Microsoft 365 or Office 365 (earlier name):
Main core components are:
- Exchange Online
- Skype for Business (or Lync)
- SharePoint
- Office 365 ProPlus (desktop)
Other components are:
- Yammer (social networking, like Facebook, Instagram or Twitter)
- Flow (automation tool)
- PowerApps (create applications for phones and tablets)
- Teams (mobile application like WhatsApp; chat with each other within the company)
- Delve (like a bookshelf: documents are stored scattered across OneDrive, SharePoint etc., and Delve lists them in one place no matter where they are stored)
- Sway
Subscriptions:
- Microsoft 365 online (online/cloud version)
  - Home/Personal subscription
  - Business subscription
  - Enterprise subscription (E1, E3, E5)
- Office 365 ProPlus (desktop version)
Sections:
- Identities
- O365 Outlook
- User Management, Password Management
- Migration of Mailboxes
- Roles, Groups, MFA
- Exchange Online, Exchange 2016
- Custom Domain
- Directory Synchronisation
Tenant Account: In order to use a Microsoft/Office 365 subscription, first create a tenant. The tenant account is the top-most user in the hierarchy and by default has the Global Admin role, i.e. all permissions and rights.
Domain: A default domain is created when you create the tenant account (username@companyname.onmicrosoft.com). It can be changed to a custom domain using a domain you have registered.
Azure AD: On-premises user identities are stored in Active Directory, while cloud-based Office 365 users are stored in Azure AD. Once the tenant account exists and the required subscription has been taken, you create users/groups in Azure AD to access services.
- portal.office.com (to access the O365 admin portal)
- aad.portal.azure.com (to access Azure Active Directory)
Identities:
- Cloud IDs (Azure AD): users created in O365 and maintained in Azure AD; users can be deleted in O365.
- Synchronised IDs (on-prem Active Directory): users of the on-prem Active Directory synchronised with O365; users cannot be deleted/modified in O365 (they are maintained in on-prem Active Directory, which synchronises with O365). Synchronised IDs can be federated.
- Federated IDs: ADFS (Active Directory Federation Services), SSO.
User Management: users can be created with the following
- O365 console (GUI based): create users/groups.
- PowerShell (command line). Requirements:
  - .NET Framework 3.5 or above
  - Microsoft Online Services Sign-in Assistant (to connect to O365 remotely)
  - Windows Azure AD Module for PowerShell
  - PS> Connect-MsolService (enter the username and password of the tenant admin)
- CSV file (bulk user creation)
Creating Users:
- O365 Console:
  - Go to portal.office.com > Admin Center > Users > Active Users > Add a user
  - Enter user details (user1), set a password, select "send password in email" if needed. UPN: user1@stardistributors786.onmicrosoft.com (or the custom domain).
  - Product license: with or without a product license.
  - Optional settings: roles (select pre-defined roles), profile info (user address, mobile number).
  - Create a template from the above user for later use (optional).
- PowerShell:
  - Install Microsoft Online Services Sign-in Assistant.
  - Install Azure AD Module for Windows PowerShell.
  - If you get an error while installing, go to services.msc and restart the Microsoft Online Services Sign-in Assistant service; if it still errors, restart the computer.
  - A shortcut is created; run it as administrator.
  - PS> Connect-MsolService (enter username and password)
  - .NET Framework is installed by default.
- CSV file:
  - Add multiple users at a time by uploading a CSV file.
  - Go to Admin Center > Users > Active Users > Add multiple users
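The CSV route in script form, as an added example (not from these notes): it connects with the MSOnline module described above, reads users from CSV data and creates each one with a generated temporary password. The tenant domain stardistributors786.onmicrosoft.com is the one used in these notes; the CSV rows are constructed sample data and the license selection is an assumption (pick the SKU you actually bought).

```powershell
# Added example: bulk user creation with the MSOnline module.
# Assumes the MSOnline module is installed and the account used has the
# User Management Admin or Global Admin role in the tenant.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant admin credentials

# Constructed CSV content; in practice use: $users = Import-Csv -Path .\users.csv
$csv = @"
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
user1@stardistributors786.onmicrosoft.com,User One,User,One,GB
user2@stardistributors786.onmicrosoft.com,User Two,User,Two,GB
"@
$users = $csv | ConvertFrom-Csv

# Assumption: assign the first SKU that still has free units (Get-MsolAccountSku lists them).
$sku = (Get-MsolAccountSku |
        Where-Object { $_.ActiveUnits -gt $_.ConsumedUnits } |
        Select-Object -First 1).AccountSkuId

foreach ($u in $users) {
    # Skip accounts that already exist instead of failing half-way through the file
    $existing = $null
    try { $existing = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction Stop } catch { }
    if ($existing) {
        Write-Warning "Skipping $($u.UserPrincipalName): already exists"
        continue
    }

    $params = @{
        UserPrincipalName   = $u.UserPrincipalName
        DisplayName         = $u.DisplayName
        FirstName           = $u.FirstName
        LastName            = $u.LastName
        UsageLocation       = $u.UsageLocation   # required before a license can be assigned
        ForceChangePassword = $true              # temporary password must be changed at first sign-in
    }
    if ($sku) { $params.LicenseAssignment = $sku }

    # With no -Password given, New-MsolUser generates one and returns it in .Password.
    # Hand it to the user out of band; do not write it to a log file.
    $new = New-MsolUser @params
    "{0} created (licensed: {1}), temporary password issued" -f $new.UserPrincipalName, [bool]$sku
}
```

Run it from the elevated PowerShell shortcut the notes mention; the existence check means the script can be re-run safely on the same CSV after fixing a bad row.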
Password Management:
Multi-Factor Authentication: additional security to authenticate a user's credentials.
- Admin Center > Settings > Org Settings > Multi-Factor Authentication > select the user and enable multi-factor authentication.
- Go to the user's service settings to add the verification options:
  - Text message to phone
  - Notification through mobile app
  - Verification code from mobile app or hardware token
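The same per-user MFA enablement from PowerShell, plus a report of licensed users who still have no MFA requirement, as an added example (not from these notes). It assumes Connect-MsolService has already been run; the UPN is a constructed sample in the notes' tenant domain.

```powershell
# Added example: per-user MFA with the MSOnline module (assumes Connect-MsolService was run).

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # StrongAuthenticationRequirement is the object the MSOnline cmdlets use for per-user MFA
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"        # apply to all applications
    $req.State        = "Enabled"  # user is asked to register verification methods at next sign-in
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UsersWithoutMfa {
    # Enabled, licensed users with no per-user MFA requirement at all
    Get-MsolUser -All -EnabledFilter EnabledOnly |
        Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
        Select-Object UserPrincipalName, DisplayName
}

function Get-UserMfaMethods {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Which verification options (SMS, app notification, app code, ...) the user has registered
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationMethods |
        Select-Object MethodType, IsDefault
}

# Constructed sample user
Enable-UserMfa -UserPrincipalName "user1@stardistributors786.onmicrosoft.com"
Get-UserMfaMethods -UserPrincipalName "user1@stardistributors786.onmicrosoft.com"
Get-UsersWithoutMfa | Format-Table -AutoSize
```

Get-UsersWithoutMfa is the check to run periodically: an account that was created after the admin-center enablement pass, or re-enabled later, shows up here until MFA is set on it.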
Roles:
- The Global Admin role is assigned to the tenant user by default; it is the top-most admin role. There are a number of other admin roles, like User Management admin, Password admin, Billing admin, Service admin, Exchange Online admin, Skype Online admin, SharePoint Online admin etc.
Groups: four types of groups can be created.
- Microsoft 365: a mail-enabled group; if you send an email to this group it is delivered to all users of the group.
- Distribution list: create a group for a department; mail sent to it is distributed to all members of the department group.
- Mail-Enabled Security: a security group that also has an email address.
- Security: used to grant permissions to resources (not mail-enabled).
Resources:
Custom Domain: by default you get a domain like abc@companyname.onmicrosoft.com.
Define a custom domain:
DNS server of the service provider: if DNS is hosted by the domain service provider, log in to the provider's control panel, go to DNS and add a TXT or MX record. O365 will verify it to confirm ownership of the domain.
- portal.office.com > Admin Center > Settings > Domains > Add domain > enter the domain name
- Verify domain: add a TXT record or MX record in the DNS server; it is used to prove ownership of the domain. Copy the TXT name, TXT value and TTL and add them as a DNS record. Verify and connect the domain.
  - (image: txt_record_domain_ownership.jpg)
- After confirmation of domain ownership, add further DNS records for whatever service you want to use, like Exchange Online (3 records), Skype, MDM etc.
  - Exchange Online: 3 records
    - TXT (for SPF, Sender Policy Framework: anti-spam protection)
    - CNAME (Autodiscover)
    - MX (points to the Exchange server of O365)
    - (images: exchange_record1.jpg, exchange_record2.jpg)
  - Skype for Business Online (SKBO):
    - 2 CNAME records (one for client Autodiscover and one for web app Autodiscover)
    - 2 SRV records (one for TCP, port 5061, and another for TLS, port 443)
  - Mobile Device Management:
    - 2 CNAME records (one for Microsoft Intune, the second for msoID, for latency purposes)
- The domain is configured; now edit the user with the new user principal name (your domain).
  - (image: user_principal_name.JPG)
- To test connectivity of the online service after adding records in DNS, visit testconnectivity.microsoft.com
On-prem DNS server:
- On the on-premises DNS server, go to Forward Lookup Zones > right-click and create a TXT record with the value given.
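A local check of the records above before using testconnectivity.microsoft.com, as an added example (not from these notes): it resolves each record with Resolve-DnsName (built-in DnsClient module) and compares it with the expected target. stardistributors.co.uk is the domain used in these notes; the expected targets are Microsoft's published Exchange Online, Skype for Business Online and Intune endpoints, and the TXT ownership value is a placeholder you replace with the one shown in the admin center.

```powershell
# Added example: verify the DNS records Office 365 needs for a custom domain.
$Domain = "stardistributors.co.uk"
$checks = @(
    # Domain ownership: placeholder value, replace with the one shown when adding the domain
    @{ Type="TXT";   Name=$Domain;                          Match="MS=ms00000000" }
    # Exchange Online: MX, SPF TXT, Autodiscover CNAME
    @{ Type="MX";    Name=$Domain;                          Match="mail.protection.outlook.com" }
    @{ Type="TXT";   Name=$Domain;                          Match="include:spf.protection.outlook.com" }
    @{ Type="CNAME"; Name="autodiscover.$Domain";           Match="autodiscover.outlook.com" }
    # Skype for Business Online: 2 CNAME + 2 SRV (TLS 443, federation TCP 5061)
    @{ Type="CNAME"; Name="sip.$Domain";                    Match="sipdir.online.lync.com" }
    @{ Type="CNAME"; Name="lyncdiscover.$Domain";           Match="webdir.online.lync.com" }
    @{ Type="SRV";   Name="_sip._tls.$Domain";              Match="sipdir.online.lync.com"; Port=443 }
    @{ Type="SRV";   Name="_sipfederationtls._tcp.$Domain"; Match="sipfed.online.lync.com"; Port=5061 }
    # Mobile Device Management (Intune): 2 CNAME
    @{ Type="CNAME"; Name="enterpriseregistration.$Domain"; Match="enterpriseregistration.windows.net" }
    @{ Type="CNAME"; Name="enterpriseenrollment.$Domain";   Match="enterpriseenrollment.manage.microsoft.com" }
)

function Test-O365DnsRecord {
    param([hashtable]$Check)
    try {
        # -DnsOnly bypasses the local cache so a just-published record is seen as the world sees it
        $records = Resolve-DnsName -Name $Check.Name -Type $Check.Type -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $Check.Type }
    } catch {
        return [pscustomobject]@{ Name=$Check.Name; Type=$Check.Type; Ok=$false; Found="(no answer)" }
    }
    # Each record type exposes its target in a different property
    $values = switch ($Check.Type) {
        "TXT"   { $records | ForEach-Object { $_.Strings -join "" } }
        "MX"    { $records | ForEach-Object { $_.NameExchange } }
        "CNAME" { $records | ForEach-Object { $_.NameHost } }
        "SRV"   { $records | ForEach-Object { "$($_.NameTarget):$($_.Port)" } }
    }
    $pattern = [regex]::Escape($Check.Match)
    if ($Check.Port) { $pattern += ':' + $Check.Port + '$' }   # SRV must also be on the right port
    $ok = [bool]($values | Where-Object { $_ -match $pattern })
    [pscustomobject]@{ Name=$Check.Name; Type=$Check.Type; Ok=$ok; Found=($values -join "; ") }
}

$checks | ForEach-Object { Test-O365DnsRecord -Check $_ } | Format-Table -AutoSize
```

A row with Ok=False and a Found value that is not "(no answer)" usually means the record exists but points at the wrong target (a typo, or an old on-prem value left in place); "(no answer)" means the record has not propagated yet or was added in the wrong zone.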
Directory Synchronization: use the tool Azure AD Connect.
- Users, groups and permissions in Microsoft/Office 365 are stored in Azure AD. On-premises users, groups and computers are stored in AD DS. Through directory synchronization, AD objects are synced between on-premises AD DS and O365 Azure AD.
- To access Azure Active Directory: aad.portal.azure.com
- Use the tool Azure AD Connect.
- CD (connected data source) on both ends. For synchronization, connectors are required: on the on-premises side the AD connector, on the cloud side the Azure AD connector.
- Permissions required to set it up: Enterprise Administrator on AD DS and Global Administrator on Azure AD.
- MV (metaverse): objects from both sides are combined in the MV.
- CS (connected source): objects from on-prem AD are imported into the CS. This step is called import.
- In the MV the objects are synchronized. The CS provides all information about the objects, while you need only the particular objects/attributes to be synchronized; in the MV the other data is removed and only the required data is kept.
- On the other side, data from the metaverse goes to the connected source and, with the help of the Azure AD connector, on to Azure AD. This step is called export.
- Cycle: Import > Synchronize > Export
- Azure AD Connect has its own database: either a separate SQL database or, by default, a SQL Express database.
- The sync cycle runs every 30 minutes; the interval can be changed and a sync can be run manually. A password change does not wait for the 30 minutes: it is a triggered event, so as soon as a password is changed in AD the password sync runs automatically.
- Password sync is always carried out with hash values, never plain text. Passwords in AD are stored as hashes; password hash sync hashes that hash again (a hash of the hash).
- Sync is carried out as full or delta: the first time a full sync cycle runs, subsequent cycles are delta.
- 3 types of filtering: OU, domain filtering (multiple domains), attribute filtering.
- Staging mode: the server has all the features except synchronization, and works like a backup / high availability: if the primary sync server goes down you can promote the staging server.
- It is two-way synchronization but you cannot do user writeback: a user created in Azure AD cannot be synced to on-prem AD. Password writeback, group writeback and device writeback are supported. User writeback existed until 2015.
- Synchronized IDs should be deleted or modified in on-prem AD.
- Before performing synchronization, remove any ID errors from AD using the IdFix tool (an ID remediation tool offered by Microsoft).
- Earlier we used to have FIM (Microsoft Forefront Identity Manager), then MIS (Microsoft Identity Information Service), then DirSync and then Azure AD Connect to manage identities.
On-prem AD DS:
- Install a VM server and add the AD DS and DNS roles. Create the zone stardistributors.co.uk.
- Create some users which need to sync with O365. If users are already in AD with a different domain, you can change it: go to Active Directory Domains and Trusts > right-click Active Directory Domains and Trusts > Properties and enter an alternate UPN suffix with the new domain name. Then go to the user's properties and change the UPN on the Account tab.
- Download and run the IdFix tool to check for errors in Active Directory.
- Download and install Azure AD Connect > express (default) or customized settings > pass-through authentication, password hash sync, ADFS, enable SSO. Enter the credentials of an Azure AD user with the Global Admin role: although the tenant account itself has Global Admin rights, that account cannot be used here, so create a separate user in Azure AD (in the default domain or the custom domain) and assign it the Global Admin role. For AD DS, enter the credentials of a user with Enterprise Admin rights.
- The domain should be verified; both the local and the external domain are checked. If the local domain is not verified you can continue by selecting the option to continue without a verified domain.
- Ready to configure: it creates the synchronization engine, which creates the connectors on both sides for synchronization.
- By default the "start synchronization" option is selected; if you continue, all objects of your AD will start synchronizing. In production not all objects are synchronized, only the required and selected objects.
- By default it creates a SQL Express database if no SQL database is defined; it is created under c:\windows\ Microsoft SQL Server.
- By default a service account is created in Active Directory, which can be checked in Services: "Microsoft Azure AD Sync". It should be in the running state, as it performs the synchronization with Azure AD.
- To start the initial synchronization: use PowerShell or start the Azure AD Connect tool.
Synchronization with PowerShell:
- First load the module: open PowerShell on the Active Directory server (run as administrator) and run
  PS> Install-Module ADSync
- If you get an error, import the module from its install directory instead:
  PS> cd "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"
  PS> Import-Module .\ADSync.psd1
- Run: PS> Get-ADSyncScheduler
- Synchronization takes place by default every 30 minutes. To customize synchronization, open the Azure AD Connect tool, select the customize synchronization option and, after providing credentials, select the OUs to synchronize; you can also tick the password writeback check box. Password hash synchronization takes place every 2 minutes: if a user changes their password in Active Directory it syncs to the cloud within 2 minutes. If a user changes their password in Azure/cloud services it will not sync back to Active Directory, and the old on-prem password is synced up again within 2 minutes; with password writeback selected, a password changed in the cloud services is written back to Active Directory.
- Seamless single sign-on: single sign-on can be enabled with federation; Microsoft has introduced a new feature where single sign-on can also be performed with password hash sync or pass-through authentication.
- By default sync runs every 30 minutes; if you reduce the interval with the PowerShell command it still reports that sync will take place every 30 minutes. You can perform a manual sync instead.
  PS> Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:05:00
- Initial sync and delta sync: in an initial sync all objects are synchronized, while in a delta sync only changes are synced.
  - For a delta sync: PS> Start-ADSyncSyncCycle -PolicyType Delta
  - For a full sync: PS> Start-ADSyncSyncCycle -PolicyType Initial
  - Disable the scheduler: PS> Set-ADSyncScheduler -SyncCycleEnabled $false
  - Enable the scheduler: PS> Set-ADSyncScheduler -SyncCycleEnabled $true
- For single sign-on to work after selecting single sign-on in the configuration (seamless SSO without ADFS), add these URLs to the Local intranet zone in Internet Explorer: IE > Tools > Internet Options > Security > Local intranet > Sites > Advanced: https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net
- You can apply the above two URLs through Group Policy so they are included for all users: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.
- To connect to Azure AD with the MSOnline module:
  PS> Install-Module MSOnline
  PS> Import-Module MSOnline
  PS> Connect-MsolService
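The scheduler commands above put together into a small maintenance script, as an added example (not from these notes). It shows why the 5-minute interval is reported as 30: Get-ADSyncScheduler exposes both the interval you asked for and the one that actually applies. It assumes it runs in an elevated PowerShell on the Azure AD Connect server, with the ADSync module at its default install path.

```powershell
# Added example: inspect and drive the Azure AD Connect scheduler (run elevated on the sync server).
# ADSync ships with Azure AD Connect; the path below is the default install location (assumption).
if (-not (Get-Module -ListAvailable -Name ADSync)) {
    Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
}

function Show-SyncSchedule {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Enabled            = $s.SyncCycleEnabled
        AllowedInterval    = $s.AllowedSyncCycleInterval             # minimum the service permits (30 min)
        CustomizedInterval = $s.CustomizedSyncCycleInterval          # what was requested
        EffectiveInterval  = $s.CurrentlyEffectiveSyncCycleInterval  # what actually runs
        NextPolicy         = $s.NextSyncCyclePolicyType              # Delta or Initial
        NextStart          = $s.NextSyncCycleStartTimeInUTC
        StagingMode        = $s.StagingModeEnabled
        InProgress         = $s.SyncCycleInProgress
    }
}

function Invoke-SyncAndWait {
    param([ValidateSet("Delta", "Initial")][string]$PolicyType = "Delta")
    # Starting a second cycle while one runs only produces an error; check first
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning "A sync cycle is already running; not starting another."
        return
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    do {
        Start-Sleep -Seconds 10
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    # Shows any connector (AD or Azure AD) still busy; empty output means the cycle is fully done
    Get-ADSyncConnectorRunStatus
}

# A 5-minute request is stored but clamped: EffectiveInterval stays at AllowedInterval (30 min)
Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:05:00
Show-SyncSchedule

# Typical maintenance pattern: pause automatic cycles, run one controlled delta sync, re-enable
Set-ADSyncScheduler -SyncCycleEnabled $false
Invoke-SyncAndWait -PolicyType Delta
Set-ADSyncScheduler -SyncCycleEnabled $true
Show-SyncSchedule
```

Leaving the scheduler disabled after maintenance is a common mistake; the final Show-SyncSchedule call makes the Enabled state visible before you close the shell.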
O365 Outlook:
- To log in to Outlook and Exchange in Office 365:
  - outlook.office.com/ecp (access the Exchange Online admin panel)
  - outlook.office.com/owa (access Outlook)
Migration of mailboxes from on-premises to Exchange Online:
- Cutover migration: migrate all mailboxes to Exchange Online and decommission on-premises, removing everything from on-premises.
- IMAP migration: for a non-Microsoft email system.
- Hybrid migration: mailboxes are maintained both on-prem and online.
- Staged migration: for Exchange 2003 and 2007 (older versions); it is like a cutover migration.
(image: mail_flow.jpg)
- Suppose you have both an on-prem and an online Exchange server. If you want mail to come first to Exchange Online and then to on-prem, your MX record should point to Exchange Online.
- If you want mail to come first to on-prem and then to Exchange Online, your MX record should point to the on-prem Exchange server.
- In the above chart an email is sent to both Julie and David, where Julie's mailbox is on-prem while David's mailbox is in Exchange Online. The MX record points to Exchange Online for mail delivery, so all mail comes to Exchange Online, where the compliance and filtering features of EOP (Exchange Online Protection: anti-spam, anti-malware) apply. Exchange Online checks whether the mailboxes are there: David's mailbox is there, so it delivers; Julie's mailbox is not. Through the internal send and receive connectors between online and on-prem Exchange, the mail for Julie is transferred to on-prem Exchange.
- How does Exchange Online decide whether a mailbox is online or on-prem? If you create a mailbox online, two email addresses are created: one is xys@companyname.onmicrosoft.com and the second is abc@domainname.
- Email is delivered to the online mailbox when the xys@companyname.onmicrosoft.com alias is present.
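A way to see the routing decision above from Exchange Online PowerShell, as an added example (not from these notes): it lists each mailbox and mail user with the companyname.onmicrosoft.com proxy address it carries, so recipients missing that alias (the ones whose mail cannot be routed to an online mailbox) stand out. It assumes the ExchangeOnlineManagement module is installed; the tenant domain is the one used in these notes.

```powershell
# Added example: report the tenant (onmicrosoft.com) routing alias of every mailbox / mail user.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # modern-auth sign-in prompt

function Get-RoutingAddressReport {
    param([string]$TenantDomain = "stardistributors786.onmicrosoft.com")   # notes' tenant domain
    Get-Recipient -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -in @("UserMailbox", "MailUser") } |
        ForEach-Object {
            # EmailAddresses holds entries like "SMTP:primary@domain" (primary) and "smtp:alias@domain";
            # -like is case-insensitive, so both spellings of the prefix match.
            $tenantAliases = $_.EmailAddresses |
                Where-Object { $_ -like "smtp:*@$TenantDomain" } |
                ForEach-Object { ([string]$_).Substring(5) }
            [pscustomobject]@{
                Name           = $_.Name
                Type           = $_.RecipientTypeDetails   # UserMailbox = online; MailUser = on-prem in hybrid
                Primary        = $_.PrimarySmtpAddress
                TenantAlias    = ($tenantAliases -join ", ")
                HasTenantAlias = [bool]$tenantAliases
            }
        }
}

# Recipients without the tenant alias sort first so they are easy to spot
Get-RoutingAddressReport | Sort-Object HasTenantAlias, Name | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

In the Julie/David picture, David appears as UserMailbox with a tenant alias and Julie (in a hybrid setup) as MailUser; a UserMailbox with HasTenantAlias = False is the case worth investigating, because the notes describe that alias as what Exchange Online keys delivery on.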
Exchange Online:
- Add a domain in office 365
- Create a Mailbox
- SMTP Address
- Re-Assign User License
- Recover Deleted User
- Block a user sign in
- Add CNAME Record for Web Access
- Configure Outlook
- Group Types
- Mail Contacts
- Mail Users
- Email Forwarding to External Recipient
- Shared Mailbox
- Public Folder
- User defined settings in outlook
- Azure Active Directory in Office 365
- Message Trace
- Exchange Online PowerShell
- Offline Access
- Mobile Device
- Exchange Online Protection (EOP)
- Outlook Web App Policies
Exchange 2016:
Installation:
- Create a Windows Server 2016 VM (EX-SRV1) in Azure, log on to the server and set the DC's address as the DNS server on the NIC; it will restart, then join it to the domain.
- Log in to EX-SRV1 as domain administrator (stardistributors.co.uk\administrator1) and install the following:
  - .NET Framework 4.8: download and install
  - Microsoft Unified Communications Managed API (UCMA) 4.0 Runtime: download and install
  - Exchange 2016 Server ISO: download and install
- Open the Exchange Management Shell and run the following command:
  - PS> Install-WindowsFeature (with the required prerequisite features)
- On the Exchange server, open the browser at http://localhost/ecp to access the Exchange Admin Center. Use the login details that were used for the installation.
- There will be only one mailbox, for the default account. Create a few users, by script or manually.
- Create a host A record in DNS for mail: go to the DC and create a host A record with name = mail and the IP address of the Exchange server.
- Import a certificate for OWA (user access to Outlook on the web); this is required.
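The network preparation steps of this installation as a script, as an added example (not from these notes): the first part runs on EX-SRV1 (DNS client pointed at the DC, then domain join), the second on the DC (host A record for mail, then verification). The domain stardistributors.co.uk is the one used in these notes; the IP addresses and the interface alias "Ethernet" are constructed sample values.

```powershell
# Added example: Exchange 2016 server network prep. Two separate runs: part 1 on EX-SRV1
# (it reboots at the end), part 2 on the domain controller with the DNS Server role.
$Domain     = "stardistributors.co.uk"
$DcIp       = "10.0.0.4"   # constructed sample address of the DC
$ExchangeIp = "10.0.0.5"   # constructed sample address of EX-SRV1

# ---- Part 1: on EX-SRV1 ----
function Join-ExchangeServerToDomain {
    param([string]$InterfaceAlias = "Ethernet")   # assumed NIC name; check with Get-NetAdapter
    # Point name resolution at the DC so the domain can be located
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DcIp
    # Fail early if the DC's locator SRV record cannot be resolved; the join would fail anyway
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop | Out-Null
    $cred = Get-Credential -Message "Domain admin account for $Domain"
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}

# ---- Part 2: on the DC (DnsServer module is installed with the DNS role) ----
function Add-MailHostRecord {
    $existing = Get-DnsServerResourceRecord -ZoneName $Domain -Name "mail" -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "mail.$Domain already exists -> $($existing.RecordData.IPv4Address)"
        return $existing
    }
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name "mail" -IPv4Address $ExchangeIp -TimeToLive 01:00:00
    # Verify against the server itself, bypassing the local cache
    Resolve-DnsName -Name "mail.$Domain" -Type A -DnsOnly
}

# Join-ExchangeServerToDomain   # run on EX-SRV1
# Add-MailHostRecord            # run on the DC
```

Uncomment the call that matches the machine you are on; the existence check in Add-MailHostRecord avoids creating a duplicate A record if the step is repeated.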