Lab Answer Key: Module 3:

Administering and troubleshooting

directory synchronization and directory
objects

Lab: Administering directory

synchronization, users, and groups in
Office 365
Exercise 1: Configuring Azure AD Connect

Task 1: Implement directory synchronization with Azure AD Connect

1. On the LON-DS1 computer, open Internet Explorer and then navigate

to https://www.microsoft.com/en-us/download/details.aspx?id=47594.
2. Choose to download Microsoft Azure Active Directory Connect. If needed,
add https://download.microsoft.com to Trusted Sites in Internet Explorer.
3. After AzureADConnect.msi downloads, run it. Wait until it installs necessary
components.
4. On the Welcome to Azure AD Connect page, select I agree to the license terms
and privacy notice, and then clickContinue.
5. On the Express Settings page, review the tasks that will be performed, and then
click Use express settings.
6. On the Connect to Azure AD page, type [email protected],
where yyxxxxx is your unique Adatum number, in USERNAME text box, type Holly's
password in the PASSWORD text box, and then click Next.
7. On the Connect to AD DS page, type Adatum\Administrator in
the USERNAME text box, type Pa55w.rd in the PASSWORD text box, and then
click Next.
8. On the Azure AD sign-in configuration page, select Continue without matching
all UPN suffixes to verified domains, and then click Next.
9. On the Ready to configure page, click Install.
10. After Azure AD Connect configuration completes, click Exit, and then wait for 4-5
minutes for the initial synchronization to finish.
 11. Open Internet Explorer on LON-DS1, and then navigate to https://portal.office.com.
Sign in [email protected], where yyxxxxx is your unique
Adatum number, with Holly's password.
12. Click Admin, navigate to Users, and then click Active users.
13. Verify that you can see users from your on-premises AD DS.
14. Minimize the Internet Explorer window that has the Microsoft 365 admin center open.

Task 2: Run the Azure AD Connect wizard to modify sync options

1. On the LON-DS1 computer, double-click the Azure AD Connect icon on the

desktop.

2. In the Microsoft Azure Active Directory Connect window, click Configure.

3. On the Additional tasks page, click View current configuration, and then

click Next.

4. On the Review Your Solution page, review the configured options for

directory synchronization. These options were configured when initial
synchronization was performed in previous task.

5. Click the Previous button.

6. On the Additional tasks page, click Customize synchronization options, and

then click Next.

7. On the Connect to Azure AD page, if needed,

type [email protected], where yyxxxxx is your
unique Adatum number, in the USERNAME field, type Holly's password in
the PASSWORD field, and then click Next.

8. On the Connect your directories page, verify that Adatum.com (Active

Directory) is listed as the configured directory, and then click Next.

9. On the Domain and OU filtering page, select Sync selected domain and

OUs, and then expand Adatum. com. Select only
the IT, Marketing and Managers organizational units (OUs), deselect others,
and then click Next.

10. On the Optional features page, review the selected options. Verify that

only Password hash synchronization is selected. Select Password writeback,
and then click Next.

11. On the Ready to configure page, click Configure. Wait until the process of

configuration completes. This should take few minutes.
 12. On the Configuration complete page, click Exit. Wait 4-5 minutes until
synchronization completes.

Task 3: Configure synchronization services for OUs and object attributes

1. On LON-DS1, click Start, expand the Azure AD Connect folder, and then

click Synchronization Service.

2. In the Synchronization Service Manager on LON-DS1 window, on

the Operations tab, verify that the tasks listed are successful. Note: Some tasks
might have in-progress status which is normal if synchronization is in progress.
Also, some tasks might appear as Completed-export-errors and completed-
no-objects. Wait until synchronization is completed before proceeding to the
next step.

3. Click the Connectors tab.

4. In the Connectors tab, double-click Adatum.com.

5. In the Properties dialog box, click Configure Directory Partitions.

6. Click Containers.

7. In the Credentials dialog box, enter the following credentials, and then

click OK:

 User name: Administrator

 Password: Pa55w.rd

 Domain: Adatum.com

8. In the Select Containers dialog box, select the Development check box, and

then click OK.

9. Click Select Object Types in the left navigation menu.

10. In the list of object types, select device.

11. On the navigation menu on the left, click Select Attributes.

12. In the list of attributes, select the secretary and street attributes.

13. To close the Properties dialog window, click OK.

14. On LON-DS1, open the Start screen, expand the Azure AD Connect folder,

and then click Synchronization Rules Editor.
 15. In Synchronization Rules Editor, in Direction, select Inbound, and then
click Add new rule.

16. In the Create inbound synchronization rule dialog box, in the Name text

box, type In from AD - User DoNotSyncFilter.

17. In the Connected System drop-down list, select Adatum.com.

18. In the Connected System Object Type drop-down list, select user.

19. In the Metaverse Object Type drop-down list, select person.

20. In the Link Type drop-down list, select Join.

21. In the Precedence text box, type 50.

22. Click Next.

23. In the Create inbound synchronization rule dialog box, on the Scoping

filter tab, click Add Group, and then click Add Clause.

24. In the Add scoping filters form:

 In the Attribute drop-down list, select msDS-cloudExtensionAttribute15.

 In the Operator drop-down list, select EQUAL.

 In the Value text box, type NoSync.

25. Click Next.

26. On the Add join rules page, click Next.

27. On the Add transformations page, click Add transformation.

28. In the FlowType drop-down list, select Constant.

29. In the Target Attribute drop-down list, select cloudFiltered.

30. In the Source text box, type True.

31. To save the rule, click Add, and then close the Synchronization Rules
Editor window.

32. Open Windows PowerShell from the Start menu. In Windows PowerShell, type

the following command, and then press Enter:

Start-ADSyncSyncCycle -PolicyType Initial

Note: This command will manually start synchronization process between AD DS and
Azure AD. If you get an error when executing this command, type Import-Module
"C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1",
press Enter and then repeat Start-ADSyncSyncCycle command.
Result: After completing this exercise, you should have configured Azure AD
Connect.

Exercise 2: Managing Office 365 users and groups by

using the Microsoft 365 admin center

Task 1: Assign and manage licenses for users

1. In the Microsoft 365 admin center, expand Users and then in the Active

users list, select Abbi Skinner.

2. In the right pane, click Edit in the Product licenses section.

3. On the Product licenses page, in the Location drop-down list, select United

Kingdom.

4. Enable the Office 365 Enterprise E5 license.

5. Review all enabled features in this license plan.

6. Click Save, and then click Close twice.

7. Repeat steps 1 to 6 for Ada Russell, Adam Hobbs, and Beth Burke.

8. In the Active users list, click Ada Russell.

9. In the right pane, click Edit in the Product licenses section.

10. Disable the following features: PowerApps for Office 365, Sway and Flow

for Office 365.

11. Click Save, and then click Close twice.

Task 2: Create Office 365 groups

1. In the Microsoft 365 admin center, click Home.

2. On the navigation menu, expand Groups, click Groups, and then click Add a

group.
 3. On the New Group page, in the Type drop-down box, click Security group,
and in the Name text box, type Production.

4. In the Description text box, type Production department users, click Add,

and then click Close.

5. Select the Production group, and then on the Production page, next

to Members, click Edit.

6. Click Add members, click Lindsey Gates, click Christie Thomas, click Save,

and then click Close three times.

7. Click Add a group.

8. On the New Group page, in the Type drop-down box, click Office 365 group,

and then in the Name text box, type Accounts. Ensure that Group email
address field is also populated with same value.

9. In the Description text box, type Accounts department users.

10. In the Privacy drop-down list, select Private - Only members can see group

content.

11. Click Select owner. Select Abbi Skinner.

12. Click Add, and then click Close.

13. Select the Accounts group, and then on the Accounts page, next

to Members, click Edit.

14. Click Add members, click Francisco Chaves, click Sallie McIntosh, click Save,

and then click Close three times.

Task 3: Manage Office 365 groups

1. In the Microsoft 365 admin center, verify that you can see groups that are synced with
your on-premises Active Directory and that you can see the following groups created
in cloud:

 Production

 Accounts

2. In the Groups list, select the Production group, and then on

the Production page, next to Members, click Edit.
 3. Click Add members, click Amy Santiago, click Save, and then
click Close three times.

4. Open the Production page, and ensure that Amy Santiago now appears in

the Members list.

5. Click Delete group.

6. On the Delete group page, click Delete, and then click Close.

7. On the navigation menu, point to Users, and then click Active users.

8. Confirm that the Amy Santiago account still exists in the list of users.

9. Leave the browser window open.

Result: After completing this exercise, you should have created users and groups in
Office 365 and managed user licenses.

Exercise 3: Managing Office 365 password policies

Task 1: Configure the Office 365 password policy

1. On the navigation menu in the Office 365 admin portal, point to Settings, and
then click Security & privacy.

2. In the Password policy area, click Edit.

3. On the Password policy page, in the Days before passwords expire text box,

type 14.

Note: You would not do this in the real world. This is a classroom example that allows
you to verify the policy applied in the next exercise task.

4. In the Days before a user is notified about expiration box, leave the default

value of 14, and then click Save.

5. Verify that the Password policy has been updated message appears at the

top of the page, and then click Close.

6. Close Internet Explorer.

Task 2: Validate the password policy

1. Open Internet Explorer, and then browse to https://portal.office.com.

 2. Sign in as [email protected], where yyxxxxx is
your unique Adatum number, with the temporary password you noted before.

3. On the Update your password page, type the temporary password in

the Current password text box, type a new password in the New
password and Confirm password text boxes, and then click Update
password and sign in.

4. On the upper-right side of the window, verify that the notification appears
with the following information: Time to change your password. Your
password will expire in 13 days.

Note: It might take a several minutes before the password change notification
appears. You can safely proceed with other tasks in this lab even if you don't get
notification.
Note: You have now verified that your password policy is applied. In a real-world
scenario, after you verified that the password policy was applied, you would need to
increase the number of days before the password expired, according to your
organizational policy.

5. Close Internet Explorer window.

Task 3: Configure Office 365 multi-factor authentication

1. Open Internet Explorer, and then browse to https://portal.office.com.

2. Sign in as [email protected], where yyxxxxx is your

unique Adatum number, with Holly's password.

3. In the Microsoft Office 365 portal, click Admin.

4. On the Home page, on the navigation menu, point to Settings, and then

click Services & add-ins.

5. On the Services & add-ins page, click Azure multi-factor authentication.

6. On the Azure multi-factor authentication page, click Manage multi-factor

authentication.

7. On the multi-factor authentication page, select the Amy Santiago check

box, and then click Enable.

8. In the About enabling multi-factor auth pop-up, click enable multi-factor

auth, and then click close.

9. On the multi-factor authentication page, click service settings.

 10. Under verification options, clear the Call to phone check box, and then
select the Allow users to remember multi-factor authentication on devices
they trust option.

11. Click save, and then click close.

12. Close Internet Explorer.

Result: After completing this exercise, you should have configured the Office 365
password policy and validated the policy.

Exercise 4: Troubleshooting synchronization issues

with user objects in Office 365

Task 1: Produce a problem

1. On LON-CL1, click Start, type powershell and then click Windows PowerShell.

2. In the Windows PowerShell prompt, type the following command, and then
press Enter:

CD C:\Labfiles\Mod03\

3. At the Windows PowerShell prompt, type the following command, and then press
Enter:

Set-ExecutionPolicy Unrestricted

4. Type Y and then press Enter.

5. At the Windows PowerShell prompt, type the following command, and then
press Enter:

.\Mod3_CreateProblem.ps1
Note: Wait until the script completes and notice the following changes.
This Windows PowerShell script will make the following changes in AD DS:

 Klemen Sic. Adds the "@" character to the beginning of "Adatum" for
the UserPrincipalName attribute.

 Lara Raisic. Replaces the existing email with "[email protected]?" for

the emailAddress attribute.

 Logan Boyle. Replaces the existing string with "[email protected]@" for

the emailAddress attribute.
  Maj Hojski. Replaces the existing string with " " for the emailAddress attribute.

Task 2: Resolve synchronization issues

1. On LON-CL1, ensure that you are signed in as Adatum\Holly with

password Pa55w.rd.

2. Open Microsoft Edge, and then connect to https://www.microsoft.com/en-

us/download/details.aspx?id=36832.

3. On the IdFix Directory Synchronization Error Remediation Tool page,

click Download. Click Save.

4. Wait for the download to complete.

5. In the File Explorer window, browse to the Downloads folder, right-

click IdFix.zip, and then click Extract All.

6. In the Extract Compressed (Zipped) Folders dialog box, in the destination

box, type C:\Deployment Tools\IdFix, and then click Extract.

7. In File Explorer, in the C:\Deployment Tools\IdFix folder, right-click IdFix,

and then click Run as administrator.

8. In the User Account Control dialog box, click Yes.

9. In the IdFix Privacy Statement message box, click OK.

10. Click Query. You should see several errors.

11. Click the ERROR column to sort the character errors to the top of the list.

Note: Ignore top-level domain errors, which cannot be fixed by the IdFix tool.

12. In the Klemen Sic row, verify the proposed solution in the UPDATE column, and then
in the ACTION column, select EDIT.
13. In the Lara Raisic row, verify the proposed solution in the UPDATE column, and then
in the ACTION column, select EDIT.
14. In the Logan Boyle row, verify the proposed solution in the UPDATE column, and
then in the ACTION column, select EDIT. In the Update column for Logan Boyle,
type [email protected].
15. In the Maj Hojski row, verify the proposed solution in the UPDATE column, and then
in the ACTION column, select EDIT.
16. On the toolbar, click Apply.
17. In the Apply Pending dialog box, click Yes. Notice the COMPLETE status in
the ACTION column, which indicates successful writes.
 18. Switch to File Explorer, and in the C:\Deployment Tools\IdFix folder, double-
click Verbose <date> <time>.txt to view the updated transactions in the transaction
log.
19. Switch back to the IdFix tool.
20. On the toolbar, click Query.
21. Click in the UPDATE column to locate the Maj Hojski error, replace the string
with [email protected], and then in theACTION column, select EDIT.
22. For An Dung and Ngoc Bich, select EDIT in the ACTION column.
23. On the toolbar, click Apply.
24. In the Apply Pending dialog box, click Yes.
25. On the toolbar, click Query, and then verify that the errors are corrected. If you see
other errors present, correct them using the same method.

Note: Where there are format and duplicate errors for distinguished names,
the UPDATE column either contains the same string as the VALUE column, or
the UPDATE column entry is blank; in either case, this means that IdFix cannot
suggest a remediation for the error. You can either fix these errors outside of IdFix or
manually remediate them within IdFix. You can also export the results and use
Windows PowerShell to remediate a large number of errors.
Result: After completing this exercise, you should have troubleshot synchronization
issues with user objects in Office 365.