
MCT USE ONLY.

STUDENT USE PROHIBITED


OFFICIAL MICROSOFT LEARNING PRODUCT

20347A
Enabling and Managing Office 365

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2017 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx
are trademarks of the Microsoft group of companies. All other trademarks are property of their respective
owners.

Product Number: 20347A

Part Number: X20-96881

Released: 04/2017
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.

i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train-the-trainer materials, Microsoft OneNote packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.


i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
o access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
o alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
o modify or create a derivative work of any Licensed Content,
o publicly display, or make the Licensed Content available for others to access or use,
o copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
o work around any technical limitations in the Licensed Content, or
o reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to


o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content is provided "as is". Any use of this Licensed Content
is at your sole risk. Microsoft gives no other express warranties. You may have additional rights under local
consumer protection laws, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers only direct damages up to US$5.00. You cannot recover any other damages, including special,
indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the Licensed Content, services or content (including code) on third-party
Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other tort to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental or other
damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change your rights under the laws of your country if those laws
do not permit it.

Revised July 2013



Acknowledgments
Microsoft Learning would like to acknowledge and thank the following individuals for their contribution
towards developing this title. Their effort at various stages in the development has ensured that you have
a good classroom experience.

Stan Reimer Content Developer


Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Microsoft Exchange Server and Active Directory deployments
for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for
Microsoft Press. In recent years, Stan has been writing courseware for Microsoft Learning, specializing in
Active Directory Domain Services (AD DS) and Exchange Server courses. Stan has been a Microsoft
Certified Trainer (MCT) for 14 years.

Damir Dizdarevic Subject Matter Expert/Content Developer


Damir Dizdarevic is a Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), Microsoft Certified IT Professional (MCITP) and MCT. He is the Executive Director for
services at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Occasionally, he also works as a
consultant for enterprise clients. Damir has more than 20 years of experience on Microsoft platforms, and
he specializes in Windows Server, Exchange Server, and cloud and mobility solutions. He has worked as a
designer, Subject Matter Expert, and technical reviewer on many Microsoft Official Courses on Windows
Server, Exchange Server, Microsoft Office 365, and Microsoft Azure topics, and has published more than
400 articles in various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and
highly rated speaker at most Microsoft conferences in Eastern Europe. Additionally, Damir has been a
Microsoft Most Valuable Professional (MVP) for Cloud and Datacenter Management nine years in a row.
His technical blog is available at http://dizdarevic.ba/ddamirblog.

Byron Wright Content Developer


Byron Wright is a partner in a consulting firm where he performs network consulting, computer-systems
implementation, and technical training. Byron also is a sessional instructor for the Asper School of
Business at the University of Manitoba, where he teaches management information systems and
networking. Byron has authored and coauthored a number of books on both Windows Server and
Windows client operating systems, and Exchange Server, including the Windows Server 2008 Active
Directory Resource Kit. To recognize Byron's commitment to sharing knowledge with the technical
community, he has been awarded the Microsoft MVP Award for Exchange Server.

Andrew J. Warren Content Developer


Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a Subject Matter Expert for many of the Windows Server
2012 courses, and the technical lead on many Windows 8 courses. He also has been involved in
developing TechNet sessions on Exchange Server. Based in the United Kingdom, Andrew runs his own IT
training and education consultancy.

Vladimir Meloski Content Developer


Vladimir Meloski (MCT and MVP on Exchange Server) is a consultant providing unified communications
and infrastructure solutions based on Exchange Server, Microsoft Lync Server, Windows Server, and
Microsoft System Center. Vladimir has 17 years of professional IT experience, and has been involved in
Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on
labs, and technical expert. He also has been involved as a Subject Matter Expert and technical reviewer for
Microsoft Official Curriculum courses.

Clifton Leonard Content Developer


Clifton Leonard is a content developer and Subject Matter Expert with more than 25 years of experience
in the IT industry as an engineer, architect, consultant, trainer, and author. Clifton has extensive
experience consulting on Active Directory Domain Services (AD DS), Exchange Server, Lync Server, identity
management, and Microsoft Office 365. His clients include large energy corporations, K12 schools,
universities, technology manufacturers, financial institutions, the United States Air Force, and the United
States Department of Defense. Clifton has been a Subject Matter Expert for multiple courses on Windows
Desktop, Windows Server, Exchange Server, Microsoft SharePoint Server, Microsoft Hyper-V, identity
management, and Office 365.

Ron Schindler Content Developer


Ron Schindler has over 20 years' experience as an IT professional. He has worked as a technician, trainer,
implementer, manager, and consultant in Office 365, Microsoft SharePoint, Microsoft Lync, and Skype for
Business. He also is a trainer and consultant in Communication, Leadership Development, and
Management skills. Customers have included some of the largest private, educational, governmental, and
financial institutions. Ron has developed multiple training courses and trained many in the certification
process of many Microsoft software programs and products. He has led enterprise-wide implementations
of software throughout the world. Currently, Ron works as a SharePoint administrator on contract for the
federal government.

Martina Grom Subject Matter Expert


Martina Grom works as an IT consultant, and is the co-founder and CEO of atwork information
technology. Martina is recognized as an expert in Microsoft Online Services solutions and was one of the
first eight MVPs worldwide to receive an award in 2011 for her expertise in Office 365. Since 2015, Martina
also has been a Microsoft Regional Director. Her expertise is related to online technologies and her
specialty is in Microsoft Online Services and Office 365. She helps companies in architecture planning for
cloud solutions, provides consulting and architectural planning of cloud projects, and is one of the
organizational heads of cloudusergroup for Germany, Austria, and Switzerland. Martina has authored
numerous books, including Office 365 fuer kleine Unternehmen, a book focused on small business
scenarios for Office 365, and Windows 8 Pro and Windows 8.1, published by Microsoft Press. In addition,
Martina writes numerous articles and blogs. Her passion is online and social media, cloud computing, and
Office 365. Martina has a master's degree in International Business Administration from the University of
Vienna, Austria.

Allan Jacobs Technical Reviewer


Allan Jacobs is a trainer, consultant, and writer based in New York City, New York. While technically an
independent contractor, Allan works almost exclusively for Global Knowledge and spends much of his
time travelling to client sites and training centers throughout the United States and Canada. He has
taught many Train-the-Trainer sessions for instructional skills, in addition to Lync and System Center
sessions at Microsoft Certified Trainer summits. For the last nine years, Allan has been selected to staff the
Microsoft TechEd conference and now the Microsoft Ignite conference, and has served as a Subject Matter
Expert on several projects for Microsoft Learning. Allan also co-authored the revision of the Microsoft
course, Microsoft Office Communications Server 2007 R2 and the Lync 2013 Depth Support Engineer. In
his younger days, Allan practiced law, something he has happily avoided for the last 15 years.

Contents
Module 1: Planning and provisioning Office 365
Module Overview 1-1

Lesson 1: Overview of Office 365 1-2

Lesson 2: Provisioning an Office 365 tenant 1-13

Lesson 3: Planning a pilot deployment 1-23

Lab: Provisioning Office 365 1-33

Module Review and Takeaways 1-35

Module 2: Managing Office 365 users and groups


Module Overview 2-1
Lesson 1: Managing user accounts and licenses 2-2

Lesson 2: Managing passwords and authentication 2-8

Lab A: Managing Office 365 users and passwords 2-12


Lesson 3: Managing security groups in Office 365 2-13

Lesson 4: Managing Office 365 users and groups with Windows PowerShell 2-17

Lesson 5: Configuring administrative access 2-30


Lab B: Managing Office 365 groups and administration 2-35

Module Review and Takeaways 2-36

Module 3: Configuring client connectivity to Office 365


Module Overview 3-1
Lesson 1: Planning for Office 365 clients 3-2

Lesson 2: Planning connectivity for Office 365 clients 3-8

Lesson 3: Configuring connectivity for Office 365 clients 3-18


Lab: Configuring client connectivity to Office 365 3-24

Module Review and Takeaways 3-25

Module 4: Planning and configuring directory synchronization


Module Overview 4-1

Lesson 1: Planning and preparing for directory synchronization 4-2

Lesson 2: Implementing directory synchronization by using Azure AD Connect 4-15

Lesson 3: Managing Office 365 identities with directory synchronization 4-31

Lab: Configuring directory synchronization 4-42

Module Review and Takeaways 4-44



Module 5: Planning and deploying Office 365 ProPlus


Module Overview 5-1

Lesson 1: Overview of Office 365 ProPlus 5-2

Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments 5-10

Lesson 3: Planning and managing centralized deployments of Office 365 ProPlus 5-13

Lesson 4: Office Telemetry and reporting 5-19

Lab: Managing Office 365 ProPlus installations 5-24

Module 6: Planning and managing Exchange Online recipients and permissions


Module Overview 6-1

Lesson 1: Overview of Exchange Online 6-2

Lesson 2: Managing Exchange Online recipients 6-8

Lesson 3: Planning and configuring Exchange Online permissions 6-25


Lab: Managing Exchange Online recipients and permissions 6-30

Module Review and Takeaways 6-31

Module 7: Planning and configuring Exchange Online services


Module Overview 7-1
Lesson 1: Planning and configuring email flow in Office 365 7-2

Lab A: Configuring message transport in Exchange Online 7-13

Lesson 2: Planning and configuring email protection in Office 365 7-14


Lesson 3: Planning and configuring client access policies 7-27

Lesson 4: Migrating to Exchange Online 7-32

Lab B: Configuring email protection and client policies 7-45


Module Review and Takeaways 7-46

Module 8: Planning and deploying Skype for Business Online


Module Overview 8-1

Lesson 1: Planning and configuring Skype for Business Online service settings 8-2

Lesson 2: Configuring Skype for Business Online users and client connectivity 8-13

Lesson 3: Planning voice integration with Skype for Business Online 8-16

Lab: Configuring Skype for Business Online 8-25

Module Review and Takeaways 8-27



Module 9: Planning and configuring SharePoint Online


Module Overview 9-1

Lesson 1: Configuring SharePoint Online services 9-2

Lesson 2: Planning and configuring SharePoint Online site collections 9-10

Lesson 3: Planning and configuring external user sharing 9-23

Lab: Configuring SharePoint Online 9-36

Module Review and Takeaways 9-37

Module 10: Planning and configuring an Office 365 collaboration solution


Module Overview 10-1

Lesson 1: Planning and managing Yammer Enterprise 10-2

Lesson 2: Planning and configuring OneDrive for Business 10-17

Lesson 3: Configuring Office 365 groups 10-27

Lab: Planning and configuring an Office 365 collaboration solution 10-35


Module Review and Takeaways 10-37

Module 11: Planning and configuring Rights Management and compliance


Module Overview 11-1

Lesson 1: Overview of the compliance features in Office 365 11-2


Lesson 2: Planning and configuring Azure Rights Management in Office 365 11-13

Lesson 3: Managing the compliance features in Office 365 11-24

Lab: Configuring Rights Management and compliance 11-41


Module Review and Takeaways 11-42

Module 12: Monitoring and troubleshooting Office 365


Module Overview 12-1

Lesson 1: Troubleshooting Office 365 12-2


Lesson 2: Monitoring Office 365 service health 12-12

Lab: Monitoring and troubleshooting Office 365 12-24

Module Review and Takeaways 12-25

Module 13: Planning and configuring identity federation


Module Overview 13-1

Lesson 1: Understanding identity federation 13-2

Lesson 2: Planning an AD FS deployment 13-11


Lesson 3: Deploy AD FS for identity federation with Office 365 13-26

Lab: Planning and configuring identity federation 13-44



About This Course


This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.

Course Description
This course provides students with the knowledge and skills required to evaluate, plan, deploy, and
operate Microsoft Office 365 services, including its identities, dependencies, requirements, and supporting
technologies. Students also will learn how to set up an Office 365 tenant including federation with existing
user identities, and sustain an Office 365 tenant and its users.

Audience
This course is intended for IT professionals who are responsible for planning, configuring, and managing
an Office 365 environment. Students who attend this course are expected to have a fairly broad
understanding of several on-premises technologies such as Domain Name System (DNS) and Active
Directory Domain Services (AD DS). In addition, they should have a general understanding of Microsoft
Exchange Server, Microsoft Lync Server or Skype for Business Server, and Microsoft SharePoint Server.
This course also is intended as preparation material for IT professionals who are looking to take the exams
70-346: Managing Office 365 Identities and Requirements, and 70-347: Enabling Office 365 Services, to
obtain the Microsoft Certified Solutions Associate (MCSA): Office 365 certification.

Student Prerequisites
This course requires that you meet the following prerequisites:
A minimum of two years of experience administering the Windows Server operating system, including
Windows Server 2012 or later.

A minimum of one year of experience working with AD DS.


A minimum of one year of experience working with name resolution, including DNS.

Experience working with certificates, including public key infrastructure (PKI) certificates.

Experience working with Windows PowerShell.

Experience working with Exchange Server 2013 or later, Lync Server 2013 or Skype for Business Server
2015, and SharePoint Server 2013 or later is beneficial, but not required.

Course Objectives
After completing this course, students will be able to:

Plan an Office 365 deployment, configure the Office 365 tenant, and plan a pilot deployment.
Manage Office 365 users, groups, and licenses, and configure delegated administration.

Plan and configure client connectivity to Office 365.

Plan and configure directory synchronization between Microsoft Azure Active Directory (Azure AD)
and on-premises AD DS.

Plan and implement the Office 365 ProPlus deployment.

Plan and manage Microsoft Exchange Online recipients and permissions.

Plan and configure Exchange Online services.

Plan and implement the Skype for Business Online deployment.

Plan and configure Microsoft SharePoint Online.



Plan and configure an Office 365 collaboration solution that includes Yammer Enterprise, Microsoft
OneDrive for Business, and Office 365 groups.

Plan and configure the integration between Office 365 and Azure Rights Management (Azure RMS),
and configure compliance features in Office 365.

Monitor and review Office 365 services, and troubleshoot Office 365 issues.

Plan and implement identity federation between on-premises AD DS and Azure AD.

Course Outline
The course outline is as follows:

Module 1, Planning and provisioning Office 365 reviews the features of Office 365 and identifies recent
improvements to the service, and describes the process of provisioning an Office 365 tenant. This module
also identifies the challenges in deploying Office 365 and the benefits of the Microsoft FastTrack for Office
365 approach, as compared to the traditional plan, prepare, and migrate deployment process.

Module 2, Managing Office 365 users and groups explains how to manage users, groups, and licenses,
and configure administrative access by using the Office 365 console and the Windows PowerShell
command-line interface. This module also explains how to manage user passwords and configure Multi-
Factor Authentication.

Module 3, Configuring client connectivity to Office 365 covers the different types of client software that
you can use to connect to Office 365. It also explains the infrastructure requirements that the clients need
to connect to Office 365, in addition to how to configure different types of Office 365 clients.

Module 4, Planning and configuring directory synchronization explains how to plan, prepare, and
implement directory synchronization as a methodology for user and group management in an Office 365
deployment. It explains how to prepare an on-premises environment, and install and configure directory
synchronization. It also explains how to manage Office 365 identities after you enable directory
synchronization.

Module 5, Planning and deploying Office 365 ProPlus explains how to plan for a client deployment and
ensure that users receive the tools that they need to interact with Office 365 effectively. It also explains
the planning process, how to make Office 365 ProPlus directly available to end users, and how to deploy it
as a managed package. Finally, it describes how to set up Office telemetry so that administrators can track
how users are interacting with Microsoft Office.

Module 6, Planning and managing Exchange Online recipients and permissions describes Exchange
Online, and explains how to create and manage recipient objects, and how to manage and delegate
Exchange security.

Module 7, Planning and configuring Exchange Online services explains how to plan for and configure
email flow, in addition to anti-malware and anti-spam settings in Office 365. It also explains how to plan
and configure policies for Exchange clients. Additionally, it describes how to plan and configure a
migration to Exchange Online.

Module 8, Planning and deploying Skype for Business Online explains how to plan and configure Skype
for Business Online service settings. It also explains how to configure Skype for Business Online user
settings and clients, and plan for voice integration with Skype for Business Online.

Module 9, Planning and configuring SharePoint Online describes how to configure SharePoint Online
services. It explains how to plan and configure SharePoint site collections and external user sharing. It also
provides a brief overview of additional portals, such as the video portal.

Module 10, Planning and configuring an Office 365 collaboration solution describes how to enable and
configure Yammer Enterprise. It also explains how to configure OneDrive for Business, Office 365 groups,
and Microsoft Teams.

Module 11, Planning and configuring Rights Management and compliance describes the compliance
features in Office 365 and how to manage them. It explains how to plan and configure Azure Information
Protection. Additionally, it explains the security features in Office 365.

Module 12, Monitoring and troubleshooting Office 365 explains how to troubleshoot issues with Office
365 connectivity and services, and how to monitor Office 365 service health.

Module 13, Planning and configuring identity federation explains how identity federation works, and
how you can use Active Directory Federation Services (AD FS) to implement identity federation. It also
explains how to plan an AD FS deployment to support identity federation with Office 365. The module
describes how to deploy AD FS to enable single sign-on (SSO) for Office 365. Finally, it describes hybrid
solutions for Exchange Server, Skype for Business Server, and SharePoint Server.

Course Materials
The following materials are included with your kit:

Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly focused format, which is essential for an effective in-class learning
experience.

o Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

o Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

o Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.

o Lab Answer Keys: provide step-by-step lab solution guidance.

Additional Reading: Course Companion Content on the
http://www.microsoft.com/learning/en/us/companion-moc.aspx site: searchable, easy-to-browse digital
content with integrated premium online resources that supplement the Course Handbook.

Modules: include companion content, such as questions and answers, detailed demo steps, and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers,
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.

Resources: include well-categorized additional resources that give you immediate access to the most
current premium content on TechNet, MSDN, or Microsoft Press.

Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

o To provide additional comments or feedback on the course, go to www.microsoft.com/learning/help.
To inquire about the Microsoft Certification Program, send an email to mcphelp@microsoft.com.

Virtual Machine Environment


This course is only available with labs that are hosted on a Microsoft authorized hosting partner. The
hosting partner provides the virtual machine environment including a web interface for accessing the
virtual machines. Additionally, the hosting partner provides a static IP address and publicly trusted
certificate that are required to complete the labs in this course. The hosting partner also will provide the
onmicrosoft.com domain name and the public custom domain name that are required for this course.

Virtual Machine Configuration


The following table shows the role of each virtual machine this course uses:

Virtual machine     Role
20347A-LON-DC1      Windows Server 2016 domain controller in the Adatum.com domain
20347A-LON-DS1      Windows Server 2016 member server in the Adatum.com domain; used to host
                    directory synchronization and federation services
20347A-LON-WAP1     Windows Server 2016 standalone server configured as a Web Application Proxy
20347A-LON-CL1      Windows 10 Enterprise computer
20347A-LON-CL2      Windows 10 Enterprise standalone computer
20347A-LON-CL3      Windows 10 Enterprise computer
20347A-LON-CL4      Windows 10 Enterprise computer

Software Configuration
The following software is installed on each virtual machine:

Windows Server 2016

Windows 10 Anniversary Update

Office 2016

Course Files
Microsoft frequently updates the features in Office 365 and the user interface that is used to manage
those features. Therefore, in some situations you might notice that the Office 365 user interface that you
are using does not match with the lab instructions. This could be because the changes in Office 365 might
have occurred either during your training session or before the courseware can be updated to address the
changes. In such situations, you should adapt to the changes and work through them in the labs as
necessary.

During the classroom session, you will use the lab steps located in the online lab user interface. The
hosting partner dynamically updates these labs steps as changes occur in the Office 365 user interface.
Therefore, these labs steps will be as up to date as possible for each training session.

Classroom Setup
Learning Centers need only to provide students with Internet access. Students can then access the hosted-
lab platform by accessing the URL provided by the hosting partner.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for the computers used by the trainer and students who are taking Official Microsoft
Learning Product courses. Because the virtual machines for this course are hosted by an authorized
learning partner, the instructor and student computers must meet the following minimal hardware
requirement:
Hardware level 6 with dual monitors

Module 1
Planning and provisioning Office 365
Contents:
Module Overview 1-1

Lesson 1: Overview of Office 365 1-2

Lesson 2: Provisioning an Office 365 tenant 1-13

Lesson 3: Planning a pilot deployment 1-23

Lab: Provisioning Office 365 1-33

Module Review and Takeaways 1-35

Module Overview
The Microsoft range of software and services includes Microsoft Exchange, Microsoft SharePoint,
Microsoft Skype for Business, and Microsoft Office. Users who are located anywhere in the world can
access these services over the Internet. Office 365 is now a major part of this suite of services, and it can
be delivered on multiple platforms to provide enterprise-grade email, conferencing, and other IT services.

To implement Office 365 effectively, organizations must ensure that they can manage identities
effectively. User accounts exist both in the cloud and potentially on-premises. Therefore, administrators
and consultants must be able to plan for and manage a wide range of factors that affect how Office 365
works. These individuals must also be able to identify the best way to manage user accounts and services.
This module reviews the features of Office 365 and identifies recent improvements to the service. It
describes the process of provisioning an Office 365 tenant. This module also identifies the challenges in
deploying Office 365 and the benefits of the Microsoft FastTrack for Office 365 approach as compared to
the traditional plan/prepare/migrate deployment process.

Note: This course does not cover the entire Microsoft FastTrack for Office 365 process; this
content is covered in course 10968B: Designing for Office 365 Infrastructure.

Objectives
After completing this module, you will be able to:

Describe the features and benefits of Office 365.

Provision new tenant accounts.

Plan a pilot deployment of Office 365.



Lesson 1
Overview of Office 365
Office 365 is Microsoft's cloud-based productivity suite that delivers software as a service (SaaS) to users
around the world. Office 365 products focus in four main areas:

Devices. Office 365 supports a wide variety of devices in which the user interface supports different
methods of interaction, including touch, pen, mouse, and keyboard.

Cloud. Office 365 is designed for the cloud as an on-demand service that is always up to date. Office
365 is an enterprise-grade cloud productivity solution with robust security, guaranteed reliability, and
compliance with industry standards such as ISO 27001, EU Model Clauses, the Health Insurance
Portability and Accountability Act (HIPAA), and Federal Information Security Management Act
(FISMA).

Social media. Office 365 integrates social networking into the organization by providing newsfeeds
and microblogging services that can be extended with Yammer.

Control. With features such as Data Loss Prevention (DLP), eDiscovery, archiving and data-hold
capabilities, Office 365 provides a secure and safe way for organizations to control their business data.

This lesson describes the components of Office 365, and explains the features available in the various
subscription plans. It also explains how to determine the most suitable subscription plan for your
organization.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the core components of the Office 365 service.


Describe the additional components of Office 365.

Describe Office 365 Business subscriptions.

Describe Office 365 Enterprise subscriptions.


Describe Office 365 Education and Government subscriptions.

Plan the Office 365 subscriptions.

Explain how you will use Office 365 in your organization.


Describe the Office 365 administration portal.

Office 365 core components


The core services in Office 365 consist of cloud-based equivalents of three of Microsoft's premier server
products, along with an integrated directory service and an install-on-demand version of Office 2013 and
Office 2016. These popular productivity applications enable organizations of all sizes to move their entire
IT infrastructure to the cloud or to implement a range of hybrid options, depending on their needs.

Additional Reading: For more information, refer to: Office 365 Service Descriptions at: http://aka.ms/iv18pg

Azure AD
Microsoft Azure Active Directory (Azure AD) underpins all the Office 365 services. Azure AD is an online
instance of Active Directory that also provides authentication and authorization services for other
Microsoft cloud offerings, including Microsoft Azure and Microsoft Intune. Authentication through
Azure AD can be on a cloud-only basis, through directory synchronization (with optional password
synchronization), or include full integration with on-premises directory services through support for
Microsoft Active Directory Federation Services (AD FS) or other SSO providers.

Exchange Online
Microsoft Exchange Online in Office 365 is the latest release of this messaging and collaboration platform,
which provides one location for composing, reading, and storing email, calendar, contact, and task
information in Microsoft Outlook, Outlook Web Access, or Outlook Mobile. Exchange Online includes a
50 gigabyte (GB) mailbox (up from 25 GB) combined with unlimited storage within the archive mailbox in
the Office 365 E3 or E5 plans, or Exchange Online Plan 2. Exchange Online supports access from most
mobile devices, including Android devices, BlackBerry, iPhone, Nokia, and Windows Mobile.

Note: The unlimited storage available within the archive mailbox can store up to 100 GB of
Outlook data without restriction. Additional storage increments are available by contacting
Microsoft Office 365 Support.

Microsoft Teams (SharePoint Online)


By using the Microsoft Teams platform, which is based on Microsoft SharePoint Online, you can
implement a chat-based workspace and share important documents, insights, and status updates with
colleagues. You can keep teams in sync and manage important projects, find vital documents, and locate
people easily. Using Microsoft Teams can also help you stay up to date on company information and
news, whether you are in or out of the office. Storage space is initially set at 10 GB per tenant and 500 MB
per user, but storage upgrades are available. In addition, each user receives another 25 GB in OneDrive for
Business (up from 7 GB) for additional document storage or transfer.

Skype for Business Online


Skype for Business Online provides presence and instant messaging information, so users can identify
whether people are available and then chat, call, and video-conference with each other. By using Skype
for Business Online, you also can create online meetings with audio, video, and web conferencing for up
to 250 people, including anonymous users from outside the organization. You can implement multiparty
high-definition (HD) video with hardware that supports this capability. To improve productivity, Skype for
Business Online provides integration with users' calendars in Microsoft Exchange, and also enables the
click-to-communicate feature in Outlook, SharePoint, and other Office applications. Furthermore, Skype
for Business Online introduces integration with on-premises PBX and video teleconferencing systems.

Office 365 ProPlus


Some Office 365 plans include Office 365 ProPlus, which is a downloadable version of the Microsoft
productivity suite of applications, including Word 2013, Excel 2013, PowerPoint 2013, Outlook 2013,
Access 2013, Publisher 2013, OneNote 2013, InfoPath, and the Skype for Business 2013 client. There are
also Web App versions of Word, Excel, PowerPoint, and OneNote.

Office 365 ProPlus supports streaming deployment, which enables users to click the application
installation icon and start using the application itself while the program installs in the background. This
deployment method also enables users to run Office 365 ProPlus alongside earlier versions of Microsoft
Office.

Office 365 additional components


Organizations can also subscribe to optional components within Office 365 that can enhance their use of
this cloud-based service and provide users with additional facilities to increase productivity. These
optional components include Yammer, Project Online, Project Pro for Office 365, and Microsoft Office
Visio Pro for Office 365.

Yammer
The Microsoft enterprise social networking tool is becoming more integrated with Office 365, and
SharePoint Online users now have the option to replace their activity stream in SharePoint Online with
Yammer. To make this change, users click a Yammer link and sign in to this service through a separate
browser window. Future integration will include SSO between the Yammer service and Office 365, and
will use the Yammer Newsfeed instead of the SharePoint Online one.

Project Online
Project Online is the cloud version of Microsoft Project Server, and it enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value proposition with Project Online is that it enables global organizations to plan portfolios of projects
in multiple time zones.

Project Pro for Office 365


Project Pro for Office 365 provides desktop project management capabilities for small teams and
organizations. Organizations that need full project-management capabilities on the desktop and the
ability to participate online from virtually anywhere on almost any device, can combine this service with
Project Online.

Microsoft Office Visio Pro for Office 365


Office Visio Pro for Office 365 is a subscription version of Visio Professional 2013, the diagramming and
flow-charting application. Users can install it on up to five devices, and it includes Visio on Demand, which
enables a user to install the application temporarily on any PC running Windows 7 or newer versions of
the Windows operating system.

Microsoft Dynamics 365


Microsoft Dynamics 365 is a cloud-based platform that combines CRM and ERP functionalities and
delivers applications for managing business functions, sales, marketing, finances, and customer service.
This platform provides functionalities previously available in Dynamics CRM Online and Dynamics NAV.

Azure Information Protection


With Azure Information Protection, you can enhance the security of documents in your organization and
also classify them. This technology uses Azure Rights Management to encrypt documents and email and to
attach usage rights to them, so that the protection travels with the file both on-premises and in the
cloud, and it provides monitoring and document-usage tracking. With the classification mechanism in Azure
Information Protection, you can classify (label) your Office documents based on various criteria, and a
label can apply Rights Management protection automatically.

Office 365 Business subscriptions


Office 365 Business subscriptions target small and medium-sized organizations that need a cloud
collaboration solution and have up to 300 users. There are three Office 365 Business subscriptions:
Office 365 Business Essentials, Office 365 Business, and Office 365 Business Premium.

All Office 365 Business subscriptions include online versions of Office, including Word, Excel, and
PowerPoint, and cloud file storage and sharing capabilities with 1 terabyte (TB) of storage per user.
Office 365 Business Essentials does not include full versions of the Office apps, but it includes email with
a 50-GB mailbox per user, instant messaging, and HD video conferencing. Office 365 Business includes fully
installed Office applications, but does not include email, instant messaging, or video conferencing.
Office 365 Business Premium includes both fully installed Office applications and email with a 50-GB
mailbox per user, instant messaging, and HD video conferencing.

The following table includes a detailed list of Office 365 Business subscription features.

Feature                                                          Business    Business   Business
                                                                 Essentials             Premium
---------------------------------------------------------------- ----------- ---------- ---------
Full, installed Office applications (Word, Excel, PowerPoint,    No          Yes        Yes
Outlook, Publisher, and OneNote) on up to five PCs or Macs per
user. Also includes the new Office 2016 apps for PC and Mac.
Office on tablets and phones for the full, installed Office      No          Yes        Yes
experience on up to five tablets and five phones per user.
Online versions of Office, including Word, Excel, and            Yes         Yes        Yes
PowerPoint.
File storage and sharing with 1 TB storage per user.             Yes         Yes        Yes
Business-class email, calendar, and contacts with a 50-GB        Yes         No         Yes
inbox per user.
Unlimited online meetings, IM, and HD video conferencing.        Yes         No         Yes
Includes the Skype for Business app.
Corporate social network to help employees collaborate across    Yes         No         Yes
departments, locations, and business apps.
Work management tools to help teams create plans and organize,   Yes         No         Yes
assign, and collaborate on tasks.
Online scheduling to help employees collaborate across           No          No         Yes
departments and locations.
Microsoft Teams chat-based workspace with instant access to      Yes         No         Yes
your chats, content, people, and tools.
Professional digital storytelling tools to create interactive    Yes         Yes        Yes
reports, presentations, and more.
User maximum                                                     300         300        300

Office 365 Enterprise subscriptions


Office 365 Enterprise subscriptions target medium-sized and enterprise organizations that need a cloud
collaboration solution, compliance tools, a corporate social network, an intranet site and web
conferencing, and the ability to include an unlimited number of users. There are three Office 365
Enterprise subscriptions: Office 365 Enterprise E1, Office 365 Enterprise E3, and Office 365 Enterprise E5.
Furthermore, organizations might choose Office 365 ProPlus on its own.

Office 365 Enterprise E1, E3, and E5 subscriptions include online versions of Office such as Word, Excel,
and PowerPoint, and cloud file storage and sharing capabilities with 1 TB storage per user. Office 365
Enterprise E1, E3, and E5 subscriptions also include email with a 50-GB mailbox per user, unlimited instant
messaging and HD video conferencing, intranet sites, a corporate social network, Office Graph, a corporate
video portal, and meeting broadcast for up to 10,000 users. Office 365 Enterprise E1 does not include an
option to fully install Office applications. The Office 365 Enterprise E3 subscription includes all the
features of the E1 subscription, plus fully installed Office applications, enterprise management of
applications, self-service business intelligence, and compliance tools such as archiving and legal hold,
rights management, data loss prevention, and email and file encryption. The Office 365 Enterprise E5
subscription includes all the features of the E3 subscription, plus advanced security for the messaging
system (protection against unknown malware and zero-day threats), analytics tools, public switched
telephone network (PSTN) conferencing, and cloud PBX (private branch exchange) for cloud-based call
management. At the time of writing this course, cloud PBX and PSTN services are limited by region.

Office 365 ProPlus includes online versions of Office, including Word, Excel, and PowerPoint, and cloud
file storage and sharing capabilities with 1 TB storage per user. Office 365 ProPlus also includes the option
to fully install Office applications, and it provides enterprise management of apps and self-service business
intelligence capabilities. It does not include the Exchange Online, SharePoint Online intranet, or Skype for
Business Online services that the Enterprise E1, E3, and E5 subscriptions provide.

The following table includes a detailed list of Office 365 Enterprise subscription features.

Feature                                                     ProPlus    Enterprise E1  Enterprise E3  Enterprise E5
----------------------------------------------------------- ---------- -------------- -------------- --------------
User maximum                                                Unlimited  Unlimited      Unlimited      Unlimited
Fully installed Office applications (Word, Excel,           Yes (plus  No             Yes (plus      Yes (plus
PowerPoint, Outlook, Publisher, OneNote, and Skype for      Access)                   Access)        Access)
Business) on up to five PCs or Macs per user. Also
includes the new Office 2016 apps for PC and Mac.
Office on tablets and phones for the fully installed        Yes        No             Yes            Yes
Office experience on up to five tablets and five phones
per user.
Online versions of Office, including Word, Excel, and       Yes        Yes            Yes            Yes
PowerPoint.
File storage and sharing with 1 TB storage per user.        Yes        Yes            Yes            Yes
Business-class email, calendar, and contacts with a         No         Yes            Yes (unlimited Yes (unlimited
50-GB inbox per user.                                                                 email archive) email archive)
Unlimited online meetings, IM, and audio, HD video, and     No         Yes            Yes            Yes
web conferencing.
Intranet site with customizable security settings for       No         Yes            Yes            Yes
teams.
Corporate social network to help employees collaborate      No         Yes            Yes            Yes
across departments and locations.
Work management tools to help teams create plans and        No         Yes            Yes            Yes
organize, assign, and collaborate on tasks.
Microsoft Teams chat-based workspace with instant access    No         Yes            Yes            Yes
to your chats, content, people, and tools.
Professional digital storytelling tools to create           Yes        Yes            Yes            Yes
interactive reports, presentations, and more.
Personalized search and discovery across Office 365 using   No         Yes            Yes            Yes
the Office Graph.
Corporate video portal to upload and share corporate        No         Yes            Yes            Yes
videos across the company.
Meeting broadcast on the Internet to up to 10,000 people,   No         Yes            Yes            Yes
who can use a browser on nearly any device to attend.
Enterprise management of apps with Group Policy,            Yes        No             Yes            Yes
Telemetry, and Shared Computer Activation.
Self-service business intelligence to discover, analyze,    Yes        No             Yes            Yes
and visualize data in Excel.
Compliance and information protection, including            No         No             Yes            Yes
archiving and legal hold, rights management, data loss
prevention, and email and file encryption.
Compliance Center tools to support eDiscovery, including    No         Yes            Yes            Yes
mailbox and internal site search, legal hold, and
predictive coding and text analytics capabilities,
depending on subscription type.
Advanced security for your data, which helps protect        No         No             No             Yes
against unknown malware and viruses and provides better
zero-day protection to safeguard your messaging system.
Analytics tools for personal and organizational insights    No         No             No             Yes
with Power BI and Delve Analytics.
PSTN conferencing to allow invitees to join Skype for       No         No             No             Yes
Business meetings by dialing in from a landline or mobile
phone.
Cloud PBX for cloud-based call management to make,          No         No             No             Yes
receive, and transfer calls across a wide range of
devices.

Office 365 Education, Nonprofit, and Government subscriptions


Office 365 offers subscriptions for education, nonprofit, and government institutions, and for home users
as well.

Office 365 offers free subscription plans for education. Educational institutions can apply for the
Office 365 Education subscription, which provides cloud productivity and collaboration solutions for
students and teachers. Office 365 Education includes online versions of Office, including Word, OneNote,
Excel, and PowerPoint, and cloud file storage and sharing capabilities with 1 TB storage per user.
Furthermore, Office 365 Education includes email with a 50-GB mailbox per user, instant messaging and Skype
connectivity, team sites, school video portals, online classes with audio and HD video conferencing, Yammer
as a school social network, and compliance tools. Exchange Online provides the email, and Skype for Business
Online provides the IM and HD video conferencing.

Additional Reading: For more information, refer to: Office 365 Education at:
http://aka.ms/c2imoj

Office 365 Nonprofit has four subscription options: Office 365 Nonprofit Business Essentials, Office 365
Nonprofit Business Premium, Office 365 Nonprofit E1, and Office 365 Nonprofit E3. Nonprofit
organizations can apply for the Office 365 Nonprofit Business Essentials and Office 365 Nonprofit E1
subscriptions as a donation, whereas the Office 365 Nonprofit Business Premium and Office 365 Nonprofit
E3 subscriptions have an additional charge.

Additional Reading: For more information, refer to: Office 365 Nonprofit plans and
pricing at: http://aka.ms/wnd4wq

Office 365 Government subscriptions plans include Office 365 Enterprise E1 (Government pricing) and
Office 365 Enterprise E3 (Government pricing). Both plans include online versions of Office, including
Word, Excel and PowerPoint, cloud file storage, and sharing capabilities with 1 TB storage per user. They
also include email with a 50-GB mailbox per user, unlimited instant messaging, HD video conferencing,
intranet sites, a corporate social network, and Office Graph.

Additional Reading: For more information, refer to: Office 365 plans at Government
pricing at: http://aka.ms/knev43

Planning the Office 365 subscription


Office 365 can benefit many organizations, but the scenarios in which organizations might deploy and use
Office 365 differ. For example, some organizations might choose to move their entire on-premises
infrastructure to Microsoft Azure and Office 365. Other organizations might choose a hybrid solution by
hosting some products on-premises, and hosting other products such as Exchange and Skype for Business in
Office 365.

When planning to purchase an Office 365 subscription, organizations should consider the following
questions:

What business needs will drive your organization to move to Office 365? Some answers might include
better availability, industry-standard security, lower cost for hardware and software maintenance, and
support for multiple devices and platforms.

What is the organization's current IT infrastructure? For example, if organizations have many
on-premises custom applications, the planning process of moving custom applications to the cloud
might be time-consuming. Furthermore, while transitioning infrastructure and applications to the
cloud, organizations might choose to deploy a hybrid solution, in which they move Exchange
mailboxes to Office 365 and continue to host custom applications on-premises.

What is the organization's change-management process? Every organization has a different change-
management process that defines the deployment process for new solutions. For example,
organizations might use Microsoft Operations Framework (MOF) 4.0, which incorporates the best
practices of the service management industry. MOF is a particularly appropriate framework to apply
when implementing and operating Office 365, as it can also integrate well with the phases of the
FastTrack deployment plan and can help solve service-delivery issues.

How many users will use Office 365, and what are the organization's plans for growth? Some of the
Office 365 subscriptions are limited in the number of users and the types of functionalities permitted.
Therefore, organizations have to match the requirements for Office 365 functionalities with the
number of users. An organization can mix different Office 365 plans according to its business needs.
For example, one organization can purchase 200 Business Essentials seats, 200 Business Premium
seats, and 200 Enterprise E3 seats on a single tenant.

Overview of the Office 365 administrative portals


You can manage Office 365 by using a web interface or Windows PowerShell. The web interface includes
multiple administrative portals. Before you can manage Office 365 with Windows PowerShell, you need to
install the Azure Active Directory Module for Windows PowerShell, import it into your session, and connect
to the service with an administrative account.

The Office 365 web-based administrative portals include:

Office 365 admin center. The Office 365 admin center is a web-based management console that you can use
to deploy Office 365 for your organization in the cloud. You can also create users, manage domains and
licenses, and administer all aspects of Office 365.

Exchange admin center. The Exchange admin center (EAC) is the web-based management console
that you can use to manage Exchange settings in Office 365. These settings include recipients,
protection, mail flow, public folders, and other settings that are not available in the default Office 365
admin center.

Skype for Business admin center. The Skype for Business admin center is the web-based management
console that you can use to manage Skype for Business settings in Office 365. These settings include
instant messaging, audio and video calls, persistent chat, and online meetings.

SharePoint admin center. The SharePoint admin center is the web-based management console that
you can use to manage SharePoint settings in Office 365. These settings include site collections, user
profiles, business connectivity services, and search.

Security and Compliance Center. The Office 365 Security and Compliance Center is the web-based
management console that you can use to manage compliance features across Office 365 for the
organization. These features include archiving, data loss prevention (DLP), eDiscovery, reports,
retention, and search.

Azure AD admin center. You can use the Azure AD admin center to manage the instance of Azure
Active Directory that Office 365 is using. Within the Azure AD admin center, you can manage users,
domains, and settings for the directory.
By using the Azure Active Directory Module for Windows PowerShell, you can connect to Office 365 to
perform administrative tasks that are not practical, or even possible with the Office 365 admin center web
portal. For example, you can use the Azure Active Directory Module for Windows PowerShell to automate
repetitive tasks such as creating large numbers of user accounts, adding users to groups, and updating
multiple user properties.
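The bulk-provisioning task described above, as an added example that is not part of the course text: a PowerShell script that uses the Azure Active Directory Module for Windows PowerShell (the MSOnline cmdlets) to create users from a CSV, assign an Enterprise E3 license, and add each user to an existing group. The CSV content, the adatum.com names, the usage location, and the group names are constructed for the example; the cmdlets and their parameters are the module's own.

```powershell
# Added example (not part of the course text): bulk-create Office 365 users from CSV data
# with the Azure Active Directory Module for Windows PowerShell (MSOnline).
# Assumptions: the MSOnline module is installed, the signed-in account is a global
# administrator, the tenant owns an E3 SKU (ENTERPRISEPACK), and the groups already exist.

Import-Module MSOnline
Connect-MsolService     # interactive sign-in (supports MFA); no credentials are stored in the script

# Constructed sample input. In practice: $newUsers = Import-Csv .\NewUsers.csv
$newUsers = @'
UserPrincipalName,FirstName,LastName,Department,Group
anna.schmidt@adatum.com,Anna,Schmidt,Sales,Sales Team
bob.kelly@adatum.com,Bob,Kelly,Finance,Finance Team
'@ | ConvertFrom-Csv

# Resolve the E3 SKU for this tenant; AccountSkuId looks like "adatum:ENTERPRISEPACK"
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId
if (-not $sku) { throw 'No Enterprise E3 (ENTERPRISEPACK) SKU found in this tenant' }

$results = foreach ($u in $newUsers) {
    # Skip accounts that already exist so the script is safe to re-run after a partial failure
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "$($u.UserPrincipalName) already exists; skipping"
        continue
    }

    # UsageLocation is mandatory before a license can be assigned (assumed: GB).
    # No -Password is given, so the service generates a random initial password and returns it;
    # ForceChangePassword makes the user replace it at first sign-in.
    $params = @{
        UserPrincipalName   = $u.UserPrincipalName
        DisplayName         = "$($u.FirstName) $($u.LastName)"
        FirstName           = $u.FirstName
        LastName            = $u.LastName
        Department          = $u.Department
        UsageLocation       = 'GB'
        LicenseAssignment   = $sku
        ForceChangePassword = $true
    }
    $created = New-MsolUser @params

    # Add the new user to the group named in the CSV (exact display-name match)
    $group = Get-MsolGroup -SearchString $u.Group | Where-Object { $_.DisplayName -eq $u.Group }
    if ($group) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
                            -GroupMemberObjectId $created.ObjectId
    } else {
        Write-Warning "Group '$($u.Group)' not found; $($u.UserPrincipalName) was not added to a group"
    }

    [pscustomobject]@{ UPN = $created.UserPrincipalName; InitialPassword = $created.Password }
}

# Initial passwords must be handed to users out of band; protect or shred this file afterwards
$results | Export-Csv -Path .\NewUserPasswords.csv -NoTypeInformation
```

Run it from an elevated PowerShell session on a workstation where the MSOnline module is installed. Because the initial passwords are single-use and the users are forced to change them, the exported file is only sensitive until first sign-in, but it should still never be written to a shared location.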

Discussion: How will you use Office 365 in your organization?


Based on the previous topic, discuss an Office 365 deployment with other students based on the
following questions:

Question: What are your organization's business requirements?

Question: How will Office 365 meet your organization's business requirements?

Question: Which Office 365 subscription would be most suitable for your organization?

Lesson 2
Provisioning an Office 365 tenant
An important part of the Office 365 provisioning process is the creation of the tenant account. This
activity was not as crucial in the traditional Office 365 deployment methodology because the pilot
account typically was not transitioned into deployment. Microsoft FastTrack for Office 365 is a service
that includes best practices, tools, and resources that help organizations move to Office 365. With the
FastTrack process, where the pilot account typically persists into the production environment, it is vital
that you enter the right information, because certain values that you specify cannot be changed later.

This lesson explains the various tenant options available for Office 365, and the process of creating a new
tenant account. It also describes how to plan the process of adding custom domains to Office 365, and
how to plan DNS zones and configure DNS records for custom domains.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the process for creating a new tenant account.

Describe the Office 365 tenant options.

Describe the process of planning the addition of custom domains in Office 365.

Describe the process of adding a custom domain to Office 365.

Explain how to plan DNS zones for custom domains in Office 365.

Explain how to configure DNS records for custom domains in Office 365.

Explain how to manage feature updates.

Creating an Office 365 tenant


The overall process for creating a tenant account for Office 365 is shown below:

1. Decide which Office 365 plan you will use for a trial.

2. Ensure that you have a valid email account (an organizational account or a Microsoft account will
work).

3. Click the trial link on the Office 365 website.

4. Enter the correct information for your organization.

5. Complete the sign-up process by validating the text message or phone call.

Trial accounts are available for the following Office 365 plans:

Business and Business Premium

Enterprise (E3 and E5)

Education

Government

Nonprofit (Business Premium and E3)

As mentioned previously, errors in the sign-up process commonly result from organizations selecting the
wrong Office 365 subscription for the size of their business. It is currently not possible to change to
different product families, such as from the Business plan to the Enterprise plan.

Note: The process for provisioning Office 365 Education, Government, and Nonprofit plans
is different, and this course does not cover it. This course assumes that you are selecting the
Enterprise E3 subscription.

During the trial sign-up, you have to supply a valid email address that already exists. Although the sign-up
process creates an email address in the form username@organizationname.onmicrosoft.com, you cannot
use that as the email address for the sign-up process.

If you work for or through a Microsoft partner, and you need more than 25 pilot users for an Enterprise E3
trial, you can apply for an extended trial account. When you request an extended trial tenant to support
the FastTrack Pilot, you must submit a form to fasttrackpilot@microsoft.com. This form must provide
customer information, partner information, and information about the pilot engagement. After two
business days, you should receive a unique provisioning code. This is a single-use code that you can only
use to provision the pilot tenant for the organization. Later topics in this module will cover FastTrack
services.

Office 365 tenant options


When you sign up for a new tenant account, you need to supply information about the person and the
company that are signing up. Note that the fields that you see will be different, depending on the
country/region you select at the beginning of the sign-up process. For example, Switzerland includes a
Canton field. It is important that you choose the correct location for your tenant during initial setup,
because you cannot change it later. Tenant location determines where your data will be stored. For example,
if you choose Germany as your tenant location, your data will be stored in datacenters in Europe.

The following table includes a list of the different fields for which you must provide values when you sign
up for a new tenant account.

Field                              Value                        Required      Can be changed   Type
---------------------------------- ---------------------------- ------------- ---------------- ------------------------------
Country/Region                     Name                         Yes           No               Drop-down list
First/Last names                   Tenant admin name            Yes           Yes              Text field, 50-character limit
Email                              Tenant admin email           Yes           Yes              Text field
Address 1, Address 2, Address 3    Tenant address information   Yes, No, No   Yes              Text
City                               Company city                 Yes           Yes              Text
State/County                       Company state                Yes           Yes              Drop-down or text
Zip/Postal code                    Company Zip                  Yes           Yes              Text
Phone                              Contact phone                Yes           Yes              Text
Organization name                  Name of the tenant company   Yes           Yes              Text

Note: The tenant administrator's name must be a real name, not System Administrator. It
is also important that the email address used does not become inaccessible if the person who
registered the account leaves the company; a monitored shared mailbox is a safer choice than a personal
address.

When you enter this information, Office 365 will generate a default domain name based on the company
name you supply. The default domain name will end with .onmicrosoft.com. Again, this value cannot be
changed after creation, so it is vital that you check that this name is acceptable. If the name already exists,
then a number will be added to make the name unique, such as Adatum426.onmicrosoft.com.

The default domain name is usually not in use for email services, because customers add their custom
domain name. However, this name is important because the tenant name in front of .onmicrosoft.com also
becomes part of the URLs of other services. For example, if your default domain name is
Adatum426.onmicrosoft.com, your SharePoint Online sites, and with them the file storage that services such
as Microsoft Teams use, are accessed at addresses under Adatum426.sharepoint.com. You cannot change
this address later.

You are then asked to enter a password and indicate a mechanism for validating the sign-up. Passwords
should be at least 10 characters long and contain a random mixture of uppercase and lowercase letters,
numbers, and special characters. Remember that the account you create here is the tenant's first global
administrator, so treat its password, its email address, and the phone number used for validation as
privileged credentials.

To validate the sign-up, you can select from either having a text message sent to you or receiving a phone
call. You should specify the country and number for your phone. If you use the text option, ensure that
the phone number is capable of receiving texts.

Once you click the Create My Account link, the confirmatory six-digit number will either be sent to your
phone or you will be called, depending on your prior selection. Enter that number into the confirmation
dialog box to complete the setup of your tenant account.

Planning for custom domains


When planning to add custom domains to Office
365, there are a number of factors you need to
consider. These factors can differ with the Office
365 subscription you select. The following table
sets out these planning factors.

Factor Considerations

Multiple Domains Plan to add the main domain that your company currently uses along with
any other domain that it uses for email messages within the organization. This
scenario is common when the overall company is a business group, or the
organization has been through a merger process and some employees still
have alternative domain addresses.

Subdomains You might want to register subdomains such as content.Adatum.com within
the account for Adatum. Note that Office 365 Business and Enterprise plans
allow you to add subdomains under your root domain, whereas the Office 365
Small Business plans do not.

Domain numbers You can register up to 600 domains with Office 365.

Domain adding You must add root domains before subdomains, so you need to register
order Adatum.com before you add content.Adatum.com.

DNS record hosting DNS records might be hosted by your organizations DNS servers or by an
external hosting provider.

Access to the DNS Check with your DNS hosting organization regarding what access you get to
console the DNS console. To configure Office 365 services, you need to be able to add
the A, CNAME, TXT, MX and SRV records. If your DNS hosting provider does
not give that level of access, you might have to send a request to the DNS
hosting provider to change DNS records needed for your Office 365
deployment.

Not registering DNS It is rare that you would not want to register a DNS domain with Office 365,
but it is a possible option; for example, if you want to have a completely
separate email and directory service for your Office 365 users. One possible
scenario is a university that might want to host its faculty members in the on-
premises environment and have the students in Office 365 with a different
domain name.

Not changing all You may not want to change all the DNS records to point to Office 365. An
records upcoming topic in this lesson identifies how to handle the verification process
when you do not change all DNS records.

Factor Considerations

DNS record DNS records can take up to 72 hours to propagate. Reducing the Time to Live
propagation timings (TTL) value can speed up this process, but resolvers keep cached records until
the old TTL expires, so lower the TTL well before you change the records and
still plan for the replication time.

Adding a custom domain for Office 365


If an organization has a domain name that it needs to add to Office 365, there is a specific process that
the administrator or Microsoft Partner must go through. The process of adding a custom domain to
Office 365 consists of the following steps:

1. Check that you have ownership of the domain. Domain ownership can sometimes be problematic,
particularly if a former employee registered the domain with his or her information and has now left
the organization. To find out who originally registered the domain, check the WHOIS record for that
domain by using an Internet WHOIS register, such as who.is.

2. Check that you have access to the DNS console for the domain. Different DNS hosting organizations
provide varying levels of access to DNS records for a hosted domain.

3. Check that you can make changes to the DNS records for the domain.

4. Sign in to the Office 365 admin center, and go to the Domains tab on the Settings menu.
5. Confirm domain ownership for the domain:

a. Enter the domain name for which you want to confirm domain ownership.

b. Add text (TXT) or mail exchanger (MX) records to the DNS record for the domain, according to
the instructions in the Office 365 setup wizard.

c. Confirm ownership by getting Office 365 to verify that you could make that change to the DNS
records.

6. Change the default domain to the new domain, so that any new accounts use this domain value
rather than the one originally assigned when you set up Office 365.

7. Add users and assign licenses (this is part of the Office 365 setup rather than a DNS-specific
operation).

8. Set the domain purpose and finish configuring DNS.

You can cancel out of the domain setup process but still verify that you own the domain. In the Office 365
admin center, you will then see the message Setup in progress next to that domain.

Note: After you have verified a domain, you can delete the verification TXT record. You
should also be aware that you can only validate each domain (with any attendant subdomains) to
a single Office 365 tenant account.
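The ownership confirmation in steps 5a to 5c, as an added example that is not part of the course text: a PowerShell script that registers adatum.com with the tenant, retrieves the TXT value Office 365 expects, waits until that value is visible from a public resolver, and only then asks Office 365 to confirm the domain and makes it the default. The domain name, the resolver address, and the one-hour polling window are this example's assumptions; the MsolDomain cmdlets and Resolve-DnsName are the real tools.

```powershell
# Added example (not part of the course text): verify ownership of a custom domain with the
# TXT-record method, checking public DNS before asking Office 365 to confirm.
# Assumptions: MSOnline module installed, global administrator signed in, adatum.com is a
# domain you control, and 8.8.8.8 is reachable as a public resolver.

Import-Module MSOnline
Connect-MsolService

$domain   = 'adatum.com'
$resolver = '8.8.8.8'

# 1. Register the domain with the tenant; it stays Unverified until Confirm-MsolDomain succeeds
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain | Out-Null
}

# 2. Ask Office 365 which TXT record it expects (Text is the "MS=ms..." value)
$expected = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
Write-Host "Publish at the zone apex of $domain a TXT record with value: $($expected.Text)"

# 3. Poll a public resolver until the record is visible. Confirming before it has propagated
#    only burns a failed attempt; -DnsOnly bypasses the local client cache.
$deadline = (Get-Date).AddHours(1)
do {
    $txt = Resolve-DnsName -Name $domain -Type TXT -Server $resolver -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Strings -contains $expected.Text }
    if (-not $txt) { Start-Sleep -Seconds 60 }
} until ($txt -or (Get-Date) -gt $deadline)

if (-not $txt) { throw "Verification TXT record for $domain is still not visible in public DNS" }

# 4. Ask Office 365 to verify ownership and check the resulting state
Confirm-MsolDomain -DomainName $domain
$status = (Get-MsolDomain -DomainName $domain).Status
if ($status -ne 'Verified') { throw "Domain $domain is in state '$status', expected Verified" }

# 5. Make the verified domain the default for new accounts (step 6 of the procedure)
Set-MsolDomain -Name $domain -IsDefault
Write-Host "$domain verified and set as the default domain; the MS=... TXT record can now be removed"
```

Once the domain shows as Verified, the TXT record has done its job and can be deleted from the zone, as the note above says; leaving it in place is harmless but reveals nothing useful either. If the loop times out, check that the record was added at the zone apex (the label Office 365 shows is the bare domain, not a subdomain) and that the published string matches exactly.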

Planning DNS zones for custom domains


A publicly available DNS zone setup is very important during the Office 365 deployment for organizations
that want to use custom domains. By being able to edit records within their DNS zone, organizations prove
that they own the DNS zone, so that the Office 365 setup wizard can create the tenant with the
organization's custom domain, such as Adatum.com.

Furthermore, during the setup, the Office 365 setup wizard will instruct organizations on which DNS
records they need to add to the public DNS zone. Once the organization configures the DNS zone according
to the instructions in the Office 365 setup wizard, client software such as Outlook or the Skype for Business
client will use Autodiscover and the other published records to resolve the service names under the custom
domain to the Office 365 endpoints. After this, the organization's client computers can connect to
Office 365 services, such as Exchange Online or Skype for Business Online.

Organizations use internal DNS zones configured on internal DNS servers, so that internal clients can
resolve computer names and services. Organizations also use external, public DNS zones configured on
Internet-accessible DNS servers so that clients located on the Internet are able to resolve computer names
and services.

When planning DNS zones for custom domains, organizations might choose between the following two
scenarios:

Internal DNS zones and external DNS zones have different names. In this scenario, a company might
set up its own internal DNS for its internal domain, Adatum.local for example, and then use a DNS
forwarder on the internal DNS servers to send name resolution requests for external domains to an
external name server. For example, a request for mail.Adatum.local would resolve to an internal IP
address, such as 192.168.20.10, whereas a request for mail.Adatum.com might resolve to 131.107.43.19,
the company's external IP address for that host name. Internal clients that connect to Office 365
services from the internal network will submit resolution requests to the local DNS servers. Then, a
local DNS server will forward the client's request to the external DNS server, which will resolve the
request and return the answer to the company's internal DNS server. Finally, the local DNS server will
return the resolved answer to the internal client.

Internal DNS zones and external DNS zones have the same name (split-brain DNS). Split-brain DNS is
a configuration in which the internal and external DNS environments provide different IP addresses in
response to requests for the same host name, depending on where the request is generated. If a request
for mail.Adatum.com comes from inside the Adatum.com network, the address returned might be
192.168.20.10 on the internal network, whereas if a user directly connected to the Internet made the
same request for mail.Adatum.com, the IP address returned might be 131.107.43.19. This configuration
is achieved by creating a zone on the internal DNS server for Adatum.com. When a client on the
internal network makes a request for mail.Adatum.com, the internal DNS server responds with the IP
address for that host, using the A (address) or CNAME (canonical name) records that the server
maintains for that zone. There is no requirement to forward the name resolution request to the
external DNS servers. However, external clients who try to contact mail.Adatum.com receive a
response from the external DNS server that is authoritative for that zone. Internal clients that connect
to Office 365 services from the internal network will submit resolution requests to the local DNS
servers. Because the internal server is authoritative for Adatum.com, it will never forward those
requests, so for a local DNS server to be able to resolve the Office 365 service names, the internal
DNS zone and the external DNS zone must both be configured with the same records requested by the
Office 365 setup wizard. Once both the internal and external DNS zones are configured with the same
records, clients will be able to connect to Office 365 services, irrespective of whether they connect
from inside the company or from the Internet.

Configuring DNS records for custom domains


After the Office 365 setup wizard has verified that
the organization owns the custom domain, the
administrator should add additional DNS records
to the custom DNS zone so that the organization's
clients can locate Office 365 services. Each DNS
zone can contain a number of different DNS
record types that provide differing name
resolution services. If the organization hosts its
own external DNS server, then a DNS
administrator should add the necessary DNS
records to provide client connectivity to Office
365 services. If a DNS provider hosts the
organization's DNS zone, then administrators should add the necessary DNS records through the
appropriate management console that the DNS provider has created. Some DNS providers, such as
GoDaddy, provide automated DNS record configuration for Office 365, so organizations do not need to
manually create their DNS records for Office 365. Furthermore, organizations might also select the option
to have Office 365 configure and host the DNS records. This means that the organization moves DNS
management to Office 365.

Office 365 uses the following subset of DNS records:

DNS records for Exchange Online include:

MX. This record is a requirement for SMTP communication between Exchange Online in Office 365
and mail servers on the Internet.

CNAME. Outlook clients use this record to locate the Autodiscover service in Office 365.

TXT. This record is a requirement for Sender Policy Framework (SPF) anti-spam protection.
TXT. Organizations that use Exchange Federation need this record.

The following table lists the requirements for the MX and CNAME records for Exchange Online.

Type    Priority  Host name     Points to address                        TTL

MX      0         @             Adatum-com.mail.protection.outlook.com   1 Hour

CNAME   -         autodiscover  autodiscover.outlook.com                 1 Hour

The following table lists the requirements for the TXT records for Exchange Online.

Type    TXT name  TXT value                                            TTL

TXT     @         v=spf1 include:spf.protection.outlook.com -all       1 Hour

TXT     @         Custom-generated, domain-proof hash text             1 Hour


DNS records for Skype for Business Online include:

SRV. This record is used for SIP federation where an Office 365 domain shares instant messaging (IM)
features with external clients.

SRV. Skype for Business uses this record for coordinating the flow of communication between Skype
for Business clients.

CNAME. Skype for Business clients use this record to find the Skype for Business Online service in
Office 365 and sign in.

CNAME. Skype for Business mobile clients use this record to find the Skype for Business Online service
in Office 365 and sign in.

The following table lists the requirements for the SRV records for Skype for Business Online.

Type  Service            Protocol  Port  Weight  Priority  TTL     Name  Target

SRV   _sip               _tls      443   1       100       1 Hour  @     sipdir.online.lync.com

SRV   _sipfederationtls  _tcp      5061  1       100       1 Hour  @     sipfed.online.lync.com

The following table lists the requirements for the CNAME records for Skype for Business Online.

Type    Host name      Points to address        TTL

CNAME   sip            sipdir.online.lync.com   1 Hour

CNAME   lyncdiscover   webdir.online.lync.com   1 Hour

The DNS record for Office 365 Single Sign-On is:

Host (A). This record is used where organizations need single sign-on (SSO) with Active Directory
Federation Services (AD FS). The record provides the endpoint for on-premises and external users to
connect to organization ADFS proxy servers or load-balanced virtual IP addresses.

The following table lists the requirements for the Host (A) record for Office 365 Single Sign-On.

Type       Host name   Points to address        TTL

Host (A)   sip         sipdir.online.lync.com   1 Hour

The DNS records for Mobile Device Management for Office 365 are:

CNAME manage.microsoft.com. When Office 365 users sign in on their mobile devices with an email
address, this setting is used to redirect them to enroll in MDM for Office 365.

CNAME enterpriseregistration.windows.net. This setting is used for workplace join for mobile devices.
The following table lists the requirements for the CNAME records for Mobile Device Management for
Office 365.

Type    Host name                Points to address                            TTL

CNAME   enterpriseregistration   enterpriseregistration.windows.net           1 Hour

CNAME   enterpriseenrollment     enterpriseenrollment.manage.microsoft.com    1 Hour

The DNS record for Microsoft Online Services Sign-In Assistant is:

CNAME. This record is used during the authentication process by client applications, such as Outlook,
Skype for Business Online, Windows PowerShell or Microsoft Azure Active Directory Sync tool. By
using this record, Office 365 connects clients to the appropriate authentication endpoint, depending
on the client location.

The following table lists the requirements for the CNAME record for Microsoft Online Services Sign-In
Assistant.

Type    Host name   Points to address                    TTL

CNAME   msoid       clientconfig.microsoftonline-p.net   1 Hour

Additional Reading: For more information, refer to: External Domain Name System
records for Office 365 at: http://aka.ms/d67qkh
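The split-brain discussion above says both views of the zone must carry the same Office 365 records, and the tables list what those records are. The following script, added here as an illustration and not part of the course or of any Microsoft tool, models an internal and an external view of a zone as constructed record lists (A. Datum is fictitious, and the zone contents are made up) and reports where each view falls short of the tables: missing records, a wrong MX target, or an SPF record that ends in ~all (soft fail) instead of the required -all. The record-matching rules are the ones a practitioner would derive from the tables; the tenant-specific MX target is checked by suffix only.

```python
"""Check a split-brain DNS setup against the Office 365 record requirements.

Added example for this course text, not Microsoft tooling. Zone contents are
constructed for illustration; A. Datum is a fictitious company.
"""

# Records are (type, owner name, value). Owner names are relative to the zone
# apex, with "@" meaning the apex itself, as in the tables above.
Zone = list[tuple[str, str, str]]

# Constructed internal view: "mail" resolves to a private address, and two of
# the Skype for Business records have not been copied into this zone yet.
INTERNAL_ZONE: Zone = [
    ("A", "mail", "192.168.20.10"),
    ("MX", "@", "Adatum-com.mail.protection.outlook.com"),
    ("CNAME", "autodiscover", "autodiscover.outlook.com"),
    ("TXT", "@", "v=spf1 include:spf.protection.outlook.com -all"),
    ("SRV", "_sip._tls", "sipdir.online.lync.com"),
    ("CNAME", "sip", "sipdir.online.lync.com"),
    ("CNAME", "enterpriseregistration", "enterpriseregistration.windows.net"),
    ("CNAME", "enterpriseenrollment", "enterpriseenrollment.manage.microsoft.com"),
    ("CNAME", "msoid", "clientconfig.microsoftonline-p.net"),
]

# Constructed external view: complete, except that the SPF record ends in
# "~all" (soft fail) rather than the "-all" the Exchange Online table requires.
EXTERNAL_ZONE: Zone = [
    ("A", "mail", "131.107.43.19"),
    ("MX", "@", "Adatum-com.mail.protection.outlook.com"),
    ("CNAME", "autodiscover", "autodiscover.outlook.com"),
    ("TXT", "@", "v=spf1 include:spf.protection.outlook.com ~all"),
    ("SRV", "_sip._tls", "sipdir.online.lync.com"),
    ("SRV", "_sipfederationtls._tcp", "sipfed.online.lync.com"),
    ("CNAME", "sip", "sipdir.online.lync.com"),
    ("CNAME", "lyncdiscover", "webdir.online.lync.com"),
    ("CNAME", "enterpriseregistration", "enterpriseregistration.windows.net"),
    ("CNAME", "enterpriseenrollment", "enterpriseenrollment.manage.microsoft.com"),
    ("CNAME", "msoid", "clientconfig.microsoftonline-p.net"),
]

# Fixed-target records from the tables above: (type, owner, expected target).
REQUIRED = [
    ("CNAME", "autodiscover", "autodiscover.outlook.com"),
    ("SRV", "_sip._tls", "sipdir.online.lync.com"),
    ("SRV", "_sipfederationtls._tcp", "sipfed.online.lync.com"),
    ("CNAME", "sip", "sipdir.online.lync.com"),
    ("CNAME", "lyncdiscover", "webdir.online.lync.com"),
    ("CNAME", "enterpriseregistration", "enterpriseregistration.windows.net"),
    ("CNAME", "enterpriseenrollment", "enterpriseenrollment.manage.microsoft.com"),
    ("CNAME", "msoid", "clientconfig.microsoftonline-p.net"),
]
MX_SUFFIX = ".mail.protection.outlook.com"   # MX target is tenant-specific
SPF_INCLUDE = "include:spf.protection.outlook.com"


def resolve(zone: Zone, owner: str, rtype: str) -> list[str]:
    """Return the values a server holding this zone view would answer with."""
    return [v for t, o, v in zone if t == rtype and o.lower() == owner.lower()]


def check_spf(zone: Zone) -> list[str]:
    """Check the apex TXT records for the SPF record Exchange Online needs."""
    spf = [v for v in resolve(zone, "@", "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF TXT record at @, found {len(spf)}"]
    terms = spf[0].split()
    findings = []
    if SPF_INCLUDE not in terms:
        findings.append(f"SPF record lacks {SPF_INCLUDE}")
    if terms[-1] != "-all":
        findings.append(f"SPF record ends with '{terms[-1]}', not the required '-all'")
    return findings


def check_zone(zone: Zone) -> list[str]:
    """List every way one zone view falls short of the Office 365 record tables."""
    findings = []
    if not any(v.lower().endswith(MX_SUFFIX) for v in resolve(zone, "@", "MX")):
        findings.append(f"no MX record at @ pointing to *{MX_SUFFIX}")
    findings += check_spf(zone)
    for rtype, owner, target in REQUIRED:
        if target.lower() not in (v.lower() for v in resolve(zone, owner, rtype)):
            findings.append(f"missing {rtype} {owner} -> {target}")
    return findings


def split_brain_report(internal: Zone, external: Zone) -> dict[str, list[str]]:
    """Both views must carry the Office 365 records; report gaps per view."""
    return {"internal": check_zone(internal), "external": check_zone(external)}


if __name__ == "__main__":
    for view, zone in (("internal", INTERNAL_ZONE), ("external", EXTERNAL_ZONE)):
        print(f"{view}: mail -> {resolve(zone, 'mail', 'A')}")
    for view, findings in split_brain_report(INTERNAL_ZONE, EXTERNAL_ZONE).items():
        print(f"{view}: {'OK' if not findings else findings}")
```

Run as written, the script shows the two different answers for mail (the split-brain behaviour) and then reports that the internal view is missing the _sipfederationtls._tcp SRV and lyncdiscover CNAME records while the external view's SPF record uses the weaker ~all qualifier. Against a real deployment the constructed lists would be replaced by records exported from the internal DNS server and from the public DNS provider.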

Managing feature updates


Microsoft updates Office 365 components with
new features and capabilities so that customers
can experience the improvements in the product.
Microsoft deploys Office 365 updates to
customers after thoroughly testing them.
Organizations might choose to get Office 365
updates according to the Microsoft default release
schedule, or choose to receive them first.
Administrators can choose the schedule of update
deployments in their organizations by choosing
one of following options in the Office 365 admin
center:

Standard release. Standard release is the default option, in which organizations receive the latest
updates per the Microsoft default release schedule, when all Office 365 customers receive them. You
may choose this option if your organizational strategy is to prepare the support staff for upcoming
updates before deploying them in your organization.

First release. The First release option enables organizations to get the latest updates first, and provide
early feedback to Microsoft. Administrators can choose to deploy updates only to selected individuals
in an organization, or to deploy updates to the entire organization.

To configure the first release settings for your organization, in the Office 365 admin center, select
Organization profile from the Settings menu. You can edit the release preferences for all users, or
configure specific users to receive the first release updates.
Question: What are the steps involved in creating a tenant account for Office 365?

Question: What factors should you consider when planning a custom domain?
Lesson 3
Planning a pilot deployment
In this lesson, you will review the overall factors that can affect an Office 365 deployment. However, it is
important to realize that these are not necessarily complete deployment blockers, merely factors of which
you need to be aware. This is the strength of the FastTrack process: organizations can take it as far as
they want, and can reach a deployment position where they realize value from the Office 365 platform
without affecting their existing infrastructure or compromising on the benefits of the cloud-based service.

Lesson Objectives
After completing this lesson, you will be able to:

Compare an Office 365 pilot to the traditional deployment process.

Describe how your organization implemented Office 365.

List the activities within the pilot phase of the FastTrack approach, and their outcomes.
Gather customer requirements.

Identify customer constraints.

Identify pilot users.

Evaluate the pilot deployment.

Describe the activities that happen in the production deployment after the pilot completes.

List the deployment tools to help with the FastTrack deployment.

Comparing an Office 365 pilot to the traditional deployment process


With the traditional deployment approach, it
might take the organization several weeks or even
months to reach the migration phase. During this
time, the organization is unable to experience the
benefits of Office 365 firsthand. Even when the
pilot deployment is tested, organizations might
not gain useful operational experience from the
pilot.

The result of this approach is that it may be two or
more months until the first users migrate to their
Office 365 mailboxes, and three to four months
before the organization finally benefits from
moving to the new service.

A key message is that cloud deployments are not like traditional on-premises deployments, and they need
a new methodology to accommodate that difference. With the Office 365 FastTrack deployment
approach, customers can:
Experience the value of Office 365 much earlier than with traditional deployment methodologies.

Evolve into features as and when required.

Determine how far to go with the Office 365 migration.


With the FastTrack approach, organizations can deliver a rich user experience and a high-productivity
solution with minimal on-premises requirements, particularly in the pilot phase. Continuing the
deployment path builds on the previous steps already performed in the pilot phase, so there is no
requirement to restart the effort from scratch. The organization also can extend and deliver new
capabilities to users as their needs change.
There are multiple data migration methods available, including user self-service and IT-driven approaches.

The organization can choose one of the following user identity models to suit its needs:

Cloud identities

Synchronized identities (with optional password synchronization)

Federated identities

Finally, there is an Office 365 Deployment Portal with prescriptive step-by-step guidance and video
instructions for the FastTrack process.

Additional Reading: For more information, refer to: FastTrack for Office 365 at:
http://aka.ms/il5z8i

Discussion: How did your organization implement Office 365?


Based on the previous topic, if your organization
already deployed Office 365 pilot, share your
experience of the Office 365 deployment process
with other students.

Overview of the Office 365 pilot phase


It is essential that you have a thorough
understanding of the objectives of the pilot phase
and that you keep them in mind throughout the
entire phase, so that you can avoid project scope
extensions, which can last through the duration of
the pilot, raise technical issues that are best dealt
with later in the deployment process, and deter
customers from appreciating the value and
simplicity of the Office 365 service.
The objectives of the Office 365 pilot phase include:

Deliver a predictable and consistent pilot experience for the customer.

Demonstrate expertise with Office 365.

Gain a detailed understanding of the customer's environment and priorities.

Highlight next steps for deployment beyond the pilot.

Rapidly transition to service delivery in the customer environment.

The pilot phase consists of the following activities that you must perform in consecutive order:

1. Check prerequisites. Make sure you have assessed the organization's environment correctly for the
pilot.

2. Set up pilot domains. Determine the domain policy and identify customer domains for the pilot.

3. Add users. Select users to be part of the pilot.


4. Connect existing email accounts. Determine the available options for connecting to the existing
email system.

5. Set up collaboration sites. Establish use and requirements for SharePoint sites.
6. Prepare pilot users. Plan communications with pilot users.

7. Test the pilot. Identify success factors for testing the pilot.

8. Run the pilot. Record the results of planning decisions.

9. Complete the pilot. Feed the results into Deploy phase planning.

Successful outcomes from the pilot phase are:

Provision the Office 365 service.

Create the initial users in the service.

Enable active use of mail by pilot users.

Deploy Office 365 ProPlus to pilot users (if required).

Enable user evaluation of Office 365 services.

Validate the service integration into the organization landscape.

Establish an Office 365 environment that can move into production.

You must record this information in real time during the pilot. Otherwise, you might miss important
details that might not be recordable after the fact. You will use this recorded information from the pilot
for checking planning decisions against actual outcomes, and it feeds into the Deploy phase.
Gathering customer requirements


The first task before starting the pilot is an initial
analysis of the environment as part of the
qualification process. The analysis does not need
to be in depth at this point. You might also find
that much of this information is already available
and documented within the organization. This
analysis is part of the Office FastTrack three-day
offering.

Additional Reading: For more information, refer to: Office 365 FastTrack Planning at:
http://aka.ms/se9j3a

Industry sector
With any Office 365 pilot deployment, it is important to identify the organization's industry sector,
because this information will provide insight into the method of working and anticipated behavior.
Furthermore, business requirements for Office 365 might be similar in organizations that belong to the
same industry sector.

Types and number of IT users


Following the identification of the industry sector, you should then identify the number and types of IT
users. User types typically fall into two main categories:

Information workers. Users who work at desks or on the move, and primarily create or process data.

Kiosk workers. Users who do not need regular access to a computer or mobile device to carry out
their tasks.

User analysis
You also need to know how these users are distributed, and how they use their devices. Consider the
following aspects:

Are the users in a few large offices, such as an insurance company, or in many small ones, such as a
car dealership?

Do they work at home, either occasionally or permanently, and do they need to access data on the
move?

What devices do the users have?


Does the organization have a Bring Your Own Device (BYOD) policy in place, or are there local
impromptu arrangements?

Company requirements
You must take into consideration the requirements and characteristics of the organization that is
deploying the pilot, and also its workloads, by assessing the following:

How does the company currently deliver IT? Do they have a centralized department or a distributed
arrangement?

Is the IT in-house or outsourced?

How does the organization view IT services, and how is the department managed?
What compliance and data retention requirements does the company need to consider? Some
organizations have strict compliance regulations in respect to data management, storage, recording,
and transmission.

What are the company's security requirements? Are they likely to be targeted, and what level of
protection should they adopt?

What workloads does the company have that do not need to be migrated to Office 365? Look at
areas such as custom applications, business information systems, and stock control environments, and
consider whether these applications will remain on premises.

Finally, what is the company management team's likely attitude toward moving to the cloud? Being
aware of this attitude and having a strategy and tactics to address it are essential for a smooth
deployment.

At this point, the information does not have to be completely accurate. For example, rounding user
numbers to the nearest thousand or hundred is acceptable. If there is an established relationship with the
organization or you already work within the company, much of this information should be available.

Identifying customer constraints


It is important that organizations identify any
constraints that might lead to blocking the Office
365 deployment or that might affect whether the
organization will move forward to the pilot phase.
Organizations must make this identification as
early as possible in the deployment process.

Note that deployment blockers can often occur
because of information that customers have not
shared on time, such as the fact that they may
have some other urgent project that will allocate
IT staff responsible for Office 365 deployment.
The following table lists some potential
constraints and deployment blockers, and the steps that you can take to avoid them.

Potential constraints and deployment blockers   Prevention

Lack of management support for Office 365       Clearly communicate the benefits.

Lack of IT department support for this change   Fully brief the IT department on what is happening,
                                                and how the change will affect IT department
                                                processes.

Costs/funding                                   Cover the financial angles with the customer.

Competition                                     Highlight the benefits of Office 365, and emphasize the
                                                additional flexibility of options such as hybrid
                                                Exchange.

Data storage requirements                       With companies that have specific data storage
                                                requirements in terms of where their data is
                                                geographically located, consider choosing hybrid
                                                options and keeping sensitive data onsite.

Bandwidth                                       Emphasize the general productivity and cost-saving
                                                benefits of getting branch offices Internet-connected.
                                                Review technologies such as mesh wireless networks
                                                and satellite links.

Results                                         Create a list of potential constraints that might
                                                transform to deployment blockers. Then for each
                                                constraint, identify a mitigating approach to address
                                                the issue.

Identifying pilot users


The process of selecting and involving pilot users
into the Office 365 FastTrack Pilot is vitally
important and has the potential to make or break
the pilot process. Therefore, it is essential to select
the right people with a balanced mix of interests,
abilities, and attitudes to help ensure the success
of the FastTrack Pilot. Keep in mind the following
points:

Determine the number of pilot users. The first
planning decision is to define the number of
users who will participate in the pilot. As a
rule of thumb, you should consider a pilot
that employs at least five percent of the information worker user base, spread evenly throughout the
departments. Any less than this figure indicates poor preparation and buy-in from your organization.

Plan for pre-pilot users. With larger organizations, it may be necessary to deploy some pre-pilot users.
With these larger pilot engagements, it can be useful to initially roll out Office 365 to a small subset
of users, to help identify issues, before including a wider user community.

Select the pilot users. Pilot users typically meet the following criteria:

o Full-time employees for more than six months.

o Trained information workers.

o Representative of the overall function of the company.

o Employees are a mix of age, experience, and seniority within their department.

o Prepared to provide feedback on the pilot.

Create and implement a pilot user communication plan. Effective communication with the pilot users
is vital and needs to start up to three weeks before the pilot itself.

Train and support the pilot users. Microsoft does not support Office 365 pilot users, so planning user
and helpdesk training and support for the pilot phase is an important part of the experience.
Evaluating the pilot deployment


When the pilot phase completes, the organization
should evaluate the pilot to make a decision
about the next steps and recommendations that
they must complete. If the organization decides
that further testing with new Office 365
capabilities is warranted, it might choose to
extend the pilot. However, if the organization
decides that it is not willing to proceed with the
pilot for any reason, it might choose to end the
pilot.

Extending the pilot


After the pilot engagement is complete, the
organization has the option to continue extending the pilot to prepare further for future changes. The
organization has the following options:

Continue user pilot. The most basic option is simply for the organization to continue with the user
pilot. Users would continue to use Office 365 on a regular basis. The organization can collect user
feedback about Office 365 and highlight the key benefits. This information also enables the
organization to plan future deployments appropriately for each workload. Importantly, the pilot
provides data points to best plan the organization's migration and identity needs.

Expand the scope. The trial tenant used for the pilot service allows up to 250 users, so the
organization could add more pilot users to prove the service fit for various groups within the
organization. Note that users who are moved to the service during the pilot can be transitioned to
production after a decision for service use is reached.

Ending the pilot


Finally, you also must consider what to do if the customer does not want to move from the pilot to the
deployment phase. A key requirement is that you return their environment to how it was before the start
of the pilot, and you should also attempt to identify the reasons why the pilot was not successful. Always
leave the door open for the customer to return to Office 365 at a later date.

Planning the production deployment


Once the organization has ensured that the Office
365 pilot project has met its business
requirements, it might continue with planning the
production deployment. Planning the production
deployment includes steps for planning for the
Office 365 service and planning the organization's
environment.

Planning for the Office 365 service


The pilot provides the organization with its first look at the Office 365 service. The company can take
actions to begin planning how the service will best fit its needs by considering the following options:

Service options. The pilot has enabled users to begin using a broad range of Office 365 features. The
service provides solutions for mail, collaboration, sharing, and other scenarios. The scope of the pilot
was confined to the core service options. Therefore, the organization should determine the additional
scenarios in which Office 365 can be useful.

Identity planning. The pilot introduced the organization to the concept of identity management in
the Office 365 service. The pilot engagement provisions users in the service through cloud identities.
The trial tenant shows how this identity management approach works for administrators and users.
However, the organization also needs to start thinking about identity management. This planning
should consider future additional service scenarios and integration requirements for streamlined
management. Further planning considerations should determine the future implementation plans for
identity management and authentication. The cloud identity approach used in the pilot engagement
uses a stand-alone set of user credentials. The organization should map a plan for the desired
authentication plans including plans for single sign-in (SSO) options.

Mail migration planning. In the pilot, the organization has experienced mail using the Office 365
connected accounts feature. This feature enables users to access existing mail items, and continue to
send and receive mail with their existing email addresses. However, users will expect to bring existing
mail, calendar, and contacts to the new service. Office 365 provides a range of migration options to
help manage this migration. If customers begin planning early to reduce the content users currently
have in place, this migration process is considerably simplified.

Planning the organization's environment


The pilot engagement enabled the Office 365 service and implemented the related components in the
organization's environment. Assuming the results of the trial are acceptable, the organization can then
perform the following post-pilot activities:

Raise awareness. The Summary Results provided at the end of the pilot help the organization share
the results with the company leadership and partner teams. These results can help the organization
develop and track action on the recommended next steps.

Plan for transition. The pilot uses an Office 365 trial tenant that needs to be transitioned to a live
account before the trial expires.

Overview of deployment tools


Microsoft provides deployment tools and
resources that help customers deploy Office 365
solutions and migrate their current on-premises
applications to Office 365. These tools and
resources include TechNet Center for Office 365,
Office Blogs, Office 365 Trust Center, Office 365
Service Descriptions, Office 365 Roadmap, and
Microsoft Planning Services.
TechNet Center for Office 365


TechNet Center for Office 365 is a set of Office 365 resources located on TechNet. These resources include
technical training, documentation, downloads, and related sites. Topics include Office 365 service
description and comparison, deployment, migration, learning videos, and resources for different business
scenarios.

Additional Reading: For more information, refer to: Office 365 for IT pros at:
http://aka.ms/kl703e

Office Blogs
Office Blogs is an online resource that contains the latest information about different Office products,
including Office 365. You can customize blog reading content by choosing:

The Office product you want to read about, such as Office 365, Office Online, Exchange, or Skype for
Business.

Office usage, such as business, public sector, or nonprofit.

The type of information that you want to read about, such as customer stories, events, news, or
podcasts.

Additional Reading: For more information, refer to: FastTrack for Office Blogs at:
http://aka.ms/t1mgkg

Office 365 Trust Center


Office 365 Trust Center provides information about different security aspects of tenant data in Office 365.
Content includes different security topics such as built-in security, privacy by design, continuous
compliance, and transparent operations.

Additional Reading: For more information, refer to: Office 365 Trust Center at:
http://aka.ms/j0074t

Office 365 Service Descriptions


Office 365 Service Descriptions provides information about each Office 365 service, such as Exchange
Online, Skype for Business Online, and SharePoint Online. Once you choose to read about any of the
Office 365 technologies, you are redirected to the appropriate TechNet resource page.

Additional Reading: For more information, refer to: Office 365 Service Descriptions at:
http://aka.ms/gxsbad

Office 365 Roadmap


Office 365 Roadmap is the list of updates that are rolled out to different Office 365 customers. Office 365
Roadmap includes information about the following updates: Launched, Rolling out, In development,
Cancelled, and Previously released.

Additional Reading: For more information, refer to: Office 365 Roadmap at:
http://aka.ms/Kgo4ds
Microsoft Planning Services


Microsoft Planning Services is a service that is available to Software Assurance customers. Microsoft
Planning Services help customers by offering deployment planning best practices and business value
planning information in different phases of customer projects. Planning Services are available for different
Microsoft products, including Office 365.

Additional Reading: For more information, refer to: Software Assurance Planning
Services at: http://aka.ms/leudft

Using Microsoft FastTrack for Office 365 onboarding


Microsoft FastTrack for Office 365 is a service that
helps organizations move to Office 365. FastTrack
includes several components, such as best
practices, tools, resources, and remote
personalized assistance by Microsoft engineers.

Microsoft engineers from the FastTrack Center
team contact organizations that purchase more
than 50 Office 365 Enterprise and Office 365
Business SKUs, along with paid Government,
Kiosk, and Nonprofit SKUs. If the organizations
need migration assistance from the FastTrack
team, they must purchase 150 or more Office 365
seats. The FastTrack service is available if customers have current and eligible Office 365 subscription
plans. This means that customers can use the FastTrack service right after license purchase, but also in
later phases of deployment.

FastTrack engineers assist customers through multiple project phases. After license purchase, a FastTrack
representative contacts the customer and they arrive at a mutual agreement about the kickoff for the
onboarding process. After that, FastTrack engineers work with the customer to assess the customer
environment and then plan for remediation of any potential issues that they find.

If the organization needs to migrate its emails and files from a different, non-Microsoft platform, it can
also use FastTrack services. FastTrack engineers can help migrate data from platforms such as IBM
Domino, Google Apps, Novell GroupWise, or other email systems equipped with Internet Message Access
Protocol (IMAP). If the company also needs to migrate its files to OneDrive for Business, it can do so from
platforms such as Google Drive, Box, or file shares.

With the introduction of the Office 365 Enterprise E5 plan, FastTrack resources are also available for
guidance on PSTN conferencing platforms. Companies in regions where the Office 365 PSTN service is
available can use FastTrack resources for onboarding to Cloud PBX, in addition to configuring PSTN
conferencing, Skype Meeting Broadcast, and PSTN calling plans.

Additional Reading: For more information, refer to: FastTrack for Office 365 at:
http://aka.ms/il5z8i

Question: How does an Office 365 pilot compare to the traditional deployment process?
Lab: Provisioning Office 365


Scenario
A. Datum Corporation is considering moving some of the core on-premises services such as Exchange
Server, Skype for Business Server, and SharePoint Server to Office 365. The project steering committee
needs to ensure that Office 365 can provide the required functionality, and accommodate the corporate
security and compliance requirements. To get started, A. Datum has decided to begin a pilot deployment
of Office 365 for a group of users in the London office.
As one of the most experienced IT admins at A. Datum, you are responsible for implementing the pilot
project. To start, you need to configure the Office 365 tenant, and then configure the custom domain that
your organization uses. You also need to ensure that you are comfortable with the Office 365
administrator interfaces.

Objectives
After completing this lab, you will be able to:
Configure an Office 365 tenant.

Configure a custom domain.

Explore the Office 365 administrator interfaces.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 75 minutes

Virtual machines: 20347A-LON-DC1 and 20347A-LON-CL1


User name: Adatum\Administrator, Adatum\Holly

Password: Pa55w.rd

This course uses the new Office 365 admin center for all labs. If you are connected to the previous Office
365 admin center when you connect to Office 365, click the banner at the top of the page to connect to
the new admin center.

In all tasks:

Where you see references to Adatumyyxxxx.onmicrosoft.com, replace Adatumyyxxxx with your unique Office 365 Name displayed in the online lab portal.

Where you see references to Adatumyyxxxx.hostdomain.com, replace Adatumyyxxxx with your unique hostdomain.com Name displayed in the online lab portal.

This lab requires the following virtual machines (use only the VMs required for your lab):

LON-DC1

o Sign in as Adatum\Administrator by using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly by using the password Pa55w.rd



Question: Why is it important to specify the correct country/region when you set up an
Office 365 account?

Question: What ports need to be open to ensure client communications with the Office 365
environment, and for what are those ports and protocols used?

Module Review and Takeaways


Best Practices
Best practices for this stage of the Office 365 deployment process are:

Ensure that you understand the organization's need for Office 365.

Identify any in-house services that are not going to transition to Office 365.

Recruit the right people to be pilot users.

Check that you have suitable infrastructure to support a connection to Office 365.

Review Question

Question: If you are selected to lead the Pilot at A. Datum Corporation, what personal
qualities, skills, and experience would you need to demonstrate to maximize the probability
of the organization moving to the pilot phase?

Module 2
Managing Office 365 users and groups
Contents:
Module Overview 2-1

Lesson 1: Managing user accounts and licenses 2-2

Lesson 2: Managing passwords and authentication 2-8

Lab A: Managing Office 365 users and passwords 2-12

Lesson 3: Managing security groups in Office 365 2-13

Lesson 4: Managing Office 365 users and groups with Windows PowerShell 2-17

Lesson 5: Configuring administrative access 2-30


Lab B: Managing Office 365 groups and administration 2-35

Module Review and Takeaways 2-36

Module Overview
After provisioning and configuring the Microsoft Office 365 tenant, the tenant administrator should create
users and groups so that the organization's employees can start working with Office 365. Furthermore, the
tenant administrator should assign administrative roles to the members of the IT team who will be
responsible for managing the Office 365 tenant for the organization.

In this module, you will learn about managing users, groups, and licenses and configuring administrative
access by using the Office 365 console and the Windows PowerShell command-line interface.

Objectives
After completing this module, you should be able to:

Manage user accounts and licenses by using the Office 365 admin center.

Manage passwords and authentication.

Manage security and distribution groups by using the Office 365 admin center.

Manage Office 365 users and groups by using Windows PowerShell.

Configure administrative access.



Lesson 1
Managing user accounts and licenses
As the administrator of your organization's Office 365 environment, you will be responsible for creating
and managing user accounts for all of its users. Administrative tasks for user accounts include creating
and managing user objects, creating and configuring password policies, configuring self-service password
management, and configuring multi-factor authentication.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the user account types.

Explain how to create user accounts by using the Office 365 admin center.

Explain how to manage user licenses by using the Office 365 admin center.

Explain how to manage user accounts by using the Office 365 admin center.
Explain how to delete and restore user accounts by using the Office 365 admin center.

User account types


One of the most important considerations for implementing Office 365 user accounts is the way in which
you create and manage those identities. You can choose to maintain identities only in Office 365, or you
can integrate identities with your on-premises Active Directory Domain Services (AD DS). Each option has
different advantages.

Cloud identities
A cloud identity is a user that exists only in Office
365. You can create a cloud identity with the same
name as an on-premises user account, but there is
no link between them. You create cloud identities by using Office 365 management tools.

The main drawback to using cloud identities is the additional management associated with them. When
you create a new user on-premises, you also need to create that user in Office 365 as a separate step.
Also, users need to maintain a separate password because there is no password synchronization. Most
often, only very small organizations use cloud identities.

Synchronized identities
A synchronized identity is a user that exists in on-premises AD DS and Office 365. The AD DS user and the
Office 365 user are linked together. Any changes that you make to the on-premises user are synchronized
to the Office 365 user.
Azure Active Directory Connect (Azure AD Connect) performs the synchronization. You download
Azure AD Connect and install it in your on-premises environment. With it, you can filter which accounts
are synchronized and choose whether to synchronize password hashes, so that users can sign in to Office
365 with their on-premises password.

When you implement synchronized identities, AD DS is the authoritative source for most information. This
means that you perform administration tasks mostly on-premises which are then synchronized to Office
365. Only a very small set of attributes synchronize from Office 365 back to AD DS on-premises.

Authentication for synchronized identities occurs in Office 365. The username and password are evaluated
in Office 365 without any reliance on the on-premises infrastructure.

Federated identities
A federated identity is a synchronized account that is authenticated by using Active Directory Federation
Services (AD FS). AD FS is deployed on-premises and communicates with AD DS on-premises. When Office
365 authenticates a federated identity, it directs the authentication request to AD FS. Because the on-
premises user account is used for authentication, the same password is used for signing in to Office 365
and on-premises AD DS.
Implementing federated identities is significantly more complex than synchronized identities because of
the requirement to implement AD FS. Authentication to Office 365 is dependent on the availability of
AD FS. Service interruptions to on-premises infrastructure can affect Office 365 authentication. For
example, an on-premises Internet outage will cause Office 365 authentication to fail. However, you can
mitigate this by placing a copy of AD DS and AD FS in Microsoft Azure.

The main benefit of using federated identities is single sign-on (SSO). Users authenticate at a domain-
joined workstation by using their credentials. SSO uses these credentials to automatically authenticate to
Office 365 services. When you use synchronized identities, the users typically need to enter in their
credentials manually when accessing Office 365 services.
Federated identities also take advantage of password policies and account lockout policies in an on-
premises AD DS. This provides more flexibility when managing password policies for Office 365. Office
365 monitors accounts for password attacks, but does not have flexible account lockout policies where
you can unlock the accounts.

Note: This module covers management of cloud identities. Subsequent modules will cover
how to implement and manage both synchronized identities and federated identities.

Creating user accounts


Depending on your needs, skills, and environment, you can use several methods to provision user accounts:

Office 365 admin center. This is a simple web interface for individually creating and managing users.

Import multiple users. This option provides a method for the bulk importation of multiple users into the
Office 365 admin center through a comma-separated value (CSV) file.

Windows PowerShell. You can use this cmdlet-based and script-based interface to create and manage
single and multiple users.

Directory synchronization. This option allows you to provision and manage users by synchronizing
Office 365 with an on-premises directory service. You can use the Azure AD Connect tool to
synchronize on-premises Active Directory objects with Azure AD objects in Office 365. Module 4
covers directory synchronization in more detail.

Creating users with the Office 365 admin center


Using the Office 365 admin center is the simplest method for creating a single user account or a small
number of user accounts.

To create a single user:

1. Sign in to Office 365 admin center.

2. On the Office 365 admin center Home page, click Users to display the Active users list. You also can
access the Active users list by pointing to the Users menu in the left pane, and then clicking Active
users.

3. Click Add a user.

4. Fill in the user information.

5. Specify whether the user is an administrator or not.

6. Specify the user's location.

7. Select which user licenses to assign.

8. Specify whether to send a confirmation email that contains a temporary password.


9. Create the user.

Note: The password is sent as plaintext in the email. If this is a concern, you need to use
another method to inform the user of their temporary password, such as in person, or through a
phone call or instant message.

Creating users with the Import multiple users option


You can use the Import multiple users option in the Office 365 admin center to import large numbers of
users in one operation by using a comma-separated values (CSV) file. Office 365 provides an empty
template and a sample CSV file to make the process easier. You can edit these files with a simple
text-editing tool such as Notepad, or with Microsoft Excel.
To create users by using bulk import:

1. In the Office 365 admin center, in Active Users, click More, and then click Import multiple users.

2. Browse to the CSV file that contains your users.


3. The verification result informs you if any errors are in your file. If there are errors, you can view the
results in the linked log file.

4. On the Set user options page, set the new users' sign-in status, location, and licenses.

5. On the View your results page, specify who should receive the email of the results. We recommend
that you include your own email address so that you can provide the temporary passwords to your
new users.
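The same bulk import done from Windows PowerShell with the MSOnline module, as an added example that is not part of the course manual. It avoids the plaintext-password-in-email problem noted above: no password is supplied, so the service generates a random temporary one and returns it on the object, and the script writes it to a protected file for out-of-band delivery instead of mailing it. The tenant domain, the E3 SKU filter (ENTERPRISEPACK), the usage location and the two sample users are constructed assumptions.

```powershell
# Added example (not part of the course manual): bulk-create cloud identities
# with the MSOnline module instead of the admin center import wizard.
# Tenant domain, SKU filter, usage location and sample users are assumptions.
Import-Module MSOnline
Connect-MsolService    # prompts for a global admin or user management admin credential

# Constructed sample input using the same column headers as the admin center
# CSV template. In practice you would Import-Csv the real file instead.
$csvText = @'
User Name,First Name,Last Name,Display Name,Job Title,Department
holly@adatumyyxxxx.onmicrosoft.com,Holly,Dickson,Holly Dickson,IT Administrator,IT
bob@adatumyyxxxx.onmicrosoft.com,Bob,Kelly,Bob Kelly,Sales Manager,Sales
'@
$users = $csvText | ConvertFrom-Csv

# Resolve the licence SKU once. ENTERPRISEPACK is the Office 365 E3 part
# number; change the filter to the plan your tenant actually owns.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId

$created = foreach ($u in $users) {
    # Skip accounts that already exist so the script can be re-run safely.
    if (Get-MsolUser -UserPrincipalName $u.'User Name' -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping existing user $($u.'User Name')"
        continue
    }
    # No -Password is given, so the service generates a random temporary
    # password and returns it on the object. -ForceChangePassword makes the
    # user replace it at first sign-in. -UsageLocation must be set before a
    # licence can be assigned.
    $new = New-MsolUser -UserPrincipalName $u.'User Name' `
                        -FirstName $u.'First Name' -LastName $u.'Last Name' `
                        -DisplayName $u.'Display Name' `
                        -Title $u.'Job Title' -Department $u.Department `
                        -UsageLocation 'GB' `
                        -LicenseAssignment $sku `
                        -ForceChangePassword $true
    [pscustomobject]@{ UserPrincipalName = $new.UserPrincipalName; TempPassword = $new.Password }
}

# The temporary passwords never go into an email. Write them to an
# ACL-restricted folder (or a password vault) and hand them over in person
# or by phone, as the note in the manual recommends.
$created | Export-Csv -Path 'C:\Secure\NewUserPasswords.csv' -NoTypeInformation
$created | Select-Object UserPrincipalName
```

The existence check makes the script idempotent, which matters when a CSV of several hundred rows fails half way through; re-running it then only creates the rows that are still missing.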

Managing user licenses


Your organization's users need licenses to use Office 365 services such as Exchange Online (Outlook),
SharePoint Online, and Skype for Business Online. When you assign a license to a user, the corresponding
service is provisioned automatically for that user. For example, when you assign a license for SharePoint
Online, the user is given edit permissions on the default team site.

Assigning licenses to users


Only members of the global admin and user
management admin roles can assign or remove
licenses. You can assign or remove a license for
single or multiple users. To do this, you can use the Office 365 admin center or Windows PowerShell. To
assign or remove licenses for multiple users in the Office 365 admin center:

1. On the Office 365 admin center Home page, click Users.

2. Select the users to whom you want to assign licenses, or from whom you want to remove them, and in
the More list, click Edit product licenses.

3. On the Assign products page, you can change the user location, specify whether to replace or add
to existing licenses, and then select the services that you want to modify.

Note: You can assign licenses for specific services by expanding the license. For example,
when you expand the Office 365 Enterprise E5 license, there are about 20 different services that
you can enable and disable. By default, when the license is assigned, all services are enabled.

Note: When you remove a license from one of your users, any service data that is
associated with that user is deleted. You then have a 30-day grace period in which you can
recover that data, but after the grace period, the data is not recoverable at all.

Viewing license information


You can use the Office 365 admin center to view important information about your users' license usage,
such as how many licenses you have used, how many are remaining, and which users are currently
unlicensed.

To view the number of licenses remaining:

1. In the Office 365 admin center, on the left navigation pane, on the Billing menu, click Licenses.

2. Note how many licenses are valid and how many licenses have been assigned.

To view any unlicensed users:

1. On the Office 365 admin center Home page, click Users.


2. Click the Views drop-down list.

3. In the drop-down list box, click Unlicensed users.
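The licence tasks from the last two topics, assigning a plan with selected service plans disabled and reporting on remaining and unlicensed seats, as one added PowerShell example that is not part of the course manual. ENTERPRISEPREMIUM (E5), SWAY and YAMMER_ENTERPRISE are real SKU and service plan part numbers; the tenant prefix, the "Pilot" department filter and the usage location are assumptions.

```powershell
# Added example (not part of the course manual): assign a licence with specific
# service plans disabled, then audit licence consumption with MSOnline.
# Tenant prefix, department filter and usage location are assumptions.
Import-Module MSOnline
Connect-MsolService

$sku = 'adatumyyxxxx:ENTERPRISEPREMIUM'   # Office 365 E5 in this tenant

# 1. List the service plans the SKU carries, so the disabled set is chosen
#    deliberately rather than guessed from the admin center checkbox names.
(Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $sku }).ServiceStatus |
    ForEach-Object { '{0,-30} {1}' -f $_.ServicePlan.ServiceName, $_.ProvisioningStatus }

# 2. Licence options that keep everything except the plans the pilot is not
#    ready for. Every plan not listed stays enabled (the admin center default).
$opts = New-MsolLicenseOptions -AccountSkuId $sku -DisabledPlans 'SWAY', 'YAMMER_ENTERPRISE'

# 3. Licence the unlicensed pilot users. UsageLocation must be set first,
#    otherwise the licence assignment is rejected.
Get-MsolUser -All | Where-Object { $_.Department -eq 'Pilot' -and -not $_.IsLicensed } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation 'GB'
        Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName `
                            -AddLicenses $sku -LicenseOptions $opts
    }

# 4. Remaining units per SKU (the Billing > Licenses page, as a script).
Get-MsolAccountSku |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits,
                  @{ Name = 'Remaining'; Expression = { $_.ActiveUnits - $_.ConsumedUnits } }

# 5. Two checks worth scheduling: users with no licence at all, and blocked
#    accounts (leavers, ended contractors) that still consume a licence.
Get-MsolUser -All -UnlicensedUsersOnly | Select-Object UserPrincipalName, BlockCredential
Get-MsolUser -All | Where-Object { $_.IsLicensed -and $_.BlockCredential } |
    Select-Object UserPrincipalName,
                  @{ Name = 'Skus'; Expression = { $_.Licenses.AccountSkuId -join ';' } }
```

Step 5 is the check the admin center's Unlicensed users view does not give you: a blocked account that still holds an E5 licence is both a cost and, if the block is ever lifted by mistake, a fully provisioned account for a person who has left.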



Managing user accounts


Regardless of the method that you use to provision user accounts, you need to manage several account
settings, such as assigning administrator roles, setting users' sign-in status, specifying user location
settings, and assigning licenses. You can manage these user settings by using the Office 365 admin center
or Windows PowerShell cmdlets; however, this lesson only discusses the Office 365 admin center method
to manage users and their licenses.

Editing users
You can use the Office 365 admin center to edit single or multiple users. To edit a single user:

1. On the Office 365 admin center Home page, click Users.

2. Click the user account that you want to edit to open the user properties page.
3. In the User name/Email Aliases section, you can modify the user name and add or modify email
addresses.

4. In the Product licenses section, you can modify the license assigned to the user. You can also set the
user location. Microsoft needs to know the location of each user who utilizes its Office 365 services so
that it only offers permitted services to that user.

5. In the Group memberships section, you can modify group membership for the user.
6. In the Sign-in status section, you can specify the sign-in status of the selected users. You can set this
to Sign-in allowed or Sign-in blocked. If you set it to Sign-in blocked, the user cannot sign in to
Office 365. The user is not immediately prevented from accessing services, but they will be blocked at
the next sign-in attempt. Typical reasons for blocking a user might be that they are a contract worker
or that they have left the organization but you want to retain their email information.

7. In the Office installs section, you can view installations and deactivate Office apps for specific
devices.

8. In the Roles section, you can specify whether the selected users should have Administrator
permissions. The last lesson in this module discusses the different administrator roles.
9. In the Display name Office phone section, you can edit contact information for the user.

10. In the Mail Settings section, you can modify mailbox permissions, email forwarding, automatic
replies, and email apps.

11. In the OneDrive Settings section, you can obtain access to the user's files, view the storage quota,
and force a sign-out from all Office 365 sessions.

Deleting and recovering user accounts


When users leave your organization, they no longer require a user account in Office 365. Delete their
user accounts (or, where the account must be retained for a time, block sign-in) so that they can no
longer access Office 365. When you delete a user account, the Office 365 license that was assigned to
that user becomes available to assign to another user.

To delete one or more users:

1. In the Office 365 admin center Home page, click Users.

2. Select the users that you want to delete, click the More drop-down list, and then click Delete users.

3. In the message box, click Yes to delete the selected users.

4. When the users have been deleted, click Close.

You can also delete user accounts with the Windows PowerShell Remove-MsolUser cmdlet, identifying the
account by either the -ObjectId (GUID) or the -UserPrincipalName parameter.

When you delete a user account, the account becomes inactive and the user cannot sign in to access
Office 365 services. However, you might need to restore a user's account after deletion. Office 365 retains
the account as a soft-deleted inactive account for 30 days after deletion, so you can restore it within
that period.

To restore a user:

1. In the Office 365 admin center, on the Users menu click Deleted users.

2. Select the user that you want to restore, and then click Restore.

3. Select how you want to assign the user password, and then click Restore.

You can also use Windows PowerShell to restore deleted user accounts by using the Restore-MsolUser
cmdlet. A later lesson in this module covers this.
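The leaver workflow from the Sign-in status and Deleting and recovering topics, as an added PowerShell example that is not part of the course manual: block sign-in at once, soft-delete when the retention decision is made, inspect the 30-day recycle bin, and either restore or purge. The user principal names are assumptions.

```powershell
# Added example (not part of the course manual): a leaver workflow with the
# MSOnline module. The UPNs are assumptions.
Import-Module MSOnline
Connect-MsolService

$leaver = 'bob@adatumyyxxxx.onmicrosoft.com'

# Step 1: block sign-in and replace the password immediately. Blocking stops
# new sign-ins; sessions that are already authenticated run until their tokens
# expire, which is why the admin center also offers a forced sign-out under
# OneDrive Settings. With no -NewPassword, a random one is generated and not
# disclosed to anyone.
Set-MsolUser -UserPrincipalName $leaver -BlockCredential $true
Set-MsolUserPassword -UserPrincipalName $leaver -ForceChangePassword $true

# Step 2: record what the account held, for the offboarding ticket.
Get-MsolUser -UserPrincipalName $leaver |
    Select-Object UserPrincipalName, BlockCredential, IsLicensed,
                  @{ Name = 'Skus'; Expression = { $_.Licenses.AccountSkuId -join ';' } }

# Step 3: soft-delete. The account moves to the recycle bin for 30 days and
# its licence is released. -Force suppresses the confirmation prompt.
Remove-MsolUser -UserPrincipalName $leaver -Force

# What is currently recoverable, and roughly how long each entry has left.
Get-MsolUser -ReturnDeletedUsers -All |
    Select-Object UserPrincipalName, SoftDeletionTimestamp,
                  @{ Name = 'DaysLeft'
                     Expression = { 30 - [int]((Get-Date) - $_.SoftDeletionTimestamp).TotalDays } }

# Step 4a: the person returns within the window, so restore in place.
# -AutoReconcileProxyConflicts resolves a proxy address that another object
# has reused in the meantime, the usual reason a restore fails.
Restore-MsolUser -UserPrincipalName $leaver -AutoReconcileProxyConflicts

# Step 4b: or purge permanently before the 30 days are up. Irreversible: the
# mailbox and OneDrive content go with it.
# Remove-MsolUser -UserPrincipalName $leaver -RemoveFromRecycleBin -Force
```

A restored account comes back with BlockCredential still set from step 1, so restoring does not silently re-open access; clear the block deliberately once the return has been approved.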

Additional Reading:
For more information, refer to: How to troubleshoot deleted user accounts in Office 365, Azure,
and Intune at: http://aka.ms/prede5
For more information, refer to: Manage inactive mailboxes in Exchange Online at:
http://aka.ms/qlb3b1

Question: What types of user accounts are available in Office 365?



Lesson 2
Managing passwords and authentication
Organizations have to provide secure access to Office 365 for their employees and to protect data from
unauthorized access. One of the most important actions when securing access to Office 365 is to
configure secure password policies. Password policies require users to perform actions that increase
password protection, such as changing passwords at specified intervals, creating complex passwords,
resetting their own passwords, and signing in with multi-factor authentication.

Lesson Objectives
After completing this lesson, you will be able to:

Describe password policy options.

Describe self-service password management.

Describe the concept of multi-factor authentication.


Explain how to plan password policies and authentication.

Password policy options


Office 365 helps provide secure access by requiring users to sign in with a password. You need to perform
various tasks to manage these passwords for your organization's users. These tasks might include
changing passwords, setting password expiration, and resetting passwords.

Setting password expiration

By default in Office 365, users' passwords expire after 90 days, and users receive notification of
impending password expiration 14 days before it occurs.

You can use the Office 365 admin center to change this setting for your organization. To change the
password expiration policy, perform the following steps:

1. In the Office 365 admin center, on the Settings menu, click Security & privacy.

2. In the Password policy section, click Edit.

3. Specify a number of days between 14 and 730 for password expiration.

4. Specify a number of days between 1 and 30 for the notification warning of password expiration.

5. Save your settings.


If a user does not change their password before the expiration time has elapsed, they can still change it by
using the Password update page that appears the next time they sign in. Alternatively, you can reset
their password for them.

You also have the option to set user passwords to never expire on this page. This disables password
expiration for all users. To disable password expiration for single users, you need to use the Set-MsolUser
cmdlet with the -PasswordNeverExpires parameter.
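The expiration policy and the per-user exception in PowerShell, with the audit that should accompany any never-expires exception, as an added example that is not part of the course manual. The domain name and the service account UPN are assumptions.

```powershell
# Added example (not part of the course manual): tenant password expiry policy,
# a per-user exception, and the audit of that exception with MSOnline.
# Domain name and service account UPN are assumptions.
Import-Module MSOnline
Connect-MsolService

$domain = 'adatumyyxxxx.onmicrosoft.com'

# Current policy for the domain: ValidityPeriod is days until expiry,
# NotificationDays is the warning period before that.
Get-MsolPasswordPolicy -DomainName $domain

# Set the 90/14 values explicitly rather than relying on the default, so the
# setting appears in the change record.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# Per-user exception: a non-interactive service account whose password is
# rotated by a vault. Keep such exceptions few and reviewed.
$svc = 'svc-monitoring@adatumyyxxxx.onmicrosoft.com'
Set-MsolUser -UserPrincipalName $svc -PasswordNeverExpires $true -StrongPasswordRequired $true

# Audit 1: who is exempt from expiry, and how old their password is. A
# never-expiring password that has not changed for years is the finding.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, BlockCredential,
                  @{ Name = 'PasswordAgeDays'
                     Expression = { [int]((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays } } |
    Sort-Object PasswordAgeDays -Descending

# Audit 2: accounts where strong password enforcement has been switched off.
Get-MsolUser -All | Where-Object { $_.StrongPasswordRequired -eq $false } |
    Select-Object UserPrincipalName, PasswordNeverExpires
```

Setting the policy to never expire for every user (the admin center checkbox) removes the expiry control entirely; the per-user flag shown here is the narrower tool, and the first audit is how you find out whether the "few" exceptions have quietly become many.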

Resetting user passwords


If necessary, you can reset a password for one or more users on the Active users page. You can assign a
new randomly-generated password or a password of your choice. You can also select whether users need
to change their password at next sign in.

Resetting admin passwords


If you forget your own administrator password, the two available options are:

Ask another administrator to reset it for you. In this case, the other administrator must be a global
admin, a user management admin, or a password admin. However, if your account is a global admin
account, you must get another administrator with a global admin account to reset it for you.

Reset the password yourself. On the sign-in page for Office 365, you can use the Can't access your
account? link to reset your password. When you follow the instructions provided by the link, you are
sent an email with a link that allows you to reset your password.

You must have already supplied an alternative email address in your account settings for this to work; this
must not be your Office 365 email address. Additionally, if you use a custom domain name or you are
using directory synchronization, you must have also supplied a phone number in your account details that
is capable of receiving text notifications. In this case, a code will generate automatically and send as a text
message to your mobile phone, and you will need to enter this code on the mobile phone verification
page.

Note: If resetting the password yourself, you must complete the entire admin password
reset process within 10 minutes; otherwise, you will need to start the process again.

Self-service password management


Self-service password reset allows users to reset
their own password without requiring intervention
by an administrator. To reset a password, users
must authenticate their identity first. The
following authentication methods are available:

Email

Mobile phone

Office phone

Security questions
If users forget their passwords, they can reset
them by clicking the Can't access your account? link on the Office 365 Sign in page. However, if the
users have not entered their alternate personal information, they will not be able to reset their password
and they will have to contact the tenant administrator to reset their password. Microsoft support cannot
reset forgotten passwords.

Self-service password reset is not enabled by default. You need to enable self-service password reset for
all users or for specific groups.

Office 365 self-service password reset is available only for Office 365 users with cloud identities where a
password is not linked to the on-premises AD DS. This is because a password from Office 365 cannot be
synchronized back to on-premises AD DS without additional services.

Password writeback
The Azure AD edition that is included with Office 365 subscriptions cannot write a password change
made in Azure AD back to on-premises AD DS. Azure AD Premium includes password writeback, which
allows you to implement self-service password reset for synchronized identities and federated identities.
This also enhances AD DS by providing a portal for password reset.

Note: Azure AD Premium licenses can be purchased separately or as part of Enterprise Mobility Suite
licensing.

Multi-factor authentication
Multi-factor authentication in Office 365 increases security by requiring users to provide a second form
of verification, in addition to their user name and password, when they sign in. The second factor might
be acknowledging a phone call, entering a code from a text message, or responding to a notification from
an app on their smartphone. Only when the user name, password, and second factor are all verified can
the user sign in to Office 365. You can also enable multi-factor authentication for users who authenticate
against a federated on-premises directory.
The tenant administrator enables multi-factor authentication in the Office 365 admin center by
performing the following steps:

1. In the Office 365 admin center, on the Settings menu, click Services & add-ins.
2. On the Services & add-ins page, click Azure multi-factor authentication.

3. On the Azure multi-factor authentication page, click Manage multi-factor authentication.

4. On the multi-factor authentication page, select the users that you need to enable for multi-factor
authentication, and then click Enable.

After the administrator enables users for multi-factor authentication, users have to configure their second
authentication factor at their next sign-in. You can use the following options as the second authentication
factor:

Call to phone. Users receive a phone call with instructions for the users to press the pound key. After
they press the pound key, users are signed in.
Text message to phone. Users receive a text message containing a six-digit code that they must
enter into the Office 365 portal.

Notification through mobile app. Users configure a smartphone app that receives a notification
that users need to confirm to sign in to Office 365. Smartphone apps are available for Windows
phone, iPhone, and Android devices.

Verification code from mobile app. Users configure a smartphone app and enter the six-digit code
from the app into the portal.
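Enabling per-user multi-factor authentication from PowerShell, and the check that matters most (which Global admins are not yet enforced and which have not registered a second factor), as an added example that is not part of the course manual. The UPNs are assumptions; "Company Administrator" is the directory role name behind the Global admin role, and the StrongAuthenticationRequirement object is the MSOnline type the admin center's Enable button sets.

```powershell
# Added example (not part of the course manual): per-user MFA with the MSOnline
# module, plus an audit of Global admins. The UPNs are assumptions.
Import-Module MSOnline
Connect-MsolService

function Set-PerUserMfa {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State = 'Enabled'
    )
    if ($State -eq 'Disabled') {
        # An empty array removes the requirement entirely.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'   # applies to every application
    $req.State = $State       # Enabled: user enrols at next sign-in; Enforced: no further grace
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Enable MFA for the pilot users; they register a second factor at next sign-in.
'holly@adatumyyxxxx.onmicrosoft.com', 'bob@adatumyyxxxx.onmicrosoft.com' |
    ForEach-Object { Set-PerUserMfa -UserPrincipalName $_ -State Enabled }

# Audit: every user member of the Global admin role, with their MFA state and
# the factors they registered. "Enabled" with no registered methods means the
# account is still effectively password-only until the admin next signs in.
$role = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Select-Object UserPrincipalName,
                  @{ Name = 'MfaState'
                     Expression = { ($_.StrongAuthenticationRequirements | Select-Object -First 1).State } },
                  @{ Name = 'Methods'
                     Expression = { ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ',' } } |
    Where-Object { $_.MfaState -ne 'Enforced' }
```

Anything the last filter returns is a privileged account that can still be signed in with a password alone; move those to Enforced once their owners have registered a method, and treat an empty Methods column on an admin as an open finding.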

Planning password policies and authentication


To ensure that you manage Office 365 passwords and password policies correctly, we recommend that you
adhere to the following best practices:

Ensure that you correctly define the administrator roles. An organization should create a plan about
who will administer its Office 365 tenant, how many people to include in the administrators' team, and
what permissions to assign to each administrator team. Each team should be assigned only the
permissions that are necessary to perform its administrative tasks.

Document and standardize password policies. Password policies should be well documented and
standardized according to the organization's security strategy.

Enforce the use of strong passwords. Strong passwords increase an organization's security because
they are more difficult for an unauthorized user to guess.

Use multi-factor authentication. Multi-factor authentication enhances an organization's security by
protecting the organization from unauthorized users who might steal employees' user names and
passwords.

Ensure that users are educated on organizational security policies. Educate users about organizational
security procedures, especially regarding creating complex passwords, securing their passwords
against potential security threats, and resetting their forgotten passwords.

Question: What password policy options are available in Office 365?

Question: How can you enable multi-factor authentication in Office 365 and what multi-
authentication options are available?

Lab A: Managing Office 365 users and passwords


Scenario
After configuring an Office 365 tenant and preparing it for pilot deployment, you are now ready to start
creating user and group accounts in Office 365. You and your team need to be familiar with how to
configure these accounts by using the Office 365 admin center because this will be your primary tool for
managing the environment after the deployment is fully functional. Additionally, you need to make sure
that the password policy for Office 365 users matches the password policy for on-premises users.

Objectives
After completing this lab, you will be able to:

Manage Office 365 users and licenses by using the Office 365 admin center.

Manage Office 365 password policies.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual.
Use the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 35 minutes

Virtual machine: 20347A-LON-DC1, 20347A-LON-CL1


User name: Adatum\Administrator for LON-DC1 and Adatum\Holly for LON-CL1

Password: Pa55w.rd

In all of the tasks:


Where you see references to Adatumyyxxxxx.onmicrosoft.com, replace yyxxxxx with your unique
Office 365 name that displays on the online lab portal.

Where you see references to yourdomain.hostdomain.com, replace the yourdomain with your
unique hostdomain.com name that displays on the online lab portal.

This lab requires the following virtual machines (use only the virtual machines required for your lab):

LON-DC1:

o Sign in as Adatum\Administrator with the password Pa55w.rd.

LON-CL1:

o Sign in as Adatum\Holly with the password Pa55w.rd.

Question: After creating a user account, what account settings are available for you to edit
in the Active users window of the Office 365 admin center?

Question: What password policy settings are available in Office 365?



Lesson 3
Managing security groups in Office 365
After all the users for the Office 365 tenant have been created, administrators should create the groups
needed to distribute email to multiple users with Exchange Online. Administrators also use groups to
assign permissions in SharePoint Online, so that users can collaborate and share documents with rights
and access to SharePoint sites and documents that match the organization's security policies.

Lesson Objectives
After completing this lesson, you will be able to:

Describe groups in Office 365.

Explain how to create and configure security groups by using the Office 365 admin center.

Explain how to delete security groups by using the Office 365 admin center.

Overview of groups in Office 365


While the Office 365 admin center uses security groups to organize users, Office 365 includes the
following group types:

Office 365 group. Office 365 groups are similar to distribution groups. An Office 365 group has its own
mailbox, and its members receive email messages that are sent to the group. In addition, the Office 365
group provides a shared workspace for email, conversations, files, and calendar events, which allows
members to collaborate on a project. All conversations are stored in the group, a dedicated calendar is
available to the group, and dedicated OneDrive for Business storage is available for group documents.

Distribution list. Use this type of group for sending email. An email sent to a distribution list is
delivered to all members of the group.

Mail-enabled security group. You can use these groups for sending email, just as you would with a
distribution group. However, you can also assign this type of group permissions to OneDrive or
SharePoint.

Security group. You can use this type of group to assign permissions to OneDrive or SharePoint, but it
cannot be used for email.

Exchange admin center groups

You can create and manage the following types of mail-enabled groups in the Exchange admin center:

Office 365 groups. These are the same as the Office 365 groups that you create in the Office 365 admin
center.

Distribution groups. Use these groups only to distribute messages to a set of recipients. These are the
same as a distribution list in the Office 365 admin center.

Security groups. Use these groups to distribute messages and to provide access to resources. These are
equivalent to the mail-enabled security group in the Office 365 admin center.

Dynamic distribution groups. These groups do not have a predefined member list, because they use
recipient filters and conditions that you define to determine membership dynamically at the time that
messages are sent.

In the previous Office 365 admin center, you cannot edit groups that you create in the Exchange admin
center, even though the groups appear in the Security Groups list of the GROUPS section. You can edit
distribution groups in the new Office 365 admin center.

Note: Dynamic distribution groups do not appear in the Office 365 admin center.

SharePoint Online groups


SharePoint Online groups are collections of users who have the same permission level, allowing you to
grant access to your SharePoint Online sites to multiple users. SharePoint Online groups greatly enhance
and simplify the permissions-management process for administrators. Although SharePoint Online groups
can contain individual users, it is better to populate them with security groups from Office 365.

Note: SharePoint Online groups cannot contain distribution groups.

Several built-in groups are created when you create a site collection in SharePoint Online. These are
referred to as default SharePoint Online groups. Which default SharePoint Online groups are created
depends on the site template that is used to create the site. For example, the Team Site template creates
the following SharePoint Online groups: Team Site Visitors, Team Site Members, and Team Site Owners.

Determining group types


You can determine the different types of groups by using the Office 365 admin center. When you view
groups in the Office 365 admin center, the Type column displays the group type for your reference. You
can also use the Get-MsolGroup -All | Select DisplayName, GroupType command in the Azure AD module
for Windows PowerShell to display group type information; without -All, Get-MsolGroup returns at most
250 groups.

To ensure that you create and manage your Office 365 security groups correctly, we recommend the
following best practices:

Organize users into logical groups that have similar access needs.

Add users to security groups and then add those security groups to SharePoint Online default groups
rather than adding individual users to the groups.

Keep your group naming convention simple but clear.

Maintain a consistent and well-defined account provisioning process.

Create policies and procedures for ongoing group maintenance.
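The following script is an added example and is not part of the course material. It supports the ongoing
group-maintenance practice above by inventorying every group in the tenant by type and flagging the
groups that usually need attention: empty groups, groups that nest other groups, and groups that are
synchronized from on-premises Active Directory (which must be edited on-premises). It assumes an active
Connect-MsolService session.

```powershell
# Added example, not part of the course: inventory Office 365 groups by type and flag the ones
# that need maintenance. Assumes an active Connect-MsolService session.

function Get-GroupInventory {
    # -All overrides the default cap of 250 groups on Get-MsolGroup
    foreach ($g in Get-MsolGroup -All) {
        # -All on Get-MsolGroupMember likewise returns every member, not just the first page
        $members = @(Get-MsolGroupMember -GroupObjectId $g.ObjectId -All)
        [pscustomobject]@{
            DisplayName  = $g.DisplayName
            GroupType    = $g.GroupType                 # Security, MailEnabledSecurity, DistributionList
            DirSynced    = [bool]$g.LastDirSyncTime     # synced groups are edited on-premises, not here
            MemberCount  = $members.Count
            NestedGroups = @($members | Where-Object { $_.GroupMemberType -eq 'Group' }).Count
        }
    }
}

$inventory = @(Get-GroupInventory)

# How many groups of each type exist
$inventory | Group-Object GroupType | Select-Object Name, Count | Format-Table -AutoSize

# Empty cloud-managed groups are candidates for deletion
$inventory | Where-Object { $_.MemberCount -eq 0 -and -not $_.DirSynced } |
    Select-Object DisplayName, GroupType | Format-Table -AutoSize

# Nested groups are where effective permissions become hard to reason about
$inventory | Where-Object { $_.NestedGroups -gt 0 } |
    Select-Object DisplayName, NestedGroups | Format-Table -AutoSize
```

Run the script after each provisioning cycle and keep the output with the change record; an empty
security group that still has SharePoint permissions is a standing invitation to grant access by accident.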



Creating and configuring groups

Creating Office 365 security groups


You can use the Office 365 admin center to organize users into logical groupings to which you can assign
permissions in SharePoint Online. For example, you could create a security group with all users from the
Sales department to allow them Full Control access to a sales SharePoint site collection.

You can add and grant permissions to individual users or security groups, and you can add them directly
to the default SharePoint Online groups that already have predefined permissions. However, we
recommend adding users to Office 365 security groups and then assigning SharePoint site permissions to
the groups rather than to individual users. After you set up your security group structure in Office 365 and
grant permissions to those security groups on sites in SharePoint Online, you can add users to the
appropriate security groups in Office 365. This gives users the necessary rights to the SharePoint sites.

To create a security group in the Office 365 admin center:


1. In the Office 365 admin center, on the left navigation pane, click Groups.

2. Click Add a group, and on the Add a group page, select Security group, provide a group name and
description for the group, and then click Add.
3. On the group property page, add the users that you want to add to the security group.

You can also use Windows PowerShell to create security groups for Office 365 by using the
New-MsolGroup cmdlet; a later lesson in this module covers this.

Note: Later modules in this course cover the management of Office 365 groups and
distribution groups.

Nesting security groups


You can nest security groups by adding one security group to another. To do this, when adding group
members in the Office 365 admin center, select the appropriate group instead of a user. You also can use
Windows PowerShell to nest security groups.

Editing security groups


The items that you can edit in an existing security group are its name, description, and members.

Note: You cannot use the Office 365 admin center to edit security groups if they are
synchronized with your on-premises Active Directory; you must use local Active Directory
management tools for this purpose.

Deleting groups
When you no longer need a security group, you can use the Office 365 admin center or Windows
PowerShell to delete it. Unlike user accounts, when you delete a security group, it is permanently deleted
and you cannot restore it. User accounts that were members of the deleted security group remain intact.

To delete a security group in the Office 365 admin center:

1. In the Office 365 admin center, on the Groups menu, click Groups.

2. Select the security group that you want to delete.

3. In the details pane on the right, click Delete group.

4. Confirm that you want to delete the group.

Question: List the types of mail-enabled groups in Exchange Online in Office 365.

Lesson 4
Managing Office 365 users and groups with Windows
PowerShell
By using the Azure AD module for Windows PowerShell, you can connect to Office 365 to perform
administrative tasks that are not practical, or even possible, by using the Office 365 admin center. For
example, you can use the Azure AD module for Windows PowerShell to automate mundane, repetitive
tasks such as creating large numbers of user accounts, adding users to groups, and updating multiple user
properties.

In this lesson, you will learn how to use Windows PowerShell to configure multiple user settings, carry out
bulk updates of user properties, create users in bulk with the Azure AD module for Windows PowerShell
cmdlets, manage licenses for many users at once, and delete users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to manage Office 365 by using Windows PowerShell.


Explain how to manage users and licenses by using Windows PowerShell.

Explain how to manage security groups by using Windows PowerShell.

Explain how to import users and groups by using Windows PowerShell.


Explain how to manage users and groups by using Windows PowerShell scripts.

Explain how to configure password policies by using Windows PowerShell.

Overview of managing Office 365 by using Windows PowerShell

By using Azure AD module for Windows PowerShell cmdlets along with scripts, you can drastically reduce
the time and effort that are required to perform repetitive administrative tasks. The following is a list of
typical management tasks that you can perform by using the Azure AD module for Windows PowerShell
with Office 365:

User management

License assignment

Security group management

Password management

Domain management

Admin role assignments

Azure AD module for Windows PowerShell requirements


You must meet the following prerequisites to run the Azure AD module:

Your computer must be running Windows 8, Windows 7, Windows Server 2012, or Windows Server
2008 R2.

You must install the Microsoft .NET Framework 3.5.1 feature.

You must install all software updates that the Microsoft cloud services to which you have subscribed
require.

You must install the appropriate version of the Microsoft Online Services Sign-in Assistant for your
operating system from the Microsoft Download Center.

Installing the Azure AD module for Windows PowerShell and connecting to Azure AD
To take advantage of Azure cmdlets for Windows PowerShell, you need to download and install the
relevant Windows PowerShell module for Azure for your operating system.

Note: You can download the 64-bit version of the Azure AD module for Windows
PowerShell from the Microsoft Download Center at http://aka.ms/siqtee, and you can download
the 32-bit version at http://aka.ms/fohrds

After you install the Windows PowerShell module for Azure, you need to connect to your online service
through your subscription. To connect to your online service:

1. Open the new Azure AD module for Windows PowerShell console by using the desktop shortcut.

2. At the command prompt, type the following command, and then press Enter:

Connect-MsolService

3. You will be prompted for your credentials.

Getting help on cmdlets


Numerous Azure PowerShell cmdlets can do a multitude of actions to different object types, such as users,
groups, licenses, passwords, and domains.

Additional Reading: For a detailed list of Azure management cmdlets, refer to:
AzureADHelp at: http://aka.ms/rlunlo

For basic help on a specific cmdlet:

1. Open the Azure AD module for Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

Get-Help cmdletname

For example, Get-Help Set-MsolUser

For more detailed help on a specific cmdlet, at the command prompt, type one of the following
commands, and then press Enter:

Get-Help cmdletname -Examples

Get-Help cmdletname -Detailed

Get-Help cmdletname -Full

For example, Get-Help Set-MsolUser -Detailed



Managing users and licenses by using Windows PowerShell


You can use several Windows PowerShell cmdlets to perform tasks that relate to user management and
license management in Office 365.

Adding users and licenses

When a new user joins your organization, you can use the New-MsolUser cmdlet to create an account in
Office 365. This cmdlet can also assign a user license at the same time so that the user can start accessing
online services.

To create a user without a license:

1. Open the Azure AD module for Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

New-MsolUser -UserPrincipalName username@domainname -DisplayName "Firstname Lastname" -FirstName Firstname -LastName Lastname

For example:

New-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -DisplayName "Melissa MacBeth" -FirstName Melissa -LastName MacBeth

To create a user and assign them a license, at the command prompt, type the following command,
and then press Enter:

New-MsolUser -UserPrincipalName username@domainname -DisplayName "Firstname Lastname" -FirstName Firstname -LastName Lastname -UsageLocation 2-letter-location-code -LicenseAssignment license

For example:

New-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -DisplayName "Melissa MacBeth" -FirstName Melissa -LastName MacBeth -UsageLocation US -LicenseAssignment Adatum:ENTERPRISEPACK

Note: The -UsageLocation parameter is required whenever you assign a license, because license
availability depends on the user's country or region; without it, the license assignment fails.

Managing user licenses


You can use the Get-MsolAccountSku cmdlet to view the current licensing information for your Office
365 tenant, which includes the number of licenses that are currently available and how many are in use.
You can use the Get-MsolUser cmdlet with the -UnlicensedUsersOnly switch to view a list of users who
currently do not have a license.

Additionally, in the Office 365 admin center, you can view how many licenses your organization has
purchased and how many remain that you can use. However, in the Office 365 admin center, you cannot
easily ascertain which licenses are assigned to which users.

Instead, you can use Windows PowerShell to get a list of all of your Office 365 tenant users with the
licenses that are assigned to each of them, and you can save the results to a CSV file. The Licenses
property of a user is a collection of license objects, so join their AccountSkuId values into a string and
use Export-Csv; piping Format-Table output to Out-File would write a formatted text table, not a CSV
file. To get a list of users and their licenses, at the command prompt, type the following command, and
then press Enter:

Get-MsolUser -All | Select-Object DisplayName, @{Name='Licenses';Expression={$_.Licenses.AccountSkuId -join ';'}} | Export-Csv -Path filelocation -NoTypeInformation

For example:

Get-MsolUser -All | Select-Object DisplayName, @{Name='Licenses';Expression={$_.Licenses.AccountSkuId -join ';'}} | Export-Csv -Path c:\userlicenses.csv -NoTypeInformation

The Set-MsolUserLicense cmdlet enables you to add user licenses, remove user licenses, and update
licensing options. To add a license to a user, at the command prompt, type the following command, and
then press Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -AddLicenses license

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -AddLicenses Adatum:ENTERPRISEPACK

To remove a license from a user, at the command prompt, type the following command, and then press
Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -RemoveLicenses license

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -RemoveLicenses Adatum:ENTERPRISEPACK

If you want to replace one license with another, you can do this as a single operation so that the user does
not remain in an intermediate state. For example, you might want to change from a deskless license to an
enterprise license, or you might want to upgrade from a standard license (E1) to an enterprise license (E3).

To add and remove licenses in one operation, at the command prompt, type the following command, and
then press Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -AddLicenses newlicense -RemoveLicenses oldlicense

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -AddLicenses Adatum:ENTERPRISEPACK -RemoveLicenses Adatum:STANDARDPACK

This would upgrade the user's license from an E1 plan to an E3 plan.

Bulk license updates


If you need to update licenses for a large number of users, you can use a Windows PowerShell script to
add and remove licenses in one operation. If you need to upgrade users from an E1 license to an E3
license, you must first generate a CSV file with the list of users who currently have an E1 license, and then
you import that CSV file by using the Import-Csv cmdlet. You will also need to include a script that will
add and remove the required licenses for each user identified by its UserPrincipalName property in the
imported CSV file.

Note: Writing these scripts is outside the scope of this course.
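The following script is an added example and is not part of the course material; it shows what the bulk
E1-to-E3 upgrade described above looks like when written out. It assumes an active Connect-MsolService
session, and the tenant prefix Adatum is an assumption. Before touching any account it checks that enough
E3 licenses are free, writes the starting license state to a CSV file so the change can be reviewed or
reversed, and supports a dry run.

```powershell
# Added example, not part of the course: move every user holding the E1 SKU (STANDARDPACK) to the
# E3 SKU (ENTERPRISEPACK) with a single Set-MsolUserLicense call per user.
# Assumes an active Connect-MsolService session; the tenant prefix 'Adatum' is an assumption.

function Get-UsersWithSku {
    param([Parameter(Mandatory)][string]$AccountSkuId)
    # Get-MsolUser returns at most 500 users unless -All is specified
    Get-MsolUser -All | Where-Object { $_.Licenses.AccountSkuId -contains $AccountSkuId }
}

function Assert-SkuCapacity {
    param([Parameter(Mandatory)][string]$AccountSkuId, [int]$Needed)
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU '$AccountSkuId' is not present in this tenant." }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($free -lt $Needed) { throw "Only $free '$AccountSkuId' licenses free; $Needed needed." }
}

function Move-UsersToSku {
    param(
        [Parameter(Mandatory)][string]$OldSku,
        [Parameter(Mandatory)][string]$NewSku,
        [string]$BackupPath = "$env:TEMP\licenses-before.csv",
        [switch]$DryRun
    )
    $users   = @(Get-UsersWithSku -AccountSkuId $OldSku)
    $needNew = @($users | Where-Object { $_.Licenses.AccountSkuId -notcontains $NewSku })
    Assert-SkuCapacity -AccountSkuId $NewSku -Needed $needNew.Count

    # Record the starting state so the change can be reviewed or reversed
    $users | Select-Object UserPrincipalName,
        @{Name = 'Licenses'; Expression = { $_.Licenses.AccountSkuId -join ';' }} |
        Export-Csv -Path $BackupPath -NoTypeInformation

    foreach ($u in $users) {
        $upn = $u.UserPrincipalName
        if ($DryRun) { Write-Host "Would move $upn from $OldSku to $NewSku"; continue }
        try {
            if ($u.Licenses.AccountSkuId -contains $NewSku) {
                # Already holds the new SKU; only the old one has to go
                Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $OldSku
            } else {
                # Add and remove in one call so the user never sits in an unlicensed state
                Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $NewSku -RemoveLicenses $OldSku
            }
            Write-Host "Moved $upn from $OldSku to $NewSku"
        } catch {
            # One failure must not abort the batch; report it and carry on
            Write-Warning "Failed for ${upn}: $($_.Exception.Message)"
        }
    }
}

# Dry run first, then the real change
Move-UsersToSku -OldSku 'Adatum:STANDARDPACK' -NewSku 'Adatum:ENTERPRISEPACK' -DryRun
Move-UsersToSku -OldSku 'Adatum:STANDARDPACK' -NewSku 'Adatum:ENTERPRISEPACK'
```

Test the script against a non-production tenant first, as the course recommends for any bulk script, and
keep the backup CSV until the affected users have confirmed that their services work.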



Assigning a subset of licenses


If you only want to assign a subset of service plans from an enterprise license to a user, you can use the
Set-MsolUserLicense cmdlet with the -LicenseOptions switch. To do this, you first need to determine
the individual names of each of the service plans in the enterprise license pack.

To view the individual service plans, at the command prompt, type the following command, and then
press Enter:

Get-MsolAccountSku | Where-Object {$_.SkuPartNumber -eq 'ENTERPRISEPACK'} | ForEach-Object {$_.ServiceStatus}

The above command returns a list of the individual service plans; however, a number of the service plan
names are difficult to interpret. The following table provides a description of each abbreviated service
plan name.

Service plan name Description

YAMMER_ENTERPRISE Yammer

RMS_S_ENTERPRISE Rights Management Services

OFFICESUBSCRIPTION Office Professional Plus

MCOSTANDARD Lync Online

SHAREPOINTWAC Microsoft Office Online

SHAREPOINTENTERPRISE SharePoint Online

EXCHANGE_S_ENTERPRISE Exchange Online

Now that you know what the service plans are called, you can use the Set-MsolUserLicense cmdlet with
the -LicenseOptions parameter to assign a subset of service plans from the enterprise license pack. You
must specify the tenant account SKU ID and then disable the service plans that you do not want to include.

For example, to assign only the Office Professional Plus, Lync Online, and SharePoint Online licenses to a
user:
1. At the command prompt, type the following command, and then press Enter:

$options = New-MsolLicenseOptions -AccountSkuId tenantname:ENTERPRISEPACK -DisabledPlans YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, SHAREPOINTWAC, EXCHANGE_S_ENTERPRISE

This saves the resulting license options to the $options variable, which you can then pass to the
-LicenseOptions parameter when assigning licenses to the user.

2. At the command prompt, type the following command, and then press Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -LicenseOptions $options

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -LicenseOptions $options

Note: If the user does not yet hold the ENTERPRISEPACK license, combine -LicenseOptions with
-AddLicenses in the same command; -LicenseOptions on its own only changes the plans of a license the
user already has.
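The following script is an added example and is not part of the course material. It generalizes the
procedure above: instead of typing the -DisabledPlans list by hand, it takes an allow-list of the plans you
want enabled and derives the disabled list from the SKU's own ServiceStatus, so a plan that Microsoft
later adds to the SKU is disabled by default rather than silently enabled, and a typo in the allow-list is
rejected instead of quietly leaving the user with fewer services. It assumes an active Connect-MsolService
session; the tenant prefix Adatum and the user principal name are assumptions.

```powershell
# Added example, not part of the course: assign a SKU with only an allow-list of service plans
# enabled, deriving -DisabledPlans from the SKU itself instead of typing the list by hand.
# Assumes an active Connect-MsolService session; tenant prefix 'Adatum' and the UPN are assumptions.

function New-AllowListLicenseOptions {
    param(
        [Parameter(Mandatory)][string]$AccountSkuId,
        [Parameter(Mandatory)][string[]]$EnabledPlans
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU '$AccountSkuId' not found in this tenant." }
    $allPlans = @($sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })
    # A typo in the allow-list would otherwise silently leave the user with fewer services
    $unknown = @($EnabledPlans | Where-Object { $allPlans -notcontains $_ })
    if ($unknown.Count -gt 0) { throw "Plans not in ${AccountSkuId}: $($unknown -join ', ')" }
    # Everything not explicitly allowed is disabled, including plans added to the SKU later
    $disabled = @($allPlans | Where-Object { $EnabledPlans -notcontains $_ })
    New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $disabled
}

function Set-AllowListLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId,
        [Parameter(Mandatory)][string[]]$EnabledPlans
    )
    $options = New-AllowListLicenseOptions -AccountSkuId $AccountSkuId -EnabledPlans $EnabledPlans
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $user.UsageLocation) {
        throw "$UserPrincipalName has no UsageLocation; set it before assigning a license."
    }
    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) {
        # SKU already assigned: -LicenseOptions alone changes which plans are enabled
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $options
    } else {
        # SKU not yet assigned: -LicenseOptions must be combined with -AddLicenses
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId `
            -LicenseOptions $options
    }
}

function Get-UserPlanStatus {
    # Shows what was actually provisioned, so the result can be verified after the change
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId
    )
    $license = (Get-MsolUser -UserPrincipalName $UserPrincipalName).Licenses |
        Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    $license.ServiceStatus |
        Select-Object @{Name = 'Plan'; Expression = { $_.ServicePlan.ServiceName }}, ProvisioningStatus
}

$upn = 'melissa@Adatum.onmicrosoft.com'
Set-AllowListLicense -UserPrincipalName $upn -AccountSkuId 'Adatum:ENTERPRISEPACK' `
    -EnabledPlans 'OFFICESUBSCRIPTION', 'MCOSTANDARD', 'SHAREPOINTENTERPRISE'
Get-UserPlanStatus -UserPrincipalName $upn -AccountSkuId 'Adatum:ENTERPRISEPACK' | Format-Table -AutoSize
```

The allow-list form is the one to keep in scripts: a deny-list written today is wrong the day a new plan
appears in the SKU, and nothing will tell you.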

Deleting users
When a user leaves the organization, you can use the Remove-MsolUser cmdlet to remove the user from
Office 365. This cmdlet deletes the user, the user's licenses, and any other associated data. This type of
deletion is also known as a soft delete.

To delete a user without confirming the operation, at the command prompt, type the following
command, and then press Enter:

Remove-MsolUser -UserPrincipalName username@domainname -Force

For example:

Remove-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -Force

Note: The -Force switch performs the deletion without requiring you to confirm the
operation at the command prompt. While this speeds up the operation, it does create the
possibility of human error.

As in the Office 365 admin center, when you delete a user, by default, his or her account remains in the
Deleted Users view (the recycle bin) for 30 days before it is permanently deleted. This gives you some
time to retrieve accounts that were deleted in error. However, if you wish to remove an already deleted
account permanently from the recycle bin, you can use the -RemoveFromRecycleBin switch. This type of
deletion is also known as a hard delete.

To delete a user from the recycle bin permanently, at the command prompt, type the following
command, and then press Enter:

Remove-MsolUser -UserPrincipalName username@domainname -RemoveFromRecycleBin

For example:

Remove-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -RemoveFromRecycleBin

Restoring users
If you accidentally delete a user, you can use the Restore-MsolUser cmdlet to restore the user account
from the recycle bin back to its original state, as long as you do this within 30 days of the deletion.

To restore a user account from the recycle bin:

1. At the command prompt, type the following command, and then press Enter:

Get-MsolUser -ReturnDeletedUsers

2. Note the UserPrincipalName of the user you want to restore, and at the command prompt, type the
following command, and then press Enter:

Restore-MsolUser -UserPrincipalName userprincipalnameofusertorestore

If the user principal name or a proxy address has been reused by another object since the deletion, the
restore fails; use the -NewUserPrincipalName or -AutoReconcileProxyConflicts parameters of
Restore-MsolUser to resolve the conflict.

Additional Reading: For more information, refer to: How to troubleshoot deleted user
accounts in Office 365, Azure, and Intune at: http://aka.ms/g5rx76

Managing groups by using Windows PowerShell


You can use several Windows PowerShell cmdlets to perform tasks that relate to security group
management in Office 365.

Creating security groups

You use security groups in Office 365 to organize users logically. You can use the Get-MsolGroup cmdlet
to return a detailed list of the security groups that exist for your tenant; by default it returns up to 250
groups, and the -All parameter returns all of them. The information in the returned list includes the
following:

ObjectId, which is useful when running other cmdlets

Display name

Group type

Description

To create a security group:

1. Open the Azure AD module for Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

New-MsolGroup -DisplayName displayname -Description description

For example:

New-MsolGroup -DisplayName Sales -Description "Sales Team"

Deleting security groups


Use the Remove-MsolGroup cmdlet to delete a security group from your Office 365 tenant.
To delete a security group, at the command prompt, type the following command, and then press Enter:

Remove-MsolGroup -ObjectId objectid -Force

For example:

Remove-MsolGroup -ObjectId 6146df44-dfec-4a88-958b-f5627deb0b1a -Force

Note: Rather than looking up and typing the ObjectId when deleting a group, you can store the result of
Get-MsolGroup with the -SearchString parameter in a variable such as $groupId and pass its ObjectId.
Because -SearchString matches the beginning of the display name, check that exactly one group was
returned before deleting it; a deleted security group cannot be restored.

Adding and removing users from a security group


Use the Add-MsolGroupMember cmdlet to add members to a security group. The new members can be
users or other security groups, if you nest your security groups.

To determine a user's ObjectId, at the command prompt, type the following command, and then press
Enter:

Get-MsolUser -All | Select UserPrincipalName, ObjectId

This returns a list of all users with their UserPrincipalName and ObjectId, which you can use in the next
series of commands.

To add a user to a security group, at the command prompt, type the following command, and then press
Enter:

Add-MsolGroupMember -GroupMemberObjectId groupmemberobjectid -GroupObjectId groupobjectid

For example:

Add-MsolGroupMember -GroupMemberObjectId f62298ad-6ec1-4da3-8b47-4b84d1cc5941 -GroupObjectId 6146df44-dfec-4a88-958b-f5627deb0b1a

To nest a security group rather than add a user, add -GroupMemberType Group to the command; the
default member type is User.

To remove a user from a security group, at the command prompt, type the following command, and then
press Enter:

Remove-MsolGroupMember -GroupMemberObjectId groupmemberobjectid -GroupObjectId groupobjectid

For example:

Remove-MsolGroupMember -GroupMemberObjectId f62298ad-6ec1-4da3-8b47-4b84d1cc5941 -GroupObjectId 6146df44-dfec-4a88-958b-f5627deb0b1a
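The following script is an added example and is not part of the course material. It wraps the group
membership cmdlets above so that you work with group names and user principal names instead of
copying ObjectIds, and it handles the failure modes the raw commands do not: -SearchString is a prefix
match and can return several groups, a directory-synchronized group cannot be changed in the cloud,
Add-MsolGroupMember fails when the member is already present, and a group must not be nested
inside itself. It assumes an active Connect-MsolService session; the group and user names are
assumptions.

```powershell
# Added example, not part of the course: manage security group membership by group name and UPN
# rather than by raw ObjectIds. Assumes an active Connect-MsolService session; the group and
# user names are assumptions.

function Get-SecurityGroupExact {
    param([Parameter(Mandatory)][string]$DisplayName)
    # -SearchString matches on a prefix, so 'Sales' also returns 'Sales Managers'; keep exact matches only
    $found = @(Get-MsolGroup -GroupType Security -SearchString $DisplayName |
        Where-Object { $_.DisplayName -eq $DisplayName })
    if ($found.Count -eq 0) { throw "No security group named '$DisplayName'." }
    if ($found.Count -gt 1) { throw "$($found.Count) groups are named '$DisplayName'; use -ObjectId instead." }
    if ($found[0].LastDirSyncTime) { throw "'$DisplayName' is synchronized from on-premises AD; change it there." }
    $found[0]
}

function Add-MemberToSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$MemberName,
        [ValidateSet('User', 'Group')][string]$MemberType = 'User'
    )
    $group = Get-SecurityGroupExact -DisplayName $GroupName
    $member = if ($MemberType -eq 'User') {
        Get-MsolUser -UserPrincipalName $MemberName          # throws if the user does not exist
    } else {
        Get-SecurityGroupExact -DisplayName $MemberName      # nesting one security group in another
    }
    if ($MemberType -eq 'Group' -and $member.ObjectId -eq $group.ObjectId) {
        throw "Refusing to nest '$GroupName' inside itself."
    }
    # Add-MsolGroupMember fails if the member is already present, so check first
    $current = @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All)
    if ($current.ObjectId -contains $member.ObjectId) {
        Write-Host "$MemberName is already a member of $GroupName"
        return
    }
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType $MemberType `
        -GroupMemberObjectId $member.ObjectId
    Write-Host "Added $MemberType $MemberName to $GroupName"
}

function Remove-MemberFromSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $group = Get-SecurityGroupExact -DisplayName $GroupName
    $user  = Get-MsolUser -UserPrincipalName $UserPrincipalName
    Remove-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
        -GroupMemberObjectId $user.ObjectId
    Write-Host "Removed $UserPrincipalName from $GroupName"
}

Add-MemberToSecurityGroup -GroupName 'Sales' -MemberName 'melissa@Adatum.onmicrosoft.com'
Add-MemberToSecurityGroup -GroupName 'Sales' -MemberName 'Sales Managers' -MemberType Group
Remove-MemberFromSecurityGroup -GroupName 'Sales' -UserPrincipalName 'melissa@Adatum.onmicrosoft.com'
```

Resolving names to exactly one object before calling the Add or Remove cmdlet is the point of the
wrapper: a prefix match that silently picks the wrong group grants SharePoint access to the wrong people.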

Importing users and groups by using Windows PowerShell


If you need to provision multiple accounts in Office 365, you can use the Import-Csv cmdlet with a CSV
file. This CSV file should contain a list of all the user accounts that you want to create, with a column for
each of the following user properties:

FirstName

LastName

DisplayName

UserPrincipalName

LicenseAssignment, if you want to assign licenses at the same time

UsageLocation, which is required whenever a license is assigned

Import-Csv reads the CSV file and emits one object per row; a ForEach-Object loop then calls
New-MsolUser to create (and, if a license is specified, license) an Office 365 user for each row.

For example:

Import-Csv -Path c:\users.csv | ForEach-Object {
    New-MsolUser -FirstName $_.FirstName -LastName $_.LastName `
        -UserPrincipalName $_.UserPrincipalName `
        -DisplayName "$($_.FirstName) $($_.LastName)" `
        -LicenseAssignment 'AdatumPublishing:ENTERPRISEPACK' `
        -UsageLocation US
}

Note: New-MsolUser generates a random password for each user when you omit the -Password
parameter and returns that password in the object it outputs, so capture the output rather than letting it
scroll by. If you want to predefine your own passwords, add an extra column to the CSV file with the
passwords in it and update the script to pass that column to the -Password parameter.
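The following script is an added example and is not part of the course material. It serves both the
"Adding users and licenses" topic and the CSV import above: it provisions users from a CSV file with the
checks a production run needs (required columns, malformed user principal names, users that already
exist, and a license assignment that is missing the UsageLocation it requires), forces a password change at
first sign-in, and captures the generated temporary passwords. It assumes an active Connect-MsolService
session; the file path, the tenant prefix Adatum and the sample rows are constructed for the example.

```powershell
# Added example, not part of the course: bulk-provision users from a CSV file with the checks a
# production run needs. Assumes an active Connect-MsolService session; the file path, the tenant
# prefix 'Adatum' and the sample rows below are assumptions constructed for the example.

$csvPath = "$env:TEMP\users.csv"
@'
FirstName,LastName,UserPrincipalName,UsageLocation,LicenseAssignment
Melissa,MacBeth,melissa@Adatum.onmicrosoft.com,US,Adatum:ENTERPRISEPACK
Holly,Dickson,holly@Adatum.onmicrosoft.com,,Adatum:ENTERPRISEPACK
'@ | Set-Content -Path $csvPath

function Test-UserRow {
    # Returns the problems found in one CSV row; no output means the row is usable
    param([Parameter(Mandatory)]$Row)
    $problems = @()
    foreach ($col in 'FirstName', 'LastName', 'UserPrincipalName') {
        if ([string]::IsNullOrWhiteSpace($Row.$col)) { $problems += "missing $col" }
    }
    if ($Row.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += 'malformed UserPrincipalName' }
    # Office 365 refuses to assign a license to a user without a usage location
    if ($Row.LicenseAssignment -and -not $Row.UsageLocation) { $problems += 'LicenseAssignment without UsageLocation' }
    $problems
}

function Import-UsersFromCsv {
    param([Parameter(Mandatory)][string]$Path, [switch]$DryRun)
    $existing = @((Get-MsolUser -All).UserPrincipalName)
    foreach ($row in Import-Csv -Path $Path) {
        $upn = $row.UserPrincipalName
        $problems = @(Test-UserRow -Row $row)
        if ($existing -contains $upn) { $problems += 'already exists' }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ UPN = $upn; Status = "skipped: $($problems -join '; ')"; TempPassword = $null }
            continue
        }
        if ($DryRun) {
            [pscustomobject]@{ UPN = $upn; Status = 'would create'; TempPassword = $null }
            continue
        }
        $params = @{
            UserPrincipalName   = $upn
            FirstName           = $row.FirstName
            LastName            = $row.LastName
            DisplayName         = "$($row.FirstName) $($row.LastName)"
            ForceChangePassword = $true   # the generated password is only good for the first sign-in
        }
        if ($row.LicenseAssignment) {
            $params.UsageLocation     = $row.UsageLocation
            $params.LicenseAssignment = $row.LicenseAssignment
        }
        try {
            $created = New-MsolUser @params
            # New-MsolUser returns the generated password in the Password property of its output
            [pscustomobject]@{ UPN = $created.UserPrincipalName; Status = 'created'; TempPassword = $created.Password }
        } catch {
            [pscustomobject]@{ UPN = $upn; Status = "failed: $($_.Exception.Message)"; TempPassword = $null }
        }
    }
}

Import-UsersFromCsv -Path $csvPath -DryRun | Format-Table -AutoSize
# The real run writes temporary passwords to disk: keep the file readable only by the administrator,
# hand the passwords over out of band, and delete the file once the users have signed in
Import-UsersFromCsv -Path $csvPath | Export-Csv -Path "$env:TEMP\provisioned.csv" -NoTypeInformation
```

With the sample rows, the dry run reports that Melissa would be created and that Holly is skipped
because her row assigns a license without a UsageLocation; fixing the CSV before the real run is cheaper
than explaining a half-provisioned account.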

If you need to provision multiple group objects in Office 365, similar to provisioning multiple user
accounts, you can use the Import-Csv cmdlet with a CSV file. The CSV file should contain a list of all the
groups that you want to create, with a column for each of the group properties, such as:

DisplayName

Description

TenantID, which is only needed when a partner administers another organization's tenant; omit the
column and the parameter when you manage your own tenant

For example:

Import-Csv -Path c:\groups.csv | ForEach-Object {
    New-MsolGroup -DisplayName $_.DisplayName `
        -Description $_.Description `
        -TenantID $_.TenantID
}

Managing users and groups by using Windows PowerShell scripts

If you need to manage multiple users, for example, to update attributes for a large number of users or
groups, you can use Windows PowerShell scripts to perform management tasks. Windows PowerShell
scripts are executable files that include multiple cmdlets, and these cmdlets run in the order specified in
the script file. Because you use Windows PowerShell scripts for managing multiple objects, we
recommend careful planning and testing in a non-production tenant before running the scripts.
Furthermore, you should only run scripts that you understand and know what they do. Do not apply
scripts in your production environment that you download from third-party sites if you do not
thoroughly understand the cmdlets in these scripts.

Using scripts for connecting to Office 365


You might create a script that will connect to specific services of an Office 365 tenant. The script should
obtain your credentials (prompt for them with Get-Credential rather than storing a password in the script
file), import the appropriate module for managing Office 365, and import a remote Windows PowerShell
session. The following is an example of the cmdlets that you might include in a script that will connect to
an Office 365 tenant:

$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential

If you want to administer Skype for Business Online in Office 365, you should add the following cmdlets to
the script:

Import-Module LyncOnlineConnector
$lyncSession = New-CsOnlineSession -Credential $credential
Import-PSSession $lyncSession

If you also want to administer Exchange Online in Office 365, you should add the following cmdlets to the
script:

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $ExchangeSession

If you also want to administer SharePoint Online in Office 365, you should add the following cmdlets to
the script:

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://contoso-admin.sharepoint.com -Credential $credential

If you want to manage users and groups, you can add the cmdlets for Office 365 users and groups to the
script. For example, to add the user Amy to the Marketing distribution group, add the following cmdlet to
the script; it is an Exchange Online cmdlet, so it is only available after the Exchange Online session has
been imported:

Add-DistributionGroupMember -Identity "Marketing" -Member Amy@contoso.com

When the script finishes, close the remote sessions with Remove-PSSession so that they do not remain
open on the service. The earlier topics in this lesson include examples of Windows PowerShell cmdlets
that you can include in a script for managing users, groups, and licenses.

Configuring password policies by using Windows PowerShell


While you can manage password policies by using the Office 365 admin center, Windows PowerShell
provides more functionality than is available in the Office 365 admin center. You can use the Azure AD
module for Windows PowerShell to accomplish the following tasks:

Change a user's password.

Set the password policy for the tenant.

Configure user passwords to never expire.

Remove the Password Never Expires setting.

View which user passwords are set to never expire.

Remove strong password complexity requirements on a per-user basis.

Changing a users password


Users receive a temporary password automatically when their user account is created. When they first sign
in, they are required to change their temporary password to a new one that conforms to the Office 365
password policy.

You can also reset a user password in the Office 365 admin center or by using a Windows PowerShell
cmdlet. To change a user's password in Windows PowerShell, at the command prompt, type the following
command, and then press Enter:

Set-MsolUserPassword -UserPrincipalName userprincipalname -NewPassword newpassword

Note: If you omit the -NewPassword parameter, the operation is a password reset rather than a
password change; in this case, the cmdlet generates and returns a random password, and the user must
change it at the next sign-in. When you do supply a password, add -ForceChangePassword $true so that
a password known to the administrator is only ever used once.

Setting the password policy for a tenant


You can use the Set-MsolPasswordPolicy cmdlet to set the same password policy settings as you can in
the Office 365 admin center: the number of days a password remains valid and the number of days before
expiration that users are notified.

To configure the password policy for a tenant in Windows PowerShell, at the command prompt, type the
following command, and then press Enter:

Set-MsolPasswordPolicy -DomainName domainname -ValidityPeriod numberofdays -NotificationDays numberofdays

You can also view the current password policy settings by using the Get-MsolPasswordPolicy cmdlet.

Configuring passwords to never expire


You can use Azure AD module for Windows PowerShell commands to configure one or all users so that
their passwords do not expire.

To configure a password to never expire for a single user, at the command prompt, type the following
command, and then press Enter:

Set-MsolUser -UserPrincipalName userprincipalname -PasswordNeverExpires $true

To configure passwords to never expire for all users, at the command prompt, type the following
command, and then press Enter (Get-MsolUser returns only the first 500 users unless you specify -All):

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

Removing the Password Never Expires setting

You can also turn off the Password Never Expires setting for individual users or all users with the Azure AD
module for Windows PowerShell.

To configure a password to expire for a single user, at the command prompt, type the following
command, and then press Enter:

Set-MsolUser -UserPrincipalName userprincipalname -PasswordNeverExpires $false

To configure passwords to expire for all users, at the command prompt, type the following command, and
then press Enter:

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $false

Viewing passwords that are set to never expire

You can use Windows PowerShell to determine which users have their passwords set to never expire.

To view if a single user password is set to never expire, at the command prompt, type the following
command, and then press Enter:

Get-MsolUser -UserPrincipalName userprincipalname | Select PasswordNeverExpires

To view the Password Never Expires setting for all users, at the command prompt, type the following
command, and then press Enter:

Get-MsolUser -All | Select UserPrincipalName, PasswordNeverExpires

Note: You can only set passwords to never expire on user accounts that have not been
synchronized with a directory service.

Removing strong password requirements


The default setting in Office 365 requires that all user passwords must comply with complexity
requirements, including the following criteria:

The password must contain at least one lowercase character.

The password must contain at least one uppercase character.

The password must contain at least one non-alphanumeric character.

The password cannot contain any spaces, tabs, or line breaks.

The password must be between 8 and 16 characters in length.

The password cannot contain the user name.

However, you can use Windows PowerShell to change that behavior on a per-user basis.

To remove strong password requirements for a single user, at the command prompt, type the following
command, and then press Enter:

Set-MsolUser -UserPrincipalName userprincipalname -StrongPasswordRequired $false

Note: We do not recommend removing the strong password requirement, and you should
do so only if specific circumstances require it. Review the accounts on which it has been removed
periodically, because the exception persists until you set -StrongPasswordRequired back to $true.

Discussion: Office 365 admin center vs. Windows PowerShell


Based on the previous topic, discuss an Office 365 management task with other students based on the
following questions:

What are the benefits of managing an Office 365 tenant with the Office 365 admin center?

In what scenario will you administer users and groups by using the Office 365 admin center?

What are the benefits of managing an Office 365 tenant with Windows PowerShell?

Lesson 5
Configuring administrative access
In this lesson, you will learn about the permission model in Office 365, and you will learn how to create,
assign, or revoke administrative roles. You will also learn how to determine and assign roles, such as the
global administrator, billing administrator, and user account administrator, and how to delegate
administration to different administrators in your organization.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Office 365 administrator roles.

Explain how to assign Office 365 administrator roles.

Explain how to plan for delegated administration.

Office 365 administrator roles


Office 365 provides several predefined
administrator roles that you can assign to other
users in your organization to ease administrative
burdens. Because of the nature of the tasks that
these roles can perform, you need to think
carefully about whom you assign them to,
ensuring that those people are responsible and
trustworthy.

Permission model in Office 365


The permission model in Office 365 on which
administrator roles are based is referred to as role-
based access control (RBAC). The RBAC model
makes it easier to assign permissions to a user by giving that user a role with predefined permissions
assigned to it.
Other online services have their own permission models. For example, Exchange Online uses a similar
RBAC model to define administrator roles, but it also uses a security model based on individual
permissions for its mailboxes. SharePoint Online has its own security permission model based on security
groups, permissions, and permission levels, which allows administrators to assign individual permissions or
groups of permissions to its resources, such as site collections, sites, and documents.

Office 365 administrator roles


When you assign roles to a user, you can select to make the user a global administrator or a customized
administrator. The global administrator role can perform all administrative tasks, including assigning
administrator roles to other users. You can have more than one global administrator. The first user
account created during tenant creation is the only global administrator assigned by default.

The customized administrator roles that can be assigned are:

Billing administrator. This role can make purchases, manage subscriptions, manage support tickets,
and monitor the health of the online service.

Note: If your organization did not purchase Office 365 directly from Microsoft, but instead
purchased it through a partner, then you cannot make billing changes, and therefore, you cannot
be assigned the billing administrator role.

Exchange administrator. This role manages Exchange Online by using the Exchange admin center in
Office 365.

Password administrator. This role can change and reset passwords, manage service requests, and
monitor the health of the online service. Password administrators can only change and reset
passwords for standard users and other password administrators, not for other administrator roles.

Skype for Business administrator. This role manages Skype for Business Online by using the Skype
for Business admin center in Office 365.

Service administrator. This role can manage service requests and monitor the health of the online
service. You first need to assign administrative permission to a service such as Exchange Online before
you assign this role to a user.

SharePoint administrator. This role manages SharePoint Online by using the SharePoint admin
center in Office 365.

User management administrator. This role can create and delete users and groups, and it can reset
passwords, manage service requests, and monitor the health of the online service. Although they can
create and delete users, user management administrators are restricted from the following:

o They cannot create other administrator roles.

o They cannot delete global administrators.


o They cannot reset passwords for billing administrators, global administrators, or service
administrators.

In Windows PowerShell, not all administrator roles have the same names as specified in the Office 365
admin center. The following table lists the equivalent role names.

Office 365 admin center role name    Windows PowerShell equivalent role name
Global administrator                 Company administrator
Billing administrator                Billing administrator
Password administrator               Helpdesk administrator
Service administrator                Service support administrator
User management administrator        User account administrator

To view the available administrator roles in the Azure AD module for Windows PowerShell, at the
command prompt, type the following command, and then press Enter:

Get-MsolRole

Global administrator-only tasks


Only a global administrator can:

Manage domains.

Manage organization information.

Delegate administrator roles to other users.

Use directory synchronization.

Assigning administrator roles


You can use the Office 365 admin center or Windows PowerShell to assign the various administrator roles
to users in Office 365.

To assign an administrator role in the Office 365 admin center, perform the following steps:

1. In the Office 365 admin center Home page, click Users.

2. In the list view, click the name of the user to which you want to assign an administrator role.

3. In the details pane on the right side, in the Roles section, click Edit.

4. Under Edit user roles, select an admin role by selecting one of the option buttons.

5. Provide an alternate email address.

6. Save your changes.

To assign an administrator role in Windows PowerShell, at the command prompt, type the following
cmdlet, and then press Enter:

Add-MsolRoleMember -RoleName nameofrole -RoleMemberEmailAddress useremailaddress

For example:

Add-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberEmailAddress melissaf@Adatum.onmicrosoft.com

To view a user's assigned administrator roles, at the command prompt, type the following cmdlet, and then
press Enter:

Get-MsolUserRole -UserPrincipalName userprincipalname

To view all users who are assigned to a specific administrator role, at the command prompt, type the
following cmdlets, pressing Enter after each:

$role = Get-MsolRole -RoleName "Helpdesk Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

To remove an administrator role in Windows PowerShell, at the command prompt, type the following
cmdlet, and then press Enter:

Remove-MsolRoleMember -RoleName nameofrole -RoleMemberEmailAddress useremailaddress

For example:

Remove-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberEmailAddress melissaf@Adatum.onmicrosoft.com

Corresponding online service roles


Administrator roles in Office 365 have some corresponding roles in other online services, such as
Exchange Online and SharePoint Online.

Office 365 role                  Exchange Online role              SharePoint Online role            Skype for Business Online role
Global administrator             Exchange Online administrator,    SharePoint Online administrator   Skype for Business Online administrator
                                 Company administrator
Billing administrator            Not applicable                    Not applicable                    Not applicable
Password administrator           Helpdesk administrator            Not applicable                    Skype for Business Online administrator
Service administrator            Not applicable                    Not applicable                    Not applicable
User management administrator    Not applicable                    Not applicable                    Skype for Business Online administrator
Exchange Online administrator    Exchange Online administrator     Not applicable                    Not applicable
Skype for Business Online        Not applicable                    Not applicable                    Skype for Business Online administrator
administrator
SharePoint Online administrator  Not applicable                    SharePoint Online administrator   Not applicable

Planning delegated administration


If you do not have in-house administrators, you can outsource your administration to a Microsoft partner.
For example, if your organization is small and does not need specialized IT administration roles, you
might rely on a Microsoft partner to provide IT administrative functionality.

In Office 365, this is called delegated administration, and it is initiated by a partner sending your
organization an email message requesting that you give them permission to act as an administrator on
your behalf.

Delegated administration process


To accept the delegated administration offer:

1. Open the email message from your partner and read the terms of the offer.

2. Click the link to authorize the agreement, which takes you to an authorization page in Office 365.

3. Under Delegated administration, click Yes to authorize the partner to be your delegated
administrator.

4. If the delegated administration offer came with a trial subscription or a purchase offer, create the trial
or subscription tenant account.

To view the delegated administrators, in the Office 365 admin center, click Settings, and then click
Partner relationships.

Administrator roles set by partners


When you delegate administration to a partner, they receive the ability to specify administration roles for
your organization when they create users on your behalf. They can assign these roles to support agents in
their own organization or to users in your organization. However, delegated administrators are restricted
to the following two roles only:

Full administration. This role has the same privileges as the Global administrator role in Office 365.
Limited administration. This role has the same privileges as the Password administrator role in
Office 365.

To ensure that you manage Office 365 administrator roles correctly, we recommend the following best
practices:

Carefully plan administrator roles by creating a matrix to distribute roles based on the organization's
operational model.

Document and audit administration roles and their privileges.

Ensure that you keep administration roles up to date by changing or removing roles as necessary.

Ensure that you get approval and sign off for final administration role design.
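An added example (not from the course manual) that serves two passages in this lesson: it uses Get-MsolRole and Get-MsolRoleMember, as shown under Assigning administrator roles, to build the role matrix that the best practices above ask you to document and audit, and it flags any member who is not on an approved list. It assumes the MSOnline module is loaded and Connect-MsolService has been run; the $ExpectedAdmins list is constructed for illustration (melissaf is the account from the topic's own example, and the admin@ address is a placeholder).

```powershell
# Added example (not from the course manual): enumerate every administrator role and its
# members, then compare the result with an approved role matrix.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.

# Constructed approved matrix, keyed by the Windows PowerShell role name (see the role
# name table in this lesson). Replace the entries with your organization's own design.
$ExpectedAdmins = @{
    'Company Administrator'  = @('admin@Adatum.onmicrosoft.com')      # placeholder account
    'Helpdesk Administrator' = @('melissaf@Adatum.onmicrosoft.com')   # account from the topic example
}

function Get-AdminRoleMatrix {
    # One row per (role, member) pair across all roles returned by Get-MsolRole
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            [PSCustomObject]@{
                Role       = $role.Name
                Member     = $member.EmailAddress
                MemberType = $member.RoleMemberType
                Approved   = [bool]($ExpectedAdmins[$role.Name] -contains $member.EmailAddress)
            }
        }
    }
}

$matrix = Get-AdminRoleMatrix
$matrix | Sort-Object Role, Member | Format-Table -AutoSize

# Anything not in the approved matrix is a candidate for review or removal
$unexpected = $matrix | Where-Object { -not $_.Approved }
if ($unexpected) {
    Write-Warning 'Role assignments that are not in the approved matrix:'
    $unexpected | Format-Table Role, Member, MemberType -AutoSize
}
```

Exporting $matrix with Export-Csv on a schedule gives the documented, dated record that the audit practice calls for.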

Question: What are the administrator roles that you can assign in Office 365?

Lab B: Managing Office 365 groups and administration


Scenario
In addition to creating user accounts, you also need to know how to create group accounts in Office 365.
In this pilot project, you will use Windows PowerShell commands to manage users and groups. If the pilot
is successful, you can manage several hundred users and groups, and Windows PowerShell will be a
means to manage them efficiently. One of the goals in the pilot project is to test delegated administration
in Office 365, so you also need to delegate password management and billing management to different
users.

Objectives
After completing this lab, you will be able to:

Manage Office 365 groups by using the Office 365 admin center.

Manage Office 365 users and groups by using Windows PowerShell.

Configure delegated administrators.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual.
Use the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes

Virtual machine: 20347A-LON-DC1, 20347A-LON-CL1


User name: Adatum\Administrator for LON-DC1 and Adatum\Holly for LON-CL1

Password: Pa55w.rd

In all of the tasks:


Where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with
your unique Office 365 name that displays on the online lab portal.

Where you see references to yourdomain.hostdomain.com, replace yourdomain with your unique
domain name that displays on the online lab portal.

This lab requires the following virtual machines (use only the virtual machines required for your lab):

LON-DC1

o Sign in as Adatum\Administrator with the password Pa55w.rd.

LON-CL1

o Sign in as Adatum\Holly with the password Pa55w.rd.

Question: How would you design your group structure to minimize adding and removing
people from groups?

Question: What should you do before you can use Windows PowerShell to administer users
and groups in Office 365?

Question: Why would you create multiple administrative roles in Office 365 by using role-
based access control (RBAC)?

Module Review and Takeaways


Review Questions

Question: What is the most efficient way of creating user accounts if your organization
decides to migrate to Office 365?

Question: How will you configure Office 365 password policies in your organization, and will
you use multi-factor authentication?

Question: Why is it more convenient to assign permissions to security groups than to users?

Question: In which management scenarios will you use Office 365 with Windows PowerShell
rather than the Office 365 admin center?

Question: In which scenarios will you use RBAC in Office 365?

Best Practices
Always perform detailed planning for user and group management, and check the plan in a test
Office 365 tenant before deploying in production.

Plan and test user administrative tasks to improve user management efficiency and to eliminate errors
in the production environment, especially when running Windows PowerShell scripts.

Plan for multi-factor authentication to help administrators choose the authentication method that
suits their organizational security requirements.

Plan administrative roles to distribute administrative tasks according to organizational security and
business requirements.

Module 3
Configuring client connectivity to Office 365
Contents:
Module Overview 3-1

Lesson 1: Planning for Office 365 clients 3-2

Lesson 2: Planning connectivity for Office 365 clients 3-8

Lesson 3: Configuring connectivity for Office 365 clients 3-18

Lab: Configuring client connectivity to Office 365 3-24

Module Review and Takeaways 3-25

Module Overview
Microsoft Office 365 supports different types of clients that run on various hardware platforms. In
this module, you will learn about the different types of client software that you can use to connect to
Office 365. You also will learn about the infrastructure requirements that the clients need to connect
to Office 365, and how to configure different types of Office 365 clients.

Objectives
After completing this module, you will be able to:
Plan for the deployment of Office 365 clients.

Plan for, and troubleshoot, connectivity for Office 365 clients.

Configure connectivity for Office 365 clients.



Lesson 1
Planning for Office 365 clients
You can use several clients to connect to Office 365, such as Office 2016 apps for Windows, Microsoft
Office Online, mobile devices, and Office 2016 for Mac. Based on your organization's business
requirements, you should choose the appropriate clients and deploy them in your organization.

Lesson Objectives
After completing this lesson, you will be able to:

List the types of clients that can connect to Office 365.

List the new features in Office 2016.


Describe the key features and usage scenarios for Office Online.

Identify the mobile clients that are available for Office 365.

List the new features in Office 2016 for Mac.

Overview of Office 365 clients


Depending on the Office 365 plan, you can deploy
several client packages to your end users.

Microsoft Office 365 ProPlus


Office 365 ProPlus is a downloadable version of the
Microsoft productivity suite, and it includes
Microsoft Word 2016, Excel 2016, PowerPoint 2016,
Outlook 2016, Access 2016, Publisher 2016,
OneNote 2016, Sway, and the Skype for Business
client. Office 365 ProPlus also includes Microsoft
OneDrive for Business with 1TB of personal cloud
storage for each user.

Office 365 ProPlus supports streaming deployment by using the Click-to-Run technology, which allows
users to click an application-installation icon, and start using the application while the application installs
in the background. Office 365 ProPlus is not a web-based version of Microsoft Office, so users do not have
to be connected to the Internet permanently. However, users will need an Internet connection during
deployment. After the Office 365 ProPlus installation finishes, it runs locally on the user's computer. This
course will cover more details about Office 365 ProPlus in later modules.

Visio and Project Pro


Some Office 365 plans also include Visio and Project Pro. However, these applications are not part of
Office 365 ProPlus.

Office Online
There also are Office Online versions of Word, Excel, PowerPoint, and OneNote. Office Online streams
them directly from the cloud, and you cannot use these applications offline. These applications run using
your web browser, and they provide a limited set of functionalities compared to the full version provided
with Office 365 ProPlus.

Office 2016 for Mac


Office 2016 for Mac is the version of Office that runs on Mac OS X. Office for Mac includes Word, Excel,
PowerPoint, OneNote, and Outlook. You can configure whether Office 2011 for Mac, Office 2016 for Mac,
or both are available on the Apps page in the Office 365 admin center. Mac users can download and
install the software from the Office 365 Software site. The license that covers Office installation for PC or
mobile phone also covers the installation of Office for Mac.

Office for iPad, iPhone and iPod touch


You can use the new Office for iPad, iPhone, and iPod touch app to view, create, and edit documents on
an iPad. You can install this application from the App Store, and it consists of touch-friendly versions of
Word, Excel, PowerPoint, OneNote, and Outlook. Apart from these applications, you can also install Skype
for Business, Office 365 Video, and applications to access SharePoint groups and Office 365 groups. All
Office applications are available for iPhone and iPad. You can use these applications for free in a view-
only mode, but if you want to edit documents, you must have an Office 365 subscription.

Office for Android


If you use an Android-based mobile phone or tablet, you can now use the Android version of Office.
Office for Android includes Word, Excel, PowerPoint, OneNote, and Outlook. You can use these
applications to view, create, and edit documents on a mobile phone or a tablet. Skype for Business and
OneDrive are also available for Android devices. You can install all these applications from Google Play
Store. You can use these applications for free in a view-only mode, but if you want to edit documents, you
must have an Office 365 subscription.

New features in Office 2016


Any user of Office 365, who has an eligible license,
can install Office applications directly from the
Office 365 user portal to their PC or Mac. Users can
choose between Office 2013 and Office 2016 for
their PC or Office 2011 for Mac and Office 2016 for
Mac for their Mac OS devices. Office 365
subscribers, who have installed Office 2013 already,
have an option to upgrade their current Office 2013
apps to Office 2016, which provides several new
features, including:

The coauthoring feature in Word and PowerPoint enables multiple users to work together on a
document simultaneously. Users can collaborate on shared documents regardless of the devices they
are using.

The OneDrive integration feature in Word, PowerPoint, Excel, OneNote, and Outlook provides access
to Office documents that users save in OneDrive from different devices and Office apps.

The Skype integration feature enables users to collaborate from any device by using instant
messaging, audio, video, and screen sharing.

The multiplatform support feature in Word, PowerPoint, Excel, OneNote, and Outlook enables users
to work on different devices, including Windows, Android, and Apple devices.

The Clutter feature in Outlook makes decisions on prioritizing users' emails, and moves lower priority
emails to a separate folder.

If you install Office to your PC or Mac from the Office 365 user portal, you will also be eligible to receive
automatic feature updates for Office. Microsoft releases a set of feature updates for Office apps almost
every month.

Additional Reading: For more information, refer to: What's new and improved in Office
2016 for Office 365 at: https://aka.ms/vqzwz0

Office Online
Office Online provides an alternative way to use
Office applications online. You cannot use Office
Online in an offline mode because you never install
it on your local computer. You stream Office Online
from either Office 365 or on-premises servers.
Therefore, you need Internet access or network
access to use Office Online. Office Online is
accessible from various Microsoft and non-
Microsoft browsers. Also, you can access Office
Online from tablets and smartphones. You can use
the following Office Online apps to view and edit
documents online:
Microsoft Word Online

Microsoft OneNote Online

Microsoft PowerPoint Online

Microsoft Excel Online

Office Online vs. Office 365 ProPlus and Office 2016 Professional Plus
Office Online provides a subset of the Office 365 ProPlus and Office 2016 Professional Plus features.
However, this subset includes all of the editing and formatting features that users utilize most commonly,
including:

Word Online. Includes features that allow you to perform basic document editing and formatting in a
web browser. However, to perform advanced editing, you must open the documents in Word by
using the Open in Word command. After you finish your edits, you can save them to the website
from which you opened Word Online.

Additional Reading: For more information, refer to: Differences between using a
document in the browser and in Word at: http://aka.ms/b2wwul

OneNote Online. Enables you to take notes and organize note pages in a web browser. However,
to perform advanced editing, you must open the notebooks in OneNote by using the Open in
OneNote command. In OneNote Online, you cannot open notebooks that are created with versions
prior to OneNote 2010.

Additional Reading: For more information, refer to: Differences between using a
notebook in the browser and in OneNote at: http://aka.ms/js6f8w

PowerPoint Online. Enables you to create and share basic presentations in your web browser. You can
work simultaneously with others, and present your slide show from anywhere. To perform advanced
editing, you must open the presentations in PowerPoint by using the Open in PowerPoint
command.

Additional Reading: For more information, refer to: How certain features behave in
PowerPoint Online at: http://aka.ms/edhcwl

Excel Online. Enables you to view a workbook in a browser window, and use basic editing and
printing features. However, to perform advanced editing, you must open the workbook in Excel by
using the Open in Excel command.

Additional Reading: For more information, refer to: Differences between using a
workbook in the browser and in Excel at: http://aka.ms/sc8n0n

System requirements
Office Online supports the following browsers:

Microsoft Edge

Internet Explorer 11 or newer

The latest version of Mozilla Firefox

The latest version of Apple Safari

The latest version of Google Chrome

Additional Reading: For more information on browser requirements, refer to: Office
Online browser support at: http://aka.ms/jv2cok

Office 365 mobile clients


Office 365 supports multiple platforms for mobile
devices, such as Windows 10 Mobile, Android, and
Apple iOS devices. The availability of the features
depends on the type of the platform and the
operating system that you are using.

The following table lists the available Office 365 features for different mobile platforms.

Apps and features          Windows Phone   Surface and Windows 10 Mobile       iOS                              Android
Outlook Web App            Yes             Yes                                 Yes                              Light version
Outlook                    Yes             Yes                                 Outlook for iPhone and iPad      Outlook for Android
Exchange ActiveSync        Yes             Yes                                 Yes                              Yes
Search the global          Yes             Yes                                 Yes                              Yes
address list, sync
calendar and contacts,
and remote wipe
Office on mobile devices   Yes             Yes                                 Yes                              Yes
Office Online              Edit            View-only in browser,               View-only on iPhone,             View-only
                                           edit in Office Mobile               edit on iPad
View documents in          Yes             Yes                                 Yes                              Yes
OneDrive for Business
Skype for Business         Yes             Yes                                 Yes                              Yes
mobile app
Office 365 Partner admin   Yes             Yes                                 Yes                              Yes
mobile app

Overview of Office 2016 for Mac


Office 2016 for Mac includes several improvements
and new features. Office 365 users who own a Mac
can install the new Office 2016 by signing in to
Office 365. The following table lists some of the
new Office 2016 for Mac features.

Product      Feature
Office       Provides improved integration capabilities with OneDrive, OneDrive for Business, and SharePoint
             Provides multitouch gesture support
Word         Provides improved document sharing capabilities that enable users to share files and invite
             other users to review or edit documents
             Improves coauthoring, which enables multiple users to work simultaneously on the same Word
             document
             Provides relevant contextual Internet information that the Bing search provider displays in
             the Insights pane
Excel        Provides the PivotTable Slicers feature, which helps users discover patterns in large volumes
             of data
             Offers the Analysis Toolpak add-on feature, which enables users to perform complex statistical
             or engineering analysis
PowerPoint   Offers the Threaded comments feature, which allows users to have conversations about the
             relevant text
             Provides an improved presenter view
             Provides improved coauthoring features, which allow multiple users to work simultaneously on
             the same PowerPoint presentation
OneNote      Provides sharing capability for OneNote notebooks with other users
             Offers different formatting capabilities for notes, including the ability to insert files,
             pictures, and tables
Outlook      Provides Push Mail support for email synchronization
             Provides an online archive folder in the navigation pane, which allows users to move older
             messages to the server
             Offers a side-by-side calendar view, in which users can see multiple calendars in parallel

Discussion: Which Office 365 clients will you need to support?


Based on the different types of clients that you can
use with Office 365, discuss what type of clients you
will need to support in your organization.

Lesson 2
Planning connectivity for Office 365 clients
Organizations should consider business requirements before implementing Office 365 clients, and
administrators should evaluate system requirements for Office 365 clients before deployment.
Furthermore, administrators should evaluate the network-bandwidth requirements and technologies that
will provide automatic client configuration, such as Autodiscover.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the requirements for network infrastructure.

Describe the requirements for network bandwidth.

Describe the tools for evaluating network connectivity.

Describe Autodiscover.
Describe how Outlook and Skype for Business use Autodiscover.

Identify the Domain Name System (DNS) records that Autodiscover requires.

Explain how to troubleshoot client connectivity.

Requirements for network infrastructure


Network administrators should understand what
type of Office 365 clients their organizations will
use. Based on that information, they can plan and
evaluate the client-connection requirements, such
as the ports that Office 365 clients need. The
following table shows these ports.

Protocol    Port          Usage
TCP         443           Office 365 portal (admin and user), Outlook, Outlook on the web, SharePoint Online,
                          the Skype for Business client, and Active Directory Federation Services (AD FS)
                          federation and proxy
TCP         25            Mail routing
TCP         587           Simple Mail Transport Protocol (SMTP) relay
TCP         143/993       IMAP Simple Migration Tool
TCP         80/443        Microsoft Azure Active Directory Sync tool, mail migration tools, Exchange
                          Management Console, and Exchange Management Shell
TCP         995           Post Office Protocol (POP3) with SSL
PSOM/TLS    443           Skype for Business Online: outbound data sharing
STUN/TCP    443           Skype for Business Online: outbound audio, video, and application sharing sessions
STUN/UDP    3478          Skype for Business Online: outbound audio and video sessions
TCP         5223          Skype for Business mobile client push notifications
UDP         20000-45000   Skype for Business-to-phone outbound
RTC/UDP     50000-59000   Skype for Business: outbound audio and video sessions

Additional Reading: For more information on the list of ports, refer to: Ports and
protocols used by Office 365 at: http://aka.ms/ifj2gl

Third-party caching and filtering rules


Microsoft Office 365 relies on third-party content-caching engines to achieve good performance and fast
response times. The types of content that these third-party engines cache are non-Secure Socket Layer
(SSL) resources, such as the images downloaded to draw the Outlook Web App user interface.
Organizations might use IP-based filtering for the SSL content that downloads from Office 365 and for the
Office 365 endpoints that make in-bound calls to an on-premises environment. However, Office 365 does
not support, nor is it possible to use, IP-based filtering for the non-SSL resources that third-party content-
caching engines host. To configure filtering rules that allow these non-SSL resources to download to your
intranet clients, you need to use hostname-based filtering rather than IP-based filtering. This is because
the IPs that third-party content-caching engines use change frequently, which makes it impractical to
track each individual IP change. However, you should allow the following hostnames for non-SSL
resources:
r3.res.outlook.com

r4.res.outlook.com

prod.msocdn.com

Additional Reading: For more information on IP-based filtering, refer to: Office 365 URLs
and IP address ranges at: http://aka.ms/Rploze
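An added example (not from the course manual) for the hostname-based filtering point above: it resolves the three non-SSL hostnames listed in the topic and tests an outbound TCP connection to port 80 on each, reporting the addresses currently behind the names so that a changing result shows why a fixed IP allow list would not hold. It assumes Windows 8.1 or Windows Server 2012 R2 or later, where Resolve-DnsName and Test-NetConnection are available, and a client with Internet access; the function name is this example's own.

```powershell
# Added example (not from the course manual): check that the non-SSL content-cache
# hostnames the topic says must be allowed by name are reachable from this client.
# Requires Resolve-DnsName and Test-NetConnection (Windows 8.1 / Server 2012 R2 or later).
$nonSslHosts = @('r3.res.outlook.com', 'r4.res.outlook.com', 'prod.msocdn.com')

function Test-NonSslHost {
    param([string]$HostName)

    # Resolve the name and keep only the A records. The content network behind these
    # names rotates addresses, which is why the topic requires hostname-based filtering.
    $records   = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    $addresses = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # Plain TCP connect on port 80; a proxy or filter that only allows fixed IPs fails here
    $tcp = Test-NetConnection -ComputerName $HostName -Port 80 -WarningAction SilentlyContinue

    [PSCustomObject]@{
        HostName          = $HostName
        ResolvedAddresses = ($addresses -join ', ')
        Port80Reachable   = [bool]$tcp.TcpTestSucceeded
    }
}

$results = $nonSslHosts | ForEach-Object { Test-NonSslHost -HostName $_ }
$results | Format-Table -AutoSize

$unreachable = $results | Where-Object { -not $_.Port80Reachable }
if ($unreachable) {
    Write-Warning ('Blocked or unreachable from this client: ' + ($unreachable.HostName -join ', '))
}
```

Run it twice some time apart and compare ResolvedAddresses; any difference is the address churn that makes IP-based rules for these names impractical.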

IPv6-capable devices
If the organization is connecting to Office 365 with network equipment that is capable of Internet
Protocol version 6 (IPv6), you must ensure that:

The network equipment can support Internet Protocol version 4 (IPv4) and IPv6.

The perimeter emulates any hardware solution that has been configured to allow IPv6 clients to
connect to the Microsoft Exchange Online services.

For example, if your organization uses a web proxy, you must configure it as an IPv6-capable web proxy.

Requirements for network bandwidth


Using Office 365 services will result in an increase in your organization's Internet traffic. Therefore, it is
important to evaluate and assess how these services affect your organization's network.

In Microsoft Exchange hybrid deployments, directory synchronization and email traffic typically have the
greatest effect on bandwidth, but organizations should expect a general increase in Internet traffic after
they migrate users to Office 365.

Before you deploy Office 365 in your organization, you must consider how deployment will affect
bandwidth with respect to:

The Office 365 service offerings to which the organization has subscribed.

The number of client computers that will be in use at any given time.

The nature of the tasks that each client computer will perform.

The performance of the Internet browser that is installed on client computers.

The capacity of the network connections and network segments associated with each client
computer.

The organization's network topology and capacity of its network hardware.

The number of simultaneous mailbox migrations.


The number of simultaneous Skype for Business conferencing and telephony connections.

Office 365 ProPlus installation and desktop setup.

Network address translation (NAT) limitations.


It is important to test and validate download, upload, and latency constraints with respect to Internet
bandwidth, so that you can ensure that your end users have a satisfactory experience. Apart from the
users' experience, the Internet bandwidth also affects the speed at which you can migrate on-premises
mailbox content to Exchange Online. If you have slow or high-latency connectivity, you can migrate only a
few mailboxes during one migration window. Later modules in this course will provide more information
on this topic.

Office 365 ProPlus installation uses significant bandwidth, and you must run the Office 365 ProPlus
desktop setup on each client computer. If you initiate the setup without installing any necessary operating
system service packs and updates, this can utilize a significant amount of download bandwidth, because
each computer connects separately to the Internet, downloads the service packs or updates, and installs
them. To prevent bandwidth saturation, you should deploy updates before you deploy the Office 365
ProPlus setup. You also can use a package deployment tool, such as Microsoft System Center
Configuration Manager, so that updates download only once, and you then can distribute them as part of
your planned and scheduled deployment.

If you cannot deploy the updates prior to deploying the Office 365 ProPlus setup, you can use Active
Directory Group Policy to throttle the Office 365 ProPlus deployment by deploying the setup package to
one user subset at a time, such as by organizational unit or site/location. This allows all users to download
the updates, but the download's length might vary from days to weeks. There are tools, such as the
Exchange Client Network Bandwidth Calculator and the Skype for Business Bandwidth Calculator, that you
can use to estimate network bandwidth.

Additional Reading: For more information, refer to: Exchange Client Network Bandwidth
Calculator at: http://aka.ms/r7m054

Additional Reading: For more information, refer to: Skype for Business Bandwidth
Calculator at: http://aka.ms/i6jsff

NAT limitations
While evaluating network-bandwidth requirements, you also must consider NAT limitations. Most users
on corporate networks access the Internet through a private (RFC 1918) IP address space. Organizations
then use gateway technologies, such as firewalls and proxies that provide NAT, or port address-translation
services to translate from the internal private address space to an external IP address or address range.
Each outbound connection from an internal device translates to a different source Transmission Control
Protocol (TCP) port on the public IP address. Therefore, thousands of users on a corporate network can
share a few publicly routable IP addresses.

An Outlook client potentially can consume eight or more connections. The maximum number of available
ports on a Windows-based NAT device is 64,000, so there typically would be a maximum of 8,000 users
behind an IP address before the ports are exhausted. If customers are using NAT devices that are not
running a Windows operating system, the total available ports could be less than 64,000.

To determine the maximum number of devices behind a single public IP address, monitor the network
traffic to determine peak port consumption per client. Also, set a peak factor for the port usage (minimum
four). You then can use the following formula to calculate the number of supported devices per IP
address:

Maximum supported devices behind a single public IP address = (64,000 - restricted ports) / (peak
port consumption + peak factor).

For instance, if 4,000 ports were restricted so that they can be used by Windows devices and six ports
were needed per device with a peak factor of four:

Maximum supported devices behind a single public IP address = (64,000 - 4,000) / (6 + 4) = 6,000.

To support more than 2,000 devices behind a single public IP address, follow these recommendations to
assess the maximum number of supported devices:

Monitor network traffic to determine peak port consumption per client, and collect this data from
multiple locations, from multiple devices, and at multiple times.
Use the formula listed above to calculate the maximum users per IP address that can be supported in
your environment.
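The capacity calculation above, as an added example that is not part of the course: a Python script that takes snapshots of a NAT translation table, derives the peak number of ports any one client held, and then applies the course formula. The snapshots, client addresses and connection counts are constructed for illustration; the 64,000-port and 4,000-restricted-port figures are the ones the course uses, and the 32,000-port case stands in for a non-Windows NAT device with fewer usable ports.

```python
"""Estimate how many clients can share one public IP behind a NAT/PAT gateway.

Added example, not part of the course text. It applies the course's formula,
(available ports - restricted ports) / (peak ports per client + peak factor),
to constructed snapshots of a NAT translation table. The client addresses and
connection counts below are made up for illustration.
"""
from collections import Counter

# Constructed snapshots: (time label, one entry per translated outbound
# connection). A client listed 6 times in a snapshot is holding 6 ports.
SAMPLE_SNAPSHOTS = [
    ("08:00", ["10.1.1.10"] * 4 + ["10.1.1.11"] * 2 + ["10.1.2.50"] * 3),
    ("12:00", ["10.1.1.10"] * 6 + ["10.1.1.11"] * 5 + ["10.1.2.50"] * 4),
    ("17:00", ["10.1.1.10"] * 3 + ["10.1.1.11"] * 1 + ["10.1.2.50"] * 2),
]


def peak_ports_per_client(snapshots):
    """Highest number of simultaneous translations any single client was seen using."""
    peak = 0
    for _label, connections in snapshots:
        counts = Counter(connections)
        if counts:
            peak = max(peak, max(counts.values()))
    return peak


def max_devices_per_public_ip(peak_ports, peak_factor=4,
                              available_ports=64000, restricted_ports=4000):
    """Course formula, rounded down to whole devices.

    available_ports is 64,000 for a Windows-based NAT; lower it for other
    devices. restricted_ports are the ports the NAT device keeps for itself.
    """
    if peak_factor < 4:
        raise ValueError("the course recommends a peak factor of at least 4")
    usable = available_ports - restricted_ports
    return usable // (peak_ports + peak_factor)


def public_ips_needed(client_count, peak_ports, **kwargs):
    """How many public IP addresses a site needs for client_count clients."""
    per_ip = max_devices_per_public_ip(peak_ports, **kwargs)
    return -(-client_count // per_ip)   # ceiling division


if __name__ == "__main__":
    peak = peak_ports_per_client(SAMPLE_SNAPSHOTS)
    print(f"peak ports per client: {peak}")
    print(f"devices per public IP (Windows NAT): {max_devices_per_public_ip(peak)}")
    print(f"devices per public IP (32,000-port NAT): "
          f"{max_devices_per_public_ip(peak, available_ports=32000)}")
    print(f"public IPs for 15,000 clients: {public_ips_needed(15000, peak)}")
```

With the constructed data the 12:00 snapshot sets the peak at six ports, which reproduces the course's 6,000 devices per public IP address; the same peak on a 32,000-port device gives only 2,800, which is why the course tells you to measure the peak on your own gateway from several locations and times rather than assume the Windows figure.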

Tools for evaluating network connectivity


You can use many different tools to evaluate client connectivity. To access these tools, sign in to the
previous Office 365 admin center, and from the navigation menu, choose Tools. On the Tools page, you
can access Office 365 health, readiness, and connectivity checks; the Microsoft Office 365 Best Practices
Analyzer; the Microsoft Connectivity Analyzer Tool; and the Microsoft Office 365 Client Performance
Analyzer.

Note: At the time of this writing, the network connectivity tools were not available in the new
Office 365 admin center. The Troubleshooting client connectivity topic later in this lesson
provides an explanation of the Microsoft Connectivity Analyzer Tool.

Office 365 health, readiness, and connectivity checks


Office 365 health, readiness, and connectivity checks are tools that evaluate configuration requirements
for the Office 365 services, and perform readiness checks in the on-premises environment. If these tools
detect any potential issues, they will display applicable information so that administrators can address the
issues proactively.

We recommend that you use Office 365 health, readiness, and connectivity checks in the following
scenarios:

When your organization is planning to deploy Office 365.

When your organization has deployed Office 365, and plans to add new features.

Office 365 health, readiness, and connectivity checks perform tests in the following categories:

Office setup. They evaluate the configuration of a user's Outlook and Office deployment.

Computer settings. They evaluate a computer to determine whether it has the latest updates, and
what Internet browsers and other configuration settings it utilizes.

Domains. They evaluate the Office 365 domains and determine whether the DNS settings are correct.

Users and Groups. If the organization uses Active Directory Domain Services (AD DS), they verify the
security objects for directory synchronization and/or single sign-on (SSO). Organizations can ignore
errors if they are not planning to integrate their directory with Office 365.

Office 365 health, readiness, and connectivity checks display the results in the following categories:

Passed. This displays when an organization's settings are correct for Office 365.

Warning. This displays when an organization's settings are not optimized for Office 365. You can fix
the settings, so that the results do not show warnings, or choose to ignore the warnings, and continue
with your deployment.

Error. This displays when an organization's settings have issues that will block the Office 365
deployment. You should fix the settings before you continue with the Office 365 deployment.

Office 365 Best Practices Analyzer


The Office 365 Best Practices Analyzer for Microsoft Exchange Server 2013 is an automated tool that you
can use in organizations that have deployed Exchange Server 2013 in an on-premises environment or in a
hybrid configuration. The Office 365 Best Practices Analyzer evaluates the health and configuration of the
on-premises Exchange Server 2013 environment, and compares it with the predefined best-practice
settings that we recommend. It then displays the results, which you can save and view later. You might
choose to modify the current Exchange 2013 configuration and rerun the Office 365 Best Practices
Analyzer tool to verify that the change fixed the issues.

If you want to run Office 365 Best Practices Analyzer, you must download it from the previous Office 365
admin center. You need an Office 365 or Microsoft Azure Active Directory user ID to download the tool.

Office 365 Client Performance Analyzer


Office 365 Client Performance Analyzer is a tool that identifies network performance issues between an
organizations client computers and Office 365. You should run the Office 365 Client Performance
Analyzer whenever users notify you about connectivity issues.

Office 365 Client Performance Analyzer performs the following networking tests:

Performs network performance analysis between client computers and Office 365

Analyzes DNS and Internet Service Provider (ISP) data


Checks whether all ports that Office 365 requires are open

Checks the client computer information, including operating system, browser, and hardware
configurations
Performs route tracing and measures bandwidth

Checks download times and ping statistics

What is Autodiscover?
The Autodiscover service in Office 365 simplifies client configuration in Microsoft Office Outlook 2007,
Outlook 2010, Outlook 2013, and Outlook 2016. Autodiscover provides the configuration information that
Outlook requires to create a configuration profile for the client. The Autodiscover service provides profile
settings to Outlook 2007, Outlook 2010, Outlook 2013, and Outlook 2016 clients and to supported mobile
devices based on the user's email address and password. Additionally, it provides configuration
information for Skype for Business clients when they connect to Skype for Business Online in Office 365.
If you want to connect Outlook and Skype for Business clients to the Office 365 service, you must create
appropriate DNS records that will point to the Autodiscover service in Office 365.

Note: The DNS records required for Autodiscover topic later in this lesson provides a
detailed description of the DNS records that are necessary for locating the Autodiscover services
for Outlook and Skype for Business clients.

You can test whether Autodiscover is working correctly by pressing the Ctrl key, right-clicking the
Outlook icon in the notification area, and then clicking Test E-mail AutoConfiguration.

You can use the Microsoft Remote Connectivity Analyzer tool for testing the Autodiscover functionality.
You can use this official Microsoft testing tool to test Autodiscover for ActiveSync and Outlook
connectivity, and use it for an on-premises Exchange Server, and to test Office 365 service availability.

Note: The Troubleshooting client connectivity topic later in this lesson explains the
Microsoft Connectivity Analyzer Tool.

Additional Reading: You can find the Remote Connectivity Analyzer tool at the following
URL: http://aka.ms/ppl6h8

How Outlook and Skype for Business use Autodiscover


An Outlook client connects to Office 365 in the following manner:

1. When Outlook 2007 or a newer version starts for the first time, you have to type your email
address and password in the appropriate fields.

2. Based on the email address that you enter, the client looks for the Autodiscover host in DNS.
For example, if you sign in as Holly@Adatum.com, the Outlook client will search for the
autodiscover.adatum.com record. That record redirects Outlook to the Autodiscover service in
Office 365, where the client performs a request to download the configuration information.

3. The request that the client makes to Office 365 is an HTTP POST to the Autodiscover service
endpoint, which requests configuration information for the SMTP address that the client sends in
the request.

4. Office 365 provides the Autodiscover information to the client.

5. Outlook downloads and applies the required configuration information from the Autodiscover
service.

6. Outlook then uses the appropriate configuration settings to connect to Exchange Online in
Office 365.

The Skype for Business clients connect to Office 365 in the following manner:

1. When a Skype for Business client starts for the first time, you have to type your email address and
password in the appropriate fields.
2. Based on the email address that you enter, the client looks for specific records in DNS. For example, if
you sign in as Holly@Adatum.com, the Skype for Business client will search for the sip.adatum.com
record. The client redirects Skype for Business to the Autodiscover service in Office 365, where the
client performs a request to download the configuration information.

3. Office 365 provides the Autodiscover information to the Skype for Business client.

4. The Skype for Business client downloads and applies the required configuration information from the
Autodiscover service.

5. The Skype for Business client then uses the appropriate configuration settings to connect to Skype for
Business Online in Office 365.

DNS records required for Autodiscover


In order for Outlook and Skype for Business clients to locate the Autodiscover services in Office 365,
you should configure the appropriate DNS records on the publicly available DNS servers on the Internet.
In organizations where the internal DNS namespace, such as Adatum.local, is different from the Internet
DNS namespace, such as Adatum.com, the internal DNS servers forward internal client queries to Internet
DNS servers. In organizations that use split-brain DNS, where the internal and Internet DNS namespaces
are the same, such as Adatum.com, you should configure both the internal and Internet DNS servers to
resolve the Autodiscover records in Office 365.

The following table lists the Autodiscover records that Outlook clients need to connect to Exchange
Online in Office 365.

DNS record: CNAME (Exchange Online)
Purpose: The Autodiscover service configures Outlook for users.
Value to use: Alias: Autodiscover. Target: autodiscover.outlook.com

DNS record: CNAME (Exchange federation)
Purpose: The Autodiscover service configures Outlook for users in Exchange federation scenarios. This
record is optional; it is needed when you deploy Exchange in a hybrid configuration with Office 365.
Value to use: Alias: for example, Autodiscover.service.adatum.com. Target: autodiscover.outlook.com

The following table lists the Autodiscover records that Skype for Business clients need to connect to Skype
for Business Online in Office 365.

DNS record: CNAME (Skype for Business Online)
Purpose: Used by the Skype for Business clients to find the Skype for Business Online service in
Office 365 and sign in.
Value to use: Alias: sip. Target: sipdir.online.lync.com

DNS record: CNAME (Skype for Business Online)
Purpose: Used by the Skype for Business mobile clients to find the Skype for Business Online service in
Office 365 and sign in.
Value to use: Alias: Lyncdiscover. Target: webdir.online.lync.com
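The records in the two tables above, and the split-brain DNS point made at the start of this topic, as an added example that is not part of the course: a Python script that encodes the expected CNAME targets and compares them with what a resolver actually returned, for both the internal and the Internet view of the zone. The two record sets for adatum.com are constructed; for a real domain, fill the dictionaries with the CNAME answers from your internal and Internet resolvers (for example, the output of Resolve-DnsName or dig). The optional Exchange federation record is included only when asked for.

```python
"""Verify the Office 365 Autodiscover and Skype for Business Online DNS records.

Added example, not part of the course text. The expected aliases and targets
come from the course tables; the two "resolver views" below are constructed
dictionaries of alias -> CNAME target so that the check runs offline. For a
real domain, fill them from your internal and Internet resolvers.
"""


def expected_records(domain, include_federation=False):
    """Map each required alias to the CNAME target the course tables specify."""
    d = domain.lower().rstrip(".")
    records = {
        f"autodiscover.{d}": "autodiscover.outlook.com",
        f"sip.{d}": "sipdir.online.lync.com",
        f"lyncdiscover.{d}": "webdir.online.lync.com",
    }
    if include_federation:
        # Optional record for Exchange federation / hybrid deployments.
        records[f"autodiscover.service.{d}"] = "autodiscover.outlook.com"
    return records


def _norm(name):
    """Case-fold and drop the trailing dot that resolvers often append."""
    return name.lower().rstrip(".") if name else None


def check_view(domain, observed, include_federation=False):
    """Compare one resolver view with the expected set.

    Returns (kind, alias, expected_target, observed_target) tuples, where kind
    is 'missing' or 'wrong-target'; an empty list means the view is correct.
    """
    findings = []
    for alias, target in expected_records(domain, include_federation).items():
        seen = _norm(observed.get(alias))
        if seen is None:
            findings.append(("missing", alias, target, None))
        elif seen != target:
            findings.append(("wrong-target", alias, target, seen))
    return findings


def check_split_brain(domain, internal_view, external_view, include_federation=False):
    """Check both views. With split-brain DNS the internal zone must carry the
    same records, so aliases that resolve on the Internet but not internally
    are reported separately as the classic split-brain gap."""
    internal = check_view(domain, internal_view, include_federation)
    external = check_view(domain, external_view, include_federation)
    gaps = sorted(alias for kind, alias, _t, _s in internal
                  if kind == "missing" and _norm(external_view.get(alias)) is not None)
    return {"internal": internal, "external": external, "internal-only-gaps": gaps}


# Constructed resolver output for adatum.com: the public zone is right, the
# internal zone lacks the Lyncdiscover record and still points sip at an
# old on-premises host.
EXTERNAL_VIEW = {
    "autodiscover.adatum.com": "autodiscover.outlook.com.",
    "sip.adatum.com": "sipdir.online.lync.com.",
    "lyncdiscover.adatum.com": "webdir.online.lync.com.",
}
INTERNAL_VIEW = {
    "autodiscover.adatum.com": "autodiscover.outlook.com",
    "sip.adatum.com": "lync01.adatum.local",
}

if __name__ == "__main__":
    for view, result in check_split_brain("adatum.com", INTERNAL_VIEW, EXTERNAL_VIEW).items():
        print(f"{view}: {result or 'OK'}")
```

Run against the constructed data, the external view passes while the internal view reports sip.adatum.com pointing at the wrong target and lyncdiscover.adatum.com missing; only the latter is flagged as an internal-only gap, because it exists on the Internet but not in the internal zone. A wrong target is worth chasing even if clients still sign in, since it decides which server receives the user's sign-in attempt.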

Troubleshooting client connectivity


Microsoft provides tools that you can use to analyze connectivity issues in Office 365 deployments.
Remote Connectivity Analyzer is an online tool that you can use to run tests directly from the
http://testconnectivity.microsoft.com website. The Microsoft Connectivity Analyzer Tool is another tool
that runs a similar set of tests, but it runs the tests locally from a client computer. In addition, you can
use the Microsoft Office 365 Support and Recovery Assistant tool to fix issues related to Office 365
connectivity. This tool also runs the connectivity tests locally from a client computer.

The Remote Connectivity Analyzer website


The Remote Connectivity Analyzer website, also known as the Exchange Remote Connectivity Analyzer,
provides a set of tools for identifying common connectivity issues for Outlook, Exchange, Skype for
Business, and Office 365. Remote Connectivity Analyzer has several tests that you can access from the
various tabs that are present in the tool.

The Microsoft Connectivity Analyzer Tool


The Microsoft Connectivity Analyzer Tool is a downloadable client program that you can use to identify
connectivity issues between email clients and Exchange Server, and between email clients and Office 365.
You also can use this tool to troubleshoot Exchange Server and Office 365 deployments. Furthermore,
email users can use the Microsoft Connectivity Analyzer Tool to identify common problems.

The Microsoft Connectivity Analyzer Tool is a companion to the Remote Connectivity Analyzer website.
Remote Connectivity Analyzer enables you to identify connectivity issues by simulating connectivity from
the Internet, while the Microsoft Connectivity Analyzer Tool allows both you and end users to run similar
tests from a client computer within the corporate network.

To install the Microsoft Connectivity Analyzer Tool, go to the Remote Connectivity Analyzer website at
http://testconnectivity.microsoft.com, click the Client tab, and then click Install Now.

The Microsoft Connectivity Analyzer Tool and the Remote Connectivity Analyzer both provide a log that
shows the test steps that were successful, and those that were unsuccessful. Additionally, the Microsoft
Connectivity Analyzer Tool provides a Tell me more about this issue and how to resolve it link that
provides suggestions about how to help fix reported issues. You can save the log as MCATestResults.html.

Additional Reading: For more information on the specific error conditions that are
identified by the Microsoft Connectivity Analyzer Tool, and for help on resolving the issue, refer
to: Microsoft Connectivity Analyzer Tool at: http://aka.ms/aphk3s

The Office 365 Support and Recovery Assistant tool


Office 365 Support and Recovery Assistant is a tool that helps users to isolate Outlook connectivity issues
with Exchange Online in Office 365. The tool runs multiple diagnostic tests, and then it either fixes the
connectivity issues or provides information on how to troubleshoot the issues. Furthermore, the tool
generates a log file that contains the test results, which users can submit to the support team for further
investigation.

The Office 365 Support and Recovery Assistant tool performs diagnostic tests to identify and fix potential
issues with Office setup, Outlook, Outlook for Mac, Mobile devices, and Outlook on the web.

Question: Which tools will you use for evaluating network connectivity for Office 365?

Question: What is Autodiscover?

Question: Which tools will you use to troubleshoot client connectivity with Office 365?

Lesson 3
Configuring connectivity for Office 365 clients
When an organization deploys different types of Office 365 clients, the organization's administrators must
configure and support Office 365 clients. Some clients, such as Outlook and the Skype for Business client,
use the Autodiscover functionality to connect to Office 365 services automatically. Other clients, such as
Office Online, are web-based and only require users to connect to the Internet to access their
functionalities. Furthermore, you will need to configure and manage many users' mobile devices so that
they can access Office 365 services.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to configure Outlook.

Describe how to configure Skype for Business.


Describe how to work with Office Online.

Describe how to configure the OneDrive for Business client.

Describe how to manage mobile devices.

Configuring Outlook
When Outlook users connect to Office 365, they need to provide their Office 365 email address and
password when they start Outlook for the first time. The Autodiscover functionality in Office 365
automatically configures Outlook for use with Office 365. For Autodiscover to work properly, you must
configure the appropriate DNS records during the Office 365 tenant setup.

Connectivity protocols
Outlook can connect to Office 365 by using the
Messaging Application Programming Interface
(MAPI) over HTTP or Outlook Anywhere. Both
protocols use MAPI commands to communicate with Exchange Online in Office 365, but Outlook
Anywhere encapsulates remote procedure call (RPC) packets that contain the MAPI commands in HTTPS.
MAPI over HTTP places the MAPI commands directly in HTTPS packets, which is more efficient. MAPI over
HTTP is better designed for modern networks and connectivity over the Internet. MAPI over HTTP and
Outlook Anywhere both use TCP port 443. A client that does not support MAPI over HTTP (for example,
Outlook 2010 without the updates that add it) always uses Outlook Anywhere.

Outlook connectivity for cloud-only and hybrid deployments


Outlook clients connect in different ways, depending on whether you have a cloud-only or hybrid Office
365 deployment. In a cloud-only deployment, Outlook clients on an internal network connect to Office
365 services by using Autodiscover DNS records on internal or Internet DNS servers. Internet-based
Outlook clients connect to Office 365 services by using Autodiscover DNS records on the Internet DNS
servers.

However, in a hybrid deployment of Office 365, Outlook clients always need to connect to the
Autodiscover service that is running on the organization's Exchange server. When a client is on an internal
network, Outlook locates the Exchange server by searching for the Autodiscover Service Connection Point
located in AD DS. When a client is on the Internet, Outlook locates the Exchange server by searching for
the Autodiscover record that points to the Exchange client access services on the internal network.

In both cases, after Outlook connects to the Exchange server, the Exchange server determines whether the
user's mailbox is in the on-premises environment or in Office 365. If the user's mailbox is located in
Office 365, the Exchange server provides alternate SMTP domain information to Outlook. Outlook uses
that alternate SMTP domain to search for the Office 365 Autodiscover service record on the Internet, and
then connects to Exchange Online in Office 365.
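The Outlook exchange described in the Autodiscover topic earlier in this lesson, together with the hybrid hand-off described above, as an added example that is not part of the course: Python that builds the request body Outlook POSTs, tries the HTTPS endpoints for the SMTP domain in order, and handles either a settings answer or a redirectAddr answer (the alternate SMTP address that an on-premises Exchange server returns for a mailbox that has moved to Office 365). The two XML responses and the fetch stand-in are constructed; the element names follow the public Outlook Autodiscover request and response schemas, and the host names other than the schema URIs are illustrative.

```python
"""Build an Outlook Autodiscover request and interpret the answer.

Added example, not code from the course. It shows the POST body Outlook sends,
the HTTPS endpoints it tries for an SMTP domain, and how a settings response
and a redirectAddr response (the hybrid hand-off to an alternate SMTP address)
are handled. The XML responses below are constructed; the element names follow
the Outlook Autodiscover request and response schemas.
"""
import xml.etree.ElementTree as ET   # use defusedxml for responses from untrusted servers

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
OUTER_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"


def candidate_urls(email):
    """HTTPS endpoints tried, in order, for the SMTP domain of `email`."""
    domain = email.split("@", 1)[1].lower()
    return [f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"]


def build_request(email):
    """The XML body Outlook POSTs to the Autodiscover endpoint."""
    root = ET.Element("Autodiscover", xmlns=REQ_NS)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = RESP_NS
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Return ('settings', {protocol type: server}) or ('redirect', new SMTP address)."""
    ns = {"r": RESP_NS}
    account = ET.fromstring(xml_text).find(".//r:Account", ns)
    if account is None:
        raise ValueError("Autodiscover response has no Account element")
    action = account.findtext("r:Action", namespaces=ns)
    if action == "redirectAddr":
        return "redirect", account.findtext("r:RedirectAddr", namespaces=ns)
    if action == "settings":
        servers = {p.findtext("r:Type", namespaces=ns): p.findtext("r:Server", namespaces=ns)
                   for p in account.findall("r:Protocol", ns)}
        return "settings", servers
    raise ValueError(f"unexpected Autodiscover action {action!r}")


def autodiscover(email, fetch, max_redirects=10):
    """POST to the first endpoint that answers, follow redirectAddr hops with
    the new address, and stop at a settings response.

    `fetch(url, body)` stands in for the HTTPS POST and returns the response
    XML, or None if that endpoint does not answer. Only HTTPS URLs are used.
    """
    for _hop in range(max_redirects + 1):
        body = build_request(email)
        answers = (fetch(url, body) for url in candidate_urls(email))
        xml_text = next((a for a in answers if a), None)
        if xml_text is None:
            raise RuntimeError(f"no Autodiscover endpoint answered for {email}")
        kind, payload = parse_response(xml_text)
        if kind == "settings":
            return email, payload
        email = payload   # hybrid hand-off: retry with the alternate address
    raise RuntimeError("too many Autodiscover redirects")


# Constructed answers: the on-premises server redirects a hybrid user to the
# tenant's onmicrosoft.com address, and Office 365 then returns settings.
ONPREM_REDIRECT = f"""<Autodiscover xmlns="{OUTER_NS}"><Response xmlns="{RESP_NS}">
<Account><AccountType>email</AccountType><Action>redirectAddr</Action>
<RedirectAddr>holly@adatum.mail.onmicrosoft.com</RedirectAddr></Account>
</Response></Autodiscover>"""

CLOUD_SETTINGS = f"""<Autodiscover xmlns="{OUTER_NS}"><Response xmlns="{RESP_NS}">
<Account><AccountType>email</AccountType><Action>settings</Action>
<Protocol><Type>EXHTTP</Type><Server>outlook.office365.com</Server></Protocol>
<Protocol><Type>EXPR</Type><Server>outlook.office365.com</Server></Protocol>
</Account></Response></Autodiscover>"""


def fake_fetch(url, body):
    """Stand-in for the network: only the two autodiscover.* hosts answer."""
    if url == "https://autodiscover.adatum.com/autodiscover/autodiscover.xml":
        return ONPREM_REDIRECT
    if url.startswith("https://autodiscover.adatum.mail.onmicrosoft.com/"):
        return CLOUD_SETTINGS
    return None


if __name__ == "__main__":
    addr, servers = autodiscover("holly@adatum.com", fake_fetch)
    print(addr, servers)
```

The settings answer carries one Protocol element per connection method, so the EXHTTP entry is what tells a MAPI over HTTP capable client where to connect and the EXPR entry serves Outlook Anywhere. Outlook also falls back to an HTTP redirect check and an SRV lookup when neither HTTPS endpoint answers; those steps are left out here. The script also shows why the DNS records in this lesson matter: the first endpoint that answers receives the request, and a real client then authenticates to that endpoint, so a stale or wrong autodiscover record sends the user's sign-in to the wrong server. Keep the endpoints HTTPS-only and the CNAME targets as listed, and bound the redirect chain as the loop above does.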

Network configuration
Office 365 services contain multiple endpoints through which clients connect to services, such as
Exchange Online, Skype for Business Online, and SharePoint Online. Office 365 endpoints include fully
qualified domain names (FQDNs), ports, uniform resource locators (URLs), and IPv4 and IPv6 address
ranges. Some organizations restrict computers on their networks from accessing certain Internet
resources. Therefore, it is important that you know every endpoint that Office 365 uses, so that you can
properly configure the organizations network devices, such as routers and firewalls. After you configure
the network devices, clients can connect successfully to Office 365 services.

Note: For more information on Office 365 endpoints, refer to: Office 365 URLs and IP
address ranges at: http://aka.ms/Cpq72y

Configuring Skype for Business


The Skype for Business 2016 client is the default client for Skype for Business Online in Office 365. You
can deploy the Skype for Business client through an IT-managed deployment, or you can allow end users
to install it. The method that you choose depends on several factors, including your organization's size
and security requirements, the deployment methods that you have in place already, and the experience of
your users.

Skype for Business clients use the Autodiscover service to connect to Skype for Business Online in
Office 365. Users must enter their email addresses and passwords to connect to Office 365.

Users also can choose to configure a Skype for Business client manually. We do not recommend this
configuration method because it increases the probability that users will make a typing error.
Furthermore, non-IT users might find it difficult to configure the Skype for Business client, which might
lead to increased support calls to your organization's IT department.

However, in some scenarios, users might have to configure the Skype for Business client manually. For
example, if the DNS configuration for the Autodiscover service is not configured properly, clients cannot
locate Autodiscover services in Office 365. In this case, users must configure the Skype for Business client
manually, and then test the Skype for Business Online functionality.

To configure the Skype for Business client, users must perform the following steps:

1. In the upper-right corner of the Skype for Business client, click Options.

2. On the menu, click Tools, and then click Options.

3. In the Skype for Business Options window, in the navigation pane on the left, click Personal.
4. In the right pane of the window, under My Account, type their email address, and click Advanced.

5. In the Advanced Connection Settings dialog box, click Manual Configuration.

6. Insert the following information for both Internal Server Name and External Server Name:
sipdir.online.lync.com:443.

Note: The Online Meeting add-in for Skype for Business, which supports meeting
management from the Microsoft Outlook messaging and collaboration client, installs
automatically with Skype for Business.

Working with Office Online


Some users can choose to use Office Online apps instead of the full versions of Office apps. For example,
a user might have an Office 365 license that does not include a full Office installation, such as Office 365
Business Essentials.

Using Office Online

Office Online apps open when a user selects a document to view or edit from the OneDrive page in the
Office 365 portal. Users also can open Office Online apps from on-premises editions of Office Web Apps,
Exchange, and SharePoint. Office Online includes commonly used editing features. However, users can
access advanced features by editing a document in an existing Office installation, such as Office 365
ProPlus.

Office Online apps vs. Office apps


There are many differences between Office Online apps and on-premises Office apps, including the
following application-level differences with respect to features:

Word Online does not have advanced page layout tools or advanced printing capabilities.
Users cannot preview or author Office Online documents without an Internet connection.

Office Online documents do not have Office add-ins, and they cannot run Visual Basic for
Applications (VBA) and forms scripts.
Excel Online cannot create external data connections.

The default locations for saving documents are different in Office Online and on-premises Office,
including in:

Word Online. Users must save documents manually, because there is no auto-save feature, and they
can save them locally.

Excel Online. Users must save the worksheets manually. They can use the download command to
download a copy to the local computer.

OneNote Online. If a OneNote notebook is saved to a Microsoft SharePoint document library, the
OneNote notebook is available online. Users can share the notebook by sending a link in an email
message, rather than sending it as an email attachment. Recipients can click the link to read notes in
their web browser.

PowerPoint Online. It saves all changes automatically, and there is no Save command that the users
must utilize. To download a copy of a file, users must have the PowerPoint desktop app. If a
presentation is saved in a SharePoint document library, the presentation is available online. Users can
share the presentation by sending a link in an email message, rather than sending it as an email
attachment. Recipients with proper permissions can view the presentation in their web browser or
mobile device.

The differences in supported file types in Office Online and on-premises Office include:
Binary and template files in Excel are not available in Excel Online.

PowerPoint Online does not support add-ins for PowerPoint.

In SharePoint Online, you can configure the default behavior for opening documents, so that they open in
Office Online or in an Office client application.

Additional Reading: For more information on Office Online, refer to: Office Online
Service Description at: http://aka.ms/qla0s5

Configuring the OneDrive for Business client


OneDrive for Business is a private library for the storage, organization, and sharing of users' work
documents. It is an integral component of a user's Office 365 online environment, and you provide it to
your organization's users through a subscription to an eligible Office 365 plan or through a subscription
to SharePoint Online. If you get OneDrive for Business through your organization's subscription to
Office 365, then you get 1 terabyte (TB) of personal storage space by default. However, if you host your
OneDrive for Business library on an on-premises SharePoint server, your SharePoint administrator allocates
and controls your storage space.

The files that a user stores in OneDrive for Business are visible initially only to the user who stored them.
However, the user can share the files with everyone in the organization by simply placing them in the
Shared with Everyone folder. Alternatively, the user can share a file with specific coworkers by clicking
the SHARE option that appears when they click the ellipsis (...) menu for a file. After clicking the SHARE
option, the user can enter the names of coworkers to whom they want to send an invitation to share
the file.

Note: OneDrive for Business is not the same as OneDrive, which is a cloud-based service
that is for personal storage, and which is provided with Microsoft and Outlook.com accounts. This
can be confusing to some users because in the Office 365 portal, the OneDrive for Business
feature actually displays as OneDrive in the navigation bar. However, it is important to
understand that these are different services for different purposes.

Earlier, Microsoft provided two versions of the OneDrive client: one for the consumer-based OneDrive
service and the other for OneDrive for Business. However, recently these two applications merged into
one, so now there is only one OneDrive client application that can manage both personal OneDrive and
OneDrive for Business. If you are using Windows 10, this new application is installed by default. If you are
using an older operating system, such as Windows 8 or Windows 8.1, you should update your Office
installation to get the new version of the OneDrive client.

Synchronize a OneDrive for Business library to a computer


Users can use the OneDrive for Business feature to synchronize their library's files to their local computer,
so that they can work offline on files, and synchronize them to the OneDrive for Business library after they
are back online.
To synchronize OneDrive for Business with a local computer, users can perform the following steps:

1. In the Office 365 portal or a SharePoint Online site page, click OneDrive in the navigation bar.

2. In the toolbar, click Sync.

3. If prompted to start an application, select Microsoft OneDrive, and then click OK.

4. Sign in to their account, if required.

5. On the Ready to sync your OneDrive for Business documents? page, click Sync Now.

6. Choose Show my files.

The synchronized files will be located in a OneDrive for Business subfolder under their username, and they
now can work on the files locally. Any changes that they make will synchronize automatically with the
OneDrive for Business library when they go back online.

Additional Reading: For more information, refer to: What is OneDrive for Business at:
http://aka.ms/p9wzus

Managing mobile devices


Office 365 includes a built-in mobile device management (MDM) feature that provides you with tools to
secure and manage your mobile devices, such as Windows Phone, Windows 10 Mobile, Android, and Apple iOS
devices. You can use MDM to create an inventory of all enrolled devices that connect to Office 365, and you
also can manage device-security policies, remotely wipe a device, and view detailed device reports. You
should carefully plan your mobile device management strategy because most users today use their
smartphones and tablets to access their business email and files using services such as Office 365. Mobile
devices can pose a significant security risk if you do not manage and protect them properly. You should
always ensure that mobile devices are protected with at least a complex PIN before you allow them to
connect to your business environment or to a cloud service such as Office 365.

To activate and set up MDM for Office 365, you must:

1. Activate MDM in the Office 365 Security & Compliance admin center console. You should expand
Threat management, and then select Device management.

2. Set up MDM for Office 365 by configuring required DNS records for Windows Mobile and the Apple
Push Notification Service certificate for iOS devices.

3. Create MDM device security policies.

4. Enroll users. After you deploy an MDM policy, each Office 365 user receives an enrollment message
when they sign in to Office 365 from their mobile device. They must complete the enrollment and
activation steps before they can access any Office 365 email and documents. Users who work on
Android or iOS devices have to install the Company Portal app as part of the enrollment process.

5. Manage mobile devices from the previous Office 365 admin center. Some common MDM tasks
include viewing device properties, accessing reports, and wiping devices.

If you want more sophisticated mobile device management, and the ability to deploy applications to your
mobile devices, you should consider using the Microsoft Intune service instead of MDM for Office 365.
Microsoft Intune, available as a separate service or as a part of the Enterprise Mobility Suite, is a
cloud-based platform that enables you to manage all kinds of mobile and desktop or laptop devices from one
place. You can also use Microsoft Intune for mobile application management, to deploy applications on
mobile devices and apply policies for both devices and applications. Microsoft Intune integrates easily
with Office 365 because it uses the same Azure AD instance as Office 365, so you don't have to configure
user and device objects separately.

Additional Reading: For more information, refer to: Overview of Mobile Device
Management (MDM) for Office 365 at: https://aka.ms/igq2rg

Additional Reading: For more information, refer to: What is Intune at:
https://aka.ms/xz8gc8

Question: Outlook uses which protocols to connect to Office 365?

Question: What steps should you perform to enable MDM in Office 365?

Lab: Configuring client connectivity to Office 365


Scenario
You configured the Office 365 tenant and the custom domain for A. Datum Corporation. You also created
user accounts for your pilot users. The next step you must perform is to ensure that clients can connect to
Office 365, and that their configuration is automatic, where possible. To enable these features, you must
configure the required DNS records for your custom domain, and use the Office 365 connectivity tools to
verify connectivity. You then must configure Office 2016 clients to connect to Office 365.

Objectives
After completing this lab, you will be able to:

Configure DNS records for Office 365.

Run Office 365 connectivity analyzer tools.

Configure and verify client connectivity.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes
Virtual machine: 20347A-LON-DC1, 20347A-LON-CL1, and 20347A-LON-CL2

User name: Adatum\Administrator, Adatum\Holly, LON-CL2\Francisco

Password: Pa55w.rd
In all of the tasks:

When you see references to Adatumyyxxxx.onmicrosoft.com, replace Adatumyyxxxx with your unique Office 365
name that is displayed in the online lab portal.

Where you see references to Adatumyyxxxx.hostdomain.com, replace Adatumyyxxxx with your unique
hostdomain.com name that is displayed in the online lab portal.

This lab requires the following virtual machines:


LON-DC1

o Sign in as Adatum\Administrator with the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly with the password Pa55w.rd

LON-CL2

o Sign in as LON-CL2\Francisco with the password Pa55w.rd

Question: Why do you need to edit the DNS configuration, and add the canonical name
(CNAME), service (SRV), and MX records?

Question: How can you verify that the Autodiscover service in Office 365 is properly configured?

Module Review and Takeaways


Best Practices
Planning is the key to a successful Office 365 client deployment, and your planning process should
include:

Analyzing Office 365 clients and deciding which clients meet the organization's business
requirements.

Performing a detailed review of all DNS record changes that are needed for the Office 365 deployment
process. Without a proper DNS configuration, clients might have problems connecting to Office 365
services.

Planning network connectivity. When you migrate your infrastructure to Office 365, all of your
organization's resources are hosted in the cloud. Therefore, you need a reliable Internet connection to
support client connections to Office 365.

Planning changes that you need to configure in your organization's network infrastructure, such as
firewalls and internal DNS servers that provide connectivity to Office 365.

Preparing a thorough support plan for users to help them transition to Office 365 services.

Module 4
Planning and configuring directory synchronization
Contents:
Module Overview 4-1

Lesson 1: Planning and preparing for directory synchronization 4-2

Lesson 2: Implementing directory synchronization by using Azure AD Connect 4-15

Lesson 3: Managing Office 365 identities with directory synchronization 4-31

Lab: Configuring directory synchronization 4-42

Module Review and Takeaways 4-44

Module Overview
In this module, you will learn how to plan, prepare, and implement directory synchronization as a
methodology for user and group management in a Microsoft Office 365 deployment. This module covers
the preparation of an on-premises environment; the installation and configuration of directory
synchronization, and how to manage Office 365 identities after you enable directory synchronization.

Objectives
After completing this module, you will be able to:

Plan and prepare for directory synchronization.

Implement directory synchronization by using Microsoft Azure Active Directory Connect (AD Connect).

Manage Office 365 identities with directory synchronization.



Lesson 1
Planning and preparing for directory synchronization
In this lesson, students will learn about directory synchronization with Microsoft Azure Active Directory
Connect (Azure AD Connect). Included in this lesson is a review of the installation requirements, planning
for nonroutable domain names and multiple forests, cleaning up existing objects in Active Directory
Domain Services (AD DS), and enabling directory synchronization.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Office 365 authentication options.

Describe directory synchronization.

Plan for directory synchronization.

Describe prerequisites for directory synchronization.

Prepare for directory synchronization.

Configure a tenant for directory synchronization.

Office 365 authentication options


With an effective account access management solution, your organization can track who has access to what
information across the organization. Access control is a critical function of a centralized, single-point
provisioning system. Besides protecting sensitive information, access controls expose existing accounts
that have unapproved authorizations or are no longer necessary.

Accounts in most information technology (IT) systems include hundreds of parameters that define
authorities, and the provisioning system can control these details in your environment. New users can be
readily identified with the data feed that you establish from the human resources directory. The access
request approval capability initiates the processes that approve, or reject, resource provisioning for
them.

The following table compares the options for user account management and provisioning across the
three topologies (on-premises, cloud, and hybrid).

Lifecycle management phase: Account management and provisioning

On-premises: With AD DS, you can create a scalable, secure, and manageable infrastructure for user and
resource management, and provide support for directory-enabled applications such as Microsoft Exchange
Server. Provisioning groups in AD DS is done through Microsoft Identity Manager (MIM); provisioning users
is done in AD DS. Administrators can use access control to manage user access to shared resources for
security purposes. In Active Directory, access control is administered at the object level by setting
different levels of access, or permissions, to objects, such as Full Control, Write, Read, or No Access.
Access control in Active Directory defines how different users can use Active Directory objects. By
default, permissions on objects in Active Directory are set to the most secure setting.

Cloud: You have to create an account for every user who will access a Microsoft cloud service. You can
also change user accounts or delete them when you no longer need them. By default, users do not have
administrator permissions, but you can optionally assign them. Within Microsoft Azure Active Directory
(Azure AD), one of the major features is the ability to manage access to resources. These resources can be
part of the directory, as in the case of permissions to manage objects through roles in the directory, or
resources that are external to the directory, such as software as a service (SaaS) applications, Azure
services, and Microsoft SharePoint sites or on-premises resources. At the center of the Azure AD access
management solution is the security group. The resource owner (or the administrator of the directory) can
assign a group to provide certain access rights to the resources they own. The members of the group will
be provided access, and the resource owner can delegate the rights to manage the group's member list to
someone else, such as a department manager or a help-desk administrator.

Hybrid: Extend Active Directory identities into the cloud through synchronization and Federation Service.

Azure AD
Azure AD is an online instance of AD DS. Azure AD provides authentication and authorization for Office
365 and for other Microsoft cloud offerings, including Azure and Microsoft Intune. Authentication
through Azure AD can be on a cloud-only basis, through directory synchronization from on-premises
AD DS, with optional password synchronization, or you can enable user authentication with on-premises
user accounts through Active Directory Federation Services (AD FS) or other single sign-on (SSO)
providers.

Authentication options in Office 365 fall into one of three main categories:

Cloud-only. Cloud-only identities are exactly as the name suggests; the user identity exists only in the
cloud, so all password management and policy control is done through Windows Azure AD. Each user will have
two entirely separate identities.

Directory synchronization with optional password synchronization. With directory synchronization, you set
up a directory synchronization server or appliance that provides either one-way or two-way synchronization
of users, groups, and attributes from on-premises AD DS to Azure AD. In the case of Exchange hybrid
environments, there is also synchronization of certain attributes from online to on-premises. However, it
is important to remember that even with password synchronization, there are still two sets of security
credentials; it is just that directory synchronization and password sync are keeping them aligned. Users
still authenticate to Azure AD to access Microsoft Exchange Online and other online services.

SSO with AD FS. The SSO option hands over authentication control to your directory service. Therefore,
users no longer authenticate against Azure AD but against AD FS. Consequently, when a user types
user@adatum.com into the Office 365 sign-in page, the user receives a message telling them that they have
been redirected to their organization's sign-in page. They then enter their on-premises identity and
authenticate to the Office 365 online services by using a delegated token that verifies to Office 365 that
the user has been successfully authenticated by their on-premises directory service.

Note: The SSO authentication option is covered in more detail in later modules of this
course.

In the pilot phase of a deployment, you implement cloud-only identities because this option does not have
any on-premises infrastructure requirements. In this phase, you plan for directory synchronization with
password synchronization.

Password-synchronized users can sign in to Microsoft cloud services, such as Office 365, Microsoft
Dynamics CRM, and Intune, by using the same password that they use when signing in to their on-premises
network. The user's password is synchronized to Azure AD as a password hash, and authentication occurs in
the cloud. See the password synchronization topic for more information.

With federation through AD FS, users can sign in to Microsoft cloud services, such as Office 365, Microsoft
Dynamics CRM, and Intune, by using the same password that they use when signing in to their on-premises
network. The users are redirected to their on-premises AD FS infrastructure for authentication.

Overview of directory synchronization


Directory synchronization is the synchronization of directory objects (users, groups, contacts, and
computers) between your on-premises AD DS environment and the Office 365 directory infrastructure,
Azure AD.

Although directory synchronization is most commonly used to synchronize data to Office 365 by default,
new features allow two-way synchronization from the Office 365 directory to your on-premises AD DS. In
addition to directory objects, directory synchronization can provide two-way synchronization of user
passwords as well. Directory synchronization tools, such as Azure AD Connect, perform this synchronization
and are installed on a dedicated computer in your on-premises environment.

Integrating your on-premises directories with Azure AD makes your users more productive by providing a
common identity for accessing both cloud and on-premises resources. With this integration, users and
organizations can take advantage of the following:

Organizations can provide users with a common hybrid identity across on-premises or cloud-based
services, including consistent group membership, by leveraging AD DS and then connecting to
Azure AD.

Administrators can use policies set through AD DS to provide conditional access based on application
resource, device and user identity, network location and multi-factor authentication without having to
perform additional tasks in the cloud.

Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS
apps and non-Microsoft applications.

Support staff will experience fewer support calls because if users have fewer passwords to remember,
they are less likely to forget them.

Security will have confidence in knowing that user identities and information are protected because
all the servers and services used in SSO are mastered and controlled on-premises.

Security will have greater confidence when they have the option to use strong authentication, also
called two-factor authentication, with the cloud service.

Developers can build applications that leverage the common identity model, integrating applications
into on-premises AD DS or Azure for cloud-based applications.
To take advantage of the integration between your on-premises directories and Azure AD, you must deploy a
directory synchronization tool. The directory synchronization tool provides the following features and
functionality:

SSO

Two-way synchronization of user passwords

Skype for Business 2015 hybrid environment

Microsoft SharePoint Server 2013 hybrid environment

Microsoft Exchange Server 2016 hybrid environment, including:

o A shared Global Address List (GAL) between your on-premises Exchange Server environment and
Exchange Online

o Synchronized GAL information from different mail systems

o The ability to add users to and remove users from Office 365 service offerings. This requires the
following:

   Two-way synchronization from your on-premises AD DS environment to the Office 365 directory
   infrastructure

   An on-premises Exchange Server hybrid deployment

o The ability to move some or all mailboxes to Office 365 from an on-premises Exchange Server, or
vice versa

o Synchronization of the safe senders and blocked senders lists that are enabled on-premises to Exchange
Online

o The ability to send email with basic delegation and send-on-behalf-of

Two-way synchronization of photos, thumbnails, conference room mailboxes, and security and
distribution groups

Filtering and scoping to individual organizational units

When you synchronize user accounts with the directory synchronization tool for the first time, they are
marked as nonactivated. These users cannot access any of the services in Office 365, such as sending or
receiving email or accessing Skype for Business Online or Microsoft SharePoint Online, and they are not
assigned Office 365 subscription licenses. To assign Office 365 subscriptions to specific users, you must
activate the user accounts by assigning a valid Office 365 license.

Planning directory synchronization


When planning for directory synchronization, the following issues must be considered:

Identify on-premises AD DS preparation tasks, for example, AD DS attribute updates or schema extensions,
and whether an AD DS upgrade is required to meet minimum version requirements for forest functional
level.

Determine the required accounts and permissions to use during deployment, configuration, and operation
of the directory synchronization tool.

Identify the network port requirements.

Identify any requirements for auditing once you enable synchronization.

Identify any domain controller placement issues that might affect synchronization performance and
reliability.

Plan for multiple AD DS forest or domain scenarios.

Perform capacity planning, such as preparation for large scale deployments requiring Microsoft SQL
Server databases, and Azure AD quota limits.

Plan for two-way directory synchronization.

Plan for nonroutable domain names, such as .LOCAL, by using additional user principal name (UPN)
suffixes.

Plan for Active Directory filtering to narrow the scope of which AD DS objects to synchronize to
Office 365.

Best practices for deploying directory synchronization include:

Have a proper project plan.

If AD DS filtering is used, configure it before synchronizing objects to Office 365.

Work with a cloud services partner.

Perform thorough capacity planning.

Remediate AD DS before deploying directory synchronization.

Add all Simple Mail Transfer Protocol (SMTP) domains as verified domains before synchronizing;
domains cannot be removed until all synchronized objects are no longer using the domain as a proxy
address or UPN.

Multi-forest deployment considerations


While the directory synchronization tool can synchronize with multiple on-premises AD DS forests, the
deployment will be more complex. If your organization has multiple forests for authentication (logon
forests), and would prefer a simpler deployment option, you might need to plan for the following
activities:

Evaluate consolidating your forests. In general, more support is required to maintain multiple AD DS
forests. Unless you have security constraints that dictate the need for separate forests, consider
simplifying your on-premises AD DS environment prior to deploying the directory synchronization
tool.

Deploy directory synchronization to support your primary AD DS forest only. Consider planning to
deploy Office 365 only for your primary AD DS forest during the initial rollout of Office 365.

Two-way directory synchronization


By default, the directory synchronization tool writes directory information from your on-premises AD DS
to your Office 365 environment. When you configure two-way synchronization in the tool, you enable
writeback functionality where the directory synchronization tool copies a limited number of AD DS object
attributes from Office 365 and writes them to your on-premises AD DS. This writeback functionality is
commonly used in an Exchange Server 2016 hybrid environment.

Two-way directory synchronization is required if your organization plans to take advantage of advanced
Office 365 features and functionality, such as Exchange Online archiving, safe and blocked senders, and
Exchange voice mail. In two-way directory synchronization, the directory synchronization tool writes back
the following required AD DS object attributes from Office 365 to your on-premises AD DS:

SafeSendersHash

BlockedSendersHash

SafeRecipientsHash

msExchArchiveStatus

ProxyAddresses as X500 email addresses

msExchUCVoiceMailSettings

msExchUserHoldPolicies

Additional Reading: For more information, refer to: Azure Hybrid Identity Design
Considerations Guide at: http://aka.ms/ibuqek

Prerequisites for directory synchronization


After you complete a plan for directory synchronization, you will need to review the prerequisites. These
tasks will enable you to prepare the environment for directory synchronization, and include:

Capacity planning for your directory synchronization database server.

Identifying the hardware requirements for your directory synchronization computer.

Identifying if your environment exceeds the Azure AD object quota.

Reviewing the network ports required by directory synchronization.

Determining if any schema extensions to AD DS are required.

Capacity planning
Directory synchronization is a critical tool for integration with your cloud service offerings; therefore, you
need to plan accordingly to properly implement directory synchronization. In most organizations, user
objects from AD DS make up the bulk of the directory synchronization payload and influence both
synchronization times and the sizing of your infrastructure.

The directory synchronization tool has a significant database dependency, so you will need to plan for
database capacity requirements. If your AD DS forest has fewer than 50,000 objects, then the default
Windows Internal Database (WID) should be sufficient. However, if your environment has more than
50,000 objects, then you might require a full version of SQL Server. Most directory synchronization tools
scale to forests of 600,000 or more objects.

Hardware requirements
Deployments with more than 50,000 objects in AD DS require a significant increase in memory
requirements (from 4 gigabytes [GB] random access memory [RAM] to 16 GB); therefore, it is important to
implement adequate hardware resources when transitioning from the pilot to production phase.

Number of objects in AD DS   Central processing unit (CPU)   Memory   Hard disk size
Fewer than 10,000            1.6 gigahertz (GHz)             4 GB     70 GB
10,000-50,000                1.6 GHz                         4 GB     70 GB
50,000-100,000               1.6 GHz                         16 GB    100 GB
100,000-300,000              1.6 GHz                         32 GB    300 GB
300,000-600,000              1.6 GHz                         32 GB    4500 GB
More than 600,000            1.6 GHz                         32 GB    5000 GB



Azure AD object quota


By default, Azure AD will allow 50,000 objects (users, mail-enabled contacts, and groups). The object
quota automatically increases to 300,000 after the first domain is verified. If the object quota is exceeded
during directory synchronization, the tenant administrator will receive the following email message:

The Directory Synchronization batch run was completed on <date/time> for tenant <name>.
The following errors occurred during synchronization:
Synchronization has been stopped. The company has exceeded the number of objects that can be
synchronized. Contact Technical Support and ask for an increase in your company's quota.

If you have a requirement to synchronize more than 300K objects, you will need to contact Microsoft
Technical Support to request a limit increase to the object quota. If you have a requirement to
synchronize more than 500K objects, you will need a license such as Office 365, Azure AD Basic, Azure AD
Premium, or Enterprise Mobility Suite. During the planning phase, it is important to plan appropriately for
any quota increase requests; otherwise, this could become a deployment blocker if left to the last minute.

Additional Reading: For more information, refer to: You receive a "This company has
exceeded the number of objects that can be synchronized" error in a directory synchronization
report at: http://aka.ms/r4x1q4

Network ports
The network traffic for directory synchronization between the directory synchronization tool and Azure
AD is encrypted by using Secure Sockets Layer (SSL). Most of the traffic is outbound, initiated by the
directory synchronization computer, and uses port 443. The writeback of passwords uses an Azure Service Bus
relay as the underlying communication channel, which means that you do not have to open any new ports on
your firewall for this feature to work.

Network traffic between the directory synchronization computer and on-premises AD DS uses standard
Active Directory-related ports; for uninterrupted directory synchronization, the directory synchronization
computer must be able to contact all domain controllers in the forest.

Schema extensions
If your environment runs AD DS but not an Exchange Server, and you plan to enable the Exchange Server
2016 hybrid deployment feature, then you need to install the Exchange Server 2016, or Exchange Server
2013, schema extensions prior to installing directory synchronization.

Additional Reading: For more information, refer to: Prepare Active Directory and
domains at: http://aka.ms/xwdxic

Additional Reading: For more information, refer to: Prepare for directory
synchronization at: http://aka.ms/esbu4f

Preparing for directory synchronization


Before you deploy directory synchronization to synchronize your on-premises AD DS to Azure AD, you will
need to do some preparation in your environment.

If you will be using SSO in your environment, then you should deploy it before directory synchronization.

You will need to prepare your on-premises AD DS environment, which includes resolving issues with object
attributes.

You will identify and configure the appropriate UPN suffixes in your on-premises AD DS environment.

You will use the Office 365 readiness checks to run automatic checks against your on-premises AD DS
environment and to assess its readiness to deploy Office 365.

You will use Office 365 IdFix to resolve any issues identified by the Office 365 readiness checks.

Consider activating directory synchronization a long-term commitment. After you have activated
directory synchronization, you can only edit synchronized objects by using your on-premises AD DS
management tools.

AD DS preparation
When preparing for deployment of directory synchronization, your project plan should include AD DS
preparation, and the requirements and functionality of the Azure AD. To prepare AD DS:

Identify the source of authority

Satisfy domain controller requirements

Clean up AD DS

Set up auditing

Source of authority
For directory synchronization, source of authority refers to the location where Active Directory service
objects, such as users and groups, are mastered (an original source that defines copies of an object) in a
cross-premises deployment. You can change the source of authority for an object by using one of these
scenarios: activate, deactivate, or reactivate directory synchronization from within Office 365 or with
Windows PowerShell. Source of authority transfers from Office 365 to your customer's on-premises
directory service after you perform the first sync.

Additional Reading: For more information, refer to: Directory synchronization and source
of authority at: http://aka.ms/fvexdc

Domain controller requirements


The on-premises AD DS forest must meet specific requirements for the schema master, global catalog
servers, and domain controllers. It is important to carefully read the latest requirements and ensure that
your on-premises AD DS servers meet those requirements.

Additional Reading: For more information, refer to: Prepare for directory
synchronization at: http://aka.ms/e1d0ft

Active Directory cleanup


To help ensure a seamless transition to Office 365 by using directory synchronization, you should prepare
your AD DS forest before you begin your Office 365 directory synchronization deployment.

Your directory remediation efforts should focus on the following tasks:

Remove duplicate proxyAddresses and userPrincipalName attributes.


Update blank and invalid userPrincipalName attributes with valid userPrincipalName attributes.

Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName,
displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.
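A read-only report covering the three remediation tasks above, added here as an example; it is not part of the course or of the IdFix tool. It assumes the ActiveDirectory module (RSAT) is available, and the character rules it applies are a constructed, representative set rather than the exact rules IdFix uses.

```powershell
# Added example (not from the course or IdFix): report duplicate, blank/invalid and
# badly formed values in the AD DS attributes that directory synchronization depends on.
function Get-DirSyncRemediationReport {
    param(
        # Assumption: scope the query to the current domain unless a SearchBase is given.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $attributes = 'givenName', 'sn', 'sAMAccountName', 'displayName', 'mail',
                  'proxyAddresses', 'mailNickname', 'userPrincipalName'
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $attributes

    # Constructed character rules (assumption): sAMAccountName may not contain the characters
    # Windows rejects in logon names; mail-type attributes may not contain whitespace;
    # no attribute may contain control characters or leading/trailing spaces.
    $samInvalid  = '["/\\\[\]:;|=,+*?<>]'
    $mailInvalid = '\s'
    $control     = '[\x00-\x1F\x7F]'

    # 1. Duplicate userPrincipalName and proxyAddresses values across objects.
    $index = @{}
    foreach ($u in $users) {
        $keys = @()
        if ($u.userPrincipalName) { $keys += 'userPrincipalName=' + $u.userPrincipalName.ToLowerInvariant() }
        foreach ($p in @($u.proxyAddresses)) { $keys += 'proxyAddresses=' + $p.ToLowerInvariant() }
        foreach ($k in $keys) {
            if (-not $index.ContainsKey($k)) { $index[$k] = @() }
            $index[$k] += $u.DistinguishedName
        }
    }
    foreach ($k in $index.Keys) {
        if ($index[$k].Count -gt 1) {
            $split = $k.IndexOf('=')
            [pscustomobject]@{
                Issue     = 'Duplicate'
                Attribute = $k.Substring(0, $split)
                Value     = $k.Substring($split + 1)
                Object    = ($index[$k] -join '; ')
            }
        }
    }

    foreach ($u in $users) {
        # 2. Blank or malformed userPrincipalName (must be local-part@dns-domain).
        if (-not $u.userPrincipalName -or $u.userPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            [pscustomobject]@{ Issue = 'InvalidUpn'; Attribute = 'userPrincipalName'
                               Value = $u.userPrincipalName; Object = $u.DistinguishedName }
        }

        # 3. Invalid or questionable characters in the attributes the text lists.
        foreach ($a in $attributes) {
            foreach ($v in @($u.$a)) {
                if (-not $v) { continue }
                $bad = ($v -match $control) -or ($v -ne $v.Trim())
                if ($a -eq 'sAMAccountName') { $bad = $bad -or ($v -match $samInvalid) }
                if ($a -in 'mail', 'proxyAddresses', 'mailNickname', 'userPrincipalName') {
                    $bad = $bad -or ($v -match $mailInvalid)
                }
                if ($bad) {
                    [pscustomobject]@{ Issue = 'InvalidCharacter'; Attribute = $a
                                       Value = $v; Object = $u.DistinguishedName }
                }
            }
        }
    }
}

# Review the findings first; the fixes themselves are made in AD DS (or with IdFix) before the first sync.
Get-DirSyncRemediationReport | Sort-Object Issue, Attribute | Format-Table -AutoSize
```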

AD DS auditing
You might want to use AD DS auditing to capture and evaluate the events that are associated with
directory synchronization, such as user creation, password reset, adding users to groups, and so on. By
implementing directory synchronization, auditing captures directory services logs from the AD DS domain
controllers. Note that security logging might be disabled by default, so you will need to enable it for
events to appear in the logs.

UPN suffixes
Before deploying directory synchronization, it is important to verify that on-premises user objects in
AD DS have a nonnull value for the UPN suffix, and that the value is correct for both the AD DS domain
and Office 365. The UPN suffix is the part of a UPN to the right of the @ character. If a verified public
routable domain is used in Office 365, then this domain should be the UPN suffix, so that the users'
principal names are of the form user@verified domain. If the on-premises UPN suffix does not contain a
public routable DNS domain (such as contoso.local), the default routing domain (for example,
contoso.onmicrosoft.com) is used for the UPN suffix in Office 365.

If the UPN suffix must be changed, it is important to check for any applications that might be dependent
on a specific UPN. If planning SSO, you need to know your AD DS UPN to register the domain for SSO (for
federated or nonfederated IDs).

After you deploy directory synchronization, modifying the user's UPN suffix is not supported. If you need
to modify the UPN after you deploy directory synchronization, you will need to manually update the UPN
in Office 365; therefore, it is important that you plan the UPN suffix correctly from the start. To add a UPN
suffix to the on-premises AD DS:
1. In Active Directory Domains and Trusts, sign in to one of the organization's Active Directory domain
controllers.

2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.

3. Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.

4. Repeat step 3 to add additional alternative UPN suffixes.

If directory synchronization has already been deployed, the user's UPN for Office 365 might not match
the user's on-premises UPN defined in AD DS; this can occur if the user was assigned an Office 365
subscription license before the domain was verified. To resolve this issue, Windows PowerShell can be
used to update users' UPNs in Office 365 to ensure that their Office 365 UPN matches their corporate user
name and domain in your on-premises AD DS.
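The UPN correction described above, as an added example that is not part of the course: it matches each on-premises user to its Office 365 object through the source anchor (the base64 form of objectGUID, stored in Azure AD as ImmutableId), reports mismatches, and only rewrites the Office 365 UPN when `-Fix` is given and the suffix is a verified domain. It assumes the MSOnline and ActiveDirectory modules are installed and that Connect-MsolService has already been run.

```powershell
# Added example (not from the course): align Office 365 UPNs with on-premises AD DS UPNs.
function Get-UpnMismatch {
    # Index cloud users by their source anchor so lookups are constant time.
    $cloudByAnchor = @{}
    Get-MsolUser -All | Where-Object { $_.ImmutableId } |
        ForEach-Object { $cloudByAnchor[$_.ImmutableId] = $_ }

    Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
        ForEach-Object {
            # ImmutableId is the base64 encoding of the on-premises objectGUID bytes.
            $anchor = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
            $cloud  = $cloudByAnchor[$anchor]
            if ($cloud -and $cloud.UserPrincipalName -ne $_.UserPrincipalName) {
                [pscustomobject]@{
                    OnPremisesUpn = $_.UserPrincipalName
                    Office365Upn  = $cloud.UserPrincipalName
                    ImmutableId   = $anchor
                }
            }
        }
}

function Repair-UpnMismatch {
    param([switch]$Fix)   # without -Fix the function only reports what it would change

    # Only suffixes that are verified in the tenant can be used as an Office 365 UPN suffix.
    $verified = (Get-MsolDomain -Status Verified).Name

    foreach ($m in Get-UpnMismatch) {
        $suffix = $m.OnPremisesUpn.Split('@')[1]
        if ($suffix -notin $verified) {
            Write-Warning "Skipping $($m.Office365Upn): suffix '$suffix' is not verified in Office 365."
            continue
        }
        if ($Fix) {
            Set-MsolUserPrincipalName -UserPrincipalName $m.Office365Upn -NewUserPrincipalName $m.OnPremisesUpn
            Write-Output "Updated $($m.Office365Upn) -> $($m.OnPremisesUpn)"
        } else {
            Write-Output "Would update $($m.Office365Upn) -> $($m.OnPremisesUpn)"
        }
    }
}

Repair-UpnMismatch          # report only
# Repair-UpnMismatch -Fix   # apply the changes after reviewing the report
```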

Office 365 readiness checks


The Office 365 readiness checks, formerly known as the Office 365 OnRamp tool, are used to run
automatic checks against a current on-premises environment and to assess its readiness to deploy Office
365. These checks are read-only, and do not make permanent changes to the on-premises environment.
After the checks have completed, the Office 365 readiness checks list the configuration steps that you will
need to complete a deployment.

Depending on the type of Office 365 deployment required, the Office 365 readiness checks will validate:

Credentials. Determines whether there are valid credentials available in the local environment,
including necessary administrator rights in Exchange Server 2013 or later if migrating to Exchange
Online. It will also determine whether there are valid tenant administrator credentials for any existing
trial account with Office 365.
Network. Determines whether there is network connectivity to Office 365, and checks for availability
of required ports.

Domains. Determines the on-premises domain suffixes, and identifies whether any domains are
already verified with Office 365. Appropriate DNS records are also checked.

Users and groups. Determines whether the on-premises AD DS is ready for directory synchronization
and SSO. User and group objects are also checked to ensure that they meet the requirements for
successful synchronization with Office 365.

Email. Evaluates messaging integration with the on-premises environment, and the readiness for
email migration if required.
Sites. Determines whether the on-premises AD environment is able to support the deployment of
Microsoft SharePoint Online.

Skype for Business. Identifies any current integration with Skype for Business Server 2016 or Lync
Server.

User software. Determines whether domain-joined computers meet the service and identity
requirements for the required Office 365 deployment.

Note: At a minimum, an Office 365 trial tenant is required to complete all the readiness
checks.

You can access the Office 365 readiness checks from the previous Office 365 admin center. The computer
used to run the readiness checks must meet the following system requirements:

Windows Server 2008 R2, Windows 7 (64-bit) or later

Internet Explorer 9.0 or later

Windows PowerShell v2.0 or later

WinRM 2.0 or later

Office 365 IdFix tool


While the Office 365 readiness checks provide valuable information about your environment, they will not
resolve any issues identified by the tool. On the other hand, the Office 365 IdFix tool provides you the
ability to identify and remediate the majority of object synchronization errors in your AD DS forests in
preparation for deployment to Office 365. This remediation will then allow you to more successfully
synchronize users, contacts, and groups from your on-premises AD DS into the Office 365 environment.

The Office 365 IdFix tool queries all the AD DS domains in the currently authenticated forest and displays
object attribute values that would be reported as errors by the directory synchronization tool. The Office
365 IdFix tool displays these object attribute values in a data grid. This data grid supports the ability to
scroll, sort, and edit the objects in a resulting table to produce compliant values. Depending on the
method of use, the Office 365 IdFix tool provides:
Confirmation of each change is enforced. Only the objects you have selected to update will be
changed.

Transaction rollback. You can undo confirmed updates to object attributes applied to the forest.
Well known exclusions. Not all AD DS objects should be made available for editing as some could
cause harm to the source environment, for example, critical system objects. These objects are
excluded from the Office 365 IdFix data grid.
Save to File. Data is exported into CSV or LDF format for offline editing or investigation.

Import of CSV. Data is imported from a CSV file. Because this function relies upon the
distinguishedName attribute to determine the value to update, the recommended method to use
this feature is to export from a query, such as the Save to File. Keep the other columns as they were
and do not introduce escape characters into the values.

Verbose logging. Because the Office 365 IdFix tool makes changes in your environment, verbose
logging is enabled by default.

Support for multi-tenant and dedicated Office 365 tenants. Depending on your environment, the
Office 365 IdFix tool supports validation of multiple or dedicated Office 365 tenants.
The computer used to run the Office 365 IdFix tool must meet the following system requirements:

Windows Server 2008 R2, Windows 7 (64-bit) or later

The Microsoft .NET Framework 4.0 or later

Additional Reading: For more information, refer to: IdFix DirSync Error Remediation Tool
at: http://aka.ms/sr02nb

Configuring a tenant for directory synchronization


Before you use directory synchronization to initiate synchronization, you must first enable Active Directory
synchronization in Office 365. This process can take up to 24 hours to complete, so it is important to plan
for this requirement ahead of the directory synchronization deployment. You can enable Active Directory
synchronization in the Office 365 tenant through the Office 365 admin center, or by using Windows
PowerShell.

To enable Active Directory synchronization by using the previous Office 365 admin center, complete these
steps:

1. In the left navigation pane, click Users, and then click Active Users.

2. In the right navigation pane, under Active Directory synchronization, click Set up.

3. Under Activate Active Directory synchronization, click Activate.

4. At the prompt, click Activate.

To enable Active Directory synchronization in the new Office 365 admin center, you should run the
Directory sync setup assistant.

To enable Active Directory synchronization by using the Microsoft Azure Active Directory Module for
Windows PowerShell, type the following command, and then press Enter:

Set-MsolDirSyncEnabled -EnableDirSync $true -Force
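The same activation wrapped in a check of the tenant's current state, as an added example that is not part of the course: it warns if no public domain has been verified yet (synchronized UPNs would then fall back to the onmicrosoft.com routing domain), skips activation when it is already on, and reports the status fields a practitioner would watch while the activation completes. It assumes the MSOnline module and a completed Connect-MsolService.

```powershell
# Added example (not from the course): activate directory synchronization and show its status.
function Enable-TenantDirSync {
    $verified = Get-MsolDomain -Status Verified | Where-Object { $_.Name -notlike '*.onmicrosoft.com' }
    if (-not $verified) {
        Write-Warning 'No public domain is verified yet; synchronized UPNs will use the onmicrosoft.com routing domain.'
    }

    $info = Get-MsolCompanyInformation
    if ($info.DirectorySynchronizationEnabled) {
        Write-Output 'Directory synchronization is already enabled for this tenant.'
    } else {
        Set-MsolDirSyncEnabled -EnableDirSync $true -Force
        Write-Output 'Activation requested; it can take up to 24 hours to complete.'
    }
}

function Get-TenantDirSyncStatus {
    # These properties of Get-MsolCompanyInformation show whether the tenant is ready and,
    # after the first sync, which account last exported and when.
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        DirSyncEnabled        = $info.DirectorySynchronizationEnabled
        PasswordSyncEnabled   = $info.PasswordSynchronizationEnabled
        DirSyncServiceAccount = $info.DirSyncServiceAccount
        LastDirSyncTime       = $info.LastDirSyncTime
    }
}

Enable-TenantDirSync
Get-TenantDirSyncStatus
```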



Lesson 2
Implementing directory synchronization by using
Azure AD Connect
In this lesson, you will learn how to deploy Azure AD Connect. The lesson reviews the Azure AD Connect
installation requirements and the options for installing and configuring the tool, and then covers monitoring of
Azure AD Connect.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Azure AD Connect.

Describe Azure AD Connect requirements.


Describe Azure AD Connect express synchronization settings.

Describe Azure AD Connect customized synchronization.

Upgrade to Azure AD Connect.

Describe Azure AD Connect Health.

Describe how Azure AD Connect works in multi-forest scenarios.

Describe Azure AD Connect pass-through authentication.

Overview of Azure AD Connect


The Azure AD Connect tool, formerly known as Windows Azure Active Directory Synchronization or DirSync, is
the latest directory synchronization tool supported by Office 365. Azure AD Connect is designed to operate as
a software-based set-and-forget appliance. For Office 365, the purpose of the tool is to allow coexistence
between your on-premises Active Directory environment and Office 365 in the cloud. When using Azure AD
Connect for directory synchronization:

New user, group, and contact objects in on-premises AD DS are added to Office 365; however, Office 365
licenses are not automatically assigned to these objects.

Attributes of existing user, group, or contact objects that are modified in on-premises AD DS are
modified in Office 365; however, not all on-premises AD DS attributes are synchronized to Office 365.

Existing user, group, and contact objects that are deleted from on-premises AD DS are deleted from
Office 365.

Existing user objects that are disabled on-premises are disabled in Office 365; however, licenses are
not automatically unassigned.

In a cloud-only Office 365 deployment, all Azure AD objects are originally created (mastered) in the cloud,
and must be edited using cloud-based tools (either using the Office 365 admin center, or by using
Windows PowerShell cmdlets). In this scenario, Azure AD is referred to as the source of authority for all
Active Directory objects.

Azure AD requires a single source of authority for every object. It is important to understand, therefore,
that in the scenario where you have deployed Azure AD Connect for Active Directory synchronization, you are
mastering objects from within your on-premises AD DS (by using tools such as Active Directory Users and
Computers or Windows PowerShell); the source of authority is the on-premises AD DS. After the first
synchronization cycle has completed, the source of authority is transferred from the cloud to the on-
premises AD DS. All subsequent changes to cloud objects (except for licensing) are mastered from the on-
premises AD DS tools. The corresponding cloud objects are read-only, and Office 365 administrators
cannot edit cloud objects if the source of authority is on-premises.

Email address matching is used to identify the on-premises AD DS user object that relates to an Office 365
user:

If a user exists in your on-premises AD DS and no matching user yet exists in Office 365, Azure AD
Connect will create a new Office 365 user with the same email address as the on-premises account.

If a user already exists in both your on-premises AD DS and in Office 365, and these objects have the
same email address, then during the first synchronization these objects will become joined, or linked.

More information on attributes and matching is provided later in this module.

By synchronizing user, contact, and group objects, Azure AD Connect provides a unified GAL experience
between an on-premises AD DS or Exchange environment, and Office 365. Using the filtering features in
Azure AD Connect, objects hidden from the GAL on-premises are also hidden from the GAL in Office 365.
We will cover filtering and scoping later in this module.
Azure AD Connect supports the following simple scenarios:

Where Office 365 replaces on-premises Exchange Server.

Where there are both on-premises and Exchange Online mailboxes in a hybrid deployment scenario.

In hybrid scenarios, Azure AD Connect allows mail routing between on-premises and Office 365 with a
shared domain namespace. This scenario allows on-premises/cloud coexistence for both Exchange Server
2013 or later, Skype for Business Server 2015, or Lync Server 2013.

Note: Azure AD Connect is not designed to be used as a single-use bulk upload tool for
Office 365, and does not automatically assign licenses to the Office 365 accounts.

Some Office 365 deployment models set up AD FS and SSO before Azure AD Connect, and then use the
tool to ensure that Office 365 accounts are present for all on-premises users after federation has been
enabled. However, this course follows the Office 365 FastTrack methodology, where Azure AD Connect is
used as an enabler for SSO through AD FS.

Azure AD Connect requirements


Azure AD Connect is the successor of DirSync, Azure AD Sync, and Microsoft Forefront Identity Manager with
the Azure AD connector preconfigured for synchronizing user, group, contact, and computer objects from your
on-premises AD DS to Office 365. This out-of-the-box configuration is why Azure AD Connect is referred to as
a software appliance (set and forget).

Azure AD requirements
Before deploying Azure AD Connect in your environment, there are a few requirements for Azure AD:

An Azure subscription or an Azure trial subscription. This is only required for accessing the Azure
portal and not for using Azure AD Connect. If you are using Office 365 you do not need an Azure
subscription to use Azure AD Connect, because an Azure AD tenant is provisioned with Office 365. If
you have an Office 365 license you can also use the Office 365 portal to establish directory
synchronization. With a paid Office 365 license you can also get into the Azure portal from the Office
365 portal.

Add and verify the domain you plan to use in Azure AD. For example, if you plan to use Adatum.com
for your users, then you will need to ensure the domain name has been verified in Office 365 and that
you are using more than the default domain, adatum.onmicrosoft.com.

An Azure AD directory will by default allow 50K objects. As discussed earlier in the module, when you
verify your domain the limit increases to 300K objects. If you need even more objects in Azure AD,
you need to open a support case to have the limit increased even further. If you need more than
500K objects, you will need a license such as Office 365, Azure AD Basic, Azure AD Premium, or
Enterprise Mobility Suite.

Domain and forest requirements


Azure AD Connect requires that the AD schema version and forest functional level must be Windows
Server 2003 or newer. Azure AD Connect supports a single AD DS forest with express settings, and
supports multiple AD DS forest scenarios and multiple Exchange organizations with customized settings.
The scenario with multiple forests will be discussed later in this lesson.

Note: Using Azure AD Connect for Forefront Identity Manager 2010 R2 or later, using
Azure AD Connect with a non-Microsoft directory service, and installing Azure AD Connect on a
non-Windows computer are all out of scope for this course.

To integrate with Azure AD Connect, Active Directory domain controllers must run one of the following
operating systems:

Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1) or later.

If you plan to use the password writeback feature, the AD domain controllers must be on Windows
Server 2008 or later.

When you install Azure AD Connect with express settings, the directory synchronization computer must
be a member of a domain, and for single forest scenarios, this computer must be joined to a domain
within the same forest that will be synchronized. On the other hand, with customized settings, you can
install Azure AD Connect on a computer that is not joined to a domain. Azure AD Connect also supports
installation on domain controllers. However, for production scenarios, we recommend to use a member
server for Azure AD Connect.

During installation of Azure AD Connect, you will be required to select an AD DS attribute for the source
anchor. This attribute, also called sourceAnchor, should be an attribute that is immutable during the
lifetime of a user object, as it is the link between on-premises AD DS and Azure AD. In most scenarios, this
might be the objectGUID. This attribute will not change unless the user account is moved between
forests/domains.

However, in a multi-forest scenario, where you move user accounts between forests, another attribute
must be used, such as an attribute with the employeeID.

Note: Attributes to avoid are those that would change if a person marries or changes
assignments. Other attributes which cannot be used include attributes with an @-sign, therefore
email and userPrincipalName cannot be used.

Operating system and supporting software requirements


Azure AD Connect requires the following Windows Server versions (64-bit edition only):

Windows Server 2008 or later.

Windows Server 2012 or later.


If you plan to use the password synchronization feature, the server must be on Windows Server 2008
R2 SP1 or later.

In addition, Azure AD Connect requires the following software prerequisites:


Microsoft .NET Framework 4.5.1 or later.

Windows PowerShell 3.0 or later.

Windows Azure AD Module for Windows PowerShell (64-bit version).

Additional Reading: For more information, refer to: Office 365 URLs and IP address
ranges at: http://aka.ms/A4c1kq

Permissions and accounts


Installing and configuring Azure AD Connect requires the following accounts:

An Azure AD Global Administrator account for the Azure AD directory with which you want to
integrate.

An Enterprise Administrator account for your on-premises AD if you use express settings or upgrade
from the Microsoft Azure Active Directory Sync Tool (DirSync).

Azure AD Connect uses the Azure AD Global Administrator account to provision and update objects in the
Office 365 tenant when you initiate directory synchronization. If you create a dedicated service account in
Office 365 for directory synchronization in place of the Office 365 tenant administrator account, it is
important to disable the default 90-day password expiration; otherwise, the synchronization service will
stop working when the password expires for the Office 365 tenant administrator account. In this scenario,
you will need to reconfigure Azure AD Connect to update the password.

To disable password expiration for the service account in Office 365 by using the Azure Active Directory
Module for Windows PowerShell, type the following command, and then press Enter:

Set-MsolUser -UserPrincipalName <service account>@<domain>.onmicrosoft.com -PasswordNeverExpires $true
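The service-account setting above, applied and then audited, as an added example that is not part of the course: it exempts the dedicated synchronization account from expiration, confirms the change, and lists every other account in the tenant whose password never expires so that the exemption does not silently spread. It assumes the MSOnline module and a completed Connect-MsolService; the account and domain names are placeholders.

```powershell
# Added example (not from the course): manage and audit non-expiring passwords in the tenant.
$serviceUpn = 'svc-dirsync@<domain>.onmicrosoft.com'   # placeholder: the dedicated sync account

function Set-DirSyncServiceAccountPolicy {
    param([string]$UserPrincipalName)
    # The synchronization service stops when this account's password expires, so exempt it.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $true
    # Read the object back so the caller sees the effective setting, not just the request.
    Get-MsolUser -UserPrincipalName $UserPrincipalName |
        Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
}

function Get-NonExpiringPasswordAccounts {
    # Any account other than the expected service account(s) with a non-expiring password
    # deserves a second look; the Expected column makes the exceptions stand out.
    param([string[]]$Expected)
    Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp,
            @{ Name = 'Expected'; Expression = { $_.UserPrincipalName -in $Expected } }
}

Set-DirSyncServiceAccountPolicy -UserPrincipalName $serviceUpn
Get-NonExpiringPasswordAccounts -Expected $serviceUpn | Format-Table -AutoSize
```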

The account used to install and configure Azure AD Connect must have the following permissions:

Enterprise Administrator permission in your on-premises AD DS. This is required to create the
directory synchronization service account in AD DS.

Local administrator permission on the Azure AD Connect computer. This is required to install the
Azure AD Connect tool.

The account used to configure Azure AD Connect and run the configuration wizard must reside in the
local group ADSyncAdmins on the Azure AD Connect computer; by default, the account used to install
Azure AD Connect (the Enterprise Administrator account) is automatically added to this group during
installation.

The Enterprise Administrator account is only required when installing and configuring Azure AD Connect,
and the Enterprise Administrator credential is not stored or saved by the configuration wizard.

The Enterprise Administrator account is required to:

Create the MSOL_<id> domain service account in the CN=Users container of the root domain.

Delegate the following permissions to MSOL_<id> on each domain partition in the forest:
o Replicating Directory Changes

o Replicating Directory Changes all

o Replication Synchronization

Note: Because of the security risk associated with the service account it uses, Azure AD Connect
does not support using a group Managed Service Account to connect to your on-premises
AD DS environments. By default, Azure AD Connect creates service accounts with minimal
privileges but with nonexpiring passwords on the computer that runs Azure AD Connect, and in
both the on-premises AD DS and the Azure AD tenant.

During an Azure AD Connect configuration, you can enable the Exchange hybrid deployment feature.
Previously known as rich coexistence, this feature allows for the coexistence of Exchange mailboxes both
on-premises and in Azure by synchronizing a specific set of attributes from Azure AD back into your on-
premises AD DS. During deployment, the Enterprise Administrator account will create an MSOL_Active
Directory_Sync_RichCoexistence group in the CN=Users container of the root domain automatically. In
addition, the Enterprise Administrator account will delegate write permissions for particular AD DS
attributes that writeback from Azure AD to your on-premises AD DS. These attributes are covered earlier
in this module.
The following accounts are created in your on-premises AD DS during Azure AD Connect configuration:

MSOL_<id>. This account is created during installation of Azure AD Connect, and is configured to
synchronize to Azure AD. The account has directory replication permissions in your on-premises
AD DS and write permission on certain attributes to enable the Exchange Hybrid Deployment.

AAD_<id>. This is the service account for the synchronization engine, and is created with a randomly
generated complex password automatically configured to never expire. When the directory
synchronization service runs, it uses the service account credentials to read from your on-premises
AD DS and then to write the contents of the synchronization database to Azure AD by using the
Office 365 tenant administrator credentials specified during configuration of Azure AD Connect.

Note: Do not change this service account after installing Azure AD Connect, as directory
synchronization will attempt to use the service account created during setup. If the account is
changed, directory synchronization will stop running and scheduled directory synchronizations
will no longer occur.

Database requirements
Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2012
Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is
created on the local machine. SQL Server Express has a 10 GB database limit, which allows you to manage
approximately 100,000 objects. In large deployments, you might need to manage a higher volume of
objects. In this scenario, you should configure Azure AD Connect to a full version of SQL Server. Azure AD
Connect supports all versions of SQL Server, from SQL Server 2014 to SQL Server 2008 (with SP4 or later).
When deploying to a different version of SQL Server, SQL Server rights are required to create the database
used by Azure AD Connect, and to enable the SQL service account with the role of db_owner. You can
achieve this by ensuring that the account used to install Azure AD Connect has sysadmin permission to
the SQL database, and that the service account used to run Azure AD Connect has public permission to
the database used by Azure AD Connect.

Azure AD Connect express synchronization settings


During installation of Azure AD Connect, you can choose the Express Settings, which is the default option and
is one of the most common scenarios. When doing this, Azure AD Connect deploys synchronization with the
password synchronization option. This is for a single forest only and allows your users to use their on-premises
password to sign in to Office 365.

Using the Express Settings is the recommended and default option. The scenarios for when to choose Express
Settings include:

If you have a single AD DS forest.

Users sign in with the same password using password synchronization.

During installation of Azure AD Connect with Express Settings, the installer will:

Install the synchronization engine.

Configure Azure AD Connect.

Configure the on-premises AD DS connector.


Enable password synchronization.

Configure synchronization services.



Configure sync services for Exchange hybrid deployment (optional).

Enable automatic upgrade of Azure AD Connect.

Using the Express Settings will automatically start synchronization once the installation is complete
(though you can choose not to do this).

Azure AD Connect customized synchronization


An alternative option to the Express Settings is installing Azure AD Connect with customized settings. This
option is beneficial if you have additional configuration options or need optional features that are not covered
in the express installation. The scenarios for when to select Customized Settings include:

When you have multiple forests.

When you customize your sign-in option, such as AD FS for federation or use a non-Microsoft identity
provider.

When you customize synchronization features, such as filtering and writeback.

In addition to the required components that are installed as part of Express Settings, you might select the
following optional components during installation:

Specify a custom installation location. This optional component allows you to specify a different
location to install Azure AD Connect.

Use an existing server running SQL Server. This optional component allows you to select an existing
database server.

Use an existing service account. This optional component allows you to specify an existing service
account. By default, Azure AD Connect will create a local service account for the synchronization
services to use. The password is generated automatically and unknown to the person installing Azure
AD Connect. If you specify a remote server running SQL Server, then you will need a service account
to which you know the password.

Specify custom sync groups. This optional component allows you to specify existing management
groups for Azure AD Connect. By default, Azure AD Connect will create four groups on the server
when the synchronization services install. These groups include: Administrators group, Operators
group, Browse group, and the Password Reset group. Use this option if you prefer to specify your own
groups. The groups must be on the server and cannot be located in the domain.

During installation of Azure AD Connect with Customized Settings, the installer will allow you to enable
the following features:

Select the Single Sign-On Method. This feature allows you to specify the SSO method for users. The
SSO methods include password synchronization, federation with AD FS, or do not configure.

Connect multiple on-premises directories or forests. This feature allows you to connect to one or
more AD DS domains or forests.

Matching across forests. This feature allows you to define how Azure AD represents users from your
AD DS forests. A user might either be represented only once across all forests or have a combination
of enabled and disabled accounts.

Sync filtering based on organizational units. This feature allows you to run a small pilot where only a
small subset of objects should be created in Azure AD and Office 365. To use this feature, create an
organizational unit in your AD DS and add the users and groups which should synchronize with Azure
AD to the OU. You can later add and remove users to this group to maintain the list of objects which
should be present in Azure AD.
Select the Source Anchor. This feature allows you to choose the primary key that will link the on-
premises user with the user in Azure AD.

Select the login attribute. This feature allows you to choose the attribute users will use when they
log in to Azure AD and Office 365. Typically, this should be the userPrincipalName attribute. But if
this attribute is nonroutable and cannot be verified, then it is possible to select another attribute, for
example email, as the attribute holding the login ID, known as Alternate ID.

Additional Reading: For more information, refer to: Configuring Alternate Login ID at:
http://aka.ms/nqh5gc

Exchange hybrid deployment. This optional feature enables the coexistence of Exchange
mailboxes both on-premises and in Office 365 by synchronizing a specific set of attributes from
Azure AD back to your on-premises AD DS.
Azure AD app and attribute filtering. This optional feature enables you to tailor the set of
synchronized attributes to a specific set, based on Azure AD apps.

Password hash synchronization. You can enable this optional feature if you selected federation as the
SSO solution. You can then use password synchronization as a backup option.

Password writeback. With this optional feature, password changes that originate in Azure AD are
written back to your on-premises AD DS. You typically deploy this feature when you want to enable
users for self-service password reset of their Azure AD passwords.

Group writeback. With this optional feature, if you use the Groups in Office 365 feature, then you can
have these groups in your on-premises AD DS as a distribution group. This option is only available if
you have deployed Exchange Server on-premises.

Device writeback. With this optional feature, device objects in Azure AD are written back to your on-
premises AD DS for conditional access scenarios.
Directory extension attribute sync. Not available in previous directory synchronization versions, this
optional feature enables you to extend the schema in Azure AD with custom attributes added by your
organization or other attributes in your on-premises AD DS.

After selecting the optional features, the Azure AD Connect installer will provide you the option to deploy
a new Windows Server 2012 R2 or later AD FS farm or to select an existing Windows Server 2012 R2 or
later AD FS farm. In addition, the Azure AD Connect installer will provide you the option to set up the
federation relationship between AD FS and Azure AD. It configures AD FS to issue security tokens to Azure
AD and configures Azure AD to trust the tokens from this specific AD FS instance.

Note: The Azure AD Connect installer will only allow you to configure the trust for a single
domain during the first time. You can configure additional domains at any time by opening up
Azure AD Connect again and performing this task.

During the final stages of the Azure AD Connect installer, you will have the option to automatically start
synchronization once the installation is complete (though you can choose not to do this). You will also
have the option to enable staging mode. This process allows you to set up a new directory
synchronization server in parallel with an existing server.

While Office 365 only supports one directory synchronization server connected to one Azure AD directory
in the cloud, if you want to move from another server, for example one running DirSync, then you can
enable Azure AD Connect in staging mode. When enabled, the sync engine will import and synchronize
data as normal, but it will not export anything to Azure AD and will turn off password sync and password
writeback.

While in staging mode, it is possible to make required changes to the sync engine and review what is
about to be exported. When the configuration looks good, run the installation wizard again and disable
staging mode. This will enable data to export to Azure AD.

Note: Ensure you disable the other directory synchronization server at the same time so
only one server is actively exporting to Azure AD.

Upgrading to Azure AD Connect

If you previously deployed DirSync, then you might choose to upgrade to Azure AD Connect to take
advantage of the newer features in Azure AD Connect. Depending on your current DirSync deployment
scenario, there are different options for the upgrade to Azure AD Connect:

In-place upgrade. If the expected upgrade time is less than 3 hours, then the recommended option is
to do an in-place upgrade.

Parallel deployment. If the expected upgrade time is more than 3 hours, then the recommended
option is to do a parallel deployment on another server. If you have more than 50,000 objects in
AD DS, estimate that the upgrade will take more than 3 hours. In this scenario, the preferred upgrade
option is a parallel deployment.

Note: When you plan to upgrade from DirSync to Azure AD Connect, do not uninstall
DirSync yourself before the upgrade. Azure AD Connect will read and migrate the configuration
from DirSync and uninstall after inspecting the directory synchronization server.

In-place upgrade
The wizard displays the expected time to complete the upgrade. This estimate is based on the assumption
it will take 3 hours to complete an upgrade for a database with 50,000 objects (users, contacts, and
groups). Azure AD Connect will analyze your current DirSync settings and recommend an in-place
upgrade if the number of objects in your database is less than 50,000. If you decide to continue, your
current settings will apply automatically during the upgrade and your server will automatically resume
active synchronization.

During inspection of the DirSync server, Azure AD Connect will assess the customizations of the directory
synchronization server. While Azure AD Connect supports most of the configuration changes for an
upgrade, there are a few scenarios that might prevent an in-place upgrade.

The following configuration changes are supported with DirSync and will be upgraded:

Domain and organizational unit (OU) filtering

Alternate ID (UPN)

Password synchronization and Exchange hybrid settings

Your forest or domain and Azure AD settings

Filtering based on user attributes

The following are unsupported DirSync changes and will prevent an in-place upgrade:

Removed attributes

Using a custom extension dynamic-link library (DLL)

In the unsupported scenarios, the recommendation is to install a new Azure AD Connect server in staging
mode and verify the old DirSync and new Azure AD Connect configuration. Reapply any changes using a
custom configuration, as described earlier in the module.

Note: The passwords used by DirSync for the service accounts cannot be retrieved and will
not be migrated. These passwords are reset during the upgrade.

The high-level steps for upgrading from DirSync to Azure AD Connect include:

Analysis of current DirSync configuration

Collect Azure AD global admin password

Collect credentials for an enterprise admin account (only used during the installation of Azure AD
Connect)

Installation of Azure AD Connect

o Uninstall DirSync

o Install Azure AD Connect

o Optionally begin synchronization

Additional steps are required when:

You are currently using Full SQL Server, local or remote

You have more than 50,000 objects in scope for synchronization

Parallel deployment
If you prefer to deploy Azure AD Connect in a parallel deployment you can use one of two options,
depending on your current environment:

Parallel deployment with more than 50,000 objects. During the upgrade from DirSync to Azure AD
Connect, the wizard will provide you the option to Export Settings if it determines there are more
than 50,000 objects. This option will export the current configuration settings of the DirSync server.
When you install Azure AD Connect on a separate server, these settings will be imported to migrate
any settings from your current DirSync to your new Azure AD Connect installation.

Parallel deployment with less than 50,000 objects. If you have less than 50,000 objects but still prefer
to deploy Azure AD Connect in a parallel deployment, then you can override the in-place upgrade
recommendation. This option is common if you want to take the opportunity to refresh the hardware
and OS. In this scenario, you will need to do the following:

a. Run the Azure AD Connect installer on the DirSync server.

b. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking
the "X" in the upper-right corner of the window.

c. Open a command prompt.

d. From the installation location of Azure AD Connect (default is C:\Program Files\Microsoft Azure
Active Directory Connect) execute the following command:

AzureADConnect.exe /ForceExport

e. Click the Export settings button. When you install Azure AD Connect on a separate server these
settings will be imported to migrate any settings from your current DirSync to your new Azure
AD Connect installation.

Installing Azure AD Connect


When you install Azure AD Connect on a new server it will assume that you want to perform a clean
installation of Azure AD Connect. Because you want to use the DirSync configuration settings that you
exported earlier, there are some extra steps you will need to perform:
1. Run the Azure AD Connect installer.

2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the
X in the upper-right corner of the window.
3. Open a command prompt.

4. From the installation location of Azure AD Connect (default is C:\Program Files\Microsoft Azure
Active Directory Connect) execute the following command:

AzureADConnect.exe /migrate

5. The Azure AD Connect installation wizard starts and allows you to select the settings file that
exported from your DirSync installation.

6. Configure any advanced options, including:


A custom installation location for Azure AD Connect.

An existing instance of SQL Server. Do not use the same database instance as your DirSync server.

A service account used to connect to SQL Server. If your SQL Server database is remote, then this
account must be a domain service account.

7. Click Next.

8. On the Ready to configure page, leave the Start the synchronization process as soon as the
configuration completes option selected. The server will be in staging mode so changes will not
export to Azure AD at this time.

9. Click Install.

Enable Azure AD Connect


In order to enable Azure AD connect, you will need to:

Verify that Azure AD Connect is ready to begin synchronization.

Uninstall DirSync from the old server.

Enable Azure AD Connect on the new server.

To verify that Azure AD Connect is ready to take over directory synchronization from DirSync you will
need to open Synchronization Service Manager in the Azure AD Connect group on the Start menu.

In Synchronization Service Manager, you will need to view the Operations tab. On this tab, you are
looking to confirm that the following operations have been completed:

Import on the AD Connector

Import on the Azure AD Connector

Full Sync on the AD Connector

Full Sync on the Azure AD Connector

Review the result from these operations to ensure there are no errors and that you are satisfied with the
changes that are about to be exported.

Next, you will need to uninstall the Azure AD sync tool from the Programs and Features tool on the old
server.

Note: The uninstallation of DirSync might take up to 15 minutes to complete.

With DirSync uninstalled, there is no active server exporting to Azure AD. You must complete the next
step before any changes in your on-premises AD DS will continue to synchronize to Azure AD.
After installation, reopening Azure AD Connect will allow you to make additional configuration changes.
Start Azure AD Connect on the Start menu or from the shortcut on the desktop and do the following:

Note: Make sure you do not try to run the installation MSI again.

1. Select Configure staging mode.

2. Turn off staging by clearing the Enabled staging mode check box.

3. Click the Next button.

4. On the confirmation page, click the install button.

Azure AD Connect is now your Active Directory synchronization server.
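As an added example (not part of the course and not Azure AD Connect's own tooling), the following read-only PowerShell checks can be run on the new Azure AD Connect server before you clear the staging mode check box. It assumes the ADSync module installed with Azure AD Connect and its Get-ADSyncScheduler, Get-ADSyncConnector and Get-ADSyncConnectorRunStatus cmdlets; the function name Test-StagingCutoverReadiness is this example's own, and the Azure AD connector is recognised by the " - AAD" name suffix that the course text uses later in this module.

```powershell
# Added example (not from the course): read-only pre-cutover checks on the NEW Azure AD
# Connect server, run before you disable staging mode. Assumes the ADSync module that
# ships with Azure AD Connect; nothing here changes the scheduler or exports anything.
Import-Module ADSync

function Test-StagingCutoverReadiness {
    [CmdletBinding()]
    param()

    $issues    = New-Object 'System.Collections.Generic.List[string]'
    $scheduler = Get-ADSyncScheduler

    # 1. This server must still be in staging mode. If it is not, it may already be
    #    exporting while the old DirSync server is still active (two writers to Azure AD).
    if (-not $scheduler.StagingModeEnabled) {
        $issues.Add('Staging mode is already disabled on this server.')
    }

    # 2. Import and full sync must have finished, otherwise the pending exports you are
    #    about to review in Synchronization Service Manager are incomplete.
    if ($scheduler.SyncCycleInProgress) {
        $issues.Add('A sync cycle is in progress; wait for it to finish before reviewing.')
    }
    foreach ($run in @(Get-ADSyncConnectorRunStatus)) {
        $issues.Add("Connector '$($run.ConnectorName)' is still running ($($run.RunState)).")
    }

    # 3. Both connectors must exist. Assumption (taken from the course text): the Azure AD
    #    connector is named '<tenant>.onmicrosoft.com - AAD'; any other is on-premises AD DS.
    $connectors   = @(Get-ADSyncConnector)
    $aadConnector = $connectors | Where-Object { $_.Name -like '* - AAD' }
    $adConnector  = $connectors | Where-Object { $_.Name -notlike '* - AAD' }
    if (-not $aadConnector) { $issues.Add('No Azure AD connector found.') }
    if (-not $adConnector)  { $issues.Add('No on-premises AD DS connector found.') }

    [pscustomobject]@{
        StagingModeEnabled  = $scheduler.StagingModeEnabled
        SyncCycleEnabled    = $scheduler.SyncCycleEnabled
        SyncCycleInProgress = $scheduler.SyncCycleInProgress
        Connectors          = @($connectors | ForEach-Object { $_.Name })
        ReadyForCutover     = ($issues.Count -eq 0)
        Issues              = $issues.ToArray()
    }
}

# Usage: review the Issues list, then confirm the pending exports in Synchronization
# Service Manager before you disable staging mode and uninstall DirSync on the old server.
Test-StagingCutoverReadiness | Format-List
```

The check deliberately stops short of disabling staging mode itself: that step stays in the wizard, after you have confirmed in Synchronization Service Manager that the pending exports are what you expect and that the old server has been uninstalled, so that at no point are two servers exporting to the same tenant.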



Azure AD Connect Health

Azure AD Connect Health helps you monitor and gain insight into your on-premises identity
infrastructure and the synchronization services available through Azure AD Connect. It offers you the
ability to view alerts, performance, usage patterns, and configuration settings, and allows you to
maintain a reliable connection to Office 365. You accomplish this by using an agent that is installed on
the targeted servers.

The Azure AD Connect Health portal presents the information retrieved from the agent. Using the
Azure AD Connect Health portal you can view alerts, performance monitoring, and usage analytics in
one easy-to-use place.

While Azure AD Connect Health for AD FS monitors your on-premises AD FS environment, Azure AD
Connect Health for Sync monitors and provides information on the synchronizations that occur between
your on-premises AD DS and Azure AD. Azure AD Connect Health for Sync provides the following set of
key capabilities:

View and act on alerts to ensure reliable synchronizations between your on-premises infrastructure
and Azure AD.

Email notifications for critical alerts.

View performance data.

To get started with Azure AD Connect Health, do the following:

1. Sign in to the Azure portal.

2. Access Azure AD Connect Health by going to the Marketplace and searching for it or by selecting
Marketplace, and then selecting Security + Identity.

3. In the introductory window, click Create. This will open another window with your directory
information.

4. In the directory window, click Create.

Note: You will need an Azure AD Premium License to use Azure AD Connect Health.

When you first access Azure AD Connect Health, you will be presented with the first window. In the first
window, you can access the following information:

Quick Start. This option will open the Quick Start window. Here you can download the Azure AD
Connect Health agent by selecting Get tools, access documentation, and provide feedback.

AD FS. This option represents all of the AD FS services that Azure AD Connect Health is currently
monitoring. By selecting one of the instances, a window will open with information about that
services instance. This information includes an overview, properties, alerts, monitoring, and usage
analytics.

Configure. This option allows you to turn the following on or off:

o Auto update to automatically update the Azure AD Connect Health agent to the latest version.
This option will automatically update the agent on your server to the latest version of the Azure
AD Connect Health Agent when they become available. This is enabled by default.

o Allow Microsoft access to your Azure AD directory's health data for troubleshooting purposes
only. When this option is enabled, Microsoft will be able to see the same data that you are
seeing. This can help with troubleshooting and assistance with issues. This is disabled by default.

Additional Reading: For more information, refer to: Monitor your on-premises identity
infrastructure and synchronization services in the cloud at: http://aka.ms/dqaaps

Azure AD Connect in multi-forest scenarios

For certain, more complex organizations it is common to have more than one AD DS forest on-premises.
For example, if an organization wants to implement an account-resource forest topology, it will need to
have two AD DS forests. Another example of having two AD DS forests is after a merger or acquisition
between organizations.

Implementing directory synchronization between an on-premises environment with more than one
AD DS forest and an Azure AD tenant is a bit more complex than a scenario with only one AD DS forest.
However, Azure AD Connect supports connecting multiple forests to a single Azure AD tenant. A server
that runs Azure AD Connect software does not have to be joined to any domain locally; however, it must
be able to access domain controllers in both forests. In some cases, you can choose to place the Azure AD
Connect server in a demilitarized zone (DMZ).

Note: You cannot have more than one Azure AD Connect server connected to a single
Azure AD tenant. There is a 1:1 ratio between an Azure AD tenant and a server that runs Azure AD
Connect software. If you want to have more than one Azure AD Connect server, you need to
deploy more than one Azure AD tenant. An exception to this is temporary usage of the Azure AD
Connect staging server. The Azure AD Connect server's staging mode reads data from all
connected directories, but does not write anything to those connected directories.

When you have more than one AD DS forest locally, you must configure directory synchronization so that
a single object in Azure AD represents each user. When you run the Azure AD Connect Setup Wizard
with an option to customize configuration, you can configure options for this on the Uniquely
identifying your users page. On this page, you can select between several options. The default option is
that users are represented only once across all directories. This scenario assumes that each user has only
one account in the forest where the user is authenticated during sign in. Additionally, if you implement
Exchange Server, this scenario assumes that the user has only one mailbox in the forest that has the best
data quality for attributes published to a GAL.

Another option is to select that user identities exist across multiple directories. In this case, you must
choose how to perform user matching. You can do it by using a mail attribute or by using the ObjectSID
and msExchangeMasterAccountSID attribute.

Additional Reading: More information about supported topologies for Azure AD Connect
is available at: https://aka.ms/m31qhc

Azure AD Connect pass-through authentication

When you implement a cloud service such as Office 365, while still having some resources on-premises,
your users must authenticate to both the cloud and the on-premises infrastructure. As previously
mentioned, it is very beneficial for users to use the same set of credentials to authenticate against both
cloud and on-premises resources. Usually, this is achieved by using Azure AD Connect synchronization
with password hash sync to Azure AD. In scenarios where organizations want to perform all
authentication on-premises, you should deploy an AD FS service and configure your Azure AD tenant in
federated mode. In this scenario, each authentication request for resources on-premises or in the cloud
is always directed to the AD FS server deployed locally. However, deployment and management of the
locally deployed AD FS infrastructure might be too demanding and too complex for some organizations.

A recent update for Azure AD Connect provided a new option to address this scenario. This new feature is
called Azure AD pass-through authentication.

Azure AD pass-through authentication helps you ensure that password validation for services that rely on
Azure AD is always performed against an on-premises AD DS. Unlike the solution with AD FS, this solution
is easy to implement and maintain.

Azure AD pass-through authentication is configured by using Azure AD Connect, and it works by using an
on-premises agent that listens for external password validation requests. You can deploy this agent to one
or more servers to provide high availability. There is no need to deploy this server to a DMZ, as all
communication is outbound only. A server that runs the agent for pass-through authentication should be
joined to the AD DS domain where users are located.

When a user accesses a cloud service that relies on Azure AD, he or she is presented with an Azure AD
login page. After a user enters their credentials into the Azure AD login page, the Azure AD service checks
whether the connector for pass-through authentication is configured for the user's domain. If it is, the
credentials are placed on the connector queue for validation. A connector agent deployed on-premises
then retrieves the user credentials and performs authentication against the locally deployed AD DS. The
response from AD DS is returned to the connector, and the connector provides this response to Azure AD.

To enable Azure AD pass-through authentication, you should use the Azure AD Connect Setup Wizard.
On the User Sign-in page, you should select the Pass-through authentication option. The first
connector for pass-through authentication will be deployed on the same server where Azure AD Connect
runs. However, we recommend that you deploy an additional connector on at least one more server, to
achieve redundancy. For other servers, you should download the Azure AD Application Proxy
Connector as a separate installation.

In addition, ensure that you have all ports required for Azure AD pass-through authentication available, as
listed in the table below.

Port          Description

80            Enables outbound HTTP traffic for security validation such as SSL certificate
              revocation lists.

443           Enables user authentication against Azure AD.

8080/443      Enables the Connector bootstrap sequence and Connector automatic update.

9090          Enables Connector registration (required only for the Connector registration
              process).

9091          Enables Connector trust certificate automatic renewal.

9352, 5671    Enables communication between the Connector and the Azure AD service for
              incoming requests.

9350          [Optional] Enables better performance for incoming requests.

10100-10120   Enables responses from the connector back to Azure AD.

Additional Reading: For more information about Azure AD Pass-through Authentication
visit: https://aka.ms/lusqtt

Lesson 3
Managing Office 365 identities with directory
synchronization
In this lesson, students will learn about managing Office 365 identities with Azure AD Connect. Included in
this lesson is managing users and groups in Office 365 with Azure AD Connect and how to maintain
directory synchronization.

Lesson Objectives
After completing this lesson, you will be able to:

Manage users with directory synchronization.

Manage groups with directory synchronization.

Modify directory synchronization.

Monitor directory synchronization.

Troubleshoot directory synchronization.

Managing users with directory synchronization

When you successfully deploy Azure AD Connect and enable scheduled synchronization, there are several
required management tasks to ensure users synchronize efficiently.

User writeback
User accounts created in Azure AD can now synchronize back to on-premises AD DS.

To enable the user writeback feature for Azure AD Connect, you need to enable the user writeback option
during installation of Azure AD Connect, with customized settings, and then run the following Windows
PowerShell cmdlets on the Azure AD Connect server:

Note: User writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncUserWriteBack -AdConnectorAccount $accountName -UserWriteBackContainerDN $userOU

Note: $accountName is the account that Azure AD Connect uses to manage objects in
AD DS; this is usually an account in the form of an Azure AD number. $userOU is the OU where
these cloud users will be stored in on-premises AD DS.

Once these cmdlets complete, the Azure AD Connect service account to on-premises AD DS will have
permission to write objects to this OU. You can view the permissions in Active Directory Users and
Computers for this OU if you enable Advanced mode in the program. There should be a permission entry
for this account that is not inherited from the parent OUs.

After the synchronization completes, Office 365 users will appear in the on-premises container, which you
selected during the configuration.

Note: An Azure AD Premium license is required to enable device writeback.

Password writeback
Users can now change their passwords via the login page or user settings in Office 365 and have them
written back to on-premises AD DS.

To enable the password writeback feature for Azure AD Connect, you need to enable the password
writeback option during installation of Azure AD Connect, with customized settings, and then run the
following Windows PowerShell cmdlets on the Azure AD Connect server:

Note: Password writeback requires that the AD DS forest runs Windows Server 2012 R2 or
later.

Get-ADSyncConnector | fl name,AADPasswordResetConfiguration
Get-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD"
Set-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD" -Enable $true
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Change Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;lockoutTime;user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;pwdLastSet;user'"
Invoke-Expression $cmd | Out-Null

Note: Azure AD Connect uses the $accountName account to manage objects in AD DS;
this is usually an account in the form of an Azure AD number. $passwordOU is the OU where these
cloud users will be stored in on-premises AD DS.

Once these cmdlets complete, they will configure the following:

The Azure AD Connect connectors are enabled for password reset.

The Azure AD Connect service account to on-premises AD DS will have permission to reset passwords on
objects in this OU. You can view the permissions in Active Directory Users and Computers for this OU
if you enable Advanced mode in the program. There should be a permission entry for this account
that is not inherited from the parent OUs.

Note: An Azure AD Premium license is required to enable device writeback.
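The dsacls commands above build a command string and hand it to Invoke-Expression, so an OU distinguished name or account name containing a quote would alter the command. As an added example (this module's own, not from the course or from Azure AD Connect), the following script grants the same four rights by calling dsacls.exe with an argument list and then reads the OU's ACL back to confirm that the connector account holds exactly those rights. It assumes the ActiveDirectory module (RSAT) is present on the Azure AD Connect server, that $accountName and $passwordOU mean what they mean in the course text, and that the values shown for them are constructed placeholders; the function names are this example's own.

```powershell
# Added example (not from the course): grant the four password-writeback rights from the
# dsacls commands above without Invoke-Expression, then verify the resulting ACEs on the OU.
# Assumes the ActiveDirectory module (RSAT) on the Azure AD Connect server.
Import-Module ActiveDirectory

# Constructed placeholder values; replace with your connector account and OU.
$accountName = 'ADATUM\MSOL_placeholder'
$passwordOU  = 'OU=CloudUsers,DC=adatum,DC=com'

# Control-access right GUIDs of the two extended rights (from the AD schema's Extended-Rights).
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-AttributeSchemaGuid {
    # Resolve an attribute's schemaIDGUID so attribute-level ACEs can be recognised in the ACL.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" `
                         -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute $LdapDisplayName not found in schema." }
    [Guid]::new([byte[]]$attr.schemaIDGUID)
}

function Grant-PasswordWritebackRights {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string]$OU)
    # /I:S = inherit to sub-objects only; ';user' limits each ACE to user objects, so the
    # connector account gets no rights on the OU itself or on other object classes.
    $grants = @(
        "${Account}:CA;Reset Password;user",
        "${Account}:CA;Change Password;user",
        "${Account}:WP;lockoutTime;user",
        "${Account}:WP;pwdLastSet;user"
    )
    foreach ($grant in $grants) {
        # Each value is passed as one argument; PowerShell quotes it for dsacls as needed.
        $out = & dsacls.exe $OU /I:S /G $grant 2>&1
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$grant': $out" }
    }
}

function Test-PasswordWritebackRights {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string]$OU)
    $lockoutGuid    = Get-AttributeSchemaGuid 'lockoutTime'
    $pwdLastSetGuid = Get-AttributeSchemaGuid 'pwdLastSet'
    $acl  = Get-Acl -Path "AD:\$OU"
    # Only Allow ACEs granted to the connector account are of interest.
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
    })
    function HasAce([Guid]$objectType, [string]$right) {
        [bool]($aces | Where-Object {
            $_.ObjectType -eq $objectType -and $_.ActiveDirectoryRights.ToString() -match $right
        })
    }
    [pscustomobject]@{
        Account        = $Account
        ResetPassword  = HasAce $ResetPasswordGuid  'ExtendedRight'
        ChangePassword = HasAce $ChangePasswordGuid 'ExtendedRight'
        LockoutTime    = HasAce $lockoutGuid        'WriteProperty'
        PwdLastSet     = HasAce $pwdLastSetGuid     'WriteProperty'
        AceCount       = $aces.Count   # more than 4 means the account holds rights beyond writeback
    }
}

Grant-PasswordWritebackRights -Account $accountName -OU $passwordOU
Test-PasswordWritebackRights  -Account $accountName -OU $passwordOU | Format-List
```

The verification step is the part worth keeping in a runbook: the four expected ACEs should all report True, and an AceCount above four on this OU is a prompt to look at what else the connector account has been granted over the years.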



Device writeback
Device writeback applies to devices that are enrolled with Office 365 MDM or Intune, and it allows sign-in
to AD FS-controlled resources based on the user and the device they are on. Device writeback is used to
enable conditional access based on devices to AD FS protected applications, or relying party trusts. This
provides additional security and assurance that access to applications is granted only to trusted devices.

To enable the device writeback feature for Azure AD Connect, you need to enable the device writeback
option during installation of Azure AD Connect, with customized settings, and then run the following
three Windows PowerShell cmdlets on the Azure AD Connect server:

Note: Device writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.
Device writeback also requires that AD FS is hosted on Windows Server 2012 R2 (AD FS v3.0) or later.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncDeviceWriteback [-DomainName <name>] [-AdConnectorAccount <account>]

Note: DomainName is the AD DS domain where device objects are created.
AdConnectorAccount is the AD DS account that Azure AD Connect uses to manage objects in
the directory. This is the account used by Azure AD Connect sync to connect to AD. If you
installed using express settings, it is the account prefixed with MSOL_.

These cmdlets will configure the following:

If not present, they create and configure new containers and objects under CN=Device Registration
Configuration,CN=Services,CN=Configuration,[forest-dn], where forest-dn is the Distinguished
Name of your AD DS forest.

If not present, they create and configure new containers and objects under
CN=RegisteredDevices,[domain-dn], where forest-dn is the Distinguished Name of your
AD DS forest. Device objects are created in this container.

They set necessary permissions on the Azure AD Connector account to manage devices on your
AD DS.

Note: An Azure AD Premium license is required to enable device writeback.

Managing primary Simple Mail Transfer Protocol addresses


One of the key user maintenance tasks is to manage user mailbox attributes, in particular, primary Simple
Mail Transfer Protocol (SMTP) addresses. For an on-premises user account to get the correct primary
SMTP address, it needs to be mailbox-enabled, either by using the Exchange 2016 admin center, or by
setting the mail attribute manually to mail-enable the user.

Note: If a primary SMTP address is not set for a user account, Office 365 will use an
@domain.onmicrosoft.com address as the user's default SMTP address.

If it is not possible to ensure that all synced users will have a valid primary SMTP address prior to
synchronization, you can use user attribute filtering to ensure that all accounts without a valid UPN are
excluded from synchronization scope.

Recovery from accidental deletes

Azure AD now supports soft deletes. After you delete a user in Office 365, either following synchronization
or if you manually remove an unsynchronized user in Office 365, the user's data is deleted and the user's
licenses can be reassigned; however, accounts remain recoverable for 30 days. After the cloud recycle bin
is purged (hard delete), it is no longer possible to restore deleted accounts.

Recovery from unsynchronized deletes

Another important maintenance task is dealing with an on-premises delete that does not synchronize to
Office 365, so that the linked object is not removed from Azure AD. Such a situation might occur if
directory synchronization has not yet completed, or if directory synchronization failed to delete a specific
cloud object, both of which result in an orphaned Azure AD object.

To resolve this issue, follow these steps:

1. Manually run a directory synchronization update.

2. Force directory synchronization.

3. Check that directory synchronization occurred correctly.

4. Verify directory synchronization.

If the above steps validate that directory synchronization is working correctly but the AD DS object
deletion has still not propagated to Azure AD, the orphaned object can be manually removed using one
of the following Microsoft Azure Active Directory Module for Windows PowerShell cmdlets:

Remove-MsolContact
Remove-MsolGroup
Remove-MsolUser

For example, to manually remove an orphaned user originally created using directory synchronization, run
the following cmdlet:

Remove-MsolUser -UserPrincipalName <username>@<Office 365 domain>

Accidental account deletion


If you accidentally delete a user account and a directory synchronization cycle runs, this action will delete
the user in Office 365. However, if you have the recycle bin feature enabled in AD DS, you can recover the
account from the recycle bin and the link between accounts is re-established. If you do not have the
recycle bin enabled, you might need to create another account with a new GUID.

Additional Reading: For more information on how to troubleshoot deleted user accounts
in Office 365, refer to: http://aka.ms/cmof9n

Bulk activation of new accounts

User accounts that you create in Office 365 through directory synchronization are not automatically
activated for Office 365. We recommend that you use scripting to manage this requirement. A simple
approach makes use of Microsoft Azure Active Directory Module for Windows PowerShell cmdlets. For
example, where <location> is a two-letter country code such as "US" and <SKU> is one of the SKUs that
Get-MsolAccountSku reports for the tenant, such as EXCHANGESTANDARD:

Get-MsolAccountSku
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation <location>
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses <SKU>

The isLicensed user attribute indicates whether a user has a license assigned (True) or not assigned
(False). Windows PowerShell can, therefore, report on licensed Office 365 user accounts. To show all users
licensed in Office 365, enter the following command at the Microsoft Azure Active Directory Module for
Windows PowerShell prompt:

Get-MsolUser | Where-Object { $_.isLicensed -eq $true }

To export a list of licensed Office 365 users to CSV, use the following command:

Get-MsolUser | Where-Object { $_.isLicensed -eq $true } | Export-Csv C:\Labfiles\LicensedUsers.csv

Additional Reading: For more information, refer to: Getting all Licensed Office 365 users
with PowerShell at: http://aka.ms/me03qp

Additional Reading: For more information, refer to: How to Use PowerShell to
Automatically Assign Licenses to Your Office 365 Users at: http://aka.ms/pwr39r
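The one-line pipeline above licenses every unlicensed user in the tenant, including cloud-only admin and service accounts, and fails for any user without a UsageLocation. As an added example (this module's own, not from the course), the following function licenses only accounts that came from directory synchronization, sets the usage location where it is missing, stays within the units actually free in the SKU, supports a dry run, and writes a CSV report. It assumes the MSOnline module with Connect-MsolService already run; the SKU id "adatum:ENTERPRISEPACK", the usage location and the report path are constructed placeholders, and the function name is this example's own.

```powershell
# Added example (not from the course): bulk-license synchronized, still-unlicensed users.
# Assumes the MSOnline module with Connect-MsolService already run; the SKU id, usage
# location and report path below are placeholders.
Import-Module MSOnline

function Set-SyncedUserLicenses {
    param(
        [Parameter(Mandatory)][string]$AccountSkuId,   # e.g. 'adatum:ENTERPRISEPACK' (placeholder)
        [Parameter(Mandatory)][string]$UsageLocation,  # two-letter ISO country code, e.g. 'US'
        [string]$ReportPath = 'C:\Labfiles\LicenseAssignment.csv',
        [switch]$WhatIf                                # report what would happen, change nothing
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU '$AccountSkuId' is not present in this tenant." }
    $available = [Math]::Max(0, $sku.ActiveUnits - $sku.ConsumedUnits)

    # LastDirSyncTime is only set on accounts that came from directory synchronization,
    # so cloud-only accounts (admins, service accounts) are left alone.
    $candidates = @(Get-MsolUser -All -UnlicensedUsersOnly | Where-Object { $_.LastDirSyncTime })
    if ($candidates.Count -gt $available) {
        Write-Warning "$($candidates.Count) users need a license but only $available units are free."
    }

    $results = foreach ($user in ($candidates | Select-Object -First $available)) {
        $upn    = $user.UserPrincipalName
        $loc    = if ($user.UsageLocation) { $user.UsageLocation } else { $UsageLocation }
        $status = 'WouldLicense'
        try {
            if (-not $WhatIf) {
                # A license cannot be assigned until the user has a usage location.
                if (-not $user.UsageLocation) {
                    Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
                }
                Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId
                $status = 'Licensed'
            }
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            UserPrincipalName = $upn
            UsageLocation     = $loc
            AccountSkuId      = $AccountSkuId
            Status            = $status
        }
    }
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Dry run first, then the real assignment:
Set-SyncedUserLicenses -AccountSkuId 'adatum:ENTERPRISEPACK' -UsageLocation 'US' -WhatIf
# Set-SyncedUserLicenses -AccountSkuId 'adatum:ENTERPRISEPACK' -UsageLocation 'US'
```

Run the dry run and read the report before the real pass: the Status column shows exactly which synchronized accounts would receive the SKU, and the warning tells you when the SKU is short of units so that a partial assignment does not go unnoticed.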

Managing groups with directory synchronization

Similar to the directory synchronization of users from on-premises AD DS to Azure AD, groups (as well as
their membership) in AD DS also synchronize from on-premises AD DS to Azure AD. Similarly to the user
writeback feature, the group writeback feature also writes Office 365 Groups from Azure AD to
on-premises AD DS. The process that Azure AD Connect uses is very similar for user and group objects,
and has many of the same limitations and caveats.

Note: Writing Office 365 Modern Groups back to on-premises AD DS requires your on-premises
Exchange server to be on Exchange 2013 cumulative update 8 (released in March 2015) or later, or
Exchange 2016, to recognize this new group type.

Although you enable group writeback during the installation of Azure AD Connect (it is an optional
feature in the customized settings path), you also need to create the OU and the permissions required for
group writeback in AD DS. For this, Azure AD Connect has a built-in cmdlet, called
Initialize-ADSyncGroupWriteBack, that prepares AD DS automatically.

Note: Group writeback requires that the AD DS forest runs Windows Server 2012 R2 or
later.

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
Initialize-ADSyncGroupWriteBack -AdConnectorAccount $accountName -GroupWriteBackContainerDN $groupOU

Note: Azure AD Connect uses the $accountName account to manage objects in AD DS; this is usually the
account that Azure AD Connect created during installation (MSOL_ followed by a number). $groupOU is the
distinguished name of the OU where these cloud groups will be stored in on-premises AD DS.

Once these cmdlets complete, the account that Azure AD Connect uses to connect to on-premises AD DS
will have permission to write objects to this OU. You can view the permissions in Active Directory Users
and Computers for this OU if you enable Advanced mode in the program. There should be a permission
entry for this account that is not inherited from the parent OUs.

After the synchronization completes, Office 365 Groups will show up in the on-premises container, which
you selected during the configuration. These groups will be represented as distribution groups in on-
premises AD DS.

Note: At this time, group writeback in Azure AD Connect only supports the writeback of
distribution groups.

Similar to user accounts synchronized from Azure AD to on-premises AD DS, the synchronized groups will
not show up in the on-premises GAL. As such, you will need to run the Update-Recipient cmdlet first as
illustrated in the following example:

Update-Recipient Group_af905347-5322-4183-a1aa-9522a85bfeb9ad

Note: Alternatively, you might use the Update-AddressList or Update-GlobalAddressList cmdlets to cause
the synchronized group to appear. However, these cmdlets will require more cycles on the servers running
Exchange Server compared with the Update-Recipient cmdlet.

Once this cmdlet completes, the group will show up in the on-premises GAL.

Groups synchronized from Azure AD to on-premises AD DS also include their membership. If you have
enabled user writeback in Azure AD Connect, the group memberships of user accounts created in Azure AD
are also included. If you have not enabled user writeback in Azure AD Connect, only the group
memberships of user accounts created on-premises are included.

Note: If deployed, Exchange Server hybrid writeback is the classic writeback from Azure AD and is
separate from group writeback. It is the only one of the writeback features that does not require an
Azure AD Premium license. Otherwise, an Azure AD Premium license is required if you enable group
writeback.

Modifying directory synchronization

In Azure AD Connect synchronization, you can enable filtering at any time. If you have already deployed
the default configuration of directory synchronization and then enable filtering, the objects that are
filtered out are no longer synchronized to Azure AD. Because of this, any objects in Azure AD that were
previously synchronized but are now filtered are deleted in Azure AD. If objects were inadvertently
deleted because of a filtering error, you can recreate the objects in Azure AD by removing your filtering
configuration and then synchronizing your directories again.

Note: While you can enable multiple customizations of filtering in Azure AD Connect,
Microsoft does not support all modifications or operations of the Azure AD Connect
synchronization outside of the formally documented actions. Any of these actions might result in
an inconsistent or unsupported state of Azure AD Connect sync and, as a result, Microsoft cannot
provide technical support for such deployments.

You might be asking yourself: why would I want to enable filtering if Azure AD Connect synchronizes
everything I need after implementation? In most cases, your on-premises AD DS environment contains
many more objects (for example, user accounts, contacts, and groups) than are required within Azure AD.
For instance, service accounts or administrative accounts that are only required on-premises serve no
purpose in Office 365. Fortunately, you can filter objects so that only the objects you require online are
synchronized. Filtering makes synchronization more secure, because no forgotten accounts exist in online
services, which gives a smaller attack surface. Filtering can also limit the number of objects, which in
turn minimizes the size of your Azure AD Connect database and might prevent the need for a full SQL
Server deployment. Remember, if your environment has more than 50,000 objects, you might require a full
version of SQL Server. In many ways, enabling filtering in Azure AD Connect reduces complexity and
increases the speed of directory synchronization.

Here are a few scenarios where filtering might be required to customize the default configuration:

You plan to use the multi-Azure AD-directory topology. Then you need to apply a filter to control
which object should be synchronized to a particular Azure AD directory.

You run a pilot for Azure or Office 365 and only want a subset of users in Azure AD. In the small pilot
it is not important to have a complete GAL to demonstrate the functionality.

You have many service accounts and other nonpersonal accounts or administrative accounts you do
not want in Azure AD.

For compliance reasons, your company does not delete any user accounts in on-premises AD DS; you
only disable them. But in Azure AD you only want active accounts to be present.

Note: With the exception of outbound attribute-based filtering, the configurations in Azure AD Connect
will be retained when you install or upgrade to a newer version of Azure AD Connect. It is always a best
practice to verify that the configuration was not inadvertently changed after an upgrade to a newer
version before running the first synchronization cycle.

The following are three filtering configuration types that can be applied to Azure AD Connect (listed in
order of broad filtering to more detailed filtering):

Domain. This filtering configuration type enables you to select which AD DS domains are allowed to
synchronize to Azure AD. You would use the Synchronization Service Manager tool to manage the
properties of the Source AD Connector in Azure AD Connect. This tool is installed on the directory
synchronization server automatically during deployment of Azure AD Connect.

OU. This filtering configuration type enables you to select which OUs in AD DS are allowed to
synchronize to Azure AD. Most organizations already have an OU structure that separates objects that
are eligible for synchronization and those that are not, such as the Exchange Security Groups OU,
service/administrative accounts OU, or an OU for specific security groups. You can use Azure AD
Connect or the Synchronization Service Manager tool to manage the properties of the Source AD
Connector in Azure AD Connect. The Synchronization Service Manager tool is installed on the
directory synchronization server automatically during deployment of Azure AD Connect.

Attribute. This filtering configuration type enables you to control which objects in AD DS should
synchronize to Azure AD based on criteria applied to the objects' attributes. Even with domain filtering
and OU filtering, it is possible that some objects in an OU should not synchronize. It might also be
impractical to change the OU design for the purpose of filtering objects that synchronize to Azure
AD. You would use the Synchronization Rules Editor tool, which is significantly more complex than the
Synchronization Service Manager tool, to manage the synchronization rules in Azure AD Connect. This
tool is installed on the directory synchronization server automatically during deployment of Azure AD
Connect.

Note: You use Source AD as the name for your AD DS Connector. If you have multiple
forests, you will have one Connector per forest and the configuration must repeat for each forest.

You can use all three, two, or just one filtering configuration type. Which type(s) you choose depends on
how your on-premises AD DS domain(s) are structured, what objects need to be synchronized to Azure
AD, and the filtering criteria.

Note: Before making changes to filtering, you should disable the scheduled task for
synchronization on the directory synchronization server to ensure you do not accidentally export
changes that have not been verified to Azure AD.

Because filtering in Azure AD Connect can remove many objects in a very short time, you should verify
changes to the filters before exporting to Azure AD. After you have completed the configuration steps, we
strongly recommend you follow the verification steps before you export and make changes to Azure AD.

To protect you from deleting multiple objects by accident, the feature that prevents accidental deletes is
on by default. If filtering would delete more objects than the threshold allows (500 by default), you need
to follow the steps in the following article to allow the deletes to go through to Azure AD.
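As an added example that is not part of the course manual, the following script applies the guidance above on the Azure AD Connect server: it pauses the scheduler, confirms that the export deletion threshold is still enabled, and runs import and synchronization without an export, so that pending deletes can be reviewed in Synchronization Service Manager before anything reaches Azure AD. It assumes the ADSync module that Azure AD Connect installs, and that Invoke-ADSyncRunProfile accepts the run profile names shown in Synchronization Service Manager ("Full Import", "Full Synchronization"); Start-ADSyncSyncCycle is the command-line equivalent of the forced synchronization that the troubleshooting topic later performs through the wizard.

```powershell
# Added example (not from the course manual): a guarded sequence for applying a
# filter change. Assumes the ADSync module installed with Azure AD Connect and that
# the run profile names match those shown in Synchronization Service Manager.
Import-Module ADSync

function Suspend-SyncSchedule {
    # Stop the scheduled cycle so that an unverified filter is never exported.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    return (Get-ADSyncScheduler).SyncCycleEnabled    # False once paused
}

function Test-ExportDeletionThreshold {
    # The accidental-delete guard described in the text; 500 is its default value.
    param([int]$MaxExpected = 500)
    $t = Get-ADSyncExportDeletionThreshold
    if (-not $t.DeletionThresholdEnabled) {
        throw "Export deletion threshold is disabled; run Enable-ADSyncExportDeletionThreshold first."
    }
    if ($t.DeletionThreshold -gt $MaxExpected) {
        Write-Warning "Threshold is $($t.DeletionThreshold); more than $MaxExpected deletes could be exported."
    }
    return $t
}

function Invoke-StagedSync {
    # Full import and full synchronization on every connector, deliberately without
    # the Export profile, so the connector space shows what *would* be deleted.
    $connectors = Get-ADSyncConnector
    foreach ($rp in 'Full Import', 'Full Synchronization') {
        foreach ($c in $connectors) {
            Write-Host "$($c.Name): running $rp"
            Invoke-ADSyncRunProfile -ConnectorName $c.Name -RunProfileName $rp
        }
    }
    # Now review the Azure AD connector space in Synchronization Service Manager
    # (Pending Export, operation Delete) before allowing an export.
}

function Resume-SyncSchedule {
    # Re-enable the schedule only after the pending exports have been verified,
    # then force an immediate delta cycle (which includes the export).
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    return (Get-ADSyncScheduler).SyncCycleEnabled
}

Suspend-SyncSchedule
Test-ExportDeletionThreshold
Invoke-StagedSync
# After verifying the pending exports in Synchronization Service Manager:
# Resume-SyncSchedule
```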

Additional Reading: For more information, refer to: Azure AD Connect sync: Configure
Filtering at: http://aka.ms/au8smo

Monitoring directory synchronization

As a best practice, we recommend that you use Microsoft System Center Operations Manager (Operations
Manager) for monitoring the directory synchronization server and services such as AD DS to ensure that
problems are detected and communicated effectively to all responsible administrators. It is available as
the System Center Management Pack for Azure. In addition, if you have the required license, you can use
Azure AD Connect Health, as described earlier in this module.

Office 365 admin center


Office 365 provides multiple methods for monitoring directory synchronization. If there are any errors
during directory synchronization, an email notification is sent to the email address registered as the cloud
service technical contact when you signed up for Office 365. In addition, you might see notifications in
the Office 365 Dashboard or Office 365 Message Center for outages related to the Identity Service in
Office 365.

To verify directory synchronization in real-time by using the previous Office 365 admin center:
1. In the left navigation pane, click USERS, and then click Active Users.

2. In the right navigation pane, under Active Directory synchronization, you will see the last synced time.

In the new Office 365 admin center, you can click Settings, and then choose the DirSync errors item. It
will present you with any errors that happen during object synchronization.

Another option is to install the Office 365 Support Central App on your mobile phone. With the mobile
app, you can search for answers; view service health incidents, including planned maintenance events, and
message center notices; post questions and track your answers in the Office 365 for Business Support
Community.

Azure portal
You can also monitor a directory synchronization status in the classic Azure portal and the new Azure
portal. In the classic Azure portal, you can click on your directory item, and then click the DIRECTORY
INTEGRATION tab. On this tab, you can see basic information about directory synchronization.

In the new Azure portal, you can select the Azure Active Directory item, and then click Azure AD
Connect. There you can see the sync status and the last sync time.

Windows PowerShell
You can also use Windows PowerShell cmdlets and scripts to help manage Azure AD, report
synchronization state, and so on.

After connecting to Office 365 in Windows PowerShell, you can use the following cmdlet to verify the last
time directory synchronization was successful in Office 365.

Import-Module MSOnline
Connect-MsolService
Get-MsolCompanyInformation | fl LastDirSyncTime

Additional Reading: For more information, refer to: MS Online Module at:
http://aka.ms/pfsm1x

Synchronization Service Manager


The Synchronization Service Manager is installed automatically, as part of Azure AD Connect. This tool
allows you to verify and change the directory synchronization service. From the Operations tab, you can
select the list of various connector operations to review the Start Time, End Time, and the Status of the
previous jobs that have completed.

Event logs
The directory synchronization tool writes entries to the directory synchronization computer's event log.
These entries indicate the start and end of a directory synchronization session. Directory synchronization
errors are also reported in the event log and sent via e-mail to your organization's designated technical
contact. When reviewing the event log, look for entries whose source is directory synchronization. An
entry designated Event 4 and with the description The export has completed indicates that the directory
synchronization is complete.
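The following is an added example, not code from the course manual, that combines the Windows PowerShell check above with the event log check: it reports how stale the last synchronization is against the three-hour default schedule, lists any provisioning errors, and reads the Directory Synchronization events on the synchronization server. It assumes the MSOnline module with a completed Connect-MsolService for the first two functions, that Get-MsolHasObjectsWithDirSyncProvisioningErrors returns a Boolean, and that Get-DirSyncEvents is run on the directory synchronization server itself.

```powershell
# Added example (not from the course manual). Assumes the MSOnline module and a
# completed Connect-MsolService; Get-DirSyncEvents must run on the sync server.
Import-Module MSOnline

function Get-DirSyncHealth {
    # Reports whether synchronization is enabled and how old the last sync is.
    param([int]$MaxAgeHours = 3)   # default schedule described in this module
    $info = Get-MsolCompanyInformation
    if (-not $info.LastDirSyncTime) {
        # Never synchronized (or synchronization disabled): treat as stale.
        return [pscustomobject]@{
            Enabled = $info.DirectorySynchronizationEnabled
            LastDirSyncTime = $null; AgeHours = $null; Stale = $true
        }
    }
    # LastDirSyncTime is reported in UTC.
    $age = (Get-Date).ToUniversalTime() - $info.LastDirSyncTime
    [pscustomobject]@{
        Enabled          = $info.DirectorySynchronizationEnabled
        LastDirSyncTime  = $info.LastDirSyncTime
        LastPasswordSync = $info.LastPasswordSyncTime
        AgeHours         = [math]::Round($age.TotalHours, 1)
        Stale            = $age.TotalHours -gt $MaxAgeHours
    }
}

function Get-DirSyncProvisioningErrors {
    # Objects that Azure AD could not provision: the same errors the admin
    # center's DirSync errors page shows.
    if (Get-MsolHasObjectsWithDirSyncProvisioningErrors) {
        Get-MsolDirSyncProvisioningError -All
    } else {
        Write-Host "No provisioning errors reported."
    }
}

function Get-DirSyncEvents {
    # On the synchronization server: latest Application log entries from the
    # Directory Synchronization source. Event ID 4 with "The export has
    # completed" marks the end of a synchronization session.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                                     ProviderName = 'Directory Synchronization' } `
                 -MaxEvents $Count |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

Get-DirSyncHealth
Get-DirSyncProvisioningErrors
```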

Troubleshooting directory synchronization

Key troubleshooting tasks for directory synchronization include analyzing logs for errors, and
remediating synchronization errors with the tool itself. Typical issues that can lead to problems include:

Installation errors, such as using incorrect on-premises or Office 365 credentials.

Inadvertently deactivating directory synchronization in the admin center or through Windows PowerShell.

Unexpected changes in AD DS that affect OU scoping or attribute filtering.

Corrupted AD DS, requiring directory recovery.

One key area that can lead to issues unless clearly understood is when you deactivate and then reactivate
synchronization in the Office 365 admin center. When directory synchronization is deactivated, the source
of authority is transferred from the on-premises AD DS to Office 365. Deactivation is needed when on-
premises AD DS is no longer being used to create and manage users, groups, contacts, and mailboxes,
such as after a staged Exchange migration to the cloud, where the organization no longer wants to
manage objects from on-premises. Problems can subsequently arise if directory synchronization is then
reactivated, with the source of authority transferred back from Office 365 to the on-premises AD DS.

For example, assume an organization activated directory synchronization in January, and then created
new users on-premises, which were synced to Office 365. In this case, the source of authority is the on-
premises AD DS. In July, the organization deactivated directory synchronization, resulting in transfer of the
source of authority to Office 365; from this point on, objects were edited in Office 365. In September, the
company decided to deploy AD FS and SSO. To meet this requirement, directory synchronization was
reactivated, transferring the source of authority back to the on-premises AD DS. In this example, when
you reactivate and run directory synchronization, any changes made to the Office 365 objects from July
through to September would be overwritten and lost.

Additional Reading: For more information, refer to: Directory synchronization and source
of authority at: http://aka.ms/cdm2kk

Updating Azure AD Connect


It is important to use the latest version of Azure AD Connect. The link to download Azure AD Connect is
provided in Office 365 or the Azure portal. This is always the most current release and is officially
supported by Microsoft. When upgrading to a new version of Azure AD Connect, some existing filters and
other management agent customizations might not automatically import into the new installation. If you
are upgrading to a newer version, you must always manually reapply filtering configurations after you
upgrade, but before you run the first synchronization cycle.

Synchronization Service Manager


In order to check the directory synchronization tool for issues, you will need to open Synchronization
Service Manager in the Azure AD Connect group on the Start menu.

Within the application, you will need to view the Operations tab. On this tab you are looking to confirm
that the following operations have been completed successfully:

Import on the AD Connector.

Import on the Azure AD Connector.

Full Sync on the AD Connector.

Full Sync on the Azure AD Connector.

Review the result from these operations to validate the directory synchronization status and to identify
any errors.

By default, these operations are scheduled to run once every three hours. If you do not want to wait this
long to troubleshoot an issue, use the following procedure to force manual synchronization:

Open the Azure AD Connect tool on the Start menu.

Provide the information requested on the wizard pages (you should be able to accept the default
settings if the tool has already been deployed).

On the Configure page, select the Start the synchronize process as soon as the initial
configuration completes option, and then click Finish.

Additional Reading: For more information, refer to: How to troubleshoot Azure
Active Directory Sync tool installation and Configuration Wizard errors at: http://aka.ms/bz5cjw

Lab: Configuring directory synchronization


Scenario
The pilot deployment of Office 365 is well underway at A. Datum. The project steering committee has
made the recommendation to continue with migrating additional departments to Office 365. The first
step in completing the migration is to configure directory synchronization so that user and group
accounts will be synchronized for the on-premises AD DS domain rather than managing all user and
group accounts in Office 365.

Objectives
After completing this lab, you will be able to:

Prepare the on-premises AD DS domain for directory synchronization.

Install and configure directory synchronization with Azure AD Connect.

Manage user and group accounts by using directory synchronization.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 90 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, and 20347A-LON-CL2

User name: Adatum\Administrator, Adatum\Holly, LON-CL2\Francisco

Password: Pa55w.rd
In all tasks:

Where you see references to Adatumyyxxxx.onmicrosoft.com, replace Adatumyyxxxx with your
unique Office 365 Name displayed in the online lab portal.

Where you see references to Adatumyyxxxx.hostdomain.com, replace the Adatumyyxxxx with
your unique hostdomain.com Name displayed in the online lab portal.

Note: When you connect to the Office 365 admin center, you may be prompted to provide
an authentication phone and authentication email address. If you see this window, click Cancel.

This lab requires the following virtual machines:

LON-DC1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-DS1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd

LON-CL2

o Sign in as LON-CL2\Francisco using the password Pa55w.rd

Question: How do you configure OU level filtering for directory synchronization?



Module Review and Takeaways


Having completed this module, you can now prepare an on-premises environment ready for directory
synchronization, install and configure Azure AD Connect, and manage Active Directory users and groups
with directory synchronization to Office 365 enabled.

Review Question

Question: What are some of the typical issues that can arise if UPN suffixes are not properly
configured before directory synchronization is deployed?

Real-world Issues and Scenarios


Because directory synchronization is the link between your on-premises AD DS objects and the services in
Office 365, be very careful when making changes to Azure AD Connect or the Synchronization Service
Manager after production deployment. For example, a minor mistake in filtering could accidentally delete
all user mailboxes in Office 365 very quickly.

In some environments, you might test all changes on a separate directory synchronization server in test
that is connected to a separate Office 365 tenant (trial). In addition, you should manually initiate run
profiles for each management agent in Synchronization Service Manager and observe the pending actions
before exporting to Office 365. In some cases, it might be a good idea to create a new run profile for
exporting to Azure AD that includes a maximum limit on the number of allowed deletions.

Tools
IdFix. The Office 365 IdFix tool provides you the ability to identify and remediate the majority of object
synchronization errors in your AD DS forests in preparation for deployment to Office 365.

Best Practices

You must have a proper project plan.

If using filtering, it should be set up before synchronizing any objects.

You should work with a cloud services partner.

You should perform thorough capacity planning.

You should remediate AD DS before deploying directory synchronization.

You should add all SMTP domains as verified domains before synchronizing.

Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip

Directory synchronization filtering is no longer working.

After installing Azure AD Connect, you might be prompted with the following error message when you
open Synchronization Service Manager: "Unable to connect to the Synchronization Service."

Module 5
Planning and deploying Office 365 ProPlus
Contents:
Module Overview 5-1

Lesson 1: Overview of Office 365 ProPlus 5-2

Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments 5-10

Lesson 3: Planning and managing centralized deployments of Office 365 ProPlus 5-13

Lesson 4: Office Telemetry and reporting 5-19

Lab: Managing Office 365 ProPlus installations 5-24

Module Overview
In this module, students will learn how to plan for a client deployment and ensure that users receive the
tools they need to interact with Microsoft Office 365 effectively. This module covers the planning process,
how to make Microsoft Office 365 ProPlus directly available to end users, and how to deploy it as a
managed package. Finally, this module covers how to set up Office telemetry so that administrators can
keep track of how users are interacting with Microsoft Office.

Objectives
After completing this module, you will be able to:
Describe Office 365 ProPlus.

Plan and manage user-driven Office 365 ProPlus deployments.

Plan and manage centralized deployments for Office 365 ProPlus.

Describe Office Telemetry and reporting.



Lesson 1
Overview of Office 365 ProPlus
This lesson examines how to plan for an Office 365 client deployment of Office 365 ProPlus. This includes
planning for Microsoft Outlook, the Skype for Business client, and Office Online. This lesson also explains
the process of activation, revoking activation, and how activation relates to licensing. Finally, it covers the
differences between Click-to-Run and Microsoft installer applications.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Office 365 ProPlus.

Explain Office 365 ProPlus licensing and activation.

Describe Office 365 deployment.

Describe Office 365 ProPlus update branches.

Overview of Office 365 ProPlus

Depending on the Office 365 plan, there are several client packages that users can deploy. Office 365
ProPlus is a part of several subscriptions, but the license assigned to the user will determine what is
available for download and use.

Office 365 ProPlus

Office 365 ProPlus is a downloadable version of the Microsoft productivity suite, and includes Microsoft
Word 2016, Microsoft Excel 2016, Microsoft PowerPoint 2016, Microsoft Outlook 2016, Microsoft Access
2016, Microsoft Publisher 2016, Microsoft OneNote 2016, and the Skype for Business client. Access,
Publisher, and Skype for Business are not part of Microsoft Office 2016 for Mac installations; however,
you can download and use Microsoft Lync 2011 instead of Skype for Business.

Office 365 ProPlus supports streaming deployment by using Click-to-Run technology. This enables users
to click the application installation icon and start using the application, while the program installs in the
background. It is important to emphasize that, although deployment requires an Internet connection,
Office 365 ProPlus installs and runs locally on the user's computer. Office 365 ProPlus is not a web-based
or a light version of Office, and users do not have to connect to the Internet permanently to use it.
However, they must connect at least every 30 days.

Office 365 ProPlus vs. Office Professional 2016


While Office 365 ProPlus installs from the Office 365 subscription license and includes the Office
Professional applications, it differs from Office Professional 2016 in a few ways. These differences include:

Office Professional 2016 is the desktop version of Office. You install Office Professional 2016 in the
traditional way, through Microsoft Windows Installer (MSI) from volume license media, which requires
a volume license product key.

Office 365 ProPlus is a full version of Office that you install through Click-to-Run technology, and it
includes Office Online in the license. Updates automatically push out to the users (we will discuss
controlling the frequency through update branches later in this lesson).

Office 365 ProPlus licensing also provides five copies of the full Office suite to use on multiple devices
per user.

Office Professional 2016 installations do not stream. They include a license for only one copy per user,
and updates do not automatically update the applications without some intervention.

Office 365 ProPlus system requirements

The following table provides examples of Office 365 ProPlus system requirements.

Component Requirement

Computer and processor: 1 gigahertz (GHz) or faster x86 or x64 processor with Streaming SIMD
(Single Instruction Multiple Data) Extensions 2 (SSE2).

Memory: 2 gigabytes (GB) of random access memory (RAM) (PC); 4 GB RAM (Mac).

Hard disk: 3.0 GB of available disk space (PC); 6.0 GB, Hierarchical File System Plus (HFS+) hard disk
format (Mac).

Display: 1280x800 minimum resolution.

Operating system: PC: Windows 10, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2016,
Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. Mac: Mac OS X 10.10. For the
best experience, always use the latest operating system version.

Graphics: Graphics hardware acceleration requires a DirectX 10 graphics card with 1280x800 resolution.

Browser: The most current or immediately previous version of Internet Explorer, or current versions of
Microsoft Edge, Safari, Chrome, or Firefox. Other browser versions might work, but there is no guarantee.

Network: Internet functionality requires an Internet connection.

Internet requirements
Users must be able to connect to Office Licensing Service through the Internet at least once every 30 days.
The following list identifies the ports, protocols, and URLs that Click-to-Run for Office 365 uses for
downloads, installation, automatic updates, subscription maintenance, and activation:

Download and installation from the portal, automatic updates. TCP (80), target URL:
http://officecdn.microsoft.com

Subscription maintenance. TCP (443), target URL: https://ols.officeapps.live.com/olsc

Office 365 ProPlus activation. TCP (443), target URL: https://activation.sls.microsoft.com

Office 365 ProPlus activation. TCP (80), target URLs:
http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl and
http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA

Note: Office 365 ProPlus uses these URLs internally. They are not intended to be end-user
accessible.
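The following is an added example, not code from the course manual: run from a client behind the corporate firewall or proxy, it checks that each Click-to-Run endpoint listed above is resolvable and reachable on the port given, and that the activation CRL is actually served rather than replaced by a proxy block page. It assumes Windows 8.1 or Windows Server 2012 R2 or later, where Test-NetConnection and Invoke-WebRequest are available.

```powershell
# Added example (not from the course manual): validate egress to the Click-to-Run
# endpoints named in the text. Assumes Windows 8.1 / Server 2012 R2 or later.
$endpoints = @(
    @{ Purpose = 'Download, installation, automatic updates'; Host = 'officecdn.microsoft.com';      Port = 80  }
    @{ Purpose = 'Subscription maintenance';                  Host = 'ols.officeapps.live.com';      Port = 443 }
    @{ Purpose = 'Activation';                                Host = 'activation.sls.microsoft.com'; Port = 443 }
    @{ Purpose = 'Activation (CRL)';                          Host = 'crl.microsoft.com';            Port = 80  }
    @{ Purpose = 'Activation (CRL)';                          Host = 'www.microsoft.com';            Port = 80  }
)

function Test-ClickToRunEndpoints {
    # One row per endpoint: did the name resolve, and did the TCP handshake succeed?
    foreach ($e in $endpoints) {
        $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Purpose  = $e.Purpose
            Endpoint = "$($e.Host):$($e.Port)"
            Resolved = [bool]$r.RemoteAddress
            TcpOpen  = $r.TcpTestSucceeded
        }
    }
}

function Test-ActivationCrl {
    # The CRL is fetched over plain HTTP, so a proxy or captive portal may
    # substitute an HTML page; a 200 with text/html is a failure, not a success.
    $url  = 'http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl'
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    $type = [string]$resp.Headers['Content-Type']
    [pscustomobject]@{
        Url         = $url
        Status      = $resp.StatusCode
        ContentType = $type
        LooksLikeCrl = ($resp.StatusCode -eq 200) -and ($type -notmatch 'text/html')
    }
}

Test-ClickToRunEndpoints | Format-Table -AutoSize
Test-ActivationCrl
```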

Visio and Project


Some Office 365 plans can add subscriptions of Microsoft Visio and Microsoft Project. These applications
are not part of Office 365 ProPlus, but users download them in the same way as Office 365 ProPlus by
turning them on or off in the Office 365 admin center.

Note: Microsoft InfoPath 2013 and Microsoft SharePoint Designer 2013 have been part of
Office editions in the past, but are now available as a download from the Microsoft Download
Center. These products will not upgrade past the 2013 versions and might require removal and
reinstallation when you install Office 365 ProPlus 2016 applications.

Office 365 ProPlus licensing and activation

To install Office 365 ProPlus, each user must have:

An Office 365 user account and password, to sign in to Office 365.

An Office 365 license, which the organization's administrator assigns to the user.

A single Office 365 license enables a user to deploy Office 365 ProPlus on up to five different computers.
The user manages these installations in the Office 365 portal and can deactivate Office 365 on a specific
device, if necessary.

The licensing and activation process


As part of the installation process, Office 365 ProPlus communicates with the Office Licensing Service and
the Activation and Validation Service to obtain and activate a product key. Each day, or each time the user
signs in to his or her computer, it connects to the Activation and Validation Service to verify the license
status and extend the product key. If the computer can connect to the Internet at least once every 30
days, Office remains fully functional. If the computer goes offline for more than 30 days, Office enters
reduced functionality mode until the next time a user can make a connection. To get Office fully
functional again, a user can simply connect to the Internet and let the Activation and Validation Service
reactivate the installation.

You can check the activation status within Office applications by clicking File (to go to the Backstage
view), and then clicking Account. If Product Activated appears on the page, you have successfully
activated the Office subscription license. If Office 365 Professional Plus is already running when activation
occurs, the Backstage view might not reflect the licensed status. In this case, you will need to restart the
Office application to see the updated license status.

Office 365 administrators cannot see on which computers a user has installed Office and cannot
deactivate an Office installation on a user's computer. However, administrators do control the assignment
of Office 365 licenses to users. Therefore, when a user leaves an organization, an administrator can
reassign that user's Office 365 license to a different user, and all of the departing user's Office installations will
enter reduced functionality mode at their next licensing check-in.
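The administrator-side step described above, carried out with the Azure Active Directory (MSOnline) PowerShell module, as an added example that is not part of the course. The tenant name contoso, the user principal name and the E3 SKU (contoso:ENTERPRISEPACK) are assumptions; OFFICESUBSCRIPTION is the service-plan name under which Office 365 ProPlus appears inside an enterprise SKU. Because an installed copy of Office keeps working until its next licensing check, revoking the license alone does not cut off a departing user's access to company data, so the example blocks sign-in first.

```powershell
# Added example (not from the course): revoke or trim a user's Office 365
# ProPlus entitlement so that their Click-to-Run installations drop into
# reduced functionality mode at the next check-in with the Activation and
# Validation Service. Assumes the MSOnline module, a global-admin account and
# a tenant "contoso" whose E3 SKU is contoso:ENTERPRISEPACK (all assumptions).

Import-Module MSOnline
Connect-MsolService                      # prompts for Office 365 admin credentials

$upn = 'departing.user@contoso.com'      # assumed user

# 0. Offboarding control that actually stops access: block sign-in first.
#    License revocation only affects the desktop apps, and only at their next check-in.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# 1. Show which SKUs the user holds and the state of the ProPlus plan in each.
$user = Get-MsolUser -UserPrincipalName $upn
$user.Licenses | ForEach-Object {
    $sku = $_.AccountSkuId
    $_.ServiceStatus |
        Where-Object { $_.ServicePlan.ServiceName -eq 'OFFICESUBSCRIPTION' } |
        ForEach-Object { '{0}: OFFICESUBSCRIPTION is {1}' -f $sku, $_.ProvisioningStatus }
}

# 2a. Option A: keep the license (mailbox, SharePoint) but switch off only the
#     ProPlus service plan. Office on the user's PCs goes to reduced functionality.
$options = New-MsolLicenseOptions -AccountSkuId 'contoso:ENTERPRISEPACK' `
                                  -DisabledPlans 'OFFICESUBSCRIPTION'
Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $options

# 2b. Option B: the user has left; release the whole license back to the pool
#     so it can be assigned to someone else. (Uncomment to use instead of 2a.)
# Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses 'contoso:ENTERPRISEPACK'

# 3. Verify the pool. ConsumedUnits drops only if option B ran.
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits
```

Option A is the right choice when the person is still employed but should not run the desktop apps (for example, a contractor who only needs a mailbox); option B is the normal leaver step, taken after the mailbox and OneDrive content have been handled.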

Reduced functionality mode


If a user attempts to install Office 365 ProPlus on a sixth computer, he or she will need to deactivate one
of the first five installations. Office 365 ProPlus will then go into reduced functionality mode on the
deactivated computer. Office 365 ProPlus also enters reduced functionality mode if the administrator
revokes the user's license to use Office 365 ProPlus from the admin center, or if the Office 365
subscription expires.

In reduced functionality mode, Office 365 ProPlus remains installed on the computer, but users can only
view and print their documents. All features for editing or creating new documents are disabled, and the
user sees a message with the following options to reactivate:

Enter product key

Sign in to Office 365

As long as the Office 365 subscription is current and the user has a license, the user can then choose one
of the available options to reactivate Office 365 ProPlus on that computer.

Overview of Office 365 deployment


You can use the deployment methods discussed in this topic with whichever applications the Office 365 subscription includes. Note, however, that this topic specifically covers Office 365 ProPlus; this course does not cover on-premises deployment of Office Online Server to the organization's own SharePoint servers.

Note: Due to its online activation requirement, you cannot deploy Office 365 ProPlus to computers that cannot or do not have an Internet connection. For disconnected computers, you should deploy Office Professional Plus 2016 with a traditional volume activation method, such as Key Management Service (KMS) or Active Directory-based activation.

Deployment and bandwidth planning


You must run the Office 365 ProPlus desktop setup on each computer. If you initiate setup without first
installing any necessary operating system service packs and updates, you will use a significant amount of
download bandwidth. Each computer will separately connect to the Internet, and then download and
install service packs or updates. To prevent bandwidth saturation, you should deploy updates prior to
deploying the Office 365 ProPlus setup. You should use a package deployment tool, such as Microsoft
System Center Configuration Manager (Configuration Manager), so that updates download only once, but
are then distributed as part of a planned and scheduled deployment.
5-6 Planning and deploying Office 365 ProPlus

If you cannot deploy updates prior to Office 365 ProPlus setup, you can use Active Directory Group Policy
to throttle the deployment of Office 365 ProPlus. You do so by deploying the setup package to one
subset of users at a time, by using such categories as organizational unit (OU) or site/location. In this way,
although all users download updates, the download activity is spread across days or weeks.

Removing previous versions


As part of deployment planning, it is important to consider how to remove any previous Office versions or
previous installations. For example, you might replace Office Professional Plus 2013 with Office 365
ProPlus. You must remove prior versions before installing the newer Office 365 ProPlus version; you can
do this from Control Panel, by using the online Fix it tool, or manually. Applications such as SharePoint
Designer 2013 or InfoPath 2013 might also have to be removed before installing a newer version of Office
365 ProPlus, but they can be reinstalled after Office 365 ProPlus is installed.

Additional Reading: For more information, refer to: Uninstall Office 2013, Office 2016, or
Office 365 from a Windows computer at: http://aka.ms/imbv8i

User communications and guidance


As part of deployment planning, it is essential to maintain active communications with users. These
communications include advance notice of planned deployments of Office 365 ProPlus, help and
guidance on using Office 365 ProPlus, and links and pointers to resources and learning tools.

If you expect users to use some form of self-service to install Office 365 ProPlus, you will have to provide
additional information, such as:

Informing users of the download location to use for Office 365 ProPlus setup, as this location varies
depending on the Office 365 subscription plan (for example, Office 365 Enterprise E1 uses a
different location than Office 365 Enterprise E3).

Using correct wording in all communications. For example, depending on subscription level, users
might be accessing the Office 365 portal or the Office 365 admin center.

Pointing out to advanced users that Office 365 ProPlus uses Click-to-Run, and that users should not use
any existing volume license media location that they might have used in the past to self-service install
Office Professional 2016 or previous versions. We will cover this information in greater detail in the next
lesson.

Deployment methods
The two most common ways of deploying Office 365 ProPlus to users include:

User-driven (self-service) installation of Office 365 ProPlus directly from the Office 365 portal. We
describe this type of deployment in Lesson 2 of this module.

Managed deployments, by first downloading the Office 365 ProPlus software to the local network
and then push deploying it to users. We describe this type of deployment later in this module.

Users can also deploy Office 365 ProPlus by starting an installation from media in a network share.
Additionally, users can deploy Office 365 ProPlus by using application virtualization, although this method
is beyond the scope of this course.

Office 365 ProPlus uses Click-to-Run technologies for deployment. Click-to-Run is now the default
installation technology for Office Professional 2016, except for volume-licensed editions. Volume-licensed
Office Professional 2016 and previous Office versions use MSI-based deployment and support the
following options:

User-driven deployment from volume-licensed media in a network share.

Information technology (IT) managed deployments.

Application virtualization.

Presentation virtualization (Office 365 ProPlus does not support this option, as such environments do
not support Click-to-Run installations).

Additional Reading: For more information, refer to: Office 2016 Deployment Guides for
Admins at: http://aka.ms/v9e5xl

Office 365 ProPlus update branches


One advantage of using Office 365 is that applications update automatically when newer versions become available. This can also be a challenge for large enterprises that might want a different frequency for purposes of testing add-ins, macros, or preparing end user training. Microsoft provides update branches for administrators who use a deployment technology to install Office 365 ProPlus, Office 365 Business, Microsoft Project Pro for Office 365, and Microsoft Visio Pro for Office 365. The default update period for Office 365 ProPlus is every four months unless changed. There are three update branches:

Current Channel. This update branch is referred to as Current in the Office Deployment Tool or Group
Policy. It provides all the newest features, security updates, and non-security updates for stability or
performance as soon as they become available. This is a great option if you do not have many add-
ins or macros and would like to have users always updated with the newest content.

Deferred Channel. This update branch is referred to as Business in the Office Deployment Tool or
Group Policy. It releases every four months. If you use this update branch, you will continue to get
security updates as they become available, but new features will be available only every four months.
You can choose whether to deploy a release, but only two releases are supported, so if you choose to
skip one, you will need to deploy the newest change or the one right before the newest change when
the next update is available. This will keep you within the eight-month supported window.

First Release for Deferred Channel. This update branch is referred to as Validation in the Office
Deployment Tool or Group Policy. It is for those who like to pilot the next release before it comes out.
Users assigned to this update branch will receive the upcoming features four months in advance.
Because you can assign update branches per user through deployment methods, you could have
some test users set to this update branch for the sole purpose of testing macros, add-ins, or preparing
training materials for end users. This is also a chance to give Microsoft feedback on items that do not
work as expected.

Configuring users for update branches


There are three methods for applying update branches to users, including:

Using the Office 365 admin center. On the Settings menu, access the Apps page, and then click
Software Download settings. You can configure whether updates will be installed every month or
every four months. The default for Office 365 ProPlus is the Standard release for the whole
organization, which updates every four months. If at any time you switch from every month to every
four months, all users will lose any updates that are for a future release. There is no option for
Deferred Channel within the Office 365 admin center.
Using the Office Deployment Tool (Office 2016 version). With this method, you can edit the
configuration.xml file to change the branch to one of the three settings mentioned above. Current,
Business, or Validation are the three available for Office 365 Enterprise subscriptions. If you are using
a business subscription, the key word of Validation is replaced with FirstReleaseCurrent in the
configuration.xml file. Different users could have different configuration.xml files to vary the release
schedules per user.

Using Group Policy. This setting is in Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Updates. The choices when enabling the Group Policy setting are the same three branches mentioned above.

Upgrading Office 365 ProPlus 2013 to Office 365 ProPlus 2016


The process of upgrading to the new Office 365 ProPlus version can vary depending on who is initiating
the upgrade: Microsoft or your organization. If Microsoft is initiating the update, users will automatically
upgrade to Office 365 ProPlus 2016. If your IT department is managing the updates, you are in
control of when users receive the newest version. Support for the Office 2013 version of Office 365
ProPlus ends on February 28, 2017.
To upgrade from Office 365 ProPlus 2013 to Office 365 ProPlus 2016, you need to meet the minimum
system requirement of 2 GB of RAM. If your environment meets this requirement, you must then determine
which update channel to use.

Reference Links: For Office 365 ProPlus 2016, you need to download the latest Office
Deployment Tool. You can download the tool here: https://aka.ms/jail3c
This version cannot deploy previous versions of Office 365 ProPlus.

Additional Reading: For more information, refer to: Reference for Click-to-Run
configuration.xml file at: http://aka.ms/clh5x3 and Install the First Release build for Office 365
for business customers at: http://aka.ms/Qpy0w7

Discussion: Planning on using Office 365 ProPlus?


If you plan to use Office 365 ProPlus, discuss the following questions:

What issues do you anticipate with deploying Office?

What method would work best for your organization and why?

What advantages can you identify with user self-install methods as opposed to deployment methods from an administrator? Are there disadvantages?

How will your organization manage update branches?

Lesson 2
Planning and managing user-driven Office 365 ProPlus
deployments
In this lesson, you will learn how to plan and manage user-initiated installations of Office 365 ProPlus.
Each user initiates these deployments from the initial start page in Office 365 and installs them by using
the Click-to-Run technology. The user's only choice is where to install Office.

Lesson Objectives
After completing this lesson, you should be able to:

Describe the user-driven deployment.

Explain how to manage user-driven deployments.


Describe considerations for user-driven deployments.

Introduction to user-driven deployment


Users can perform a self-service installation by signing in to the Office 365 portal, and then selecting Install Software. This approach does not require much administrative setup, but provides only limited control over the deployment (in contrast with managed deployments). For example, administrators cannot control on which computers users install Office 365 ProPlus, but they can disable all Office 365 ProPlus deployments for a specific user. In a user-driven deployment:

Office always streams from the Internet to the computer by using Click-to-Run technology; local source locations are not supported.

Users must have an Office 365 account and be provisioned for Office 365 ProPlus.

Users must have administrative rights to the local computer.

Office 365 ProPlus installs Office 365 updates automatically in the background from the Internet. You
cannot change this behavior.

Managing user-driven installations


For user-driven installations of Office 365 ProPlus, there are limited management options. You can prevent users from installing Office 365 ProPlus from the Office 365 portal; this can be useful if the organization's policy is to deploy Office 365 ProPlus from an on-premises location in a managed deployment. Please note that preventing users from downloading and installing Office 365 ProPlus is a company-wide option. You cannot single out one user when turning this option on or off.

Similarly, administrators cannot control whether users install the 32-bit or 64-bit version of Office 365 ProPlus in a user-driven deployment. We recommend the 32-bit version, even on computers that have 64-bit operating systems. If users are installing from the Office 365 portal, it is important that you clearly instruct users on which version to install. If they install a 64-bit version, you must fully uninstall all previous 32-bit Office packages.

Additional Reading: For more information, refer to: 64-bit editions of Office 2013 at:
http://aka.ms/qovxa7

Controlling application deployment


Office 365 administrators can use the user software page in the Office 365 admin center to control
whether or not users can install Office software from the Office 365 portal. For example, depending on the
subscription plan, an administrator could permit users to install Office 365 ProPlus packages (Word, Excel,
and PowerPoint), but not Visio. It is important to note, however, that this setting applies to all users. If an
administrator disables Office software installations for users, all users will see the following message on
their software page: The administrator has disabled Office installations. Contact your administrator
for information about how to install Office.

Office 365 ProPlus installs as one package and, from the portal, it is not possible to exclude specific
applications. If an administrator wants to control installations down to an application level, there are two
options:

You can use AppLocker policies to prevent a Click-to-Run application from running.

You can use App-V 5.0 to customize the Office 365 configuration to include only specific applications.
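The AppLocker option above, as an added example that is not part of the course: a policy that stops one Click-to-Run application (Access, at its Office 2016 install path) from running for all users while the rest of Office 365 ProPlus stays usable. The path, the rule names and the locally generated rule IDs are assumptions. The practitioner's caveat is built in: an AppLocker rule collection with enforcement turned on is default-deny, so a collection holding only the Deny rule would block every other executable on the computer. The example therefore includes the usual Allow rules, starts in audit mode, and tests the policy before applying it.

```powershell
# Added example (not from the course): block MSACCESS.EXE from a Click-to-Run
# installation with AppLocker, keeping Word, Excel and the rest runnable.
# Paths, names and GUIDs are assumptions; the policy is applied locally here,
# and the same XML can be imported into a Group Policy object.

$blockedExe = '%PROGRAMFILES%\Microsoft Office\root\Office16\MSACCESS.EXE'   # Click-to-Run install path

# A Deny rule always wins over an Allow rule. The three Allow rules below are
# the standard defaults; without them the Exe collection would deny everything
# that is not explicitly allowed, including Windows itself.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Access (Click-to-Run)"
                  Description="Access is not licensed for this organization"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$blockedExe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'Block-Access.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what decision the rules would make for real files on
# this computer (the files must exist), without changing anything.
$probe = @(
    'C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE',   # expect Denied
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'     # expect Allowed
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply in audit mode first. The Application Identity service must be running
# or AppLocker evaluates nothing. Review the "AppLocker\EXE and DLL" event log
# for the audit events before changing EnforcementMode to "Enabled".
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

A path rule is the simplest form and matches the course text, but it only controls the copy at that path; users who can write to an allowed location could run a copied binary. A publisher rule built with Get-AppLockerFileInformation and New-AppLockerPolicy -RuleType Publisher is more robust and survives the monthly Click-to-Run build changes. AppLocker governs whether the application runs; it does not stop Click-to-Run from installing it.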

Considerations for user-driven deployments


When planning for user-driven deployments, it is important to consider typical obstacles that prevent successful deployments. These obstacles include the following:

Users do not have admin rights. Local administrative rights are a requirement of user-driven deployment.

Bandwidth limitations during deployment prevent successful streaming of Office 365 ProPlus binaries. Ensure that all other updates for the Windows operating system are complete before deployment.

Incorrect or unassigned licenses prevent successful user activation.

Windows XP is no longer supported, and Office 365 ProPlus setup will fail on it.

Outlook 2016 does not support connecting to Exchange Server 2007.

Communication and training


Some of your planning should focus on a communication plan to tell stakeholders how the new Office
365 ProPlus will change their day-to-day work. Inform users about macros or other processes that the
new Office 365 ProPlus will change, eliminate, or improve. Ensure that users are aware of the schedule
and any expected downtime.

Depending on the type of deployment you are conducting, you should prepare training for all those whom
the deployment will affect. Decide to what extent you need to create training materials. Can you rely
entirely on online training? Can you offer classroom courses? Without training, users might overload the
support team with calls regarding the easiest of tasks, which might jeopardize deployment schedules.
Training and communication are good tools to improve the success of your deployment and get
immediate returns in productivity.

Office for Mac


When Mac users select software deployment, Office 2016 for Mac is the default install, and they can install
it on up to five computers. Users can download and install Office for Mac 2011 through September 2016.
PC users can install Office 365 ProPlus on up to five computers. Also, keep in mind that there is full
support for Office Online on Macs, as long as the browser meets the requirements. Mac users can also use
Office 365 with an existing Office for Mac 2011 Service Pack 3 installation, or with Office 2008 for Mac
(update 12.2.9 or newer) together with Entourage 2008 for Mac, Web Services Edition.

Mobile devices
You can use Office 365 on a wide range of mobile devices, including phones and tablets. Office Online is
available for Windows tablets, Windows Phone, iPhone, iPad, and Android devices. Light versions are
available for BlackBerry devices and Nokia (Symbian operating system). Users can use Office 365 on up to
five mobile devices and five PCs.

Additional Reading: For more information, refer to: System requirements for Office at:
http://aka.ms/ghq4zw

Additional Reading: For more information, refer to: Office 365 mobile setup Help at:
http://aka.ms/Ca6hpo

Lesson 3
Planning and managing centralized deployments of
Office 365 ProPlus
In this lesson, students will learn how to manage an Office 365 ProPlus deployment, manage streaming
updates, use the Office Deployment Tool, and customize the Office 365 deployment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe managed deployments.

Describe the Office Deployment Tool.

Manage and deploy Office with Group Policy.

Manage Office 365 ProPlus updates.

Plan for Office 365 ProPlus deployments.

Introduction to managed deployments


In a managed deployment, the Office 365 ProPlus software first downloads to the local network, and then some form of push mechanism deploys it to users. The following software distribution tools are examples of mechanisms that you can use to manage push installations:

Configuration Manager

Intune

Non-Microsoft software distribution

Group Policy logon scripts

Scripted installation

In the lab for this module, you will use Group Policy computer startup scripts to deploy Office 365 ProPlus. However, similar command lines and scripts are part of any electronic software distribution. You can build them into System Center or Microsoft Deployment Toolkit (MDT) task sequences.

With Group Policy and the Office Deployment Tool, it is important to remember that you must run Click-to-Run installations as a local administrator. For example, Group Policy startup scripts must run in the computer context and not the user context. You can use Configuration Manager or Remote Desktop in cases where users do not have admin rights.

Performing managed deployments


For Click-to-Run, you configure the Office client through Group Policy or the Office Deployment Tool.
You do not use the Office Customization Tool (OCT), as you might have done with past volume-licensed
Office 2016 Professional Plus media. You can use the following tools to complement each other:

Configuration.xml. Office Deployment Tool uses this to customize the deployment experience by:

o Assigning which products to install (Office 365 ProPlus, Office 365 Business Premium, Visio, or
others).

o Choosing 32-bit or 64-bit installations.

o Choosing which applications to exclude.

o Choosing which update branch to assign to the user.

o Adding specific language versions.


o Removing previous deployments or languages.

Group Policy. You can use this to manage all other Office settings, including which applications to
block from certain users.

Overview and customization of Office Deployment Tool


You can download the Office Deployment Tool from the Office 365 admin center, or directly from the Microsoft Download Center. You use the Office Deployment Tool to:

Download Office source files (source URL: http://officecdn.Microsoft.com).

Install or remove Click-to-Run, or customize installations.

Apply software update policies.

The Office Deployment Tool supports three command-line switches:

/download <path to configuration.xml> to specify the download.

/configure <path to configuration.xml> to specify the Office source file location.

/packager to prepare Office source files so that you can use Click-to-Run in an App-V infrastructure.

The Office Deployment Tool process involves the following key steps:

1. Edit Configuration.xml to specify the Office 365 software to download, such as Office 365 ProPlus or
Visio, and the shared location to use.

2. Use Office Deployment Tool with the download option to place source files in a software
distribution infrastructure; for example, setup.exe /download \\LON-CL1\Office16
\Configuration.xml.

3. Use Office Deployment Tool with the configure option to deploy the Office Deployment Tool and
the configuration file to clients; for example, setup.exe /configure \\LON-CL1\Office16
\Configuration.xml.

4. When client computers execute the Office Deployment Tool, it reads the configuration file, and then
streams Click-to-Run from the specified location (for example, where the source files downloaded
internally).
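The four steps above carried through end to end, as an added example that is not part of the course. Phase 1 runs once on an administrator's workstation and fills the share; phase 2 is the Group Policy computer startup script from the lab, which runs as SYSTEM on each client. The server name LON-SVR1, the share name, the Business (Deferred Channel) branch, the language and the registry-based "already installed" guard are the example's own assumptions, not part of what the Office Deployment Tool does by itself. The security point a practitioner should not miss: the startup script executes setup.exe from the share as SYSTEM on every targeted computer, so whoever can write to that share can run code as SYSTEM across the domain. Only administrators may have write access.

```powershell
# Added example (not from the course): two-phase Office Deployment Tool flow.
# Phase 1 (admin workstation): /download populates an internal share.
# Phase 2 (client, GPO computer startup script, SYSTEM context): /configure.
# Server, share, branch, language and the install guard are assumptions.

$share      = '\\LON-SVR1\Office16'          # assumed distribution share
$odtExe     = Join-Path $share 'setup.exe'    # Office Deployment Tool, placed here by the admin
$configPath = Join-Path $share 'Configuration.xml'

# One Configuration.xml serves both phases: /download writes the build into
# SourcePath, /configure installs from SourcePath and points later updates at
# the same internal share instead of the Internet CDN.
$config = @"
<Configuration>
  <Add SourcePath="$share" OfficeClientEdition="32" Branch="Business">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" UpdatePath="$share" Branch="Business" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@

# ---- Phase 1: administrator populates the share -------------------------
function Invoke-OdtDownload {
    # Anyone who can write here can execute code as SYSTEM on every client, so
    # list the principals with write rights before trusting the share.
    (Get-Acl $share).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize

    Set-Content -Path $configPath -Value $config -Encoding UTF8
    $p = Start-Process -FilePath $odtExe -ArgumentList "/download `"$configPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "ODT /download failed with exit code $($p.ExitCode)" }

    # The build lands under <share>\Office\Data\<build number>; report what is there.
    Get-ChildItem (Join-Path $share 'Office\Data') -Directory | Select-Object -ExpandProperty Name
}

# ---- Phase 2: computer startup script on each client --------------------
function Invoke-OdtConfigure {
    # Idempotence guard (assumption): Click-to-Run records the installed build
    # in this key, so the script is safe to assign to a GPO that runs at every boot.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $installed = (Get-ItemProperty $c2r).VersionToReport
        "Office 365 ProPlus $installed already present; nothing to do."
        return
    }
    # Startup scripts run as SYSTEM, which satisfies the local-admin requirement
    # even when the signed-in user is a standard user. The computer account
    # needs read access to the share.
    $p = Start-Process -FilePath $odtExe -ArgumentList "/configure `"$configPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "ODT /configure failed with exit code $($p.ExitCode)" }
}

# Admin: Invoke-OdtDownload      Client startup script: Invoke-OdtConfigure
```

Set NTFS permissions on the share so that Domain Computers and Domain Admins have read access and only a small administrators group has write access; the Click-to-Run service will later pull monthly builds from the same UpdatePath, so the share stays an execution path for the life of the deployment, not only during the rollout.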

Note: When you use this method, you deploy the Office Deployment Tool and not the
Office source files. The Office Deployment Tool is a 3-megabyte (MB) executable.

Additional Reading: For information, refer to: Office Deployment Tool for Click-to-Run
at: http://aka.ms/uic22i

Additional Reading: For more information, refer to: Reference for Click-to-Run
configuration.xml file at: http://aka.ms/clh5x3

Managing and deploying Office with Group Policy


You can use Group Policy to manage general Office settings and application-specific settings, such as managed add-ins. At the application level, you use Group Policy to control the user's first-run experience. The following example includes the procedure to remove all first-run experiences, resulting in a no-prompt deployment.

1. First, in Group Policy Editor, expand User Configuration to the following path:

User Configuration\Administrative Templates\Microsoft Office 2016\First Run

2. Set the following settings:

o Disable First Run Movie: Enabled


o Disable Office First Run on application boot: Enabled

3. Then expand the User Configuration to the following path:

User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center

4. Set the following settings:

o Disable Opt-in Wizard on first run: Enabled

o Enable Customer Experience Improvement Program: Disabled

o Allow, including screenshot with Office Feedback: Disabled

o Send Office Feedback: Disabled

o Automatically receive small updates to improve reliability: Disabled

Additional Reading: For more information, refer to: Office 2016 Administrative Template
files (ADMX/ADML) and Office Customization Tool at: http://aka.ms/bengwp

Managing Office 365 ProPlus updates


Click-to-Run uses an optimized software-update model that provides unobtrusive background updates. This model results in simpler and smaller updates. Every month, on Patch Tuesday (the second Tuesday of the month), Microsoft releases an updated Office build, comprising a full set of source files. Unlike with traditional MSI-based installations, these releases do not include separate security fixes, private hotfixes, cumulative updates, and service packs. You use the updated full set of source files for new installations. For existing installations, during the update process, the client performs a delta comparison between the current and updated build, and only downloads the deltas or differences.

Additionally, this model does not affect users, even if they are using an Office application when an update
is happening. When they close and reopen the Office application, they will be using the newer build
automatically.

Update options
Updating options include:

Automatic from cloud. This is the default mode (typically used for home or small office installations)
where updates download from the cloud. A daily task checks for updates, and when a new build is
available, the client automatically receives the deltas.

Automatic from network. In managed deployments, administrators can specify (by using Group Policy
or the configuration.xml file during setup) to check for updated builds from an internal source.
Typically, small or medium organizations use this option.

Rerun setup.exe by using Electronic Software Delivery (ESD). In large organizations, using an ESD such
as Configuration Manager enables even more fine-grained control of update scheduling. You can use
scripts or task sequences in the ESD to re-execute setup.exe /configure. This compares the
current version with the source (defined in the SourcePath attribute in configuration.xml) and only
installs the deltas. By using an ESD, administrators can specify how many users receive a new build in a
given time period.

The second and third options enable administrators to control when users receive updated builds. For
these two options, a best practice is to download the updated build to a test share initially, and to apply
updates to test or pilot computers only (as you configure these computers to receive updates from
\\Server\Testing$, for example). After the testing period, you move the updated build to a production
update share, and it begins to update production computers automatically (as they are configured to
receive updates from \\Server\Production$, for example).

Note: Although administrators can choose not to receive updates, it is important to note
that clients can remain on an outdated build for only 12 months. After 12 months, clients must
move to a newer build in order to stay on a build that Microsoft support covers.

Using Configuration.xml file to manage updates


Administrators can configure update behavior by using the Office Deployment Tool configuration.xml file
options. For example, use the following command to turn on updates and direct them to the shared
folder:

<Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" />

To manage updates, you can set some options. With these update options, you can specify if updates are
managed through Microsoft or through your organization.

Enabled. If set to TRUE (default), Click-to-Run will automatically detect, download, and install
updates.

UpdatePath. Specifies a network, local, or HTTP path for a Click-to-Run installation source to use for
updates. If not set, or set to default, the Click-to-Run source on the Internet is used.

TargetVersion. Sets a specific product build number (for example, 16.0.6366.2036) that the next
update cycle will update. If not set or set to default, Click-to-Run will update to the latest version
advertised at the Click-to-Run source.
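The test-share to production-share flow from the previous topic, together with the Updates options above, as an added example that is not part of the course. It pulls the next build into the test share, promotes a named build to production after the pilot, and then reads each client's Click-to-Run registry state to confirm which build it runs and which UpdatePath it uses. The server and share names, the build number 16.0.6366.2036 (taken from the TargetVersion example above) and the registry value names VersionToReport, Platform, UpdateUrl and CDNBaseUrl under HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration are assumptions to verify on your own Office 2016 builds.

```powershell
# Added example (not from the course): stage a Click-to-Run build on a test
# share, promote it to production after the pilot, and audit what clients run.
# Server, shares, build number and registry value names are assumptions.

$testShare = '\\LON-SVR1\Testing$'
$prodShare = '\\LON-SVR1\Production$'
$odtExe    = Join-Path $testShare 'setup.exe'

# 1. Pull the next Deferred Channel build into the TEST share only.
$downloadCfg = @"
<Configuration>
  <Add SourcePath="$testShare" OfficeClientEdition="32" Branch="Business">
    <Product ID="O365ProPlusRetail"><Language ID="en-us" /></Product>
  </Add>
</Configuration>
"@
Set-Content -Path (Join-Path $testShare 'download.xml') -Value $downloadCfg -Encoding UTF8
Start-Process -FilePath $odtExe -ArgumentList "/download `"$testShare\download.xml`"" -Wait

# 2. After the pilot period, promote the build. /E (not /MIR) is used so the
#    previous build stays in production as a rollback target. Pilot clients use
#    UpdatePath=$testShare, production clients UpdatePath=$prodShare.
function Publish-OfficeBuild {
    param([string]$Build)   # for example '16.0.6366.2036'
    $src = Join-Path $testShare 'Office'
    $dst = Join-Path $prodShare 'Office'
    if (-not (Test-Path (Join-Path $src "Data\$Build"))) { throw "Build $Build is not in the test share" }
    # Copies the new build folder and the version manifest files at the Data root,
    # which is what Click-to-Run reads to discover the build it should move to.
    robocopy $src $dst /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    "Published $Build to $prodShare"
}

# 3. What does each client actually run, and where does it look for updates?
function Get-ClickToRunState {
    $cfg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction Stop
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Version    = $cfg.VersionToReport   # installed build
        Platform   = $cfg.Platform          # x86 or x64
        UpdatePath = $cfg.UpdateUrl         # empty means the Internet CDN
        CdnBase    = $cfg.CDNBaseUrl        # identifies the branch the build came from
    }
}

# Compare pilot and production computers against the build that was published.
$expected = '16.0.6366.2036'
Invoke-Command -ComputerName 'LON-CL1', 'LON-CL2' -ScriptBlock ${function:Get-ClickToRunState} |
    Select-Object Computer, Version, Platform, UpdatePath,
                  @{ Name = 'OnExpected'; Expression = { $_.Version -eq $expected } } |
    Format-Table -AutoSize
```

A client whose UpdatePath is empty has fallen back to the Office CDN and will not follow your pilot schedule; a client on an older Version than expected either has updates disabled or cannot reach the share. The production share is executed by the Click-to-Run service as SYSTEM on every client, so write access to it must be limited to the administrators who run Publish-OfficeBuild.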

Planning for Office 365 ProPlus deployments


When planning for Office 365 ProPlus deployments, it is important to consider typical obstacles that prevent successful deployment. These obstacles include the following:

Users without admin rights. Local administrative rights are a requirement of Click-to-Run deployments.

Bandwidth limitations during deployment. These prevent successful streaming of Office 365 ProPlus binaries.

Incorrect licenses. These prevent successful user activation.

End of support for Windows XP. This will cause Office 365 ProPlus setup to fail.

Lack of information technology (IT) expertise in an enterprise software deployment. You need to
understand tools such as the Office Deployment Tool, Group Policy, and Configuration Manager
before you use them as part of enterprise Office 365 client rollouts.

Discussion: Planning for a Managed Office 365 deployment


What would you take into account while planning for a managed deployment of Office 365 ProPlus in your organization?

Deployment method

Update branch

Best Office configurations

Type and level of training



Lesson 4
Office Telemetry and reporting
In this lesson, students will learn how to set up the telemetry service, enable telemetry through Group
Policy, report user issues, and deploy the Office Telemetry Agent.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Office Telemetry.

Deploy and configure Office Telemetry.

Describe how to deploy and configure Office Telemetry.

Describe Office Telemetry considerations.

Overview of Office Telemetry


Office Telemetry provides inventory, usage, and monitoring tools for Office 2016, Office 2013, Office 2010, Office 2007, and Office 2003. Data is collected whenever a user opens, edits, or closes a monitored document type. Office Telemetry then aggregates this data in a central database for reporting and viewing. You can view the data by using an Excel solution, the Office Telemetry Dashboard, and the Office Telemetry Log.

For Office 2013 and 2016 applications, Office Telemetry can create records if certain error situations occur, including a description of the problem and a link to more information.

Office Telemetry agents are built into Office 2013 Professional, Office 2016 Professional, Office 365
ProPlus 2013, and Office 365 ProPlus 2016. If you enable data collection, information about installed add-
ins, the most recently used documents, and application event data will go to the Office Telemetry Logs
and Office Telemetry Database. However, for Office 2003, Office 2007, and Office 2010, you must first
deploy an agent; this agent collects information about add-ins and recently used documents, but does
not provide application event data.

Note: Another advantage of installing the 32-bit version of Office 365 ProPlus is compatibility with the full range of existing add-ins that you install and use with the Office applications. With the Office Telemetry Dashboard, you can measure the use of these add-ins.

Office Telemetry uses


A key function of Office Telemetry is to help when planning an upgrade to Office 365 ProPlus. If you deploy agents to computers that run existing Office editions, the collected data provides inventory information and identifies the business-critical Office documents and solutions in the organization. You should then prioritize these solutions for compatibility testing with the newest version of Office 365 ProPlus.

Collecting this data prior to an Office 365 ProPlus rollout provides the information needed to help with capacity and license planning. Data collection also helps to ensure that ProPlus network and storage performance will be within acceptable limits. You can also use Office Telemetry after an Office 365 ProPlus rollout to monitor performance against targets, to monitor user adoption of new features, and to identify errors and problems with Office solutions.

Telemetry operations
Before data collection can begin, you must enable Office Telemetry client functionality, whether built into
Office 365 ProPlus or deployed to previous versions of Office, through Group Policy or by editing the local
registry. Data collection runs as a scheduled task and requires domain membership.

Office client data is first sent to a shared folder on the network (cloud storage is not an option for this data). Every telemetry client must be able to write to this folder, so grant users create and write permissions on it rather than read permissions; that keeps one user's uploads from being browsed by another. The Office Telemetry processing service, known as the Office Telemetry Processor, runs on a domain-joined computer running Windows Server 2008 or newer. This service reads the data from the share and sends it to the Office Telemetry database.

Note: The telemetry processor can run in test or small environments on Windows 10,
Windows 8, or Windows 7; it is also possible to run the processor on a workgroup computer by
using a workaround.

The Office Telemetry database requires Microsoft SQL Server 2005 and newer versions. You can also run it
on Microsoft SQL Express editions in test or small environments.

Note: You can use a single computer for all the Office Telemetry components: database,
share, and processor.

The Office Telemetry Dashboard is an Excel 2016 tool that installs automatically as part of Office
Professional Plus 2016 and Office 365 ProPlus installations. You will find the dashboard in the Tools folder
under the Microsoft Office 2016 Start Menu folder. The dashboard connects to the database to enable
consolidated views of telemetry data, and multiple users can use the dashboard to view the data.

The Office Telemetry Log is an additional tool for developers and experienced users to use when diagnosing compatibility issues on a specific Office 2013 or Office 2016 client. As with the dashboard, the Office Telemetry Log is in the Office Tools folder and requires Excel (Excel 2016 for the Office 2016 version of the tool). It installs automatically with Office Professional Plus 2013, Office Professional 2016, and Office 365 ProPlus. However, unlike the dashboard, the Office Telemetry Log connects to the local data store on the client, not to the central database.

Telemetry management
Telemetry data collection is managed separately for each client through Group Policy settings. The Office 2016 administrative templates (Office16.admx and Office16.adml) include these settings, under the User Configuration\Administrative Templates\Microsoft Office 2016\Telemetry Dashboard node. If you cannot use Group Policy, you can also configure these settings on the local computer by editing the registry, or by deploying registry files. There are also several telemetry test settings that you can set only in the registry.

Deploying and configuring Office Telemetry


You first deploy the Office Telemetry Dashboard and components on user computers. These components are part of Office Professional 2016 and Office 365 ProPlus installations, and do not require additional installation. The Office Telemetry Dashboard Getting Started worksheet then provides a step-by-step guide and links to configure all the required Office Telemetry components.

Note: You can find the Office Telemetry Dashboard Getting Started worksheet by starting the Office Telemetry Dashboard in the Office 2016 Tools folder. This opens an Excel spreadsheet with two tabs for the worksheets at the bottom of the window. The Getting Started and Telemetry Dashboard Guide are the two worksheets that are available.

You must perform the following steps to install and configure Office Telemetry:

1. Prepare the database. The first step is to deploy SQL Server (Express or full version), or to connect to
an existing SQL Server installation. If a new database is necessary, the Getting Started worksheet
provides download links for SQL Server Express Edition.

Note: When configuring the database instance, choose Windows authentication mode. The Office Telemetry Dashboard and Processor connect by using Windows authentication only, so enabling Mixed Mode (SQL Server authentication) gains nothing and only adds a second set of credentials to protect.

2. Set up the Office Telemetry Processor. The second step is to set up the Office Telemetry Processor,
which reads information that Office Telemetry Agents store in the shared folder. It then connects and
adds records to the Office Telemetry database. The Office Telemetry Processor setup wizard provides
guidance for installing the processor, setting up the share, and making the database connection.

3. Deploy Office Telemetry Agents. The third step is to deploy any required agents for versions that are
older than Office 2013. The dashboard Getting Started worksheet provides download links for x86
and x64 Office Telemetry Agents. You can deploy agents by using scripts, Group Policy, electronic
software distribution, or application virtualization management features of Configuration Manager.

4. Configure Office Telemetry Agents. The fourth step is to configure Office Telemetry Agents and
enable data logging. The dashboard Getting Started worksheet provides a download link for the
Office 2016 Administrative Template files. You should then import the office16.admx file and
language-specific office16.adml file into the Active Directory domain for use with Group Policy
Management tools.

The Office Telemetry Group Policy settings cover the following options:

o Enabling data collection.

o Enabling data upload to the shared folder.


o Location or Universal Naming Convention (UNC) path of the shared folder that the client will use
to store its data.

o Any applications or solutions to ignore during data collection.



o Custom tags to use to help during data viewing. These tags can include user location,
department, and Active Directory security group. The next topic provides more information on
tagging.

o Enabling privacy settings.

When you have deployed the Group Policy settings to Office clients, the telemetry configuration is
complete, and data collection will begin.

The dashboard Getting Started worksheet provides two additional post-configuration steps:

1. Connect the dashboard to the database. The fifth step on the dashboard Getting Started worksheet is
to connect the dashboard to the database to enable viewing of the data. This step creates and
populates additional worksheets. A later topic will describe this.

2. Configure any required privacy settings. The final configuration step is to optionally configure any required privacy settings. By default, data collection includes full file names, file paths, and document titles. Administrators do not always need to see such detailed information, and your privacy policy might not permit it. If you enable the Turn on privacy settings in Telemetry Agent Group Policy setting, file names, file paths, and titles are obscured before they leave the client. For example, a document named Merger_Contoso.docx is recorded as Me********.docx in the shared folder, and the document's location and title are recorded as <location>\******** and ********.

Additional Reading: For more information, refer to: Manage the privacy of data
monitored by telemetry in Office at: https://aka.ms/rb6252
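The following script is an added example, not part of the course text, showing how to apply the agent settings from step 4 and the privacy setting from the final step on a computer that cannot receive Group Policy, by writing the registry values behind the Office16.admx Telemetry Dashboard policies. The share path and tag values are constructed sample input, and the value names are assumed to match your copy of the template; verify them against it before deploying.

```powershell
# Added example (not from the course): configure the Office 2016 Telemetry Agent on a
# computer that cannot receive Group Policy, by writing the same HKCU policy values that the
# Office16.admx "Telemetry Dashboard" settings write. Value names assumed to match that
# template; check them against your copy. \\LON-DS1\TelemetryShare and the tags are sample input.

$OsmKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\osm'

function Set-TelemetryAgentPolicy {
    param(
        [string]$Key = $OsmKey,
        [Parameter(Mandatory)][string]$SharePath,          # UNC path of the upload share
        [hashtable]$Tags = @{},                            # Tag1..Tag4 -> label shown in the dashboard
        [bool]$ObfuscateFileNames = $true                  # "Turn on privacy settings in Telemetry Agent"
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    $values = @{
        EnableLogging         = 1                          # collect into the local data store
        EnableUpload          = 1                          # the setting that actually moves data off the client
        CommonFileShare       = $SharePath
        EnableFileObfuscation = [int]$ObfuscateFileNames   # Merger_Contoso.docx is recorded as Me********.docx
    }
    foreach ($n in 'Tag1', 'Tag2', 'Tag3', 'Tag4') {
        if ($Tags.ContainsKey($n)) { $values[$n] = [string]$Tags[$n] }
    }
    foreach ($entry in $values.GetEnumerator()) {
        $type = if ($entry.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $Key -Name $entry.Key -PropertyType $type -Value $entry.Value -Force | Out-Null
    }
    return $values
}

function Test-TelemetryAgentPolicy {
    # Read the policy back and return the names of any values that differ from what was intended.
    param([string]$Key = $OsmKey, [hashtable]$Expected)
    $actual = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $Expected.Keys | Where-Object { "$($actual.$_)" -ne "$($Expected[$_])" }
}

function Test-TelemetryShareWritable {
    # The agent needs create/write (not read) on the share. Probe as the current user, then clean up.
    param([Parameter(Mandatory)][string]$SharePath)
    $probe = Join-Path $SharePath ("probe-{0}.tmp" -f [guid]::NewGuid())
    try   { New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null; Remove-Item $probe -Force; return $true }
    catch { return $false }
}

# Usage with constructed values (adjust to your environment):
$share    = '\\LON-DS1\TelemetryShare'
$intended = Set-TelemetryAgentPolicy -SharePath $share -Tags @{ Tag1 = 'London'; Tag2 = 'Finance'; Tag3 = 'Pilot' }
$drift    = Test-TelemetryAgentPolicy -Expected $intended
if ($drift) { Write-Warning "Policy values not applied: $($drift -join ', ')" }
if (-not (Test-TelemetryShareWritable -SharePath $share)) {
    Write-Warning "Share $share is not writable by the current user; uploads will fail silently"
}
```

Because the values live under HKCU, the script has to run in the context of each user whose Office sessions you want to monitor; a logon script is the usual vehicle. Leaving EnableFileObfuscation at 1 unless someone has signed off on collecting full document names is the conservative default.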

Office Telemetry considerations


When planning for Office Telemetry, it is important to consider typical obstacles that you might encounter. These obstacles include:

Permissions. The computers that run the Office Telemetry Processor, shared folder, and SQL database must be domain-joined, so that you can configure the appropriate security settings. If there is a firewall between the dashboard (or the processor) and the telemetry database, you must open the SQL port in the firewall configuration. The default port for a SQL Server default instance is TCP 1433; a named instance listens on a dynamic port unless you assign a fixed one, and clients locate it through the SQL Server Browser service on UDP 1434.

Note: It is important to check the user permission role for the Office Telemetry Dashboard,
and ensure you have added the user to the td_readonly role.

Infrastructure issues. Various telemetry infrastructure issues can affect successful deployment.
Examples include a corrupt telemetry database, and connectivity issues between agent and shared
folder, between the telemetry processor and the database, or between the telemetry dashboard and
the database.

Unreported data. For various reasons, there might be Office data that never reaches the shared folder, and is therefore never stored in the database. For example, offline or mobile computers that cannot receive Group Policy might never be enabled for data logging, or might never be able to report their data.

If you overlook computers that are running versions older than Office 2013, you might assume that all computers running Office are reporting data. However, if you have not deployed agents to those computers, their data will never be sent. Office 2013 and Office 2016 include the agent; earlier Office versions do not.

Windows XP-based computers do not support the Office Telemetry Agent scheduled task; therefore, they only report data at each user sign-in.

Missing data. It is important to remember that data reporting is a background activity, and that after
the random initial upload interval, Office Telemetry collects data only every eight hours. Therefore, it
might take some time before all computers are reporting data.

Performance and capacity planning. You can maximize telemetry performance by setting data thresholds, so that only essential information is reported. You can set thresholds by using the Telemetry Dashboard Administration Tool (Tdadm.exe).

When planning for capacity, note the following data collection upload sizes:

o Office 365 ProPlus: typically 64 KB at each upload

o Office 2003, Office 2007, and Office 2010 (with the Office Telemetry Agent deployed): typically 50 KB at each upload

Even with these small upload sizes, large organizations accumulate significant amounts of data. For example, 25,000 users reporting data over an eight-hour period can produce 11 GB of data. The shared folder that receives the uploads, and the database that stores them, must be sized for this volume; the individual client computers hold only their own small local data store.

Additional Reading: For more information, refer to: Troubleshooting Telemetry Dashboard deployments at: http://aka.ms/ovxlg9
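The following script is an added example, not from the course, that turns the obstacles above into a checklist you can run from a client that should be reporting: it checks for the agent's scheduled tasks, for a policy that enables both collection and upload, for share reachability and a recent upload, and for the SQL port through any firewall. Host names, share path and port are assumed values, and the task names are the ones an Office 2016 client registers; the td_readonly membership from the note has to be checked on the SQL side, which this script does not do.

```powershell
# Added example (not from the course): pre-flight checks for the Office Telemetry obstacles
# listed above, run on a client that is supposed to be reporting. LON-DS1, the share and
# the port are assumed values; the scheduled task names are those of an Office 2016 client.

function Test-TelemetryClientHealth {
    param(
        [string]$SharePath = '\\LON-DS1\TelemetryShare',     # assumed
        [string]$SqlServer = 'LON-DS1',                      # assumed
        [int]$SqlPort = 1433,                                # default instance; named instances use a dynamic port plus UDP 1434
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\osm',
        [int]$StaleHours = 8                                 # collection interval after the initial random delay
    )
    $results = [ordered]@{}

    # 1. Agent tasks present: without them nothing is ever uploaded (the "missing data" case).
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgent*' -ErrorAction SilentlyContinue
    $results.AgentTasks = [bool]$tasks

    # 2. Policy enables both collection and upload, and points at the expected share.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $results.LoggingEnabled = ($p.EnableLogging -eq 1)
    $results.UploadEnabled  = ($p.EnableUpload -eq 1) -and ($p.CommonFileShare -eq $SharePath)

    # 3. Agent -> share connectivity.
    $results.ShareReachable = Test-Path -Path $SharePath

    # 4. Anything uploaded within one interval? Older than that suggests agents are not running.
    $results.RecentUpload = $false
    if ($results.ShareReachable) {
        $newest = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $results.RecentUpload = [bool]($newest -and ($newest.LastWriteTime -gt (Get-Date).AddHours(-$StaleHours)))
    }

    # 5. Dashboard/processor -> database connectivity through any firewall in between.
    $results.SqlPortOpen = (Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue).TcpTestSucceeded

    return [pscustomobject]$results
}

Test-TelemetryClientHealth | Format-List
```

A client that shows AgentTasks and LoggingEnabled as True but UploadEnabled as False is the usual explanation for a dashboard that stays empty: the policy turned on collection but never set EnableUpload or the share path.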

Lab: Managing Office 365 ProPlus installations


Scenario
Most users in your organization are using Office 2013 on their desktops. As part of the Office 365 pilot
project, you would like to upgrade the clients to Office 365 ProPlus to take advantage of the new features
available in Office 2016.

The project steering committee has not yet decided whether they will allow users to install Office 365
ProPlus, or whether they will use a centralized installation mechanism. As part of the pilot project, you
need to evaluate each option for deploying and managing Office 365 ProPlus.

Objectives
After completing this lab, you will be able to:

Prepare an Office 365 ProPlus managed installation.

Manage user-driven Office 365 ProPlus installations.

Manage centralized Office 365 ProPlus installations.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-CL1, 20347A-LON-CL3, 20347A-LON-CL4, 20347A-LON-DC1, 20347A-LON-DS1

User name: Adatum\Administrator, Adatum\Holly, Adatum\Beth

Password: Pa55w.rd

In all tasks:

Where you see references to AdatumYYXXXXX.onmicrosoft.com, use your unique AdatumYYXXXXX Office 365 name displayed in the Lab Page of your web browser.

Where you see references to AdatumYYXXXX.hostdomain.com, replace the AdatumYYXXXX with your unique hostdomain.com Name displayed in the online lab portal.

This lab requires the following virtual machines: (use only the VMs required for your lab)

LON-DC1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-DS1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd

LON-CL3

o Sign in as Adatum\Beth using the password Pa55w.rd

LON-CL4

o Sign in as Adatum\Beth using the password Pa55w.rd

Question: Why do you need to edit the configuration.xml file when preparing to use
managed deployments of Office 365 ProPlus?

Question: How can you verify that the Click-to-Run service is running?

Module 6
Planning and managing Exchange Online recipients and
permissions
Contents:
Module Overview 6-1

Lesson 1: Overview of Exchange Online 6-2

Lesson 2: Managing Exchange Online recipients 6-8

Lesson 3: Planning and configuring Exchange Online permissions 6-25

Lab: Managing Exchange Online recipients and permissions 6-30

Module Review and Takeaways 6-31

Module Overview
Microsoft Exchange Online in Microsoft Office 365 provides users with a messaging and collaboration
platform, giving them a single location for composing, reading, and storing email, calendar, contact, and
task information. Users can access their personal information from many different device types, including
those running Windows 10, iOS, Android, and Windows Phone. This module describes Exchange Online
and explains how to create and manage recipient objects and how to manage and delegate Exchange
security.

Objectives
After completing this module, you will be able to:

Describe Exchange Online.

Manage Exchange Online recipients.

Plan and configure delegated administration.



Lesson 1
Overview of Exchange Online
Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft Exchange Server as a cloud-based service. It gives users single sign-on (SSO) access to email, calendar, contacts, and tasks from PCs, the web, and many types of mobile device. In addition, Exchange Online integrates fully with Microsoft Azure Active Directory (Azure AD), so administrators manage the identities, groups, and access policies that govern Exchange Online from the same directory they use for the rest of Office 365. You can also integrate Exchange Online with existing Exchange on-premises installations, either by using simple coexistence or as a long-term hybrid deployment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Exchange Online features.


List the Exchange Online subscription options.

Summarize the planning issues with an Exchange Online implementation.

Describe how to connect to Exchange Online from Windows PowerShell.

Exchange Online features


Exchange Online is a hosted messaging solution that delivers many of the same features as Exchange Server. It provides your users with access to email and collaboration functionality from a variety of client device types and platforms.

Some features of Exchange Online include:

Mailboxes and online archives. Individual users have their own mailboxes that they can use to store mail messages. In addition to the main mailbox, some Office 365 plans include an online archive that provides additional storage.

Calendaring. Each user has a calendar that they can use to track their upcoming events. Users can use
calendars when booking meetings to verify availability. Where appropriate, users can delegate access
to their calendars to other users such as administrative assistants.

View and edit attachments online. When users receive attachments, they can view and edit them
online in Outlook on the web. They do not require a locally installed version of Microsoft Office.

Shared mailboxes and resources. You can use shared mailboxes as a group mailbox for groups of
users that need to share access to a central mailbox. You can configure resources for meeting rooms
and equipment to facilitate booking.

Public folders. Earlier versions of Exchange Server relied on public folders for collaboration. This
feature is still available in Exchange Online if required.

Message policy and compliance. There are several message policy and compliance features in
Exchange Online such as retention policies, message encryption, eDiscovery, data loss prevention, and
journaling.

Antispam and anti-malware. All Exchange Online subscriptions include Exchange Online Protection,
which provides configurable antispam and anti-malware scanning.

Configurable mail flow. To support specialized mail flow scenarios, you can create send and receive
connectors with varying settings. For example, you can create connectors that require Transport Layer
Security (TLS) with a business partner.

Mobile and multiplatform access. Users can access mailboxes and calendars from Microsoft Outlook
on Windows clients or Mac clients. Outlook on the web supports accessing mailboxes and calendars
from almost any platform. Mobile devices can access mailboxes and calendars by using Exchange
ActiveSync.

Hybrid deployment. You can integrate Exchange Online with an on-premises Exchange Server organization by implementing a hybrid deployment. In a hybrid deployment, Exchange Online and the on-premises Exchange organization can share a single namespace for messaging. A hybrid deployment also supports calendar sharing and mailbox moves between Exchange Online and an on-premises Exchange server.

Migration tools. Exchange Online includes tools to migrate mailboxes from an on-premises Exchange Server organization to Exchange Online. There is also a tool to migrate from any IMAP messaging service to Exchange Online.

Comparing Exchange Online and an on-premises Exchange Server


To determine whether Exchange Online is appropriate for your organization, you need to identify the differences between Exchange Online and on-premises Exchange Server. Some of these differences are:

Large mailboxes. Many on-premises deployments of Exchange Server place relatively low limits on mailbox size, such as one or two gigabytes (GB). Exchange Online supports mailboxes of 50 GB or larger, depending on the plan you have purchased.

High availability. For an on-premises Exchange Server, you need to purchase and configure hardware to store multiple mailbox copies and load balancing to achieve high availability. For true high availability, you also need an alternate datacenter. Exchange Online is highly available by default, with your data replicated to multiple datacenters.

Backups. Exchange Online does not provide traditional backups. Instead, you protect data through retention features such as single-item recovery and litigation hold. This is the same native data protection approach that an on-premises Exchange Server can use instead of backups; it guards against deletion, but it is not a point-in-time copy that you can restore from.

Automatic integration with other Office 365 features. Exchange online offers additional features, such
as Office 365 groups, that integrate multiple Office 365 features together. Another example is the
online viewing and editing of email attachments.

New features. Microsoft has many features in Exchange Online that do not exist in an on-premises
Exchange server, such as the Clutter inbox folder. It is possible that some of these features will be
integrated into on-premises Exchange server in the future, but they will always appear first in
Exchange Online because development happens there first.

Exchange Online subscription options


Exchange Online is a part of Office 365 and comes in several subscription plans, designed to suit the needs of organizations of different types and sizes. Each plan includes different components and features, and bundles several services, such as Office 365 ProPlus or Azure RMS.

All plans include Exchange Online, although the specific features vary depending on the plan you have selected. Consequently, it is important that when you are planning your Exchange Online solution, you choose the appropriate subscription plan for your needs. The following table identifies the important Exchange Online features of each plan. Advanced email features include advanced archiving, legal hold, and compliance features.

Plan                                               Mailbox                      Advanced email   Voicemail integration
-------------------------------------------------  ---------------------------  ---------------  ---------------------
Office 365 Business Essentials / Business Premium  50 GB + 50 GB archive        No               No
Office 365 Enterprise E1 / Government E1           50 GB + 50 GB archive        No               No
Office 365 Education                               50 GB + 50 GB archive        Yes              No
Office 365 Enterprise E3 / Government E3           100 GB + unlimited archive   Yes              Yes
Office 365 Enterprise E5                           100 GB + unlimited archive   Yes              Yes
Office 365 Enterprise K1 / Government K1           2 GB                         No               No

You also can obtain Exchange Online as a stand-alone subscription plan. The following Exchange Online
plans are available:

Exchange Online Plan 1. Provides a 50-gigabyte (GB) mailbox and a 50 GB archive per user.

Exchange Online Plan 2. The same as Plan 1, but also includes advanced email and hosted voicemail
integration.

Exchange Online Protection. Helps protect against spam and malware, and helps to provide a clean
and reliable message stream.

Exchange Online Advanced Threat Protection. Helps to protect your email system from online attacks
from malicious persons.

Exchange Online Archiving. Enables archiving, compliance, and eDiscovery within your messaging
system.

Exchange Online Kiosk. Provides a 2-GB mailbox per user and provides support for Exchange
ActiveSync clients. Does not support role-based administration.

Planning an Exchange Online implementation


Office 365 enables companies to outsource their email to an Exchange-based service that offers significant functionality improvements over other cloud-based and on-premises email systems. When planning Exchange Online and determining whether it is the right choice for your organization, you should consider the following factors:

Architecture. Email organizations, domains, trusts, and multiforest considerations.

Current email system. Type, version, features, support, and mail clients.

Features. Email, calendar, contacts, tasks, and public folders.

User requirements. Access, device support, message handling, and rule configuration.

Usability. Integration with other services, authentication, and ease of connection.


Reliability. Uptime guarantees, and mailbox and message protection.

Security. Authentication, authorization, delegation, and proxy addresses.

Manageability. Administration, ease of access, policy enforcement, and user and group management.

Regulatory. Compliance and eDiscovery.

Regardless of the migration or coexistence option that you identify after analyzing your organization's environment, you should plan for several common factors. These include:

Mailbox sizes. Create and implement a plan to reduce the size of users' mailboxes. Mailbox sizes have a major impact on the time it will take to migrate to Exchange Online. You should discuss options within your organization on how to reduce mailbox sizes, including clearing out old emails, archiving messages to Personal Folders (PST) files, deleting sent items (particularly larger ones), and using rules. Review the organization's tools that will assist you in identifying the largest mailboxes.

Bandwidth. Internet bandwidth, especially the uplink speed, is the second limiting factor that controls how long it takes to migrate to Exchange Online. Talk to the information technology (IT) department about their link speed, the link's quality, and whether this is a good time to upgrade to a faster link or to a symmetric technology.

Directory health. It is vital that you plan for a clean directory service before starting the Deploy phase.
This is also the time to remove duplicate accounts, old groups, unnecessary organizational units
(OUs), retired servers, and old client computers, and generally perform housekeeping on the directory
service. You should also check for errors in the log files and ensure that replication is functioning
correctly.

Mail delivery. If you are implementing coexistence, you must plan where to deliver incoming mail.
Delivery will initially be to the on-premises server, but you will need to determine if this is the best
long-term arrangement in a coexistence scenario. You must also identify the point at which you will
switch over in a cutover or staged migration.

Domain Name Services (DNS) settings. You will need to plan for DNS configuration changes during
the migration process, such as mail exchange records (MX records), canonical name records (CNAME
records), and Autodiscover settings. Remember that DNS settings can take time to propagate globally
and that changing the Time to Live (TTL) setting can help speed up this process.

Communications. It is essential that you communicate relevant and timely information about the
migration plan to users. The pilot users can help assure people that the migration will go smoothly,
but you must not overlook this factor in your planning.

Training. If your organization's users are moving from a different mail client to Outlook, they will require a significant amount of training on this new client. If they are updating from an earlier version of Outlook, they will not require as much training, but you must still include training as a consideration in your plan.

File types. SharePoint Online blocks some file types. Ensure that your users appreciate the implications
of these blocked file types.

Administering Exchange Online


How you administer Exchange Online depends on the tasks you need to accomplish and whether you are using directory synchronization. You can use the Exchange admin center to perform most of the common Exchange Online management tasks, but you might need to use Windows PowerShell to perform some of the more advanced administration tasks.

Administration and directory synchronization
If you are using directory synchronization with Exchange Online, it is essential that you understand how it affects management. Data from the on-premises Active Directory Domain Services (AD DS) is the authoritative source, which means that you need to manage any synchronized users and most of their attributes from the on-premises AD DS. For example, you would configure email addresses in AD DS and then synchronize them to Exchange Online.

For the correct attributes to be available for synchronization, you need to extend the AD DS schema on-
premises. The only supported method to manage the attributes is to install a local on-premises Exchange
Server. Microsoft provides an Exchange Server license to organizations using Office 365 for this purpose.
You can run the Exchange server as a virtual machine with minimal resources, and you do not need to
configure the server for hybrid deployment.

Windows PowerShell for administration


Using Windows PowerShell to administer Exchange Online is similar to using Windows PowerShell to
administer Office 365 users and groups. Before you can connect to Exchange Online, you need to install
the Microsoft Online Services Sign-in Assistant for IT Professionals and the Azure AD module. Then, you
can connect to Exchange Online and use Import-PSSession to import the cmdlets to manage Exchange
Online.

Additional Reading: You can obtain the Microsoft Online Services Sign-In Assistant for IT
Professionals RTW from the Microsoft Download Center: http://aka.ms/vl42dg

Additional Reading: You can download the Azure Active Directory Module for Windows
PowerShell (64-bit version) here: http://aka.ms/Pwx3a9

Complete the following procedure to connect to Exchange Online:

Run Windows Azure Active Directory Module for Windows PowerShell as an administrator, and in the Windows PowerShell window, run the following commands in the sequence shown:

$credential = Get-Credential

Note: When prompted, enter the global admin account credentials for your subscription.

Connect-MsolService -Credential $credential

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking

When you have finished, run Remove-PSSession $exchangeSession. Exchange Online allows only three concurrent remote PowerShell sessions per user, and an abandoned session counts against that limit until it times out.

Note: We recommend that you add these commands to a Windows PowerShell script for convenience, but prompt for the credential rather than storing it in the script. Microsoft has since retired Basic authentication for Exchange Online remote PowerShell; on current tenants, install the ExchangeOnlineManagement module and connect with Connect-ExchangeOnline instead.
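As an added example (not from the course), the procedure above wrapped in a pair of functions so that the session is always removed, even when the work in between fails. It assumes the endpoint named in the procedure and takes the ExchangeOnlineManagement path only if that module is installed; Get-Mailbox in the usage block is just a placeholder for whatever administration the script performs.

```powershell
# Added example (not from the course): connect to Exchange Online, do work, and always
# clean up the session. Endpoint as in the procedure above; the Connect-ExchangeOnline
# branch is used only when the ExchangeOnlineManagement module is present.

function Connect-ExoSession {
    param([pscredential]$Credential = (Get-Credential -Message 'Global admin credentials'))

    if (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {
        # Current tenants: Basic authentication for remote PowerShell has been retired, so use the module.
        Connect-ExchangeOnline -UserPrincipalName $Credential.UserName -ShowBanner:$false
        return $null
    }

    # Legacy remote PowerShell path, exactly as in the lesson, with the missing dashes restored.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null
    return $session
}

function Disconnect-ExoSession {
    param($Session)
    if ($Session) {
        Remove-PSSession $Session          # frees one of the three concurrent sessions allowed per user
    }
    elseif (Get-Command Disconnect-ExchangeOnline -ErrorAction SilentlyContinue) {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

$exo = Connect-ExoSession
try {
    # Placeholder for the actual administration work.
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    Disconnect-ExoSession -Session $exo
}
```

The try/finally is the point of the example: a script that throws halfway through and never reaches Remove-PSSession leaves a session open, and after three such failures the next connection attempt is refused until the orphans time out.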

Question: How will your organization use Exchange Online?



Lesson 2
Managing Exchange Online recipients
An important part of managing your Exchange Online tenant involves creating and managing recipient
objects, including mailboxes, groups, resources, shared mailboxes, contacts, and mail users. You also must
know how to perform bulk management of these objects. In addition, you should know how to use both
the Exchange admin center and Windows PowerShell to manage these objects.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to manage Exchange Online mailboxes.

Explain how to configure Exchange Online email addresses.

Explain how to configure Exchange Online distribution groups.

Explain how to configure Exchange Online resources.


Explain how to configure Exchange Online shared mailboxes.

Explain how to configure Exchange Online contacts.

Explain how to bulk import contacts.


Explain how to configure mail users.

Create and manage Exchange Online recipients.

Managing Exchange Online mailboxes


When you create a new user in Office 365 by using the Office 365 admin center, and assign that user an Office 365 license that includes Exchange Online, a mailbox is created automatically for the user. Having created the user account and mailbox, you can manage the mailbox by using either Windows PowerShell or the Exchange admin center.

Preparing to modify Exchange Online objects
Before you are able to create or modify objects on Exchange Online, you might be prompted to run the following Windows PowerShell cmdlet: Enable-OrganizationCustomization.

Note: You will only be required to run this cmdlet once.

You might encounter this prompt when you attempt to perform the following tasks:

Creating a new role group or creating a new management role assignment.

Creating a new role assignment policy or modifying a built-in role assignment policy.

Creating a new Outlook on the web mailbox policy or modifying a built-in Outlook on the web
mailbox policy.

Creating a new sharing policy or modifying a built-in sharing policy.

Creating a new retention policy or modifying a built-in retention policy.

Managing mailbox properties by using Exchange admin center


From the Exchange admin center, click recipients, select the appropriate user, and then click Edit. You
can then configure the following properties of the mailbox by selecting the various tabs described below:

General. Configure the mailbox's names, display name, and the option to hide the mailbox from the
address list.

Mailbox usage. Provides information on the last sign-in and mailbox space usage.

Contact information. Enables you to configure the postal address and telephone contact details.

Organization. Configure the mailbox user's title, department, company, manager, and employees
who report to the user.

Email address. Configure additional email addresses for the mailbox (the next topic will discuss this
in detail).

Mailbox features. Configure settings such as sharing policy, role assignment policy, retention policy,
address book policy. In addition, enable and configure phone and voice features, mobile device types,
and email access protocols (such as POP and IMAP).

Member of. Manage the mailbox group memberships. You can also do this from the group objects
in the Exchange admin center.

MailTip. Configure a MailTip of up to 175 characters for the mailbox. Users corresponding with the
mailbox see the MailTip.

Mailbox delegation. Configure delegate access for the mailbox. You can configure Send As, Send on
Behalf, and Full Access permissions.

Managing mailbox properties by using Windows PowerShell


You can configure the same properties for a mailbox by using the Azure AD Windows PowerShell
Set-Mailbox cmdlet. For example, the following cmdlet configures mailbox forwarding for the mailbox of
Adam Barr. In this instance, the email will be delivered to both Adam's mailbox and Manuel's mailbox:

Set-Mailbox -Identity "Adam Barr" -DeliverToMailboxAndForward $true -ForwardingSMTPAddress manuel@Adatum.com
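Mailbox forwarding is easy to set and easy to forget, so a defender wants to see where it is configured. The following script is an added example, not part of the course: it lists every forward set with Set-Mailbox, extends the check to inbox rules that forward or redirect (a generalization beyond the single case above), and flags targets outside the tenant's accepted domains. It assumes an Exchange Online PowerShell session is already open.

```powershell
# Added example: report mailbox-level and inbox-rule forwarding across the tenant.
# Assumes an open Exchange Online PowerShell session.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    # Returns $true when the string contains an SMTP address whose domain the tenant
    # does not own. Handles "smtp:user@domain" (ForwardingSmtpAddress) and inbox-rule
    # strings such as 'Manuel [SMTP:manuel@example.com]'.
    param([string]$Target)
    if ($Target -match '([^\s"\[\]:]+@[^\s"\[\]]+)') {
        $domain = ($Matches[1] -split '@')[-1]
        return -not ($acceptedDomains -contains $domain)
    }
    # No SMTP address in the string (an internal recipient referenced by name)
    return $false
}

function Get-ForwardingReport {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Forwarding configured with Set-Mailbox, as in the Adam Barr example
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress.ToString() }
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'Set-Mailbox'
                Target   = $target
                KeepCopy = $mbx.DeliverToMailboxAndForward
                External = Test-ExternalTarget $target
            }
        }
        # Inbox rules forward mail too; enumerating them is slow on large tenants.
        $rules = Get-InboxRule -Mailbox $mbx.Identity |
                 Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
        foreach ($rule in $rules) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Source   = "InboxRule: $($rule.Name)"
                    Target   = $t.ToString()
                    KeepCopy = -not $rule.RedirectTo   # redirect removes the copy
                    External = Test-ExternalTarget $t.ToString()
                }
            }
        }
    }
}

# External forwards move mail out of the tenant, so review those first.
Get-ForwardingReport | Sort-Object External -Descending | Format-Table -AutoSize
```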

Configuring email addresses


To configure additional email addresses in
Exchange Online, you need to follow a slightly
different process than with on-premises versions
of Exchange Server. The key difference is that
Exchange Online does not provide an email
policy, like Exchange Server. As a result, you have
to use alternative approaches for configuring
these additional email addresses.

Email address assignment in Exchange Online
When you create a new tenant account in Office
365, you automatically receive a default domain
name in the form companyname.onmicrosoft.com. The administrator account sign-in details and the
primary email address are set to administratorname@companyname.onmicrosoft.com for the account.

When you add a new user account to a simple Office 365 account that does not have any external
domains configured, the mailbox for that user is automatically assigned an SMTP email address that uses
this default domain. This email address is in the form SMTP:username@domainname.

For example, assume the default domain is adatum.onmicrosoft.com. The default email address policy
will assign a user named Remi Desforges an email address with an @adatum.onmicrosoft.com address,
such as rdesforges@adatum.onmicrosoft.com. Typically, this email address will match his user sign-in to
Office 365.

If you then register an external domain with Office 365, you can create email addresses that use that
domain. New users will get a primary address of @externaldomain and a secondary email address of
@companyname.onmicrosoft.com. You can add additional email addresses and set the primary or reply-
to address for a user, either manually through the Exchange admin center, or in bulk by using Windows
PowerShell.

Note: The primary (or reply-to) SMTP address for a mailbox always contains the acronym
SMTP: in upper case. Secondary and subsequent addresses contain smtp in lower case. For
example, SMTP:user@domain.microsoftonline.com is the primary address, and
smtp:user@domain.com is the secondary address.

Configuring email addresses with the Exchange admin center


To configure additional email addresses, perform the following procedure:

1. In Exchange admin center, click recipients.

2. Under mailboxes, click the mailbox you want to change, and then click Edit.

3. In the Edit User Mailbox window, click email address.

4. Under Email address, click the + sign.

5. Under email address type, ensure that SMTP is selected, and then in the Email address box, enter
the address by using a registered domain name.
6. Optionally, select Make this the reply address to make this address the primary address.

7. Click OK.

Messages sent to this new address will now be delivered to this mailbox. If you selected Make this the
reply address, then this is the address that will receive reply messages.

Configuring email addresses with Windows PowerShell


To configure additional proxy addresses with Windows PowerShell in the form alias@newexternaldomain,
connect to Exchange Online, list all the mailboxes into a variable, and then run the command on each of
the items in the variable. Use the following commands to perform these steps:

$users = Get-Mailbox
foreach ($a in $users) {$a.emailaddresses.Add("smtp:$($a.alias)@newexternaldomain")}
$users | ForEach-Object {Set-Mailbox $_.Identity -EmailAddresses $_.EmailAddresses}

Note: You must connect to the Exchange Online service before running these commands.
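The three-line loop above works, but in practice you want to know the domain is actually accepted by the tenant, avoid adding an address twice, and preview before writing. The following function is an added example, not course code; it uses the @{Add=...} form of -EmailAddresses so the primary address is never rewritten. It assumes an open Exchange Online session, and "newexternaldomain.com" is a placeholder domain.

```powershell
# Added example: add alias@<domain> as a secondary (lower-case smtp:) address to every
# mailbox, with an accepted-domain check and a dry-run switch.
# Assumes an open Exchange Online PowerShell session; the domain name is a placeholder.
function Add-SecondaryProxyAddress {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [switch]$WhatIf   # preview only; nothing is written when set
    )
    # An address in a domain the tenant does not own cannot route and is rejected
    # by Set-Mailbox; check once up front instead of failing per mailbox.
    if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain })) {
        throw "'$Domain' is not an accepted domain in this tenant."
    }
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Lower-case "smtp:" marks a secondary address; the existing upper-case
        # "SMTP:" primary address is left untouched.
        $newAddress = "smtp:$($mbx.Alias)@$Domain"
        if ($mbx.EmailAddresses -contains $newAddress) {
            Write-Verbose "$($mbx.PrimarySmtpAddress): already has $newAddress"
            continue
        }
        # @{Add=...} appends to the collection on the server side, so two admins
        # editing addresses at the same time cannot overwrite each other's changes.
        Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{Add = $newAddress} -WhatIf:$WhatIf
        if (-not $WhatIf) { Write-Output "$($mbx.PrimarySmtpAddress): added $newAddress" }
    }
}

# Dry run first; drop -WhatIf to apply the change.
Add-SecondaryProxyAddress -Domain 'newexternaldomain.com' -WhatIf -Verbose
```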

Managing email addresses with directory synchronization


When you configure directory synchronization to synchronize on-premises Active Directory accounts with
Office 365, there is a flow of information from Active Directory Domain Services (AD DS) to Office 365.
This information includes fields such as SMTP addresses and user principal names (UPNs).

It is important to note that the UPNs and the verified domain names in Office 365 must match. For the sake
of this discussion, let us assume that you are trying to synchronize the ADATUM on-premises domain with
Office 365. In this scenario, the best approach is to set up a UPN suffix of adatum.com in Active Directory
Domains and Trusts, and ensure that all users have that UPN suffix applied. The users then have primary
on-premises SMTP addresses that match their UPNs. In Office 365, you register the adatum.com domain
to Office 365 and set it up for use with Exchange Online.

When you run the first directory synchronization, Office 365 creates the mailboxes in Office 365 and
assigns a primary SMTP address of user@adatum.com. It also creates a secondary address of
user@companyname.onmicrosoft.com. Users can now sign in to Office 365 and access their mailboxes.

If you then either set up password synchronization or implement SSO, typically by using Active Directory
Federation Services (AD FS), users can sign in to Office 365 by using the same credentials that they use for
on-premises sign-ins.

Note: In the case of password sync, there are still two separate accounts, one on-premises and
one in the cloud, but they have the same user name (user@adatum.com), and the password is
synchronized between the two environments.

Configuring distribution groups


In the Office 365 admin center, you can create
security groups and add users to those security
groups. You can then assign permissions to that
security group, such as in SharePoint Online. If
you synchronize your Office 365 account with
your on-premises AD DS, security groups created
in AD DS also synchronize across to Office 365.

Exchange Online provides additional group features, which enable the creation of the
following group types:

Office 365 groups. You can use this type of group to combine multiple Office 365
features to create a space for team collaboration.

Security groups. You can use this type of group to send email messages to all members. You can also
use it to assign security permissions.

Distribution groups. You can use this type of group only to send email messages to all members.

Dynamic distribution groups. The membership of this type of group is based on a query. Any users
matching the query are included in the group membership automatically.

Note: Office 365 groups are covered in Module 10, Planning and Configuring an Office 365
Collaboration Solution.

Note: If you create a security group in Exchange Online, it appears in the Office 365 Admin
center as a mail-enabled security group. However, Office 365 security groups do not appear in
Exchange Online because they are not mail-enabled.

Security groups
A mail-enabled security group enables you to distribute messages and grant access permissions in
Azure AD. To create a mail-enabled security group, perform the following procedure:

1. In Exchange admin center, click recipients, and then click groups.

2. In groups, click the + icon, and then click Security group.

3. In the Display name box, enter the name of the group that you want to appear in the Address Book.

4. In the Alias box, enter a unique alias for the group. This value autopopulates the first part of the
Email address field.

5. Select the domain for the email address from the drop-down list.
6. In the Notes field, give the group a description so that other administrators know what the purpose
of the group is.

7. Under Owners, note that by default, the group creator is an owner. However, you can remove
yourself as an owner and assign ownership to someone else, including to security groups.

8. To add an owner, click the + icon, select users or security groups, click add, and then click OK.

9. Under Members, note that by default, the group owner is a member. However, you can clear the
Add group owners as members check box, and add other members to the group. Alternatively, you
can let the group owner select members.

10. To add a member, click the + icon, select users or security groups, click add, and then click OK.

11. Select the option for Owner approval is required if you want the group owners to receive requests
to join the group. If you do select this option, only group owners can remove members (not the
administrator).

12. Click Save to save the new group.

After creating the mail-enabled security group, you can change the following settings:

General. Change the display name, alias, email address, description, and the option to hide the group
from address lists.
Ownership. Modify the owners of the group.

Membership. Modify the group membership.

Membership approval. Specify whether owner approval is required.

Delivery management. Specify whether external addressees can email this group or only internal
users, and other settings.

Message approval. Configure moderation, specifying who can moderate the group and who can
send messages to the group without moderation.

Email options. Add additional email addresses for the group.

MailTip. Add a MailTip to specify what displays when users send messages to the group.
Group delegation. Specify Send As and Send on Behalf Of permission for users or groups.

Managing mail-enabled security groups with Windows PowerShell


To create a mail-enabled security group in Windows PowerShell called File Server Managers, run the
following cmdlet:

New-DistributionGroup -Name "File Server Managers" -Alias fsadmin -Type security

To show information about this new security group, run the following cmdlet:

Get-DistributionGroup <Name> | FL Name,RecipientTypeDetails,PrimarySmtpAddress

Distribution groups
A distribution group enables you to distribute messages to all of its members; unlike a mail-enabled
security group, it cannot be used to grant access permissions. To create a distribution group, perform
the following procedure:

1. In Exchange admin center, click recipients, and then click groups.

2. In groups, click the + icon, and then click Distribution group.

3. In the New Office 365 Group window, click here to create a distribution list.

4. In the Display name box, enter the name of the group that you want to appear in the Address Book.
5. In the Alias box, enter a unique alias for the group. This value autopopulates the first part of the
Email address field.

6. Select the domain for the email address from the drop-down list.

7. Give the group a description in the Notes field so that other administrators know what the purpose
of the group is.

8. Under Owners, note that by default, the group creator is an owner. However, you can remove
yourself as an owner and assign ownership to someone else, including to distribution groups.

9. To add an owner, click the + icon, select users or distribution groups, click add, and then click OK.

10. Under Members, note that by default, the group owner is a member. However, you can clear the
Add group owners as members check box, and add other members to the group. Alternatively, you
can let the group owner select members.

11. To add a member, click the + icon, select users or distribution groups, click add, and then click OK.

12. Under Choose whether owner approval is required to join the group, you now have the following
options:

o Open. Anyone can join this group without the approval of the group owners.

o Closed. Only the group owners can add members. All requests to join will be rejected
automatically.

o Owner approval. The group owners approve or reject all requests.

13. In addition, under Choose whether the group is open to leave, you can specify the following
options for leaving the group:

o Open. Anyone can leave this group without the approval of the group owners.

o Closed. Only the group owners can remove members. All requests to leave will be rejected
automatically.

14. Click Save to save the new group.

Note: Microsoft is strongly encouraging the use of Office 365 groups instead of
distribution groups. This is why the option to create a distribution group initially starts with a
window to create an Office 365 group.

After creating the mail-enabled distribution group, you can change the following settings:

General. Change the display name, alias, email address, description, and the option to hide the group
from address lists.

Ownership. Modify the owners of the group.

Membership. Modify the group membership.

Membership approval. Specify the options for joining or leaving the group.

Delivery management. Specify whether external addressees or only internal users can email this
group.

Message approval. Configure moderation, specifying who can moderate the group and who can
send messages to the group without moderation.

Email options. Add additional email addresses for the group.


MailTip. Add a MailTip to specify what displays when users send messages to the group.

Group delegation. Specify Send As and Send on Behalf Of permission for users or groups.

Managing mail-enabled distribution groups with Windows PowerShell


To create a mail-enabled distribution group in Windows PowerShell called IT Administrators, run the
following cmdlet:

New-DistributionGroup -Name "IT Administrators" -Alias itadmin -MemberJoinRestriction open

Dynamic distribution groups


Dynamic distribution groups change their membership depending on a query against account types and
additional criteria. Because dynamic distribution lists can be quite large, it is important to design them
correctly. Creating dynamic distribution lists in Exchange admin center is similar to creating a distribution
list, and differs only in how you set up the criteria. When selecting members, you can select any or all of
the following options:

Users with Exchange mailboxes

Mail users with external email addresses

Resource mailboxes

Mail contacts with external email addresses

Mail-enabled groups
You can then add further criteria to refine the number of accounts that will appear in the results. The table
below lists the additional options.

Variable                                               Condition

State or Province                                      A match on the recipient's State or Province property.

Company                                                A match on the recipient's Company property.

Department                                             A match on the recipient's Department property.

Custom attribute N (where N is a number from 1 to 15)  A match on the recipient's CustomAttributeN property.

Note: Filtering based on organizational unit or domain is not available in Exchange Online.

Managing dynamic distribution groups with Windows PowerShell


You can create a dynamic distribution group by using Windows PowerShell with the following cmdlet:

New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Sales Users Dynamic Group" -ConditionalDepartment Sales

To view information about a dynamic distribution list, enter the following cmdlet:

Get-DynamicDistributionGroup -Identity "Marketing" | Format-List
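Because a dynamic group's membership is only resolved when mail is sent, it pays to preview who the filter actually matches before the group is used. The following function is an added example, not course code: it creates the Sales group from the text and evaluates the group's stored recipient filter with Get-Recipient. It assumes an open Exchange Online session.

```powershell
# Added example: create a department-based dynamic distribution group and preview
# its resolved membership. Assumes an open Exchange Online PowerShell session.
function New-PreviewedDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Department
    )
    # -ConditionalDepartment is the precanned department filter; MailboxUsers limits
    # membership to users with Exchange mailboxes (no contacts, mail users or resources).
    $group = New-DynamicDistributionGroup -Name $Name `
        -IncludedRecipients MailboxUsers -ConditionalDepartment $Department

    # The group stores an OPATH filter string. Get-Recipient evaluates it the same
    # way transport does, so the output is exactly who would receive a message.
    Get-Recipient -RecipientPreviewFilter $group.RecipientFilter -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails, Department
}

New-PreviewedDynamicGroup -Name 'Sales Users Dynamic Group' -Department 'Sales'
```

An empty preview usually means the Department attribute is not populated on the mailboxes, not that the cmdlet failed.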



Configuring resources
Resource mailboxes in Office 365 enable you
to assign a mailbox to a room or an item of
equipment and then book that item by sending it
a meeting request. These mailboxes are similar to
those in on-premises Exchange Server and come
in two different types:

Equipment mailboxes. These mailboxes are for communal use, for booking discrete,
portable items of equipment, such as portable projectors, computer monitors, laptops, and
other items. Typically, if a mailbox moves and does not belong to a nominated person, then
an equipment mailbox is a good way to manage it.

Room mailboxes. These mailboxes are for booking immovable objects, such as conference rooms,
meeting rooms, cinemas, sports halls, and swimming pools. In fact, you can create any physical space
as a room and then book it through Exchange Online. If a room has fixed equipment, such as a
ceiling-mounted projector, then that equipment is part of that room. We recommend that you set up
a movable room, such as a portable cabin or a caravan, as a room mailbox.

Note: We recommend that you have a structured and consistent way to label room or
equipment mailboxes so that it is immediately apparent where a room is located or what the
piece of equipment is.

Creating a new room mailbox


To create a new room mailbox in Exchange admin center, perform the following procedure:

1. In Exchange admin center, click recipients, and then click resources.


2. Under resources, click the + (add) icon, and then select Room mailbox.

3. In the Room name field, enter a descriptive name for the room. For example, type Conference
Room 11 306 if the room is in building 11 and identified on the door as room 306.

4. Under Email address, enter the room's email address and select the domain from the list of
registered domain names. Again, make the email address consistent and easy to identify, such as
conf-room-11-306@Adatum.com.

5. Add a Location for the room, such as Building 11, Third Floor.

6. If there is a phone in the room, such as a conference phone, enter that number in the Phone field.

7. Enter a Capacity for the room, such as 25.

8. Click Save to save the new room mailbox.

Note: When you create a room mailbox, the option to Accept or decline booking
requests automatically is enabled.

After creating the room mailbox, you can configure the following settings:

General. Specify the name, capacity, department, company, address book policy, custom attributes,
and the option to hide from address lists.

Booking delegates. Accept booking requests automatically, select delegates, or customize the
acceptance policy for this mailbox.

Booking options. Allow repeated meetings, only schedule during working hours, maximum booking
lead time, maximum meeting duration, and a customized reply to the meeting organizer.

Contact information. Add street, ZIP code, city, and other information, if required.

Email address. Add additional addresses, if required.

MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.
Mailbox delegation. Configure Send As, Send on Behalf Of, and Full Access permission for this
mailbox, as with shared mailboxes.

Managing room mailboxes with Windows PowerShell


To create the mailbox by using Windows PowerShell, run the following cmdlet:

New-Mailbox -Name "Second Floor Conference Room" -Room

To configure the room mailbox to process booking requests automatically, run this cmdlet:

Set-CalendarProcessing <Identity> -AutomateProcessing AutoAccept

Creating a new equipment mailbox


To create a new equipment mailbox in Exchange admin center, perform the following procedure:

1. In Exchange admin center, click recipients, and then click resources.

2. Under resources, click the + (add) icon, and then select Equipment mailbox.

3. In the Equipment name field, enter a descriptive name for the equipment. For example, type
Portable Projector S/N 32011044 if the equipment is a projector with that serial number.
Alternatively, provide a tag number if there is one.
4. Under Email address, enter the equipment's email address and select the domain from the list of
registered domain names. Again, make the email address consistent and easy to identify, such as
projector-32011044@adatum.com.

5. Click Save to save the new equipment mailbox.

Note: When you create an equipment mailbox, the option to Accept or decline booking
requests automatically is enabled.

After creating the equipment mailbox, you can configure the following settings:

General. Specify the name, capacity, department, company, address book policy, custom attributes,
and the option to hide from address lists.

Booking delegates. Accept booking requests automatically, select delegates, or customize the
acceptance policy for this mailbox.

Booking options. Allow repeated meetings, only schedule during working hours, maximum booking
lead time, maximum meeting duration, and a customized reply to the meeting organizer.

Contact information. Add street, Zip/post code, city, and other information, if required.

Email address. Add additional email addresses, if required.



MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.

Mailbox delegation. Configure Send As, Send on Behalf Of, and Full Access permission for this
mailbox, as with shared mailboxes.

Managing equipment mailboxes with Windows PowerShell


To create the mailbox by using Windows PowerShell, run the following cmdlet:

New-Mailbox -Name "Demonstration Laptop" -Equipment

To configure the equipment mailbox to process booking requests automatically, run this command:

Set-CalendarProcessing <Identity> -AutomateProcessing AutoAccept

Configuring shared mailboxes


Shared mailboxes are special types of mailboxes
that multiple users can access to send and receive
email messages. You also can use shared
mailboxes to set up shared calendars where
employees can schedule their vacation time or
plan shifts. Shared mailboxes provide:

A generic email address, such as marketing@adatum.com or
sales@adatum.com, to field customer enquiries.

A way for departments that provide centralized services to respond to requests
from employees or customers, like the helpdesk, human resources department, or printing.

Support for multiple users to monitor and reply to external or internal email addresses.

When a user replies to a message sent to a shared mailbox, the reply appears to come from the shared
mailbox address. In addition, all users who have access to that shared mailbox can see the messages that
have been sent to that account. Shared mailboxes can have the following delegate permissions:

Full Access. Users with Full Access permission can sign in and carry out actions consistent with a
mailbox owner. However, to send mail, users with Full Access permission must also have Send As or
Send on Behalf Of permission. You can configure Full Access permission through Exchange admin
center or by using Windows PowerShell.

Send As. Users with Send As permission can impersonate the mailbox when sending mail. Messages
received are from the mailbox, so they appear to come directly from marketing@adatum.com, for
example. You can configure Send As permission through Exchange admin center or through Windows
PowerShell.

Send on Behalf Of. Send on Behalf Of permission grants the right to send messages, but those
messages are stamped as from Remi Desforges on behalf of Marketing. You can configure Send on
Behalf Of permission from Windows PowerShell only.

Note: Typically, you use shared mailboxes with security groups. You create a security
group, add users to that group, and then grant the security group Full Access and Send As
control on the mail. To change access rights, you then simply add or remove users from the
security group.

Shared mailboxes do not require user licenses, so you can grant both mailbox users and mail users Send
As and Full Access permission. However, you should be aware that, with mail users, you could potentially
be granting someone outside the organization the right to send mail on behalf of the organization.

To create a shared mailbox in Exchange admin center, perform the following procedure:

1. In Exchange admin center, click recipients, and then click shared.

2. Under shared, click the + (add) icon.


3. In the Display name field, enter the name for the mailbox that you want recipients to see. For
example, Marketing if the shared mailbox is to send out mailings from the marketing department.

4. Under Email address, enter the shared mailbox's email address and select the domain from the list of
registered domain names; for example, marketing@adatum.com.

5. Under Users, add the users or groups that you want to have the right to send mail as
marketing@adatum.com. Click the + icon, and from the list of names, click add, and then click OK.
6. Click Save to save the new mailbox.

Users whom you have set up with Send As permission can now enter that address in the From field when
they send emails. The reply comes back to the Marketing mailbox.

After creating the shared mailbox, you can edit the details to add or change further information in the
following tabs:

General. Hide from the address list, and add custom attributes.
Mailbox delegation. Configure Full Access and Send As permissions.

Note: Users that you added when creating the mailbox have both Full Access and Send As
permissions.

Mailbox usage. View current size of the mailbox.

Contact information. Add street, Zip/post code, city, and more information, if required.
Organization. Add manager and department information.

Email address. Add additional email addresses, if required.

Mailbox features. Apply policies, enable and disable protocols, apply litigation hold, set up
archiving, control message delivery, and set message sizes.

Member of. Add to distribution groups.

MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.

Managing shared mailboxes with Windows PowerShell


To create a shared mailbox in Office 365 by using Windows PowerShell, run the New-Mailbox cmdlet:

New-Mailbox -Name "Corporate Printing Services" -Alias corpprint -Shared

To edit the mailbox, use the Set-Mailbox cmdlet, just as with a user mailbox:

Set-Mailbox corpprint -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB
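The note earlier in this topic recommends granting Full Access and Send As to a security group rather than to individual users, and warns that a mail user delegate can mean an external party sending as the organization. The following functions are an added example, not course code: one applies the group pattern, the other lists every explicit delegate on the shared mailbox and flags mail users. They assume an open Exchange Online session; the mailbox and group names are placeholders.

```powershell
# Added example: delegate a shared mailbox to a mail-enabled security group and
# audit its delegates. Assumes an open Exchange Online PowerShell session.
function Grant-SharedMailboxToGroup {
    param(
        [Parameter(Mandatory)][string]$SharedMailbox,
        [Parameter(Mandatory)][string]$SecurityGroup
    )
    # AutoMapping:$false stops Outlook from opening the shared mailbox in every
    # member's profile automatically; members add it when they need it.
    Add-MailboxPermission -Identity $SharedMailbox -User $SecurityGroup `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false | Out-Null
    # In Exchange Online, Send As is a recipient permission, not a mailbox permission.
    Add-RecipientPermission -Identity $SharedMailbox -Trustee $SecurityGroup `
        -AccessRights SendAs -Confirm:$false | Out-Null
}

function Get-SharedMailboxDelegates {
    param([Parameter(Mandatory)][string]$SharedMailbox)
    # Explicit (non-inherited) Full Access entries, minus the built-in SELF entry
    $full = Get-MailboxPermission -Identity $SharedMailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Trustee = $_.User.ToString(); Right = 'FullAccess' } }
    $sendAs = Get-RecipientPermission -Identity $SharedMailbox |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Trustee = $_.Trustee.ToString(); Right = 'SendAs' } }

    foreach ($d in (@($full) + @($sendAs) | Where-Object { $_ })) {
        $r = Get-Recipient -Identity $d.Trustee -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Trustee      = $d.Trustee
            Right        = $d.Right
            Type         = $r.RecipientTypeDetails
            # A mail user's mail is delivered externally, so Send As here lets an
            # outside address send as the shared mailbox. Note this check looks at the
            # trustee only; mail users nested inside a group are not expanded.
            ExternalRisk = ($r.RecipientTypeDetails -eq 'MailUser')
        }
    }
}

New-Mailbox -Name 'Corporate Printing Services' -Alias corpprint -Shared | Out-Null
New-DistributionGroup -Name 'Printing Staff' -Alias printstaff -Type Security | Out-Null
Grant-SharedMailboxToGroup -SharedMailbox corpprint -SecurityGroup printstaff
Get-SharedMailboxDelegates -SharedMailbox corpprint | Format-Table -AutoSize
```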

Configuring contacts
Mail contacts are similar to contacts in AD DS.
When you create mail contacts, they consist of
name fields, an alias, and an external email
address.

Mail contacts do not have a user account in Office 365, and therefore, they cannot sign in. However,
they do appear in the global address list (GAL)
throughout the organization. You can add them
to security groups, distribution groups, or
dynamic distribution groups in Exchange admin
center, but not security groups in the Office 365
admin center. Therefore, you can use contacts just
as you would use entries in your contacts folder in Outlook, with the difference that you can manage
Office 365 contacts centrally.
You can also use contacts within your own hierarchy and assign them a manager. This approach is useful if
your organization engages external contractors or associates.

After creating a contact, you can add some optional fields, such as contact information, phone numbers,
notes, title, department, company, manager, and direct reports. Finally, you can configure a MailTip that
appears when someone sends a message to that person.

To create a contact, perform the following procedure:

1. In Exchange admin center, click recipients, and then click contacts.

2. Click the + (new) icon, and then click Mail contact.

3. In the new mail contact page, enter a First name, Initials, and Last name.

4. The Display name is autogenerated based on those first three fields in the form of First name,
middle initial, Last name, but you can change that format.

5. In the Alias box, enter a unique value.

6. In the External email address box, enter the address to which you want to send mail for that user.

7. Click Save.

Note: Typically, it can take a minute or two for the item to update in Office 365. As a result,
you might see an error message stating that the object does not exist the first time you attempt
to edit the new contact.

The new mail contact now appears in the GAL. After creating the new mail contact, you can edit the
details to add or change further information in the following tabs:

General. Name fields, alias, and external SMTP address.

Contact information. Add street, Zip/post code, city, and other information, if required.

Organization. Add manager and department information.


MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.

Deleting a contact is as simple as selecting the contact and clicking the Delete icon. You can also export
contact information to a .csv file and display additional columns in the Exchange admin center.

Managing mail contacts with Windows PowerShell


To create a contact in Office 365 by using Windows PowerShell, run the New-MailContact cmdlet:

New-MailContact -Name Fred -DisplayName Frederick -ExternalEmailAddress fred@lucernepublishing.com

To view the contact's properties, use the Get-MailContact cmdlet:

Get-MailContact -Identity Fred | Format-List

Bulk importing contacts


Adding multiple contacts individually can be a
time-consuming process. Therefore, if you have a
large number of contacts to import, you can use
Windows PowerShell to perform a bulk import by
using the Import-Csv cmdlet.

To import contacts in bulk, perform the following
steps:

1. Create a .csv file containing the necessary information.

2. Use Windows PowerShell to create the contacts.

3. Customize the newly created contacts by using Windows PowerShell.

The Office 365 community site provides a sample .csv file that you can use as a starting point.

Additional Reading: To download the sample .csv file, refer to: Sample CSV file to bulk-
create external contacts in Exchange Online at: https://aka.ms/yejksx

In the .csv file, do not delete the header row, but you can delete the sample data. You can then populate
the spreadsheet with your own information. At a minimum, you must provide values for the following
fields:

FirstName

LastName

Name

ExternalEmailAddress

You can connect to Exchange Online by using Windows PowerShell and run the following command to
create the contacts:

Import-Csv .\ExternalContacts.csv | ForEach-Object {New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress $_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName}

The contacts will now appear in the GAL. Next, you can add further information about each contact by running the Import-Csv cmdlet again. This time, it is a two-stage process, beginning with this command:

$Contacts = Import-CSV .\externalcontacts.csv

This command imports all the entries in the .csv file into a variable called $Contacts. Next, the following
script replaces each value in the contact record with the new value in the .csv file:

$Contacts | ForEach {Set-Contact $_.Name -StreetAddress $_.StreetAddress -City $_.City -StateOrProvince $_.StateOrProvince -PostalCode $_.PostalCode -Phone $_.Phone -MobilePhone $_.MobilePhone -Pager $_.Pager -HomePhone $_.HomePhone -Company $_.Company -Title $_.Title -OtherTelephone $_.OtherTelephone -Department $_.Department -Fax $_.Fax -Initials $_.Initials -Notes $_.Notes -Office $_.Office -Manager $_.Manager}

Note: Not all of these fields need to be included for a contact. For example, if you are not
adding the Manager for the contacts, then delete the -Manager $_.Manager element from the
command.
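The three-step bulk import above, as an added example that is not part of the course manual: it validates each row, creates only the contacts that do not already exist (so the script can be re-run after a partial failure), and builds the Set-Contact parameters from whichever optional columns are non-empty, so you do not have to hand-edit the command. It assumes an existing Exchange Online PowerShell session; the CSV content is constructed sample data.

```powershell
# Added example, not from the course manual. Assumes an Exchange Online
# PowerShell session. The CSV below is constructed sample data: the third
# row is deliberately invalid to show the validation path.
$SampleCsv = @'
FirstName,LastName,Name,ExternalEmailAddress,Company,Department,Phone,Manager
Fred,Smith,Fred Smith,fred@lucernepublishing.com,Lucerne Publishing,Editorial,+41 41 000 0000,
Anna,Lee,Anna Lee,anna@lucernepublishing.com,Lucerne Publishing,,,
Bad,Row,,not-an-address,,,,
'@

# Optional columns the course lists for Set-Contact; only non-empty cells are sent.
$OptionalFields = 'StreetAddress','City','StateOrProvince','PostalCode','Phone',
    'MobilePhone','Pager','HomePhone','Company','Title','OtherTelephone',
    'Department','Fax','Initials','Notes','Office','Manager'

function Test-ContactRow {
    # Returns $null when the row is usable, otherwise a reason string.
    param([pscustomobject]$Row)
    foreach ($f in 'FirstName','LastName','Name','ExternalEmailAddress') {
        if ([string]::IsNullOrWhiteSpace($Row.$f)) { return "missing required field $f" }
    }
    # Reject addresses that New-MailContact would refuse anyway.
    try { [void][System.Net.Mail.MailAddress]::new($Row.ExternalEmailAddress) }
    catch { return "invalid ExternalEmailAddress '$($Row.ExternalEmailAddress)'" }
    return $null
}

function Import-ExternalContacts {
    param([Parameter(Mandatory)][object[]]$Rows, [switch]$WhatIf)
    foreach ($row in $Rows) {
        $problem = Test-ContactRow $row
        if ($problem) { Write-Warning "Skipping row: $problem"; continue }

        # Stage 1: create the contact only if it does not exist yet, so a
        # re-run after a partial failure does not produce duplicates.
        $existing = Get-MailContact -Identity $row.Name -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-MailContact -Name $row.Name -DisplayName $row.Name `
                -FirstName $row.FirstName -LastName $row.LastName `
                -ExternalEmailAddress $row.ExternalEmailAddress -WhatIf:$WhatIf
        }

        # Stage 2: splat only the optional columns that are present and filled,
        # which replaces deleting "-Manager $_.Manager" by hand from the command.
        $params = @{ Identity = $row.Name }
        foreach ($f in $OptionalFields) {
            if ($row.PSObject.Properties[$f] -and -not [string]::IsNullOrWhiteSpace($row.$f)) {
                $params[$f] = $row.$f
            }
        }
        if ($params.Count -gt 1) { Set-Contact @params -WhatIf:$WhatIf }
    }
}

# Dry run against the constructed data; drop -WhatIf to apply the changes.
$rows = $SampleCsv | ConvertFrom-Csv
Import-ExternalContacts -Rows $rows -WhatIf
# For your own file: Import-ExternalContacts -Rows (Import-Csv .\ExternalContacts.csv)
```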

Configuring mail users


A mail user combines some of the attributes of a full mailbox user with the characteristics of a contact. By configuring mail users, administrators can provide users with the ability to sign in to Office 365, while continuing to provide them with an external email address. Organizations that work with associates often use mail user accounts to provide sign-in facilities to these personnel while forwarding their emails to their external email addresses. You can assign the mail user accounts to a manager and department for administrative purposes.

Note: Administrators use mail users extensively in hybrid Exchange environments. Directory synchronization configures users with on-premises mailboxes as mail users in Office 365, and configures their email address as their on-premises mailbox address. These users then appear in the online GAL as contacts.

The characteristics of a mail user are as follows:

They can sign in to Office 365 and access resources such as Microsoft OneDrive for Business or
SharePoint Online.

They have an email address that is external to Office 365, registered against the
ExternalEmailAddress attribute.

They can have a secondary email address for the default companyname.onmicrosoft.com domain.

To create a new mail user, perform the following procedure:

1. In Exchange admin center, click recipients, and then click contacts.

2. Click the + (new) icon, and then click Mail user.

3. In the New mail user page, enter a First name, Initials, and Last name.

4. The Display name is autogenerated based on those first three fields in the form of First name,
middle initial, Last name, but you can change that format.

5. In the Alias box, enter a unique value.

6. In the External email address box, enter the address to which you want to send mail for that user.

7. In the User ID box, enter the sign-in information for that user and from the drop-down box, select his or her domain from the list of registered domains.

8. In the New password and the Confirm password boxes, enter the user's sign-in password.

9. Click Save.

After creating the new mail user, you can edit the details to add or change further information in the following tabs:

General. Hide from the address list, and add custom attributes.

Contact information. Add street, Zip/post code, city, and other information, if required.

Organization. Add manager and department information.

Email address. Add further email addresses, if required.

Mail flow settings. Restrict who can and cannot send email to this account.

Member of. Add to distribution groups.

MailTip. Create a MailTip to provide additional information that users can see when they select this address in an email.

Managing mail users with Windows PowerShell


To use Windows PowerShell to create a new mail user, run the following command:

New-MailUser -Name <name> -WindowsLiveID <Microsoft ID> -Password (ConvertTo-SecureString -String '<password>' -AsPlainText -Force)

You can then use the Set-MailUser cmdlet to change attributes. The following example changes the
external email address:

Set-MailUser adambarr -ExternalEmailAddress adambarr@contoso.com



Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

A mail user is the same as a mailbox user.



Lesson 3
Planning and configuring Exchange Online permissions
Planning for Exchange Online administration is an important part of the overall planning process. To
deliver the efficiencies that Exchange Online can provide, you must identify how you want to administer
Exchange Online. If you do not define your Exchange Online administration processes properly, you might
fail to meet your requirements for security, feature take-up, and data protection.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the concept of role-based access control (RBAC) and describe the Exchange Online admin
roles.

Describe how to configure delegated permissions.

Explain how to use user roles.

Configure delegated administration in Exchange Online.

Plan for Exchange Online admin roles


Exchange Online uses the RBAC permissions model to restrict the administrative tasks that users can perform within your Exchange organization. With RBAC, you can control the resources that administrators can configure and the features that users can access. You must plan the RBAC permissions carefully to ensure that your administrative model meets your organizational needs. To ensure that your Exchange Online administration is working as it should, we recommend that you apply the following process:

1. Identify the goals you want to achieve by using Exchange Online.

2. Create or apply a change management framework.

3. Set up a change log system to record changes and record any changes to the environment in the documentation system.

4. Identify administrative roles and tasks.

5. Map roles and tasks to existing role groups.

6. Define additional administrative role groups as required.

7. Identify training requirements for administrators and deliver training.

8. Assign users to administrative role groups.

9. Monitor the environment.

Identify the goals you want to achieve by using Exchange Online


Before you start administering Exchange Online or delegate that task to other administrators, you must
identify what you want the new environment to achieve. For example, if you want to reduce
administrative costs by implementing Exchange Online, you would not want to create an administrative
setup that is as complex as your current on-premises one.

Create or apply a change management framework


Regardless of whether you have a change management framework such as Microsoft Operations
Framework in place, you should implement one with Exchange Online. You need to have a process for
identifying, testing, approving, and making changes to the Office 365 configuration.

Set up a change log system to record changes


It is essential that you maintain and update comprehensive documentation of your Office 365 settings.
This is probably the most challenging aspect of systems management, as administrators often neglect
documenting this type of information. However, setting up a documentation system and specifying that it
record configuration changes is an essential part of the change management process.

Identify administrative roles and tasks


You must identify the roles and tasks that you want your administrators to perform. For example, you
might have people in your organization who have unusual job responsibilities and require unique
combinations of access rights to Office 365.

Map roles and tasks to existing role groups


When you have finished defining the administrative requirements, you take those roles and map them to
the existing admin role groups. Office 365 provides several admin role groups, which the next topic will
cover.

Define additional administrative roles as required


If you still have accounts that you cannot map to the existing roles, you need to create new ones,
combining the RBAC permissions so that each account has the rights it needs.

Identify training requirements for administrators and deliver training


Once you have identified the roles and responsibilities of each administrator, you should ensure that the
people assigned to specific roles have the skills and training they need to carry out those tasks. Review
online training resources and official Microsoft training courses that might meet their needs.

Assign users to administrative roles


Once you have identified the administrator roles and personnel, and ensured that they have the requisite
knowledge and skills that they need to perform their tasks (including documenting their actions), you can
now map those people to their respective roles and let them resume their responsibilities.

Monitor the environment


You should ensure that you monitor the Exchange Online environment to check that your team is
performing their responsibilities satisfactorily and recording changes. Remember that one of the best
sources of real-time monitoring will be your users. If you have an Exchange Online service outage, check
with the Office 365 admin center first to eliminate the service itself as a source of failure.

Manage administrative permissions with admin roles


After identifying the administrative tasks your administrators must perform, you must map those administrative tasks to the Exchange admin role groups. Office 365 provides the following admin role groups:

Compliance Management. Members can configure and manage compliance settings within Exchange Online.

Discovery Management. Members can perform mailbox searches in the Exchange organization.

Help Desk. Members can manage the configuration for individual recipients and view recipients in an Exchange organization. Members can only manage the configuration that each user can manage on his or her own mailbox.

Help Desk Administrators (HelpdeskAdmins_<unique value>). Membership in this role group is synchronized across services and managed centrally. You cannot manage this role group through Exchange Online.

Hygiene Management. Members can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange Online.

Organization Management. Members have permissions to manage Exchange objects in the Exchange organization and can also delegate role groups and management roles in the organization.

Recipient Management. Members have rights to create, manage, and delete recipient objects.

Records Management. Members can configure compliance features, including retention policy tags, message classifications, and transport rules.

Tenant Admins (TenantAdmins_<unique value>). Membership in this role group is synchronized across services and managed centrally. You cannot manage this role group through Microsoft Exchange.

UM Management. Members can manage Unified Messaging organization, server, and recipient configuration.

View-Only Organization Management. Members can view recipient and configuration objects and their properties in the Exchange organization.

There are also the admin roles defined in Office 365, such as Billing Admin, Global Admin, and other roles. In Exchange Online, these administrator types have the following mapping and equivalent rights:

Office 365 administrator type    Exchange Online equivalent rights
Global Administrator             Organization Management
Password Administrator           Help Desk Administrator

To assign a user or group to these predefined roles, select the role in Exchange admin center and click
Edit. Then under Members, click the + icon, and add the appropriate members. Click OK and then click
Save.

You can also create your own admin roles. In Exchange admin center:

1. Click permissions, and then on the admin roles tab, click add.

2. In the new role group window, in the Name and Description fields, type a meaningful name and
description that will help identify the function of the role group.

3. Next, under Roles, click the + icon.


4. In the Select a Role window, in the DISPLAY NAME list, select the various roles that you wish to
assign, click add for each, and then click OK.

5. Under Members, click the + icon.

6. In the Select Members window, select the mailboxes and groups that you want to assign to the role,
click add for each, and then click OK.

7. Click Save.

Managing admin roles with Windows PowerShell


To create a new admin role group by using Windows PowerShell, run the New-RoleGroup cmdlet:

New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation" -RecipientOrganizationalUnitScope Adatum.com/BranchOffice

The preceding cmdlet does the following:

Creates a new role group named BranchOfficeAdmins.


Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation
management roles to the BranchOfficeAdmins role group.

Configures a management role scope limited to the BranchOffice OU in the Adatum.com domain.

To add a user to a role group, run the Add-RoleGroupMember cmdlet:

Add-RoleGroupMember "Recipient Management" -Member Adam

To see who belongs to a role group, use the Get-RoleGroupMember cmdlet:

Get-RoleGroupMember "Recipient Management"
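Steps 3, 8 and 9 of the planning process (change log, assignment, monitoring) imply that actual role group membership should be compared with what was approved. The following script does that, as an added example that is not part of the course manual: it reads every role group, diffs the members against a baseline, and flags drift in the high-privilege groups more loudly. It assumes an existing Exchange Online PowerShell session; the baseline and member names are constructed.

```powershell
# Added example, not from the course manual. Assumes an Exchange Online
# PowerShell session. The baseline below is constructed: in practice it
# comes from your change log / documentation system.
$ApprovedMembers = @{
    'Organization Management' = @('Administrator')
    'Recipient Management'    = @('Adam', 'Holly')
    'BranchOfficeAdmins'      = @('Adam')
}
# Groups whose membership drift is treated as an error rather than a warning.
$HighPrivilegeGroups = @('Organization Management', 'Discovery Management', 'Hygiene Management')

function Get-RoleGroupDrift {
    # Emits one object per role group describing how its membership differs
    # from the baseline. Groups absent from the baseline are reported but not diffed.
    param([hashtable]$Baseline = $ApprovedMembers)
    foreach ($group in Get-RoleGroup) {
        $inBaseline = $Baseline.ContainsKey($group.Name)
        $actual     = @(Get-RoleGroupMember -Identity $group.Name | Select-Object -ExpandProperty Name)
        $expected   = if ($inBaseline) { @($Baseline[$group.Name]) } else { @() }
        $unexpected = if ($inBaseline) { @($actual   | Where-Object { $_ -notin $expected }) } else { @() }
        $missing    = if ($inBaseline) { @($expected | Where-Object { $_ -notin $actual })   } else { @() }
        [pscustomobject]@{
            RoleGroup     = $group.Name
            HighPrivilege = $group.Name -in $HighPrivilegeGroups
            Roles         = ($group.Roles -join ', ')
            InBaseline    = $inBaseline
            Unexpected    = $unexpected
            Missing       = $missing
        }
    }
}

$drift = Get-RoleGroupDrift
foreach ($d in $drift) {
    if ($d.Unexpected.Count -gt 0) {
        $level = if ($d.HighPrivilege) { 'ERROR' } else { 'WARN' }
        Write-Warning "[$level] $($d.RoleGroup): members not in baseline: $($d.Unexpected -join ', ')"
    }
    if ($d.Missing.Count -gt 0) {
        Write-Warning "[INFO] $($d.RoleGroup): baseline members not present: $($d.Missing -join ', ')"
    }
}

# Role groups the baseline does not cover at all. The centrally managed
# HelpdeskAdmins_<unique value> and TenantAdmins_<unique value> groups show up here;
# they cannot be changed from Exchange Online, but their members still hold rights.
$drift | Where-Object { -not $_.InBaseline } | Select-Object RoleGroup, Roles | Format-Table -AutoSize
```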

Overview of user roles


You can use user roles in Exchange Online to enable users to manage aspects of their own mailboxes and the distribution groups of which they are owners. To enable this, Exchange Online uses role assignment policies.

Note: The Default Role Assignment Policy exists automatically in your Exchange Online organization. This policy grants users the permission to set their options in Outlook on the web and perform other self-administration tasks.

You can create and customize your own role assignment policies to achieve your organizational
requirements. To do this, from the Exchange admin center:

1. Click permissions, and then click user roles.

2. In user roles, click the + icon.

3. In the role assignment policy window, in the Name and Description fields, type a meaningful name
and description that will help identify the function of the role assignment policy.

4. Select the various check boxes beneath the following headings to configure the necessary
permissions:
a. Contact information

b. Profile information

c. Distribution groups

d. Distribution group memberships

e. Other roles

5. Click Save.

Once you have created the policy, you can assign it to specific users or groups of users. To do this, in the Exchange admin center:

1. Click recipients, and then click mailboxes.


2. Select the appropriate mailbox, and then click Edit.

3. In the User Mailbox window, click the mailbox features tab, in the Role assignment policy list,
click the policy you want to assign, and then click Save.

Note: You can assign the policy to multiple mailboxes by selecting multiple mailboxes in
the Exchange admin center and then, in the action pane, beneath Role Assignment Policy,
clicking Update.

Managing user role groups with Windows PowerShell


To create a new role assignment policy, use the New-RoleAssignmentPolicy cmdlet:

New-RoleAssignmentPolicy "Limited Mailbox Configuration" -Roles MyBaseOptions, MyAddressInformation, MyDisplayName
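The same policy created, compared with the default policy, and assigned to one department's mailboxes with PowerShell rather than the admin center, as an added example that is not part of the course manual. It assumes an Exchange Online PowerShell session, that Get-ManagementRoleAssignment -RoleAssignee accepts a role assignment policy name, and a constructed department value.

```powershell
# Added example, not from the course manual. Assumes an Exchange Online
# PowerShell session; the department value is constructed.
$PolicyName = 'Limited Mailbox Configuration'
$Department = 'Contractors'

if (-not (Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    # Only the roles listed are granted; anything else the default policy
    # allows (for example MyDistributionGroups) is unavailable under this policy.
    New-RoleAssignmentPolicy -Name $PolicyName -Roles MyBaseOptions, MyAddressInformation, MyDisplayName
}

function Get-PolicyRoles {
    # Returns the names of the management roles a role assignment policy grants.
    # Assumption: -RoleAssignee accepts the policy name (it accepts role assignees generally).
    param([Parameter(Mandatory)][string]$Policy)
    Get-ManagementRoleAssignment -RoleAssignee $Policy |
        ForEach-Object { $_.Role.ToString() } | Sort-Object -Unique
}

$defaultRoles = Get-PolicyRoles -Policy 'Default Role Assignment Policy'
$limitedRoles = Get-PolicyRoles -Policy $PolicyName
Write-Output "Roles the default policy grants that '$PolicyName' withholds:"
Compare-Object $defaultRoles $limitedRoles |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

# Assign the policy to every mailbox in the department. Review the list the
# -WhatIf run prints before removing -WhatIf.
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter "Department -eq '$Department'" |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -RoleAssignmentPolicy $PolicyName -WhatIf }

# Verify: department mailboxes that still carry a different policy.
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter "Department -eq '$Department'" |
    ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Where-Object RoleAssignmentPolicy -ne $PolicyName |
    Select-Object Name, RoleAssignmentPolicy
```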

Question: What requirements does your organization have for assigning Exchange Online
permissions? Does your organization use a centralized or decentralized administration
model? What special permissions will you need to configure?

Lab: Managing Exchange Online recipients and permissions
Scenario
A. Datum Corporation is ready to move the second group of pilot users to Office 365. Before completing
the move, you must ensure that you can manage Exchange recipients in Exchange Online. You also must
ensure that you can delegate permissions in Exchange Online.

Objectives
After completing this lab, you will be able to:

Configure Exchange Online recipients.

Delegate administrative permissions.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1

User name: Adatum\Administrator, Adatum\Holly

Password: Pa55w.rd
In all tasks:

Where you see references to Adatumyyxxxx.hostdomain.com, replace Adatumyyxxxx with your unique Office 365 Name displayed in the online lab portal.

Where you see references to yourdomain.hostdomain.com, replace yourdomain with your unique hostdomain.com Name displayed in the online lab portal.

This lab requires the following virtual machines: (use only the VMs required for your lab)
LON-DC1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-DS1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd

Question: What Windows PowerShell cmdlet can you use to add a mail-enabled security
group to your Exchange Online subscription?

Question: In the lab, you ran the Set-CalendarProcessing "Conference Room" -AutomateProcessing AutoAccept cmdlet. What does the -AutomateProcessing AutoAccept switch do?

Module Review and Takeaways


Review Questions

Question: What do you need to do to manage your Exchange Online tenant by using
Windows PowerShell?

Question: What types of groups can you use in Exchange Online?



Module 7
Planning and configuring Exchange Online services
Contents:
Module Overview 7-1

Lesson 1: Planning and configuring email flow in Office 365 7-2

Lab A: Configuring message transport in Exchange Online 7-13

Lesson 2: Planning and configuring email protection in Office 365 7-14

Lesson 3: Planning and configuring client access policies 7-27

Lesson 4: Migrating to Exchange Online 7-32

Lab B: Configuring email protection and client policies 7-45


Module Review and Takeaways 7-46

Module Overview
The Exchange Online functionality in Office 365 is a complete replacement for an on-premises email solution. However, when configuring Exchange Online you should consider several of the same factors that you would when configuring an on-premises solution. You need to configure email flow to allow reception and delivery of Internet messages, and messages from applications and partners. You also need to configure anti-malware and anti-spam settings to meet your organization's needs. To manage Outlook on the web and mobile devices, you can create policies that you can apply to individual users. Finally, your organization likely is using an email solution, so you must plan how to migrate from that existing solution to Exchange Online.

Objectives
After completing this module, you will be able to:

Plan and configure email flow in Office 365.

Plan and configure anti-malware and anti-spam settings in Office 365.

Plan and configure policies for Exchange clients.

Plan and configure a migration to Exchange Online.



Lesson 1
Planning and configuring email flow in Office 365
When you create your Office 365 tenant (the subscriber, typically an organization, that uses your cloud services), it can send and receive Internet messages automatically. However, to receive Internet messages for the email domains that you own, you need to add those domains to Office 365 and configure the necessary Domain Name System (DNS) records to support them. Adding your email domains is what configures the reception of Internet messages for those domains.
You can modify the default mail flow by using connectors, transport rules, and journal rules. Connectors
define settings for sending and receiving messages. Typically, you need to create additional connectors
only to support specialized communication that requires enhanced security, such as Transport Layer
Security (TLS). You can use transport rules to modify messages based on matching conditions, such as
adding a disclaimer to all outbound messages. Journal rules send a copy of selected messages to a journal
mailbox for archiving. You typically would use journaling to meet compliance requirements.

If there are problems with message delivery, you can use message traces to identify the issue. Message traces allow you to search logs, find specific messages, and display information about the message's delivery, including whether there were errors during delivery.

Lesson Objectives
After completing this lesson, you will be able to:
Describe email flow with Office 365.

Describe accepted and remote domains.

Plan and configure connectors.


Plan and configure transport rules.

Plan and configure journal rules.

Plan message flow for Office 365.

Track message flow by using message trace.

Overview of email flow in Office 365


Email flow on the Internet is based on DNS records. When you add a domain to Office 365, a list of the DNS records that you must add to your domain appears. This list covers all the Office 365 services, and it includes the records needed for sending and receiving email.

Receiving email
Email servers on the Internet use mail exchanger (MX) records to identify the server to which email should be delivered. Each domain name that receives email needs to have at least one MX record. You can provide redundancy by using multiple MX records to identify multiple email servers that can receive a specific domain's messages.

For Office 365, you create only one MX record for each domain, and this MX record identifies a host
record that is unique to your domain, and which uses the following format:

domain.mail.protection.outlook.com

When an email is addressed to an address in your domain, the email server delivers the message to this
host record. This host record resolves to multiple IP addresses to provide redundancy. Office 365 creates
and manages the host record automatically when you add the domain.

Office 365 includes antivirus and anti-spam functionality in the Exchange Online Protection (EOP) feature,
which scans all incoming email automatically.

Sending email
Office 365 requires no configuration to send outbound email to the Internet. A mailbox in Office 365 can
send email to the Internet automatically. However, to minimize the chance that a server classifies your
outbound messages as spam, you should configure a sender policy framework (SPF) record.

An SPF record is a text record that you create in DNS for your email domain, and it identifies the sources
that can send messages for your domain. You need to create an SPF record that identifies Office 365 as an
allowed source for your domains email messages.

You can create different types of SPF records, and you should verify the SPF record that Microsoft recommends when you add your domain. In most cases, the text value will be similar to the following:

v=spf1 include:spf.protection.outlook.com -all

The preceding text record indicates that email recipients should query spf.protection.outlook.com for the SPF record that identifies the acceptable email sources for your domain, and the -all qualifier prohibits all other sources.

Additional Reading: For information about customizing SPF records, refer to: Customize an SPF record to validate outbound email sent from your domain at: http://aka.ms/Bg0478
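A check that the MX and SPF records described above are actually published correctly, as an added example that is not part of the course manual. It runs on a Windows host with the DnsClient module (Resolve-DnsName) and needs no Exchange session; it also counts the DNS-querying SPF mechanisms, because the SPF specification (RFC 7208) limits those to 10 per evaluation. The domain name used in the call is a constructed placeholder.

```powershell
# Added example, not from the course manual. Requires Resolve-DnsName
# (DnsClient module on Windows). The domain in the example call is constructed.
function Test-Office365MailDns {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Receiving: Office 365 expects a single MX pointing at <domain>.mail.protection.outlook.com.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' })
    if ($mx.Count -eq 0) {
        $findings.Add('No MX record: the domain cannot receive Internet mail.')
    } else {
        foreach ($r in $mx) {
            if ($r.NameExchange -notlike '*.mail.protection.outlook.com') {
                $findings.Add("MX '$($r.NameExchange)' does not point at Exchange Online Protection.")
            }
        }
        if ($mx.Count -gt 1) { $findings.Add('More than one MX record; Office 365 expects a single MX.') }
    }

    # Sending: exactly one SPF TXT record that includes Office 365 and hard-fails the rest.
    # Long TXT records arrive as several strings that must be joined before parsing.
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' })
    $spf = @($txt | ForEach-Object { ($_.Strings -join '') } | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -ne 1) {
        $findings.Add("Expected exactly one SPF record, found $($spf.Count) (multiple records are a permerror).")
    } else {
        $record = $spf[0]
        if ($record -notmatch 'include:spf\.protection\.outlook\.com') {
            $findings.Add('SPF does not include spf.protection.outlook.com; mail sent from Office 365 may be rejected.')
        }
        if ($record -notmatch '\s-all\s*$') {
            $findings.Add("SPF does not end with -all (found: '$record'); other sources are not hard-failed.")
        }
        # RFC 7208 section 4.6.4: include, a, mx, ptr, exists and redirect each cost a DNS lookup; max 10.
        $lookupPattern = '(?i)(?<=^|\s)[+\-~?]?(include:|a(?=[:/\s]|$)|mx(?=[:/\s]|$)|ptr|exists:|redirect=)'
        $lookups = [regex]::Matches($record, $lookupPattern).Count
        if ($lookups -gt 10) { $findings.Add("SPF needs $lookups DNS lookups; the limit is 10.") }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Mx       = ($mx.NameExchange -join ', ')
        Spf      = ($spf -join ' | ')
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Example run; replace the constructed name with a domain you administer.
Test-Office365MailDns -Domain 'adatum.example' | Format-List
```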

Configuring accepted and remote domains


Office 365 uses accepted and remote domains to control message flow and formatting. An accepted domain identifies a domain for which your Office 365 tenant receives email. A remote domain specifies formatting options that the server uses when sending messages to an external domain.

Accepted domains
When you add a domain to Office 365, and prove ownership of it, Office 365 adds it automatically as an accepted domain in Exchange Online. After you assign email addresses in that domain to mailboxes, the mailboxes can receive messages immediately.

In Exchange Online, an accepted domain can be:

Authoritative. An authoritative domain is one for which Exchange Online is completely responsible.
Exchange Online hosts all recipients for that domain. This is the most common configuration for an
accepted domain.

Internal relay. An internal relay domain is used when some mailboxes are in Exchange Online and
some mailboxes are in an external organization. Messages received for an internal relay domain are
first evaluated to identify whether there is a matching recipient in Exchange Online. If there is a
matching recipient, Exchange Online delivers the message to that recipient. If no matching recipient
is found, Exchange Online forwards the message through a send connector that is defined for the
internal relay domain. The send connector for the internal relay domain defines how to deliver the
messages to another organization.

You can use the Windows PowerShell Set-AcceptedDomain cmdlet to manage accepted domains.

Note: On-premises Exchange Server organizations can have external relay domains.
However, external relay domains are not available in Exchange Online.

Remote domains
Remote domains define settings for message delivery to SMTP domains that are external to your tenant in Exchange Online. When you create a remote domain, you control the types of messages that are sent to that domain. You also can apply message-format policies and acceptable character sets for messages that your organization's users send to the remote domain.

There is one remote domain named Default that exists after you enable Exchange Online for your tenant.
This remote domain is defined for the domain name *, which applies to all messages. You can create
remote domains for additional domains, as necessary, and often will create them for partner domains
where you want to allow automated messages that you typically do not allow. For example, a remote
domain for a partner organization may allow users to forward messages automatically that the Default
remote domain blocks.

Some of the settings that you can configure for a remote domain include:

AllowedOOFType. Defines whether external or internal out-of-office messages are delivered to the
remote domain. The default is External.

AutoReplyEnabled. Defines whether automatic replies are sent to the remote domain. The default is
$false.

AutoForwardEnabled. Defines whether messages can be forwarded automatically to the remote domain by using a rule. The default is $false.

DeliveryReportEnabled. Defines whether delivery reports that clients request are sent to the remote
domain. The default is $true.

NDREnabled. Defines whether nondelivery reports are sent to the remote domain. The default is
$true.

ContentType. Defines the format for messages that are sent to the remote domain. The default is
MimeHtmlText, which formats all messages as HTML unless they are text-formatted.

You can use the Windows PowerShell New-RemoteDomain and Set-RemoteDomain cmdlets to create
and manage remote domains.
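The partner scenario described above (relaxing automatic forwarding for one domain while the Default remote domain keeps blocking it), as an added example that is not part of the course manual. It first reports the outward-facing settings of every remote domain, then creates the partner domain. It assumes an Exchange Online PowerShell session; the partner name and domain are constructed.

```powershell
# Added example, not from the course manual. Assumes an Exchange Online
# PowerShell session; the partner name and domain are constructed.
function Get-RemoteDomainExposure {
    # One row per remote domain showing the settings that send information or
    # mail outward. Risk is set when the catch-all (*) domain allows auto-forwarding,
    # because that permits rule-based forwarding of mail to any Internet address.
    Get-RemoteDomain | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            DomainName      = $_.DomainName
            AutoForward     = $_.AutoForwardEnabled
            AutoReply       = $_.AutoReplyEnabled
            OOFType         = $_.AllowedOOFType
            NDR             = $_.NDREnabled
            DeliveryReports = $_.DeliveryReportEnabled
            ContentType     = $_.ContentType
            Risk            = ([string]$_.DomainName -eq '*' -and [bool]$_.AutoForwardEnabled)
        }
    }
}

Get-RemoteDomainExposure | Format-Table -AutoSize

$PartnerName   = 'Fabrikam partner'
$PartnerDomain = 'fabrikam.com'
if (-not (Get-RemoteDomain -Identity $PartnerName -ErrorAction SilentlyContinue)) {
    New-RemoteDomain -Name $PartnerName -DomainName $PartnerDomain | Out-Null
}
# Relax the settings only for the partner: rule-based auto-forwarding, automatic
# replies, and the internal (more detailed) out-of-office message.
Set-RemoteDomain -Identity $PartnerName -AutoForwardEnabled $true -AutoReplyEnabled $true -AllowedOOFType InternalLegacy

# Guard: the Default (*) remote domain must still block automatic forwarding.
$default = Get-RemoteDomain -Identity Default
if ($default.AutoForwardEnabled) {
    Write-Warning 'Default remote domain allows auto-forwarding to any external domain; review it before continuing.'
}
Get-RemoteDomainExposure | Where-Object Risk | Select-Object Name, DomainName, AutoForward
```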

Planning and configuring connectors


Exchange Online automatically accepts email messages from, and sends email messages to, the Internet. However, you can create additional connectors to meet your needs for specific scenarios. One of the most common scenarios requires TLS for inbound or outbound email to a partner organization.

In Exchange admin center, the interface does not reference inbound and outbound connectors, but does provide scenarios in which you choose a source and destination for the messages. When Office 365 is the source, it is an outbound connector. When Office 365 is the destination, it is an inbound connector.

Inbound connectors
Your Exchange Online organization already accepts all incoming messages from the Internet
anonymously. However, you must create additional inbound connectors if you want different security
settings, and some available options for inbound connectors include:

SenderDomains. Use to define specific sender domains to which a connector applies without knowing the specific IP addresses of the sender's servers.

SenderIPAddresses. Use to define specific source IP addresses to which a connector applies.

AssociatedAcceptedDomains. Use to define specific accepted domains to which a connector applies.

RequireTls. Use to specify that TLS must be used for all communication in this inbound connector.

You can use the Windows PowerShell New-InboundConnector and Set-InboundConnector cmdlets to
manage inbound connectors.

Outbound connectors
Your Exchange Online organization already sends outbound messages to the Internet anonymously.
However, you must create additional outbound connectors if you want different security settings, and
some available options for outbound connectors include:

IsTransportRuleScoped. Use to define that Exchange Online directs messages to this outbound
connector, if a transport rule selects it.

RecipientDomains. Use to define a list of recipient domains that use this outbound connector.

UseMXRecord. Use to specify that messages that this outbound connector delivers use MX records
to determine the delivery destination.

SmartHosts. Use to specify a list of IP addresses that are the destination for messages that this
outbound connector delivers.

TlsSettings. Use to specify how the send connector uses TLS. The options are for encryption only, for
certificate validation, and for domain validation.

You can use the Windows PowerShell New-OutboundConnector and Set-OutboundConnector cmdlets
to manage outbound connectors.

TLS for SMTP


By default, Exchange Online uses opportunistic TLS when sending or receiving email messages. This means
that if the destination server has a certificate installed to support TLS, it will use TLS. However, you have
no guarantee that TLS will be used. Therefore, to ensure that security requirements are met, you can
specify TLS for inbound or outbound connectors.
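The partner TLS scenario from this topic, with both directions configured and then verified, as an added example that is not part of the course manual: the inbound connector accepts the partner's domain only over TLS from a server presenting the expected certificate, and the outbound connector delivers only to a partner server whose certificate matches its domain, so opportunistic TLS becomes required TLS for that partner. It assumes an Exchange Online PowerShell session; the partner domain and certificate name are constructed.

```powershell
# Added example, not from the course manual. Assumes an Exchange Online
# PowerShell session; the partner domain and certificate subject are constructed.
$PartnerDomain = 'fabrikam.com'
$PartnerCert   = '*.fabrikam.com'   # subject name on the partner's SMTP certificate
$InboundName   = "Inbound from $PartnerDomain"
$OutboundName  = "Outbound to $PartnerDomain"

# Inbound (Office 365 is the destination): mail claiming to be from the partner
# domain is accepted only over TLS and only from a server that presents the
# partner's certificate, so a third party cannot spoof the partner's domain.
if (-not (Get-InboundConnector -Identity $InboundName -ErrorAction SilentlyContinue)) {
    New-InboundConnector -Name $InboundName -ConnectorType Partner `
        -SenderDomains $PartnerDomain -RequireTls $true `
        -RestrictDomainsToCertificate $true -TlsSenderCertificateName $PartnerCert
}

# Outbound (Office 365 is the source): deliver via the partner's MX records, but
# only when the receiving server offers TLS with a certificate for the partner
# domain (DomainValidation is stricter than EncryptionOnly or CertificateValidation).
if (-not (Get-OutboundConnector -Identity $OutboundName -ErrorAction SilentlyContinue)) {
    New-OutboundConnector -Name $OutboundName -ConnectorType Partner `
        -RecipientDomains $PartnerDomain -UseMXRecord $true `
        -TlsSettings DomainValidation -TlsDomain $PartnerCert
}

# Verify the two connectors as created.
Get-InboundConnector -Identity $InboundName |
    Select-Object Name, Enabled, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
Get-OutboundConnector -Identity $OutboundName |
    Select-Object Name, Enabled, UseMXRecord, TlsSettings, TlsDomain

function Get-WeakPartnerConnectors {
    # Lists partner connectors that still fall back to opportunistic or
    # unvalidated TLS, which is what this topic says you cannot rely on.
    $inbound = Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' -and -not $_.RequireTls } |
        Select-Object @{n='Direction';e={'Inbound'}}, Name, @{n='Setting';e={"RequireTls=$($_.RequireTls)"}}
    $outbound = Get-OutboundConnector | Where-Object {
            $_.ConnectorType -eq 'Partner' -and (-not $_.TlsSettings -or $_.TlsSettings -eq 'EncryptionOnly')
        } | Select-Object @{n='Direction';e={'Outbound'}}, Name, @{n='Setting';e={"TlsSettings=$($_.TlsSettings)"}}
    @($inbound) + @($outbound)
}

Get-WeakPartnerConnectors | Format-Table -AutoSize
```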

Planning and configuring transport rules


You can use transport rules to restrict message flow or modify message contents when messages are in transit. Transport rules can apply to internal or external messages, and Exchange Online evaluates every message to determine whether it matches the conditions in a transport rule.

When you use transport rules, you can:

Prevent specified users from sending or receiving email from other specified users.

Prevent inappropriate content from entering or leaving your organization.

Apply restrictions, based on message classifications, that restrict the flow of confidential organizational information.

Redirect incoming and outgoing messages for inspection before delivery.

Apply disclaimers to messages as they pass through your organization.

Apply message encryption to all outgoing messages.

Transport rules include conditions, actions, and exceptions, and the combination of these parts defines
which messages Exchange Online selects for processing and what action is taken on those messages.

The following section describes the various parts of a transport rule:

Conditions. These indicate the email message attributes, headers, recipients, senders, or other
message parts that Exchange Online uses to identify the email messages to which it applies a
transport rule action. If the email message data that the condition inspects matches the condition's
value, Exchange Online applies the rule, as long as the message does not match an exception. You can
configure multiple transport rule conditions to narrow a rule's scope to very specific criteria. However,
you do not need to apply any conditions, in which case the transport rule applies to all messages.

Note: If you configure multiple conditions on the same transport rule, it will not apply to
an email message unless that message matches all of its conditions. When you specify multiple
values on a single condition, a message satisfies the condition if it matches at least one of the
values.

Actions. Exchange Online applies actions to email messages that match conditions you specify and for
which no exceptions are present. Each action affects email messages in a different way, such as
redirecting an email message to another address, or dropping the message.

Exceptions. Exceptions determine which email messages to exclude from an action. You base
transport rule exceptions on the same predicates that you use to create transport rule conditions.
Transport rule exceptions override conditions, and they prevent Exchange Online from applying a
transport rule action to an email message, even if the message matches all transport rule conditions
that you configure. You can configure multiple exceptions on a transport rule to expand the criteria
for which Exchange Online should not apply a transport rule action.

Note: If you configure multiple exceptions on the same transport rule, only one exception
must match for Exchange Online to cancel the transport rule action. When you specify multiple
values on a single exception, if a message meets at least one of the values, Exchange Online
considers the exception satisfied.
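The following Windows PowerShell example is added here for illustration and is not part of the course manual. It creates two transport rules with New-TransportRule to show how conditions, an exception, and actions combine, and how to audit a rule before enforcing it. It assumes an open Exchange Online PowerShell session; the group and mailbox addresses (finance@adatum.com, compliance-review@adatum.com) are placeholders.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session. All addresses are placeholders.

# Rule 1: conditions, exception, and action.
#   Conditions (ANDed): sender is inside the organization AND at least one
#   recipient is outside it AND the subject or body contains one of the
#   listed words (values within one condition are ORed).
#   Exception: members of the Finance group are exempt even when every
#   condition matches.
#   Action: redirect to a review mailbox instead of delivering the message.
New-TransportRule -Name "Hold confidential mail for review" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential", "Internal Only" `
    -ExceptIfFromMemberOf "finance@adatum.com" `
    -RedirectMessageTo "compliance-review@adatum.com" `
    -Priority 0 `
    -Mode Audit   # Audit first; switch to Enforce after reviewing the hits

# Rule 2: only a scope condition, so it applies to every outbound message.
# Appends an HTML disclaimer; if the message cannot be modified (for example,
# it is signed or encrypted), wrap it in a new message instead of dropping it.
New-TransportRule -Name "External disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>This message is confidential and intended only for the addressee.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 1

# Review what was created. Rules run in priority order (0 first). A rule whose
# Conditions property is empty applies to all messages; check that this is
# what you intended.
Get-TransportRule | Sort-Object Priority |
    Format-List Name, State, Mode, Priority, Conditions, Exceptions, Actions

# Enforce rule 1 once the audit results look right.
Set-TransportRule -Identity "Hold confidential mail for review" -Mode Enforce
```

Audit mode evaluates the rule and records matches without taking the action, which is the safest way to confirm that a new condition set does not sweep up more messages than expected before the redirect starts diverting mail.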

Planning and configuring journal rules

You can use journaling to retain messages for compliance reasons. Exchange Online sends copies of
messages that you identify for journaling to a journaling mailbox, which you can review.

Journal reports
Exchange Online performs envelope journaling, which means that it does not simply copy journaled
messages to the journaling mailbox. Instead, it creates a journal report that it sends to the journaling
mailbox, with the original message as an attachment. The journal report has information about the
message, such as the subject, sender, recipients, and message ID, which is a unique Internet message
identifier. It does not modify the original message.

Journal rules
You create journal rules to identify messages for journaling, based on the journal recipient and scope.
The journal recipient for a journal rule can be:

A specific user or group (messages sent to or from that recipient are journaled)

All messages (every message in the organization, regardless of recipient)

The scopes available for journal rules are:

All messages

Internal messages only

External messages only

Journaling mailbox
When you apply journaling rules, you need to define a mailbox to which Exchange Online delivers journal
reports. You can send all journal reports to the same mailbox, or you can have multiple mailboxes. A
journal mailbox must be a mailbox that is hosted in an external email system, and it cannot be a mailbox
in Office 365.

When you create journaling mailboxes, remember that you must:

Create dedicated journaling mailboxes. Journal reports should not be sent to a mailbox that your
organization uses for other purposes, such as a user's mailbox.

Identify how to perform data removal from journaling mailboxes that meets your compliance goals.
Journaling mailboxes gather large amounts of data quickly, so this is important. Alternatively, if you
have an unlimited archive, you can store messages from a journaling archive indefinitely.

Limit and monitor access to journaling mailboxes. A journaling mailbox typically contains sensitive
information that should not be viewed except for compliance reasons. If you use multiple journal
rules for different purposes, it might be appropriate to have multiple journaling mailboxes so that you
can control access.

You can configure an alternate journaling mailbox, so that you avoid undeliverable messages in queues
when your journaling mailboxes are unavailable. You can configure only one alternate journaling mailbox,
and Exchange Online uses it when any journaling mailbox is unavailable. This is most likely to be used
when a mailbox on an external system is used as the journaling mailbox and the alternative is a mailbox in
Exchange Online.
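The following Windows PowerShell example is added here for illustration and is not part of the course manual. It creates the two kinds of journal rule described above with New-JournalRule and sets the single alternate journaling mailbox with Set-TransportConfig. It assumes an open Exchange Online PowerShell session; journal@humongousinsurance.com and journal-internal@humongousinsurance.com are placeholders for mailboxes on an external email system, and journal-alternate@adatum.com and finance@adatum.com are placeholders in the tenant.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session. The humongousinsurance.com addresses stand in for
# mailboxes on an external email system (a journaling mailbox cannot be an
# Exchange Online mailbox); the adatum.com addresses stand in for tenant
# objects.

# Rule 1: journal messages sent to or from the Finance group, external only.
New-JournalRule -Name "Finance external messages" `
    -Recipient "finance@adatum.com" `
    -Scope External `
    -JournalEmailAddress "journal@humongousinsurance.com" `
    -Enabled $true

# Rule 2: no -Recipient, so it applies to all messages; internal scope only.
# A separate journaling mailbox keeps the two report streams apart so that
# access to each can be limited independently.
New-JournalRule -Name "All internal messages" `
    -Scope Internal `
    -JournalEmailAddress "journal-internal@humongousinsurance.com" `
    -Enabled $true

# One alternate journaling mailbox per tenant. Journal reports are delivered
# here when any journaling mailbox is unavailable, instead of sitting in a
# queue and eventually generating NDRs.
Set-TransportConfig -JournalingReportNdrTo "journal-alternate@adatum.com"

# Verify the rules and the alternate mailbox.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled -AutoSize
Get-TransportConfig | Select-Object JournalingReportNdrTo
```

The -Scope value for "all messages" is Global; Internal and External correspond to the other two scopes listed above. Because the alternate journaling mailbox is an Exchange Online mailbox that receives reports meant for an external system, it needs the same access restrictions as the primary journaling mailboxes.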

Planning message flow for Office 365

Some organizations use only the default Exchange Online message flow, in which Exchange Online
accepts anonymous messages from the Internet and uses opportunistic TLS to secure messages. However,
many organizations have additional needs that might require you to modify the default message flow.

On-premises applications
Many organizations have on-premises applications that deliver email messages, such as:

Accounting systems that send invoices.

Scanners that deliver PDF copies of scanned documents.

Fax servers that deliver PDF copies of faxes.

If an application sends messages only to users in your Exchange Online tenant, the default configuration
might be sufficient. You only need to point the application at Office 365 for message delivery, because
anonymous delivery to recipients in your organization is allowed. However, consider the following scenarios:

The application might need to send messages to external users. The simplest solution is to have the
application authenticate to Exchange Online to send these messages. If you cannot configure the
application to authenticate, you can configure an inbound connector that allows relay to external
addresses, restricted to the application's source IP address. However, you should avoid
unauthenticated relaying whenever possible, because any host that can reach Exchange Online from
that address can then send mail to the Internet as your organization.

The application messages need to be secured. To enforce message security, you can require TLS on an
inbound connector.

Partner organizations
You may have unique requirements when dealing with partner organizations. You can use inbound and
outbound connectors to enforce specific security requirements. You also can use outbound connectors to
deliver messages to email servers that do not have MX records configured. For example, you might:

Require TLS for communication. Typically, financial organizations require TLS because they deal with
confidential information, such as payroll or insurance claims.

Relay messages through a non-Microsoft partner for compliance.

Integration with on-premises Exchange Server


A hybrid configuration integrates Exchange Online with an on-premises Exchange organization, which
allows mailboxes for the same domain to exist in Exchange Online and the on-premises Exchange
organization. When you enable a hybrid configuration, connectors are created to secure message flow
between Exchange Online and the on-premises Exchange server.

Configuring external mail flow for partners

In the Exchange admin center, you create new connectors for mail flow, based on the source and the
destination. Office 365 is either the source or the destination for the connector. The other end of the
connector can be one of the following:

Your organization's email server. Use this option for non-default settings when you have a hybrid
configuration.

Partner organization. Use this option to configure specific settings, such as encryption, for a partner
organization.

Internet. Use this option to configure specific settings for mail to or from anyone on the Internet.

Inbound partner connector


To create an inbound partner connector, you select the following options for the mail flow scenario:

From: Partner Organization

To: Office 365

To identify the partner, you can use the sender's domain or IP address. In most cases, it is easier to identify
partner messages based on the domain in the sender's email address, because you usually do not actively
monitor the IP addresses that your partners use. However, identifying the partner by IP address is more
secure, because it is fairly easy to spoof a sender's email address but not the source address of an SMTP
connection. The trade-off is that a list of IP addresses is more difficult to maintain, because the addresses
might change without notice.

By default, the new connector requires all messages to be encrypted by using TLS. The connector rejects
the message if TLS encryption is not negotiated. To further enhance security, you can require that the
certificate used for TLS contains a specific subject name that identifies the partner organization. You can
specify wildcards such as *.adatum.com.

You also have the option to reject messages if they are not sent from within a specific address range.
However, similar to identifying the partner by the IP address range, this may require maintenance over
time.

Outbound partner connector


To create an outbound partner connector, you select the following options for the mail flow scenario:

From: Office 365

To: Partner Organization

You can identify messages for the connector by the outgoing domain name or by using transport rules.
Message selection based on domain name is simple to implement. All messages sent to the domain will
use the same settings. If you need to support complex scenarios where only specific messages need the
settings in the connector, then you can use transport rules. For example, you could create a transport rule
that redirects messages to the connector only if they are from the accounting department.

For outbound messages, you need to specify whether they will be routed by an MX record or a smart
host. Routing based on MX records sends messages directly to the partner organization. If you have an
archiving system for outbound messages, then you might need to use a smart host. If you have the IP
address of the partner organization, you can use the smart host setting to send messages directly to the
partner when an MX record is not available.

Note: If you route messages through a smart host, any encryption settings that you
configure apply for connectivity between Office 365 and the smart host. The encryption settings
do not affect communication between the smart host and the partner.

By default, the new connector requires all messages to be encrypted by using TLS. In addition, a trusted
certificate authority must issue the certificate that the partner organization uses. If the partner uses a self-
signed certificate, you can configure the connector to allow any digital certificate; be aware that this still
encrypts the session but no longer verifies that the server you connect to belongs to the partner. Finally,
for added security, you can require a specific subject name in the certificate.

At the end of the connector creation process, the wizard prompts you to validate the connection. To
complete this process, Office 365 attempts to send a message over the new connector to an email address
that you provide. If validation is not successful, you can review the connector configuration to find out
why. You can save the connector configuration whether validation is successful or not.
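The following Windows PowerShell example is added here for illustration and is not part of the course manual. It builds the inbound and outbound partner connectors described in this topic with New-InboundConnector and New-OutboundConnector, using the options (RecipientDomains, UseMXRecord, SmartHosts, TlsSettings, IsTransportRuleScoped) introduced at the start of the lesson, and finishes with the cmdlet equivalent of the wizard's validation step. It assumes an open Exchange Online PowerShell session, a partner domain humongousinsurance.com whose servers are in 203.0.113.0/24 (a documentation address range used as a placeholder) and whose TLS certificate is issued for *.humongousinsurance.com, and a group accounting@adatum.com. The relay host and test recipient names are placeholders too.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session. The partner domain, its address range (a documentation
# range used as a placeholder), its certificate subject, the relay host and
# the test recipient are all assumptions; confirm the real values with the
# partner before using them.

# Inbound partner connector: identified by sender domain, but mail for that
# domain is rejected unless it also comes from the partner's address range
# (RestrictDomainsToIPAddresses), arrives over TLS (RequireTls), and presents
# a certificate whose subject matches the partner (TlsSenderCertificateName).
New-InboundConnector -Name "Inbound from Humongous Insurance" `
    -ConnectorType Partner `
    -SenderDomains "humongousinsurance.com" `
    -SenderIPAddresses "203.0.113.0/24" `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -TlsSenderCertificateName "*.humongousinsurance.com" `
    -Enabled $true

# Outbound partner connector selected by recipient domain: routes by MX record
# and requires TLS with a certificate that chains to a trusted CA AND matches
# the partner's domain (DomainValidation). CertificateValidation would skip
# the subject check; EncryptionOnly would accept a self-signed certificate,
# which encrypts the session but no longer authenticates the partner.
New-OutboundConnector -Name "Outbound to Humongous Insurance" `
    -ConnectorType Partner `
    -RecipientDomains "humongousinsurance.com" `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain "*.humongousinsurance.com" `
    -Enabled $true

# Outbound connector selected by a transport rule: routes through a smart host
# (an archiving relay). The TLS setting covers only the hop from Office 365 to
# the smart host; the smart host's onward delivery is outside your control.
New-OutboundConnector -Name "Accounting via archive relay" `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts "archive-relay.humongousinsurance.com" `
    -TlsSettings CertificateValidation `
    -Enabled $true

New-TransportRule -Name "Route accounting mail via archive relay" `
    -FromMemberOf "accounting@adatum.com" `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector "Accounting via archive relay"

# Cmdlet equivalent of the wizard's validation step: sends a test message
# through the connector to the given address and reports the outcome.
Validate-OutboundConnector -Identity "Outbound to Humongous Insurance" `
    -Recipients "mailflow-test@humongousinsurance.com"

# Review the resulting configuration.
Get-InboundConnector | Format-List Name, ConnectorType, SenderDomains, SenderIPAddresses,
    RequireTls, TlsSenderCertificateName, RestrictDomainsToIPAddresses
Get-OutboundConnector | Format-List Name, RecipientDomains, IsTransportRuleScoped, UseMXRecord,
    SmartHosts, TlsSettings, TlsDomain
```

Validation fails when TLS cannot be negotiated or the certificate does not satisfy the TlsSettings you chose, which is exactly the case you want to catch before enabling the connector for production mail: an outbound connector that cannot be satisfied leaves mail to the partner queued or returned, not delivered in the clear.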

Tracking message flow by using message trace

It is quite common to get reports from users that a message has not been delivered. The message trace
functionality in Exchange Online allows you to view a message's progress through the Exchange Online
servers, and to identify whether a message has been delivered. If the message has not been delivered, you
can investigate based on the error messages in the message trace.

Message trace in Exchange admin center
Exchange admin center provides a simple user interface that you can use to perform a message trace.
When you perform a message trace, you can specify the following search criteria:

Date range

Delivery status

Message ID

Sender

Recipient

Note: When you add a sender or recipient, it might appear that you are unable to add
email addresses that are not part of your organization. However, you can add any email address
by typing it in the box next to the Check names button.

Message trace in Windows PowerShell


You can use the Windows PowerShell Get-MessageTrace cmdlet to search for messages that have been
sent or received. You then can use the Get-MessageTraceDetail cmdlet to view the same details that are
available in Exchange admin center.

Some of the parameters that you can use with the Get-MessageTrace cmdlet include:

StartDate

EndDate

MessageID

SenderAddress

RecipientAddress

FromIP

Note: There often is a delay of 5 to 30 minutes before message trace information is
available after a message is sent. This applies to both Exchange admin center and Windows
PowerShell.
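The following Windows PowerShell example is added here for illustration and is not part of the course manual. It shows the two-step pattern described above: Get-MessageTrace to find the messages, then Get-MessageTraceDetail for the per-hop events of anything that was not delivered, plus a second query that uses FromIP to spot unexpected sending hosts. It assumes an open Exchange Online PowerShell session; the addresses are placeholders.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session; the sender, recipient and domain are placeholders.
# Get-MessageTrace covers recent messages only (older ones need
# Start-HistoricalSearch), and new messages can take 5 to 30 minutes to appear.
$end   = Get-Date
$start = $end.AddDays(-2)

$trace = Get-MessageTrace -SenderAddress "holly@adatum.com" `
    -RecipientAddress "claims@humongousinsurance.com" `
    -StartDate $start -EndDate $end -PageSize 1000

# Overview: one row per message and recipient with its final status.
$trace | Sort-Object Received |
    Format-Table Received, Status, FromIP, ToIP, Subject, MessageId -AutoSize

# Drill into anything that was not delivered. Each detail row is one event
# (Receive, Send, Fail, Defer, Transport rule, ...) with the reason text, which
# is where a rejected TLS session or a transport rule redirect shows up.
$trace | Where-Object { $_.Status -ne "Delivered" } | ForEach-Object {
    "---- $($_.MessageId) to $($_.RecipientAddress): $($_.Status)"
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
        -RecipientAddress $_.RecipientAddress |
        Sort-Object Date |
        Format-Table Date, Event, Action, Detail -AutoSize -Wrap
}

# A different question: which source IPs delivered mail claiming to come from
# your own domain in the same window? Addresses you do not recognize here
# deserve a closer look (spoofing, or an application relay you forgot about).
Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 |
    Where-Object { $_.SenderAddress -like "*@adatum.com" } |
    Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Get-MessageTraceDetail requires the recipient address as well as the trace ID because one message can have a different delivery history for each recipient; looping over the rows returned by Get-MessageTrace, as above, supplies both.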

Check Your Knowledge


Question

You have a trouble ticket to resolve that indicates that automatic replies and
automatically forwarded messages are being delivered outside of your Exchange
organization. Furthermore, the ticket indicates that this behavior needs to stop, and
that you should not allow rule generated messages outside your organization. What
is the best way to implement these changes?

Select the correct answer.

Modify the default remote domain to block automatic replies and automatic
forwarding.

Create a new remote domain that blocks automatic replies and automatic
forwarding

Use Set-OrganizationConfig to block automatic replies and automatic forwarding.

Use a script to block automatic replies and automatic forwarding for all users.

Create a transport rule to block automatic replies and automatic forwarding.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

After adding a domain to Office 365, you need to configure it as an accepted domain before
Exchange Online can use it for email reception.

Lab A: Configuring message transport in Exchange Online


Scenario
The pilot project is going well at A. Datum Corporation. However, before you finish the pilot project and
perform a full deployment, you need to confirm that you can configure Exchange Online settings to
match the on-premises settings for options such as message transport.

Objectives
After completing this lab, you will be able to:

Configure message transport settings.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 35 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL2


User name: Adatum\Administrator, Adatum\Holly, LON-CL2\Francisco

Password: Pa55w.rd

In all tasks:
Where you see references to Adatumyyxxxx.onmicrosoft.com, replace Adatumyyxxxx with your
unique Office 365 Name that displays in the online lab portal.

Additionally, where you see references to yourdomain.hostdomain.com, replace the yourdomain
with your unique hostdomain.com Name that displays in the online lab portal.

Please use only the virtual machines that your lab requires. This lab requires the following virtual
machines:

LON-DC1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-DS1
o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd


LON-CL2

o Sign in as LON-CL2\Francisco using the password Pa55w.rd

Question: Why did you configure the journal rule to send messages to
journal@humongousinsurance.com instead of an Office 365 mailbox?

Question: What formatting options are there for disclaimers in a transport rule?

Lesson 2
Planning and configuring email protection in Office 365
An unprotected mailbox can become filled with spam and malware quickly, so email protection is an
important component of Office 365, which provides it through the Exchange Online Protection (EOP)
feature.

In EOP, you can configure filters to meet your organization's needs, including the malware filter, the
connection filter, and the spam filter. The malware filter specifies how Exchange Online handles messages
that include malware and whether it sends notifications about the malware. The connection filter allows
you to block or allow connections from specific IP addresses. The spam filter has various settings that you
can configure to specify how Exchange Online handles potential spam. You can use reports to monitor
email protection and identify patterns that require further action.

Lesson Objectives
After completing this lesson, you will be able to:
Describe the EOP feature.

Configure the malware filter.

Configure the connection filter.


Configure the spam filter.

Manage the message quarantine.

Describe EOP reports.

Integrate EOP with on-premises Exchange servers.

Describe considerations for configuring email protection.

Overview of EOP
EOP is a cloud service in Exchange Online that provides both anti-spam and antivirus protection. However,
you also can subscribe to EOP as a standalone product for use with on-premises Exchange organizations.

The service level agreement for EOP is:

Anti-spam effectiveness > 99%

False positive ratio < 1:250,000

Blocking of known viruses 100%

Uptime 99.999%

EOP scans inbound and outbound messages. Scanning inbound messages helps protect your
organization, because infected inbound messages are a common malware delivery mechanism. Scanning
outbound messages helps prevent a computer in your organization that may be infected with malware
from sending messages to your colleagues or clients.

In the default configuration of EOP for Exchange Online:

The malware filter deletes all messages in which malware is detected.

The spam filter moves spam messages to the Junk Email folder.

Outbound spam detection is enabled.

Note: To help improve the spam detection process, you can submit spam that was not
detected to junk@office365.microsoft.com. Examples of phishing scams can be sent to
phish@office365.microsoft.com.

Exchange Online Advanced Threat Protection


You can add Exchange Online Advanced Threat Protection to an Exchange Online tenant. Advanced
Threat Protection increases protection against zero-day threats, that is, malware and malicious links that
signature-based scanning does not yet identify.

Advanced threat protection:

Scans suspicious attachments by using real-time behavioral malware analysis to identify previously
unidentified threats.

Scans links in email messages to verify that they are safe.


Provides additional reporting about unknown malware and malicious links.

Configuring the malware filter

Exchange Online uses EOP malware protection to protect user mailboxes against infected messages. EOP
uses multiple industry-leading malware-detection engines to scan incoming and outgoing mail, and it
updates these engines regularly as new virus definitions appear.

You can use anti-malware policies to control what happens when EOP detects malware. One default
anti-malware policy applies to all messages, unless you create additional anti-malware policies. In each
anti-malware policy, you can select the messages to which you want the policy to apply by specifying a
recipient, an accepted domain, or a group.

Detection response
The detection response defines the action that EOP performs when it detects malware in a message. You
can select:

Delete the entire message. EOP deletes the message, and the recipient receives no notification that
the message was blocked.

Delete all attachments and use default alert text. EOP deletes all attachments, but the message is sent
to the user with alert text that notifies them that the attachments were deleted.

Delete all attachments and use custom alert text. This option allows you to customize the alert text
sent when malware is detected. You can use this to provide contact information for your help desk, in
case the user has additional questions, or you can provide instructions for further actions that the user
should perform.

Common attachment types filter

The common attachment types filter blocks attachments by file extension. Any attachment that matches
the filter is treated as malware. This feature is used to block file types commonly used to deliver malware,
such as executable files or Microsoft Office documents with macros. The interface includes a list of
commonly blocked file types that you can customize.

The Default anti-malware policy does not have the common attachment types filter enabled by default.
However, when you create a new anti-malware policy, the common attachment types filter is enabled by
default.

Sender notifications
By default, senders are not notified when the malware filter blocks their messages. You can enable
notifications for internal senders and external senders separately. Notifying senders alerts them that there
is a problem. However, there is a high likelihood that malware from external senders has a spoofed email
address, so when you send the notification, it is sent to an email address that had nothing to do with
sending the infected message.

Administrator notifications
By default, administrators are not notified when the malware filter blocks a message. You can enable
notifications for messages from internal and external senders separately, and you also can specify separate
administrators to notify for internal and external senders.

You might want to be notified when the malware filter blocks internal senders because someone in your
organization should be informed that an internal computer is sending malware. Notifications about
incoming malware are less likely to be useful.

Customizing notifications
You can customize the notifications that are sent for sender and administrator notifications, and you also
can customize the From name and From address, but EOP uses the same name and address for all
notifications.

The notification messages sent to senders and administrators are the same. However, you can configure a
separate subject and message for messages from internal and external senders.
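The following Windows PowerShell example is added here for illustration and is not part of the course manual. It creates an anti-malware policy that combines the detection response, common attachment types filter, sender notifications, administrator notifications and customized notification text described above, binds it to a recipient domain with a rule, and enables the attachment types filter on the Default policy. It assumes an open Exchange Online PowerShell session; the domain, addresses and help desk extension are placeholders.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session; finance.adatum.com, the addresses and the help desk
# extension are placeholders.

# Policy: strip infected attachments and tell the recipient how to get help;
# additionally block common executable and macro-enabled types outright;
# notify the security team about internal senders only (external sender
# addresses are usually spoofed, so notifying about them is mostly noise).
New-MalwareFilterPolicy -Name "Finance malware policy" `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "An attachment was removed because malware was detected. Contact the help desk on extension 1234 if you need the file." `
    -EnableFileFilter $true `
    -FileTypes "exe","scr","com","pif","js","jse","vbs","vbe","wsf","docm","xlsm","pptm" `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@adatum.com" `
    -EnableExternalSenderAdminNotifications $false `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -CustomNotifications $true `
    -CustomFromName "Adatum Mail Security" `
    -CustomFromAddress "mailsecurity@adatum.com" `
    -CustomInternalSubject "Your message was blocked: malware detected" `
    -CustomInternalBody "A message you sent contained malware and was not delivered. Your computer may be infected. Contact the help desk on extension 1234."

# Rule: bind the policy to the recipients it covers. Rules are evaluated in
# priority order; recipients that no rule matches get the Default policy.
New-MalwareFilterRule -Name "Finance malware rule" `
    -MalwareFilterPolicy "Finance malware policy" `
    -RecipientDomainIs "finance.adatum.com" `
    -Priority 0

# The Default policy ships with the common attachment types filter off; turn
# it on for everyone the new rule does not cover.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

# Verify.
Get-MalwareFilterPolicy | Format-List Name, Action, EnableFileFilter, FileTypes,
    EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
Get-MalwareFilterRule | Format-Table Name, MalwareFilterPolicy, RecipientDomainIs, Priority, State
```

An internal-sender administrator notification is the one that matters operationally: it is the earliest sign that a machine or account inside the organization is sending infected mail, and it should reach whoever can isolate that host.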

Configuring the connection filter

Each Exchange Online tenant has one connection filtering policy that applies to all incoming messages.
You can use the connection filtering policy to block or allow specific IP addresses from sending messages
to your organization.

The connection filter has three settings:

IP Allow list. EOP allows messages from IP addresses on this list to bypass the anti-spam filter. You can
use this to ensure that EOP does not block email messages from partner organizations. Messages from
allowed addresses are still scanned for malware.

IP Block list. EOP rejects connections from IP addresses on this list. You can use this to block the IP
addresses of spammers that EOP's anti-spam scanning does not detect automatically. For example, a
computer infected with malware might be sending spam to your users because your addresses are in its
owner's contact list. After you identify this, you can block the IP address of the infected computer.

Enable safe list. When you enable this option, EOP uses a list of trusted senders that Microsoft
maintains to minimize the risk of a false-positive detection of spam. We recommend enabling this
option.

CIDR ranges
In the IP Allow and IP Block lists, you can enter individual IP addresses or Classless Interdomain Routing
(CIDR) ranges such as 23.103.191.0/24. However, you cannot enter a CIDR range wider than /24 in the
connection filter. If you need to cover a larger address space, you must enter multiple /24 ranges or use
a transport rule to set the spam confidence level (SCL) to -1, which means "bypass spam filtering".
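The following Windows PowerShell example is added here for illustration and is not part of the course manual. It edits the tenant's single connection filter policy with Set-HostedConnectionFilterPolicy and shows the transport rule workaround for a range wider than /24. It assumes an open Exchange Online PowerShell session; 203.0.113.0/24, 198.51.100.25 and 192.0.2.77 are documentation addresses used as placeholders, and 198.51.0.0/16 and humongousinsurance.com stand in for a partner's wide address range and domain.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session. The addresses are documentation ranges used as
# placeholders; 198.51.0.0/16 and humongousinsurance.com are assumed partner
# values.

# There is one connection filter policy per tenant, named Default. Use
# @{Add=...} so that existing entries are kept; @{Remove=...} takes one out.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add="203.0.113.0/24","198.51.100.25"} `
    -IPBlockList @{Add="192.0.2.77"} `
    -EnableSafeList $true

# Ranges wider than /24 are not accepted by the connection filter. Either
# split them into /24s or set SCL -1 (bypass spam filtering) in a transport
# rule. Tie the rule to the partner's sender domain as well, so that the
# whole /16 is not trusted for mail claiming to come from anyone at all.
New-TransportRule -Name "Bypass spam filtering for partner range" `
    -SenderIpRanges "198.51.0.0/16" `
    -SenderDomainIs "humongousinsurance.com" `
    -SetSCL -1

# Verify.
Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList
Get-TransportRule -Identity "Bypass spam filtering for partner range" |
    Format-List SenderIpRanges, SenderDomainIs, SetSCL
```

Both the IP Allow list and an SCL -1 rule bypass spam filtering only; malware filtering still runs on those messages. Treat every entry on the allow side as a standing exception and review the lists when a partner relationship ends or a partner changes providers.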

Configuring the spam filter

Spam filters control the detection of spam and what happens to detected spam. Each Exchange Online
tenant includes a single spam filter policy, named Default, that applies to every message that no other
spam filter policy covers. You can modify the Default spam filter or create additional spam filters. By
creating additional spam filters, you can control the spam filter settings based on recipient, recipient
domain, or recipient group membership.

You can manage spam filters in the Exchange admin center or by using the following Windows
PowerShell cmdlets:

New-HostedContentFilterPolicy

Set-HostedContentFilterPolicy

Spam and bulk actions

Exchange Online analyzes incoming messages and assigns each one a spam confidence level (SCL) between
-1 and 9, as follows:

SCL of -1 means that the message bypassed spam filtering (for example, because the sender or source
IP address is on an allow list).

SCL of 4 or less is not spam.

SCL of 5 or 6 is spam, which means that the message is likely to be spam but might be a false positive.

SCL of 7 or more is high-confidence spam, which means that the message is almost certainly spam.

You can set different actions for spam and high confidence spam. By default, Exchange Online moves
both categories to the users Junk Email folder, but you could decide to delete all high-confidence spam
instead of putting it in the Junk Email folder.

The actions that you can perform on spam and high-confidence spam are:

Move message to the Junk Email folder. Keeps spam messages from cluttering user inboxes, but still
allows users to access false positive messages.

Add X-header. Adds a header to the message with text of your choosing. You can create transport
rules that perform further processing on these messages.

Prepend subject line with text. Adds text to the beginning of the message subject. You can use this
setting when you want users to know about spam messages, so they can evaluate them, and ensure
users do not ignore them or inadvertently not receive important messages that have been sent to the
Junk Email folder.

Redirect message to an email address. Redirects the message to an email address that you define. You
can use this to have a shared mailbox where spam is stored for later evaluation if required.

Delete message. Deletes the spam message without delivering it to the user or an alternate location.
You can use this to delete messages that have a high likelihood of being spam with a low risk of
being a false positive.

Quarantine message. Places the message in quarantine, from which either the user or an
administrator can release it. This keeps spam out of user mailboxes, and it provides an easy way to
release false positives.

Bulk email is not necessarily spam. EOP maintains a list of bulk email senders and rates them with a Bulk
Complaint Level (BCL) value based on the number of complaints that are received. A BCL of 0 indicates
that a message is not from a bulk sender, while a BCL of 8 or 9 indicates a high number of complaints,
which means that the message likely is spam.

You have the option to mark messages with a specific BCL value as spam. By default, EOP marks messages
from senders with a BCL of 7 as spam, but you can raise or lower this value.

Quarantine
If you send spam messages to quarantine, you can define how long the spam messages are retained in
quarantine. By default, they are retained for 15 days.

You can also perform the following actions on quarantined messages:

Add X-header text.

Prepend text to the subject line.

Redirect to an email address.

Block and allow lists


You can use the block and allow lists to control whether EOP marks messages as spam. EOP always marks
messages from a sender or domain on a block list as high-confidence spam. However, it never marks
messages from a sender or domain on an allow list as spam.

International spam
If your organization has known patterns of messaging that uses only specific languages or receives
messages only from specific regions, you can use international spam settings, which allow you to:

Mark messages in specific languages as high-confidence spam.

Mark messages from specific regions as high-confidence spam.



Advanced options
The advanced options allow you to enable and disable additional scanning criteria that can be used to
identify spam more accurately. By default, all the options are disabled.

You can enable the following criteria to increase a message SCL:

Image links to remote sites

Numeric IP address in URL

URL redirect to other port

URL to .biz or .info websites

You can enable the following criteria to mark messages as spam:

Empty messages

JavaScript or VBScript in HTML

Frame or IFrame tags in HTML

Object tags in HTML

Embed tags in HTML

Form tags in HTML

Web bugs in HTML

Apply sensitive word list

SPF record: hard fail

Conditional Sender ID filtering: hard fail

NDR backscatter

To monitor the effect of an advanced option rather than block messages, you can enable it in test
mode. In test mode, EOP can add an X-header to the message that indicates which advanced option
was matched, or it can Bcc a copy of the message to a specific email address.

Note: You can test spam filtering by inserting the following text in a message without any
spaces or line breaks:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Outbound spam preferences


Outbound messages always are scanned by anti-spam engines. However, you can enable the following
settings for outbound spam:

Send a copy of all suspicious outbound email messages to the following email address or addresses.

Send a notification to the following email address or addresses when a sender is blocked for sending
outbound spam.
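The following Windows PowerShell example is added here for illustration and is not part of the course manual. It creates a spam filter policy that sets the spam, high-confidence spam and bulk actions, quarantine retention, end-user notifications, a few advanced options (one in test mode), and sender block/allow lists; binds it to a domain with New-HostedContentFilterRule; and configures the outbound spam preferences with Set-HostedOutboundSpamFilterPolicy. It assumes an open Exchange Online PowerShell session; adatum.com, humongousinsurance.com, spammy.example and secops@adatum.com are placeholders.

```powershell
# Added example, not from the course manual. Assumes an open Exchange Online
# PowerShell session; the domains and addresses are placeholders.

# Policy: spam to Junk Email, high-confidence spam to quarantine, bulk mail
# treated as spam from BCL 6 upward, quarantine kept 30 days with daily
# end-user notifications. Three advanced options are enforced (On); SPF hard
# fail is in test mode (Test), so matches only get an X-header (TestModeAction)
# instead of being marked as spam, letting you measure false positives first.
New-HostedContentFilterPolicy -Name "Standard spam policy" `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -BulkSpamAction MoveToJmf `
    -BulkThreshold 6 `
    -QuarantineRetentionPeriod 30 `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 1 `
    -MarkAsSpamEmptyMessages On `
    -MarkAsSpamJavaScriptInHtml On `
    -MarkAsSpamNdrBackscatter On `
    -IncreaseScoreWithNumericIps On `
    -MarkAsSpamSpfRecordHardFail Test `
    -TestModeAction AddXHeader `
    -BlockedSenderDomains "spammy.example" `
    -AllowedSenderDomains "humongousinsurance.com"

# Rule: apply the policy to one recipient domain; everyone else keeps Default.
New-HostedContentFilterRule -Name "Standard spam rule" `
    -HostedContentFilterPolicy "Standard spam policy" `
    -RecipientDomainIs "adatum.com" `
    -Priority 0

# Outbound spam: copy suspicious outbound mail to, and report blocked senders
# to, the security team. A sender blocked for outbound spam is the usual first
# sign of a compromised account or an infected computer.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients "secops@adatum.com" `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients "secops@adatum.com"

# Verify.
Get-HostedContentFilterPolicy -Identity "Standard spam policy" |
    Format-List SpamAction, HighConfidenceSpamAction, BulkThreshold, QuarantineRetentionPeriod,
        MarkAsSpamSpfRecordHardFail, TestModeAction, AllowedSenderDomains, BlockedSenderDomains
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Format-List BccSuspiciousOutboundMail, NotifyOutboundSpam, NotifyOutboundSpamRecipients
```

An entry in AllowedSenderDomains means that mail claiming to be from that domain is never marked as spam, whoever actually sent it; because a From address is easy to forge, prefer the connection filter's IP Allow list or a partner inbound connector with TLS certificate validation when the goal is to trust a specific partner.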

Managing message quarantines

If you set your content policy to direct spam messages into quarantine, and your organization then
receives a message that your content policy classifies as spam, that message goes into a quarantine area.
Messages that match a transport rule also can be placed into quarantine.

Putting messages into quarantine is an alternative to deleting spam or routing it to a user's Junk Email
folder. If you are concerned about false positives, we recommend using a quarantine rather than deleting
spam. If you delete it, you never actually identify whether it was a false positive. However, if you place a
message in quarantine, you can retrieve and evaluate it if a user needs it.

Expiration
If you do nothing with messages in quarantine, by default, messages expire and are removed by EOP after
15 days. However, you can configure your spam filter to define how long you want to keep messages in
quarantine before they expire. Each message has an expiry time based on the spam filter that identified
the message as spam.

Analyzing messages
To determine what you should do with a message, you can view the message header or preview the
message. Message headers show information such as the servers through which the message was
transferred. When viewing a message header, there is a link to the Microsoft Message Header Analyzer,
which takes the content from the message header and displays it in a more readable format. If you
preview the message, it displays in text instead of HTML, to ensure that any bad code embedded in the
message is not processed.

If you determine that a message is not spam, you can do the following with messages in quarantine:

Release the message to specific recipients.


Release the selected message(s) to all recipients.

Release the selected message(s) and report as false positive.

Release the selected message and allow sender.

Searching for messages


If there are many items in the quarantine, you will want to search for specific messages rather than
browsing the entire list. You can use the advanced search function to search based on the following
criteria:

Message ID

Sender email address

Recipient email address

Subject

Received time

Expires time

Message type (spam, transport rule, bulk, or phish)

End-user spam notifications


If you are placing messages into quarantine instead of the Junk Email folder, you should consider sending
end-user spam notifications, which tell a user that messages addressed to them are waiting in quarantine.
The notification includes a list of quarantined messages.

End-user spam notifications are disabled by default, but you can enable them for each spam-filter policy.
When you enable them, you can select how often notifications are sent. The default value is every three
days.

Note: End users can access their quarantine and release messages by going to
https://admin.protection.outlook.com/quarantine
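The following is an added example, not part of the course material, that covers the quarantine tasks described in this topic (retention, end-user notifications, searching, inspecting headers, and releasing a message) from Exchange Online PowerShell. The policy name, the user address, and the search window are placeholders.

```powershell
# Added example (not from the course). Assumes an Exchange Online PowerShell session and
# that the "Default" content filter policy applies to the user in question. Addresses are placeholders.

# Quarantine spam instead of deleting it, keep it longer than the 15-day default (30 is the
# maximum), and notify users every 3 days so they can review their own quarantined mail.
Set-HostedContentFilterPolicy -Identity "Default" `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -QuarantineRetentionPeriod 30 `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 3

# Search the quarantine with the same criteria the admin center offers: type, recipient,
# and received time. Add -SenderAddress, -Subject or -MessageId to narrow further.
$hits = Get-QuarantineMessage -Type Spam `
    -RecipientAddress "anna@contoso.com" `
    -StartReceivedDate (Get-Date).AddDays(-7) `
    -EndReceivedDate (Get-Date)

$hits | Select-Object ReceivedTime, SenderAddress, Subject, Type, Expires, Identity |
    Format-Table -AutoSize

# Inspect the newest hit before deciding. The header shows the relay path and EOP's verdict
# without rendering the body, so nothing embedded in the message is processed.
$msg = $hits | Sort-Object ReceivedTime -Descending | Select-Object -First 1
if ($null -ne $msg) {
    Get-QuarantineMessageHeader -Identity $msg.Identity

    # Release to the one intended recipient and report it as a false positive so the
    # filters learn from it. -ReleaseToAll would release to every recipient instead, and
    # -AllowSender would additionally add the sender to the allow list.
    Release-QuarantineMessage -Identity $msg.Identity `
        -User "anna@contoso.com" `
        -ReportFalsePositive
}
```

Releasing to a single named user rather than to all recipients keeps the blast radius small if the judgement turns out to be wrong; report the false positive in the same step so the evidence reaches Microsoft while the message is still available.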

Exchange Online Protection reports


You will not find reports for EOP in the Exchange admin center, but you can access them from the
Office 365 admin center in the Security & compliance reports node. The Security & compliance reports
include the following protection reports:

Top senders and recipients. Shows the top senders and recipients for messages, spam, and malware.

Top malware for mail. Shows the most commonly received malware.

Malware detections. Shows the number of messages with malware that EOP has detected.

Spam detections. Shows the number of spam messages that EOP has detected.

Sent and received mail. Shows the number of messages sent and received, categorized as good mail,
malware, spam, and rules.

Spoof mail report. Shows the received messages from an email address in your email domain that are
sent by unauthorized senders.

When you view these reports, you can specify a date selection for the data that you want to display. You
can select 7 days, 14 days, and 30 days, but you also can define a custom time range.

Some reports also have data selections from which you can choose. For example, in the Top senders and
recipients report, you can select to report on:

Top mail recipients

Top mail senders

Top spam recipients

Top malware recipients



For greater convenience, you can configure EOP to send some reports to a central mailbox from which
you can review or archive the messages, and you can schedule EOP to generate reports weekly or
monthly. Each report also has options that you can modify. For example, you can filter the mail traffic
report by sender, recipient, or mail flow direction.

Integrating EOP with on-premises Exchange servers


Office 365 includes EOP, but you also can use it as a standalone solution to protect an on-premises
Exchange organization. This provides the same email protection that Office 365 includes.

Inbound mail flow

When you use EOP with an on-premises Exchange organization, you first configure email delivery for
your domain to EOP, and EOP then forwards messages to the on-premises Exchange organization.

To enable the correct mail flow, you need to:


1. Add your email domain in Office 365.

2. Create a connector from Office 365 to your organization's email server.

3. Change the MX record for your domain to point to Office 365.

When you create a connector to your on-premises organization, EOP will send all messages for all
accepted domains to your on-premises mail server. This means that the messages for all domains you add
in Office 365 are directed to your on-premises mail server. You can specify your email server in the
connector by IP address or fully qualified domain name (FQDN).

To indicate the status of the messages, EOP adds the X-Forefront-Antispam-Report header to messages.
To identify spam messages in your on-premises Exchange organization, you need to create transport rules
to set the SCL. Use the following two commands in the Exchange Management Shell:

New-TransportRule "EOPSpam1" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6

New-TransportRule "EOPSpam2" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6

Securing connectivity
The connector for connectivity to the on-premises mail server requires TLS by default. To support this,
your on-premises mail server must have a certificate installed. You can allow TLS to use any certificate, but
by default, it also requires a certificate from a trusted certification authority (CA). You also have the option
to enforce a specific subject in the certificate.

The firewall in front of your on-premises mail server must forward port 25 to the mail server. To enhance
security, you can restrict connectivity to the mail server, thereby allowing only messages from EOP email
addresses. You also can use a Simple Mail Transfer Protocol (SMTP) relay in your perimeter network, such
as an Exchange Edge server.

Additional Reading: For a list of IP addresses that EOP uses, refer to: Exchange Online
Protection IP addresses at: http://aka.ms/Jbnjfg

The Directory Based Edge Blocking feature


The Directory Based Edge Blocking feature in Exchange can reduce the number of messages sent to your
on-premises mail server significantly. When you implement Directory Based Edge Blocking, only messages
to valid email addresses in your Exchange organization are forwarded to your on-premises mail server.
EOP blocks all messages addressed to invalid email addresses.

To enable Directory Based Edge Blocking, you need to create users in Office 365. You can do this by
implementing directory synchronization with Office 365. Once you create users in Office 365, you can use
transport rules based on recipient, and access messages in end-user spam quarantine.

Note: It is possible to use the New-EOPMailUser cmdlet to create user accounts manually.
However, we recommend directory synchronization for all but the smallest environments. You
also can create new mail users in the Exchange admin center.

Outbound mail flow


You can have your on-premises Exchange organization send messages directly to the Internet or relay
messages through EOP. If you relay outbound messages through EOP, you need to create a connector
from your organization's email server to Office 365.

To secure mail flow from your on-premises Exchange organization to Office 365, you can specify the
source IP address for the messages, or you can use a certificate. When you use a certificate, you specify a
subject name in the certificate installed on your on-premises mail server.
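The following is an added example, not part of the course material, that creates the two connectors this topic describes (EOP to the on-premises server, and the on-premises server to EOP) with TLS required in both directions. The host name mail.contoso.com and the connector names are placeholders; the example assumes that server is reachable on port 25 and holds a certificate from a trusted CA whose subject matches its name.

```powershell
# Added example (not from the course). Assumes an Exchange Online (EOP) PowerShell session.
# mail.contoso.com and the connector names are placeholders.

# Inbound mail flow (EOP -> on-premises): send every accepted domain to the on-premises host,
# bypass MX lookup, and require TLS with a certificate whose subject matches the host name.
New-OutboundConnector -Name "EOP to on-premises" `
    -ConnectorType OnPremises `
    -RecipientDomains "*" `
    -SmartHosts "mail.contoso.com" `
    -UseMXRecord $false `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.contoso.com" `
    -Enabled $true

# Outbound mail flow (on-premises -> EOP -> Internet): accept relay only over TLS from a
# server presenting the expected certificate subject. Identifying the server by certificate
# rather than by IP address means a spoofed source address alone cannot relay through EOP.
New-InboundConnector -Name "On-premises to EOP" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -RequireTls $true `
    -TlsSenderCertificateName "mail.contoso.com" `
    -Enabled $true

# Review the result; confirm TLS is enforced on both connectors.
Get-OutboundConnector -Identity "EOP to on-premises" |
    Format-List ConnectorType, RecipientDomains, SmartHosts, TlsSettings, TlsDomain
Get-InboundConnector -Identity "On-premises to EOP" |
    Format-List ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName
```

If you prefer to identify the on-premises server by source IP address instead, replace -TlsSenderCertificateName with -SenderIPAddresses on the inbound connector; the course text presents both as valid choices, and the certificate subject is the stronger of the two.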

Configuring email protection


The default configuration of EOP does a good job of blocking unwanted spam and malware. However, you
can fine-tune the configuration to meet your organization's needs. When configuring EOP, consider the
following:

Identify appropriate malware notifications. Plan the scenarios for which you want to notify senders,
recipients, or administrators that EOP has detected malware. In most cases, you want to notify an
administrator when EOP detects malware internally.

Enable the safe list setting in connection filtering. To prevent false positives for spam filtering, you
should enable the safe list setting in connection filtering. This prevents EOP from marking known safe
sources as spam.

Delete or quarantine high-confidence spam. It is unlikely that EOP is detecting high-confidence spam
as a false positive. To avoid cluttering your Junk Email folders, delete or quarantine messages that
EOP detects as high-confidence spam.

Enable international spam options. If you know that you are unlikely to receive legitimate messages in
certain languages or from certain regions, configuring this option can reduce spam.

Use the test mode when you first implement advanced options for spam. Using the test mode enables
you to monitor the messages that the advanced option identifies, and ensure that it is not generating
false positives.

Identify groups of users with different protection needs. You can apply malware and spam filter
policies for specific user groups. This allows you to fine-tune the policies to your users' needs, such as
having less spam filtering on a mailbox that receives job applications from the public.

Create a transport rule to block specific file extensions. If you want to block specific file types, you can
create a transport rule that blocks that file type's file extension, so that you can help guard against
users opening high-risk file types.

Run scheduled reports to monitor protection activity. Monitoring protection activity may provide you
with insight about how to improve email protection. For example, if you see that one particular
sender or domain is the source of significant spam, you can investigate why.
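The following is an added example, not part of the course material, that applies most of the recommendations in this list in one script: the connection-filter safe list, quarantining high-confidence spam, international spam options, a looser content filter scoped to one group, internal malware notifications, and a transport rule that blocks high-risk attachment extensions. The group name HR Recruiting, the notification address, and the extension list are placeholders.

```powershell
# Added example (not from the course). Assumes an Exchange Online PowerShell session and a
# distribution group "HR Recruiting" that holds mailboxes receiving applications from the
# public. Group, policy, address and list values are placeholders.

# Safe list in connection filtering: trust sources Microsoft vets, which cuts false positives.
Set-HostedConnectionFilterPolicy -Identity "Default" -EnableSafeList $true

# Baseline content filter: quarantine high-confidence spam (rarely a false positive), leave
# ordinary spam in Junk Email, and block languages and regions you never expect mail from.
Set-HostedContentFilterPolicy -Identity "Default" `
    -HighConfidenceSpamAction Quarantine `
    -SpamAction MoveToJmf `
    -EnableLanguageBlockList $true -LanguageBlockList "ru","zh-cn" `
    -EnableRegionBlockList $true -RegionBlockList "KP"

# A separate, looser policy for the recruiting mailboxes only (no language/region blocking),
# bound by a rule with priority 0 so it is evaluated before the default policy.
New-HostedContentFilterPolicy -Name "Recruiting inbox" `
    -HighConfidenceSpamAction Quarantine `
    -SpamAction MoveToJmf `
    -EnableLanguageBlockList $false `
    -EnableRegionBlockList $false
New-HostedContentFilterRule -Name "Recruiting inbox" `
    -HostedContentFilterPolicy "Recruiting inbox" `
    -SentToMemberOf "HR Recruiting" `
    -Priority 0

# Malware notifications: alert an administrator when malware comes from an internal sender,
# which usually means a compromised account or an infected machine inside the organization.
Set-MalwareFilterPolicy -Identity "Default" `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.com"

# Transport rule: reject messages carrying high-risk attachment extensions with a clear NDR.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentExtensionMatchesWords "exe","js","vbs","scr","hta" `
    -RejectMessageReasonText "Attachments of this type are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Confirm the scoped rule sits ahead of the default policy.
Get-HostedContentFilterRule | Format-Table Name, Priority, HostedContentFilterPolicy, SentToMemberOf
```

The language and region codes shown are only illustrations of the syntax; choose them from your own mail flow reports rather than from this script. Pair the attachment rule with the Replace response in a safe attachments policy if you also need to catch malicious content inside extensions you cannot block outright.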

Configuring Advanced Threat Protection


Advanced Threat Protection enhances the base functionality of EOP by adding processes to identify
zero-day malware and phishing links. Both of these functions enable you to identify and block malware
that is missed by traditional anti-malware protection that relies on signatures of known malware. To
enable Advanced Threat Protection, you create safe attachments policies and safe links policies and then
apply them to users.

Safe attachments policies

A safe attachments policy defines how Advanced Threat Protection processes unknown malware detected
in attachments. When you create a safe attachments policy, you define the response and to which
recipients it applies. You can specify specific users, a specific group, or a recipient domain.

One of the considerations for scanning attachments is the time required. Processing an attachment
typically takes 5-7 minutes. The first implementation of Advanced Threat Protection did not deliver the
message until the attachment was scanned. Now, dynamic delivery delivers the message immediately, but
the attachment is not available until it is scanned.

The four potential responses in a safe attachments policy are described below.

Off - Attachment will not be scanned for malware. Messages to recipients defined by this policy are not
subject to attachment scanning by Advanced Threat Protection. Use this option if you are confident that
the recipients are knowledgeable enough to avoid triggering unknown malware. You can also use this
option when fast delivery of attachments is important.

Monitor - Continue delivering the message after malware is detected; track scan results. Messages to
recipients defined by this policy are delivered even if malware is detected. However, malware detections
are tracked for reporting. You can use this option to identify the frequency of malware detection before
implementing a policy that blocks malware.

Block - Block the current and future emails and attachments with detected malware. Messages to
recipients defined by this policy are not delivered. In addition, any future instances of this attachment
are automatically identified as malware for faster detection.

Replace - Block the attachments with detected malware, continue to deliver the message. Messages to
recipients defined by this policy are delivered with the attachment removed. This response allows users to
see that they have been sent a message and is particularly useful when there is a false positive because
the user can contact an administrator for help.

When malware is detected, you can also choose to redirect the message. When you redirect the message,
it is delivered to a mailbox that you select. You can use this mailbox like a quarantine to forward
attachments that are detected as false positives on to users.
By default, if there is an error in processing the attachment, the response for the message is the same as if
malware was detected. This ensures that malware is not delivered due to a processing error. However, this
also means that all processing errors generate a false positive detection. You can disable this option.

Safe links policies


A safe links policy defines how Advanced Threat Protection scans URLs in email messages for malware.
Links to malware are an increasingly common method used by malware distributors to avoid
signature-based detection for attachments. For example, the malware could be located on a website or a
cloud-based file-sharing service. You need to define the recipients to which a safe links policy applies.

When the action for a safe links policy is On, Advanced Threat Protection rewrites URLs in messages.
When a user clicks the rewritten link, Advanced Threat Protection analyzes the link URL. When a link is
identified as potentially harmful, Advanced Threat Protection redirects the user to a warning page.
Advanced Threat Protection identifies links in HTML-based email messages and text-based email
messages.

The following are some specific options that you can enable.

Use Safe Attachments to scan downloadable content. Adds an extra layer of protection that scans
downloadable files for malware. This can prevent delivery of zero-day malware by links in email messages.

Do not track user clicks. Prevents user clicks from being tracked in reports. Generally, tracking clicks is
useful for identifying malware infection after the fact, but you can disable this for privacy reasons.

Do not allow users to click through to original URL. When an unsafe URL is detected, users have the
option to click through and access this site anyway. Selecting this option removes the option to click
through.

Do not rewrite the following URLs. Defines a list of URLs that will not be rewritten. You can use this
option to define known safe URLs and URLs for web-based applications that might not function properly
when rewritten. For example, you can add the URL for your internal SharePoint sites here.
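The following is an added example, not part of the course material, that creates a safe attachments policy and a safe links policy with the options discussed in the two preceding topics, binds each to a recipient domain, and adds a stricter attachment policy for one group. Parameter names follow the current Exchange Online PowerShell module; the domain contoso.com, the review mailbox, the group name Finance, and the SharePoint URL are placeholders.

```powershell
# Added example (not from the course). Assumes an Exchange Online PowerShell session in a
# tenant licensed for Advanced Threat Protection. Names, addresses and URLs are placeholders.

# Safe attachments: strip detected attachments but deliver the message (Replace), redirect a
# copy of flagged mail to a review mailbox, and treat scan errors as detections (the default).
New-SafeAttachmentPolicy -Name "Standard attachments" `
    -Enable $true `
    -Action Replace `
    -Redirect $true `
    -RedirectAddress "attachment-review@contoso.com" `
    -ActionOnError $true
New-SafeAttachmentRule -Name "Standard attachments" `
    -SafeAttachmentPolicy "Standard attachments" `
    -RecipientDomainIs "contoso.com"

# Safe links: rewrite and scan URLs, also scan downloadable content, keep click tracking for
# after-the-fact investigation, disable click-through, and leave internal SharePoint unrewritten.
New-SafeLinksPolicy -Name "Standard links" `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -DoNotRewriteUrls "https://contoso.sharepoint.com/*"
New-SafeLinksRule -Name "Standard links" `
    -SafeLinksPolicy "Standard links" `
    -RecipientDomainIs "contoso.com"

# A stricter exception for a high-risk group: block the whole message on detection.
# Priority 0 makes this rule win over the domain-wide rule for members of the group.
New-SafeAttachmentPolicy -Name "Finance attachments" -Enable $true -Action Block -ActionOnError $true
New-SafeAttachmentRule -Name "Finance attachments" `
    -SafeAttachmentPolicy "Finance attachments" `
    -SentToMemberOf "Finance" `
    -Priority 0

# Review what was created.
Get-SafeAttachmentPolicy | Format-Table Name, Action, Redirect, RedirectAddress, ActionOnError
Get-SafeLinksPolicy | Format-Table Name, ScanUrls, TrackClicks, AllowClickThrough, DoNotRewriteUrls
```

The redirect mailbox works as the quarantine the course describes: a false positive can be forwarded from there to the user, while the Replace response means the user has already seen that a message arrived and can ask for it.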

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Selecting the Enable safe list option in the connection filter reduces the risk
of false positives.

Question: What is the difference between spam and high-confidence spam?



Lesson 3
Planning and configuring client access policies
You can use client access policies to control settings for Outlook on the web and mobile devices. You can
assign Outlook Web App policies to users, which control the features that are available, access to
attachments, and offline access. For mobile devices, you can create rules that determine the types of
mobile devices that are allowed to connect by using Exchange ActiveSync. You also have the option to
quarantine devices until they are approved. Mailbox policies for mobile devices enforce security settings
on those devices.

Lesson Objectives
After completing this lesson, you will be able to:

Configure Outlook Web App policies.

Configure access for mobile devices.


Configure mailbox policies for mobile devices.

Configuring policies for Outlook on the web


Outlook on the web, formerly known as Outlook Web App, allows users to access their mailboxes by using
a web browser. The feature set in Outlook on the web closely mimics the features that are available in
Microsoft Outlook 2016, and provides features that are not available in previous Outlook versions. In
some cases, when you do not have a locally installed email client, it might be possible to use Outlook on
the web.

After you create your Office 365 tenant with Exchange Online, there is a single Outlook Web App policy
named OWAMailboxPolicy-Default. This policy defines Outlook on the web settings for all users. However,
you have the option to create additional Outlook Web App policies, and you can configure each user to
use a specific Outlook Web App policy. This allows you to vary the Outlook on the web settings for users
with different needs.

Features
The OWAMailboxPolicy-Default policy enables all Outlook on the web features. Your organization may
decide to simplify Outlook on the web, and disable features that your organization has decided not to
support. Some of the features that are used less often are:

Instant messaging

Text messaging

Unified messaging

LinkedIn contact sync

Journaling

File access
Direct file access allows users to access documents that are attached to email messages. If you do not
enable direct file access, users can see that a message has an attachment, but they cannot open or save it.
Direct file access is enabled by default, but you can disable it.

When you enable direct file access, you can allow, block, or force a save for specific file types. You can
specify file types based on file extension or Multipurpose Internet Mail Extensions (MIME) type. By default,
Outlook blocks file types that are likely to contain malicious code that is executable in a web browser, but
it allows unknown file types by default.
You cannot modify the specific file types in the Exchange admin center. You need to use the
Set-OwaMailboxPolicy cmdlet to modify the following properties:

AllowedFileTypes

AllowedMimeTypes

ForceSaveFileTypes

ForceSaveMimeTypes

BlockedFileTypes

BlockedMimeTypes

Offline access
Outlook on the web can work in offline mode, which means that users can sign in to Outlook on the web
and access mailbox content even when they are not connected to Exchange Online. Everything that the
user does in the mailbox synchronizes with Exchange Online when Outlook on the web reestablishes a
connection to Exchange Online, which means that users have a seamless, faster experience when they are
working on a slow network or one that connects intermittently.

Offline access for Outlook on the web is enabled on a computer-by-computer basis. This means that users
need to enable it on each computer where they want to use this feature. Due to security concerns, we
recommend that you enable offline access for Outlook on the web only on private computers.

Offline access for Outlook on the web has limitations. For example, you cannot access your online archive,
team folders, or tasks. You also cannot perform full-text search in your mailbox. To use Outlook on the
web offline, you should use Internet Explorer 10 or newer, Google Chrome 24 or newer, or Safari 5 or
newer.

You can control the ability to enable offline access for Outlook on the web on the Outlook Web App
virtual directory or in the Outlook Web App policies. You can enable offline access:

Always. This is the default option that allows users to enable offline access from any computer.

Private computer. Allows offline access only on private computers.

Never. Offline access is not allowed.
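The following is an added example, not part of the course material, that builds an Outlook Web App policy covering the three topics above: disabling rarely used features, adjusting the file-access lists through the Set-OwaMailboxPolicy properties the course names, and limiting offline access to private computers. The policy name Restricted OWA, the extensions added, and the user address are placeholders.

```powershell
# Added example (not from the course). Assumes an Exchange Online PowerShell session.
# Policy name, added extensions and the user address are placeholders.

# Create a new policy; it starts with the same feature set as OWAMailboxPolicy-Default.
New-OwaMailboxPolicy -Name "Restricted OWA"

# Disable the features the organization has decided not to support.
Set-OwaMailboxPolicy -Identity "Restricted OWA" `
    -InstantMessagingEnabled $false `
    -TextMessagingEnabled $false `
    -UMIntegrationEnabled $false `
    -LinkedInEnabled $false `
    -JournalEnabled $false

# File access: extend the default block list rather than replacing it (the default list
# already covers browser-executable types), force macro-enabled Office files to be saved
# instead of opened, and turn off direct file access on public computers entirely.
$policy    = Get-OwaMailboxPolicy -Identity "Restricted OWA"
$blocked   = @($policy.BlockedFileTypes)   + @(".iso", ".img", ".ps1") | Select-Object -Unique
$forceSave = @($policy.ForceSaveFileTypes) + @(".docm", ".xlsm")       | Select-Object -Unique

Set-OwaMailboxPolicy -Identity "Restricted OWA" `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -BlockedFileTypes $blocked `
    -ForceSaveFileTypes $forceSave `
    -AllowOfflineOn PrivateComputersOnly

# Assign the policy to one user and verify the result.
Set-CASMailbox -Identity "anna@contoso.com" -OwaMailboxPolicy "Restricted OWA"
Get-CASMailbox -Identity "anna@contoso.com" | Format-List OwaMailboxPolicy
Get-OwaMailboxPolicy -Identity "Restricted OWA" |
    Format-List BlockedFileTypes, ForceSaveFileTypes, AllowOfflineOn
```

Reading the existing lists back and appending to them matters: passing -BlockedFileTypes with only your own entries would silently replace the default block list. The public-computer settings only take effect once PublicComputersDetectionEnabled is set, as the next topic explains.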

Public and private computers


Outlook Web App policies have several properties that differentiate between public and private
computers. In Exchange Online, the default configuration treats all computers as private computers. If you
use Set-OrganizationConfig to configure PublicComputersDetectionEnabled as $true, then
computers can be either public or private.

Unlike an on-premises implementation of Exchange Server, users do not get to define whether a
computer is public or private for Exchange Online. For Exchange Online, authentication to Active
Directory Federation Services (AD FS) defines whether a computer is public or private. This is based on the
location of the computer that is initiating authentication rather than the device. If your organization does
not use AD FS for single sign-on with Exchange Online, it is not possible to use public computer detection.

Configuring access for mobile devices


The default configuration of Exchange Online controls access by using Exchange ActiveSync only at the
user level. If you allow users to use Exchange ActiveSync, users can connect from any device that supports
it, which means they could have their mailbox connect to a company mobile phone and their personal
tablet simultaneously. There are no limits on the types of devices to which users can connect.

You can configure the following states for Exchange ActiveSync devices:

Allowed. In the Allowed access state, a mobile device can synchronize through Exchange ActiveSync and
connect to Exchange Online to retrieve email and manipulate calendar information, contacts, tasks, and
notes. This continues as long as the device complies with the configured mobile-device mailbox policy.
This is the default state for all devices, because Exchange Online does not define any quarantine policies.

Blocked. If the device access rule specifies that a device should be blocked, that device cannot connect
to Exchange Online, and receives an HTTP 403 forbidden error. You can block a device based on the
device family, or you can block a specific device model. The user receives an email message from
Exchange Online that indicates that the mobile device was blocked from accessing their mailbox.
Exchange Online also might block a device because it fails to apply the mobile device mailbox policies.

If this is the case, users do not receive an email message that indicates that the mobile device was
blocked from accessing their mailbox. However, the mobile device information that displays in Outlook
on the web indicates that it is blocked because of the device's failure to apply the mobile device mailbox
policies.

Quarantined. When a mobile device is in a quarantined state, it is allowed to connect to Exchange Online.
However, it will have limited data access. The user can add content to their calendar, contacts, tasks, and
notes folders, but the server will not allow the device to retrieve any content from the user's mailbox. The
user receives a single email message that indicates that the mobile device is in quarantine. The device
receives this message, which Exchange Online also makes available in the user's mailbox. You can add
customized text to this message to provide instructions for users whose devices are quarantined. A device
remains in quarantined state until an administrator decides whether to block it or allow it to connect.

If you are placing devices into quarantine, it is important to notify an administrator, who then can
evaluate whether to allow the device to connect. In Windows PowerShell, you can specify who is
notified about quarantined devices, and set the default state for new devices with the following
command:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients Administrator@adatum.com

You can create and manage mobile device access rules by using the Exchange admin center or the
New-ActiveSyncDeviceAccessRule cmdlet. The Exchange admin center provides limited options for rules
based on device family and model. By using the New-ActiveSyncDeviceAccessRule cmdlet, you can
create rules based on the device model, device type, device operating system, user agent, and XMSWL
header. The following example creates a new mobile device access rule:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "Android 4.4.2" -AccessLevel Allow

Note: When you create mobile device access rules in the Exchange admin center, the
families and models from which you can select populate the list based on the device families and
models that have contacted your Exchange Online tenant. Until Exchange ActiveSync devices
connect, the only value listed is All families.
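The following is an added example, not part of the course material, that works through the quarantine flow described above: set quarantine as the default state with an administrator notification and custom user text, add access rules, list what is waiting in quarantine, and approve one device for one user. The addresses, the user text, and the device strings are placeholders; the DeviceOS value is the one used in the course example.

```powershell
# Added example (not from the course). Assumes an Exchange Online PowerShell session.
# Addresses, the message text and the device query strings are placeholders.

# Unknown devices go to quarantine; the administrator is notified, and the user sees
# instructions in the quarantine message.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mdm-admin@contoso.com" `
    -UserMailInsert "Your device is awaiting approval. Contact the service desk with your device ID."

# Access rules: allow a known-good OS build, block a platform the organization does not support.
# Query strings must match exactly what the device reports during sync.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS   -QueryString "Android 4.4.2" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "BlackBerry"    -AccessLevel Block

# What is currently held in quarantine, and for whom.
Get-MobileDevice -Filter "DeviceAccessState -eq 'Quarantined'" |
    Format-Table UserDisplayName, DeviceType, DeviceOS, DeviceId, FirstSyncTime -AutoSize

# Approve one quarantined device for one user. A per-mailbox allowed device ID takes
# precedence over the organization default, so only this device is released.
$device = Get-MobileDevice -Mailbox "anna@contoso.com" |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object -First 1
if ($null -ne $device) {
    Set-CASMailbox -Identity "anna@contoso.com" -ActiveSyncAllowedDeviceIDs @{Add = $device.DeviceId}
}

# Confirm the state change on the next sync.
Get-MobileDevice -Mailbox "anna@contoso.com" |
    Format-Table DeviceType, DeviceOS, DeviceId, DeviceAccessState, DeviceAccessStateReason -AutoSize
```

The same Set-CASMailbox call with -ActiveSyncBlockedDeviceIDs blocks a single device for a single user without affecting the access rules that apply to everyone else.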

Configuring mailbox policies for mobile devices


Mobile clients, such as Exchange ActiveSync
clients, are difficult to secure because the devices
are small and portable, and there is a higher
likelihood that users will lose them or they will be
stolen. However, they can contain highly
confidential information, because the storage
cards that fit into the mobile device expansion
slots can store increasingly large amounts of data.
This data-storage capacity is important to users,
but it can increase security risks for your
organization, as malicious users might be able to
get hold of the device and access this data.

Mobile clients also are difficult to manage by using centralized policies because the devices might rarely,
or never, connect to the internal network. The devices also do not require Active Directory accounts, so
you cannot use GPOs to manage client settings.

Implementing mailbox policies for mobile devices


Mailbox policies for mobile devices provide one option for securing mobile devices. When you apply a
policy to a user, the mobile device downloads the policy automatically the next time that the device
connects through Exchange ActiveSync. Exchange ActiveSync allows you to force password requirements
on a mobile device, and to configure several other security options that are mandatory, so that users
cannot change them from the client side.

You apply mobile device mailbox policies on a user-by-user basis, which means that you can create
different policies for different users. You can modify the default mobile device mailbox policy to meet
your organization's security standards. You then can create additional mobile device mailbox policies that
are exceptions to that baseline.

You can apply mobile device mailbox policies only to the level that the mobile device supports. Policy
settings that the mobile platform does not support on the client side are ignored. Each user is assigned a
default policy that does not enforce any security settings. To ensure that mobile devices are as secure as
possible, you should configure mobile device mailbox policies that require device passwords, and encrypt
the data that users store on their mobile devices.
When implementing a mobile device mailbox policy, you can configure the following options:

This is the default policy. Sets a default policy, and applies it to all users that are not assigned another
policy.

Allow mobile devices that do not fully support these policies to synchronize. Allows devices that do
not support all policy options to synchronize.

Require a password. Enables you to specify password requirements.

Allow simple passwords. Allows users to use passwords, such as 1111 or 1234.

Require an alphanumeric password. Requires a password that includes both numbers and letters, such
as A1B2.

Require encryption on device. Requires the storage on a device to be encrypted.

Minimum password length. Specifies the minimum characters in the password.

Number of sign-in failures before device is wiped. Specifies the number of times users can enter a
device's password incorrectly before the device removes all local data, or performs a wipe. Local
device wipe is the mechanism by which a mobile phone wipes itself, without the request coming from
the server. The result of a local device wipe is the same as that of a remote device wipe. The wipe
resets the device to its factory default settings. When a mobile phone performs a local device wipe,
no confirmation is sent to Exchange Online.

Require sign in after device has been inactive for (minutes). Specifies the time, in minutes, of device
inactivity after which the password is required.

Enforce password lifetime (days). Specifies the maximum time a user can use a password on a device.

Password recycle count. Specifies how many different passwords a user must use before repeating
one of the earlier used passwords.
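The following is an added example, not part of the course material, that hardens the default mobile device mailbox policy with the options listed above, creates an exception policy for devices that cannot enforce every setting, assigns it to a user, and audits which devices have actually applied their policy. The policy name, group, user address, and the specific values chosen are placeholders.

```powershell
# Added example (not from the course). Assumes an Exchange Online PowerShell session.
# Policy names, the user address and the numeric values are placeholders.

# Baseline: tighten the default policy that every user without another assignment receives.
# Each parameter maps to one option from the list above.
Set-MobileDeviceMailboxPolicy -Identity "Default" `
    -PasswordEnabled $true `                      # Require a password
    -AllowSimplePassword $false `                 # Allow simple passwords (off)
    -AlphanumericPasswordRequired $true `         # Require an alphanumeric password
    -MinPasswordLength 8 `                        # Minimum password length
    -RequireDeviceEncryption $true `              # Require encryption on device
    -MaxPasswordFailedAttempts 10 `               # Sign-in failures before wipe
    -MaxInactivityTimeLock "00:05:00" `           # Require sign-in after inactivity (minutes)
    -PasswordExpiration "90.00:00:00" `           # Enforce password lifetime (days)
    -PasswordHistory 5 `                          # Password recycle count
    -AllowNonProvisionableDevices $false          # Devices that cannot apply the policy may not sync

# Exception: shared tablets whose platform cannot enforce every setting are still allowed to
# sync, but only under a policy that keeps the essentials (password and encryption).
New-MobileDeviceMailboxPolicy -Name "Shared kiosk tablets" `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $true

Set-CASMailbox -Identity "kiosk1@contoso.com" -ActiveSyncMailboxPolicy "Shared kiosk tablets"

# Audit: which policy each ActiveSync-enabled mailbox has, and whether each device has
# actually applied it (settings a platform does not support are ignored, so check the status).
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    Format-Table DisplayName, ActiveSyncMailboxPolicy -AutoSize
Get-MobileDeviceStatistics -Mailbox "kiosk1@contoso.com" |
    Format-Table DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync -AutoSize
```

Because a device only downloads the policy on its next Exchange ActiveSync connection, the DevicePolicyApplicationStatus column is the evidence that the setting reached the device rather than just the mailbox.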

Question: How does Office 365 differentiate between public and private computers that
attempt to connect to it?
Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

The default configuration for mobile devices quarantines all devices until an
administrator approves them.

Lesson 4
Migrating to Exchange Online
If you have an existing email deployment, you need to plan how to migrate to Exchange Online.
Depending on your existing mail deployment, you have various migration options. For Exchange
organizations, you can perform a cutover Exchange migration, a staged Exchange migration, or a hybrid
migration. Exchange organizations also might need to migrate public folders. For non-Microsoft email
systems, you can perform an Internet Message Access Protocol (IMAP) migration or a PST import.

Lesson Objectives
After completing this lesson, you will be able to:

Describe options for migrating to Exchange Online.

Implement a cutover Exchange migration.

Implement a staged Exchange migration.


Implement an IMAP migration.

Implement a PST import.

Implement a public folder migration.

Describe full hybrid configuration.

Describe minimal and express hybrid configuration.

Options for migrating to Exchange Online


Most organizations already have email configured as either an on-premises or cloud service. Before you
begin using Exchange Online, it is crucial that you have a migration plan. A well-planned migration
minimizes downtime, and it ensures that messages are not lost during the migration.

When planning a migration to Exchange Online, you need to consider the volume of data that you need
to migrate. This includes the number of mailboxes that you need to migrate, and the amount of data in
each mailbox. Typically, a very small organization that has limited data can do a cutover from its old
email system to Exchange Online. Larger organizations that have more data generally need to perform an
incremental migration process, where the mailboxes for the domain coexist in Exchange Online and the
old email system.

The user requirements for historical information are another important consideration. If your organization
determines it is acceptable for users to use a new, empty Exchange mailbox, and you can migrate
historical data later, you likely can use a cutover migration.

The common migration scenarios are:

Cutover Exchange migration. In this type of migration, you move all mailboxes, in a single step, to
Exchange Online from an on-premises Exchange organization.

Staged Exchange migration. In this type of migration, you move mailboxes, in batches, to Exchange
Online from an on-premises Exchange organization.

IMAP migration. In this type of migration, you can migrate data from any IMAP-enabled email
system.

PST migration. In this type of migration, you export mailbox data to PST files, and import the PST files
in Exchange Online.

Hybrid configuration. In this type of migration, you use hybrid configuration to enable coexistence
between Exchange Online and an on-premises Exchange organization. After you enable hybrid
configuration, you can move the mailboxes individually or in groups.

Note: This lesson provides a general overview of the migration options available when
migrating to Exchange Online. For detailed steps on how to implement these migration options,
refer to: Microsoft Exchange Server Deployment Assistant at: https://aka.ms/hprxkj

Implementing a cutover Exchange migration


A cutover migration moves mailbox data, in a single step, from an on-premises Exchange organization to Exchange Online. This type of migration is appropriate only for a small organization with a limited amount of data. Exchange Online supports this type of migration for up to 2,000 mailboxes, but we recommend using this migration type for organizations with 150 mailboxes or less.

The main benefit of a cutover migration is its simplicity. Because there is no coexistence between email systems, you simply have to copy data, and switch to Exchange Online.

Prepare for a cutover Exchange migration


During a cutover Exchange migration, Exchange Online uses a set of credentials to sign in to your on-
premises Exchange organization and access mailboxes. To allow this to happen, you need to configure a
migration administrator account with Full Access and Receive As permissions to all the mailboxes that you
are migrating.

When Exchange Online accesses the mailboxes in your on-premises Exchange organization, it uses
Outlook Anywhere. Therefore, you need to enable Outlook Anywhere for your on-premises Exchange
organization if it is not already enabled.

In Office 365, you need to add the email domain that you are migrating, and you need to create the
necessary DNS records to prove domain ownership.

Connect Office 365 to on-premises Exchange


Before you migrate mailboxes, you need to connect Office 365 to your on-premises Exchange
organization by creating a migration endpoint, which contains the information necessary to connect to
the on-premises Exchange organization for migration. This information includes:

An email address in the on-premises Exchange organization. Office 365 uses this address to perform an
Autodiscover lookup and identify the connectivity information for the on-premises Exchange organization.

An account with the necessary privileges to access mailboxes and migrate the mailboxes in the on-
premises Exchange organization.

Exchange server. If Autodiscover did not discover the FQDN for Outlook Anywhere properly, you can
enter it.

RPC proxy server. If Autodiscover did not discover the FQDN of the remote procedure call (RPC)
proxy server properly, you can enter it.

Maximum concurrent migrations. Defines the number of mailbox migrations that occur
simultaneously. If you leave this blank, default values are used.

Maximum concurrent incremental syncs. Defines the number of incremental mailbox synchronizations
that can occur simultaneously after mailbox migration occurs. If you leave this blank, default values
are used.

Run a cutover migration batch


A cutover migration batch does more than just move mailbox data from the on-premises Exchange
organization to Office 365. The cutover migration batch also creates the users and mailboxes in Office
365. Additionally, when the mailbox move is complete, the cutover migration batch performs incremental
synchronization of new mailbox data that the on-premises Exchange organization receives.

When you create a new cutover migration batch, you are prompted to confirm the migration endpoint
connectivity information. Verify that this is correct, and then you can start the cutover migration batch at
the end of the new migration batch wizard or manually at a specific time. You can run a cutover migration
batch during business hours, but ensure that the Internet connection has sufficient capacity.

To verify that the initial data migration is complete, you can verify that the user accounts have been
created in Office 365 and that the status of the cutover migration batch is Synced. If there are errors, you
can view the log to determine the cause of the errors, and then restart the cutover migration batch.

Change email routing to Office 365


After the initial synchronization is complete, you need to change mail routing to Office 365. Use the DNS
information that you obtained when you added the domain to Office 365 to modify the MX record and
direct other email servers to deliver messages to Office 365.

Typically, hosts and other DNS servers cache the DNS records on the Internet. It is critical that you verify
email is being delivered directly to Office 365 before you delete the cutover migration batch. At
minimum, you should wait for the time defined in the Time to Live (TTL) of the MX record.

Note: To speed up the cutover process, consider shortening the TTL of your MX record
several days before the migration. A TTL of 30 or 60 minutes is significantly better than 24 hours.

Delete the cutover migration batch


After mail starts flowing directly to Office 365, you can remove the cutover migration batch. However,
before you remove the cutover migration batch, confirm that every mailbox has synchronized at least
once since you changed the mail flow. This ensures that no messages are left behind in the on-premises
Exchange organization. Monitor the Last Synced Time value for the cutover migration batch.

Additional tasks
After you remove the cutover migration batch, you should perform the following tasks:

Assign licenses to the user accounts. If you have not assigned any licenses to user accounts, users
cannot access their mailboxes.

Update Autodiscover. You need to update the Autodiscover DNS record to point to Office 365 for
external users. For internal users, you should configure the AutoDiscoverInternalURI value on the
service connection object to $null.

Decommission on-premises Exchange Server. After the migration is complete, you can remove
Exchange Server from your on-premises organization. Remember to do a proper removal rather than
just turning off the Exchange server.

Additional Reading: For additional detailed information about performing a cutover
migration, refer to: Perform a cutover migration of email to Office 365 at: http://aka.ms/jhw5t9
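The cutover procedure above can be driven from PowerShell rather than the Exchange admin center. The following is an added example, not code from the course or from Microsoft; the names it uses (domain contoso.com, the on-premises account CONTOSO\MigrationAdmin, tenant contoso.onmicrosoft.com, server LON-EX1, the license SKU name, and the LastSyncedDateTime property on migration users) are assumptions and must be checked against your own environment and the cmdlet output. It grants the migration account only the two permissions the lesson names, creates the endpoint and batch, waits for the Synced status, checks that the MX record really points at Exchange Online Protection before the batch is removed, and lists the post-migration commands.

```powershell
# Added example (not from the course). Assumed names: contoso.com, CONTOSO\MigrationAdmin,
# contoso.onmicrosoft.com, LON-EX1. Run the first part in the on-premises Exchange
# Management Shell and the rest in an Exchange Online PowerShell session.

# ---- On-premises Exchange Management Shell ----------------------------------------------
# Full Access and Receive As on the mailboxes in scope only (user mailboxes), nothing wider.
# Remove these grants once the batch is deleted.
$migrationAdmin = 'CONTOSO\MigrationAdmin'
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $migrationAdmin `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false
    Add-ADPermission -Identity $_.DistinguishedName -User $migrationAdmin `
        -ExtendedRights 'Receive-As'
}
# Outlook Anywhere must be published; endpoint creation below fails if it is not.
Get-OutlookAnywhere | Format-List Server, ExternalHostname

# ---- Exchange Online PowerShell --------------------------------------------------------
$onPremCred = Get-Credential -Message 'On-premises migration admin (DOMAIN\user)'
$endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name 'OnPremEndpoint' `
    -Autodiscover -EmailAddress 'MigrationAdmin@contoso.com' -Credentials $onPremCred `
    -MaxConcurrentMigrations 20 -MaxConcurrentIncrementalSyncs 10

# A cutover batch takes no .csv file: it enumerates the on-premises mailboxes itself.
New-MigrationBatch -Name 'CutoverBatch' -SourceEndpoint $endpoint.Identity `
    -TimeZone 'Pacific Standard Time' -AutoStart `
    -NotificationEmails 'admin@contoso.onmicrosoft.com' | Out-Null

# Wait for the initial copy; the batch should reach the Synced status.
do {
    Start-Sleep -Seconds 300
    $status = (Get-MigrationBatch -Identity 'CutoverBatch').Status.ToString()
    '{0:u}  batch status: {1}' -f (Get-Date), $status
} while ($status -notin @('Synced', 'SyncedWithErrors', 'Failed', 'Stopped'))

# Per-user failures: read the report, fix the cause, then restart the batch.
Get-MigrationUser -BatchId 'CutoverBatch' | Where-Object { $_.Status -ne 'Synced' } |
    ForEach-Object { Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport | Format-List }
# Start-MigrationBatch -Identity 'CutoverBatch'

# Before removing the batch: every MX host must point at Exchange Online Protection, and the
# TTL is the minimum time stale resolvers can still deliver to the old server.
function Test-MxRecord {
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type MX -DnsOnly | Where-Object { $_.Type -eq 'MX' } |
        ForEach-Object {
            [pscustomobject]@{
                NameExchange = $_.NameExchange
                Preference   = $_.Preference
                TtlSeconds   = $_.TTL
                IsOffice365  = $_.NameExchange -like '*.mail.protection.outlook.com'
            }
        }
}
$mx = @(Test-MxRecord -Domain 'contoso.com')
$mx | Format-Table
$mxReady = ($mx.Count -gt 0) -and -not ($mx | Where-Object { -not $_.IsOffice365 })

# Delete the batch only after the MX TTL has elapsed since the change AND every mailbox has
# synced since then (Last Synced Time in the admin center; LastSyncedDateTime is the assumed
# property name on Get-MigrationUser output, verify it before relying on it).
$mxChangedAt = Get-Date '2017-06-01 18:00'      # constructed value: when you changed the MX record
$safeAfter = $mxChangedAt.AddSeconds(($mx | Measure-Object -Property TtlSeconds -Maximum).Maximum)
$stale = Get-MigrationUser -BatchId 'CutoverBatch' | Where-Object { $_.LastSyncedDateTime -lt $safeAfter }
if ($mxReady -and -not $stale -and (Get-Date) -gt $safeAfter) {
    Remove-MigrationBatch -Identity 'CutoverBatch' -Confirm:$false
} else {
    'Not safe to remove the batch yet.'; $stale | Format-Table Identity, Status, LastSyncedDateTime
}

# Post-migration tasks from the lesson (MSOnline module; SKU name is an assumption):
# Set-MsolUser -UserPrincipalName 'holly@contoso.com' -UsageLocation US
# Set-MsolUserLicense -UserPrincipalName 'holly@contoso.com' -AddLicenses 'contoso:ENTERPRISEPACK'
# On-premises, clear the internal Autodiscover SCP (the value the lesson calls
# AutoDiscoverInternalURI) so domain-joined Outlook stops finding the old server:
# Set-ClientAccessServer -Identity 'LON-EX1' -AutoDiscoverServiceInternalUri $null
```

The permission grants are deliberately scoped to user mailboxes and meant to be removed after the batch is deleted: the migration account holds read access to every mailbox in the organization for as long as they exist, so it should be treated as a privileged account with a strong password and no other use.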

Implementing a staged Exchange migration


You can use a staged Exchange migration for large Exchange Server 2003 or Exchange Server 2007 organizations where a cutover Exchange migration is not appropriate. This type of migration allows you to move mailboxes incrementally, and there is coexistence between the on-premises Exchange organization and Office 365.

Note: You cannot configure a staged Exchange migration for Exchange Server 2010 and newer versions. You must use hybrid configuration to provide similar functionality.

Prepare for a staged Exchange migration


During a staged Exchange migration, Exchange Online uses a set of credentials to sign in to your on-
premises Exchange organization and access mailboxes. To allow this to happen, you need to configure a
migration administrator account with FullAccess permissions to all the mailboxes that are being
migrated, and WriteProperty permission to the TargetAddress property on the user accounts.

When Exchange Online accesses the mailboxes in your on-premises Exchange organization, it uses
Outlook Anywhere. You need to enable Outlook Anywhere for your on-premises Exchange organization if
Outlook Anywhere is not already enabled.

In Office 365, you need to add the email domain that you are migrating. As part of this, you need to
create the necessary DNS records to prove domain ownership.

Create users in Office 365


To create the users and groups in Office 365, you need to configure directory synchronization. To do this,
use Microsoft Azure AD Connect. After you create users in Office 365, you need to license them so that
users can sign in.

Create a staged migration batch


To create a staged migration batch, you need to create a comma-separated values (.csv) file that lists the
users to migrate. The .csv file must contain an EmailAddress column and a Password column. A
ForceChangePassword column is optional. The wizard for creating a staged migration batch verifies the
format of the file, including a maximum of 2,000 rows.

Before you create a staged migration batch, you need to create a migration endpoint that defines how to
connect to the on-premises Exchange organization. This process is the same for a staged migration batch
and for a cutover migration batch.

Convert on-premises mailboxes to mail-enabled users


After a staged migration batch is complete, the migration batch sets the TargetAddress property of the
on-premises user account to the Office 365 tenant, so that all new mail for the user is delivered to Office
365. However, the mailbox still exists in the on-premises Exchange organization. You need to remove the
on-premises mailbox and convert the user to a mail-enabled user. This directs the user to Office 365 for
email instead of the on-premises Exchange organization.

Additional Reading: For more detailed information, refer to: Convert Exchange 2007
mailboxes to mail-enabled users after a staged Exchange migration at: https://aka.ms/r1o37w.
This link also has scripts to simplify the conversion process.

Change email routing to Office 365


Similar to completing a cutover migration, after all staged migration batches are complete, you need to
change mail routing to Office 365. Use the DNS information provided when you added the domain to
Office 365 to modify the MX record and direct other email servers to deliver messages to
Office 365.

Hosts and other DNS servers typically cache DNS records on the Internet. It is critical that you verify email
is being delivered directly to Office 365 before you delete the staged migration batch. At minimum, you
should wait for the time defined in the TTL of the MX record.

Delete the staged migration batches


After mail starts flowing directly to Office 365, you can remove the staged migration batches. However,
before you remove the staged migration batches, confirm that every mailbox has synchronized at least
once since the mail flow change. This ensures that no messages are left behind in the on-premises
Exchange organization. Monitor the Last Synced Time value for the staged migration batch.

Additional tasks
After you remove the staged migration batches, you should perform the following tasks:

Assign licenses to the user accounts. If you have not assigned licenses to user accounts, the users
cannot access their mailboxes.

Update Autodiscover. You need to update the Autodiscover DNS record to point to Office 365 for
external users. For internal users, you should configure the AutoDiscoverInternalURI value on the
service connection object to $null.

Decommission on-premises Exchange Server. After the migration is complete, you can remove
Exchange Server from your on-premises organization. Remember to do a proper removal rather than
just turning off the Exchange server.

Additional Reading: For additional detailed information about performing a staged
Exchange migration, refer to: Perform a staged migration of email to Office 365 at:
http://aka.ms/m3lpyu

Implementing an IMAP migration


If you are migrating from a non-Exchange Server email system, you cannot use a cutover Exchange migration or a staged Exchange migration. If the non-Exchange Server email system supports IMAP, you can consider doing an IMAP migration. In this type of migration, Exchange Online logs on to mailboxes and uses IMAP to migrate messages.

Considerations for an IMAP migration include:

You can migrate only mail items.

You can migrate a maximum of 500,000 items per mailbox (newest first).

You can migrate a maximum message size of 35 megabytes (MB).

Folders with a forward slash in the name are not migrated.

Office 365 Setup wizard


If you perform a small IMAP migration, the simplest method to accomplish that is by using the Office 365
Setup wizard. The wizard takes you through the process for adding the email domain that you are
migrating, and it prompts you to create user accounts and copy data. The main limitation of the wizard is
that you can migrate a maximum of 150 mailboxes by using IMAP.

In the Office 365 Setup wizard, you can create user accounts individually or import them from a .csv file.
After you create the user accounts, you are prompted to enter the source email address and password for
each user. You can enter the same address for the source and destination, but they do not have to be the
same. After entering the user information, you are prompted for the IMAP server address.

The Exchange admin center


You also can use the Exchange admin center to create an IMAP migration batch. In this case, you need to
ensure that you add the email domain to Office 365 and create the user accounts in Office 365.

Once you create the accounts, you then create a .csv file with IMAP user information. The .csv file must
contain the EmailAddress, UserName, and Password columns. The migration batch uses this information
to sign in to the IMAP accounts and move the messages. The .csv file can contain up to 50,000 rows.

When you are ready to perform a migration, you create a migration endpoint that specifies connectivity
information for the source IMAP server. You then create a new IMAP migration batch, and you provide
the .csv file with IMAP user information. When you create the IMAP migration batch, you have the option
to specify folders, such as Deleted Items, that you do not want to migrate.

After the migration is complete, the migration batch continues to perform incremental synchronization
until you delete the IMAP migration batch. Do not delete the IMAP migration batch until your mail
routing points directly to Office 365.

Optimize IMAP migrations


If possible, implement the following guidelines to optimize IMAP migrations:

Use test batches to optimize network settings. If you have the option to modify the number of
connections allowed to your IMAP server, use test batches with varying settings to identify how to
obtain the best throughput.

Migrate data by using an administrator account. If your IMAP server supports using an
administrator account to access multiple mailboxes, then use an administrator account for credentials
in the .csv file. This avoids the need to collect or reset user passwords on the IMAP server.

Prevent users from changing passwords during the migration. If you use individual user accounts in
the .csv file, prevent users from changing their passwords during the migration process. If
passwords are changed during the migration process, the migration for the mailbox fails.

Ask users to delete unnecessary messages. This reduces the amount of data to be migrated and can
significantly speed up the overall migration process.

Additional Reading: For additional information about IMAP migration, refer to: What you
need to know about migrating your IMAP mailboxes to Office 365 at: http://aka.ms/crn236
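Both the staged migration batch (EmailAddress and Password columns, optional ForceChangePassword, at most 2,000 rows) and the IMAP migration batch (EmailAddress, UserName and Password columns, at most 50,000 rows) are driven by a .csv file that holds credentials, and a malformed file is the most common reason a batch fails for some users. The following added example, not code from the course or from Microsoft, validates such a file against the column and row rules stated in the two sections above and then submits it as a batch. File paths (C:\Migration\staged.csv, C:\Migration\imap.csv), server names (imap.contoso.com) and account names are assumptions.

```powershell
# Added example (not from the course). Validates a migration .csv file and then creates the
# matching migration batch in an Exchange Online PowerShell session.
# Assumed paths and names: C:\Migration\staged.csv, C:\Migration\imap.csv, imap.contoso.com,
# MigrationAdmin@contoso.com.

function Test-MigrationCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$RequiredColumns,
        [string[]]$OptionalColumns = @(),
        [Parameter(Mandatory)][int]$MaxRows
    )
    $rows = @(Import-Csv -Path $Path)
    # Header read separately so an empty file (no data rows) still reports its columns.
    $header = ((Get-Content -Path $Path -TotalCount 1) -replace '"', '') -split ',' |
        ForEach-Object { $_.Trim() }
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($col in $RequiredColumns) {
        if ($col -notin $header) { $problems.Add("missing required column '$col'") }
    }
    foreach ($col in $header) {
        if ($col -notin ($RequiredColumns + $OptionalColumns)) { $problems.Add("unexpected column '$col'") }
    }
    if ($rows.Count -eq 0)        { $problems.Add('file contains no data rows') }
    if ($rows.Count -gt $MaxRows) { $problems.Add("$($rows.Count) rows exceeds the limit of $MaxRows") }

    # Duplicate or blank values fail the batch for those users; catch them before submission.
    $rows | Group-Object -Property EmailAddress | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $problems.Add("duplicate EmailAddress '$($_.Name)'") }
    $line = 1
    foreach ($row in $rows) {
        $line++
        foreach ($col in $RequiredColumns) {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $problems.Add("line ${line}: empty '$col'") }
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        IsValid  = ($problems.Count -eq 0)
        Problems = @($problems)
    }
}

# Staged migration file: EmailAddress and Password required, ForceChangePassword optional.
$staged = Test-MigrationCsv -Path 'C:\Migration\staged.csv' `
    -RequiredColumns EmailAddress, Password -OptionalColumns ForceChangePassword -MaxRows 2000
# IMAP migration file: EmailAddress, UserName and Password.
$imap = Test-MigrationCsv -Path 'C:\Migration\imap.csv' `
    -RequiredColumns EmailAddress, UserName, Password -MaxRows 50000
$staged, $imap | Format-List

if ($staged.IsValid) {
    $onPremCred = Get-Credential -Message 'On-premises migration admin (DOMAIN\user)'
    $ep = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name 'StagedEndpoint' -Autodiscover `
        -EmailAddress 'MigrationAdmin@contoso.com' -Credentials $onPremCred
    New-MigrationBatch -Name 'StagedBatch1' -SourceEndpoint $ep.Identity `
        -CSVData ([System.IO.File]::ReadAllBytes('C:\Migration\staged.csv')) -AutoStart
}
if ($imap.IsValid) {
    $ep = New-MigrationEndpoint -IMAP -Name 'ImapEndpoint' -RemoteServer 'imap.contoso.com' `
        -Port 993 -Security Ssl -MaxConcurrentMigrations 20
    # Folders listed in -ExcludeFolders are skipped, as the lesson describes for Deleted Items.
    New-MigrationBatch -Name 'ImapBatch1' -SourceEndpoint $ep.Identity `
        -CSVData ([System.IO.File]::ReadAllBytes('C:\Migration\imap.csv')) `
        -ExcludeFolders 'Deleted Items', 'Junk Email' -AutoStart
}
# The .csv files contain passwords in clear text: keep them on an access-controlled volume
# and delete them as soon as the batches have been created.
```

Once a batch exists the credentials live in the migration endpoint, so the .csv file has no further purpose; the validator returns a structured object (IsValid plus a Problems list) so the same check can be run unattended before each batch in a multi-batch staged migration.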

Implementing a PST migration


A PST migration imports mailbox data from PST files into Office 365 mailboxes. As an administrator, you can perform the PST imports for users in the Exchange admin center or Windows PowerShell. In very small environments, you also can import .pst files in Outlook.

No matter which method you use to import .pst files into Office 365 mailboxes, you must make preparations for your migration, including that you have:

Configured Office 365 to receive email for the email domain, which means that you have added the domain to Office 365. It also means that you edited the domain's MX record to ensure that it is pointing to Office 365.

Created .pst files for mailboxes on your previous email system. You can create the .pst files by exporting directly from the previous email system, if supported. Alternatively, you can create the .pst files by using Outlook to perform an export of each mailbox.

Created the user accounts in Office 365. You must create user accounts in Office 365, and you must assign licenses to allow users to sign in and access their new mailbox.

These preparations ensure that users have a new empty mailbox that they can use to send and receive new messages. Historical data is in the .pst files, and you need to import it into the new mailboxes.

Import PST files with Outlook


In a very small environment, you can use Outlook to import .pst files into an Office 365 mailbox. After you
import the .pst file, Outlook caches the data locally and begins synchronizing it to Office 365. Outlook
must remain open until the data synchronizes fully.

This process is simple, but can be very slow. It also is decentralized, because you must perform it on each
user desktop.

Import PST files into Office 365


You can import .pst files directly into Office 365 mailboxes without using Outlook or any other client
software. This is the ideal .pst import solution for most organizations.

To prepare for a .pst import, you need to:

Assign the Mailbox Import Export role to a user. This role provides the permissions to perform a .pst
import for mailboxes in Office 365. No users are assigned to this role by default.

Create a PST to user mapping file. This file identifies the mailbox into which each .pst file should be
imported.

Before you import .pst files into Office 365, you need to move the .pst files to Microsoft Azure in one of
two ways. You can:

Ship data on a physical hard drive. Use the Microsoft Azure Import/Export Tool to copy and encrypt
the PST files on an external hard drive. You then can ship the external hard drive to Microsoft.
Microsoft imports the data into Windows Azure, and you then can import it.

Upload data over the network. Use the Microsoft Azure AZCopy Tool to copy the .pst files to
Windows Azure. Files are encrypted while in transit.

Your choice depends on the volume of data that you have and the speed of your network connection. If
you have a large amount of data or a slow network connection, shipping the data on a physical hard drive
may be faster.

Additional Reading: For detailed information about importing PST files into Office 365,
refer to: Import PST files to Office 365 at: http://aka.ms/G2n2p7
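The two preparation items above (the Mailbox Import Export role and the PST-to-user mapping file) can be scripted. The following is an added example, not code from the course or from Microsoft: it assigns the role to a single account and shows how to audit who holds it, then generates the mapping file from a folder of .pst files whose names follow an assumed <alias>.pst convention. The share \\FILESRV01\PSTs, the output path C:\Migration\PstMapping.csv, the tenant domain contoso.onmicrosoft.com and the account name are assumptions; the mapping-file columns are those of the Office 365 Import service mapping file.

```powershell
# Added example (not from the course). Assumed names: \\FILESRV01\PSTs with one <alias>.pst
# per mailbox, C:\Migration\PstMapping.csv, contoso.onmicrosoft.com, pstimport@contoso.onmicrosoft.com.
# Run in an Exchange Online PowerShell session.

# 1. Nobody holds Mailbox Import Export by default. Assign it to one account for the duration
#    of the import, audit who holds it, and remove the assignment when the import is finished.
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'pstimport@contoso.onmicrosoft.com'
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' | Format-Table RoleAssigneeName, Role
# Remove-ManagementRoleAssignment -Identity '<assignment name from the list above>'

# 2. Build the PST-to-mailbox mapping file. Each row names one .pst file and the mailbox it
#    goes into; files whose alias resolves to no mailbox are reported instead of mapped.
function New-PstMappingFile {
    param(
        [Parameter(Mandatory)][string]$PstFolder,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$TenantDomain,
        [string]$TargetRootFolder = '/'   # '/' merges into the mailbox root; a name creates a subfolder
    )
    $unresolved = @()
    $lines = @('Workload,FilePath,Name,Mailbox,IsArchive,TargetRootFolder,ContentCodePage,SPFileContainer,SPManifestContainer,SPSiteUrl')
    $files = @(Get-ChildItem -Path $PstFolder -Filter '*.pst' -File)
    foreach ($pst in $files) {
        if ($pst.Name -match ',') { $unresolved += "$($pst.Name) (comma in file name)"; continue }
        $mbx = Get-Mailbox -Identity "$($pst.BaseName)@$TenantDomain" -ErrorAction SilentlyContinue
        if (-not $mbx) { $unresolved += "$($pst.Name) (no mailbox)"; continue }
        # FilePath is the folder inside the Azure container; empty means the container root.
        $lines += 'Exchange,,{0},{1},FALSE,{2},,,,' -f $pst.Name, $mbx.PrimarySmtpAddress.ToString(), $TargetRootFolder
    }
    Set-Content -Path $OutFile -Value $lines
    [pscustomobject]@{
        MappingFile = $OutFile
        Mapped      = $lines.Count - 1
        Unresolved  = $unresolved
        TotalSizeGB = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1GB, 2)
    }
}
$result = New-PstMappingFile -PstFolder '\\FILESRV01\PSTs' -OutFile 'C:\Migration\PstMapping.csv' `
    -TenantDomain 'contoso.onmicrosoft.com'
$result | Format-List

# 3. Network upload with AzCopy, using the SAS URL shown on the Import page in Office 365
#    (AzCopy syntax of the version the Import service used at the time; confirm against the
#    current article before running). The SAS URL grants write access to your import
#    container: treat it like a password and do not leave it in scripts or logs.
#   AzCopy.exe /Source:"\\FILESRV01\PSTs" /Dest:"<SAS URL>" /V:"C:\Migration\Upload.log" /Y
```

TotalSizeGB is what decides between network upload and drive shipping, which is why the function reports it next to the mapping result; unresolved files are listed rather than silently dropped so that nobody's history goes missing because a file was misnamed.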

Implementing a public-folder migration


If your organization uses legacy public folders in Exchange Server 2007 or Exchange Server 2010, you can migrate them to Office 365, and Microsoft provides scripts for the migration process. However, if your organization has public folders in Exchange Server 2013, there is no process for migrating them.

Note: If you need to migrate public folders from Exchange Server 2013 to Office 365, you can use non-Microsoft tools. You also can migrate public folders from Exchange Server 2013 by exporting to a .pst file from Outlook, but this has important limitations on size. A .pst file import for public folders in Office 365 has a limit of 30 gigabytes (GB).

Migration process
The migration process for public folders requires that you run several scripts to generate configuration
files and data that the migration process requires. In general, you need to:

1. Download the migration scripts. These are the scripts that you run to complete the steps in the
migration process.

2. Prepare for the migration. This involves verifying that proper message routing is in place, verifying
that public folder names are valid, and ensuring that a previous migration attempt is not in progress.

3. Generate a .csv file for folder mapping. In the legacy Exchange organization, you run
Export-PublicFolderStatistics.ps1 and PublicFolderToMailboxMapGenerator.ps1 to generate a .csv file
that the migration requires.

4. Create a public folder mailbox in Exchange Online. In Office 365, to create the public folder mailbox,
run Create-PublicFolderMailboxesForMigration.ps1, and then specify the .csv file.

5. Start the public-folder migration. In the legacy Exchange organization, you run
Sync-MailPublicFolders.ps1 to synchronize mail-enabled public folders with Exchange Online, create a
new migration batch for public folders, and then start it. You can view the migration details in the
Exchange admin center.

6. Lock down legacy public folders. After the initial synchronization is complete, in the legacy Exchange
organization, you run Set-OrganizationConfig -PublicFoldersLockedForMigration $true. This prevents
users from accessing the legacy public folders while a final synchronization occurs.

7. Finalize the public-folder migration. In Office 365, run Complete-MigrationBatch to perform a final
synchronization.

8. Test the public folder migration. Configure an Office 365 mailbox to use the migrated public folders
to verify that the data is present and that they are functional. If there are any problems, you can roll
back the migration.

9. Complete the migration. In the legacy Exchange organization, run Set-OrganizationConfig
-PublicFolderMigrationComplete $true. In Office 365, run Set-OrganizationConfig
-PublicFoldersEnabled Local.

Additional Reading: For detailed information about migrating public folders to Office 365,
refer to: Use batch migration to migrate legacy public folders to Office 365 and Exchange
Online at: http://aka.ms/F6ncbt
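Step 2 of the procedure above ("prepare for the migration") is the one most often skipped, and a failed or half-finished earlier attempt is the usual reason a new batch refuses to start. The following added example, not code from the course or from Microsoft's migration scripts, collects those readiness facts into one object on each side: in the legacy Exchange Management Shell it lists folder names containing a backslash (which break the folder-to-mailbox mapping) and reads the two organization flags that steps 6 and 9 set; in Exchange Online PowerShell it checks that no public folder mailbox or public folder migration batch already exists and that PublicFoldersEnabled has not already been set to Local. Nothing in it changes configuration.

```powershell
# Added example (not from the course). Read-only readiness checks for a legacy public folder
# migration. Part 1 runs in the legacy (Exchange 2007/2010) Exchange Management Shell,
# part 2 in an Exchange Online PowerShell session.

# ---- Part 1: legacy on-premises Exchange organization -------------------------------------
function Get-LegacyPublicFolderReadiness {
    $folders = @(Get-PublicFolder -Recurse -ResultSize Unlimited)

    # A backslash in a folder name is not valid for the migration mapping; list every offender.
    $badNames = @($folders | Where-Object { $_.Name -match '\\' } | Select-Object Identity, Name)

    # Steps 6 and 9 of the procedure set these flags. If either is already True, a previous
    # migration attempt is in progress or was completed and must be dealt with first.
    $org = Get-OrganizationConfig
    $locked   = [bool]$org.PublicFoldersLockedForMigration
    $complete = [bool]$org.PublicFolderMigrationComplete

    [pscustomobject]@{
        FolderCount             = $folders.Count
        MailEnabledFolderCount  = @($folders | Where-Object { $_.MailEnabled }).Count
        InvalidNames            = $badNames
        LockedForMigration      = $locked
        MigrationMarkedComplete = $complete
        ReadyForNewBatch        = ($badNames.Count -eq 0) -and -not $locked -and -not $complete
    }
}
$onPrem = Get-LegacyPublicFolderReadiness
$onPrem | Format-List
$onPrem.InvalidNames | Format-Table Identity, Name

# ---- Part 2: Exchange Online ----------------------------------------------------------------
function Get-ExoPublicFolderReadiness {
    $pfMailboxes = @(Get-Mailbox -PublicFolder -ErrorAction SilentlyContinue)
    $pfBatches   = @(Get-MigrationBatch | Where-Object { $_.MigrationType.ToString() -eq 'PublicFolder' })
    $pfEnabled   = (Get-OrganizationConfig).PublicFoldersEnabled.ToString()

    [pscustomobject]@{
        ExistingPublicFolderMailboxes = $pfMailboxes.Count
        ExistingPublicFolderBatches   = $pfBatches.Count
        PublicFoldersEnabled          = $pfEnabled     # Local is only set in step 9
        ReadyForNewBatch              = ($pfMailboxes.Count -eq 0) -and ($pfBatches.Count -eq 0) -and ($pfEnabled -ne 'Local')
    }
}
$cloud = Get-ExoPublicFolderReadiness
$cloud | Format-List

if ($onPrem.ReadyForNewBatch -and $cloud.ReadyForNewBatch) {
    'Both sides are clear: continue with step 3 (folder mapping .csv).'
} else {
    'Resolve the items above before creating the migration batch.'
}
```

Running these checks again after step 9 gives the expected end state for free: LockedForMigration and MigrationMarkedComplete both True on premises, and PublicFoldersEnabled equal to Local in Exchange Online.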

Full hybrid configuration


Full hybrid configuration is a way to integrate an existing Exchange organization with Exchange Online. Larger organizations also can use it for an incremental migration of mailboxes from an existing Exchange organization to Exchange Online. Hybrid configuration also allows the permanent coexistence of an on-premises Exchange organization with Exchange Online.

Full hybrid configuration benefits


Implementing full hybrid configuration offers the following benefits:

Exchange Online mailboxes and on-premises mailboxes can share domain names for message
routing.

Users can perform free/busy searches for meeting requests between Exchange Online mailboxes and
on-premises mailboxes.

Distribution groups can contain a combination of Exchange Online mailboxes and on-premises
mailboxes.

Both Exchange Online and on-premises mailboxes can access public folders.

The global address list (GAL) synchronizes for Exchange Online mailboxes and on-premises mailboxes.

You can move mailboxes between Exchange Online and on-premises Exchange servers.

Note: Permissions for sharing mailboxes or mailbox folders are not supported between
Exchange Online mailboxes and on-premises mailboxes.

Directory synchronization
Full hybrid configuration requires directory synchronization between your on-premises AD DS and
Office 365. To implement directory synchronization, download and install Azure AD Connect. The
synchronization process creates users and groups in Office 365 that correspond with the users and
groups in your on-premises AD DS.

When you implement directory synchronization, AD DS becomes the authoritative source for information
about your users in Office 365. Many user properties are not editable in Office 365 for synchronized users.
Instead, you edit the user properties in the on-premises AD DS and allow synchronization to update the
objects in Office 365.

When you implement directory synchronization, you have the option to enable password synchronization,
which allows users to have the same password for their on-premises user account and Office 365. When
the password is changed in on-premises AD DS, it is synchronized to Office 365 within about two minutes.
It also is possible to allow password resets from Office 365 to synchronize to the on-premises AD DS.

Note: You also can use AD FS to provide single sign-on for Office 365 accounts, but this
adds significant complexity.

Hybrid Configuration Wizard


The Hybrid Configuration Wizard performs many configuration steps for you in both your on-premises
Exchange organization and Exchange Online. You can obtain the Hybrid Configuration Wizard from the
Office 365 admin center in Users > Migration by selecting the Exchange option. You need to select the
Full Hybrid Configuration option in the Hybrid Configuration Wizard.

The Hybrid Configuration Wizard allows you to:

1. Enable federation for the selected domains. To enable federation, you need to create a DNS TXT
record for each domain to provide ownership. This is different from the TXT record created to provide
ownership when adding the domain to Office 365.

2. Select on-premises servers for mail flow. You must select the Exchange servers that will be responsible
for mail flow between Office 365 and your on-premises Exchange organization. Connectors are
created automatically to secure inbound and outbound mail flow.

3. Identify URLs for web services. The Hybrid Configuration Wizard uses Autodiscover to determine the
URLs required for web services connectivity used by free/busy sharing.

4. Create an organizational sharing policy. This policy contains the configuration information required to
allow free/busy sharing between the on-premises Exchange organization and Office 365.

Decommissioning on-premises Exchange servers


Some organizations use hybrid configuration as an interim step to perform an incremental migration to
Office 365. When the migration of mailboxes to Office 365 is complete, they wonder how to complete the
migration process and remove all Exchange servers from their on-premises environment. In most cases, it is
not advisable to remove all Exchange servers from the on-premises environment even though all the
mailboxes have been migrated.

If you remove all Exchange servers from the on-premises environment, you lose access to the Exchange
management tools that allow you to modify Exchange attributes. If you continue to use directory
synchronization to perform password synchronization and automatically create Office 365 users, then you
need access to a local copy of the Exchange management tools because the local AD DS is authoritative.
You cannot directly modify many attributes, such as email addresses, in the Office 365 Exchange admin
center.

Note: You may find blog postings about how to manage synchronized user attributes in
the local AD DS by editing the user object in ADSI Edit or Active Directory Users and Computers.
However, direct editing of user objects is not supported.
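The supported alternative to editing synchronized objects in ADSI Edit is to keep one Exchange server and use its management tools, which write the Exchange attributes correctly and leave directory synchronization to carry them to Office 365. The following is an added example, not code from the course or from Microsoft; the user Holly, the domain contoso.com, the routing domain contoso.mail.onmicrosoft.com and the server names are assumptions. It shows the on-premises cmdlets for the two everyday tasks (provisioning a cloud mailbox for a new AD DS user and adding an email address to an existing one), forces a delta sync, and confirms the result in Exchange Online.

```powershell
# Added example (not from the course). Assumed names: user Holly, contoso.com,
# contoso.mail.onmicrosoft.com. Part 1 runs in the on-premises Exchange Management Shell,
# part 2 on the Azure AD Connect server, part 3 in an Exchange Online PowerShell session.

# ---- Part 1: on-premises Exchange Management Shell (the supported attribute editor) ------
# New AD DS user who should get a mailbox in Exchange Online: create the remote mailbox
# object. The mailbox itself is provisioned after synchronization and license assignment.
Enable-RemoteMailbox -Identity 'Holly' -RemoteRoutingAddress 'holly@contoso.mail.onmicrosoft.com'

# Add a proxy address to a synchronized user. This is the operation that cannot be done in
# the Office 365 Exchange admin center for a synchronized object.
function Add-SynchronizedUserAddress {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Address
    )
    Set-RemoteMailbox -Identity $Identity -EmailAddresses @{add = $Address}
    $rm = Get-RemoteMailbox -Identity $Identity
    [pscustomobject]@{
        Identity             = $rm.Identity
        PrimarySmtpAddress   = $rm.PrimarySmtpAddress.ToString()
        AddressPresent       = ($rm.EmailAddresses | ForEach-Object { $_.ToString() }) -contains "smtp:$Address"
        RemoteRoutingAddress = $rm.RemoteRoutingAddress.ToString()
    }
}
Add-SynchronizedUserAddress -Identity 'Holly' -Address 'holly.dickson@contoso.com' | Format-List

# ---- Part 2: Azure AD Connect server: push the change now instead of waiting for the cycle --
Start-ADSyncSyncCycle -PolicyType Delta

# ---- Part 3: Exchange Online PowerShell: confirm the attribute arrived via synchronization --
Get-Mailbox -Identity 'holly@contoso.com' | Format-List IsDirSynced, PrimarySmtpAddress, EmailAddresses
```

IsDirSynced being True in the final output is the reminder of why this route is necessary: for that object Office 365 will not accept an address change made on the cloud side, so the on-premises Exchange tools are the only supported place to make it.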

Minimal and express hybrid configuration


Smaller organizations that do not intend to have coexistence between an on-premises Exchange organization and Exchange Online for an extended time should consider minimal hybrid configuration or express hybrid configuration. Both hybrid configuration options involve less complexity but also have less functionality than a full hybrid configuration.

Minimal hybrid configuration

A minimal hybrid configuration allows you to migrate mailboxes incrementally similar to a full hybrid configuration, but lacks most of the integrated functionality. You should not use this option during a migration from an on-premises Exchange organization to Exchange Online, which will be relatively short because of the limited coexistence features.

A minimal hybrid configuration does not include:

Federation.

Secure email transfer.

Free/busy lookups between on-premises and cloud.

Redirection for Outlook on the web and ActiveSync clients.


You can perform mailbox moves from an on-premises Exchange organization to Exchange Online by
using the Exchange admin center just as you would do with a full hybrid configuration. In addition,
Outlook clients are automatically reconfigured when mailboxes are moved.

There is mail flow between the on-premises Exchange organization and Exchange Online. However, the
messages are not guaranteed to be secured by TLS. Messages are secured by TLS if opportunistic TLS is
successful.

Ongoing directory synchronization by using Azure AD Connect is required when implementing a minimal
hybrid configuration. This allows for long-term coexistence where on-premises AD DS updates are
synchronized to Exchange Online, similar to synchronization in a full hybrid configuration.

Express hybrid configuration


An express hybrid configuration is designed for scenarios where mailboxes will be migrated very quickly
from an on-premises Exchange organization to Exchange Online. This configuration is simpler than a
minimal hybrid configuration because directory synchronization is performed as a one-time event.

When you select the Minimal Hybrid Configuration option in the Hybrid Configuration Wizard and you
do not have Azure AD Connect configured for directory synchronization, the Hybrid Configuration Wizard
provides an option to perform a one-time directory synchronization of users and passwords. The wizard
provides you with the steps to download and install Azure AD Connect for a one-time synchronization.
After Azure AD Connect populates the users in Exchange Online, you need to license the users and move
the mailboxes. However, because there is no ongoing directory synchronization, you need to perform all
user management in the Office 365 admin center and Exchange admin center.

Check Your Knowledge


Question

Your organization currently is using Gmail and Google Docs, and has decided to
migrate to Office 365 for email and file sharing. Which migration type should you use
so your end users experience the least amount of downtime?

Select the correct answer.

Cutover Exchange migration

Staged Exchange migration

IMAP migration

PST migration

Full hybrid configuration



Check Your Knowledge


Question

Your organization has an on-premises Exchange Server 2010 deployment, and wants
to migrate to Office 365. Your organization has 3,000 mailboxes, with an average
mailbox size of 1 GB. Which migration type should you use?

Select the correct answer.

Cutover Exchange migration

Staged Exchange migration

IMAP migration

PST migration

Full hybrid configuration

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

A cutover migration batch continues synchronizing until you remove it.



Lab B: Configuring email protection and client policies


Scenario
The pilot project is going well at A. Datum. Before finishing it and moving into a full deployment, you
need to confirm that you can configure the Exchange Online settings to match the on-premises settings
for options such as anti-spam and antivirus settings, and client access policies.

Objectives
After completing this lab, you will have:

Configured anti-spam and antivirus settings

Configured client access policies

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 35 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL2

User name: Adatum\Administrator, Adatum\Holly, and LON-CL2\Francisco

Password: Pa55w.rd

In all tasks:

Where you see references to AdatumYYXXXX.onmicrosoft.com, replace AdatumYYXXXX with
your unique Office 365 Name that displays in the online lab portal.

Where you see references to yourdomain.hostdomain.com, replace the yourdomain with your
unique hostdomain.com Name that displays in the online lab portal.

Please use only the virtual machines that your lab requires. This lab requires the following virtual
machines:

LON-DC1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-DS1

o Sign in as Adatum\Administrator using the password Pa55w.rd


LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd

LON-CL2

o Sign in as LON-CL2\Francisco using the password Pa55w.rd

Question: Why did you configure different anti-spam settings for members of the sales
group?

Question: Why is it important to require a password on mobile devices?



Module Review and Takeaways


Review Questions

Question: Why is it important not to remove the last on-premises Exchange server when
directory synchronization is in place?

Question: You recently migrated all your organizational mailboxes to Office 365. Many of
your users have mobile devices that connect by using Exchange ActiveSync. Your security
officer was shocked when he saw that a user did not have a password on his mobile device.
Why did this happen, and how can you fix it?

Module 8
Planning and deploying Skype for Business Online
Contents:
Module Overview 8-1

Lesson 1: Planning and configuring Skype for Business Online service settings 8-2

Lesson 2: Configuring Skype for Business Online users and client connectivity 8-13

Lesson 3: Planning voice integration with Skype for Business Online 8-16

Lab: Configuring Skype for Business Online 8-25

Module Review and Takeaways 8-27

Module Overview
Skype for Business Online is a core component of Microsoft Office 365. Skype for Business Online provides
a variety of options for users to collaborate with each other, including presence information, instant
messaging (IM), and audio and video conferencing. Additionally, Skype for Business Online provides a full
voice solution, where you can replace some or all on-premises Private Branch Exchange (PBX)
functionality with a cloud-based solution.

Objectives
After completing this module, you will be able to:

Plan and configure Skype for Business Online service settings.

Configure Skype for Business Online user settings and clients.

Plan voice integration with Skype for Business Online.



Lesson 1
Planning and configuring Skype for Business Online service settings
Most Office 365 subscriptions include Skype for Business Online. When you assign users licenses that
include Skype for Business Online, they can immediately start using this feature. However, before you
enable users to utilize Skype for Business Online, you should understand the Skype for Business Online
service, and you should be able to configure the service settings to meet your organization's
requirements.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Skype for Business Online features.

Describe the various Skype for Business Online subscription options.

Describe Skype for Business Online network requirements.


Explain how to connect to Skype for Business Online by using Windows PowerShell.

Explain how to configure organization settings.

Explain how to configure external communications.

Describe Skype Meeting Broadcast.

Explain how to configure Skype Meeting Broadcast.

Overview of Skype for Business Online


Skype for Business Online helps connect
organizational users with multiple devices, and it
offers a consistent experience for presence, IM, and
voice and video conferencing. Skype for Business
Online is available as a stand-alone Office 365
service or as a part of most Office 365 subscriptions.

Skype for Business Online provides the following key features:

Real-time presence. Users get availability and
location information to make it easier for them
to choose the best method of communication
with their co-workers. Skype for Business
Online tracks presence information for all Skype for Business Online users, and it provides this
information to the Skype for Business client and other apps such as Microsoft Outlook 2013 or later.

IM. Users can utilize standard text-based IM to communicate in real time with multiple users, and
users can transfer files to those users.

Voice calls. Users can make Skype for Business calls to other Skype for Business users inside and
outside an organization, and if enabled, they can call Skype consumer users.

Web conferencing. Skype for Business Online can host conferences, which you can schedule or run as
needed. Conferences can include IM, audio, video, application sharing, slide presentations, and other
forms of data collaboration.

Audio conferencing. Users can join Skype for Business Server-based audio conferences by using any
desktop or mobile device. When connecting to an audio conference by using a web browser, users
can provide a telephone number that the audio conferencing service calls.

Enhanced presentations. Users can enhance their online presentations by using Skype for Business
Online screen sharing, application sharing, and virtual whiteboard features.

Support for federation. You can configure federation with other organizations that are running Skype
for Business Online, Skype for Business Server on-premises, Microsoft Lync Server, or Microsoft Office
Communications Server, so that you can provide full Skype for Business functionality for users in multiple
organizations.

Skype for Business Online subscription options


Microsoft provides several different Office 365
and Skype for Business subscriptions. Skype for
Business Online is included with many Office 365
Business and Enterprise subscriptions, with different
levels of functionality provided with different
subscriptions.
In addition to ordering Skype for Business Online as
part of an Office 365 subscription, you also can
order Skype for Business Online as a stand-alone
subscription. The following table shows some of the
options that are available with each subscription.

Option                                          Online plan 1   Online plan 2   Skype for Business Server 2015

Presence and instant messaging                  Yes             Yes             Yes

Audio and HD video calling to Skype for         Yes             Yes             Yes
Business users

Group HD video calling                          No              Yes             Yes

Schedule meetings in Outlook                    No              Yes             Yes

Join meetings from desktops and web browsers,   No              Yes             Yes
including anonymously

Desktop sharing, application sharing, and       No              Yes             Yes
remote control

Persistent Chat                                 No              No              Yes

Dial-in audio conferencing                      No              Yes             No

Enterprise Voice                                No              No              Yes

Additional Reading: For more information on the Skype for Business options that are
provided with Office 365 and Skype for Business Online stand-alone subscriptions, refer to:
Skype for Business Online Service Description at: http://aka.ms/eljskd

Network requirements for Skype for Business Online


When you plan for a Skype for Business Online
deployment, you need to consider the following
network requirements:

Internet connectivity requirements


If you are not restricting internal user connections
to the Internet based on external domain names or
port numbers, you do not need to change any
network settings on your network. Client computers
in your network initiate all connections to Skype for
Business Online, and in most cases, firewalls do not
block responses to these connections.

Some organizations use proxy servers or firewall settings to block users from accessing Internet locations.
If you are limiting the domains, URLs, and IP addresses that your internal users can access, then you must
ensure that internal clients have access to the domain names, URLs, and ports that Skype for Business
Online servers require.

Additional Reading: For more information on the domain names, URLs, IP addresses, and
port numbers that Office 365 and Skype for Business Online require, refer to: Office 365 URLs
and IP address ranges at: http://aka.ms/Ef9aum

As a best practice, you should allow internal users to access Skype for Business Online servers by using
domain names or URLs rather than IP addresses. The IP addresses that are associated with the Skype for
Business Online servers might change frequently, whereas domain names and URLs are less likely to
change.

In addition to ensuring user access to Skype for Business Online servers, you can perform the following
key network optimization configurations:

Disable authentication for Skype for Business Online audio and video traffic when an authenticating
HTTP proxy is used.

Configure the network to allow User Datagram Protocol traffic for better audio and video
performance.

Modify internal routers and optimize internal network paths for audio and video traffic.

Bandwidth requirements for Office 365


You should carry out a comprehensive assessment of the required network bandwidth for Skype for
Business Online and its conferencing features, as these services might necessitate an increase in the
required bandwidth.

Additional Reading: The Skype for Business Bandwidth Calculator is a tool that you can
use to calculate bandwidth requirements. You can download this tool from: http://aka.ms/h028y7

Additional Reading: For more information on Internet bandwidth usage for Office 365
services, refer to: Network planning and performance tuning for Office 365 at:
http://aka.ms/i09jrk

Connecting to Skype for Business Online by using Windows PowerShell


As with almost all other Office 365 components,
you can manage all Skype for Business Online
settings by using the Windows PowerShell
command-line interface. The Skype for Business
admin center is generally easier for new
administrators to use, but Windows PowerShell
offers the following advantages over the Skype for
Business admin center:

Some tasks can be performed only by using Windows PowerShell.

More experienced users can use Windows PowerShell to organize multiple Windows PowerShell
commands into scripts and then use these scripts to automate and speed up repetitive tasks.

Software requirements
To manage Skype for Business Online by using Windows PowerShell, your computer must be running a
64-bit Windows operating system and have the following installed:

Windows PowerShell 3.0 or later. An appropriate version of Windows PowerShell is already preinstalled
on Windows Server 2012 or Windows 8 or later operating systems.

The Skype for Business Online module for Windows PowerShell. This installs the Skype for Business
Online Connector module and the New-CsOnlineSession cmdlet on your local computer. You can
download this module from http://aka.ms/x3kyib.

Note: If you are using a computer that is running Windows 7, then you will need to install
Windows PowerShell 3.0 and the Microsoft Online Services Sign-In Assistant. This software
provides sign-in and authentication functionality for Office 365 applications, including Skype for
Business Online. This can be downloaded from the Microsoft Download Center at
http://aka.ms/vl42dg

Connecting to Skype for Business Online by using Windows PowerShell


After installing the required software, you need to connect to Skype for Business Online before you can
run remote Windows PowerShell commands. To do this, run the following commands in Windows
PowerShell:

$cred = Get-Credential
$SfBSession = New-CsOnlineSession -Credential $cred
Import-PSSession $SfBSession

After completing the first command, a credentials dialog box appears. Enter the user name and password
for a Skype for Business Online administrator. The second command creates the variable $SfBSession and
uses the New-CSOnlineSession command to create a connection to Skype for Business Online by using
the supplied credentials. The last command imports the session to your Windows PowerShell console. You
can then use all Skype for Business Online commands.

To remove the Windows PowerShell session and to disconnect from Skype for Business Online, run the
following command:

Remove-PSSession $SfBSession

Note: Specific examples of Windows PowerShell commands are included in the
configuration topics in the rest of this module.

Additional Reading: For more information on using Windows PowerShell to perform
common administrative tasks in Skype for Business Online, refer to: Quick reference: Using
Windows PowerShell to do common Skype for Business Online management tasks at:
http://aka.ms/tbf95p

Additional Reading: For more information on specific Windows PowerShell cmdlets to
administer and configure Skype for Business Online, refer to: The Skype for Business Online
cmdlets at: http://aka.ms/b0gp7b

Configuring organization settings


After you configure an Office 365 tenant, you can
configure Skype for Business organization settings
in the Skype for Business admin center.

Configuring general settings


You can configure the following organization
settings on the general page:

Presence privacy mode. This defines whether users' presence information displays for
everyone who they communicate with, or just for their contacts. The options include:

o Automatically display presence information (default)

o Display presence information only to a user's contacts

Mobile phone notifications. Mobile phone notifications alert Windows Phone and iOS users when
they receive incoming instant messages when the users are not actively using their Skype for Business
clients. Users can also disable these push notifications on their devices.

By default, push notifications are enabled for Windows Phones through the Microsoft Push Notification
Service and for iOS devices through the Apple Push Notification Service. You can disable either or both
options. If you disable these options for an organization, users will not receive push notifications even if
the options are enabled on their devices.

Configuring meeting invitations


When users create meeting invitations by using Outlook or Microsoft Outlook Web App, the meeting
invitations include generic meeting details. You can customize Skype for Business meeting invitations for
your organization by configuring the following:

Logo URL. The logo that the URL points to must be a JPG or GIF image that is a maximum of 188
pixels wide by 30 pixels high.

Help URL. This points to your organization's support website.

Legal URL. This points to a website that contains your organization's legal disclaimers.

Footer text. This allows you to enter free text, such as legal disclaimer information, directly into the
meeting invitation.

Configuring organization settings by using Windows PowerShell


You can configure organization settings by using the following commands:

To configure presence privacy settings, use the Set-CsPrivacyConfiguration cmdlet, with the
EnablePrivacyMode parameter. If this parameter is set to True, then users can turn on advanced
privacy mode so that only their contacts can see their presence information. If set to False, then
presence information is available to all users in the organization.

To enable or disable push notifications to iPhones or Windows Phones, you can use the
Set-CsPushNotificationConfiguration cmdlet, which uses the EnableApplePushNotificationService and
EnableMicrosoftPushNotificationService parameters.

To customize meeting invitations, use the Set-CSMeetingConfiguration cmdlet, and configure the
LogoURL, LegalURL, HelpURL, and CustomFooterText parameters.

You can also use the Set-CSMeetingConfiguration cmdlet to configure other meeting parameters
for your organization, including the following:

o Use the AdmitAnonymousUsersByDefault parameter to define whether to allow anonymous users
into meetings automatically, or whether they will need to wait in a lobby until a meeting
presenter admits them.

o Use the AllowConferenceRecording parameter to define whether users will be able to record
meetings.
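The following script is an added example, not part of the course, that applies the organization settings described above as one reviewable desired state and then reads the configuration back to detect drift. It assumes a session has already been imported with New-CsOnlineSession; the A. Datum URLs and footer text are constructed placeholders.

```powershell
# Added example (not from the course): apply and verify organization-level
# Skype for Business Online settings. Assumes New-CsOnlineSession and
# Import-PSSession have already been run. URLs and footer text are placeholders.

$desired = @{
    PrivacyMode             = $true   # users may limit presence to their contacts
    ApplePush               = $true
    MicrosoftPush           = $true
    LogoUrl                 = 'https://intranet.adatum.example/logo.gif'   # placeholder, max 188x30 px
    HelpUrl                 = 'https://intranet.adatum.example/help'       # placeholder
    LegalUrl                = 'https://intranet.adatum.example/legal'      # placeholder
    FooterText              = 'A. Datum - internal use only'               # placeholder
    AdmitAnonymousByDefault = $false  # anonymous attendees wait in the lobby
    AllowRecording          = $false  # recording stays off unless compliance allows it
}

function Set-AdatumSfBOrgSettings {
    param([hashtable]$Settings)

    # Presence privacy: $true lets users restrict presence to their contacts.
    Set-CsPrivacyConfiguration -EnablePrivacyMode $Settings.PrivacyMode

    # Push notifications for iOS and Windows Phone clients.
    Set-CsPushNotificationConfiguration `
        -EnableApplePushNotificationService $Settings.ApplePush `
        -EnableMicrosoftPushNotificationService $Settings.MicrosoftPush

    # Invitation branding plus lobby and recording policy, passed by splatting.
    $meetingParams = @{
        LogoURL                      = $Settings.LogoUrl
        HelpURL                      = $Settings.HelpUrl
        LegalURL                     = $Settings.LegalUrl
        CustomFooterText             = $Settings.FooterText
        AdmitAnonymousUsersByDefault = $Settings.AdmitAnonymousByDefault
        AllowConferenceRecording     = $Settings.AllowRecording
    }
    Set-CsMeetingConfiguration @meetingParams
}

function Test-AdatumSfBOrgSettings {
    # Read back the effective configuration and report drift from the desired state.
    param([hashtable]$Settings)

    $privacy = Get-CsPrivacyConfiguration
    $push    = Get-CsPushNotificationConfiguration
    $meeting = Get-CsMeetingConfiguration

    $checks = [ordered]@{
        'EnablePrivacyMode'                      = ($privacy.EnablePrivacyMode -eq $Settings.PrivacyMode)
        'EnableApplePushNotificationService'     = ($push.EnableApplePushNotificationService -eq $Settings.ApplePush)
        'EnableMicrosoftPushNotificationService' = ($push.EnableMicrosoftPushNotificationService -eq $Settings.MicrosoftPush)
        'AdmitAnonymousUsersByDefault'           = ($meeting.AdmitAnonymousUsersByDefault -eq $Settings.AdmitAnonymousByDefault)
        'AllowConferenceRecording'               = ($meeting.AllowConferenceRecording -eq $Settings.AllowRecording)
        'CustomFooterText'                       = ($meeting.CustomFooterText -eq $Settings.FooterText)
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK   ' } else { 'DRIFT' }
        Write-Output ('{0} {1}' -f $state, $name)
    }
    # $true only when every setting matches the desired state.
    return -not ($checks.Values -contains $false)
}

Set-AdatumSfBOrgSettings  -Settings $desired
Test-AdatumSfBOrgSettings -Settings $desired
```

Running Test-AdatumSfBOrgSettings on its own, for example from a scheduled task, gives a quick check that nobody has re-enabled automatic admission of anonymous users or meeting recording through the admin center.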

Configuring external communications


When you implement Skype for Business Online,
you can configure the level of integration between
your organization and other organizations that are
running Skype for Business Online or Skype for
Business Server 2015 on-premises. To do this, you
need to configure external communications settings
in the Skype for Business admin center.

Configuring external access with other domains
When you enable users to communicate with other
organizations, you are configuring domain
federation. If the other organization is also hosted
on Skype for Business Online and the other organization is not configured to block your domain, then
domain federation is automatically enabled. If the other organization is using an on-premises version of
Lync Server or Skype for Business Server, then they might need to further configure federation with your
online tenant.

Additional Reading: For more information on how to configure an on-premises
environment to federate with Skype for Business Online, refer to: Managing federation and
external access to Lync Server 2013 at: http://aka.ms/v748ur

By default, domain federation with all domains is allowed when you configure an Office 365 tenant. You
can modify the default setting by choosing one of the following options:

Off completely. This disables external access and will prevent users from communicating with
anyone in an external domain.

On except for blocked domains. This enables domain federation for all domains except for those
that you explicitly add to the blocked domains list.

On only for allowed domains. This enables domain federation for all the domains that you explicitly
add to the allowed domains list.

After federation is established between domains, users in the two organizations will be able to
communicate with contacts that they have added to their Skype for Business clients.

Note: Public IM connectivity in Skype for Business Online only supports public IM
connectivity with Lync or Skype users; it does not support other public IM networks such as AOL
Instant Messenger or Yahoo Messenger.

Skype communications between users in federated domains are restricted to Skype for Business Online
features that both organizations support. For example, if your organization supports video conversations
but the other domain does not, your users will not be able to start video conversations with users in that
federated domain.

Configure public IM connectivity


You can also configure whether or not users are able to communicate by using IM and audio and video
calls with users who utilize the public version of Skype. If you want to allow users to communicate with
Skype users, you need to permit domain federation in the external access settings, and then select the Let
people use Skype for Business to communicate with Skype users outside your organization option.

Note: You can also use the Office 365 admin center to configure external communication
settings for Skype for Business Online. To do this, expand the External Sharing tab, and then
click Skype for Business. You can then enable or disable external access and configure the
blocked or allowed domains.

Configuring external communications by using Windows PowerShell


To configure external communication settings by using Windows PowerShell, use the following
commands:

To enable or disable federation with public IM providers, you can use the
Set-CsTenantFederationConfiguration cmdlet with the AllowPublicUsers parameter.

To allow federation with all domains, you can use a variable with the
New-CsEdgeAllowAllKnownDomains cmdlet, and then use the Set-CsTenantFederationConfiguration
cmdlet with the AllowedDomains parameter and the defined variable.

To view a list of blocked domains, you can use the Get-CsTenantFederationConfiguration cmdlet
and pipe its output to Select-Object -ExpandProperty BlockedDomains.

To add a domain to the blocked domains list, you can use a variable with the
New-CsEdgeDomainPattern cmdlet, and then use the Set-CsTenantFederationConfiguration
cmdlet with the BlockedDomains parameter and the Add method with the defined variable.
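The following script is an added example, not part of the course, that puts the cmdlets listed above together: it sets the "On only for allowed domains" posture, adds an explicit block, decides consumer Skype connectivity separately, and then reports the effective state in the admin center's terms. It assumes an imported Skype for Business Online session; partner.example and blocked.example are constructed placeholder domains, and the type name used to recognise the allow-all object is an assumption noted in the code.

```powershell
# Added example (not from the course): configure and audit domain federation.
# Assumes a session imported with New-CsOnlineSession. Domain names are placeholders.

function Set-AdatumFederationPosture {
    param(
        [string[]]$AllowedPartnerDomains,
        [string[]]$BlockedPartnerDomains = @(),
        [bool]$AllowSkypeConsumerUsers = $false
    )

    # "On only for allowed domains": one domain pattern per partner, wrapped in an
    # allow list. Passing New-CsEdgeAllowAllKnownDomains instead would select
    # "On except for blocked domains".
    $patterns  = foreach ($d in $AllowedPartnerDomains) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList

    # Explicit blocks; the Add method appends without discarding existing entries.
    foreach ($d in $BlockedPartnerDomains) {
        $pattern = New-CsEdgeDomainPattern -Domain $d
        Set-CsTenantFederationConfiguration -BlockedDomains @{ Add = $pattern }
    }

    # Consumer Skype connectivity is a separate switch and a separate decision.
    Set-CsTenantFederationConfiguration -AllowPublicUsers $AllowSkypeConsumerUsers
}

function Get-AdatumFederationPosture {
    # Read the tenant configuration back and express it in the admin center's terms.
    $cfg = Get-CsTenantFederationConfiguration

    # Assumption: the allow-all object's .NET type is named AllowAllKnownDomains
    # (matching its cmdlet) and an allow list exposes its entries as .AllowedDomain.
    $allowAll = ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')

    if (-not $cfg.AllowFederatedUsers) { $mode = 'Off completely' }
    elseif ($allowAll)                 { $mode = 'On except for blocked domains' }
    else                               { $mode = 'On only for allowed domains' }

    if ($allowAll) { $allowed = @('*') }
    else { $allowed = @($cfg.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain }) }

    [pscustomobject]@{
        Mode           = $mode
        AllowedDomains = $allowed
        BlockedDomains = @($cfg.BlockedDomains | ForEach-Object { $_.Domain })
        SkypeConsumer  = [bool]$cfg.AllowPublicUsers
    }
}

Set-AdatumFederationPosture -AllowedPartnerDomains 'partner.example' `
                            -BlockedPartnerDomains 'blocked.example'
Get-AdatumFederationPosture | Format-List
```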

Skype Meeting Broadcast


Skype Meeting Broadcast is a new offering from
Office 365 and Skype for Business Online that uses
the Office 365 infrastructure to broadcast meetings
to a large number of attendees. A Skype Meeting
Broadcast can be broadcast live and viewed
simultaneously by up to 10,000 users around the
world.

To use Skype Meeting Broadcast, you must have an Office 365 Enterprise E1, Office 365 Enterprise E3, or
Office 365 Enterprise E5 or a stand-alone Skype for Business Online Plan 2 license assigned to your
account. You can use Skype Meeting Broadcast if you have an on-premises Skype for Business Server
deployment, but you must enable hybrid mode with Skype for Business Online.

When configuring Skype Meeting Broadcast, you can configure the following roles for users in your
organization:

Organizer. A user needs to have meeting organization permissions to create a meeting request and
invite others to join the meeting. An organizer can also review meeting reports after a meeting is
complete. By default, only users assigned the Office 365 Global admin role can organize meetings.

Producer. A user with producer permissions can manage meeting content such as live or dial-in
presentations, audio or video sources, and Microsoft PowerPoint decks. Producers can also record
meetings and post recordings to Office 365 Video.

Event team member. Event team members can contribute to the event as a presenter.

Attendee. Attendees do not have any presenter permissions; they can only attend and view a
meeting.

You cannot schedule Skype Meeting Broadcast in Outlook; instead, you have to connect to
https://broadcast.skype.com, which is the scheduling portal. After you sign in to the portal, you can
schedule a Skype Meeting Broadcast before sending an invitation.
The steps for joining a Skype Meeting Broadcast are the same as joining any other meeting in
Skype for Business, with one exception. Even though users connect by using the familiar method,
participants will not receive any presentation until a presenter turns on audio. In a traditional
Skype for Business meeting, audio is not a requirement.

When running a Skype Meeting Broadcast, you can use a web browser and the Skype for Business Web
App, or you can use the Skype for Business 2015 client. Regardless, the client layout and the options
change slightly when in a broadcast session. For example, you can only show one video feed at a time,
and the only sharing that can occur is by using PowerPoint via Office Web Apps Server, or Office Online
Server.

Configuring Skype Meeting Broadcast


To enable and configure Skype Meeting Broadcast, you must configure certain settings by using
Windows PowerShell. However, before you can do that, you must connect to Skype for Business Online
by using an Office 365 global administrator's credentials.

1. To view the current Skype Meeting Broadcast configuration, run the following command:

Get-CsBroadcastMeetingConfiguration

2. By default, the EnableBroadcastMeeting parameter is set to False. You can change this to True by
running the following command:

Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True



3. Before users can configure meeting broadcasts, you need to enable external communications for your
organization, and you need to ensure that access to the meeting broadcast domains is not blocked.
You must enable the Let people use Skype for Business to communicate with Skype users
outside your organization option. If you are limiting external access by domain, you need to ensure
that the following domains are on the allowed domain list:
o noammeetings.lync.com

o emeameetings.lync.com

o apacmeetings.lync.com

o resources.lync.com

4. If you are limiting the URLs and IP addresses that your users can access on the Internet, you need to
ensure that users can access the following URLs and domains.

URLs                             Domains

https://broadcast.skype.com      Skype.com

https://*.broadcast.skype.com    *.skype.com

http://*.microsoftonline.com     *.microsoftonline.com

https://*.microsoftonline.com    *.microsoftonline.com

http://aka.ms                    aka.ms

https://*.infra.lync.com         *.infra.lync.com

5. After enabling Skype Meeting Broadcast, connect to https://broadcast.skype.com to create a new
meeting. When you create a new meeting, you can add your team members and choose whether to
allow anonymous users or to limit access to specified users or all users in your organization. You can
also create an Outlook invitation to invite users to the broadcast.
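The following script is an added example, not part of the course, that carries out steps 1 to 3 of this procedure from Windows PowerShell: it turns on Skype Meeting Broadcast only if it is off, and then checks the external communications prerequisites (external access on, Skype user communication on, the four meeting domains neither blocked nor missing from an explicit allow list). It assumes a session imported with global administrator credentials; the type name used to recognise the allow-all object is an assumption noted in the code.

```powershell
# Added example (not from the course): enable Skype Meeting Broadcast and verify
# the federation prerequisites before users try to schedule a broadcast.
# Assumes a session imported with global administrator credentials.

# Meeting domains that step 3 requires on the allowed domain list.
$BroadcastDomains = @(
    'noammeetings.lync.com'
    'emeameetings.lync.com'
    'apacmeetings.lync.com'
    'resources.lync.com'
)

function Enable-AdatumMeetingBroadcast {
    # Idempotent: only write when the setting is not already on.
    $current = Get-CsBroadcastMeetingConfiguration
    if (-not $current.EnableBroadcastMeeting) {
        Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $true
    }
    return (Get-CsBroadcastMeetingConfiguration).EnableBroadcastMeeting
}

function Test-AdatumBroadcastPrerequisites {
    param(
        [string[]]$RequiredDomains = $BroadcastDomains,
        [switch]$Fix   # add missing allow-list entries; never changes the other switches
    )

    $fed = Get-CsTenantFederationConfiguration
    $problems = @()

    if (-not $fed.AllowFederatedUsers) { $problems += 'External access is turned off completely' }
    if (-not $fed.AllowPublicUsers)    { $problems += 'Communication with Skype users is not enabled' }

    # A required domain on the blocked list wins over any allow entry.
    $blocked = @($fed.BlockedDomains | ForEach-Object { $_.Domain })
    foreach ($d in $RequiredDomains) {
        if ($blocked -contains $d) { $problems += "$d is on the blocked domains list" }
    }

    # Only an explicit allow list ("On only for allowed domains") needs the entries.
    # Assumption: the allow-all object's .NET type is named AllowAllKnownDomains.
    if ($fed.AllowedDomains.GetType().Name -ne 'AllowAllKnownDomains') {
        $listed = @($fed.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })
        foreach ($d in $RequiredDomains) {
            if ($listed -contains $d) { continue }
            if ($Fix) {
                $pattern = New-CsEdgeDomainPattern -Domain $d
                Set-CsTenantFederationConfiguration -AllowedDomains @{ Add = $pattern }
            } else {
                $problems += "Allowed domains list is missing $d"
            }
        }
    }

    if ($problems.Count -eq 0) { Write-Output 'Broadcast prerequisites satisfied' }
    else { $problems | ForEach-Object { Write-Output "PROBLEM: $_" } }
    return ($problems.Count -eq 0)
}

Enable-AdatumMeetingBroadcast
Test-AdatumBroadcastPrerequisites
```

The -Fix switch deliberately repairs only the allow list; enabling external access or Skype user communication is a policy decision that the script reports rather than makes.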

Check Your Knowledge


Question

You are preparing your Windows 10 workstation to manage Skype for Business Online by using the
Windows PowerShell command-line interface. What software do you need to install on the
computer?

Select the correct answer.

Windows PowerShell 3.0

Microsoft Online Services Sign-In Assistant

Skype for Business Online module for Windows PowerShell

Windows Azure Active Directory module for Windows PowerShell



Question: Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can invite users from outside of your organization to Skype Meeting Broadcast, but only as
attendees, not as presenters.

Lesson 2
Configuring Skype for Business Online users and client connectivity
After configuring Skype for Business Online service settings, the next step is to configure user settings. By
default, all users that have an appropriate license have access to Skype for Business Online, and the users
will have full access to all Skype for Business Online functionality that you configured for your
organization. You might want to change this default configuration for some or all users.

Lesson Objectives
After completing this lesson, you will be able to:

Explain how to configure audio and video settings for users.

Explain how to configure external communications for users.


Describe the different Skype for Business Online client options.

Configuring audio and video settings for users


By default, users who are assigned a license that
includes Skype for Business Online can use all
functionalities that you have configured for your
organization. You can modify the functionality that
is available to a specific user by editing the user
settings in the Office 365 admin center or the Skype
for Business admin center.

If you want to prevent a licensed user from using Skype for Business Online, you can remove this
service by editing the user properties in Office 365 admin center. To do this, edit the user license
settings, and remove the Skype for Business option.

To edit user settings, select the users tab in the Skype for Business admin center, select the user account,
and then select the Edit icon. You can configure the following settings on the general tab:

Audio and video. This setting enables you to select one of four options for audio and video
capabilities:

o None

o Audio only

o Audio and video

o Audio and HD video

Record conversations and meetings. This setting defines whether a user is allowed to use the
record option to record meetings.

Allow anonymous attendees to dial-out. This setting enables unauthenticated meeting attendees
to be called by the conferencing service instead of having to dial in directly to the service.

For compliance, turn off non-archived features. This setting turns off the features that are not
archived when an organization implements the Microsoft Exchange in-place hold feature. You should
use this option if your organization is legally bound to archive electronically stored data.

You cannot manage user settings by using Windows PowerShell, except for assigning and configuring
audio conferencing providers (ACPs). You can use the Get-CsOnlineUser cmdlet to view information
about your users.

Configuring external communications for users


External communications are typically configured at
the organizational level to allow users to
communicate with other users outside of the
organization who use Skype for Business Online or
an on-premises version of Skype for Business, Lync
Server, or the Skype public IM service. However,
Skype for Business Online allows you to configure
this setting on a per-user basis.

You can configure the following settings on the external communications page:

Choose people outside of your organization that the user can communicate with:

o External Skype for Business users. If you select this option, the user will be able to
communicate with all external domains that you have configured for the organization.

o External Skype users. To select this option, you must select the External Skype for Business
users option. Selecting this option enables the user to communicate with users on the Skype
public service.

Skype for Business Online client options


You can use the following Skype clients with Skype
for Business Online:

Skype for Business 2016 and Skype for Business 2015 clients. These clients provide full access to
Skype presence, IM, and conferencing capabilities.

Microsoft Lync 2013 for Office 365 client. This client provides full access to Skype presence, IM, and
conferencing capabilities. It includes enhanced features that are not available with Lync 2013 Basic,
such as multiparty video (Gallery View), Microsoft OneNote meeting notes, recording, and calendar
delegation.

Lync 2013 Basic. This locally installed client provides a scaled-down set of Skype presence, IM, and
conferencing features. The Lync 2013 Basic client is available for organizations that have a
subscription that includes Skype for Business Online but not Microsoft Office 365 ProPlus. Lync Basic
does not provide the same enhanced features as the full Lync 2013 client that was described above.
The Office 365 admin center contains information about how to download the current version of Lync
Basic.

Lync Windows Store app. This Lync app is optimized for touch, and it was designed specifically for
Windows 8 and Windows RT. Users can download this app from the Windows Store.

Skype for Business Web App. The web-based Skype for Business Web App client offers users IM in
meetings, enhanced application and desktop sharing, a whiteboard, and presenter access controls.
Additionally, Skype for Business Web App now includes PC-based audio and video. Skype for Business
Web App is designed mainly for external users who are invited to Skype Meetings and for employees
who are not using their usual computer during a meeting. Skype for Business Web App supports
Windows and Macintosh operating systems only.

Skype for Business Mobile app clients. They extend Skype for Business features to users' mobile
devices. Skype for Business Mobile app clients provide voice and video over wireless connections, rich
presence, IM, conferencing, and calling features from a single interface. The Skype for Business
Mobile app is available for Windows Phone, iOS (iPhone/iPad), and for Android.

Skype for Business for Mac. This client provides Mac users with integrated presence, IM, conferencing,
and audio and video capabilities, in addition to desktop sharing, application sharing, and file sharing.

Additional Reading: For more information on the available Skype for Business features for
different clients, refer to: Client comparison tables for Skype for Business Server 2015 at:
http://aka.ms/us67gj

Additional Reading: For more information on the available Skype for Business features for
different mobile device platforms, refer to: Mobile client comparison tables for Skype for
Business at: http://aka.ms/mrxvgx

Question: You need to ensure that only specific users in your organization can communicate
with users in other organizations who are using Skype for Business. However, all other users in
your organization should be blocked. How would you configure Skype for Business Online to
achieve this?

Lesson 3
Planning voice integration with Skype for Business Online
Many organizations that have deployed Skype for Business Server 2015 on-premises use the Skype for
Business infrastructure to provide telephony and voice functionality, including connectivity to the public
switched telephone network (PSTN) and mobile phones. Skype for Business Online has enabled dial-in
conferencing for audio conferences through non-Microsoft partners for some time. Some of the most
recent additions to Skype for Business Online have been new features that provide much of the same
functionality as Enterprise Voice does for on-premises deployments.

Lesson Objectives
After completing this lesson, you will be able to:

Describe voice integration options.

Explain how to plan for dial-in conferencing.

Explain how to configure dial-in conferencing with an ACP.

Explain how to configure dial-in conferencing with a Microsoft conferencing bridge.

Describe Cloud PBX features.

Describe the PSTN Calling service.

Describe how to configure PSTN connectivity with an on-premises solution.

Explain how to plan a Cloud PBX solution.

Overview of voice integration options

With an on-premises deployment of Skype for Business Server, you have the option to allow and configure
Enterprise Voice. Enterprise Voice provides full telephony functionality for an organization, enabling users
to utilize Lync clients, Skype for Business clients, or Voice over Internet Protocol (VoIP) devices to place or
receive phone calls from other organizational users or from external users. Skype for Business Server
provides full PBX functionality, in addition to various options for connecting an on-premises PBX with
external PSTN networks.

Skype for Business Online provides similar options for integrating voice functionality. The following
options are available:

Dial-in conferencing by using a non-Microsoft provider. This allows users to join meetings by using a
phone rather than using a Lync or Skype for Business client. You can provide internal or external users
with a local or toll-free phone number, and users can utilize that number to connect to an audio
conference. For this option, you need to set up a subscription with a non-Microsoft dial-in conferencing
provider, also called an audio conferencing provider (ACP), and you need to configure users to utilize
that provider.

To enable dial-in conferencing with a non-Microsoft provider, you must subscribe to a Skype for
Business Online Plan 2, Office 365 Enterprise E1, or Office 365 Enterprise E3 license.

Cloud PBX. This provides a full Enterprise Voice solution that Office 365 hosts. With Cloud PBX, you
can replace your on-premises PBX solution, and you can provide users with a full-featured telephony
experience, including voice mail. Users can place phone calls from their computer-based clients or by
using other VoIP devices. Cloud PBX can integrate with your on-premises PSTN gateway solution, or
you can use a cloud-based PSTN gateway solution.

To enable Cloud PBX, you must subscribe to a Skype for Business Online Plan 2, Office 365 Enterprise
E1, or Office 365 Enterprise E3 license, and you must add the Skype for Business Cloud PBX add-in.
You can also subscribe to an Office 365 Enterprise E5 license, which includes the Skype for Business
Cloud PBX add-in.

Voice-calling plans. If you use Cloud PBX and choose cloud-based PSTN integration, you can
subscribe to voice-calling plans that enable users to make calls to PSTN phone numbers by using
Cloud PBX. You can subscribe to a Skype for Business PSTN Local Calling plan or a Skype for Business
PSTN Local and International Calling plan.

To use voice-calling plans, you must have a subscription that provides Cloud PBX, and you must add
the voice-calling plan.

PSTN conferencing. If you enable Cloud PBX, you can also enable PSTN conferencing. PSTN
conferencing is similar to dial-in conferencing in that you can provide PSTN dial-in access to
meetings. However, with PSTN Conferencing, you use the Cloud PBX solution rather than a non-
Microsoft provider to enable dial-in access.

To enable PSTN conferencing, you must subscribe to a Skype for Business Online Plan 2, Office 365
Enterprise E1, or Office 365 Enterprise E3 license, and you must add the PSTN Conferencing add-in. You
can also subscribe to an Office 365 Enterprise E5 license, which includes both the Skype for Business
Cloud PBX and the PSTN Conferencing add-ins.

Additional Reading: For more information on the licensing requirements for each of the
voice integration options, refer to: Skype for Business Online licensing overview at:
http://aka.ms/tm4tg0

Planning dial-in conferencing

Dial-in conferencing provides users with audio access to meetings from a phone instead of having users
connect to meetings by using clients from mobile devices or PCs. Many organizations provide dial-in
meetings for users who are outside the office, or for users who are outside the organization.

Choosing a dial-in conferencing provider

When you plan your dial-in conferencing provider, the first consideration is whether to use an ACP or to
use an Office 365-only solution for providing dial-in conferencing:

ACP. An ACP provides a conference bridge, PSTN access, and meeting access, and it integrates with Skype
for Business Online. In this scenario, users call the ACP conference bridge. If access to the conference is
limited to authenticated users, the ACP authenticates the user and then provides access to the meeting.

Microsoft conferencing bridge. With this option, Microsoft provides all dial-in conferencing
components. Users dial in to a Microsoft conference bridge, and Office 365 handles all
authentications. This option is easier because you can manage all service and user settings from one
location, and users only need to remember their Office 365 credentials to access conferences.

Note: You can use both a non-Microsoft provider and a Microsoft conferencing bridge for
dial-in conferencing, but each user can only be configured with one or the other option.

Planning dial-in conferencing features


When choosing the dial-in conferencing provider, you need to make decisions regarding the features that
you want to enable for dial-in conferencing. A few of these decisions include:

Do you want to provide only local dial-in numbers, or do you also want to provide toll or toll-free
phone numbers?

Do you need to provide international toll or toll-free numbers?

Do you want to allow users to connect to a conference by using a computer-based client?

Do you want to provide users with the option to have a conference provider call their phones to
provide audio for a conference?

Do you want to provide anonymous, external access to dial-in conferences, or do you want to provide
access to internal, authenticated users only?

Do you need to provide dial-in users support for multiple languages?

Additional Reading: For more information on the features that ACPs and Microsoft dial-in
conferencing provide, refer to: Dial-in conferencing in Office 365 at: http://aka.ms/Dt6jbp

Configuring dial-in conferencing with an ACP

To implement dial-in conferencing by using an ACP, perform the following actions:

1. Select a dial-in conferencing provider.

2. Set up an account with that provider.

3. Export users and import settings.

4. Optionally, you might also need to manage user settings manually.

Selecting a dial-in conferencing provider

The choice of dial-in conferencing providers will vary according to which country/region you are in. To
see which conferencing providers are available in your country/region, click the Find a provider link on
the third-party provider tab in the Skype for Business Online admin center. The link takes you to the
Microsoft Pinpoint website, which lists conferencing providers for your location.

If your organization provides dial-in conferencing services by using an on-premises solution, you might
already have a dial-in conferencing provider. You should check whether the provider also provides dial-in
functionality for Skype for Business Online and Office 365.

Setting up a dial-in conferencing account


If you do not have an existing dial-in conferencing provider or your current provider does not support
Skype for Business Online, you will need to set up another dial-in conferencing account. The process for
setting up an account varies depending on the provider.

Export users and import settings


After you have set up an account, you need to export your users by using the export wizard link on the
third-party provider tab in the Skype for Business Online admin center. This action generates a comma-
separated value file with all the user Session Initiation Protocol account names. You can then send this file
to the ACP, and the provider then returns it with the completed provider name, toll number, toll-free
number, and passcode. You can then import this file by using the import wizard.

Configuring user settings for dial-in conferencing


You can also manually configure dial-in conferencing settings for users. You can configure:

The provider name. This enables you to choose your ACP from a list of supported providers for your
country/region.

Toll number and toll-free number. The ACP supplies you these phone numbers. The numbers that
you enter here appear in the same format in Skype for Business Meeting requests. The toll number is
a required setting, but the toll-free number is optional.

Passcode. This is the code that meeting participants enter when they join meetings.

Configuring dial-in conferencing with a Microsoft conferencing bridge

Instead of using an ACP, you can use an Office 365-only option to provide dial-in conferencing for users.

To configure dial-in conferencing by using a Microsoft conferencing bridge, perform the following steps:

1. Verify that you have a subscription that allows you to add the PSTN Conferencing add-in. You must
have an Office 365 Enterprise E1, Office 365 Enterprise E3, Office 365 Enterprise E5, or a Skype for
Business Online Plan 2 subscription, and you must assign a license from this subscription to each user
who will be allowed to use dial-in conferencing.

2. Purchase the PSTN Conferencing add-in and assign it to each user. If you have an Office 365
Enterprise E5 subscription, the PSTN Conferencing add-in is already included.

3. Configure dial-in user settings for all users who will be allowed to use dial-in conferencing.

Overview of Cloud PBX

Cloud PBX is an online PBX solution that fully integrates with Office 365 and Skype for Business Online.
By deploying Cloud PBX, you can replace your on-premises PBX system with a full-featured PBX solution.

Cloud PBX provides almost the same functionality as an on-premises PBX that is integrated with
on-premises Skype for Business. Users can make calls, receive calls, and they can perform call control tasks
such as transferring calls or parking calls. Like on-premises Skype for Business users, Cloud PBX users can
use their Lync or Skype for Business clients on a computer or mobile device, or they can use VoIP phones
that work with Skype for Business. Because Cloud PBX fully integrates with Office 365, users can utilize the
presence information that various apps provide to identify the status of their contacts or other users in
their address books, and then they can place a call to those users.

If you implement Cloud PBX, calls between users in your organization are handled entirely in the cloud,
without ever connecting to a PSTN. If users are in different locations, they can make toll-free calls through
Cloud PBX.

Another Cloud PBX feature is voice mail. All Cloud PBX-enabled users have access to voice mail, which
allows users to listen to messages by using the Skype for Business client. The voice mail is delivered to a
user's mailbox as an email with an audio attachment.

One of the features that most on-premises PBX solutions provide is the ability to place and receive calls
from PSTN and mobile phones. You can also connect Cloud PBX with PSTN to provide full dial-in and
dial-out access to PSTN and mobile phones. To provide this functionality, you can:

Add the PSTN Calling service to Cloud PBX. With this option, Microsoft provides PSTN connectivity so
that all incoming and outgoing PSTN calls go through the Microsoft infrastructure.

Integrate Cloud PBX with an on-premises PSTN connectivity solution. With this option, you can use
your existing PSTN connection to provide PSTN connectivity. Cloud PBX users are located in the
cloud, but when they place or receive a PSTN phone call, the call passes through your local
infrastructure to the PSTN. This might be attractive for organizations that have PSTN solutions in
place because it allows users to retain the same phone numbers.

PSTN Calling service

PSTN calling overview

When you configure users to utilize Cloud PBX, they are assigned phone numbers so that they can place
and receive calls by using VoIP phones or softphones on their computers or mobile devices. To obtain
these phone numbers, you can reserve phone numbers when you sign up for Cloud PBX, or you can
transfer the phone numbers that are used in your organization to Cloud PBX.

In addition to assigning a Cloud PBX license to users and assigning phone numbers, you also need to
assign a PSTN voice-calling plan to users. Two options are available:

Skype for Business PSTN Local Calling. With this option, users can place calls to PSTN phone numbers
that are in the same country/region as the user. Each licensed user gets 3,000 domestic dial-out
minutes, 60 minutes of conference calling to phones, and unlimited incoming calls each month.

Skype for Business PSTN Local and International Calling. With this option, users can place calls to
PSTN phone numbers that are in the same country/region as the user and to international numbers in
196 countries. Each licensed user gets 3,000 domestic dial-out minutes, 600 international dial-out
minutes, 60 minutes of conference calling to phones, and unlimited incoming calls each month.

Not all users in your organization have to use the same calling plan. You can buy both types of plans and
assign different calling plans to different users.

Note: At the time of writing this course, PSTN calling is only available to organizations that
have a United States-based Office 365 billing address.

Additional Reading: For more information on the PSTN voice-calling plans, refer to:
Skype for Business Online PSTN services use terms at: http://aka.ms/gv7f7f

To configure PSTN calling, perform the following steps:

1. Purchase and assign appropriate licenses and PSTN voice-calling plans for your users.

2. Get the phone numbers for your organization. You acquire phone numbers for your organization by
requesting phone numbers from Office 365, or you can use the phone numbers that are already
assigned to you by your carrier.

Additional Reading: For more information on how to port existing phone numbers to
Office 365, refer to: Transfer phone numbers over to Skype for Business Online at:
http://aka.ms/I3rygm

3. Configure emergency addresses and locations for your organization. Before you start assigning phone
numbers to users, you must configure at least one emergency address, and if applicable, one or more
emergency locations. Emergency locations are associated with an emergency address, but they
provide a more exact location within a building.

Additional Reading: For more information on how to configure an emergency address,
refer to: Add or remove an emergency address for your organization at: http://aka.ms/meu76q

You must have a subscription that includes Cloud PBX and a voice-calling plan before you can
configure addresses and locations.

4. Assign phone numbers to users. When assigning phone numbers, you must associate users with
emergency addresses.
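Steps 3 and 4 of the procedure above, carried out with the Skype for Business Online module for Windows PowerShell instead of the admin center. This is an added example, not part of the course manual; it assumes the licenses and calling plan from steps 1 and 2 are already assigned, that the phone number already exists in the tenant, that a remote session has been imported, and that the cmdlets New-CsOnlineLisCivicAddress, New-CsOnlineLisLocation, Set-CsOnlineVoiceUser and Get-CsOnlineVoiceUser accept the parameters shown. The address, phone number, and user name are constructed placeholders.

```powershell
# Added example (not from the course): register an emergency address and location, then
# assign a phone number to a user and tie it to that location. All values are constructed
# placeholders; replace them with your own. Assumes a Cloud PBX license and a PSTN calling
# plan are already assigned to the user and a remote session has been imported.

# 3a. Register the emergency (civic) address. The returned object carries the CivicAddressId
#     that the location and the number assignment refer to.
$address = New-CsOnlineLisCivicAddress -CompanyName "A. Datum Corporation" `
    -HouseNumber "1" -StreetName "Main Street" -City "Seattle" `
    -StateOrProvince "WA" -PostalCode "98101" -CountryOrRegion "US" `
    -Description "Seattle HQ (constructed sample address)"

# 3b. Add an emergency location that narrows the address down inside the building.
$location = New-CsOnlineLisLocation -CivicAddressId $address.CivicAddressId `
    -Location "Floor 3, Room 301"

# 4.  Assign the phone number to the user and associate it with the emergency location.
#     The number must already be in the tenant (requested from Office 365 or ported in).
$upn    = "Holly@Adatumyyxxxx.onmicrosoft.com"   # placeholder tenant domain
$number = "+12065550100"                         # constructed sample number
Set-CsOnlineVoiceUser -Identity $upn -TelephoneNumber $number -LocationID $location.LocationId

# Check: the address must show as validated and the user must carry both a number and a
# location. An unvalidated address is the usual reason the assignment is rejected.
Get-CsOnlineLisCivicAddress -CivicAddressId $address.CivicAddressId |
    Select-Object CivicAddressId, ValidationStatus
Get-CsOnlineVoiceUser -Identity $upn | Select-Object Number, Location
```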

PSTN connectivity with an on-premises solution

The second option for enabling PSTN connectivity for Cloud PBX users is to use an existing PSTN
connection in your organization and configure Cloud PBX to route outgoing and incoming calls through
that connection. Currently, two options are available for configuring this connectivity.

Using an existing Skype for Business Server deployment

If you have already configured Enterprise Voice with PSTN connectivity in your on-premises environment,
you can use that infrastructure to provide PSTN connectivity for Cloud PBX. To implement this solution,
you need to:

Deploy an edge server environment that provides connectivity between the on-premises environment
and Skype for Business Online.

Deploy a Mediation Server environment that provides connectivity between Skype for Business Server
and PSTN gateways.

Deploy at least one Skype for Business server that provides the Central Management store role.

You can use Skype for Business Server 2015 or Lync Server 2013 for an on-premises deployment.

Additional Reading: For more information on how to plan for and configure PSTN
connectivity through an existing Skype for Business Server deployment, refer to:
http://aka.ms/jawfqa and http://aka.ms/ul1d3b

Using Skype for Business Cloud Connector edition


Cloud Connector edition is a Skype for Business Server hybrid option that provides a set of virtual
machines that implement connectivity between Cloud PBX and an on-premises PSTN connection.
Essentially, the virtual machines provide the same infrastructure that is required if you use an on-premises
Skype for Business Server deployment. With this option, you download and install virtual machines in your
Windows Server 2012 or later Hyper-V environment, and then you follow the configuration steps to create
Skype for Business Server 2015 servers and to configure connectivity to a PSTN gateway. Finally, you
configure connectivity between the on-premises environment and Skype for Business Online.

You should consider the following while planning the Cloud Connector deployment:

Cloud Connector uses the tenant admin credentials of Skype for Business Online.

You do not need to have a full on-premises Skype for Business server infrastructure when using Cloud
Connector.

Cloud Connector cannot co-exist with existing Lync or Skype for Business on-premises servers.

Cloud Connector is available worldwide.

With Cloud Connector, your users are homed online.

You can keep your current PSTN carrier, if required.

If you want to provide dial-in conferencing to the users who are hosted on Cloud Connector, you can
purchase PSTN conferencing from Microsoft or from audio conferencing provider (ACP) partners.

Reference Links: For more information on how to plan for and configure Cloud Connector
edition, refer to: Plan for Skype for Business Cloud Connector Edition at: http://aka.ms/otqqzu
and Configure Skype for Business Cloud Connector Edition at: http://aka.ms/hmurjm

Planning a Cloud PBX solution

Cloud PBX provides a complete cloud-based Enterprise Voice solution. With Cloud PBX, you can provide
dial-in conferencing and a full-featured call solution for internal and external users, including PSTN or
mobile users. When planning your Cloud PBX solution, you need to:

Understand your organization's requirements. The first step in planning any information technology
infrastructure is to understand the business problem that you are trying to solve. If your organization is
only interested in providing dial-in conferencing features for a few users, and most of your voice
infrastructure will remain on-premises, your best solution might be to implement dial-in conferencing by
using an ACP. The cost and complexity of this implementation might be less than a full Cloud PBX
deployment. However, if your organization is considering providing full PBX functionality by using a
cloud-based solution, then Cloud PBX is likely to be an attractive option.

Not all features are currently available in Cloud PBX, so you might not be able to move all of your voice
functionality to the cloud. For example, if your organization needs Response Groups, Group Call Pickup, or
Call Park, you might need to retain an on-premises PBX solution until these features become available.

Understand your organization's infrastructure. If your organization currently has a reliable on-premises
PBX infrastructure, and this infrastructure is meeting all of your organization's needs, then it makes sense
to continue using that infrastructure and to implement only those Cloud PBX components that are not
available with the PBX. However, if your current PBX solution is not meeting business requirements, or if it
does not have the capacity to expand as your organization expands, then implementing some Cloud PBX
components might be the best solution.

If you have already deployed Skype for Business Server 2015 with Enterprise Voice, then you might
choose to implement a hybrid solution that continues to use the on-premises environment while also
taking advantage of some Cloud PBX features for some or all users.

You should also consider your organization's Internet connectivity when deciding which Cloud PBX
components to implement. If your Internet connection has limited bandwidth or high latency, or if
the connection is not highly reliable, you might choose not to put the additional traffic that is created
by voice on that connection.

If you are concerned about your network bandwidth and performance, consider using Microsoft
Azure ExpressRoute to optimize your connectivity to Office 365.

Additional Reading: For more information, refer to: ExpressRoute and QoS in Skype for
Business Online at: http://aka.ms/edfrbb

Consider ease of management. One significant benefit of using Cloud PBX is that it provides a single
interface for managing all of the voice integration components. Rather than having to manage one
environment for IM and conferencing and a different environment for voice, you can manage all
components from a single location. Additionally, when you use Office 365 to host all components,
you do not have to manage any servers or other infrastructure components.

Consider geographic limitations. Not all Office 365 features are available in all countries/regions at
the same time. If a Cloud PBX feature that you urgently need is not available in your country/region,
you might need to consider another solution as an interim or permanent solution.

Question: Cloud PBX is a relatively new offering in Skype for Business Online. Do you think that
your organization will be interested in this feature? What changes would you need to make in
your organization to start using Cloud PBX?

Lab: Configuring Skype for Business Online


Scenario
As part of an Office 365 implementation, A. Datum Corporation wants to use Skype for Business Online to
provide IM and online conferencing. You need to configure the Skype for Business Online service settings
and the user settings to meet A. Datum's requirements.

Objectives
After completing this lab, you will be able to:

Configure Skype for Business Online organization settings.

Configure Skype for Business Online user settings.

Configure a Skype Meeting Broadcast.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL3, and
20347A-LON-CL4

LON-DC1, LON-DS1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd

LON-CL3

o Sign in as Adatum\Beth using the password Pa55w.rd

LON-CL4

o Sign in as Adatum\Ada using the password Pa55w.rd

In all the tasks:

Where you see references to Adatumyyxxxx.onmicrosoft.com, replace Adatumyyxxxx with your unique
Office 365 name that is displayed in the online lab portal.

Where you see references to Adatumyyxxxx.hostdomain.com, replace the Adatumyyxxxx with your
unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines (use only the VMs required for your lab):

LON-DC1

o Sign in as Adatum\administrator

LON-DS1

o Sign in as Adatum\administrator

LON-CL1

o Sign in as Adatum\Holly by using the password Pa55w.rd

LON-CL3

o Sign in as Adatum\Beth by using the password Pa55w.rd

LON-CL4

o Sign in as Adatum\Ada by using the password Pa55w.rd

Question: How will you change the Windows PowerShell steps that you ran in the lab if you want
to block all communication with external domains except for litware.com?

Question: Do you think that your organization will use Skype Meeting Broadcast?

Module Review and Takeaways


Tools
Skype for Business admin center. Accessible from the Office 365 admin center, use this tool to configure
Skype for Business Online service settings and user settings.

Skype for Business Server Management Shell. Use this tool to configure Skype for Business Online
settings.

The Skype for Business Online module for Windows PowerShell. This provides the Windows
PowerShell commands that are required to configure Skype for Business Online when you use the
Skype for Business Server Management Shell.

Common Issues and Troubleshooting Tips

Common Issue                                               Troubleshooting Tip

Users cannot authenticate to Skype for Business Online.

Module 9
Planning and configuring SharePoint Online
Contents:
Module Overview 9-1

Lesson 1: Configuring SharePoint Online services 9-2

Lesson 2: Planning and configuring SharePoint Online site collections 9-10

Lesson 3: Planning and configuring external user sharing 9-23

Lab: Configuring SharePoint Online 9-36

Module Review and Takeaways 9-37

Module Overview
SharePoint Online is one of the most important services within Office 365. It provides users the capabilities
to work together, share documents, and plan their collaboration. SharePoint Online supports internal and
external collaboration and helps users find information more quickly and easily. Users access all these
services through a web browser, which means that whether users are working on-site or off-site, they are
always able to accomplish tasks and work together. Some of the SharePoint Online features are now
available only online and not in the on-premises version.

This module describes the administrative features available within SharePoint Online and the most
common configuration tasks for any administrator who starts using SharePoint Online. This module
describes the concept of site collections and the different sharing options within SharePoint Online. A
brief overview of additional portals, such as the video portal, is also provided.

Objectives
After completing this module, you will be able to:

Configure SharePoint Online services.

Plan and configure SharePoint Online site collections.

Plan and configure external user sharing.



Lesson 1
Configuring SharePoint Online services
You can use SharePoint Online as a collaboration platform that enables internal employees both to
collaborate among themselves and to collaborate with members of external organizations. This lesson
describes the administrative functions within SharePoint Online and provides an overview of the
SharePoint admin center. This lesson also describes commonly used administrative features and
configuration options for the overall SharePoint Online experience.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the use of the SharePoint admin center.

Configure SharePoint Online settings.

Describe how to configure SharePoint Online user profiles.

Add SharePoint Online apps.

Configure Office 365 Video.

Overview of the SharePoint admin center

The main location where you manage SharePoint Online is called the SharePoint admin center. As the
SharePoint Online administrator, you can use the SharePoint admin center to:

Create and manage site collections.

Allocate and monitor site collection storage.

Manage permissions and users, and help secure content on sites.

Manage user profiles and configure personal sites.

Enable and configure specific SharePoint Online features or global settings.


You can access the SharePoint admin center either through a direct link or through the Office 365 admin
center. The direct link looks as follows: https://tenantname-admin.sharepoint.com

To access the SharePoint admin center through the Office 365 admin center, you have to first sign in to
https://portal.office.com. Then, you can switch to the Office 365 admin center. Here, you can access the
SharePoint admin center by clicking the Admin centers menu and then clicking SharePoint.

A global administrator of Office 365 automatically becomes a SharePoint admin center administrator. It is
also possible to assign an administrator for the SharePoint admin center alone.

To delegate permission for SharePoint admin center alone, you should:

1. Open the Office 365 admin center.

2. Under Users, select the user who will be the SharePoint Online administrator.

3. In the Roles section, click Edit.

4. Select the Customized administrator, and then click SharePoint Administrator.
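The same delegation, done with the Azure Active Directory module for Windows PowerShell (MSOnline) rather than through the admin center, together with a membership check so that the role can be reviewed and revoked later. This is an added example and not part of the course manual; it assumes the MSOnline module is installed, that the SharePoint Administrator role is exposed to MSOnline under the name "SharePoint Service Administrator", and the user name is a constructed placeholder.

```powershell
# Added example (not from the course): grant a user the SharePoint Administrator role only,
# not Global Administrator, then list the role's members. Assumes the MSOnline module is
# installed; the user name is a constructed placeholder.

Connect-MsolService   # prompts for global administrator credentials

$roleName = "SharePoint Service Administrator"   # MSOnline name of the SharePoint Administrator role
$role     = Get-MsolRole -RoleName $roleName
$upn      = "Beth@Adatumyyxxxx.onmicrosoft.com"   # placeholder tenant domain

# Least privilege: the user gets the SharePoint admin center and nothing else.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn

# Verify the grant and review the full membership so that stale delegations are noticed.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object EmailAddress, DisplayName, RoleMemberType

# Revoke the delegation again when the responsibility ends.
# Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberEmailAddress $upn
```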



Administrator roles are described in more detail in the Managing Office 365 users and groups module.

Note: Site collection administrators do not have access to the SharePoint Online admin
center.

The main areas that you can access from the SharePoint admin center are:

• Site collections. Here, you can create new site collections and manage them. Site collections are a
tiered set of sites.

• InfoPath. You use InfoPath Forms Services in SharePoint Online to deploy your organization's forms
to your sites, enabling users to fill out these forms in a web browser.

• User profiles. A user profile is the collection of user properties, and the policies and settings
associated with each of those properties, that describe a single user. Here, you also find settings for
your organization, such as the management of promoted sites.

• BCS. In SharePoint Online, you can create Business Connectivity Services (BCS) connections to data
sources, such as Azure SQL Database or Windows Communication Foundation (WCF) web services,
that are outside the SharePoint Online site.

• Term store. Here, you can manage metadata in a central location.

• Records management. You can manage records in place, which means that you can leave a document
in its current location on a site, or store records in a specific archive.

• Search. Here, you can customize the search experience for users. This customization includes defining
searchable managed properties in the search schema, identifying high-quality pages to improve
relevance, managing query rules and result sources, and removing individual results.

• Secure store. The Secure Store Service is a claims-aware authorization service that includes an
encrypted database for storing credentials.

• Apps. You can create an App Catalog site to make internally developed custom apps available for
users to install. Users can find these apps under the From Your Organization filter on the Site
Contents page.

• Sharing. You can set tenant-wide sharing configurations here.

• Settings. Here, you manage SharePoint Online tenant-wide settings such as rights management and
the OneDrive for Business experience, among others.

• Configure hybrid. Here, you can configure SharePoint Online hybrid with an on-premises SharePoint
site.

SharePoint Online software boundaries and limits


If you use SharePoint Online, there are certain software boundaries and limits. Because SharePoint Online
is a multitenant service, you work in a shared environment with many other Office 365 customers.

Some of the limits are:

• The number of site collections per tenant is 500,000.

• You can have up to 2,000 site collections per subsite.

• The file upload limit is 10 gigabytes (GB).

These limits change from time to time, and we recommend that you review them often. These limits are
managed separately from Microsoft Exchange Online limits.

Additional Reading: For more information, refer to: SharePoint Online and OneDrive for
Business software boundaries and limits at: http://aka.ms/jns65q

Configuring SharePoint Online settings


In the SharePoint admin center, you can configure general tenant-wide options that are valid across site
collections and the entire SharePoint Online tenant structure. On the left navigation bar of the SharePoint
admin center, click Settings to configure SharePoint Online tenant-wide options. These options are
discussed in this topic.

Show or hide options


In this setting, you can configure whether the OneDrive for Business and Sites menu items are visible to
users.

Note: These settings only hide Sites and OneDrive for Business within Office 365. The app
launcher and the entry menu no longer show those menu items. If a user knows the direct link to their
OneDrive for Business account or the Sites site, they can still access it.

Site collection storage management


SharePoint Online is allocated a certain amount of storage based on licensed users. This storage is
available to all site collections in the tenant. Within SharePoint Online, you have the option to assign
storage quotas to site collections or let SharePoint Online manage the storage allocation automatically.
You can configure automatic allocation of storage management if there are numerous site collections or if
an administrator must set site collection storage quotas.

OneDrive for Business experience


The updated OneDrive for Business interface is aligned with the consumer OneDrive user interface. The
OneDrive for Business interface is more accessible from mobile devices because of the additional phone
and tablet features. If you select New experience, users who use this new experience can decide for
themselves whether they want to switch back to the classic view. This menu item will no longer be
available as soon as the new UI is the only one available.

Admin center experience


Here, you can choose between a simplified view of the SharePoint admin center and an advanced view.
With the simplified view, only some navigation options are available. They are:

• Site collections

• User profiles

• Settings

• Configure hybrid

Office Graph
Office Graph collects individual activities and relationships across the entire Office suite. Email, social
conversations, meetings, and documents in SharePoint Online and OneDrive for Business are used to
present users with information that is more relevant to them in their Office 365 experience. The Office
Graph represents the relationships and interactions between content and users within Office 365. If you
want to disable Office Graph, and with it access to Office Delve, you can switch Office Graph off in the
Settings menu.

Enterprise social collaboration


With this setting, you can replace the SharePoint Online newsfeed with Yammer Enterprise. This setting
will also disable the newsfeed item in the app launcher and replace it with the Yammer icon. Yammer is
described in more detail in the Planning and configuring an Office 365 collaboration solution module.

Note: If Yammer Enterprise is not enabled, switching to Yammer will disable the Newsfeed
icon in the app launcher but it will not enable the Yammer icon.

Streaming video service


You can enable or disable the video portal in this setting. The video portal is a new portal where you can
upload and manage internal videos within Office 365. Video portal is discussed in more detail later in this
lesson.

Site Pages
You can enable or disable the creation of responsive site pages by users.

Global Experience Version settings


Within this setting, an administrator is able to decide which versions of site collections users can create.

Information Rights Management (IRM)


If the organization needs to use Office 365 information rights services, you can enable them in this
setting. If Azure Rights Management (Azure RMS) is already configured organization-wide, administrators
can assign usage restrictions. This setting enables IRM to protect SharePoint Online lists and libraries.

Site creation
You can let users create their own team sites. Site creation is turned on by default, and users with Create
Subsites permissions can create team sites. By default, these sites are created under the root SharePoint
Online site https://tenantname.sharepoint.com. Under the Start a site option, you can specify the path
under which the team sites that users create are placed and, optionally, a custom template for these sites.

Custom script
With this setting, you can allow or prevent custom script. You can use this setting to maintain the security
and integrity of sites within your SharePoint Online site collections. If custom script is disabled, some
SharePoint Online options are no longer available, such as save as site template, the solutions gallery,
and blogs.

Additional Reading: For more information, refer to: Turn scripting capabilities on or off
at: http://aka.ms/Okimfj
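The tenant-wide settings in this topic, and the custom script setting in particular, can be reviewed from the SharePoint Online Management Shell. The following script is an added example and not course material: it reads the tenant-wide sharing level and reports which site collections still permit custom script, which is the check a reviewer wants before deciding whether to leave scripting on. The tenant name and site URL are placeholders; the cmdlets and the DenyAddAndCustomizePages property are those of the SharePoint Online Management Shell.

```powershell
# Added example, not part of the course: review tenant-wide settings and find
# site collections that still allow custom script. Assumes the SharePoint
# Online Management Shell is installed; <tenantname> is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://<tenantname>-admin.sharepoint.com'

# Tenant-wide settings: the external sharing level is the first thing to read
# in a security review of the tenant.
Get-SPOTenant | Select-Object SharingCapability

# Custom script is controlled per site collection. Get-SPOSite -Limit All
# returns summary objects, so each site is fetched again by URL to populate
# the DenyAddAndCustomizePages property.
$report = foreach ($summary in Get-SPOSite -Limit All) {
    $site = Get-SPOSite -Identity $summary.Url
    [pscustomobject]@{
        Url                      = $site.Url
        Template                 = $site.Template
        # Enabled  = custom script is blocked on this site collection
        # Disabled = custom script is still permitted
        DenyAddAndCustomizePages = $site.DenyAddAndCustomizePages
    }
}

# Site collections where custom script is still permitted.
$report |
    Where-Object { $_.DenyAddAndCustomizePages -eq 'Disabled' } |
    Format-Table Url, Template -AutoSize

# To block custom script on one site collection (placeholder URL):
# Set-SPOSite -Identity 'https://<tenantname>.sharepoint.com/sites/teamsite' -DenyAddAndCustomizePages $true
```

The per-site lookup makes the script slow on tenants with many site collections, but it is the reliable way to read this property; the final Set-SPOSite line is left commented out so that the script only reports until you decide what to change.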

Preview features
Besides the First Release settings within Office 365, an administrator can disable preview features in
SharePoint Online in the following scenarios:

The preview feature has a different Service Level Agreement (SLA) than Office 365.

SharePoint Online compliance boundaries are not met.

Note: The SharePoint Online preview feature is not related to the First Release feature of
Office 365. The First Release feature allows all or a subset of users to access new Office 365
updates as soon as they become available and are rolled out to tenants through Microsoft.

Connected services
SharePoint 2013 workflows use Microsoft Azure Service Bus. You can disable this service in this setting.

Access apps
Access apps are databases that run within, and are hosted by, SharePoint Online. You can enable or
disable Access apps.

Mobile push notifications - OneDrive for Business


This feature allows users to get mobile push notifications for changes to their OneDrive for Business
content.

Mobile push notifications - SharePoint


This feature allows users to get mobile push notifications for changes to their SharePoint content.

Configuring SharePoint Online user profiles


You can also use the SharePoint admin center to configure user profiles. In the user profiles menu item,
you will find settings related to user profiles and the organization.

User profile settings are broadly classified as people settings, organizational settings, and My Site
settings:

• People. In this menu item, you can configure user properties, manage user profiles, manage user
permissions, and perform many other tasks. Detailed information about each user is available,
including the Manager field and other user property fields.

The settings under user profiles influence general settings such as language settings or promoted
sites.

• Organizations. You can use properties in this menu collection to map fields to Active Directory
Domain Services (AD DS) or Lightweight Directory Access Protocol (LDAP)-compliant directory
services.

• My Site settings. With My Site settings, you can manage My Site owners, promoted links, and links
to Office client applications. To verify or update My Site settings, open the Setup My Sites menu
item. Here, you can configure various settings. For example, there is an option to set the read
permission level to grant access to personal sites for selected users only.

o Secondary My Site owner. An important setting is the secondary My Site owner. You can
configure a secondary user for scenarios in which you remove a user from Office 365. In that
case, the manager of that person gets access to the My Site. If there is no manager, the
secondary My Site owner becomes the owner of the My Site.

o Publish Links to Office Client Applications. Use this option to publish selected links to
SharePoint Online sites and lists when opening and saving documents from Office client
applications. Links published here appear under the My SharePoints tab when opening and
saving documents. You can configure this setting for a selected user base.

Adding SharePoint Online apps


You can also use the SharePoint admin center to configure the apps that are available to users. Apps are
small applications that can help you within your Office application or within SharePoint Online. Users
can install these apps from the From your organization menu when they browse for apps. An example of
an app is a calendar app. Using this app in your site collection gives you an easy-to-use calendar in your
team site. Within that menu, there are capabilities to manage the App Catalog at an organizational level.

A SharePoint Online administrator can create an App Catalog site to make either internally developed
apps or third-party apps available to users. Users will find those apps under the From your organization
filter on the Site Contents page.

The following table describes the options available within the From your organization setting.

Option | Description

App Catalog | Use this option to make apps available within your organization. These can be apps developed in the organization or third-party apps. You can make apps for SharePoint Online and Office available here, as well as app requests.

Purchase Apps | Use this option to purchase apps from the SharePoint Store.

Manage Licenses | Use this option for license management of purchased apps.

Configure Store Settings | Use this option to configure tenant-wide settings for apps.

Monitor Apps | Use this option to track the usage of apps as well as review errors.

App permissions | Use this option to manage app access to the tenant.

To manage apps within the App Catalog, perform the following steps:

1. Create an App Catalog site:

a. On the SharePoint Online Administration menu, on the left side, click Apps.

b. Select App Catalog.

c. Create a new App Catalog site and click OK. The App Catalog site collection is created. You can
find it in https://tenantname.sharepoint.com/sites/apps. In the App Catalog site, all apps are
stored for the entire tenant.

2. Add apps to the App Catalog. It is possible to distribute apps for SharePoint Online or for Office. With
this functionality, users can add apps for SharePoint Online to their site collections. Office apps are
available in the on-premises installations of Office 365 ProPlus.

3. Optionally, install an app for all users. If you want an app to be used by all users, you can configure it
to be deployed.

Configuring Office 365 Video


Office 365 Video is part of SharePoint Online. Office 365 Video is built on Microsoft Azure Media Services
in the background, which enables an intranet website portal where people within the organization can
post and view videos. The video portal is part of SharePoint Online, but it is not managed through the
SharePoint admin center. The only available option in the SharePoint admin center is under Settings,
where an administrator can enable or disable the video service.

Note: Microsoft Stream will replace Office 365 Video at a later stage. Microsoft Stream is currently
in public preview.

There are two types of administrative permission levels within the Office 365 Video portal:

• Video admins. Global administrators and SharePoint Online tenant administrators have this
permission level by default. These admins can perform administrative settings within the video portal.

• Channel admins. Channel administrators can create new channels. By default, any user within the
organization has channel administrator rights. A video admin can change this setting.

Video portal settings and preferences


To configure the Office 365 Video portal settings, an administrator with video admin permissions signs in
to Office 365. In the app launcher, the admin clicks Video and opens the video portal. With proper
permissions, the admin has Portal settings available in the video portal.

Within the Portal settings page, the administrator sets permissions as well as the Spotlight Videos setting
and how the videos appear. Another setting here is the preferred channels on the video portal site.

Channel management
Each video is uploaded to a selected channel. A channel admin can create new channels by opening the
video portal, clicking Channels, and then clicking New Channel. The channel admin provides a name for
the channel and assigns a color to it. After the channel is created, users can upload videos to the channel.
In the Channel settings menu, the channel admin can set the permission level of the channel, select
spotlight videos for the channel, and allow or deny Yammer conversations for the channel.

Office 365 Video supports only the codecs and file formats that are supported by Azure Media Services.

Note: For the most up-to-date list of supported codecs and file formats, refer to: Media
Encoder Standard Formats and Codecs at: http://aka.ms/drbvv7

Question: Discuss the advantages and possible disadvantages between SharePoint on-
premises versus SharePoint Online.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

The maximum file size in SharePoint Online is 2 GB.



Lesson 2
Planning and configuring SharePoint Online site
collections
In this lesson, you will learn how to plan and configure SharePoint Online site collections, set resource
quotas and warning levels, set storage quotas for site collections, and configure the name and URL of the
site collection. Using site collections helps you organize your organization's content into sites for different
purposes.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the concept of site collections.

• Describe the types of sites you can create in SharePoint Online and Office 365.

• Plan for site collections.

• Create site collections.

• Configure site collections.

• Manage site collections by using Windows PowerShell.

• Describe the common errors and best practices when managing site collections.

Overview of site collections


A SharePoint Online site collection is a hierarchical group of sites that you, as an administrator of
SharePoint Online, can manage on an individual basis or as a whole. The sites in a site collection share
items such as administration settings, owner, and collection-wide permissions. Each site collection
contains one top-level site that is created automatically when you create the site collection, and a
number of subsites that are below it in the site hierarchy. Subsites can inherit permissions and navigation
from the parent site, or these components can be configured and managed separately. Within SharePoint
Online, there is no farm-level configuration available.

Default site collections


A SharePoint Online tenant contains a set of default site collections. They are:

• App Catalog

• Search Center

• My Site host

• Video portal

• Compliance Center

• E-Discovery Center

These site collections exist as standalone site collections. Some of them may be automatically created
for you when you sign up for Office 365. You may need additional site collections if your organization has
other specialized purposes. For instance, some groups need to restrict access to their content. In this
case, you can create a custom site. SharePoint Online also offers a variety of site collection templates that
help you find the proper template for your organizational needs.

The following table describes the types of sites you can create in SharePoint Online and Office 365.

Site | Description

Team site | The team site is a simple template you can use for teamwork and project collaboration. The site includes libraries and lists for shared documents, announcements, calendars, links, tasks, and a discussion board.

Blog site | The blog site gives you the possibility to have internal blogs available for announcements, ideas, observations, and expertise within your team or organization. The site contains Posts, Comments, and Links menus.

Project site | If you need to manage projects, the project site template provides an easy way to do so, with collaborative features and a Projects Summary Web Part.

Community site | The community site is a site where members can discuss various topics.

Document Center site | This site is for the management of a large number of documents. You can use it as a content archive.

Records Center site | If you need to manage records such as legal or financial documents, you can use the Records Center template. Here, the entire records management process, from records collection through records management to records disposition, is supported.

BI Center site | Use a business intelligence (BI) site to store, manage, share, and view business reports, scorecards, and dashboards.

Search Center (Enterprise or Basic) site | Enterprise search is a top-level site collection. With this template, you can provide search elements based on Enterprise search.

Publishing site | Use this site to create enterprise intranets or communication portals. Contributors can work on draft versions of pages and publish them to make them visible to readers. Use this site with workflow to publish web pages on a schedule by using approval workflows.

Enterprise Wiki | This is a publishing site for sharing and updating large volumes of information across an enterprise.

Visio Repository site | A Visio Process Repository in SharePoint is a document library that provides check-in and check-out functionality and supports versioning for Visio diagrams.

There are three categories of templates to choose from in the Office 365 admin center: Collaboration,
Enterprise, and Publishing, or you can pick the Custom template, which enables you to select a
template at a later time.

Planning site collections


Having a hierarchy of top-level sites and subsites means that you can maintain different control levels
over the features and settings for each site. This enables you to have a primary site for an entire
organization or team, and individual and shared sites for subteams, divisions, or other projects. You can
also create separate site collections for external websites.

The way you organize your site collections depends mainly on the organization's size and the needs of
the business. If you know certain key factors, such as what a site collection will be used for, who will
require access to it, and who will manage it, it becomes easier for you to make key planning decisions
about which site templates to use, how many sites and site collections you need to create, and how much
storage you need.

You should ask yourself the following questions when planning your site collections:

• What site templates should you use? You can create a site collection from a site template. These
templates already contain items such as document libraries, lists, pages, and several other common
site components that provide various features for your organization. Any sites that you create from a
template will inherit the template's properties. It is common to use several different site templates
when building your site collection. You can also choose to create a custom site.

• How many site collections are required? This number typically depends on your organization's
storage limits and its business needs. Some types of sites, such as the Enterprise Search Center and
the My Site host, exist as standalone site collections and may be automatically created for you when
you sign up for Office 365. You will likely need to create further site collections to fulfill the specific
requirements of your organization.

• How much storage is required for each site collection? When you purchase the SharePoint Online
service as part of your Office 365 plan, you are allocated a storage pool based on the number of user
licenses and the type of Office 365 plan you purchase. You can let SharePoint Online manage storage
automatically or allocate the storage yourself. When assigning storage to your site collections, you
can see the total amount of storage allocated to your organization and how much of that remains to
allocate to other site collections. You can modify these storage levels later and increase or decrease
them as needed within your storage allocation limit.

• Is multilanguage support required? The Multilingual User Interface (MUI) feature allows your users to
display sites and web pages in other languages. This feature is not a translation tool; rather, it
modifies the display language for specific default interface components. MUI modifies the user
interface on a per-user basis and does not affect how other users view the site or page. The MUI
feature only modifies the viewable on-screen components; it does not modify content, such as
documents held within the site. The MUI feature is enabled in SharePoint Online by default, but if you
want to use it on a site collection, then you or another site collection administrator also need to
enable it on that site collection.

• Do you need to grant access to external users? Some of your users may need to collaborate with
users external to the organization. In this case, you will need to consider sharing content with those
external users; this requires thought and planning.

• Who will manage your site collections? The following roles can administer the SharePoint Online
service:

o Global administrator. This is the main administrative role for the Office 365 admin center and can
perform all administrative tasks, including managing service licenses, users and groups, domains,
and subscribed services, and defining site collection administrators.

o SharePoint Online administrator. This role is a customized administrator role. This is the
administrator whose primary role is to administer SharePoint Online using the SharePoint admin
center. This role can create and manage site collections, define site collection administrators,
define tenant settings, and configure most other administrative elements, such as Business
Connectivity Services, Secure Store, InfoPath Forms Services, Records Management, Search, and
User Profiles.

Note: Office 365 global administrators are also automatically SharePoint Online
administrators.

o Site collection administrator. This role is granted the administrative permissions to manage a site
collection. Although a site collection can have several administrators, there can be only one
primary site collection administrator. When creating a new site collection, the SharePoint Online
administrator defines the primary site collection administrator. The SharePoint Online
administrator can add further people to the list of site collection administrators after the site
collection is created. Site collection administrators can add or delete sites, specify a secondary site
collection administrator, and modify site settings for any site in the site collection.

• What SharePoint Online limits exist? There are boundaries and limits within SharePoint Online. To plan
a site collection design properly, you need to know which limits are present and how they will affect
your site collection planning. For example, a site collection structure that is too deep may exceed the
character-length limit of the website address.

• How to plan for governance? Governance is the set of policies, roles, responsibilities, and processes
that control how the people in your organization cooperate to achieve business goals. As soon as you
start planning your site collection structure, you should also develop a plan to govern it. Examples
include:

o How to manage the intellectual property your employees create?

o Are all regulatory requirements met?

o What do the security goals of your company look like?

• How to plan for the SharePoint Online site collection lifecycle? The site collection lifecycle defines
how provisioning and deprovisioning of a site collection works. SharePoint Online is a software as a
service (SaaS) offering, and proper provisioning and deprovisioning planning can influence the costs
of your Office 365 environment. Proper planning includes deciding how long a site collection should
be archived before it can be deleted.

Best Practice: A recommended best practice is to define more than one site collection
administrator, where the additional administrators act as backups to the primary site collection
administrator.

Creating site collections


As the SharePoint Online administrator for your Office 365 environment, you will be responsible for
creating and deleting site collections. You can create multiple private site collections for internal use by
your organization's users.

Creating site collections


SharePoint Online administrators can create private organization-wide site collections and assign primary
site collection administrators to each site collection by using the SharePoint admin center.

To create a site collection:

1. Sign in to Office 365 as a global administrator or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.

3. On the left side, click Site collections.

4. On the ribbon, click New, and then click Private Site Collection.

5. In the new site collection dialog box, specify the following:

o A title for the site collection.

o A website address and URL path for the site collection. You can choose either /sites or /teams as
part of the path and then supply a further path extension to be the path to the site in the empty
text box.

o A language for the site collection.

Note: You must ensure you select the correct language for your site collection here,
because it cannot be changed afterwards.

o A template that matches the purpose of the site collection. For example, if your site collection is
used for a specific project, you choose the project site from the list, and for a team site, you
choose the team site template.

o An appropriate time zone.

o A site collection administrator. You can use either the Check Names or Browse buttons to help
find a users name.

o Optionally, a storage quota. If you have chosen to allocate storage yourself, you need to set a
storage quota for this site collection. This must not exceed the total storage available, which is
displayed next to the box.

o A server resource quota to allocate to this site collection.

6. Click OK.

The site collection is then created and eventually appears in the URL list. You will know the site is created
when the URL for the site collection is highlighted in blue as a hyperlink. At this point, the assigned site
collection administrator can begin creating and managing sites in the site collection.

Deleting site collections


There may be situations where you will be required to delete a site collection. This might occur for any
number of reasons, including:

• You have a team site collection and that team has been disbanded.

• Teams have been reorganized.

• You commonly use project-based sites, and the projects are short term and not required after the
project is complete.

When you delete a site collection, it stays in the Recycle Bin for 30 days before it is permanently deleted;
this gives you a 30-day window of opportunity to restore the entire site collection if it was deleted in error
or your situation has changed and you want to retain it.

Note: When you delete a site collection, you also delete all the sites, site components, and
content in the site hierarchy, including documents and document libraries, lists and list items,
events, site configuration settings, and security information for all sites and their subsites.

As other people will likely be affected by the removal of the site collection, ensure that all interested
parties, such as site owners and site contributors, are aware of the impending deletion and are given
time to move their content or data to another place if necessary.

To delete a site collection:

1. Sign in to Office 365 as a global administrator or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.

3. On the left side, click Site collections.

4. Select the check box for the site collection(s) you want to delete.

5. On the ribbon, click Delete.

6. On the delete site collections page, read the warning, and then click Delete.

Restoring deleted site collections


If you have deleted a site collection in error, you can see it listed in the Recycle Bin and restore it from
there. The list in the Recycle Bin also shows you how many days are left before the site collection is
permanently deleted.

To restore a deleted site collection:

1. Sign in to Office 365 as a global administrator or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.
3. In the leftmost side, click Site collections.

4. On the ribbon, click Recycle Bin.

5. Select the check box for the site collection(s) you want to restore.
6. On the ribbon, click Restore Deleted Items.

7. On the restore site collections page, click Restore.

The site collection will take some time to restore, and after restoration is complete, the site collection is
listed under Site Collections again.

Configuring site collections


There are several site collection elements and properties you can configure as a SharePoint Online administrator, including site collection properties, owners, sharing, and resource quotas.

Viewing site collection properties


To view site collection properties, select the site collection, and then click Properties. The site collection properties page displays the following information:

Title

Website address

Primary administrator and other administrators

Number of subsites

Storage usage, quota, and warning level

Resource usage, quota, and warning level



Adding or removing site collection administrators


You can modify the current primary site collection administrator and add or remove other site collection
administrators.

To change the primary site collection administrator:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. In the leftmost side, click Site collections.

3. Select the check box next to the appropriate site collection.

4. On the ribbon, in the Manage section, click Owners, and then click Manage Administrators.

5. In the manage administrators dialog box, under Primary Site Collection Administrator, change
the user name for the primary site collection administrator.

6. Click the Check Names button to verify that the user name is valid.

7. Click OK.

To add or remove site collection administrators:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
2. In the leftmost side, click Site collections.

3. Select the check box next to the appropriate site collection.

4. On the ribbon, in the Manage section, click Owners, and then click Manage Administrators.
5. In the manage administrators dialog box, under Site Collection Administrators, add people to, or
remove them from, the list.

6. Click the Check Names button to verify that the user names are valid.
7. Click OK.

Sharing site collections


The Sharing option on the ribbon enables you to share your site collections with users outside your
organization. You can do this either through invitations or anonymous guest links, depending on the
tenant configuration.

Managing the server resource quota for a site collection


The server resource quota is a value generated by SharePoint Online for each site collection. Custom code running in sandboxed solutions can adversely affect the performance of other site collections by depleting available server resources; server resource quotas help reduce this risk.

As a SharePoint Online administrator, you can specify a server resource usage quota for each site collection, and SharePoint Online monitors usage to ensure that it does not exceed the specified level. SharePoint Online also sends an alert email to the site collection administrator when the server resource quota is near its limit, based on a warning level that you set. The monitoring that SharePoint Online carries out is based on performance data collected for key resources such as processor and memory usage. If a site collection reaches its server resource quota limit, SharePoint Online turns off the sandbox for the site collection so that custom code can no longer run.

To change the server resource quota for a site collection:

1. Sign in to Office 365 as a global or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.

3. In the leftmost side, click Site collections.



4. Select the check box for the site collection for which you want to specify a server resource quota.

5. In the ribbon, in the Manage section, click Server Resource Quota.

6. In the set server resource quota dialog box, enter a maximum number of resources to allocate to
the selected site collection out of the available displayed total. The default number of resources is
300.

7. Ensure the Send e-mail when each selected site collection resource usage reaches warning level
at check box is selected. This will send an email alert notification when you are getting close to the
server resource quota limit.

8. Enter a percentage value to set the warning level for the alert email to be triggered. The default is 85
percent.

9. Save your settings.

Upgrading site collections from a previous version


In the SharePoint admin center, under site collections, there is an option on the Manage section of the
ribbon to upgrade the links and settings for your site collections. This setting enables you to:

Specify site collection upgrade settings.

Send an email notification about site collection upgrades to the site collection administrator.

Managing site collections by using Windows PowerShell


You can use the SharePoint Online Management Shell to simplify the management of your site collections in SharePoint Online. This can be especially useful if you are creating and configuring a lot of site collections and want to speed up the process rather than manually creating and configuring them in the SharePoint admin center.

The SharePoint Online Management Shell is a Windows PowerShell module. You can use it to manage SharePoint Online users, sites, site collections, and organizations from the command line, instead of using the SharePoint admin center user interface. Windows PowerShell enables you to perform these command-line operations by using a custom command called a cmdlet. A cmdlet, pronounced command-let, is constructed as a verb-noun pair, such as Get-Command. The two parts of a cmdlet are separated by a hyphen (-) without spaces. The verb part refers to the action that the cmdlet takes. The noun part refers to the object on which the cmdlet takes action. Cmdlets are especially efficient for batch operations such as controlling an external share in SharePoint Online.

Additional Reading: For more information, refer to: Introduction to the SharePoint Online
Management Shell at: http://aka.ms/Yj9ioq

As with other Microsoft services, you run Windows PowerShell command-line operations by using
cmdlets. You can view a full list of all the available cmdlets by running the Get-Command cmdlet and
access help on how to use each cmdlet by using the Get-Help cmdlet.

Before you can run cmdlets, you have to set up the SharePoint Online Management Shell environment
and connect to the service.

Setting up the SharePoint Online Management Shell


SharePoint Online global administrators use the SharePoint Online Management Shell to manage site
collections remotely.

To set up the SharePoint Online Management Shell:

1. Ensure that you have installed Windows PowerShell 3.0 from Windows Management Framework 3.0.

2. Install the SharePoint Online Management Shell from the Microsoft Download Center at:
http://aka.ms/f04q5o.

3. Open the SharePoint Online Management Shell.

Connecting to the SharePoint Online service


Having set up the SharePoint Online Management Shell, you need to connect to the SharePoint Online
service before you can use Windows PowerShell to manage your site collections.

To connect to the SharePoint Online service:

1. Open Windows PowerShell and load the SharePoint Online module by typing the following
command, and then pressing Enter:

Import-Module Microsoft.Online.SharePoint.PowerShell

2. At the prompt, type the following command, and then press Enter:

Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential admin@contoso.com

Using Windows PowerShell to manage site collections


There are several useful cmdlets in the SharePoint Online Management Shell that can create and
configure site collections.

You can use the Get-SPOSite cmdlet to view all site collections or view specific properties of site
collections.

To view a list of all your current site collections, at the prompt, type the following command, and then
press Enter:

Get-SPOSite

To view the details of a specific site collection, at the prompt, type the following command, and then
press Enter:

Get-SPOSite -Identity urlofsitecollection

When you create a site collection, you can specify a site collection template to use. You can use the Get-SPOWebTemplate cmdlet to view all the available site collection templates or all those that match the given identity.

To view a list of all site collection templates:

Get-SPOWebTemplate

You can use the New-SPOSite cmdlet to create new site collections in SharePoint Online. This cmdlet has
several parameters that you can use with it to specify configuration settings such as site collection owner,
storage and resource quota, name, and template.

To create a new site collection, at the prompt, type the following command, and then press Enter:

New-SPOSite -Url urlofnewsitecollection -Owner upnofsitecollectionowner -StorageQuota number -Title nameofsitecollection

Example:

New-SPOSite -Url https://tenantname.sharepoint.com/sites/sales -Owner user@contoso.com -StorageQuota 400 -Title "Sales Site"

You can use the Set-SPOSite cmdlet to configure or update settings on existing site collections in
SharePoint Online. As with the New-SPOSite cmdlet, this cmdlet has several parameters that you can use
with it to specify configuration settings such as site collection owner, storage and resource quota, and
name.

To delete an existing site collection (it is moved to the Recycle Bin, where it remains for 30 days), at the prompt, type the following command, and then press Enter. The -NoWait parameter returns control to the prompt without waiting for the operation to complete:

Remove-SPOSite -Identity https://contoso.sharepoint.com/sites/sales -NoWait

To restore a deleted site collection, at the prompt, type the following command, and then press Enter:

Restore-SPODeletedSite -Identity https://contoso.sharepoint.com/sites/arecycledsite
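The following script, an added example that is not part of the course text, ties the cmdlets above together in the SharePoint Online Management Shell: it creates a site collection, applies the Set-SPOSite storage and server resource quotas described earlier, adds a second site collection administrator, and reports site collections that have reached their storage warning level. It assumes an existing Connect-SPOService session; the tenant name, URLs, owner accounts and quota values are placeholders.

```powershell
# Added example (not from the course text). Assumes you have already run
# Connect-SPOService against https://tenantname-admin.sharepoint.com.
# All URLs, accounts and quota values below are placeholders.

$siteUrl  = "https://tenantname.sharepoint.com/sites/sales"
$owner    = "user@contoso.com"
$template = "STS#0"   # Team Site; list the available templates with Get-SPOWebTemplate

# Create the site collection with an initial storage quota (in MB).
New-SPOSite -Url $siteUrl -Owner $owner -Title "Sales Site" `
            -Template $template -StorageQuota 400

# Set-SPOSite: raise the storage quota to 1000 MB with a warning at 850 MB (85 %),
# and keep the default server resource quota of 300 points, warning at 255 (85 %).
Set-SPOSite -Identity $siteUrl -StorageQuota 1000 -StorageQuotaWarningLevel 850 `
            -ResourceQuota 300 -ResourceQuotaWarningLevel 255

# Add a second site collection administrator without replacing the primary owner.
Set-SPOUser -Site $siteUrl -LoginName "admin2@contoso.com" -IsSiteCollectionAdmin $true

# Report every site collection whose storage usage is at or above its warning level,
# the same condition that triggers the alert email.
Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.StorageQuotaWarningLevel -gt 0 -and
                   $_.StorageUsageCurrent -ge $_.StorageQuotaWarningLevel } |
    Select-Object Url, Owner, StorageUsageCurrent, StorageQuota, StorageQuotaWarningLevel |
    Format-Table -AutoSize

# Show what is still restorable from the Recycle Bin and how many days remain,
# then restore a site collection that was deleted in error.
Get-SPODeletedSite | Select-Object Url, DaysRemaining
Restore-SPODeletedSite -Identity "https://tenantname.sharepoint.com/sites/arecycledsite"
```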

Additional Reading: For more information, refer to: Use Windows PowerShell cmdlets to
administer site collections in SharePoint Online at: http://aka.ms/rbb2c1

Common errors and best practices


When managing site collections in SharePoint Online, there are some common errors that you should avoid, and some best practices you should follow.

These common errors include:

Granting too many permissions or not granting enough permissions.

Breaking permissions in between site collections.

Setting quotas too high or too low.

Poor planning of site collections, domain names, and URLs.

Too much customization.

Planning for a hybrid when there is no need to.



To ensure that you manage SharePoint Online site collections correctly, we recommend the following best
practices:

Follow the "keep it simple, stupid" (KISS) principle.

Centralize your management of SharePoint Online.

Maintain your site to keep it up-to-date.


Plan your permission structure carefully.

Consistently retain the look and feel of the SharePoint Online interface.

Keep thorough and up-to-date documentation of site configuration.

Check Your Knowledge


Question

Which of the following sites do you find in the Enterprise section of the site
collection templates in the SharePoint admin center? (Select all that apply).

Select the correct answer.

Document Center site

Community site

Enterprise Wiki

Search Center site

Records Center site

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

If you delete a site collection, you can restore it from the Recycle Bin for 30
days.

Check Your Knowledge


Question

Which of the following actions do you need to perform during the creation of a site
collection? (Select all that apply.)

Select the correct answer.

Define an administrator

Define the sharing settings

Define a second administrator

Set the language

Set the storage quota



Lesson 3
Planning and configuring external user sharing
External user sharing in SharePoint Online is an Office 365 feature for administrators, power users, and even for end users. External user sharing allows users to work together across organizational boundaries by providing a simple way to give external users secure access to your site collections. This lesson describes the concept of external user sharing and how to plan for it.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the methods for sharing site content with external users.

Describe the considerations for external user sharing.

Configure external user sharing.

Describe the options for sharing documents and auditing shared access.
Remove external user sharing.

Describe the common errors and best practices when configuring external user sharing.

Manage external user sharing by using Windows PowerShell.

Overview of external user sharing


Most organizations have many business cases that require the sharing of documents between users, both within and outside of the company. Instead of sending documents as email attachments, SharePoint Online provides several features that help users collaborate far more effectively, even with partners outside of your own organization.

These users are referred to as external users and could include any person to whom you want to give permission to access your site, but who does not have a license for your organization's Office 365 tenancy. External users would typically be non-employees such as contractors, onsite agents, vendors, partners, or your affiliates. Although you might invite external users to contribute as members of a long-term project and allow them to perform a range of tasks on a project site, they typically will not have the same capabilities and rights as full-time, licensed users in your organization.

Planning for sharing content with these external users is an important part of your overall permission
strategy for SharePoint Online in Office 365. There are three methods for sharing site content with
external users:

You can share your entire site with external users by inviting them to sign in with either a Microsoft
account (MSA) or an Organizational account (Office 365 user ID).

You can share individual documents with external users by inviting them to sign in to your site with
either a Microsoft account (MSA) or an Organizational account (Office 365 user ID).

You can share individual documents with external users by sending them an anonymous guest link to
view or edit the document.

Note: External users who access the shared site or documents can obtain more permissions
than an anonymous guest who gets access to one specific document through a hyperlink sent by
email. This is because Microsoft can authenticate external users with either a Microsoft account
(MSA) or an Organizational account (Office 365 user ID), and can ensure the permission level for
these users. This is not the case when a link is sent to any other unknown email address. In that
case, every person who gets the link can access the shared document.

Considerations for external user sharing


Because your SharePoint Online sites are likely to contain both confidential information and information that you want to share with external users, it is important to plan how and what content is shared.

Consider the following questions when planning your sharing strategy, including how to share your site content with external users:

Who needs access to content on your site and any subsites?

Do they need access to an entire site or just a subsite?

Do they only need access to a few specific documents?

Do they only need to view the shared content, or do they also need to make changes to it?

Which users in your organization need to be able to share content with external users?

Which content on your site should never be shared with users external to your organization?

Is a governance policy in place?

You can organize a SharePoint Online site so that content shared with external users is clearly
differentiated from content intended to stay within the organization. This can be as easy as creating a
document library or a subsite named internal and another subsite named external, or it can be much
more complex. It is important that you plan for the site structure before using external user sharing.

External user restrictions


An external user is someone outside of your organization who can access your SharePoint Online sites and
documents but does not have a license for your SharePoint Online or Microsoft Office 365 subscription.
External users do have some restrictions. After you enable external user sharing, those external users can
perform several tasks and will inherit some rights and capabilities, but there are also some tasks they
cannot perform and they will not receive certain rights and capabilities.

External users can:


Use Microsoft Office Online for viewing and editing documents. If your plan includes Office 365
ProPlus, they will not have the licenses to install the desktop version of Office 365 on their own
computers.

Perform tasks on a site consistent with the permission level assigned. For example, if you add an
external user to the Members group, they will have Edit permissions and they will be able to add, edit,
and delete lists; they will also be able to view, add, update, and delete list items and documents.

See other types of content on sites. For example, they can navigate to different subsites within the site
collection to which they were invited. They will also be able to perform other actions such as viewing
site feeds.

External users cannot:

Create their own personal sites, edit their profile, change their photo, or see aggregated tasks.
External users do not get their own OneDrive for Business document library.

Be an administrator for a site collection (except in scenarios where you have hired a partner to help
manage Office 365). You can designate an external user as a designer for your public website.

See the company-wide newsfeed.

Add storage to the overall tenant storage pool.

Access the Search Center or execute searches. Other search features that may not be available include
advanced content processing, continuous crawls, and refiners.

Access site mailboxes.

Access Microsoft Power BI app for Windows features such as Power View, Power Pivot, Quick Explore,
or Timeline Slicer. These features require an additional license, which is not inherited by external
users.

Use eDiscovery. This requires an Exchange Online license.

Open downloaded documents protected with IRM.

Additional Reading: For more information, refer to: Manage external sharing for your
SharePoint Online environment at: http://aka.ms/adaoao

Configuring external user sharing


You can enable or disable external user sharing at two levels within the SharePoint admin center:

At the global level for your entire SharePoint Online tenant. If you enable external sharing, you can also configure whether to allow sharing only with authenticated users, or to allow sharing with both authenticated users and anonymous users through guest links.

At the individual site collection level. This enables you to secure content on specific site collections when you do not want all your content shared. You can also configure whether to allow sharing only with authenticated users, or with both authenticated users and anonymous users, on a site collection.

Note: By default, external user sharing is enabled for the entire tenant and all the site
collections it already contains. It is common practice to disable it globally first and then start
planning how and where to use it.

Note: When you create a new private site collection, the default setting for this site is set to
Don't allow sharing outside your organization. You explicitly turn it on if you want to use
external user sharing in the new site.

The SharePoint Online administrator must enable sharing with external users. To configure external
sharing for a site collection:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. On the leftmost side, click Site collections.

3. Select the check box for the site collection for which you want to configure external sharing.
4. In the Manage section of the ribbon, click Sharing. (Alternatively, you can open the URL for your
tenant at https://tenantname-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx)

5. Click one of the following:

o Don't allow sharing outside your organization. This will prevent users from sharing sites or
content with any external users.

o Allow sharing only with the external users that already exist in your organization's
directory.

o Allow external users who accept sharing invitations and sign in as authenticated users. This
requires that any external user who has received an invitation to access shared content must
sign in with a Microsoft account (MSA) or with an organizational account (Office 365 ID) before
they are allowed to access the content.

o Allow sharing with all external users, and by using anonymous access links. This allows
external users who have received an invitation and signed in with a Microsoft account (MSA) or
with an organizational account (Office 365 ID) to access shared content, but it also allows users to
share documents directly with external users through anonymous guest links.
6. Click Save.

Note: Be aware that anonymous guest links could potentially be shared with, or forwarded
to, other people; this means that content could be viewed by people other than your intended
target.

Additional Reading: For more information on configuring external user sharing for a
tenant or site collection, refer to: Manage external sharing for your SharePoint Online
environment at: http://aka.ms/adaoao
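The tenant-first approach recommended in the notes above, applied with the SharePoint Online Management Shell rather than the admin center, as an added example that is not part of the course text. It assumes an existing Connect-SPOService session; the partner site URL is a placeholder. The Set-SPOTenant and Set-SPOSite -SharingCapability values correspond to the four admin center options listed in step 5.

```powershell
# Added example (not from the course text). Assumes you are connected with
# Connect-SPOService; the partner site URL is a placeholder.

# 1. Tenant level: turn external sharing off first, as the note recommends.
#    Existing anonymous guest links stop working immediately.
Set-SPOTenant -SharingCapability Disabled

# 2. Once the sharing plan exists, raise the tenant ceiling only as far as the
#    plan needs: invitations that require sign-in, no anonymous guest links.
#    A site collection can never be more permissive than the tenant setting.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 3. Default-deny at the site collection level: close every site collection
#    that is still open, then enable sharing only on the dedicated partner site.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    ForEach-Object {
        $url = $_.Url
        try   { Set-SPOSite -Identity $url -SharingCapability Disabled }
        catch { Write-Warning "Could not update $url ($_)" }   # some system sites reject this
    }

Set-SPOSite -Identity "https://tenantname.sharepoint.com/sites/partners" `
            -SharingCapability ExternalUserSharingOnly

# SharingCapability values and the admin center options they correspond to:
#   Disabled                         Don't allow sharing outside your organization
#   ExistingExternalUserSharingOnly  Allow sharing only with external users already in the directory
#   ExternalUserSharingOnly          Allow external users who accept invitations and sign in
#   ExternalUserAndGuestSharing      Allow sharing with all external users and anonymous links

# 4. Audit: the per-site view that the Sharing button shows, as one table.
#    Any site listed as ExternalUserAndGuestSharing can issue anonymous guest links.
Get-SPOSite -Limit All |
    Select-Object Url, Owner, SharingCapability |
    Sort-Object SharingCapability -Descending |
    Format-Table -AutoSize
```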

Sharing documents and auditing shared access


You can view the current external user sharing settings for multiple site collections by selecting those site collections on the site collections page, and then clicking Sharing. This will display all the current settings. Each site collection will display one of the following three sharing settings:

Not allowed

Share invitations

Share links and invitations

Sharing content with authenticated external users


After external user sharing is enabled for the tenant or a site collection, depending on the sharing setting,
you can then share either an entire site or individual documents.

To share an entire site with an external user, you need to send them an invitation to the site, which they
will use to sign in to your site and access the content. The invitation is sent to external users through an
email message with a link to the site and an optional message you may have provided in the invitation.
When the external user receives the email invitation, they click the link and sign in with either a Microsoft
account (MSA) or an Organizational account (Office 365 user ID) to access the site and its content.

Note: You can redeem invitations to view content only once. After an external user accepts
an invitation, the invitation cannot be shared or used by others to gain access.

When you send the invitation, you have the option of deciding what kind of permission that external user
will receive when they access your site. The available permission options are:

Full Control. To provide full control of the site, select the Sitename Owners [Full Control] option.

Edit. To allow external users to edit the site's contents, select the Sitename Members [Edit] option.

Read. To allow only read-only access, select the Sitename Visitors [Read] option.

It is a best practice to create a site dedicated to sharing nonsensitive content with external users and to set unique access permissions for that site only.

Note: When granting external users access to your site content, you should always apply
the principle of least privilege, so that those external users only receive the minimum permission
required to perform their tasks, and not more permissions. You should only grant Full Control in
extremely rare cases.

To share a site with an external user for read-only access:

1. Navigate to the site you want to share with an external user.

2. Click SHARE.
3. In the Share sitename dialog box, enter the email address of the external user you want to invite to
share your document. (If you want to share with an internal user, enter their name instead.)

4. Enter a message to include in your invitation.



5. Click SHOW OPTIONS.

6. Under Select a group or permission level, in the drop-down list, click Sitename Visitors [Read].

7. Click Share.

8. When the external user receives the emailed invitation, they will see your message, click the Go To
sitename link, and then sign in with either a Microsoft account (MSA) or an Organizational account
(Office 365 user ID).

Note: By default, invitations expire after 7 days, so if the external user has not accepted the
invitation within that time, you need to send a new invitation.

Sharing individual documents by using invitations or anonymous guest links


To share an individual document with an external user, you can either send an invitation in the same way
as you do for a site, but only for the individual document, or you can send an anonymous guest link to
the document, if this setting is enabled for your tenant and the site collection.

Anonymous guest links only enable external users to open the document in the relevant Office Web Apps,
such as Word Online, Excel Online, PowerPoint Online, or OneNote Online, and they cannot open it in the
full desktop version of the application.

To share a document that requires the external user to sign in:


1. Navigate to the site containing the document you want to share with an external user.

2. Click the ellipsis (...) next to the document to open its callout window and click SHARE.

3. In the leftmost pane, ensure that Invite people is selected.


4. Enter the email address of the person with whom you want to share the document.

5. In the drop-down list, click either Can edit or Can view.

6. Optionally, enter a message to include in your invitation.

7. Select the Require sign-in check box.

8. Click Share.

To share a document using an anonymous guest link:


1. Navigate to the site that contains the document you want to share with an external user.

2. Click the ellipsis (...) next to the document to open its callout window and then click SHARE.

3. In the leftmost pane, click Get a link.

4. Select one of the following:

o Under View Only, click CREATE LINK to grant read-only permission to the document.

o Under Edit, click CREATE LINK to grant edit permission to the document.
5. After the anonymous guest link URL is created, copy it to a location where it can be easily retrieved,
such as Notepad.

6. Close the dialog box.

7. You can then copy the anonymous guest link URL and paste into a location of your choice, such as an
email message, a chat window, or a social media page.

Note: If you later disable external user sharing at the tenant level, any anonymous guest
links will stop working; when you enable it again, those anonymous guest links will start working
again.

Note: You cannot share files in a library that has been IRM-protected with external users.

Auditing shared access to sites and documents


You can also quickly see users with whom a site or document has been shared, which is useful for auditing
and reporting purposes.

To see a list of users with whom a site has been shared:

1. On the site home page, in the upper right side of the page, click SHARE.

2. Note the list of users after the words Shared with.

To see a list of users with whom a specific document has been shared:
1. Select the document in the library.

2. On the Files tab, in the Manage section of the ribbon, click Shared With. The Shared With dialog
box lists all the users with whom this document has been shared.

3. Click Close.

Auditing in the Office 365 Security & Compliance Center


In the Office 365 Security & Compliance Center, you can view the Office 365 activity reports to know
about user and admin activity within your company. The reports give information about SharePoint
Online Extranet invitation status, users who have sent invitations, and users who have accepted them.

To view a report that shows who has sent invitations:

1. In the Office 365 admin center, open the app launcher.

2. Click Security & Compliance.

3. Click Search & investigation.

4. Click Audit log search.

5. In the Activities area, click Created sharing invitations.

Remove external user sharing


There are several ways of stopping external user sharing, which include removing user permissions from an external user by taking them out of a group, revoking invitations, disabling anonymous guest links, and disabling external user sharing for the tenant or site collection.

Removing external user permissions


If an external user has already accepted an invitation, you can still stop their access to a site by removing
their permissions. To remove an external user's permissions:

1. On the site's home page, click the Settings icon (the wheel icon).

2. Click Site settings.

3. Under Users and Permissions, click People and groups.

4. On the leftmost side, under Groups, select the group from which you want to remove the users, for
example, Sitename Members.

5. Select the user or users you want to remove, click Actions, and then click Remove Users from
Group.

6. Click OK.
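Removing a user from one site group, as above, leaves their external account in the tenant directory and any other site collections they were invited to untouched. As an added example that is not part of the course text, the following script enumerates the external users of a site collection with who invited them and when, and then removes a departed contractor from the tenant with Remove-SPOExternalUser, which revokes the access granted by every accepted invitation. It assumes an existing Connect-SPOService session; the site URL and e-mail address are placeholders.

```powershell
# Added example (not from the course text). Assumes a Connect-SPOService
# session; the site URL and the e-mail address are placeholders.

$siteUrl = "https://tenantname.sharepoint.com/sites/partners"

# Get-SPOExternalUser returns at most 50 users per call, so page through the
# results with -Position (zero-based offset) until a short page comes back.
$external = @()
$position = 0
do {
    $page = @(Get-SPOExternalUser -SiteUrl $siteUrl -Position $position -PageSize 50)
    $external += $page
    $position += $page.Count
} while ($page.Count -eq 50)

# Audit view across the whole site collection: who accepted, as which account
# type (Microsoft or organizational account), invited by whom, and when.
$external |
    Select-Object Email, AcceptedAs, InvitedBy, WhenCreated |
    Sort-Object WhenCreated |
    Format-Table -AutoSize

# Remove a specific external user from the tenant directory. Unlike removing
# them from a site group, this revokes the access from their accepted
# invitations everywhere; they would need a new invitation to get back in.
$leaver = $external | Where-Object { $_.Email -eq "contractor@example.com" }
if ($leaver) {
    Remove-SPOExternalUser -UniqueIDs @($leaver.UniqueId) -Confirm:$false
} else {
    Write-Warning "No external user with that e-mail address was found on $siteUrl"
}
```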

Revoking invitations
You can withdraw invitations you have sent to external users if you need to, but only if the external users
have not yet accepted the invitations. To revoke an invitation:

1. On the site's home page, click the Settings icon (the wheel icon).

2. Click Site settings.

3. Under Users and Permissions, click Access requests and invitations.

4. Under EXTERNAL USER INVITATIONS, click the ellipsis button (...) for the person or persons whose
invitation you would like to revoke.

5. Click WITHDRAW.

Disabling anonymous guest links


You can revoke access to a document you have shared individually by disabling the guest link on the
document. To disable an anonymous guest link:

1. Navigate to the library that contains the document for which you want to disable the anonymous
guest link.

2. Click the ellipsis button (...) for the document, and click a guest link.

3. In the dialog box, click DISABLE.

4. In the dialog box, click Disable Link.

5. Close the dialog box.

Turning off external user sharing


The other option you have is to disable external user sharing at the tenant or site collection level.
Disabling sharing at the tenant level means you cannot share any content at all with any external users in
any site collections. Disabling sharing at the site collection level means that external user sharing is only
disabled for that specific site collection.

To disable external user sharing for a tenant:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. On the leftmost side, click sharing.

3. Under sharing outside your organization, click Don't allow sharing outside your organization.

4. Click OK.

To disable external user sharing for a site collection:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. On the leftmost side, click Site collections.

3. Select the check box for the site collection for which you want to disable external user sharing.

4. In the Site Collections section of the ribbon, click Sharing.

5. Click Don't allow sharing outside your organization.

6. Click Save.

After about a minute, sharing is turned off for the selected site.
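The two procedures above set the same switch that the SharePoint Online Management Shell exposes as the SharingCapability property. The following script is an added example and is not part of the course manual; it uses the Connect-SPOService, Get-SPOTenant, Get-SPOSite, Set-SPOTenant and Set-SPOSite cmdlets (real cmdlets that the manual does not cover here), and "contoso" and the ExternalProject site URL are placeholders. The value Disabled corresponds to "Don't allow sharing outside your organization". Note that these cmdlets change the sharing setting only; as the manual states later, no cmdlet creates an external share.

```powershell
# Added example (not from the course manual): audit and disable external sharing at the
# tenant and site collection level with the SharePoint Online Management Shell.
# Assumes the module is installed and that "contoso" is a placeholder for your tenant name.

# Connect to the tenant admin endpoint (prompts for global administrator credentials)
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

function Get-ExternalSharingReport {
    # Returns one record per site collection whose sharing setting is not Disabled,
    # so you can see where external sharing is still allowed before you change anything.
    [CmdletBinding()]
    param()

    $tenant = Get-SPOTenant
    Write-Verbose ("Tenant-level SharingCapability: {0}" -f $tenant.SharingCapability)

    Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -ne 'Disabled' } |
        Select-Object Url, SharingCapability, Owner
}

function Disable-ExternalSharing {
    # Disables external sharing for the whole tenant, or for a single site collection when
    # -SiteUrl is given. SupportsShouldProcess gives the function -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SiteUrl
    )

    if ($SiteUrl) {
        if ($PSCmdlet.ShouldProcess($SiteUrl, 'Set SharingCapability to Disabled')) {
            Set-SPOSite -Identity $SiteUrl -SharingCapability Disabled
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess('tenant', 'Set SharingCapability to Disabled')) {
            Set-SPOTenant -SharingCapability Disabled
        }
    }
}

# Usage:
# 1. Audit first: list the site collections that still allow external sharing.
Get-ExternalSharingReport -Verbose | Format-Table -AutoSize

# 2. Turn sharing off for one site collection; drop -WhatIf to apply the change.
Disable-ExternalSharing -SiteUrl "https://contoso.sharepoint.com/sites/ExternalProject" -WhatIf

# 3. Or turn it off for the entire tenant, which takes precedence over every site collection.
# Disable-ExternalSharing
```

The tenant setting is an upper bound: a site collection can be as restrictive as or more restrictive than the tenant, never more permissive, which is why the audit function lists the tenant value first and then the site collections that still differ from Disabled.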

Common errors and best practices


When configuring external user sharing in SharePoint Online, there are some common errors that you
should avoid, and some best practices you should follow.

These common errors include:

Sharing more content than is necessary, for example by sharing an entire site rather than one or two
documents.

Granting more shared access than is required, for example by giving an external user edit permission
when they only need to read the document.

Granting access through anonymous guest links temporarily, but later forgetting that you have granted
that access.

Lack of awareness of what external users can and cannot do in SharePoint Online.

Lack of documentation of SharePoint Online configuration in relation to external user sharing.

Invitation hijacking can happen: an external user can forward the generated invitation email to another
person, and whoever opens the invitation link gets access to the shared content.

To ensure that you configure external user sharing successfully in SharePoint Online, we recommend you
follow these best practices:

Plan what external users can see and access by segmenting your content by its data sensitivity.

Consider creating a site purely for the purposes of sharing content with external users.

Exercise security awareness by using the principle of least privilege.

Set appropriate permissions on the site collection so users cannot share info they should not be
sharing.

External users can forward anonymous guest links to other people, who can then also view or edit the
content without signing in. Avoid using anonymous guest links for sensitive content; instead, share a
document by using an invitation that requires sign-in.

Ensure you know the identity of any external users before you start sharing content with them.
Remember that these users can sign in to your site and start browsing and accessing content just like
other site members. Depending on the access permission you give them, this may mean that they can
share content with other external users.

If you share team site content, consider creating a subsite for the shared content, and then share that
subsite with external users so that you can assign unique permissions only to that subsite.

External users may not receive the invitation email because of mail delivery errors or spam filters. In such
cases, send a new invitation and tell the user to check their mailbox for the invitation email.

Every invitation is valid only for a specific timeframe, which usually is 7 days. After that time, you must
send a new invitation.

Split your site collections for internal and external users to ease management.

Note: Try external sharing with a demo user and check the result. Review your external user
sharing regularly to avoid unwanted permissions for external users. Unfortunately, it is not
possible to share documents programmatically through a SharePoint API or through Windows
PowerShell.

Best practices
To decide which sharing method is appropriate, consider the following key facts about each way of using
external sharing.

Share a site and require sign-in. Use this to provide someone outside your organization with ongoing
access to information and content on a site. They can work just like a full user of your site, and create,
edit, and view content.

Share a document and require sign-in. Use this to provide one or several people outside your
organization with secure access to a specific document for review or collaboration. These people do not
require ongoing access to other content on your internal site.

Share a document without requiring sign-in. Use this to share a link to a nonsensitive or nonconfidential
document with people outside your organization so that they can either view it or update it with
feedback. These people do not require ongoing access to content on your internal site.

Managing external user sharing by using Windows PowerShell


You also can use SharePoint Online Management Shell cmdlets to manage external sharing from
Windows PowerShell.

Although SharePoint Online provides management of external sharing in the web interface,
administrators find it helpful to get an overview of existing shares and to manage them programmatically
through Windows PowerShell.

Windows PowerShell Command Builder Tool


Windows PowerShell commands help administrators automate tasks rapidly. If you are new to cmdlets,
you can use the Windows PowerShell Command Builder Tool. There, you can choose from all available
cmdlets and their parameters, and the tool creates the corresponding Windows PowerShell command for
you. Help for the command is also available with one click.

Additional Reading: For more information, refer to: Windows PowerShell for SharePoint
Command Builder at: http://aka.ms/n3apxc
For more information, refer to: Index of Windows PowerShell for SharePoint Online cmdlets at:
http://aka.ms/bccasb

After you install the SharePoint Online Management Shell environment, the cmdlets are ready for you to
use.

Using the Windows PowerShell cmdlets to control external sharing


The SharePoint Online Management Shell environment provides access to the Office 365 tenant and the
SharePoint Online representational state transfer (REST) services. In addition to the functionality of
managing SharePoint Online sites, there are some cmdlets for working with external sharing.

To get a list of all external users in SharePoint Online for an Office 365 tenant:

1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.

2. To get a list of all external users, run the following command, and then press Enter:

Get-SPOExternalUser -Position 0 -PageSize 30 | Select DisplayName,EMail | Format-Table

The SharePoint Online API returns a list of users with their sign-in names and displays it in the
Windows PowerShell window.

3. Close the Windows PowerShell window.

Note: Save this command in a showexternalusers.ps1 file for further use. This script
allows you to get all the external users in a SharePoint Online tenant by using the standard
Get-SPOExternalUser SharePoint Online cmdlet and returns the users' DisplayName and email
in the Windows PowerShell output window.

Note: To download an improved version of this script from the TechNet gallery, refer to:
How to get all the external users in a SharePoint Online Tenant! at: http://aka.ms/ajxjrb

Removing a specific external user with Windows PowerShell


To remove an external user in SharePoint Online for an Office 365 tenant:

1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.

2. Retrieve the user by running the following command, and then press Enter:

Get-SPOExternalUser

3. Retrieve the specific user by running the following command, replacing the email address with that of
the external user you want to remove, and then pressing Enter:

$ExtUser = Get-SPOExternalUser -filter guest1@outlook.com

Now, you have the user object stored in $ExtUser.

4. Remove this user by running the following command, and then pressing Enter:

Remove-SPOExternalUser -UniqueIDs @($ExtUser.UniqueId)

5. The cmdlet asks for confirmation. Click Yes.

6. This command removes the user from the list of external users in SharePoint Online and displays a
message in the Windows PowerShell output that reads "Successfully removed the following
external users. 10038FFD909DBCA2", where 10038FFD909DBCA2 is the UniqueId of the removed
user object.

Note: The -filter string can match more than just one specific user. If you want to
remove, for example, all users with the outlook.com domain, you can use that domain as the filter
criterion.

Note: Anonymous users are invited with a guest link, and so they are not external users.
These shared links do not show with the Get-SPOExternalUser Windows PowerShell cmdlet.

Note: Currently there are no Windows PowerShell cmdlets for creating an external share.
You must do this directly in SharePoint Online. In addition, there is no SharePoint Online API
for programmatically accessing the external sharing features.
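The removal procedure above works one user at a time, and the Get-SPOExternalUser listing is capped by -PageSize. The following script is an added example, not the course's showexternalusers.ps1 and not the TechNet gallery script; it walks all pages of Get-SPOExternalUser, filters on the full email domain on the client side, reports the matches, and only calls Remove-SPOExternalUser when -Remove is given. It assumes Connect-SPOService has already been run against the tenant admin URL, and the function names Get-AllSPOExternalUsers and Remove-SPOExternalUsersByDomain are my own.

```powershell
# Added example (not from the course manual): inventory every external user in the tenant,
# working around the per-call page size, pick out those whose email belongs to a given
# domain, and remove them with Remove-SPOExternalUser.
# Assumes Connect-SPOService has already been run against the tenant admin URL.

function Get-AllSPOExternalUsers {
    # Get-SPOExternalUser returns at most -PageSize (maximum 50) users per call, starting at
    # the zero-based -Position, so walk the pages until a short (or empty) page comes back.
    [CmdletBinding()]
    param(
        [string]$Filter,          # passed straight through to the cmdlet's -Filter parameter
        [int]$PageSize = 50
    )

    $position = 0
    do {
        $params = @{ Position = $position; PageSize = $PageSize }
        if ($Filter) { $params['Filter'] = $Filter }
        $page = @(Get-SPOExternalUser @params)
        $page                                   # emit this page to the pipeline
        $position += $PageSize
    } while ($page.Count -eq $PageSize)
}

function Remove-SPOExternalUsersByDomain {
    # Reports the external users whose email address ends with @<Domain>. Nothing is removed
    # unless -Remove is given, and even then Remove-SPOExternalUser asks for confirmation.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [switch]$Remove
    )

    # Match on the full address client-side rather than relying on the cmdlet's -Filter, so
    # that "outlook.com" cannot also match a look-alike such as "outlook.com.example".
    $hits = @(Get-AllSPOExternalUsers | Where-Object { $_.Email -like "*@$Domain" })

    if ($hits.Count -eq 0) {
        Write-Verbose "No external users from $Domain"
        return
    }

    # Report first: who they are, how they accepted the invitation, and when it was created
    $hits | Select-Object DisplayName, Email, AcceptedAs, WhenCreated, UniqueId

    if ($Remove) {
        Remove-SPOExternalUser -UniqueIDs @($hits | ForEach-Object { $_.UniqueId })
    }
}

# Usage:
# Full inventory, like showexternalusers.ps1 above but without the page-size cap
Get-AllSPOExternalUsers | Select-Object DisplayName, Email | Format-Table

# Report everyone from outlook.com; add -Remove to delete them after the confirmation prompt
Remove-SPOExternalUsersByDomain -Domain "outlook.com" -Verbose
```

Keeping the report and the removal in one function, with removal off by default, mirrors the manual's advice to review external user sharing regularly: the same command you run to audit is the one you run, with -Remove, to act on what you found. Anonymous guest links are not covered, because, as the note above says, guest-link recipients are not external users and do not appear in Get-SPOExternalUser.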


Check Your Knowledge


Question

What is the correct definition for external users?

Select the correct answer.

Users with a non-Microsoft account

Users with a Microsoft account

Users inside your organization's Azure Active Directory

Users outside your organization's Azure Active Directory

Users in any Azure Active Directory

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

From a user perspective, you can share content in SharePoint Online for
internal users in the same way as for external users.

Check Your Knowledge


Question

Where can administrators enable external sharing for the Office 365 tenant? (Select
all that apply.)

Select the correct answer.

In the Office 365 admin center, use the setup menu

In the Office 365 admin center, use the external sharing menu

In the SharePoint admin center, use the site collections menu

In the SharePoint admin center, use the apps menu

In the SharePoint admin center, use the settings menu



Lab: Configuring SharePoint Online


Scenario
Now that the pilot group is getting comfortable with Exchange Online and Skype for Business Online, the
next step is to start using SharePoint Online. You need to start the SharePoint Online deployment by
configuring the service settings, creating and configuring site collections, and configuring external user
sharing.

Objectives
After completing this lab, you will be able to:

Configure SharePoint Online settings.

Create and configure SharePoint Online site collections.

Configure and verify external user sharing.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, and 20347A-LON-CL1

User names: Adatum\administrator for LON-DC1 and LON-DS1, and Adatum\Holly for LON-CL1

Password: Pa55w.rd

In all of the tasks:

Where you see references to Adatumyyxxxx.onmicrosoft.com, replace yyxxxx with your unique
Office 365 name that displays on the online lab portal.

Where you see references to Adatumyyxxxx.hostdomain.com, replace Adatumyyxxxx with your unique
hostdomain.com name that displays on the online lab portal.

This lab requires the following virtual machines (use only the VMs required for your lab):

LON-DC1

o Sign in as Adatum\administrator

LON-DS1

o Sign in as Adatum\administrator

LON-CL1

o Sign in as Adatum\Holly by using the password Pa55w.rd

Question: What is the best way to verify access to external sites?


Question: What is the best way to configure user profile settings and where do you get all
the data?

Module Review and Takeaways


Review Question

Question: Create a checklist for proper site collection planning.

Best Practices
SharePoint Online offers several configuration options. Planning a collaboration solution and configuring
SharePoint Online are tasks that you must do upfront to have a good SharePoint Online environment in
which your users can start working.

The main points you should consider are:

Do proper planning before you start with user onboarding.

Create a sharing policy that is consistent throughout the service.

Automate site collection generation as much as possible.



Module 10
Planning and configuring an Office 365 collaboration
solution
Contents:
Module Overview 10-1

Lesson 1: Planning and managing Yammer Enterprise 10-2

Lesson 2: Planning and configuring OneDrive for Business 10-17

Lesson 3: Configuring Office 365 groups 10-27

Lab: Planning and configuring an Office 365 collaboration solution 10-35

Module Review and Takeaways 10-37

Module Overview
SharePoint Online Services is a major part of Office 365 services. With Yammer Enterprise, Office 365
offers an enterprise social solution that helps you to build a collaborative environment within your
organization. You can use Yammer Enterprise as a standalone solution, or you can integrate it within
Office 365 and SharePoint Online.
OneDrive for Business is the personal space where users can store their documents, and share files and
folders to work together. Office 365 groups combine Microsoft Exchange Online and SharePoint Online,
and from a user experience perspective, they are present everywhere throughout the Office 365 services.
This module describes how to plan and implement a SharePoint collaboration solution, and how to enable
Yammer Enterprise services within Office 365 and OneDrive for Business, and Office 365 groups.

Objectives
After completing this module, you will be able to:

Enable and configure Yammer Enterprise.

Configure OneDrive for Business.

Configure Office 365 groups.



Lesson 1
Planning and managing Yammer Enterprise
Yammer is an organization's private social network, and it provides collaboration options and teamwork
capabilities. It is part of the Microsoft enterprise social strategy. Yammer is available as a standalone
product or as part of Office 365 Enterprise. Yammer helps organizations connect employees, and lets
them share the information they need. It helps users find answers, experts, and information in an easy
way. Yammer helps you to improve project collaboration within your organization. Yammer can help your
organization reduce internal email and email trees. Yammer is useful for collaboration with external
business partners because it provides the ability to create external networks.

Lesson Objectives
After completing this lesson, you will be able to:

Provide an overview of Yammer Enterprise.


Describe how to enable Yammer Enterprise.

Explain how to configure security settings.

Describe how to configure user roles and administrators.


Describe how to configure usage policies.

Describe how to set up and configure external networks.

Explain how to optimize the Yammer user experience.

Overview of Yammer Enterprise


Organizations can use Yammer as their private social network, which gives an organization collaboration,
teamwork, and enterprise social capabilities.
From a user's perspective, Yammer provides the following benefits:

Breaks down internal barriers.


Connects people.

Offers sharing capabilities.

Helps you find information and experts.


Improves project collaboration.

Helps reduce email trees and internal emails.

Provides capabilities for external collaboration.

Helps strengthen communication skills within your organization.

Helps reduce hierarchies in your organization.

Is easy to adopt, and has low onboarding and training costs.



From an administrator's perspective, Yammer provides the following benefits:

Provides Yammer users with an internal helpdesk tool.

Provides users with a secure space to collaborate and share.

Lets you administer users from the Office 365 admin center.

Lets you audit users from the Office 365 admin center.

Enables control of Yammer network access and appearance.

Enables control of the creation of, and access to, external Yammer networks.

Yammer Basic is available for free; Yammer Enterprise is included in an Office 365 subscription. You can
buy Yammer as part of Office 365 Enterprise. A mobile app experience is also available if your users are
connected through their mobile devices.

The Yammer application is available in two versions:

Yammer Basic. This is the free version that is available to all users, and offers fundamental features for
co-workers to collaborate within an organization.

Yammer Enterprise. This is the premium version, which is provided as part of some SharePoint Online
and Office 365 plans. This enterprise version of Yammer provides several additional features and
resources to enable an organization to implement a professional enterprise social network.

You can upgrade from a Yammer Basic network to the Yammer Enterprise network anytime during your
subscription period.

Note: The enterprise version of Yammer is available with some SharePoint Online and
Office 365 plans. Yammer is included in the following Office 365 subscriptions: E1, E3, E5, K1, K2,
Business, and Education.

Yammer Basic includes:

Basic social networking features. Users can create groups, polls, and use the chat feature to
collaborate within the organization.

Collaboration features. Users can work together in groups, and share information, documents, videos,
and notes.

Yammer Mobile. The Yammer mobile app is available for Basic and for Enterprise Networks.

Yammer Enterprise includes:

Administration tools. Only the Yammer Enterprise version enables you to configure Yammer, manage
users, and perform data analytics.

Network-level apps and integrations. You can activate Office 365, manage apps for your network,
and secure your network.

Integrated Office 365 experience. You can integrate Yammer with the overall Office 365 experience.

Services and support. You can get technical support through Office 365 Enterprise support all day,
every day.
You can integrate your business applications via Open Graph with your Yammer network. By using
Yammer Embed, you can bring Yammer conversations into your business applications. For example, you
can extend your apps with Like and Follow buttons, and share updates within your Yammer network.
Yammer also provides a dedicated app directory.

Administering Yammer
Yammer Enterprise within Office 365 is available in the Office 365 app launcher. You also can access
Yammer as an Administrator in the Office 365 admin center.

The primary location for administering Yammer is within the Yammer admin center. A global Office 365
administrator is automatically a verified network administrator in Yammer. It is also possible to configure a
customized administrator for Yammer alone. Admin and User roles are described in more detail later in
this lesson. Single sign-on (SSO) is available through Office 365 sign-in. This means that all users who have
an Office 365 account can sign in to Yammer with the same credentials.

Network access
Only coworkers can join a Yammer network, which means that only users who are members of the same
domain can join the Yammer Enterprise network. A Yammer network is the place where users meet to
collaborate, conduct conversations, and interact. Within Office 365, you can merge more than one
domain into a single Yammer network. Yammer communications are secure and visible only to people
within your organization and those people who are members of your Yammer network or part of a
selected conversation. You should add all Office 365 domains as allowed domains within the Yammer
network of your organization.

The Yammer Portal user interface


The Yammer portal contains your information feed. This information feed shows all conversations. The
following feed options are available to you:

Discovery. Contains all conversations that are most relevant to you. The feed contains information
based on your subscriptions and your interactions within your Yammer network.

All. Shows the conversations to which you have access within your network.

Following. Shows conversations that you actively subscribe to, and all conversations your followers
have participated in or liked. You see conversations about topics that you follow, and conversations
from groups that you have joined.

On the left of the Yammer portal page, you find navigation options for all the groups to which you
subscribe. The groups are sorted by relevance, with the group in which you participate the most
appearing at the top. If you need to search within Yammer, you have a search box on the left side of the
Yammer navigation pane.

Home, Inbox, and Notifications icons


Home. Directs you to your main feed page.

Inbox. Takes you to the inbox, where you find information about conversations in which you are
tagged, or announcements in a group or network to which you belong.

Notifications. Show all the likes for posts that you publish, or comments that you make.

On the right side of your Yammer portal, you see the recent activities of your coworkers. From here you
can view group descriptions, subscribe to groups by email, or move through apps.

Enabling Yammer Enterprise


Yammer is activated automatically for all Office 365 tenants with a subscription that includes Yammer.
This activation either creates a new Yammer network or connects to an existing Yammer network that has
all or a subset of the domains managed on the Office 365 tenant that includes a valid Yammer
subscription; the existing Yammer network is upgraded to Yammer Enterprise if needed.

Merge domains into one Yammer Enterprise network
If your organization uses more than one custom domain and you want to have all domains included in
one Yammer network, you can migrate one or more Yammer networks with their own email domains
("subsidiary" networks) to a larger Yammer Enterprise network ("parent" network).

Note: A network migration migrates only the users with their user information. If you
merge networks, the content (groups, posts) of the merged network is no longer available. Only
the content of the primary network remains active. You cannot reverse network migrations.

Requirements for a network merge


While merging Yammer networks, you should keep in mind the following requirements:

Only Office 365 global administrators can perform a network merge.


Network migrations are only available for Yammer Enterprise networks.

You can start multiple network migrations back to back, without waiting for the previous ones to
complete.

If a user exists in both networks, the user's account from the parent network will remain and be
promoted from a guest account to a regular account.

Note: If you need to preserve any content from the Yammer network that will merge,
export it before the migration takes place. Create a communication plan, and inform your users
about the change.

Merge Yammer networks


1. Sign in as a global administrator to https://portal.office.com.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click the Settings icon at the bottom of the page.

4. Click Network Admin.


5. Click Admin, click Network, and then click Network Migration.

6. In the Network Migration Wizard, on the Step 1 of 3 - Check/Add Verified Domains page, note
all the verified domains that are available in your network, and then click Next.

7. On the Step 2 of 3 - Choose a Yammer Network to Migrate page, note the first domain that can
be merged.

8. If you want to add this domain to your Yammer network, select the domain, and then click Next.

9. On the Step 3 of 3 - Export Data & Start Migration page, note the information about the network,
and then start the migration.

10. Click Start Migration, and then confirm the migration in the Confirm dialog box.

11. Perform steps 1 to 10 for all other domains.

Best practice
If your organization has more than one Yammer network, activate Yammer with the network that has the
largest number of active users to avoid data loss.

Note: You cannot migrate one Yammer network from one Office 365 tenant to another.

Configuring security settings


Several security settings are available for Yammer Enterprise networks. Some organizations want to allow
only selected IP ranges to have access to Yammer, while others want to configure selected password
policies. To administer these Yammer Enterprise functionalities, follow these steps:

1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left panel, click the Settings icon at the bottom of the page, and then click Network Admin.

4. Click Admin, click Content and Security, click Security settings, and then configure the following
security settings:

o IP Range. You can configure or restrict access to the network if you allow only specific IP ranges.

o Password policies. This is only necessary if you do not have any connection to Office 365. With
simplified sign-in for Office 365, you use the credentials from Azure Active Directory. Azure
Active Directory provides the identity management for Office 365 accounts.

o External Messaging. With this setting, you can enforce Exchange Online Transport Rules in
Yammer. Users can add external participants to their Yammer conversations with external
messaging. Exchange Online Transport Rules is a set of proactive controls to prevent organization
information from being shared. These are configured within Exchange Online to protect content
from Yammer networks. If you apply this setting, and one of your users tries to add an external
participant and this violates your Exchange Online Transport Rule, the user receives an error
message. You should not see this method as an option to opt out of the external messaging
setting.

o Enforce Office 365 identity in Yammer. The best way to manage users in Yammer is through
their Office 365 identities. In that scenario, you are able to maintain a single identity for all Office
365 users. By enforcing Office 365 identity in Yammer and configuring federated identity for
Office 365, administrators can achieve SSO capabilities for all services in Office 365, including
Yammer. The default setting is off.

Enforcing Office 365 identity for Yammer users


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click the Settings icon at the bottom of the page, and then click Network Admin.

4. Click Admin, click Content and Security, and then click Security settings.

5. Scroll down to the section Enforce Office 365 identity in Yammer, and then select the Enforce
Office 365 identity in Yammer.

6. Confirm that you are ready to activate this option.

7. Click Save.

User experience for accounts that sign in with or without enforced Office 365
identity
If you enforce Office 365 identity, you can manage all users out of Office 365. This makes user activation
and auditing simple. Below are the scenarios:

Office 365 identity enforced. The user is prompted to sign in with his/her Office 365 identity. If the
customer has implemented the federated identity model in Office 365, the user signs in with his/her
SSO credentials.

Office 365 identity not enforced. If the user has a corresponding Office 365 email account, he signs in
with his Office 365 identity.

Office 365 identity not enforced. If the user has no corresponding Office 365 email account, he signs
in with his Yammer identity.

Note: Before you start enforcing Office 365 identities in Yammer, make sure that all current
Yammer users have a corresponding Office 365 identity and inform the users about this change.

Configuring user roles and administrators


Within Yammer, you have several different user and administrator roles. The permissions that you can
assign to each user and administrator role are:

Role: Guest User (a user with an external email address, invited by an administrator)
Permissions: Has the same rights as User.

Role: User
Permissions: Has the following rights:
o Create messages, upload files, share and like messages
o Create polls, praise other network members
o Use instant messaging
o Delete own items
o Create notes
o Invite other users

Role: Group Admin
Permissions: Has the same rights as User, and the following additional rights:
o Create groups
o Post announcements in own groups
o Configure group settings (name, picture, and description)
o Perform member management within groups
o Moderate content
o Mark notes and files as official within groups
o Control membership within groups

Role: Network Admin
Permissions: Has the same rights as Group Admin, and the following additional rights:
o Configure network settings and applications
o Configure network design
o Configure usage-policy behavior
o Configure user-profile fields
o Invite anyone (also external guests)
o See all groups (also unlisted)
o Delete any message
o Post announcements
o Grant and revoke Network Admin privileges
o Remove or block users

Role: Verified Admin (an Office 365 Global Admin, provisioned by default)
Permissions: Has the same rights as Network Admin, and the following additional rights:
o Manage user-account activity
o Bulk update users
o Perform integrations
o Monitor keywords
o Set data-retention policy
o Export data
o Configure settings
o Access all groups
o Export content

If you are using Office 365 sign-in credentials, user management uses Azure Active Directory and Office
365 identities. If you use Yammer as a standalone solution, you can manage Yammer users through the
Yammer admin portal by using the following procedure:

1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click the Settings icon at the bottom of the page.

4. Click Network Admin.

5. Click Admin, and then click Users.


In the Users section, you can invite external guest users, remove and block users, invite users, and bulk
update users. The Export users option gives you the ability to export all user data from Yammer
Enterprise.
Each user is able to fill out their individual profile information. Under the Admin section, in the Profile
fields area, you can select which fields are available for your users to fill out.

Note: The profile fields are synchronized from Azure Active Directory if you have Office 365
identities enabled. Some of this information is also visible in external networks in which you are a
member.

Configuring usage policy


To ensure that all activities on Yammer are positive, constructive, and in line with your organization's
policies and culture, you can create a usage policy and require your users to accept it. As soon as you
create or update your usage policy, it appears as a link on users' home screens or as a pop-up message
that users must accept before entering the Yammer network. You can also set a usage-policy reminder to
be visible in the right sidebar.

Creating or updating a usage policy


1. Sign in to http://portal.office.com as global
administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left panel, click the Settings icon at the bottom of the page.
4. Click Network Admin.

5. Click Admin Network, and then click Usage policy.

6. Select the appropriate check boxes if you want to enable a policy reminder in the sidebar, or if you
require your users to accept the policy during sign-up.

7. Type a policy title in the custom policy title text box.

8. Type the user policy text in the Enter your policy in the textbox below text box.

9. Click Save.

Note: You can use HTML tags such as <h1>, <b>, and <i> to format your policy, but
JavaScript is not allowed.

Tips for creating a usage policy


Some basic guidelines for creating a good and motivating usage policy:

Keep it positive and explanatory, and not just a list of "don'ts."

Encourage usage by providing positive examples and suggestions.

Require that content be office appropriate.


Be smart; in written communications, sarcasm never works. Try to set an example with good
communication skills, so that you are likely to motivate and engage people.

Sample acceptable usage policy


Welcome to Yammer! Our goal is to provide a collaborative environment to connect with colleagues, and
bridge various departments and geographic locations to share meaningful information.

Your activity in this network is governed by the following requirements:


Everything in Yammer stays in Yammer! (No public posts or Twitter tweets, or other external
communications).

Please do not post confidential information into the main feed.



Be respectful to other members. It is acceptable to disagree, but please do so in a respectful manner.

Add value with each post.

You are responsible for the material you post to Yammer.

It is important to substantiate ideas, but please keep messages brief and to the point.

Get started by following these best practices:

When you first join, select the colleagues you want to follow. Posts from these colleagues will appear
in your Following feed. To see all the posts in your organization, select All.

Fill out your profile information. Complete the Expertise and Education sections, and be sure to add
a profile picture.

Customize your email preferences in the Notifications section.

Before asking a question, use the search bar and explore the Topics feed to review existing content.
This will help limit repetitive messages.

Browse the Group directory, and join groups that you find important. If a specific group does not
exist, start a new one and invite members of your team to contribute messages. For best results, use
groups as a replacement for existing email listservs.

Add Topics, Links, pictures, and Events to posts when applicable.

Use the Yammer FAQs, and How-to-Guide to help clarify common concerns.

Take time to explore Yammer and become familiar with it.

Post a question, or send a direct message to Network Admin with any specific questions.

Configuring external groups


External groups are Yammer groups that allow
external participants to join. It is not possible to
modify a group and make it external. Instead, you
must create a Yammer group with external
members.
As a Yammer admin, you can add external users to
the group. If the group is set to public, a group
user can suggest adding an external user but the
admin controls whether to add the user.

External groups look different from regular Yammer groups and are located separately on the left
navigation bar in Yammer.

Create an external group


To create an external group, perform the following steps:

1. Sign in to http://portal.office.com.

2. Open Yammer from the Office 365 app launcher.

3. On the left, below the list of groups, click Create Group. The Create a New Group dialog box opens.

4. Click External Group.



5. Type a name in the Group Name box.

6. Add members to the group.

7. Choose whether the group is public or private.

8. Click Create Group.

Configuring external networks


External networks are independent Yammer networks whose parent network is the Home network. You can
create an external network as an extension of any Yammer internal or Home network.
External networks have administration capabilities and operate in a manner similar to internal networks.
This means that every external network can be administered the same way as your internal home
network. External networks are used to enable collaboration between members of the home network and
external parties outside of the organization, such as customers, suppliers, and partners. External networks
operate independently of email domains.
You must invite external parties (with external email addresses), or they must request access to an external
network. On joining, they can only see content that is posted specifically to that external network, which
means that they will not have access to another organization's home network.

Within the Yammer admin portal, you can decide who is allowed to create an external network, and if
approval is required to create an external network. You also can disable external networks completely.

Configuring external networks


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click the Settings icon at the bottom of the page.

4. Click Network Admin.

5. Click Admin Network, and then click External networks.

6. Select the required options, if you want to restrict who is able to create an external network.

Options to restrict external networks:


Any member or only network admins are able to create external networks.

Require admin approval for your organization's members to join other organizations' external
networks.

Disable the Related External Networks directory.

Disable the Our External Networks directory, and remove the External Networks link in the networks
menu.

Creating an external network


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left, click the Settings icon at the bottom of the page, browse to the end of the list of networks
that you are a member of, click Create a New Network, and then configure the following settings:

o Create a network name.

o Provide a description.

o Add a network image.

o Set permissions.

o Require admin approval for users to join other organizations' external networks.

4. Create the external network.

5. Click Save.

Optimizing the user experience with Yammer


You can configure Yammer to be the enterprise
social collaboration network of choice for
SharePoint Online in Office 365. When you make
the change, the app launcher in the Office 365
portal updates to display Yammer instead of the
SharePoint Newsfeed.

Note: If you are using the SharePoint Newsfeed, keep in mind that switching to Yammer is a major
change to your users' working environment. Inform them of the change before making it, and provide
training on how to use Yammer if required.

To replace the SharePoint Newsfeed icon on the Office 365 portal with the Yammer icon, perform the
following steps:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. In the SharePoint admin center, click Settings.

3. Under Enterprise Social Collaboration, select Use Yammer.com service.

4. Click OK.

After a little while, the Yammer icon will show up instead of the SharePoint Newsfeed Icon in your App
Launcher.

Configuring Yammer Embed


Within SharePoint Online, you can use Yammer Embed to integrate content from groups within your
SharePoint experience. Yammer Embed is the preferred method for embedding Yammer conversations in
a SharePoint site.

Add a Yammer group feed to SharePoint Online


1. In Yammer, go to the group that you want to embed. Locate the Access Options section on the right
panel, and select Embed this group in your site.

2. Copy the script from the pop-up window.

3. In your SharePoint site, click Edit.

4. On the ribbon, click Insert, and then click Web Part.

5. In the Categories list, click Media and Content, and then click Script Editor.

6. In Add part to, select where you want to add the Web Part, and then click Add.

7. Locate your new script editor web part, and then click Edit Snippet.

8. Paste the script you copied from Yammer into the script editor Web Part.

9. Click Insert.

10. Save and publish the SharePoint page. You should see the Yammer group conversation on the
SharePoint page.

Optimize user profile settings within Yammer


It is essential that you provide your users an optimal experience while they use Yammer. As a good
starting point, show the users how they can configure and optimize their user settings to meet their
individual needs.

Access the user profile settings and add profile information


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.


3. On the left panel, click the Settings icon at the bottom of the page.

4. Click Settings.

5. Type the desired information about yourself, and change your profile picture.

Note: A good user profile helps your coworkers find information about you and your skills.
Note that some of these fields are also visible when you are a member of an external network.

Set up notifications
Yammer offers numerous notifications. Users can receive notifications for likes, mentions, and much more,
which can be overwhelming at the beginning of any Yammer experience. A good way to help your users is
to advise them to configure their notification settings.

1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the app launcher.

3. On the left navigation pane, click the Settings icon at the end of the page.

4. Click Settings.

5. Click Notifications.

6. Configure the settings so that they meet your requirements.

We recommend that users deselect as many options as possible and leave only those notifications selected
that they actually want in their email inbox. A best practice is to keep the notification for being tagged in
a post and, for security reasons, the notification for a sign-in from a new location, so that an unexpected
sign-in to the account is noticed quickly.

Note: If you are a member of a group, and you do not want to miss any conversation in the
group, subscribe to the group directly through the notification settings.

Configure preferences
In the preferences tab, users can change their time zone and preferred language.

Check Your Knowledge


Question

Select the three Office 365 subscriptions with which Yammer Enterprise is available.

Select the correct answer.

Basic Network with SharePoint Online

Enterprise Network and Office 365

Basic Network and Office 365

Enterprise Network

Enterprise Network and SharePoint Online

Check Your Knowledge


Question

Which three features are available only in a Yammer Enterprise Network?

Select the correct answer.

Secure Enterprise Social Networking

Enterprise Administrator

Group Administrator

Verified Administrator

Enterprise Integrations

Check Your Knowledge


Question

Which two things must be in place before you enable Yammer Enterprise within
Office 365?

Select the correct answer.

A verified custom domain

A paid Yammer Enterprise network

A Global Administrator in Office 365

A Global Administrator in Office 365 with the verified Domain

A verified Administrator in Yammer



Lesson 2
Planning and configuring OneDrive for Business
Microsoft OneDrive for Business is a private library for storing, organizing, and sharing users' work
documents. It is an integral component of a user's Office 365 online environment, and it is available when
the organization purchases SharePoint Online licenses.

Lesson Objectives
After completing this lesson, you will be able to:

Describe OneDrive for Business.

Describe the collaboration features in OneDrive for Business.


Describe how to configure the OneDrive for Business client, and how to configure synchronization.

Describe how to migrate files to OneDrive for Business.

Explain how to manage OneDrive for Business.

Describe how to plan a OneDrive for Business implementation.

Overview of OneDrive for Business


Microsoft OneDrive for Business is a cloud storage repository where you can store, sync, and share your
work files. As part of Office 365, or SharePoint Server 2013 and SharePoint Server 2016, OneDrive for
Business enables you to update and share your files from anywhere and work on Office documents with
others at the same time. There are various options to access the OneDrive for Business folders: through
the browser, through File Explorer, or through a mobile app that is available for mobile platforms.

OneDrive for Business allows you to store all your business-related files in a secure location, sync files
across devices, and access them anywhere, even when offline. Depending on the Office 365 subscription
you purchase, you will be allocated either up to 1 terabyte (TB) of space or unlimited space in the cloud
for OneDrive for Business for each licensed user, without incurring additional costs. For government plans,
this space is limited to 100 gigabytes (GB). This storage allocation is separate from the tenant allocation.

If your OneDrive for Business library is hosted on a server running SharePoint Server in your organization,
your organization's administrators determine how much storage space is available. OneDrive for Business
includes libraries, a Recycle Bin, and personal newsfeed information.

All files that you store in OneDrive for Business are private, unless you decide to share them. You can
either share a file with everyone in the organization by simply placing it in the Shared with Everyone
folder, or you can share a file with specific co-workers by using the SHARE option. You do this by
clicking the ellipsis (...) icon, and then typing the names of the users to send a sharing invitation. You
might even be able to share with partners outside of your organization, depending on what your
organization allows.

Note: Microsoft OneDrive for Business is not the same as OneDrive, which is a cloud-based
service intended for personal storage and is provided with Microsoft Accounts such as
user@outlook.com accounts. This can be confusing because, in the App Launcher and in the
Office 365 portal, the OneDrive for Business feature is actually displayed as OneDrive in the
navigation bar.

Note: When you send email from Outlook 2016 or from Outlook Web App, you can attach
a file stored in OneDrive for Business as a link, instead of sending an attachment. When you
attach a file as a link, you automatically give the recipients permission to edit the file. Also, this
practice saves space in everyone's mailbox, and it encourages people to edit the same copy that
is stored in OneDrive for Business.

The OneDrive for Business storage space in the cloud is available automatically for each user who has a
SharePoint Online license and is separate from the tenant allocation. While SharePoint sites usually store
organization- or team-related content, OneDrive for Business is ideal for personal use.

OneDrive for Business enables users to synchronize folders and files between their local computers and
the cloud. Another important benefit is that OneDrive for Business provides sharing functionality to
collaborate with other users, inside and outside of your own organization.

In summary, OneDrive for Business can make sense in many scenarios. For example, it can serve as a
central personal file storage (which was called Home Directory in local networks), as a way to use
documents offline and online with automatic synchronization, and to share documents with coworkers or
partners securely.

OneDrive for Business collaboration features


OneDrive for Business is your personal document
library in Office 365. By default, the files that you
store in OneDrive for Business are private, but you
can share them as needed. You can store files in
OneDrive for Business, and collaborate on files in
your team site.

While a team site is ideal for storing files that have shared ownership, where several people or the whole
team can collaborate on them, your OneDrive for Business storage is ideal for storing business files that
you are working on by yourself. Additionally, it enables you to share personal content with other people.

It is a common practice to store business files in your OneDrive for Business storage that other team
members will not need to collaborate on or access regularly.

Sharing documents with OneDrive for Business


You can access the OneDrive for Business collaboration features in Microsoft Edge when you access your
files stored in OneDrive for Business, by using the URL https://yourtenant-my.sharepoint.com/personal/UPN/.
UPN is the User Principal Name (the sign-in name and the domain name, with the "@" and the dots
replaced by underscore characters). For example, the personal address of Holly's OneDrive for Business
account is https://yourtenant-my.sharepoint.com/personal/hleitner_adatum_com/.

You can use the following collaboration features:

You can share a file with specific co-workers by using the SHARE option. You do this by clicking the
ellipsis (...) icon for a file, and then typing the names of the users to send a sharing invitation.

In File Explorer, you can right-click a file, and then select More OneDrive sharing options. This
opens Microsoft Edge. In the files list, select the file or folder, and then click Share on the menu bar.
In the sharing dialog box, type the names of the people you want to share your files with, and then
send a sharing invitation.

Note: In older Office 365 tenants, there was a folder named Shared with Everyone. All
files in that folder were visible automatically for all users within the organization. This folder no
longer exists in new Office 365 tenants.

Viewing documents that people have shared with you


To see which documents are shared with you, click the Shared With Me link in the OneDrive for Business
website Quick Action bar on the left pane.

To check if one specific document is shared with other users, select the document or the folder, and then
click Share. In the share dialog box, open Shared with to see a list of all users who have access to that
specific document.

Stop sharing a document


Click the document that you want to stop sharing, and then click Share. In the Share dialog box, click
Shared with. Click STOP SHARING to end sharing of the selected document.

Note: Currently, it is not possible to set a timeframe for sharing files or folders. Objects are
shared until the owner stops the sharing. This must be done manually.

OneDrive for Business client configuration and synchronization


The OneDrive for Business sync client lets you
synchronize your cloud storage or other
SharePoint site libraries to your local computer.
This enables you to take files offline to work on
and then synchronize them back to your
OneDrive for Business library once you are back
online. The synchronization process happens
automatically in the background when your
computer is connected to the Internet.

Currently, two versions of the OneDrive for Business client are available. This is important because the
new OneDrive for Business sync client does not support the same features that the current version offers.

The old sync client (groove.exe)


To get the old OneDrive for Business sync client, install the desktop version of Office 2013 or Office 2016.

The following Office versions and Office 365 plans include the OneDrive for Business sync client:

Office Professional Plus 2013 or 2016

Office 365 Enterprise E3, E5

Office 365 Business Professional

Office 365 Business

Office 365 Business Premium

Additional Reading: For more information, refer to: System requirements for Office at:
http://aka.ms/ghq4zw

The OneDrive for Business sync app is available in different languages for both the x86 and x64 platforms.

Additional Reading: Download OneDrive for Business sync app in different languages and
for the x86 and x64 platforms from: http://aka.ms/we3v3g

Restrictions of the old sync client are as follows:


You can sync files of up to 2 gigabytes (GB) in any SharePoint library.

You can sync up to 5,000 items in a SharePoint library.

You can sync up to a total of 20,000 items across all synchronized libraries.
In SharePoint Server 2013, file names can have up to 128 characters while in SharePoint Online, file
names can have up to 256 characters.

Folder name and file name combinations can have up to 250 characters.

Restricted characters in file names in SharePoint Online are: \ / : * ? " < > | # %.

A file or folder name that begins with a tilde (~) sign is not supported in SharePoint Online.

The same file name restrictions that apply to SharePoint Online are also valid for SharePoint Server
2013, with some additional characters: \ / : * ? " < > | # { } % ~ &.

A file name that begins with a period (.) or a tilde (~) sign is not supported in SharePoint Server 2013.

There are some invalid file types that cannot be uploaded, such as *.tmp, *.ds_store, desktop.ini,
thumbs.db, or ehthumbs.db files. Additionally, in SharePoint Server, the IT administrators can block
individual file types to prevent them from being uploaded.

Files that are opened in any application cannot be uploaded.

Note: For more information, refer to Restrictions and limitations that apply when you sync
SharePoint libraries through OneDrive for Business: http://aka.ms/ps7xle
This URL also provides a download of a tool named MicrosoftEasyFix20150, which helps fix sync
issues with OneDrive for Business automatically.

Note: The old sync client is still used for synchronization of SharePoint Document Libraries
because this is not supported currently in the new OneDrive for Business sync client.

The new OneDrive for Business sync client (OneDrive.exe)


Microsoft released a new version of the OneDrive for Business Next Generation Sync Client. This new
client has some improvements over the old client, including:

Support for selective sync. The user can control which folders will synchronize.

Support for synchronizing large files up to 10 GB.


Support for synchronizing more than 20,000 files.

IT administrator deployment, with configurable options such as the ability to block sync for the
OneDrive consumer service and setting the default sync folder location.
Updates to the new sync client independently of Office and Windows updates.

Supported operating systems


Windows 7, Windows 8, and Windows 10
Mac OS X 10.9 and newer

Current restrictions
Restricted characters in file names in SharePoint Online are: #, %, <, >, :, ", |, ?, *, /, and \.
SharePoint Online has a limit of 30 million documents per library.

File size has a 10-gigabyte limit.

File name path has a 256-character limit.


You cannot add a network or mapped drive as your OneDrive sync location.

You cannot synchronize the Shared with Me view files.

The OneDrive for Business sync client does not support authentication proxies.

You cannot sync Information Rights Management (IRM)-protected libraries.

If a user opens a locally synced Office document from File Explorer, the Office integration is limited,
because the Office application is not aware that the file is a document from the cloud. As a result, the
user cannot use document co-authoring, and the most recent document list shows the local path and
not the cloud path. In addition, sharing is not available, and the cloud (modern) attachments are not
available in Outlook 2016.

Additional Reading: For more information, refer to: Deploying the OneDrive for Business
Next Generation Sync Client in an enterprise environment at: https://aka.ms/fw3pch

Additional Reading: For more information, refer to: Restrictions and limitations when you
sync files and folders using the new OneDrive for Business sync client at: https://aka.ms/m9c36m

Additional Reading: For more information, refer to: Deploying the OneDrive Next
Generation Sync Client on OS X and configuring work or school accounts at:
https://aka.ms/ntv444

Additional Reading: For more information, refer to: Meet the OneDrive for Business Next
Generation Sync Client at: http://aka.ms/tvnzw1

Finding the OneDrive for Business sync client version installed on your system
If you are using OneDrive for Business sync client, in the taskbar navigation area, locate the white or blue
OneDrive cloud icon, and then note the pop-up text.

If the cloud icon is gray, you have the new OneDrive for Business Next Generation Sync Client but
have not set it up for your work or school account. Click the gray cloud icon, and sign in by using
your work or school sign-in credentials.

If the cloud icon is white, and the pop-up text reads OneDrive or OneDrive Personal, the
OneDrive consumer service sync client is installed, and it uses the same program as the new OneDrive
for Business Next Generation Sync Client.

If the cloud icon is blue, and the pop-up text reads OneDrive for Business, the old OneDrive for
Business sync client is installed.

If the cloud icon is blue, and the pop-up text reads "OneDrive - your organization's name", the new
OneDrive for Business Next Generation Sync Client is installed and configured.

Additional Reading: For more information, refer to: Which OneDrive sync client am I
using? at: http://aka.ms/p17elm

Migrating files to OneDrive for Business


In many scenarios, you will have existing content
on your local computer or a file share that you
want to migrate to OneDrive for Business. As a
first step, we recommend that you analyze your
data to plan and prepare for the migration.

Analyzing data
While analyzing existing data, you should ask
yourself the following questions:

What is the total size of all files that you want to migrate? In previous topics, you saw that OneDrive for
Business can store up to unlimited content. Keep in mind that SharePoint Online also has a limit on
available capacity per site collection.

How many files will be migrated? Depending on the sync client that you use (see previous topic),
there is a limit on maximum number of files that you can synchronize. Also, there is a 5,000-item limit
for viewing content in document libraries, and 20,000 for synchronizing personal sites. If you have
more than 5,000 files in one folder, try to split the content over multiple subfolders within SharePoint
Online site collections.

What are the largest file sizes? This depends on the sync client that you use. The maximum file size
with the old OneDrive for Business sync client is 2 GB, whereas with the OneDrive for Business Next
Generation Sync Client, it is 10 GB. If some files exceed this size, you cannot migrate them into OneDrive
for Business. As an alternative, use another storage system such as a local storage area network,
network-attached storage (NAS), a DVD, or Microsoft Azure Blob storage.

What does the folder structure look like, and what is the maximum path length? Use the
MicrosoftEasyFix20150 utility to ensure that filenames do not include special characters, and apply
the rules that you learned in the previous topic. The maximum path length that can be synchronized
is 260 characters. If your folder names are too long, try to use abbreviations, such as HR instead of
Human resources.

Additional Reading: Download the MicrosoftEasyFix20150 utility from: http://aka.ms/rq11p3

What file types exist? OneDrive for Business is ideal for storing Microsoft Office documents. However,
it is not a good idea to move other file types, such as pictures, multimedia files, development code,
and similar content, into SharePoint.

Additional Reading: For more information, refer to: Types of files that cannot be added
to a list or library at: http://aka.ms/orzefl

Is there content that is no longer used? Check whether content exists that is no longer being used, to
reduce the number of files that you plan to migrate. Discuss with the customer whether it is really
necessary to keep old data. It is generally good practice to archive or delete old, unused files from any
storage system before you migrate them to another system.

Additional Reading: For more information, refer to: SharePoint Online and OneDrive for
Business: software boundaries and limits at: http://aka.ms/Ywqifr
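As an added example (not from this course and not Microsoft tooling), the following Python script audits a set of files against the sync-client limits quoted in the previous topic and in the analysis questions above: restricted characters, leading tildes or periods, blocked file types, file size, path length, and the per-folder item count. The limits, blocked names, and restricted characters are taken from the text; the script, its profile names, and the sample entries are constructed assumptions.

```python
"""Pre-migration audit against the OneDrive for Business sync limits quoted above.
Added example (not Microsoft tooling); the sample entries are constructed."""
import os
import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple

GB = 1024 ** 3

# Restricted characters in SharePoint Online file names (from the text above);
# SharePoint Server 2013 adds { } ~ & to the set.
SPO_RESTRICTED = set('\\/:*?"<>|#%')
SP2013_RESTRICTED = SPO_RESTRICTED | set("{}~&")
# File names and types the sync clients will not upload (from the text above).
BLOCKED_NAMES = {"desktop.ini", "thumbs.db", "ehthumbs.db"}
BLOCKED_EXTENSIONS = {".tmp", ".ds_store"}


@dataclass(frozen=True)
class SyncProfile:
    name: str
    max_file_bytes: int
    max_path_chars: int
    max_items_per_folder: int  # the 5,000-item view limit mentioned above
    max_total_items: int       # 0 = no total limit enforced


# Limits quoted above for the old groove.exe client and the Next Generation client.
OLD_CLIENT = SyncProfile("groove.exe", 2 * GB, 250, 5000, 20000)
NEW_CLIENT = SyncProfile("OneDrive.exe", 10 * GB, 256, 5000, 0)

Finding = Tuple[str, str]  # (relative path, description of the problem)


def check_component(name: str, is_file: bool, restricted=SPO_RESTRICTED,
                    allow_leading_dot: bool = True) -> List[str]:
    """Return the problems with one folder or file name; empty if it is clean."""
    problems = []
    bad = sorted(c for c in set(name) if c in restricted)
    if bad:
        problems.append("restricted characters: " + " ".join(bad))
    if name.startswith("~") or (not allow_leading_dot and name.startswith(".")):
        problems.append("leading ~ or . is not supported")
    lower = name.lower()
    if is_file and (lower in BLOCKED_NAMES or posixpath.splitext(lower)[1] in BLOCKED_EXTENSIONS):
        problems.append("blocked file type")
    return problems


def audit_entries(entries: Iterable[Tuple[str, int]], profile: SyncProfile,
                  sharepoint_2013: bool = False) -> List[Finding]:
    """entries: (relative POSIX-style path, size in bytes) for every file to migrate."""
    restricted = SP2013_RESTRICTED if sharepoint_2013 else SPO_RESTRICTED
    findings: List[Finding] = []
    per_folder: dict = {}
    total = 0
    for rel, size in entries:
        total += 1
        folder = posixpath.dirname(rel)
        per_folder[folder] = per_folder.get(folder, 0) + 1
        parts = rel.split("/")
        for i, part in enumerate(parts):  # check every folder name and the file name
            for problem in check_component(part, i == len(parts) - 1, restricted,
                                           allow_leading_dot=not sharepoint_2013):
                findings.append((rel, f"'{part}': {problem}"))
        if len(rel) > profile.max_path_chars:
            findings.append((rel, f"path length {len(rel)} exceeds {profile.max_path_chars}"))
        if size > profile.max_file_bytes:
            findings.append((rel, f"size {size / GB:.1f} GB exceeds "
                                  f"{profile.max_file_bytes // GB} GB ({profile.name})"))
    for folder, count in per_folder.items():
        if count > profile.max_items_per_folder:
            findings.append((folder or ".", f"{count} items in one folder; split into subfolders"))
    if profile.max_total_items and total > profile.max_total_items:
        findings.append((".", f"{total} items exceeds the {profile.max_total_items} total"))
    return findings


def scan_directory(root: str) -> List[Tuple[str, int]]:
    """Walk a real folder (for example a file share) and build entries for audit_entries."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, os.path.getsize(full)))
    return entries


# Constructed sample: each entry after the first trips one of the rules quoted above.
SAMPLE_ENTRIES = [
    ("Human resources/Policies/Leave policy.docx", 120_000),      # clean
    ("Human resources/~$Leave policy.docx", 162),                 # Office lock file, leading ~
    ("Finance/Q1 budget #final%.xlsx", 2_000_000),                # restricted # and %
    ("Finance/thumbs.db", 10_240),                                # blocked file
    ("Finance/Backups/archive.zip", 3 * GB),                      # over the 2 GB old-client limit
    ("Marketing/" + "Very long campaign folder name/" * 9 + "brief.docx", 0),  # 299-char path
]

if __name__ == "__main__":
    for profile in (OLD_CLIENT, NEW_CLIENT):
        print(f"== {profile.name} ==")
        for path, problem in audit_entries(SAMPLE_ENTRIES, profile):
            print(f"{path}: {problem}")
```

Run `audit_entries(scan_directory(r"\\fileserver\share"), NEW_CLIENT)` against a real share to get the list of names to fix before starting the synchronization.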

Migrating data
After you clean up and prepare the local data, the best way to migrate the data into OneDrive for
Business storage is to use File Explorer. Both the next generation sync client and the old sync client
manage uploading all content to the personal cloud storage.

Note: When you synchronize files to OneDrive for Business, metadata associated with files and
folders is not preserved in the OneDrive for Business storage (the SharePoint Online document library).
In addition, the sync client does not detect invalid characters, file type restrictions, or path lengths in
advance.

Some third-party tools provide additional features and migration capabilities. In a future release, the
import function within Office 365 will also be able to import data to OneDrive for Business; until then,
the alternative to File Explorer is a third-party migration tool.

Additional Reading: For more information on a list of third-party tools that you can use
during migration, refer to: Migrating File Shares to OneDrive for Business at:
http://aka.ms/oo1zjq

Troubleshooting migration issues


You might encounter issues during migration. To identify the issue's cause, do the following:

Check the version of your installed OneDrive for Business sync client to see the tool's restrictions. If
you are running the standalone version of OneDrive for Business, make sure that you download the
latest version of the sync client.

Check your upload speed with an online speed test tool, to get an indication of the maximum upload
speed from your location, and try to schedule uploads outside of business hours. Usually, nights are a
good time to upload a high volume of content.

Additional Reading: To check your upload speed, you can use a speed test service such as
Speedtest: https://aka.ms/xxqnok

If synchronization issues occur, try to repair the issues by identifying the underlying problems. You
can usually do this by fixing filename issues and path length on the local computer.

Managing OneDrive for Business


OneDrive for Business is a personal SharePoint document library that has all the features and
limitations of a standard SharePoint document library. OneDrive for Business is simple to use for
end users, and simple to manage for administrators. Your content is available from anywhere without
the need to configure features. You can share content with internal and external users with a mouse
click, and it does not require much effort to maintain these services.

However, users need to understand that they are responsible for their content. Following are some
aspects that you should consider for managing the content effectively:

Managing security is top priority. Because it is easy to share content, users need to know which
objects are shared, or if there is content that is inheriting unwanted permissions. It is easy to create
orphaned permissions on objects; for example, when sharing a folder. Users should understand that
they need to control which content is shared with whom.

Objects, once shared, can be shared again. An external user can transfer permissions on a document
to another user. The document owners can stop sharing, but they need to monitor their shares.

Monitoring shares can be done by checking shares periodically. The owner of the OneDrive for
Business document library must do this.

Note: Folders and files can be managed best with File Explorer. Shares must be monitored
in the OneDrive for Business site in Microsoft Edge, and can only be controlled online.

Besides the security aspects, users should also check the synchronization of their content between their
local computers and the cloud. Both OneDrive for Business sync clients report any issues in the
notification area (system tray) of the taskbar.

Planning a OneDrive for Business implementation


As an administrator who might be tasked with implementing OneDrive for Business for your
organization, you need to understand the service functionality and the administration possibilities
such as security, deploying the Sync Client, integration, and other factors.

When you plan for implementing OneDrive for Business within your organization, you should
consider doing the following:

Analyze the existing content, and decide what should be migrated.

Inform your users about how OneDrive for Business works, and how they can migrate their content.

Inform your users about the benefits of using OneDrive for Business, compared to local storage or
other services.

Help users understand the difference between OneDrive for Business and the OneDrive consumer
version.

Show users how the sync client works.

Support users if errors occur during synchronization, and show them how to fix common errors.

Encourage users to use the sharing functionality whenever needed instead of sending documents as
email attachments. Explain how sharing with internal and external users makes their work easier.

Show users the advantages of sharing and using advanced features such as versioning and archiving,
the Recycle Bin, co-authoring, document preview, and simplified search.

Note: You also can use OneDrive for Business in local environments. If you want to
implement OneDrive for Business in your organization's SharePoint Server 2016 on-premises
deployment, you must have configured the MySites and the User Profile Service application. To
display the user's My Site as a default Save or Open location in Office 2013, you must configure
SharePoint Server 2016 to use Exchange Autodiscover.

Additional Reading: For more information on the required prerequisites and configuration
settings, and how to plan for OneDrive for Business in SharePoint Server 2016, refer to: Plan for
OneDrive for Business in SharePoint Server 2016 at: https://aka.ms/fo7w53

In hybrid deployment scenarios, you can also redirect your users to OneDrive for Business in Office 365.

Additional Reading: For more information, refer to: How to redirect users to Office 365
for OneDrive for Business at: https://aka.ms/qlal2q

Check Your Knowledge


Question

Select all the OneDrive for Business attributes.

Select the correct answer.

Provides up to unlimited Storage

Provides free Online Storage for personal use

Available from any device

Included in Office 365 and SharePoint Online Plans

Allows uploading files up to 15 GB in size

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

With the OneDrive for Business next-generation sync client, selective sync is
possible.

Check Your Knowledge


Question

Select three characters that are not supported in filenames that you store in OneDrive
for Business and SharePoint Online.

Select the correct answer.

&

?

Lesson 3
Configuring Office 365 groups
Office 365 groups are available across all Office 365 services and are tightly integrated with them.
Office 365 groups help in collaboration and teamwork. Through the Outlook Groups mobile app, users
are informed about new content or new communications in the group, and they can also use this app
to work collaboratively with co-workers. Office 365 groups are available only in Office 365. They are
part of Azure Active Directory. Each Office 365 group has a mailbox, a calendar, a OneNote notebook,
and a OneDrive for Business site collection.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Office 365 groups.

Describe the components of Office 365 groups.


Explain how to create and configure Office 365 groups.

Describe how users experience Office 365 groups.

Describe how to remove Office 365 groups.

Overview of Office 365 groups


Office 365 groups are a unique combination of Azure Active Directory groups with Exchange Online and
SharePoint Online functionality. Office 365 groups are similar to distribution groups. An Office 365 group
has its own mailbox, and its members receive email messages sent to the group. In addition, the Office
365 group provides a shared workspace for email, conversations, files, and calendar events. It serves as a
designated place to collaborate on a project. All conversations are stored in the group; a dedicated
calendar is available to the group; and dedicated OneDrive for Business storage is available for group
documents.

Public and private Office 365 groups


With Office 365, Microsoft follows a user-centric approach. This means users can create their own groups
easily and administrators can manage some of the group capabilities.

There are two group types, public and private. A public group is open to everyone. If you are
interested in a public group, you can visit it and check out its content and conversations; if it interests
you, you can join it and become a member. You can subscribe to the group to get email notifications
about group discussions. A private group is exclusive and is open only to its members. Its content and
conversations are not viewable by everyone. Choose a private group if you are concerned about security
and privacy. To join a private group, you must obtain approval from the group administrator. Each group,
private or public, can receive emails.

Note: At the time of writing this course, you cannot change a public group into a private
group, and vice versa.

There are some limitations that group members and owners should be aware of:

A group can have a maximum of 10 owners.

A user can create only up to 250 groups.

Groups with more than 1,000 members are supported, but there might be performance limits.

Office 365 group components


Office 365 groups are user centric. This means that users in your organization can create Office 365
groups, join them, and remove themselves from them. Each user can create groups directly from Outlook
or through Microsoft Edge in Office 365.

When you create an Office 365 group, several things happen in the background:

The Azure Active Directory group is created.

A mailbox with a calendar is created.

A OneDrive for Business page is created.

A OneNote notebook is created.

Office 365 groups are similar to distribution groups in that members receive email messages sent to the
group. The Office 365 group components include a file store and a mailbox store.

Note: Because Office 365 groups have several components, it can take time to create the
groups.

Groups interact with all Office 365 services, such as Outlook, SharePoint, Yammer, Delve, and Planner.

Creating and configuring Office 365 groups


Because of groups' user-centric design, users or administrators can create the groups. As a global
administrator, you can create groups in the Office 365 admin center, and you do not need to be a
member of that Office 365 group.

Creating an Office 365 group in the Office 365 admin center:

1. Sign in to http://portal.office.com as global administrator.

2. Go to the Office 365 admin center by using the app launcher.

3. Select Groups in the left navigation pane, and then click Groups.

4. Click Add a group.

5. On the right pane, you have three options for group type: Office 365 group, Distribution list or
Security group. Select Office 365 group.

6. Review the Office 365 options. Type a name, an email address, and a description. Select if the group
will be public or private, and then select the language.

7. Select the group owner. The group owners are the ones who can manage the group.

8. Select if group members are subscribed to the group or not subscribed.

9. Click Add.

Note: If group members are subscribed to a group, they receive all messages and calendar
items in their inbox.

Note: At the time of writing this course, you cannot add external members to an Office 365
group. If you need that functionality, you must create a Distribution list.

Editing and configuring an Office 365 group


1. Sign in to http://portal.office.com as global administrator.

2. Go to the Office 365 admin center by using the app launcher.


3. Select Groups in the left navigation pane, and then click Groups.

4. Click the group.

5. Select one of the options below:


o Edit Members and Owners. By using this option, you can add and remove members from a
group, select a new group owner, or change the status of the group admin.

o Delete Group. If you do not need the group anymore, delete it. The group, its email
conversations, calendar, and documents stored in OneDrive for Business storage will be deleted
along with the group. This action cannot be undone.

Note: At the time of writing this course, you cannot restore a deleted group.

o Edit Details. Sometimes it is necessary to change or update the name of a group. This name
appears in the address book, on the To: line in email, as the name of the group. A group
description helps your users to decide if a group is relevant for them.

Managing groups through Windows PowerShell


If you need to perform bulk operations on Office 365 groups, you can use Windows PowerShell.

To manage Office 365 groups, you must first connect to Exchange Online by using Windows PowerShell.
You use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange
Online:

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber

Create a new group:

New-UnifiedGroup -DisplayName "MVAGroup" -Alias "MVAGroup"

Add a user to the group owners:

Add-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Owners -Links user@contoso.onmicrosoft.com

Add a user to the group members:

Add-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Members -Links user@contoso.onmicrosoft.com

Remove a user from the group members:

Remove-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Members -Links user@contoso.onmicrosoft.com

Get all members of a group:

Get-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Members
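For the bulk operations mentioned at the start of this topic, the following script is an added example and not part of the course: it creates several groups from a CSV, adds owners and members with the cmdlets shown above, and verifies what Exchange Online actually recorded. It assumes the Exchange Online remote session from this topic is already imported, and the CSV rows (constructed inline) name users that exist in the tenant.

```powershell
# Added example (not from the course): create several Office 365 groups from a CSV and
# set their owners and members, then verify what Exchange Online actually recorded.
# Assumes the Exchange Online remote session from the text is already imported and that
# the CSV rows (constructed here inline) name users that exist in the tenant.
$rows = @'
Alias,DisplayName,AccessType,Owners,Members
sales-emea,Sales EMEA,Private,holly@contoso.onmicrosoft.com,beth@contoso.onmicrosoft.com;amy@contoso.onmicrosoft.com
it-ops,IT Operations,Public,holly@contoso.onmicrosoft.com,beth@contoso.onmicrosoft.com
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # Re-running the script must not fail on groups that already exist
    $group = Get-UnifiedGroup -Identity $row.Alias -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-UnifiedGroup -DisplayName $row.DisplayName -Alias $row.Alias -AccessType $row.AccessType
        Write-Host "Created $($row.AccessType) group $($row.Alias)"
    }

    $owners  = @($row.Owners  -split ';' | Where-Object { $_ })
    $members = @($row.Members -split ';' | Where-Object { $_ })

    # An owner must already be a member of the group, so add everyone as a member first
    $current = [string[]] (Get-UnifiedGroupLinks -Identity $row.Alias -LinkType Members).PrimarySmtpAddress
    foreach ($user in ($owners + $members | Select-Object -Unique)) {
        if ($current -notcontains $user) {
            Add-UnifiedGroupLinks -Identity $row.Alias -LinkType Members -Links $user
        }
    }
    $currentOwners = [string[]] (Get-UnifiedGroupLinks -Identity $row.Alias -LinkType Owners).PrimarySmtpAddress
    foreach ($user in $owners) {
        if ($currentOwners -notcontains $user) {
            Add-UnifiedGroupLinks -Identity $row.Alias -LinkType Owners -Links $user
        }
    }

    # Verify: warn about owners that Exchange Online did not accept
    $actualOwners = [string[]] (Get-UnifiedGroupLinks -Identity $row.Alias -LinkType Owners).PrimarySmtpAddress
    $missing = $owners | Where-Object { $actualOwners -notcontains $_ }
    if ($missing) {
        Write-Warning "$($row.Alias): owners not applied: $($missing -join ', ')"
    } else {
        Write-Host "$($row.Alias): $($owners.Count) owner(s) and $($members.Count) member(s) applied"
    }
}
```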

Group naming policies


Group naming policies allow you to control how group names and email aliases appear in your
organization's directory, and how they appear to users. Naming policies are useful for adding specific
suffixes to group names or for blocking specific names, and when different regions need different
naming conventions. You assign a group naming policy through Windows PowerShell.

How users experience Office 365 groups


As long as Office 365 groups are not disabled in your tenant, users can access Office 365 groups across
all Office 365 services. Office 365 groups are visible to users within their Outlook Web App and in
OneDrive for Business. Also, groups are part of the Office 365 Planner, and you can see them in the
Outlook 2016 client. Groups are open and discoverable by default. When a user finds a group, the user
can first explore the group by checking the memberships, conversations, and files. If the group interests
the user, the user can join the group and start participating.

Conversations and email


One of the most important parts of a group is communication. As mentioned, each group has its own
mailbox, and each user can access group conversations either through Outlook or the Outlook Web App.
The group conversations are preserved. This ensures that new members can acquaint themselves with
group content quickly. The group conversations are sorted by date. You can also like a conversation in
Office 365 groups.

Additionally, you can send an email to a group by adding the group name to the To: line of your email
and send it.

Note: Currently, it is not possible to be a member of a group as an external user without an
Office 365 license or email address within the Office 365 tenant. But it is possible to send emails
to a group as an external user.

Group calendar
Each group has its dedicated group calendar. Every member of the group automatically sees meeting
invites and other events. All group calendars are visible in Outlook and Outlook Web App, and can be
viewed side by side. Events that you create in the group calendar are added and synchronized
automatically with your personal calendar.

Files, sharing, and SharePoint team site


Each group has its own SharePoint team site with document libraries. A group's document library is the
primary place for group files.

Note: You can add folders only if the custom scripts on personal sites feature is disabled.

Subscribing to a group
You can be a member of a group, and you can subscribe to it. When you subscribe to a group, you are
requesting that conversations or events from the group be sent to your inbox. You can directly answer to
group conversations from your inbox. Subscribing is not enabled by default. Each user can decide to
subscribe to a group or not subscribe. This helps you subscribe only to the most relevant groups.

Removing Office 365 groups


There might be several reasons why you need to disable Office 365 groups. The most important one is
that you do not use all the services from Office 365. If your organization uses SharePoint Online as the
only service within Office 365 and has another email system on-premises, it is difficult to use groups
because groups are so deeply connected to all Office 365 services. You can disable Office 365 group
creation at the tenant level; it is also possible to disable group creation for a subset of users.

Disabling group creation for all users


1. Open Windows PowerShell.

2. Connect to Microsoft Online Services, and then create the Group.Unified settings object by using the
following commands:

Connect-MsolService
# Look up the security group whose members will still be allowed to create groups;
# its ObjectId is the value used for GroupCreationAllowedGroupId below.
Get-MsolGroup -SearchString "<Group Name>"
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "c83888c4-8ce7-4e08-a36d-6cecc59f3407"
New-MsolSettings -SettingsObject $setting
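The commands above paste a GUID into GroupCreationAllowedGroupId by hand. The following script is an added example and not part of the course: it resolves that ObjectId from the security group's display name, updates the tenant's existing Group.Unified settings object when there already is one (New-MsolSettings cannot create a second one) and reads the effective values back. It assumes Connect-MsolService has already run, that a security group named "Group Creators" (constructed name) exists, and that the MSOnline module's Get-MsolAllSettings, Set-MsolSettings and GetSettingsValue() members are available.

```powershell
# Added example (not from the course): restrict Office 365 group creation to one security
# group, resolving its ObjectId by name and updating an existing Group.Unified settings
# object instead of failing on New-MsolSettings.
# Assumes Connect-MsolService has run; the group name below is constructed for the example.
$allowedGroupName = 'Group Creators'

# Resolve the group and insist on exactly one match: SearchString is a prefix search
$allowedGroup = @(Get-MsolGroup -SearchString $allowedGroupName |
    Where-Object { $_.DisplayName -eq $allowedGroupName })
if ($allowedGroup.Count -ne 1) {
    throw "Expected exactly one group named '$allowedGroupName', found $($allowedGroup.Count)"
}
$allowedGroupId = $allowedGroup[0].ObjectId.ToString()

# A tenant can hold only one Group.Unified settings object; update it if it exists
$existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }

if ($existing) {
    # Keep every other value as it is and change only the two creation keys
    $value = $existing.GetSettingsValue()
    $value['EnableGroupCreation'] = 'false'
    $value['GroupCreationAllowedGroupId'] = $allowedGroupId
    Set-MsolSettings -SettingId $existing.ObjectId -SettingsValue $value
    Write-Host "Updated existing Group.Unified settings"
} else {
    $template = Get-MsolAllSettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting = $template.CreateSettingsObject()
    $setting['EnableGroupCreation'] = 'false'
    $setting['GroupCreationAllowedGroupId'] = $allowedGroupId
    New-MsolSettings -SettingsObject $setting
    Write-Host "Created Group.Unified settings"
}

# Read back the effective values so the change can be confirmed and recorded
(Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' } |
    Format-Table Name, Value -AutoSize
```

Users who are not members of the named group will see group creation blocked in Outlook, OneDrive for Business and the other workloads once the setting has propagated.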

Hiding a group from the global address list (GAL)


1. Open Windows PowerShell.

2. Connect to Exchange Online Remote PowerShell.

3. Hide a group from the GAL by using the following command:

Set-UnifiedGroup -Identity <groupname> -HiddenFromAddressListsEnabled $true

Microsoft Teams overview


Microsoft Teams is the chat-centered workspace in Office 365. You can use Microsoft Teams to collaborate
through team chats, make calls, and manage meetings and private messages. You can extend Microsoft
Teams with connectors. Microsoft Teams provides enhanced security features and standards compliance to
help you ensure that your company's most sensitive collaborations are private.

Microsoft Teams is available in the following Office 365 commercial suites: Business Essentials,
Business Premium, and Enterprise E1, E3, and E5 plans. Microsoft Teams is not available to Education and
Government customers at this time.

Note: Microsoft Teams is currently in preview and may be subject to change.

Microsoft Teams is a hub for teamwork. Within team workspaces, you can find content, tools, people, and
conversations. You can use SharePoint Online, OneNote, and Skype for Business to implement Office 365
groups functionalities within Microsoft Teams. Microsoft Teams provides enterprise security and
compliance features that help keep data encrypted at rest and in transit.

Components of Microsoft Teams


Teams and channels, two components of Microsoft Teams, help you stay organized.

Teams
A team is the overall group of people working on a project. Each team consists of team owners and team
members. There can be only 10 owners per team. As a team owner, you can add new members and other
owners. You can also manage team settings, such as enabling or disabling @mentions. As a team owner,
you can allow .gif files, stickers, and memes, and configure moderation settings in your team. Owners can
also rename and delete teams. Each team that you create also generates an Office 365 group.

Each team consists of team members. The maximum number of team members is 600. Members can add
additional channels to the team.

Within each team, you have documents and conversations. You can give feedback directly and
communicate on a document.

Note: Bots are also a component of Microsoft Teams, which you can use to complete tasks
such as querying information and performing commands.

Channels
Each team has at least one channel; when you create a team, the default channel is named General.
Channels can cover different topics within a team. Channels are open to everyone on the team.

Requirements of Microsoft Teams

Microsoft Teams is currently available in preview to customers with Business Essentials, Business Premium,
and Enterprise E1, E3, and E5 subscriptions. We also recommend having Exchange Online and SharePoint
Online.

The Microsoft Teams client is available for:

Windows 7 and newer

Mac OSX 10.10 and newer

Windows Phone 10.0.10586 and newer

Android 4.4 and newer

iOS 9 and newer

The teams.microsoft.com website is supported with:

Chrome 51.0 and newer

Firefox 47.0 and newer

Microsoft Edge 12 and newer

Internet Explorer 11 and newer

Enabling Microsoft Teams

To enable or disable Microsoft Teams for your Office 365 tenant, perform the following steps:

1. Open https://portal.office.com.

2. In the app launcher, click Admin.

3. On the left, open Settings.

4. Click Microsoft Teams.

5. Turn the Turn Microsoft Teams on or off for your entire organization slider bar on or off.

Check Your Knowledge


Question

Select two services with which Office 365 groups are already integrated.

Select the correct answer.

OneDrive for Business

Yammer

Delve

OneNote

Skype for Business



Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Office 365 groups provide polls.

Check Your Knowledge


Question

Which Windows PowerShell cmdlet do you use to disable groups?

Select the correct answer.

$setting["DisableGroupCreation"] = "true"

$setting["EnableGroupCreation"] = "false"

$setting["EnableUnifiedGroupCreation"] = "false"

Set-OwaMailuserPolicy -Identity test.com\OwaMailUserPolicy-Default


-GroupCreationDisabled $true

Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default


-GroupCreationDisabled $false

Lab: Planning and configuring an Office 365 collaboration solution
Scenario
With all the core Office 365 components configured and working well, the next step for A. Datum
Corporation administrators is to explore options for using Office 365 to enhance collaboration within the
organization. To do this, you will enable and configure Yammer Enterprise, OneDrive for Business, and
Office 365 groups.

Objectives
After completing this lab you will be able to:

Enable and configure Yammer Enterprise.

Configure OneDrive for Business.

Configure Office 365 groups.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL3

User name: Adatum\administrator, Adatum\Holly, Adatum\Beth

Password: Pa55w.rd

In all tasks:

Where you see references to Adatumyyxxxx.onmicrosoft.com, replace Adatumyyxxxx with your
unique Office 365 name that is displayed in the online lab portal.

Where you see references to Adatumyyxxxx.hostdomain.com, replace the Adatumyyxxxx with
your unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines:

LON-DC1

o Sign in as Adatum\administrator by using the password Pa55w.rd

LON-DS1

o Sign in as Adatum\administrator by using the password Pa55w.rd

LON-CL1

o Sign in as Adatum\Holly by using the password Pa55w.rd

LON-CL3

o Sign in as Adatum\Beth by using the password Pa55w.rd

Question: If you enforce Office 365 identities in Yammer, what is the impact for Yammer
users with no Office 365 identities?

Question: Which Windows PowerShell cmdlets can you use to create an Office 365 group
and to add the group owner?

Module Review and Takeaways


Best Practices
Always enable Yammer Enterprise as the primary Enterprise Social Network within Office 365.

Design a usage policy.

Familiarize yourself with the administration options within Yammer Enterprise.

Support users during their initial experience of using Yammer.

Familiarize yourself with the different OneDrive for Business sync clients and their limitations and
features.

Create a consistent sharing policy across Office 365.

Decide if and when you should use Office 365 groups, because they are essential to some of the
Office 365 components.

Decide if Office 365 groups will be user centric or centrally managed.

Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip

Synchronization is not working in OneDrive for Business

Multiple Yammer Networks exist for different Office 365 domains

Office 365 groups are enabled and used without administrative awareness

Review Question

Question: Discuss the differences between Office 365 groups and Yammer and possible use
cases where you need one tool or the other.

Module 11
Planning and configuring Rights Management and
compliance
Contents:
Module Overview 11-1

Lesson 1: Overview of the compliance features in Office 365 11-2

Lesson 2: Planning and configuring Azure Rights Management in Office 365 11-13

Lesson 3: Managing the compliance features in Office 365 11-24

Lab: Configuring Rights Management and compliance 11-41

Module Review and Takeaways 11-42

Module Overview
Many organizations are considering moving to the cloud; however, they still have security concerns
about making this transition. To use a trustworthy service provider, your organization needs to define its
security and compliance requirements. By using a cloud service, your organization entrusts your service
provider to process your data. Security, compliance, and privacy in Microsoft Office 365 have two equally
important dimensions:

Service provider capabilities that include technologies, operational procedures, and policies that are
enabled by default.

Customer-managed controls that allow you to customize your Office 365 environment based on the
specific needs of your organization while still helping to maintain security and compliance.

Enhancing security and compliance is an ongoing process and not a steady state. In this module, you will
learn about the compliance features in Office 365 and how to manage them. You will plan and configure
Microsoft Azure Rights Management (Azure Information Protection), and you will be able to discuss the
security features in Office 365.

Objectives
After completing this module, the students will be able to:

Describe the compliance features in Office 365.


Configure Azure Information Protection in Office 365.

Manage the compliance features in Office 365.



Lesson 1
Overview of the compliance features in Office 365
Office 365 complies with industry standard regulations, and its design helps you to meet the regulatory
requirements for your business. In this lesson, you will learn what compliance features are available within
Office 365 and how to use and manage them.

In modern information technology (IT) environments, information security is essential. Users require
access to their IT services at all times and on any device. For the many device types in use, such as
desktops, tablets, and smartphones, you need to help ensure that data is as secure as possible.
Multiple-device access benefits your users, especially with the mass consumerization of IT, which is
spreading to business and government organizations. However, the technologies and devices that
employees bring from home into their workplaces, combined with this type of access, give malicious
hackers a larger attack surface.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Office 365 compliance and security features.

Describe Office 365 Security & Compliance Center.

Configure permissions in the Security & Compliance Center.

Describe advanced security and compliance features in Office 365 Enterprise E5 subscriptions.

Security considerations when planning an Office 365 implementation


When you consider using Office 365 for your organization, one important feature to consider is
security.

Security is essential; therefore, you must have a service provider that you trust to process your
organization's data.

Office 365 has service-level capabilities that include technologies, operational procedures, and
policies that are enabled by default for customers who use this service.

Office 365 also provides customer controls that allow you to customize your Office 365 environment
based on the specific needs of your organization.

The security considerations in planning an Office 365 implementation cover a large set of topics, which
include:

Service-level security features. This level of security enhancement exists to help protect your service
and data through layers of security features, including physical, logical, and data layers. This level of
security enhancement provides many features, including:

o Port scanning and remediation.

o System security updates.


o Help with detecting network-level distributed denial of service (DDoS) attacks.

o Azure Multi-Factor Authentication for service access.

o The auditing of all operators and administrators.

o User rights only when needed.

o The ability to detect accounts that you no longer need.

Security-related customer controls. Each service within Office 365 offers its own security features
that you can control. These features help you to meet your compliance requirements, control spam and
antimalware settings, encrypt data, and control access to content for your users. Encryption
technologies are applied at the Office 365 service level. The technologies you can configure within your
Office 365 tenant include:

o The Microsoft Rights Management service.

o Security-enhanced email traffic through Secure Multipurpose Internet Mail Extensions (S/MIME).

o Office 365 message encryption.

o Transport Layer Security (TLS) for Simple Mail Transfer Protocol (SMTP) messages to partners.

Privacy by design. The key principles in the data security features within Office 365 are:

o No data mining for advertising.

o You own the data. If you cancel the service, you get your data back.

o Data access is limited, audited, and logged.

Privacy-related customer controls. Customer controls allow you to use policies and features within
Office 365, including:

o Rights Management in Office 365. This capability restricts access to documents, workbooks, and
presentations. Azure Information Protection helps you to prevent sensitive information from
being printed, forwarded, or copied by unauthorized people.

o Privacy-related controls for sites, libraries, and folders. Microsoft SharePoint Online sites are set to
private by default. Microsoft OneDrive for Business does not share uploaded documents until the
user provides explicit permissions and identifies whom to share with.

o Privacy-related controls for communications. Communication controls allow you to communicate
in a security-enhanced way. In Microsoft Skype for Business Online, you can control the
federation level, for example, no federation, federation with other Skype for Business users, or
federation only with those domains you allow. You can also decide whether to allow or prohibit
communications with Skype consumer users.

Service compliance. Compliance obligations and audits by non-Microsoft parties help to meet
compliance and security goals. Governmental and industry requirements, internal policies, and
requirements derived from industry best practices add to these obligations. As a result, Office 365 has
obtained independent verifications, including:

o International Organization for Standardization (ISO) 27001.

o Statement on Standards for Attestation Engagements 16 (SSAE 16) Service Organization Control
1 (SOC 1) (Type II) audits.

o Data transfer for data outside of the European Union (EU) through the EU Model Clauses.

o A Health Insurance Portability and Accountability Act (HIPAA) business associate agreement with
all customers.

o The Federal Information Security Management Act (FISMA).

o The Cloud Security Alliance public registry.



o The Microsoft data processing agreement.

o Payment Card Industry Data Security Standard (PCI DSS) Level One.

Customer compliance. Customer compliance helps users to control their security and compliance
needs within the enterprise. Examples include:

o Data loss prevention (DLP).


o eDiscovery.

o Auditing and reporting functionality.

o The Rights Management service for file-level access restrictions.

o Multi-Factor Authentication.

o S/MIME for security-enhanced, certificate-based email access.

When you plan an Office 365 implementation, it is important to review your internal security
requirements and then create a checklist with the following questions:

What service level do you need?

Are any privacy controls already in place?

What security features do you have, and what is available with Office 365? What are the built-in
security features, and which customer controls does Office 365 offer?

What are your onboarding and offboarding strategies?


Are you currently aware of any security breaches?

Are you transparent in the way you use and access data?

Is data encryption currently in place?

Does a data backup strategy already exist?

Do specific storage requirements exist that are related to your region?

Does your password policy enforce security-enhanced passwords?

Compliance and security features in Office 365

Compliance standards for Office 365


Office 365 offers a variety of security and compliance features to help organizations comply with certain
federal regulations and help keep customer data secure. These features help to safeguard information
according to:

HIPAA. HIPAA imposes strict privacy regulations for customers who process electronic protected health
information.

Data processing agreements. A data processing agreement describes how the data processor handles and
safeguards customer data. For example, the data processor for Office 365 is Microsoft, and the regulations
are covered worldwide. You can sign data processing agreements either online within your Office 365
subscription at https://portal.office.com/Commerce/supplements.aspx or through your enterprise
agreement. To use Office 365, many organizations defer to legal counsel to help ensure that they are
legally safe. Optional contractual supplements are available, including:

o The Office 365 security amendment, for customers outside of Europe.

o Office 365 and Microsoft Dynamics CRM Online data processing agreements (with EU standard
contractual clauses).

o Office 365 and Microsoft Dynamics CRM Online data processing agreements.

o The Office 365 and Microsoft Dynamics CRM Online HIPAA and Health Information Technology
for Economic and Clinical Health (HITECH) business associate agreement (with an
implementation guide).

FISMA. United States federal agencies can procure information systems and services only from
organizations that meet the FISMA regulations.

ISO/IEC 27001:2013. This standard from ISO and the International Electrotechnical Commission (IEC)
is widely used and is the best-known standard for an information security management system. Office
365 meets this security benchmark with physical, logical, process, and management controls. Since
2015, the most recent Office 365 audits have also included the ISO 27018 privacy controls.

EU Model Clauses. The EU Data Protection Directive is a key instrument for the EU privacy and human
rights law. The EU Model Clauses legitimize the transfer of personal data outside the EU, and they
comprise the preferred method for the data transfer of personal data outside the EU.

The U.S.-EU Safe Harbor Framework. The U.S.-EU Safe Harbor Framework also addresses the transfer
of personal data outside the EU. Office 365 follows the principles and processes stipulated by this
framework.

Note: At the end of 2015, the European Court of Justice declared the U.S.-EU Safe Harbor
Framework invalid, and it is currently undergoing revisions.

The Family Educational Rights and Privacy Act (FERPA). United States educational organizations are
required to follow FERPA regulations regarding the use or disclosure of student education records.
This also includes student information sent in email and email attachments.

SSAE 16. Independent organizations can audit Office 365 and provide SSAE 16 SOC 1 Type I and Type
II and SOC 2 Type II reports on how the service implements controls.

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA
pertains to how private sector organizations collect, use, and disclose personal information in the
course of commercial business.

The Gramm-Leach-Bliley Act (GLBA). This act protects customers' nonpublic personal information,
and financial institutions are required to follow these regulations to protect their clients' information.

Security and privacy within Office 365


To help protect customer data and privacy, Microsoft uses the following safeguards:

Restricted access. Microsoft restricts physical datacenter access to authorized personnel and has
implemented multiple layers of physical security. Video camera surveillance and security-breach
alarms monitor access at all times.

Data encryption. Data is encrypted both at rest and in transit between datacenters and between
datacenters and users.

Data mining. Your data is not mined or accessed for advertising purposes.

Data ownership. The data stored within Office 365 is available to you at virtually any time.

Data backup. Microsoft regularly backs up your data.

Data deletion. If you decide to leave Office 365, Microsoft provides the support to return or offboard
your data.

Data regions. You decide which region will host your data.

Additional Reading: For more information about data regions, refer to: Where is my
data? at: http://aka.ms/l4tjga

Password policy. Password policies enforce security-enhanced passwords.

Custom controls about privacy features. You can turn features that impact privacy on or off to meet
your needs.

Data processing. Microsoft contractually commits to the data processing agreement.

Additional Reading: For more information, refer to: Office 365 Trust Center at:
http://aka.ms/vjvvco

Overview of the Security & Compliance Center for Office 365


The Office 365 Security & Compliance Center, formerly the Compliance Center, is available through
https://protection.office.com/. In the Office 365 Security & Compliance Center, you can manage your
security and compliance needs for helping to protect your data within Office 365.

Navigation through the Security & Compliance Center
In the Security & Compliance Center, on the left side, the navigation pane has the following menu
items:

Home. This page provides top-level information about the Security & Compliance Center and what is
available here.

Permissions. This page provides an overview of all the permissions granted to users in your
organization for compliance tasks, such as device management, DLP, eDiscovery, and retention.

Security policies. On this page, you can manage devices and set up DLP policies.

Data Management. This page has options for importing data from other systems. You can also set
data retention policies here.

Search & Investigation. On this page, you can use eDiscovery to manage cases.

Reports. Here, you find user activity reports.


Service Assurance. Service Assurance provides information about how Microsoft helps to maintain
the security, privacy, and compliance of Office 365.

Microsoft Cloud Service Trust Portal


The Microsoft Cloud Service Trust Portal gives you access to information about how Microsoft helps to
maintain security, privacy, and compliance. The Trust Portal delivers access to audit reports across
Microsoft cloud services, including those for Azure, Microsoft Dynamics CRM, and Office 365. The
following sections are available in the Trust Portal:

Home

Compliance Reports

Trust Documents
Settings

Contact Us

Additional Reading: For more information, refer to: Office 365 Service Trust Portal at:
http://aka.ms/vqu38w

Office 365 Secure Score


The Office 365 Secure Score is designed to help you analyze your tenant's security data so that you can
reduce your potential security risks. With the help of the Office 365 Secure Score, organizations can
better understand the extent to which they have adopted robust security configurations, behaviors,
and best practices. The service is a three-step process that includes:

1. Collect data. Collect the data that will help you analyze your score.

2. Analyze the results. The results are presented in an interactive web experience.
3. Act. Suggested recommendations are made based on the results.

Additional Reading: Office 365 Secure Score is in preview at the time of this writing, so its
features and availability might change. For more information, refer to: Office 365 Secure Score
at: http://aka.ms/h7br1z

Configuring permissions in the Security & Compliance Center


If you want to allow users in your organization to perform tasks in the Security & Compliance Center,
you need to grant them permissions. Users can then perform compliance tasks such as device
management, eDiscovery, retention, and DLP. Permissions in the Security & Compliance Center are
based on the role-based access control (RBAC) permissions model, which is also used in Microsoft
Exchange Online. RBAC grants permissions to administrators and users based on management roles.
Note, however, that Exchange role groups and Security & Compliance Center role groups do not share
membership or permissions.

Within Office 365, you will find Administrator roles such as the Global admin or Limited admin access. The
Limited admin access roles contain admin roles such as Billing administrator, Password administrator,
Service administrator, User management administrator, Exchange administrator, SharePoint administrator,
and Skype for Business administrator.

Relationship between roles and role groups


Roles grant permissions for a set of tasks. Role groups allow users to perform their jobs across the Security
& Compliance Center. A role group includes a set of permission roles.

Existing role groups in the Security & Compliance Center


To manage access to the various compliance roles, the Security & Compliance Center makes certain role
groups available:

ComplianceAdministrator. The ComplianceAdministrator manages settings for auditing, device
management, DLP, reports, and preservation. The assigned roles include:

o Case Management

o Compliance Search
o Hold

o Organization Configuration

o View-Only Audit Logs

o View-Only Recipients

eDiscoveryManager. The eDiscovery Manager performs searches and places holds on mailboxes,
SharePoint Online sites, and OneDrive for Business locations. The eDiscovery Manager can also create
and manage eDiscovery cases, including adding and removing members from a case. The eDiscovery
Manager creates and edits compliance searches associated with a case. The assigned roles include:

o Case Management
o Compliance Search

o Export

o Hold
o Preview

o Review

OrganizationManagement. The OrganizationManagement role group controls permissions for
accessing features in the Security & Compliance Center. The Organization Manager manages settings
for auditing, device management, DLP, reports, and preservation. Global administrators are
automatically members of this group. The assigned roles include:
o Audit Logs

o Case Management

o Compliance Search
o Hold

o Organization Configuration

o Role Management

o Search And Purge



o Service Assurance View

o View-Only Audit Logs

o View-Only Recipients

Reviewer. The Reviewer uses a limited set of the analysis features in Equivio Analytics. Members of this
group can see only the documents that are assigned to them. They cannot create, open, or manage
an eDiscovery case. The assigned role includes:

o Review

Service Assurance User. The Service Assurance User accesses the Service Assurance section within the
Security & Compliance Center. Members of this role group can use this section to review documents
related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for
their own organization. The assigned role includes:
o Service Assurance View

Supervisory Review. The Supervisory Reviewer controls policies and permissions for reviewing
employee communications. The assigned role includes:
o Supervisory Review Administrator

Retention policy and archiving. These permissions are set in the Exchange admin center. Members of
this group can configure compliance features such as Retention Policy Tags (RPTs), message
classifications, and transport rules. The assigned roles include:

o Audit Logs

o Journaling
o Message Tracking

o Retention Management

o Transport Rules
Document deletion. These permissions are set in the Document Deletion Policy Center. You can find
the Document Deletion Policy Center at https://<tenantname>.sharepoint.com/sites
/CompliancePolicyCenter/. The Compliance Policy Center contains policies to protect the SharePoint
content you want, and you can set policies to delete content you do not want. Policies created here
are assigned to a site collection or template. Because of compliance, legal, or other business
requirements you might be required to retain documents for a certain time frame. Other documents
held longer than required can create an unnecessary legal risk. By creating a document deletion
policy, you can delete documents after a specific time frame. For instance, a document deletion policy
can delete all the documents in OneDrive for Business that are older than seven years.

Give users access to the Security & Compliance Center


Before users can manage security or compliance features, you need to assign them the appropriate
permissions. Each Office 365 global administrator or member of the OrganizationManagement role group
in the Security & Compliance Center can grant permissions to users. If you assign users only selected
permissions, they will be able to manage only the security or compliance features you give them access to.

You can grant users access in two ways: through the Office 365 Security & Compliance Center or through
Windows PowerShell.

To grant users access through the Office 365 Security & Compliance Center, complete the following steps:

1. Sign in to the Office 365 portal.

2. In the app launcher, select the Admin icon.



3. In the Office 365 admin center, open the Admin centers link, and then click Compliance.

4. In the Security & Compliance Center, go to Permissions.

5. Choose the role group that you want to add the user to, and then click Edit.

6. On the role group's properties page, under Members, click Add, and then add the user you want.

7. After you select all the users you want, click Add, and then click OK.

8. Click Save.

To grant user access through Windows PowerShell, complete the following steps:

1. Connect to the Office 365 Security & Compliance Center by using remote Windows PowerShell.

2. On your local computer, open Windows PowerShell, type the following command, and then press
Enter:

$UserCredential = Get-Credential

3. Type your Office 365 user name and password, and then click OK.

4. Create the remote Windows PowerShell session by typing the following command on a single line,
and then pressing Enter. The session authenticates with the credential from step 2, and
-AllowRedirection lets the connection follow the redirect to the datacenter that hosts your tenant:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

5. Import the session's cmdlets into your local session by typing the following command, and then
pressing Enter:

Import-PSSession $Session

6. Type the Add-RoleGroupMember command to add a user to the OrganizationManagement role
group, and then press Enter. For example, to add the user Holly:

Add-RoleGroupMember -Identity "OrganizationManagement" -Member Holly

7. After you finish adding users, type the following command, and then press Enter to close the
Windows PowerShell session:

Remove-PSSession $Session
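The procedure above adds a member to a role group. The following script is an added example and not part of the course; it shows the complementary defensive task of enumerating every Security & Compliance Center role group, its assigned roles, and its members, and flagging the groups the text identifies as most sensitive (OrganizationManagement, which holds Role Management and Search And Purge, and eDiscoveryManager, which can export and preview mailbox content). It assumes the remote session from steps 1 to 5 has already been imported, so that the Get-RoleGroup and Get-RoleGroupMember cmdlets are available; the function name Get-ComplianceRoleGroupReport and the output file name are assumptions of this example.

```powershell
# Added example (not course material): audit Security & Compliance Center role
# group membership. Assumes Import-PSSession from the procedure above has already
# run, so Get-RoleGroup and Get-RoleGroupMember are available in this session.

# Role groups the text above identifies as the most sensitive: OrganizationManagement
# (Role Management, Search And Purge) and eDiscoveryManager (Export, Preview).
$HighPrivilegeGroups = @('OrganizationManagement', 'eDiscoveryManager')

function Get-ComplianceRoleGroupReport {
    [CmdletBinding()]
    param(
        # Optional: report on a single role group instead of all of them.
        [string]$Identity
    )

    $groups = if ($Identity) { Get-RoleGroup -Identity $Identity } else { Get-RoleGroup }

    foreach ($group in $groups) {
        $members = @(Get-RoleGroupMember -Identity $group.Identity)
        # Emit a row even for empty groups so that the report is complete.
        if ($members.Count -eq 0) { $members = @([pscustomobject]@{ Name = '(no members)' }) }

        foreach ($member in $members) {
            [pscustomobject]@{
                RoleGroup     = $group.Name
                Member        = $member.Name
                HighPrivilege = $HighPrivilegeGroups -contains $group.Name
                Roles         = ($group.Roles -join ', ')
            }
        }
    }
}

# Show the most sensitive groups first, then export the full report for the
# periodic access review that the planning checklist above calls for.
$report = Get-ComplianceRoleGroupReport
$report | Sort-Object -Property HighPrivilege, RoleGroup -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\SCC-RoleGroupMembers.csv -NoTypeInformation

# Quick check: who can currently manage roles or purge content?
$report | Where-Object { $_.HighPrivilege -and $_.Member -ne '(no members)' } |
    Select-Object RoleGroup, Member
```

Because Exchange role groups and Security & Compliance Center role groups do not share membership, run this report against the Security & Compliance Center session, not an Exchange Online session, and keep the exported CSV with the other evidence for your access reviews.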

Advanced security and compliance features in Office 365 Enterprise E5 subscriptions

Office 365 Enterprise E5 is a subscription that extends the compliance and security features of
Office 365 with advanced compliance and security features. Office 365 Enterprise E5 offers extensions
around real-time communications and analytics. Through advanced security features, you can add
Office 365 Advanced eDiscovery, the Safe Attachments and Safe Links features of Advanced Threat
Protection, and access control through Customer Lockbox to your Office 365 tenant.

Customer Lockbox
Office 365 operates with the principles of least privilege and just-in-time access. Therefore, Microsoft
personnel do not have standing permission to access customer content. If permission is granted, it is
for a limited time. A customer must provide explicit approval if Microsoft personnel need to access the
customer content to perform a service operation. The approval workflow that already exists within
Microsoft for this type of access is extended to customers. Customer Lockbox addresses customer
concerns about access to their data in the service by the service provider. Customer Lockbox
technology controls access to customer data across all Office 365 services. Customer Lockbox enforces
multiple levels of approval within Microsoft so that Microsoft engineers receive access to customer
data only when it is necessary and only for a limited time. All access control activities in the service are
logged and audited. With Customer Lockbox, you as a customer are part of this approval process. Until
you approve a request, the Microsoft engineer will not be granted access.

The most common scenario where Microsoft engineers might need to access customer content is when
the customer makes a support request that requires access for troubleshooting.

People who are members of the customer's control group provide approvals or rejections of Customer
Lockbox requests. Customer Lockbox is enabled in the initial release through remote Windows
PowerShell commands. Examples of customer content include:
Email bodies and email attachments.

Content in SharePoint sites.

Information in the body of a SharePoint file.


Information in the presentation file body within Skype for Business.

Conversations via IM or voice.

Binary large objects (BLOBs) or structured storage data (for example, Microsoft SQL Server containers)
created by a customer.

Security information: for example, certificates, encryption keys, and passwords owned by a customer.

Inferences, and all subsequent inferences, if customer content remains.

Office 365 Advanced eDiscovery


Office 365 Advanced eDiscovery brings machine learning, predictive coding, and text analytics
capabilities to eDiscovery and governance. These capabilities help to sort large quantities of data,
potentially millions of emails, messages, and documents, down to a small subset of relevant files.
Office 365 Advanced eDiscovery eliminates duplicate files, helps to reconstruct email threads, and
identifies key themes and data relationships. Through the Advanced eDiscovery machine learning
mechanisms, you can train the system to find relevant content faster.

Advanced Threat Protection


Advanced Threat Protection is part of Exchange Online Protection. Advanced Threat Protection consists of
a collection of features, including Safe Attachments and Safe Links, designed to combat zero-day attacks.
Safe Attachments opens unknown attachments in a special hypervisor environment that helps to detect
malicious activity. Safe Links helps to prevent users from reaching malicious websites when they click
links in an email. The service helps to protect internal email only.

Note: Because attachments need to be checked, they are first blocked for the recipient.
Safe Attachments launches a unique hypervisor to open an attachment, and this can result in a
delivery delay of up to 30 minutes (the average delay is 7-10 minutes).

Check Your Knowledge


Question

What are the customer compliance setting elements?

Select the correct answer.

DLP

A data processing agreement

The Rights Management service for file-level access restrictions

ISO 27018

S/MIME for security-enhanced, certificate-based email access

Check Your Knowledge


Question

What are the role groups that exist in the Security & Compliance Center?

Select the correct answer.

eDiscovery Manager

Legal Hold Manager

Service Assurance User

ComplianceUser

ComplianceReviewer

Lesson 2
Planning and configuring Azure Rights Management in
Office 365
In this lesson, you will begin to understand the integrated security features within Office 365 and how to
use them. In addition, you will look at the rights management features and how to use them. With Azure
Information Protection, your organization can help to protect content in Office 365. Various rights
management templates are available to help protect content in Office 365.

You will also learn about the differences between Active Directory Rights Management Services (AD RMS)
and Azure Active Directory (Azure AD) Rights Management.

With the integration of Azure Information Protection, you will learn how to help make Office 365 more
secure on your terms.

Lesson Objectives
After completing this lesson, you will be able to:
Describe Microsoft Azure Information Protection in Office 365.

Explain how Azure Rights Management works.

Compare AD RMS and Azure Information Protection.


Plan Azure Information Protection integration with Office 365.

Configure Azure Information Protection integration.

Overview of Azure Information Protection in Office 365


Azure Information Protection is a cloud-based information protection solution for Office 365. Users
share information daily through email, file-sharing sites, and cloud services. Traditional security
controls, such as New Technology File System (NTFS) permissions, firewalls, and access control lists,
are not effective enough to meet these needs.

Azure Information Protection uses encryption, identity, and authorization policies to help protect
information both within your organization and outside your organization, and on virtually any
device. The protection enhancement remains with the data: for example, when people mail data to
other users or store it in their personal cloud drives, Azure Information Protection helps to protect it.
Azure Information Protection provides persistent protection enhancement, which helps to secure your
organization's data.

Authorized users and services (such as search and indexing) can continue to read and inspect the data
that Azure Information Protection helps to protect. This is called reasoning over data and is a crucial
element in maintaining control of your organization's data.

Azure Information Protection is included in Office 365 Enterprise E3, Office 365 Enterprise E5, Enterprise
Mobility Suite, and Enterprise Cloud Suite and is available as a standalone plan through Azure Information
Protection Premium.

To use Azure Information Protection, you must have Azure AD. You use your organizational account to
sign in to the Azure classic portal, where you can configure and manage Rights Management templates.

Activate Azure AD
1. Sign in to the Office 365 portal with your global administrator account.

2. In the app launcher, click the Admin icon.

3. In the Office 365 admin center, open Admin centers, and then click Azure AD.

4. Sign up and type your organizational data.

Note: To activate Azure AD within your Office 365 account, you do not need a credit card.

Client devices that support Azure Information Protection


Windows 10 devices (x86 and x64)

Windows 8.1 devices (x86 and x64)


Windows 8 devices (x86 and x64)

Windows 7 devices (x86 and x64)

Devices running Mac OS X 10.8 Mountain Lion or later


Windows Phones running Windows Phone 8.1

Android phones and tablets running Android 4.0.3 or later

iPhones and iPads running iOS 7.0 or later

Tablets running Windows RT 8.1 or Windows RT 8

Apps and Subscriptions that support Azure Information Protection


Office 365 ProPlus
Office 2016 for Mac

Office 365 Enterprise E3

Office 365 Enterprise E5


Office Professional Plus 2016

Office Professional Plus 2013

Office Professional Plus 2010

Note: Currently, certain apps do not support Azure Information Protection, including:

Office for Mac 2011

OneDrive for Business in SharePoint Server 2013

XML Paper Specification (XPS) Viewer



How Azure Information Protection Works


The Azure Information Protection service (and Microsoft) does not see or store your data as part of
the information protection process. To help protect information, data is never sent to or stored in
Azure unless you intentionally store it there or use another cloud service that stores it in Azure.

Azure Information Protection encrypts your data at the application level and includes a policy that
defines the authorized use for that document. When a legitimate user or an authorized service
accesses the data, the document is decrypted, and the rights that are defined in the policy are
enforced.

A content key helps to protect an Azure Information Protection protected document. This content key is
unique for each document and is placed in the file header, where your Azure Information Protection
tenant root key helps to protect it. Microsoft either generates or manages this tenant root key, or you can
generate and manage your own tenant key.

Cryptographic controls used by Azure Information Protection


The Azure Information Protection security-enhanced protection is industry standard. For encryption,
Azure Information Protection uses the following algorithms and key lengths:

Document protection method. The algorithm is Advanced Encryption Standard (AES), and the
key lengths are 128 bits and 256 bits.

Key protection method. The algorithm is Rivest-Shamir-Adleman (RSA), and the key length is
2,048 bits.

Certificate signing. The algorithm is Secure Hash Algorithm (SHA)-256.


The protection process on the client works as follows:

1. The user prepares the user environment on the client in a one-time process by installing the
Azure Information Protection client application.

2. The Azure Information Protection client connects to Azure Information Protection and authenticates
the user with that user's Azure AD account (Office 365 organizational account).

Note: The authentication is automatic, and no user prompts appear when the tenant
domain and user accounts are federated with Azure AD.

3. As soon as the user is authenticated, certificates are issued that allow the user to authenticate to
Azure Information Protection to consume protected content and to protect content offline. A copy of
the user's certificate is stored in Azure Information Protection. This helps to ensure that if the user
moves to another device, that user will still have access to his or her protected data.

4. When the user protects data, the Azure Information Protection client creates a random content key
and encrypts the document with it.

5. The Azure Information Protection client creates a certificate with an included policy. This policy is
based on a template or on specific document rights, and the policy includes:

o Rights for users and groups.

o Restrictions such as read-only or an expiration date.

6. After that, the organization's key is used to encrypt the policy and the symmetric content key.

7. The Azure Information Protection client signs the policy with the user's certificate.

8. The policy is embedded into a file with the body of the document that was previously encrypted.

9. The policy stays with the document for as long as the document remains encrypted.

Now you can store the document virtually anywhere or share it by using essentially any method.

How content consumption works


When a user wants to consume a protected document, the Azure Information Protection client starts by
using the following process to request access to the Azure Information Protection service:

1. The authenticated user sends the document policy and the user's certificates to Azure Information
Protection.

2. Azure Information Protection decrypts and evaluates the policy.

3. The service builds a rights list for the user.

4. Azure Information Protection extracts the AES content key from the decrypted policy and then
encrypts this key with the user's public RSA key that was obtained with the request.

5. An encrypted use license with the list of user rights is returned to the Azure Information Protection
client.

6. The Azure Information Protection client decrypts this encrypted use license by using its own user
private key.

7. The Azure Information Protection client also decrypts the rights list and passes it to the application.
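To make the protection and consumption processes above concrete, here is an added PowerShell simulation. It is not course material, not the Azure Information Protection SDK, and not the real RMS file format; it only walks through the same building blocks the text names: a random AES-256 content key per document, RSA-2048 keys for the tenant and for each user, a SHA-256 signature over the policy, and a use license whose content key is re-wrapped to the requesting user's public key. It assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later; all key pairs, the user names alice, bob and carol at contoso.example, and the document text are constructed for the example, and the function names Protect-Document, Request-UseLicense and Unprotect-Document are assumptions of this example.

```powershell
# Added example (not course material): a simulation of the Azure Information Protection
# protect/consume flow described above, using the .NET cryptography classes. It follows
# the algorithms the text names (AES content key, RSA-2048 key protection, SHA-256
# signatures) but is NOT the real RMS file format or the Azure Information Protection SDK.
# Assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later.
using namespace System.Security.Cryptography
using namespace System.Text

# Long-lived keys, all constructed for this example: the tenant root key (held by the
# service, or by you with BYOK) and one key pair per user, issued after authentication.
$TenantKey = [RSA]::Create(2048)
$AliceKey  = [RSA]::Create(2048)
$BobKey    = [RSA]::Create(2048)
$Oaep      = [RSAEncryptionPadding]::OaepSHA1   # supported by every .NET RSA implementation
$Sha256    = [HashAlgorithmName]::SHA256
$Pkcs1     = [RSASignaturePadding]::Pkcs1

function Protect-Document {
    # Runs on the author's client (steps 4 to 9 of the protection process).
    param([string]$PlainText, [hashtable]$RightsByUser, [RSA]$AuthorKey)
    # Step 4: a random content key, unique to this document, encrypts the body.
    $aes = [Aes]::Create(); $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $body = [Encoding]::UTF8.GetBytes($PlainText)
    $encryptedBody = $aes.CreateEncryptor().TransformFinalBlock($body, 0, $body.Length)
    # Step 5: the policy records which users hold which rights.
    $policy = [Encoding]::UTF8.GetBytes(($RightsByUser | ConvertTo-Json -Compress))
    # Step 6: policy and content key are sealed with the organization's key. RSA-OAEP
    # only wraps short payloads, so the two are wrapped separately here.
    $wrappedPolicy = $TenantKey.Encrypt($policy, $Oaep)
    $wrappedKey    = $TenantKey.Encrypt($aes.Key, $Oaep)
    # Step 7: the author signs the policy so the service can detect tampering.
    $signature = $AuthorKey.SignData($policy, $Sha256, $Pkcs1)
    # Steps 8 and 9: everything travels with the encrypted body. The IV is not secret.
    # The real service already holds the author's public certificate (step 3); it is
    # carried inline here only to keep the example self-contained.
    [pscustomobject]@{
        Body = $encryptedBody; IV = $aes.IV; WrappedPolicy = $wrappedPolicy
        WrappedKey = $wrappedKey; Signature = $signature
        AuthorPublicKey = $AuthorKey.ExportParameters($false)
    }
}

function Request-UseLicense {
    # Runs in the service, which alone holds the tenant private key (consumption steps 1 to 5).
    param($Protected, [string]$User, [RSAParameters]$UserPublicKey)
    # Steps 1 and 2: decrypt the policy and verify the author's signature before trusting it.
    $policyBytes = $TenantKey.Decrypt($Protected.WrappedPolicy, $Oaep)
    $author = [RSA]::Create(); $author.ImportParameters($Protected.AuthorPublicKey)
    if (-not $author.VerifyData($policyBytes, $Protected.Signature, $Sha256, $Pkcs1)) {
        throw 'Policy signature is invalid; no use license issued.'
    }
    # Step 3: build the rights list for this user. No entry in the policy means no access.
    $policy = [Encoding]::UTF8.GetString($policyBytes) | ConvertFrom-Json
    if (-not $policy.$User) { throw "$User holds no rights on this document." }
    # Steps 4 and 5: unwrap the content key and re-wrap it to the requesting user's key.
    $contentKey = $TenantKey.Decrypt($Protected.WrappedKey, $Oaep)
    $userRsa = [RSA]::Create(); $userRsa.ImportParameters($UserPublicKey)
    [pscustomobject]@{ Rights = @($policy.$User); WrappedKey = $userRsa.Encrypt($contentKey, $Oaep) }
}

function Unprotect-Document {
    # Runs on the consuming client (consumption steps 6 and 7).
    param($Protected, $License, [RSA]$ClientKey)
    $aes = [Aes]::Create()
    $aes.Key = $ClientKey.Decrypt($License.WrappedKey, $Oaep)   # only this user's private key can do this
    $aes.IV  = $Protected.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Body, 0, $Protected.Body.Length)
    # The rights list goes to the application, which enforces it (read-only, no print, and so on).
    [pscustomobject]@{ Text = [Encoding]::UTF8.GetString($plain); Rights = $License.Rights }
}

# Constructed scenario: alice authors the document, bob may only view it, carol gets nothing.
$doc = Protect-Document -PlainText 'Q3 forecast (constructed sample text)' -AuthorKey $AliceKey -RightsByUser @{
    'alice@contoso.example' = @('VIEW', 'EDIT', 'PRINT')
    'bob@contoso.example'   = @('VIEW')
}
$license = Request-UseLicense -Protected $doc -User 'bob@contoso.example' -UserPublicKey $BobKey.ExportParameters($false)
Unprotect-Document -Protected $doc -License $license -ClientKey $BobKey     # text recovered, Rights = VIEW

try { Request-UseLicense -Protected $doc -User 'carol@contoso.example' -UserPublicKey $BobKey.ExportParameters($false) }
catch { "Denied as expected: $($_.Exception.Message)" }
```

Save the block as a .ps1 file (the using statements must precede other code) and run it. Two points the simulation makes visible that the prose only states: the tenant private key never leaves the service side, so a stolen file yields only ciphertext, and the use license is bound to one user's public key, so bob's license is useless to anyone without bob's private key. RSA-OAEP with SHA-1 is used for the key wrap only because it is supported by every .NET RSA implementation; it is not the padding the real service uses.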

Comparing AD RMS and Azure Information Protection


You can compare Active Directory Rights Management Services (AD RMS) with Azure Information
Protection in terms of functionality and requirements. This topic describes in detail the comparison
between the two offerings.

AD RMS
AD RMS supports on-premises Microsoft server products, such as Exchange Server, SharePoint Server,
and file servers that run Windows Server and File Classification Infrastructure (FCI). When comparing
AD RMS to Azure Information Protection, several differences exist, such as the following:

You must define a trust between two organizations in a direct, point-to-point relationship. To define
this relationship, you can use either trusted user domains or federated trusts that you create by using
Active Directory Federation Services (AD FS).

No default policy templates are available. Instead, you need to create each policy.

Users can define their own permission sets if the templates are not sufficient.

The supported Office applications are:

o Office 2007 and later.

o Office for Mac 2011 and later.

Rights Management sharing apps for mobile devices are supported.

Sharing with people in another organization is not supported.

The supported Windows clients are those running Windows Vista with Service Pack 2 and later.

Mobile device support requires the AD RMS mobile device extension.

Smart card authentication is supported if Microsoft Internet Information Services (IIS) is configured to
request certificates.

Cryptographic Mode 1 is supported by default, and additional configuration is required to support Cryptographic Mode 2, which uses longer keys and stronger algorithms (RSA-2048 and SHA-256).

A Rights Management license is required to protect content and to consume content.

AD RMS supports RSA-1024 and RSA-2048, and it supports SHA-1 or SHA-256 for signing operations.

AD RMS supports bring your own key for Exchange Online.

Azure Information Protection


Azure Information Protection supports online and on-premises Microsoft server products such as
Exchange Server, SharePoint Server, and file servers that run Windows Server and FCI. Azure Information
Protection does this by:

Supporting the Information Rights Management (IRM) capabilities in Microsoft online services such as
Exchange Online, SharePoint Online, and Office 365.
Supporting on-premises Microsoft server products such as Exchange Server, SharePoint Server, and
file servers that run Windows Server and FCI.

Note: On-premises systems require Azure AD Premium, which is not part of the Office 365
Enterprise services.

Allowing protected content to be shared among users within the same organization or across
organizations when the users have Office 365 or Azure Information Protection or they sign up for
Rights Management for individuals without the need to build explicit trust relationships.

Making two default rights policy templates available and allowing you to create custom templates.
You can create custom templates for only a subset of users.

Allowing users to define their own permission sets if the templates are not sufficient.

Supporting the following Office applications:

o Office 2010 and later.

o Office for Mac 2016 and later.

Supporting Rights Management sharing apps for mobile devices.

Supporting the Rights Management sharing app, which supports sharing of files with people in
another organization, document tracking, and email notifications.

Supporting Windows clients running Windows 7 or later.

Providing mobile device support.



Supporting Multi-Factor Authentication for computers and mobile devices.

Supporting Cryptographic Mode 2 without additional configuration, which provides stronger security
enhancement for key lengths and encryption algorithms.

Supporting migration from AD RMS and, if required, migration back to AD RMS.

Requiring a Rights Management license to protect content. No such license is required to consume
content that has been protected by Azure Information Protection (which includes users from another
organization).

Always using RSA-2048 for public key cryptography and SHA-256 for signing operations.

Note: Azure Rights Management does not currently support bring your own key for
Exchange Online.

Planning Azure Information Protection integration with Office 365

Activate Azure Information Protection


To activate Azure Information Protection, you need to have user accounts and groups, as cloud accounts or synced accounts, including mail-enabled groups in the cloud that you will use with Rights Management.

By default, Azure Information Protection is disabled in Office 365. Therefore, before you can use Azure Information Protection, you need to activate it within your Office 365 tenant. After you activate Azure Information Protection, all the users in your organization can apply and consume information protection for their files.

Activate Rights Management from the Office 365 admin center


To activate Rights Management from the Office 365 admin center, complete the following steps:

1. Sign in to the Office 365 sign-in portal with your global administrator account.

2. In the app launcher, click the Admin icon.

3. In the Office 365 admin center, in the left side menu, select Settings and then click Apps.

4. Click Microsoft Azure Rights Management.

5. On the Microsoft Azure Rights Management page, click Manage Microsoft Azure Rights
Management settings.
6. On the Rights Management page, click activate.

7. When prompted with Do you want to activate Rights Management?, click activate.

Note: You can also enable Rights Management through Windows PowerShell with Enable-Aadrm.

Configure the onboarding controls for a phased deployment


If you do not want all users to protect files immediately by using Azure Information Protection, you can
configure the user onboarding controls through Windows PowerShell.

Additional Reading: For more information, refer to: Azure Rights Management
Administration Tool at: http://aka.ms/u8tiut

If you want to help ensure that only those users who are correctly licensed to use Azure Information Protection can protect content, use the following command:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true
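The portal steps above, the Enable-Aadrm note and the onboarding control belong to one procedure: activate, restrict who can protect while you pilot, then widen to everyone who is licensed, and verify. The following script is an added example (not from the course) that performs that sequence with the AADRM module. The security group object ID is a placeholder; the comparison of Get-Aadrm output against the string Enabled assumes the cmdlet reports activation state that way. Microsoft has since replaced the AADRM module with the AIPService module, in which these cmdlets keep their names with "Aadrm" replaced by "AipService".

```powershell
# Added example (not from the course manual): activation plus a phased rollout using the
# AADRM module. The group object ID is an assumed placeholder. In the successor
# AIPService module the cmdlets are the same with "Aadrm" replaced by "AipService".
Import-Module AADRM
# Prompts interactively, which also works for accounts that require Multi-Factor Authentication.
Connect-AadrmService

# 1. Activate the service only if it is not already on. Get-Aadrm reports the activation
#    state; comparing it to the string 'Enabled' is an assumption about its output.
if ((Get-Aadrm) -ne 'Enabled') {
    Enable-Aadrm
}

# 2. Phased deployment: while the pilot runs, only members of this security group can
#    protect content. Consuming already-protected content is not restricted by this policy.
$pilotGroupObjectId = '00000000-0000-0000-0000-000000000000'   # assumed; look it up in Azure AD
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $false -SecurityGroupObjectId $pilotGroupObjectId

# 3. After the pilot, switch to license-based control (the command shown on this page):
#    any user who holds a Rights Management license may protect content.
#    Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true

# 4. Verify the effective state before telling users to start protecting files.
Get-AadrmOnboardingControlPolicy
Get-AadrmConfiguration

Disconnect-AadrmService
```

Keep step 2 in place until the pilot group has confirmed that the client applications they use can open protected content; once -UseRmsUserLicense $true is set, the security-group restriction is no longer the control.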

Configuring Azure Information Protection integration


After you enable Azure Information Protection, you can start to configure it. Additional configuration points include:

Configure custom templates for Azure Information Protection.

Log and analyze Azure Information Protection usage.

Configure applications for Azure Information Protection.

Configure a super user account for Azure Information Protection.

Deploy the Azure Information Protection connector (only with Azure AD Premium).

Configure custom templates for Azure Information Protection


After Azure Information Protection activation, two templates are available:

Read-only viewing for the protected content:

o Display name: <organization name> - Confidential View Only

o Specific permission: View Content

Read or modify permissions for the protected content:

o Display name: <organization name> - Confidential

o Specific permissions: View Content, Save File, Edit Content, View Assigned Rights, Allow Macros,
Forward, Reply, Reply All

Users can set their permissions through the Rights Management sharing application. In Microsoft Outlook
and Outlook Web App, users can select the Do Not Forward option for email messages. In addition, you
can create custom templates for:

Granting rights to a group of users.

Allowing a subset of users to use departmental templates.

Defining custom rights, such as View and Edit (but not Copy or Print), for a template.

The configuration of additional options in a template includes an expiration date and whether you can
access the content without an Internet connection.

Create, configure, and publish a custom template


To create, configure and publish a custom template, complete the following steps:

1. Sign in to the Office 365 portal with your global administrator account.

2. In the app launcher, click the Admin icon.

3. In the Office 365 admin center, in the left side menu, select Admin centers.

4. Select Azure AD.

5. In the classic portal, click Active Directory.

6. Select Rights Management.

7. Select the directory you want to manage.


8. Select Create a new rights policy template.

9. Select Language, name and description of the template.

10. Click Manage your rights policy templates.

11. See your newly created template added to the list of templates, with a status of Archived. At this
stage, the template is created but not configured, and it is not visible to users.

12. Select the template.

13. Click Configure rights for users and groups. Get started and add the users and groups you want to
add to this template.

14. Select the following rights for the users or groups:

o Viewer

o Reviewer

o Co-Author

o Co-Owner

o Custom

15. If you want this template to be a departmental template, select scope.

16. Click GET STARTED NOW.

17. Select the users and/or groups whom you want to be able to see the template.

18. Click CONFIGURE, and then add the additional languages that users will employ together with the
name and description of the template in that language.

19. Optionally set the value for content expiration by specifying a date or a number of days starting from
the time that the protection is applied to the file. For offline access, you can specify that the content is
not available without an Internet connection or that the content is available only for a specified
number of days. When users reach this threshold, they must be reauthenticated, and their access is
logged.
20. Publish the template by selecting Publish and then saving.
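The same departmental template can be created and published without the classic portal. The following script is an added example (not from the course) that builds the "View and Edit but not Copy or Print" case described above with the AADRM module: a template scoped to one department, with a content expiration and an offline-access limit. The group addresses, the template names and the German description are placeholders; the right names (VIEW, EDIT, DOCEDIT, VIEWRIGHTSDATA) and the parameter values follow the AADRM module as documented, but verify them with Get-Help Add-AadrmTemplate in your tenant. In the successor AIPService module the cmdlets keep their names with "Aadrm" replaced by "AipService".

```powershell
# Added example (not from the course manual): creates and publishes a departmental
# template with the AADRM module. Addresses and names are assumed placeholders.
Import-Module AADRM
Connect-AadrmService

# Names and descriptions are keyed by LCID (1033 = en-US, 1031 = de-DE).
$names = @{
    1033 = 'Contoso Legal - Review Only'
    1031 = 'Contoso Legal - Nur Pruefung'
}
$descriptions = @{
    1033 = 'View and edit only. No copy or print. Content expires 30 days after protection.'
    1031 = 'Nur anzeigen und bearbeiten. Kein Kopieren oder Drucken. Inhalt laeuft nach 30 Tagen ab.'
}

# Rights for the Legal group: VIEW, EDIT and DOCEDIT plus VIEWRIGHTSDATA.
# EXTRACT (copy) and PRINT are deliberately left out, which is the
# "View and Edit (but not Copy or Print)" case on this page.
$legalRights   = New-AadrmRightsDefinition -EmailAddress legal@contoso.com -Rights 'VIEW','EDIT','DOCEDIT','VIEWRIGHTSDATA'
# Outside counsel in another organization may only view; no trust relationship is needed.
$counselRights = New-AadrmRightsDefinition -EmailAddress counsel@fabrikam.com -Rights 'VIEW'

# ContentValidityDuration: content expires 30 days after protection is applied.
# LicenseValidityDuration: offline access for 7 days, after which the user must
# re-authenticate and the access is logged (step 19 above).
# ScopedIdentities: departmental template, visible only to the Legal group.
$template = Add-AadrmTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $legalRights, $counselRights `
    -ContentExpirationOption AfterDays -ContentValidityDuration 30 `
    -LicenseValidityDuration 7 `
    -ScopedIdentities legal@contoso.com `
    -Status Published

# Verify: only Published templates are offered to users; an Archived one is invisible.
Get-AadrmTemplate | Where-Object { $_.Status -eq 'Published' } | Format-List TemplateId, Names, Status

Disconnect-AadrmService
```

Keep the -Status Archived default while you are still editing rights; publish only after the rights definitions have been reviewed, because every document protected with a published template inherits its rights at that moment.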

Log and analyze Azure Information Protection usage


The Azure Information Protection service can log the requests that it handles for your organization, including:

Requests from users.

Actions performed by Rights Management administrators in your organization.

Actions performed by Microsoft operators to support your Azure Information Protection deployment.

These logs provide business insight, help you monitor for abuse, and support forensic analysis.

Note: To enable Azure Information Protection logging, you need an Azure subscription.

Configure applications for Azure Information Protection


Configuring applications for Azure Information Protection includes installing the Rights Management
sharing application and enabling support for the IRM features in SharePoint Online or Exchange Online.
Here is what you need to configure the following applications for Azure Information Protection:

Office 365. Office 365 natively supports Azure Information Protection. Therefore, no client computer
configuration is required to support the IRM features for applications such as Microsoft Word,
Microsoft Excel, Microsoft PowerPoint, Outlook, and Outlook Web App.

Exchange Online. To configure Exchange Online to support Azure Information Protection, you must
configure the IRM service for Exchange Online. To do this, open Windows PowerShell (there is no
need to install a separate module), and run the following Windows PowerShell commands for
Exchange Online.

Set-ExecutionPolicy RemoteSigned
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Note: Depending on the location of your tenant, replace the link in the preceding command with one of the following:

For Europe: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

For Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

For South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true

You can use the following optional command to test the configuration, replacing the placeholder with the address of a real mailbox:

Test-IRMConfiguration -Sender <user email address>

Close the remote session when you are done:

Remove-PSSession $Session

Note: The remote session above uses Basic authentication, as Exchange Online required when this course was written. Microsoft has since retired Basic authentication for Exchange Online remote PowerShell in favor of the Exchange Online PowerShell module (Connect-ExchangeOnline), which should be used for a new deployment.

SharePoint Online and OneDrive for Business. These applications support Azure Information Protection. SharePoint Online relies on Azure Information Protection to assign usage restrictions and encrypt documents. You need to set up Rights Management in SharePoint Online, as well. To protect SharePoint lists and libraries, you must first activate Azure Information Protection for your organization and then turn on IRM in SharePoint Online by completing the following steps:
a. Sign in to the Office 365 portal with your global administrator account.

b. In the app launcher, click the Admin icon.

c. In the Office 365 admin center, select Admin centers.

d. Select SharePoint.

e. In the SharePoint admin center, select settings.

f. On the Settings page, in the IRM section, select Use the IRM service specified in your
configuration, and then select Refresh IRM Settings.

After you enable IRM in SharePoint Online, you can protect SharePoint lists and libraries.

Note: After IRM is enabled for a list or library, each downloaded file is encrypted so that
only authorized users can view it.

The supported file types in SharePoint Online IRM include:

o Portable Document Format (PDF)

o Office file types

o Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint
o XPS

Client configuration
Several configuration options are available, depending on what clients you use:
Clients running Office 2016 or Office 2013. These versions of Office natively support Azure
Information Protection. Therefore, no client computer configuration is required to support the IRM
features for applications such as Word, Excel, PowerPoint, Outlook, and Outlook Web App.

Clients running Office 2010. Your users must have installed the Rights Management sharing
application for Windows.

All computers and mobile devices that support Azure Information Protection. The Rights
Management sharing application is required for client computers to use Azure Information Protection
with Office 2010, and it is recommended for all computers and mobile devices that support Azure
Information Protection. You can centrally roll out the application, or each user can download it
individually.

Additional Reading: For more information about downloading the mobile applications
and the application for the desktop client, refer to: Microsoft Rights Management at:
http://aka.ms/j19a1v

Super user accounts and the Rights Management connector


The super user account and the Rights Management connector are advanced configuration options that
allow you to:

Configure a super user account for Azure Information Protection. In certain instances, authorized
users need to access Azure Information Protection protected files. For these cases, you can configure
a super user account for your organization. The super users always have full owner rights, and they
are able to remove or change the protection that was previously applied. This ability, which is
sometimes referred to as reasoning over data, is a crucial element in maintaining control of your
organization's data. The following scenarios show why configuring super users might be necessary:

o An employee leaves the organization, and you need to read the files that he or she protected.

o You need to apply a new protection policy.

o Exchange Server needs to index mailboxes for search operations.

o You have existing IT services for DLP solutions, content encryption gateways, and antimalware
products that need to inspect files that are already protected.

o You need to decrypt files in bulk for auditing, legal, or other compliance reasons.

By default, the super user feature is not enabled, and no users are assigned this role.

If you need to manually enable the super user feature, use the Windows PowerShell cmdlet Enable-AadrmSuperUserFeature, and then assign users (or service accounts) as needed by using the Add-AadrmSuperUser cmdlet. Because a super user can decrypt everything that your tenant has ever protected, treat the super user list like a domain-administrator group: use dedicated accounts, require Multi-Factor Authentication for them, and review the list regularly.

Deploy the Azure Information Protection connector (only with Azure AD Premium). The Rights
Management connector allows you to quickly enable existing on-premises servers to use their IRM
functionality with the cloud-based Azure Information Protection service. This requires an Azure AD
Premium license.
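The super user feature and the logging described earlier in this topic ("Log and analyze Azure Information Protection usage") are best handled together: enabling a super user is the single most privileged change you can make to the service, so the change itself should be confirmed in the admin log. The following script is an added example (not from the course) covering both passages with the AADRM module. The service-account and group addresses and the output paths are placeholders; the assumption that Get-AadrmSuperUserFeature reports the string Enabled, and that admin-log entries mention SuperUser, is mine and should be checked against your own log output. In the successor AIPService module the cmdlets keep their names with "Aadrm" replaced by "AipService".

```powershell
# Added example (not from the course manual): enable the super user feature for a
# dedicated service account and confirm the change in the admin log. Addresses and
# paths are assumed placeholders; the log content matched below is an assumption.
Import-Module AADRM
Connect-AadrmService

# 1. Enable the feature only if it is off. By default it is disabled and has no members.
if ((Get-AadrmSuperUserFeature) -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# 2. Grant super user to a service account used by a DLP scanner, not to a person's
#    everyday account. The group variant is preferable when several accounts need it,
#    because group membership changes are then auditable in Azure AD.
Add-AadrmSuperUser -EmailAddress 'svc-dlp-scanner@contoso.com'
# Set-AadrmSuperUserGroup -GroupEmailAddress 'rms-superusers@contoso.com'

# 3. Review who holds the privilege right now.
Get-AadrmSuperUser
Get-AadrmSuperUserGroup

# 4. Pull the admin log for the last day and show the entries that touched super users.
$adminLog = Join-Path $env:TEMP 'AadrmAdminLog.log'
Get-AadrmAdminLog -Path $adminLog -FromTime (Get-Date).AddDays(-1) -ToTime (Get-Date)
Get-Content $adminLog | Select-String -Pattern 'SuperUser'

# 5. Usage logs (who protected or opened what) are downloaded as files into a folder;
#    this is the data source for the abuse monitoring and forensics mentioned above.
$usageDir = Join-Path $env:TEMP 'AadrmUsage'
New-Item -ItemType Directory -Path $usageDir -Force | Out-Null
Get-AadrmUsageLog -Path $usageDir -FromTime (Get-Date).AddDays(-1) -ToTime (Get-Date)
Get-ChildItem -Path $usageDir -Filter '*.log' | Select-Object Name, Length, LastWriteTime

Disconnect-AadrmService
```

When the scanner is decommissioned, remove the account with Remove-AadrmSuperUser and repeat step 4 so that the removal is also on record.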

Check Your Knowledge


Question

Which groups are available for custom Azure Information Protection templates?

Select the correct answer.

Viewer

Author

Reader

Blocker

Co-Author

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: To use Azure Information Protection between two organizations, a trust must be defined in a direct, point-to-point relationship.

Answer:

Lesson 3
Managing the compliance features in Office 365
In this lesson, you will learn how to configure the advanced security features in Office 365. You will learn
about retention tags, archive mailboxes, and DLP.

Lesson Objectives
After completing this lesson, you will be able to:

Configure archive mailboxes.

Configure retention tags and policies.

Configure document deletion policies in both SharePoint Online and OneDrive for Business.

Configure preservation policies.

Configure DLP policies for email.

Describe DLP policies for SharePoint Online content.

Configure Office 365 Advanced eDiscovery and compliance searching.

Configure audit reports.

Configuring archive mailboxes


Exchange Online Archiving is an Office 365, cloud-based, enterprise-class archiving solution for organizations that have deployed specific Office 365 plans. Exchange Online Archiving assists with archiving, compliance, regulatory, and eDiscovery challenges while helping to simplify the on-premises infrastructure, reduce costs, and ease IT burdens.

Online personal archiving is a service in Office 365 that provides an additional user mailbox for storing old messages, such as calendar items from two or more years ago, or sent items that are no longer important. The online archive mailbox looks just like an ordinary mailbox, and you can create folders in it, search it, and carry out the same administrative tasks as with a regular mailbox.

Online archiving applies only to certain plan levels in Office 365. The following plans have the service
integrated:

Office 365 Enterprise E3


Office 365 Enterprise E5

Office 365 Education E3

Office 365 Education E5

Office 365 Government G3

Office 365 Government G5

Exchange Online (Plan 2)



Online archiving is also available as an add-on with the following plans:

Exchange Online (Plan 1)

Exchange Online Kiosk

Office 365 Midsize Business

Office 365 Enterprise E1

Office 365 Enterprise K1

Office 365 Government G1

Office 365 Government K1


Office 365 Education E2

Note: Online archives can theoretically be of unlimited size but, in fact, have an initial fair
use quota of 160 gigabytes. You can raise this limit by calling support.

Enable an In-Place Archive


To enable an In-Place Archive for a user mailbox in the Security & Compliance Center, complete the
following steps:

1. In the Security & Compliance Center, navigate to Data management and then click Archive.

2. Click a mailbox to select it.


3. In the details pane, on the Archive page, click Enable.

4. In the warning message box, click yes.

5. In the In-Place Archive section, click View details. Note that until the user signs in and opens his or
her In-Place Archive, this section provides a warning message. Click OK, and then click cancel to close
the Archive Mailbox dialog box.

You can also enable archives in bulk by selecting multiple mailboxes, and then in the details pane, clicking
Enable.

To enable an In-Place Archive by using Windows PowerShell, type the following command, and then press
Enter:

Enable-Mailbox "User Name" -Archive

To enable an archive for all users who do not have one yet, type the following command, and then press Enter (-ResultSize Unlimited avoids the default cap of 1,000 results):

Get-Mailbox -ResultSize Unlimited -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"} | Enable-Mailbox -Archive

To check which mailboxes are enabled for archiving, type the following command, and then press Enter:

Get-Mailbox -Archive -ResultSize Unlimited



Disable an In-Place Archive


To disable an In-Place Archive, complete the following steps:

1. In the Security & Compliance Center, navigate to Data management and then click Archive.

2. Click a mailbox to select it.

3. In the details pane, on the Archive page, click Disable.

4. In the warning message box, click yes.

To disable an In-Place Archive by using Windows PowerShell, type the following command, and then press Enter:

Disable-Mailbox -Identity "User Name" -Archive

This command does not disable the mailbox; it disconnects only the archive.

To connect a disabled archive to a mailbox user, you must use Windows PowerShell and establish the GUID of the disconnected archive. To do so, type the following command, and then press Enter:

Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'

You then type the following command, replacing the GUID shown with the one resulting from the previous command:

Connect-Mailbox -Identity "8734c04e-981e-4ccf-a547-1c1ac7ebf3e2" -Archive -User "User Name"

Note: Get-MailboxDatabase and Connect-Mailbox are on-premises Exchange Server cmdlets and are not available in an Exchange Online session. In Exchange Online, a disabled archive is retained for 30 days and can be reconnected during that period by enabling the archive again on the same mailbox (Enable-Mailbox -Archive); after that it is permanently deleted.

After you enable an In-Place Archive, the user has several ways of moving messages to it:

Manually transferring messages by dragging them or using the Move command

Setting up Inbox rules to transfer messages

Configuring AutoArchive

Applying personal retention policies

Configuring retention tags and policies


A retention tag is the main component of messaging records management (MRM). MRM helps organizations to manage email lifecycles and to reduce the legal risks associated with email and other communications.

The following three types of retention tags apply to different levels:

Default Policy Tags (DPTs). Automatically apply to messages in an entire mailbox if no other policy tag applies.

Retention Policy Tags (RPTs). Automatically apply to the default folders, such as Inbox and Calendar.

Personal tags. Manually set to messages and folders through user assignment.

These retention tag types include some or all of the following elements:

A unique name.

A default folder (for RPTs).

A retention action. The available retention actions are:

o Delete and allow recovery.

o Permanently delete (do not allow user recovery).

o Move to archive (for archiving tags and not for RPTs).

A retention period, measured in days (with the option of Never for personal tags).
These retention tags are then linked in to a retention policy, and that policy is applied to mailboxes,
folders, and messages.

Office 365 includes the following predefined retention tags:


Personal: 1 month delete

Personal: 1 week delete

Personal: 1 year delete

Personal: 5 year delete

Personal: 6 month delete

Default: 2 year move to archive

Personal: Never delete

Personal: 1 year move to archive

Personal: 5 years move to archive


Personal: Never move to archive

If necessary, you can create additional retention tags to meet your organization's requirements and either add those tags to the default retention policy or create a new retention policy to hold them.

In their own mailbox settings, users can select which personal retention tags to apply from all the defined
retention policies.

A retention policy is a collection of retention tags that can consist of one or two DPTs, at most one RPT per default folder, and a virtually unlimited number of personal tags. The organization can apply the retention policy to user mailboxes, and users can select which personal tags to apply to folders and messages in their mailboxes.

Note: Users cannot see the retention policy names. They see only the retention tags within those policies. However, a mailbox can have only one retention policy applied.

A retention policy can have two DPTs, each with a different retention action, along with one RPT for each
default folder and virtually any number of personal tags.

The default MRM policy contains the following retention tags:

Default 2 year move to archive

Never Delete

5 Year Delete

1 Year Delete

6 Month Delete

1 Month Delete

1 Week Delete

Recoverable Items 14 days move to archive

Personal 1 year move to archive

Personal 5 year move to archive

Personal never move to archive


If these retention tags meet your organization's requirements for retaining and deleting messages, you do
not have to define any more retention tags or policies. Alternatively, you can create additional retention
tags and add them to the default MRM policy.

If your organization's requirements do not align with what the default MRM policy provides, you need to
define the retention tags and create a new retention policy that includes those tags together with any of
the existing retention tags.
Alternatively, you might have a situation where, for legal or regulatory reasons, individual employees or
entire departments have different retention needs. You can then create a new retention policy for those
employees, link the appropriate retention tags, and then apply the policy to those mailboxes.
To globally manage retention tags and policies across an organization, use Windows PowerShell to
connect to Exchange Online.

You configure a retention tag through the Security & Compliance Center or by using Windows PowerShell
commands while connected to Exchange Online.

To create a retention tag through the Security & Compliance Center, complete the following steps:

1. In the Security & Compliance Center, expand Data management click Retention and then click
Manage Retention tags for mailboxes.

2. In the Retention tags window, click new, which is the plus sign (+), and then select one of the
following:
o Applied automatically to an entire mailbox (default)

o Applied automatically to a default folder

o Applied by users to items or folders

3. What you see varies, according to the option you selected.

4. Set a name, configure the retention action and retention period, and then click Save to add the
retention tag to the list of default tags.

To create a retention tag by using Windows PowerShell, open a remote Windows PowerShell session to Exchange Online with administrative credentials (New-PSSession with the Microsoft.Exchange configuration followed by Import-PSSession, as shown earlier for the IRM configuration). Connect-MsolService connects to Azure AD only and does not expose the Exchange Online cmdlets. Then, in the Windows PowerShell window, type the following command, and then press Enter:

New-RetentionPolicyTag "Tag name" -Type <tagtype> -AgeLimitForRetention <days> -RetentionAction <specify retention action>
The new retention tag is visible in the Exchange admin center and can be added to retention policies.

Configure retention policies


Configuring retention policies is simply a matter of creating a new policy and then adding the tags you
want to that policy. You can complete this process by using the Security & Compliance Center or
Windows PowerShell.

To configure retention policies by using the Security & Compliance Center, complete the following steps:

1. In the Security & Compliance Center, expand Data management, click Retention, and then click
Manage Retention policies for mailboxes.

2. On the retention tags page, click new, which is the plus sign (+).

3. Type a name for the new policy.

4. Click new, which is the plus sign (+), and then select policy tags from those listed.

5. Click Save.
The equivalent Windows PowerShell cmdlet is New-RetentionPolicy, which uses the following syntax.

New-RetentionPolicy <name> -RetentionPolicyTagLinks <list of retention tags>

Assign retention policies to mailboxes


To apply a retention policy to a single mailbox or to multiple mailboxes, you can use the Security &
Compliance Center or Windows PowerShell. In the Security & Compliance Center, complete the following
steps:

1. In the Security & Compliance Center, expand Data management, click Retention, and then click
Assign retention policies for mailboxes.

2. In the list view, select the mailbox to which you want to apply the retention policy, and then click the
edit icon.

3. On the User Name page, click Mailbox features.

4. Under Retention policy, select the policy you want to apply to the mailbox, and then click Save.

For multiple recipients, use the following process:


1. In the list view, select multiple mailboxes.

2. In the details pane, click More options.

3. Under Retention Policy, click Update.

4. On the Bulk assign retention policy page, select the retention policy you want to apply to the
mailboxes, and then click Save.

To use Windows PowerShell to change the policy for one mailbox, type the following command, and then
press Enter:

Set-Mailbox "Mailbox Name" -RetentionPolicy "RetentionPolicyName"

To change policy for all mailboxes, type the following command, and then press Enter:

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicyName"

To change an old retention policy to a new one, type the following command, and then press Enter:

$OldPolicy = (Get-RetentionPolicy "Old-Retention-Policy").DistinguishedName
Get-Mailbox -Filter "RetentionPolicy -eq '$OldPolicy'" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"

To test whether a mailbox policy has been applied, type the following command, and then press Enter:

Get-Mailbox "Mailbox Name" | Select-Object RetentionPolicy
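The tag, policy and assignment commands in the preceding topics are fragments of one workflow. The following script is an added example (not from the course) that runs that workflow end to end for one department in an Exchange Online remote session: create the tags, link them into a policy, make sure each target mailbox has an In-Place Archive (the archive tags do nothing without one), assign the policy, trigger processing, and verify. The tag, policy and distribution group names are placeholders; the session uses the Basic-authentication endpoint the course uses, and with the current Exchange Online PowerShell module the first two lines would be replaced by Connect-ExchangeOnline.

```powershell
# Added example (not from the course manual): complete retention rollout for one
# department. Tag, policy and group names are assumed placeholders.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# 1. Tags. A policy may hold one archive DPT and one delete DPT, at most one RPT per
#    default folder, and any number of personal tags.
New-RetentionPolicyTag 'Finance-Archive-3y' -Type All       -AgeLimitForRetention 1095 -RetentionAction MoveToArchive          -Comment 'DPT: move to archive after 3 years'
New-RetentionPolicyTag 'Finance-Delete-7y'  -Type All       -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery -Comment 'DPT: delete after 7 years, recoverable'
New-RetentionPolicyTag 'Finance-Junk-30d'   -Type JunkEmail -AgeLimitForRetention 30   -RetentionAction PermanentlyDelete      -Comment 'RPT: purge Junk Email after 30 days'
New-RetentionPolicyTag 'Finance-Archive-1y' -Type Personal  -AgeLimitForRetention 365  -RetentionAction MoveToArchive          -Comment 'Personal: users apply to project folders'

# 2. Policy that links the tags.
New-RetentionPolicy 'Finance-Retention' -RetentionPolicyTagLinks 'Finance-Archive-3y','Finance-Delete-7y','Finance-Junk-30d','Finance-Archive-1y'

# 3. Assign it to every Finance user mailbox (members of an assumed distribution group),
#    skipping contacts and other non-mailbox recipients.
$members = Get-DistributionGroupMember -Identity 'Finance-Staff' -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }

foreach ($m in $members) {
    $mbx = Get-Mailbox -Identity $m.PrimarySmtpAddress
    # Archive tags require an In-Place Archive; enable one where it is missing.
    if ($mbx.ArchiveStatus -ne 'Active') {
        Enable-Mailbox -Identity $m.PrimarySmtpAddress -Archive | Out-Null
    }
    Set-Mailbox -Identity $m.PrimarySmtpAddress -RetentionPolicy 'Finance-Retention'
    # Process the mailbox now instead of waiting for the Managed Folder Assistant's
    # scheduled run; otherwise a check right after assignment shows no effect yet.
    Start-ManagedFolderAssistant -Identity $m.PrimarySmtpAddress
}

# 4. Verify. Any mailbox listed here did not receive the policy and needs a look.
$members | ForEach-Object { Get-Mailbox -Identity $_.PrimarySmtpAddress } |
    Where-Object { "$($_.RetentionPolicy)" -ne 'Finance-Retention' } |
    Select-Object DisplayName, RetentionPolicy, ArchiveStatus

Remove-PSSession $Session
```

Run step 4 again a day later: a mailbox on Litigation Hold or In-Place Hold keeps its items regardless of the delete tags, which is expected, but a mailbox that still shows the old policy was missed by the assignment loop.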

Configuring document deletion policies in SharePoint Online and OneDrive for Business

Because of compliance, legal, or other business requirements, you might be required to retain documents for a certain time frame. However, keeping documents longer than required can create unnecessary legal risks. With a document deletion policy, you can proactively reduce the risks by deleting documents from a site after a specific time frame has passed. With document deletion policies, you can:

Create and manage policies your site owners can choose from or opt out from altogether.

Enforce a single mandatory policy on all the sites in a site collection.

Provide a default policy with a default rule that automatically applies without any action required by site owners.

Create a policy that includes several deletion rules that a site owner can choose from.

Create a document deletion policy


To create a document deletion policy, complete the following steps:
1. In the Security & Compliance Center, in the navigation pane, select Data management, and then
click Retention. On the Retention page, in the Delete section, click Manage document deletion
policies for SharePoint Online and OneDrive for Business. The Document Deletion Policy Center
opens in a new browser tab.

2. The first time you navigate from the Security & Compliance Center to the Document Deletion Policy
Center, the policy center is automatically created for you. Alternatively, you can manually create the
policy center by creating the site collection and selecting Compliance Policy Center on the
Enterprise tab.

3. Select Deletion Policies.

4. Select a new item.

5. Type a policy name and description.

6. Select New, type a name, and then complete the following steps to create a rule:
a. Select either permanently delete or delete to the Recycle Bin. The Recycle Bin helps to provide
a second-stage safety net before an item is permanently deleted from a site.

b. Choose whether the deletion date is calculated from the date when a document was created or
when it was last modified.

c. Type a number of days, months, or years as the time frame after which a document will be
deleted.

d. Choose whether the rule is a default rule. The first rule that you create is automatically set as the
default rule. A default rule is automatically applied to all libraries in the sites that use the policy.

7. Click Save.

Assign a document deletion policy to a site collection template


To assign a document deletion policy to a site collection template, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Data management, and then
click Retention. On the Retention page, in the Delete section, click Manage document deletion
policies for sites. The Document Deletion Policy Center opens in a new browser tab.

2. Click Policy Assignments for Templates.

3. Select New Item.

4. Decide whether to assign the policy to a site collection template or to OneDrive for Business.

5. Click Save.
6. Select Manage Assigned Policies, and then select the policy you want to assign.

7. Click Save.

Note: If you want to enforce the policy with no option for site owners to opt out, select the
Mark Policy as Mandatory check box.

Assign a document deletion policy to a site collection


You can also assign a policy to a specific site collection by completing the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Data management, click
Retention, and then under Delete, click Manage document deletion policies for sites. The
Document Deletion Policy Center opens in a new browser tab.

2. Select Policy Assignments for Site collections.

3. Select New Item.


4. Select Choose a site collection. You can search for the site collection by name or by URL. After you
have found it, select the appropriate site collection, and then click Save.

Delete a document deletion policy from a site collection


If you want to remove a document deletion policy, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Data management, click
Retention, and then under Delete, click Manage document deletion policies for sites. The
Document Deletion Policy Center opens in a new browser tab.

2. Select either Policy Assignments for Site collections or Policy Assignments for Templates.

3. Select the assignment item you want to delete.

4. Select Delete.

5. Click OK.

Configuring preservation policies


Preservation policies help to keep the content you
need by preserving email and documents if they
are changed or deleted. Because of industry
regulations or internal policies, you might want to
preserve content for a certain time frame for your
organization.

You can preserve content in sites and mailboxes
indefinitely or for a specific duration with a
preservation policy in Office 365. To optimize the
results, you can filter the content by supplying
keywords or a date range to narrow the results.

Create a preservation policy


To create a preservation policy, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Data management, and then
click Retention.
2. On the Retention page, in the Preserve section, click New, which is the plus sign (+).

3. Type a name and description, and then click Next.

4. Select what you want to preserve: Mailbox, SharePoint Online, OneDrive for Business.

5. Click Next.

6. Select the mailboxes you want to preserve.

7. Click Next.

Note: An optional step is to type the keywords you want to search for in the What do you
want to look for? (optional) box.

8. Select a start and an end date.

9. Select the time frame for preservation.

10. See the overview, and choose whether you want the preservation policy on or off.

11. Click Finish.

Edit, disable, or delete a preservation policy


To edit, disable, or delete a preservation policy, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Data management, and then
click Retention.

2. Click the preservation policy window.


3. To edit, click Edit.

4. To delete, click the Recycle Bin.

5. To enable or disable the policy, click Status info.



Configuring DLP policies for email


You use DLP policies to help protect and manage
your organization's information across various
locations. For example, you can set up policies to
block access to content, automatically encrypt
documents, or notify users if content is saved to
the wrong location.

To help protect sensitive information and prevent
its inadvertent disclosure, you use DLP within
Office 365. Examples of sensitive information
include:

• Financial data

• Credit card information

• Personally identifiable information

• Social security numbers

• Health records

Sensitive information detection is a sophisticated process that relies on the following:

• Keywords

• Internal functions for checksum or composition validations

• Regular expressions to find patterns

• Other content examination

DLP policies help you to identify, monitor, and automatically protect sensitive information across Office
365. A DLP policy contains the location of the content to be protected, and these locations might include
Mailboxes, SharePoint Online, or OneDrive for Business. The DLP policy also contains the DLP rules, which
are built through conditions and actions.
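The three detection mechanisms listed above (keywords, checksum validation, and regular expressions) can be seen working together in the following added example. It is illustrative Python written for this manual, not Office 365's own DLP engine: the card pattern, the keyword list, the 300-character proximity window, and the confidence levels are assumptions chosen for the example, and the sample text is constructed.

```python
"""Added example: how DLP-style sensitive-information detection combines a
regular expression (candidate pattern), a checksum (Luhn composition check)
and supporting keywords found near the match. Illustrative code only; the
thresholds and keyword list are assumptions, not Office 365's real rules."""
import re
from dataclasses import dataclass

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Supporting keywords (assumed list) that raise confidence when found near a match.
CARD_KEYWORDS = ("card number", "credit card", "visa", "mastercard", "expiry", "cvv", "amex")

# Distance, in characters, within which a keyword counts as "near" the match (assumption).
KEYWORD_WINDOW = 300


def luhn_valid(digits: str) -> bool:
    """Composition check: the Luhn mod-10 checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Match:
    value: str          # matched text exactly as it appears in the content
    checksum_ok: bool   # passed the Luhn check
    keywords: list      # supporting keywords found within KEYWORD_WINDOW
    confidence: str     # "high", "medium" or "none"


def classify(checksum_ok: bool, keywords: list) -> str:
    """Pattern alone is never enough: confidence needs the checksum, and keywords raise it."""
    if checksum_ok and keywords:
        return "high"
    if checksum_ok:
        return "medium"
    return "none"


def find_card_numbers(text: str) -> list:
    """Return every candidate with its evidence, the way a sensitive information type
    evaluates a document: pattern first, then checksum, then nearby keywords."""
    lowered = text.lower()
    results = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        ok = luhn_valid(digits)
        start = max(0, m.start() - KEYWORD_WINDOW)
        end = min(len(text), m.end() + KEYWORD_WINDOW)
        window = lowered[start:end]
        kws = [k for k in CARD_KEYWORDS if k in window]
        results.append(Match(m.group(0), ok, kws, classify(ok, kws)))
    return results


def redact(text: str, min_confidence: str = "medium") -> str:
    """Action side of a DLP rule: mask every match at or above min_confidence,
    keeping only the last four digits so the owner can still recognise it."""
    rank = {"none": 0, "medium": 1, "high": 2}
    out = text
    for match in find_card_numbers(text):
        if rank[match.confidence] >= rank[min_confidence]:
            last4 = re.sub(r"\D", "", match.value)[-4:]
            out = out.replace(match.value, "****-****-****-" + last4)
    return out


# Constructed sample content: one valid test card number next to a sixteen-digit
# reference number that fails the checksum and therefore must not be flagged.
SAMPLE = """Hi, please charge my Visa card number 4111 1111 1111 1111, expiry 12/27.
Our internal order reference is 1234 5678 9012 3456 (not a card)."""

if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE):
        print(hit.value, hit.confidence, hit.keywords)
    print(redact(SAMPLE))
```

The second number on the sample text is surrounded by the same keywords as the first, which is why the checksum step matters: without it, every sixteen-digit order number in a document would trigger the policy and generate the false positives that the gradual roll-out advised later in this lesson is meant to surface.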

Create a DLP policy for emails


To create a DLP policy for emails, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Security policies, and then click
Data loss prevention.

2. On the Data loss prevention page, click go to the Exchange admin center.

3. A window with the DLP policies opens.

4. Select New, which is the plus sign (+).

5. Select among the following three options:

o New DLP policy from template

o Import DLP policy

o New custom DLP policy

6. Click New DLP policy from template.


7. Type a name and description for the policy.

8. Select one of the available DLP policies.

9. Click Save.

Create a custom DLP policy


To create a custom DLP policy, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Security policies, and then click
Data loss prevention.

2. On the Data loss prevention page, click go to the Exchange admin center.

3. A pop-up with the DLP policies opens.


4. Select New, which is the plus sign (+).

5. Click Custom DLP policy from template.

6. Type a name and description for the policy.

7. Select the state of the policy (enabled or disabled).

8. Choose a mode for the policy (Enforce, Test with policy tips, or Test without policy tips).

9. Click Save, and then wait for the policy to be created.


10. Click Edit, and then click Rules.

11. Click New, which is the plus sign (+).

12. Choose between a new rule and one of the predefined rules.
13. Click the settings you want.

14. Click Save.

View DLP policy detection reports


To view DLP policy detection reports, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, select Security policies, and then click
Data loss prevention.
2. On the Data loss prevention page, click go to the Exchange admin center.

A pop-up with the DLP policies opens.

3. Select Reports.

4. Open the report you want.



Creating DLP policies for SharePoint Online and OneDrive for Business
You use DLP policies to help protect and manage
your organization's information across various
locations. For example, you can set up policies to
block access to content, automatically encrypt
documents, or notify users if content is saved to
the wrong location.

To help protect sensitive information and prevent
its inadvertent disclosure, you use DLP within
Office 365. In this topic, you will create DLP
policies for SharePoint Online and OneDrive for
Business.

Create a DLP policy for SharePoint Online and OneDrive for Business
To create a DLP policy for SharePoint Online and OneDrive for Business, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Security policies, and then click
Data loss prevention.

2. Select New, which is the plus sign (+).

3. Choose among the following DLP policies:

o New custom policy. This option allows you to create a new custom DLP policy without any
predefined settings.

o Financial. This option helps to detect the presence of information commonly considered to be
financial data.

o Medical. This option helps to detect the presence of information commonly considered to be
related to health records.
o Privacy. This option helps to detect the presence of information commonly considered to be
personally identifiable information.

4. Click Next.

5. Select whether the policy applies to SharePoint Online, OneDrive for Business, or both. You can also
select specific site collections.

6. Click Next.
7. Click New, which is the plus sign (+).

8. Add conditions and actions for your policy.

9. Click Options to add the settings for an incident report. Add the severity level, with the available
range from Low to High, and whether to email the incident report to someone.

10. Click OK.

Note: Before you enforce DLP policies, you should consider rolling them out gradually to
assess their impact.

Edit or turn off a DLP policy


To edit or turn off a DLP policy, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, expand Security policies, and then click
Data loss prevention.

2. Click Edit to edit the policy, or click Delete to delete the policy.

Compliance search and Office 365 Advanced eDiscovery


Many organizations need to search content when
they perform compliance audits. As part of a DLP
strategy, you need a way to identify user data that
might violate the organization's compliance
policy.

So that you are not overwhelmed with results, you
can search for content that contains certain
keywords and then select conditions to further
scope the search query. For example, you can
search for keywords that exist in sent email
messages after a specific date, such as Sun AND
Seattle AND 2015. You can then export and
download the results for further analysis.

You can find all content and user activity by using Office 365 Advanced eDiscovery, whether that content
and activity exists in Exchange Online, SharePoint Online, or OneDrive for Business, which helps to provide
you with unified protection for your Office 365 organization.

Create a content search


1. In the Security & Compliance Center, in the navigation pane, select Search & investigation and then
click Content search.

2. Click New, which is the plus sign (+).

3. In the New search box, type a name to search for.

4. Select the mailboxes you want to search, or select all mailboxes.

5. Select the sites you want to search.

6. Click Next.

7. Type the keywords you want to search for, or leave it empty to search for all content.

8. Click Search.

After a search successfully runs, you can prepare the search results for further analysis with Office 365
Advanced eDiscovery. This allows you to analyze large, unstructured data sets and reduce the amount of
data that is relevant to a legal case. The Office 365 Advanced eDiscovery features include:

• Near-duplicate detection

• Email threading

• Predictive coding

• Themes

• Exporting data for review applications



Note: To analyze user data with Office 365 Advanced eDiscovery, the user must have an
Office 365 Enterprise E5 license assigned or the appropriate standalone license. Administrators
and compliance officers who are assigned to cases and use Office 365 Advanced eDiscovery to
analyze data do not need an Office 365 Enterprise E5 license.

Prepare search results for an Office 365 Advanced eDiscovery search


You can prepare the results of a compliance search listed on the Search page in the Security &
Compliance Center for a search that is associated with an Office 365 Advanced eDiscovery case. To
prepare search results for an Office 365 Advanced eDiscovery search, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, select Search & investigation.

2. Select Content search.

3. In the details pane, under Analyze, click Analyze with Equivio Analytics.

4. On the Prepare the search results page, choose if you want only indexed items or all document
versions and if you want a notification message sent to a user when the preparation is ready.
5. Click Start export with Equivio.

View the preparation status


1. In the Security & Compliance Center, in the navigation pane, select Search & investigation, and then
select Search.

2. In the details pane, under Analyze, click View analysis.

Add the search results to a case


After the preparation is finished, go to Office 365 Advanced eDiscovery, and then add the data from the
search to an Office 365 Advanced eDiscovery case:

1. In the Compliance Center, click eDiscovery, and then click Go to Equivio Analytics.
2. Navigate to the Cases page in Office 365 Advanced eDiscovery.

3. Select the case that you want to add the data to, and then click Go to case.

4. Navigate to the Process page, and then under Container, click the item that corresponds to the
results from your previous search. Note that the titles in the list match the names of searches from the
Security & Compliance Center.

5. Click Process to add the selected search results to the case database.

Configuring audit reports


You can use the auditing functionality to track
changes in Office 365. Microsoft or your
organization's administrators make changes, and
so do users who make changes to documents and
other items in the site collections of your
SharePoint Online organization. Mailbox audit
logging tracks changes made by administrators,
delegated users, and mailbox owners.

You can view audit reports and export the audit
logs. The following audit options are available:

• Auditing in Exchange Online

• Auditing in SharePoint Online

• Azure AD sign-in and audit reports

The Security & Compliance Center makes a unified audit log search available. The advantage of the audit
log search is that you can search the following activities in one place:
• User activity in SharePoint Online and OneDrive for Business:

  o File and folder activities

  o Sharing activities

  o Invitation and access request activities

  o Synchronization activities

  o Site administration activities

• User activity in Exchange Online:

  o Exchange mailbox audit logging

  o Exchange mailbox activities

• Admin activity in SharePoint Online

• Admin activity in Azure AD, the directory service for Office 365:

  o User administration activities

  o Group administration activities

  o Application administration activities

  o Role administration activities

  o Directory administration activities

• Admin activity in Exchange Online

Additional Reading: For more information, refer to: Search the audit log in the Office 365
Security & Compliance Center at: http://aka.ms/V27n6z

Audit log requirements


You must enable audit logging before you can start searching the Office 365 audit log. To enable audit
logging, click Start recording user and admin activity on the Audit log search page in the Security &
Compliance Center. This is a one-time process and might take a few hours to finish.

The Office 365 audit log records activities performed within the last 90 days. Note that after an event
occurs in Exchange Online, Azure AD, SharePoint Online, or OneDrive for Business, there might be some
delay for the corresponding audit log entry to be displayed. The Azure AD audit log contains user, group,
application, domain, and directory activities performed in the Office 365 admin center or in the Microsoft
Azure Management Portal. To run an audit log search, complete the following steps:

1. In the Security & Compliance Center, in the navigation pane, select Search & investigation.

2. Select the audit log search.

3. Select the activities you want to search.

4. Select the date range to search.

5. Optionally configure the users, files, folders, or sites you want to search.

View the search results


Your audit log search results are visible under Results on the Audit log search page. A maximum of the
most current 1,000 events are displayed.

Filter the search results


1. In the Security & Compliance Center, in the navigation pane, select Search & investigation, and then
click Audit log search.

2. Run an audit log search.

3. When the results display, click Filter results.

4. Adjust the filter to meet your needs.

5. To clear the filter, click Hide Filtering.

Export the search results to a file


To export the search results to a .csv file, complete the following steps:
1. In the Security & Compliance Center, in the navigation pane, select Search & investigation and then
click Audit log search.

2. Run an audit log search.

3. Click Export results.

4. Select either Save loaded results or Download all results.
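Once the results are in a .csv file, the standard library is enough to summarize them offline. The following added example is illustrative Python, not part of this course or of Office 365; the column layout (CreationDate, UserIds, Operations, and an AuditData column holding one JSON document per event) and the field names inside AuditData (ClientIP, SourceFileName, SiteUrl, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType) are assumptions based on the unified audit log schema, and every row, user, and address below is constructed.

```python
"""Added example: summarizing an audit log export from the Security & Compliance
Center. Column names and AuditData field names are assumptions (see lead-in);
the rows are constructed sample data, not a real tenant's log."""
import csv
import io
import json
from collections import Counter, defaultdict

# Constructed export. Each AuditData cell is a JSON document; the doubled quotes are CSV escaping.
SAMPLE_CSV = '''CreationDate,UserIds,Operations,AuditData
2016-03-07T09:12:41,holly@adatum.example,FileDownloaded,"{""Workload"":""SharePoint"",""ClientIP"":""198.51.100.23"",""SourceFileName"":""Budget.xlsx"",""SiteUrl"":""https://adatum.example/sites/finance/""}"
2016-03-07T09:14:02,holly@adatum.example,FileDownloaded,"{""Workload"":""SharePoint"",""ClientIP"":""198.51.100.23"",""SourceFileName"":""Forecast.xlsx"",""SiteUrl"":""https://adatum.example/sites/finance/""}"
2016-03-07T21:40:17,holly@adatum.example,FileDownloaded,"{""Workload"":""OneDrive"",""ClientIP"":""203.0.113.9"",""SourceFileName"":""Payroll.docx"",""SiteUrl"":""https://adatum-my.example/personal/holly/""}"
2016-03-07T10:02:55,admin@adatum.example,SharingSet,"{""Workload"":""SharePoint"",""ClientIP"":""198.51.100.5"",""ObjectId"":""https://adatum.example/sites/finance/Shared Documents/Budget.xlsx"",""TargetUserOrGroupName"":""partner@contoso.example"",""TargetUserOrGroupType"":""Guest""}"
2016-03-07T08:00:00,holly@adatum.example,UserLoggedIn,"{""Workload"":""AzureActiveDirectory"",""ClientIP"":""198.51.100.23""}"
'''


def load_events(csv_text: str) -> list:
    """Parse the export into plain dicts, decoding the nested AuditData JSON once."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"]) if row["AuditData"] else {}
        events.append({
            "time": row["CreationDate"],
            "user": row["UserIds"],
            "operation": row["Operations"],
            "data": data,
        })
    # The portal lists newest first; chronological order is easier to read.
    events.sort(key=lambda e: e["time"])
    return events


def filter_events(events: list, operation: str = None, user: str = None) -> list:
    """Same narrowing the Filter results button offers: by activity and/or by user."""
    return [e for e in events
            if (operation is None or e["operation"] == operation)
            and (user is None or e["user"] == user)]


def downloads_by_user(events: list) -> Counter:
    """How many files each user downloaded (SharePoint Online and OneDrive for Business)."""
    return Counter(e["user"] for e in events if e["operation"] == "FileDownloaded")


def client_ips_by_user(events: list) -> dict:
    """Distinct client IP addresses seen per user across all recorded activities."""
    ips = defaultdict(set)
    for e in events:
        ip = e["data"].get("ClientIP")
        if ip:
            ips[e["user"]].add(ip)
    return ips


def users_with_multiple_ips(events: list, threshold: int = 2) -> list:
    """Users active from at least `threshold` distinct addresses: worth a second look,
    not proof of anything, since travel, VPNs and mobile networks look the same."""
    return sorted(u for u, ips in client_ips_by_user(events).items() if len(ips) >= threshold)


def external_shares(events: list) -> list:
    """SharingSet events whose target is a guest: the sharing activities a compliance
    reviewer usually wants listed first, as (item, recipient) pairs."""
    return [(e["data"].get("ObjectId"), e["data"].get("TargetUserOrGroupName"))
            for e in events
            if e["operation"] == "SharingSet"
            and e["data"].get("TargetUserOrGroupType") == "Guest"]


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    print("downloads:", dict(downloads_by_user(evts)))
    print("multi-IP users:", users_with_multiple_ips(evts))
    print("guest shares:", external_shares(evts))
```

Because the Results pane shows at most the 1,000 most recent events, Download all results is the input to use for this kind of summary rather than Save loaded results; the script itself does not care how many rows the file contains.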



Check Your Knowledge


Question

Select the types of possible retention tag actions.

Select the correct answer.

• A unique name

• A delete action

• An allow recovery action

• A do not allow recovery action

• A create action

Verify the correctness of the statement by placing a mark in the column to the right.

Statement                                                                                    Answer

Preservation policies help to keep the content you need by preserving email and documents.

Lab: Configuring Rights Management and compliance


Scenario
The compliance and security groups at A. Datum Corporation have concerns with the implications of
moving internal services and content to a cloud-based solution, such as Office 365. To receive project
approval, you need to show how you can use the Rights Management and compliance features to address
these concerns.

Objectives
After completing this lab, you will be able to:

• Configure Rights Management in Office 365.

• Configure compliance features in Office 365.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual.
Use the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 75 Minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1

User name: Adatum\Administrator, Adatum\Holly


Password: Pa55w.rd

In all the tasks:

• Where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your
unique Office 365 name that is displayed in the online lab portal.

• Where you see references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your
unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines (use only the virtual machines required for your lab):

• LON-DC1

  o Sign in as Adatum\administrator with the password Pa55w.rd.

• LON-DS1

  o Sign in as Adatum\administrator with the password Pa55w.rd.

• LON-CL1

  o Sign in as Adatum\Holly by using the password Pa55w.rd.

Question: What is the best approach to protect organizational financial data?

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Retention policies are helpful for reducing space in your mailbox.



Module Review and Takeaways


Security, compliance, and governance are key elements of Office 365. With these Office 365 features, it is
possible to work within Office 365 in a security-enhanced and protection-enhanced way.

Best Practice
Security enhancement is a continuous process. Good planning and tenant preparation helps to secure the
environment for users.

Common Issues and Troubleshooting Tips


Common Issue Troubleshooting Tip

Encrypted content is not accessible.



Module 12
Monitoring and troubleshooting Office 365
Contents:
Module Overview 12-1

Lesson 1: Troubleshooting Office 365 12-2

Lesson 2: Monitoring Office 365 service health 12-12

Lab: Monitoring and troubleshooting Office 365 12-24

Module Review and Takeaways 12-25

Module Overview
As an administrator, you regularly need to monitor Microsoft Office 365 services and troubleshoot any
issues that result in service interruptions. In this module, you will learn about the different troubleshooting
and monitoring options that are available for Office 365.

Objectives
After completing this module, you will be able to:

• Troubleshoot Office 365 connectivity and service issues.

• Monitor Office 365 service health.



Lesson 1
Troubleshooting Office 365
You can use several tools to troubleshoot a cloud service. In this lesson, you will learn about some
common tools that you can use to troubleshoot Office 365. Additionally, you will learn about some self-
service tools that you can use to analyze Office 365 issues.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the Office 365 troubleshooting tools.

• Describe the Microsoft Remote Connectivity Analyzer.

• Describe the Microsoft Office 365 Support and Recovery Assistant tool.

• Explain how to use message tracking tools.

• Describe the hybrid environment free/busy troubleshooter.

• Describe the do-it-yourself troubleshooter.

Overview of Office 365 troubleshooting


You can use a range of tools and resources to
identify and isolate service interruptions.
Additionally, you can use these tools to help
troubleshoot issues in Office 365 and in related
services such as Microsoft Exchange Online, Skype
for Business Online, and Microsoft SharePoint
Online. These tools include connectivity analysis
tools and message tracking tools. You can check
network performance between your location and
Office 365 data centers by using the connectivity
analysis tools, and you can check the flow of emails
within Exchange Online by using the message
tracking tools.

Common issues with Office 365 relate to connectivity and network settings. Often, even though a service
is working, your users cannot connect to it; this might be because of changes to the firewall settings in
the on-premises environment. For such issues, Microsoft provides troubleshooting tools.

In the Office 365 admin center, in the navigation pane, you can find the following menu items that relate
to Office 365 troubleshooting and monitoring:

• Health:

  o Service Health

  o Message Center

  o Directory Sync Status

• Support:

  o Overview

  o Service Requests

• Reports:

  o Usage

  o Security and Compliance

• Settings:

  o Dirsync errors

• Admin centers

When you sign in to the Office 365 admin center, you get an overview of the tenant's service health. The
Service Health dashboard is divided by service. This allows you to see details about affected services.
Details include an overview of each service and the logs from the past 30 days. If your organization uses
an internal monitoring solution that can consume health status notifications via an RSS feed, then you also
can subscribe to the service health status via RSS.

Note: To administer Office 365 with a mobile device, Microsoft provides the Office 365
Admin app for Windows Phone 8 and later, which you can download from http://aka.ms/kiapdx

Microsoft Remote Connectivity Analyzer


Microsoft provides several tools that you can use
to analyze connectivity issues in Office 365
deployments. You can use the Microsoft Remote
Connectivity Analyzer, which is an online tool, to
run tests directly from the
http://testconnectivity.microsoft.com website. You
can also use the Microsoft Office 365 Support and
Recovery Assistant tool to run similar tests as the
Microsoft Remote Connectivity Analyzer, but these
tests run locally from a client computer.

The Microsoft Remote Connectivity Analyzer website provides a set of tools for identifying common
connectivity issues with Microsoft Exchange Server, Skype for Business, Microsoft Lync, and Office 365.
Not all tests in the Microsoft Remote Connectivity Analyzer are for Office 365 only; several tests are also
for on-premises systems. You can access several tests from the tabs in the Microsoft Remote Connectivity
Analyzer website.

Note: Not all occurrences of Lync in the Microsoft websites and tools have been replaced
by Skype for Business at the time of writing this module.

Tab                    Tests

Exchange Server        Microsoft Exchange ActiveSync Connectivity Tests:
                       o Exchange ActiveSync
                       o Exchange ActiveSync Autodiscover
                       Microsoft Exchange Web Services Connectivity Tests:
                       o Synchronization, Notification, Availability, and Automatic Replies
                       o Service Account Access (Developers)
                       Microsoft Office Outlook Connectivity Tests:
                       o Outlook Connectivity
                       o Outlook Autodiscover
                       Internet Email Tests:
                       o Inbound SMTP Email
                       o Outbound SMTP Email
                       o POP Email
                       o IMAP Email

Skype for              Microsoft Skype for Business Tests:
Business/Lync          o Skype for Business Server Remote Connectivity Test
                       o Skype for Business Autodiscover Web Service
                       Microsoft Lync Tests:
                       o Lync Server Remote Connectivity Test
                       o Lync Autodiscover Web Service Remote Connectivity Test
                       Microsoft Office Communications Server Tests:
                       o Office Communications Server Remote Connectivity Test

Office 365             This points to the Microsoft Office 365 Support and Recovery Assistant
                       tool, which is a new tool that users can run to fix common Office 365
                       problems. At the time of writing this module, the tool focused on
                       problems with Outlook. This includes all the tests from the Exchange
                       Server tab, in addition to the tests mentioned below:
                       Office 365 General Tests:
                       o Office 365 Exchange Domain Name Server (DNS) Connectivity Test
                       o Office 365 Lync Domain Name Server (DNS) Connectivity Test
                       o Office 365 Single Sign-On Test
                       Free/Busy Test:
                       o Free/Busy

Client                 This points to the Microsoft Office 365 Support and Recovery Assistant
                       tool, which is a new tool that users can run to fix common Office 365
                       problems. At the time of writing this module, the tool focused on
                       problems with Outlook. This tool checks for network connectivity from a
                       client to Office 365 services to identify issues that affect network
                       performance between client PCs and Office 365:
                       o Microsoft Office 365 Support and Recovery Assistant
                       o Microsoft Office 365 Client Performance Analyzer
                       o Microsoft Lync Connectivity Analyzer Tool

Message Analyzer       The Microsoft Message Analyzer strips down message headers and displays
                       the included values in a readable form. You can strip down an email's
                       message header by pasting the message header in the text box and
                       clicking Analyze headers.

After a test completes, the Microsoft Remote Connectivity Analyzer provides a detailed log on the test
steps that passed successfully and the steps that failed, followed by a suggested resolution. You can save
this log information to the Clipboard or to an XML or HTML file. For most tests, a Tell me more about
this issue and how to resolve it link is available that provides additional information, which might help
you fix the issue.

The Microsoft Office 365 Support and Recovery Assistant tool


The Microsoft Office 365 Support and Recovery
Assistant tool is a downloadable client app that you
can use to identify connectivity issues between
email clients and Exchange Server, and between
email clients and Office 365. Email users can use the
Microsoft Office 365 Support and Recovery
Assistant tool to identify common problems,
whereas administrators can use it to troubleshoot
Exchange Server and Office 365 deployments.

The Microsoft Office 365 Support and Recovery Assistant tool provides a wizard that presents a series of
questions that guide you into identifying the issue that you are experiencing, and then provides potential
solutions to your issue. At the time of writing this module, the tool helped troubleshoot issues related to:

• Office setup

• Outlook

• Outlook for Mac

• Mobile devices

• Outlook on the web



You can install the Microsoft Office 365 Support and Recovery Assistant tool from the Microsoft Remote
Connectivity Analyzer website at http://testconnectivity.microsoft.com. The prerequisites for the Microsoft
Office 365 Support and Recovery Assistant tool include:

• One of the following operating systems:

  o Windows 10

  o Windows 8

  o Windows 7

  o Windows Vista

  o Windows Server 2016

  o Windows Server 2012 R2

  o Windows Server 2012

  o Windows Server 2008 R2

  o Windows Server 2008

• Microsoft .NET Framework 4.5

• Lync (Skype for Business) diagnostics require the Unified Communications Managed API (UCMA) 4.0
runtime, which only runs on 64-bit operating systems.

• One of the following browsers:

  o Microsoft Edge

  o Internet Explorer

  o Google Chrome with ClickOnce for Google Chrome

  o Firefox with .NET Framework Assistant for Firefox

The Microsoft Office 365 Support and Recovery Assistant tool is similar to the Microsoft Remote
Connectivity Analyzer in that it provides a log with the test steps that passed successfully and the steps
that failed, and it then provides a Tell me more about this issue and how to resolve it link that makes
suggestions to help fix any reported issues. You can save the log as MCATestResults.html. The Microsoft
Office 365 Support and Recovery Assistant also provides a tool called Microsoft Office 365 Client
Performance Analyzer. By using this tool, you can diagnose network performance issues on the client side
that might prevent clients from using Office 365 services normally.

Message tracking tools


You can use several message tracking tools in the
Office 365 environment to diagnose email delivery
issues.

Message Analyzer
Email messages transmit between mail servers by
using Simple Mail Transfer Protocol (SMTP). SMTP
message headers contain information that records
the origins of a message and its path through one
or more SMTP servers to its destination. The
Message Analyzer feature can display the contents
of these headers and help diagnose any email
transfer issues. All Message Analyzer processing occurs in the browser, and no additional software is
necessary. You can use the Message Analyzer on any SMTP header, whether Exchange, Office 365, or any
other SMTP server or agent generates it.

After you receive a delivery failure message:

1. Note the reason for the failure, such as NonExistentDomain or 550 Requested action not taken:
mailbox unavailable.

2. Copy the message headers from the message.

3. Go to http://testconnectivity.microsoft.com, and then select the Message Analyzer tab.


4. Paste the message in the text box, and then click Analyze headers.

5. Diagnostic information and the time taken for the message to be rejected will display in the Message
Analyzer.
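The following added example shows what a header analyzer does with the Received: chain described above: it reads the hops in the order the message actually travelled, computes the delay each server added, and extracts the Message-ID without its angle brackets. It is illustrative Python written for this manual, not the Microsoft Message Analyzer; the header block is constructed, and every host name, IP address, and ID in it is made up.

```python
"""Added example: analysing the Received: headers of an SMTP message to see
where transit time was spent. Illustrative code, not the Microsoft Message
Analyzer. The header block is constructed; hosts, addresses and IDs are made up."""
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed sample headers. Each server prepends its own Received: line, so the
# top line is the last hop and the bottom line is the first.
SAMPLE_HEADERS = """\
Received: from mx3.example.net (mx3.example.net [203.0.113.30])
 by inbound.example.com with SMTP id abc123;
 Mon, 07 Mar 2016 10:05:30 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
 by mx3.example.net with ESMTP id def456;
 Mon, 07 Mar 2016 10:01:00 +0000
Received: from [192.0.2.15] (helo=laptop.corp.example.org)
 by relay.example.org with ESMTPSA id ghi789;
 Mon, 07 Mar 2016 10:00:55 +0000
Message-ID: <20160307100055.1234@laptop.corp.example.org>
From: sender@example.org
To: recipient@example.com
Subject: Quarterly figures
Date: Mon, 07 Mar 2016 10:00:50 +0000

"""


def parse_headers(raw: str):
    """Parse a pasted header block (everything up to the first blank line)."""
    return HeaderParser().parsestr(raw)


def received_hops(msg) -> list:
    """Return (from_host, by_host, timestamp) per hop in chronological order.
    The date stamp is the part after the last ';' in each Received: value."""
    hops = []
    for value in msg.get_all("Received", []):
        head, _, datepart = value.rpartition(";")
        stamp = parsedate_to_datetime(datepart.strip())
        tokens = head.split()          # folding whitespace is just whitespace here
        frm = tokens[tokens.index("from") + 1] if "from" in tokens else "?"
        by = tokens[tokens.index("by") + 1] if "by" in tokens else "?"
        hops.append((frm, by, stamp))
    hops.reverse()                     # newest header is first, so flip to travel order
    return hops


def hop_delays(hops: list) -> list:
    """Seconds each receiving server added, as (by_host, seconds). A negative value
    means the two servers' clocks disagree, not that the message went backwards."""
    return [(cur[1], int((cur[2] - prev[2]).total_seconds()))
            for prev, cur in zip(hops, hops[1:])]


def slowest_hop(hops: list):
    """The hop that contributed the most transit time, or None for a single hop."""
    delays = hop_delays(hops)
    return max(delays, key=lambda d: d[1]) if delays else None


def total_transit_seconds(hops: list) -> int:
    """First-hop to last-hop time, the figure a delivery-delay complaint is about."""
    return int((hops[-1][2] - hops[0][2]).total_seconds()) if len(hops) > 1 else 0


def message_id(msg) -> str:
    """The Message-ID as the sending system generated it, without the angle brackets."""
    return msg.get("Message-ID", "").strip().strip("<>")


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_HEADERS)
    hops = received_hops(parsed)
    for frm, by, stamp in hops:
        print(f"{stamp.isoformat()}  {frm} -> {by}")
    print("delays:", hop_delays(hops))
    print("slowest:", slowest_hop(hops), "total:", total_transit_seconds(hops), "s")
    print("message id:", message_id(parsed))
```

In the constructed sample almost all of the transit time sits on the last hop, which is the kind of finding that tells you which server's queue or connection to look at; the extracted Message-ID is the value you would then paste into a message trace to follow the same message on the Exchange Online side.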

Delivery reports
Delivery reports provide an alternative method for tracking email delivery. You can run them at the
Exchange Server or Office 365 level or within Outlook on the web to track personal messages.

Two kinds of delivery reports are available: the reports that are generated when you perform message
tracing with the Exchange Online message trace tool, and personal delivery reports.

The Exchange Online message trace tool in the Exchange admin center
To run the Exchange Online message trace tool from the Exchange admin center, perform the following
steps:

1. Select mail flow, and then click message trace.


2. In message trace, next to Sender, click add sender, and then select the users to trace.

3. Under Date range, select one of the time periods:

o Last 24 hours

o Last 48 hours

o Last 7 days

o Custom (select start and end date and time)

4. Under Delivery status, select one of following statuses or search for all:

o Delivered

o Failed

o Pending

o Expanded

o Unknown
5. Optionally, provide a Message ID to narrow the search based on a specific Internet message ID,
which is also known as the client ID. The sending mail system generates this ID, and it is in the header
of the message with the "Message-ID:" token. Specify the full message ID of the message, which
might include angle brackets (< >).

6. Click search.

7. Double-click any returned message to view the sender, recipient, message size, message ID, IP
address information, and delivery status. The Exchange Online message trace tool then displays a
series of events that are associated with the message; for example, RECEIVE, SUBMIT, and SEND for a
successful message, or RECEIVE, SUBMIT, and FAIL for a message that could not be delivered.
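The same trace can be run from Windows PowerShell, which is the practical route when you need the
failed messages for a group of users rather than one sender at a time. The following script is an added
example rather than part of the course material. It assumes that a remote Windows PowerShell session to
Exchange Online is already open; the sender addresses, the date range and the Message-ID value are
placeholders. Get-MessageTrace and Get-MessageTraceDetail correspond to the admin center message
trace and return only recent messages, so older mail requires a historical search instead.

```powershell
# Added example: message trace for a group of senders, failed messages only.
# Assumes a connected Exchange Online remote PowerShell session.
$senders   = 'holly@adatum.com', 'max@adatum.com'   # placeholder addresses
$startDate = (Get-Date).AddDays(-7)                 # same choices as the Date range list
$endDate   = Get-Date

# One row per message/recipient pair. -Status takes the same values as the admin center
# Delivery status filter (Delivered, Failed, Pending, Expanded, ...). -PageSize 5000 is the maximum.
$failed = Get-MessageTrace -SenderAddress $senders -StartDate $startDate -EndDate $endDate `
                           -Status Failed -PageSize 5000

# Which recipients (or remote domains) are failing most often?
$failed | Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Per-message events (RECEIVE, SUBMIT, FAIL, ...). The Detail field carries the reason text,
# for example the 550 response returned by the remote server.
$events = foreach ($msg in $failed) {
    Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId -RecipientAddress $msg.RecipientAddress |
        Select-Object @{n = 'Sender';    e = { $msg.SenderAddress }},
                      @{n = 'Recipient'; e = { $msg.RecipientAddress }},
                      Date, Event, Detail
}
$events | Where-Object { $_.Event -eq 'FAIL' } | Sort-Object Date | Format-Table -AutoSize

# Narrow the search to a single message by its Internet Message-ID header, angle brackets included
Get-MessageTrace -MessageId '<placeholder-id@adatum.com>' -StartDate $startDate -EndDate $endDate |
    Format-Table Received, SenderAddress, RecipientAddress, Status, FromIP, ToIP -AutoSize
```

Filtering the detail events on FAIL and sorting by date gives you, in one table, the answer to the
question of which remote systems are rejecting mail and why, which is usually faster than opening each
message in the admin center.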

Personal delivery reports in Outlook on the web


To run personal delivery reports in Outlook on the web, perform the following steps:

1. On the Settings menu, click Options.

2. On the Options page, click organize email, and then click delivery reports.
3. Provide the search criteria, and then click search.

4. Double-click a message to view the delivery report.

Note: At the time of writing this module, the Options menu for Outlook on the web was
changing. You might have to access the earlier version of the Options menu to view delivery
reports. To do this, on the Settings menu, under My app settings, click Mail. On the Options
page, click Other, and then click Go to earlier version.

Note: Personal delivery reports provide limited options when compared to Office 365
message trace delivery reports. For example, individual users cannot search all mailboxes; they
can only search for messages in their own mailbox.

Hybrid environment free/busy troubleshooter


The hybrid environment free/busy troubleshooter is a guided walk-through tool. It helps you
troubleshoot free/busy issues in a hybrid deployment of Exchange Online in Office 365 and
on-premises Exchange Server.

The troubleshooter also provides links to other tools that you can use to troubleshoot free/busy
issues, including the Microsoft Remote Connectivity Analyzer.

The troubleshooting website for a hybrid Exchange environment.

Additional Reading: To access the hybrid environment free/busy troubleshooter, go to:


http://aka.ms/wbpavu

Using the hybrid environment free/busy troubleshooter


The hybrid environment free/busy troubleshooter provides the following options as a starting point to
troubleshoot issues:

My Cloud user cannot see Free/busy for an on-premises user


My On-premises user cannot see Free/busy for a cloud user

I want to see some common tools for troubleshooting Free/busy issues

I want to better understand how Hybrid Free/Busy is supposed to work

After you select the appropriate option, the troubleshooter displays a series of items to check or test, along
with suggested solutions and relevant links if an item matches your situation.

Do-it-yourself troubleshooter
If something is not working correctly in an Office 365 environment, a good starting point is to use the
Office 365 troubleshooter, also known as the do-it-yourself troubleshooter, for initial diagnosis.

Note: To access the Office 365 do-it-yourself troubleshooter directly, go to:
https://diagnostics.outlook.com

To troubleshoot issues in Office 365 by using the do-it-yourself troubleshooter, perform the following
steps:

1. Select the service with which you are having issues, such as Exchange Online.

2. Select a service area, such as Mailboxes.

3. Select an issue, such as Add or remove a license.


4. The troubleshooter then provides a list of relevant support resources in the results list, such as:

o Assign or unassign licenses for Office 365 for business

o You receive a "One or more users need an assigned license in order to retain an Exchange
Online mailbox or archive" message on the Users page of the Office 365 portal

Note: Microsoft updates the troubleshooter periodically. Microsoft regularly adds new self-
service troubleshooting steps for services such as Office 365 Groups, Skype for Business, Microsoft
Office Delve, Microsoft Office Sway, and all other Office 365 services.

Check Your Knowledge


Question

Which of the following are options or tools that you can use for monitoring and troubleshooting
Office 365?

Select the correct answer.

Service Health

Protection Center

Service Requests

Notification Center

Alert Center

Question: Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

The Microsoft Office 365 Support and Recovery Assistant is a new tool that users can run to fix
common Outlook problems.

Lesson 2
Monitoring Office 365 service health
In Office 365, you can monitor service health by using tools such as the RSS feed and the Service Health
dashboard. These tools provide information about planned maintenance, service updates, and historical
data. In this lesson, you will learn how to use these tools to monitor service health.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the importance of service health information in the Office 365 dashboard.

Explain the purpose of Office 365 auditing reports.


Explain the purpose of Office 365 mail and protection reports.

Explain how to manage Exchange Online reports by using Windows PowerShell.

Describe how to open Office 365 service requests.

Explain how to monitor Office 365 with Microsoft System Center Operations Manager (Operations
Manager) and Microsoft Operations Management Suite.

Service health information in the Office 365 dashboard


The Health page of the Office 365 admin center provides information on the health of your online
services, and it provides access to information about any impending maintenance tasks that
Microsoft plans.

The Health page

On the main Office 365 Home page, in the Service health section, you can see an overview of the
current health of your online services. For detailed information, access the Service health page from
the navigation pane or by clicking View the service health on the Home dashboard.

One of the following statuses indicates an online service's health:

Normal service. This indicates that the service is available and suffered no incidents during the
reporting period. The icon for this status does not link to any additional information.

Extended recovery. This indicates that steps have completed to resolve the service incident. However,
it will take an extended period for service operations to return to normal. During this time, some
service behaviors might take longer than normal to complete.

Investigating. This indicates that a potential service incident is under investigation.

Service restored. This indicates that an incident was active earlier today, but the service was restored.

Service interruption. This indicates that the service is not functioning, and users cannot access the
service.

Additional information. This indicates that an incident was active during a previous day. The incident
might be resolved or it might still be active.

Service degradation. This indicates that the service is slow or is occasionally unresponsive for brief
periods.

PIR published. This indicates that a post-incident report (PIR) for the service incident has been
published.

Restoring service. This indicates that the service incident is being resolved.

Note: In the unlikely event that the Office 365 admin center is not available, there is a
separate link to the Service Health dashboard: http://aka.ms/vlkz7v
If the issue relates to Microsoft Azure Active Directory (Azure AD), for example sign-in issues,
refer to: http://aka.ms/kfxpxv

The table that you access from the Support page displays status information for the current day and the
previous six days. This table shows the status of each of the online service components, and you can click
the status icons for more information.

You can also click View history to see further historical service health data. On the history page, you can
see specific incidents that have occurred within the last 30 days and the categories they come under,
including Office 365 Portal, Identity Service, Skype for Business Online, and Exchange Online.

To see specific incident details, find the incident in the calendar, and then click it, which gives you
chronological data about the outage or issue and any resolution to the problem. If a post-incident report
has published, you can also download or view the report for more details.

Note: The Service health page only includes information about the health of your online
services; it does not cover other items, such as network infrastructure issues.

Planned maintenance
You can view information about any upcoming Office 365 maintenance tasks in the Support page. This
page displays the date and time of any planned maintenance, and you can click the link for each
maintenance task for more information.

RSS feeds
Office 365 also provides a link to an RSS feed for Office 365 service health. You can add the feed to your
Common RSS Feed List and view it in programs that use the Common RSS Feed List, such as
Microsoft Edge and Outlook. The feed updates each time a new incident event is added or an existing
incident event is updated.

Office 365 auditing reports


Several auditing reports are available on the
Reports page of the Office 365 admin center. The
first group of reports provides information on
Office 365 usage. You can see how many active
users you have, in addition to information about
the following:

Email activity

Microsoft OneDrive files storage

SharePoint files activity

Skype for Business activity

Office application activations

Yammer activity
The second group of reports is accessible from the Security and Compliance section. The following table
lists the auditing reports that you can generate.

Report Description

Mailbox access by non-owners This report returns a list of mailboxes that anyone other than
the owners of the mailboxes accessed. This report generates
from an audit log that logs information such as the person
who accesses the mailbox, when they accessed it, what actions
they performed, and whether their actions were successful or
not.

Role group changes This report returns a list of all the changes made to Office 365
role groups by administrators in your organization. This report
generates from an audit log that logs information about who
made the change, when they did it, and what the change was.

Mailbox content search and hold This report returns a list of all the mailboxes that were put on
hold or were removed from In-Place Hold or In-Place
eDiscovery. It contains additional information about who put
the mailbox on hold and when they did it.

Mailbox litigation holds This report returns a list of all changes made to per-mailbox
litigation holds. This report generates from an audit log that
logs information about who enabled or disabled litigation hold
on a mailbox and when they did it.

Azure AD reports These reports provide you with information about Azure AD
account behavior. You can see information about anomalous
activities, such as irregular sign-in activities and frequent sign-
ins from multiple locations. You can also see information such
as password reset activities and account-provisioning activities.

Enable mailbox audit logging


You have to enable mailbox audit logging for each mailbox on which you want to run a non-owner
mailbox access report. If mailbox audit logging is not enabled for a mailbox, you will not receive any
results when you run a report for it or when you export the mailbox audit log.

To enable mailbox audit logging for a single user's mailbox, perform the following steps:

1. Open the Windows PowerShell command-line interface, and then connect to Exchange Online.

2. At the command prompt, type the following command, and then press Enter:

Set-Mailbox user@domainname.com -AuditEnabled $true

To enable mailbox audit logging for all user mailboxes, perform the following steps:

1. Open Windows PowerShell, and then connect to Exchange Online.

2. At the command prompt, type the following command, and then press Enter. The -ResultSize
Unlimited parameter is needed because Get-Mailbox returns only the first 1,000 mailboxes by default,
which would silently leave the remaining mailboxes unaudited in a larger organization:

$UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

3. At the command prompt, type the following command, and then press Enter:

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Note: For more information on how to connect to Exchange Online by using remote
Windows PowerShell and how to enable mailbox auditing in Office 365, refer to: Enable mailbox
auditing in Office 365 at: http://aka.ms/kna8cb

Office 365 mail and protection reports


The Reports page of the previous Office 365 admin center provides access to several mail and
protection reports.

Mail reports
Several mail-related reports are available under the Mail section on the Reports page in the
previous Office 365 admin center. The following table lists some of these reports.

Report Description

Active and inactive mailboxes This report shows the number of active and inactive mailboxes
over a period. A mailbox is considered inactive if a user has not
accessed it for more than 30 days.

New and deleted mailboxes This report shows the number of active, new, and deleted
mailboxes.

New and deleted groups This report shows the number of created and deleted groups.

Report Description

Mailbox usage This report shows the total number of mailboxes, inactive
mailboxes, mailboxes that have exceeded their storage quota, and
mailboxes that are currently using less than a quarter of their
storage quota.

Types of mailbox connections This report shows the number of mailbox connections made over
time, which then group by connection type, such as Post Office
Protocol version 3 (POP3), Internet Message Access Protocol
(IMAP), and Outlook on the web.

All of these reports display as charts, and they provide links to view each chart as a table instead. Some of
the reports have clickable links that display the information on a daily, weekly, monthly, or yearly basis.

Note: At the time of writing this course, these reports are not available in the new Office
365 admin center, so you must use the previous admin center to access them.

Protection reports
Several protection-related reports are available under the Protection section on the Reports page in the
previous Office 365 admin center. The following table lists some of these reports.

Report Description

Top senders and recipients This report shows a list of top email users. You can view which users
are:
Top mail senders.
Top mail recipients.
Top spam recipients.
Top malware recipients.

Top malware for mail This report shows the number of malware detections in received
mail before the malware action applied. It also displays a list of top
malware recipients, showing each recipients email address and a
count of received malware.

Malware detections This report shows the number of malware detections in sent mail
before the malware action applied.

Spam detections This report shows the number of detected spam messages grouped
by spam filtering type, such as SMTP blocked, IP blocked, and
Content filtered. It also displays a list of top spam recipients,
showing each recipients email address and a count of received
spam emails.

Sent and received mail This report shows received mail grouped by the type of traffic, such
as Good mail, Malware detections, Spam detections, Rule messages.
Rule messages are received and sent messages that match at least
one transport rule or data loss prevention (DLP) policy.

All of these reports display as charts, and they provide links to view each chart as a table instead.
Additionally, they all have clickable links to enable the chart to display the information over seven-day,
14-day, 30-day, or custom date periods. All dates and times are in Coordinated Universal Time (UTC).

Downloading mail protection reports


On the Reports page of the Office 365 admin center, under Download your reports, there is a Mail
protection reports (Excel) link that enables you to download mail protection reports for Office 365. The
link opens a webpage in the Microsoft Download Center, from where you can download the Microsoft
Office 365 Excel Plugin for Exchange Online Reporting. The download is packaged as an .msi file, and you
can download 32-bit and 64-bit versions.

The download installs a Microsoft Excel 2013 reporting workbook that provides a comprehensive view of
the email protection information that is also available on the Reports page of the Office 365 admin
center.

To use the mail protection reports workbook for Office 365, perform the following steps:

1. On the desktop, double-click the Mail Protection Reports for Office 365 shortcut.

2. On the Microsoft Office Customization Installer page, click Install.

3. Select one of the worksheet tabs in the workbook, and then click the Query button in the worksheet.

4. Enter your Office 365 credentials, and then click Login.


5. In the Query dialog box, select a time interval, and then click OK.

6. On the Progress page, when it completes, click OK.

The workbook contains summary graphs for various types of email message filtering and includes
information about messages that were identified as good mail, spam, or malware. It also displays graphs
for messages that were identified by a transport rule or a DLP policy.

You also can use data slicers in Excel 2013 to perform deeper data analysis. If you notice specific trends or
unusual activities in the data, you can get more detailed information from the report by running queries
on the other tabs in the workbook and viewing more detailed information about the messages
themselves.

Note: The Mail Protection Reports for Office 365 Excel Plugin currently only works with
Excel 2013 and not with Excel 2016.

Managing Exchange Online reports by using Windows PowerShell


You can use several Windows PowerShell cmdlets for reporting purposes in Exchange Online.

Auditing cmdlets
You can use the following Windows PowerShell cmdlets to configure audit logging and to view audit logs.

Cmdlet Purpose

Search-AdminAuditLog Search the contents of the administrator audit log.

Write-AdminAuditLog Add comments to the administrator audit log.

Get-AdminAuditLogConfig View how administrator audit logging is currently configured.

New-AdminAuditLogSearch Search the contents of the administrator audit log and send the results to
the recipients that you specify.

Get-MailboxAuditBypassAssociation View the accounts that bypass mailbox audit logging.

Set-MailboxAuditBypassAssociation Specify accounts that bypass mailbox audit logging. For example, you
can specify service accounts that frequently access mailboxes to reduce the noise in mailbox audit logs.

Search-MailboxAuditLog Search the contents of the mailbox audit log.

New-MailboxAuditLogSearch Search the contents of the mailbox audit log and send the results to the
recipients that you specify.
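The following script ties the mailbox audit logging steps from earlier in this lesson to the auditing
cmdlets in the table above: it enables auditing where it is missing, records the non-owner actions that a
non-owner mailbox access report depends on, excludes a service account, and then searches both the
mailbox audit log and the administrator audit log. It is an added example rather than part of the course
material. It assumes a connected Exchange Online remote PowerShell session; the mailbox and service
account addresses and the 180-day retention period are placeholders.

```powershell
# Added example: enable mailbox auditing, trim noise, and search for non-owner access.
# Assumes a connected Exchange Online remote PowerShell session; addresses are placeholders.

# 1. Enable auditing on every user mailbox that does not have it yet. Retention (AuditLogAgeLimit)
#    defaults to 90 days; 180 days is the placeholder value here. -ResultSize Unlimited avoids the
#    1,000-mailbox default that would leave the rest unaudited.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00' }

# 2. Make sure the non-owner actions you care about are actually logged. Delegate and Admin
#    logon types are what a non-owner mailbox access report is built from.
Set-Mailbox -Identity 'ceo@adatum.com' `
    -AuditDelegate Update,SoftDelete,HardDelete,SendAs,SendOnBehalf,FolderBind `
    -AuditAdmin    Update,SoftDelete,HardDelete,SendAs,SendOnBehalf,FolderBind,MessageBind

# 3. Keep a known backup/service account out of the log so routine access does not drown real events.
#    Bypass associations are a deliberate blind spot, so review them periodically (step 4).
Set-MailboxAuditBypassAssociation -Identity 'svc-backup@adatum.com' -AuditBypassEnabled $true

# 4. Verify: which mailboxes are still unaudited, and which accounts bypass auditing?
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } | Select-Object DisplayName, PrimarySmtpAddress
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object Name, AuditBypassEnabled

# 5. Non-owner access to a sensitive mailbox in the last 14 days. -ShowDetails returns one row per
#    event (who, when, what, from which IP, in which folder) instead of a per-mailbox summary.
Search-MailboxAuditLog -Identity 'ceo@adatum.com' -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) -ResultSize 5000 |
    Sort-Object LastAccessed -Descending |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType, Operation, OperationResult,
                 ClientIPAddress, FolderPathName -AutoSize

# 6. Did anyone turn auditing off? Every administrator Set-Mailbox call is in the admin audit log.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters AuditEnabled,AuditBypassEnabled `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified,
        @{n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' }}
```

Step 6 is the check most people forget: an attacker or a careless administrator who disables auditing on a
mailbox leaves no trace in the mailbox audit log, but does leave one in the administrator audit log, so
the two logs should be reviewed together.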

Message tracking cmdlets


You can use the following Windows PowerShell cmdlets to track delivery information about messages that
any specific mailbox in your organization sends or receives.

Cmdlet Purpose

Get-MessageTrackingReport Return the data for a specific message tracking report. This cmdlet requires
you to specify the ID for the message tracking report that you want to view. Therefore, you first need to
use the Search-MessageTrackingReport cmdlet to find the message tracking report ID for a specific
message. You then pass the message tracking report ID from the output of the
Search-MessageTrackingReport cmdlet to the Get-MessageTrackingReport cmdlet.

Search-MessageTrackingReport Find the unique message tracking report based on provided search criteria.
You can then pass this message tracking report ID to the Get-MessageTrackingReport cmdlet to get the
full message tracking information.
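The two cmdlets are always used as a pair, which the following added example shows end to end. It is
not part of the course material. It assumes a connected Exchange Online remote PowerShell session; the
mailbox, recipient and subject values are placeholders. The -BypassDelegateChecking switch is what lets
an administrator or help desk user search a mailbox that is not their own.

```powershell
# Added example: delivery report for a message via Search-/Get-MessageTrackingReport.
# Assumes a connected Exchange Online remote PowerShell session; values below are placeholders.
$mailbox   = 'holly@adatum.com'        # mailbox whose sent mail is searched
$recipient = 'partner@contoso.com'     # recipient we want the path for

# Step 1: find the report ID(s). -Identity is the mailbox to search; the other parameters narrow the match.
$reports = Search-MessageTrackingReport -Identity $mailbox -Recipients $recipient `
    -Subject 'Quarterly figures' -BypassDelegateChecking -ResultSize 10

foreach ($report in $reports) {
    "Report {0}: '{1}' submitted {2}" -f $report.MessageTrackingReportId, $report.Subject, $report.SubmittedDateTime

    # Step 2a: Summary template, one row per recipient with its final status
    Get-MessageTrackingReport -Identity $report.MessageTrackingReportId -BypassDelegateChecking `
        -ReportTemplate Summary |
        Select-Object -ExpandProperty RecipientTrackingEvents |
        Format-Table RecipientAddress, Status, EventDescription, Date -AutoSize

    # Step 2b: RecipientPath template for one recipient, every hop in order, verbose detail
    Get-MessageTrackingReport -Identity $report.MessageTrackingReportId -BypassDelegateChecking `
        -ReportTemplate RecipientPath -RecipientPathFilter $recipient -DetailLevel Verbose |
        Select-Object -ExpandProperty RecipientTrackingEvents |
        Sort-Object Date |
        Format-Table Date, Server, EventType, EventDescription -AutoSize
}
```

The Summary template answers "did it get there?" for every recipient; the RecipientPath template answers
"where did it stop?" for one recipient, which is the view you want when a single external domain is
rejecting mail.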

General reporting cmdlets


You can use the following Windows PowerShell cmdlets for general reporting in Exchange Online.

Cmdlet Purpose

Get-FailedContentIndexDocuments View the list of documents in a mailbox that Exchange Search could not
index.

Get-LogonStatistics View information about open logon sessions to a specified mailbox, such as username,
logon time, and last access time. A user must sign out to close a logon session; therefore, multiple
sessions might appear for users who just close their browser.

Get-MailboxFolderStatistics View information about the folders in a specified mailbox, including the
number and size of items in the folder, the folder name and ID, and other information.

Get-MailboxStatistics View information about a specified mailbox, such as the size of the mailbox, the
number of messages it contains, and the last time that a user accessed it.

Get-RecipientStatisticsReport View information about the total number of recipients in your organization,
including the number of mailboxes, active mailboxes, contacts, and distribution groups.
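With these cmdlets you can reproduce the Active and inactive mailboxes and Mailbox usage reports from
the previous admin center in a form you can filter and export, which matters because the mail reports
are not available in the new admin center. The following script is an added example rather than part of
the course material. It assumes a connected Exchange Online remote PowerShell session; the mailbox
address is a placeholder, and "inactive" uses the same 30-day definition as the mail reports. The
ConvertTo-Bytes helper is defined here because Exchange returns sizes as strings such as
"1.5 GB (1,610,612,736 bytes)" rather than as numbers.

```powershell
# Added example: inactive mailboxes and quota usage from the general reporting cmdlets.
# Assumes a connected Exchange Online remote PowerShell session; the address below is a placeholder.

function ConvertTo-Bytes {
    # Exchange size strings look like "1.5 GB (1,610,612,736 bytes)" or "Unlimited"
    param([string]$Size)
    if ($Size -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return $null   # Unlimited, or no size available
}

$cutoff = (Get-Date).AddDays(-30)   # mail reports treat >30 days without access as inactive

$rows = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $stats      = Get-MailboxStatistics -Identity $_.Identity
    $bytes      = ConvertTo-Bytes $stats.TotalItemSize.ToString()
    $quotaBytes = ConvertTo-Bytes $_.ProhibitSendQuota.ToString()
    $pct        = if ($quotaBytes) { [math]::Round(100 * $bytes / $quotaBytes, 1) } else { $null }
    [pscustomobject]@{
        Mailbox     = $_.PrimarySmtpAddress
        LastLogon   = $stats.LastLogonTime
        Inactive    = (-not $stats.LastLogonTime) -or ($stats.LastLogonTime -lt $cutoff)
        Items       = $stats.ItemCount
        SizeGB      = [math]::Round($bytes / 1GB, 2)
        PercentUsed = $pct
    }
}

# Inactive mailboxes: license reclamation candidates, and worth a second look as dormant accounts
$rows | Where-Object { $_.Inactive } | Sort-Object LastLogon | Format-Table -AutoSize

# Mailboxes at or over 90 percent of their send quota, and the count using less than a quarter of it
$rows | Where-Object { $_.PercentUsed -ge 90 } | Sort-Object PercentUsed -Descending | Format-Table -AutoSize
($rows | Where-Object { $_.PercentUsed -ne $null -and $_.PercentUsed -lt 25 }).Count

# Largest folders in one mailbox, for the "where did the space go" question
Get-MailboxFolderStatistics -Identity 'holly@adatum.com' |
    Sort-Object { ConvertTo-Bytes $_.FolderSize.ToString() } -Descending |
    Select-Object -First 10 Name, ItemsInFolder, FolderSize

# Tenant-wide totals (mailboxes, active mailboxes, contacts, distribution groups)
Get-RecipientStatisticsReport
```

Get-MailboxStatistics is called once per mailbox, so expect the first part to take a while in a large
tenant; pipe $rows to Export-Csv if you want to keep the snapshot for comparison with a later run.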

Additional Reading: To view a list of all Exchange Online Protection cmdlets, refer to:
http://aka.ms/i09sv9

Office 365 service requests


Office 365 administrators can request technical assistance from the Office 365 support team by
submitting a service request online or by phone. Office 365 support is available 24 hours a day, seven
days a week.

To open a new service request, perform the following steps:

Note: To open a new service request, you must sign in to Office 365 as an administrator.

1. In the Office 365 admin center, in the navigation pane, click Support, and then click Service Requests.

2. Here, you can see your current service requests, and you can click the plus sign (+) above the list to
create a new service request. When you click to create a new service request, the Support Overview
page appears.

3. On the Support Overview page, select the topic for the service request. Find the common topics in
the Create a service request column. You can expand the list by clicking More at the end of the list.

4. Click the desired topic, for example, Mail.

Note: If you create a new service request about an issue that Microsoft is investigating
currently, you will see a corresponding note such as We're investigating a problem that may be
related to your issue. Go to Service health to see if this is the same problem your users are
having. If so, you may not need to create a service request, followed by the topic, for example,
Exchange - In extended recovery - EX41924. You then can decide if you still want to create a
new service request.

5. On the New service request page, under identify the issue, select the feature (for example, Mail
Flow), and the symptom (for example, I received a non-delivery report (NDR) for an email I sent).
Depending on the selections, the issue form expands and shows more text boxes. Fill out the text
boxes, and then click Next.

6. Click the Review suggestions links to view possible solutions for the specified problem. You should
read these before proceeding with the service request because the issue might be a common issue
that you can resolve without requesting additional support.

Note: If a service is unavailable, you should check the Service Health dashboard before
opening a new service request. If a service appears to be unavailable but there are no reports in
the Service Health dashboard, you should call the Office 365 support phone number for your
country or region.

7. On the Add details page, you then add further information to the service request, including a
summary, issue details, service availability, and the number of affected users. You can also attach
additional files to that service request. Include screenshots of any errors or other relevant documents
with the service request. Note that these files must be smaller than 5 megabytes (MB) each. Click
Next.

8. On the Confirm and submit page, check the email address and the phone number that the
Microsoft support team can use to contact you. Your data will already be filled out from your user
sign-in information. Correct the data if necessary. Click Submit request to submit the service request.
A reference number for the request is provided, and the new request will be listed in the service requests
list. Service requests pass directly to a support representative, who will respond with an email message.
The target initial response time for a new service request depends on both the severity level of the issue
and the Office 365 subscription type, as highlighted in the table below.

Microsoft assigns a severity level to a service request when it opens, based on the type of Office 365
subscription, an assessment of the issue type, and the customer impact. The three types of severity are:

Severity A (Critical). This is assigned when one or more services are not accessible or are unusable.

Severity B (High). This is assigned when the service is usable but in an impaired state.

Severity C (Non-critical). This is assigned when the issue is important but does not currently have a
significant impact on the service or productivity.

The following table shows the availability and response times for the three severity types, depending on
the Office 365 plans.

Severity A (Critical)
Office 365 for Enterprises and Government plans: available 24 hours a day, seven days a week*;
response time: one hour.
Office 365 Business and Education plans: available 24 hours a day, seven days a week*; response
time: one hour.

Severity B (High)
Office 365 for Enterprises and Government plans: available 24 hours a day, seven days a week*;
response time: next day.
Office 365 Business and Education plans: available during business hours; response time: no
commitment.

Severity C (Non-critical)
Office 365 for Enterprises and Government plans: available 24 hours a day, seven days a week*;
response time: no commitment.
Office 365 Business and Education plans: available during business hours; response time: no
commitment.

* Office 365 support teams take calls and service requests 24 hours a day, seven days a week. This service
depends on the region and is available in most countries/regions.

Elevated support provides additional support options and service level agreements (SLAs) over the
standard Office 365 support. Elevated support can include service update management, end-to-end
support for clients and services, reactive and advisory services from advanced engineers, incident
management, and on-site workshops that Microsoft Premier Support Services or Microsoft partners
provide.

Additional Reading: For more information, refer to: Additional support options at:
http://aka.ms/pfvct8

After you submit a service request, any further actions that the support representatives require, such as
requests for additional information, display as Action required in the list of open requests on the Service
requests page. It is important to close the request when an issue is resolved or assistance is no longer
necessary.

Monitoring Office 365 with Operations Manager and Operations Management Suite
You can use Operations Manager for basic monitoring of Office 365 services, including checking Internet
connectivity and service availability. The Operations Manager management pack for Office 365 provides
monitoring functionality for all versions of Operations Manager starting with System Center 2012
Operations Manager.

You must import the Office 365 management pack for Operations Manager into System Center. After you
add an Office 365 subscription, the management pack offers monitoring for services such as:

Subscription health

Service status

Active and resolved incidents


Message Center

Alerts

Additional Reading: For more information on how to obtain and set up this management
pack, refer to: System Center Management Pack for Office 365 at: http://aka.ms/it7q1b

As an alternative to using Operations Manager to monitor Office 365, you can use Microsoft Operations
Management Suite. This cloud-based service enables you to use the Office 365 Analytics solution to gain
insight into the activities on your Office 365 tenant. You can connect multiple Office 365 tenants to a
single Operations Management Suite workspace. At the time of writing this course, Office 365 Analytics is
still in the preview phase. It provides the following functionalities:

SharePoint monitoring. You can see details of operations such as file downloads, access requests, and
group addition operations performed on a SharePoint instance.
Exchange monitoring. You can see all the activities performed on Exchange Online. This is presented
as a list of executed Windows PowerShell commands, in addition to information about the user who
executed these commands.
Azure AD monitoring. You can see information about changes and other activities performed on the user
and group objects within the Azure AD tenant.

Check Your Knowledge


Question

A service in the Service Health dashboard can have which of following statuses?

Select the correct answer.

Normal service

Service anomaly

Extended recovery

Investigating

Operations aborted

Check Your Knowledge


Question

How can you open a service request in Office 365?

Select the correct answer.

Via Skype for Business

Via email

Via phone

Via the Office 365 admin center

Via the Office 365 App launcher



Lab: Monitoring and troubleshooting Office 365


Scenario
A. Datum Corporation's Office 365 deployment is almost complete. As the team enters the final phase of
this project, you need to set up a suitable monitoring environment to track the status of Office 365 and to
ensure that the help desk and IT management can respond to any reported issues. Additionally, you need
to learn how to monitor and troubleshoot Office 365 issues so that you can train the support staff in these
areas.

Objectives
After completing this lab, you will be able to:

Analyze mail flow.

View Office 365 reports.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this manual. Use
the lab steps provided by the hosting partner when completing the labs in this course.

Lab Setup
Estimated Time: 30 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, and 20347A-LON-CL1


User name: Adatum\administrator, Adatum\Holly

Password: Pa55w.rd

In all of the tasks:


Where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your
unique Office 365 name that displays in the online lab portal.

Where you see references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your
unique hostdomain.com name that displays in the online lab portal.

This lab requires the following virtual machines:

LON-DC1

o Sign in as Adatum\administrator with the password Pa55w.rd.

LON-DS1

o Sign in as Adatum\administrator with the password Pa55w.rd.

LON-CL1

o Sign in as Adatum\Holly by using the password Pa55w.rd.

Question: How would you view all the failed messages for a group of users?
Question: What is the first tool you will use to search for service incidents and failures?

Module Review and Takeaways


Review Question

Question: Describe how supporting on-premises systems differs from supporting Office 365.

Best Practice
Many tools are available to help troubleshoot issues in Office 365. As a starting point, you can use the
Office 365 do-it-yourself troubleshooter for an initial diagnosis.

Common Issues and Troubleshooting Tips


Common Issue | Troubleshooting Tip

Outlook client connectivity issues |

Unable to connect to the Skype for Business client |

Module 13
Planning and configuring identity federation
Contents:
Module Overview 13-1

Lesson 1: Understanding identity federation 13-2

Lesson 2: Planning an AD FS deployment 13-11

Lesson 3: Deploy AD FS for identity federation with Office 365 13-26

Lab: Planning and configuring identity federation 13-44

Module Overview
In this module, you will learn how to plan and configure identity federation. While there are multiple
identity models for Office 365, Active Directory Federation Services (AD FS) provides identity federation
between on-premises Active Directory Domain Services (AD DS) and Microsoft Azure Active Directory
(Azure AD). This module enables multiple features with the cloud provider, including single sign-on (SSO)
with Office 365.

Objectives
After completing this module, you should be able to:

Describe how identity federation works, and how you can use AD FS to implement identity federation.

Plan an AD FS deployment to support identity federation with Office 365.

Deploy AD FS for identity federation with Office 365.

Describe hybrid solutions for Microsoft Exchange Server, Microsoft Skype for Business Server, and
Microsoft SharePoint Server.

Lesson 1
Understanding identity federation
Before you begin designing your AD FS deployment, you must understand how identity federation works,
and the advantages this identity model provides you. You will learn the core components, the various
topologies, and how you can use AD FS to implement authentication, using federated identities, in
Office 365.

Lesson Objectives
After completing this lesson, you should be able to:

Describe the concepts of claims-based authentication and federated trusts.

Describe the underlying technologies: Security Assertion Markup Language (SAML) tokens and the
security token service.

Describe AD FS, and how you can use it to implement identity federation.

Describe how SSO works with Office 365 web clients, Microsoft Outlook, and Skype for Business.

Compare identity federation, directory synchronization, and password synchronization, and explain
why an organization would choose one option over another.

Claims-based authentication
When you consider identities such as Integrated Windows authentication, Kerberos authentication, or
NT LAN Manager (NTLM), you most likely think about Microsoft Windows user accounts and groups. When
you consider identities in Active Server Pages (ASP), such as the ASP.NET membership and roles provider,
you probably think about user names, passwords, and roles. When you consider what the different
authentication mechanisms have in common, you can abstract the individual elements of identity and
access control into two parts: a single, general notion of claims, and the concept of an issuer or an
authority.
A claim is a statement that one subject makes about itself or another subject. For example, the statement
can be about a name, identity, key, group, privilege, or capability. Claims are issued by a provider, are
given one or more values, and then packaged in security tokens that are issued by an issuer, commonly
known as a security token service (STS). You can think of a security token as an envelope that contains
claims about a user.

Additional Reading: For a full list of definitions of terms associated with claims-based
identity, refer to: Claims-based identity term definitions at: http://aka.ms/wnc2ys

Thinking in terms of claims and issuers is a powerful abstraction that supports new ways of securing your
applications. Because claims involve an explicit trust relationship with an issuer, your application believes a
claim about the current user only if it trusts the entity that issued the claim. Trust is explicit in the
claims-based approach, not implicit as in other authentication and authorization approaches with which
you might be familiar. The following table shows the relationships between security tokens, claims, and
issuers.

Security token | Claims | Issuer

Windows token (for example, a security identifier, or SID) | Username and groups | AD DS

Username token | Username | Application

Certificate | A certificate thumbprint, a subject, or a distinguished name | Certification authorities (for example, the root authority, and all authorities in the chain to the root)

The claims-based approach to identity makes it easier for users to sign in using Kerberos authentication
where it makes sense. However, it is just as easy for them to use one or more (perhaps more
Internet-friendly) authentication techniques, without you having to recode, recompile, or even reconfigure your
applications. You can support almost any authentication technique. Some of the more popular
authentication techniques are Kerberos authentication, forms authentication, X.509 certificates, smart
cards, and other information-type cards.

Here are a few situations in which claims-based identity might be the right choice for you. You might
have web-facing applications that are used by people who do not have accounts in your Active Directory
domain. Another reason might be that your company has merged with another company and you are
having trouble authenticating across two AD DS forests that do not have a trust relationship. Perhaps you
want to share identities with another company that has non-.NET Framework applications or you need to
share identities between applications running on different platforms. Another situation might be an
application that needs to send email to the authenticating user or an email to their manager.

Claims-based identity allows you to factor out the authentication logic from individual applications.
Instead of the application determining who the user is, it receives claims that identify the user.

Federated trusts
At this point, you have learned about claims-based identity where the issuer directly authenticates the
users to a claims-based application. However, you can take this one step further. You can expand your
issuer's capabilities to accept a security token from another issuer, instead of requiring the user to
authenticate directly. Your issuer would issue security tokens and accept security tokens from other issuers
that it trusts. This enables you to federate identity with other realms, which are separate security domains.

Benefits of federated trusts


Maintaining an identity database for users can require a lot of support. Even something as simple as a
database containing usernames and passwords can be difficult to manage. Users might forget their
passwords on a regular basis, and your company's security policies might not allow you to email forgotten
passwords to them. If maintaining an identity database for users inside your enterprise is difficult, imagine
the complexity of doing this for hundreds or even thousands of remote users.

Managing a role database for remote users is just as difficult. Imagine Alice, who works for a partner
company and uses your purchasing application. On the day that your information technology (IT) staff
provisioned her account, she worked in the purchasing department, so the IT staff assigned her the role of
Purchaser, which granted her permission to use the application. However, because she works for a
different company, how will your company be able to find out if she transfers to the Sales department? In
addition, what will happen if she quits employment with the partner company? In both cases, you would
want to know about her change of status, but it is unlikely that anyone in the human resources
department at her company will notify you. Any data that you store about a remote user will eventually
become outdated. Therefore, how can you safely expose an application for a partner business to use?

Another feature of claims-based identity is that you can decentralize it. Instead of having your issuer
authenticate remote users directly, you can set up a trust relationship with an issuer from a separate
company. This means that your issuer will trust their issuer to authenticate users in their realm. Therefore,
their employees would not require additional credentials to use your application. Instead, they would
continue using the same SSO mechanism they have always used in their company. In addition, your
application still works because it continues to receive the same security token it needs. Moreover, the
claims that you receive in your security token for these remote users might include their role with the
company. This is because they are not employees of your company, but your issuer is responsible for
determining the proper assignments based on their role.

Finally, your application does not need to change when a new organization becomes a partner. The ratio
of issuers to applications is a benefit of using claims: you reconfigure one issuer and many downstream
applications become accessible to many new users. Another benefit is that claims allow you to store data
about users logically. Data can be kept in the store that is authoritative rather than in a store that is more
convenient to use or easily accessible. This allows you to grant access to users from other organizations
without creating a user account in your environment. Once your company decides which realms should
be allowed access to your claims-based application, your IT staff can set up the proper trust relationships.

How federated identity works


Federating identity across realms is similar to the previous authentication techniques, with the addition of
an initial handshake in the partner's realm. For example, the following process describes what happens
when a user from A. Datum accesses an application in the Contoso organization.

1. The user starts by authenticating to the A. Datum federation server.

2. The A. Datum federation server issues the user a security token.

3. The security token is then presented to the Contoso federation server. Since a federated trust is
configured between the two organizations, the Contoso federation server accepts the token in lieu of
authenticating the user directly.

4. The Contoso federation server then issues a security token to the user.

5. Finally, the user sends the security token to the Contoso application.

Note: Users are not actively aware of this process in most scenarios; the Internet browser
or smart client does this in the background on their behalf.

Because of the federated trust, your application only accepts security tokens that are signed by the issuer
that it trusts. Remote users cannot receive access if they try to send a token from their local issuer directly
to your application.
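A simplified model of steps 1 to 5 and of the rule just stated, added here as an example and not part of the course: HMAC-SHA256 over constructed shared secrets stands in for the X.509 token-signing certificates a real federation server uses, and the issuer names, audiences and claims are constructed.

```powershell
# Added example (not course material): a minimal model of a federated trust.
# Each issuer signs its tokens with its own secret; real issuers sign with certificates.

function Get-TokenSignature([byte[]]$Key, [string]$Payload) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    try {
        $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Payload))
        return ([BitConverter]::ToString($hash)).Replace('-', '')
    }
    finally { $hmac.Dispose() }
}

# A security token is an envelope of claims, stamped with issuer and audience, then signed.
# (Claim values must not contain '|', ';' or '=' in this simplified encoding.)
function New-SecurityToken([string]$Issuer, [byte[]]$IssuerKey, [string]$Audience, [hashtable]$Claims) {
    $claimText = ($Claims.GetEnumerator() | Sort-Object Key |
        ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join ';'
    $payload = 'iss={0}|aud={1}|{2}' -f $Issuer, $Audience, $claimText
    [pscustomobject]@{ Payload = $payload; Signature = Get-TokenSignature $IssuerKey $payload }
}

# Validate a token the way a relying party does: the issuer must be in its trust list, the
# signature must verify under that issuer's key, and the token must be meant for this audience.
# Returns the claims as a hashtable, or $null when the token is refused.
function Test-SecurityToken($Token, [hashtable]$TrustedIssuers, [string]$ExpectedAudience) {
    $fields = @{}
    foreach ($part in ($Token.Payload -split '[|;]')) {
        $name, $value = ($part -split '=', 2)
        $fields[$name] = $value
    }
    if (-not $TrustedIssuers.ContainsKey($fields['iss'])) { return $null }  # unknown issuer
    $expected = Get-TokenSignature $TrustedIssuers[$fields['iss']] $Token.Payload
    if ($expected -ne $Token.Signature) { return $null }                     # tampered or forged
    if ($fields['aud'] -ne $ExpectedAudience) { return $null }               # issued for someone else
    return $fields
}

# Constructed secrets standing in for each organization's token-signing certificate.
$AdatumKey  = [Text.Encoding]::UTF8.GetBytes('constructed-adatum-signing-secret')
$ContosoKey = [Text.Encoding]::UTF8.GetBytes('constructed-contoso-signing-secret')

# The Contoso application trusts only the Contoso federation server. The Contoso federation
# server additionally trusts the A. Datum federation server: that is the federated trust.
$AppTrust     = @{ 'sts.contoso.com' = $ContosoKey }
$ContosoTrust = @{ 'sts.contoso.com' = $ContosoKey; 'sts.adatum.com' = $AdatumKey }

function Invoke-FederatedAccess([string]$Upn) {
    # Steps 1-2: the user authenticates to the A. Datum federation server, which issues a token for Contoso.
    $adatumToken = New-SecurityToken 'sts.adatum.com' $AdatumKey 'sts.contoso.com' @{ upn = $Upn; role = 'Purchaser' }
    # Step 3: the Contoso federation server accepts it in lieu of authenticating the user itself.
    $inbound = Test-SecurityToken $adatumToken $ContosoTrust 'sts.contoso.com'
    if ($null -eq $inbound) { return 'rejected by Contoso federation server' }
    # Step 4: the Contoso federation server issues its own token, scoped to the application.
    $contosoToken = New-SecurityToken 'sts.contoso.com' $ContosoKey 'purchasing.contoso.com' @{ upn = $inbound['upn']; role = $inbound['role'] }
    # Step 5: the user presents that token to the application, which checks it against its own trust list.
    $claims = Test-SecurityToken $contosoToken $AppTrust 'purchasing.contoso.com'
    if ($null -eq $claims) { return 'rejected by application' }
    return ('access granted to {0} as {1}' -f $claims['upn'], $claims['role'])
}

# A remote user who sends the A. Datum token straight to the application is refused,
# because the application never trusted that issuer.
function Invoke-DirectAccess([string]$Upn) {
    $adatumToken = New-SecurityToken 'sts.adatum.com' $AdatumKey 'purchasing.contoso.com' @{ upn = $Upn; role = 'Purchaser' }
    $claims = Test-SecurityToken $adatumToken $AppTrust 'purchasing.contoso.com'
    if ($null -eq $claims) { return 'rejected by application' }
    return 'access granted'
}

Invoke-FederatedAccess 'alice@adatum.com'
Invoke-DirectAccess    'alice@adatum.com'
```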

Service providers
According to the Organization for the Advancement of Structured Information Standards (OASIS) (the
organization that created SAML), a service provider is defined as a role donned by a system entity where
the system entity provides services to principals or other system entities. In essence, a service provider is
an entity that provides web services. Examples of service providers include ASPs, Storage Service Providers,
and Internet service providers (ISPs).

Identity providers
According to the OASIS, an Identity Provider (IdP) is defined as a kind of provider that creates, maintains,
and manages identity information for principals and provides principal authentication to other service
providers within a federation, such as with web browser profiles. An IdP is sometimes called an identity
service provider or identity assertion provider. In essence, an IdP is an online service or website that
authenticates users on the Internet by means of security tokens, one of which is SAML 2.0.

Service provider vs. IdP


There is an overlap when it comes to defining service providers and IdPs. A service provider relies on a
trusted IdP for authentication and authorization. In SAML, the XML standard for exchanging data, the
security domains between which information is passed are a service provider and an IdP. SAML's service
provider depends on receiving assertions from a SAML authority or asserting party, known as a SAML IdP.
In the Web services federation (WS-Federation) model, an IdP is an STS, and a federation is an association
comprising any number of service providers and IdPs. Service providers depend on an IdP, or an STS, to
do the user authentication. Open Authorization (OAuth) is an important protocol for IdP services as most
major web services also are identity providers, mainly through the use of OAuth. These web services
include Google, Facebook, Yahoo, AOL, Microsoft, PayPal, MySpace, and Flickr, among many more.
Furthermore, all major email providers offer OAuth IdP services.
In simple terms, as it relates to Identity Management, an IdP can be described as a service provider for
storing identity profiles and offering incentives to other service providers with the aim of federating user
identities.

Note: IdPs also can provide services beyond those related to the storage of identity
profiles.

What is AD FS?
Active Directory Federation Services (AD FS) provides the infrastructure that enables a user to authenticate
in one network and use a secure service or application in another. With Office 365, AD FS enables users to
authenticate through their on-premises AD DS, and then use an account in Office 365 without requiring any
further authentication prompts. AD FS also provides SSO for users accessing Office 365 or another service,
with the same account that they sign in to their workstation. This requirement for matching on-premises
identities with remote service accounts is why an Office 365 SSO solution requires both AD FS and
directory synchronization. When you implement AD FS, all password management and password policies
are maintained by your on-premises AD DS.

How AD FS works
In the WS-Federation model, a service provider (also known as a relying party) is a partner in a federation
that creates security tokens for users. The term arose because the application relies on an issuer to provide
information about identity. Further, an IdP (also known as a claims provider) is a partner in a federation
that consumes security tokens to provide access to applications. Upon deployment of AD FS, an implicit
claims provider trust is enabled for the Active Directory domain in which the AD FS server resides.

When a user initiates an authentication request through AD FS using an AD FS client, for example
Microsoft Edge, AD FS initially verifies the user credentials in AD DS. After successful
authentication by AD DS, the STS component of AD FS issues a security token that authorizes the user to
the application or service, such as Office 365. In this scenario, Office 365 implicitly trusts the token issuer,
or the Active Directory domain.
The security token contains claims about the user, such as user name, group membership, user principal
name (UPN), email address, manager details, and phone number. It is up to the consuming application,
such as Office 365, to decide how to use these claims, and to make appropriate authorization decisions;
the application does not make authentication decisions, as these are made by AD DS.

The trust between the parties is managed through certificates. While the certificates used for security
token signing and encryption can be self-signed by the AD FS server, typically HTTPS communications
between the issuer and the consuming application or service requires a public key infrastructure (PKI). A
primary example of this is AD FS as the issuer, and Office 365 as the consuming application or service.

Authentication
The primary AD FS authentication methods are:

Forms authentication. This authentication method is for resources published to the outside of the
corporate network and accessible from clients over the Internet. While forms authentication is
enabled by default, you also can enable certificate authentication (smart card authentication or user
client certificate authentication) that integrates with AD DS.

Integrated Windows authentication. This authentication method is for resources that are published to
the inside of the corporate network and are accessible from intranet resources. While Integrated
Windows authentication is enabled by default, you also can enable forms authentication and/or
certificate authentication.

Note: Integrated Windows authentication is not supported on all browsers. During
authentication, AD FS detects the user agent of the user's browser and determines whether it supports
Integrated Windows authentication.
You can use the following Windows PowerShell command to specify alternate user agent strings
for browsers that support Integrated Windows authentication:

Set-AdfsProperties -WIASupportedUserAgents

If the client's user agent does not support Windows authentication, AD FS uses the default
authentication method of forms authentication.

You also can enable device authentication to provide multi-factor authentication (MFA). Device
authentication requires that a registered device is used before a user can access a resource. MFA requires
that you enable at least one additional authentication method.

Additional Reading: For more information about using devices for MFA and SSO, refer to:
Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor
Authentication Across Company Applications at: http://aka.ms/cnmkt7

Note: Office 365 has a separate MFA process for administrator accounts that is now
extended to user accounts. This authentication process requires users to acknowledge a phone
call, text message, or app notification after correctly entering their password. The MFA feature in
Office 365 is not the same as the MFA feature in AD FS.

Attribute stores
The AD FS attribute stores are the directories or databases used to store user accounts and associated
attribute values. AD FS supports the following directories or databases as attribute stores:

AD DS in Windows Server 2003, or newer.

Microsoft SQL Server 2005, or newer.

Custom attribute stores, to enable AD FS to integrate with non-Microsoft platforms.

User experience
When a user authenticates through AD FS on the corporate intranet, the user will not be prompted for
their credentials on subsequent attempts, providing:

Internal DNS can resolve the AD FS service name to the backend AD FS servers, or to the load-
balanced IP for the AD FS service.

Any web proxy is configured to bypass the proxy for client requests to the URL for AD FS. You can use
a Group Policy Object (GPO) to add the URL for AD FS to the local intranet zone in Microsoft Internet
Explorer, or Microsoft Edge.

Internet Explorer or Microsoft Edge is enabled for Integrated Windows authentication.

A service principal name (SPN) is registered under the AD FS service account for the AD FS service.
This will enable Kerberos authentication.

The default authentication method for the AD FS service is Integrated Windows authentication.

Note: Users can avoid a credentials prompt when they access a cloud service using the same
account that they use to sign in to the workstation.
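An added example, not part of the course, that checks the prerequisites just listed (DNS, SPN, the default intranet authentication method, and the user-agent list that Set-AdfsProperties -WIASupportedUserAgents maintains) on a federation server, plus the intranet-zone item on a client; it assumes the ADFS and ActiveDirectory PowerShell modules are installed, and the registry path it reads is the one the Site to Zone Assignment List policy writes.

```powershell
# Added example (not course material): verify intranet SSO prerequisites for AD FS.
# Run Test-AdfsIntranetSso on a federation server and Test-AdfsIntranetZone on a client.

function Test-AdfsIntranetSso {
    $props  = Get-AdfsProperties
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $fsName = $props.HostName          # federation service name, for example sts.adatum.com

    # 1. Internal DNS must resolve the service name to a farm member or the load-balanced IP.
    $dns = Resolve-DnsName -Name $fsName -Type A -ErrorAction SilentlyContinue
    $dnsResult = if ($dns) { $dns.IPAddress -join ', ' } else { 'NOT RESOLVED' }

    # 2. An SPN for the service name must be registered on the AD FS service account,
    #    otherwise clients cannot obtain a Kerberos ticket and fall back to a prompt.
    $spnOwner  = Get-ADObject -Filter "servicePrincipalName -eq 'HOST/$fsName'" -Properties servicePrincipalName
    $spnResult = if ($spnOwner) { $spnOwner.Name } else { 'NONE' }

    # 3. Integrated Windows authentication must be the primary intranet method.
    $wiaIntranet = $policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication'

    # 4. User agents AD FS treats as capable of Integrated Windows authentication.
    $agents = $props.WIASupportedUserAgents -join ', '

    [pscustomobject]@{
        ServiceName        = $fsName
        DnsResolvesTo      = $dnsResult
        SpnRegisteredOn    = $spnResult
        IntranetWiaEnabled = $wiaIntranet
        WiaUserAgents      = $agents
    }
}

# On a client: confirm the AD FS service name was assigned to the Local intranet zone (zone 1)
# through the Site to Zone Assignment List policy, which Internet Explorer and Edge honour.
function Test-AdfsIntranetZone([string]$FsName) {
    $zoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $item = Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $match = $item.PSObject.Properties | Where-Object { $_.Name -like "*$FsName*" -and "$($_.Value)" -eq '1' }
    return [bool]$match
}

Test-AdfsIntranetSso
Test-AdfsIntranetZone -FsName 'sts.adatum.com'   # constructed sample service name
```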

When a user authenticates through AD FS over the Internet, you might prefer to secure the access to the
AD FS server. If so, you can deploy a proxy server in the perimeter network to intercept the authentication
request. The proxy server also uses forms authentication, which displays a webpage form for users to type
their credentials. This deployment option has a smaller security footprint since it only requires opening
the SSL port (443) to the Internet. By contrast, Integrated Windows authentication requires a range of
ports and services and should not be exposed to the Internet. As opposed to the user experience for users
on the corporate intranet, the user could be prompted each time they authenticate through AD FS over
the Internet.

Note: For more information about customizing the AD FS sign-in pages, refer to:
http://aka.ms/bis6uu

AD FS versions
Versions of AD FS since the initial release include:

AD FS 1.0. AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.

AD FS 1.1. AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an
installable server role.

AD FS 2.0. AD FS 2.0 was released as an installable download for Windows Server 2008 service pack 2
(SP2) or above.

AD FS 2.1. AD FS 2.1 was released with Windows Server 2012 as an installable server role.
AD FS 3.0. AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not
require a separate installation of Microsoft Internet Information Services (IIS), and it includes a new
AD FS proxy role called the Web Application Proxy.
AD FS 3.1. AD FS 3.1 is an installable server role on Windows Server 2016. Similar to AD FS 3.0, there is
no requirement for a separate IIS install. AD FS includes the Web Application Proxy.

AD FS 1.x was limited in its standards support, including WS-Federation passive requestor profile
(browser), and SAML 1.0 tokens.

AD FS 2.0 extended standards support for WS-Federation. In addition, AD FS supports:

WS-Federation Password Replication Policy (PRP).

WS-Federation active requestor profile.

SAML 1.1 and SAML 2.0 tokens.

SAML 2.0 operational modes.


IdP Lite/service provider lite/eGov 1.5.

AD FS 3.0 now:

Supports any LDAP v3 directory.


Provides support for an untrusted AD DS forest.

Provides an upgrade path from AD FS 2.1.

Provides access control policies, and expands support for OAuth.


Includes support for OpenID Connect.

Note: The labs in this course use AD FS 3.1 on Windows Server 2016.

Some of the new features in AD FS 3.0 on Windows Server 2012 R2 include:


IIS dependency removed.

Deployment option for a stand-alone federation server is now removed. While you still can deploy
one federation server, the only deployment option is for a federation server farm.

Separate AD FS proxy role removed. The AD FS proxy server is replaced by the Web Application
Proxy, which is used to publish the AD FS federation server to the Internet. Web Application Proxy can
publish many other applications than just AD FS.

AD FS extranet lockout. AD DS account lockout protection is available on the AD FS proxy.

Access control based on network location to control user authentication to AD FS.



In Windows Server 2016, AD FS 3.1 has some new functionalities. Some of the most important new
features in AD FS 3.1 on Windows Server 2016 include:

Support for sign-ins without passwords, by using Azure MFA

Password-less access from compliant devices

Support for Microsoft Passport and Windows Hello


Simplified password management for federated Office 365 users

Support for sign on with non-AD LDAP directories

How AD FS provides SSO for Office 365


The Azure AD service acts as a trusted token signer for user claims to Office 365 services and requires an
STS infrastructure to provide SSO. Azure AD currently supports the following STS infrastructures:

Active Directory Federation Services (AD FS)

Shibboleth IdP

SAML 2.0 IdP

IdPs from other companies

Note: This course only covers using AD FS as the STS.

How AD FS works with directory synchronization


AD FS provides SSO for Office 365 services, but only for users that have an account in both on-premises
AD DS and Office 365. The justification to require the account to exist in both directories is that the user is
always authenticating as an Office 365 account, even if SSO is not enabled.

As described earlier in the module, with SSO, authentication uses a security token from AD FS to access
Office 365 services rather than a user authenticating directly to Office 365. In the most common
environments, you create user accounts in your on-premises AD DS, and deploy directory synchronization
to synchronize the user accounts to Office 365. While policy settings are synchronized only from AD DS,
new features in the Microsoft Azure AD Connect directory synchronization tool synchronize user accounts
to both destinations. This allows you to create the user account in Office 365, and Azure AD Connect then
synchronizes it to your on-premises AD DS.

Note: It is important to understand that SSO with Office 365 is, in effect, a hybrid
environment. While most of the object attributes are the same, users have two separate accounts,
including an on-premises Active Directory account and an Azure AD account. Although you
assign Office 365 services to the Azure AD account, users do not authenticate to Office 365 with
their on-premises Active Directory account. Rather, the user's on-premises Active Directory
account credentials provide them access, or authorize them, to the Azure AD Account in Office
365 through the claims within the security token.

Password synchronization in directory synchronization vs. AD FS


As discussed earlier in the module, directory synchronization supports password synchronization to Office
365. This ensures that a user's on-premises Active Directory account and Azure AD account have the same
password at all times; password resets are synchronized in near real time, unlike other attribute changes
that are subject to the default three-hour synchronization schedule. For this reason, some organizations
could decide not to deploy AD FS, but instead choose to deploy only directory synchronization. While this
scenario is supported, it only provides users with a Same Sign-On experience, rather than an SSO
experience.

One disadvantage to only deploying password synchronization in directory synchronization is that your
environment includes two separate password policies, on-premises and in the cloud, and password
updates require successful synchronization. However, one advantage to deploying password
synchronization within directory synchronization is that a major failure in your on-premises infrastructure
can potentially have only a minimal impact to your Office 365 services. More information on deploying
AD FS with High Availability is provided later in this module.

Note: Password write-back, or password synchronization from Office 365 to your on-
premises AD DS is now available in Azure AD Connect. However, Azure AD Premium licensing is
required.

Discussion: Comparing federated identities and synchronized identities

Directory Services and SSO are key parts of integrating your on-premises environment and
online services. You are planning for the deployment of your company's Office 365 tenant.
To ensure your users are able to use their credentials from your on-premises AD DS, you
need to evaluate which identity solution to deploy based on your business requirements.

The business requirements include:


o Passwords updated by users in on-premises AD DS should be available for use in accessing Office
365 services within five minutes.

o Password complexity should comply with policies in on-premises AD DS.


o Password expiration should comply with policies in on-premises AD DS.

After discussing these requirements with your engineering staff, which option for
authentication should your team consider for deployment?

o Password synchronization in Azure AD Connect

o Federated (SSO) authentication with AD FS

o Federated (SSO) with AD FS, and password synchronization in Azure AD Connect



Lesson 2
Planning an AD FS deployment
In this lesson, you will learn how to plan an AD FS deployment to support identity federation with Office
365. AD FS is important in order for users to access Office 365 services. You will also learn how to plan a
highly available environment based on the size of your environment.

Lesson Objectives
After completing this lesson, you should be able to:

Describe the AD FS server roles, including AD FS proxy or Web Application Proxy.

Describe the planning considerations for deploying AD FS for Office 365.


Plan for highly available deployment of AD FS that addresses all single points of failure.

Describe the capacity planning of AD FS.

Describe the requirements for deploying AD FS, including Domain Name System (DNS) records and
certificates.

Describe the optional scenario of deploying SSO with Azure virtual machines.

AD FS server roles
Depending on the environment in your organization, you must deploy certain AD FS server roles to meet
your business and security requirements. You can use one or more server roles to provide an AD FS
federated identity management solution in support of these requirements.

Federation service
Beginning with Windows Server 2012, AD FS includes a federation service role service. In addition, AD FS
can issue, manage, and validate requests for security tokens and identity management. The federation
service can act as an identity provider by authenticating users to provide security tokens to applications
that trust AD FS. In addition, it also can act as a federation provider by consuming tokens from other
identity providers and then providing security tokens to applications that trust AD FS.

Federation server farm


A federation server farm consists of two or more federation servers that run the federation service role
service, and that share the same AD FS configuration database and token-signing certificates. Although
the federation service role service is installed on each federation server in the farm, the servers work
together to act as one federation service instance. You should consider deploying a federation server farm
when you have a larger AD FS environment and you want to provide fault tolerance, load-balancing, or
scalability to your organization's federation service.

Note: While not a requirement, federation servers in a federation server farm should be
located on the same network. You typically can use Network Load Balancing (NLB) or some other
form of clustering to allocate a single IP address for the multiple federation servers.

Federation proxy
When providing extranet access to applications and services that are secured by AD FS, you might choose
to deploy a federation proxy. A federation proxy is a computer that has been configured to act as an
intermediary proxy service between the clients on the Internet and your federation service that is located
behind your firewall on the corporate network. In order to allow remote access to the cloud service, such
as from a smartphone, home computer, or Internet kiosk, you should strongly consider deploying a
federation server proxy.

Note: Federation proxies cannot produce security tokens themselves; instead, they are used
to route or redirect tokens to clients, and if necessary, route or redirect the tokens back to the
federation server. For this reason, federation proxy servers are not required for providing remote
access to cloud services. However, they are strongly recommended.

The predecessor to Web Application Proxy was limited to brokering connections between external users
and the federation service. Now, Web Application Proxy provides reverse proxy functionality for web
applications inside a corporate network to external users. In addition, it pre-authenticates access to web
applications for the federation service, and functions as an AD FS proxy.

Database
AD FS uses a database to store configuration data (and, in some cases, transactional data) related to the
federation service. During deployment, you can choose to use either the built-in Windows Internal
Database (WID) or SQL Server. While most of the functions of the two database types are relatively
equivalent, one of the major differences is how they function in a federation server farm. When you
deploy a federation server farm using WID, the federation server farm replicates data between a primary
federation server and secondary federation servers.

Note: There are no feature differences between using WID or SQL Server that are required
for integration with Office 365. More information about determining which type of AD FS
configuration database to use is discussed later in this module.

Creating the first federation server in a farm also creates a new Federation Service. When you use WID for
the AD FS configuration database, the first federation server that you create in the farm is referred to as
the primary federation server. This means that this computer is configured with a read/write copy of the
AD FS configuration database. All other federation servers that you configure for this farm are referred to
as secondary federation servers because they must replicate any changes that are made on the primary
federation server to the read-only copies of the AD FS configuration database stored locally. Secondary
federation servers connect to and synchronize the data with the primary federation server in the farm by
polling it at regular intervals to verify if data has changed.

Note: The poll interval of the secondary federation servers is five minutes by default, but an
immediate synchronization can be forced at any time by using Windows PowerShell cmdlets.

The secondary federation servers exist to provide fault tolerance for the primary federation server and to
load-balance access requests across network sites. If the primary federation server is offline, all secondary
federation servers continue to process requests as normal. However, no new changes can be made to the
AD FS database until the primary federation server is brought back online, or a secondary server is
promoted to the primary federation server role. You can manage the assignment of the primary and
secondary federation server roles in the federation server farm by using the Set-AdfsSyncProperties
Windows PowerShell cmdlet.
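Promoting a secondary WID server to primary after the original primary is lost, as an added Windows PowerShell example that is not part of the course text; the server names, the sync port and the use of PowerShell remoting are assumptions, and only the Set-AdfsSyncProperties and Get-AdfsSyncProperties cmdlets are relied on:

```powershell
# Added example, not from the course. Promotes one WID secondary to primary and repoints
# the remaining farm members. Server names and the sync port are assumptions; run from a
# workstation that can reach every farm member through PowerShell remoting.
function Set-AdfsWidPrimary {
    param(
        [Parameter(Mandatory)][string]$NewPrimary,     # server that will hold the read/write copy
        [Parameter(Mandatory)][string[]]$Secondaries,  # every other member, old primary included
        [int]$PrimaryPort = 80                          # port the secondaries poll the primary on
    )

    # Step 1: give the chosen server the read/write copy of the configuration database.
    Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
        Set-AdfsSyncProperties -Role PrimaryComputer
    }

    # Step 2: point each remaining member at the new primary so it resumes polling.
    # An unreachable member (for example the failed old primary) produces a
    # non-terminating error and the loop continues with the next server.
    foreach ($server in $Secondaries) {
        Invoke-Command -ComputerName $server -ArgumentList $NewPrimary, $PrimaryPort -ScriptBlock {
            param($Primary, $Port)
            Set-AdfsSyncProperties -Role SecondaryComputer `
                -PrimaryComputerName $Primary -PrimaryComputerPort $Port
        }
    }

    # Step 3: report role, poll interval (seconds; 300 by default) and last sync result.
    Invoke-Command -ComputerName (@($NewPrimary) + $Secondaries) -ScriptBlock {
        Get-AdfsSyncProperties |
            Select-Object Role, PrimaryComputerName, PollDuration, LastSyncStatus
    }
}

# Usage with assumed names: adfs01 was the primary; adfs02 becomes the new primary.
Set-AdfsWidPrimary -NewPrimary 'adfs02.adatum.com' `
    -Secondaries 'adfs01.adatum.com', 'adfs03.adatum.com' |
    Format-Table PSComputerName, Role, PrimaryComputerName, PollDuration, LastSyncStatus -AutoSize
```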

Note: When you deploy a federation server farm using WID, some features of AD FS might
not be available. To have access to the full feature set when you configure your server farm,
consider using SQL Server to store the AD FS configuration database instead.

When you deploy a federation server farm using SQL Server, the term primary federation server does not
apply because all of the federation servers can equally read and write to the AD FS configuration database
that uses the same clustered SQL Server instance. More information about how to deploy a federation
server farm when you use SQL Server is discussed later in this module.

Simplified deployment experience


Deploying AD FS in Windows Server 2012 R2 or later is simplified by the following enhancements:

AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the footprint of
services, especially when AD FS is installed on Active Directory domain controllers.

Remote installation and configuration through Server Manager.

UI support for installing AD FS with SQL Server.

Group managed service account support. This enables AD FS to run with service accounts without
managing expiring service account passwords.

SQL Server merges replication support when deploying AD FS across globally dispersed data centers.

Planning an AD FS deployment for Office 365


AD FS is a full-featured and potentially complex set of technologies. To deploy AD FS successfully, your
planning should consider the following:

Planning for the kind of end-user devices and browsers that are supported

Selection of appropriate internal topologies and NLB for federation server farms and federation proxies

Remediation of AD DS for non-supported characters and invalid data

Preparation of DNS host name records

Purchase or issuing of certificates

Configuration of firewalls for AD FS-related ports

Planning for placement of AD FS servers and proxies

Selection of appropriate AD FS database technology

Planning for AD FS high availability

Capacity planning to determine required servers and server specifications

Preparation for MFA

Planning for access filtering using claims rules

These planning considerations are examined in detail throughout the remainder of this module.

When you start planning your AD FS environment for integration with Office 365, there are a number of
design decisions you need to consider before starting the deployment process. These design decisions
include:

Remediation of AD DS

Choice of the configuration database


Use of federation proxies

Configuration of Extended Protection for Authentication

Virtualization of your AD FS infrastructure

Server placement

Remediation of AD DS
Several user attributes must be examined in AD DS before implementing AD FS. For example, the UPN
must be set for every user, and must be known by each user if used as his or her sign-in name. UPNs used
for SSO can contain only letters, numbers, periods, dashes, and underscores. If there are invalid characters
in UPNs, these must be remediated before AD FS is enabled.
The UPN domain suffix must be either the domain to be configured for SSO, or a subdomain of it. If the
Active Directory domain name is not a public Internet domain (for example, it ends with a .local suffix),
the UPN must be changed to include either a publicly registered domain, or a subdomain of an Internet
domain name.

If the domain suffix needs to be changed and directory synchronization has already been deployed, the
UPNs for users in Office 365 might not match the UPNs for the corresponding users in your on-premises
AD DS. To remediate these UPNs, you can reset them by using the Set-MsolUserPrincipalName
Windows PowerShell cmdlet.

Use the following Set-MsolUserPrincipalName cmdlet, which is available in the Windows Azure AD
Module for Windows PowerShell:

Set-MsolUserPrincipalName -UserPrincipalName user@Adatum.local -NewUserPrincipalName user@Adatum.com
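Finding the on-premises accounts that need this remediation before AD FS is enabled, as an added Windows PowerShell example that is not part of the course text; it checks each UPN for characters outside the allowed set and for a suffix that is not the SSO domain or a subdomain of it. The domain adatum.com, the CSV path and the ActiveDirectory module (RSAT) are assumptions.

```powershell
# Added example, not from the course: audit AD DS UPNs before enabling AD FS.
# Requires the ActiveDirectory module; the SSO domain and output path are assumptions.
Import-Module ActiveDirectory

function Test-AdfsUpn {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$UserPrincipalName,
        [Parameter(Mandatory)][string[]]$SsoDomains   # domains registered for SSO, e.g. adatum.com
    )
    $problems = @()
    $parts = $UserPrincipalName -split '@', 2
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        return @('UPN is empty or not in the form prefix@suffix')
    }
    $prefix, $suffix = $parts

    # Only letters, digits, periods, dashes and underscores are allowed for SSO.
    if ($prefix -notmatch '^[A-Za-z0-9._-]+$') {
        $problems += 'Prefix contains characters outside [A-Za-z0-9._-]'
    }

    # The suffix must be an SSO domain or a subdomain of one (a .local suffix fails here).
    $suffixOk = $false
    foreach ($d in $SsoDomains) {
        if ($suffix -ieq $d -or $suffix.ToLower().EndsWith('.' + $d.ToLower())) { $suffixOk = $true }
    }
    if (-not $suffixOk) { $problems += "Suffix '$suffix' is not an SSO domain or a subdomain of one" }
    return $problems
}

function Get-AdfsUpnRemediationReport {
    param(
        [Parameter(Mandatory)][string[]]$SsoDomains,
        [string]$SearchBase            # optional OU distinguished name to limit the scan
    )
    $query = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $upn = [string]$user.UserPrincipalName
        $issues = @(Test-AdfsUpn -UserPrincipalName $upn -SsoDomains $SsoDomains)
        if ($issues.Count -eq 0) { continue }

        # Suggested value keeps the current prefix (or falls back to the SAM account name),
        # strips disallowed characters and moves the account to the first SSO domain.
        $prefix = ($upn -split '@')[0]
        if (-not $prefix) { $prefix = $user.SamAccountName }
        $prefix = $prefix -replace '[^A-Za-z0-9._-]', ''

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            UserPrincipalName = $upn
            Issues            = ($issues -join '; ')
            SuggestedUpn      = '{0}@{1}' -f $prefix, $SsoDomains[0]
        }
    }
}

# Usage (assumed domain): list the accounts to fix and export them for review before any change.
Get-AdfsUpnRemediationReport -SsoDomains 'adatum.com' |
    Export-Csv -Path .\upn-remediation.csv -NoTypeInformation
```

Review the suggested values before applying them; a stripped prefix can collide with an existing UPN.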

Configuration database
As discussed earlier in this module, when planning for federation services, you can choose to use either
the WID or SQL Server for hosting the Configuration database. For most AD FS deployments, we
recommend deploying a federation server farm with the WID deployment topology as the default choice,
as it is easier to deploy. In addition, it supports up to five federation servers in a farm, and up to 30
federation servers in a farm with few relying parties in federated trusts. WID also provides load balancing
and fault tolerance.

While SQL Server is not subject to the same limitations of WID, it does require more setup and
management. If you choose to deploy the federation server farm with SQL Server deployment topology,
all federation servers in the farm read and write to the same SQL Server database instance. This
deployment topology is typically reserved for more advanced AD FS deployments that require one or
more of the following criteria:

Support for more than 100 claims providers or more than 100 relying parties in a federated trust.

Support for more federation servers in a farm than what is supported by WID. Federation servers in a
farm with WID have a limit of 30 federation servers if you have 100 or fewer relying parties in
federated trusts. If you have more than 100 relying parties, you are limited to five federation servers.

Geographic load balancing to distribute the higher traffic across multiple data centers based on
location.

High availability of the Configuration database.

Additional performance enhancements, including the ability to scale out using more than five
federation servers in the same federation server farm.

The need to use SAML/WS-Federation token replay detection to protect the integrity of
authentication requests by making sure that the same token is never used more than once. This helps
mitigate man-in-the-middle attacks.

The need to use SAML artifact resolution to direct browser clients with an artifact to a SAML artifact
endpoint URL for resolution. This provides an alternate mechanism for passing tokens to client
applications.

Note: If you deploy a federation server farm with SQL Server, you must install AD FS using
Windows PowerShell. However, you can migrate an AD FS configuration database from WID to
an instance of SQL Server.

Federation proxies
The role of federation server proxies is to redirect client authentication requests coming from outside your
corporate network to your federation server farm. You should plan on deploying federation proxies to
your AD FS environment if any of the following scenarios apply:

Roaming work computers. These are users who are signed in to domain-joined computers with their
corporate credentials but who are not connected to the corporate network. For example, a roaming
work computer could be a work computer at a user's home or at a hotel, which can access the cloud
service.

Home or public computer. When a user's computer is not joined to the corporate domain, the user
must sign in with their corporate credentials to access the cloud service.

Smartphone. On a smartphone, the user must sign in with their corporate credentials to access a
cloud service such as Microsoft Exchange Online, by using Microsoft Exchange ActiveSync.

Microsoft Outlook or other email clients. The user must sign in with their corporate credentials to
access their Office 365 email if they are using Outlook or an email client that is not part of the
Microsoft Office suite, such as an Internet Message Access Protocol (IMAP) or POP email client.

Extended Protection for Authentication


Certain browsers, such as Mozilla Firefox, Google Chrome, and Apple Safari, do not support the Extended
Protection for Authentication capabilities that can be used across the Windows platform to protect
against man-in-the-middle attacks. To prevent this type of attack in your federation service, AD FS by
default requires that all federation traffic use a channel binding token.

However, if your company supports browsers that do not support Extended Protection for Authentication,
you should consider disabling it in AD FS, so that the channel binding token is no longer required for all
federation communication. Be aware that this could leave client credentials vulnerable to
man-in-the-middle attacks.

Virtualization
You might decide to host your federation service from a virtualized infrastructure. All of the AD FS server
roles, including the federation server and the federation proxy, are supported in virtual machines on
Microsoft Hyper-V. If you plan to use this technology to host more than one federation server or proxy,
you should consider hosting the virtual machines on separate host computers.

Server placement
The most critical component of an AD FS deployment is the federation server or server farm. Therefore,
planning your server placement strategy properly is important. The federation servers must be domain-
joined and should be deployed behind a firewall on the corporate network to prevent exposure to the
Internet. However, the federation proxy should not be domain-joined and should be deployed in the
perimeter network.

Planning a highly available AD FS deployment


The availability of your AD FS environment is
critical when services in Office 365 are enabled for
federated authentication. For example, if your
federation server is unavailable, all user
authentication requests will fail and users will not
be able to access Office 365 services. Similarly, if
your federation proxy is unavailable, external user
authentication requests will not be passed to your
federation server, and these users will not be able
to access Office 365 services. Therefore, it is
essential that preparation for AD FS deployment
include planning for high availability of your
AD FS federation servers and the AD FS federation proxy servers.

Note: AD FS availability only affects user authentication and does not affect Office 365
services. For example, if users are not able to access their email in Office 365, their mailbox in
Exchange Online will continue to receive email.

Federation server farm


With Windows Server 2012 and earlier, you can deploy the AD FS federation server as a stand-alone
server or in a federation server farm. However, we recommend that you always deploy the federation
server in a federation server farm. Even if the farm consists only of one federation server initially, this
deployment method provides you with the option of adding more federation servers later for load
balancing or fault tolerance. If the AD FS federation server is deployed as a stand-alone server,
you will not be able to add additional servers later.

With Windows Server 2012 R2 and later, you can only deploy the AD FS federation server in a federation
server farm. While this deployment method provides you with the option of adding more federation
servers later, we recommend that you deploy more than one federation server in a farm for your
production environments.

NLB
You should use NLB or other forms of clustering to allocate a single IP address for multiple AD FS
federation servers. With this deployment option, failure of a single federation server should not affect the
federation services for users. Similarly, you also should use NLB to provide an AD FS proxy array in the
perimeter network to ensure that external clients are not impacted by failure of any AD FS proxy
computer.

Note: While not covered in this course, you also can deploy a hardware load balancer
instead of NLB to provide high availability to your federation servers and federation proxy
servers.

Configuration database
If you chose WID as your AD FS data storage, there is a copy of the Configuration database on each
server. However, if you chose SQL Server as your AD FS data storage, you need to plan for a high
availability SQL Server deployment. As opposed to WID, deploying an AD FS federation server farm with
SQL Server does not enable high availability of the configuration database, by default. For example, if the
SQL Server is unavailable, the AD FS federation server is unable to connect to the Configuration database,
and the AD FS service will not start. For this reason, you should consider deploying AD FS with a SQL
Server cluster or a SQL Server failover partner. While you can enable the SQL Server cluster at any time,
the SQL Server cluster failover partner can only be enabled during AD FS deployment or afterwards. This is
because you use AD FS to configure the failover partner.

Additional Reading: For more information on the high availability solutions of SQL Server
refer to: http://aka.ms/lsr6m4

Capacity planning
Capacity planning for federation servers helps you
assess the hardware requirements for each
federation server and the number of federation
servers to deploy. Capacity planning also helps
you estimate and prepare for growth in the size of
the AD FS configuration database.

Capacity planning sizing spreadsheet


The AD FS Capacity Planning Sizing spreadsheet
includes calculator-like functionality that takes
expected usage data about users in your
organization, and returns a recommended optimal
number of federation servers for an AD FS
production environment.

The AD FS Capacity Planning Sizing spreadsheet requires the following inputs:

A value (40, 60, or 80 percent) that best represents the percentage of total users expected to send
authentication requests to AD FS during peak usage periods.

A value (one minute, 15 minutes, or one hour) that best represents the length of time the peak usage
period is expected to last.

The total number of users that will require SSO access to the target claims-aware application, based
on whether the users are:

o Signing in to AD DS from a computer on the corporate network.

o Signing in to AD DS remotely from a computer.

o From another organization or from a SAML 2.0 identity provider.

Additional Reading: For more information about the AD FS Capacity Planning Sizing
spreadsheet, or to download it, refer to: http://aka.ms/n0uyfb

Estimation table
AD FS can scale to support tens of thousands of users, and allows you to add more federation servers to a
server farm as your company scales up. You can use the following table to help you estimate the
minimum number of AD FS federation servers and web application proxies or federation server proxies
that you will need to deploy. These estimations are based on the number of users who will require SSO
access (including remote access) to the cloud service.

Note: Unless otherwise noted, all of the federation servers should be deployed in a
federation server farm with a WID store for the Configuration database. While fewer federation
servers might be possible in some of the scenarios below, an additional federation server is
included to provide redundancy.

Number of users accessing Office 365 services: Fewer than 1,000 users
Minimum number of AD FS servers to deploy: 2 federation servers, 2 proxies
Recommendation and steps: With fewer users, consider deploying the federation servers on two existing
domain controllers and then implement load balancing using NLB. For the proxies, consider using two
existing web servers or proxy servers, and then configure them both for the federation server proxy role
or the Web Application Proxy role.

Number of users accessing Office 365 services: 1,000 to 15,000 users
Minimum number of AD FS servers to deploy: 2 federation servers, 2 proxies
Recommendation and steps: With medium-to-large organizations, consider deploying the federation
servers on two dedicated computers with NLB. Consider deploying the proxies on two dedicated
computers with NLB.

Number of users accessing Office 365 services: 15,000 to 60,000 users
Minimum number of AD FS servers to deploy: 3 to 5 federation servers; 2 proxies
Recommendation and steps: For every increment of 15,000 users over 15,000, you should deploy an
additional federation server to the load-balanced farm, up to the maximum of five servers that WID
supports (or more with a SQL Server database). For the proxies, consider deploying additional nodes to
improve performance.

Number of users accessing Office 365 services: More than 60,000 users
Minimum number of AD FS servers to deploy: 5+ federation servers, 3+ proxies
Recommendation and steps: For enterprises with over 60,000 users, you should implement five or more
federation servers using SQL Server for the configuration database. You also should deploy three or
more proxies using hardware load balancing instead of NLB.

AD FS requirements
Prior to deploying AD FS, multiple requirements
must be in place. The following are the various
requirements that you must plan for when
deploying AD FS:

Certificate

Hardware

Software

AD DS

Configuration database

Browser

Extranet

Network

Attribute store

Application

Authentication

Workplace join

Permissions

Certificate requirements
Certificates play the most critical role in securing communications between federation servers, Web
Application Proxy, claims-aware applications, and web clients. The requirements for certificates vary,
depending on whether you are deploying a federation server or a federation proxy computer. Within any
AD FS deployment, you are required to have the following four certificates:

Certificate type: SSL certificate. Standard SSL certificate used for securing communications between
federation servers and clients.
Requirements:
o The certificate must be a publicly trusted X509 v3 certificate.
o All clients that access AD FS must trust the certificate.
o While we recommend that you use the same SSL certificate for the Web Application Proxy, it is
required to be the same when supporting Windows Integrated Authentication endpoints, through the
Web Application Proxy, with Extended Protection Authentication enabled.
o The Subject name, or subject alternative name (SAN), on the certificate should represent the
federation service name.
o Wildcard certificates are supported.

Certificate type: Service communication certificate. Enables Windows Communication Foundation (WCF)
message security for securing communications between federation servers.
Requirements:
o While the SSL certificate is used as the service communication certificate by default, you can
enable another certificate.
o If using the SSL certificate, you will need to enable the renewed SSL certificate for the service
communication certificate upon expiration, as this is not automatic.
o This certificate must be trusted by clients of AD FS that use WCF message security, so you might
consider using a publicly trusted certificate.
o The certificate cannot use Cryptography Next Generation (CNG) keys.
o You can manage this certificate in the AD FS Management console or through Windows PowerShell.

Certificate type: Token-signing certificate. A standard X509 certificate that is used for securely
signing all tokens that the federation server issues.
Requirements:
o By default, AD FS creates this self-signed certificate and renews it automatically before it expires.
o Although not required, you can use publicly trusted certificates. However, AD FS does not renew
them automatically.
o The certificate cannot use CNG keys.
o You can manage this certificate in the AD FS Management console or via Windows PowerShell.

Certificate type: Token-decryption and encryption certificate. A standard X509 certificate that is used
to either decrypt or encrypt any incoming tokens. It also is published in federation metadata.
Requirements:
o By default, AD FS creates this self-signed certificate and renews it automatically before expiration.
o Although not required, you can use publicly trusted certificates. However, AD FS does not renew
them automatically.
o The certificate cannot use CNG keys.
o You can manage this certificate in the AD FS Management console, or via Windows PowerShell.

Note: Certificates that are used for token signing and token decrypting and encrypting are
critical to the stability of the federation service. If you deploy your own token-signing and
token-decrypting and encrypting certificates, you should ensure that they are backed up and are
available independently during a recovery event.
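Checking which of these certificates AD FS will actually renew for you, and which ones an administrator must track, as an added Windows PowerShell example that is not part of the course text; it runs on a federation server with the ADFS module and relies only on the Get-AdfsCertificate and Get-AdfsProperties cmdlets. The 30-day warning threshold is an assumption.

```powershell
# Added example, not from the course: report expiry and renewal ownership of the AD FS
# token-signing, token-decrypting and service communication certificates.
# Run on a federation server; the warning threshold is an assumption.
function Get-AdfsCertificateHealth {
    param([int]$WarnDays = 30)   # flag certificates that expire within this many days

    # Automatic rollover only applies to the self-signed token certificates AD FS created.
    $rollover = (Get-AdfsProperties).AutoCertificateRollover

    foreach ($entry in Get-AdfsCertificate) {
        $x = $entry.Certificate           # X509Certificate2 behind this AD FS certificate slot
        $selfSigned = ($x.Subject -eq $x.Issuer)
        $daysLeft   = [int]($x.NotAfter - (Get-Date)).TotalDays

        # The service communication certificate is never renewed automatically; token
        # certificates are renewed only when self-signed and rollover is enabled.
        $autoRenewed = $selfSigned -and $rollover -and
                       ($entry.CertificateType -ne 'Service-Communications')

        $warning = $null
        if ($daysLeft -le $WarnDays) { $warning = "Expires in $daysLeft days" }
        elseif (-not $autoRenewed)   { $warning = 'Renewal is manual; keep a backup' }

        [pscustomobject]@{
            Type        = $entry.CertificateType
            IsPrimary   = $entry.IsPrimary
            Subject     = $x.Subject
            Thumbprint  = $x.Thumbprint
            NotAfter    = $x.NotAfter
            DaysLeft    = $daysLeft
            SelfSigned  = $selfSigned
            AutoRenewed = $autoRenewed
            Warning     = $warning
        }
    }
}

# Usage: run on a federation server and review every row that carries a warning.
Get-AdfsCertificateHealth | Format-Table -AutoSize
```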

Hardware requirements
The following minimum and recommended hardware requirements apply to the AD FS federation servers
that are deployed on Windows Server 2012 R2 or Windows Server 2016:

Central processing unit (CPU) speed: minimum 1.4 gigahertz (GHz) 64-bit processor; recommended
quad-core, 2 GHz

Random access memory (RAM): minimum 512 megabytes (MB); recommended 4 GB

Disk space: minimum 32 gigabytes (GB); recommended 100 GB

Software requirements
The following software requirements apply to AD FS federation servers that are deployed on Windows
Server 2012 R2 or Windows Server 2016:

For extranet access, you must deploy the Web Application Proxy role service which is part of the
Windows Server 2012 R2 or 2016 Remote Access server role. Previous versions of a federation server
proxy are not supported with AD FS on Windows Server 2012 R2 or Windows Server 2016.

A federation server and the Web Application Proxy role service cannot be installed on the same
computer.

Active Directory requirements


Active Directory requirements are another critical component of AD FS planning. Your planning should
include preparing your environment based on these requirements. For AD FS to be supported, the
domain controllers in all of your user domains and in the domain that AD FS servers are joined to must be
running Windows Server 2008 or later and be at the domain functional level of Windows Server 2008 or
higher.

You can deploy AD FS with any standard service account. Alternatively, you might use a group managed
service account, but then you are required to deploy at least one domain controller with Windows
Server 2012 or higher. The AD FS service account must be trusted in every user domain that contains users
who could authenticate to the federation service. For Kerberos authentication to function properly
between your domain-joined clients and AD FS, the HOST/adfs_service_name service principal name (SPN)
must be registered on the service account. By default, AD FS configures this automatically when deploying
a new federation server farm if it has sufficient permissions to perform this operation.

In single forest scenarios, all of the AD FS federation servers must be joined to an Active Directory
domain, and all of the AD FS federation servers within a federation server farm must be joined to the
same Active Directory domain. In addition, the domain that the AD FS servers are joined to must trust
every user account domain that contains users who could authenticate to the federation service.

In multi-forest scenarios, the domain that the AD FS servers are joined to must trust every user account
domain or forest that contains users who could authenticate to the federation service. In addition, the
AD FS service account must be trusted in every user domain that contains users who could authenticate to
the federation service.

Configuration database requirements


AD FS requires a configuration database to store configuration data. This database can either be a
Microsoft SQL Server 2005 or newer database, or the WID included with Windows Server 2008, Windows
Server 2008 R2, and Windows Server 2012. For AD FS on Windows Server 2012 R2 and later, you can use
Microsoft SQL Server 2008 or newer, including Microsoft SQL Server 2012 and Microsoft SQL Server 2014.

Browser requirements
If you perform authentication to AD FS from a browser or browser control, your browser must meet the
following requirements:

JavaScript must be enabled.

Cookies must be turned on.

Server Name Indication (SNI) must be supported.

For user certificate and device certificate authentication, for example workplace join functionality, the
browser must support SSL client certificate authentication.

Several key browsers and platforms have undergone validation for rendering and for functionality. These
include Internet Explorer 10 or later, Firefox 21 or later, Safari 7.0 or later, and Chrome 27 or later.
Browsers and devices not referenced could still be supported if they meet the requirements listed above.

AD FS creates session-based and persistent cookies that must be stored on client computers to provide
sign-in, sign-out, SSO, and other functionality. For this reason, one of the browser requirements is that the
client browser must be configured to accept cookies. Cookies that are used for authentication are HTTPS
session-based cookies that are written for the originating server. If the client browser is not configured to
allow these cookies, AD FS might not function properly. Persistent cookies are used to preserve user
selection of the claims provider. You can disable them with a change in the configuration file for the
AD FS sign-in pages. Support for Transport Layer Security (TLS) over SSL (TLS/SSL) is required for security
reasons.

Extranet requirements
To provide extranet access to the AD FS service, you must deploy the Web Application Proxy role service
as the extranet-facing role that proxies authentication requests in a secure manner to the AD FS service.
This provides isolation of the AD FS service endpoints in addition to isolation of all security keys (such as
token-signing certificates) from requests that originate from the internet. In addition, features such as Soft
Extranet Account Lockout require the use of the Web Application Proxy.

Network requirements
Configuring the network properly is critical for the successful deployment of AD FS in your environment.
The firewall located between the Web Application Proxy and the federation server farm, and the firewall
between the clients and the Web Application Proxy must allow TCP port 443 for inbound traffic. In
addition, if client user certificate authentication is required, AD FS in Windows Server 2012 R2 and later
requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web
Application Proxy. However, this is not required on the firewall between the Web Application Proxy and
the federation servers.

All clients accessing the federation service within the corporate network must be able to resolve the AD FS
service name to the load-balanced IP of the federation server farm. All clients accessing the federation
service from the Internet must be able to resolve the AD FS service name to the load-balanced IP of the
Web Application Proxy servers. For extranet access to function properly, each Web Application Proxy
server in the perimeter network must be able to resolve the AD FS service name to the load-balanced IP
of the federation server farm. This requirement might need a DNS server in the perimeter network or a
HOSTS file on the Web Application Proxy servers. For Windows Integrated authentication to work either
inside or outside the network, for a subset of endpoints exposed through the Web Application Proxy, you
must use a host (A) resource record (not a canonical name (CNAME) record) to point to the load
balancers.
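The DNS, firewall and SSL certificate prerequisites described above can be verified from a client or from a Web Application Proxy host with the following Windows PowerShell script, added here as an example that is not part of the course text; the federation service name sts.adatum.com is an assumption, and Test-HostNameMatch is a helper defined in the script rather than a built-in cmdlet.

```powershell
# Added example, not from the course: check that a federation service name resolves via
# an A record, that the required ports answer, and that the presented SSL certificate
# is trusted and covers the name. The service name used at the end is an assumption.

function Test-HostNameMatch {
    # Helper (not built in): does a certificate name, possibly a wildcard, cover the host?
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.Trim().ToLower(); $h = $HostName.ToLower()
    if ($p -eq $h) { return $true }
    # A wildcard covers exactly one label: *.adatum.com covers sts.adatum.com only.
    if ($p.StartsWith('*.')) {
        return ($h.Split('.').Count -eq $p.Split('.').Count) -and $h.EndsWith($p.Substring(1))
    }
    return $false
}

function Test-AdfsNamePrerequisites {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [switch]$ClientCertificateAuth    # also test TCP 49443 (user certificate authentication)
    )
    $r = [ordered]@{ Name = $FederationServiceName }

    # DNS: Windows Integrated Authentication through the Web Application Proxy needs a
    # host (A) record pointing at the load balancer, not a CNAME.
    $dns = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue
    $r.ResolvedAddresses = @($dns | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $r.UsesCname         = [bool]($dns | Where-Object Type -eq 'CNAME')

    # Firewall: TCP 443 inbound is always required; TCP 49443 only for client certificates,
    # and only on the client-to-proxy firewall.
    $r.Tcp443Open = (Test-NetConnection -ComputerName $FederationServiceName -Port 443 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($ClientCertificateAuth) {
        $r.Tcp49443Open = (Test-NetConnection -ComputerName $FederationServiceName -Port 49443 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # TLS: the SSL certificate must chain to a root the client trusts, and its subject or
    # subject alternative name must cover the federation service name.
    $r.CertificateTrusted = $false; $r.CertificateCoversName = $false
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($FederationServiceName, 443)
        # Accept the handshake unconditionally; trust and name are evaluated explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($FederationServiceName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    $ssl.RemoteCertificate)
        $r.CertificateSubject = $cert.Subject
        $r.CertificateTrusted = $cert.Verify()

        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
        $r.CertificateNames      = $names
        $r.CertificateCoversName = [bool]($names | Where-Object {
            Test-HostNameMatch -Pattern $_ -HostName $FederationServiceName })
        $ssl.Dispose(); $tcp.Close()
    } catch {
        $r.TlsError = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Usage with an assumed service name; run it once inside the network and once from the
# perimeter, since each must resolve the name to a different load-balanced address.
Test-AdfsNamePrerequisites -FederationServiceName 'sts.adatum.com' -ClientCertificateAuth |
    Format-List
```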

Attribute store requirements


AD FS requires at least one attribute store for use with authenticating users and extracting security claims
for those users. During deployment, AD FS creates an Active Directory attribute store automatically, by
default. Attribute store requirements depend on whether your organization is acting as the account
partner (hosting the federated users) or the resource partner (hosting the federated application).

Additional Reading: For more information on the complete list of attribute stores
supported by AD FS, go to: http://aka.ms/vgazki

Application requirements
AD FS supports claims-aware applications that use the following protocols:

WS-Federation
WS-Trust

SAML 2.0 protocol using IdP Lite, SP Lite, and eGov 1.5 profiles

OAuth 2.0 Authorization Code Grant profile


AD FS also supports authentication and authorization for any non-claims-aware applications that are
supported by the Web Application Proxy.

Authentication requirements
In most AD FS deployments, the primary authentication method for the relying party in a federated trust
is AD DS authentication. For intranet access, the following standard authentication mechanisms for AD DS
are supported:
Windows Integrated Authentication using the Negotiate option, which includes Kerberos and NTLM

Forms Authentication using usernames and passwords

Certificate authentication using certificates mapped to user accounts in AD DS


For extranet access, the following authentication mechanisms are supported:

Forms authentication using usernames and passwords

Certificate authentication using certificates that are mapped to user accounts in AD DS

Windows Integrated Authentication using Negotiate (NTLM only) for WS-Trust endpoints that accept
Windows Integrated Authentication

You should consider the following if you enable certificate authentication:

The most common scenario for certificate authentication is smart card authentication with PIN
protected certificates.

AD FS does not provide the user interface in which the user enters the PIN; the client operating system
displays it as part of client TLS authentication.

The reader and cryptographic service provider (CSP) for the smart card must work on the computer
on which the browser is located.

The smart card certificate must chain to a root certificate that is trusted on all of the AD FS servers and
Web Application Proxy servers.

The certificate must map to the user account in AD DS by either of the following methods:

o The certificate subject name corresponds to the LDAP distinguished name of a user account in
AD DS.

o The certificate SAN extension has the UPN of a user account in AD DS.

For seamless Windows Integrated Authentication using Kerberos authentication on the intranet:

The service name must be in the browser's Local intranet or Trusted sites zone.

The HOST/adfs_service_name SPN must be set on the service account that the AD FS farm runs as.

AD FS also supports authentication through a provider model: you can build your own MFA adapter that
an administrator registers and uses during sign-in. Every MFA adapter must be built on the Microsoft .NET
Framework 4.5. In addition, AD FS supports device authentication using certificates provisioned by the
Device Registration Service when an end user workplace-joins a device.
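An added example, not from the course text, that applies the intranet and extranet authentication methods listed above through Set-AdfsGlobalAuthenticationPolicy and then checks the two Kerberos prerequisites. The service name adfs.adatum.com and the service account ADATUM\svc_adfs are placeholders (for a gMSA use the form ADATUM\gmsa-adfs$); the first part runs on a federation server, the last part is a client-side browser setting and runs in the user's own context.

```powershell
Import-Module ADFS

$serviceName = 'adfs.adatum.com'   # placeholder federation service name
$serviceAcct = 'ADATUM\svc_adfs'   # placeholder AD FS service account

# Intranet: Negotiate (Kerberos, NTLM fallback) first, forms as fallback for clients that
# cannot do WIA. Extranet: forms plus certificate (smart card) sign-in; WIA is not offered
# to browsers through the proxy.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication', 'CertificateAuthentication')

# Kerberos prerequisite 1: HOST/<service name> must be registered on the service account and
# on nothing else. A duplicate SPN makes the KDC refuse the ticket and clients silently
# fall back to NTLM or forms.
$spn    = "HOST/$serviceName"
$owners = setspn -Q $spn | Where-Object { $_ -match '^CN=' }
if ($owners.Count -gt 1) { throw "Duplicate SPN $spn registered on: $($owners -join '; ')" }
if (-not ((setspn -L $serviceAcct) -match [regex]::Escape($spn))) {
    setspn -S $spn $serviceAcct    # -S refuses to add the SPN if another account already has it
}

# Kerberos prerequisite 2 (client side, run as the user): place the service name in the
# Local intranet zone (ZoneMap value 1) so the browser sends Negotiate without prompting.
# In production this is normally pushed by Group Policy site-to-zone assignment.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adatum.com\adfs'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Non-IE browsers are only offered WIA when their user agent is on this list.
(Get-AdfsProperties).WIASupportedUserAgents
```

Re-run the SPN check after any change of service account: the SPN stays on the old account unless it is moved, which is the most common cause of Kerberos sign-in silently degrading to NTLM.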

Permissions requirements
For deployment and the initial configuration of AD FS, you must have domain administrator permissions
in the Active Directory domain to which the federation server is joined.

Additional Reading: For more information about the AD FS requirements, refer to:
http://aka.ms/m2kpbf

Configuring SSO with Microsoft Azure virtual machines


Deploying a federation service imposes significant resource and management overhead on an
organization. This is particularly true for small to medium-sized enterprises, where the move to Office 365
is driven by a desire to move mission-critical IT to the cloud. As a result, the requirement to maintain
on-premises AD FS infrastructure in order to provide access to cloud resources can seem retrograde. For
this reason, the option to migrate the federation service to the cloud as well should be considered.

Virtual machines on Azure


Deploying all the Office 365 federation components on virtual machines on Azure provides some
advantages over an on-premises deployment. These advantages include rapid implementation,
predictable costs, and no requirement for additional on-premises servers. Alternatively, you can host a
subset of the federation components in Azure while deploying some components on-premises.

Although additional options are possible, these are the three optimal deployment scenarios:

All Office 365 SSO integration components deployed on-premises. This is the traditional approach. In
this scenario, you deploy directory synchronization and AD FS when you use on-premises servers.

All Office 365 SSO integration components deployed in Azure. This is the new, cloud-only approach.
In this scenario, you deploy directory synchronization and AD FS in Azure. This eliminates the need to
deploy on-premises servers.

Some Office 365 SSO integration components deployed in Azure for disaster recovery. This is a mix
of on-premises and cloud-deployed components. In this scenario, you deploy directory
synchronization and AD FS primarily on-premises, and add redundant components in Azure for
disaster recovery.

When planning to deploy these services to Microsoft Azure, you should consider:

Active Directory domain controllers in Microsoft Azure. Because AD FS requires access to AD DS, AD FS
servers hosted in Azure need a domain controller that they can reach: install an Active Directory domain
controller on a Microsoft Azure virtual machine alongside them.

AD FS in Microsoft Azure. In the third scenario described above, you would deploy AD FS on-premises
and on a virtual machine on Azure for redundancy. In case of a disaster, the failover between the on-
premises infrastructure and the hosted infrastructure is a manual operation. The failover procedures
require changing DNS records for AD FS. Until the change is effective and DNS records are
propagated, clients are unable to access Office 365 services. As such, end users would still experience
a downtime during the failover.

Directory synchronization services in Microsoft Azure. In the third scenario described above, you
would deploy directory synchronization on-premises and on a Microsoft Azure virtual machine for
redundancy. In case of a disaster, the failover between the on-premises infrastructure and the hosted
infrastructure is a manual operation. The failover procedures require the re-installation of the Azure
Active Directory Connect tool on a standby Azure virtual machine. Because directory synchronization
is required only for directory object changes, existing users can continue to access Office 365 services
with little to no disruption until the service is restored.

VPN connection to Microsoft Azure. A VPN connection is required between your corporate network
and Microsoft Azure to support directory synchronization traffic and AD DS replication to the domain
controller in Azure.

Lesson 3
Deploy AD FS for identity federation with Office 365
In this lesson, you will learn how to deploy AD FS for SSO with Office 365. Based on your planning, your
deployment may include multiple servers, with different server roles, in various logical networks. Your
deployment methodology might vary if you are implementing directory synchronization, if you are
adding a new domain to Office 365, or if you are converting an existing domain in Office 365.

Lesson Objectives
After completing this lesson, you should be able to:

Install the AD FS server role.

Install and configure AD FS Proxy.

Install and configure Web Application Proxy.

Configure the AD FS server role for federation with Office 365.

Describe how to use the Azure AD Connect tool to configure AD FS and Web Application Proxy.

Convert the Office 365 tenant to federated authentication, including the implications.

Manage the AD FS server, including the certificates, migration to another server, and troubleshooting.

Verify a successful implementation of SSO.

Describe how to temporarily fall back to password synchronization.

Installing and configuring AD FS


Before deploying your federation service, you will need to prepare the environment for the installation of
AD FS. This might include preparing the configuration database, any required service accounts and
certificates, and preparing the DNS host records for access from inside and outside the corporate network.

SQL Server
If you plan to host the configuration database for the AD FS federation server farm in Microsoft SQL
Server, you should deploy the SQL Server instance prior to installing the first federation server. In
Windows Server 2012 R2 and later, AD FS supports two options for high availability of your federation
server farm using SQL Server. You should consider one of these options when preparing for the
configuration database:

SQL Server AlwaysOn Availability Groups

SQL Server merge replication, in support of geographically distributed high availability

Additional Reading: For more information, refer to: Federation Server Farm Using SQL
Server at: http://aka.ms/mok3lw

Service account
If possible, you should consider using a Group Managed Service Account (gMSA) for AD FS. During
deployment, the AD FS Installation Wizard creates and configures a gMSA automatically if you have
appropriate permissions to AD DS. Otherwise, you should create a gMSA in advance of the AD FS
federation server deployment.

If you are not able to use a gMSA, create a standard service account in AD DS and configure its
password never to expire, prior to deploying the AD FS federation server. This service account requires
the following access rights on the AD FS federation server:
Log on as a service

Log on as a batch job

Certificate
Although you can import the certificate during AD FS installation, you will need to request the
appropriate SSL certificate for AD FS from a publicly trusted certification authority (CA) prior to
deployment. Upon receiving the certificate from the CA, install it in the Personal certificate store on the
AD FS federation server. If you are deploying a federation server farm, the Subject name (or common
name (CN)) on the SSL certificate must match the federation service name, or the certificate must be a
wildcard certificate for that DNS namespace. This certificate should be installed in the Personal certificate
store on each of the federation servers in the farm.

DNS
In addition to AD DS, DNS is one of the primary network services that are critical to the operation of
AD FS. DNS records let users and other service providers locate your federation service over the Internet
and on your corporate network.

When configuring DNS to support AD FS, you should consider the following:

If you are deploying a federation server farm, create a DNS host record on your internal DNS servers
for the cluster DNS name of your NLB federation server farm.

If you are deploying a standalone federation server, create a DNS host record on your internal DNS
servers for the DNS name of your federation server.

If you are deploying a federation proxy array, create a DNS host record on your perimeter DNS servers
for the load-balanced DNS name of your AD FS proxy server array or your Web Application Proxy
server array.

If you are deploying a standalone federation proxy server, create a DNS host record on your perimeter
DNS servers for the DNS name of your AD FS proxy server or your Web Application Proxy server.

If you are not deploying a federation proxy, create a DNS host record on your perimeter DNS servers
for the cluster DNS name of your NLB federation server farm, or for the DNS name of your standalone
federation server.

Note: You should not use CNAME records for the federation service name.
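The host records above can be created with the DnsServer module, and the CNAME rule enforced at the same time. This is an added example and not part of the course text; the zone adatum.com, the record name adfs, the two DNS servers and both VIPs are placeholders. The same record name deliberately gets a different address on the internal and the perimeter server, which is what the split-brain layout in the list requires.

```powershell
Import-Module DnsServer

# Where each copy of the record lives and what it must point to (placeholders).
$zone    = 'adatum.com'
$name    = 'adfs'
$targets = @{
    'dc01.adatum.com'            = '10.0.1.50'     # internal DNS: federation farm VIP
    'dns01.perimeter.adatum.com' = '203.0.113.10'  # perimeter DNS: Web Application Proxy VIP
}

foreach ($server in $targets.Keys) {
    $ip = $targets[$server]

    # A CNAME for the service name breaks the WIA endpoints and cannot coexist with an A record.
    $cname = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name $name `
                                         -RRType CName -ErrorAction SilentlyContinue
    if ($cname) {
        Write-Warning "$server : replacing CNAME $name.$zone with an A record"
        Remove-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name $name -RRType CName -Force
    }

    $a = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name $name `
                                     -RRType A -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $a) {
        Add-DnsServerResourceRecordA -ComputerName $server -ZoneName $zone -Name $name -IPv4Address $ip
    } elseif ($a.RecordData.IPv4Address.IPAddressToString -ne $ip) {
        # Update a stale address in place instead of leaving two A records behind.
        $new = $a.Clone()
        $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($ip)
        Set-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -OldInputObject $a -NewInputObject $new
    }
    "$server : $name.$zone -> $ip"
}
```

If the perimeter zone is not a separate server but a public zone hosted elsewhere, only the internal half applies; the public record is then created at the registrar or DNS provider with the proxy VIP.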

Install AD FS
In Windows Server 2012 R2 and later, AD FS is installed from Server Manager as a role. The Server
Manager Configuration Wizard performs validation checks and automatically installs all the services
required by AD FS. The AD FS server role includes Windows PowerShell cmdlets that you can use to
perform Windows PowerShell-based deployment of AD FS servers and proxies.

To install the AD FS server role, use the Server Manager Add Roles and Features Wizard, and select the
AD FS server role. The Add Roles and Features Wizard automatically selects the .NET Framework, and
AD FS Management Tools features. No other features are required.

Configure AD FS
When the AD FS role is installed, the Add Roles and Features Wizard provides you the option to start the
AD FS Configuration Wizard to configure the AD FS server. The steps for the AD FS Configuration Wizard
vary depending on whether you are creating the first federation server in a federation server farm or
adding a federation server to a federation server farm. You also can start the AD FS Configuration Wizard
from Server Manager, Tools menu, or from the Start screen.

Create the first federation server in a federation server farm


To create the first federation server in a federation server farm:

1. In the AD FS Configuration Wizard, select the option to Create the first federation server in a
federation server farm.

2. On the Connect to AD DS page, select the account that has domain administrator permissions to
AD DS. If the account that you use to install AD FS has the appropriate permissions, then leave the
default option and proceed. Otherwise, change it to the appropriate account. The account that you
select should not be the credentials of your service account.

3. On the Specify Service Properties page, select the corresponding certificate from the SSL certificate
list (or import the SSL certificate if you did not install it prior to installation), and then specify the
Federation Service Name of the federation server farm.

4. On the Specify Service Account page, specify the credentials of the appropriate service account for
AD FS.

5. On the Specify Configuration Database page, select the option either to create a database using
WID, or to specify the location, host name, and instance of an existing SQL Server database.

6. On the Review Options page, the wizard displays your selections, including your service account
actions.
o If you chose to use a WID database, the wizard notes that this is the primary server in the farm
and that the WID database is installed.

o If you chose to use an existing SQL Server database, the wizard will note that this will be the first
server in the server farm, and will provide the connection string details for connecting to SQL
Server to retrieve the configuration.

7. On the Pre-requisite Checks page, the wizard displays the results of the prerequisite check before
proceeding to the installation of AD FS.

Note: Alternatively, you can use the Windows PowerShell cmdlet Install-AdfsFarm to
deploy the first federation server in a federation server farm.

Add a federation server to a federation server farm


To add additional servers to an AD FS server farm:

1. In the AD FS Configuration Wizard, select the Add a federation server to federation service farm
option.

2. On the Connect to AD DS page, select the account that has domain administrator permissions to
AD DS. If the account that you use to install AD FS has the appropriate permissions, then leave the
default option and proceed. Otherwise, change it to the appropriate account. The account that you
select should not be the credentials of your service account.

3. On the Specify Farm page, specify the name of the primary federation server in a farm using WID, or
specify the database host name and the instance name of an existing federation server farm using
SQL Server.

4. On the Specify SSL Certificate page, select the corresponding certificate from the SSL certificate list,
or import the SSL certificate if you did not install it prior to installation. As opposed to the other
installation option, you are not required to specify the federation service name of the federation
server farm. This is because the wizard is already aware of the federation service name based on
database information that you provided earlier.

5. On the Specify Service Account page, specify the credentials of the appropriate service account for
AD FS. The account you specify must be the same account as the one used on the primary federation
server in the farm.

6. On the Review Options page, the wizard displays your selections.


o If you chose to use a WID database, the wizard notes that this is the secondary server in the farm
and that the WID database is installed and replicated from the primary server in the farm.

o If you chose to use an existing SQL Server database, the wizard notes the connection string
details for connecting to SQL Server to retrieve the configuration.

7. On the Pre-requisite Checks page, the wizard displays the results of the prerequisite check before
proceeding to the installation of AD FS.

Note: Alternatively, you can use the Windows PowerShell cmdlet Add-AdfsFarmNode to
add a federation server to a federation server farm.
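Both wizard procedures above (creating the first federation server and adding a server to the farm) map onto the Install-AdfsFarm and Add-AdfsFarmNode cmdlets mentioned in the notes. The following script is an added example that is not part of the course text; the service name adfs.adatum.com, the gMSA ADATUM\gmsa-adfs$, the display name, the primary server name adfs01.adatum.com and the SQL connection string are placeholders, and it assumes the forest already has a KDS root key so that the gMSA can be created.

```powershell
param(
    [ValidateSet('First', 'Additional')][string]$Role = 'First',
    [string]$FederationServiceName = 'adfs.adatum.com',
    [string]$Gmsa                  = 'ADATUM\gmsa-adfs$',
    [string]$PrimaryComputerName   = 'adfs01.adatum.com',   # WID farms only
    [string]$SqlConnectionString                             # empty = Windows Internal Database
)
Import-Module ADFS

# Wizard step "Specify Service Properties" / "Specify SSL Certificate": pick the certificate
# from the local Personal store by subject (exact name, or a wildcard for the same DNS
# namespace) and insist on a private key, which is what the wizard would accept.
$domain  = $FederationServiceName -replace '^[^.]+\.'
$pattern = '^CN=(' + [regex]::Escape($FederationServiceName) + '|\*\.' + [regex]::Escape($domain) + ')(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No SSL certificate with a private key for $FederationServiceName in LocalMachine\My" }

# Wizard step "Specify Service Account": the same gMSA on every node. Install-AdfsFarm
# creates it when the caller is a domain admin and the forest already has a KDS root key.
$common = @{
    CertificateThumbprint         = $cert.Thumbprint
    GroupServiceAccountIdentifier = $Gmsa
}
# Wizard step "Specify Configuration Database": omit for WID, supply for SQL Server.
if ($SqlConnectionString) { $common.SQLConnectionString = $SqlConnectionString }

if ($Role -eq 'First') {
    Install-AdfsFarm @common -FederationServiceName $FederationServiceName `
                             -FederationServiceDisplayName 'A. Datum Corporation'
} else {
    # A WID node locates the primary by name; a SQL node reads the service name from the database.
    if (-not $SqlConnectionString) { $common.PrimaryComputerName = $PrimaryComputerName }
    Add-AdfsFarmNode @common
}

# Post-install check: Role is PrimaryComputer on the first node and SecondaryComputer on the
# others, and a secondary should show a successful LastSyncStatus once it has pulled the config.
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus

# Usage:   .\Deploy-AdfsNode.ps1 -Role First
#          .\Deploy-AdfsNode.ps1 -Role Additional -PrimaryComputerName adfs01.adatum.com
#          .\Deploy-AdfsNode.ps1 -Role First -SqlConnectionString 'Data Source=sql01.adatum.com;Integrated Security=True'
```

The certificate lookup is deliberately strict: a certificate whose subject only matches on a SAN entry, or one imported without its private key, is exactly what the wizard's pre-requisite check rejects, so failing early here saves a half-configured node.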

Update AD FS
To ensure your AD FS environment is reliable and stable, you should install the recommended updates for
AD FS. After installing and configuring your AD FS federation servers, you can use Microsoft Update to
check for available updates.

Installing and configuring AD FS proxy


After deploying the AD FS federation server farm, you can begin implementing the AD FS proxy server. In
preparation for deploying your AD FS proxy server, you will need to configure a few items before installing
the AD FS proxy server.

Note: You can deploy the AD FS Proxy only on Windows Server 2012 or earlier Windows Server operating
systems. On Windows Server 2012 R2 or later, you deploy the Web Application Proxy instead to proxy the
AD FS federation service.

Certificates
The certificates that you use in the deployment should be obtained and installed into the Personal
certificate store on the AD FS Proxy computer. The CN on each certificate must match the AD FS service
name. When exporting certificates ready for use on the AD FS Proxy, it is important to ensure that the
private key is included in the export. Once imported to a local computer personal store, the certificate is
ready for binding in IIS as soon as IIS and the AD FS Proxy role are installed.

Load balancing
When you deploy two or more AD FS Proxy servers in an array, you will also need to configure them for
network load balancing. You can accomplish this with hardware, which is recommended for large
deployments, or with software, which is recommended for small to medium deployments. For software
load balancers, you can enable NLB for the AD FS Proxy array.

DNS
DNS host records should also be configured on the DNS servers in the perimeter network prior to
installing the AD FS Proxy servers. Since the AD FS Proxy is typically placed in the perimeter network, it is
recommended that you:

Configure the proxy to use external DNS servers for external name resolution.

Add internal hostnames that the proxy needs to resolve, such as the internal AD FS farm, to the Hosts
file on the proxy.

Note: You should not use CNAME records for the AD FS proxy server name.

Install AD FS Proxy
In Windows Server 2012, AD FS proxies are installed from the Server Manager as a role, using the same
Server Manager Configuration wizard pages that were used to install AD FS servers. The configuration
wizard performs validation checks and automatically installs all the services required by the AD FS Proxy.
In a production environment, the AD FS proxy server should be placed in the perimeter network (also
known as screened subnet), not in the internal corporate LAN.

To install the AD FS proxy role, use the Server Manager Add Roles and Features Wizard, and select the
Active Directory Federation Services server role. The Add Roles and Features Wizard automatically
selects the .NET Framework, IIS, and Windows Process Activation Service features. On the Select role
services page, clear the Federation Service check box, and select the Federation Service Proxy check
box.

IIS runs once the role is installed successfully. The next task is to assign the public certificate to the default
website on the AD FS Proxy server, in order to secure the traffic between the AD FS Proxy and client
computers, and between the AD FS Proxy and AD FS itself. In IIS Manager, edit the site bindings, and in the
SSL certificate list, select the previously imported certificate.

Configure AD FS Proxy
When the AD FS Proxy role is installed, the AD FS Federation Services Proxy Configuration Wizard
runs to configure the AD FS Proxy server. You can also run the AD FS Federation Services Proxy
Configuration Wizard from the Tools menu in Server Manager, or by running FspConfigWizard.exe,
which is located at C:\Windows\ADFS\.

In the AD FS Federation Services Proxy Configuration Wizard, on the Specify Federation Service
Name page, verify that the correct federation service name is displayed. Click Test Connection to verify a
connection to the Federation Service, and enter credentials for the AD FS service account. These
credentials are necessary to establish a trust between this federation server proxy and the Federation
Service. By default, only the service account used by the Federation Service or a member of the local
BUILTIN\Administrators group can authorize a federation server proxy.

Update AD FS Proxy
To ensure your AD FS environment is reliable and stable, you should install the recommended updates for
the AD FS Proxy server. After you install and configure your AD FS Proxy servers, you can use Microsoft
Update to check for available updates.

Note: For more information on all the available updates for AD FS, refer to:
http://aka.ms/pkvgbq

Specifying a custom proxy forms sign-in page


The default sign-in page displays the federation service name, text boxes in which to enter the user name
and password, and text to describe user name format. This page can be customized. For example, you can
include a logo, change example and instruction text, change the page title, remove or change the
federation service name display, and add an "Authorized Use" disclaimer or other text at the bottom of
the page.

Additional Reading: For more information on customizing the proxy forms sign-in page,
see Customizing the AD FS forms based login page at: http://aka.ms/jyk1xa

Non-Microsoft proxy
You might prefer to use another company's proxy to publish the AD FS federation servers rather than
employ AD FS server proxies. If you plan to deploy a non-Microsoft proxy, it must be configured to do the
following:

Send an HTTP header named x-ms-proxy. The value of this header should be the DNS name of the
proxy host.

Send an HTTP header named x-ms-endpoint-absolute-path. The value of this header should be set to
the name of the proxy endpoint that receives the request.

If these headers are not configured, an AD FS 2.0 federation server proxy must be deployed behind the
non-Microsoft proxy.

Note: For more information about using a non-Microsoft proxy as a replacement to an
AD FS 2.0 federation server proxy, refer to: http://aka.ms/htsrqu

Installing and configuring Web Application Proxy for AD FS


In preparation for deploying your federation service, you might need to prepare a few items before you
install Web Application Proxy. However, you should not begin implementing the Web Application Proxy
until you have deployed the AD FS federation server farm.

Note: You can deploy the Web Application Proxy only on Windows Server 2012 R2 or later. On Windows
Server 2012 or earlier, you deploy the AD FS proxy instead to proxy the federation service.

Certificate

As you are not able to import the certificate during installation of Web Application Proxy, you need to
request the appropriate SSL certificate for Web Application Proxy from a publicly trusted CA prior to
deployment. Upon receiving the certificate from the CA, you must install it in the Personal certificate
store on the Web Application Proxy server.

We recommend that you use the same SSL certificate on the Web Application Proxy as on the AD FS
federation server farm. It must be the same certificate when Windows Integrated Authentication
endpoints are published through the Web Application Proxy with Extended Protection for Authentication
enabled. If this scenario applies to your AD FS environment, export the SSL certificate, including its private
key, from one of the federation servers in the farm, and then import it into the Personal certificate store
on the Web Application Proxy server.

With either scenario, if you deploy more than one Web Application Proxy server in support of your AD FS
environment, you need to import the appropriate SSL certificate to each of the additional Web
Application Proxy servers prior to installing Web Application Proxy. This applies to wildcard certificates as
well.

Load balancing
When you deploy two or more Web Application Proxy servers in an array, you will need to configure them
for NLB. You can accomplish this with hardware, which is recommended for large deployments, or with
software, which is recommended for small-to-medium deployments. For software load balancers, you can
enable NLB for the Web Application Proxy array.

DNS
You should configure a DNS host record on the perimeter DNS servers prior to installing the Web
Application Proxy server. Because the Web Application Proxy server is typically placed in the perimeter
network, we recommend that you:

Configure the Web Application Proxy server to use external DNS servers for external name resolution.

Add an internal hostname that the Web Application Proxy server needs to resolve, such as the
internal AD FS farm, to the Hosts file on the Web Application Proxy server.

Note: You should not use CNAME records for the Web Application Proxy server name.

Install Web Application Proxy


In Windows Server 2012 R2 and later, Web Application Proxy is installed from Server Manager as a role
service. The Server Manager Configuration Wizard performs validation checks and automatically installs
the services required by Web Application Proxy. The Web Application Proxy role service includes Windows
PowerShell cmdlets that you can use to perform Windows PowerShell-based deployment.

To install the Web Application Proxy server role service, use the Server Manager Add Roles and Features
Wizard, and select the Remote Access server role. On the Role services page, select the Web Application
Proxy role service. The Add Roles and Features Wizard automatically installs the required features,
including the Remote Access Management Console.

Note: Alternatively, you can use the Windows PowerShell cmdlet Install-WindowsFeature
Web-Application-Proxy to install the Web Application Proxy server role service.

Configure Web Application Proxy


After the Web Application Proxy role service is installed, you need to launch the Remote Access
Management Console to configure Web Application Proxy for publishing AD FS. You can start the
Remote Access Management Console from the Tools menu in Server Manager, or from the Start screen.
The steps for configuring each Web Application Proxy server in your environment for AD FS are the same:
1. In the Remote Access Management console, select the option to run the Web Application Proxy
Configuration Wizard.

2. On the Federation Server page, specify the name of the federation service farm and use credentials
of an account with local administrator permissions on the AD FS federation servers.

3. On the AD FS Proxy Certificate page, select the appropriate SSL certificate to complete the
configuration.

Note: Alternatively, you can use the Windows PowerShell cmdlet Install-
WebApplicationProxy to configure Web Application Proxy for publishing AD FS.
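The certificate, DNS and configuration steps for the Web Application Proxy described above, as one added script that is not part of the course text. The service name adfs.adatum.com, the farm VIP 10.0.1.50 and the PFX path are placeholders; Export-FarmSslCertificate runs on a federation server, Install-AdfsWebApplicationProxy on the new proxy, and the trust credential is any account that is a local administrator on the federation servers, as the wizard step requires.

```powershell
function Export-FarmSslCertificate {
    param([string]$FederationServiceName, [string]$PfxPath, [securestring]$PfxPassword)
    # The farm's current SSL binding identifies the certificate (and private key) to export.
    $thumb = (Get-AdfsSslCertificate | Where-Object HostName -eq $FederationServiceName |
              Select-Object -First 1).CertificateHash
    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" -FilePath $PfxPath -Password $PfxPassword | Out-Null
    # Copy the PFX to the proxy out of band and delete it from both hosts afterwards.
}

function Install-AdfsWebApplicationProxy {
    param([string]$FederationServiceName, [string]$FarmVip, [string]$PfxPath,
          [securestring]$PfxPassword, [pscredential]$FarmAdminCredential)

    # 1. Import the certificate and insist on a private key and a trusted chain: the proxy
    #    cannot bind a certificate it cannot use, and an untrusted chain breaks every client.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        throw ('Chain not trusted on this proxy: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
    }

    # 2. The proxy must resolve the service name to the internal farm VIP, not to its own
    #    public VIP. With external DNS only, a HOSTS entry does this.
    $hosts   = "$env:SystemRoot\System32\drivers\etc\hosts"
    $pattern = '^\s*' + [regex]::Escape($FarmVip) + '\s+' + [regex]::Escape($FederationServiceName) + '\s*$'
    if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
        Add-Content -Path $hosts -Value "$FarmVip`t$FederationServiceName"
    }
    $resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object IPAddressToString
    if ($resolved -notcontains $FarmVip) { throw "Proxy resolves $FederationServiceName to $($resolved -join ', ')" }

    # 3. Install the role service and establish the proxy trust with the farm.
    Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null
    Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                                -CertificateThumbprint $cert.Thumbprint `
                                -FederationServiceTrustCredential $FarmAdminCredential

    # 4. Report the trust state so that a failed handshake is visible immediately.
    Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ConnectedServersName
    Get-Service -Name appproxysvc, adfssrv -ErrorAction SilentlyContinue | Select-Object Name, Status
}

# Usage on a federation server:
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Export-FarmSslCertificate -FederationServiceName 'adfs.adatum.com' -PfxPath 'C:\Temp\adfs-ssl.pfx' -PfxPassword $pw
# Usage on the proxy:
#   Install-AdfsWebApplicationProxy -FederationServiceName 'adfs.adatum.com' -FarmVip '10.0.1.50' `
#       -PfxPath 'C:\Temp\adfs-ssl.pfx' -PfxPassword $pw `
#       -FarmAdminCredential (Get-Credential -Message 'Local admin on the AD FS federation servers')
```

The HOSTS check uses the operating system resolver rather than a DNS query on purpose: it is the resolver, not DNS, that the proxy service uses when it connects to the farm, so that is what has to return the internal VIP.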

Update Web Application Proxy


To ensure that your AD FS environment is reliable and stable, you should install the recommended
updates for Web Application Proxy. After installing and configuring your Web Application Proxy servers,
you can use Microsoft Update to check for available updates.

Configuring AD FS by using Azure AD Connect


SSO allows your users to access Microsoft cloud services with their on-premises AD DS credentials. When
preparing your environment to support SSO, you must deploy both an STS infrastructure and Active
Directory synchronization. In most environments, these required tools are AD FS and Azure AD Connect,
respectively.

Prior to Azure AD Connect, directory synchronization tools required that you deploy these tools
separately. Although the recommended order of deployment is well documented, for example, that AD FS
should be deployed prior to directory synchronization, organizations still ran into deployment issues
because of poor planning. Many of these issues and their corresponding resolutions are well documented
as well. However, with proper planning you can avoid many of the same mistakes when deploying SSO.

To mitigate some of the issues during deployment, Azure AD Connect employs strategic questions to
provide an easier deployment experience for synchronization and for sign-in. While you can choose to
deploy the tools separately, you also can use an optional part of Azure AD Connect to set up a hybrid
environment using an on-premises AD FS infrastructure. You then can use this part to address complex
deployments that include such things as domain-joined SSO, enforcement of Active Directory sign in
policy, and smart card or non-Microsoft MFA.

Configuring AD FS
The following list is of requirements that must be met before you can use Azure AD Connect to deploy
AD FS:

A Windows Server 2012 R2 or later server for the federation server with remote management
enabled.

A Windows Server 2012 R2 or later server for the Web Application Proxy server with remote
management enabled.

An SSL certificate for the federation service name that you intend to use (for example,
adfs.adatum.com).

You can use Azure AD Connect to deploy AD FS in the following scenarios:


Create a new AD FS farm or use an existing AD FS farm. During deployment, you can specify an
existing AD FS farm or you can choose to create a new AD FS farm. If you choose to create a new
AD FS farm, you are required to provide the SSL certificate. If the SSL certificate is protected by a
password, you are prompted to provide the password.

Deploy one or more AD FS federation servers. You can deploy one or more AD FS federation servers
by identifying the specific servers on which you want to install AD FS. The servers must be joined to
an Active Directory domain prior to performing this configuration. You can deploy additional AD FS
federation servers when you rerun Azure AD Connect, based on your capacity planning needs.

Deploy one or more Web Application Proxy servers. You can deploy one or more Web Application
Proxy servers when you identify the specific servers on which you want to install the Web Application
Proxy. Since the Web Application Proxy is deployed in your perimeter network, the server running
Azure AD Connect requires remote access to the server. You can deploy additional Web Application
Proxy servers when you rerun Azure AD Connect, based on your capacity planning needs. If you
choose to deploy Web Application Proxy servers, you are required to provide the credentials of a
local admin on the AD FS federation server for the Web Application Proxy to request a certificate
from the AD FS federation server.

Configure the AD FS service account. You can configure the domain service account that is required
by the AD FS federation service to authenticate users and look up user information in AD DS. You can
use this feature to configure the two types of service accounts supported by AD FS:

o gMSA. This type of service account allows AD FS to use a single service account without needing
to update the account password periodically. The gMSA requires a Windows Server 2012 domain
controller in the Active Directory domain to which the AD FS servers are joined. If you are logged
in as a domain administrator, Azure AD Connect will automatically create the gMSA.

o Domain User Account. Based on your company's security policies, this type of service account
might require you to periodically update the password. This option is limited only to selecting an
existing domain user account scenario. Azure AD Connect does not create the domain user
account if the account does not exist in AD DS.

Configure the federated Azure AD domain. This configuration is used to set up the federation
relationship between your AD FS environment and Azure AD. It configures AD FS to issue security
tokens to Azure AD, and configures Azure AD to trust the tokens from AD FS federation service. While
this option limits you to configuring a single domain the first time you install Azure AD Connect, you
can configure additional domains at any time when you rerun the Azure AD Connect installation
wizard.

Configuring AD FS for federation with Office 365

After deploying the AD FS federation servers and the AD FS proxy servers or Web Application Proxy
servers, you must complete the following additional tasks to complete the AD FS federation
configuration:

Set up DNS records for the AD FS federation service name (for example, adfs.adatum.com) on both the
intranet and the extranet. For the intranet DNS record, ensure that you use host (A) resource records and
not CNAME records. This is required for Windows Integrated Authentication to work properly from your
domain-joined computers.

If you are deploying more than one AD FS server or Web Application Proxy server, ensure that you
have configured your load balancer and that the DNS records for the AD FS federation service name
point to the load balancer.

For Windows Integrated Authentication to work properly for clients using Internet Explorer on your
intranet, ensure that the AD FS federation service name is added to the intranet zone in Internet
Explorer for each client. You can manage this via Group Policy and deploy it to all your domain-joined
computers.

Configure authentication mechanisms


When enabling the global authentication policy for AD FS, you can define the following options:

Enable device authentication with Device Registration Service.


Mandate the use of more secure authentication methods.

Set MFA requirements.

MFA
You can specify an authentication policy at a global scope that is applicable to all applications and
services that are secured by AD FS. You also can set authentication policies for specific applications and
services (relying party trusts) that are secured by AD FS. If either the global authentication policy or the
relying party trust authentication policy requires MFA, MFA is triggered when the user tries to
authenticate to the relying party trust.

To configure MFA in AD FS you must:

Specify the settings or conditions under which MFA is required:

o You can require MFA for specific users and groups in the Active Directory domain to which your
federation server is joined.

o You can require MFA for either registered (workplace joined) or unregistered (not workplace
joined) devices.

o You can require MFA when the access request for the protected resources comes from either the
extranet or the intranet.

Select an additional authentication method:

o For extranet resources, Forms Authentication is selected by default. In addition, you also can
enable certificate authentication.

o For intranet resources, Windows Integrated Authentication is selected by default. In addition,
you also can enable forms authentication, or certificate authentication, or both.

Enable Device Registration Service for Workplace Join


You can enable the Device Registration Service on your AD FS federation servers after installing and
configuring them. As discussed earlier in the module, part of the Device Registration Service enables
Workplace Join, which provides users' supported devices with an onboarding mechanism for SSO and
conditional access to on-premises company resources.

To support Workplace Join, you must enable the Device Registration Service with the following Windows
PowerShell cmdlets:

# Run the following from one of the AD FS servers:
Enable-AdfsDeviceRegistration -PrepareActiveDirectory
# When prompted, use the gMSA credentials in the format domain\gMSA$
# Run the following on each node in the AD FS farm:
Enable-AdfsDeviceRegistration
# You should receive a message that device registration was successfully enabled

Configure conditional access control


Before enabling your users for SSO, you might need to assess whether all users should have access to
Office 365 in every scenario. Access control in AD FS is implemented with issuance authorization claim
rules that issue permit or deny claims, which determine whether a user or a group of users is allowed to
access Office 365 services. Authorization rules can only be set on relying party trusts, and the default
template options include:

Permit All Users. When you use the Permit All Users rule template, all users will have access to the
relying party. However, you can use additional authorization rules to further restrict access.

Permit access to users with this incoming claim. When you use the Permit or Deny Users Based on an
Incoming Claim rule template to create a rule and set the condition to permit, you can permit specific
users access to the relying party based on the type and value of an incoming claim. For example, you
can use this rule template to create a rule that will permit only users that have a group claim with a
value of Domain Users.

Deny access to users with this incoming claim. When you use the Permit or Deny Users Based on an
Incoming Claim rule template to create a rule and set the condition to deny, you can deny users
access to the relying party based on the type and value of an incoming claim. For example, you can
use this rule template to create a rule that will deny all users that have a group claim with a value of
Domain Admins.

Note: If one rule permits a user to access the relying party, and another rule denies the
user access the relying party, the deny access overrides the permit access and the user is denied
access to the relying party.

Just a few of the scenarios where you might configure conditional access control include:

Block all extranet client access to Office 365.

Block all extranet client access to Office 365, except for devices accessing Exchange Online for
Exchange ActiveSync.

Block all extranet client access to Office 365, except for members of specific Active Directory groups.

Permit access to Office 365, but only if the access request is coming from a workplace-joined device
that is registered to the user.

Permit access to Office 365, but only if the user's identity was validated with MFA.

Permit access to Office 365, but only if the access request is coming from a workplace-joined device
that is registered to a user whose identity has been validated with MFA.

Note: For more information about limiting access to Office 365 services based on the
location of the client, refer to: http://aka.ms/gs1054
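As an added example (not from the course and not Microsoft's own script), the following Windows PowerShell builds an issuance authorization rule set for the Office 365 relying party trust that implements three of the scenarios above: permit all users, deny extranet access except for Exchange ActiveSync and members of one AD DS group, and deny access that was not validated with MFA. It assumes AD FS on Windows Server 2012 R2 or later, that extranet requests arrive through the Web Application Proxy, that the trust still has its default display name, and the group SID is a placeholder.

```powershell
# Added example: conditional access rules for the Office 365 relying party trust.
# Assumes AD FS 2012 R2 or later; the insidecorporatenetwork and
# x-ms-client-application request claims are only populated for requests that
# pass through the Web Application Proxy.

# Placeholder: SID of the AD DS group whose members may sign in from the extranet.
$ExtranetGroupSid = "S-1-5-21-0000000000-0000000000-0000000000-1234"

# Default display name of the trust that Convert-MsolDomainToFederated creates
# (assumption: it has not been renamed in this farm).
$RelyingParty = "Microsoft Office 365 Identity Platform"

# Well-known AD FS claim type URIs used by the rules below.
$Permit     = "http://schemas.microsoft.com/authorization/claims/permit"
$Deny       = "http://schemas.microsoft.com/authorization/claims/deny"
$InsideNet  = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$ClientApp  = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
$GroupSid   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$AuthnRefs  = "http://schemas.microsoft.com/claims/authnmethodsreferences"
$MultiAuthn = "http://schemas.microsoft.com/claims/multipleauthn"

# Rule 1: permit all users. Deny rules that follow still win, because a deny
# claim overrides a permit claim for the same request.
$PermitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "$Permit", Value = "true");
"@

# Rule 2: block extranet requests unless the client is Exchange ActiveSync or
# the user is a member of the allowed group.
$BlockExtranet = @"
@RuleName = "Deny extranet access except ActiveSync and allowed group"
exists([Type == "$InsideNet", Value == "false"])
 && NOT exists([Type == "$ClientApp", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$GroupSid", Value =~ "^(?i)${ExtranetGroupSid}$"])
=> issue(Type = "$Deny", Value = "true");
"@

# Rule 3: deny any request whose authentication did not include MFA. The
# authentication policy must actually require MFA for this rule to be satisfiable.
$RequireMfa = @"
@RuleName = "Deny access without MFA"
NOT exists([Type == "$AuthnRefs", Value == "$MultiAuthn"])
=> issue(Type = "$Deny", Value = "true");
"@

# Setting the rules replaces whatever the trust currently has, so keep a copy
# of the existing rules and review the new text before applying it.
$Existing = (Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
$Existing | Out-File -FilePath "$env:TEMP\o365-authz-rules.bak"

$NewRules = $PermitAll, $BlockExtranet, $RequireMfa -join "`r`n"
Write-Output $NewRules

Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $NewRules

# Confirm what AD FS stored.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
```

Test the result with the pilot users described later in the lesson from both the intranet and the extranet before applying it to the whole organization.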

Best practices
Consider the following best practices when installing and managing AD FS proxies:

AD FS Proxy should not be domain joined, as this would negate one of the key benefits of the AD FS
Proxy in providing a security separation between your on-premises AD DS and external clients.

AD FS Proxy should be placed in the perimeter network and not in an internal LAN, to help ensure
the integrity of the security separation between internal AD DS and external clients.

Use the AD FS Capacity Planning Sizing spreadsheet to ensure that your AD FS Proxies are able to
support the number of external clients that require authentication against the corporate AD DS.

Design a high availability AD FS infrastructure that includes highly available proxies, to ensure that
external clients are always able to authenticate against the corporate AD DS.

Verify that required ports are open on the firewall.

Do not mix AD FS Proxy and other roles on the same server, to help ensure the availability and
security of AD FS.

Develop test cases for all browsers, and for internal and external clients, to ensure that all users can
use SSO from all supported devices.

Ensure that all hotfixes and the .NET Framework version are up to date.

Ensure that certificates are configured correctly, and are exported and backed up to include the
private key.

Converting the Office 365 tenant to federated authentication

To enable SSO with Office 365, you need to download and install the Microsoft Azure Active Directory
Module for Windows PowerShell. Once installed, you will use Windows PowerShell to configure your
Office 365 domain for federated authentication.

Install Azure AD Module for Windows PowerShell

The Azure AD Module for Windows PowerShell is a download that helps you manage your organization's
data in Azure AD. This module installs a set of cmdlets to Windows PowerShell; you run those cmdlets to
set up SSO access to Azure AD, and in turn to all of the cloud services to which you are subscribed.

Additional Reading: For more information on how to download and install the cmdlets for
Azure AD Module for Windows PowerShell, refer to: http://aka.ms/lq99g4

Deploy a trust between Azure AD and AD FS


Each domain that you want to federate must either be added as a federated domain, or converted from a
domain with standard authentication to federated authentication (also known as SSO domain). Adding or
converting a federated domain creates a trust between your federation service and your Office 365
tenant.

Note: Setting up the trust is a one-time operation, per domain. If your environment
includes a subdomain (for example, corp.adatum.com) in addition to a top-level domain (for
example, adatum.com), then you should add the top-level domain in your cloud service before
you add any subdomains. When the top-level domain is enabled for SSO, all subdomains are
automatically enabled as well.

When you convert an existing domain to a federated domain, every licensed user in Office 365 becomes a
federated user. This means your users will specify their existing on-premises AD DS credentials to access
their cloud services in Office 365. You should use one of the following procedures to configure your
federated trust with Office 365, depending on whether you need to add a new SSO domain or convert an
existing domain with standard authentication to federated authentication.

When adding a new domain as a federated domain, you should use the Windows PowerShell cmdlet
New-MsolFederatedDomain to enable support for SSO. You should issue all of the following cmdlets in
the Microsoft Azure Active Directory Module for Windows PowerShell as follows:

$cred = Get-Credential # Use your cloud service administrator account credentials.
Connect-MsolService -Credential $cred
Set-MsolAdfscontext -Computer <ADFSprimaryServer> # Step unnecessary if run from the primary AD FS server
New-MsolFederatedDomain -DomainName <domainToAdd>
# Use the information provided by the results of the New-MsolFederatedDomain cmdlet
# to create the required DNS record; this verifies that you own the domain.
# Note that this may take up to 15 minutes to propagate, depending on your registrar.
# It can take up to 72 hours for changes to propagate through the system.
New-MsolFederatedDomain -DomainName <domainToAdd> # The same cmdlet will finalize the process

When converting an existing domain from a domain with standard authentication to federated
authentication, you use the Windows PowerShell cmdlet Convert-MsolDomainToFederated to enable
support for SSO. You should issue all of the following cmdlets in the Microsoft Azure Active Directory
Module for Windows PowerShell as follows.

$cred = Get-Credential # Use your cloud service administrator account credentials.
Connect-MsolService -Credential $cred
Set-MsolAdfscontext -Computer <ADFSprimaryServer> # Step unnecessary if run from the primary AD FS server
Convert-MsolDomainToFederated -DomainName <domainToConvert>
# To verify that the conversion was successful, use the following
# to compare the settings on the AD FS server and in Azure AD:
Get-MsolFederationProperty -DomainName <domainToConvert>
# If the settings do not match, use the following to sync the settings:
Update-MsolFederatedDomain -DomainName <domainToConvert>

Note: If you need to support multiple top-level domains, you must use the
-SupportMultipleDomain switch with the federated domain cmdlets. This includes the
New-MsolFederatedDomain cmdlet when adding an SSO domain, in addition to the
Convert-MsolDomainToFederated and Update-MsolFederatedDomain cmdlets when
converting to an SSO domain.

Managing an AD FS deployment
Although AD FS is deployed to support SSO without much administrative overhead, after you deploy
AD FS there are many management tasks that you might need to perform periodically. While there are
other tasks, here are a few of the most common tasks.

Manage the certificate life cycle

To prevent issues from certificate expiration, the self-signed certificates that AD FS generates support
automatic rollover, which renews AD FS certificates once a year without manual intervention. This AD FS
process, called automatic certificate rollover, generates two new token-signing certificates every year. If
Office 365 is not updated with the new token-signing certificate, no user can sign in to and use Office 365,
because these certificates sign all assertions from the federation server. If an internal PKI is used to issue
the token-signing certificate, AD FS does not provide automatic certificate rollover, and therefore you must
manually renew certificates and update them in your Office 365 tenant.

You can use the AD FS Management console to view certificate expiration dates for the service
communications, token-decrypting, and token-signing certificates. In the console tree, expand Service,
and then click Certificates. You also can use Azure AD Module for Windows PowerShell to view certificate
details, when you use the Windows PowerShell cmdlet Get-ADFSCertificate.

If you prefer to use automatic certificate rollover for managing the lifecycles of your certificates, you will
need to enable the feature in AD FS and install the Microsoft Office 365 Federation Metadata Update
Automation Installation Tool. This feature is enabled in AD FS with the Set-ADFSProperties Windows
PowerShell cmdlet. After installing the tool, you can use the Update-MsolFederatedDomain Windows
PowerShell cmdlet to automatically update the Office 365 service when the AD FS token-signing
certificate renews on an annual basis. This tool should be run as a daily scheduled task on the AD FS
server; otherwise, token-signing certificate renewal on the AD FS server must be monitored manually. The
update tool's scheduled task should only be run on one AD FS server in a federation server farm.

Additional Reading: To learn more about and download the Microsoft Office 365
Federation Metadata Update Automation Installation Tool, go to: http://aka.ms/i1hw8d
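As an added example (not from the course and not part of the update tool), the following function compares the primary token-signing certificate on the AD FS server with the certificate Azure AD currently trusts for a federated domain, and warns when the two differ or when expiry is near while automatic rollover is off. It assumes it is run on the primary AD FS server after Connect-MsolService; the function name and the domain adatum.com are placeholders.

```powershell
# Added example: detect token-signing certificate drift between AD FS and Azure AD.
# Assumes the ADFS and MSOnline modules are loaded and Connect-MsolService has run.

function Test-Office365TokenSigningCertificate {
    param(
        [Parameter(Mandatory = $true)][string] $DomainName,
        [int] $WarnIfExpiringWithinDays = 30
    )

    # The primary token-signing certificate as AD FS sees it.
    $local = Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object { $_.IsPrimary }
    $localThumb = $local.Certificate.Thumbprint
    $daysLeft   = ($local.Certificate.NotAfter - (Get-Date)).Days

    # Get-MsolFederationProperty returns one record per source: the AD FS server
    # and Microsoft Office 365. Keep only what Azure AD holds for the domain.
    $cloud = Get-MsolFederationProperty -DomainName $DomainName |
             Where-Object { $_.Source -like "*Office 365*" }
    $cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
    $cloudNext  = $cloud.NextTokenSigningCertificate.Thumbprint

    # Whether AD FS will renew the certificate on its own.
    $rollover = (Get-AdfsProperties).AutoCertificateRollover

    $result = [pscustomobject]@{
        Domain                = $DomainName
        AdfsThumbprint        = $localThumb
        AzureAdThumbprint     = $cloudThumb
        AzureAdNextThumbprint = $cloudNext
        DaysUntilExpiry       = $daysLeft
        AutoRollover          = $rollover
        # In sync if Azure AD trusts the current certificate as either its
        # active or its announced next token-signing certificate.
        InSync                = ($localThumb -eq $cloudThumb) -or ($localThumb -eq $cloudNext)
    }

    if (-not $result.InSync) {
        Write-Warning ("Azure AD does not trust the current AD FS token-signing certificate for {0}. " +
                       "Run Update-MsolFederatedDomain -DomainName {0} to publish it." -f $DomainName)
    }
    if (($daysLeft -le $WarnIfExpiringWithinDays) -and (-not $rollover)) {
        Write-Warning ("Token-signing certificate expires in {0} days and automatic rollover is disabled; " +
                       "renew it manually and update Office 365. To enable rollover for self-signed " +
                       "certificates: Set-AdfsProperties -AutoCertificateRollover `$true" -f $daysLeft)
    }
    return $result
}

# Placeholder domain name.
Test-Office365TokenSigningCertificate -DomainName "adatum.com"
```

Running this as a scheduled task alongside the update tool gives an independent alert if the published certificate and the one AD FS signs with ever diverge.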

Change the primary/secondary AD FS federation server


If you use WID as the AD FS data store, you can change the primary and secondary federation servers if
you use Azure AD Module for Windows PowerShell. This method allows you to change the database role
setting for the AD FS server, and then change the role.

For example, if you wanted to make the secondary federation server AdfsServer2 the primary federation
server in place of the current primary federation server AdfsServer1, you would use the following procedure:

1. Identify the secondary federation server (AdfsServer2) that will become the primary federation server.

2. From the secondary federation server (AdfsServer2), at the Azure AD Module for Windows PowerShell
prompt, type the following command, and then press Enter:

Set-AdfsSyncProperties -Role PrimaryComputer

3. From the primary federation server (AdfsServer1), at the Azure AD Module for Windows PowerShell
prompt, type the following command, and then press Enter:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName AdfsServer2

The primary federation server becomes a secondary federation server with a read-only WID database, and
the secondary federation server becomes the primary federation server with a read/write WID database
from which other secondary federation servers retrieve their database copies.

Note: Switching AD FS federation server roles does not apply if SQL Server is used as the
AD FS configuration database store. This is because all AD FS federation servers have read/write
access to the SQL Server database.

Verifying SSO
After deploying SSO, you should verify that it is working properly. Because SSO uses multiple layers of
services, systems, and applications to provide users with an SSO experience, you might need to leverage
various tools and methods to validate the SSO functionality, and then diagnose issues with more tools and
methods, if required.

Deploy to pilot users first

Before you deploy SSO in your production environment, you should consider using a pilot group to
validate SSO. While performing a staged rollout of SSO is not possible because all users are enabled for
federation simultaneously, you can deploy SSO to a pilot group of production users from your production
Active Directory domain.

Pilot users should test various sign-in scenarios thoroughly to validate that SSO and the AD FS
deployment are properly deployed and ready for the remaining users in your production environment.
Some of these validations include pilot users accessing cloud services from browsers in addition to rich
client applications (for example, Microsoft Office 2016) in the following environments:

From a domain-joined computer.

From a non-domain-joined computer inside the corporate network.

From a roaming domain-joined computer outside the corporate network.

From the different operating systems that you use in your company.

From a home computer.

From an Internet kiosk (browser only).

From a smartphone, for example a smartphone that uses Exchange ActiveSync.

Verify with Microsoft Remote Connectivity Analyzer


The Microsoft Remote Connectivity Analyzer is a cloud-based, web service tool that enables you to run
connectivity diagnostics from servers in the cloud for testing common issues with Exchange, Lync and
Office 365.

Additional Reading: For more information about the access to the Microsoft RCA tool,
refer to: http://aka.ms/bz5gll

Upon accessing the website, select the Office 365 tab, select Microsoft Single Sign-On, and then click
Next. Follow the screen prompts to perform the test. The analyzer validates your ability to sign in to the
cloud service with your on-premises AD DS credentials, and validates some basic AD FS configuration.

Verify with Microsoft Connectivity Analyzer tool


The Microsoft Connectivity Analyzer tool is a companion to the Microsoft Remote Connectivity Analyzer
website. This tool provides you with the ability to run connectivity diagnostics from your local computer
for five common connectivity symptoms. This allows you to run some of the same connectivity diagnostics
within your corporate network. After you run the tool and save the results, you might be familiar with the
HTML report due to the similarity with results from the RCA website.

You can access the Microsoft Connectivity Analyzer tool from the Microsoft Remote Connectivity Analyzer
website. Upon accessing the website, select the Client tab. The tool is available under the More Tools
section. One of the test scenarios of the tool is I can't log on with Office Outlook. This test is equivalent
to the Microsoft Remote Connectivity Analyzer test for Outlook Anywhere (RPC over HTTP), and
includes an option to run the SSO test that is available on the Parameters page.

Verify federation service


Because SSO has a core dependency on AD FS, you might need to verify the Federation Service on the
AD FS server if you are experiencing issues with SSO in your environment. To verify that the federation
server is operational, use Event Viewer, and check for events with ID 100 in Applications and Services
Logs\AD FS\Admin. This event indicates that the federation server was able to communicate successfully
with the Federation Service.

In addition, you might need to verify access to the Federation Service on the AD FS server from another
computer. Using an Internet browser from a separate computer, try to navigate to the federation
metadata website. For example, if your federation service name is fs.adatum.com, try to navigate to
https://fs.adatum.com/federationmetadata/2007-06/federationmetadata.xml.

Note: If you have not imported the root CA certificate to this computer's trusted root
certificates store you could receive a certificate error. If you click Continue to this web site (not
recommended), you should see the AD FS metadata.

Using an Internet browser from a separate computer, try to navigate to the IdP-initiated sign-in page.
For example, if your federation service name is fs.adatum.com, try to navigate to
http://fs.adatum.com/adfs/ls/idpinitiatedsignon.htm. This should resolve the AD FS sign-in page.

Note: If you have not imported the root CA certificate to this computer's trusted root
certificates store, you could get a certificate error. If you click Continue to this web site (not
recommended), you should be able to sign in with domain\administrator credentials with no
errors.

Temporary fall back to password synchronization

When an organization deploys AD FS to establish SSO for Office 365, its local AD DS deployment, as well
as AD FS, becomes a critical component. Since all authentication requests from Office 365, or more
precisely Azure AD, are redirected to AD FS, your locally deployed directory infrastructure must be
available so that you can sign in to cloud services. For example, if a local Internet link is not working, users
cannot sign in to Office 365 from their home computers or their mobile phones, even though Office 365
services are available. This is because Office 365, when deployed in a federated scenario, expects your
local AD DS to authenticate the user.

Since Office 365 requires your local AD DS to authenticate the user, it is very important to have a highly
available AD FS environment. However, you can also use password synchronization, a feature of Azure AD
Connect, as a temporary fall back mechanism if your local authentication infrastructure fails. Although this
is a supported solution, you should be aware that this mechanism is not automatic; it must be performed
manually, as described later. Also, this scenario involves a downtime period of up to two hours.

To temporarily switch authentication to Azure AD, you have to convert your domain back to standard
mode. To do this, you should first use the Connect-MsolService cmdlet to connect to Office 365, and
then you must execute the following:

Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt

This command converts your domain to standard mode, which automatically switches authentication to
Azure AD when you use password hash sync. It is important to know that this command works only if your
AD FS server is available. However, if your AD FS server has failed and you cannot access it, you must use
another approach and execute the following command:

Set-MsolDomainAuthentication -DomainName <federated domain name> -Authentication Managed



It is recommended that you use the Get-MsolDomain cmdlet after you execute one of these commands to
make sure your domain is converted. Once you have solved the problem on your local infrastructure, you
should revert your domain to federated mode by executing the following command:

Convert-MsolDomainToFederated -DomainName <federated domain name>



Lab: Planning and configuring identity federation


Scenario
Directory synchronization is working well, and it has resolved the issue of managing user accounts in two
locations. However, the security group at A. Datum is concerned that users will be able to log on directly
to Office 365, which reduces their options for monitoring user logons. To ensure that all users will
authenticate using the on-premises AD DS domain, you have decided to implement AD FS.

Objectives
After completing this lab, you should be able to:

Install and configure AD FS and Web Application Proxy.

Configure SSO with Office 365.


Verify that SSO is working.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this
manual. Use the lab steps provided by the hosting partner when completing the labs in this
course.

Lab Setup
Estimated Time: 75 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-WAP1, and 20347A-LON-CL1

User name: Adatum/Administrator, Adatum/Holly

Password: Pa55w.rd
In all tasks:

Where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your
unique Office 365 domain name provided to you by your instructor.

Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx and
hostdomain with your unique UPN name provided to you by your instructor.

This lab requires the following virtual machines:

LON-DC1

o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-DS1
o Sign in as Adatum\Administrator using the password Pa55w.rd

LON-WAP1

o Sign in as Adatum\Administrator using the password Pa55w.rd


LON-CL1

o Sign in as Adatum\Holly using the password Pa55w.rd



Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.