MS 102 Notes

What is a tenant?

Your own unique environment within the MS 365 ecosystem.

How can MS 365 licenses be managed?

There are many license options to choose from. They may be purchased separately and combined later on. Each user may have some licenses while others may not have them at all. That's how a company can save money.

What 2 things can you not change later on when creating your new tenant?

1. Location
2. Default onmicrosoft.com domain

Can you change domain (tenant's name) after signing up for the first time? What to do in this case?

No. You can create a new tenant and migrate everything there.

What things (3) can a global admin do?

1) Add and remove subscriptions
2) Create and delete users
3) Make configuration changes within the tenant

How many global admin accounts should you create while signing up? Why?

2. In case you lose access to the first one.

What is Role-based access control (RBAC)? What does it help to do?

Method for managing user access to systems, networks, or resources based on their role within an organization.

It helps protect sensitive data from improper access.

What is the domain name in the following:

EkaterinaAbramovich@FerretsFence.onmicrosoft.com

FerretsFence

What are 4 ways to add users to the tenant?

1) Manually in Admin Center
2) Bulk upload using an Excel file
3) PowerShell
4) AzureAD Connect (alt. Entra Connect) to sync existing users from Active Directory on-premises

What does "on-premises" mean?

That means within a local (on-premises) network environment. It's used by organizations to manage and control network resources, such as computers, users, groups, and security policies.

What is the purpose of a user settings template?

User templates allow you to quickly add similar users in the future by saving a set of shared settings such as domain, password, product licenses, and roles.

What is the process of adding multiple users in Admin Center (3 steps)?

1) Download a blank CSV file with all listed columns.
2) Required columns are only User Name and User Display Name.
3) Fill it in using Excel and re-upload.

Which way is better for giving out temporary passwords when creating multiple users - paper or email? Why?

Paper. It is more secure since emailed passwords will be sent to one person (admin).

What Release preference is the most secure? Why?

Targeted release for select users. Release can be tested out before letting it onto the rest of the org.

What is DNS?

DNS, or Domain Name System, is a crucial part of the internet's infrastructure. It functions like a phonebook for the internet by translating human-friendly domain names (like www.example.com) into IP addresses (like 192.0.2.1).

What is TTL?

TTL, or Time to Live, is a value in the Domain Name System (DNS) that specifies the duration in seconds that a DNS record should be cached by a DNS resolver before it must query the DNS server for an updated record. Essentially, it determines how long a DNS record is considered valid.

What is TXT value?

A TXT (Text) record is a type of DNS record that allows domain administrators to store text information in the DNS. These records are used to provide information to external sources or to validate domain ownership.

How do you change the tenant domain from "onmicrosoft.com" to a custom one (ex. example.com) that will be featured in the domain for email and user identities (4 steps)?

1. In "Domains" Section click Add domain.
2. Verify that you own the domain (ex. example.com) by adding a TXT record to your domain's DNS settings.

3. Go to your domain registrar or DNS hosting provider and add the TXT record to your DNS zone.

4. After verification, Microsoft will guide you to set up additional DNS records (MX, CNAME, etc.) for services like email, Teams, and more.

Does a newly added and verified domain change users' account names automatically?

No. You have to do it in Admin Center (or via PowerShell) in "Manage Sign-in Details" section.

How to add a new domain as a secondary email address? So the user will have: username.ferretsfence.onmicrosoft.com AND username.example.com.

Do it from MS365 Admin Center or Exchange Admin Center.
You cannot do it with multiple users (individually only). Click on User, go to Aliases, and add new email address.


There will be two (or maybe more) email addresses that will be receiving different correspondence.

Which one is indicating primary email address: smtp or SMTP?

SMTP

What is MX record?

An MX (Mail Exchange) record is a type of DNS record that specifies the mail server responsible for receiving email messages on behalf of a domain.

What is CNAME?

A CNAME (Canonical Name) record is a type of DNS record that allows you to associate one domain name with another, effectively making one domain an alias of another.

What is SRV? How does it differ from other DNS records?

An SRV (Service) record is a type of DNS record used to define the location (hostname and port) of servers for specified services.

Unlike other DNS records, such as A records or CNAME records that point to an IP address or another domain name, SRV records are used to specify the location of services within a domain.

What is A record?

An A record (Address record) is a type of DNS record that maps a domain name to an IPv4 address (a 32-bit number that uniquely identifies a device's connection to the internet).

It is used to direct web traffic to the correct server by translating human-readable domain names (like example.com) into numerical IP addresses (like 192.0.2.1), which computers use to identify each other on the internet.

What is the difference between _sip and _sipfederationtls SRV Records?

_sip SRV Record: Directs standard SIP traffic for initiating sessions like VoIP calls within a domain.

_sipfederationtls SRV Record: Directs SIP traffic for secure, federated communication between different domains or organizations using TLS.

Definition and use for the below domains:
1. Authoritative

2. Internal Relay

3. External Relay

1. Authoritative

- Hosted by your org Exchange server,

- Any email that Exchange doesn't know about will be rejected

- You can have multiple authoritative domains

- Gets configured in Exchange Online as authoritative for that domain


2. Internal Relay


- Your org Exchange server hosts some, but not all the mailboxes for that domain

- Any email that Exchange doesn't know about (like from gmail.com) will be forwarded to your other mail provider

- You don't need to configure a specific connector when your domain is an internal relay domain HOWEVER if you've changed your MX records to point to Exchange Online already, then you will need a connector set up to route to your external mail host


3. External Relay


- Used when the Exchange server will receive email for a domain but does not host any of the mailboxes (will route all email to Authoritative Exchange servers)

- Cannot be configured in Exchange Online

What should be added and verified first - parent domain or subdomain(s)? Why?

Parent domain. Sub domains will be verified based on the parent domain.

Definition of Pilot Office 365 Services

Testing phase where a subset of users within an organization are given access to Office 365 services before a full rollout.

Parameters to run a pilot with Office 365 (includes apps like Word, Excel, PowerPoint, Outlook, and OneDrive, that can be installed on PCs) using a few users on my new domain.

1. Make sure Microsoft is not managing my DNS
2. Manually configure settings with the DNS provider so that DNS records like Autodiscover and MX records are still pointing back to my primary email service.
3. Make sure the new domain is Internal Relay (this is in case there is NO Hybrid Exchange)

Can you make Microsoft manage your DNS? Cons?

Limited Flexibility:

While Microsoft’s DNS services are comprehensive, they may not offer the same level of customization or specialized features available from dedicated DNS providers.

What is Microsoft Roadmap?

The Microsoft Roadmap refers to an official platform where Microsoft provides detailed information about upcoming features, updates, and improvements to its products and services.

What can you do with the Office 365 Admin mobile app?

1. Monitor and get notifications on:
   - Service Health
   - Outages
   - Support Requests
   - Message Center (upcoming features/changes)


2. Reset passwords from your phone

3. Assign licenses

4. Manage group memberships

5. Blocking/unblocking accounts

6. Create and monitor service requests

Definition of Incidents and Advisories in the Service health tab

Incidents - Outages that I may need to communicate to my users since they can impact the org

Advisories - Good to know info

What is OMS? What is it used for?

Operations Management Suite, a cloud-based SaaS monitoring and management solution to help orgs manage cloud workloads running across cloud platforms (Azure AD, Exchange Online, SharePoint Online).

Meaning of 3 identity models:

1. Cloud Identities

2. Synchronized Identities

3. Federated identities

Cloud Identities: managed in the cloud.

Users are created and managed directly in Azure AD. They have no connection to on-premises Active Directory.


Synchronized Identities: sync from on-premises AD.


Users' accounts are synced from on-premises AD to Azure AD using tools like Azure AD Connect. Passwords can also be synchronized, allowing users to log in with the same credentials in both environments.


Federated Identities: authenticate on-premises but access cloud resources.


Users are authenticated by an on-premises identity provider (like AD FS). Azure AD redirects authentication requests to the on-premises system, providing Single Sign-On (SSO) without syncing passwords.

What is Pass-Thru Authentication?

Method used in hybrid identity environments where on-premises Active Directory credentials are authenticated directly against Azure Active Directory (the cloud one) without storing passwords in the cloud.

Difference between Azure AD and Microsoft 365 Admin Center

Azure AD is more about security and identity, while Microsoft 365 Admin Center is for managing the entire suite. Both are cloud-based admin portals but serve different aspects of IT management.

When creating a user in the Microsoft 365 Admin Center versus Azure AD

Microsoft 365 Admin Center: If your main goal is to create and manage users for Microsoft 365 apps (like email, Teams, SharePoint), the Admin Center offers a simpler interface.

Azure AD: If you need more control over user attributes, security settings, or integration with on-premises Active Directory, use Azure AD.

What is on-premises AD and what does it look like?

It is a directory service that runs on Windows Server and is used to manage users, computers, and other resources within a network.

It provides a hierarchical tree-like view of organizational units (OUs), users, computers, and resources.

New name of Azure AD

Azure AD is now Microsoft Entra ID.

What is Azure AD Access Reviews?

Azure AD Access Reviews is a feature that allows you to periodically review and manage users' access to resources in Azure AD.

It enables admins and resource owners to review and approve or deny user access (can be set as recurring).

5 methods that passcodes can be provided via:

1. Email
2. Text message

3. Phone call

4. Notification code

5. Security questions

What is MFA?

Multi-factor authentication. It allows you to configure pre-approved authentication methods that users must use to authenticate before accessing resources.

Available authentication methods are (8):

1. Password
2. Security questions

3. Email address

4. Microsoft authenticator app

5. OATH hardware token

6. SMS

7. Voice call

8. App passwords

What is SSPR?

Self-Service Password Reset

What methods can be used for both MFA and SSPR?

1. Password (the only method that cannot be disabled)
2. SMS

3. Voice call

Can global admin see user's answers for security questions?

No

What are "risky" users?

User accounts that may have been compromised.

Which permission levels (3) may access data in the Sign-in activity report (besides global admin)?

1. Security Admin
2. Security Reader

3. Report Reader

What is Conditional access?

Conditional access is an evaluation to ensure the person who is seeking access to content is authorized to access the content (zero trust policy).

What is Azure Application Proxy?

Azure Application Proxy is a feature of Azure AD that allows users to securely access on-premises applications from anywhere.

It acts as a bridge between users and internal resources without requiring them to be exposed to the public internet or be moved to the cloud.

What is Azure AD B2B?

Azure AD B2B (Business-to-Business) is a feature of Azure Active Directory that allows organizations to securely collaborate with external partners, suppliers, or contractors by granting them access to internal applications, resources, or data.

It streamlines external collaboration without requiring external users to create new accounts or manage credentials in the organization's environment.

What 5 types of groups are there in MS 365?

1. Distribution groups
2. Security groups

3. Mail-enabled security groups

4. Dynamic distribution groups

5. MS 365 groups

What is Mail-enabled security group?

Has capabilities of both Security group and Distribution group (ability to have group email address).

What is Dynamic distribution group?

Same as Distribution group but with dynamic membership which is updated every time a message is sent to that group. This is based on pre-defined filters during the group creation.

This is the only group that is accessible through Exchange admin center.

At least __ owners should be assigned whenever you create a group (Distribution group, Security group, etc.)

2, in case one owner is not available.

Is IT Admin the only one who can manage groups?

No, group owners may also manage their own groups if the Self-service group management feature is on in Azure AD.

4 types of user roles

1. User
2. Global admin

3. Limited admin

4. Workload-specific

What are Workload-specific admin roles used for (3)?

1. Exchange Online
2. SharePoint Online

3. Skype for Business Online

What is RBAC?

Role-based access control.

When specific users, groups or applications may be allowed to manage only specific resources.

Definition of security principals.

Security principals are objects that represent users, groups, service principals, or managed identities that request access to Azure resources.

Difference between Owner, Contributor, Reader, and User access admin

Owner - Full access to all resources. Can delegate access to other users.

Contributor - Can create and manage all types of Azure resources but can't grant access to other users.


Reader - Can only view existing Azure resources.


User access admin - Allows managing user access to Azure resources.

What is the term "Scope"?

Scope is a set of resources that a role's access applies to.

What is the key difference between Azure RBAC roles and Azure AD admin roles?

Custom Azure AD admin roles CANNOT be created, while Azure RBAC roles support the creation of custom roles.

Azure AD admin roles are scoped specifically at the tenant level.


Azure RBAC roles can be specified at multiple levels.

What two roles span both MS 365 Admin Center and Azure AD?

1. Global admin
2. User Admin

Out of the box, all users have the ability to create application registrations. How to change that?

Set "Users can create application registrations" option to No, and assign the user that will manage registrations to the Application Developer role.

What is Delegated Admin?

A Delegated Admin refers to a person or entity (usually an external partner or service provider) who has been granted specific administrative rights within a tenant's Microsoft 365 or Azure AD.

Can Password admins reset passwords for other admins?

No, only for end-users.

What is a Unit?

A unit is a group of resources:

- Users

- Groups

- Devices

Can a unit-scoped admin manage user profile properties or change auth methods?

No

Can you create new users in admin unit?

No, it is just a scope of existing users

What is PIM?

Privileged Identity Management is an Azure offering that allows you to manage and control access to resources within Azure and Azure AD.

Managing PIM requires MFA. Microsoft accounts cannot register for Azure MFA, so not just any user can access PIM.


It is always recommended to have at least 2 users assigned a Privileged Role Admin role.

What is the only admin that can enable and configure Microsoft Azure's Privileged Identity Management (PIM)?

Global admin

What are 2 assignment types available in PIM for Azure resources?

1. Eligible - assignment state will be "Activated"

Should request approval, provide business justification, and perform MFA check (may be set to expire, can be renewed).


2. Active - assignment state will be "Assigned"


Access at all times (may be set to expire, can be renewed).

What is IdFix?

The IdFix tool is a utility provided by Microsoft to help administrators prepare their Active Directory for synchronization with Azure Active Directory (Azure AD) in hybrid environments, such as when using Microsoft 365 or Office 365.

The primary purpose of IdFix is to identify and correct issues in the AD directory that could cause synchronization failures or problems when integrating with cloud services.

Sync between AD and Azure AD

- Usernames are synced, however, passwords are not directly synced. Instead, a password hash synchronization process is used (the transformation of user passwords into hash values, not the actual password itself)

ADFS

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution that allows users to authenticate with their on-premises Active Directory (AD) credentials to access both on-premises and cloud-based applications.

In this method, no passwords are stored in the cloud.

Important considerations (3) while planning for directory synchronization using Azure AD Connect Cloud Sync.

1. All users and groups should be uniquely identified across all forests
2. No matching across forests occurs with Azure AD Connect Cloud Sync

3. A user or group can only be represented once across all forests


There is no way to change the attribute that's used for the source anchor. If present, the ms-DS-ConsistencyGuid attribute is used.

Prerequisites for Azure AD Connect Cloud Sync

1. Before using Azure AD Connect Cloud Sync, you must create a group Managed Service Account that Azure AD Connect Cloud Sync uses to run the Cloud Sync agent

2. A managed domain account that provides automatic password management and simplified service principal name management


3. Allows management delegation to other administrators


Identity Requirements - Domain Administrator or Enterprise Administrator credentials are required to create the Azure AD Connect Cloud Sync group Managed Service. A hybrid identity administrator account for the Azure AD tenant that's not a guest user is also required.

Server Requirements for Directory Synchronization Using Azure AD Connect Cloud Sync

1. At least one on-premises Windows 2016 or later server is required for the Cloud Sync agent to be installed on.

2. Cloud Sync agent can be installed on a domain controller.

Two agents that must be shown as running after successful installation of Azure AD Cloud Sync are:

1. Microsoft Azure AD Connect Agent Updater
2. Microsoft Azure AD Connect Provisioning Agent

Azure AD doesn't allow 2 objects to have the same attribute (4):

1. The mail attribute
2. The proxyAddresses attribute

3. The signInName attribute

4. The userPrincipalName attribute
