Module 3: Administering and

troubleshooting directory
synchronization and directory objects

Lab: Administering directory

synchronization, users, and groups in
Office 365
Scenario
Now that the Office 365 tenant is configured and ready for deployment, you are
ready to start creating user and group accounts in Office 365. You and your team
need to be familiar with how to configure these accounts by using the Microsoft 365
admin center, because this will be your primary tool for managing the environment
once the pilot is fully functional. In addition, you need to make sure that directory
synchronization is enabled and that the password policy for Office 365 users matches
the password policy for on-premises users.

Objectives
After completing this lab, you will be able to:

 Configure Azure AD Connect.

 Manage Office 365 users and groups.

 Manage Office 365 password policies.

 Troubleshoot users and directory synchronization.

Note: The lab steps for this course change frequently due to updates to Office 365.
Microsoft Learning updates the lab steps frequently, so they are not available in this
manual. Your instructor will provide you with the lab documentation.

Lab setup
Estimated time: 75 minutes
Virtual machines: 10997B-LON-DC1, 10997B-LON-DS1, and 10997B-LON-CL1

User name: Adatum\Administrator

Password: Pa55w.rd

For this lab, you will use the available virtual machine environment. Before you begin
the lab, if necessary, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then

click Hyper-V Manager.

2. In Hyper-V Manager, click MT17B-WS2016-NAT, and then in

the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. In Hyper-V Manager, click 10997B-LON-DC1, and then in the Actions pane,

click Start.

5. In the Actions pane, click Connect. Wait until the virtual machine starts.

6. Sign in by using the following credentials:

 User name: Administrator

 Password: Pa55w.rd

 Domain: Adatum

7. Repeat steps 4 through 6 for 10997B-LON-DS1 and 10997B-LON-CL1.

In all tasks:

 Where you see references to Adatumyyxxxxx.onmicrosoft.com,

replace yyxxxxx with your unique Office 365 name, that you choose in Lab 1 -
Exercise 1, Task 1.

Exercise 1: Configuring Azure AD Connect

Scenario
After you establish initial directory synchronization between your AD DS and Azure
AD, you want to perform further configuration to optimize this process. You want to
enable password write back feature and also you want to configure user attribute that
can filter users from being synchronized.
The main tasks for this exercise are as follows:

1. Implement directory synchronization with Azure AD Connect

2. Run the Azure AD Connect wizard to modify sync options

3. Configure synchronization services for OUs and object attributes

Task 1: Implement directory synchronization with Azure AD Connect

1. On the LON-DS1 computer, download and install latest version of Azure AD

Connect by navigating to: https://www.microsoft.com/en-
us/download/details.aspx?id=47594
2. Start Azure AD Connect wizard after installation completes.
3. Use Express Settings to establish synchronization, without verifying domains.
4. Wait for 4-5 minutes for the initial configuration to complete.
5. Open Microsoft 365 admin center, and then verify that you can see users from
your on-premises AD DS.

Task 2: Run the Azure AD Connect wizard to modify sync options

1. Run the Azure AD Connect configuration.

2. Review the current configuration for directory synchronization.

3. Choose to modify the current configuration.

4. Use the Holly@Adatumyyxxxxx.onmicrosoft.com account to connect to

Azure AD.

5. Synchronize the IT, Marketing and Managers OUs. Deselect all other OUs.

6. Enable the password writeback feature.

Task 3: Configure synchronization services for OUs and object attributes

1. On LON-DS1, configure the Active Directory Connector in Synchronization

Service Manager for the Development OU.

2. Add the device object to the synchronization list.

3. Add the secretary and street attributes to the synchronization list.

4. On LON-DS1, use the Synchronization Rules Editor to configure a filter on

the inbound synchronization rule with the following information:
  Name: In from AD - User DoNotSyncFilter

 Connected System: Adatum.com

 CS Object Type: User

 Metaverse Object Type: Person

 Link Type: Join

 Precedence: 50

 Scoping filter: Attribute: MSDS-cloudExtensionAttribute15

Operator: EQUAL

Value: NoSync

 Transformation: FlowType: Constant

Target Attribute: cloudFiltered

Source: True

5. Use Windows PowerShell to start the synchronization by running the following

command:

Start-ADSyncSyncCycle -PolicyType Initial

Result: After completing this exercise, you should have configured Azure AD
Connect.

Exercise 2: Managing Office 365 users and groups by

using the Microsoft 365 admin center

Scenario
You have configured the Office 365 tenant. Now you need to start creating users and
groups in Office 365 and managing the user licenses.

The main tasks for this exercise are as follows:

1. Assign and manage licenses for users

2. Create Office 365 groups

3. Manage Office 365 groups

Task 1: Assign and manage licenses for users

1. Use the Microsoft 365 admin center to assign an Office 365 Enterprise E5
license to Abbi Skinner, Ada Russell, Adam Hobbs, and Beth Burke.

2. Disable the Microsoft PowerApps and Sway and Flow for Office 365
functionalities for Ada Russell.

Task 2: Create Office 365 groups

1. In the Microsoft 365 admin center, create a new security group

named Production, with a description of Production department users.

2. Add Lindsey Gates and Christie Thomas as group members.

3. In the Microsoft 365 admin center, create a new Office 365 group
named Accounts, with a description of Accounts department users.

4. Add Francisco Chaves and Sallie McIntosh as group members.

Task 3: Manage Office 365 groups

1. In the Microsoft 365 admin center, verify that you can see the following
groups:

 Production

 Accounts

2. Add Amy Santiago as a member of the Sales group.

3. Delete the Production group, and then confirm that Amy Santiago still exists

in the list of Active users.

Result: After completing this exercise, you should have created users and groups in
Office 365 and managed user licenses.

Exercise 3: Managing Office 365 password policies

Scenario
Your organization has configured a password policy for on-premises users that
requires a complex password, requires users to change their passwords every 60 days,
and prevents users from reusing old passwords 15 times. You need to ensure that the
password policy for the pilot users on Office 365 matches the policy for on-premises
users, and report any settings that can't be configured to match.

The main tasks for this exercise are as follows:

1. Configure the Office 365 password policy

2. Validate the password policy

3. Configure Office 365 multi-factor authentication

Task 1: Configure the Office 365 password policy

1. In the Microsoft 365 admin center, in Settings, browse to Security & privacy.

2. Set the password expiration policy to 14 days before the passwords expire.

Note: You would not do this in the real world. This is a classroom example that allows
you to verify the policy applied in the next exercise task.

3. In the Days before a user is notified about expiration box, leave the default

value of 14.

4. Verify that the Password policy has been updated message appears at the

top of the page.

Task 2: Validate the password policy

1. Open Internet Explorer, and then browse to https://portal.office.com.

2. Sign in as Lindsey@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is

your unique Adatum number, by using temporary password noted before.
Update the password to a new password that meets the complexity
requirements.

3. On the upper-right side of the window, verify that the notification appears
with the following information: Time to change your password. Your
password will expire in 13 days.

Note: It might take a several minutes before the password change notification
appears. You can safely proceed with other tasks in this lab even if you don't get
notification.

Note: You have now verified that your password policy is applied. In a real-world
scenario, after you verified that the password policy was applied, you would need to
increase the number of days before the password expired, according to your
organizational policy.
Task 3: Configure Office 365 multi-factor authentication

1. Open Internet Explorer, and then browse to https://portal.office.com.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your

unique Adatum number, with Holly's password.

3. In the Microsoft Office 365 portal, in Settings, browse to Services & add-ins.

4. Manage multi-factor authentication and enable multi-factor authentication

for Amy Santiago.

5. In service settings for multi-factor authentication, remove Call to phone as a

verification option. Enable the option to remember multi-factor authentication
on trusted devices.

6. Close the browser window.

Result: After completing this exercise, you should have configured the Office 365
password policy and validated the policy.

Exercise 4: Troubleshooting synchronization issues

with user objects in Office 365

Scenario
You noticed that some user objects are not synchronizing properly to Azure AD. You
suspect that some attributes on these objects do not have proper values. You want to
use the IdFix tool to verify potential issues with user objects in your organization that
can prevent object synchronization to Azure AD.

The main tasks for this exercise are as follows:

1. Produce a problem

2. Resolve synchronization issues

Task 1: Produce a problem

 On LON-CL1, set the Execution policy in Windows PowerShell

to Unrestricted, change the path to C:\Labfiles\Mod03, and then run the
Windows PowerShell cmdlet .\Mod3_CreateProblem.ps1. This Windows
PowerShell script will make the following changes in AD DS:
 o Klemen Sic. Adds the "@" character to the beginning of "adatum" for
the UserPrincipalName attribute.

o Lara Raisic. Replaces the existing email with "lara@adatum.com?" for

the emailAddress attribute.

o Logan Boyle. Replaces the existing string with "logan@adatum.com@"

for the emailAddress attribute.

o Maj Hojski. Replaces the existing string with " " for
the emailAddress attribute.

Task 2: Resolve synchronization issues

1. On LON-CL1, sign in as Adatum\Administrator with password Pa55w.rd.

2. On LON-CL1, download the IdFix tool from https://www.microsoft.com/en-

us/download/details.aspx?id=36832.

3. Extract the files to C:\Deployment Tools\IdFix, and then run IdFix as an

administrator.

4. In the IdFix tool, click Query, and then sort the errors by the ERROR column.

5. On the Actions menu, select Edit for each of these objects, and then

click Apply:

 Klemen Sic

 Lara Raisic

 Logan Boyle

 Maj Hojski

6. Click Query.

7. Click to sort the errors by the UPDATE column. For each of these objects,

replace the mail attribute with the appropriate string. On the Actions menu,
select EDIT. For:

 Logan Boyle. The mail attribute should be "logan@adatum.com".

 Maj Hojski. The mail attribute should be "maj@adatum.com".

8. Click Apply, and then click Query.

9. Remediate any remaining issues using similar approach.

Result: After completing this exercise, you should have troubleshot synchronization
issues with user objects in Office 365.

Question How do you configure OU-level filtering for directory synchronization?

Question Which options you can use for multi-factor authentication in Office 365?