342 Cards in this Set
- Front
- Back
Which Office 365 Enterprise Plan contains Microsoft Access? |
All of the Enterprise Plans
|
|
What are the three Office 365 SME Plans?
|
Business Essentials Business Premium |
|
Which Office 365 SME plan contains just Office? |
Business |
|
What are the Office 365 Enterprise Plans? |
Pro Plus - Office Only
E3 - Exchange/Apps/Azure Rights Management/Skype/Yammer/Business Intel |
|
What Office 365 Plans have support for unlimited users? |
All of the Enterprise plans |
|
What is the size limit of an Exchange Online mailbox? |
100GB |
|
What is the size limit of the Enterprise Exchange Online Archive? |
Unlimited |
|
What are the other Office 365 Licensing Plans? (Not SME / Enterprise) |
E4 - No longer available
Education Licensing - Heavily Discounted licensing |
|
Which Office 365 Packages come with Advanced Business Intelligence and PSTN features? |
Enterprise E5 |
|
What Office 365 Plans come with Compliance/e-discovery (Litigation Hold, In-Place Hold) and Data Loss Prevention? |
Enterprise E3 & E5 Plans |
|
Which Office 365 Plans contain Microsoft Project and Microsoft Visio? |
None of the plans include these products. They must be purchased as a Standalone Product. |
|
Which Office 365 Products can be purchased separately? |
Exchange Online OneDrive for Business |
|
What is the default Microsoft Office 365 domain name? |
onmicrosoft.com |
|
How do you rename the Sharepoint Online Team site URL to your custom URL? |
This isn't possible, Sharepoint will use your Microsoft Tenant domain and cannot be customised. |
|
How do you change the Country/Region of your tenant after creating it? |
You can't, as the Tenant Country/Region selection affects the following: |
|
Can you change the Region that the users are located in Office 365? |
Yes, the user's location/region can be changed. The Tenant Region/Location can not. |
|
What are the Office 365 Password Requirements? |
Passwords must be 8-16 Characters long, contain 3 out of the four characters listed (Upper case, lower case, number and symbols) |
|
What are the 5 Tenant Admin Roles and Permissions? |
|
|
What is the URL for the Office 365 Admin Centre? |
https://portal.office.com |
|
Which two Admin roles can assign licenses to users in Office 365? |
Global Administrators User Management Administrators |
|
Can you mix licenses between organisation types (Business/Non-Profit)? |
No, you cannot mix between organisation license types (Business/Enterprise, Non-Profit, Education, Government) |
|
Can you have both a Business Premium licence and an E3 licence in the same Tenant? |
Yes. You cannot, however, mix licence types ( Business/Enterprise, Non-Profit, Education, Government) |
|
What happens when you delete an Office 365 user account? |
- The user's Office 365 licence will be removed
- The deleted user data will be permanently deleted after 30 days (Soft Delete)
- A hard delete will delete the user's data immediately but must be done via PowerShell |
|
What do you need to install in order to connect to Office 365 via Powershell? |
- Microsoft Online Service Sign-In Assistant (64-Bit) - Windows Azure Active Directory Module for Windows Powershell (64-Bit) |
|
Which Command do you use to connect to Office 365 via PowerShell? |
Import-Module MSOnline |
|
What does the following command do?
Set-ExecutionPolicy Unrestricted |
Allows PowerShell to run all Scripts with zero Restrictions |
|
What Powershell cmdlet is used to return all the subscriptions that the company has purchased? |
Get-MsolSubscription |
|
What Powershell cmdlet returns all SKU's that the company owns? |
Get-MsolAccountSku |
|
What does the New-MsolLicenseOptions command do? |
The New-MsolLicenseOptions cmdlet creates a new Licence Options object. The cmdlet disables specific service plans when assigning a user licence using Add-MsolUser and Set-MsolUserLicense cmdlets |
|
What does the Set-MsolUserLicense Cmdlet do? |
The Set-MsolUserLicense cmdlet can be used to adjust the licences for a user. This can include adding a new licence, removing a licence, updating the licence options, or a combination of these. |
|
What are the two installation methods for Office? |
Click-To-Run |
|
What are the two update channels? |
Current Channel - Updates Every Month
First Release for Deferred Channel - Early access for validation testing. |
|
What are the three methods for setting update channels for Office 365 Users? |
Portal Download - Allows users to install/reinstall Office with new update and release preferences set via the Office 365 Admin Centre
Office Deployment Tool (ODT) - Uses an XML file to set configuration options. Deploys to users from a local install path via setup.exe or SCCM |
|
Can Windows Update, WSUS and SCCM be used to push Office 365 updates? |
No. |
|
Where can you change the Software download settings in the Office 365 Admin Portal? |
Services & add-ins > Software Download Settings
You can also set what is available from here. |
|
Where are the release preferences set in the Office 365 Admin Center? |
Organization Profile > Release preferences |
|
What is the URL for the Office 365 Roadmap website? |
http://fasttrack.microsoft.com/roadmap |
|
Where is the Group Policy Admin templates located? |
C:\Windows\PolicyDefinitions
If you're missing the Microsoft Office options in Group Policy, it is because you have not imported the Policies. |
|
|
Global Admin |
|
|
Subscription Notes |
|
|
Tenant Names |
|
|
Licence & Subscription notes |
|
|
Powershell and Subscription Notes |
|
|
New Features and Updates |
|
What are the 4 steps in the Domain Setup Wizard? |
- Add Domain - Verify Domain - Setup your online services - Update DNS |
|
How do you add a domain via the Office 365 Admin Center? |
Setup> Domains |
|
Why can't the domain company.local be added to Office 365? |
Because it is a non-routable domain |
|
What are the two ways to verify a domain? |
- TXT Record |
|
What are Microsoft's Office 365 Name Servers if you wanted to move DNS to Office 365? |
- ns1.bdm.microsoftonline.com - ns2.bdm.microsoftonline.com |
|
What is the command to add a new domain to Office 365? |
New-MsolDomain Example: |
|
What is the command to set the default domain? |
Set-MsolDomain -Name o365.davidatkin.com -IsDefault |
|
What is the command to List domains in Office 365?
|
Get-MsolDomain |
|
What Powershell command is used to remove a domain in Office 365? |
Remove-MsolDomain -DomainName o365.davidatkin.com -Force |
|
Powershell Command to verify the records needed to verify domain ownership in Office 365? |
Get-MsolDomainVerificationDNS |
|
What is the Powershell command to confirm DNS records (Ownership & Services)? |
Confirm-MsolDomain Example: |
|
|
Add Domain |
|
|
Set Domains as default |
|
|
Moving DNS to MS |
|
|
Powershell Domain Management |
|
What two commands in Powershell use -Name instead of -DomainName? |
New-MsolDomain -Name |
|
What criteria does Microsoft recommend for pilot users? |
- 5% of User base |
|
What is the limit on Office 365 message sizes? |
150MB Max |
|
What is the web address for the Office 365 Health, Readiness and connectivity checks? |
https://portal.office.com/tools |
|
What are the Health Readiness check pre-requisites? |
Must have a 64-Bit version of Windows 7 or later with .NET 3.5 |
|
What is the new name for DIRSync? |
Azure Active Directory Connect (AAD Sync) |
|
What tool is used to fix DirSync/Azure AD Connect issues?
|
IdFix - Stand-alone ".exe" - No installation |
|
What is the IdFix min specification? |
4GB RAM 10GB HDD Space |
|
Where can you find the resources to create a test plan? |
https://fasttrack.microsoft.com |
|
What are the three Office365 FastTrack phases? |
Envision |
|
Exchange Migrations Notes (1): |
- Cannot Install 3rd Party add-ins - Distribution lists can be converted to Office 365 groups (If all users are in the tenant and not managed or nested) |
|
Exchange Migrations Notes (2): |
- 150MB Message Limit (25MB default) |
|
OneDrive for Businesses Migration Notes: |
- 10GB File Limit |
|
Sharepoint Online Migration Notes: |
Team sites can be migrated or individual components (lists, calendars etc) can be migrated |
|
Skype for Business Notes: |
Cannot use Skype for Business, Lync 2013, and Lync 2010 all Simultaneously (2 out of 3 is OK) |
|
What does SMART stand for when referring to FastTrack? |
S Specific |
|
What does SPF stand for? |
Sender Policy Framework |
|
What does SCP stand for in AD? |
Service Connection Point |
|
What does the Include: mean in an SPF Record. |
Includes any other SPF records specified in that domain - Nested records |
|
What port does the SIPFederationTLS SRV Records use in Office 365? |
5061 |
|
What port does the SIP SRV record use in Office 365? |
443 |
|
Which record needs to be changed in order to receive mail from Sharepoint Online? |
The SPF Record. It needs to be changed to: "v=spf1 include:sharepointonline.com ~all"
The office protection SPF is nested in the above. |
|
Should you use a Proxy server with Office 365? |
No - Avoid using a proxy, because it can have issues with the amount of SSL and authentication traffic that will be going through the proxy to reach Office 365. If a proxy is needed, it's suggested that you whitelist the various URLs and IPs, which can be found on Microsoft's sites. |
|
What ports need to be open to communicate with Skype for Business? (Destination Ports) |
Destination Ports: |
|
What ports need to be open for streaming media with Skype for Business? |
TCP/UDP |
|
What does DTS mean in Skype for Business? |
Desktop Sharing |
|
What tools can be used for recommending Bandwidth for Office 365? |
Exchange Client Network Bandwidth Calc |
|
What tool is required to use Office 2007 and Office 2010 in Office 365? |
Office Desktop Setup Tool |
|
When will support for Office 2007 end? |
October 2017 |
|
What is Azure Rights Management? |
A Cloud base service which provides:
|
|
What are the benefits of Azure Rights Management? |
Protect All file types |
|
What is Rights Management? |
Generic Term for assigning and controlling permissions for a resource |
|
What is Digital Rights Management (DRM)? |
Various access control technology for restricting usage |
|
What is Information Rights Management? |
Implementation of one or more technologies in support of a Policy |
|
What does FCI stand for? |
File Classification Infrastructure |
|
What is ARM? |
ARM - Azure Rights Management |
|
What is Azure IP?
|
Azure Information Protection |
|
What Office 365 plans include ARM? |
E3/E5 Subscription |
|
What is BYOK? |
Bring your own Key |
|
What do you need in order to manage Azure Rights Management (ARM) via Powershell? |
Download the Azure Rights Management Module for PowerShell |
|
How do you connect to Azure Active Directory Rights Management (AADRM) via PowerShell? |
Import-Module aadrm |
|
What is the Powershell command for controlling which Security Groups can protect documents and who cannot? |
Controlling users via AD Security Group:
*This must be a security group, not a user* |
|
What is the Powershell command for controlling which users can protect documents and who cannot - By their Subscription license? |
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true -Scope All |
|
Where do you enable Azure Rights Management? |
Services & Add-ins > Microsoft Azure Information Protection (For Advanced Feature you need an Azure Subscription) |
|
What are the Azure Rights Management Integration Options?
|
Native Office Integration |
|
What Microsoft Office packages come with Azure RM Native Office Integration? |
Microsoft Office 2013 |
|
What are the Two types of protection for Documents in RMS? |
Native Generic |
|
What do you get with Native RMS Protection? |
Native Office Files - No changes to the file extensions
Supported text & Image files - Wrapper in new file type - Adds a 'p' to file extensions (.pdocx, .pgif)
*Features - Authorisation & Restricted Access |
|
What do you get with Generic RMS Protection? |
Files not supported by Native RM Protection |
|
What are the two templates you start off with in Azure RM? |
Read-Only - Specific permission: View Content |
|
How do you restrict access to an Office Document in Office? |
File > Info > Protect Document/Workbook > Restrict Access |
|
Which two roles can manage the Azure Rights Management Environment? |
Office 365 Tenant (Global Administrator)
Azure RM Administrator (AadrmRoleBasedAdministrator) |
|
What is an Azure Rights Management Super User? |
It's a backup door user that has access to decrypt and view all protected documents and files. Used to access leavers' files etc. |
|
How does an Azure Rights Management Administrator manage ARM Settings? |
Via Powershell |
|
How do you become a SuperUser in Azure Rights Management? |
The Azure Active Directory Rights Management Admin or Global Admin must first enable the SuperUser Ability. |
|
What PowerShell command is used to Add Azure RMS Administrator roles from groups or users? |
Add-AadrmRoleBasedAdministrator
Note - Even though the -SecurityGroupDisplayName says 'Group', you can also define a 'User' |
|
What PowerShell command is used to View a list of Azure RMS Administrators? |
Get-AadrmRoleBasedAdministrator |
|
What PowerShell command is used to Remove an Azure RMS Administrator role from groups or users? |
Remove-AadrmRoleBasedAdministrator -SecurityGroupDisplayName -EmailAddress -ObjectID
Note - Even though the -SecurityGroupDisplayName says 'Group', you can also define a 'User' |
|
What is the command to Enable the Azure Active Directory Super User Feature? |
Enable-AadrmSuperUserFeature |
|
How do you assign the Azure RM SuperUser role to a User? |
Add-AadrmSuperUser -EmailAddress |
|
How do you assign the Azure RM SuperUser role to a Group? |
Add-AadrmSuperUserGroup
|
|
How do you get a list of current SuperUsers? |
Get-AadrmSuperUser
|
|
How do you get a list of the current SuperUser Groups?
|
Get-AadrmSuperUserGroup |
|
How do you remove the SuperUser Group from your organisation? |
Clear-AadrmSuperUserGroup |
|
How does an Azure RM SuperUser recover documents? |
It needs to be done via the Azure RM Protection Tool
Powershell module |
|
As an Azure Active Directory Rights Management SuperUser, how do you get the status of a file to see if it is protected by RMS? |
Get-RMSFileStatus |
|
What is the command to import the RMS protection tool in PowerShell? |
Import-Module RMSProtection |
|
How does a SuperUser protect a file or folder? |
Powershell: |
|
How does a SuperUser unprotect a file or folder? |
PowerShell: Unprotect-RMSFile -File -Folder -InPlace -Recurse |
|
How do you get a list of RMS Templates? |
Get-RMSTemplate -Force |
|
What PowerShell cmdlet is used to enable RMS Exchange Integration? |
Connect to Exchange First
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender |
|
How do you connect to Exchange Online with PowerShell? |
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session |
|
How Often are the Custom ARM templates refreshed? |
Every 7 days in Office 2013 / 2016
Once a day if the RMS Application Sharing is installed
Exchange must have its templates manually refreshed with the following command:
Import-RMSTrustedPublishingDomain |
|
What does RBAC stand for? |
Role Based Access Control |
|
What does DAC stand for? |
Discretionary Access Control |
|
What does MAC stand for when talking about permissions?
|
Mandatory Access Control |
|
What can a Billing Administrator do? |
- Make Purchases
- Manage Subscriptions - Manage Support Tickets - Monitors Service Health |
|
What can a Password Administrator do? |
Can only reset passwords for users - Only Non-Admins |
|
What can a Service Administrator do?
|
Read Only access to most of Office 365 |
|
What can a User Management Administrator do? |
- Reset Passwords |
|
Which 4 Office 365 roles allows a user to be a Skype for Business Administrator?
|
Global Administrator
Password Administrator Skype for Business Administrator User Management Administrator |
|
How do you get a list of Roles in Office 365? |
Get-MsolRole -ObjectName |
|
What command is used to list Global Admins in Office 365 PowerShell? |
$role = Get-MsolRole -RoleName "Company Administrator" |
|
How do you Add or Remove an Office 365 Role member?
|
Add-MsolRoleMember
Remove-MsolRoleMember -RoleName -RoleObjectId -RoleMemberEmailAddress -RoleMemberObjectId |
|
How do you set a UsageLocation in Office 365 PowerShell? |
Set-MsolUser -UserPrincipalName -UsageLocation GB
|
|
How do you assign an Office 365 Licence in PowerShell? |
Get-MsolAccountSku |
|
Admin Roles in Office 365 |
|
|
How do you set the password policy for the entire tenant in Office 365? |
Set-MsolPasswordPolicy -DomainName -NotificationDays -ValidityPeriod |
|
How do you set a Password Policy for a specific user to never expire? |
Set-MsolUser -UserPrincipalName -PasswordNeverExpires $true |
|
When you setup Azure Connect what happens to the password expiration policy in Office 365? |
They get set to Never Expire. If the local AD passwords expire, the old passwords may still work in Office 365 until they are reset. |
|
Can you have the following password in Office 365: ad*2869.@ |
No, you can't have a password with the following in it (in succession): .@ |
|
How do you disable Strong Passwords in Office 365? |
Set-MsolUser -UserPrincipalName -StrongPasswordRequired $false |
|
How do you reset a user password via Office 365? |
Set-MsolUserPassword -UserPrincipalName -NewPassword -ForceChangePassword $true |
|
What is the default password history in Office 365? |
1 Password |
|
Which two fields are required when importing users into Office 365 via CSV: |
Username (Login Name) Display Name Note: Username Domain needs to exist in the tenant |
|
What is the max amount of users you can import with CSV? |
250 Max 2 Minimum |
|
What are the User Name field limits in Office 365? |
30 Characters before @ Max 79 Characters including the @ |
|
How do you get information on a deleted user in PowerShell? |
Get-MsolUser -UserPrincipalName -ReturnDeletedUsers |
|
What are the three Authentication Factors? |
Knowledge Factor - What you know |
|
Max amount of App Passwords in Office 365? |
40 |
|
What are App Passwords for in MFA? |
It's so that you can assign a specific password to Apps like Office. It stops the App from needing MFA and uses a one-time generated password. |
|
Security Groups |
- Additional SID in Azure |
|
Mail-Enabled Security Group |
Security Group and Distribution Group |
|
Office 365 Groups |
Shared Mailbox + OneDrive (SharePoint Site) |
|
What are the MFA Statuses in Office 365? |
Disabled - Not Enabled |
|
How do you hard delete an Office 365 user when it has been soft deleted? |
Remove-MsolUser -UserPrincipalName -RemoveFromRecycleBin |
|
What does Sku in AccountSku mean? |
Stock Keeping Unit |
|
What is the description for the OFFICESUBSCRIPTION service plan? |
Office Professional Plus |
|
What is the description for the SHAREPOINTWAC service plan? |
Office Online |
|
What is the description for the MCOSTANDARD Service Plan? |
Skype for Business Online |
|
How do you get a list of unlicenced Office 365 users? |
Get-MsolUser -UnlicensedUsersOnly |
|
What does CRUD stand for? |
Create New- |
|
What are the main MsolUser switches? |
New- |
|
How do you change a user's UserPrincipalName? |
Set-MsolUserPrincipalName |
|
How do you specify a role with the Get-MsolRole cmdlet? |
By ObjectID |
|
How do you list roles assigned to a user? |
Get-MsolUserRole |
|
How do you set a licence for a user? |
Set-MsolUserLicense |
|
How do you set single sign on with a domain? |
Set-MsolDomainAuthentication |
|
What does the Set-MsolUser cmdlet do? |
Sets the following: User Info |
|
What does the Set-MsolUserPassword do? |
Sets User Passwords |
|
What does the Set-MsolPasswordPolicy Cmdlet do?
|
Tenant-Wide expiration days and notification days |
|
What does the Set-MsolUserLicense cmdlet do? |
Assigns and removes user licenses |
|
What does the Set-MsolUserPrincipalName cmdlet do? |
Changes a UserPrincipalName |
|
What can the Set-MsolUser cmdlet NOT modify? |
UserPrincipalName |
|
How many Azure Tenants can an Azure AD Connect sync server sync to? |
Just one. Each Azure AD Connect can only sync to one Azure Tenant Each Azure Tenant can only have one AD Connect Sync Server |
|
What is GALSync? |
A program to sync from multiple forests into multiple Azure Tenants. User A is created as a User in Azure Tenant A User A is created as a contact in Azure Tenant B |
|
What is Azure AD Connect Staging Mode? |
It's where you have an identical sync server used for redundancy or for testing purposes. The Staging server is set to read only mode and does not write to Azure which is why it does not break the Azure/AD Sync 1:1 rule. |
|
How do you add a UPN domain suffix in Active Directory? |
Active Directory Domains and Trusts
|
|
Active Directory cleanups prior to Sync |
|
|
What Azure AD Connect filtering can you do?
|
Domain |
|
Does Azure AD Connect support AD Writeback?
|
No. Writeback is writing from one local AD to another local AD, or from one Azure AD to another local AD |
|
What fields does Azure use by default to associate an AD user with their Azure user account? |
Active Directory ObjectGUID Azure Immutable ID |
|
What is needed for Azure Password Writeback? |
An Azure Premium account |
|
Azure AD Connect - On-Prem requirements |
|
|
What is the minimum server operating system required if you wanted to install Azure AD Connect with Password Sync?
|
Windows Server 2008 R2 SP1
Azure AD Connect can be installed onto a Windows Server 2008 but will not have Password Sync. |
|
What are the minimum Active Directory Domain and Forest level requirements for Azure AD Connect? |
Windows 2003 |
|
What are the minimum RAM and HDD requirements for Azure AD Connect? |
RAM: 4GB (<50K objects), 16GB (50K-100k), 32GB (100k+) HDD: 70GB (<50k objects), 100GB (50k-100k), 300GB (100k-300k), 450GB (300k-600k) CPU: |
|
Can Azure AD Connect be installed on Server Core? |
No - It needs a GUI. It also cannot be installed on SBS and Server Essentials. |
|
What attributes need to be present for the user in order for Azure AD Connect to synchronise a user to Azure AD?
|
ObjectGUID (Or another defined SourceAnchor)
UserPrincipalName |
|
What are the SQL Requirements for Azure AD Connect?
|
SQL Server 2008 SP4 to SQL Server 2014 |
|
What program is used to manage the Azure AD Connect sync after it has been setup? |
Synchronisation Service Manager |
|
When is the Group filtering applied in Azure AD Connect? |
The Azure AD Connect Metaverse |
|
What is the Azure AD Connect sync order? |
Active Directory Import Azure AD Import Active Directory Full/Delta Synchronisation Azure AD Full/Delta Synchronisation Azure AD Export Active Directory Export |
|
What will happen to a user's Office 365 account if you filter them out of the synchronisation when they already have an account in Office 365? |
The user will be soft deleted.
|
|
AD syncs into the connector space as User Schema and enters the Metaverse as... |
Person Schema |
|
Why would you do a Full AD Connect Sync over a Delta? |
If an Office 365 Admin has changed the password of a synced user via Office 365, a Full Sync must be run.
A Delta sync won't fix this problem. |
|
What is the cmdlet to get the AD Connect scheduler? |
Get-ADSyncScheduler |
|
What is the shortest sync cycle in AD Connect? |
30 Minutes |
|
How do you force an immediate sync cycle? |
Start-ADSyncSyncCycle -PolicyType
Initial is a 'Full' Sync Cycle |
|
How do you force a stop of immediate sync cycle? |
Stop-ADSyncSyncCycle |
|
How do you change the AD Connect Sync Cycle in Powershell? |
Set-ADSyncScheduler -CustomizedSyncCycleInterval |
|
How do you check the current status of an AD Connect Sync in powershell? |
Get-ADSyncConnectorRunStatus |
|
What do you do if you have multiple users provisioned in Office 365 due to the user not being recognised on Sync? |
- Remove the user from the Sync OU, or assign an attribute to the user in AD and create an Attribute rule in Sync Service Manager.
- Sync up to remove the duplicate user
- Then run a command in Office 365 to get the ImmutableID of the removed (synced) user
- Delete the user from the Office 365 Recycle Bin
- Assign the ImmutableID to the unsynced user (the one previously managed by O365)
- Move the user back into the syncable OU in AD (or remove the attribute filter) and re-sync |
|
How does Office 365 validate a user in ADFS? |
With its Token and Claims (issued by the federation server) |
|
What type of redirect is used by Office 365 to send an ADFS user back to the Federation Server for authentication? |
302 Redirect |
|
What is the format of the Token, claims and session info called when presenting to Office 365? |
SAML Assertion |
|
What is the process for an internal ADFS user to authenticate with Office 365? |
- User goes to portal.office.com and enters login details
- User is redirected to the Federation Server via a 302 Redirection
- User logs into Federation Server
- Federation server checks AD and validates credentials
- AD Server assigns Token and Claims, the Federation server passes back to the user.
- Redirects back to Office 365 |
|
What is the process for an external ADFS user to authenticate with Office 365? |
- User goes to portal.office.com and enters login details
- User is redirected to the WAP Proxy Server via a 302 Redirection
- User logs into Proxy Server
- Proxy Server speaks to the Federation Server
- Federation server checks AD and validates credentials
- AD Server assigns Token and Claims, the Federation server passes back to the Proxy and the Proxy passes back to the user.
- Redirects back to Office 365 (302) |
|
What is Modern Authentication? |
OAuth |
|
What kind of Token is used in Modern Authentication? |
JSON Web Token JWT |
|
What is an STS? |
Secure Token Server |
|
ADFS Versions: |
Version 2.0 - Windows Server 2008 / 2008 R2 (Req Download) Version 2.1: Windows Server 2012 Windows Server 2012 R2 |
|
What has changed in ADFS version 3.0? |
- WAP replaces Web Proxy - No more IIS Requirements - Modern Authentication / OAuth2 / ADAL - Support for Azure MFA - No more stand-alone servers (Farms only) |
|
What is the most important ADFS Service/Server Name?
|
The Federation Service Name. This is the name that all clients, servers and applications use. This should be different from the Federation Server names. Used for both FS Cluster and WAP/Proxy |
|
What do you need in order to use multiple WAP Servers?
|
A Network Load Balancer |
|
How does the WAP/Proxy know where the Federation Server(s) is? |
It is done via a manual entry to the HOST file on each WAP / Proxy. |
|
What certificates are required for ADFS? |
Server Authentication (SSL) Certificate (Public CA) - Same Cert as Server Auth Cert - Token-Signing Certificate (Self-Signed) |
|
What are the two types of Databases that can be used for ADFS Federated Servers? |
Windows Internal Database (Best Practice)
|
|
ADFS - Windows Internal Database
- Up to 30 Servers (<=100 Trusts, ADFS 3.0)
- Up to 5 Servers (>100 Trusts or ADFS 2, 2.1)
- Less cost, no additional licensing
- HA (1 Primary, Additional DBs read only)
- LB
- No Token Replay Detection
- Can be converted to SQL later |
ADFS - Windows SQL (Not on same server)
- No limit of Servers
- More cost, requires SQL Licensing
- HA (leveraging SQL Clustering)
- LB
- SAML Artifact Resolution
- Token Replay Detection
- Cannot be converted to WID |
|
ADFS capacity planning: |
< 1000 Users Dedicated NLB 3 - 5 x Dedicated FS Server Dedicated NLB |
|
In ADFS 3.0, how do you install the WAP/Proxy? |
It's installed under the Remote Access Role |
|
In ADFS 2.1, how do you install the WAP/Proxy? |
It's an option with the ADFS Role |
|
What port is needed for ADFS ClientTLS? |
49443 |
|
What DNS records can you use for ADFS? |
A-Records only. |
|
How do you stop a user from being able to log into Office 365 when ADFS is enabled? |
Issue Claim Authorisation Rules |
|
How would you stop a user from logging into Office 365 using their first name when ADFS is enabled? |
Create an Acceptance claim rule and a new Authorisation deny rule. By default active directory only sets claim rules on certain attributes. Need to add a transformation rule to push the attribute and then a Claim Authorisation Rule to deny users based on that attribute. |
|
Where can you find the deny logs in Windows for ADFS? |
Event Viewer > Applications and Services > AD FS > Admin |
|
What are the two Passive ADFS authentication methods? |
SAML - /adfs/ls |
|
How do you enable Modern Authentication in Exchange online? |
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true Verify with: |
|
How do you enable Modern Authentication in Skype for Business online? |
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Get-CsOAuthConfiguration |
|
What is the reason for being unable to connect to the MSolService internally from PowerShell once you've enabled Azure MFA Server?
|
By default, internal MFA authentication only supports Windows Authentication; when you connect to MsolService it does so via Form Based Authentication. You need to enable Form Based Authentication internally via the Azure MFA Server. |
|
Should an ADFS Proxy server be joined to a Domain? |
No! AD FS Proxy servers should not be joined to the domain. |
|
What are acceptance Rules in ADFS? |
Set of rules run when authentication is required |
|
What are Authorization rules in ADFS? |
Set of rules when authentication is granted or denied |
|
What are Issuance Rules in ADFS? |
Set of rules run when deciding what claims rules to send to requesting party |
|
What is the purpose for the ADFS Service Account? |
It runs the "Active Directory Federation Services" service. It performs Kerberos Authentication tasks |
|
What are the AD FS Service Account requirements? |
- It needs to be a Domain User
- It needs "Logon as a service" rights on FS
- It needs "Password does not expire" to be set
- It needs to be the same account on all Federation Servers in Farms
- It needs "Logon as a Batch Job" rights (only if you run Scheduled tasks) |
|
How do you enable Group Managed Service Accounts in Windows Server 2012? |
Done by PowerShell:
Add-KdsRootKey -EffectiveImmediately **Mandatory 10 Hour Wait** |
|
Is Windows Network Load Balancer supported on a Domain Controller? |
No |
|
What is the PowerShell cmdlet to install ADFS? |
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
|
|
What is the PowerShell Cmdlet to install an additional ADFS Server into an existing ADFS Farm? |
Add-AdfsFarmNode -PrimaryComputerName -CertificateThumbprint -GroupServiceAccountIdentifier |
|
Modules required for Converting an Office 365 Domain to an ADFS Domain |
Active Directory Powershell Module Azure AD Powershell Module Microsoft Online services Sign-In Assistant |
|
What is the PowerShell command to convert an Office 365 standard domain to a Federated domain? |
Convert-MsolDomainToFederated -DomainName |
|
What command is used to specify the primary Federated Server if running the Convert-MsolDomainToFederated from a workstation? |
Set-MsolADFSContext -Computer |
|
What does the New-AdfsOrganization command do? |
It can be used to create an object in order to pipe information into the Set-AdfsProperties cmdlet to set the ADFS Organization Properties |
|
PS Cmdlet to get ADFS Settings from PowerShell? |
Get-MsolDomainFederationSettings |
|
How do you set a new SSL Certificate on Federation Servers? |
Set-AdfsCertificate -Thumbprint
Must be run on all FS Servers. Restart the service afterwards. |
|
How do you set a new SSL Certificate on ADFS WAP Servers? |
Set-WebApplicationProxySslCertificate -Thumbprint |
|
How do you set a new ADFS Service Communications Certificate in PS? |
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint |
|
What command is used to customize Web Links and wording on the ADFS Login Pages?
|
Set-AdfsGlobalWebContent |
|
What command is used to customize the imaging on the ADFS Login Pages? Logo & Illustration |
Set-AdfsWebTheme |
|
Customizing ADFS 2.0/2.1 Web Page - Location: |
Logo - Web.config
Page Title - CommonResources.en.resx Authorized Use - MasterPage.master.cs |
|
How do you change the theme for the ADFS login Page?
|
Set-AdfsWebConfig -ActiveThemeName |
|
Create a new Theme for the ADFS login |
New-AdfsWebTheme -TargetName "Name" |
|
A Managed Domain is any domain that doesn't depend on Federated services. |
Office 365 or Azure AD Sync |
|
How do you convert a Federated Domain back to a Managed Domain? |
Convert-MsolDomainToStandard |
|
How do you convert a Federated Office 365 User back to a Managed User? |
Convert-MsolFederatedUser |
|
How do you turn off Federated sign in for a domain when a Federated server is not reachable? |
Set-MsolDomainAuthentication -DomainName -Authentication |
|
What is the max number of objects in the Windows Internal Database? |
100,000 |
|
How did you launch the Proxy configuration wizard in ADFS 2.0 / 2.1? |
Run FspConfigWizard.exe
|
|
AdfsGlobalWebContent |
Text & URLs |
|
AdfsWebTheme |
Logos, CSS, Illustrations, Loading Scripts |
|
Set-AdfsWebConfig |
Sets the default theme |
|
What are the two categories of reports? |
Activity Usage |
|
Office 365 Reports: |
Activations Report: Licence Type (Pro Plus / Business) Active Users Report: Licenced? (Exchange, One Drive....) |
|
Exchange Service Reports |
Email Activity Email App Usage Mailbox Usage |
|
One Drive / Sharepoint Reports: |
OneDrive Activity User |
|
Skype Business Reports |
P2P Conference Organized |
|
How do you import reports directly into Excel? |
Reporting Web Service - OData Data Feed |
|
Exchange Reports: |
Auditing
|
|
Mail Flow Reports: Get-MailTrafficTopReport |
Top Mail Senders |
|
What is a BCL? |
Bulk Complaint Level 0 Good |
|
Malware Reports: |
Top Malware for Mail Malware Detections Number of malware detections |
|
Spam Detection Reports:
Get-MailDetailSpamReport |
Spam Detections |
|
Rules Reports |
Content or content filtering rules |
|
DLP Reports: |
Top DLP Policy matches for mail |
|
Audit log reports check activity for Office 365 services |
User Activity Admin Activity |
|
How do you turn on user Mailbox Auditing in Office 365? Done per mailbox |
Set-Mailbox -Identity -AuditEnabled $true |
|
How do you add Owner actions to the Mailbox Audit? |
Set-Mailbox -AuditOwner MailboxLogin,HardDelete.... (What you want to track is after the command) |
|
How do you get to the Unified Office 365 Audit log reports? |
Security & Compliance Center |
|
Which audit report do you run to see what an external admin or Microsoft have been doing? |
External Admin Audit Log report |
|
Office 365 Audit Log: |
- Off by default
- 90 Day limit
- Dates and times are in UTC
- Only the most recent 1000 Entries show up
- Must be a Global Admin |
|
Powershell Exchange Audit log commands: |
Instantly Generated: Search-MailboxAuditLog |
|
How do you turn on/off the Office 365 admin audit log? |
Set-AdminAuditLogConfig |
|
What is a Portal Email Hygiene Report? |
Exchange Online reports for: Inactive Mailboxes Storage Quotas |
|
What are the Powershell cmdlets for Exchange Stale Mailbox Reports? |
Get-StaleMailboxReport Get-StaleMailboxDetailReport |
|
What are the Commands for the Exchange usage report(s)? |
Get-MailboxUsageReport Get-MailboxUsageDetailedReport |
|
What command is used for doing a Message Trace command in Powershell? Results are for last 7 days |
Get-MessageTrace Get-MessageTraceDetail |
|
What is the command to do a Message Trace with Powershell for items up to 90 Days old? |
Start-HistoricalSearch Get-HistoricalSearch |
|
GTUBE - Test for Spam |
Google the content |
|
How do you get Alerted when there is an issue with Office 365? |
The Office 365 Admin App |
|
What is the Max Service Health History on the Service Health Dashboard |
30-Days |
|
How do you monitor Office 365 Status in SCOM? |
Office 365 Management Pack for System Center Operations Manager Comes as a .mpb file |
|
What are the two types of Support in Office 365? |
Concierge Support - < 50 Users General Support - >50 Users |
|
What are the Connectivity Analyzer tools? |
Remote Connectivity Analyser Tool (RCAT) Microsoft Connectivity Analyser Tool (MCAT) Lync Connectivity Analyser (LCA) |
|
Remote Connectivity Analyser - RCA Validate/Troubleshoot Office 365 Eliminate On-Prem Configuration |
Microsoft Connectivity Analyser Tool - MCA Locally Installed Test End-To-End Connectivity |
|
RCA: Exchange DNS POP/IMAP EWS (Sync, Notifications etc) Lync Connectivity - On-Prem Lync Only |
MCAT: Lync/Skype DNS / Autodiscover (Onsite only) Lync Connectivity - On-Prem Lync Only |
|
LCA Tests: |
Lync/Skype DNS / Autodiscover (Onsite only) Lync Connectivity - On-Prem Lync Only |
|
What are the 3 Free / Busy Sharing Tools? |
Hybrid Free/Busy Troubleshooting Tools Remote Connectivity Analyser Microsoft Connectivity Analyser Tool. |
|
What is the only Supported Diagnostic Tool? |
Microsoft Support & Recovery Assistant for Office 365 For troubleshooting Client login issues for individual user or their profile. |
|
Where can a user access the Microsoft Support & Recovery Assistant for Office 365? |
Outlook > File > Support |
|
Microsoft Support & Recovery Assistant for Office 365 - What can it troubleshoot? |
Office Activation Outlook Configuration Outlook for Mac Configuration Mobile Devices Outlook on the Web Dynamics CRM OneDrive for Business Advanced Diagnostics (Exchange Online |
|
What version of .NET and PowerShell is needed for Azure Rights Management? |
PowerShell V2 .NET 4.5 |
|
How do you enable Azure Rights Management Integration in Sharepoint? |
Step 1: Settings> Information Rights Management> Use the IRM Service
Step 2: Modify properties IRM tab for library object |
|
How do you enable Azure Rights Management integration in OneDrive? |
Settings> Site Contents> Documents> Settings, permissions and Mgmt> IRM |
|
What are the ARM PowerShell and .NET requirements? |
PowerShell 4.0 .NET 4.5 |
|
What Powershell commands are used to get all the members in an Office 365 Role? |
$role = Get-MsolRole -RoleName "name"
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
|
Notes about Exchange Online Administrator roles:
|
- Organisation Management is the most privileged role
- Office 365 Global Admins are members of 'Company Administrators' which is nested inside Organisation Management |
|
Notes about Sharepoint Online Administrator Roles: |
- SharePoint Online Administrator - Full SPO Privileges
- Site Collection Administrator - There can be multiple site collection admins but one must be primary - Cannot Access SharePoint Admin Center |
|
Which Administrator Role has Full Skype Privileges in Office 365? |
Skype for Business Admin
|
|
What happens to OneDrive files and Skype for business history information when a user is deleted? |
The contents are removed after 30-Days. |
|
What does the % symbol mean when used in PowerShell? |
It means ForEach-Object |
|
Where does an ADFS SSL Certificate need to be installed? |
All Federation Servers
All Proxies |
|
ADFS 3.0 Notes: - .NET 4.5 - No IIS or ASP.NET Required - Schema - Windows 2008+ - FARM Only |
ADFS 2.1 Notes: - Windows Server 2012 - IIS 8 - .NET 4.5 - ASP.NET 4.5 - DC- Windows 2012 - -Schema Windows Server 2003 SP1 - SQL Server 2005 / 2008 / 2012 |
|
ADFS 2.0 Notes: - Windows Server 2008 & 2008 R2 - IIS 7 - DC - Windows Server 2008 & 2008 R2 - Schema Windows Server 2003 SP1+ |
Under 1000 Users = ADFS can be installed on Domain Controllers |
|
ADFS Claims: Claims are pieces of information about the authenticating user. They usually include data about the user queried from the Attribute Store (AD) or the login session. |
Claim rules can be used to determine whether or not to issue authentication to the relying party, or what the authentication flow should be, including whether to perform MFA.
|
|
What are the Three parts of the Claims Engine (aka Claims Pipeline)? |
- Acceptance Rules (Claims Provider Trust)
- Authorisation Rules (Relying Party Trust) Set of rules when auth is granted/denied
- Issuance Rules (Relying Party Trust) |
|
Add Additional ADFS Servers: Install-WindowsFeature ADFS-Federation -IncludeManagementTools Add-AdfsFarmNode (Windows 2012 R2) |
ADFS 2.0 / 2.1 GUI - fsconfigwizard.exe PS - fsconfig.exe |
|
When must the command Set-ADFSContext be run in PowerShell? |
When you are converting an Office 365 Domain Name to a Federated Domain but you're not doing it from the Primary ADFS Server
Set-AdfsContext -computer |
|
Windows Roles for ADFS: ADFS 3.0 -Remote Access - Web Application Proxy (Feature) ADFS 2.1 |
ADFS Proxy Roles: ADFS 3.0 ADFS 2.0/2.1 - Web Server Role (IIS) - Windows Process Activation Services |
|
Where can you change the Release preferences in the Office 365 admin center? |
Organization> Release preferences |
|
Where can you find the Health, Readiness and connection checks for the installation of Office? |
https://portal.office.com/tools |
|
What is the minimum requirement for installing the Health, Readiness and connection checks? |
Windows 7+ 64-Bit .NET 3.5 IE 9.0 |
|
What are the idFix minimum installation requirements? |
64-bit windows .NET 4.0 4GB RAM 10GB HDD |
|
What port does _sipfederationtls._tcp use?
|
5061 |
|
What ports do you need to have open for Outbound requests for Office 365?
|
80 443 |
|
What are the Skype SOURCE ports?
|
50,000 - 50,019 AUDIO
50,020 - 50,039 VIDEO
50,040 - 50,059 DTS |
|
What are the requirements for Azure Rights Management? |
PowerShell v2 |
|
What report needs to be run to filter on Sender, IP, Reputation or Content? |
Spam detection Report |
|
Is ARM BYOK compatible with Exchange Online? |
No
To encrypt attachments and messages you will need to use the Azure Keys. |
|
What PowerShell command must be used to convert a Federated Domain back to a Managed Domain when the ADFS Server is unreachable? |
Set-MsolDomainAuthentication |
|
How do you update a current Office 365 configuration to enable Multiple Federated Domain support? |
Update-MSOLFederatedDomain -SupportMultipleDomain