Microsoft 365 Administrator MS-102 Exam Guide - Aaron Guilmette - E-Book

Description

The MS-102: Microsoft 365 Administrator Exam Guide is meticulously crafted to empower readers with practical insights, starting with the essentials of provisioning a Microsoft 365 tenant, configuring identity synchronization and secure access, and deploying key Microsoft 365 Defender components.
The book's purpose is clear—to guide professionals through the complexities of the MS-102 exam, ensuring not just exam success but mastery of the subject matter. This comprehensive exam guide comes with lifetime access to supplementary resources on an online platform, including flashcards, mock exams, and exam tips from experts. With unlimited access to the website, you'll have the flexibility to practice as many times as you desire, maximizing your exam readiness.
As you progress through each chapter, the book unveils the layers of Microsoft 365 workloads, equipping you with the skills to manage role-based administration, deploy identity synchronization using Entra ID Connect, implement modern authentication methods, manage secure access through Conditional Access policies, and analyze security threats using Microsoft 365 Defender.
By the end of this book, you'll have the proficiency to implement data loss prevention, configure information and data protection features, and approach the MS-102 exam with confidence.

You can read the e-book in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 438

Year of publication: 2023




Microsoft 365 Administrator MS-102 Exam Guide

Master the Microsoft 365 Identity and Security Platform and confidently pass the MS-102 exam

Aaron Guilmette

BIRMINGHAM—MUMBAI

Microsoft 365 Administrator MS-102 Exam Guide

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Author: Aaron Guilmette

Reviewer: Paweł Serwan

Publishing Product Manager: Anindya Sil

Development Editor: Arunkumar Govinda Bhat

Senior Editor: Ketan Giri

Production Editor: Shantanu Zagade

Editorial Board: Vijin Boricha, Megan Carlisle, Ketan Giri, Alex Mazonowicz, Aaron Nash, Abhishek Rane, and Ankita Thakur

Production reference: 1181223

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN 978-1-83508-396-3

www.packtpub.com

Contributors

About the Author

Aaron Guilmette is a Principal Architect at Planet Technologies, providing architectural guidance as well as taking specifications from customers and giving them to engineers. He primarily focuses on collaborative and automation technologies, including Microsoft Exchange and Teams, Power Automate, and scripting solutions.

He has been involved with technology since 1998, working with customers that span the government, education, and commercial sectors. Aaron has also worked on certification exams, and a dozen other technical books.

Aaron lives in Detroit, Michigan, with his five kids. When he's not busy solving technical problems, writing, or teaching yet another child to drive, he's trying to decide whether to make pizza or tacos.

I'd like to thank my girlfriend, Christine, who always believes me when I say, “This is the last book this year.” I'd also like to thank my children because I’d never hear the end of it if I didn’t mention them. And of course, my great friend and coauthor, Yura, who has put up with me through four books now.

I'd like to thank my girlfriend, Christine, who graciously tolerates my throngs of adoring fans. Throngs? I meant tens. I'd also like to thank my children because without them, I’d probably be able to retire sooner.

I wish to thank the team at Packt for another great opportunity to help the Microsoft technical community level up quickly by getting this book out the door.

Finally, I want to thank Microsoft for continuing to develop products that empower all of us to do more, even if doing more includes taking tests.

About the Reviewer

Paweł Serwan is a senior IT architect and IT consultant with 15 years of professional experience in topics related to identity and access management, security, end user computing, and the Microsoft 365 platform. He currently works as a senior principal architect at SoftwareOne, where he provides strategic advisory to customers implementing Microsoft 365 services in their organizations.

Paweł also regularly speaks at conferences and user group meetings, both in person and virtually. Together with his colleagues, he runs a blog (ITContructors.com). He is a local leader of the Microsoft 365 User Group in Poland.

Table of Contents

Preface

1

Implementing and Managing a Microsoft 365 Tenant

Making the Most out of This Book - Your Certification And Beyond

Microsoft 365 Tenant

Creating a Tenant

Planning a Tenant

Selecting a Tenant Type

Selecting a Managed Domain

Provisioning a Tenant

Implementing and Managing Domains

Acquiring a Domain Name

Third-party Registrar

Microsoft

Configuring a Domain Name

Managing DNS Records Manually

Configuring a Default Domain

Configuring Organizational Settings

Services

Security & Privacy

Organization Profile

Identifying and Responding to Service Health Issues

Configuring Notifications for Service Health

Monitoring Adoption and Usage

Microsoft 365 Usage Reports

Viva Insights

Personal Insights

Teamwork Habits

Organization Trends

Advanced Insights

Adoption Score

People Experiences

Technology Experiences

Special Reports

Summary

Exam Readiness Drill - Chapter Review Questions

2

Managing Users and Groups

Creating and Managing Users

Creating and Managing Cloud Users

Creating and Managing Synchronized Users

Creating and Managing Guest Users

Creating and Managing Contacts

Microsoft 365 Admin Center

Exchange Admin Center

Creating and Managing Groups

Microsoft 365 Admin Center

Azure AD Portal

Managing and Monitoring Microsoft 365 License Allocations

Performing Bulk User Management

Microsoft 365 Admin Center

Azure AD Portal

PowerShell

Installing Modules

Connecting to Azure AD

Working with PowerShell

Retrieving User Data

Updating Users

Updating Licenses

Creating Users

Summary

Exam Readiness Drill - Chapter Review Questions

3

Managing Roles in Microsoft 365

Managing Roles in Microsoft 365 and Azure AD

Planning for Role Assignments

Managing Roles in the Microsoft 365 Admin Center

Managing Role Groups for Microsoft Defender, Microsoft Purview, and Microsoft 365 Workloads

Microsoft Defender

Microsoft Purview

Microsoft 365 Workloads

Managing Administrative Units

Creating Administrative Units

Viewing and Updating Administrative Units

Planning and Implementing Privileged Identity Management

Creating a Role Assignment

Reviewing Role Assignments

Alerting

Summary

Exam Readiness Drill - Chapter Review Questions

4

Implementing and Managing Identity Synchronization with Azure AD

Preparing for Identity Synchronization by Using IdFix

Configuring and Managing Directory Synchronization by Using Azure AD Connect

Planning and Sizing

Installing the Synchronization Service

Configuring Azure AD Connect Filters

Domain and Organizational Unit-Based Filtering

Group-Based Filtering

Attribute-Based Filtering

Monitoring Synchronization by Using Azure AD Connect Health

Azure AD Connect Health

Azure AD Connect Health for Sync

Azure AD Connect Health for Directory Services

Azure AD Connect Health for Active Directory Federation Services

Troubleshooting Azure AD Connect Synchronization

Configuring and Managing Directory Synchronization by Using Azure AD Connect Cloud Sync

Installing the Provisioning Agent

Configuring the Provisioning Service

Customizing the Provisioning Service

Scoping Filters

Attribute Mapping

Troubleshooting Azure AD Connect Cloud Sync Synchronization

Summary

Exam Readiness Drill - Chapter Review Questions

5

Implementing and Managing Authentication

Implementing and Managing Authentication Methods

Choosing an Authentication Mechanism

Windows Hello for Business

Microsoft Authenticator App

FIDO2 Security Keys

Comparison

Configuring Windows Hello

Configuring Microsoft Authenticator

Configuring the Authentication Policy

Registering Devices

Configuring FIDO2

Configuring the Authentication Policy

Registering Devices

Implementing and Managing Self-Service Password Reset

Configuring SSPR

Managing SSPR

Authentication Methods

Registration

Notifications

Customization

On-premises integration

Implementing and Managing Azure AD Password Protection

Custom smart lockout

Custom banned passwords

Password protection for Windows Server Active Directory

Configuring and Managing Multifactor Authentication

Per-User Multifactor Authentication

Security Defaults

Conditional Access

Additional Multifactor Authentication Behavior Settings

Investigating and Resolving Authentication Issues

Summary

Exam Readiness Drill - Chapter Review Questions

6

Implementing and Managing Secure Access

Planning for Identity Protection

Investigating Risks

Remediating risks

Implementing and Managing Azure Identity Protection

Planning Conditional Access Policies

Assignments

Conditions

Access Controls

Implementing and Managing Conditional Access Policies

Creating Conditional Access Policies

Reporting on Conditional Access Policies

Configuring a Log Analytics Workspace

Integrating Azure AD or Entra ID Logs

Reviewing the Workbook

Summary

Exam Readiness Drill - Chapter Review Questions

7

Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal

Instructions to Unlock the Free Practice Resources

Reviewing and Taking Action to Improve the Microsoft Secure Score in the Microsoft 365 Defender Portal

Reviewing and Responding to Security Incidents and Alerts in Microsoft 365 Defender

Reviewing alerts and incidents

Attack story

Alerts

Assets

Investigations

Evidence and Response

Responding to Alerts and Incidents

Reviewing and Responding to Issues Identified in Security and Compliance Reports in Microsoft 365 Defender

General

Endpoints

Email and Collaboration

Cloud Apps

Reviewing and Responding to Threats Identified in Threat Analytics

Overview

Analyst Report

Related Incidents

Impacted Assets

Endpoints Exposure

Recommended Actions

Summary

Exam Readiness Drill - Chapter Review Questions

8

Implementing and Managing Email and Collaboration Protection by Using Microsoft Defender for Office 365

Implementing Policies and Rules in Defender for Office 365

Deploying the Preset Security Policies

Configuring Standalone Policies

Anti-Phishing

Anti-Spam

Anti-Malware

Safe Attachments

Safe Links

Configuring Rules

Tenant Allow/Block Lists

Email Authentication Settings

Advanced Delivery

Enhanced Filtering

Quarantine Policies

Using the Configuration Analyzer

Reviewing and Responding to Threats Identified in Defender for Office 365

Email & Collaboration Alerts

Investigations

Explorer and Real-Time Detections

All Email

Malware

Phish

Campaigns

Content Malware

URL Clicks

Creating and Running Campaigns

Creating a Phishing Campaign

Creating a Training Simulation

Reviewing Reports

Unblocking Users

Configuring Alerts

Removing Restrictions

Summary

Exam Readiness Drill - Chapter Review Questions

9

Implementing and Managing Endpoint Protection by Using Microsoft Defender for Endpoint

Overview of Microsoft Defender for Endpoint

Features

Requirements

Deployment Architectures

Configuring Defender for Endpoint Settings

Configuring Defender for Endpoint Options

Integrating Defender for Endpoint with Intune

Establishing a Service-to-Service Connection

Enabling Compliance Policy Evaluation

Enabling App Protection Policy Evaluation

Configuring a Compliance Policy

Configuring a Conditional Access Policy

Onboarding Devices to Defender for Endpoint

Onboarding Windows Devices

Onboarding with Intune

Endpoint Detection and Response (EDR) Policy

Other Onboarding Alternatives

Onboarding macOS Devices

Onboarding a Configuration Profile

Extensions Configuration Profile

Full Disk Access Configuration Profile

Network Filter Configuration Profile

Notifications Configuration Profile

Background Services Configuration Profile

Onboarding iOS Devices

All Devices

Supervised Devices

Unsupervised Devices

Onboarding Android Devices

Bring Your Own Device

Enterprise Enrolled Devices

Reviewing and Responding to Endpoint Vulnerabilities

Recommendations

Remediation

Inventories

Weaknesses

Event Timeline

Baseline Assessment

Creating a Security Profile

Reviewing Assessment Results

Creating and Managing Exceptions

Reviewing and Responding to Risks

Investigate

Attack Story

Alerts

Assets

Investigations

Evidence and Response

Respond

Taking Actions

Resolve

Tuning

Automate

Summary

Exam Readiness Drill - Chapter Review Questions

10

Implementing Microsoft Purview Information Protection and Data Lifecycle Management

Implementing and managing sensitive info types using keywords, keyword lists, or regular expressions

Managing sensitive information types

Using keywords

Using regular expressions

Using built-in functions

Using document fingerprinting

Using Exact Data Match

Testing and editing sensitive information types

Implementing retention labels, retention label policies, and retention policies

Implementing retention policies

Implementing retention labels

Implementing retention label policies

Publishing a label

Auto-applying a label

Implementing sensitivity labels and sensitivity label policies

Implementing sensitivity labels

Enabling sensitivity labels for Teams, M365 groups, and SharePoint sites

Enabling co-authoring for files protected with sensitivity labels

Creating a label

Creating a sublabel

Implementing sensitivity label policies

Label policies

Auto-labeling policies

Summary

Exam Readiness Drill - Chapter Review Questions

11

Implementing Microsoft Purview data loss prevention (DLP)

Implementing DLP for Workloads

Prerequisites

Configuring Workload Protection

Exchange Online, SharePoint Online, OneDrive for Business, and Teams

Power BI

On-Premises File Servers

Implementing Endpoint DLP

Reviewing and Responding to DLP Alerts

Microsoft Purview Compliance Portal Alerts Dashboard

Microsoft Purview Compliance Portal Activity Explorer

Microsoft 365 Defender Alerts Dashboard

Microsoft 365 Defender Incidents Dashboard

Summary

Exam Readiness Drill - Chapter Review Questions

Other Books You May Enjoy

Preface

Microsoft 365 is a productivity and collaboration platform designed to help you achieve more with a mix of innovative, intelligent cloud services and intuitive apps. It includes several integrated Software-as-a-Service (SaaS) applications, including Exchange Online, SharePoint Online, and Microsoft Teams, as well as security and data governance products.

The Microsoft 365 platform suite is used by millions of users and businesses every day to enhance communications, build relationships, connect communities, and create new experiences.

This book, Microsoft 365 Administrator Exam MS-102 Guide, has been designed from the ground up to help you learn how to administer the Microsoft 365 platform effectively.

This book will focus on the following key exam areas:

Provisioning a Microsoft tenant with domains, users, and groups

Configuring features like multi-factor authentication and administrative roles

Deploying Microsoft 365 Defender security products

Investigating and resolving threats across Microsoft 365 workloads

Configuring compliance and data governance capabilities

The MS-102 exam tests you on the core tasks to get a Microsoft 365 tenant up and running, including adding domains and configuring identity synchronization with Active Directory. Approximately 25% of the exam focuses on the Microsoft 365 Defender platform, including the Microsoft 365 Defender portal and incident management, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint.

This book will also help you understand the privacy and data governance capabilities of Microsoft 365, including labeling, retention, eDiscovery, and other features of the Microsoft Purview compliance portal.

By the end of this book, you’ll not only be equipped to pass the exam but also to confidently administer Entra ID and Microsoft 365 Defender.

Who This Book Is For

Microsoft 365 Administrator: Exam MS-102 Guide is targeted at Microsoft 365 administrators who want to prove their knowledge across Entra ID, Defender, and Microsoft Purview by passing the MS-102 certification exam. The qualified exam candidate should be able to demonstrate foundational knowledge of identity concepts as well as intermediate experience with the Microsoft 365 Defender and Microsoft Purview compliance products. You can learn more about this exam at https://learn.microsoft.com/en-us/credentials/certifications/exams/ms-102/.

What This Book Covers

Chapter 1, Implementing and Managing a Microsoft 365 Tenant, begins by explaining the foundational concepts of a Microsoft 365 tenant.

Chapter 2, Managing Users and Groups, expands your knowledge into areas such as creating users, contacts, and groups as well as administering Microsoft 365 licensing.

Chapter 3, Managing Roles in Microsoft 365, explains the concepts around Entra ID roles, privileged identity management, and administrative units.

Chapter 4, Implementing and Managing Identity Synchronization with Azure AD, helps you link on-premises identities to the cloud using both Entra Connect (formerly Azure AD Connect) and Entra Connect cloud sync (formerly Azure AD Connect cloud sync).

Chapter 5, Implementing and Managing Authentication, provides guidance for deploying common authentication features such as multi-factor authentication and self-service password reset.

Chapter 6, Implementing and Managing Secure Access, discusses ID protection as well as planning and implementing Conditional Access policies.

Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal, explores managing threats, alerts, and incidents using the Microsoft 365 Defender portal.

Chapter 8, Implementing and Managing Email and Collaboration Protection by Using Microsoft Defender for Office 365, expands Microsoft 365 Defender products to collaboration workloads such as Exchange Online, SharePoint Online, and Teams, and covers features such as Safe Links, Safe Attachments, and managing threats with Explorer. Microsoft Defender for Office 365 also includes a training product to help educate users on responding to phishing attacks.

Chapter 9, Implementing and Managing Endpoint Protection by Using Microsoft Defender for Endpoint, introduces the Microsoft 365 Defender for Endpoint product to protect computer and mobile device endpoints. This chapter also explores the Vulnerability Management dashboard.

Chapter 10, Implementing Microsoft Purview Information Protection and Data Lifecycle Management, explores key features of compliance, governance, and data protection, including sensitive info types, retention concepts, and sensitivity labeling.

Chapter 11, Implementing Microsoft Purview data loss prevention (DLP), provides guidance on configuring and deploying data loss prevention policies to cloud workloads and endpoints.

To Get the Most Out of This Book

The Microsoft 365 platform is best experienced with either a laptop or desktop computer running a modern operating system, such as Windows 10 or later or macOS X 10.12 or later. Additionally, modern browsers such as Microsoft Edge or a current version of Chrome, Safari, or Firefox are necessary for the Office 365 portal user interface to render properly. Older versions of Microsoft Internet Explorer may not work correctly.

A Microsoft 365 tenant will also be required to follow along with some of the configuration examples. You can sign up for a trial tenant (no credit card required) at https://www.microsoft.com/en-us/microsoft-365/business/compare-more-office-365-for-business-plans. Some configuration options will require an Entra ID Premium subscription, which you can obtain as part of a Microsoft 365 trial or by activating an Entra ID Premium trial within the Azure portal (https://portal.azure.com) once you have obtained a trial Microsoft 365 tenant.

Some examples may require various tools, such as the SharePoint Online Management Shell (https://www.microsoft.com/en-us/download/details.aspx?id=35588), the Microsoft Teams module (https://www.powershellgallery.com/packages/MicrosoftTeams/), or the Office Deployment Tool (https://www.microsoft.com/en-us/download/details.aspx?id=49117).

Download the Color Images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/MS102graphics.

Conventions Used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example of a dummy URL: “When you sign up for a Microsoft 365 subscription, you are prompted to choose a name from Microsoft’s onmicrosoft.com managed namespace. The name you select will need to be unique across all other Microsoft 365 customers.”

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “To export a list of audit log entries, an administrator can open the audited data and click on Export results.”

Any command-line input or output is written as follows:

Get-AzureADUser -Top 10 -Filter "Department eq 'Project Management'" |
    Select DisplayName,UserPrincipalName,Department

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Practice Resources – A Quick Tour

IMPORTANT

Before you start using the free online resources, you’ll need to unlock them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the beginning of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal for unlock instructions.

This book will equip you with all the knowledge necessary to clear the exam. As important as learning the key concepts is, your chances of passing the exam are much higher if you apply and practice what you learn in the book. This is where the online practice resources come in. With interactive mock exams, flashcards, and exam tips, you can practice everything you learned in the book on the go. Here’s a quick walkthrough of what you get.

A Clean, Simple Cert Practice Experience

You get a clean, simple user interface that works on all modern devices, including your phone and tablet. All the features work on all devices provided you have a working internet connection. From the Dashboard (Figure 0.1), you can access all the practice resources that come with this book with just a click. If you want to jump back to the book, you can do that from here as well.

Figure 0.1 – Dashboard interface on a desktop device

Practice Questions

The Quiz Interface (Figure 0.2) is designed to help you focus on the question without any clutter. You can navigate between multiple questions quickly and skip a question if you don’t know the answer. The interface also includes a live timer that auto-submits your quiz if you run out of time. Click End Quiz if you want to jump straight to the results page to reveal all the solutions.

Figure 0.2 – Practice Questions Interface on a desktop device

Be it a long train ride to work with just your phone or a lazy Sunday afternoon on the couch with your tablet, the quiz interface works just as well on all your devices as long as they’re connected to the internet.

Figure 0.3 shows a screenshot of how the interface looks on mobile devices:

Figure 0.3 – Quiz interface on a mobile device

Flashcards

Flashcards are designed to help you memorize key concepts. Here’s how to make the most of them:

We’ve organized all the flashcards into stacks. Think of these like an actual stack of cards in your hand.

You start with a full stack of cards.

When you open a card, take a few minutes to recall the answer.

Click anywhere on the card to reveal the answer (Figure 0.4).

Flip the card back and forth multiple times and memorize the card completely.

Once you feel you’ve memorized it, click the Mark as memorized button on the top-right corner of the card. Move on to the next card by clicking Next.

Repeat this process as you move to other cards in the stack.

You may not be able to memorize all the cards in one go. That’s why, when you open the stack the next time, you’ll only see the cards you’re yet to memorize.

Your goal is to get to an empty stack ensuring you’ve memorized each flashcard in the stack.

Figure 0.4 – Flashcards interface

Exam Tips

Exam Tips (see Figure 0.5) are designed to help you get exam-ready. From the start of your preparation journey to your exam day, these tips are organized such that you can review all of them in one go. If an exam tip comes in handy in your preparation, make sure to mark it as helpful so that other readers.

Figure 0.5 – Exam Tips Interface

Chapter Review Questions

You’ll find a link to Chapter Review Questions at the end of each chapter, just after the Summary section. These are designed to help you consolidate your learning from a chapter before moving on to the next one. Each chapter will have a benchmark score; aim to match that score or beat it before picking up the next chapter. On the Chapter Review Questions page, you’ll find a summary of the chapter for quick reference, as shown in Figure 0.6:

Figure 0.6 – Chapter Review Questions Page

Share Feedback

If you find any issues with the platform, the book, or any of the practice materials, you can click the Share Feedback button from any page and reach out to us. If you have any suggestions for improvement, you can share those as well.

Back to the book

To make switching between the book and practice resources easy, we’ve added a link that takes you back to the book (see Figure 0.7). Click it to open your book in Packt’s online reader. Your reading position is synced so you can jump right back to where you left off when you last opened the book.

Figure 0.7 – Jump back to the book from the dashboard

Note

After the publishing of this book, certain elements of the website might change over time and thus may end up looking different from how they are represented in the screenshots.

Share Your Thoughts

Once you’ve read Microsoft 365 Administrator MS-102 Exam Guide, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a Free PDF Copy of This Book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there; you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781835083963

Submit your proof of purchase.

That’s it! We’ll send your free PDF and other benefits to your email directly.

1

Implementing and Managing a Microsoft 365 Tenant

Making the Most out of This Book - Your Certification And Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your MS-102 exam.

The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips, to help you work on your exam readiness from now till your test day.

Before You Proceed

You need to unlock these resources before you start using them. Unlocking takes less than 10 minutes, can be done from any device, and needs to be done only once. Head over to the start of Chapter 7, Managing Security Reports and Alerts by Using the Microsoft 365 Defender Portal in this book for instructions on how to unlock them.

Figure 1.1 – Dashboard Interface Of MS-102 Practice Resources

Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:

Read each section thoroughly.

Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.

Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill - Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than doing it at the end.

Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.

Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.

Exam Tips: Review these from time to time to improve your exam readiness even further.

Microsoft 365 Tenant

The Microsoft 365 tenant is the security and content boundary for your organization. While deploying a tenant is a simple task of entering contact and payment details, there are many considerations that go into designing and implementing a tenant. These considerations will be used to securely provide access to an organization’s data.

In this chapter, you’ll explore the core components of planning your Microsoft 365 experience as it pertains to the MS-102 exam. The objectives and skills covered in this chapter include the following:

- Creating a tenant
- Implementing and managing domains
- Configuring organizational settings
- Identifying and responding to service health issues
- Configuring notifications for service health
- Monitoring adoption and usage

By the end of this chapter, you should be able to articulate the core concepts around planning and implementing a Microsoft 365 tenant successfully.

Creating a Tenant

A tenant, from a Microsoft 365 perspective, is the top-level structure that identifies your organization. It’s a boundary that separates your users and data from those of other organizations that use the Microsoft 365 service. Creating the tenant is the primary prerequisite step to working with Microsoft 365. The first step in creating a tenant is to plan a tenant, followed by provisioning a tenant.

Planning a Tenant

There are a number of early planning stages for creating a Microsoft 365 tenant, but the one you’ll carry out first will be deciding which kind of tenant to acquire. Tenants are available for organizations of different sizes as well as different industry verticals. Many of these early planning choices can’t be changed later, so you want to make sure you have a thorough understanding of all of the options before hastily clicking through selection screens.

Selecting a Tenant Type

Microsoft has made a variety of packages available, targeting different types of organizations, as shown in Figure 1.2:

Figure 1.2 – Types of tenants

Table 1.1 below lists the types of tenants available for customers to choose from:

| Tenant type | Target customer |
| --- | --- |
| Microsoft 365 Personal | Single person or home user |
| Microsoft 365 Family | Single person, up to 6 users |
| Microsoft 365 Business | Up to 300 users |
| Microsoft 365 Enterprise | Unlimited users |
| Microsoft 365 for US Government | Unlimited users |
| Microsoft 365 for Education | Unlimited users |

Table 1.1 – Tenant types and target customers

For the purposes of the MS-102 exam, you’ll focus on the Microsoft 365 Enterprise service plans.

Tenant Type Deep Dive

The MS-102 exam focuses on the feature set and product, or service bundles, available in Microsoft 365 Enterprise plans, though the technologies available are largely the same across all plans. Microsoft 365 for US Government is available only for local, state, and federal government customers (and their partners or suppliers) and has a subset of the currently commercially available features, trailing by anywhere from 6 months to 2 years, depending on the certification level of the environment. Microsoft 365 for Education has the same feature set as the commercial enterprise set, with a few added features targeted to educational institutions. Microsoft 365 for Education is only available to schools and universities.

Selecting a Managed Domain

After choosing what type of tenant you’ll acquire, one of the next steps you’ll be faced with is naming your tenant. When you sign up for a Microsoft 365 subscription, you are prompted to choose a name from Microsoft’s onmicrosoft.com managed namespace. The name you select will need to be unique across all other Microsoft 365 customers.

Tenant Name Considerations

The tenant name (or managed domain name) cannot be changed after it has been selected. As such, it’s important to select one that is appropriate for your organization. The tenant name is visible in a handful of locations, so be sure to select a name that doesn’t reveal any private information and looks professionally appropriate for the type of organization you’re representing.

Provisioning a Tenant

The act of provisioning a tenant is a relatively simple affair, requiring you to fill out a basic contact form and choose a tenant name. Microsoft periodically changes what plans are available for new trial subscriptions. As of the time of writing, Office 365 E3 is available for a trial subscription. Currently, the available public trial subscriptions require the addition of payment information, which will cause a trial to roll over into a fully paid subscription after the trial period ends. See Figure 1.3:

Figure 1.3 – Starting a trial subscription

The signup process may prompt for a phone number to be used during verification (either a text/SMS or call) to help ensure that you’re a valid potential customer and not an automated system.

After verifying your status as a human, you’ll be prompted to select your managed domain, as shown in Figure 1.4:

Figure 1.4 – Choosing a managed domain

In the Domain name field, you’ll be prompted to enter a domain name. If the domain name value you select is already taken, you’ll receive an error and be prompted to select a new name.

Region Selection

Microsoft automatically provisions your tenant based on a combination of your source IP address and what type of tenant (enterprise, government, or personal) you’re selecting. You need to ensure that you’re not using any external VPN services that mask your location. Region selection determines not only where your tenant data is located physically but also, in some cases, what services are available. Once your tenant is provisioned into a region, it can’t be changed.

After you’ve finished, you can enter payment information for a trial subscription. Note the end date of the trial; if you fail to cancel by that time, you’ll be automatically billed for the number of licenses you have configured during your trial!

Implementing and Managing Domains

The managed domain is a part of the Microsoft 365 tenant for its entire life cycle. While it is a fully functioning domain namespace (complete with its own Microsoft-managed publicly available domain namespace), most organizations will want to use their organization’s domain name—especially when it comes to sending and receiving email or communicating via Microsoft Teams. You cannot add custom DNS records to the managed namespace.

Organizations can use any public domain name with Microsoft 365. Microsoft supports configuring up to 900 domains in a tenant; you can configure both top-level domains (such as contoso.com) as well as subdomains (such as businessunit.contoso.com) with your Microsoft 365 tenant.

Acquiring a Domain Name

Many organizations begin their Microsoft 365 journey with an existing domain name. In addition, you can purchase new domain names to be associated with your tenant.

Third-party Registrar

Most large organizations have existing relationships with third-party domain registrars, such as Network Solutions or GoDaddy. You can use any ICANN-accredited registrar in your region to purchase domain names.

About ICANN

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization tasked with providing guidance and policy around the internet’s unique identifiers (domains). It was chartered in 1998. Prior to 1998, Network Solutions operated the global Domain Name System (DNS) registry under a subcontract from the United States Defense Information Systems Agency.

You can search a list of domain registrars here: https://www.icann.org/en/accredited-registrars.

Microsoft

In addition to choosing a third-party registrar, organizations may also wish to use Microsoft as the registrar. Depending on your subscription, you may be able to directly purchase domain names from within the Microsoft 365 admin center, as shown in Figure 1.5:

Figure 1.5 – Purchasing a domain through the Microsoft 365 admin center

When purchasing a domain through Microsoft, you can select from the following top-level domains:

- .biz
- .com
- .info
- .me
- .mobi
- .net
- .org
- .tv
- .co.uk
- .org.uk

Domain purchases will be billed separately from your Microsoft 365 subscription services. When purchasing a domain from Microsoft, you’ll have limited ability to manage the DNS records. If you require custom configuration (such as configuring an MX record to point to a non-Microsoft 365 server), you’ll want to purchase a domain separately.

Configuring a Domain Name

Configuring a domain for your tenant is a simple procedure and requires access to your organization’s public DNS service provider. Many large organizations may host DNS themselves, while other organizations choose to pay service providers (such as the domain registrar) to host the services.

In order to be compatible with Microsoft 365, a DNS service must support configuring the following types of records:

- Canonical Name (CNAME): CNAME records are alias records for a domain, allowing a name to point to another name as a reference. For example, let’s say you have a website named www.contoso.com that resolves to an IP address of 1.2.3.4. Later, you want to start building websites for na.contoso.com and eu.contoso.com on the same web server. You might implement a CNAME record for na.contoso.com to point to www.contoso.com.
- Text (TXT): A TXT record is a DNS record used to store unstructured information. Request for Comments (RFC) 1035 (https://tools.ietf.org/html/rfc1035) specifies that the value must be text strings and gives no specific format for the value data. Over the years, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and other authentication and verification data have been published as TXT records. In addition to SPF and DKIM, the Microsoft 365 domain addition process requires the administrator to place a certain value in a TXT record to confirm ownership of the domain.
- Service Locator (SRV): An SRV record specifies a host together with a port for a particular internet protocol or service.
- Mail Exchanger (MX): The MX record is used to identify which hosts (servers or other devices) are responsible for handling mail for a domain.

In order to use a custom domain (sometimes referred to as a vanity domain) with Microsoft 365, you’ll need to add it to your tenant.

To add a custom domain, follow these steps:

- Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in.
- Expand Settings and select Domains.

Figure 1.6 – Domains page of the Microsoft 365 admin center

- Click Add domain.
- On the Add domain page, enter the custom domain name you wish to add to your Microsoft 365 tenant. Select Use this domain to continue.

Figure 1.7 – Add domain page

If your domain is registered at a host that supports Domain Connect, you can provide your credentials to the Microsoft 365 Add domain wizard and click Verify. Microsoft will automatically configure the necessary domain records and complete the entire DNS setup for you. You can also select More options to see all of the potential verification methods available, as shown in Figure 1.8:

Figure 1.8 – Verify domain ownership

If you choose any of the additional verification options (such as Add a TXT record to the domain’s DNS records), you’ll need to manually add DNS records at your DNS service provider. Microsoft provides the value configuration parameters necessary for you to configure with your own service provider. After entering the values in your service provider’s DNS console, you can come back to the wizard and select Verify, as shown in Figure 1.9:

Figure 1.9 – Completing verification records manually

If using a registrar that supports Domain Connect, enter the credentials for your registrar. When ready, click Connect. See Figure 1.10:

Figure 1.10 – Authorizing Domain Connect with GoDaddy to update DNS records

Select Let Microsoft add your DNS records (recommended) to have the Microsoft 365 wizard update your organization’s DNS records at the registrar; however, if you are going to be configuring advanced scenarios such as Exchange Hybrid for mail coexistence and migration or have other complex requirements, you may want to consider managing the DNS records manually or opting out of select services. Click Continue.

Figure 1.11 – Connecting domain to Microsoft 365

- Choose whether to allow Microsoft to add DNS records. Expand the Advanced options dropdown:
  - The first checkbox, Exchange and Exchange Online Protection, manages DNS settings for Outlook and email delivery. If you have an existing Exchange Server deployment on-premises (or another mail service solution), you should clear this checkbox before continuing. You’ll need to come back to configure DNS settings to establish hybrid connectivity correctly. The default selected option means that Microsoft will make the following updates to your organization’s DNS:
    - Your organization’s MX record will be updated to point to Exchange Online Protection.
    - The Exchange Autodiscover record will be updated to point to autodiscover.outlook.com.
    - Microsoft will update your organization’s SPF record with v=spf1 include:spf.protection.outlook.com -all.

Figure 1.12 – Adding DNS records

  - The second setting, Skype for Business, will configure DNS settings for Skype for Business. If you have an existing Skype for Business Online deployment or you’re using Skype for Business on-premises, you may need to clear this box until you verify your configuration:
    - Microsoft will add two SRV records: _sip._tls.@<domain> and _sipfederationtls._tcp@<domain>.
    - Microsoft will also add two CNAMEs for Lync: sip.<domain> to point to sipdir.online.lync.com and lyncdiscover.<domain> to point to webdir.online.lync.com.
  - The third checkbox, Intune and Mobile Device Management for Microsoft 365, configures applicable DNS settings for device registration. It is recommended to leave this enabled:
    - Microsoft will add the following CNAME entries to support mobile device registration and management: enterpriseenrollment.<domain> to enterpriseenrollment.manage.microsoft.com and enterpriseregistration.<domain> to enterpriseregistration.windows.net.
- Click Add DNS records.
- If prompted, click Connect to authorize Microsoft to update your registrar’s DNS settings.
- Click Done to exit the wizard or View all domains to go back to the Domains page if you need to add more domains.

You can continue adding as many domains as you need (up to the tenant maximum of 900 domains).

Adding a Domain Deep Dive

To review alternative steps and more information about the domain addition process, see https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain.

Managing DNS Records Manually

If you’ve opted to manage DNS records manually, you may need to go back to the Microsoft 365 admin center and view the settings. To do this, you can navigate to the Domains page, select your domain, and then select Manage DNS, as shown in Figure 1.13:

Figure 1.13 – Managing DNS settings for a domain

On the Connect domain page, click More options to expand the options, and then select Add your own DNS records. From here, you can view the specific DNS settings necessary per service by record type. You can also download a CSV file or a zone file that can be uploaded to your own DNS server. See Figure 1.14:

Figure 1.14 – Viewing DNS settings

The CSV output is formatted as columns, while the zone file output is formatted for use with standard DNS services and can be imported or appended to BIND or Microsoft DNS server zone files.
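The following is an added example, not code from the book or from Microsoft: a Python audit that compares a zone-file export like the one described here with the records the Add domain wizard's Advanced options list earlier in this section. The `.mail.protection.outlook.com` MX suffix is an assumption not stated on the page, and the function names and the sample zone for the placeholder domain `example.com` are constructed for illustration.

```python
import re

# Values the Add domain wizard publishes, as listed in the steps above.
EXPECTED_SPF_INCLUDE = "include:spf.protection.outlook.com"
EXPECTED_CNAMES = {
    "autodiscover": "autodiscover.outlook.com",
    "sip": "sipdir.online.lync.com",
    "lyncdiscover": "webdir.online.lync.com",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}
EXPECTED_SRV = ("_sip._tls", "_sipfederationtls._tcp")
# Assumption (not on the page): Exchange Online Protection MX hosts end in this.
EOP_MX_SUFFIX = ".mail.protection.outlook.com"
# Keeps quoted strings, drops ';' comments that sit outside them.
COMMENT_RE = re.compile(r'("[^"]*")|;.*')
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(MX|TXT|CNAME|SRV)\s+(.+)$", re.I)

# Constructed sample for the placeholder domain example.com, not a real export.
SAMPLE_ZONE = '''\
@                     3600 IN MX    0 example-com.mail.protection.outlook.com.
@                     3600 IN TXT   "v=spf1 include:spf.protection.outlook.com ~all"
autodiscover          3600 IN CNAME autodiscover.outlook.com.
sip                   3600 IN CNAME sipdir.online.lync.com.
lyncdiscover          3600 IN CNAME webdir.online.lync.com.
enterpriseenrollment  3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
enterpriseregistration.example.com. 3600 IN CNAME legacy-sts.example.net. ; stale
_sip._tls             3600 IN SRV   100 1 443 sipdir.online.lync.com.
'''


def parse_zone(zone_text, domain):
    """Return (owner, type, data); '@' is the apex. Each line must name its owner."""
    domain = domain.lower().rstrip(".")
    records = []
    for raw in zone_text.splitlines():
        line = COMMENT_RE.sub(lambda m: m.group(1) or "", raw).strip()
        match = RECORD_RE.match(line)
        if not match:
            continue  # blank lines, $ORIGIN/$TTL, record types not audited here
        owner, rtype, data = match.groups()
        owner = owner.lower().rstrip(".")
        if owner == domain:
            owner = "@"
        elif owner.endswith("." + domain):
            owner = owner[: -len(domain) - 1]
        if rtype.upper() == "TXT":
            # One TXT record may be split into several quoted strings.
            data = "".join(re.findall(r'"([^"]*)"', data)) or data
        records.append((owner, rtype.upper(), data.strip()))
    return records


def audit_m365_zone(zone_text, domain):
    """List where the zone differs from the records the wizard would add."""
    records = parse_zone(zone_text, domain)
    findings = []
    mx_hosts = [d.split()[-1].rstrip(".").lower()
                for o, t, d in records if o == "@" and t == "MX"]
    if not mx_hosts:
        findings.append("MX missing")
    elif any(not h.endswith(EOP_MX_SUFFIX) for h in mx_hosts):
        findings.append("MX has a host outside Exchange Online Protection")
    spf = [d for o, t, d in records
           if o == "@" and t == "TXT" and d.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing")
    elif len(spf) > 1:
        findings.append("SPF published more than once")
    else:
        terms = spf[0].lower().split()
        if EXPECTED_SPF_INCLUDE not in terms:
            findings.append("SPF lacks " + EXPECTED_SPF_INCLUDE)
        if terms[-1] != "-all":
            findings.append("SPF does not end in -all")
    for host, target in EXPECTED_CNAMES.items():
        found = [d.rstrip(".").lower() for o, t, d in records
                 if o == host and t == "CNAME"]
        if not found:
            findings.append("CNAME " + host + " missing")
        elif found != [target]:
            findings.append("CNAME " + host + " points to " + found[0])
    for owner in EXPECTED_SRV:
        if not any(o == owner and t == "SRV" for o, t, _ in records):
            findings.append("SRV " + owner + " missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_m365_zone(SAMPLE_ZONE, "example.com")))
```

A finding is a difference from the wizard's defaults, not necessarily an error: an Exchange Hybrid deployment, for example, may intentionally keep its MX record pointed elsewhere.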

Configuring a Default Domain

After adding a domain, Microsoft 365 automatically sets the first custom domain as the default domain that will be used when creating new users. However, if you have additional domains, you may choose to select a different domain to be used as the default domain when creating objects.

To manage which domain will be set as your primary domain, select the domain from the Domains page and then click Set as default to update the setting, as shown in Figure 1.15:

Figure 1.15 – Setting the default domain

The default domain will be selected automatically when creating cloud-based users and groups, though it can be changed.

Custom Domains and Synchronization

When creating new cloud-based objects, you can select from any of the domains available in your tenant. However, when synchronizing from an on-premises directory, objects will be configured with the same domain configured with the on-premises object. If the corresponding domain hasn’t been verified in the tenant, synchronized objects will be set to use the tenant-managed domain.

Next, you’ll look at the core organizational settings in a tenant.

Configuring Organizational Settings

Organizational settings, as the name implies, are configuration options that apply to the entire tenant. They are used to enable or disable features at the service or tenant level. In many instances, organizational settings are coarse controls that can be further refined by the configuration settings inside each individual service.

To access the organizational settings, follow these steps:

- Navigate to the Microsoft 365 admin center (https://admin.microsoft.com).
- In the navigation pane, expand Settings and select Org settings.

Figure 1.16 – Org settings in the Microsoft 365 admin center

The Org settings page has three tabs, as shown in Figure 1.16:

- Services
- Security & privacy
- Organizational profile

In the next section, each of these settings will be explained in detail.

Services

The Services tab displays settings available for workloads, services, and features available in the Microsoft 365 tenant. Table 1.2 lists the services that have configurable options in the tenant:

| Service | Description |
| --- | --- |
| Adoption Score | Manage privacy levels for Adoption Score as well as setting the scope for users to be included or excluded. |
| Azure Speech Services | Manage whether Azure Speech Services can work using content in your tenant to improve the accuracy of speech services. Disabled by default. |
| Bookings | Choose whether the Bookings service is available for use in the tenant. If Bookings is enabled, you can also configure specific options, such as whether social sharing options are available or whether Bookings can be used by users outside the organization, as well as restricting the collection of customer data. |
| Briefing email from Microsoft Viva | Choose whether to allow users to receive the Viva briefing email. By default, the briefing email is enabled. Users can unsubscribe themselves. |
| Calendar | Choose whether to enable users to share their calendars outside the organization. If sharing is enabled, choose what level of detail is supplied. |
| Cortana | Choose whether to allow Cortana on devices to connect to data in your Microsoft 365 tenant. |
| Directory synchronization | Provides a link to download the Azure AD Connect synchronization tool. |
| Dynamics 365 Applications | Choose whether to allow insights for each user, aggregated insights for other users (non-identifiable), or identifiable insights for other users. |
| Dynamics 365 Customer Voice | Configure email parameters for collecting survey data from Dynamics 365. |
| Mail | There are no org-wide settings to manage here; however, there are links to various tools in the Exchange admin center and Microsoft Defender 365 portal for things such as transport rules and anti-malware policies. |
| Microsoft Azure Information Protection | There are no settings to manage for this feature; it is a link to documentation for configuring Azure Information Protection settings. |
| Microsoft communication to users | Choose whether to enable Microsoft-generated training and education content delivery to users. |
| Microsoft Edge product messaging for users | Provides information on configuring the Edge Spotlight experience for end users. |
| Microsoft Edge site lists | Manage lists of sites and specify which browser experience (Edge or Internet Explorer) users should receive when navigating to those sites. |
| Microsoft Forms | Manage external sharing settings for Microsoft Forms as well as capturing the names of internal organization users who fill out forms. |
| Microsoft Graph Data Connect | Choose this to enable Microsoft Graph Data Connect for bulk transfer of data to Azure. |
| Microsoft Planner | Choose whether Planner users can publish to Outlook or iCal. |
| Microsoft Search in Bing homepage | Customize the Bing.com search page for organization users. |
| Microsoft Teams | Choose whether to enable Teams organization-wide. Disabling Teams from this interface will make it unavailable for all users, including users who are already licensed. Also, choose the coarse control for whether guest access is allowed in Teams. |
| Microsoft To Do | Choose to provide internal users the ability to join and contribute to external task lists and receive push notifications. |
| Microsoft Viva Insights (formerly MyAnalytics) | Manage which Viva Insights settings users have access to. By default, all options are selected (Viva Insights web experience, Digest email, Insights Outlook add-in and inline suggestions, and Schedule send suggestions). |
| Microsoft 365 Groups | Configure guest access and ownership settings for Microsoft 365 Groups. |
| Modern authentication | Provides links to information on configuring modern authentication and viewing basic authentication sign-in reports. |
| Multi-factor authentication | Provides links to information on configuring and learning about multi-factor authentication. |
| News | Choose organization and industry settings used to display relevant news information on the Bing home page as well as settings for delivering Microsoft-generated industry news to your organization users. |
| Office installation options | Choose an update channel for Microsoft 365 apps. |
| Office on the web | Choose whether to allow users to connect to third-party cloud storage products using Office on the web products. |
| Office Scripts | Configure Office Scripts settings for Excel on the web. |
| Reports | Choose how to display users’ personally identifiable information in internal reports and whether to make data available to Microsoft 365 usage analytics. |
| Search & intelligence usage analytics | Choose whether to allow usage analytics data to be filtered by country, occupation, department, or division. |
| SharePoint | Choose whether to enable external sharing. |
| Sway | Choose whether to allow sharing of sways outside the organization as well as what content sources are available (Flickr, Pickit, Wikipedia, and YouTube). |
| User consent to apps | Choose whether users can provide consent to OAuth 2.0 apps that access organization data. |
| User owned apps and services | Choose whether to allow users to auto-claim licenses as well as start trials and access the Office Store. |
| Viva Learning | Choose which content provider data sources to use for Viva Learning. By default, LinkedIn Learning, Microsoft Learn, Microsoft 365 Training, and Custom Uploads are enabled. You can also manage the level of diagnostic data sent to Microsoft. |
| What’s new in Office | Choose whether to display messages to users about new features available. This does not change the availability of the feature—only the display of the notification message. |
| Whiteboard | Choose whether to allow the Whiteboard app to be used. Additionally, manage the amount of diagnostic data collected. |

Table 1.2 – Organizational service settings

You should spend time exploring the options for the services in the Microsoft 365 admin center.

Security & Privacy

The Security & privacy tab houses settings that govern various security controls for the organization. On this page, you’ll find access to the settings listed in Table 1.3:

| Setting | Description |
| --- | --- |
| Bing data collection | Choose whether to allow Bing to collect organization query data. |
| Idle session timeout | Configure the idle session timeout period for Office web apps. |
| Password expiration policy | Choose whether to enable password expiration. Password expiration is disabled by default (and the password policy is governed by the on-premises Active Directory if password hash sync has been configured). |
| Privacy profile | Configure a URL for the organization’s privacy policy and the organization’s privacy contact. The privacy URL is displayed on the Privacy tab of the Settings & Privacy page in the user account profile and when a sharing request is sent to an external user. |
| Self-service password reset | Provides a link to the Azure portal to configure self-service password reset. |
| Sharing | Choose whether to allow users to add guests to the organization. |

Table 1.3 – Security & privacy settings

These options can be used to broadly configure security and privacy settings for your organization. As with the settings on the Services tab, these are coarse controls. Fine-grained control is available for some of these items inside their respective admin centers.

Organization Profile

Settings on the Organization profile tab are largely informational or used to manage certain aspects of the user experience. On this tab, you’ll find the settings listed in Table 1.4:

| Setting | Description |
| --- | --- |
| Custom app launcher tiles | Configure additional tiles to show up on the Microsoft 365 app launcher. |
| Custom themes | Create and apply themes to the Microsoft 365 portal for end users, including mandating the theme as well as specific organization logos and colors. |
| Data location | View the regional information where your tenants’ data is stored. |
| Help desk information | Choose whether to add custom help desk support information for end users to the Office 365 help pane. |
| Keyboard shortcuts | View the shortcuts available for use in the Microsoft 365 admin center. |
| Organization information | Update your organization’s name and other contact information. |
| Release preferences | Choose the release settings for Office 365 features (excluding Microsoft 365 apps). The available options are Standard release for everyone, Targeted release for everyone, and Targeted release for select users. The default setting is Standard release for everyone. |
| Support integration | Use the settings on this page to configure integration with third-party support tools such as ServiceNow. |

Table 1.4 – Organization profile settings

Like the other Org settings tabs, the settings on this page will be used infrequently—typically when just setting up your tenant and customizing the experience. As with the other Organization profile setting areas, you should spend some time in a test environment navigating the tenant to view these settings and updating them to see their effects.

Identifying and Responding to Service Health Issues

Service health information is available from the Microsoft 365 admin center (https://admin.microsoft.com). Microsoft provides health information for a variety of services and features, including SaaS services such as Exchange Online and SharePoint Online, the health of the directory synchronization environment, as well as Windows operating system feature issues and service health.

You can check the overall service health by navigating to the health dashboard (Health | Dashboard), as shown in Figure 1.17:

Figure 1.17 – Service health dashboard

The health dashboard contains the current health status of all Microsoft 365 services. Normally, services will appear as healthy, though this status will be updated when a service is experiencing an issue.

The Service health page (Health | Service health or https://aka.ms/servicehealth) will display the most detailed and comprehensive information on any ongoing or resolved issues. See Figure 1.18.

Figure 1.18 – Service health page

If a service has an advisory or incident, you can expand the issue item under Active issues to display relevant events, as shown in Figure 1.19:

Figure 1.19 – Service health active issues

Selecting an individual item reveals expanded information about the particular issue. See Figure 1.20 for an example:

Figure 1.20 – Expanded active issue

Each service incident will display a status. Possible statuses include the following:

- Normal service: This status indicates that the service is available and has no current incidents or incidents during the reporting period.
- Extended recovery