Module 2: Managing Users and Groups in Office 365

Module Overview

After setting up your Office 365 tenant, the next stage is to give access to users. In this module, you will learn how to create, manage and license users in Office 365, via PowerShell and using synchronization with on-premises directory services. This module also introduces the different types of groups available in Office 365 and how they are used. You will then learn how to manage administrative access using Role Based Access Control (RBAC).

Objectives

After completing this module, students will be able to:
- Manage User Accounts and Licences in the Cloud
- Configure Office 365 Password Policies
- Manage Security Groups and Microsoft 365 Groups in the Cloud
- Manage Users and Groups via PowerShell
- Configure Administrative Access
- Plan and Prepare for Directory Synchronization
- Implement Directory Synchronization using Azure Active Directory Connect
- Manage Users and Groups in Office 365 using Directory Synchronization

Lesson 1 - Managing User Accounts and Licenses

Describe the user account types

User accounts for the Microsoft cloud, including Office 365, are held in Azure Active Directory (AAD). You can maintain the identities solely in the cloud (AAD) or synchronize them with your on-premises identity provider, Active Directory Domain Services (AD DS).

User Account Types
- Cloud identities: exist only in AAD; primarily small organizations; also used for guest accounts
- Synchronized identities: exist in AD DS and AAD; can synchronize password hashes; are managed in AD DS
- Federated identities: add SSO for synchronized identities; require AD FS (pass-through authentication can be implemented as an alternative to AD FS)

Cloud Only Identities

Cloud-only identities are managed in AAD or the Microsoft 365 admin center. These users exist only in Azure AD.
Examples are administrator accounts and users that you manage yourself. Their source is Azure Active Directory, or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.

The main drawback to using cloud identities is the additional management associated with them if you use both cloud and on-premises identity provision. However, with the device management tools in Microsoft 365 and the ability to use AAD as an identity provider for apps and services outside the Microsoft cloud, it is no longer accurate to say that cloud-only identities are only suitable for smaller organizations. This option is primarily used by smaller or new organizations, as they typically do not have an existing investment in on-premises architecture to connect with. Cloud-only identities are also used for guest users from other organizations.

Synchronized Identities

These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users into Azure AD. Their authoritative source is usually an on-premises Windows Server Active Directory environment.

A synchronized identity is an identity (user) that exists in both on-premises AD DS and in Azure Active Directory (AAD). A user's on-premises AD DS identity and AAD identity are two different objects that are linked together using a subset of the on-premises account attributes. Changes made to the user account in AD DS are automatically synchronized to AAD.

While AD DS is the authoritative source for most information, authentication for synchronized identities occurs in AAD when password hash synchronization is used: the username and password are evaluated in AAD without any reliance on the on-premises infrastructure. Note that Azure AD Connect never sends the clear-text password to the cloud; it synchronizes a hash derived from the on-premises password hash. If pass-through authentication is chosen instead, the password is validated against on-premises AD DS through an agent, so on-premises availability matters again.

Federated Identities

Microsoft 365 supports federated identity.
This means that instead of performing the validation of credentials itself, Microsoft 365 refers the connecting user to a federated authentication server that Microsoft 365 trusts. If the user's credentials are correct, the federated authentication server issues a security token that the client then sends to Microsoft 365 as proof of authentication. Federated identity allows for the offloading and scaling up of authentication for a Microsoft 365 subscription and enables advanced authentication and security scenarios. The trade-off is that the federation server becomes part of the sign-in path: if it is unavailable or compromised, cloud sign-in is affected as well.

The main benefit of using federated identities is single sign-on (SSO). Users authenticate at a domain-joined workstation by using their credentials. SSO uses these credentials to automatically authenticate to Microsoft 365 services. When you use synchronized identities, the users typically need to enter their credentials manually when accessing Microsoft 365 services (unless Azure AD Seamless SSO is configured for domain-joined devices).

For an overview of identity in Office 365 see https://aka.gd/3HKetKS

Create and manage Microsoft 365 user accounts

Creating User Accounts

User provisioning options include:
- Azure Active Directory portal
- Microsoft 365 admin center
- Import multiple users
- Windows PowerShell
- Directory synchronization

Cloud-only user accounts can be created in a number of different ways:
- Microsoft 365 admin center: manually, or by importing multiple users from a comma-separated values (CSV) file
- Azure Active Directory portal: manually, or by importing multiple users from a CSV file
- Windows PowerShell
- Directory synchronization

Creating users with the Microsoft 365 admin center

While there are multiple ways in which to create users for Microsoft/Office 365, using the Microsoft 365 admin center is the simplest method for creating a single cloud-only identity or a small number of user accounts. To create a single user, carry out the following steps:

1. Sign in to the Microsoft 365 admin center with credentials that have permission to create users.
2. On the Microsoft 365 admin center Home page, in the left-hand navigation pane, expand Users, and then select Active users.
3. On the menu bar, select Add a user.
4. Follow the steps in the wizard, completing the user information, administrator role(s) if applicable, user location, licenses and any optional information.
5. Specify whether the user will be assigned a password, or whether to send a confirmation email that contains a temporary password and requires the user to enter a new password at first sign-in.
6. Create the user account.

Note: The password is sent as plaintext in the email, as per the screenshot below. Treat that message as a credential: send it only to a mailbox the recipient already controls, or hand the temporary password over by another channel, and keep "change password at next sign-in" set so the emailed value is short-lived.

[Screenshot: notification email "A user account has been created or modified", showing the user name and the temporary password in clear text, followed by "Here's what to do next: share this information with your users; once they've signed in with their temporary password, they can create their own by following the instructions on the sign-in page."]

Bulk Import users option

You can use the Import multiple users option in the Microsoft 365 admin center to import large numbers of users in one operation by using a CSV file. Although this is not common in industry, a typical example may be a new intake of university students: the entire intake's details are exported from an enrollment system and given to you as an Office 365 administrator to import and create the users. You can download an empty template and/or a sample CSV file to make the process easier.

For more information on creating user accounts see https://aka.gd/3JoxIPr

Manage User Licenses

While assigning Office 365 service licenses to users, you can:
- Replace existing licenses
- Add to existing licenses
You can view license information such as:
- Unlicensed users
- Number of used licenses

Users must be assigned a license in order to use services such as Microsoft Office, Exchange Online, SharePoint Online, and Microsoft Teams.
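As an added example that is not part of the course material, the following script does from PowerShell what the bulk-import wizard above and the licence-assignment steps that follow do in the admin center: it creates cloud-only users from a CSV, generates each temporary password with a cryptographic RNG instead of mailing one in clear text, checks seat availability, and assigns the licence. It assumes the Microsoft Graph PowerShell SDK (the course's own PowerShell lesson is not on this page, so the module choice is mine), an admin holding User Administrator and License Administrator rights, and constructed sample data (the contoso.onmicrosoft.com domain, the second user and the SKU part number are placeholders).

```powershell
# Added example, not part of the course material: bulk-create cloud-only users from a CSV
# and license them with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: the signed-in admin holds User Administrator and License Administrator rights;
# the tenant domain, names and SKU part number below are constructed sample data.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Constructed sample import file. In practice: $rows = Import-Csv .\newusers.csv
$csvText = @'
GivenName,Surname,UserPrincipalName,UsageLocation,SkuPartNumber
Adele,Vance,adele.vance@contoso.onmicrosoft.com,GB,ENTERPRISEPACK
Alex,Wilber,alex.wilber@contoso.onmicrosoft.com,GB,ENTERPRISEPACK
'@
$rows = $csvText | ConvertFrom-Csv

function New-TemporaryPassword {
    # 16 characters drawn with a CSPRNG from a 64-symbol alphabet; 256 is a multiple of 64,
    # so "byte mod 64" introduces no bias. Regenerate until upper, lower and digit are all
    # present, because Azure AD requires three of the four character classes.
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    return $pw
}

# Resolve SKU part numbers to SkuIds once and track free seats locally, so every row is
# checked against the seat count rather than only the first one.
$skuById   = @{}
$seatsLeft = @{}
foreach ($sku in Get-MgSubscribedSku) {
    $skuById[$sku.SkuPartNumber]   = $sku.SkuId
    $seatsLeft[$sku.SkuPartNumber] = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
}

$results = foreach ($row in $rows) {
    $upn = $row.UserPrincipalName
    if (-not $skuById.ContainsKey($row.SkuPartNumber)) {
        Write-Warning "${upn}: SKU $($row.SkuPartNumber) is not in this tenant; skipping"
        continue
    }
    if ($seatsLeft[$row.SkuPartNumber] -le 0) {
        Write-Warning "${upn}: no free $($row.SkuPartNumber) seats; user not created"
        continue
    }

    $tempPassword = New-TemporaryPassword
    $params = @{
        AccountEnabled    = $true
        GivenName         = $row.GivenName
        Surname           = $row.Surname
        DisplayName       = "$($row.GivenName) $($row.Surname)"
        MailNickname      = $upn.Split('@')[0]
        UserPrincipalName = $upn
        UsageLocation     = $row.UsageLocation   # required before any licence can be assigned
        PasswordProfile   = @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
    }
    $user = New-MgUser @params

    # -RemoveLicenses must be supplied even when it is empty.
    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @(@{ SkuId = $skuById[$row.SkuPartNumber] }) `
        -RemoveLicenses @() | Out-Null
    $seatsLeft[$row.SkuPartNumber]--

    # The temporary password is returned to the operator here, not e-mailed in clear text;
    # hand it to the user over a channel they already control.
    [pscustomobject]@{ UserPrincipalName = $upn; ObjectId = $user.Id; TempPassword = $tempPassword }
}

$results | Format-Table -AutoSize
```

Two details matter in practice: New-MgUser fails with a licensing error later if UsageLocation is missing, which is why it is set at creation time rather than in a separate step, and Set-MgUserLicense adds to the existing assignment (the "Add to existing licenses" option from the slide); to "replace" a licence, pass the old SkuId in -RemoveLicenses in the same call.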
A license can be assigned when creating the user or post creation. Once a license has been allocated to a user, the service provisions access. For example, in Exchange Online the user's mailbox is provisioned automatically; there is no additional administration to be done.

Assigning licenses to users

In order to assign and manage licenses you need the Global Admin role or the User Management Admin role (the more limited License Administrator role is also sufficient, and is the least-privilege choice for this task). You can bulk assign and/or remove licenses for a user or multiple users at one time. To do this, you can use the Microsoft 365 admin center or Windows PowerShell.

To assign or remove licenses for multiple users in the Microsoft 365 admin center:
1. On the Microsoft 365 admin center Home page, select Users in the left-hand navigation pane and then select Active users.
2. On the Active users page, select the users that you want to assign or remove licenses for, and then select Manage product licenses on the menu bar.
3. On the Manage product licenses pane, select or unselect the services as required, and then select Save changes.

Note: You can assign licenses for specific services by expanding the Apps section and selecting or unselecting the apps as required.

Warning: Once you remove a license from a user, any data that is associated with that user is deleted. For example, their email and OneDrive assets will be deleted. You have a 30-day grace period in which you can recover the data; once this period has expired the data is no longer retrievable.

Viewing license information

You can use the Microsoft 365 admin center to view important information about your organization's user license usage, such as how many licenses have been assigned, how many are remaining, and which users are currently unlicensed.

To view the number of licenses remaining:
1. In the Microsoft 365 admin center, select Billing in the left-hand navigation pane, and then select Licenses.
2. On the Licenses page, note how many licenses are valid and how many licenses have been assigned.

To view any unlicensed users:
1. On the Microsoft 365 admin center Home page, select Users in the left-hand navigation pane and then select Active users.
2. On the Active users page, select Filter on the menu bar, and then in the menu that appears, select Unlicensed users.

For more information on assigning user licenses see https://aka.gd/33d9h1y

Delete and Restore Microsoft User Accounts

However you provision user accounts, you can still manage user account settings by using either the Microsoft 365 admin center, the AAD portal or PowerShell cmdlets.

Editing Users

You can use the Microsoft 365 admin center to edit a single user or multiple users at one time. To edit user properties, follow this procedure:
1. On the Microsoft 365 admin center Home page, select Users in the left-hand navigation pane and then select Active users.
2. On the Active users page, select the user account that you want to edit to open the User Properties page.
3. The User Properties page includes the following tabs for maintaining user account information:
   - Account tab. You can view and edit account properties including: username, email address and email aliases; group and role membership; contact information; Office activations; multifactor authentication.
   - Devices tab. You can view any devices the user has registered in Azure Active Directory (Azure AD).
   - Licenses and Apps tab. You can choose which licenses and apps are assigned to the user and specify the user location.
   - Mail tab. You can view and edit information including mailbox permissions, mail apps, email forwarding and automatic replies.
   - OneDrive tab. You can maintain settings relating to file access, storage usage and file sharing.

Deleting and Recovering User Accounts

When users no longer require a user account, you must delete their user accounts to ensure they can no longer access services or data. (For a leaver, blocking sign-in and revoking sessions is the immediate step; deletion can follow once mailbox and OneDrive retention have been decided.) When you delete a user account, the assigned license for that user becomes available and can be reassigned.

To delete one or more users:
1. In the Microsoft 365 admin center Home page, select Users in the left-hand navigation pane and then select Active users.
2. On the Active users page, select the users that you want to delete, and then select Delete users on the menu bar.
3. In the Delete pane, select how you want to handle the user's licences, mailbox, and OneDrive, and then select Delete user.
4. Once the user is deleted and the changes are applied to licences, mailbox and OneDrive, select Close.

When you delete a user account, the account becomes inactive and the user cannot sign in to access the services. However, you can also restore a user's account after deletion. The account is retained as a soft-deleted inactive account for 30 days after deletion; this enables you to restore the account within that 30-day window. After 30 days the object is permanently purged and cannot be recovered.

Restoring a user:
1. In the Microsoft 365 admin center, select Users in the left-hand navigation pane and then select Deleted users.
2. On the Deleted users page, select the user that you want to restore, and then select Restore user on the menu bar.
3. In the Restore pane, select how you want to assign the user password, and then select Restore.
4. Once the user is restored, select Close.

Lab 2: Managing Users in Office 365

Lab scenario

In this lab you will create several additional user accounts in the Microsoft 365 admin center, each of which you will later add to new security groups that you'll also create. While Enterprise Admins typically do not add user accounts, this is a one-time task that you need to perform to prepare Adatum's test environment for future lab exercises in this course.
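As an added example that is not part of the course material, the following script covers two checks a practitioner wants around the delete/restore procedure above and the lab's note on global admin accounts: it lists soft-deleted users with the days left in the 30-day window and restores one by UPN, and it reports every Global Administrator together with the authentication methods they have registered, so that shared, password-only admin accounts stand out. It assumes the Microsoft Graph PowerShell SDK and an admin able to read role membership and authentication methods; the UPN at the bottom is a constructed placeholder, and the "fewer than five global admins" threshold is Microsoft's published recommendation.

```powershell
# Added example, not part of the course material: inspect and restore soft-deleted users,
# and audit Global Administrator membership, with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed; the UPN used at the bottom is constructed.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All',
                        'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All'

function Get-SoftDeletedUser {
    # Deleted users sit in the directory's deleted-items container for 30 days and are then
    # purged for good; DaysUntilPurge tells you how much of that window is left.
    Get-MgDirectoryDeletedItemAsUser -All | ForEach-Object {
        $age = ((Get-Date).ToUniversalTime() - $_.DeletedDateTime.ToUniversalTime()).TotalDays
        [pscustomobject]@{
            Id                = $_.Id
            UserPrincipalName = $_.UserPrincipalName
            DeletedDateTime   = $_.DeletedDateTime
            DaysUntilPurge    = [math]::Max(0, [math]::Floor(30 - $age))
        }
    }
}

function Restore-SoftDeletedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $item = Get-SoftDeletedUser | Where-Object UserPrincipalName -eq $UserPrincipalName
    if (-not $item) {
        throw "$UserPrincipalName is not restorable: never deleted, or already purged after 30 days"
    }
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $item.Id | Out-Null
    # A Graph restore brings the object back with its previous password and sign-in state.
    # Unlike the admin-center wizard it sets no new password, so block sign-in until the
    # account has been reviewed and a fresh credential issued.
    Update-MgUser -UserId $item.Id -AccountEnabled:$false
    return $item.Id
}

function Get-GlobalAdminReport {
    # The lab's best practice is few, named, MFA-enforced global admins. Registered
    # authentication methods are used as a proxy: a user whose only method is "password"
    # cannot satisfy an MFA prompt at all.
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    if (-not $role) { throw 'Global Administrator role is not activated in this tenant' }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type   = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $strong = @()
        if ($type -eq 'user') {
            $strong = @(Get-MgUserAuthenticationMethod -UserId $member.Id | ForEach-Object {
                $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.(\w+)AuthenticationMethod$', '$1'
            } | Where-Object { $_ -ne 'password' })
        }
        [pscustomobject]@{
            Type              = $type
            UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            DisplayName       = $member.AdditionalProperties['displayName']
            StrongMethods     = $strong -join ','
            NoMfaMethod       = ($type -eq 'user' -and $strong.Count -eq 0)
        }
    }
}

$admins = @(Get-GlobalAdminReport)
$admins | Format-Table -AutoSize
if ($admins.Count -gt 4) {
    Write-Warning "$($admins.Count) Global Administrators; Microsoft recommends fewer than five"
}
$admins | Where-Object NoMfaMethod | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has no MFA-capable method registered"
}

# Restore a constructed example account; uncomment to run against your own tenant.
# Restore-SoftDeletedUser -UserPrincipalName 'adele.vance@contoso.onmicrosoft.com'
```

The report only inspects direct role members; if you assign Global Administrator through role-assignable groups or PIM eligibility, extend it to expand those as well, otherwise the count will read lower than the real blast radius.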
Objectives
- Task 1: Create Microsoft 365 users
- Task 2: Edit Microsoft 365 users
- Task 3: Verify user settings

Important: As a best practice in your real-world deployments, you should always write down the first global admin account's credentials (in this lab, the MOD Administrator) and store them away securely. This account is a non-personalized identity that owns the highest privileges possible in a tenant. It is not MFA-activated (because it is not personalized) and the password for this account is typically shared among several users. Therefore, this first global admin is a perfect target for attacks, so it is always recommended to create personalized service admins and keep as few global admins as possible. For those global admins that you do create, they should each be mapped to a single identity (just as you're doing in this task for Holly), and they should each have MFA enforced. For the purpose of this lab environment, you will turn on MFA for Holly in the next lab exercise, which focuses on setting password policies.

Lab Review

Question: In the lab you created cloud-only accounts. What other methods of user creation are available?

Lesson 2 - Managing Passwords and Authentication

One of the biggest security risks comes from unauthorized use of user accounts. In this lesson, you will examine how you can increase the security posture in Office 365 using password policies and multi-factor authentication.

After completing this lesson, you will be able to:
- Describe password policy options.
- Describe self-service password management.
- Describe the concept of multifactor authentication (MFA).
- Plan and implement password policies and authentication.

Password Policy Options

Password policy:
- Specify the number of days for password expiration
- Specify the number of days for the password expiration warning
- Disable password expiration
Resetting user passwords:
- Create a new temporary password for users
Resetting admin passwords:
- Ask another administrator to reset it for you
- Reset it yourself on the sign-in screen

By setting password options, including expiry, we help to protect user passwords, which in turn helps to mitigate against password leaks. Be sure to consider all the features together when determining the required options to gain maximum protection alongside maximum usability. For example, passwordless sign-in combined with passwords that do not expire may give a better solution for your organization than expiring passwords and self-service password reset.

Setting password expiration

Historically, the default password expiration in Office 365 was 90 days, with users notified of impending expiration 14 days beforehand. In current tenants the default has changed: passwords are set to never expire for your organization unless an admin enables an expiration policy. As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by attackers. We recommend enabling multi-factor authentication rather than relying on rotation.

Follow the steps below if you want to set user passwords to expire after a specific amount of time:
1. In the Microsoft 365 admin center, go to the Security & privacy tab under Org settings. If you aren't a global admin, you won't see the Security & privacy option.
2. Select Password expiration policy.
3. If you don't want users to have to change passwords, uncheck the box next to Set user passwords to expire after a number of days.
4. Type how often passwords should expire. Choose a number of days from 14 to 730.
5. In the second box, type when users are notified that their password will expire, and then select Save. Choose a number of days from 1 to 30.

If a user does not change their password before the expiration time has elapsed, they will see the Password update page the next time they sign in.

Password expiry settings for single users can be set using PowerShell. For more details on password expiration policy see https://aka.gd/3BcnPvK

Resetting user passwords

If necessary, you can reset a password for one or more users on the Active users page. You can assign a new, randomly generated password or a password of your choice. You can also select whether users need to change their password at their next sign-in. For more details on resetting user passwords see https://aka.gd/3sp4LGE

Resetting admin passwords

As an administrator, you have two options if you forget your own administrator password:
- Ask another Microsoft 365 administrator to reset it for you. A Global admin, a User Management admin, or a Password admin can reset passwords. However, only a Global admin can reset the password for another Global admin.
- Reset the password yourself. On the Microsoft 365 sign-in page, you can use the Can't access your account? link to reset your password. For this to work, you must have previously supplied an alternative email address in your account settings. Additionally, if you use a custom domain name or you are using