• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

Card Range To Study



Play button


Play button




Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

342 Cards in this Set

  • Front
  • Back

Which Office 365 Enterprise Plan contains Microsoft Access?

All of the Enterprise Plans
What are the three Office 365 SME Plans?

Business Essentials

Business Premium

Which Office 365 SME plan contains just Office?


What are the Office 365 Enterprise Plans?

Pro Plus - Office Only

E1 - Exchange & Online Apps

E3 - Exchange/Apps/Azure Rights Management/Skype/Yammer/Business Intel

E5 - Also has DLP/Compliance/PSTN and Advanced Threat Protection`

What Office 365 Plans have support for unlimited users?

All of the Enterprise plans

What is the size limit off an Exchange Online mailbox?


What is the size limit of the Enterprise Exchange Online Archive?


What are the other Office 365 Licencing Plans? (Not SME / Enterprise)

E4 - No longer available

K1 - Kiosk Licences (Used for Shared computers)

Non-Profit - Available in E1 / E3 / E5 / Business Essentials / Business Premium models

Education Licencing - Heavily Discounted licensing

Which Office 365 Packages come with Advanced Business Intelligence and PSTN features?

Enterprise E5

What Office 365 Plans come with Compliance/e-discovery (Litigation Hold, In-Place Hold) and Data Loss Prevention?

Enterprise E3 & E5 Plans

Which Office 365 Plans contain Microsoft Project and Microsoft Visio?

None of the plans include these products.

They must be purchased as a Standalone Product.

Which Office 365 Products can be purchased separately?

Exchange Online
Sharepoint Online

OneDrive for Business
Skype for Business
Office Apps
Project Online
Business Intelligence
Visio Pro
Azure Rights Management

What is the default Microsoft Office 365 domain name?


How do you rename the Sharepoint Online Team site URL to your custom URL?

This isn't possible, Sharepoint will use your Microsoft Tenant domain and cannot be customised.

How do you change the Country/Region of your tenant after creating it?

You can't as the Tenant Country/Region selection effects the following:

- Location of Data Center
- Performance
- Available Service Offerings
- Compliance
- Billing Currency

Can you change the Region that the users are located in Office 365?

Yes, the user's location/region can be changed.

The Tenant Region/Location can not.

What is the Office 365 Password Requirements?

Passwords must be 8-16 Characters long, contain 3 out of the four characters listed (Upper case, lower case, number and symbols)

What are the 5 Tenant Admin Roles and Permissions?

What is the URL for the Office 365 Admin Centre?


Which two Admin roles can assign licenses to users in Office 365?

Global Administrators

User Management Administrators

Can you mix licenses between organisation types (Business/Non-Profit)?

No, you cannot mix between organisation license types (Business/Enterprise, Non-Profit, Education, Government)

Can you have both a Business Premium licence and an E3 licence in the same Tenant?

Yes. You cannot, however, mix licence types ( Business/Enterprise, Non-Profit, Education, Government)

What happens when you delete an Office 365 user account?

- The users Office 365 licence will be removed

- The deleted user data will be permanently deleted after 30 days (Soft Delete)

- A hard delete will delete the users data immediately but must be done via Powershell

What do you need to install in order to connect to Office 365 via Powershell?

- Microsoft Online Service Sign-In Assistant (64-Bit)

- Windows Azure Active Directory Module for Windows Powershell (64-Bit)

Which Command do you use to connect to Office 365 via PowerShell?

Import-Module MSOnline
$UserCredential = Get-CredentialConnect-MsolService -Credential $UserCredential

What does the following command do?

Set-ExecutionPolicy Unrestricted

Allows PowerShell to run all Scripts with zero Restrictions

What Powershell cmdlet is used to return all the subscriptions that the company has purchased?
(Licence Type)


What Powershell cmdlet returns all SKU's that the company owns?
(Licence Count)


What does the New-MsolLicenceOptions command do?

The New-MsolLicenceOptions cmdlet creates a new Licence Options Object. The cmdlet disabled specific service plans when assigning a user licence using Add-MsolUser and Set-MsolUserLicence cmdlets

What does the Set-MsolUserLicence Cmdlet do?

The Set-MsolUserLicence cmdlet can be used to adjust the licences for a user. This can include, adding a new licence, removing a licence, updating the licence options or a combination of these.

What are the two installation methods for Office?

- Deployed via Portal Download
- Deployed via Office Deployment Tool (Setup.exe or SCCM)

Windows Installed
- MSI Install downloaded from Microsoft (Offline Installer)

What are the two update channels?

Current Channel

- Updates Every Month
- Default for Office 365 Business
-Includes Monthly Security & Non-Security Updates

Deferred Channel
- Updates 3 x per year (4 Month Schedule)
- Default for Office 365 ProPlus (Enterprise)
-Includes Monthly Security Updates & Non-Security Updates

First Release for Deferred Channel

- Early access for validation testing.

What are the three methods for setting update channels for Office 365 Users?

Portal Download - Allows users to install/reinstall Office with new Update and release preferences set via Office 365 Admin Centre

Office Deployment Tool (ODT) - Uses XML File set configuration options. Deploys to users from local install path via setup.exe or SCCM

Group Policy Administration Templates - Downloaded ADMX from Microsoft and install to GPMC/Gpedit to set channel for local machines

Can Windows Update, WSUS and SCCM be used to push Office 365 updates?


Where can you change the Software download settings in the Office 365 Admin Portal?

Services & add-ins > Software Download Settings

You can also set what is available from here.

Where are the release preferrences set in the Office 365 Admin Center

Organization Profile > Release preferences

What is the URL for the Office 365 Roadmap website?


Where is the Group Policy Admin templates located?

C:\Windows \PolicyDefinitions

If you're missing the Microsoft Office options in Group Policy it is because you have not imported the Policies.

Global Admin

Subscription Notes

Tenant Names

Licence & Subscription notes

Powershell and Subscription Notes

New Features and Updates

What are the 4 steps in the Domain Setup Wizard

- Add Domain

- Verify Domain

- Setup your online services

- Update DNS

How do you add a domain via the Office 365 Admin Center?

Setup> Domains

Why can't the domain company.local be added to Office 365?

Because it is a non-routable domain

What are the two ways to verify a domain?

- TXT Record
- MX Record

What are Microsofts Office 365 Name Servers if you wanted to move DNS to Office 365?

- ns1.bdm.microsoftonline.com

- ns2.bdm.microsoftonline.com

What is the command to add a new domain to Office 365?



New-MsolDomain -Name o365.davidatkin.com -Authentication "managed"

What is the command to set the default domain?

Set-MsolDomain -Name o365.davidatkin.com -IsDefault

What is the command to List domains in Office 365?


Get-MsolDomain -DomainName o365.davidatkin.com

What Powershell command is used to remove a domain in Office 365?

Remove-MsolDomain -DomainName o365.davidatkin.com -Force

Powershell Command to verify the records needed to verify domain ownership in Office 365?

Get-MsolDomainVerificationDNS -DomainName o365.davidatkin.com
Get-MsolDomainVerificationDNS -DomainName o365.davidatkin.com -Mode (DnstxtRecord / Dnsmxrecord)

What is the Powershell command to confirm DNS records (Ownership & Services)?


Confirm-MsolDomain -DomainName o365.davidatkin.com

Add Domain

Set Domains as default

Moving DNS to MS

Powershell Domain Management

What two commands in Powershell use -Name instead of -DomainName?

New-MsolDomain -Name
Set-MsolDomain -Name

What does Microsoft recommend the criteria for pilot users?

- 5% of User base
- Mix Age, Experience and Seniority
- Select Full time employees
-Different Parts of the organisation
- Min of 6 months with the company
- Already trained on company software
- Willing to provide feedback (Positive & Negative)

What is the limit on Office 365 message sizes?

150MB Max
25MB by default

What is the web address for the Office 365 Health, Readiness and connectivity checks?


What are the Health Readiness check pre-requisites?

Must have a 64-Bit version of Windows 7 or later with .NET 3.5

Internet Explorer 9.0

Windows Powershell V2.0

What is the new name for DIRSync?

Azure Active Directory Connect (A AS Sync)

What tool is used to fix DirSync/Azure AD Connect issues?


- Stand-alone ".exe" - No installation
- Do not run on a domain controller. Run on Domain joined PC
- .NET 4.0 required
- 64-Bit machine needed
- Run with a user account that had r/w access to AD.

What is the IdFix min specification?


10GB HDD Space

Where can you find the resources to create a test plan?


What are the three Office365 FastTrack phases?

- Define Vision, Identify Scenarios, Create Plan

- Self Deployment, Qualified Partner, Microsoft FastTrack Assistance (>50 Users Required)

Drive Value
-Engage, Measure, Manage

Exchange Migrations Notes (1):

- Cannot Install 3rd Party add-ins
- IMAP migrations will not include calendar and contacts
- Public folders need to be public folder mailboxes (Available in Exchange 2013 +)

- Distribution lists can be converted to Office 365 groups (If all users are in the tenant and not managed or nested)

Exchange Migrations Notes (2):

- 150MB Message Limit (25MB default)
- 50GB Mailbox Limit
- Bulk email senders may violate Exchange Online frequency limits
- Mailboxes can stay on-premise in Hybrid Scenarios

OneDrive for Businesses Migration Notes:

- 10GB File Limit
- Cannot Migrate files with unsupported filenames or filenames that are too long

Sharepoint Online Migration Notes:

Team sites can be migrated or individual components (lists, calendars etc) can be migrated

Skype for Business Notes:

Cannot use Skype for Business, Lync 2013, and Lync 2010 all Simultaneously (2 out of 3 is OK)

What does SMART stand for when referring to FastTrack?

S Specific
M Measurable
A Attainable
R Relevant
T Timely

What does SPF stand for?

Sender Policy Framework
Sender Protection Framework

What does SCP stand for in AD?

Service Connection Point

What does the Include: mean in an SPF Record.

Includes any other SPF records specified in that domain

- Nested records

What port does the SIPFederationTLS SRV Records use in Office 365?


What port does the SIP SRV record use in Office 365?


Which record needs to be changed in order to receive mail from Sharepoint Online?

The SPF Record.

It needs to be changed to:

"v=spf1 includes:sharepointonline.com ~all"

The office protection SPF is nested in the above.

Should you use a Proxy server with Office 365?

No - Avoid using a proxy, this is because it can have issues with the amount of SSL and Authentication traffic that will be going to the Proxy to get to Office 365.

If the Proxy is needed then it's suggested that you whitelist various URL's and IPs which can be found on Microsofts Sites.

What ports need to be open to communicate with Skype for Business? (Destination Ports)

Destination Ports:

- SIP/PSOM/Control - TCP 80/443
- A/V/DTS - UDP 3478, 3479,3480, 3481
- Apple iOS Push Notifications - TCP 5223

What ports need to be open for streaming media with Skype for Business?

Type: Souce:

Audio 50,000-50,019
Video 50,020-50,039
DTS 50,040-50,059

Destination Ports are:
50,000 - 59,999

What does DTS mean in Skype for Business?

Desktop Sharing

What tools can be used for recommending Bandwidth for Office 365

Exchange Client Network Bandwidth Calc

Skype for Business Bandwidth Calculator

What tool is required to use Office 2007 and Office 2010 in Office 365?

Office Desktop Setup Tool

When will support for Office 2007 end?

October 2017

What is Azure Rights Management?

A Cloud base service which provides:

Identity Management
Secure Files and Folders

Works across multiple devices

What are the benefits of Azure Rights Management?

Protect All file types
Protect files anywhere
Share Files Securely by Email
Auditing and Monitoring
Support B2B
File classification
Easy activation

Comes with a free downloader

What is Rights Management?

Generic Term for assigning and controlling permissions for a resource

What is Digital Rights Management (DRM)?

Various access control technology for restricting usage

For digital content - Films and series etc

What is Information Rights Management?

Implementation of one or more technologies in support of a Policy

What does FCI stand for?

File Classification Infrastructure

- Automates classification processes on Windows Server file servers
- Giving certain types of files certain permissions

What is ARM?
What is AD RMS?

ARM - Azure Rights Management

AS RMS - On-Premise Active Directory Rights Management

What is Azure IP?

Azure Information Protection

Cloud based solution to classify, label and protect documents and emails.

What Office 365 plans include ARM?
(Azure Rights Management)

E3/E5 Subscription

Standalone -
Acure Infroamtion Protection premium P1 / P2

Free -
Microsoft Rights Management Service (RMS) for individuals

What is BYOK?

Bring your own Key

What do you need in order to manage Azure Rights Management (ARM) via Powershell?

Download the Azure Rights Management Module for PowerShell
(Azure Rights Management Administration Tool)

PowerShell v2
.NET Framework 4.5

How do you connect to Azure Active Directory Rights Management (AADRM) via PowerShell?

Import-Module aadrm

$UserCredential = Get-Credential

Connect-AadrmService -Credential $UserCredential

What is the Powershell command for controlling which Security Groups can protect documents and who cannot?

Controlling users via AD Security Group:

Set-AadrmOnboardingControlPolicy -SecurityGroupObjectID "ID"

*This must be a security group, not a user*

What is the Powershell command for controlling which users can protect documents and who cannot - By their Subscription license?

Set-aadrmOnboardingControlPolicy -UserRmsUserLicence $true -Scope All

*Cmdlet allows only users who have a license assigned to protect content by Azure Rights Management*

Where do you enable Azure Rights Management?

Services & Add-ins > Microsoft Azure Information Protection

(For Advanced Feature you need an Azure Subscription)

What are the Azure Rights Management Integration Options?

Native Office Integration

RMS Sharing Applications (Windows)
RMS Sharing Applications (MAC)

Azure Information Protection App (iOS/Roid)

Exchange Online Integration

Sharepoint Online/One-Drive for Business Integration

What Microsoft Office packages come with Azure RM Native Office Integration?

Microsoft Office 2013
Microsoft Office 2016
Microsoft Office 2016 (Mac)

Microsoft Office 2010*
*Needs RMS Sharing Application

What are the Two types of protection for Documents in RMS?

- Office Files
- Supported text & Image files


What do you get with Native RMS Protection?

Native Office Files

- No changes to the file extensions
- No wrapper

Supported text & Image files

- Wrapper in new file type

- Adds a 'p' to file extensions (.pdocx, .pgif)

*Features - Authorisation & Restricted Access

What do you get with Generic RMS Protection?

Files not supported by Native RM Protection
- Wrapper in new file type
- File extensions changed (Adds a "p" - .ppdf, .pgif)

Authoisation Only
- No restricted access once opened

What are the two templates you start off with in Azure RM?

- Display Name:

- Specific permission: View Content

Read or Modify
- Display Name: -Confidential
- Specific permission:

How do you restrict access to an Office Document in Office?

File > Info > Protect Document/Workbook > Restrict Access

Which two roles can manage the Azure RIgnts Management Environment?

Office 365 Tenant (Global Administrator)

Azure RM Administrator (AadrmRoleBasedAdministrator)

What is an Azure Rights Management Super User?

It's a backup door user that has access to decrypt and view all protected documents and files.

Used to access leavers files etc

Must be granted permission by an RM Administrator of Global Administrator

How does an Azure Rights Management Administrator manage ARM Settings?

Via Powershell

How do you become a SuperUser in Azure Rights Management?

The Azure Active Directory Rights Management Admin or Global Admin must first enable the SuperUser Ability.

Once the SuperUser ability is turned on it must be enabled.

What PowerShell command is used to Add Azure RMS Administrator roles from groups or users?


Note - Even though the -SecurityGroupDisplayName says 'Group', you can also define a 'User'

What PowerShell command is used to View a list of Azure RMS Administrators?


What PowerShell command is used to Remove an Azure RMS Administrator role from groups or users?




-ObjectID Note

Even though the -SecurityGroupDisplayName says 'Group', you can also define a 'User'

What is the command to Enable the Azure Active Directory Super User Feature?


To Disable:

Note, this is Tenant wide. You're enabling/disabling the SuperUser feature on the tenant

How do you assign the Azure RM SuperUser role to a User?



This is for users only. There is another command for Groups

How do you assign the Azure RM SuperUser role to a Group?


You can only have one SuperUser Group!

How do you get a list of current SuperUsers?

How do you get a list of the current SuperUser Groups?


How do you remove the SuperUser Group from your organisation?


How does an Azure RM SuperUser recover documents?

It needs to be done via the Azure RM Protection Tool

Powershell module
Supplement to Azure Rights Management PowerShell Module

As an Azure Active Directory Rights Management SuperUser, how do you get the status of a file to see if it is protected by RMS?


What is the command to import the RMS protection tool in PowerShell?

Import-Module RMSProtection

How does a SuperUser protect a file or folder?


-InPlace (Will replace the file. By default a new one is created in addition to the original)

How does a SuperUser unprotect a file or folder?







How do you get a list of RMS Templates?


-RMSServer (used for on prem)

What PowerShell cmdlet is used to enable RMS Exchange Integration?

Connect to Exchange First

Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

Set-IRMConfiguration -InternalLicensingEnabled $true Test-IRMConfiguration -Sender

How do you connect to Exchange Online with PowerShell?

$Cred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

Import-PSSession $Session

How Often are the Custom ARM templates refreshed?

Every 7 days in Office 2013 / 2016

Once a day if the RMS Application Sharing is installed

Exchange must have its templates manually refreshed with the following command:


What does RBAC stand for?

Role Based Access Control

- Permissions are grouped into Roles

What does DAC stand for?

Discretionary Access Control


What does MAC stand for when talking about permissions?

Mandatory Access Control

Labels, Classifciations

What can a Billing Administrator do?

- Make Purchases
- Manage Subscriptions
- Manage Support Tickets
- Monitors Service Health

What can a Password Administrator do?

Can only reset passwords for users - Only Non-Admins

What can a Service Administrator do?

Read Only access to most of Office 365

- Opens Support Tickets and Management
- Viewing User information
- View Health Status

What can a User Management Administrator do?

- Reset Passwords
- Monitor Service Health
- Manage User Accounts
- Manage Service Requests

Which 4 Office 365 roles allows a user to be a Skype for Business Administrator?
Global Administrator
Password Administrator
Skype for Business Administrator
User Management Administrator

How do you get a list of Roles in Office 365?




What command is used to list Global Admins in Office 365 PowerShell?

$role = Get-MsolRole -RoleName "Company Administrator"

Get-MsolRoleMember -RoleObjectID $role.ObjectId

How do you Add or Remove an Office 365 Role member?



How do you set a UsageLocation in Office 365 PowerShell?

Set-MsolUser -UserPrincipalName -UsageLocation GB

How do you assign an Office 365 Licence in PowerShell?

(gets name of licence)

Set-MsolUserLicence -UserPrincipleName -AddLicenses

Admin Roles in Office 365

How do you set the password policy for the entire tenant in Office 365?

Set-MsolPasswordPolicy -DomainName -NotificationDays -ValidityPeriod

How do you set a Password Policy for a specific user to never expire?

Set-MsolUser -UserPrincipalName -PasswordNeverExpires $true

When you setup Azure Connect what happens to the password expiration policy in Office 365?

They get set to Never Expire.

If the local AD Passwords expire, the old passwords may still work in Office 365 until it's reset.

Can you have the following password in Office 365:


No, you can't have a password with the following in it (in succession):


How do you disable Strong Passwords in Office 365?

Set-MsolUser -UserPrincipleName -StrongPasswordRequired $false

How do you reset a user password via Office 365?

Set-MsolUserPassword -UserPrincipleName -NewPassword -ForceChangePassword $true

What is the default password history in Office 365?

1 Password

You can't use your previous password.

Which two fields are required when importing users into Office 365 via CSV:

Username (Login Name)

Display Name


Username Domain needs to exist in the tenant

What is the max amount of users you can import with CSV?

250 Max

2 Minimum

What are the User Name field limits in Office 365?

30 Characters before @
48 Characters after @

Max 79 Characters including the @

How do you get information of a deleted user in PowerShell

Get-MsolUser -UserPrincipleName -ReturnDeletedUsers

What are the three Authentication Factors?

Knowledge Factor - What you know

Possession Factor - What you have
Tokens / Cards

Inherence Factor - What you are

Max amount of App Passwords in Office 365?


What are App Passwords for in MFA?

It's so that you can assign a specific password to Apps like Office.

It stops the App from needing MFA and uses a one-time generated password.

Security Groups

- Additional SID in Azure
- Used for assigning permissions
- Cannot be used for E-Mail

Mail-Enabled Security Group

Security Group and Distribution Group

Office 365 Groups

Shared Mailbox + OneDrive (SharePoint Site)

What are the MFA Statuses in Office 365?

Disabled - Not Enabled
Enabled - Enabled but not setup yet
Enforced - Enabled and being used

How do you hard delete an Office 365 user when it has been soft deleted?

Remove-MsolUser -UserPrincipleName -RemoveFromRecycleBin

What does Sku in AccountSku mean?

Stock Keeping Unit

Billable unit

What is the description for the OFFICESUBSCRIPTION service plan?

Office Professional Plus

What is the description for the SHAREPOINTWAC service plan?

Office Online

What is the description for the MCOSTANDARD Service Plan?

Skype for Business Online

How do you get a list of unlicenced Office 365 users?

Get-MsolUser -UnlicensedUsersOnly

What does CRUD stand for?

Create New-
Read Get-
Update Set-
Delete Remove-

What are the main MsolUser switches?


How do you change a users UserPrincipalName?


How do you specify a role with the Get-MsolRole cmdlet?

By ObjectID

How do you list roles assigned to a user?


How do you set a licence for a user?


How do you set single sign on with a domain?


What does the Set-MsolUser cmdlet do?

Sets the following:

User Info
Password Expiration
Password Complexity

What does the Set-MsolUserPassword do?

Sets User Passwords

What does the Set-MsolPasswordPolicy Cmdlet do?

Tenant-Wide expiration days and notification days

What does the Set-MsolUserLicense cmdlet do?

Assigns and removes user licenses

What does the Set-MsolUserPrincipalName cmdlet do?

Changes a UserPrincipalName

What can't the Set-MsolUser cmdlet NOT modify?


How many Azure Tenants can an Azure AD Connect sync server sync to?

Just one.

Each Azure AD Connect can only sync to one Azure Tenant

Each Azure Tenant can only have one AD Connect Sync Server

What is GALSync?

A program to sync from multiple forests into multiple Azure Tenants.

User A is created as a User in Azure Tenant A

User A is created as a contact in Azure Tenant B

What is Azure AD Connect Staging Mode?

It's where you have an identical sync server used for redundancy or for testing purposes.

The Staging server is set to read only mode and does not write to Azure which is why it does not break the Azure/AD Sync 1:1 rule.

How do you add a UPN domain suffix in Active Directory?

Active Directory Domains and Trusts

Active Directory cleanups prior to Sync

What Azure AD Connect filtering can you do?

OU Filtering
Security Group Filtering (No nested groups)
Attribute filtering

Does Azure AD Connect support AD Writeback?


Writeback is writing from one local AD to another local AD

Or from one Azure AD to another local AD

What fields do Azure use by default to associate an AD user with their azure user account?

Active Directory ObjectGUID

Azure Immutable ID

What is needed for Azure Password Writeback?

An Azure Premium account

Azure AD Connect - On-Prem requirements

What is the minimum server operating system required if you wanted to install Azure AD Connect with Password Sync?

Windows Server 2008 R2 SP1

Azure AD connect can be installed onto a Windows Server 2008 but will not have Password Sync.

What is the minimum Active Directory Domain and Forest level requirements for Azure AD Connect?

Windows 2003

What is the minimum RAM and HDD requirements for Azure AD Connect?


4GB (<50K objects),

16GB (50K-100k),

32GB (100k+)


70GB (<50k objects),

100GB (50k-100k),

300GB (100k-300k),

450GB (300k-600k)


Can Azure AD Connect be installed on Server Core?

No - It needs GUI

It also cannot be installed on SBS and Server Essentials.

What attributes need to be present for the user in order for Azure AD Connect to synchronise a user to Azure AD?

ObjectGUID (Or another defined SourceAncor)


AccountEnabled (userAccountControl Attrib)

What are the SQL Requirements for Azure AD Connect?

SQL Server 2008 SP4


SQL Server 2014

What program is used to manage the Azure AD Connect sync after it has been setup?

Synchronisation Service Manager

When is the Group filtering applied in Azure AD Connect?

The Azure AD Connect Metaverse

What is the Azure AD Connect sync order?

Active Directory Import

Azure AD Import

Active Directory Full/Delta Synchronisation

Azure AD Full/Delta Synchronisation

Azure AD Export

Active Directory Export

What will happen to a users Office 365 account if you filter them out of the synchronisation when they already have an account in Office 365?

The user will be soft deleted.

AD syncs into the connector space as User Schema and enters the Metaverse as...

Person Schema

Why would you do a Full AD Connect Sync over a Delta?

If an Office 365 Admin has changed the password of a synced user via Office 365 a Full Sync must be fun.

A Delta sync won't fix this problem.

What is the cmdlet to get the AD Connect scheduler?


What is the shortest sync cycle in AD Connect?

30 Minutes

How do you force an immediate sync cycle?

Start-ADSyncSyncCycle -Policy Type

Initial is a 'Full' Sync Cycle

How do you force a stop of immediate sync cycle?


How do you change the AD Connect Sync Cycle in Powershell?

Set-ADSyncScheduler -CustomizedSyncCycleInterval

How do you check the current status of an AD Connect Sync in powershell?


What do you do if you have multiple users provisioned in Office 365 due to the user not being recognised on Sync?

Remove the User from the Sync OU, or assign an attribute to the user in AD and create an Attribute rule in Sync service manager.

Sync up to remove the duplicate user

Then run a command in Office 365 to get the ImmutableID of the removed (synced user)

Delete user from Office 365 Recycle Bin

Assign the ImmutableID to the unsynced user (The one previously managed by O365)

Move user back in Syncable OU in AD (Or remote Attrib filter) and re-sync

How does Office 365 validate a user in ADFS?

With its Token and Claims (issued by the federation server)

What type of redirect is used by Office 365to send an ADFS user back to the Federation Server for authentication?

302 Redirect

What is the format of the Token, claims and session info called when presenting to Office 365?

SAML Assertion

What is the process for an internal ADFS user to authenticate with Office 365?

User goes to portal.office.com and enters login details

User is redirected to the Federation Server via a 302 Redirection

User logs into Federation Server

Federation server checks AD and validates credentials

AD Server assigns Token and Claims, the Federation server passes back to the user.

Redirects back to Office 365

What is the process for an external ADFS user to authenticate with Office 365?

User goes to portal.office.com and enters login details

User is redirected to the WAP Proxy Server via a 302 Redirection

User logs into Proxy Server

Proxy Server speaks to the Federation Server

Federation server checks AD and validates credentials

AD Server assigns Token and Claims, the Federation server passes back to the Proxy and the Proxy passes back to the user.

Redirects back to Office 365 (302)

What is Modern Authentication?


What kind of Token is used in Modern Authentication?

JSON Web Token


What is an STS?

Secure Token Server
(Federation Server)

ADFS Versions:

Version 2.0

- Windows Server 2008 / 2008 R2 (Req Download)

Version 2.1:

Windows Server 2012

Version 3.0:

Windows Server 2012 R2

What has changed in ADFS version 3.0?

- WAP replaces Web Proxy

- No more IIS Requirements

- Modern Authentication / OAuth2 / ADAL

- Support for Azure MFA

- No more stand-alone servers (Farms only)

What is the most important ADFS Service/Server Name?

The Federation Service Name

This is the name that all clients, servers and applications use.

This should be different from the Federation Server names

Used for both FS Cluster and WAP/Proxy

What do you need in order to use multiple WAP Servers?

A Network Load Balancer

How does the WAP/Proxy know where the Federation Server(s) is?

It is done via a manual entry to the HOST file on each WAP / Proxy.

What certificates are required for ADFS?

Server Authentication (SSL) Certificate - Public CA)
- Secure incoming communications from clients to ADFS authentication endpoints

Secure Communications Certificate (Public CA)
-Provides WCF messaging security for internal communications

- Same Cert as Servrer Auth Cert

-Token-Signing Certificate (Self-Signed)
Signed Tokens sent to relying parties

- Token Decryption Certificate (Self Signed)
Decrypt encrypted tokens received from idPs

What are the two types of Databases that can be used for ADFS Federated Servers?

Windows Internal Database (Best Practice)

Windows SQL (Not on same server)

ADFS - Windows Internal Database

- Up to 30 Servers (<=100 Trusts, ADFS 3.0)

- Up to 5 Server ( >100 Trusts or ADFS 2, 2.1

- Less cost, no additional licensing

- HA (1 Primary, Additional Db's read only) - LB
- No SAML Artifact Resolution

- No Token Replay Detection

- Can be converted to SQL Later

ADFS - Windows SQL (Not on same server)

- No limit of Servers

- More Cost, requires SQL Licensing

- HA (leveraging SQL Clustering) - LB

- SAML Artifact Resolution

- Token Replay Detection

- Cannot be converted to WID

ADFS capacity planning:

< 1000 Users
You can install ADFS on existing DCs
Shared NLB

1000-15,000 User
2 x Dedicated FS Servers

Dedicated NLB

15K - 60K users

3 - 5 x Dedicated FS Server

Dedicated NLB

In ADFS 3.0, how do you install the WAP/Proxy?

It's installed under the Remote Access Role

In ADFS 2.1, how do you install the WAP/Proxy?

It's an option with the ADFS Role

What port is needed for ADFS ClientTLS?


What DNS records can you use for ADFS

A-Records only.

How do you stop a user from being able to log into Office 365 when ADFS is enabled?

Issue Claim Authorisation Rules

How would you stop a user from logging into Office 365 using their first name when ADFS is enabled?

Create an Acceptance claim rule and a new Authorisation deny rule.

By default active directory only sets claim rules on certain attributes. Need to add a transformation rule to push the attribute and then a Claim Authorisation Rule to deny users based on that attribute.

Where can you find the deny logs in Windows for ADFS?

Event Viewer > Applications and Services > AD FS > Admin

What are the two Passive ADFS authentication methods?

SAML - /adfs/ls
Oauth - /adfs/oauth

How do you enable Modern Authentication in Exchange online?

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Verify with:
Get-Organizationconfig | FT Name,Oauth*

How do you enable Modern Authentication in Skype for Business online?

Set-CdOAuthConfiguration -ClientAfalAuthOveride Allowed


What is the reason for being unable to connect to the MSolService internally from PowerShell once you've enabled Azure MFA Server?

By default internal MFA authentication only supports Windows Authentication, when you connect to MsolService it is doing it via Form Based Authentication.

You need to enable Form Based Authentication internally via the Azure MFA Server.

Should an ADFS Proxy server be joined to a Domain?


AD FS Proxy servers should not be joined to the domain.

What are acceptance Rules in ADFS?

Set of tule run when authentication is required

What are Authorization rules in ADFS?

Set of rules when authentication is granted or denied

What are Issuance Rules in ADFS?

Set of rules run when deciding what claims rules to send to requesting party

What is the purpose for the ADFS Service Account?

It Runs the "Active Directory Federations Services" Service.

It performs Kerberos Authentication tasks

What is the AD FS Service Account requirements?

It needs to be a Domain User

It needs "Logon as a service" rights on FS

It needs a Password does not expire to be set

It needs the same account on all Federation Servers in Farms

It needs "Logon as a Batch Job" rights (Only if you run Scheduled tasks

How do you enable Group Managed Service Accounts in Windows Server 2012?

Done by PowerShell:

Add-KdsRootKey -EffectiveImmediately

**Mandatory 10 Hour Wait**

Is Windows Network Load Balancer supported on a Domain Controller?


What is the PowerShell cmdlet to install ADFS?

Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

What is the PowerShell Cmdlet to install an additional ADFS Server into an existing ADFS Farm?

Add-AdfsFarmNode -PrimaryComputerName -CertificateThumbprint -GroupServiceAccountIdentifier

Modules required for Converting an Office 365 Domain to an ADFS Domain

Active Directory Powershell Module

Azure AD Powershell Module

Microsoft Online services Sign-In Assistant

What is the PowerShell command to convert an Office 365 standard domain to a Federate domain?

Convert-MsolDomainToFederated -DomainName

What command is used to specify the primary Federated Server if running the Convert-MsolDomainToFederated from a workstation?

Set-MsolADFSContect -Computer

What does the New-AdfsOrganization command do?

It can be used to create an object in order to pipe information into the Set-AdfsProperties cmdlet to set the ADFS Organization Properties

$MyOrg = New-AdfsOrganization -DisplayName "Org Name" -OrganizationUrl "http://"

Set-AdfsProperties -OrganizationInfo $MyOrg

PS Cmdlet to get ADFS Settings from PowerShell?


How do you set a new SSL Certificate on Federation Servers?

Set-AdfsCertificate -Thumbprint

Must be run on all FS Servers. Restart the service afterwards.

How do you set a new SSL Certificate on ADFS WAP Servers?

Set-WebApplicationProxySslCertificate -Thumbprint

How do you set a new ADFS Service Communications Certificate in PS?

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint

What command is used to customize Web Links and wording on the ADFS Login Pages?


What command is used to customize the imaging on the ADFS Login Pages?

Logo & Illustration


Customizing ADFS 2.0/2.1 Web Page - Location:

Logo - Web.config

Example - CommonResources.en.resx
Instructions - CommonResources.en.resx

Page Title - CommonResources.en.resx

Hostname Header - MasterPage.master.cs

Authorized Use - MasterPage.master.cs

How do you change the theme for the ADFS login Page?

Set-AdfsWebConfig -ActiveThemeName

Create a new Theme for the ADFS login

New-AdfsWebTheme -TargetName "Name"

A Managed Domain is any domain that doesn't depend on Federated services.

Office 365


Azure AD Sync

How do you convert a Federated Domain back to a Managed Domain?


How do you convert a Federated Office 365 User back to a Managed User?


How do you turn off Federated sign in for a domain when a Federated server is not reachable?

Set-MsolDomainAuthentication -DomainName -Authentication

What is the max number of objects in the Windows Internal Database?


How did you launch the Proxy configuration wizard in ADFS 2.0 / 2.1

Run FspConfigWizard.exe


Text & URLs


Logo's, Css, Illustrations, Loading Scripts


Sets the default theme

What are the two categories of reports?



Office 365 Reports:


Activations Report:

Licence Type (Pro Plus / Business)
What Device it's on

Active Users Report:

Licenced? (Exchange, One Drive....)
Last Activity Date
Licence Assigned Date
Products Assigned

Exchange Service Reports


Email Activity

Email App Usage

Mailbox Usage

One Drive / Sharepoint Reports:


OneDrive Activity User

OneDrive Usage Site URL

Skype Business Reports



Conference Organized
Conference Participated

How do you import reports directly into Excel?

Reporting Web Service - OData Data Feed

Exchange Reports:





Mail Flow Reports:


Top Mail Senders

Top Mail Recipients

Top Spam Recipients

Top Malware Recipients

What is a BCL

Bulk Complaint Level

0 Good
9 Definitely Spam

Malware Reports:


Top Malware for Mail
Top 10 Malware Agents

Malware Detections

Number of malware detections

Spam Detection Reports:


Spam Detections

Spoof Mail Report (E5 ATP Only)
Spoof Senders

Rules Reports

Content or content filtering rules

Top rules matches for mail
Rule matches for mail

DLP Reports:

Top DLP Policy matches for mail

Top DLP rule matches for mail

DLP policy matches by severity for mail

DPL policy matches, overrides, and false positives for mail

Audit log reports check activity for Office 365 services

User Activity

Admin Activity

How do you turn on user Mailbox Auditing in Office 365?

Done per mailbox
None Owner actions

Set-Mailbox -Identity -AuditEnabled $true

How do you add Owner actions to the Mailbox Audit?

Set-Mailbox -AuditOwner MailboxLogin,HardDelete....

(What you want to track is after the command)

How do you get to the Unified Office 365 Audit log reports?

Security & Compliance Center


Which audit report do you run to see what an external admin or Microsoft have been going?

External Admin Audit Log report

Office 365 Audit Log:

- Off by default

- 90 Day limit

- Dates and times are in UCP

- Only the most recent 1000 Entries show up
- Can Export Search or download all result (50K)

- Must be a Global Admin
- Must have Audit log or view Audit log permissions

Powershell Exchange Audit log commands:

Instantly Generated:


Sent via email:

How do you turn on/off the Office 365 admin audit log?


What is a Portal Email Hygiene Report?

Exchange Online reports for:

Inactive Mailboxes

Storage Quotas
Message Tracing

What are the Powershell cmdlets for Exchange Stale Mailbox Reports?



What are the Commands for the Exchange usage report(s)?



What command is used for doing a Message Trace command in Powershell?

Results are for last 7 days



What is the command to do a Message Trace with Powershell for items upto 90 Days old?


(Shows Historical Search history - Past 10 Days)

GTUBE - Test for Spam

Google the content

How do you get Alerted when there is an issue with Office 365?

The Office 365 Admin App

What is the Max Service Health History on the Service Health Dashboard


How do you monitor Office 365 Status in SCOM?

Office 365 Management Pack for System Center Operations Manager

Comes as a .mpb file

What are the two types of Support in Office 365?

Concierge Support - < 50 Users

General Support - >50 Users

What are the Connectivity Analyzer tools?

Remote Connectivity Analyser Tool (RCAT)

Microsoft Connectivity Analyser Tool (MCAT)

Lync Connectivity Analyser (LCA)

Remote Connectivity Analyser - RCA

Validate/Troubleshoot Office 365

Eliminate On-Prem Configuration

Microsoft Connectivity Analyser Tool - MCA

Locally Installed

Test End-To-End Connectivity


Exchange DNS
Outlook Connectivity
SMTP MailFlow


EWS (Sync, Notifications etc)

Lync Connectivity - On-Prem Lync Only
Lync/Skype DNS / Autodiscover (Onsite Only)


Exchange DNS
Outlook Connectivity
ActiveSync - On-Prem Exchange Only
SMTP Mailflow
Other Outlook Config Settings

Lync/Skype DNS / Autodiscover (Onsite only)

Lync Connectivity - On-Prem Lync Only

LCA Tests:

Lync/Skype DNS / Autodiscover (Onsite only)

Lync Connectivity - On-Prem Lync Only

What are the 3 Free / Busy Sharing Tools?

Hybrid Free/Busy Troubleshooting Tools

Remote Connectivity Analyser

Microsoft Connectivity Analyser Tool.

What is the only Supported Diagnostic Tool?

Microsoft Support & Recovery Assistant for Office 365

For troubleshooting Client login issues for individual user or their profile.

Where can a user access the Microsoft Support & Recovery Assistant for Office 365?

Outlook > File > Support

Microsoft Support & Recovery Assistant for Office 365 - What can it troubleshoot?

Office Activation

Outlook Configuration

Outlook for Mac Configuration

Mobile Devices

Outlook on the Web

Dynamix CRM

OneDrive for Business

Advanced Diagnostics (Exchange Online

What version of .NET and PowerShell is needed for Azure Rights Management?

PowerShell V2

.NET 4.5

How do you enable Azure Rights Management Integration in Sharepoint?

Step 1:

Settings> Information Rights Management> User the IRM Service

Step 2:

Modify properties IRM tab for library object

How do you enable Azure Rights Management integration in OneDrive?

Settings> Site Contents> Documents> Settings, permissions and Mgmt> IRM

What is the ARM PowerShell and .NET requirements?

PowerShell 4.0

.NET 4.5

What Powershell commands are used to get the all members in an Office 365 Role?

$role = Get-MsolRole -RoleName "name"

Get-MsolRoleMember -RoleObjectId $role.ObjectId

Notes about Exchange Online Administrator roles:

- Organisation Management is the most privileged role

- Office 365 Global Admins are members of 'Company Administrators' which is nested inside Organisation Management

Notes about Sharepoint Online Administrator Roles:

- SharePoint Online Administrator - Full SPO Privileges

- Site Collection Administrator
- Manage a Site Collection

- There can be multiple site collection admins but one must be primary

- Cannot Access SharePoint Admin Center

Which Administrator Role has Full Skype Privileges in Office 365?

Skype for Business Admin

What happens to OneDrive files and Skype for business history information when a user is deleted?

The contents are removed after 30-Days.

What does the % symbol mean when used in PowerShell?

It means ForEach-Object

Where does an ADFS SSL Certificate need to be installed?

All Federation Server
All Proxies

ADFS 3.0 Notes:
- Windows Server 2012 R2

- .NET 4.5

- No IIS or ASP.NET Required
- DC - Windows 2012 R2-

- Schema - Windows 2008+
- SQL Server 2008 / 2012 / 2014

- FARM Only

ADFS 2.1 Notes:

- Windows Server 2012

- IIS 8

- .NET 4.5

- ASP.NET 4.5

- DC- Windows 2012 -

-Schema Windows Server 2003 SP1

- SQL Server 2005 / 2008 / 2012

ADFS 2.0 Notes:

- Windows Server 2008 & 2008 R2

- IIS 7
- .NET 3.5.1
- .ASP.NET 2.0

- DC - Windows Server 2008 & 2008 R2

- Schema Windows Server 2003 SP1+
SQL - 2005 / 2008

Under 1000 Users = ADFS can be installed on Domain Controllers

ADFS Claims:

Claims are pieces of information about the authenticating user. They usually included data about the user queried from the Attribution Store (AD) or the login session.

Claim rules can be used to determine whether or not to issue authentication to the relying party, or what authentication flow should be, including whether to perform MFA.

What are the Three parts of the Claims Engine (aka Claims Pipeline)?

- Acceptance Rules (Claims Provider Trust)
Set of rules when authentication is requested

- Authorisation Rules (Relying Party Trust)

Set of rules when auth is granted/denied

- Issuance Rules (Relying Party Trust)
Set of rules run when deciding what claims to send over to the RP

Add Additional ADFS Servers:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Add-AdfsFarmNode (Windows 2012 R2)

ADFS 2.0 / 2.1

GUI - fsconfigwizard.exe

PS - fsconfig.exe

When must the command Set-ADFSContext be run in PowerShell?

When you are converting an Office 365 Domain Name to a Federated Domain but you're not doing it from the Primary ADFS Server

Set-AdfsContext -computer

Windows Roles for ADFS:

ADFS 3.0

-Remote Access

- Web Application Proxy (Feature)

ADFS 2.1
- Active Directory Federation Services
- Federation Server Proxy Role Service

ADFS Proxy Roles:

ADFS 3.0
- Web Application Proxy

ADFS 2.0/2.1

- Web Server Role (IIS)

- Windows Process Activation Services

Where can you change the Release preferences in the Offcie 365 admin center?

Organization> Release preferences

Where can you find the Health, Readiness and connection checks for the installation of Office?


What is the minimum requirement for installing the Health, Readiness and connection checks?

Windows 7+ 64-Bit

.NET 3.5

IE 9.0
Windows Powershell 2.0

What are the idFix minimum installation requirements?

64-bit windows

.NET 4.0



What port does _sipfederationtls._tcp use?


What ports do you need to have open for Outbound requests for Office 365?



UDP - 3478 / 3479 / 3480 / 3481 - A / V / DTS

5223 - Apple iOS push
TCP/UDP - 50,000 - 59,999

What are the Skype SOURCE ports?

50,000 - 50,019 AUDIO

50,020 - 50,039 VIDEO

50,040 - 50,059 DTS

What are the requirements for Azure Rights Management?

PowerShell v2
.NET 4.5

What report needs to be run to filter on Sender, IP, Reputation or Content?

Spam detection Report

Is ARM BYOK compatible with Exchange Online?


To encrypt attachments and messages you will need to use the Azure Keys.

What PowerShell command must be used to convert a Federated Domain back to a Managed Domain when the ADFS Server is unreachable?


How do you update a current Office 365 configuration to enable Multiple Federated Domain support?

Update-MSOLFederatedDomain -SupportMultipeDomain