OFFICIAL MICROSOFT LEARNING PRODUCT
20347A Enabling and Managing Office 365 Companion Content
Enabling and Managing Office 365
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2016 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Product Number: 20347A Released: 05/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and Prerelease course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User: For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code content that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third party code content are included for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its technology, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW. a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. This limitation applies to
• anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français. EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices. Cette limitation concerne:
• tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et.
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas. Revised July 2013
Module 1
Planning and provisioning Office 365
Contents:
Lesson 1: Overview of Office 365
Lesson 2: Provisioning an Office 365 tenant
Lesson 3: Planning a pilot deployment
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Overview of Office 365
Contents:
Question and Answers
Resources
Question and Answers Discussion: How will you use Office 365 in your organization? Question: What are your organization’s business requirements? Answer: Answers will vary, because each organization will have its own scenario for Office 365 deployment. Question: How will Office 365 meet your organization’s business requirements? Answer: Answers will vary, because each organization will have its own scenario for Office 365 deployment. Question: Which Office 365 subscription would be most suitable for your organization? Answer: Answers will vary, because each organization will have its own scenario for Office 365 deployment.
Resources Office 365 core components Additional Reading: For more information, refer to Office 365 Service Descriptions: http://aka.ms/iv18pg
Office 365 Education, Nonprofit, and Government subscriptions Additional Reading: For more information, refer to Office 365 Education: http://aka.ms/c2imoj Additional Reading: For more information, refer to Office 365 Nonprofit plans and pricing: http://aka.ms/wnd4wq Additional Reading: For more information, refer to Office 365 plans at Government pricing: http://aka.ms/knev43
Lesson 2: Provisioning an Office 365 tenant
Contents: Question and Answers, Resources

Question and Answers
Question: What are the steps involved in the process of creating a tenant account for Office 365?
Answer: The steps involved in the process of creating a tenant account for Office 365 are:
1. Select the Office 365 plan you will use for a trial.
2. Ensure you have a valid email account (organizational or Live ID will work fine).
3. Click the trial link on the Office 365 website.
4. Enter the correct information for your organization.
5. Complete the sign-in process by validating the text message or phone call.
Question: What factors should you consider when planning a custom domain?
Answer: Consider the following factors when planning a custom domain:
• Multiple domains. Plan to add the main domain that your company currently uses, along with any other domain that it uses for email messages within the organization.
• Subdomains. You might want to register subdomains if you need them for your organization subsidiaries.
• Domain adding order. You must add root domains before subdomains.
• DNS record hosting. Communicate with the organization that will host your domains about the changes needed for Office 365 deployment, such as A, CNAME, TXT and MX records.

Resources
Configuring DNS records for custom domains
Additional Reading: For more information, refer to External Domain Name System records for Office 365: http://aka.ms/d67qkh
Lesson 3: Planning a pilot deployment
Contents: Question and Answers, Resources

Question and Answers
Question: How does an Office 365 pilot compare to the traditional deployment process?
Answer: Some of the main differences between an Office 365 pilot and the traditional deployment process are:
• With the traditional deployment approach, it might take the organization several weeks or even months to reach the migration phase.
• With the Office 365 pilot FastTrack deployment approach, customers can:
  o Experience the value of Office 365 much earlier than with traditional deployment methodologies.
  o Evolve into features as and when required.
  o Determine how far to proceed with Office 365 migration.

Resources
Comparing an Office 365 pilot to the traditional deployment process
Additional Reading: For more information, refer to FastTrack for Office 365: http://aka.ms/il5z8i
Gathering customer requirements
Additional Reading: For more information, refer to Office 365 FastTrack Planning: http://aka.ms/se9j3a
Overview of deployment tools
Additional Reading: For more information, refer to FastTrack for Office 365: http://aka.ms/il5z8i
Additional Reading: For more information, refer to Office 365 for IT pros: http://aka.ms/kl703e
Additional Reading: For more information, refer to FastTrack for Office Blogs: http://aka.ms/t1mgkg
Additional Reading: For more information, refer to Office 365 Trust Center: http://aka.ms/j0074t
Additional Reading: For more information, refer to Office 365 Service Descriptions: http://aka.ms/gxsbad
Additional Reading: For more information, refer to Office 365 Roadmap: http://aka.ms/Kgo4ds
Additional Reading: For more information, refer to Software Assurance Planning Services: http://aka.ms/leudft
Module Review and Takeaways
Best Practices
Best practices for this stage of the Office 365 deployment process are:
• Ensure that you understand the organization’s need for Office 365.
• Identify any in-house services that are not going to transition to Office 365.
• Recruit the right people to be pilot users.
• Check that you have suitable infrastructure to support a connection to Office 365.

Review Question(s)
Question: If you are selected to lead the Pilot at A. Datum Corporation, what personal qualities, skills, and experience would you need to demonstrate to maximize the probability of the organization moving to the pilot phase?
Answer: If time permits, facilitate the discussion. The following qualities will be useful:
• Professional appearance
• Confidence
• Technical knowledge
• Listening skills
• Effective note-taking
• Experience of chairing meetings
All of these qualities, skills, and experience will help ensure that the organization has confidence in your ability to deliver the pilot and then move the organization to Office 365.
Lab Review Questions and Answers
Lab: Provisioning Office 365
Question and Answers
Question: Why is it important to specify the correct country when you set up an Office 365 account?
Answer: It is important to specify the correct country because some facilities are restricted on a country-by-country basis, and you cannot change the country after you have set up the account.
Question: What ports need to be open to ensure client communications with the Office 365 environment, and for what are those ports and protocols used?
Answer: The main port that must be open is 443 for encrypted web traffic.

Protocol/Port | Usage
TCP 443 | Office 365 My Company Portal; Outlook 2010 and Office Outlook 2007; Microsoft Entourage 2008 for Mac Exchange Web Services/Outlook for Mac 2011; Outlook Web App; SharePoint Online
PSOM/TLS 443 | Skype for Business Online (outbound data sharing sessions)
STUN/TCP 443 | Skype for Business Online (outbound audio, video, and application sharing sessions)
TCP 10106*** | Connects to xsi.outlook.com for Outlook Web App (not essential)
TCP 995 | POP3(S)
TCP 587 | SMTP(S) Relay with POP3
STUN/UDP 3478 | Skype for Business Online (outbound audio and video sessions)
TCP 5223 | Skype for Business mobile client push notifications
RTP/UDP 50000-50019 | Outbound Skype for Business (outbound audio sessions)
RTP/UDP 50020-50039 | Outbound Skype for Business (outbound video sessions)
TCP 50040-50059 | Outbound Skype for Business Application sharing and file transfer
Module 2
Managing Office 365 users and groups
Contents:
Lesson 1: Managing user accounts and licenses
Lesson 2: Managing passwords and authentication
Lesson 3: Managing security groups in Office 365
Lesson 4: Managing Office 365 users and groups with Windows PowerShell
Lesson 5: Configuring administrative access
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1: Managing user accounts and licenses
Contents: Question and Answers, Resources

Question and Answers
Question: What types of user accounts are available in Office 365?
Answer: The following types of user accounts are available in Office 365:
• Cloud identities—when using these, you create and manage users in Office 365 only.
• Directory synchronized identities by using an on-premises directory service to synchronize with Office 365.
• Federated identities by using Active Directory Federation Services (AD FS).

Resources
Deleting and recovering user accounts
Additional Reading: For more information, refer to How to troubleshoot deleted user accounts in Office 365, Azure, and Intune: http://aka.ms/prede5
For more information, refer to Manage inactive mailboxes in Exchange Online: http://aka.ms/qlb3b1
Lesson 2: Managing passwords and authentication
Contents: Question and Answers

Question and Answers
Question: What password policy options are available in Office 365?
Answer: The following password policy options are available in Office 365:
• Password expiration policy:
  o Specify the number of days until the password expires.
  o Specify the number of days for the user notification warning about the password expiration.
• Resetting user passwords:
  o Create a new temporary password for users.
• Resetting admin passwords:
  o You can ask another administrator to reset it for you.
  o Reset it yourself.
Question: How can you enable multi-factor authentication in Office 365, and what multi-factor authentication options are available?
Answer: An administrator enables multi-factor authentication on a per-user basis. Multi-factor authentication options in Office 365 include:
• Call my mobile phone
• Text code to my mobile phone
• Call my office phone
• Notify me through app
• Show one-time code in app
Lesson 3: Managing security groups in Office 365
Contents: Question and Answers

Question and Answers
Question: List the three types of mail-enabled groups in Exchange Online in Office 365.
Answer: The three types of mail-enabled groups in Exchange Online in Office 365 are:
• Distribution groups. Use these groups only to distribute messages to a set of recipients.
• Mail-enabled security groups. Use these groups to distribute messages and to provide access to resources.
• Dynamic distribution groups. These groups do not have a predefined member list, because they use recipient filters and conditions that you define to determine membership dynamically at the time that messages are sent.
Lesson 4: Managing Office 365 users and groups with Windows PowerShell
Contents: Resources

Resources
Overview of managing Office 365 by using Windows PowerShell
Additional Reading: For a detailed list of Azure management cmdlets, refer to AzureADHelp: http://aka.ms/rlunlo
Managing users and licenses by using Windows PowerShell
Additional Reading: For more information, refer to How to troubleshoot deleted user accounts in Office 365, Azure, and Intune: http://aka.ms/g5rx76
Lesson 5: Configuring administrative access
Contents: Question and Answers

Question and Answers
Question: What are the administrator roles that you can assign in Office 365?
Answer: The administrator roles that you can assign:
• Global administrator
• Billing administrator
• Password administrator
• Service administrator
• User management administrator
• Exchange Online administrator
• Skype for Business Online administrator
• SharePoint Online administrator
Module Review and Takeaways
Best Practices
• Always perform detailed planning for user and group management, and check the plan in a test Office 365 tenant before deploying in production.
• Plan and test user administrative tasks to improve user management efficiency and to eliminate errors in the production environment, especially when running Windows PowerShell scripts.
• Plan for multi-factor authentication to help administrators choose the authentication method that suits their organizational security requirements.
• Plan administrative roles to distribute administrative tasks according to organizational security and business requirements.

Review Question(s)
Question: What is the most efficient way of creating user accounts if your organization decides to migrate to Office 365?
Answer: Answers will vary depending on the type of identities that you use in an organization. The types of identities include:
• Cloud identities. An administrator exports user accounts from the Active Directory site and performs bulk import into Office 365.
• Directory synchronized identities by using an on-premises directory service to synchronize with Office 365.
• Federated identities by using AD FS. When using federated identities, administrators manage users on-premises and synchronize on-premises directory objects with Office 365. The process where users sign in only once is referred to as single sign-on (SSO).
Question: How will you configure Office 365 password policies in your organization, and will you use multi-factor authentication?
Answer: Answers might vary, but possible answers might include:
• Some organizations configure a longer period before passwords expire, and some organizations shorten the period because of security restrictions.
• Some organizations want to strengthen security and enable multi-factor authentication.
Question: Why is it more convenient to assign permissions to security groups than to users?
Answer: Assigning permissions to security groups helps make administering security for resources easier and more efficient. When you assign permissions to groups, administrators control group membership only to provide users with appropriate permission levels. For example, if a user needs a permission level, the administrator includes that user as a member of the appropriate group that has preassigned permissions. Removing the user from the group removes permissions from the user that were assigned because of a group membership.
Question: In which management scenarios will you use Office 365 with Windows PowerShell rather than the Office 365 admin center?
Answer: Use Windows PowerShell in scenarios where bulk object management is necessary, whereas, if you need to configure a single setting, the Office 365 admin center is more convenient.
Question: In which scenarios will you use RBAC in Office 365?
Answer: Use RBAC in enterprise organizations where multiple administrator teams have responsibilities for different aspects of Office 365 administration, such as managing users, groups, subscriptions, and passwords. Smaller organizations might not use RBAC because only a few administrators are responsible for all types of administrative tasks.
Lab Review Questions and Answers
Lab A: Managing Office 365 users and passwords
Question and Answers
Question: After creating a user account, what account settings are available for you to edit in the Active Users window of the Office 365 admin center?
Answer: In the Active Users window of the Office 365 admin center, an administrator can perform the following editing tasks for a user account:
• Reset password, edit user roles, delete, edit, and add to group
• Edit the primary email address
• Edit the assigned license
• Edit Microsoft Office installations
• Edit mailbox permissions
• Edit Exchange properties
• Edit Skype for Business properties
Question: What password policy settings are available in Office 365?
Answer: In Office 365, the following password policy settings are available:
• Set passwords to never expire
• Number of days before passwords expire
• Days before a user is notified that their password will expire

Lab B: Managing Office 365 groups and administration
Question and Answers
Question: How would you design your group structure to minimize adding and removing people from groups?
Answer: Use nested groups and assign permissions to the group rather than to individual users.
Question: What should you do before you can use Windows PowerShell to administer users and groups in Office 365?
Answer: Run Azure AD module for Windows PowerShell with administrative rights, and then run the Connect-msol command. Provide the credentials of an account that has global admin or user management admin rights.
Question: Why would you create multiple administrative roles in Office 365 by using role-based access control (RBAC)?
Answer: RBAC provides predefined permissions assigned to different users or groups. By using RBAC, you can separate administrative tasks for different administrators according to organizational security and business requirements. For example, some administrators are responsible for managing user and group accounts, and other administrators are responsible for assigning appropriate Office 365 licenses to users.
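
Added example, not part of the course material: an audit that ties together this module's answers on Windows PowerShell, administrator roles, multi-factor authentication, and password policy by listing every administrator role holder with their per-user MFA state and password-expiry flag, followed by the expiration settings of each managed domain. It assumes the Azure AD module for Windows PowerShell (MSOnline) is installed and uses that module's Connect-MsolService cmdlet; "Company Administrator" is the name that module gives the global administrator role.

```powershell
# Added example (not from the course). Requires the MSOnline module,
# i.e. the Azure AD module for Windows PowerShell referred to in the lab.
Import-Module MSOnline

# Sign in with an account that has global admin or user management admin rights.
Connect-MsolService

# Walk every directory role and collect its user members.
$adminReport = foreach ($role in Get-MsolRole) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' }

    foreach ($member in $members) {
        $user = Get-MsolUser -ObjectId $member.ObjectId

        # Per-user MFA: an empty requirements list means MFA was never enabled.
        $mfaState = 'Disabled'
        if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $mfaState = $user.StrongAuthenticationRequirements[0].State
        }

        [pscustomobject]@{
            Role                 = $role.Name
            UserPrincipalName    = $user.UserPrincipalName
            MfaState             = $mfaState
            PasswordNeverExpires = [bool]$user.PasswordNeverExpires
            SignInBlocked        = $user.BlockCredential
            LastPasswordChange   = $user.LastPasswordChangeTimestamp
        }
    }
}

# Full listing, then the findings to review first.
$adminReport | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize

$noMfa        = @($adminReport | Where-Object { $_.MfaState -eq 'Disabled' })
$neverExpires = @($adminReport | Where-Object { $_.PasswordNeverExpires })
$globalAdmins = @($adminReport | Where-Object { $_.Role -eq 'Company Administrator' })

"Admin role assignments without MFA:            {0}" -f $noMfa.Count
"Admin role assignments with non-expiring pwd:  {0}" -f $neverExpires.Count
"Global administrators:                         {0}" -f $globalAdmins.Count

# Password expiration settings for each verified, managed (non-federated) domain.
# Blank values mean no custom value has been set on that domain.
Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' -and $_.Authentication -eq 'Managed' } |
    ForEach-Object {
        $policy = Get-MsolPasswordPolicy -DomainName $_.Name
        [pscustomobject]@{
            Domain           = $_.Name
            ValidityPeriod   = $policy.ValidityPeriod
            NotificationDays = $policy.NotificationDays
        }
    } | Format-Table -AutoSize
```

A user who holds several roles appears once per role, so the counts are role assignments rather than distinct accounts. Microsoft has since deprecated the MSOnline module in favor of Microsoft Graph PowerShell.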
Module 3
Configuring client connectivity to Microsoft Office 365
Contents:
Lesson 1: Planning for Office 365 clients
Lesson 2: Planning connectivity for Office 365 clients
Lesson 3: Configuring connectivity for Office 365 clients
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1: Planning for Office 365 clients
Contents: Resources

Resources
Office Online
Additional Reading: For more information, refer to Differences between using a document in the browser and in Word: http://aka.ms/b2wwul
Additional Reading: For more information, refer to Differences between using a notebook in the browser and in OneNote: http://aka.ms/js6f8w
Additional Reading: For more information, refer to How certain features behave in PowerPoint Online: http://aka.ms/edhcwl
Additional Reading: For more information, refer to Differences between using a workbook in the browser and in Excel: http://aka.ms/sc8n0n
Additional Reading: For more information on browser requirements, refer to Office Online browser support: http://aka.ms/jv2cok
Lesson 2: Planning connectivity for Office 365 clients
Contents: Question and Answers, Resources

Question and Answers
Question: Which tools will you use for evaluating network connectivity for Office 365?
Answer: The Office 365 health, readiness, and connectivity checks; Microsoft Office 365 Best Practices Analyzer; and the Microsoft Office 365 Client Performance Analyzer tool.
Question: What is Autodiscover?
Answer: The Autodiscover service in Office 365 provides configuration information that Outlook requires to create a client’s configuration profile. The Autodiscover service provides profile settings to Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, and Lync and Skype for Business clients.
Question: Which tools will you use to troubleshoot client connectivity with Office 365?
Answer: You will use the Microsoft Remote Connectivity Analyzer tool and the Office 365 Client Performance Analyzer tool.

Resources
Requirements for network infrastructure
Additional Reading: For more information on the list of ports, refer to Ports and protocols used by Office 365: http://aka.ms/ifj2gl
Additional Reading: For more information on IP-based filtering, refer to Office 365 URLs and IP address ranges: http://aka.ms/Rploze
Requirements for network bandwidth
Additional Reading: For more information, refer to Exchange Client Network Bandwidth Calculator: http://aka.ms/r7m054
Additional Reading: For more information, refer to Skype for Business, Bandwidth Calculator: http://aka.ms/i6jsff
What is Autodiscover?
Additional Reading: You can find the Remote Connectivity Analyzer tool at the following URL: http://aka.ms/ppl6h8
Troubleshooting client connectivity
Additional Reading: For more information on the specific error conditions that are identified by the Microsoft Connectivity Analyzer Tool, and for help on resolving the issue, refer to the Microsoft Connectivity Analyzer Tool: http://aka.ms/aphk3s
Lesson 3: Configuring connectivity for Office 365 clients
Contents: Question and Answers, Resources

Question and Answers
Question: Outlook uses which protocols to connect to Office 365?
Answer: Outlook can connect to Office 365 by using either MAPI over HTTP or Outlook Anywhere (RPC over HTTP).
Question: What steps should you perform to enable MDM in Office 365?
Answer: To enable MDM in Office 365, you must perform the following steps:
1. Activate MDM in Office 365.
2. Set up MDM for Office 365.
3. Set up device security policies.
4. Enroll users.
5. Manage devices.

Resources
Working with Office Online
Additional Reading: For more information on Office Online, refer to Office Online Service Description: http://aka.ms/qla0s5
Configuring the OneDrive for Business client
Additional Reading: For more information, refer to What is OneDrive for Business?: http://aka.ms/p9wzus
Module Review and Takeaways
Best Practice
• Planning is the key to a successful Office 365 client deployment, and your planning process should include:
  o Analyzing Office 365 clients and deciding which clients meet the organization’s business requirements.
  o Performing a detailed review of all DNS record changes that are needed for the Office 365 deployment process. Without a proper DNS configuration, there might be issues when clients connect to Office 365 services.
  o Planning network connectivity. When you migrate your infrastructure to Office 365, all of your organization’s resources are hosted in the cloud. Therefore, you need a reliable Internet connection to support client connections to Office 365.
  o Planning changes that you need to configure in your organization’s network infrastructure, such as firewalls and internal DNS servers that provide connectivity to Office 365.
  o Preparing a thorough support plan for users to help them transition to Office 365 services.

Lab Review Questions and Answers
Lab: Configuring client connectivity to Office 365
Question and Answers
Question: Why do you need to edit the DNS configuration, and add the canonical name (CNAME), service (SRV), and MX records?
Answer: You add the CNAME and SRV records to configure the Autodiscover service, and then after you configure the CNAME and SRV records, Outlook and Skype for Business clients are able to connect to Exchange Online and Skype for Business Online services in Office 365. You also configure the MX record so that external email servers can locate and send email to Exchange Online in Office 365.
Question: How can you verify that the Autodiscover service in Office 365 is properly configured?
Answer: Use Remote Connectivity Analyzer to simulate client connections. Open Outlook and Skype for Business clients, and then verify that the clients can connect to Exchange Online and Skype for Business Online services in Office 365.
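
Added example, not part of the course material: a DNS check for the CNAME, SRV, and MX records discussed in the lab review above, flagging records that are missing or that point somewhere other than Office 365 (for instance a leftover MX record that would let mail bypass Exchange Online). The domain contoso.com is a placeholder, and the expected targets are the values Microsoft publishes in its external DNS record list for Office 365, not values taken from this course.

```powershell
# Added example (not from the course). Pass your own verified custom domain.
param(
    [string]$Domain = 'contoso.com'   # placeholder domain
)

# Expected targets are assumptions of this example, taken from Microsoft's
# published external DNS record list for Office 365.
$checks = @(
    @{ Name = "autodiscover.$Domain";           Type = 'CNAME'; Field = 'NameHost'
       Pattern = '^autodiscover\.outlook\.com$' }
    @{ Name = $Domain;                          Type = 'MX';    Field = 'NameExchange'
       Pattern = '\.mail\.protection\.outlook\.com$' }
    @{ Name = "_sip._tls.$Domain";              Type = 'SRV';   Field = 'NameTarget'
       Pattern = '^sipdir\.online\.lync\.com$'; Port = 443 }
    @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Field = 'NameTarget'
       Pattern = '^sipfed\.online\.lync\.com$'; Port = 5061 }
)

function Test-O365DnsRecord {
    param([hashtable]$Check)

    # Keep only answers of the requested type; a failed lookup can return an
    # SOA record, and SRV lookups can carry extra address records.
    $answers = @(Resolve-DnsName -Name $Check.Name -Type $Check.Type -DnsOnly `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq $Check.Type })

    $found  = ''
    $status = 'MISSING'

    if ($answers.Count -gt 0) {
        $found = ($answers | ForEach-Object {
            $target = ([string]$_.($Check.Field)).TrimEnd('.')
            if ($Check.Port) { '{0}:{1}' -f $target, $_.Port } else { $target }
        }) -join ', '

        # Every answer must match: one stray record is enough to misroute
        # clients or mail, so a single mismatch marks the whole check.
        $unexpected = @($answers | Where-Object {
            ([string]$_.($Check.Field)).TrimEnd('.') -notmatch $Check.Pattern -or
            ($Check.Port -and $_.Port -ne $Check.Port)
        })
        $status = if ($unexpected.Count -eq 0) { 'OK' } else { 'UNEXPECTED' }
    }

    [pscustomobject]@{
        Record = $Check.Name
        Type   = $Check.Type
        Status = $status
        Found  = $found
    }
}

$results = foreach ($check in $checks) { Test-O365DnsRecord -Check $check }
$results | Format-Table -AutoSize

$problems = @($results | Where-Object { $_.Status -ne 'OK' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} record(s) need review before clients rely on Autodiscover." -f $problems.Count)
}
```

Run it from a machine that uses the same resolvers as the clients, and again against a public resolver, because internal and external DNS zones for the same domain can differ.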
Module 4
Planning and configuring directory synchronization
Contents:
Lesson 1: Planning and preparing for directory synchronization
Lesson 2: Implementing directory synchronization by using Azure AD Connect
Lesson 3: Managing Office 365 identities with directory synchronization
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1: Planning and preparing for directory synchronization
Contents: Resources

Resources
Planning directory synchronization
Additional Reading: For more information, refer to the Azure Hybrid Identity Design Considerations Guide: http://aka.ms/ibuqek
Prerequisites for directory synchronization
Additional Reading: For more information, refer to You receive a "This company has exceeded the number of objects that can be synchronized" error in a directory synchronization report: http://aka.ms/r4x1q4
Additional Reading: For more information, refer to Prepare Active Directory and domains: http://aka.ms/xwdxic
Additional Reading: For more information, refer to Prepare for directory synchronization: http://aka.ms/esbu4f
Preparing for directory synchronization
Additional Reading: For more information, refer to Directory synchronization and source of authority: http://aka.ms/fvexdc
Additional Reading: For more information, refer to Prepare for directory synchronization: http://aka.ms/e1d0ft
Additional Reading: For more information, refer to Readiness Checks: http://aka.ms/b3lsxp
Additional Reading: For more information, refer to IdFix DirSync Error Remediation Tool: http://aka.ms/sr02nb
Lesson 2: Implementing directory synchronization by using Azure AD Connect
Contents: Resources

Resources
Azure AD Connect requirements
Additional Reading: For more information, refer to Office 365 URLs and IP address ranges: http://aka.ms/A4c1kq
Azure AD Connect customized synchronization
Additional Reading: For more information, refer to Configuring Alternate Login ID: http://aka.ms/nqh5gc
Azure AD Connect monitoring features
Additional Reading: For more information, refer to Monitor your on-premises identity infrastructure and synchronization services in the cloud: http://aka.ms/dqaaps
Lesson 3: Managing Office 365 identities with directory synchronization
Contents: Resources

Resources
Managing users with directory synchronization
Additional Reading: For more information on how to troubleshoot deleted user accounts in Office 365, refer to: http://aka.ms/cmof9n
Additional Reading: For more information, refer to Getting all Licensed Office 365 users with PowerShell: http://aka.ms/me03qp
Additional Reading: For more information, refer to How to Use PowerShell to Automatically Assign Licenses to Your Office 365 Users: http://aka.ms/pwr39r
Modifying directory synchronization
Additional Reading: For more information, refer to Azure AD Connect sync: Configure Filtering: http://aka.ms/au8smo
Monitoring directory synchronization
Additional Reading: For more information, refer to AzureADHelp: http://aka.ms/pfsm1x
Troubleshooting directory synchronization
Additional Reading: For more information, refer to Directory synchronization and source of authority: http://aka.ms/cdm2kk
Additional Reading: For more information, refer to How to troubleshoot Azure Active Directory Sync tool installation and Configuration Wizard errors: http://aka.ms/bz5cjw
Module Review and Takeaways
Best Practices
• You must have a proper project plan.
• If using filtering, it should be set up before synchronizing any objects.
• You should work with a cloud services partner.
• You should perform thorough capacity planning.
• You should remediate AD DS before deploying directory synchronization.
• You should add all SMTP domains as verified domains before synchronizing.

Review Question(s)
Question: What are some of the typical issues that can arise if UPN suffixes are not properly configured before directory synchronization is deployed?
Answer: If directory synchronization has already been deployed, the user’s UPN for Office 365 might not match the user’s on-premises UPN defined in AD DS; this can occur if the user was assigned an Office 365 subscription license before the domain was verified.

Real-world Issues and Scenarios
Because directory synchronization is the link between your on-premises AD DS objects and the services in Office 365, be very careful when making changes to Azure AD Connect or the Synchronization Service Manager after production deployment. For example, a minor mistake in filtering could accidentally delete all user mailboxes in Office 365 very quickly. In some environments, you might test all changes on a separate directory synchronization server in test that is connected to a separate Office 365 tenant (trial). In addition, you should manually initiate run profiles for each management agent in Synchronization Service Manager and observe the pending actions before exporting to Office 365. In some cases, it might be a good idea to create a new run profile for exporting to Azure AD that includes a maximum limit on the number of allowed deletions.

Tools
IdFix. The Office 365 IdFix tool provides you the ability to identify and remediate the majority of object synchronization errors in your AD DS forests in preparation for deployment to Office 365.

Common Issues and Troubleshooting Tips
Common Issue: Directory synchronization filtering is no longer working.
Troubleshooting Tip: It is important to be on the latest version of the directory synchronization tool, because the link on the Office 365 admin center is always directed to the most current release. However, when upgrading to a new version of the tool, all existing filters and other management agent customizations will not automatically import into the new installation. If you are upgrading to a newer version of directory synchronization, you must always manually reapply filtering configurations after you upgrade, but before you run the first synchronization cycle.
Common Issue: After installing Azure AD Connect, you might be prompted with the following error message when you open Synchronization Service Manager: "Unable to connect to the Synchronization Service."
Troubleshooting Tip: Add the appropriate Azure AD Connect domain user account to the ADSyncAdmins group and sign out and then sign in. The domain user account that is signed in during installation of Azure AD Connect is automatically added to the group, but will still need to sign off/on before successfully opening Synchronization Service Manager.
Lab Review Questions and Answers
Lab: Configuring directory synchronization
Question and Answers
Question: How do you configure OU level filtering for directory synchronization?
Answer: Synchronization Service Manager is used to configure details of the synchronization tasks to be performed during directory synchronization operations, including configuration of OU level filtering.
Feedback: While there are two tools for managing the three filtering configuration types of Azure AD Connect (Synchronization Service Manager and Synchronization Rules Editor), the Synchronization Service Manager is the only tool you can use to manage filtering of OUs in Azure AD Connect.
Module 5
Planning and deploying Office 365 ProPlus
Contents:
Lesson 1: Overview of Office 365 ProPlus
Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments
Lesson 3: Planning and managing centralized deployments of Office 365 ProPlus
Lesson 4: Office Telemetry and reporting
Lab Review Questions and Answers
Lesson 1: Overview of Office 365 ProPlus
Contents: Resources

Resources
Overview of Office 365 deployment
Additional Reading: For more information, refer to Uninstall Office 2013, Office 2016, or Office 365 from a Windows computer: http://aka.ms/imbv8i
Additional Reading: For more information, refer to Office 2016 Deployment Guides for Admins: http://aka.ms/v9e5xl
Office 365 ProPlus update branches
Additional Reading: For more information, refer to Reference for Click-to-Run configuration.xml file: http://aka.ms/clh5x3 and Install the First Release build for Office 365 for business customers: http://aka.ms/Qpy0w7
Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments
Contents: Resources

Resources
Managing user-driven installations
Additional Reading: For more information, refer to 64-bit editions of Office 2013: http://aka.ms/qovxa7
Considerations for user-driven deployments
Additional Reading: For more information, refer to System requirements for Office: http://aka.ms/ghq4zw
Additional Reading: For more information, refer to Office 365 mobile setup – Help: http://aka.ms/Ca6hpo
Lesson 3
Planning and managing centralized deployments of Office 365 ProPlus Contents: Resources
Resources Overview and customization of Office Deployment Tool Additional Reading: For information, refer to Office Deployment Tool for Click-to-Run: http://aka.ms/uic22i Additional Reading: For more information, refer to Reference for Click-to-Run configuration.xml file: http://aka.ms/clh5x3
Managing and deploying Office with Group Policy Additional Reading: For more information, refer to Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool: http://aka.ms/bengwp
Lesson 4
Office Telemetry and reporting Contents: Resources
Resources Deploying and configuring Office Telemetry Additional Reading: For more information, refer to Manage the privacy of data monitored by telemetry in Office: http://aka.ms/qhi35p
Office Telemetry considerations Additional Reading: For more information, refer to Troubleshooting Telemetry Dashboard deployments: http://aka.ms/ovxlg9
Lab Review Questions and Answers
Lab: Managing Office 365 ProPlus installations
Question and Answers
Question: Why do you need to edit the configuration.xml file when preparing to use managed deployments of Office 365 ProPlus?
Answer: You use this configuration file to specify the Universal Naming Convention (UNC) path to the shared folder containing the Office 365 ProPlus source files, and also to specify products and languages to install.
Question: How can you verify that the Click-to-Run service is running?
Answer: Use Task Manager, and in the Processes list, under Background processes, look for Microsoft Office Click-to-Run. You can also click the Details tab, and look for officeclicktorun.exe in the task list.
Planning and managing Exchange Online recipients and permissions 6-1
Module 6
Planning and managing Exchange Online recipients and permissions
Contents:
Lesson 1: Overview of Exchange Online
Lesson 2: Managing Exchange Online recipients
Lesson 3: Planning and configuring Exchange Online permissions
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Overview of Exchange Online Contents: Question and Answers Resources
Question and Answers Question: How will your organization use Exchange Online? Answer: Answers will vary based on students’ organizational needs.
Resources Exchange Online features Additional Reading: For more information on the new features in the latest version of Exchange Online, refer to What's new in Exchange Online: http://aka.ms/S44j3g
Connect to Exchange Online from Windows PowerShell Additional Reading: You can obtain the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center: http://aka.ms/vl42dg Additional Reading: You can download the Azure Active Directory Module for Windows PowerShell (64-bit version) here: http://aka.ms/Pwx3a9
Lesson 2
Managing Exchange Online recipients Contents: Question and Answers Resources
Question and Answers
Question: A mail user is the same as a mailbox user.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: A mail user combines some of the attributes of a full mailbox user with the characteristics of a contact. The main difference between a mail user and a mailbox user is that the mail user does not have a mailbox, although, unlike a contact, the mail user can sign in to your Office 365 tenant.
Resources Bulk importing contacts Additional Reading: To download the sample .csv file, refer to Sample CSV file to bulk-create external contacts in Exchange Online: http://aka.ms/t6ip2e
Lesson 3
Planning and configuring Exchange Online permissions Contents: Question and Answers
Question and Answers
Question: What requirements does your organization have for assigning Exchange Online permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?
Answer: Answers will vary. In most organizations, a central team of Exchange administrators will likely maintain full control of the Exchange environment, while another team might need permissions to create mailboxes. Other organizations might have complicated administrative scenarios in which different groups need many different permission levels.
Module Review and Takeaways
Review Question(s)
Question: What do you need to do to manage your Exchange Online tenant by using Windows PowerShell?
Answer: Before you can use Windows PowerShell to manage Exchange Online, you must connect to it by following this procedure:
1. Install the Microsoft Azure Active Directory (Azure AD) module:
   a. Microsoft Online Services Sign-In Assistant for IT Professionals
   b. Azure Active Directory Module
2. Run the following Windows PowerShell script:

   # Prompt for the Office 365 administrator credentials
   $credential = Get-Credential
   # Load the Azure AD module and connect to the tenant
   Import-Module MsOnline
   Connect-MsolService -Credential $credential
   # Open a remote session to Exchange Online and import its cmdlets
   $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
   Import-PSSession $exchangeSession -DisableNameChecking

Question: What types of groups can you use in Exchange Online?
Answer: Exchange Online provides additional group features, which enable the creation of the following group types:
• Mail-enabled security groups
• Mail-enabled distribution groups
• Mail-enabled dynamic distribution groups
Lab Review Questions and Answers
Lab: Managing Exchange Online recipients and permissions
Question and Answers
Question: What Windows PowerShell cmdlet can you use to add a mail-enabled security group to your Exchange Online subscription?
Answer: You can use the New-DistributionGroup cmdlet. For example:

   New-DistributionGroup -Name "File Server Managers" -Alias fsadmin -Type security

Question: In the lab, you ran the Set-CalendarProcessing "Conference Room" -AutomateProcessing AutoAccept cmdlet. What do the -AutomateProcessing AutoAccept switches do?
Answer: The switches configure the room mailbox to process booking requests automatically.
Planning and configuring Exchange Online services 7-1
Module 7
Planning and configuring Exchange Online services
Contents:
Lesson 1: Planning and configuring email flow in Office 365
Lesson 2: Planning and configuring email protection in Office 365
Lesson 3: Planning and configuring client access policies
Lesson 4: Migrating to Exchange Online
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Planning and configuring email flow in Office 365 Contents: Question and Answers
Resources
Question and Answers
Question: You have a trouble ticket to resolve that indicates that automatic replies and automatically forwarded messages are being delivered outside of your Exchange organization. Furthermore, the ticket indicates that this behavior needs to stop, and that you should not allow rule generated messages outside your organization. What is the best way to implement these changes?
( ) Modify the default remote domain to block automatic replies and automatic forwarding.
( ) Create a new remote domain that blocks automatic replies and automatic forwarding.
( ) Use Set-OrganizationConfig to block automatic replies and automatic forwarding.
( ) Use a script to block automatic replies and automatic forwarding for all users.
( ) Create a transport rule to block automatic replies and automatic forwarding.
Answer:
(√) Modify the default remote domain to block automatic replies and automatic forwarding.
( ) Create a new remote domain that blocks automatic replies and automatic forwarding.
( ) Use Set-OrganizationConfig to block automatic replies and automatic forwarding.
( ) Use a script to block automatic replies and automatic forwarding for all users.
( ) Create a transport rule to block automatic replies and automatic forwarding.
Feedback: The default remote domain applies to all outbound messages by using the address space of *. You must modify this to block automatic replies and automatic forwarding.
Question: After adding a domain to Office 365, you need to configure it as an accepted domain before Exchange Online can use it for email reception.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: When you add a domain to Office 365, Office 365 adds it automatically as an accepted domain.
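An added example, not part of the course material: the check behind the first answer above, written as a PowerShell audit that flags every remote domain still allowing automatic replies or automatic forwarding. The function name and the sample objects are constructed for illustration; Get-RemoteDomain and Set-RemoteDomain are Exchange Online cmdlets and need an imported Exchange Online session.

```powershell
# Added example (not from the course): report remote domains that let
# rule-generated mail (automatic replies, automatic forwards) leave the tenant.
function Get-RemoteDomainAutoMessageExposure {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-RemoteDomain output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$RemoteDomain
    )
    process {
        foreach ($rd in $RemoteDomain) {
            [pscustomobject]@{
                Name               = $rd.Name
                DomainName         = $rd.DomainName
                AutoReplyEnabled   = [bool]$rd.AutoReplyEnabled
                AutoForwardEnabled = [bool]$rd.AutoForwardEnabled
                # Exposed when either kind of automatic message is allowed out
                Exposed            = [bool]($rd.AutoReplyEnabled -or $rd.AutoForwardEnabled)
            }
        }
    }
}

# Constructed sample input so the function can be tried without a tenant.
# "Default" uses the address space * and covers every domain that has no
# more specific remote domain entry.
$sample = @(
    [pscustomobject]@{ Name = 'Default'; DomainName = '*'
                       AutoReplyEnabled = $true;  AutoForwardEnabled = $true }
    [pscustomobject]@{ Name = 'Partner'; DomainName = 'partner.example'
                       AutoReplyEnabled = $false; AutoForwardEnabled = $true }
)
$sample | Get-RemoteDomainAutoMessageExposure | Where-Object Exposed | Format-Table

# With an Exchange Online session imported, audit the real configuration.
# A remote domain with a more specific DomainName takes precedence over
# Default for that namespace, so every entry is checked, not only Default.
if (Get-Command Get-RemoteDomain -ErrorAction SilentlyContinue) {
    Get-RemoteDomain | Get-RemoteDomainAutoMessageExposure | Where-Object Exposed

    # The change the answer describes, left commented so that running the
    # audit never alters the tenant:
    # Set-RemoteDomain -Identity Default -AutoReplyEnabled $false -AutoForwardEnabled $false
}
```

Rerun the audit after the change; any remaining row with Exposed set to True is a remote domain other than Default that still permits automatic messages for its namespace.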
Resources Overview of email flow in Office 365 Additional Reading: For information about customizing SPF records, refer to Customize an SPF record to validate outbound email sent from your domain: http://aka.ms/Bg0478
Lesson 2
Planning and configuring email protection in Office 365 Contents: Question and Answers
Resources
Question and Answers
Question: Selecting the Enable safe list option in the connection filter reduces the risk of false positives.
( ) True
( ) False
Answer:
(√) True
( ) False
Feedback: The safe list is a list of email senders that Microsoft maintains that it knows to be safe senders. Selecting the Enable safe list option ensures that EOP does not mark messages from those safe senders as spam.
Question: What is the difference between spam and high-confidence spam?
Answer: Each incoming message receives an SCL value. The higher the SCL value, the higher the likelihood that the message is spam. Messages marked as spam have an SCL value of 5 or 6. Messages marked as high-confidence spam have an SCL value of 7 or higher.
Resources Integrating EOP with on-premises Exchange servers Additional Reading: For a list of IP addresses that EOP uses, refer to Exchange Online Protection IP addresses: http://aka.ms/Jbnjfg
Lesson 3
Planning and configuring client access policies Contents: Question and Answers
Question and Answers
Question: How does Office 365 differentiate between public and private computers that attempt to connect to it?
Answer: By default, Office 365 considers all computers to be private. The differentiation between public and private is relevant only when you have configured AD FS for single sign on (SSO). In this scenario, Office 365 considers a sign-in from the internal network to be private and a sign-in from the external network to be public.
Question: The default configuration for mobile devices quarantines all devices until an administrator approves them.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: The default configuration for mobile devices allows any type of mobile device to connect as long as the user has Exchange ActiveSync enabled. Exchange ActiveSync is enabled for all users by default.
Lesson 4
Migrating to Exchange Online Contents: Question and Answers Resources
Question and Answers
Question: Your organization currently is using Gmail and Google Docs, and has decided to migrate to Office 365 for email and file sharing. Which migration type should you use so your end users experience the least amount of downtime?
( ) Cutover Exchange migration
( ) Staged Exchange migration
( ) IMAP migration
( ) PST migration
( ) Exchange Online hybrid mode
Answer:
( ) Cutover Exchange migration
( ) Staged Exchange migration
(√) IMAP migration
( ) PST migration
( ) Exchange Online hybrid mode
Feedback: For a non-Exchange email system, the only two migration options are IMAP or PST. An IMAP migration results in less downtime, because there is no lag waiting for historical data to be imported.
Question: Your organization has an on-premises Exchange Server 2010 deployment, and wants to migrate to Office 365. Your organization has 3,000 mailboxes, with an average mailbox size of 1 GB. Which migration type should you use?
( ) Cutover Exchange migration
( ) Staged Exchange migration
( ) IMAP migration
( ) PST migration
( ) Exchange Online hybrid mode
Answer:
( ) Cutover Exchange migration
( ) Staged Exchange migration
( ) IMAP migration
( ) PST migration
(√) Exchange Online hybrid mode
Feedback: Exchange Online hybrid mode is the best choice for migrating from Exchange Server 2010 to Office 365. In hybrid mode, you can do an incremental migration, and there is no end-user downtime. You cannot perform a cutover or staged Exchange migration, because those migration types are for Exchange 2007 or Exchange 2003 only. An IMAP migration does migrate calendars and contacts, and end users must wait for historical data to import to their new mailboxes if you use a PST.
Question: A cutover migration batch continues synchronizing until you remove it.
( ) True
( ) False
Answer:
(√) True
( ) False
Feedback: After a cutover migration batch does an initial synchronization, it continues to perform incremental synchronization until you remove the cutover migration batch. It is important that the cutover migration batch is not removed until after you configure mail routing to Office 365.
Sequencing Activity
Put the following steps for a staged Exchange migration in order, numbering each to indicate the correct order from 1 through 9.
Steps
Assign Office 365 licenses to users
Convert on-premises mailboxes to mail-enabled users.
Update Autodiscover DNS records
Create the staged migration batch.
Configure directory synchronization.
Create a migration endpoint.
Delete all staged migration batches.
Configure a migration administrator account with Full Access permissions to the source mailboxes.
Assign Office 365 licenses to users
Update MX records to change mail routing to Office 365.
Answer:
Steps
7  Assign Office 365 licenses to users
5  Convert on-premises mailboxes to mail-enabled users.
9  Update Autodiscover DNS records
4  Create the staged migration batch.
2  Configure directory synchronization.
3  Create a migration endpoint.
8  Delete all staged migration batches.
1  Configure a migration administrator account with Full Access permissions to the source mailboxes.
7  Assign Office 365 licenses to users
6  Update MX records to change mail routing to Office 365.
Resources Implementing a cutover Exchange migration Additional Reading: For additional detailed information about performing a cutover migration, refer to Perform a cutover migration email to Office 365: http://aka.ms/jhw5t9
Implementing a staged Exchange migration Additional Reading: For more detailed information, refer to Convert Exchange 2007 mailboxes to mail-enabled users after a staged Exchange migration: http://aka.ms/nncsic This link also has scripts to simplify the conversion process. Additional Reading: For additional detailed information about performing a staged Exchange migration, refer to Perform a staged migration of email to Office 365: http://aka.ms/m3lpyu
Implementing an IMAP migration Additional Reading: For additional information about IMAP migration, refer to What you need to know about migrating your IMAP mailboxes to Office 365: http://aka.ms/crn236
Implementing a PST migration Additional Reading: For detailed information about Importing PST files into Office 365, refer to Import PST files to Office 365: http://aka.ms/G2n2p7
Implementing a public-folder migration Additional Reading: For detailed information about migrating public folders to Office 365, refer to Use batch migration to migrate legacy public folders to Office 365 and Exchange Online: http://aka.ms/F6ncbt
Module Review and Takeaways
Review Question(s)
Question: Why is it important not to remove the last on-premises Exchange server when directory synchronization is in place?
Answer: Directory synchronization makes the on-premises AD DS authoritative for most user attributes. Therefore, all changes to users occur in AD DS. The Exchange management tools require an Exchange server to be present on-premises to manage user attributes.
Question: You recently migrated all of your organizational mailboxes to Office 365. Many of your users have mobile devices that connect by using Exchange ActiveSync. Your security officer was shocked when he saw that a user did not have a password on his mobile device. Why did this happen, and how can you fix it?
Answer: The default mobile-device mailbox policy in Office 365 does not enforce any security settings. You should work with your security officer to identify appropriate security settings and modify the default mobile-device mailbox policy to enforce those settings.
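An added example, not part of the course material: one way to find the gaps described in the second answer above by checking mobile device mailbox policies against a baseline. The function name, the baseline values (six-character minimum, no simple passwords, an inactivity lock) and the sample object are assumptions for illustration; the real values are the ones agreed with your security officer.

```powershell
# Added example (not from the course): list what a mobile device mailbox
# policy fails to enforce, compared with an assumed baseline.
function Get-MobilePolicyGap {
    [CmdletBinding()]
    param(
        # Object shaped like Get-MobileDeviceMailboxPolicy output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy,

        # Assumed baseline, not a value from the course
        [int]$MinPasswordLength = 6
    )
    process {
        $gaps = New-Object System.Collections.Generic.List[string]

        if (-not $Policy.PasswordEnabled) {
            # Without this setting none of the other password options apply
            $gaps.Add('PasswordEnabled is False: no device password is required')
        }
        else {
            if ([int]$Policy.MinPasswordLength -lt $MinPasswordLength) {
                $gaps.Add("MinPasswordLength is below $MinPasswordLength")
            }
            if ($Policy.AllowSimplePassword) {
                $gaps.Add('AllowSimplePassword is True: PINs such as 1234 are accepted')
            }
            if ("$($Policy.MaxInactivityTimeLock)" -eq 'Unlimited') {
                $gaps.Add('MaxInactivityTimeLock is Unlimited: the device never locks itself')
            }
        }

        [pscustomobject]@{
            Name      = $Policy.Name
            IsDefault = [bool]$Policy.IsDefault
            Compliant = ($gaps.Count -eq 0)
            Gaps      = ($gaps -join '; ')
        }
    }
}

# Constructed sample mirroring the situation in the question: a default
# policy that enforces nothing.
$sample = [pscustomobject]@{
    Name = 'Default'; IsDefault = $true
    PasswordEnabled = $false; MinPasswordLength = $null
    AllowSimplePassword = $true; MaxInactivityTimeLock = 'Unlimited'
}
$sample | Get-MobilePolicyGap | Format-List

# With an Exchange Online session imported, check the real policies.
if (Get-Command Get-MobileDeviceMailboxPolicy -ErrorAction SilentlyContinue) {
    Get-MobileDeviceMailboxPolicy | Get-MobilePolicyGap

    # Remediation with the assumed baseline values, left commented so the
    # check itself never changes the tenant:
    # Set-MobileDeviceMailboxPolicy -Identity <policy name> -PasswordEnabled $true `
    #     -MinPasswordLength 6 -AllowSimplePassword $false -MaxInactivityTimeLock 00:05:00
}
```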
Lab Review Questions and Answers
Lab A: Configuring message transport in Exchange Online
Question and Answers
Question: Why did you configure the journal rule to send messages to [email protected] instead of an Office 365 mailbox?
Answer: When you create a journal rule, it must point to an external email system. It is not possible to configure a journal rule to send messages to an Office 365 mailbox.
Question: What formatting options are there for disclaimers in a transport rule?
Answer: You can format disclaimer text in a transport rule by using HTML. The tag that this lab uses is HTML code for a horizontal rule that displayed when you sent the message to [email protected].
Lab B: Configuring email protection and client policies
Question and Answers
Question: Why did you configure different anti-spam settings for members of the sales group?
Answer: A false positive for Sales group members could result in lost sales, which might affect business negatively. The separate anti-spam policy for the Sales group ensures that even if there is a false positive, users still have access to the messages in their mailboxes.
Question: Why is it important to require a password on mobile devices?
Answer: It is easy to lose mobile devices, because they are small, and they can be targets for thieves. When a mobile device is lost, a password provides some assurance that unauthorized users do not have access to the device’s data.
Planning and deploying Skype for Business Online 8-1
Module 8
Planning and deploying Skype for Business Online
Contents:
Lesson 1: Planning and configuring Skype for Business Online service settings
Lesson 2: Configuring Skype for Business Online users and client connectivity
Lesson 3: Planning voice integration with Skype for Business Online
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Planning and configuring Skype for Business Online service settings Contents: Question and Answers Resources
Question and Answers
Question: You are preparing your Windows 10 workstation to manage Skype for Business Online by using the Windows PowerShell command-line interface. What software do you need to install on the computer?
( ) Windows PowerShell 3.0
( ) Microsoft Online Services Sign-In Assistant
( ) Skype for Business Online module for Windows PowerShell
( ) Windows Azure Active Directory module for Windows PowerShell
Answer:
( ) Windows PowerShell 3.0
( ) Microsoft Online Services Sign-In Assistant
(√) Skype for Business Online module for Windows PowerShell
( ) Windows Azure Active Directory module for Windows PowerShell
Feedback: Windows PowerShell is already installed on the Windows 10 operating system, and the Microsoft Online Services Sign-In Assistant is not required. The Microsoft Azure Active Directory module for Windows PowerShell is required to manage Office 365 accounts, but not to manage Skype for Business Online.
Question: You can invite users from outside of your organization to Skype Meeting Broadcast, but only as attendees, not as presenters.
( ) True
( ) False
Answer:
(√) True
( ) False
Feedback: Event team members must be from your organization.
Resources Skype for Business Online subscription options Additional Reading: For more information, refer to Skype for Business Compare plans: http://aka.ms/vqcfmt Additional Reading: For more information on the Skype for Business options that are provided with Office 365 and Skype for Business Online stand-alone subscriptions, refer to Skype for Business Online Service Description: http://aka.ms/eljskd
Network requirements for Skype for Business Online Additional Reading: For more information on the domain names, URLs, IP addresses, and port numbers that Office 365 and Skype for Business Online require, refer to Office 365 URLs and IP address ranges: http://aka.ms/Ef9aum Additional Reading: The Skype for Business Bandwidth Calculator is a tool that you can use to calculate bandwidth requirements. You can download this tool from: http://aka.ms/h028y7
Additional Reading: For more information on Internet bandwidth usage for Office 365 services, refer to Network planning and performance tuning for Office 365: http://aka.ms/i09jrk
Connecting to Skype for Business Online by using Windows PowerShell Additional Reading: For more information on using Windows PowerShell to perform common administrative tasks in Skype for Business Online, refer to Quick reference: Using Windows PowerShell to do common Skype for Business Online management tasks: http://aka.ms/tbf95p Additional Reading: For more information on specific Windows PowerShell cmdlets to administer and configure Skype for Business Online, refer to The Skype for Business Online cmdlets: http://aka.ms/b0gp7b
Configuring external communications Additional Reading: For more information on how to configure an on-premises environment to federate with Skype for Business Online, refer to Managing federation and external access to Lync Server 2013: http://aka.ms/v748ur
Lesson 2
Configuring Skype for Business Online users and client connectivity Contents: Question and Answers Resources
Question and Answers
Question: You need to ensure that only specific users in your organization can communicate with users in other organizations who are using Skype for Business. However, all other users in your organization should be blocked. How would you configure Skype for Business Online to achieve this?
Answer: To configure this, you must first allow external access for the organization, and then you must disable external communication for the users who should be blocked from communicating with external users.
Resources Skype for Business Online client options Additional Reading: For more information on the available Skype for Business features for different clients, refer to Client comparison tables for Skype for Business Server 2015: http://aka.ms/us67gj Additional Reading: For more information on the available Skype for Business features for different mobile device platforms, refer to Mobile client comparison tables for Skype for Business: http://aka.ms/mrxvgx
Lesson 3
Planning voice integration with Skype for Business Online Contents: Question and Answers Resources
Question and Answers
Question: Cloud PBX is a relatively new offering in Skype for Business Online. Do you think that your organization will be interested in this feature? What changes would you need to make in your organization to start using Cloud PBX?
Answer: Answers will vary. Cloud PBX is likely to appeal to organizations that are based in the United States and that are looking at replacing a PBX system. Most organizations would need to plan carefully to ensure that their Internet connection has enough bandwidth and is reliable enough to support telephony.
Resources Overview of voice integration options Additional Reading: For more information on the licensing requirements for each of the voice integration options, refer to Skype for Business Online licensing overview: http://aka.ms/tm4tg0
Planning dial-in conferencing Additional Reading: For more information on the features that ACPs and Microsoft dial-in conferencing provide, refer to Dial-in conferencing in Office 365: http://aka.ms/Dt6jbp
PSTN Calling service Additional Reading: For more information on the PSTN voice-calling plans, refer to Skype for Business Online PSTN services use terms: http://aka.ms/gv7f7f Additional Reading: For more information on how to port existing phone numbers to Office 365, refer to Transfer phone numbers over to Skype for Business Online: http://aka.ms/I3rygm Additional Reading: For more information on how to configure an emergency address, refer to Add or remove an emergency address for your organization: http://aka.ms/meu76q
PSTN connectivity with an on-premises solution Additional Reading: For more information on how to plan for and configure PSTN connectivity through an existing Skype for Business Server deployment, refer to: http://aka.ms/jawfqa http://aka.ms/ul1d3b Reference Links: For more information on how to plan for and configure Cloud Connector edition, refer to: http://aka.ms/otqqzu http://aka.ms/hmurjm
Planning a Cloud PBX solution Additional Reading: For more information, refer to ExpressRoute and QoS in Skype for Business Online: http://aka.ms/edfrbb
Module Review and Takeaways
Tools
• Skype for Business admin center. Accessible from the Office 365 admin center, use this tool to configure Skype for Business Online service settings and user settings.
• Skype for Business Server Management Shell. Use this tool to configure Skype for Business Online settings.
• The Skype for Business Online module for Windows PowerShell. This provides the Windows PowerShell commands that are required to configure Skype for Business Online when you use the Skype for Business Server Management Shell.
Common Issues and Troubleshooting Tips
Common Issue: Users cannot authenticate to Skype for Business Online.
Troubleshooting Tip: Depending on your deployment, you might have to check if the correct Domain Name System (DNS) resource records are configured and if directory synchronization is working. You might also have to check the firewall settings. Use the Microsoft Remote Connectivity Analyzer (http://aka.ms/btyn1z) to test connectivity to Skype for Business Online. If connectivity fails, the analyzer can provide detailed information about what failed.
Lab Review Questions and Answers
Lab: Configuring Skype for Business Online
Question and Answers
Question: How will you change the Windows PowerShell steps that you ran in the lab if you want to block all communication with external domains except for litware.com?
Answer: Run the following commands if you want to block all communication with external domains except for litware.com:

   $x = New-CsEdgeDomainPattern -Domain "litware.com"
   $newAllowList = New-CsEdgeAllowList -AllowedDomain $x
   Set-CsTenantFederationConfiguration -AllowedDomains $newAllowList

The key difference in these commands compared to the ones that you ran in the lab is the New-CsEdgeAllowList cmdlet in the second command. In the lab, you used the New-CsEdgeAllowAllKnownDomains cmdlet, which allows all domains except for blocked domains.
Question: Do you think that your organization will use Skype Meeting Broadcast?
Answer: Answers will vary. Very large organizations or organizations that frequently make online presentations to large numbers of users will likely use this feature. Smaller organizations are more likely to meet their requirements just by using normal Skype for Business meetings.
Planning and configuring SharePoint Online 9-1
Module 9
Planning and configuring SharePoint Online
Contents:
Lesson 1: Configuring SharePoint Online services
Lesson 2: Planning and configuring SharePoint Online site collections
Lesson 3: Planning and configuring external user sharing
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Configuring SharePoint Online services Contents: Question and Answers
Resources
Question and Answers
Question: Discuss the advantages and possible disadvantages between SharePoint on-premises versus SharePoint Online.
Answer: Answers will vary. SharePoint Online is a standardized service. In SharePoint Online, no custom code solutions are available and for SharePoint on-premises, there is no need to size hardware.
Question: The maximum file size in SharePoint Online is 2 GB.
( ) True
( ) False
Answer:
( ) True
(√) False
Feedback: The new attachment size limit in SharePoint Online is 10 GB, according to the service limits and boundaries.
Resources Overview of the SharePoint admin center Additional Reading: For more information, refer to SharePoint Online and OneDrive for Business software boundaries and limits: http://aka.ms/jns65q
Configuring SharePoint Online settings Additional Reading: For more information, refer to Turn scripting capabilities on or off: http://aka.ms/Okimfj
Lesson 2
Planning and configuring SharePoint Online site collections Contents: Question and Answers
Resources
Question and Answers
Question: Which of the following sites do you find in the Enterprise section of the site collection templates in the SharePoint admin center? (Select all that apply).
( ) Document Center site
( ) Community site
( ) Enterprise Wiki
( ) Search Center site
( ) Records Center site
Answer:
(√) Document Center site
( ) Community site
( ) Enterprise Wiki
(√) Search Center site
(√) Records Center site
Feedback: Community site and Enterprise Wiki are not available in the Enterprise section of the site collection templates in the SharePoint admin center.
Question: If you delete a site collection, you can restore it from the Recycle Bin for 30 days.
( ) True
( ) False
Answer:
(√) True
( ) False
Feedback: When you delete a site collection, it stays in the Recycle Bin for 30 days before it is permanently deleted; this gives you a 30-day window of opportunity to restore the entire site collection if it was deleted in error or your situation has changed and you want to retain it.
Question: Which of the following actions do you need to perform during the creation of a site collection? (Select all that apply.)
( ) Define an administrator
( ) Define the sharing settings
( ) Define a second administrator
( ) Set the language
( ) Set the storage quota
Answer:
(√) Define an administrator
( ) Define the sharing settings
( ) Define a second administrator
(√) Set the language
( ) Set the storage quota
Feedback: You can define sharing settings, a second administrator, and the storage quota after the creation of a site collection.
Resources Managing site collections by using Windows PowerShell Additional Reading: For more information, refer to Introduction to the SharePoint Online Management Shell: http://aka.ms/Yj9ioq Additional Reading: For more information, refer to Use Windows PowerShell cmdlets to administer site collections in SharePoint Online: http://aka.ms/rbb2c1
Lesson 3
Planning and configuring external user sharing Contents: Question and Answers
Resources
Question and Answers Question: What is the correct definition for external users? ( ) Users with a non-Microsoft account ( ) Users with a Microsoft account ( ) Users inside your organization’s Azure Active Directory ( ) Users outside your organization’s Azure Active Directory ( ) Users in any Azure Active Directory Answer: ( ) Users with a non-Microsoft account ( ) Users with a Microsoft account ( ) Users inside your organization’s Azure Active Directory (√) Users outside your organization’s Azure Active Directory ( ) Users in any Azure Active Directory Feedback: Users outside your organization’s Azure Active Directory are referred to as external users. Question: From a user perspective, you can share content in SharePoint Online for internal users in the same way as for external users. ( ) True ( ) False Answer: (√) True ( ) False Feedback: With the appropriate settings, users can share content internally and externally with the same user experience. Question: Where can administrators enable external sharing for the Office 365 tenant? (Select all that apply.) ( ) In the Office 365 admin center, use the setup menu ( ) In the Office 365 admin center, use the external sharing menu ( ) In the SharePoint admin center, use the site collections menu ( ) In the SharePoint admin center, use the apps menu ( ) In the SharePoint admin center, use the settings menu Answer: ( ) In the Office 365 admin center, use the setup menu (√) In the Office 365 admin center, use the external sharing menu ( ) In the SharePoint admin center, use the site collections menu ( ) In the SharePoint admin center, use the apps menu (√) In the SharePoint admin center, use the settings menu
Feedback: There are two options where Office 365 administrators can configure external user sharing: with the external sharing menu of the Office 365 admin center and with the settings menu in the SharePoint admin center.
Resources Considerations for external user sharing Additional Reading: For more information, refer to Manage external sharing for your SharePoint Online environment: http://aka.ms/adaoao
Configuring external user sharing Additional Reading: For more information on configuring external user sharing for a tenant or site collection, refer to Manage external sharing for your SharePoint Online environment: http://aka.ms/adaoao
Managing external user sharing by using Windows PowerShell Additional Reading: For more information, refer to Windows PowerShell for SharePoint Command Builder: http://aka.ms/n3apxc For more information, refer to Index of Windows PowerShell for SharePoint Online cmdlets: http://aka.ms/bccasb
Module Review and Takeaways Best Practice SharePoint Online offers several configuration options; planning a collaboration solution and configuring SharePoint Online are tasks that you must do upfront to have a good SharePoint Online environment in which your users can start working. The main points you should consider are:
• Do proper planning before you start with user onboarding.
• Create a sharing policy that is consistent throughout the service.
• Automate site collection generation as much as possible.
Review Question(s) Question: Create a checklist for proper site collection planning. Answer: While planning for site collections, you need to plan for the following:
• Site collections side-by-side or top-down
• Permissions inheritance
• Branding
• External user sharing permissions
• Possible site quotas
Lab Review Questions and Answers Lab: Configuring SharePoint Online Question and Answers Question: What is the best way to verify access to external sites? Answer: The best ways can be to test access with external test users or to create external test users who test access later. Question: What is the best way to configure user profile settings and where do you get all the data? Answer: Check if Azure Active Directory (Azure AD) Connect is in place and configure synchronization of data from Active Directory to Azure AD. Azure AD fields will synchronize with the Profile Fields section.
Planning and configuring an Office 365 collaboration solution 10-1
Module 10 Planning and configuring an Office 365 collaboration solution Contents: Lesson 1: Planning and managing Yammer Enterprise
Lesson 2: Planning and configuring OneDrive for Business
Lesson 3: Configuring Office 365 groups
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Planning and managing Yammer Enterprise Contents: Question and Answers
Question and Answers Question: Select the three Office 365 subscriptions with which Yammer Enterprise is available.
( ) Basic Network with SharePoint Online ( ) Enterprise Network and Office 365 ( ) Basic Network and Office 365 ( ) Enterprise Network ( ) Enterprise Network and SharePoint Online Answer:
( ) Basic Network with SharePoint Online (√) Enterprise Network and Office 365
( ) Basic Network and Office 365 (√) Enterprise Network (√) Enterprise Network and SharePoint Online Question: Which three features are available only in a Yammer Enterprise Network?
( ) Secure Enterprise Social Networking ( ) Enterprise Administrator ( ) Group Administrator ( ) Verified Administrator ( ) Enterprise Integrations Answer:
( ) Secure Enterprise Social Networking (√) Enterprise Administrator
( ) Group Administrator (√) Verified Administrator (√) Enterprise Integrations Question: Which two things must be in place before you enable Yammer Enterprise within Office 365?
( ) A verified custom domain ( ) A paid Yammer Enterprise network ( ) A Global Administrator in Office 365 ( ) A Global Administrator in Office 365 with the verified Domain ( ) A verified Administrator in Yammer Answer: (√) A verified custom domain
( ) A paid Yammer Enterprise network ( ) A Global Administrator in Office 365 (√) A Global Administrator in Office 365 with the verified Domain
( ) A verified Administrator in Yammer
Lesson 2
Planning and configuring OneDrive for Business Contents: Question and Answers Resources
Question and Answers Question: Select all the OneDrive for Business attributes.
( ) Provides up to unlimited Storage ( ) Provides free Online Storage for personal use ( ) Available from any device ( ) Included in Office 365 and SharePoint Online Plans ( ) Allows uploading files up to 15 GB in size Answer: (√) Provides up to unlimited Storage
( ) Provides free Online Storage for personal use (√) Available from any device (√) Included in Office 365 and SharePoint Online Plans
( ) Allows uploading files up to 15 GB in size Question: With the OneDrive for Business next-generation sync client, selective sync is possible.
( ) True ( ) False Answer: (√) True
( ) False Question: Select three characters that are not supported in filenames that you store in OneDrive for Business and SharePoint Online.
( )# ( ){ ( )& ( )% ( )? Answer: (√) #
( ){ ( )& (√) % (√) ?
Resources OneDrive for Business client configuration and synchronization Additional Reading: For more information, refer to System requirements for Office: http://aka.ms/ghq4zw Additional Reading: Download OneDrive for Business sync app in different languages and for the x86 and x64 platforms from: http://aka.ms/we3v3g Additional Reading: For more information, refer to Deploying the OneDrive for Business Next Generation Sync Client in an enterprise environment: http://aka.ms/Q8m3fx Additional Reading: For more information, refer to Deploying the OneDrive Next Generation Sync Client on OS X and configuring work or school accounts: http://aka.ms/xdv82u Additional Reading: For more information, refer to Meet the OneDrive for Business Next Generation Sync Client: http://aka.ms/tvnzw1 Additional Reading: For more information, refer to Which OneDrive sync client am I using?: http://aka.ms/p17elm
Migrating files to OneDrive for Business Additional Reading: Download the MicrosoftEasyFix20150 utility from: http://aka.ms/rq11p3 Additional Reading: For more information, refer to Types of files that cannot be added to a list or library: http://aka.ms/orzefl Additional Reading: For more information, refer to SharePoint Online and OneDrive for Business: software boundaries and limits at: http://aka.ms/Ywqifr Additional Reading: For more information on a list of third-party tools that you can use during migration, refer to Migrating File Shares to OneDrive for Business: http://aka.ms/oo1zjq Additional Reading: To download the SkyDrive Pro client for Windows, go to: http://aka.ms/elihab Additional Reading: To check your upload speed, you can use a speed test service such as http://www.speedtest.net
Planning a OneDrive for Business implementation Additional Reading: For more information on the required prerequisites and configuration settings, and how to plan for OneDrive for Business in SharePoint Server 2013, refer to Plan for OneDrive for Business in SharePoint Server 2013 at: http://aka.ms/irhv85 Additional Reading: For more information, refer to How to redirect users to Office 365 for OneDrive for Business at: http://aka.ms/j5ttiy
Lesson 3
Configuring Office 365 groups Contents: Question and Answers
Question and Answers Question: Select two services with which Office 365 groups are already integrated.
( ) OneDrive for Business ( ) Yammer ( ) Delve ( ) OneNote ( ) Skype for Business Answer: (√) OneDrive for Business
( ) Yammer ( ) Delve (√) OneNote
( ) Skype for Business Question: Office 365 groups provide polls.
( ) True ( ) False Answer:
( ) True (√) False Question: Which Windows PowerShell cmdlet do you use to disable groups?
( ) Set-OwaMailboxPolicy -Identity test.com\OwaMailuserPolicy-Default -GroupCreationEnabled $true ( ) Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false ( ) Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false ( ) Set-OwaMailuserPolicy -Identity test.com\OwaMailUserPolicy-Default -GroupCreationDisabled $true ( ) Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationDisabled $true Answer:
( ) Set-OwaMailboxPolicy -Identity test.com\OwaMailuserPolicy-Default -GroupCreationEnabled $true (√) Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false
( ) Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false ( ) Set-OwaMailuserPolicy -Identity test.com\OwaMailUserPolicy-Default -GroupCreationDisabled $true ( ) Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationDisabled $true
Module Review and Takeaways Best Practices
• Always enable Yammer Enterprise as the primary Enterprise Social Network within Office 365.
• Design a usage policy.
• Familiarize yourself with the administration options within Yammer Enterprise.
• Support users during their initial experience of using Yammer.
• Familiarize yourself with the different OneDrive for Business sync clients and their limitations and features.
• Create a consistent sharing policy across Office 365.
• Decide if and when you should use Office 365 groups, because they are essential to some of the Office 365 components.
• Decide if Office 365 groups will be user centric or centrally managed.
Review Question(s) Question: Discuss the differences between Office 365 groups and Yammer and possible use cases where you need one tool or the other. Answer: Some of the differences between Yammer and Office 365 groups are:
• External users can be invited to Yammer and participate there.
• Office 365 planner needs Office 365 groups.
• Yammer can also work as a stand-alone tool.
Common Issues and Troubleshooting Tips
Common Issue: Synchronization is not working in OneDrive for Business
Troubleshooting Tip:
• Check the limitations of the sync client
• Check the filenames
• Check the file name length
• Check the file size
Common Issue: Multiple Yammer Networks exist for different Office 365 domains
Troubleshooting Tip:
• Define a consolidation plan
• Inform users in both networks
• Create a migration plan
Common Issue: Office 365 groups are enabled and used without administrative awareness
Troubleshooting Tip:
• Familiarize yourself with the continuous changes within Office 365
• Check groups and define a naming policy
Lab Review Questions and Answers Lab: Planning and configuring an Office 365 collaboration solution Question and Answers Question: If you enforce Office 365 identities in Yammer, what is the impact for Yammer users with no Office 365 identities? Answer: If you implement a federated identity model in Office 365, the user will log in by using SSO. A user with a Yammer identity cannot sign in any longer. Question: Which Windows PowerShell cmdlets can you use to create an Office 365 group and to add the group owner? Answer: First you need to connect to Exchange Remote PowerShell. Then, to create an Office 365 group, use the New-UnifiedGroup cmdlet, and to add an owner of the group, use the New-UnifiedGroupLinks cmdlet.
Planning and configuring Rights Management and compliance 11-1
Module 11 Planning and configuring Rights Management and compliance Contents: Lesson 1: Overview of the compliance features in Office 365
Lesson 2: Planning and configuring Azure Rights Management in Office 365
Lesson 3: Managing the compliance features in Office 365
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Overview of the compliance features in Office 365 Contents: Question and Answers
Resources
Question and Answers Question: What are the customer compliance setting elements? ( ) DLP ( ) A data processing agreement ( ) The Rights Management service for file-level access restrictions ( ) ISO 27018 ( ) S/MIME for security-enhanced, certificate-based email access Answer: (√) DLP ( ) A data processing agreement (√) The Rights Management service for file-level access restrictions ( ) ISO 27018 (√) S/MIME for security-enhanced, certificate-based email access Question: What are the role groups that exist in the Protection Center? ( ) eDiscovery Manager ( ) Legal Hold Manager ( ) Service Assurance User ( ) ComplianceUser ( ) ComplianceReviewer Answer: (√) eDiscovery Manager ( ) Legal Hold Manager (√) Service Assurance User ( ) ComplianceUser ( ) ComplianceReviewer
Resources Compliance and security features in Office 365 Additional Reading: For more information about data regions, refer to Where is my data?: http://aka.ms/l4tjga Additional Reading: For more information, refer to Office 365 Trust Center: http://aka.ms/vjvvco
Overview of the Protection Center for Office 365 Additional Reading: For more information, refer to Office 365 Service Trust Portal: http://aka.ms/vqu38w
Additional Reading: Office 365 Secure Score is in preview at the time of this writing, so its features and availability might change. For more information, refer to Office 365 Secure Score: http://aka.ms/h7br1z
Lesson 2
Planning and configuring Azure Rights Management in Office 365 Contents: Question and Answers
Resources
Question and Answers Question: Which groups are available for custom Azure RMS templates? ( ) Viewer ( ) Author ( ) Reader ( ) Blocker ( ) Co-Author Answer: (√) Viewer ( ) Author ( ) Reader ( ) Blocker (√) Co-Author Question: To use Azure RMS between two organizations, a trust must be defined in a direct, point-topoint relationship. ( ) True ( ) False Answer: ( ) True (√) False
Resources Planning Azure RMS integration with Office 365 Additional Reading: For more information, refer to Azure Rights Management Administration Tool: http://aka.ms/u8tiut
Configuring Azure RMS integration Additional Reading: For more information about downloading the mobile applications and the application for the desktop client, refer to Microsoft Rights Management: http://aka.ms/j19a1v
Lesson 3
Managing the compliance features in Office 365 Contents: Question and Answers
Resources
Question and Answers Question: Select the types of possible retention tags actions. ( ) A unique name ( ) A delete action ( ) An allow recovery action ( ) A do not allow recovery action ( ) A create action Answer: (√) A unique name (√) A delete action (√) An allow recovery action ( ) A do not allow recovery action ( ) A create action Question: Preservation policies help to keep the content you need by preserving email and documents. ( ) True ( ) False Answer: ( ) True (√) False
Resources Configuring audit reports Additional Reading: For more information, refer to Search the audit log in the Office 365 Protection Center: http://aka.ms/V27n6z
Module Review and Takeaways Best Practice Security enhancement is a continuous process. Good planning and tenant preparation help to secure the environment for users.
Common Issues and Troubleshooting Tips Common Issue Encrypted content is not accessible.
Troubleshooting Tip Configure a super user account to get access to the content.
Lab Review Questions and Answers Lab: Configuring Rights Management and compliance Question and Answers Question: What is the best approach to protect organizational financial data? Answer: The best approach is to create a DLP rule and use Azure RMS to help protect all the files and emails containing that information. Question: Retention policies are helpful for reducing space in your mailbox. ( ) True ( ) False Answer: ( ) True (√) False
Monitoring and troubleshooting Microsoft Office 365 12-1
Module 12 Monitoring and troubleshooting Microsoft Office 365 Contents: Lesson 1: Troubleshooting Office 365
Lesson 2: Monitoring Office 365 service health
Module Review and Takeaways
Lab Review Questions and Answers
Lesson 1
Troubleshooting Office 365 Contents: Question and Answers
Resources
Question and Answers Question: Which of the following are options or tools that you can use for monitoring and troubleshooting Office 365? ( ) Service Health ( ) Protection Center ( ) Service Requests ( ) Notification Center ( ) Alert Center Answer: (√) Service Health ( ) Protection Center (√) Service Requests ( ) Notification Center ( ) Alert Center Feedback: For monitoring and troubleshooting Office 365, you can use the Service Health and Service Requests options. Question: The Microsoft Office 365 Support and Recovery Assistant is a new tool that users can run to fix common Outlook problems. ( ) True ( ) False Answer: (√) True ( ) False
Resources Overview of Office 365 troubleshooting Additional Reading: For information on which tools you should use for specific Office 365 problems, refer to Tools and Diagnostics: http://aka.ms/ude7mv
Hybrid environment free/busy troubleshooter Additional Reading: To access the hybrid environment free/busy troubleshooter, go to: http://aka.ms/wbpavu
Lesson 2
Monitoring Office 365 service health Contents: Question and Answers
Resources
Question and Answers Question: A service in the Service Health dashboard can have which of following statuses? ( ) Normal service ( ) Service anomaly ( ) Extended recovery ( ) Investigating ( ) Operations aborted Answer: (√) Normal service ( ) Service anomaly (√) Extended recovery (√) Investigating ( ) Operations aborted Question: How can you open a service request in Office 365? ( ) Via Skype for Business ( ) Via email ( ) Via phone ( ) Via the Office 365 admin center ( ) Via the Office 365 App launcher Answer: ( ) Via Skype for Business ( ) Via email (√) Via phone (√) Via the Office 365 admin center ( ) Via the Office 365 App launcher
Resources Managing Exchange Online reports by using Windows PowerShell Additional Reading: To view a list of all Exchange Online Protection cmdlets, refer to: http://aka.ms/i09sv9
Office 365 service requests Additional Reading: For more information, refer to Additional support options: http://aka.ms/pfvct8
Monitoring Office 365 with Operations Manager Additional Reading: For more information on how to obtain and set up this management pack, refer to System Center Management Pack for Office 365: http://aka.ms/it7q1b
Module Review and Takeaways Best Practice Many tools are available to help troubleshoot issues in Office 365. As a starting point, you can use the Office 365 do-it-yourself troubleshooter for an initial diagnosis.
Review Question(s) Question: Describe how supporting on-premises systems differs from supporting Office 365. Answer: With on-premises systems, you have complete control and access to the entire environment, so you can perform detailed troubleshooting of system failures or other incidents. With Office 365, Microsoft manages the network, hardware, and virtual machine environments, and you do not have any access to review the environment or make any changes. You can only create service requests when you see failures or other incidents.
Common Issues and Troubleshooting Tips Common Issue
Troubleshooting Tip
Outlook client connectivity issues
Look for Autodiscover issues in the Microsoft Remote Connectivity Analyzer.
Unable to connect to the Skype for Business client
Use the Microsoft Office 365 Support and Recovery Assistant tool.
Lab Review Questions and Answers Lab: Configuring Rights Management and compliance Question and Answers Question: How would you view all the failed messages for a group of users? Answer: In the Exchange Online admin center, sign in as an administrator, click mail flow, click message trace, and then click Select Members. Question: What is the first tool you will use to search for service incidents and failures? Answer: The Service Health dashboard is the first tool that you will use.
Planning and configuring identity federation 13-1
Module 13 Planning and configuring identity federation Contents: Lesson 1: Understanding identity federation
Lesson 2: Planning an AD FS deployment
Lesson 3: Deploy AD FS for identity federation with Office 365
Lesson 4: Planning and implementing hybrid solutions (Optional)
Module Review and Takeaways
Lesson 1
Understanding identity federation Contents: Question and Answers
Resources
Question and Answers Question: Discussion: Comparing federated identities and synchronized identities
Directory Services and SSO are key parts of integrating your on-premises environment and online services. You are planning for the deployment of your company’s Office 365 tenant. To ensure your users are able to use their credentials from your on-premises AD DS, you need to evaluate which identity solution to deploy based on your business requirements. The business requirements include:
• Passwords updated by users in on-premises AD DS should be available for use in accessing Office 365 services within five minutes.
• Password complexity should comply with policies in on-premises AD DS.
• Password expiration should comply with policies in on-premises AD DS.
After discussing these requirements with your engineering staff, which option for authentication should your team consider for deployment?
• Password synchronization in Azure AD Connect
• Federated (SSO) authentication with AD FS
• Federated (SSO) with AD FS, and password synchronization in Azure AD Connect
Answer: The only supported option that meets all of your business requirements is federated (SSO) authentication with AD FS. With Azure AD Connect, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The Password Sync feature checks every two minutes as to whether passwords need to be synchronized. When you enable the Password Sync feature, the password complexity policies configured in the on-premises AD DS override any complexity policies that might be defined in Office 365 for synchronized users. If a user is in the scope of the Password Sync feature, the cloud account password is set to Never Expire. This means that it is possible for a user's password to expire in the on-premises environment, but they can continue to sign in to Office 365 using their expired password. The password sync feature will not synchronize passwords for users with federated identities, and is not supported. This limitation has several implications, including:
• If an initially managed user with a password that has been synchronized to Office 365 is converted to a federated user and then converted back to a managed user, the password that was initially synchronized is lost.
• If an initially federated user that has updated a password on-premises is converted to a managed user, the password will not be synchronized to the cloud. Consequently, the user will not be able to use the password that has been set in on-premises AD DS to access services in Office 365.
Resources Claims-based authentication Additional Reading: For a full list of definitions of terms associated with claims-based identity, see Claims-based identity term definitions at http://aka.ms/wnc2ys
What is AD FS? Additional Reading: For more information about using devices for MFA and SSO, see Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications, at: http://aka.ms/cnmkt7
Lesson 2
Planning an AD FS deployment Contents: Resources
Resources Planning a highly available AD FS deployment Additional Reading: For more information on the high availability solutions of SQL Server refer to: http://aka.ms/lsr6m4
Capacity planning Additional Reading: For more information about The AD FS Capacity Planning Sizing spreadsheet, or to download it, refer to: http://aka.ms/n0uyfb
AD FS requirements Additional Reading: For more information on the complete list of attribute stores supported by AD FS, go to: http://aka.ms/vgazki Additional Reading: For more information about the AD FS requirements, refer to: http://aka.ms/m2kpbf
Lesson 3
Deploy AD FS for identity federation with Office 365 Contents: Resources
Resources Installing and configuring AD FS Additional Reading: For more information, refer to Federation Server Farm Using SQL Server at: http://aka.ms/mok3lw Additional Reading: For more information on all the available updates for AD FS, refer to: http://aka.ms/r8x4zf
Installing and configuring AD FS proxy Additional Reading: For more information on customizing the proxy forms sign-in page, see Customizing the AD FS forms based login page at: http://aka.ms/jyk1xa
Comparing federated identities and synchronized identities Additional Reading: For more information on how to download and install the cmdlets for Azure AD Module for Windows PowerShell, refer to: http://aka.ms/lq99g4
Managing an AD FS deployment Additional Reading: To learn more about and download the Microsoft Office 365 Federation Metadata Update Automation Installation Tool, go to: http://aka.ms/i1hw8d
Verifying SSO Additional Reading: More information on how to pilot SSO in a production environment is available at: http://aka.ms/exjg1q Additional Reading: For more information about the access to the Microsoft RCA tool, refer to: http://aka.ms/bz5gll
Lesson 4
Planning and implementing hybrid solutions (Optional) Contents: Resources
Resources Overview of Exchange Server hybrid deployment Additional Reading: For more information about configuring hybrid Exchange Server with strong authentication, refer to: http://aka.ms/l5e665
Configuring Exchange Server hybrid deployment Additional Reading: For more information about The Microsoft Exchange Server Deployment Assistant, refer to: http://aka.ms/nxvn6i
Configuring SharePoint Server deployment Additional Reading: For more information on the configuration of these hybrid features refer to: http://aka.ms/vaq5da
Module Review and Takeaways Review Question(s) Question: As you might have experienced, when a user authenticates to AD FS for accessing online services, they are required to authenticate the first time. On subsequent attempts to the same online services, they are not required to authenticate because the client will present the same token again – up to the lifetime of the token. While all clients (internal/external) will eventually have to request a new token, your organization’s security policies require that external users request a new token at least once every 5 minutes and internal users request a new token at least once every 10 minutes. What settings or policies should you use to enforce this? Answer:
On the Web Application Proxy servers:
• Use the Windows PowerShell Set-AdfsWebApplicationProxyRelyingPartyTrust –TokenLifeTime cmdlet to set the Web Application Proxy Token Lifetime value to five minutes.
On the AD FS servers:
• Use the Windows PowerShell Set-AdfsProperties –SSOLifeTime cmdlet to set the AD FS SSO Cookie Lifetime value to 10 minutes.
• Use the Windows PowerShell Set-AdfsRelyingPartyTrust –TokenLifeTime cmdlet to set the Relying Party Trust Token Lifetime value to 20 minutes.
Feedback: While there are many token lifetime settings in AD FS, these are critical as they affect most client requests for tokens.
• For external requests, all three settings are considered. The Web Application Proxy Token Lifetime should be set lower for external requests. When this token expires, the client will be redirected to AD FS for a new token.
• For internal requests, only the AD FS SSO Cookie Lifetime and the Relying Party Trust Token Lifetime are considered. These values should be set higher for internal requests.
Although the value for the Relying Party Trust Token Lifetime is 20 minutes, each of the Relying Party Trust Token Lifetime settings is skewed forward by +10 minutes. This is because the default value for SharePoint’s SPSecurityTokenServiceConfig –LogonTokenCacheExpirationWindow is set to 10. This setting instructs the SharePoint Security Token Service to invalidate a SAML token 10 minutes before it expires so a user can obtain a fresh token without disruption.
Real-world Issues and Scenarios When accessing cloud services with SSO, the credentials prompt can only be avoided when you are accessing the cloud service using the same account used to sign in to the workstation. You might experience the following issues when you choose to save credentials:
• If a user selects the Save password check box in the credential prompt, they are choosing to save their credentials in the Credential Manager for use with AD FS. The saved credentials will only provide an SSO experience until the user changes their password. If the Credential Manager is not updated with the user’s new password, it will continue to use old credentials. After a number of failed attempts with the stale saved credentials, the Credential Manager will prompt the user for good credentials.
• If user A is logged on to the workstation and wants to access user B’s mailbox, user B’s credentials must be provided, and consequently AD FS will prompt you for user B credentials. Once user B’s credentials have been entered and the user is authenticated, the browser could cache user B’s credentials and would reuse them if the same instance of the browser is used to access the same application or authenticate via the same AD FS service. Therefore, a user might need to sign out and sign back in, or restart the computer to clear the browser cache.