Microsoft 365 or Office 365 (Earlier) admin center: admin.cloud.microsoft
Intro O365
- Tenant account: To use a Microsoft/Office 365 subscription, first create a tenant. The account that creates it is the top-most user in the hierarchy and by default holds the Global Administrator role, which has all permissions and rights.
- Domain: A default domain is created with the tenant (username@companyname.onmicrosoft.com); it can be changed to a custom domain using a domain you have registered.
- Azure Entra ID: On-premises user identities are stored in Active Directory, while cloud-based Office 365 users are stored in Azure Entra ID. Once the tenant is created and the required subscription is in place, you create users/groups in Azure AD to access services.
- portal.office.com (To access O365 portal)
- aad.portal.office.com (To access Azure Active Directory)
- admin.cloud.microsoft.com (enter credentials)
- O365admin1.jpg
Users
Active Users:
- activeusers1.jpg
- Add a user:
- click to add a user
- Basics:
- First name: Abdul Aziz
- Last name: Mohammed
- Display name: Abdul Aziz
- username@domain_name: a.mohammed@StarDistributors2026.onmicrosoft.com (custom domain name if configured)
- Automatically create a password: check box (if not selected then enter password manually)
- Require this user to change their password when they first sign in: check box
- Product licenses:
- Select location: United Kingdom
- Licenses: Assign the user a product license (choose all required licenses) or create the user without a product license.
- Roles: Admin roles give users permission to view data and complete tasks in admin centers. Give users only the access they need by assigning the least-permissive role.
- No admin center access (user)
- Admin center access:
- AI Administrator: Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365.
- Exchange Administrator:
- Global Administrator:
- Global Reader:
- Helpdesk Administrator:
- Service Support Administrator:
- SharePoint Administrator:
- Teams Administrator:
- User Administrator:
- User Experience Success Manager:
- Other roles:
- Collaboration: Various Roles
- Devices: Various Roles
- Global: global Administrator:
- Identity: Various Roles
- Other Various Roles
- Read-only: Various Roles
- Security & Compliance: Various Roles
- Profile info:
- Job title: IT Support Engineer
- Department: IT
- Office: London
- Office phone:
- Fax number:
- Mobile phone:
- Street address:
- City:
- State or Province:
- Zip or postal code
- Country or region: select from list.
- Review and finish
- User templates:
- Add template:
- Name your template:
- Description:
- Publish this template: Make this template available to other admins who manage users.
- Setup the basics: select the domain, password settings (auto-generated password, let me create a password), Require the user to change their password when they first sign in.
- select location: select from list.
- Licenses: select licenses assign to user when using template.
- roles: select roles
- Profile info: enter details.
- Finish adding.
- Add users using this template
- Manage templates: User templates allow you to quickly add new users with a saved configuration. There are two ways to add a new template: you can add one here or, when you add a new user from the Active users page, you can save all the settings for that user as a template.
- Delete template.
- Edit template.
- Add multiple users:
- You can enter up to 249 users; all users are given temporary passwords.
- You can use a CSV file to upload users in bulk.
- activeusers2.jpg
- Download the CSV file, enter the details and upload it, making sure to keep the format. Assign licenses and finish.
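The Add a user and Add multiple users steps above, as an added Microsoft Graph PowerShell example (not from the original notes). It assumes the Microsoft.Graph module is installed and that the signed-in admin holds a role allowed to create users and assign licenses; the SKU part number, the CSV path and the CSV column names (taken to match the admin center's download template) are assumptions.

```powershell
# Added example (not from the original notes): the "Add a user" and "Add multiple
# users" screens, done with the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph module is installed and the signed-in admin holds a role that
# may create users and assign licenses. SKU part number and CSV path are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'Organization.Read.All'

# Mirrors "Automatically create a password": a random temporary password from a CSPRNG.
function New-TempPassword {
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-TenantUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Upn,           # e.g. a.mohammed@StarDistributors2026.onmicrosoft.com
        [string]$UsageLocation = 'GB',                 # ISO 3166 code for "United Kingdom"
        [string]$JobTitle,
        [string]$Department,
        [string]$LicenseSkuPartNumber                  # placeholder; list real values with Get-MgSubscribedSku
    )
    $password = New-TempPassword
    $params = @{
        AccountEnabled    = $true
        DisplayName       = "$FirstName $LastName"
        GivenName         = $FirstName
        Surname           = $LastName
        UserPrincipalName = $Upn
        MailNickname      = $Upn.Split('@')[0]
        UsageLocation     = $UsageLocation             # required before any license can be assigned
        # "Require this user to change their password when they first sign in"
        PasswordProfile   = @{ Password = $password; ForceChangePasswordNextSignIn = $true }
    }
    if ($JobTitle)   { $params.JobTitle   = $JobTitle }
    if ($Department) { $params.Department = $Department }
    $user = New-MgUser @params

    if ($LicenseSkuPartNumber) {
        $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $LicenseSkuPartNumber
        Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    }
    # The temporary password is returned once for out-of-band handover; it is not stored anywhere.
    [pscustomobject]@{ Upn = $Upn; Id = $user.Id; TempPassword = $password }
}

# Bulk path. Column names assume the admin center's CSV template headers; adjust if yours differ.
function New-TenantUsersFromCsv {
    param([Parameter(Mandatory)][string]$CsvPath, [string]$LicenseSkuPartNumber)
    Import-Csv -Path $CsvPath | ForEach-Object {
        New-TenantUser -FirstName $_.'First Name' -LastName $_.'Last Name' -Upn $_.'User Name' `
            -JobTitle $_.'Job Title' -Department $_.Department -LicenseSkuPartNumber $LicenseSkuPartNumber
    }
}
```

The usage location is set before the license call because Graph rejects a license assignment for a user without one, which is the same ordering the Basics and Product licenses pages enforce.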
- Multi-factor authentication:
- Delete a user
- Reset Password:
- Export Users:
- User Edit:
- Select the user for editing/changes:
- activeusers3.jpg
- Reset password: Reset user's password
- Block sign-in:
- Blocking someone prevents anyone from signing in as this user, and is a good idea when you think their password or username may have been compromised. When you block someone, it immediately stops any new sign-ins for that account, and if they’re signed in, they’ll be automatically signed out from all Microsoft services within 60 minutes.
- This won't stop the account from receiving mail, and doesn't delete any data.
- select check box and save.
- Delete user: select to delete the user. You can restore deleted users, and recover their data except for calendar items and aliases, for up to 30 days.
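The Block sign-in and Sign-out actions above as one repeatable containment step, added here as an example (not from the original notes) using the Microsoft Graph PowerShell SDK. The UPN is a placeholder; the AuditLog.Read.All scope is needed only for the sign-in history step.

```powershell
# Added example (not from the original notes): what the "Block sign-in" and
# "Sign out of all sessions" switches do, as a repeatable containment step for an
# account whose credentials may be compromised. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

function Invoke-AccountContainment {
    param([Parameter(Mandatory)][string]$Upn)

    # 1. Block sign-in: new sign-ins stop immediately. Mail is still received; nothing is deleted.
    Update-MgUser -UserId $Upn -AccountEnabled:$false

    # 2. Revoke refresh tokens so every existing session has to re-authenticate (and fails,
    #    because the account is now disabled). Access tokens already issued stay valid until
    #    they expire, which is why the admin center says "within 60 minutes".
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null

    # 3. Pull the last interactive sign-ins for the incident record: app, IP, country and result.
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
        Select-Object CreatedDateTime, AppDisplayName, IPAddress,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
            @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" } } }
}

# Reverse the block once the password has been reset and the investigation is closed.
function Restore-AccountSignIn {
    param([Parameter(Mandatory)][string]$Upn)
    Update-MgUser -UserId $Upn -AccountEnabled:$true
}

Invoke-AccountContainment -Upn 'user@contoso.example'   # placeholder UPN
```

Disabling the account and revoking sessions are done in that order: revoking first would only force a re-login that the still-enabled account would pass.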
- Account:
- Manage username: you can edit the username or domain.
- Aliases: an alias can be any name, but it is used to receive mail only; you cannot send email from an alias. Example: primary email a.mohammed@stardistributors.co.uk, alias yezdani@stardistributors.co.uk. Anyone can send email to yezdani@... and it is delivered to a.mohammed@stardistributors.co.uk, but you cannot use yezdani@stardistributors.co.uk to send email. An alias can be deleted without affecting the primary email.
- Last sign-in: view the last 30 days of sign-in activity. These are the times the user manually signed in with their username and password in the past 30 days. It doesn't include other types of sign-ins, like service-to-service authentication.
- Sign out: Sign out of all sessions; this signs the user out of every device where they are signed in.
- Alternate email address: Enter an alternate email for SSPR (self-service password reset); a code or link is sent there when the password is forgotten.
- Groups: Manage groups to add/remove the user from groups. All group policies are applied to the user.
- Roles: Manage roles; add/remove roles assigned to the user.
- Manager: add the manager's email.
- Contact information: edit all contact details, including name.
- Microsoft 365 activations: Devices where the user is signed in to Microsoft 365. You can invite the user to download and sign in to Microsoft 365 on any device. Deactivating a device doesn't remove Microsoft 365 apps or data from it, but it signs the user out of Microsoft 365 remotely. Send invitation.
- Devices:
- user doesn't have any devices enrolled in Intune.
- Licenses and apps:
- Mail:
- Mailbox storage (xxMB/50GB)
- Mailbox permissions:
- Read and manage permissions: These users can read emails in Malak Khalil's mailbox, and perform management actions such as adding and removing mailbox content. Changes can take up to 60 minutes to take effect. Add users.
- Send as permissions: These users can send emails as this account (the originating name will not appear). Add users.
- Send on behalf of permissions: These users can send emails with both their account name and the mailbox name. Their emails will show that they were sent on behalf of the user. Add users.
- Email apps: manage email apps; choose all apps through which the user can access Microsoft 365 email (Outlook on the web, Outlook desktop (MAPI), Exchange Web Services, Mobile, IMAP, POP, Authenticated SMTP).
- Show in global address list (GAL): yes; manage global address list visibility with the check box Show in my organization's address list. If you turn this off, the user won't appear in your organization's address list but will still receive email.
- Email forwarding: check box Forward all email sent to this mailbox; enter the email address; check box Keep a copy of forwarded email in this mailbox.
- Automatic replies: Use these settings to create automatic reply (Out of Office) messages.
- activeusers4.jpg
- More actions: Convert to shared mailbox:
- Shared mailboxes let a group of people monitor and send mail from a common email address, like info@contoso.com.
- When you convert a user's mailbox to a shared mailbox, all of the existing email and calendar items will be available to members of that mailbox.
- User impact: Users won't sign in to a shared mailbox with a username and password, but people who are members of the mailbox can access it with Outlook.
- It may take a few minutes before you can add members. To enable users to open the shared mailbox, add those users as shared mailbox members.
- You can manage all your shared mailboxes on the Shared mailboxes page, or go to Groups > Shared mailboxes.
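The mailbox permission and email forwarding settings above, as an added Exchange Online PowerShell example (not from the original notes). It assumes the ExchangeOnlineManagement module; mailbox and delegate addresses are placeholders. The two review functions are the checks to run after any report of a compromised mailbox: forwarding to external addresses and non-owner Full Access grants.

```powershell
# Added example (not from the original notes): the "Mailbox permissions" and
# "Email forwarding" settings, done with Exchange Online PowerShell, plus the two
# audits a defender runs against them. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

function Grant-MailboxDelegation {
    param(
        [Parameter(Mandatory)][string]$Mailbox,     # e.g. a.mohammed@stardistributors.co.uk (placeholder)
        [Parameter(Mandatory)][string]$Delegate,
        [ValidateSet('ReadAndManage', 'SendAs', 'SendOnBehalf')][string]$Kind = 'ReadAndManage'
    )
    switch ($Kind) {
        # "Read and manage" = Full Access. AutoMapping off so the mailbox is not silently added to
        # the delegate's Outlook profile; they add it deliberately, which keeps the grant visible.
        'ReadAndManage' { Add-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights FullAccess -InheritanceType All -AutoMapping $false }
        # "Send as": the recipient sees only the mailbox owner's name.
        'SendAs'        { Add-RecipientPermission -Identity $Mailbox -Trustee $Delegate -AccessRights SendAs -Confirm:$false }
        # "Send on behalf": the recipient sees "Delegate on behalf of Mailbox".
        'SendOnBehalf'  { Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{ Add = $Delegate } }
    }
}

function Set-MailboxForwarding {
    param([Parameter(Mandatory)][string]$Mailbox, [Parameter(Mandatory)][string]$ForwardTo, [switch]$KeepCopy)
    # "Forward all email sent to this mailbox" + "Keep a copy of forwarded email in this mailbox"
    Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress "smtp:$ForwardTo" -DeliverToMailboxAndForward $KeepCopy.IsPresent
}

# Review 1: every mailbox that forwards anywhere. Silent forwarding to an external address is a
# common sign of a compromised mailbox, so this list should be short and every entry explainable.
function Get-ForwardingMailboxes {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
}

# Review 2: every explicit (non-inherited), non-owner permission on a mailbox.
function Get-MailboxDelegates {
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        Select-Object User, AccessRights
}
```

Running Get-ForwardingMailboxes on a schedule and diffing the output against the previous run is the simplest detection for forwarding added outside change control.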
- OneDrive
Contacts:
- Contacts for users from outside the organization can be created.
- Internal users are listed through the GAL (Global Address List): when you compose an email in Outlook and type a letter, it suggests the list of users you can select from.
- Add Contacts:
- click on Add a contact
- Enter all user details.
- select check box, Hide from my organization's global address list.
- save contact, it will also be added in GAL.
- Add multiple contacts:
- Download a CSV file, fill in the details and upload it.
- You can upload 40 contacts per CSV file.
Guest Users:
- Add a guest user: It will redirect to Azure Entra ID portal.
- Select Invite user.
- Deleted users: Recover deleted users within 30 days.
Devices
- For device registration in Entra ID, ensure the configuration is done so that users can register their devices.
- Active devices:
- Fully managed: Devices appear in this list after connecting to Microsoft 365 Business Premium. After connecting, devices are enrolled in device management, which is governed by policies. Policies can be created for fully managed devices so that you can remove company data or reset the device to factory settings.
- App managed: With app-managed devices you can remove company data from the managed apps. The devices themselves are not managed, but the apps installed on them are managed with the policies you set up. You can't perform a factory reset of app-managed devices.
- Autopilot:
- Devices:
- Shows all devices enrolled in Entra ID.
- Create Device:
- Profiles:
Teams & Groups
Active teams & Groups
- teams_groups1.jpg
- The following groups can also be managed in the Entra admin center and in Exchange admin center > Recipients > Groups.
Teams & Microsoft 365 groups:
Add a team:
- A team provides a place to chat and collaborate on files in Microsoft Teams. It includes an email address for contacting everyone on the team, and a SharePoint site for publishing information.
- With hundreds of users, create a team and add users to it so that they can chat and collaborate with each other.
- Basics:
- Name of team: Star_IT
- Owners: Team owners can add or delete members, edit team details, and delete conversations. Add a user as an owner of this team. All owners must have a license that includes Teams.
- Members: Add the members of this team; make sure the users have a license.
- Settings: Team email address; privacy (public: people can join without approval from an owner; private: people can only join if they are added by an owner).
- Add team:
- Edit team:
- Email: opens Outlook to send an email to the team.
- Open in Teams: opens the team in Teams.
- View site: opens the Star_IT SharePoint site.
- Delete:
- General: edit the name, email address and SharePoint site address; create aliases.
- Membership: add/remove owners and members.
- Channels: General
- Settings:
- Email:
- check box: let people outside the organization email this team.
- Send copies of team emails and events to team members' inboxes.
- Don't show the team email address in Outlook.
- Privacy:
- Private:
- Public
- External file share:
- Anyone, new and existing guests, existing guests, only people in your organization.
- Team Channels: Check boxes
- Team members can add channels and edit existing channels.
- Team members can add and edit private channels.
- Team members can delete channels.
- Teams Conversations: Check boxes
- Allow members to edit their sent messages:
- Allow members to delete their sent messages:
Add a Microsoft 365 group:
- Microsoft 365 groups are designed for collaboration within your organization. They come with a group email address and SharePoint site where you can share documents, notes, and meeting agendas. You can use Microsoft 365 Groups for project management, team communication, and document sharing.
- Export:
Distribution list:
- Distribution groups are used for broadcasting information and updates to people both inside and outside the organization. They can be used for sharing job updates, organizational changes, or events with a specific set of customers or employees.
- Use a distribution list to send emails to a group of people. It broadcasts the email to all members of the group.
- No license is required.
- Users can send email to the group, which is delivered to all members. Enable moderation so that email to members requires approval before delivery.
Add a distribution list
Moderation (approval) configuration: Exchange admin center
- Any member of the group can send email that is delivered to all members of the group, which could be misused.
- With moderation, emails wait for approval, and once the nominated person approves, the email is delivered to all members.
- Go to distribution list/group/settings/Advanced settings and exchange admin center will open.
- In Exchange admin center/Recipients/Groups/select group/settings
- General Settings: check box: Hide this group from global address list.
- Delivery management: Sender options. Edit delivery management; there are two options: Only allow messages from people inside my organization, or Allow messages from people inside and outside my organization. To restrict who can send messages to the group, add specified senders; only these users or groups will be allowed to email the group. Enter the emails.
- Manage delegates: Select who can send mail for this group, and set how the messages they send will appear to email recipients.
- Send as allows the delegate to send email from this group. From the recipient's perspective, the email is sent by this group.
- Send on behalf allows the delegate to send email on behalf of this group.
- Message approval:
- Require moderator approval for messages sent to this group: No
- Group moderators:
- Add senders who don't require message approval:
- Notify a sender if their message is not approved: Any sender
- Edit message approval to make changes in the above.
- moderator1.jpg
- When a user sends email to this group, a message appears saying that the email may be accepted or rejected.
- moderator2.jpg
- Email received by the approver to approve the message.
- Export
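The Delivery management and Message approval settings above, applied with Exchange Online PowerShell as an added example (not from the original notes). It assumes the ExchangeOnlineManagement module; group names and addresses are placeholders. The review function at the end lists the lists that are open to the internet and unmoderated, the combination the notes describe as open to misuse.

```powershell
# Added example (not from the original notes): the Exchange admin center
# "Delivery management" and "Message approval" settings for a distribution list,
# set with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

function New-ModeratedDistributionList {
    param(
        [Parameter(Mandatory)][string]$Name,                 # e.g. 'All Staff' (placeholder)
        [Parameter(Mandatory)][string]$Alias,                # e.g. 'allstaff'
        [Parameter(Mandatory)][string[]]$Members,
        [Parameter(Mandatory)][string[]]$Moderators,         # the nominated approver(s)
        [string[]]$BypassModeration = @(),                   # "senders who don't require message approval"
        [string[]]$AllowedSenders = @()                      # "Specified senders"; empty = any internal sender
    )
    # Closed membership: nobody can self-join or self-leave from Outlook.
    $dl = New-DistributionGroup -Name $Name -Alias $Alias -Members $Members `
        -MemberJoinRestriction Closed -MemberDepartRestriction Closed

    $settings = @{
        Identity                           = $dl.Identity
        # "Only allow messages from people inside my organization" (external senders are rejected)
        RequireSenderAuthenticationEnabled = $true
        # "Require moderator approval for messages sent to this group"
        ModerationEnabled                  = $true
        ModeratedBy                        = $Moderators
        # "Notify a sender if their message is not approved: Any sender"
        SendModerationNotifications        = 'Always'
    }
    if ($BypassModeration.Count) { $settings.BypassModerationFromSendersOrMembers = $BypassModeration }
    if ($AllowedSenders.Count)   { $settings.AcceptMessagesOnlyFromSendersOrMembers = $AllowedSenders }
    Set-DistributionGroup @settings
    Get-DistributionGroup -Identity $dl.Identity
}

# Review: lists that both accept mail from outside the organization and are unmoderated,
# i.e. anyone on the internet can broadcast to every member.
function Get-OpenDistributionLists {
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled -and -not $_.ModerationEnabled } |
        Select-Object DisplayName, PrimarySmtpAddress, RequireSenderAuthenticationEnabled, ModerationEnabled
}
```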
Security Groups:
- security_group1.jpg
- Security groups are designed to grant access to Microsoft 365 resources and make administration easier. They can be used to grant access to important company resources like tools, portals, reports, and devices like printers.
Add a security group:
- Security groups give people access to resources such as SharePoint sites. They can also include devices, for use with mobile device management.
- Azure AD roles can be assigned to the group.
- Licenses can be assigned to group.
- By default All Users security group is created.
- +Add a security group:
- Name: AAA_Users
- Role assignment: Azure AD roles can be assigned to the group. Check this box to use this group to assign roles. Once set, the group's eligibility for role assignment is permanent.
- Create group
- Manage group:
- Click on created group.
- General:
- Edit Basic information like, change group name & description.
- Add group owners
- Members:
- view and add/remove owners
- View and add/remove members.
- License and apps:
- Assign/remove licenses for this group; the license will be automatically assigned to members of this group.
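The security-group settings above (the role-assignable flag, a role assignment and group-based licensing), as an added Microsoft Graph PowerShell example that is not part of the original notes. It assumes the Microsoft.Graph module; the group name, role name and SKU part number are placeholders. The review function goes a step beyond the notes: it lists who sits in every role-assignable group, because membership there is the same as holding the role.

```powershell
# Added example (not from the original notes): a security group created with
# "Azure AD roles can be assigned to the group" ticked, a directory role assigned
# to it, and a license attached so members inherit it. Assumes Microsoft.Graph.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Directory.ReadWrite.All'

function New-RoleAssignableGroup {
    param(
        [Parameter(Mandatory)][string]$Name,         # e.g. 'AAA_Users' (placeholder)
        [Parameter(Mandatory)][string]$RoleName,     # e.g. 'Helpdesk Administrator'; pick the narrowest role that fits
        [string]$LicenseSkuPartNumber                # placeholder; list real values with Get-MgSubscribedSku
    )
    # IsAssignableToRole can only be set at creation and cannot be changed afterwards (as the admin center warns).
    $group = New-MgGroup -DisplayName $Name -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled:$true -IsAssignableToRole:$true

    # Resolve the role by display name and assign it at tenant scope ("/").
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null

    if ($LicenseSkuPartNumber) {
        # Group-based licensing: members receive (and, on removal, lose) the license automatically.
        $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $LicenseSkuPartNumber
        Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    }
    $group
}

# Review: membership of every role-assignable group. Adding someone here grants them the role,
# so this list is part of the privileged-account inventory.
function Get-RoleAssignableGroupMembers {
    Get-MgGroup -Filter "isAssignableToRole eq true" | ForEach-Object {
        $g = $_
        Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
            [pscustomobject]@{
                Group    = $g.DisplayName
                MemberId = $_.Id
                Upn      = $_.AdditionalProperties['userPrincipalName']
            }
        }
    }
}
```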
Add a mail-enabled security group:
- Mail-enabled Security Groups are like security groups, but with the added capability of sending emails to all members. They can be used for sending news, promotions, and company updates to your sales team.
- Mail-enabled security groups give people access to resources such as SharePoint sites. It includes an email address for contacting everyone in the group.
- +Add a mail-enabled security group.
- Name: aaa_users_mail
- Assign owners: Group owners have unique permissions to manage the group. They can add and remove members, change group settings, rename the group, update its description, and more.
- Add members: Group members have access to everything the group can access, and will receive email messages sent to the group email address. By default, they can invite guests to join your group, but they can't edit group settings.
- Group email address: aaa_users@strdistributors2026.onmicrosoft.com
- Communication: check box Allow people outside of my organization to send email to this mail-enabled security group.
- Create group.
- Edit Group:
- click created group.
- General:
- Edit Basic information, Email Addresses
- Members:
- Add/Remove owners and members.
- Licenses and apps:
- Add/Remove licenses to group.
- Settings:
- Check box, Allow external senders to email this group.
- Advanced settings: Manage more settings in the Exchange admin center.
- Export:
Policies:
Deleted Groups:
- Deleted groups can be restored within 30 days.
Shared mailboxes:
- A shared mailbox can be used by a group of people, like a support team, to receive and send email from the same email address. Select a shared mailbox to add or remove members, set up automatic replies, manage aliases, and more.
- +Add a shared mailbox
- Edit mailbox:
- select the mailbox
- Basic information: Edit to change mailbox name
- Email addresses: Edit to change primary address and Aliases.
- Email forwarding: Forward all emails sent to this mailbox; select the check box and enter the email. Keep a copy of forwarded email in this mailbox.
- Automatic replies: Use these settings to create automatic reply (Out of Office) messages.
- Sent items:
- Copy items sent as this mailbox, or on behalf of this mailbox, to the mailbox's Sent Items folder. This lets shared mailbox members see the email other members have sent.
- If you don't copy sent items to the mailbox, they will only be saved to the sender's Sent Items folder.
- check box: Copy items sent as this mailbox.
- Check box: Copy items sent on behalf of this mailbox.
- Email Apps:
- Choose the apps and methods mailbox members can use to access the shared mailbox.
- Outlook on the web.
- Outlook for desktop (MAPI).
- Exchange Web Services.
- Mobile (Exchange ActiveSync)
- IMAP: Internet message access protocol: is a standard email protocol that allows users to access, manage, and synchronize emails across multiple devices (phone, desktop, webmail) by keeping messages on a central server. Unlike POP3, IMAP syncs changes—such as read/unread status or folder organization—in real-time, ensuring consistency everywhere
- POP: Post Office Protocol: a one-way email protocol that downloads messages from a server to a single local device and typically deletes them from the server.
- POP and IMAP settings for Outlook:
- Outlook and Outlook.com may be able to detect your account's mailbox settings automatically, but for other non-Microsoft accounts, you may need to contact your email provider for their settings.
- Members: Edit to add/remove members
- Manage mailbox permissions:
- Read and manage permissions: These users can read emails in the shared mailbox, and perform management actions such as adding and removing mailbox content. Changes can take up to 60 minutes to take effect.
- Send as permissions: These users can send emails as this account (originating name will not appear).
- Send on behalf of permissions: These users can send emails with both their account name and the shared mailbox name. Their emails will show that they were sent on behalf of ithelp.
- Show in global address list: Choose whether to show this mailbox in your organization's global address list. If you don't show it, new shared mailbox members won't be able to add it to their Outlook profile until the shared mailbox is again shown in the address list.
- Exchange settings: It will open exchange admin center
Roles
Resources
Marketplace
Billing
Your products
- Licenses
- Subscriptions:
- licenses1.jpg
- Request: Any pending request
- Auto-claim policy: Auto-claim policies save you and your users time by allowing them to claim a product license the first time they sign in to an app. Set which app a person uses to claim a license, and which product the license will come from.
- Perpetual software: This view gives the complete license position for this billing account across different purchases by their versions and billing profiles.
- Bills & Payments:
- Invoices: list of invoices.
- Payment methods: Added payment methods (card details)
- Billing accounts: Billing accounts manage your purchasing relationship with Microsoft. Each billing account contains defining info about your organization, like addresses, contact info, and any tax info that applies. Purchases made with your billing account are covered by the agreement that you signed with Microsoft.
- Payment methods: Added payment methods (card details)
- Billing notifications: We send billing notification emails to share important information with your organization. These emails include information about changes to your subscriptions and usually include an action to keep your subscriptions active and your account in good standing.
- Pay-as-you-go: With Pay-as-you-go billing, service usage is charged to an Azure subscription. Create billing policies to connect to an Azure subscription, then choose those policies when you configure the service.
- Cost management:
Support
Settings
Setup
Reports
Health
Admin Centers
All Admin centers
Customize navigation
Microsoft 365 or Office 365 (Earlier):
Main core components are:
- Exchange online
- Skype or Lync
- Sharepoint
- Office 365 Pro Plus (Desktop),
other components are:
- Yammer (social networking like facebook, Instagram, twitter),
- Flow (automation tool)
- Powerapps (create application for phone and tablets)
- Teams (Mobile application like whatsapp, chat with each other in the company)
- Delve (like book shelf, documents are stored in multiple places like onedrive, sharepoint etc. scattered, documents listed in a list no matter where it is stored)
- Sway
- Microsoft 365 online (Online/Cloud Version)
- Home/Personal Subscription
- Business Subscription
- Enterprise Subscription (E1 E3 E5)
- Office 365 Pro Plus (Desktop version)
| Identities | O365 Outlook |
| User Management, Password Management | Migration of Mailboxes |
| Roles, Groups, MFA | Exchange Online, Exchange 2016, Exchange Access |
| Custom Domain | Exchange Online Admin |
| Active Directory Synchronization | External Email Warning Rule |
| Office 365 Installation | |
Identities:
| Cloud IDs (Azure AD) | Synchronised IDs (on-prem Active Directory) | Federated IDs |
| Users are created in O365 and maintained in Azure AD | Users of on-prem Active Directory, synchronised with O365 | ADFS (Active Directory Federation Services), SSO |
| Users can be deleted in O365 | Users cannot be deleted/modified in O365 (they are maintained in on-prem Active Directory and synchronised to O365) | Synchronised IDs can be federated |
Multi-Factor Authentication: Additional security to authenticate a user's credentials.
- Admin Center/Settings/Org Settings/Multi-Factor Authentication/select the user and enable multi-factor authentication.
- Go to the user's service settings to add the various verification options:
- Text message to phone
- Notification through mobile app
- Verification code from mobile app or hardware token
Roles:
- The Global Admin role is assigned to the tenant user by default. It is the top-most admin role. There are a number of other admin roles, like user management, password admin, billing admin, service admin, Exchange Online, Skype Online, SharePoint Online, etc.
Groups: Four types of groups can be created.
- Microsoft 365: A mail-enabled group; if you send email to this group it is delivered to all users of the group.
- Distribution list: Create a group for a department; mail to it is distributed to all members of the department group.
- Mail-Enabled Security:
- Security:
Resources:
Custom Domain: By default you get a domain like abc@companyname.onmicrosoft.com.
Define a custom domain:
DNS server of the service provider: If DNS is hosted by the service provider, log in to the domain provider's control panel, go to DNS and add a TXT or MX record. O365 verifies it to confirm ownership of the domain.
- portal.office.com/admin Center/Settings/Domains/add domain/enter domain name
- Verify domain: add a TXT record or MX record in the DNS server; it is used to prove ownership of the domain. Copy the TXT name, TXT value and TTL and add them as a DNS record. Verify and connect the domain.
- txt_record_domain_ownership.jpg
- After confirmation of domain ownership, add further records in DNS for whatever services you want to use, like Exchange Online (3 records), Skype, MDM, etc.
- Exchange online:
- 3 records (Exchange Online):
- TXT (for SPF (Sender Policy Framework: anti spam protection)),
- CNAME (Autodiscover)
- MX (Point to the Exchange Server of O365)
- exchange_record1.jpg
- exchange_record2.jpg
- Skype for Business Online (SKBO):
- 2 CNAME records (one for client Autodiscover and one for web app Autodiscover)
- 2 SRV records (one for TCP on port 5061 and one for TLS on port 443)
- Mobile Device Management:
- 2 CNAME records (one for Microsoft Intune, one for MSOID, for latency purposes)
- The domain is configured; now edit the user with the new user principal name (your domain).
- user_principal_name.JPG
- To test the connectivity of online service after adding records in DNS, visit testconnectivity.microsoft.com
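The verification and record-check steps above, scripted as an added example (not from the original notes). It uses the Microsoft Graph PowerShell SDK for the tenant side and Resolve-DnsName (Windows DnsClient module) for the public-DNS side; the domain name is a placeholder and the domain must already have been added in the admin center. Besides the three Exchange Online records listed above it also counts SPF records, since a domain publishing two SPF TXT records fails SPF evaluation.

```powershell
# Added example (not from the original notes): domain verification and the
# Exchange Online DNS checks from the notes above. Graph returns the TXT value the
# tenant expects and the records each service needs; Resolve-DnsName confirms what
# public DNS actually carries. Assumes Microsoft.Graph; the domain is a placeholder.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

function Get-DomainVerificationTxt {
    param([Parameter(Mandatory)][string]$Domain)
    # The TXT value to create at the DNS host. 'text' lives in AdditionalProperties in the SDK output (assumption).
    Get-MgDomainVerificationDnsRecord -DomainId $Domain |
        Where-Object RecordType -eq 'Txt' |
        ForEach-Object { [pscustomobject]@{ Label = $_.Label; Ttl = $_.Ttl; Text = $_.AdditionalProperties['text'] } }
}

function Test-DomainVerificationRecord {
    param([Parameter(Mandatory)][string]$Domain)
    $expected  = (Get-DomainVerificationTxt -Domain $Domain).Text
    $published = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings
    [bool]($published -contains $expected)
}

function Confirm-TenantDomain {
    param([Parameter(Mandatory)][string]$Domain)
    if (-not (Test-DomainVerificationRecord -Domain $Domain)) {
        throw "TXT record for $Domain is not visible in public DNS yet; wait for the TTL and retry."
    }
    Confirm-MgDomain -DomainId $Domain    # the "Verify" button in the admin center
}

# After verification: compare what Exchange Online expects with what DNS publishes.
function Test-ExchangeOnlineDns {
    param([Parameter(Mandatory)][string]$Domain)
    $mx  = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $cn  = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $spf = @($txt.Strings | Where-Object { $_ -like 'v=spf1*' })
    [pscustomobject]@{
        MxPointsToExchangeOnline = [bool]($mx.NameExchange -like '*.mail.protection.outlook.com')
        SpfIncludesExchangeOnline = [bool]($spf -like '*include:spf.protection.outlook.com*')
        SpfRecordCount           = $spf.Count          # must be exactly 1; more than one is a permanent SPF error
        AutodiscoverCname        = [bool]($cn.NameHost -eq 'autodiscover.outlook.com')
        RecordsTenantExpects     = Get-MgDomainServiceConfigurationRecord -DomainId $Domain | Select-Object RecordType, Label
    }
}

Test-ExchangeOnlineDns -Domain 'stardistributors.example'   # placeholder domain
```

RecordsTenantExpects is the same list the admin center shows on the "Add DNS records" page; the boolean fields are the independent check from the public resolver's point of view, which is what testconnectivity.microsoft.com also sees.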
On Prem DNS server:
- On Premise DNS server> Go to forward lookup zone > right click and create a TXT record by adding the value given.
Active Directory Synchronization: use the tool Azure AD connect.
- Users, groups and permissions in Microsoft/Office 365 are stored in Azure AD. On-premises users, groups and computers are stored in AD DS. Through directory synchronization, AD objects are synced between on-premises AD DS and O365 Azure AD.
- To access Azure Active Directory: aad.portal.azure.com
- Use the tool Azure AD Connect.
- CD (connected data source) on both ends. For synchronization, connectors are required: the on-premises one is called the AD connector and the other the Azure AD connector.
- Required permissions to set it up: Enterprise Administrator on AD DS and Global Administrator on Azure AD.
- MV (Metaverse): objects from both sides are combined in the MV.
- CS (connected source): objects from on-prem AD are imported into the CS. This cycle is called import.
- In the MV, objects are synchronized. The CS provides all information about the objects, while you need only the particular objects that are to be synchronized; in the MV the other data is removed and only the required data is kept.
- On the other side, data from the Metaverse goes to the connected source and, with the help of the connector, on to the connected source in Azure AD. This cycle is called export.
- Import > Synchronize > Export
- Azure AD Connect has its own database: either a separate SQL database or, by default, a SQL Express database.
- The sync cycle runs every 30 minutes and can be changed to the required interval. A manual sync can be performed. A password change does not wait for the 30 minutes: it is a triggered event, so as soon as a password is changed in AD the sync cycle runs automatically.
- Password sync is always carried out on hash values, not plain text. Passwords in AD are always stored as hashes; password sync hashes that hash again, so what is synchronized is a hash of the hash.
- Sync is either full or delta: the first run is a full sync cycle; subsequent cycles are delta.
- 3 types of filtering: OU, domain filtering (multiple domains) and attribute filtering.
- Staging mode: the server has all the features except synchronization and acts like a backup or high-availability server; if the primary sync server goes down, you can promote the staging server.
- It is two-way synchronization, but you cannot do user writeback: if you create a user in Azure AD it cannot be synced to on-prem AD. Password writeback, group writeback and device writeback can be synchronized. User writeback existed until 2015.
- Synchronized IDs should be deleted or modified in on-prem AD.
- Before performing synchronization, remove any ID errors from AD using the IdFix remediation tool offered by Microsoft.
- Earlier we used FIM (Microsoft Forefront Identity Manager), then MIS (Microsoft Identity Information Service), then DirSync, and now Azure AD Connect to manage identities.
- IdFix (tool used to correct mistakes in AD).
On-prem AD DS lab:
- Install a VM server and add the AD DS and DNS roles. Create the zone stardistributors.co.uk.
- Create some users that need to sync with O365. If users already exist in AD with a different domain, you can change it: go to Active Directory Domains and Trusts > right-click Active Directory Domains and Trusts > Properties and enter an alternate UPN suffix with the new domain name. Then go to the user's properties and change the UPN on the Account tab.
- Download and run the IdFix tool to check for errors in Active Directory.
- Download and install Azure AD Connect: choose Express (default) or Customized settings (pass-through authentication, password hash sync, ADFS, enable SSO). Enter Azure AD credentials (Global Admin): create a dedicated user and assign it the Global Admin role; although the tenant account has Global Admin rights it cannot be used here, and this user must be created in Azure AD in either the default domain or a custom domain. Enter AD DS credentials (Enterprise Admin): this user must have Enterprise Admin rights.
- The domain should be verified; both the local and the external domain will be checked. If the local domain is not verified, you can continue by selecting the option to continue without a verified domain.
- Ready to configure: it creates the synchronization engine, which creates connectors on both sides for synchronization.
- By default the start-synchronization option is selected; if you continue, all objects in your AD will start synchronizing. In production not all objects are synchronized, only the required, selected objects.
- By default it creates a SQL Express database if no SQL database is defined, in c:\windows\Microsoft SQL server.
- By default a service account is created in Active Directory; check in Services for Microsoft Azure AD Sync, which should be in the running state for synchronization with Azure AD to work.
- To start the initial synchronization, use PowerShell or start the Azure AD Connect tool.
Synchronization with powershell:
- First install the module: open PowerShell on the Active Directory server as administrator and run PS:\Install-Module ADSync
- If that gives an error, import the module from its own directory instead (the path contains spaces, so quote it):
PS:\cd "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"
PS:\Import-Module .\ADSync.psd1
- Run PS:\Get-ADSyncScheduler
- Synchronization runs by default every 30 minutes. To control what is synchronized, open the Azure AD Connect tool, select the Customize synchronization options, provide credentials and select the OUs to synchronize; you can also check the Password writeback box. Password hash synchronization takes place every 2 minutes: if a user changes the password in Active Directory it syncs to the cloud within 2 minutes, but if a user changes the password in Azure or cloud services it does not sync back to Active Directory, and the old Active Directory password is synced to the cloud again within 2 minutes. With password writeback selected, a password changed in cloud services is written back to Active Directory.
- Seamless single sign-on: single sign-on was originally available only with federation; Microsoft introduced Seamless SSO so that single sign-on also works with password hash sync or pass-through authentication.
- By default sync runs every 30 minutes. Even if you reduce the interval with the PowerShell command, the scheduler still reports that sync takes place every 30 minutes, so run a manual sync instead. PS:\Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:05:00
- Initial sync and delta sync: an initial sync synchronizes all objects, while a delta sync synchronizes only the changes.
- Delta sync: PS:\Start-ADSyncSyncCycle -PolicyType Delta
- Full sync: PS:\Start-ADSyncSyncCycle -PolicyType Initial
- Disable the scheduler: PS:\Set-ADSyncScheduler -SyncCycleEnabled $false
- Enable the scheduler: PS:\Set-ADSyncScheduler -SyncCycleEnabled $true
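The scheduler and sync-cycle cmdlets above, put together as an added example (not from the original notes) that runs on the Azure AD Connect server: it reports the ADSync service state and scheduler settings, and starts a delta sync only when the service is running and no cycle is already in progress. It assumes the ADSync module that ships with Azure AD Connect is present; the service name ADSync corresponds to the "Microsoft Azure AD Sync" entry in Services.

```powershell
# Added example (not from the original notes): check the Azure AD Connect
# scheduler and service, then start a delta sync only when it is safe to do so.
# Run in an elevated PowerShell on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

function Get-ADSyncHealth {
    # Service name is ADSync; its display name is "Microsoft Azure AD Sync".
    $svc   = Get-Service -Name ADSync -ErrorAction Stop
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        SchedulerEnabled  = $sched.SyncCycleEnabled
        SyncInProgress    = $sched.SyncCycleInProgress
        AllowedInterval   = $sched.AllowedSyncCycleInterval
        CustomInterval    = $sched.CustomizedSyncCycleInterval
        EffectiveInterval = $sched.CurrentlyEffectiveSyncCycleInterval
        NextRunUtc        = $sched.NextSyncCycleStartTimeInUTC
        StagingMode       = $sched.StagingModeEnabled
    }
}

function Start-SafeDeltaSync {
    $health = Get-ADSyncHealth
    if ($health.ServiceStatus -ne 'Running') {
        throw "ADSync service is $($health.ServiceStatus); start it before syncing."
    }
    if ($health.SyncInProgress) {
        Write-Warning 'A sync cycle is already running; not starting another.'
        return $health
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Get-ADSyncHealth
}

Get-ADSyncHealth | Format-List
# Uncomment to trigger a delta sync:
# Start-SafeDeltaSync | Format-List
```

The EffectiveInterval field explains the 30-minute message noted above: the scheduler uses the larger of AllowedSyncCycleInterval (30 minutes by default) and CustomizedSyncCycleInterval, so a customized value of 5 minutes does not take effect.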
- For single sign-on to work after selecting Single sign-on in the configuration (Seamless SSO without ADFS), add these URLs to the Local intranet zone in Internet Explorer: IE > Tools > Internet Options > Security > Local intranet > Sites > Advanced: https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net
- You can apply the two URLs above through Group Policy so they are included for all users: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page > Site to Zone Assignment List.
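A client-side check for the Group Policy step above, as an added example (not from the original notes): the Site to Zone Assignment List policy writes one REG_SZ value per site under the ZoneMapKey policy key, with the site as the value name and the zone number as the data (1 = Local intranet). The script reads both the user and the computer policy locations and reports whether each Seamless SSO URL is mapped to zone 1; the URL list is the one from the notes.

```powershell
# Added example (not from the original notes): verify on a domain-joined client
# that the two Seamless SSO URLs are mapped to the Local intranet zone (zone 1)
# by the "Site to Zone Assignment List" policy.
$SsoSites = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)

function Test-SsoZoneMapping {
    param([string[]]$Sites = $SsoSites)

    # User policy first, then computer policy; either location is honoured.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    foreach ($site in $Sites) {
        $zone = $null
        foreach ($p in $paths) {
            if (-not (Test-Path $p)) { continue }
            $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            # The value name is the full site string, so look it up by name.
            if ($props.PSObject.Properties.Name -contains $site) {
                $zone = [int]$props.$site
                break
            }
        }
        [pscustomobject]@{
            Site     = $site
            Zone     = $zone          # $null means the policy has not applied
            Intranet = ($zone -eq 1)
        }
    }
}

Test-SsoZoneMapping | Format-Table -AutoSize
```

If Zone comes back empty on a machine in the targeted OU, run gpupdate /force and check the Group Policy Results report before assuming the SSO configuration itself is wrong.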
- Install-Module MSOnline
- Import-Module MSOnline
- Connect-MsolService
Office 365 ProPlus installation:
- It is a streamed (Click-to-Run) installation, so you can use Office 365 while it is still installing in the background. You can install Office 365 ProPlus in two ways:
- User installation (log on to the O365 account and install).
- Managed installation (using the Office Deployment Tool: download the tool and share it on the network).
- You will have setup.exe and a configuration.xml file.
- Open a command prompt, cd to the folder containing setup.exe and configuration.xml, and run setup.exe /download configuration.xml (a folder is created and all streamed files are downloaded into it; wait until the command prompt returns to the next line).
- Share the folder with Everyone.
- Through Group Policy, push the installation centrally.
- Go to the domain controller: Active Directory Users & Computers > create an organizational unit (o365proplus) > move the computer accounts that need Office 365 ProPlus into this OU.
- Apply a group policy to this o365proplus organizational unit.
- On the Active Directory machine: Tools > Group Policy Management > go to the domain > o365proplus.
- Right-click and choose Create a GPO in this domain, and Link it here; give the GPO a name.
- Right-click the GPO > Edit > Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup > Add > Browse > New Text Document > edit it to contain "\\location of folder\o365proplus\setup.exe /configure \\location of folder\o365proplus\configuration.xml" and save it as o365proplus.cmd (delete the new text document once the script file is created), then select the script file and apply.
- Refresh group policy.
- Go to the computer on which you want to install and run cmd > gpupdate /force
- Restart the system; the application installs.
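The two files the procedure above needs, configuration.xml and the startup script, written out by PowerShell as an added example (not from the original notes, and not Microsoft's sample). The share path, channel and language are placeholders; the XML elements (Add, Product, Language, Updates, Display, Property) are the Office Deployment Tool's documented ones. Display Level="None" with AcceptEULA="TRUE" is what makes the install unattended so a startup script can complete it, and the registry check in the .cmd keeps the script from re-running setup on every boot.

```powershell
# Added example (not from the original notes): generate the Office Deployment
# Tool configuration.xml and the GPO startup script for the o365proplus OU.
$SharePath = '\\FILESERVER\o365proplus'     # placeholder network share

$ConfigXml = @"
<Configuration>
  <!-- 64-bit Office from the Current channel, streamed from the share -->
  <Add OfficeClientEdition="64" Channel="Current" SourcePath="$SharePath">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <!-- Unattended: no UI and EULA accepted, so a startup script can finish -->
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
</Configuration>
"@

function Test-OdtConfig {
    # Parse the XML and summarize the settings that matter for a silent push.
    param([string]$Xml)
    $doc = [xml]$Xml
    $add = $doc.Configuration.Add
    [pscustomobject]@{
        Edition    = $add.OfficeClientEdition
        Channel    = $add.Channel
        SourcePath = $add.SourcePath
        Products   = @($add.Product.ID)
        Unattended = ($doc.Configuration.Display.Level -eq 'None' -and
                      $doc.Configuration.Display.AcceptEULA -eq 'TRUE')
    }
}

# Startup script the GPO runs on each computer in the o365proplus OU.
$StartupCmd = @"
@echo off
rem Skip if Click-to-Run Office is already installed on this machine
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" >nul 2>&1 && exit /b 0
"$SharePath\setup.exe" /configure "$SharePath\configuration.xml"
"@

Test-OdtConfig -Xml $ConfigXml | Format-List
# Write both files next to setup.exe on the share (uncomment once it exists):
# Set-Content -Path "$SharePath\configuration.xml" -Value $ConfigXml -Encoding UTF8
# Set-Content -Path "$SharePath\o365proplus.cmd"   -Value $StartupCmd -Encoding ASCII
```

Because the startup script runs as SYSTEM on every machine in the OU, the share only needs Read access for Domain Computers; avoid granting Everyone Change/Full on a folder whose setup.exe every client will execute.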
Office 365 Professional 2013, 2016:
- Install using MSI (download the complete package and install).
O365 Outlook:
- To log in to Outlook and Exchange in Office 365:
- outlook.office.com/ecp (access the Exchange Online admin panel)
- outlook.office.com/owa (access Outlook)
Migration of Exchange mailboxes from on-premises to Exchange Online
- Cutover migration: migrate all mailboxes to Exchange Online and decommission on-premises, i.e. remove everything from on-premises and shift it to O365.
- IMAP migration: used when the source is a non-Microsoft email system.
- Hybrid migration: mailboxes are maintained both on-premises and online.
- Staged migration: for Exchange 2003 and 2007; on those older versions it was similar to a cutover migration.
- PST migration:
mail_flow.jpg
- MX record: suppose you have both an on-premises and an online Exchange server. If you want mail to arrive first at Exchange Online and then go to on-premises, your MX record should point to Exchange Online.
- If you want mail to arrive first on-premises and then go to Exchange Online, your MX record should point to the on-premises Exchange server.
- In the above chart an email is sent to both Julie and David, where Julie's mailbox is on-premises and David's mailbox is in Exchange Online. The MX record points to Exchange Online for mail delivery, so all mail arrives at Exchange Online, where EOP (Exchange Online Protection: anti-spam, anti-malware) applies compliance and filtering. Exchange Online then checks whether the mailboxes exist there: David's mailbox is there, so it delivers; Julie's mailbox is not, so the mail for Julie is transferred to on-premises Exchange through the internal send and receive connectors between Exchange Online and on-premises.
- How does Exchange Online decide whether a mailbox is online or on-premises? When you create a mailbox online, two addresses are created: xyz@companyname.onmicrosoft.com and abc@domainname.
- Email is delivered to the online mailbox when the xyz@companyname.onmicrosoft.com alias is present.
Exchange Admin Center access:
Exchange Online administration: portal.office.com/admin/exchange
Classic Exchange Admin Center: classic_exchange_admin.jpg
New Exchange Admin Center: new_exchange_admin.jpg
Recipients: recipients.jpg
- Mailboxes: the types of mailboxes that can be created: employee (user), group (O365 group, DL, mail-enabled security group, dynamic DL), room mailbox, equipment mailbox, mail user, mail contact, shared mailbox. Double-click a name to add further details.
- General: user details, name, alias, user ID, hide from address list, etc.
- Mailbox usage: how much of the total mailbox quota has been used.
- Contact information: user contact information, address, phone, fax, etc.
- Organization: position in the organization, title, department, company.
- email address: Each email address type has one default reply address. The default reply address is displayed in bold. To change the default reply address, select the email address that you want to set as the default, and then double-click to edit it.
- Mailbox features:
- Define policies: sharing, role assignment, retention, address book policy.
- Phone and voice features: mobile devices, disable Exchange ActiveSync, disable OWA for devices.
- Email connectivity: Outlook on the web enabled/disabled.
- IMAP: enabled/disabled.
- Member of: groups.
- MailTip: You can create a MailTip to display when people send email to this user. The MailTip can have a maximum of 175 characters.
- mailbox delegation:
- Send As: The Send As permission allows a delegate to send email from this mailbox. The message will appear to have been sent by the mailbox owner.
- Send on Behalf: The Send on Behalf permission allows the delegate to send email on behalf of this mailbox. The From line in any message sent by a delegate indicates that the message was sent by the delegate on behalf of the mailbox owner.
- Groups: Create groups
- Office365 group: A shared email address people can use to email each other, with access to past conversations and attachments.
- Distribution list:
- Mail enabled security group: Mail-enabled security groups can be used to distribute messages and to assign access permissions to Active Directory resources.
- Dynamic distribution list: In dynamic distribution groups, the membership list is calculated every time a message is sent to the group. This calculation is based on rules you define when you create the group. When an email message is sent to a dynamic distribution group, it's delivered to all recipients that match the rules you've defined.
- Resources: you can create resource mailboxes for:
- room mailbox: A room mailbox is a resource mailbox that's assigned to a physical location. Users can easily reserve rooms by including room mailboxes in meeting requests. Just select the room mailbox from the list and edit properties, such as booking requests or mailbox delegation
- Equipment mailbox: An equipment mailbox is a resource mailbox assigned to a resource such as a laptop, projector or company car. Users can easily reserve the equipment by including equipment mailboxes in meeting requests. Just select the equipment mailbox from the list and edit properties, such as booking requests or mailbox delegation.
- Contacts:
- Mail contact: users without mailboxes, users with contact details only.
- Mail user: users with mailboxes.
- Shared: email can be sent to and from the name and email address of the shared mailbox rather than an individual. After you create the shared mailbox, you can add members who can read and reply to email. Example: an IT department shared mailbox, whose members reply to mail on behalf of the IT department rather than as individuals.
- Migration: create endpoints. An endpoint is the channel for a migration batch, connecting the Exchange server with Office 365.
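The mailbox delegation item above (Send As versus Send on Behalf) done from Exchange Online PowerShell, as an added example that is not part of the original notes. It assumes an existing Connect-ExchangeOnline session; the mailbox and delegate addresses are placeholders. Send As is granted with Add-RecipientPermission and leaves no trace of the delegate in the message, which is why the report function exists: it lists every Send As and Send on Behalf trustee on a mailbox so the grants can be reviewed.

```powershell
# Added example (not from the original notes): grant and audit Send As and
# Send on Behalf on a mailbox. Assumes Connect-ExchangeOnline has been run.
$Mailbox  = 'it-support@contoso.example'   # placeholder shared mailbox
$Delegate = 'a.mohammed@contoso.example'   # placeholder delegate

function Grant-MailboxDelegation {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Trustee,
        [ValidateSet('SendAs', 'SendOnBehalf')][string]$Mode = 'SendOnBehalf'
    )
    if ($Mode -eq 'SendAs') {
        # Message appears to come from the mailbox itself; the delegate is not shown.
        Add-RecipientPermission -Identity $Identity -Trustee $Trustee `
            -AccessRights SendAs -Confirm:$false
    } else {
        # @{Add=} appends to the existing list instead of replacing it.
        Set-Mailbox -Identity $Identity -GrantSendOnBehalfTo @{Add = $Trustee}
    }
}

function Get-MailboxDelegationReport {
    param([Parameter(Mandatory)][string]$Identity)
    # Send As entries, minus the SELF entry every mailbox carries.
    $sendAs = Get-RecipientPermission -Identity $Identity |
        Where-Object { $_.AccessRights -contains 'SendAs' -and
                       $_.Trustee -ne 'NT AUTHORITY\SELF' }
    $mbx = Get-Mailbox -Identity $Identity
    [pscustomobject]@{
        Mailbox      = $Identity
        SendAs       = @($sendAs.Trustee)
        SendOnBehalf = @($mbx.GrantSendOnBehalfTo)
    }
}

Grant-MailboxDelegation -Identity $Mailbox -Trustee $Delegate -Mode SendOnBehalf
Get-MailboxDelegationReport -Identity $Mailbox | Format-List
```

Prefer Send on Behalf for shared mailboxes unless the business case needs the sender hidden: the From line then records who actually sent the message, which matters when reviewing a suspicious outbound mail later.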
Permissions/Roles:
- Admin roles: predefined admin roles.
- OWA Mailbox Policy:
- Features: owa_mailbox_policy.jpg
- Exchange ActiveSync: if checked, users can access their mailboxes on mobile devices; users can also access OWA on their mobile devices.
- file access:
- offline access:
- Default Role Assignment Policy: the default user role assignment policy; it defines which changes users can make to their own mailboxes. default_user_role_assignment.jpg
Compliance Management:
- In-place eDiscovery & hold: This feature has been retired.
- Auditing:
- Data loss prevention:
- Retention Policies:
- Retention Logs:
- Journal Rules:
Exchange 2016:
Installation :
- Create a Windows Server 2016 VM (EX-SVR1) in Azure, log on to the server and set the DNS address in its NIC to the DC; it restarts, then join it to the domain.
- Log in to EX-SRV1 as the domain administrator (stardistributors.co.uk\administrator1) and install the following:
- .NET Framework 4.8: download and install.
- Microsoft Unified Communications Managed API (UCMA) 4.0: download and install.
- Exchange 2016 Server ISO: download and install.
- Open the Exchange Management Shell and run the following commands:
- PS:\Install-WindowsFeature
- On the Exchange server, open a browser at http://localhost/ecp to access the Exchange Admin Center. Use the login details that were used for the installation.
- There will be only one mailbox, for the default account. Create a few users with a script or manually.
- Create a host A record in DNS for mail: on the DC, create a host A record with name = mail and the IP address of the Exchange server.
- Importing a certificate for OWA (user access to Outlook) is required.
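The "create a few users with a script" step above, as an added example (not from the original notes) for the Exchange Management Shell on the new Exchange 2016 server. The CSV rows are constructed sample data, the OU is a placeholder, and the domain is the one used in the notes. Each mailbox gets a random initial password from the OS CSPRNG and is forced to change it at first logon, so the script never needs a shared or hard-coded password.

```powershell
# Added example (not from the original notes): create test mailboxes from
# constructed CSV data in the Exchange Management Shell (Exchange 2016).
$Domain   = 'stardistributors.co.uk'        # domain used in the notes
$TargetOu = 'stardistributors.co.uk/Users'  # placeholder OU

$UsersCsv = @'
FirstName,LastName,Alias
Julie,Smith,j.smith
David,Jones,d.jones
'@

function New-RandomPassword {
    param([int]$Length = 16)
    # Use the OS CSPRNG rather than Get-Random, which is not cryptographically
    # strong, and map bytes onto an alphabet without look-alike characters.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-TestMailboxes {
    param([string]$Csv = $UsersCsv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $upn     = "$($row.Alias)@$Domain"
        $initial = New-RandomPassword
        New-Mailbox -Name "$($row.FirstName) $($row.LastName)" -Alias $row.Alias `
            -FirstName $row.FirstName -LastName $row.LastName `
            -UserPrincipalName $upn -OrganizationalUnit $TargetOu `
            -Password (ConvertTo-SecureString $initial -AsPlainText -Force) `
            -ResetPasswordOnNextLogon $true | Out-Null
        # The initial password is single-use; hand it over out of band.
        [pscustomobject]@{ UPN = $upn; InitialPassword = $initial }
    }
}

New-TestMailboxes | Format-Table -AutoSize
```

The alias doubles as the left-hand side of the UPN here; in production the UPN suffix should be a verified routable domain rather than the AD forest name so the accounts sync cleanly to Azure AD later.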
Other Topics:
- Add a domain in office 365
- Create a Mailbox
- SMTP Address
- Re-Assign User License
- Recover Deleted User
- Block a user sign in
- Add CNAME Record for Web Access
- Configure Outlook
- Group Types
- Mail Contacts
- Mail Users
- Email Forwarding to External Recipient
- Shared Mailbox
- Public Folder
- User defined settings in outlook
- Azure Active Directory in Office 365
- Message Trace
- Exchange Online Power Shell
- Offline Access
- Mobile Device
- Exchange Online Protection (EOP)
- Outlook Webapp Policies
- External Email Warning Rule
External Email Warning Rule: https://lazyadmin.nl/it/add-external-email-warning-to-office-365-and-outlook/
Phishing emails are one of the biggest security threats at the moment. Phishing emails get better every year, making them hard to block up front. Users typically also find them hard to recognize and click too often on the links in the emails. We can help prevent that by adding an external email warning or tagging external emails.
There are basically two options, which you should both implement.
- Enabling the external email tag in Exchange Online. This will enable a built-in warning between the subject and body of the email when the email is sent from outside your organization.
- Add a custom warning banner at the top of the email. We can show the custom warning based on words in the subject or body, making it really versatile. It allows us to show a warning for phrases like, “keep your password”, or “update your password”
Enable External Email Tag
External email tagging is an extra security layer to help protect you against phishing emails. Features like SPF, DKIM, and DMARC already do a great job in preventing most phishing emails, but we all know that it’s still not enough.
Especially spoofed emails, which seem to have been sent from a trusted source in your organization, are a great security risk.
Microsoft recently launched a new feature in Exchange Online to help increase the user’s awareness by automatically tagging external emails. The external tag is supported in the following versions of Outlook:
- Outlook Online
- Outlook for Windows – rollout started May 2021
- Outlook for Mac – Version 16.47 and higher
- Outlook Mobile App – iOS and Android – version 4.2111.0 and higher
How to Enable External Email Tagging:
At the moment we can only enable external email tagging through PowerShell. Make sure you have the Exchange Online module installed before you start.
It can take up to 48 hours before the external tag will show up in Outlook. Only new emails will get tagged after you enabled the feature, existing emails won’t.
Step 1 – Connect to Exchange Online
Load the Exchange Online module:
https://www.powershellgallery.com/packages/ExchangeOnlineManagement/
1. PS C:\WINDOWS\system32> Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.1.0
2. NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\Admin\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
3. Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
4. PS C:\WINDOWS\system32> Install-Module -Name PowerShellGet -Force
5. Open PowerShell in an elevated mode
Press Windows key + X and choose Windows PowerShell (admin)
6. Install PowerShellGet
We need to install PowerShellGet before we can install the EXO V3 Module.
Install-Module -Name PowerShellGet -Force
7. Install the EXO V3 module
We can now install the latest Exchange Online PowerShell module with the Install-Module cmdlet:
Install-Module -Name ExchangeOnlineManagement -Force
8. Automatically check if EXO Module is installed
Are you going to use the Exchange Online module in a script? Then make sure you automatically check that the module is installed before you try to connect.
PS C:\WINDOWS\system32> (Get-Module -ListAvailable -Name ExchangeOnlineManagement) -ne $null
True
9. Connect to Exchange Online with PowerShell
With the Exchange Online module installed we can now easily connect to Exchange Online with a single cmdlet in PowerShell:
PS C:\WINDOWS\system32> Connect-ExchangeOnline -UserPrincipalName aziz27uk@outlook.com -ShowProgress $true (personal emails will not work)
Enter password in the popup window.
Step 2 – Enable external tagging
The next step is to enable the external tagging in Exchange Online.
Set-ExternalInOutlook -Enabled $true
You can verify the settings with the following cmdlet:
Get-ExternalInOutlook
Step 3 – Add domains to allow list (optional)
It’s possible to exclude domains from the external tag. This can be useful if your organization has several tenants or works closely with specific partners.
By using the @{Add=""} syntax we make sure that any existing domains in the list are preserved. Without it, all existing domains in the AllowList would be removed.
Set-ExternalInOutlook -AllowList @{Add="outlook.com", "outlook.com"}
We can verify the settings with the following cmdlet:
Get-ExternalInOutlook
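Steps 8 through 3 above combined into one idempotent script, as an added example that is not part of the original article: it installs the ExchangeOnlineManagement module only when it is missing, connects, enables the external tag if it is off, and adds only the allow-list domains that are not already present, using the @{Add=} syntax so existing entries survive. The admin UPN and partner domains are placeholders; the article's own warning applies, a personal outlook.com account cannot be used to connect.

```powershell
# Added example (not from the original article): make external tagging and the
# allow list converge to the desired state without clobbering existing entries.
$AdminUpn       = 'admin@contoso.example'                           # placeholder
$PartnerDomains = @('partner-one.example', 'partner-two.example')   # placeholders

function Initialize-ExoModule {
    # Same check as step 8, followed by an install only when it is absent.
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Install-Module -Name ExchangeOnlineManagement -Force -Scope CurrentUser
    }
    Import-Module ExchangeOnlineManagement -ErrorAction Stop
}

function Set-ExternalTagging {
    param([string[]]$AllowDomains)
    $before = Get-ExternalInOutlook
    if (-not $before.Enabled) {
        Set-ExternalInOutlook -Enabled $true
    }
    # Add only domains not already listed; @{Add=} preserves the existing list.
    $missing = @($AllowDomains | Where-Object { $_ -notin $before.AllowList })
    if ($missing.Count -gt 0) {
        Set-ExternalInOutlook -AllowList @{Add = $missing}
    }
    $after = Get-ExternalInOutlook
    [pscustomobject]@{
        Enabled      = $after.Enabled
        AllowList    = @($after.AllowList)
        AddedThisRun = $missing
    }
}

Initialize-ExoModule
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
Set-ExternalTagging -AllowDomains $PartnerDomains | Format-List
```

Keep the allow list short and review it with Get-ExternalInOutlook periodically: every domain added there is a domain whose spoofed mail will arrive without the external tag, so a partner domain should only be excluded once its SPF, DKIM and DMARC are in place.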