Planning a O365 Implementation and Implementing Networking Security

Question 1

What things should you take into consideration with proxy server?

Answer 1

• Most proxy servers have some form of authentication setup with them as default and often time this is usually enabled.
• You’ll need to do one of two thing to enable them to communicate with O365.
○ Disable all authentication
Disable O365 authentication

Question 2

What tools can be used to measure bandwidth that will be consumed by clients as they access O365?

Answer 2

• Microsoft Message Analyer
  
  • Microsoft Remote connectivity analyser
  • Microsoft Support and Recovery Assistant for O365
  • Skype for Business Synchronization Calculator
  • Exchange Client Network Bandwidth

Question 3

What is RMS?

Answer 3

Windows Right managements services provide an extra level of security to documents.
Encryption to limit who can access a doc or web page and what can be done with it.

Question 4

What is Azure Right management services?

Answer 4

A policy- based enterprise solution used to protect your valuable information by controlling who you share it with and what access they get to it.
Two component:
• Information Rights Management (IRM) capabilities
○ Protects emails against unauthorized access
○ Enhances security in SharePoint libraries
○ Protects online and offline information
§ Even if you have a document in O365 and download it to your client machine, the restrictions will stay with it.
○ Integrates with office documents
○ Applied using templates
• Message Encryption
○ Safely share files in email or OneDrive
○ Contains company brand
○ Integrate with exchange transport rules
○ Provides clean user interface
○ Helps protect entire email conversation

Question 5

How can azure rights management be activated?

Answer 5

• Can be activated using GUI (Graphical User Interface)
○ Azure admin center
• Activate using PowerShell (requires:)
○ 64 -bit Microsoft Online Services Sign-in Assistant
○ 64-bit Azure AD module
○ Install Azure Rights management admin tool
○ Run Connect-AadrmService
§ This will connect to the azure right management service.
○ Run command Enable-Aadrm (To disable it use the Disable-Aadrm command.)
§ This is what actually activates it.

Question 6

What is the super user roll on rights management?

Answer 6

Full control usage right.
○ Reads files of employees who have left the company
○ Modify current protection policy
○ Manage exchange mailboxes
○ Bulk decrypt files for auditing for legal reasons
○ Recover Documents and protect files
§ PowerShell
§ Download and install the RMS protection tool module
§ Unprotect-RMSFile
§ Protect-RMSFile

Question 7

Is the superuser roll enable by default?

Answer 7

No.

Question 8

How do you enable the superuser roll using powershell?

Answer 8

○ Enable-AadrmSuperUserFeature
			§ Enables the feature
		○ Add-AadrmSuperUser
			§ Add users to the roll
		○ Set-AadrmSuperUseGroup
			§ Allows you to add users to the new roll
		○ Add-AadrmRoleBasedAdministrator
			§ Adds users to the azure rights management administrator roll

Question 9

What 7 things should you take into consideration when planning O365 for On-premise infrastructure.

Answer 9

• Networking
• Identity
• Windows 10 enterprise
• Office 365 Pro Plus
• Office 365 Workloads like EXO, SPO, OD4BO, Teams
• Mobile Device Management
• Information Protection.

Question 10

How should you check the connectivity of each office before enabling O365 services?

Answer 10

Check the connectivity from each office, use Ping, TraceRT, PSPING & Telnet command to check the connectivity and network performance.
• Ensure users are connecting to Office 365 egress endpoints on their region. Ping command to respective service urls can help you identify it. For example – Ping Outlook.Office365.com for Exchange Online.

Question 11

How should you prepare for Windows 10 Enterprise?

Answer 11

Microsoft recommends to add and verify the domain that your users are going to use to access Office 365 service, could be UPN or primary email address domain. User addition to Office 365 & assigning license is optional at this time and install Office 365 Pro Plus.
Do an in place upgrade for Windows 7 and 8.1 using SCCM and for the new devices use Windows Auto Pilot Deployment.
• Monitor the device health and ensure it is secure by having Windows Defender.

Question 12

How can O365 Pro plus be deployed?

Answer 12

Office 365 Pro plus deployment can be done either via SCCM or Office Deployment Tool, we need to consider office updates channels and the frequency.
• Deployment can be through SCCM, ODT from Cloud, ODT from local Source or directly from Office Portal.

Question 13

Whats an important thing to consider when implementing O365 pro plus?

Answer 13

The update channel that will be used.

Question 14

Whats an important thing to consider if you deploy O365 using Office Deployment tools?

Answer 14

It has setup file and the configuration information xml to control what needs to be installed on machines.

Question 15

What does Channel= “Monthly” mean?

Answer 15

Monthly Update Channel

Question 16

What does Channel= “Broad” mean?

Answer 16

Semi Annual (Jan & July)

Question 17

What does Channel= “Targeted” mean?

Answer 17

Semi Annual Targeted (March & September)

Question 18

What does AllowCdnFallback do when set as True?

Answer 18

Will refer back to O365 instead of local share when the specified language pack is not available.

Question 19

What does MDM do (mobile device management)?

Answer 19

When users enrol their device, they are managed devices, and can receive any policies, rules and settings used by your organisation.

Question 20

What is MAM?

Answer 20

MAM policies will control the application from a non-managed device by forcing the user to enter a PIN to secure the application access by an authorised user.

Question 21

What are the steps of MDM deployment.

Answer 21

1. Prerequisites – Intune Subscription, Office 365 Subscription, Azure AD Premium, MDM Push certificate for IOS are required.
2. Setup Intune – Check whether the devices are Supported -> Ensure the domain verification completed -> Sign in to Intune -> enable Device Management -> Add Users.
3. Enroll Devices -> Users have to enroll their devices to make it Intune Managed. Set up enrollment restrictions and policies for users and devices.
4. Deploy the apps
5. Create Compliance Policies and Conditional Access Policies like only managed devices can access the office 365 services.

Question 22

What does information protection include?

Answer 22

• Information protection is a set of policies and technologies that define how you transmit, store, and process sensitive information.
• Information Protection Includes Data Loss Prevention, Office 365 Labels and Azure Information Protection labelling and classification, Threat Management Policies, Sharing Policies in SharePoint, Office 365 Secure Score, Office 365 Cloud App Security and PAIM for just-in-time access for task-based activities.

Question 23

Why is it important to plan identity?

Answer 23

Required to provide secure access to O365 service this includes:
• Synchronising user accounts to O365
• Designating admin roles
• Protecting Global admin accounts
• Enabling MFA to users
• Monitoring identity synchronising health
• Licensing
• Monitoring tenant and sign in activity logs.

Question 24

What is Federation Authentication with ADFS?

Answer 24

Most Companies prefer to use federated authentication. When the federation sign in option enabled, the domain used for authentication will be configured as federated domain in Azure AD.

Question 25

What is Password Hash Synchronisation Authentication?

Answer 25

Not directly synchronizing the password from On-Premise to Azure AD. Only the Hash of the Password hash synchronized with Azure AD using Azure AD connect.

○ When Password Hash Synchronization authentication enabled for the tenant, Hash of the password hash is available in Azure AD after Synchronization. If a user access a Azure Integrated application, user redirected to authenticate with Azure AD, Azure AD prompt the user to enter the credential, both user name and the password will be entered in Azure AD authentication dialogue window and it will be validated against the hash Synced in Azure. If successful, user will be provided security token to the authenticate the service\application. Switching from one application to other, prompts the user to validate the credential when this sign-in option used.

Question 26

What is Pass-through Authentication?

Answer 26

If we use the Pass-through authentication, user name the password will be gathered in Azure AD but Passwords validated in On-Premise AD. AuthN Agent configured in AD Connect or any member server supports this Pass through Authentication.

○ When user access any office 365 application, it will redirect the user to Azure AD for authentication, Azure AD prompt the user to enter both the user and password and it will be sent to AuthN agent server in On-Premise using a securing tunnel established when configuring the AuthN agent. AuthN agent
component validate the user name and password with Active Directory using a Win32 API call to Active Directory and the successful authentication will be sent back to Azure AD. Azure AD authentication successful and send a security token to access the application, the user will gain access to Application.

Question 27

What is Azure AD seamless SSO?

Answer 27

Enabled when choosing PHS or PTA.
• Azure AD Seamless SSO allow users to sign in to services that use Azure AD user accounts without having to type in their passwords, and in many cases their usernames alone required.
Seamless SSO works with Password Hash Synchronization and Pass-through authentication. For the seamless SSO to work, the machine has to be domain joined and should have access to AD. Machine authenticates with Azure AD using Kerberos token.

Question 28

What should do before a migration?

Answer 28

Identify data to be migrated and the method.

Question 29

What is the monthly update channel for pro plus updates?

Answer 29

Updates monthly, provides newest features as soon as they are available.
Its the default update channel for Visio Online Plan 2
Project Online Desktop Client
Office 365 Business which is the version of office that comes with some O365 plans.

Question 30

What is the semi-annual channel?

Answer 30

Provides new features of office every 6 months in Jan and July for O365 Pro Plus.

Question 31

What is the Semi-annual channel (Targeted)?

Answer 31

Provide pilot users and application compatibility testers the opportunity to test next semi-annual channel.
Every 6 months in March and September.