Student Lab Manual

MS100.3x: Microsoft 365 Identity

Management

Lab Scenario
You are the system administrator for Adatum Corporation, and you have Microsoft 365 deployed in a
virtualized lab environment. In this lab, you will set manage your Microsoft 365 identity environment,
and you will implement Identity Synchronization.

There are two labs in this course. Lab 1 should be performed after you complete Module 1, and Lab 2
should be completed after you finish Module 2. For a successful outcome to each lab, the exercises and
their corresponding tasks must be completed in order. The two labs include:

Lab 1 - Managing your Microsoft 365 Identity environment (after completing Module 1)

- Exercise 1: Setting up your lab environment

▪ Task 1 - Obtain your Office 365 credentials
▪ Task 2 - Create a Microsoft 365 tenant account

- Exercise 2: Managing your Microsoft 365 identity environment using

the Microsoft 365 admin center
▪ Task 1 - Create user accounts
▪ Task 2 – Edit Microsoft 365 users
▪ Task 3 – Verify user settings
▪ Task 4 – Create security groups and add users to each group
▪ Task 5 – Manage security groups

- Exercise 3: Managing your Microsoft 365 identity environment using

Windows PowerShell
▪ Task 1 – Install Microsoft Azure Active
▪ Task 2 - Create new users and assign licenses
▪ Task 3 – Modify user accounts
▪ Task 4 – Configure groups and group membership
▪ Task 5 – Configure user passwords

Page 1
 ▪ Task 6 – Assign service administrators in the Microsoft 365
admin center
▪ Task 7 – Manage service administration with Windows
PoweShell
▪ Task 8 – Verify service administration

Lab 2 – Implementing Identity Synchronization (after completing

Module 2)

- Exercise 1: Setting up your organization for identity synchronization

▪ Task 1 – Configure your UPN suffix
▪ Task 2 – Prepare problem user accounts
▪ Task 3 - Run the IdFix tool and fix identified issues
▪ Task 4 - Enable Directory Synchronization
▪ Task 5 – Set Up Azure AD Connect
▪ Task 6 – Create a new user and group account
▪ Task 7 – Change group membership

- Exercise 2: Implement Identity Synchronization

▪ Task 1 – Force synchronization
▪ Task 2 – Validate the results of Directory Synchronization
▪ Task 3 – Deploy Azure AD Pass-Through Authentication
▪ Task 4 – Enable High Availability

Lab Design
This lab manual provides two sets of instruction for each lab:

• High-level, summarized instructions

• Detailed, step-by-step instructions, also known as the Lab Solution

IMPORTANT: Start with the high-level, summarized instructions

You are encouraged to perform the labs using the high-level instructions. These summarized
instructions offer you guidance on what tasks need to be performed and what, if any, data needs to be
entered, but they do not provide detailed click-by-click instruction on how to complete each task.

The point of the labs is to apply what you’ve learned in the course by working your way through the
tasks without being guided through each mouse click. Using these high-level, summarized lab
instructions forces you to work your way through the problems, which provides a far better learning
experience for students as opposed to being told how to solve each task.

Page 2
When to use the Lab Solution
Should you find yourself stuck or unsure on how to proceed with a certain task, or if you are unable to
complete a lab exercise successfully, then refer to the detailed, step-by-step lab solution at the back of
this manual. Please challenge yourself by following the high-level instructions first, and only refer to the
lab solution if you find yourself needing help.

Getting a lab for the lab exercises

The lab exercises in this course require you to log on to the Microsoft Labs Online environment to do
the lab steps in a virtual environment.

WARNING – Be prepared for UI changes

Given the dynamic nature of Microsoft cloud tools, you may experience user interface (UI) changes that
were made following the development of this training content that do not match up with lab
instructions presented in this lab manual.

The Microsoft Learning team will update this training course as soon as any such changes are brought to
our attention. However, given the dynamic nature of cloud updates, you may run into UI changes before
this training content is updated. If this occurs, you will have to adapt to the changes and work through
them in the labs as needed.

Page 3
 SUMMARIZED LAB INSTRUCTION

This section of the Student Lab Manual contains the summarized lab instructions for each lab exercise. It
is recommended that you perform the labs using these high-level instructions, which offer you
guidance on what tasks need to be performed and what, if any, data needs to be entered. However,
these summarized instructions typically do not provide detailed click-by-click instruction on how to
complete each task (that can be found in the Lab Solution).

Try to complete the labs using these summarized instructions, which will emulate more of a real-world
scenario than simply following the click-click-instruction in the Lab Solution. You should only refer to the
Lab Solution should you find yourself stuck or unable to successfully complete the labs using these
summarized, high-level instructions.

Lab 1: Managing your Microsoft 365 Identity environment

NOTE: This lab should be performed after you complete Module 1.

In this lab, you must create a tenant account in Office 365 to set up an integrated environment.

Exercise 1: Setting up your lab environment

Task 1 - Obtain Your Office 365 Credentials
Once you launch the lab, a free trial tenant will be automatically created for you to access Azure in the
Microsoft Virtual Lab environment. This tenant will be automatically assigned a unique user name and
password. You must retrieve this user name and password so that you can sign into Azure within the
Microsoft Virtual Lab environment.

1. On the XtremeLabs Online menu bar at the top of the screen, click on the Files drop-down arrow.
2. Click on O365 Credentials. A window will open with your credentials.
3. This is the user name and password you will need to sign in to Azure. Keep this page open as you will
need the information later.
4. When the lab directs you to sign in to the Azure portal at https://portal.azure.com, you will sign in
using the credentials you obtained in this task.

Page 4
Task 2 - Create the tenant account
1. At the top of the screen, click the Virtual machine drop-down field and select LON-DC1.
2. On the VM titled LON-DC1, you are already logged on as the adatum\administrator account.
3. Open Internet Explorer. Navigate to Tools > Internet Options > Security tab.
4. In the Internet zone, click Custom Level. Scroll down and under the Downloads section, you must
enable the File download setting.
5. Then in the Trusted Sites zone, you need to add the following sites:
• https://outlook.office365.com/
• https://outlook.office.com/
• https://portal.office.com/
6. In Internet Explorer, sign in to Office 365 by navigating to https:\\portal.office.com and logging in
with the O365 Credentials (username and password) that you retrieved in the prior task.
7. On the Stay signed in? page, click Yes to stay signed in.
8. Select Admin.
9. Under Active users, you should add a user account for Jenna Glover with the following attributes:
• Username: jenna
• Domain: leave as is
• Location: United States
• Password: Pa$$w0rd (uncheck the Make user change their password when they first sign
in option)
• Role: Global Administrator
• Product licenses: Office 365 Enterprise E5
10. After adding the user, in the User was added window, review the information for correctness.
Unselect the Send password in email check box.
11. Close the window and sign out.

Exercise 2: Managing your Microsoft 365 identity

environment using the Microsoft 365 admin center

Task 1: Create user accounts

1. On LON-CL1, verify that you signed in as ADATUM\Holly.
2. Open Microsoft Edge, and then browse to https://portal.office.com/.
3. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
4. Navigate to the Active Users list.
5. Create a new user account with the following attributes:
• First name: Lindsey
• Last name: Gates

Page 5
 • Display name: Lindsey Gates
• Username: Lindsey
Verify that xxyyzza.xtremelabs.us (where xxyyzza is your unique UPN name) is listed in the
text box after the at sign (@).
• Password: Select Let me create the password and enter a password of Pa$$w0rd. Uncheck
Make this user change their password when they first sign in.
6. Repeat the prior step, adding user records for the following users (for the Username, use the
user’s first name):

• Christie Thomas
• Amy Santiago
• Sallie McIntosh
• Francisco Chaves
7. After the last user is added, click Send email and close.

Task 2: Edit Microsoft 365 users

1. In the admin center, in the Active Users list, select Francisco Chaves.
2. Edit Francisco’s Contact Information by typing Accounts in the Department text box.
3. Edit Francisco’s Sign in status by selecting the Block the user from signing in option.
4. In the Active Users list, delete Lindsey Gates account record.
5. View the list of Deleted users.
6. Restore Lindsey Gates’ account record.
7. On the Restore page, select Let me create the password, set the password to Pa$$w0rd, and
uncheck the Make this user change their password when they first sign in.
8. After restoring, click Send email and close.
9. Verify that Lindsey Gates appears in the Active Users list.
10. Close Microsoft Edge.

Task 3: Verify user settings

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com/.
2. Sign in as [email protected] with the password Pa$$w0rd.
3. Verify that you can access the Office 365 portal home page.
4. Open Microsoft Edge, and then browse to https://portal.office.com/.
5. Sign in as [email protected] with the password Pa$$w0rd.
6. Verify that you cannot sign in and that the message states that your account has been locked.
7. Open Microsoft Edge, and then browse to https://portal.office.com/.
8. Sign in as [email protected] with the password Pa55w.rd.
9. On the Office 365 portal, click Admin.

Page 6
10. Navigate to the Active Users list and select Francisco Chaves.
11. Click Unblock sign in.
12. Change his sign-in status to Allow this user to sign in.
13. Open Microsoft Edge, and then browse to https://portal.office.com/.
14. Sign in as [email protected] with the password Pa$$w0rd.
15. Verify that you can now access the Office 365 portal.
16. Close Microsoft Edge.

Task 4: Create security groups and add users to each group

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com/.
2. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
3. In the admin center, navigate to Groups and add a group with the following attributes:
• Type = Security
• Name = Sales
• Description = Sales department users
4. After adding the group, add Lindsey Gates and Christie Thomas as members.
5. Add another group record with the following attributes:
• Type = Security
• Name = Accounts
• Description = Accounts department users
6. After adding the group, add Francisco Chaves and Sallie McIntosh as members.

Task 5: Manage security groups

1. In the Office 365 admin center, verify that you can see the following groups:
• Sales
• Accounts

2. Add the Amy Santiago to the Sales group.

3. Open the Sales details page and ensure that Amy Santiago appears in the Members list.
4. Delete the Sales group.
5. Navigate to the list of Active users.

Page 7
6. Confirm that Amy Santiago's account still exists in the list of active users even though the group
she was a member of has been deleted.
7. Close Microsoft Edge.

Exercise 3: Managing your Microsoft 365 identity

environment using Windows PowerShell

Task 1: Install Microsoft Azure Active Directory

1. On LON-CL1, open Microsoft Edge, and browse to http://aka.ms/t01i1o
2. Under Microsoft Online Services Sign-In Assistant for IT Professionals RTW, click Download.
3. Select the en\msoidcl_64.msi check box, and then click Next.
4. Wait for the download to finish.
5. When the download finishes, click Run.
6. In the Microsoft Online Services Sign-in Assistant Setup wizard, click I accept the terms in the
License Agreement and Privacy Statement, and then click Install.
7. In the User Account Control dialog box, click Yes.
8. On the Completed the Microsoft Online Services Sign-in Assistant Setup Wizard page, click Finish.
9. Close Microsoft Edge.
10. Right click on Start and click Windows PowerShell (Admin).
11. At the prompt, type Install-Module MSOnline command.
12. If prompted to install the NuGet provider, type Y and press ENTER.
13. If prompted to install the module from PSGallery, type Y and press ENTER.

Task 2: Create new users and assign licenses

1. On LON-CL1, run Windows PowerShell (Admin).
2. At the command prompt, type the following command, and then press Enter:

Page 8
 Connect-MsolService

3. In the Enter Credentials dialog box, sign in as [email protected], where

yyxxxxx is your unique Adatum number, with the password Pa55w.rd.
4. At the command prompt, type the following command, and then press Enter; xxyyzza is your
unique domain name:

New-MsolUser -UserPrincipalName [email protected] -DisplayName

"Catherine
Richard" -FirstName "Catherine" -LastName "Richard" -Password 'Pa55w.rd' -
ForceChangePassword
$false -UsageLocation "CH"

5. At the command prompt, type the following command, and then press Enter; xxyyzza is your
unique domain name:
New-MsolUser -UserPrincipalName [email protected] -DisplayName "Tameka
Reed" -
FirstName "Tameka" -LastName "Reed" -Password 'Pa55w.rd' -ForceChangePassword
$false -
UsageLocation "CH"

6. To determine which users are unlicensed, at the command prompt, type the following command,
and then press Enter:

Get-MsolUser -UnlicensedUsersOnly

7. To view the available licenses, at the command prompt, type the following command, and then
press Enter:

Get-MsolAccountSku

8. To license Catherine Richard, at the command prompt, type the following command, and then
press Enter; replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com
domain name provided by the hosting provider:

Set-MsolUserLicense -UserPrincipalName [email protected] -

AddLicenses
"Adatumyyxxxxx:ENTERPREMIUM

9. To license Tameka Reed, at the command prompt, type the following command, and then press
Enter; replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com domain
name provided by the hosting provider:

Page 9
 Set-MsolUserLicense -UserPrincipalName [email protected] -AddLicenses
"Adatumyyxxxxx:ENTERPRISEPREMIUM"

10. To prevent a user from signing in, at the command prompt, type the following command, and then
press Enter; xxyyzza is your unique domain name:

Set-MsolUser -UserPrincipalName [email protected] -BlockCredential

$true

11. To delete a user, at the command prompt, type the following command, and then press Enter;
xxyyzza is your unique domain name:

Remove-MsolUser -UserPrincipalName [email protected] -Force

12. To view the Deleted Users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser -ReturnDeletedUsers

13. Verify that Catherine Richard is in the list of deleted users. Note that it specifies that she is still
licensed.
14. To restore a deleted user, at the command prompt, type the following command, and then press
Enter; xxyyzza is your unique domain name:

Restore-MsolUser -UserPrincipalName [email protected]

15. To view the deleted users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser -ReturnDeletedUsers

16. Verify that Catherine Richard is no longer in the list of deleted users.
17. To view the active users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser

18. Verify that Catherine Richard is in the active users list.

19. To allow a user to sign in, at the command prompt, type the following command, and then press
Enter; xxyyzza is your unique domain name:
Set-MsolUser -UserPrincipalName [email protected] -BlockCredential
$false

Page 10
Task 3: Modify user accounts
1. On LON-CL1, on the taskbar, click File Explorer.
2. Navigate to C:\labfiles, right-click O365users.csv, point to Open with, and then click Notepad.
3. In Notepad, click Edit, and then click Replace.
4. In the Find what text box, type yourdomain.hostdomain.com
5. In the Replace with text box, type your unique public domain name value xxyyzza.xtremelabs.us
(where xxyyzza is your unique UPN name), and then click Replace All.
6. In the Find what text box, type Adatumyyxxxx
7. In the Replace with text box, type your unique Adatumyyxxxxx value and then click Replace All.

Note: Adatumyyxxxx in this step must be the onmicrosoft.com domain name.

8. Close O365users.csv, and then in the Notepad message box, click Save.
9. To bulk import several users from a comma-separated value (CSV) file, copy and paste this code
into the Administrator: Microsoft Azure Active Directory Module for Windows PowerShell window
on LON-CL1, and then press Enter: PLEASE COPY TO A NOTE PAD.

Import-Csv -Path C:\labfiles\O365Users.csv | ForEach-Object { New-MsolUser -

UserPrincipalName
$_."UPN" -AlternateEmailAddresses $_."AltEmail" -FirstName $_."FirstName" -
LastName
$_."LastName" -DisplayName $_."DisplayName" -BlockCredential $False -
ForceChangePassword
$False -LicenseAssignment $_."LicenseAssignment" -Password $_."Password" -

PasswordNeverExpires $True -Title $_."Title" -Department $_."Department" -Office

$_."Office"
-PhoneNumber $_."PhoneNumber" -MobilePhone $_."MobilePhone" -Fax $_."Fax" -
StreetAddress
$_."StreetAddress" -City $_."City" -State $_."State" -PostalCode $_."PostalCode" -
Country
$_."Country" -UsageLocation $_."UsageLocation" }

10. To view the Active Users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser

11. Open Microsoft Edge, and then browse to https://portal.office.com/.

12. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.

Page 11
13. On the Home page, click Admin, point to Users and click Active Users.
14. Review the active users that you just imported.

Task 4: Configure groups and group membership

1. To create a Marketing group, at the command prompt, type the following command, and then
press Enter:

New-MsolGroup -DisplayName "Marketing" -Description "Marketing department users"

2. To configure a variable for the group, at the command prompt, type the following command, and
then press Enter:

$MktGrp = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Marketing"}

3. To configure a variable for the first user account, at the command prompt, type the following
command, and then press Enter:

$Catherine = Get-MsolUser | Where-Object {$_.DisplayName -eq "Catherine Richard"}

4. To configure a variable for the second user account, at the command prompt, type the following
command, and then press Enter:

$Tameka = Get-MsolUser | Where-Object {$_.DisplayName -eq "Tameka Reed"}

5. To add Catherine Richard to the Marketing group, at the command prompt, type the following
command, and then press Enter:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -

GroupMemberObjectId $Catherine.ObjectId

6. To add Tameka Reed to the Marketing group, at the command prompt, type the following
command, and then press Enter:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -

GroupMemberObjectId $Tameka.ObjectId

7. To verify the members of the Marketing group, at the command prompt, type the following
command, and then press Enter:

Get-MsolGroupMember -GroupObjectId $MktGrp.ObjectId

Page 12
Task 5: Configure user passwords
1. At the command prompt, type the following command, and then press Enter; yyxxxxx is your
unique Adatum number:
Set-MsolPasswordPolicy -DomainName "Adatumyyxxxxx.onmicrosoft.com" -ValidityPeriod
"90" -NotificationDays "14"

2. At the command prompt, type the following command, and then press Enter; yourdomain is your
unique domain name:

Set-MsolUserPassword -UserPrincipalName "[email protected]" -

NewPassword 'Pa55w.rd123'

3. At the command prompt, type the following command, and then press Enter:

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false

Task 6: Assign service administrators in the Microsoft 365 admin

center
This task does not use Windows PowerShell, but it does set up your service administrators so that you
can manage them in the next task using PowerShell.

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com.

2. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
3. Navigate to the list of Active users and select Francisco Chaves.
4. Assign Francisco to the Customized administrator and Billing administrator roles, and enter
[email protected] as his Alternate email address.
5. Repeat these steps for Tameka Reed. Assign Tameka to the Customized administrator and
Password administrator roles, and enter [email protected] as her Alternate email address.
6. Repeat these steps for Christie Thomas. Assign Christie to the Customized administrator and User
Management administrator roles, and enter [email protected] as her Alternate email address.
7. Close Microsoft Edge.

Page 13
Task 7: Manage service administration with Windows
PowerShell
1. In the Windows PowerShell window, at the command prompt, type the following command, and
then press Enter (where xxyyzza is your unique UPN name):

Add-MsolRoleMember -RoleName "Service Support Administrator" -

RoleMemberEmailAddress "[email protected]"

2. At the command prompt, type the following command, and then press Enter (where xxyyzza is
your unique UPN name):

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress

"[email protected]"

3. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Service Support Administrator"

4. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

5. Verify that Sallie McIntosh is in the list of users who have the Service Support Administrator role.
6. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Billing Administrator"

7. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

8. Verify that Francisco Chaves is in the list of users who have the billing administrator role.
9. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Company Administrator"

10. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

Page 14
11. Verify that Amy Santiago is in the list of users who have the Company Administrator role. You
should also see Holly Dickson on the list.
12. Close the Windows PowerShell window.

Task 8: Verify service administration

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com.
2. Sign in as [email protected], where xxyyzza is your unique domain name, with the
password Pa55w.rd123.
3. On the Update your password page, in the Current password text box, type Pa55w.rd123.
4. In the New password and Confirm password text boxes, type a unique password, and then click
Update password and sign in.
5. On the Office 365 portal, click Admin.
6. If prompted, sign in again as [email protected] using the password you chose in
Step 4.
7. Navigate to the Active Users list.
8. Select Jessica Jennings. Note that you cannot perform any administrative tasks.
9. Reset Jessica’s password.
10. Write down the temporary password here for future reference, and then click Send email and
close.
11. Close and reopen Microsoft Edge, and then browse to https://portal.office.com.
12. Sign in as [email protected], using the password Pa$$w0rd.
13. In the Office 365 portal, click Admin.
14. If asked about update your admin contact information, click on the Cancel button to skip this
request.
15. In the Office 365 admin center, navigate to the Active Users and select Jessica Jennings.
16. Update Jessica’s Contact information by changing her Office Phone to 555-1234 and her sign-in
status to Block the user from signing in.
17. Add a new user account with the following attributes:
• First name: Chris
• Last name: Breland
• Display name: Chris Breland
• Username: Chris
• Product license: Office365 E3 is turned On (enabled)
In the First name text box, type Chris.
18. After adding Chris’ user account, you should delete the account.
19. Close Microsoft Edge.

Page 15
Lab 2: Implementing Identity Synchronization
NOTE: This lab should be performed after you complete Module 2.

You are now ready to start the directory synchronization process. In this lab exercise you to first make
sure your local Active Directory is ready to start the directory synchronization process by adding a
custom domain to the forest and configuring Exchange to use the new custom domain.

Exercise 1: Setting up your organization for identity

synchronization

Task 1: Configure your UPN suffix

1. On LON-DC1, log on as ADATUM\Administrator and password Pa55w.rd.
2. Using Windows PowerShell, update the UPN suffix for the domain and on the UPN on every user in
AD DS with “@xxyyzza.xtremelabs.us” (where xxyyzza is your unique UPN name) for the domain
name. To do this, run the following command (remember to change xxyyzza to your unique UPN
name):
Set-ADForest -identity "adatum.com" -UPNSuffixes
@{replace="xxyyzza.xtremelabs.us"}

3. Next type the follow command (remember to change xxyyzza to your unique UPN name):
Get-ADUser –Filter * -Properties SamAccountName | ForEach-Object { Set-ADUser $_ -
UserPrincipalName ($_.SamAccountName + "@xxyyzza.xtremelabs.us" )}

Task 2: Prepare problem user accounts

1. On the LON-DC1, in the Windows PowerShell prompt, type the following command, and then
press Enter:
CD C:\labfiles\

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

Set-ExecutionPolicy Unrestricted

3. To confirm the execution policy change, press Enter.

4. At the Windows PowerShell prompt, type the following command, and then press Enter:

Page 16
 .\CreateProblemUsers.ps1

Note: Wait until the script has completed before proceeding to the next step.

5. This Windows PowerShell script will make the following changes in AD DS:
• Amr Zaki. Add the "@" character to the beginning of "adatum" for the UserPrincipalName
attribute.
• Brad Sutton. Replace the existing string with "[email protected]" for the emailAddress
attribute.
• Don Funk. Replace the existing string with "[email protected]" for the emailAddress attribute.
• Holly Dickson. Replace the existing string with "holly @adatum.com" for the EmailAddress
attribute.
• Kelly Rollin. Replace the existing string with " " for the emailAddress attribute.

Task 3: Run the IdFix tool and fix identified issues

1. On LON-CL1, open Microsoft Edge, and then connect to https://www.microsoft.com/en-
us/download/details.aspx?id=36832
2. Download the IdFix DirSync Error Remediation Tool.
3. Wait for the download to complete, and then click Open.
4. In the File Explorer window, browse to the Downloads folder, right-click IdFix.zip, and then click
Extract All...
5. In the Extract Compressed (Zipped) Folders dialog box, in the destination box, type
C:\Deployment Tools\IdFix, and then click Extract.
6. In File Explorer, in the C:\Deployment Tools\IdFix folder, right-click IdFix.exe, and then click Run
as administrator.
7. In the IdFix Privacy Statement message box, click OK.
8. Click Query. You should see several errors.
9. Click the ERROR column to sort the character errors to the top of the list. Note: Ignore
topleveldomain errors, which cannot be fixed by the IdFix tool.

10. In the Amr Zaki row, in the ACTION column, select EDIT.
11. In the Holly Dickson row, in the ACTION column, select EDIT. 13. In the Kelly Rollin row, in the
ACTION column, select EDIT
12. On the toolbar, click Apply.
13. In the Apply Pending dialog box, click Yes; note the COMPLETE status in the ACTION column
indicating successful writes.
14. Switch to File Explorer, and in the C:\Deployment Tools\IdFix folder, double-click Verbose <date>
<time>.txt to view the updated transactions in the transaction log.

Page 17
15. Switch back to the IdFix tool.
16. On the toolbar, click Query.
17. Click in the UPDATE column to locate the Don Funk error, and replace the string with
[email protected], and then in the ACTION column, select EDIT.
18. Click in the UPDATE column to locate the Kelly Rollin error, and replace the string with
[email protected], and then in the ACTION column, select EDIT.
19. On the toolbar, click Apply.
20. In the Apply Pending box, click Yes.
21. On the toolbar, click Query and verify that errors are corrected.

Note: Where there are format and duplicate errors for distinguished names, the UPDATE column
either contains the same string as the VALUE column, or the UPDATE column entry is blank; in
either case, this means that IdFix cannot suggest a remediation for the error. You can either fix
these errors outside IdFix, or manually remediate them within IdFix. You can also export the
results and use Windows PowerShell to remediate many errors.

Task 4: Enable Directory Synchronization

1. On LON-DS1, if necessary, log on as ADATUM\Administrator and password Pa55w.rd.
2. Open Internet Explorer. Navigate to Tools > Internet Options > Security tab.
3. In the Internet zone, click Custom Level. Scroll down and under the Downloads section, you must
enable the File download setting.
4. Then in the Trusted Sites zone, you need to add the following sites:
• https://outlook.office365.com/
• https://outlook.office.com/
• https://portal.office.com/
5. Browse to https://portal.office.com/.
6. Sign in as [email protected] with the password Pa55w.rd (where XXYYZZ is
your unique Adatum O365 Blob).
7. Click Admin.
8. If asked about update your admin contact information click on the Cancel button to skip this
request.
9. Navigate to the Active Users.
Note: If you see the Active Directory synchronization is being activated warning, you can ignore it
at this time, but you will not be able to run directory synchronization later in this exercise. You
must wait until directory synchronization is activated. However, you can complete the following
steps, even if you do see the warning message.

10. Select Holly Dickson.

11. Edit Holly’s alias by changing it to Holly and ensure that xxyyzza.xtremelabs.us domain is selected.

Page 18
12. Click Set as primary and then read the warning and save your change.
13. You should be signed out automatically, but if not click on the top right corner of Holly Dickson’s
profile icon and click Sign Out.
14. Close Internet Explorer.
15. Open Internet Explorer.
16. Sign in as [email protected] with the password Pa55w.rd (where XXYYZZ is your UPN
domain).
17. Click Admin.
18. If asked about update your admin contact information click on the Cancel button to skip this
request.

19. In the left-hand navigation, select the user’s icon ( ) and select Active users, click on More on
the top menu and choose Directory Synchronization.
20. Click on the Go to the DirSync readiness wizard.
21. On the next screen choose 51-250 for the number of users you will move to the cloud, click Next.
22. Click Next on the Sync your local directory with the cloud screen.
23. Click continue manually to skip checking your directory since it was already fixed.
24. Click Next to configure the domains.
25. Click Ok I’ve added and verified all my domains to continue.
26. Click Next to continue the process (Skip IdFix).
27. Click on Download to go to the download page for Azure AD Connect.
28. Click Download again to download Azure AD Connect application.
29. Click Save and Run the download.

Task 5: Set up Azure AD Connect

1. On the Azure AD Connect setup wizard, proceed through the wizard.
2. Click on Use express settings.
3. On the Connect to Azure AD screen enter your Office 365 admin username of
[email protected] with password Pa55w.rd (where XXYYZZ is your UPN domain) and
click Next.

4. On the Connect to AD DS screen enter your domain administrator ADATUM\Administrator and

password Pa55w.rd and click Next.
5. Click Next on the Azure AD sign-in configuration screen.
6. On the Ready to configure screen click the check box for Start the synchronization process when
configuration completes and click on Install.
7. Wait for the installation to complete.
8. Click on Exit.

Page 19
9. Click on Start, search for the Synchronization Service application and open it.
10. Monitor the synchronization process by looking at the operations tab. Wait for the Export profile
to complete (Status: success)
11. Return to the Run Azure Active Directory Connect screen in Internet Explorer and click on Next.

Note: The web page should say Directory synchronization enabled. If it doesn’t then refresh the
page to see the that the Directory synchronization is enabled. If status does not update continue
to the next step if the export was successful.

12. Click Next on the Make sure sync worked as expected screen.
13. Click Next on the Activate users screen.
14. Click Finish on the You’re all set up screen.

Task 6: Create a new user and group account

1. On LON-DC1, in Server Manager, navigate to Active Directory Users and Computers.
2. In the console tree, expand Adatum.com, right-click Research, then add a new user.
3. In the First name box, type Perry.
4. In the Lastname box, type Brill.
5. In the User logon name box, type Perry, and select your lab domain UPN (not Adatum.com).
6. In the Password and Confirm password boxes, type Pa55w.rd, clear the User must change
password at next logon checkbox, select the Password never expires checkbox, click Next, and
then click Finish.
7. In the Research OU user list, double-click the Perry Brill user.
8. In the Properties dialog box, in the E-mail box, type [email protected], and then click
OK.
9. In the console tree, right-click the Research OU, click New, and then click Group.
10. In the New Object - Group window, in the Group name: box, type Project Team, click Universal,
click Distribution, and then click OK.
11. In the Research OU, double-click the Project Team group.
12. In the Properties dialog window, in the E-mail box, type [email protected].
13. On the Members tab, click Add.
14. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select, type the following names, and then click Check Names:
• Anil Elson
• Deepak Kumar
• Olivier Renaud

15. Click OK twice.

Page 20
Task 7: Change group membership
1. In the console tree of Active Directory Users and Computers, click Research.
2. View the members of this group.
3. Select the following three users, and then remove them:
• Chloe Brussard
• Chris Sells
• Florian Stiller

Exercise 2: Implement identity synchronization

Task 1: Force synchronization
1. On LON-DS1, from the taskbar, right-click the Windows PowerShell shortcut, and then click Run as
administrator.

2. At the Windows PowerShell prompt, type the following, and then press Enter:

Start-ADSyncSyncCycle -PolicyType Delta

Note: The Delta switch is used here so that only the updates are synchronized.

3. Wait until synchronization has completed before proceeding to the next task.

Task 2: Validate the results of directory synchronization

1. To verify the new user you created, on LON-CL1, open the Office 365 Admin Center in Microsoft
Edge by typing https://portal.office.com/admin/default.aspx in the address bar.
2. Sign in using the following credentials: User name: [email protected], Password:
Pa55w.rd
3. If you are connected to the previous Office 365 admin center, click that banner at the top of the
page to connect to the new Office 365 admin center.
4. Navigate to the Active Users.
5. In the Active Users list, verify that Perry Brill has a value of Synced with Active Directory in the
Sync Type column.

Page 21
 Note: You might need to wait up to 10 minutes before the account appears. Refresh the list until
you see Perry Brill's account.

6. In the Active Users list, select Perry Brill.

7. Edit Perry’s Product licenses as follows:
• Location = United Kingdom
• Product License = Office 365 Enterprise E3
8. Repeat steps 6-7 to assign an Office 365 license for user Anil Elson.
9. Navigate to Groups to verify that you have created the new group.
10. In the Groups list, verify that the Project Team appears.

Note: You might need to wait up to 10 minutes before the group appears. Refresh the list until
you see the object.
11. In the Groups list, select the Project Team group.
Note: In the right pane, notice that Edit Members is unavailable. This is because group
membership is maintained by Active Directory. To view the membership, you need to use
Windows PowerShell.

12. On LON-CL1, on the desktop, if PowerShell is not already open, then then open it by clicking Run
as administrator.
13. If PowerShell wasn’t open, at the command prompt, type the following command, and then press
Enter:

Connect-MsolService

14. If necessary, in the Enter Credentials dialog box, sign in as

[email protected], where yyxxxxx is your unique Adatum number, with the
password Pa55w.rd.

15. Type the following command, and then press Enter:

Get-MsolGroup

16. Verify that you can see the Research and Project Team groups. Copy the ObjectID value for these
two groups.
17. To verify that you updated the group membership in AD DS, type the following command at the
Windows PowerShell prompt, and then press Enter (where <<ObjectID for Research group>> is the
ObjectID of the group):

Get-MsolGroupMember -GroupObjectId <<ObjectID for Research group>>

Page 22
18. Verify the membership of the group does not contain the users removed in AD DS. The users who
were removed from the group are:
• Chloe Brussard
• Chris Sells
• Florian Stiller

19. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolAccountSku

Note: This command shows the current license consumed units.

Task 3: Deploy Azure AD Pass-through Authentication

1. Sign in to the LON-DS1 virtual machine as ADATUM\Administrator with a password of Pa$$word.
2. On the Desktop, double click the Microsoft Azure AD Connect application.
3. Select Change user Sign-in and then click Next.
4. Click configure.
5. Sign in to Azure AD.
6. Select Pass-Through Authentication and then click Next.
7. Upon successful completion, Pass-Through Authentication will be enabled.
8. To verify that Pass-Through Authentication is successfully enabled, open an Edge Browser.
9. Sign in to https://aad.portal.azure.com/.
10. Select Azure Active Directory on the left pane.
11. Verify the Pass-Through Authentication feature appears as ENABLED.
12. Select Pass-Through Authentication. The Pass-Through authentication pane lists the servers
where your authentication agents are installed.

End of lab

Page 23
 LAB SOLUTION

This section of the Student Lab Manual contains the detailed, step-by-step lab instructions for each lab
exercise. It is recommended that you only refer to these instructions should you find yourself stuck or
unable to successfully complete the labs using the summarized, high-level instructions.

Lab 1: Managing your Microsoft 365 Identity environment

NOTE: This lab should be performed after you complete Module 1.

In this lab, you must create a tenant account in Office 365 to set up an integrated environment.

Exercise 1: Setting up your lab environment

Task 1 - Obtain Your Office 365 Credentials
Once you launch the lab, a free trial tenant will be automatically created for you to access Azure in the
Microsoft Virtual Lab environment. This tenant will be automatically assigned a unique user name and
password. You must retrieve this user name and password so that you can sign into Azure within the
Microsoft Virtual Lab environment.

1. On the XtremeLabs Online menu bar at the top of the screen, click on the Files drop-down arrow.
2. Click on O365 Credentials. A window will open with your credentials.
3. This is the user name and password you will need to sign in to Azure. Keep this page open as you will
need the information later.
4. When the lab directs you to sign in to the Azure portal at https://portal.azure.com, you will sign in
using the credentials you obtained in this task.

Task 2 - Create the tenant account

1. At the top of the screen, click the Virtual machine drop-down field and select LON-DC1.
2. On the VM titled LON-DC1, you are already logged on as the adatum\administrator account.
3. Click the Windows icon in the lower left corner of the task bar and then click on the Internet
Explorer tile.
4. In Internet Explorer, click on the gear icon in the top right corner to display the Tools drop-down
menu.
5. In the drop-down menu, click Internet Options.

Page 24
6. Click on the Security tab.
7. Click Internet. Click Custom Level. Scroll down and under the Downloads section, under File
download, select Enable. Click OK.
8. Click Yes to confirm you want to change the settings for this zone.
9. Click Trusted sites and then click Sites.
10. In the Trusted Sites window, you will add the following three sites as Trusted Sites:
• In the Add this website to the zone field, type in https://outlook.office365.com/ and then
click Add.
• Type in https://outlook.office.com/ and then click Add.
• Type in https://portal.office.com/ and then click Add.
• All three URL’s should appear in the Websites box. Click Close.
11. Click OK to close the Internet Options window.
12. To sign in to Microsoft 365, go to Internet Explorer and type in https:\\portal.office.com as the
URL, and then hit Enter. This will open the Sign in window.
13. In the Email, phone, or Skype field, enter the Tenant email from your O365 Credentials (or you can
copy and paste in the Tenant email from the O365 Credentials window if you still have it open; if
you closed the O365 Credentials window, click the Files drop down arrow again and click O365
Credentials). After entering your tenant email, click Next.
14. On the Enter Password window, in the Password field, enter the Tenant password from your O365
Credentials (or you can copy and paste in the Tenant password from the O365 Credentials window
if you still have it open) and then click Sign In.
15. On the Stay signed in? page, click Yes to stay signed in.
16. On the Office 365 portal, if the Get your work done with Office 365 window appears in the middle
of the page, click the right arrow 5 times to show the 5 slides. The window will scroll off the page.
From the main page, click Admin.
17. This opens the Microsoft 365 admin center. If a Welcome to the Office 365 Admin Center window
appears, click Skip.
18. Under Active users, click Add a user.
19. In the New User window, create a user named Jenna Glover.
20. Type Jenna in the First name field.
21. Type Glover in the Last name field.
22. Click in the Display name field and Jenna Glover will automatically appear.
23. Type jenna in the Username field. For the purposes of this labs, the Domain field is prefilled with
the domain from your O365 Credentials. Leave this as is.
24. Leave United States as the Location.
25. Click on Password.
26. Select the Let me create the password option. Type Pa$$w0rd in the Password field.
27. Uncheck the box that says Make user change their password when they first sign in.
28. Click on Roles.
29. Select the Global Administrator option.

30. Product licenses is already set to Office 365 Enterprise E5, so no change is required.
31. Click Add.
32. In the User was added windows, review the information for correctness. Unselect the Send
password in email check box.

Page 25
33. Click Close.
34. If the We would love to hear from you window appears, click Cancel.
35. While still on the Microsoft 365 admin center screen, click on the User Profile Icon in the top right
corner of the browser. It will be a grey circle with the letters “CA”.
36. Click Sign-Out.
37. Once the screen indicates you are signed out, Close Internet Explorer. Select Close all tabs.

Exercise 2: Managing your Microsoft 365 identity

environment using the Microsoft 365 admin center

Task 1: Create user accounts

1. On LON-CL1, verify that you signed in as ADATUM\Holly.
2. Open Microsoft Edge, and then browse to https://portal.office.com/.
3. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
4. On the Microsoft 365 portal, click Admin.
5. On the menu on the left side, point to Users, and then click Active Users.
6. Click Add a user with the following information:
• First name: Lindsey.
• Last name: Gates.
• Display name: Lindsey Gates.
• Username: Lindsey.
7. Verify that xxyyzza.xtremelabs.us (where xxyyzza is your unique UPN name) is listed in the text
box after the at sign (@).
8. Under Password, select Let me create the password and enter a password of Pa$$w0rd. Uncheck
Make this user change their password when they first sign in.
9. Click Add. On the User was added page, click on Add another user under Next Steps.
10. Repeat steps 6 through 9 to create the following users (for the Username, use the Firstname):

• Christie Thomas
• Amy Santiago
• Sallie McIntosh
• Francisco Chaves
11. After added the last user, click Send email and close.

Page 26
Task 2: Edit Microsoft 365 users
1. In the Office 365 admin center, in the Active Users list, click the Francisco Chaves user object.
2. On the Contact Information section, click Edit.
3. On the Edit contact information page, expand Contact information, and in the Department text
box, type Accounts, click Save, and then click Close.
4. On the right-side menu, in the Sign in status section, click Edit.
5. Click Block the user from signing in, click Save, and then click Close.
6. Close the Francisco Chaves page.
7. In the Active Users list, click the Lindsey Gates user object.
8. Click Delete user.
9. On the Delete user page, click Delete user. Click Confirm Changes then click Close.
10. In the left navigation pane, point to Users, and click Deleted users.
11. Verify that Lindsey Gates is in this list.
12. In the Deleted users list, select Lindsey Gates.
13. On the toolbar, click Restore.
14. On the Restore page, select Let me create the password, set the password to Pa$$w0rd, and
uncheck the Make this user change their password when they first sign in.
15. Click Restore, then click Send email and close.
16. On the left navigation pane, point to Users, and click Active Users.
17. Verify that Lindsey Gates is in this list.
18. Close Microsoft Edge.

Task 3: Verify user settings

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com/.
2. Sign in as [email protected] with the password Pa$$w0rd.
3. Verify that you can access the Office 365 portal home page.
4. Close Microsoft Edge.
5. Open Microsoft Edge, and then browse to https://portal.office.com/.
6. Sign in as [email protected] with the password Pa$$w0rd.
7. Verify that you cannot sign in and that the message states that your account has been locked.
8. Close Microsoft Edge.
9. Open Microsoft Edge, and then browse to https://portal.office.com/.
10. Sign in as [email protected] with the password Pa55w.rd.
11. On the Office 365 portal, click Admin.

Page 27
12. On the left menu, point to Users, and then click ActiveUsers.
13. In the Active Users list, click Francisco Chaves.
14. Click Unblock sign in.
15. On the Edit sign-in status page, select Allow this user to sign in, click Save, and then click Close.
16. Close Microsoft Edge.
17. Open Microsoft Edge, and then browse to https://portal.office.com/.
18. Sign in as [email protected] with the password Pa$$w0rd.
19. Verify that you can access the Office 365 portal.
Note: It may take several minutes before the blocked user message no longer shows.
20. Close Microsoft Edge.

Task 4: Create security groups and add users to each group

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com/.
2. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
3. In the Office 365 admin center, click Admin.
4. On the left side menu, point to Groups, click Groups, and then click Add a group.
5. On the New Group page, in the Type drop-down box, click Security, and in the Name text box,
type Sales.
6. In the Description text box, type Sales department users, click Add, and then click Close.
7. Select the Sales group, and then on the Sales page, next to Members, click Edit.
8. Click Add members, type Lindsey in the search box and select Lindsey Gates.
9. Type Christie in the search box and select Christie Thomas.
10. Expand the Adding drop-down to verify both users are being added. Click Save, and then click
Close three times.
11. Click Add a group.
12. On the New Group page, in the Type drop-down box, click Security, and then in the Name text
box, type Accounts.
13. In the Description text box, type Accounts department users, click Add, and then click Close.
14. Select the Accounts group, and then on the Accounts page, next to Members, click Edit.
15. Click Add members, type Francisco in the search box and select Francisco Chaves.
16. Type Sallie in the search box and select Sallie McIntosh.
17. Expand the Adding drop-down to verify both users are being added. Click Save, and then click
Close three times.
18. Click Add members, click Francisco Chaves, click Sallie McIntosh, click Save, and then click Close
three times.

Page 28
Task 5: Manage security groups
1. In the Office 365 admin center, verify that you can see the following groups:
• Sales
• Accounts

2. In the Groups list, select the Sales group, and then on the Sales page, next to Members, click Edit.
3. Click Add members, click Amy Santiago, click Save, and then click Close three times.
4. Open Sales details page, and ensure that Amy Santiago now lists under the Members list.
5. Click Delete group.
6. On the Delete group page, click Delete, and then click Close.
7. On the left side menu, point to Users, and then click Active users.
8. Confirm that Amy Santiago's account still exists in the list of users.
9. Close Microsoft Edge.

Exercise 3: Managing your Microsoft 365 identity

environment using Windows PowerShell

Task 1: Install Microsoft Azure Active Directory

1. On LON-CL1, open Microsoft Edge, and browse to: http://aka.ms/t01i1o
2. Under Microsoft Online Services Sign-In Assistant for IT Professionals RTW, click Download.
3. Select the en\msoidcl_64.msi check box, and then click Next.
4. Wait for the download to finish.
5. When the download finishes, click Run.
6. In the Microsoft Online Services Sign-in Assistant Setup wizard, click I accept the terms in the
License Agreement and Privacy Statement, and then click Install.
7. In the User Account Control dialog box, click Yes.
8. On the Completed the Microsoft Online Services Sign-in Assistant Setup Wizard page, click Finish.
9. Close Microsoft Edge.
10. Right click on Start and click Windows PowerShell (Admin).
11. At the prompt, type Install-Module MSOnline command.
12. If prompted to install the NuGet provider, type Y and press ENTER.
13. If prompted to install the module from PSGallery, type Y and press ENTER.

Page 29
Task 2: Create new users and assign licenses
1. On LON-CL1, run Windows PowerShell (Admin).
2. If a User Account Control dialog box appears, click Yes.
3. At the command prompt, type the following command, and then press Enter:

Connect-MsolService

4. In the Enter Credentials dialog box, sign in as [email protected], where

yyxxxxx is your unique Adatum number, with the password Pa55w.rd.
5. At the command prompt, type the following command, and then press Enter; xxyyzza is your
unique domain name:

New-MsolUser -UserPrincipalName [email protected] -DisplayName

"Catherine
Richard" -FirstName "Catherine" -LastName "Richard" -Password 'Pa55w.rd' -
ForceChangePassword
$false -UsageLocation "CH"

6. At the command prompt, type the following command, and then press Enter; xxyyzza is your
unique domain name:
New-MsolUser -UserPrincipalName [email protected] -DisplayName "Tameka
Reed" -
FirstName "Tameka" -LastName "Reed" -Password 'Pa55w.rd' -ForceChangePassword
$false -
UsageLocation "CH"

7. To determine which users are unlicensed, at the command prompt, type the following command,
and then press Enter:

Get-MsolUser -UnlicensedUsersOnly

8. To view the available licenses, at the command prompt, type the following command, and then
press Enter:

Get-MsolAccountSku

9. To license Catherine Richard, at the command prompt, type the following command, and then
press Enter; replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com
domain name provided by the hosting provider:

Page 30
 Set-MsolUserLicense -UserPrincipalName [email protected] -
AddLicenses
"Adatumyyxxxxx:ENTERPREMIUM

10. To license Tameka Reed, at the command prompt, type the following command, and then press
Enter; replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com domain
name provided by the hosting provider:

Set-MsolUserLicense -UserPrincipalName [email protected] -AddLicenses

"Adatumyyxxxxx:ENTERPRISEPREMIUM"

11. To prevent a user from signing in, at the command prompt, type the following command, and then
press Enter; xxyyzza is your unique domain name:

Set-MsolUser -UserPrincipalName [email protected] -BlockCredential

$true

12. To delete a user, at the command prompt, type the following command, and then press Enter;
xxyyzza is your unique domain name:

Remove-MsolUser -UserPrincipalName [email protected] -Force

13. To view the Deleted Users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser -ReturnDeletedUsers

14. Verify that Catherine Richard is in the list of deleted users. Note that it specifies that she is still
licensed.
15. To restore a deleted user, at the command prompt, type the following command, and then press
Enter; xxyyzza is your unique domain name:

Restore-MsolUser -UserPrincipalName [email protected]

16. To view the deleted users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser -ReturnDeletedUsers

17. Verify that Catherine Richard is no longer in the list of deleted users.
18. To view the active users list, at the command prompt, type the following command, and then
press Enter:

Page 31
 Get-MsolUser

19. Verify that Catherine Richard is in the active users list.

20. To allow a user to sign in, at the command prompt, type the following command, and then press
Enter; xxyyzza is your unique domain name:
Set-MsolUser -UserPrincipalName [email protected] -BlockCredential
$false

Task 3: Modify user accounts

1. On LON-CL1, on the taskbar, click File Explorer.
2. Navigate to C:\labfiles, right-click O365users.csv, point to Open with, and then click Notepad.
3. In Notepad, click Edit, and then click Replace.
4. In the Find what text box, type yourdomain.hostdomain.com
5. In the Replace with text box, type your unique public domain name value xxyyzza.xtremelabs.us
(where xxyyzza is your unique UPN name), and then click Replace All.
6. In the Find what text box, type Adatumyyxxxx
7. In the Replace with text box, type your unique Adatumyyxxxxx value and then click Replace All.

Note: Adatumyyxxxx in this step must be the onmicrosoft.com domain name.

8. Close O365users.csv, and then in the Notepad message box, click Save.
9. To bulk import several users from a comma-separated value (CSV) file, copy and paste this code
into the Administrator: Microsoft Azure Active Directory Module for Windows PowerShell window
on LON-CL1, and then press Enter: PLEASE COPY TO A NOTE PAD.

Import-Csv -Path C:\labfiles\O365Users.csv | ForEach-Object { New-MsolUser -

UserPrincipalName
$_."UPN" -AlternateEmailAddresses $_."AltEmail" -FirstName $_."FirstName" -
LastName
$_."LastName" -DisplayName $_."DisplayName" -BlockCredential $False -
ForceChangePassword
$False -LicenseAssignment $_."LicenseAssignment" -Password $_."Password" -

PasswordNeverExpires $True -Title $_."Title" -Department $_."Department" -Office

$_."Office"
-PhoneNumber $_."PhoneNumber" -MobilePhone $_."MobilePhone" -Fax $_."Fax" -
StreetAddress
$_."StreetAddress" -City $_."City" -State $_."State" -PostalCode $_."PostalCode" -
Country
$_."Country" -UsageLocation $_."UsageLocation" }

Page 32
10. To view the Active Users list, at the command prompt, type the following command, and then
press Enter:

Get-MsolUser

11. Open Microsoft Edge, and then browse to https://portal.office.com/.

12. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
13. On the Home page, click Admin, point to Users and click Active Users.
14. Review the active users that you just imported.

Task 4: Configure groups and group membership

1. To create a Marketing group, at the command prompt, type the following command, and then
press Enter:

New-MsolGroup -DisplayName "Marketing" -Description "Marketing department users"

2. To configure a variable for the group, at the command prompt, type the following command, and
then press Enter:

$MktGrp = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Marketing"}

3. To configure a variable for the first user account, at the command prompt, type the following
command, and then press Enter:

$Catherine = Get-MsolUser | Where-Object {$_.DisplayName -eq "Catherine Richard"}

4. To configure a variable for the second user account, at the command prompt, type the following
command, and then press Enter:

$Tameka = Get-MsolUser | Where-Object {$_.DisplayName -eq "Tameka Reed"}

5. To add Catherine Richard to the Marketing group, at the command prompt, type the following
command, and then press Enter:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -

GroupMemberObjectId $Catherine.ObjectId

6. To add Tameka Reed to the Marketing group, at the command prompt, type the following
command, and then press Enter:

Page 33
 Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -
GroupMemberObjectId $Tameka.ObjectId

7. To verify the members of the Marketing group, at the command prompt, type the following
command, and then press Enter:

Get-MsolGroupMember -GroupObjectId $MktGrp.ObjectId

Task 5: Configure user passwords

1. At the command prompt, type the following command, and then press Enter; yyxxxxx is your
unique Adatum number:
Set-MsolPasswordPolicy -DomainName "Adatumyyxxxxx.onmicrosoft.com" -ValidityPeriod
"90" -NotificationDays "14"

2. At the command prompt, type the following command, and then press Enter; yourdomain is your
unique domain name:

Set-MsolUserPassword -UserPrincipalName "[email protected]" -

NewPassword 'Pa55w.rd123'

3. At the command prompt, type the following command, and then press Enter:

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false

Task 6: Assign service administrators in the Microsoft 365 admin

center
This task does not use Windows PowerShell, but it does set up your service administrators so that you
can manage them in the next task using PowerShell.

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com.

2. Sign in as [email protected], where yyxxxxx is your unique Adatum
number, with the password Pa55w.rd.
3. In the Office 365 admin center, click Admin.
4. On the left-hand side, point to Users, click Active users, and then click Francisco Chaves.
5. On the Francisco Chaves page, in the Roles section, click Edit.
6. Under Edit user role, click Customized administrator, select Billing administrator from the list, in
the Alternate email address text box, click Edit, type [email protected], click Save, and then click
Close twice.
7. In the list view, click Tameka Reed.
8. On the Tameka Reed page, in the Roles section, click Edit.
9. Under Edit user role, click Customized administrator, and then select Password administrator
from the list.

Page 34
10. In the Alternative email address text box, click Edit, type [email protected], and then click Save, and
then click Close twice.
11. In the list view, click Christie Thomas.
12. On the Christie Thomas page, in the Roles section, click Edit.
13. Under Assign role, click Customized administrator, and then select User management
administrator from the list.
14. In the Alternative email address text box, click Edit, type [email protected], click Save, and then click
Close twice.
15. Close Microsoft Edge.

Task 7: Manage service administration with Windows

PowerShell
1. In the Windows PowerShell window, at the command prompt, type the following command, and
then press Enter (where xxyyzza is your unique UPN name):

Add-MsolRoleMember -RoleName "Service Support Administrator" -

RoleMemberEmailAddress "[email protected]"

2. At the command prompt, type the following command, and then press Enter (where xxyyzza is
your unique UPN name):

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress

"[email protected]"

3. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Service Support Administrator"

4. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

5. Verify that Sallie McIntosh is in the list of users who have the Service Support Administrator role.
6. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Billing Administrator"

7. At the command prompt, type the following command, and then press Enter:

Page 35
 Get-MsolRoleMember -RoleObjectId $role.ObjectId

8. Verify that Francisco Chaves is in the list of users who have the billing administrator role.
9. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Company Administrator"

10. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

11. Verify that Amy Santiago is in the list of users who have the Company Administrator role. You
should also see Holly Dickson on the list.
12. Close the Windows PowerShell window.

Task 8: Verify service administration

1. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com.
2. Sign in as [email protected], where xxyyzza is your unique domain name, with the
password Pa55w.rd123.
3. On the Update your password page, in the Current password text box, type Pa55w.rd123.
4. In the New password and Confirm password text boxes, type a unique password, and then click
Update password and sign in.
5. On the Office 365 portal, click Admin.
6. If prompted, sign in again as [email protected] using the password you chose in
Step 4.
7. On the Home page, click Active Users.
8. Click Jessica Jennings. Note that you cannot perform any administrative tasks.
9. Click Reset passwords.
10. On the Reset password page, click Reset.
11. Write down the temporary password here for future reference, and then click Send email and
close.
12. Close and reopen Microsoft Edge, and then browse to https://portal.office.com.
13. Sign in as [email protected], using the password Pa$$w0rd.
14. In the Office 365 portal, click Admin.
15. If asked about update your admin contact information click on the cancel button to skip this
request.

Page 36
16. In the Office 365 admin center, on the Home page, click Active Users, and then click Jessica
Jennings.
17. On the Jessica Jennings page, in the Contact information section, click Edit.
18. On the Edit contact information page, expand Contact information.
19. In the Office Phone text box, type 555-1234, click Save, and then click Close.
20. In the Sign-in status section, click Edit, click Block the user from signing in, click Save, and then
click Close twice.
21. In the Office 365 admin center, click Add a user.
22. In the First name text box, type Chris.
23. In the Last name text box, type Breland.
24. Notice the Display name text box is automatically completed as Chris Breland.
25. In the User name text box, type Chris, click Add, in Product licenses section, enable Office365 E3
license, and then click Send email and close.
26. In the Active users list, click Chris Breland.
27. On Chris Breland page, click the Delete user.
28. On the Delete user page, click Delete, and then click Close.
29. Close Microsoft Edge.

Page 37
Lab 2: Implementing Identity Synchronization
NOTE: This lab should be performed after you complete Module 2.

You are now ready to start the directory synchronization process. In this lab exercise you to first make
sure your local Active Directory is ready to start the directory synchronization process by adding a
custom domain to the forest and configuring Exchange to use the new custom domain.

Exercise 1: Setting up your organization for identity

synchronization
Task 1: Configure your UPN suffix
1. On LON-DC1, log on as ADATUM\Administrator and password Pa55w.rd.
2. Using Windows PowerShell, update the UPN suffix for the domain and on the UPN on every user in
AD DS with “@xxyyzza.xtremelabs.us” (where xxyyzza is your unique UPN name) for the domain
name. To do this, run the following command (remember to change xxyyzza to your unique UPN
name):
Set-ADForest -identity "adatum.com" -UPNSuffixes
@{replace="xxyyzza.xtremelabs.us"}

3. Next type the follow command (remember to change xxyyzza to your unique UPN name):
Get-ADUser –Filter * -Properties SamAccountName | ForEach-Object { Set-ADUser $_ -
UserPrincipalName ($_.SamAccountName + "@xxyyzza.xtremelabs.us" )}

Task 2: Prepare problem user accounts

1. On the LON-DC1, in the Windows PowerShell prompt, type the following command, and then
press Enter:
CD C:\labfiles\

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

Set-ExecutionPolicy Unrestricted

3. To confirm the execution policy change, press Enter.

4. At the Windows PowerShell prompt, type the following command, and then press Enter:

Page 38
 .\CreateProblemUsers.ps1

Note: Wait until the script has completed before proceeding to the next step.

5. This Windows PowerShell script will make the following changes in AD DS:
• Amr Zaki. Add the "@" character to the beginning of "adatum" for the UserPrincipalName
attribute.
• Brad Sutton. Replace the existing string with "[email protected]" for the emailAddress
attribute.
• Don Funk. Replace the existing string with "[email protected]" for the emailAddress
attribute.
• Holly Dickson. Replace the existing string with "holly @adatum.com" for the EmailAddress
attribute.
• Kelly Rollin. Replace the existing string with " " for the emailAddress attribute.

Task 3: Run the IdFix tool and fix identified issues

1. On LON-CL1, open Microsoft Edge, and then connect to https://www.microsoft.com/en-
us/download/details.aspx?id=36832
2. On the IdFix DirSync Error Remediation Tool page, click Download.
3. Wait for the download to complete, and then click Open.
4. In the File Explorer windows, browse to the Downloads folder, right-click IdFix.zip, and then click
Extract All...
5. In the Extract Compressed (Zipped) Folders dialog box, in the destination box, type
C:\Deployment Tools\IdFix, and then click Extract.
6. In File Explorer, in the C:\Deployment Tools\IdFix folder, right-click IdFix.exe, and then click Run
as administrator.
7. In the User Account Control dialog box, click Yes.
8. In the IdFix Privacy Statement message box, click OK.
9. Click Query. You should see several errors.
10. Click the ERROR column to sort the character errors to the top of the list. Note: Ignore
topleveldomain errors, which cannot be fixed by the IdFix tool.

11. In the Amr Zaki row, in the ACTION column, select EDIT.
12. In the Holly Dickson row, in the ACTION column, select EDIT. 13. In the Kelly Rollin row, in the
ACTION column, select EDIT
14. On the toolbar, click Apply.
15. In the Apply Pending dialog box, click Yes; note the COMPLETE status in the ACTION column
indicating successful writes.

Page 39
16. Switch to File Explorer, and in the C:\Deployment Tools\IdFix folder, double-click Verbose <date>
<time>.txt to view the updated transactions in the transaction log.
17. Switch back to the IdFix tool.
18. On the toolbar, click Query.
19. Click in the UPDATE column to locate the Don Funk error, and replace the string with
[email protected], and then in the ACTION column, select EDIT.
20. Click in the UPDATE column to locate the Kelly Rollin error, and replace the string with
[email protected], and then in the ACTION column, select EDIT.
21. On the toolbar, click Apply.
22. In the Apply Pending box, click Yes.
23. On the toolbar, click Query and verify that errors are corrected.

Note: Where there are format and duplicate errors for distinguished names, the UPDATE column
either contains the same string as the VALUE column, or the UPDATE column entry is blank; in
either case, this means that IdFix cannot suggest a remediation for the error. You can either fix
these errors outside IdFix, or manually remediate them within IdFix. You can also export the
results and use Windows PowerShell to remediate many errors.

Task 4: Enable Directory Synchronization

1. On LON-DS1, if necessary, log on as ADATUM\Administrator and password Pa55w.rd.
2. Open Internet Explorer, click on the gear icon ( ) in the top right corner.
3. Choose Internet Options.
4. Click on the Security tab.
5. Click Internet. Click Custom Level. Scroll down and under the Downloads section, under File
download, select Enable. Click OK
6. Click Yes to confirm you want to change the settings for this zone.
7. Click on Trusted sites and click on Sites.
8. Type in https://outlook.office365.com/, click on Add.
9. Type in https://outlook.office.com/, click on Add.
10. Type in https://portal.office.com/, click on Add and Close.
11. Click Ok.
12. Browse to https://portal.office.com/.
13. Sign in as [email protected] with the password Pa55w.rd (where XXYYZZ is
your unique Adatum O365 Blob).
14. Click Admin
15. If asked about update your admin contact information click on the cancel button to skip this
request.

Page 40
16. In the left side menu, click Users, and then click Active Users.
Note: If you see the Active Directory synchronization is being activated warning, you can ignore it
at this time, but you will not be able to run directory synchronization later in this exercise. You
must wait until directory synchronization is activated. However, you can complete the following
steps, even if you do see the warning message.

17. Click Holly Dickson.

18. On the Holly Dickson page, click Edit in the User name / Email section.
19. In the Aliases section, type Holly in the Alias textbox and ensure that xxyyzza.xtremelabs.us
domain is selected. Click Add.
20. Click Set as primary and then read the warning and click Save.
21. You should be signed out automatically, but if not click on the top right corner of Holly Dickson’s
profile icon and click Sign Out.
22. Close Internet Explorer.
23. Open Internet Explorer.
24. Sign in as [email protected] with the password Pa55w.rd (where XXYYZZ is your UPN
domain).
25. Click Admin
26. If asked about update your admin contact information click on the cancel button to skip this
request.

27. In the left-hand navigation, select the user’s icon ( ) and select Active users, click on More on
the top menu and choose Directory Synchronization.
28. Click on the Go to the DirSync readiness wizard.
29. On the next screen choose 51-250 for the number of users you will move to the cloud, click Next.
30. Click Next on the Sync your local directory with the cloud screen.
31. Click continue manually to skip checking your directory since it was already fixed.
32. Click Next to configure the domains.
33. Click Ok I’ve added and verified all my domains to continue.
34. Click Next to continue the process (Skip IdFix).
35. Click on Download to go to the download page for Azure AD Connect.
36. Click Download again to download Azure AD Connect application.
37. Click Save and Run the download.

Task 5: Set up Azure AD Connect

1. On the Welcome screen, click in the check box I agree to the license terms and privacy notice.
2. If asked, click on Continue.
3. Click on Use express settings.

Page 41
4. On the Connect to Azure AD screen enter your Office 365 admin username
[email protected] with password Pa55w.rd (where XXYYZZ is your UPN domain) and
click Next.

5. On the Connect to AD DS screen enter your domain administrator ADATUM\Administrator and

password Pa55w.rd and click Next.
6. Click Next on the Azure AD sign-in configuration screen.
7. On the Ready to configure screen click the check box for Start the synchronization process when
configuration completes and click on Install.
8. Wait for the installation to complete.
9. Click on Exit.
10. Click on Start, search for the Synchronization Service application and open it.
11. Monitor the synchronization process by looking at the operations tab. Wait for the Export profile
to complete (Status: success)
12. Return to the Run Azure Active Directory Connect screen in Internet Explorer and click on Next.

Note: The web page should say Directory synchronization enabled. If it doesn’t then refresh the
page to see the that the Directory synchronization is enabled. If status does not update continue
to the next step if the export was successful.

13. Click Next on the Make sure sync worked as expected screen.
14. Click Next on the Activate users screen.
15. Click Finish on the You’re all set up screen.

Task 6: Create a new user and group account

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and
Computers.
2. In the console tree, expand Adatum.com, right-click Research, click New, and then click User.
3. In the First name box, type Perry.
4. In the Lastname box, type Brill.
5. In the User logon name box, type Perry, select your lab domain UPN (not Adatum.com), and then
click Next.
6. In the Password and Confirm password boxes, type Pa55w.rd, clear the User must change
password at next logon checkbox, select the Password never expires checkbox, click Next, and
then click Finish.
7. In the Research OU user list, double-click the Perry Brill user.
8. In the Properties dialog box, in the E-mail box, type [email protected], and then click
OK.

Page 42
9. In the console tree, right-click the Research OU, click New, and then click Group.
10. In the New Object - Group window, in the Group name: box, type Project Team, click Universal,
click Distribution, and then click OK.
11. In the Research OU, double-click the Project Team group.
12. In the Properties dialog window, in the E-mail box, type [email protected].
13. On the Members tab, click Add.
14. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select, type the following names, and then click Check Names:
• Anil Elson
• Deepak Kumar
• Olivier Renaud

15. Click OK twice.

Task 7: Change group membership

1. In the console tree of Active Directory Users and Computers, click Research.
2. In the right pane, double-click Research.
3. In the Research Properties dialog box, click the Members tab.
4. Select the following three users, and then click Remove. In the confirmation dialog box, click Yes.
• Chloe Brussard
• Chris Sells
• Florian Stiller
5. Click OK.

Exercise 2: Implement identity synchronization

Task 1: Force synchronization
1. On LON-DS1, from the taskbar, right-click the Windows PowerShell shortcut, and then click Run as
administrator.

Note: If a User Account Control dialog box appears, click Yes.

2. At the Windows PowerShell prompt, type the following, and then press Enter:

Start-ADSyncSyncCycle -PolicyType Delta

Page 43
 Note: The Delta switch is used here so that only the updates are synchronized.

3. Wait until synchronization has completed before proceeding to the next task.

Task 2: Validate the results of directory synchronization

1. To verify the new user you created, on LON-CL1, open the Office 365 Admin Center in Microsoft
Edge by typing https://portal.office.com/admin/default.aspx in the address bar.
2. Sign in using the following credentials:
• User name: [email protected]
• Password: Pa55w.rd
3. If you are connected to the previous Office 365 admin center, click that banner at the top of the
page to connect to the new Office 365 admin center.
4. In the Office 365 Admin Center, in the left navigation, click Users, and then click Active Users.
5. In the Active Users list, verify that Perry Brill has a value of Synced with Active Directory in the
Sync Type column.

Note: You might need to wait up to 10 minutes before the account appears. Refresh the list until
you see Perry Brill's account.

6. In the Active Users list, click the Perry Brill.

7. Under the Product licenses section, click Edit.
8. On the Product licenses page, in the Location drop-down menu, select United Kingdom, and then
click on the icon next to Office 365 Enterprise E3.
9. Click Save, and then click Close twice.
10. Repeat the steps 8-11 to assign an Office 365 license for user Anil Elson.
11. To verify that you have created the new group, in Office 365 admin center, in the left navigation,
click Groups, and then click Groups.
12. In the Groups list, verify that the Project Team appears.

Note: You might need to wait up to 10 minutes before the group appears. Refresh the list until
you see the object.
13. In the Groups list, select the Project Team group.
Note: In the right pane, notice that Edit Members is unavailable. This is because group membership
is maintained by Active Directory. To view the membership, you need to use Windows PowerShell.
14. On LON-CL1, on the desktop, if PowerShell is not already open,and then click Run as
administrator.
15. If a User Account Control dialog box appears, click Yes.
16. If PowerShell wasn’t open, at the command prompt, type the following command, and then press
Enter:

Page 44
 Connect-MsolService

17. If necessary, in the Enter Credentials dialog box, sign in as

[email protected], where yyxxxxx is your unique Adatum number, with the
password Pa55w.rd.

18. Type the following command, and then press Enter:

Get-MsolGroup

19. Verify that you see Research and Project Team groups. Copy the ObjectID value for these two
groups.
20. To verify that you updated the group membership in AD DS, type the following command at the
Windows PowerShell prompt, and then press Enter (where <<ObjectID for Research group>> is the
ObjectID of the group):

Get-MsolGroupMember -GroupObjectId <<ObjectID for Research group>>

21. Verify the membership of the group does not contain the users removed in AD DS. The users who
were removed from the group are:
• Chloe Brussard
• Chris Sells
• Florian Stiller

22. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolAccountSku

Note: This command shows the current license consumed units.

Task 3: Deploy Azure AD Pass-through Authentication

1. Sign in to the LON-DS1 virtual machine as ADATUM\Administrator with a password of Pa$$word.
2. On the desktop, double click the Microsoft Azure AD Connect application.
3. Select Change user Sign-in and then click Next.
4. Click configure.
5. Sign in to Azure AD.

Page 45
6. Select Pass-Through Authentication and then click Next.
7. Upon successful completion Pass-Through Authentication will be enabled.
8. To verify that Pass-Through Authentication is successfully enabled, open an Edge Browser.
9. Sign in to https://aad.portal.azure.com/.
10. Select Azure Active Directory on the left pane.
11. Verify pass-through authentication feature appears as ENABLED.
12. Select Pass-Through Authentication. The Pass-Through authentication pane lists the servers
where your authentication agents are installed.

End of lab

Page 46