Think You Know How To Manage Office 365?
By: Eric Raff
Quick Introduction
- Joined JourneyTEAM in April 2015
- In IT industry for 20+ years
- Cloud Solutions Architect
- Identity & Access Management Architect
- SharePoint Architect
- Exchange Server Engineer
- OCS/Lync Engineer
- GroupWise Guy
- Published Author
- Teacher
Identities in the Microsoft Cloud
Types of Identities and the Office 365 services they reach:
- Member: Exchange Online, SharePoint Online
- Guest (#EXT#): EXO, SPO
- Microsoft Account
- B2C User (another time)
Diagram: backend replication between the AAD Service (Microsoft Accounts) and the Azure AD Service (work/school accounts); Azure Services have an Associated AAD Directory and Subscription; the AAD Directory Ericraffoutlook.onmicrosoft.com has an Associated B2B AAD Directory and Subscription.
O365 Admin Centers
- Exchange (EXO)
- Skype for Business (S4B)
- SharePoint (SPO)
- OneDrive (ODfB)
- Yammer *
- PowerApps *
- Flow *
- Security & Compliance
- Azure AD (AAD): https://aad.portal.azure.com (special AD admin center)
- Intune *
- Cloud App Security *
* No PowerShell
O365 Management Options
- PowerShell: https://www.powershellgallery.com
- O365 Admin Portal: https://portal.office.com
- Microsoft Azure Portal (ARM/Ibiza): https://portal.azure.com
- Windows Azure Portal (OLD - deprecated): https://manage.windowsazure.com
- O365 Admin Mobile App (W10, Mobile): see this for more info. GREAT for cloud-only users
PowerShell Access
- Azure AD: V1 (SDK) and V2 (Graph API)
    V1: Connect-MsolService (Install-Module MSOnline)
    V2: Connect-AzureAD (Install-Module AzureAD)
- Exchange Online: IE/Edge download required (Exchange Admin Center | hybrid | Online PowerShell)
    Connect-EXOPSSession
- SharePoint Online: download here
    $orgName="<your Office 365 tenant>"
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com
- Skype for Business Online: download here
    Import-Module SkypeOnlineConnector
- Security and Compliance Center: uses the EXO install
    Connect-IPPSSession
- Teams: announced Nov 7th, see blog here
    Install-Module MicrosoftTeams
- Single script with MFA support here
Azure AD General Tenant Settings
- Attributes, Attributes, Attributes: they drive Dynamic Groups. Document and normalize Department, Location, Title, EmployeeID & Type, etc.
- Phone # format: +1 (801) 555-1212 (for MFA calling)
- Properties: Directory Name is very important when B2B is in play
- Global Admin can manage Azure Subscriptions
- Company Branding: if using ADFS, brand both to match
- Mobility (MDM and MAM): to auto-enroll or not?
Azure AD User & Group Settings
User Settings
- Guest user permissions are limited: YES
- Guests can invite: Really?
- Restrict access to Azure AD admin portal: YES
Group Settings
- Who can create/manage Groups?
- O365 Group Expiration: CONFIGURE THIS!
- Enable "All users" Group: includes EVERYONE!
- TIP: Create "All Members" and "All Guests" dynamic groups
Device Settings
- Who can join?
- Require MFA to join: SUGGESTED
- Sync settings & app data across devices: YES
Azure AD Connect Health
- AAD Connect Agent: get on the latest AAD Connect version (see version history). Reports sync errors, Password Hash Sync, AuthN status/state
- ADFS Agent: ADFS servers, WAP servers
- AD DS Agent: install on each DC. See info here on agent download and install.
- TIP: port 5671 is more efficient for health status, but if it is not open the agent falls back to 443 for outbound connectivity to Azure services.
Licensing - GBL has arrived
- Group Based Licensing
- AAD Basic or Premium required
- DEMO
- PowerShell script to remove direct assignments is here (TIP: at the very bottom of this site)
O365 General Tenant Settings
- Release Preferences
- Custom Themes
- Company Branding
- A word on Trusted IE Sites: *.microsoftonline.com, *.sharepoint.com, *.outlook.com, *.lync.com, *.office365.com, *.office.com, *.microsoftstream.com, *.sway.com, *.powerapps.com
Exchange Online Settings
- Exchange Advanced Threat Protection
- Enable Modern AuthN
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Get-OrganizationConfig | select *Oauth*
- SPAM Settings
- Security: SPF, DKIM, DMARC
- Conf Rooms for scheduling: working hours, booking options
- Message Size Limits
    Get-MailboxPlan | Set-MailboxPlan -MaxSendSize 75MB -MaxReceiveSize 75MB
- Mailbox Auditing (enable on every user mailbox, keep 180 days, log owner logins and hard deletes)
    Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditLogAgeLimit 180 -AuditOwner MailboxLogin,HardDelete}
SharePoint Online Settings
- Hide the Everyone principals
    Set-SPOTenant -ShowEveryoneClaim $false
    Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
    Set-SPOTenant -ShowAllUsersClaim $false
- OneDrive Sync Button: check your tenant
- Sharing with External users
Skype for Business Settings
- Enable Modern Authentication
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    Get-CsOAuthConfiguration
- Organization profile
- General
- External Communications
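Added example, not from the deck: a read-only PowerShell check that reports which of the settings on the Exchange Online, SharePoint Online and Skype for Business slides are still at their weak values. It assumes the EXO, SPO and Skype for Business Online sessions from the PowerShell Access slide are already connected; the function name Test-TenantHardening is my own.

```powershell
# Added example (not from the deck). Read-only: changes nothing, only reports
# settings that differ from what the three slides above recommend.
# Assumes Connect-EXOPSSession, Connect-SPOService and the Skype Online
# connector session are already established. Function name is hypothetical.
function Test-TenantHardening {
    $findings = @()

    # Exchange Online: modern authentication (OAuth2ClientProfileEnabled)
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        $findings += 'EXO: modern auth is disabled (Set-OrganizationConfig -OAuth2ClientProfileEnabled $true)'
    }

    # Exchange Online: auditing on every user mailbox, 180-day retention,
    # and owner MailboxLogin/HardDelete actions logged
    $mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' }
    foreach ($mbx in $mailboxes) {
        $ageDays = ([TimeSpan]"$($mbx.AuditLogAgeLimit)").Days   # "180.00:00:00" -> 180
        $owner   = "$($mbx.AuditOwner)"   # string form works for remoted (deserialized) objects
        if (-not $mbx.AuditEnabled -or $ageDays -lt 180 -or
            $owner -notmatch 'MailboxLogin' -or $owner -notmatch 'HardDelete') {
            $findings += "EXO: mailbox $($mbx.PrimarySmtpAddress) auditing incomplete (Enabled=$($mbx.AuditEnabled), AgeLimit=$ageDays days, Owner=$owner)"
        }
    }

    # SharePoint Online: the Everyone-style claims should be hidden from people pickers
    $spo = Get-SPOTenant
    foreach ($claim in 'ShowEveryoneClaim', 'ShowEveryoneExceptExternalUsersClaim', 'ShowAllUsersClaim') {
        if ($spo.$claim) {
            $findings += "SPO: $claim is true (Set-SPOTenant -$claim `$false)"
        }
    }

    # Skype for Business Online: modern authentication must be allowed
    $cs = Get-CsOAuthConfiguration
    if ($cs.ClientAdalAuthOverride -ne 'Allowed') {
        $findings += "S4B: ClientAdalAuthOverride is '$($cs.ClientAdalAuthOverride)' (Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed)"
    }

    return $findings
}

$results = Test-TenantHardening
if ($results.Count -eq 0) { 'No findings: tenant matches the recommended settings.' }
else { $results | ForEach-Object { "FINDING: $_" } }
```

Run it after the remediation one-liners on the slides to confirm they took effect, and again periodically, since a single Get-Mailbox pass over a large tenant is slow but cheap compared to discovering an unaudited mailbox during an incident.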
THANK YOU