Managing Office 365 Identities and Requirements

Topic 1, Provision Office 365

1.1 Provision tenants

1.1.1 Configure the tenant name

1.1.2 Configure the tenant region

QUESTION NO: 62

You administer the Office 365 environment for a company that has offices around the world. All of the offices use the same Office 365 tenant.

You need to ensure that all users can access the services that are available in their regions.

Which setting or service should you update?

A. User location settings

B. User licenses

C. Service usage address

D. Rights management

Answer: A

Explanation:

A: The User Location settings allow you to set the sign-in status and user locations for all the users on your network, regardless of where they are physically located.

Incorrect Answers:

B: The User Licenses service is used to assign licenses to make use of Office 365 Plans. Access to services in the user’s location is set up in another setting.

C: The service usage address is synonymous with the billing address for Office 365, and it is used to determine the currency and tax that your account gets.

D: Rights Management is an extension of DLP to manage internal documents and information by means of Active Directory, and rights management is available only in the Enterprise plan.

References:

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, pp 160, 439

Collins, Mark and Michael Mayberry, Pro Office 365 Development, Apress Media, New York, 2012, pp 5, 6

1.1.3 Configure the global administrator

QUESTION NO: 57

Your company purchases an Office 365 plan. The company has an Active Directory Domain Services domain.

User1 must manage Office 365 delegation for the company.

You need to ensure that User1 can assign administrative roles to other users.

What should you do?

A. Create an Office 365 tenant and assign User1 the password administrator role.

B. Use a password administrator account to assign the role to User1.

C. Use a user management administrator account to assign the role to User1.

D. Create an Office 365 tenant and assign User1 the global administrator role.

Answer: D

Explanation:

D: The Global Administrator account is similar to the Company administrator. Users in this role have access to everything, or the permission to add themselves to a dedicated role for anything they do not already have permission for (such as discovery management and assigning administrative roles to other users).

Incorrect Answers:

A: The Password Administrator account cannot manage delegations; it can only reset passwords of users and other administrators at the same level of permissions.

B: A Password Administrator can only reset passwords of users and other administrators at the same level of permissions.

C: A User Management Administrator account can assign licenses and passwords but cannot make changes to other admin accounts that have more privileges than it does.

References:

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, pp 366, 369, 373

QUESTION NO: 18 DRAG DROP

A company plans to implement an Office 365 environment to manage email.

All user accounts must be configured to use only a custom domain.

You need to provision an Office 365 tenant for the company.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1:

Box 2:

Configure the global administrator account recovery information

Box 3:

Explanation:

The tenant is your Office 365 account, including hosted Exchange, Lync, SharePoint, and your Office 365 Active Directory. The first account that you create when you first purchase Office 365 is the “owner” of your tenant. This account should be an admin account, not a person. This account does not normally require an Office 365 license. Relating to SharePoint, all of your site collections are within your tenant. You can have any number of domains within your tenant (with e-mail accounts), but you will have only one root SharePoint URL: https://xxxx.sharepoint.com.

The Global Administrator account is similar to the Company administrator. Users in this role have access to everything, or the permission to add themselves to a dedicated role for anything they do not already have permission for (such as discovery management and assigning administrative roles to other users).

When setting up Office 365, the first step is to purchase your subscription, which includes choosing the plan. Step 2 involves the selection of the sign-on method, and this is where the global administrator account is of consequence. Step 3 involves collecting information such as domain names and DNS, locations, etc.

Step 4 is the actual migration plan and schedule, step 5 – the Microsoft account and organizational account, step 6 – the SkyDrive and SkyDrive Pro, and step 7 – the Windows Intune section.

Thus you should perform steps 1 through 3 to ensure that all user accounts make use of a custom domain for their e-mail.

References:

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, pp 87-93, 373

http://office.microsoft.com/en-gb/office365-suite-help/add-your-domain-to-office-365-HA102818660.aspx

1.1.4 Manage tenant subscriptions

QUESTION NO: 85

Your company has 100 user mailboxes. The company purchases a subscription to Office 365 for professionals and small businesses. You need to enable the Litigation Hold feature for each mailbox.

What should you do first?

A. Purchase a subscription to Office 365 for midsize business and enterprises.

B. Enable audit logging for all of the mailboxes.

C. Modify the default retention policy.

D. Create a service request.

Answer: A

Explanation:

A: The first step will always be purchasing the correct Office 365 plan to suit your needs. There are three plans of Office 365: Professional, Mid-Size Businesses, and Enterprise. The Office 365 Mid-sized businesses and Enterprise plans will allow you to enable Litigation Hold. The Professional plan is not compliant with this setting. User mailboxes that are placed under litigation hold with the external audit enabled meet all compliance requirements, because the data is immutable.

Incorrect Answers:

B: Audit logging is a part of Litigation Hold. This is used for tracking purposes in Office 365. However the first step still remains purchasing the correct Office 365 subscription.

C: The Default Retention Policy is composed of a set of retention tags to govern the way data is retained and moved to the archive. A retention policy is in essence a business process definition.

D: By creating a service request you are actually asking Microsoft to aid you with technical support such as installation and setup and configuration. Litigation hold is a service/configuration that needs to be set up / configured.

References:

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, p 443

https://technet.microsoft.com/en-us/library/office-365-support.aspx

1.1.5 Manage the licensing model

1.2 Add and configure custom domains

1.2.1 Specify domain name

QUESTION NO: 14

Contoso, Ltd. plans to use Office 365 for email services and Lync Online. Contoso has four unique domain names.

You need to migrate domain names to Office 365.

Which two domain names should you exclude from the migration? Each correct answer presents part of the solution.

A. contoso.us

B. contoso

C. contoso.local

D. contoso.co

Answer: B, C

Explanation:

There are no practical limits on the number of domains that can be verified to Office 365 Enterprise. The rules are simple: you need to verify a domain, and you need to assign the domain based on the needs (or Domain Intent). Domain Intent is what the domain services will be configured as; there are three different types of services for Domain Intent.

A top-level domain (TLD) is the part of the domain name located to the right of the dot ("."). The most common TLDs are .com, .net, and .org. Some others are .biz, .info, and .ws. These common TLDs all have certain guidelines, but are generally available to any registrant, anywhere in the world.

B: contoso - single-label domain (also known as a second-level domain) - not valid

C: contoso.local - internal labeled domain - not valid

Incorrect Answers:

A: contoso.us - valid TLD Domain

D: contoso.co - valid TLD Domain

References:

https://support.office.com/en-in/article/DNS-basics-854b6b2b-0255-4089-8019-b765cff70377

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, p. 375

QUESTION NO: 19

A company plans to use Office 365 to provide email services for users.

You need to ensure that a custom domain name is used.

What should you do first?

A. Add the custom domain name to Office 365 and then verify it.

B. Verify the existing domain name.

C. Create an MX record in DNS.

D. Create a CNAME record in DNS.

Answer: A

Explanation:

A: DNS tells the Internet where to send email. Thus you need to make sure that the custom domain name that you intend to use for email is added to Office 365 and verified. When you put the right information into the right DNS records for your domain, the DNS system routes everything correctly so your email, for example, arrives in Office 365 instead of somewhere else.

Incorrect Answers:

B: The existing domain name is not necessarily a custom domain name. You first need to add the custom domain name and verify it.

C: MX (mail exchanger) record is used to point to where your email should be sent. It also has a priority field so that you can send mail to different servers in a priority order. But you still need to add the custom domain name to Office 365 and then verify it because the MX record is also a DNS record that works with the domain.

D: CNAME (alias or canonical) record is used to redirect one domain to another in the DNS system. When a name server looks up a domain and finds that it has a CNAME record, the server replaces the first domain name with the CNAME, and then looks up the new name.

References:

https://support.office.com/en-in/article/DNS-basics-854b6b2b-0255-4089-8019-b765cff70377

1.2.2 Confirm ownership

QUESTION NO: 55 DRAG DROP

Fabrikam has the Office 365 Enterprise E3 plan.

You must add the domain name fabrikam.com to the Office 365 tenant. You need to confirm ownership of the domain.

Which DNS record types should you use? To answer, drag the appropriate DNS record type to the correct location or locations in the answer area. Each DNS record type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

TXT record is used for verification. When you have added the record at your domain registrar's site, you'll go back to Office 365 and request Office 365 to look for the record. When Office 365 finds the correct TXT record, your domain is verified.

MX (mail exchanger) record points to where your email should be sent. It also has a priority field so that you can send mail to different servers in a priority order.

Incorrect Answers:

A record (address record) associates a domain name with an IP address.

CNAME (alias or canonical) record redirects one domain to another in the DNS system. When a name server looks up a domain and finds that it has a CNAME record, the server replaces the first domain name with the CNAME, and then looks up the new name.

SRV (service) record is used by Lync Online and Exchange Online to coordinate the flow of information between Office 365 services. For example, the SRV records are required to see presence in Outlook Web App, and to use Lync, Skype, or other instant messaging tools with people in other companies.

References:

https://support.office.com/en-in/article/DNS-basics-854b6b2b-0255-4089-8019-b765cff70377

https://support.office.com/en-in/article/Create-DNS-records-at-11-Internet-for-Office-365-5762c3ca-1de2-4999-bfe5-4c5e25a8957e

1.2.3 Specify domain purpose

1.2.4 Move ownership of DNS to Office 365

1.3 Plan a pilot

1.3.1 Designate pilot users

QUESTION NO: 22 HOTSPOT

A company has an Active Directory Domain Service (AD DS) domain. All servers run Windows Server 2008. You have an on-premises Exchange 2010 server.

The company plans to migrate to Office 365.

In the table below, identify the required action for each phase of the pilot. Make only one selection in each column. Each correct selection is worth one point.

Answer:

Explanation:

During migration, the first step is to have the domain validated; the step that follows is to add users and assign licenses. Microsoft found that it is better to complete the domain configuration (with the exception of changing the MX records) and add users after the domain has been defined when migrating to Office 365.

Planning for the migration involves preparation to synchronize the Active Directory.

Incorrect Answers:

There is no need to upgrade your Exchange server when you intend to migrate to Office 365, and this does not happen in either the planning or migration phase.

Raising the forest functional level is irrelevant and does not have to change in either the planning or migrating phase.

References:

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, pp 131, 143

QUESTION NO: 59 HOTSPOT

Fabrikam, Inc. employs 500 users and plans to migrate to Office 365.

You must sign up for a trial plan from the Office 365 website. You have the following requirements:

  • Create the maximum number of trial users allowed.

  • Convert the trial plan to a paid plan at the end of the trial that supports all of Fabrikam's users.

You need to create an Office 365 trial plan.

How should you configure the trial plan? Select the correct answer from each list in the answer area.

Answer:

Explanation:

Office 365 Enterprise E3 offers include an unlimited number of users, and since you are signing up for a trial that is to develop into a paid plan, making use of 25 users in the trial will suffice.

Office 365 Business can accommodate a maximum of 300 users only.

References:

https://technet.microsoft.com/en-us/office/dn788955

https://technet.microsoft.com/en-us/library/office-365-plan-options.aspx

https://technet.microsoft.com/en-us/library/office-365-platform-service-description.aspx

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, pp 84-87

1.3.2 Identify workloads that don’t require migration

1.3.3 Run the Office 365 onramp readiness tool

QUESTION NO: 17

An organization prepares to implement Office 365.

You have the following requirements:

  • Gather information about the requirements for the Office 365 implementation.

  • Use a supported tool that provides the most comprehensive information about the current environment.

You need to determine the organization's readiness for the Office 365 implementation.

What should you do?

A. Run the Windows PowerShell cmdlet Get-MsolCompanyInformation.

B. Run the OnRamp for Office 365 tool.

C. Install the Windows Azure Active Directory Sync tool.

D. Run the Office 365 Deployment Readiness Tool.

Answer: B

Explanation:

B: OnRamp for Office 365 is available to assist you with discovery activities related to Office 365 deployments. The tool can be used to check and provide important information about your on-premises environment.

Incorrect Answers:

A: The cmdlet is used to check the overall provisioning status of ‘CompanyInformation’ in Office 365; it is used for retrieving information about the user accounts within an Office 365 tenancy.

C: The Windows Azure Active Directory Sync tool is used to enable your global address list and single sign-on in Office 365. It is an important step when validating your Active Directory. OnRamp also checks this.

D: The Deployment Readiness Tool is used to check credentials, network, domain, users and groups, Lync, sites and other software as verification prior to deploying Office 365.

References:

https://technet.microsoft.com/en-us/library/hh852435.aspx

Katzer, Matthew and Don Crawford, Office 365 Migrating and Managing your Business in the Cloud, Apress Media, New York, 2013, p 553

1.3.4 Create a test plan or use case

1.3.5 Connect existing email accounts for pilot users, service descriptions

Topic 2, Plan and implement networking and security in Office 365

2.1 Configure DNS records for services

2.1.1 Creating DNS records for Exchange

QUESTION NO: 39 DRAG DROP

You implement Office 365 for an organization.

You must create the correct DNS entries needed to configure Office 365.

Which DNS entries should you create? To answer, drag the appropriate DNS record type to the correct purpose. Each DNS record type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

TXT record is used for verification. When you have added the record at your domain registrar's site, you'll go back to Office 365 and request Office 365 to look for the record. When Office 365 finds the correct TXT record, your domain is verified.

MX (mail exchanger) record points to where your email should be sent. It also has a priority field so that you can send mail to different servers in a priority order.

CNAME (alias or canonical) record redirects one domain to another in the DNS system. When a name server looks up a domain and finds that it has a CNAME record, the server replaces the first domain name with the CNAME, and then looks up the new name.

Incorrect Answers:

A record (address record) associates a domain name with an IP address.

SRV (service) record is used by Lync Online and Exchange Online to coordinate the flow of information between Office 365 services. For example, the SRV records are required to see presence in Outlook Web App, and to use Lync, Skype, or other instant messaging tools with people in other companies.

References:

https://support.office.com/en-in/article/DNS-basics-854b6b2b-0255-4089-8019-b765cff70377

https://support.office.com/en-in/article/Create-DNS-records-at-11-Internet-for-Office-365-5762c3ca-1de2-4999-bfe5-4c5e25a8957e

QUESTION NO: 54

An organization plans to deploy Exchange Online.

You must support all Exchange Online features.

You need to create the required DNS entries.

Which two DNS entries should you create? Each correct answer presents part of the solution.

A. A

B. SRV

C. MX

D. CNAME

Answer: C, D

Explanation:

C: The MX record is used to send incoming mail for your domain to the Exchange Online service in Office 365.

D: The CNAME record is used to help Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users.

Incorrect Answers:

A: An A record (address record) associates a domain name with an IP address.

B: An SRV (service) record is used by Lync Online and Exchange Online to coordinate the flow of information between Office 365 services. For example, the SRV records are required to see presence in Outlook Web App, and to use Lync, Skype, or other instant messaging tools with people in other companies.

References:

http://technet.microsoft.com/en-us/library/hh852557.aspx

https://support.office.com/en-in/article/DNS-basics-854b6b2b-0255-4089-8019-b765cff70377

https://support.office.com/en-in/article/Create-DNS-records-at-11-Internet-for-Office-365-5762c3ca-1de2-4999-bfe5-4c5e25a8957e
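The checks behind Questions 14, 19, 55 and 54, as an added example that is not part of the original study guide: it rejects names that cannot be added, then confirms the TXT, MX and autodiscover CNAME records in a zone listing, including the MX priority ordering. The zone text, the expected values and the `autodiscover.<domain>` owner name are constructed placeholders and assumptions, not values from the page.

```python
from collections import defaultdict

# Assumption: the only internal suffix the page names is .local.
INTERNAL_SUFFIXES = {"local"}

# Constructed placeholders for the values the admin portal would show.
EXPECTED = {
    "txt": "verification-token-placeholder",
    "mx": "mail.o365.example",
    "autodiscover": "autodiscover.o365.example",
}

# Constructed zone listing: "owner TYPE value".
SAMPLE_ZONE = """
contoso.co               TXT    "verification-token-placeholder"
contoso.co               MX     10 mail.old-host.example.
contoso.co               MX     20 mail.o365.example.
autodiscover.contoso.co  CNAME  autodiscover.o365.example.
autodiscover.contoso.co  A      192.0.2.10
"""


def domain_problem(name):
    """Return why a name cannot be used as a custom domain, or None."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        return "single-label name"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-only suffix"
    return None


def parse_zone(text):
    """Parse 'owner TYPE value' lines into (owner, type, value) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, rtype, value = line.split(None, 2)
        records.append((owner.rstrip(".").lower(), rtype.upper(), value.strip()))
    return records


def check_domain(domain, records, expected):
    """Return a list of findings; an empty list means the records line up."""
    domain = domain.rstrip(".").lower()
    problem = domain_problem(domain)
    if problem:
        return [f"{domain}: cannot be added ({problem})"]

    by_owner = defaultdict(list)
    for owner, rtype, value in records:
        by_owner[owner].append((rtype, value))

    findings = []
    apex = by_owner[domain]

    # TXT proves ownership: the exact value must be published at the apex.
    txts = [v.strip('"') for t, v in apex if t == "TXT"]
    if expected["txt"] not in txts:
        findings.append("TXT: verification value not published")

    # MX routes mail: the lowest preference number is tried first.
    mx = sorted(
        (int(v.split()[0]), v.split()[1].rstrip(".").lower())
        for t, v in apex if t == "MX"
    )
    if not mx:
        findings.append("MX: none published")
    elif mx[0][1] != expected["mx"]:
        findings.append(f"MX: preferred host is {mx[0][1]}, not {expected['mx']}")

    # CNAME for Autodiscover lets Outlook find the mailbox host.
    auto = by_owner["autodiscover." + domain]
    cnames = [v.rstrip(".").lower() for t, v in auto if t == "CNAME"]
    if expected["autodiscover"] not in cnames:
        findings.append("CNAME: autodiscover alias missing")

    # A CNAME must be the only record at its owner name.
    for owner, rrs in sorted(by_owner.items()):
        if any(t == "CNAME" for t, _ in rrs) and len(rrs) > 1:
            findings.append(f"{owner}: CNAME shares its name with other records")
    return findings


if __name__ == "__main__":
    for finding in check_domain("contoso.co", parse_zone(SAMPLE_ZONE), EXPECTED):
        print(finding)
```

In the constructed zone the Office 365 MX record exists, but the older host still has the lower preference number and keeps receiving mail first.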

2.1.2 Creating DNS records for Lync

2.1.3 Creating DNS records for SharePoint

QUESTION NO: 42 HOTSPOT

You are the SharePoint Online administrator for Contoso, Ltd. The company purchases an Office 365 Enterprise E1 plan.

The public-facing website must use SharePoint Online and the custom domain contoso.com.

You need to configure the DNS settings for the public-facing SharePoint site.

How should you configure the DNS settings? Select the appropriate options from each list in the answer area.

Answer:

Explanation:

The CNAME record is used to redirect one domain to another in the DNS system. When a name server looks up a domain and finds that it has a CNAME record, the server replaces the first domain name with the CNAME, and then looks up the new name.

Incorrect Answers:

A record (address record) associates a domain name with an IP address.

SRV (service) record is used by Lync Online and Exchange Online to coordinate the flow of information between Office 365 services. For example, the SRV records are required to see presence in Outlook Web App, and to use Lync, Skype, or other instant messaging tools with people in other companies.

MX (mail exchanger) record points to where your email should be sent. It also has a priority field so that you can send mail to different servers in a priority order.

References:

http://technet.microsoft.com/en-us/library/hh852557.aspx

https://support.office.com/en-in/article/DNS-basics-854b6b2b-0255-4089-8019-b765cff70377

https://support.office.com/en-in/article/Create-DNS-records-at-11-Internet-for-Office-365-5762c3ca-1de2-4999-bfe5-4c5e25a8957e

2.2 Enable client connectivity to Office 365

2.2.1 Configure proxy server to allow anonymous access to Office 365 URLs

2.2.2 Configure firewalls for outbound port access to Office 365

QUESTION NO: 40

You deploy Lync Online for a company that has offices in San Francisco and New York. The two offices both connect to the Internet. There is no private network link between the offices.

Users in the New York office report that they cannot transfer files to the users in the San Francisco office by using Lync Online.

You need to ensure that users in both offices can transfer files by using Lync Online.

What should you do?

A. Configure the firewall to open Transmission Control Protocol (TCP) ports 50060-50079.

B. Configure the firewall to open Transmission Control Protocol (TCP) ports 50040-50059.

C. Create a private network connection to share files.

D. Upgrade all of the Lync Online clients to use Lync 2013.

Answer: B

Explanation:

B: Lync Online will allow file sharing if the firewall is configured accordingly, since it is mentioned that Lync Online is already deployed and both offices have connectivity to the Internet. If TCP ports 50040-50059 are open on the firewall, you will be able to share audio, video and application content as well as desktop sharing content and files.

Incorrect Answers:

A: TCP ports 50060-50079 are not used for file transfers by Lync Online/Skype.

C: Creating a private network is not required since the company is already making use of Lync Online which enables users to share files.

D: Upgrading is not the issue here since Lync Online has been deployed already.

References:

https://support.office.com/en-IE/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_LYO

QUESTION NO: 44 DRAG DROP

A company deploys an Office 365 tenant. All employees use Lync Online.

You need to configure the network firewall to support Lync Online.

Which ports must you open? To answer, drag the appropriate port number to the correct feature or features. Each port number may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

Transmission Control Protocol (TCP), User Datagram Protocol (UDP) ports, and Protocol Numbers are important to TCP/IP networking, intranets, and the Internet. Ports and protocol numbers provide access to a host computer. However, they also create a security hazard by allowing uninvited access. Therefore, knowing which port to allow or disable increases a network's security. If the wrong ports or protocol numbers are disabled on a firewall, router, or proxy server as a security measure, essential services might become unavailable.

Port 443 is used for Audio, video and application sharing sessions as well as data sharing sessions - For HTTPS.

Port 5223 is used for mobile push notifications - Extensible Messaging and Presence Protocol (XMPP) client connection over SSL.

Incorrect Answers:

Port 3478 uses the STUN/UDP protocol for audio and video sessions, basically for NAT traversal.

Port 80 uses TCP, SCTP and UDP for HTTP, etc.

Port 389 uses UDP protocol for LDAP (Lightweight Directory Access Protocol).

References:

http://onlinehelp.microsoft.com/en-ca/office365-enterprises/hh416761.aspx

https://support.office.com/en-IE/article/Set-up-your-network-for-Skype-for-Business-Online-d21f89b0-3afc-432e-b735-036b2432fdbf

https://support.office.com/en-IE/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

QUESTION NO: 58 HOTSPOT

A company plans to deploy an Office 365 tenant.

You have the following requirements:

  • Administrators must be able to access the Office 365 admin center.

  • Microsoft Exchange Online must be used as a Simple Mail Transfer Protocol (SMTP) relay for a line-of-business application that sends email messages to remote domains.

  • All users must be able to use the audio and video capabilities in Microsoft Lync 2013.

You need to configure the ports for the firewall.

Which port should you use for each application? Select the correct answer from each list in the answer area.

Answer:

Explanation:

Transmission Control Protocol (TCP), User Datagram Protocol (UDP) ports, and Protocol Numbers are important to TCP/IP networking, intranets, and the Internet. Ports and protocol numbers provide access to a host computer. However, they also create a security hazard by allowing uninvited access. Therefore, knowing which port to allow or disable increases a network's security. If the wrong ports or protocol numbers are disabled on a firewall, router, or proxy server as a security measure, essential services might become unavailable.

TCP port 25 is used for Simple Mail Transfer Protocol, which is used for e-mail routing between mail servers.

TCP port 443 is used for audio, video and application sharing sessions as well as data sharing sessions.

RTP/UDP ports 50020-50039 must be used for outbound video sessions.

RTP/UDP ports 50000-50019 must be used for outbound audio sessions.

Incorrect Answers:

TCP port 587 is used for e-mail message submission.

TCP port 80 is used for HTTP.

TCP port 10106 is not assigned yet.

References:

http://onlinehelp.microsoft.com/en-ca/office365-enterprises/hh416761.aspx

https://support.office.com/en-IE/article/Set-up-your-network-for-Skype-for-Business-Online-d21f89b0-3afc-432e-b735-036b2432fdbf

https://support.office.com/en-IE/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

QUESTION NO: 86

Your company has a subscription to Office 365 for midsize business and enterprises. The company uses Microsoft Lync Online.

You need to open ports on the network firewall to enable all of the features of Lync Online.

Which port or ports should you open? (Each correct answer presents part of the solution. Choose all that apply.)

A. inbound TCP 443

B. outbound TCP 5061

C. outbound UDP 3478

D. outbound TCP 443

E. outbound UDP 50000 to outbound UDP 59999

F. inbound TCP 8080

Answer: A, C, D, E

Explanation:

A. inbound TCP 443 is the port for the Lync for Business client service.

C. outbound UDP 3478 is the UDP port for Lync audio and video sessions.

D. outbound TCP 443 is the port for the Lync data sharing sessions as well as the Video and Audio and application sharing sessions.

E. outbound UDP 50000 to outbound UDP 59999 is the port for Lync audio and video sessions.

Incorrect Answers:

B. outbound TCP 5061 is used for the sips service.

F. inbound TCP 8080 is used for http-alt OR HTTP Proxy service.

References:

http://onlinehelp.microsoft.com/en-ca/office365-enterprises/hh416761.aspx

https://support.office.com/en-IE/article/Set-up-your-network-for-Skype-for-Business-Online-d21f89b0-3afc-432e-b735-036b2432fdbf

https://support.office.com/en-IE/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

http://ahandyblog.wordpress.com/cloud-technologies/firewall-ports-for-office-365
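An added example, not part of the original study guide: it audits a firewall rule set against the port list from the answer to Question 86, reporting both the required ports that are still blocked and the ports that are open beyond what Lync Online needs. The rule tuples and the sample rule set are constructed for illustration.

```python
# Required openings, taken from the answer to Question 86 on this page.
# Tuple layout (an assumption of this example): (direction, protocol, low, high)
REQUIRED = [
    ("inbound", "tcp", 443, 443),
    ("outbound", "tcp", 443, 443),
    ("outbound", "udp", 3478, 3478),
    ("outbound", "udp", 50000, 59999),
]

# Constructed firewall rule set to audit.
SAMPLE_RULES = [
    ("outbound", "tcp", 80, 443),
    ("outbound", "udp", 3478, 3478),
    ("outbound", "udp", 50000, 50059),
    ("inbound", "tcp", 8080, 8080),
]


def subtract(span, covers):
    """Return the parts of span=(low, high) not covered by any range in covers."""
    low, high = span
    gaps = []
    for c_low, c_high in sorted(covers):
        if c_high < low or c_low > high:
            continue  # no overlap with what is still uncovered
        if c_low > low:
            gaps.append((low, c_low - 1))
        low = max(low, c_high + 1)
        if low > high:
            break
    if low <= high:
        gaps.append((low, high))
    return gaps


def spans(items, direction, proto):
    """Port ranges in items that match one direction and protocol."""
    return [(lo, hi) for d, p, lo, hi in items if (d, p) == (direction, proto)]


def audit(rules, required=REQUIRED):
    """Return (missing, excess) as lists of (direction, protocol, low, high)."""
    missing, excess = [], []
    # Required ports that no rule allows: features will fail.
    for d, p, lo, hi in required:
        for gap in subtract((lo, hi), spans(rules, d, p)):
            missing.append((d, p) + gap)
    # Allowed ports that nothing requires: unnecessary exposure.
    for d, p, lo, hi in rules:
        for gap in subtract((lo, hi), spans(required, d, p)):
            excess.append((d, p) + gap)
    return missing, excess


if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    for item in missing:
        print("blocked but required:", item)
    for item in excess:
        print("open but not required:", item)
```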

2.2.3 Recommend bandwidth, Internet connectivity for clients

QUESTION NO: 46

An organization plans to migrate to Office 365.

You need to estimate the post-migration network traffic.

Which tool should you use?

A. Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Kit

B. Microsoft Network Monitor

C. Lync 2013 Bandwidth Calculator

D. Microsoft Remote Connectivity Analyzer

Answer: C

Explanation:

C: There are calculators available to assist you with estimating network bandwidth requirements. These calculators work for on-premises as well as Office 365 deployments. You can use the Exchange client network bandwidth calculator to estimate the bandwidth required for a specific set of Outlook, Outlook Web App, and mobile device users in your Office 365 deployment. With the Skype for Business and 2013 bandwidth calculator, you enter information about users and the Skype for Business features you want to deploy, and the calculator helps you determine bandwidth requirements.

Lync 2010 and 2013 Bandwidth Calculator - A Microsoft Excel spreadsheet that calculates WAN bandwidth requirements for a Lync Server deployment based on administrator-specified user profiles and network information.

Incorrect Answers:

A: The MOSDAL support toolkit is used to troubleshoot issues with Office 365; however, this tool is no longer available.

B: Microsoft Network Monitor is used to capture network traffic, view and analyze it.

D: Microsoft Remote Connectivity Analyzer is a web-based tool that provides administrators and end users with the ability to run connectivity diagnostics for our servers to test common issues with Microsoft Exchange, Lync and Office 365.

References:

http://technet.microsoft.com/en-us/library/hh852542.aspx

2.2.4 Deploy desktop setup for previous versions of Office clients

2.3 Administer rights management (RM)

2.3.1 Activate rights management

2.3.2 Office integration with rights management

2.3.3 Assign roles for Microsoft Azure Active Directory RM

2.3.4 Enable recovery of protected document

QUESTION NO: 45 DRAG DROP

You are the Office 365 administrator for your company.

You need to ensure that trusted applications can decrypt rights-protected content.

Which four Windows PowerShell cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Answer:

Explanation:

Microsoft Azure Rights Management was previously known as Windows Azure Active Directory Rights Management. To be able to decrypt rights-protected documents, you need to make sure that Microsoft Azure Rights Management is set up. You will also need to enable a SuperUser account, because the Active Directory Rights Management Services (AD RMS) super users group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.

The super users group is not enabled and is not assigned a group by default.

This can be done by running the appropriate commands in sequence which are:

Import-Module AADRM

Connect-AADRMService

Enable-AADRM

Enable-AADRMSuperUserFeature

References:

https://technet.microsoft.com/en-us/library/dn569291.aspx

https://technet.microsoft.com/en-us/library/dn151475%28v=exchg.150%29.aspx

QUESTION NO: 81

Your company has an Office 365 subscription. You create a new retention policy that contains several retention tags. A user named Test5 has a client computer that runs Microsoft Office Outlook 2007. You install Microsoft Outlook 2010 on the client computer of Test5. Test5 reports that the new retention tags are unavailable from Outlook 2010.

You verify that other users can use the new retention tags. You need to ensure that the new retention tags are available to Test5 from Outlook 2010.

What should you do?

A. Instruct Test5 to repair the Outlook profile.

B. Modify the retention policy tags.

C. Run the Set-Mailbox cmdlet.

D. Force directory synchronization.

Answer: A

Explanation:

A: When deploying retention policies, part of the procedure is to create the tags and add them to the retention policies prior to the deployment. Another part of the procedure is to determine which Microsoft Outlook client versions are in use. In this case the Outlook version used by Test5 has been changed, and Test5 will then have to repair his/her Outlook profile accordingly.

Incorrect Answers:

B: Making changes to the retention policy tags does not ensure that it is available to Test5 since it was his Outlook client version that has changed.

C: The Set-Mailbox cmdlet is used to modify the settings of an existing mailbox. In this case the existing mailbox/Outlook version has been changed.

D: The Directory is not the reason why Test5 cannot access the new retention tags; it is the Outlook version that has been changed.

References:

https://technet.microsoft.com/en-us/library/dd297955%28v=exchg.150%29.aspx

https://technet.microsoft.com/en-us/library/ee364743%28v=exchg.150%29.aspx

https://technet.microsoft.com/en-us/library/bb123981%28v=exchg.150%29.aspx

2.4 Manage administrator roles in Office 365

2.4.1 Permission model

2.4.2 Create or revoke assignment of administrative roles or the administrative model

2.4.3 Determine and assign global administrator, billing administrator and user administrator

QUESTION NO: 7 DRAG DROP

You are the Office 365 administrator for your company. The company has two administrators named User1 and User2.

Users must be able to perform the activities as shown in the following table:

You need to grant the appropriate administrative role to each user.

What should you do? To answer, drag the appropriate role to the correct user. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

User1 has to be the Password administrator, which will allow User1 to reset passwords, manage service requests, and monitor service health. Password admins are limited to resetting passwords for users and other password admins.

User2 has to be the global administrator to have access to all administrative features. Global admins are the only admins who can assign other admin roles. This will give User2 the ability to reset passwords for all administrator accounts.

Incorrect Answers:

Billing administrator is only allowed to make purchases, manage subscriptions and monitor service health.

Delegate administrator is used only in the event where you want someone else or a partner to do your administrative tasks.

References:

https://support.office.com/en-IN/article/assigning-admin-roles-d58b8089-cbfd-41ec-b64c-9cfcbef495ac

QUESTION NO: 20

You create an Office 365 tenant. You assign administrative roles to other users. You hire a new user named User2.

User2 must NOT be able to change passwords for other users.

You need to assign an administrative role to User2.

Which role should you assign?

A. Service administrator

B. Global administrator

C. Delegate administrator

D. Password administrator

Answer: A

Explanation:

A: Being the Service Administrator will allow User2 to manage service requests and monitor service health, while not giving User2 the ability to change passwords for other users.

Incorrect Answers:

B: A global administrator role will allow User2 the ability to change passwords for other users.

C: A delegate administrator is a partner that has the ability to do all the administrative tasks which includes changing passwords for all users.

D: A password administrator has the ability to reset passwords.

References:

https://support.office.com/en-US/Article/Assigning-admin-roles-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US#__choose_an_admin

https://support.office.com/en-IN/article/assigning-admin-roles-d58b8089-cbfd-41ec-b64c-9cfcbef495ac

https://support.office.com/en-IN/article/partners-add-or-delete-a-delegated-admin-201ccb3b-6011-4bf1-a6b2-84e7cc1ee2d0

QUESTION NO: 41

A company deploys an Office 365 tenant. You assign the roles to users as shown in the following table:

User3 must be able to monitor the health of the Exchange Online service. You must use the principle of least privilege to assign permissions to User3.

You need to assign permissions to User3.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Assign User3 the service administrator role in Office 365.

B. Sign in to the Office 365 portal as User1.

C. Sign in to the Office 365 portal as User2.

D. Grant User3 administrative permissions in Exchange Online.

E. Assign User3 the global administrator role in Office 365.

Answer: A, B, D

Explanation:

A: User3 must be the Service administrator role because that role allows for managing service requests and monitoring service health.

B: User1 has the global administrator role assigned. Only the global administrator can delegate the service administrator role. This means that you should sign in with the User1 account, because that will allow you to assign other admin roles.

D: If User3 is to monitor the health of the Exchange Online service he/she will require the appropriate administrative permissions.

Incorrect Answers:

C: User2 has the User Management administrator role assigned and this will not allow User2 to monitor the health of the Exchange Online service.

E: Assigning User3 the global administrator role will give User3 the ability to monitor the health of the Exchange Online service, but also more permissions than are required.

References:

http://onlinehelp.microsoft.com/en-in/office365-enterprises/ff637584.asp

https://support.office.com/en-IN/article/assigning-admin-roles-d58b8089-cbfd-41ec-b64c-9cfcbef495ac

QUESTION NO: 43

A company deploys an Office 365 tenant.

You must provide an administrator with the ability to manage company information in Office 365.

You need to assign permissions to the administrator by following the principle of least privilege.

Which role should you assign?

A. Global administrator

B. Service administrator

C. Billing administrator

D. User management administrator

Answer: A

Explanation:

A: Global admin: Has access to all administrative features. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. The person who signs up to purchase Office 365 becomes a global admin. Only the global administrator role will allow you to manage company information by means of editing the organization profile. None of the other roles are enabled to manage organization information.

Incorrect Answers:

B: Service admin: Manages service requests and monitors service health.

C: Billing admin: Makes purchases, manages subscriptions, and monitors service health.

D: User management admin: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for billing, global, and service admins.

References:

https://support.office.com/en-IN/article/assigning-admin-roles-d58b8089-cbfd-41ec-b64c-9cfcbef495ac

http://technet.microsoft.com/en-us/library/hh852557.aspx

http://onlinehelp.microsoft.com/en-in/office365-enterprises/gg243432.aspx#bkmk_EditProfile

QUESTION NO: 56 HOTSPOT

You manage a team of three administrators for an organization that uses Office 365.

You must assign roles for each of the administrators as shown in the table. You must assign the minimum permissions required to perform the assigned tasks.

Which administrative role should you configure for each user? Select the correct answer from each list in the answer area.

Answer:

Explanation:

Admin1 must be the global admin that will grant him/her access to all administrative features. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. The person who signs up to purchase Office 365 becomes a global admin.

Admin2 must be the billing admin to enable him/her to make purchases, manage subscriptions, and monitor service health.

Admin 3 must be the User Management admin to allow him/her to reset passwords, monitor service health, and manage user accounts, user groups, and service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for billing, global, and service admins.

References:

https://support.office.com/en-IN/article/assigning-admin-roles-d58b8089-cbfd-41ec-b64c-9cfcbef495ac

http://onlinehelp.microsoft.com/en-in/office365-enterprises/gg243432.aspx#bkmk_EditProfile

2.4.4 Delegated administrator

2.4.5 Control password resets

Topic 3, Manage cloud identities

3.1 Configure password management

3.1.1 Expiration policy

QUESTION NO: 49 DRAG DROP

You are the Office 365 administrator for your company.

Users report that their passwords expire too frequently, and they do not receive adequate notice of password expiration.

Account passwords must remain active for the longest duration allowed. Users must receive password expiration notifications as early as possible.

You need to configure the password expiration policy.

How should you set the policy on the password page of the Office 365 admin center? To answer, drag the appropriate duration to the correct location. Each duration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

The maximum number of days you can set the 'Days before password expire' to is 730. This will make the password valid for the longest duration.

To be notified as early as possible that the password is about to expire, we should set the 'days before users are notified that their password will expire' setting to its maximum value, which is 30.

Note: Set a user's password expiration policy

  • Sign in to Office 365 with your work or school account.

  • Go to the Office 365 admin center.

  • Go to Service settings > Passwords.

  • If you don't want users to have to change passwords, select Passwords never expire. If you select this option, users won't get any reminders anymore to change their passwords.

  • If you want user passwords to expire, type the number of days before the password should expire. Choose a number of days from 14 to 730.

  • Type the number of days before users are notified that their password will expire, and then click Save. Choose a number of days from 1 to 30.

References:

https://support.office.com/en-us/article/Set-a-users-password-expiration-policy-0f54736f-eb22-414c-8273-498a0918678f

3.1.2 Password complexity

QUESTION NO: 4 DRAG DROP

A company has 50 employees that use Office 365.

You need to enforce password complexity requirements for all accounts.

How should you complete the relevant Windows PowerShell command? To answer, drag the appropriate Windows PowerShell segment to the correct location or locations. Each Windows PowerShell segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

We use Get-MsolUser to get all users. We then enforce strong password complexity for each of these users through the StrongPasswordRequired parameter of the Set-MsolUser command. The output of the Get command is passed to the Set command through the pipeline operator (the symbol |).

Box 1: -MsolUser

The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. An individual user will be retrieved if the ObjectId or UserPrincipalName parameter is used.

Box 2: MsolUser

The Set-MsolUser cmdlet is used to update a user object. This cmdlet should be used for basic properties only.

Parameter: -StrongPasswordRequired <Boolean>

Sets whether or not the user requires a strong password.

Incorrect Answers:

The Get-MsolUserRole cmdlet is used to retrieve all of the administrator roles that the specified user belongs to, but we need all users not just the administrators.

The Set-MsolUserPassword cmdlet is used to change the password of a user, but we need to change the password policy.

MsolUser -StrongAuthenticationRequirements sets the multi-factor authentication settings of the user, but these settings are not related to password complexity.

References:

https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx

https://msdn.microsoft.com/en-us/library/azure/dn194133.aspx
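The pipeline from the explanation above, extended with an audit before the change and a verification after it. This is an added example, not part of the original exam material; it assumes the MSOnline module is installed and that the account used to sign in is allowed to update user objects.

```powershell
# Added example (not from the original page). Assumes the MSOnline module is
# installed and the signed-in account may update user objects.
Import-Module MSOnline
Connect-MsolService    # interactive sign-in

# Get-MsolUser returns at most 500 users unless -All is given, so use -All
# to make sure no account is silently skipped.
$users = Get-MsolUser -All

# Audit first: record which accounts are currently exempt from the
# strong-password requirement, so the change can be reviewed afterwards.
$exempt = @($users | Where-Object { $_.StrongPasswordRequired -ne $true })
$exempt |
    Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, StrongPasswordRequired |
    Format-Table -AutoSize

# Remediate only the exempt accounts.
foreach ($u in $exempt) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongPasswordRequired $true
}

# Verify: re-read the directory and confirm nothing is left exempt.
$stillExempt = @(Get-MsolUser -All | Where-Object { $_.StrongPasswordRequired -ne $true })
if ($stillExempt.Count -gt 0) {
    Write-Warning ("{0} account(s) still do not require a strong password:" -f $stillExempt.Count)
    $stillExempt | Select-Object -ExpandProperty UserPrincipalName
} else {
    Write-Output 'All accounts require a strong password.'
}
```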

3.1.3 Password resets

QUESTION NO: 5 DRAG DROP

You are the Office 365 administrator for your company. Your company uses Office 365 for collaboration.

You must reset the password for all of the employees in your company.

You need to ensure that all employees create a new password the next time they sign in to Office 365.

How should you complete the relevant Windows PowerShell command? To answer, drag the appropriate Windows PowerShell segment to the correct location or locations. Each Windows PowerShell segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

Box 1: -MsolUserPassword

The Set-MsolUserPassword cmdlet is used to change the password of a user.

Box 2: -NewPassword Pass#123#

Set-MsolUserPassword -NewPassword <string> sets the new password for the user.

Incorrect Answers:

-MsolUser

The Set-MsolUser cmdlet is used to update a user object. This cmdlet should be used for basic properties only. The licenses, password, and User Principal Name for a user can be updated through the Set-MsolUserLicense, Set-MsolUserPassword, and Set-MsolUserPrincipalName cmdlets respectively.

References:

https://msdn.microsoft.com/en-us/library/azure/dn194140.aspx

QUESTION NO: 47 DRAG DROP

You are the Office 365 administrator for Contoso, Ltd.

User1 is unable to sign in.

You need to change the password for User1 and ensure that the user is prompted to reset her password the next time she signs in.

How should you complete the relevant Windows PowerShell command? To answer, drag the appropriate Windows PowerShell segments to the correct location or locations. Each Windows PowerShell segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

The Set-MsolUserPassword cmdlet is used to change the password of a user.

The parameter -UserPrincipalName is used to specify the user to set the password for.

The following command resets the password for user@contoso.com. A random password will be generated. The user will be required to reset the password on next sign in.

Set-MsolUserPassword -UserPrincipalName user@contoso.com

Incorrect Answers:

-TenantID: The tenant ID refers to the user that is executing this command.

-ImmutableID: The Set-MsolUserPassword cmdlet does not have an -ImmutableID parameter.

User1\contoso, not contoso\User1: We need to specify the user using the syntax with the @-sign (e-mail syntax).

-NewPassword: We need to specify the user. We do not need to specify the password as a new password would be generated at random.

References:

https://msdn.microsoft.com/en-us/library/azure/dn194140.aspx
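The two password-reset scenarios above (QUESTION NO: 5 and QUESTION NO: 47) as one script. This is an added example, not part of the original exam material; the address user1@contoso.com is a constructed sample value. Unlike the keyed answer to QUESTION NO: 5, which passes one -NewPassword value, this variant omits -NewPassword so that each account receives its own randomly generated temporary password.

```powershell
# Added example (not from the original page). Assumes the MSOnline module is
# installed and the signed-in account may reset user passwords.
Import-Module MSOnline
Connect-MsolService    # interactive sign-in

# Single account (QUESTION NO: 47). Without -NewPassword the service generates
# a random temporary password and returns it; -ForceChangePassword makes the
# user choose a new one at the next sign-in.
# 'user1@contoso.com' is a constructed sample value.
$temp = Set-MsolUserPassword -UserPrincipalName 'user1@contoso.com' -ForceChangePassword $true

# All accounts (QUESTION NO: 5). Each user gets a different temporary password,
# so one leaked value does not open every mailbox.
$results = foreach ($u in Get-MsolUser -All) {
    try {
        $pw = Set-MsolUserPassword -UserPrincipalName $u.UserPrincipalName `
                                   -ForceChangePassword $true -ErrorAction Stop
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Reset             = $true
            TemporaryPassword = $pw
            Error             = $null
        }
    } catch {
        # Keep going; accounts that could not be reset are reported below.
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Reset             = $false
            TemporaryPassword = $null
            Error             = $_.Exception.Message
        }
    }
}

# Summary without echoing any password to the console.
$results | Group-Object Reset | Select-Object Name, Count
$results | Where-Object { -not $_.Reset } |
    Select-Object UserPrincipalName, Error | Format-Table -AutoSize
```

The temporary passwords stay in $results for the session; hand them to users over a separate channel rather than writing them to a shared file.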

3.1.4 Administration Center

3.2 Manage user and security groups

3.2.1 Bulk import, Azure Active Directory Graph API

3.2.2 Soft delete

3.2.3 Administration Center

QUESTION NO: 83

Your company has a hybrid deployment of Office 365. You need to create a group. The group must have the following characteristics:

  • Group properties are synchronized automatically.

  • Group members have the ability to control which users can send email messages to the group.

What should you do?

A. Create a distribution group and configure the Mail Flow Settings.

B. Create a dynamic distribution group.

C. Create a new role group.

D. Create a distribution group and configure the Membership Approval settings.

Answer: C

Explanation:

The members of the role group can all perform administrative tasks. When you create a role group you can select between the following three roles:

  • Application Impersonation

  • Distribution Groups

  • Mail Recipients.

In this case we should use a Mail Recipients role group as we want this group to receive mails.

Incorrect Answers:

A: A distribution group does not have any Mail Flow settings.

B: Only one person can manage the dynamic distribution group. A dynamic distribution group can have only one owner. The group owner appears on the Managed by tab of the object in Active Directory Users and Computers.

Note: A dynamic distribution group is a type of distribution group whose list of recipients is recalculated every time you send a message based on filters and conditions that you define.

D: Membership Approval is used to choose whether people need approval to join or leave the group. Membership Approval does not affect who can send email messages to the group.

References:

http://help.elasticbeanstalk.com/ShowInTab.action?ProdId=EVCA_ARCHADMHELP&vid=v97524112_v102515759&locale=EN_US&context=EVCA1.0

QUESTION NO: 23 DRAG DROP

You are the Office 365 administrator for your company. The company has Office 365 Enterprise E3 licenses for each of its 250 employees. The company does not allow email or Lync Online licenses to be assigned to external contractors.

User1 is an external contractor who requires access to SharePoint and Office Web Apps only.

You need to add a license for User1's account.

What should you do? To answer, drag the appropriate action to the correct location or locations. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

  • First we sign in to the Admin center.

  • Click purchase services on the left hand side. On this page, you will be able to purchase your Dynamics CRM Online and Office 365 licenses.

  • Add the required software (here we add the Office Web App and SharePoint (Plan 1) plan). Finish the purchase.

  • Now we need to assign the purchased license to the user. We select the user and groups option.

  • Finally we assign the license to User1.

Incorrect Answers:

Not Select the licensing options. You must use the purchase services option.

Not Enable External Users in SharePoint. There is no need to enable external users.

Not Add an Office 365 Enterprise E3 license for User1. An Office Web App with SharePoint (Plan1) plan is the only license that is required.

References:

http://crmbook.powerobjects.com/system-administration/office-365/purchasing-licenses/#purchasing

QUESTION NO: 69

A company uses Office 365 services. You implement the Windows Azure Active Directory Sync tool in the local environment.

An employee moves to a new department. All Office 365 services must display the new department information for the employee.

You need to update the employee's user account.

Where should you change the value of the department attribute for the employee?

A. The Active Directory management page in the Windows Azure Management Portal

B. The Users and groups page in the Office 365 admin center

C. The on-premises Active Directory

D. The Metaverse Designer

Answer: C

Explanation:

Active Directory Synchronization allows you to sync your Active Directory objects, such as users and groups, to your Office 365 account. This is a one-way synchronization, which means you continue to manage users on-premises, and your changes will appear on Office 365 SharePoint. So if you want to change the user information of the employee, you must use the on-premises Active Directory.

Incorrect Answers:

A: As the Active Directory has not been migrated to Windows Azure we cannot use Windows Azure Management Portal to update the user information, we would still need to update the on-premises Active Directory.

B: As the Active Directory has not been migrated to Windows Azure we cannot use Office 365 admin center to update the user information, we would still need to update the on-premises Active Directory.

D: Metaverse Designer is used to create and configure object types and their attributes in the schema of Microsoft Forefront Identity Manager (FIM) 2010 R2. Metaverse Designer is not used to update user information in an Office 365 environment where you use Active Directory Synchronization.

References:

http://en.share-gate.com/blog/migrate-to-office-365-part2

3.2.4 Multi-factor authentication

QUESTION NO: 8 DRAG DROP

A company deploys an Office 365 tenant.

You need to enable multi-factor authentication for Office 365.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1: Create a multi-factor authentication provider with the Per Enabled User usage model.

Box 2: Enable multi-factor authentication for all user accounts.

Box 3: Instruct users to use a mobile phone to complete the registration process.

Explanation:

Adding Multi-Factor Authentication to Azure Active Directory (for Office 365 users)

Step 1: First we create the usage model of the MFA provider.

We should use Per Enabled User which is used for Office 365.

Note:

  • Per Authentication – purchasing model that charges per authentication. Typically used for scenarios that use the Azure Multi-Factor Authentication in an application.

  • Per Enabled User – purchasing model that charges per enabled user. Typically used for scenarios such as Office 365.

Step 2: Enable Multi-Factor Authentication for all your user accounts.

You need to enable multi-factor authentication on your Office 365 users.

Step 3: Have a user sign-in and complete the registration process.

The users can use their mobile phones to complete the auto-enrollment process.

Details: After being enrolled for multi-factor authentication, the next time a user signs in, they see a message asking them to set up their second authentication factor. Using the enrollment process, the users will be able to specify their preferred method of verification.

The following methods exist: Mobile Phone Call, Mobile Phone Text Message, Office Phone Call, or Mobile App.

Incorrect Answers:

The users do not use a single-use password to complete the registration. Instead they can use their mobile phone. This is one of the two notification modes of Azure Multi-Factor Authentication.

The Per Authentication provider model is not used for Office 365.

References:

http://technet.microsoft.com/library/dn249466.aspx

https://msdn.microsoft.com/library/azure/dn376346.aspx#create

QUESTION NO: 71

You are the Office 365 administrator for your company. The company uses Active Directory Federation Services (AD FS) to provide single sign-on to cloud-based services. You enable multi-factor authentication.

Users must NOT be required to use multi-factor authentication when they sign in from the company's main office location. However, users must be required to verify their identity with a password and token when they access resources from remote locations.

You need to configure the environment.

What should you do?

A. Disable AD FS multi-factor authentication.

B. Configure an IP blacklist for the main office location.

C. Disable the AD FS proxy.

D. Configure an IP whitelist for the main office location.

Answer: D

Explanation:

With AD FS you now have the option to whitelist an IP for multi-factor authentication (MFA).

For example, suppose you enable multi-factor authentication. Users must NOT be required to use multi-factor authentication when they sign in from the company's main office location. However, users must be required to verify their identity with a password and token when they access resources from remote locations.

Incorrect Answers:

A: We cannot disable MFA, as the user's identity needs to be verified by both password and token (this is MFA) when they are outside the main office location.

B: We must configure an IP Whitelist, not an IP Blacklist. There is no MFA IP Blacklist configuration.

C: Disabling an AD FS proxy would not affect MFA.

References:

http://www.edunnewijk.nl/fatshark/index.php?/archives/640-Multi-Factor-Authentication-for-Office-365-and-IP-whitelist-for-Internal-users.html

QUESTION NO: 51 DRAG DROP

A company deploys an Office 365 tenant.

All employees in the human resources (HR) department must use multi-factor authentication. They must use only the Microsoft Outlook client to access their email messages. User1 joins the HR department.

You need to help User1 configure his account.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1: Enable multi-factor authentication for User1.

Box 2: Instruct User1 to use a mobile phone to complete the registration process.

Box 3: Instruct User1 to create an app password.

Explanation:

(Step 1) First we need to enable multi-factor authentication for this Office 365 user.

(Step 2) After being enrolled for multi-factor authentication, the next time a user signs in, they see a message asking them to set up their second authentication factor.

Any of the following may be used for the second factor of authentication: Mobile Phone Call, Mobile Phone Text Message, Office Phone Call, or Mobile App.

(Step 3) Configure app passwords for non-browser apps (such as …Outlook etc.).

User1 should create an app password. The app password should then be used to set up Microsoft Outlook.

After the registration process (step 2) has been completed, users can set up application passwords for non-browser apps (such as …Outlook etc.). This is required because the non-browser apps (such as …Outlook etc.) do not support multi-factor authentication and you will be unable to use them unless an app password is configured.

Incorrect Answers:

The app password is used to set up Microsoft Outlook. Use the mobile phone to complete the registration process.

A one-time password is not used to complete the registration process; instead, a mobile phone is used.

References:

http://technet.microsoft.com/library/dn249466.aspx

https://msdn.microsoft.com/library/azure/dn376346.aspx#create

QUESTION NO: 79

Your company subscribes to an Office 365 Plan E3. A user named User1 installs Office Professional Plus for Office 365 on a client computer. From the Microsoft Online Services portal, you assign User1 an Office Professional Plus license. One month after installing Office, User1 can no longer save and edit Office documents on the client computer. User1 can open and view Office documents.

You need to ensure that User1 can save and edit documents on the client computer by using Office.

What should you do?

A. Install the Office Customization Tool.

B. Reinstall Office Professional Plus.

C. Install the Microsoft Online Services Sign-in Assistant.

D. Upgrade the subscription to Plan E4.

Answer: C

Explanation:

Office 365 ProPlus is offered as a monthly subscription. The subscription for User1 has run out and the program has been deactivated. The user should choose Sign In to activate Office 365 ProPlus. This is done through the Microsoft Online Services Sign-in Assistant.

Incorrect Answers:

A: The Office Customization Tool is used to adjust the installed Office programs. It cannot be used to activate a deactivated product.

B: Reinstalling would not help as the license has run out.

D: Upgrading the license from Plan E3 to Plan E4 would add functionality to Office 365, but it would not help to activate the product as the license has run out.

Furthermore, the extra functionality is not required. User1 just needs to be able to edit the document again.

References:

http://technet.microsoft.com/en-us/library/gg702619(v=office.15).aspx

3.3 Manage cloud identities with Windows PowerShell

3.3.1 Configure passwords to never expire

QUESTION NO: 48

You are the Office 365 administrator for your company. A user named User1 from a partner organization is permitted to sign in and use the Office 365 services.

User1 reports that the password expires in ten days. You must set the password to never expire. Changes must NOT impact any other accounts.

You need to update the password policy for the user.

Which Windows PowerShell cmdlet should you run?

A. Set-MsolPasswordPolicy

B. Set-MsolPartnerlnformation

C. Set-MsolUser

D. Set-MsolUserPassword

Answer: C

Explanation:

The Set-MsolUser cmdlet is used to update a user object.

The parameter -PasswordNeverExpires <Boolean> sets whether or not the user's password will expire periodically.

So the command Set-MsolUser –PasswordNeverExpires $true would make the appropriate configuration.

Incorrect Answers:

A: With Set-MsolPasswordPolicy you can configure two settings, but not that the password never expires. The Set-MsolPasswordPolicy cmdlet can be used to update the password policy of a specified domain or tenant. Two settings are required, the first is to indicate the length of time that a password remains valid before it must be changed and the second is to indicate the number of days before the password expiration date that will trigger when users will receive their first notification that their password will soon expire.

B: There is no command Set-MsolPartnerlnformation.

D: The Set-MsolUserPassword cmdlet can only be used to change the password of a user. It cannot be used to configure the password to never expire.

References:

https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx

QUESTION NO: 50 DRAG DROP

A company has 50 employees that use Office 365.

You need to disable password expiration for all accounts.

How should you complete the relevant Windows PowerShell commands? To answer, drag the appropriate Windows PowerShell segment to the correct location in the answer area. Each Windows PowerShell segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

(Box 1) Import-Module –MSOnline

To connect to MS Online in PowerShell first open a PowerShell session and then import the MS Online Module using the following command:

Import-Module MsOnline

(Box 2) Connect-MsolService

Connect with your Microsoft Online tenant account using:

Connect-MsolService

Use your tenant account e.g. admin@contoso.onmicrosoft.com.

(Box 3) The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. As no ObjectId or UserPrincipalName is used here, a list of all users will be retrieved and sent to the next command (Set-MsolUser) with the | operator.

(Box 4) The command Set-MsolUser –PasswordNeverExpires $true would set the password to never expire.

References:

http://www.msdigest.net/2012/03/how-to-connect-to-office-365-with-powershell/

https://msdn.microsoft.com/en-us/library/azure/dn194133.aspx

https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx
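The two password-expiration scenarios above (QUESTION NO: 48 for one account, QUESTION NO: 50 for all accounts) differ only in how the target of Set-MsolUser is scoped. The following is an added example, not part of the original question set; it assumes the MSOnline module is installed, and the UPN and CSV file name are placeholders.

```powershell
# Added example: scope Set-MsolUser to one account or to every account.
# Assumptions: MSOnline module installed; UPN and file name are placeholders.
Import-Module MSOnline
Connect-MsolService    # prompts for a tenant administrator account

# QUESTION NO: 48 - one account only, so no other account is affected.
$upn = 'user1@contoso.onmicrosoft.com'
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# Confirm the change landed on that account.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, PasswordNeverExpires

# QUESTION NO: 50 - every account in the tenant.
# Record the current state first so the change can be reviewed or reverted.
Get-MsolUser -All |
    Select-Object UserPrincipalName, PasswordNeverExpires |
    Export-Csv -Path .\password-expiry-before.csv -NoTypeInformation

# Without -UserPrincipalName or -ObjectId, Get-MsolUser returns users;
# -All lifts the default result limit. Each user is piped to Set-MsolUser.
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

# List any account that still has an expiring password.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -ne $true } |
    Select-Object UserPrincipalName, PasswordNeverExpires
```

Accounts whose passwords never expire depend entirely on password strength and MFA, so keep the exported CSV as a record of which accounts were changed.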

3.3.2 Bulk update of user properties

3.3.3 Bulk user creation

QUESTION NO: 3 HOTSPOT

A company deploys an Office 365 tenant.

You prepare to use the bulk add tool to add users to Office 365.

You need to prepare a file to use with the bulk add tool.

Which fields must you include in the file? To answer, drag the appropriate response to each field. Each response may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

How to add multiple users with bulk import in Office 365

Only the user name and display name are required entries.

The bulk import feature of Office 365 allows you to import multiple users’ information into Office 365 from a single file source. The file must be a comma-separated values (CSV) file and adhere to the required format. Office 365 then does the rest automatically. Only the user name and display name are required entries in the CSV file.

Incorrect Answers:

First Name, Last Name, and Job Title are not required fields.

References:

http://www.thewindowsclub.com/add-create-multiple-users-bulk-import-office-365

QUESTION NO: 11

You use a centralized identity management system as a source of authority for user account information. You export a list of new user accounts to a file on a daily basis. Your company uses a local Active Directory for storing user accounts for on-premises solutions. You are configuring the Windows Azure Active Directory Sync tool.

New user accounts must be created in both the local Active Directory and Office 365. You must import user account data into Office 365 daily.

You need to import the new users. What should you do?

A. Use the Office 365 admin center to import the file.

B. Create a Windows PowerShell script to import account data from the file into Active Directory.

C. Use the Windows Azure Management Portal to import the file.

D. Create a Windows PowerShell script that uses the MSOnline module to import account data from the file.

Answer: B

Explanation:

To force a sync with the Windows Azure Active Directory Sync tool:

Open PowerShell (as admin)

Type Import-Module DirSync

Then type Start-OnlineCoExistenceSync

To simplify further you can write the commands as a PowerShell script.

Incorrect Answers:

A: The sync tool is used from the PowerShell command prompt, not from the Office 365 admin.

C: The sync tool is used from the PowerShell command prompt, not from the Windows Azure Management Portal.

D: You should write a PowerShell script, but the required script does not use the MSOnline module; it uses the DirSync module.

References:

http://www.computer-boffins.ca/2014/06/azure-active-directory-sync-force-a-sync-updated/

3.3.4 Azure Active Directory cmdlets

QUESTION NO: 52 DRAG DROP

You are the Office 365 administrator for your company. You audit the Windows Azure Active Directory Rights Management configuration for the company.

You need to view a log of the recent administrative commands performed against the Microsoft Rights Management Service.

Which three Windows PowerShell cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1: Import-AadrmTpd

Box 2: Connect-AadrmService

Box 3: Get-AadrmAdminLog

Explanation:

Although you can activate Azure Rights Management by using the Office 365 admin center or the Azure Management Portal, you can also use the Windows PowerShell module for Azure Rights Management to do this. First we activate Azure Rights Management by importing it through Import-AadrmTpd, then we connect to the service with Connect-AadrmService, and finally we generate the log with Get-AadrmAdminLog.

Step 1: The Import-AadrmTpd cmdlet imports an Active Directory Rights Management Services (AD RMS) trusted publishing domain (TPD) over the Internet into your tenant for Azure Rights Management so that you can migrate Rights Management from on-premises to the cloud.

Step 2: The Connect-AadrmService cmdlet connects you to the Azure Rights Management service. This cmdlet can also be used by a partner company that manages your tenant.

Connect by using this cmdlet before you configure Rights Management by using other cmdlets in this module.

Step 3: The Get-AadrmAdminLog cmdlet generates logs for all Rights Management administrative commands.

References:

http://technet.microsoft.com/en-us/library/jj585027.aspx

QUESTION NO: 53

You plan to deploy an Office 365 tenant to multiple offices around the country.

You need to modify the users and groups who are authorized to administer the Rights Management service.

Which Windows PowerShell cmdlet should you run?

A. Add-MsolGroupMember

B. Get-AadrmRoleBasedAdministrator

C. Remove-AadrmRoleBasedAdministrator

D. Enable-AadrmSuperUserFeature

Answer: D

Explanation:

The Enable-AadrmSuperUserFeature cmdlet enables the super user feature. With this feature enabled, you can add or remove super users for Azure Rights Management. By default, the super users feature is not enabled, and no users are assigned to this feature. By enabling this feature we can modify the users and groups that are able to administer the Rights Management service.

Incorrect Answers:

A: The Add-MsolGroupMember cmdlet is used to add members to a security group, but firstly we want to modify users, not add them, and secondly security groups are not directly used for the Rights Management service.

B: The Get-AadrmRoleBasedAdministrator cmdlet gets the role-based administrators for Azure Rights Management, but we do not need a list of these users. We want to modify which users have these rights.

C: The Remove-AadrmRoleBasedAdministrator cmdlet removes administrative rights for a user or group from Azure Rights Management for your organization, but we want to modify users, not remove them.

References:

https://msdn.microsoft.com/library/azure/dn629400.aspx

QUESTION NO: 60 DRAG DROP

A company plans to use Office 365 to provide email services to employees. The company obtains a custom domain name to use with Office 365.

You need to add the domain name to Office 365.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1:

Box 2:

Box 3:

Explanation:

Manage Azure AD using Windows PowerShell

You can use the Azure Active Directory Module for Windows PowerShell cmdlets for Azure AD administrative tasks such as user management, domain management and for configuring single sign-on.

Step 1: Install the Azure AD Module

Step 2: Connect to Azure AD

Click the Microsoft Azure Active Directory Module for Windows PowerShell shortcut to open a Windows PowerShell workspace that has the cmdlets. Alternatively, you can load the cmdlets manually by typing import-module MSOnline at the Windows PowerShell command prompt.

Step 3: The New-MsolDomain cmdlet is used to create a new domain object. This cmdlet can be used to create a domain with managed or federated identities.

Incorrect Answers:

Remote PowerShell is used for remote administration. There is no need of remote administration here.

A federated domain in Office 365 is a domain name for which single sign-on (SSO) has been enabled, but here SSO is not mentioned, so we do not use commands for federated domains. We set up a new domain, not a new federated domain.

References:

http://technet.microsoft.com/en-us/library/jj151815.aspx

https://technet.microsoft.com/en-us/library/e1ef403f-3347-4409-8f46-d72dafa116e0#BKMK_ManageDomains

QUESTION NO: 61 DRAG DROP

Fabrikam Inc. plans to use the domain fabrikam.com for Office 365 user identities, email addresses, Session Initiation Protocol (SIP) addresses, and a public-facing home page.

Single sign-on (SSO) between Office 365 and the on-premises Active Directory is NOT required.

You need to configure the Office 365 plan.

Which four Windows PowerShell cmdlets should you run in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1: New-MsolDomain

Box 2: Get-MsolDomainVerificationDNS

Box 3: Confirm-MsolDomain

Box 4: Set-MsolDomain

Explanation:

Box1. First we need to add the domain.

The New-MsolDomain cmdlet is used to create a new domain object. This cmdlet can be used to create a domain with managed or federated identities.

Box2. Next we need to check the DNS before the domain can be confirmed.

The Get-MsolDomainVerificationDns cmdlet is used to return the DNS records that need to be set to verify a domain.

Box3. Now we can confirm the domain.

The Confirm-MsolDomain cmdlet is used to confirm ownership of a domain. In order to confirm ownership, a custom TXT or MX DNS record must be added for the domain. The domain must first be added using the New-MsolDomain cmdlet (step 1), and then the Get-MsolDomainVerificationDNS cmdlet (step 2) should be called to retrieve the details of the DNS record that must be set.

Box4. Next we can set fabrikam.com as the default domain.

The Set-MsolDomain cmdlet is used to update settings for a domain. This cmdlet can be used to change the default domain setting for the company.

Incorrect Answers:

A federated domain in Office 365 is a domain name for which single sign-on (SSO) has been enabled, but here SSO is not required, so we do not use commands for federated domains.

References:

https://msdn.microsoft.com/en-us/library/azure/dn194117.aspx
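The four-cmdlet sequence from QUESTION NO: 61, written out as an added example that is not part of the original question set. It assumes the MSOnline module is installed and that the TXT record is published at the DNS host between the second and third steps; the status check before the last step is an addition.

```powershell
# Added example: add, verify and default a managed (non-federated) domain.
# Assumption: MSOnline module installed; DNS record is created out of band.
Import-Module MSOnline
Connect-MsolService

$domain = 'fabrikam.com'

# Box 1: create the domain object. Managed authentication, because SSO
# with the on-premises Active Directory is not required.
New-MsolDomain -Name $domain -Authentication Managed

# Box 2: retrieve the DNS record that proves ownership of the domain.
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord |
    Format-List

# Publish the returned TXT record at the domain's DNS host and wait for
# it to propagate before continuing.

# Box 3: ask the service to look up the record and confirm ownership.
Confirm-MsolDomain -DomainName $domain

# Added check: stop unless the domain is actually verified.
$state = Get-MsolDomain -DomainName $domain
if ($state.Status -ne 'Verified') {
    throw "Domain $domain is in state '$($state.Status)'; not setting it as default."
}

# Box 4: make the verified domain the default for the company.
Set-MsolDomain -Name $domain -IsDefault
Get-MsolDomain -DomainName $domain |
    Select-Object Name, Status, Authentication, IsDefault
```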

QUESTION NO: 70

You have an Office 365 environment. Synchronization between the on-premises Active Directory and Office 365 is enabled.

You need to deactivate directory synchronization.

Which Windows PowerShell cmdlet should you run?

A. Update-MsolFederatedDomain

B. Remove-MsolDomain

C. Remove-MsolFederatedDomain

D. Set-MsolDirSyncEnabled

Answer: D

Explanation:

The Set-MsolDirSyncEnabled cmdlet is used to enable or disable directory synchronization for a company. The complete command to disable directory Sync is Set-MsolDirSyncEnabled –EnableDirSync $false

Incorrect Answers:

A: The Update-MSOLFederatedDomain cmdlet changes settings in both the AD FS server and Microsoft Online Services, but it cannot be used to disable directory synchronization.

B: The Remove-MsolDomain cmdlet is used to delete a domain from the Microsoft Azure Active Directory (Microsoft Azure AD), but we do not want to delete a domain; we just need to deactivate directory synchronization.

C: The Remove-MSOLFederatedDomain cmdlet removes the specified single sign-on domain from Microsoft Online Services and the associated relying party trust settings in AD FS, but we do not want to delete a domain; we just need to deactivate directory synchronization.

References:

http://support.microsoft.com/kb/2619062

QUESTION NO: 84

Your company has a hybrid deployment of Office 365. You need to verify whether free/busy information sharing with external users is configured.

Which Windows PowerShell cmdlet should you use?

A. Test-OutlookConnectivity

B. Test-FederationTrust

C. Get-OrganizationRelationship

D. Get-MSOLDomainFederationSettings

Answer: C

Explanation:

How to troubleshoot free/busy issues in a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365

Use the Get-OrganizationRelationship cmdlet to retrieve settings for an organization relationship that has been created for federated sharing with other federated Exchange organizations or for hybrid deployments with Exchange Online. You can use this information to troubleshoot free/busy issues in a hybrid deployment.

In more detail (see step 4 below):

To help troubleshoot this issue, follow these steps:

  • On an on-premises computer that's running Microsoft Exchange 2010 Server Service Pack 1 (SP1), click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

  • At the command line, type the following command, and then press Enter: Get-FederationInformation -domainname <Office 365 Domain> In this command, the <Office 365 Domain> placeholder represents the default Office 365 domain (for example, adatum.onmicrosoft.com).

  • In the results, note the TargetApplicationUri and TargetAutodiscoverEpr values. These are the settings that the target domain must have to make sure that the federation trust is set up correctly.

  • To display the trust information that is currently set up for the default Office 365 domain, run the following command: Get-OrganizationRelationship | FL

Incorrect Answers:

A: The Test-OutlookConnectivity cmdlet is used to test end-to-end Microsoft Outlook client connectivity in the Microsoft Exchange Server 2013 organization, but it isn't used to troubleshoot free/busy issues in a hybrid deployment.

B: The Test-FederationTrust cmdlet is used to verify that the federation trust is properly configured and functioning as expected. It isn't used to troubleshoot free/busy issues in a hybrid deployment.

C: The Get-OrganizationRelationship cmdlet is used to retrieve settings for an organization relationship that has been created for federated sharing with other federated Exchange organizations or for hybrid deployments with Exchange Online. It isn't used to troubleshoot free/busy issues in a hybrid deployment.

References:

https://support.microsoft.com/en-us/kb/2555008

3.3.5 Bulk user license management

QUESTION NO: 1

A company migrates to Office 365. 2,000 active users have valid Office 365 licenses assigned.

An additional 5,000 user accounts were created during the migration and testing processes. These users do not have any licenses assigned.

You need to remove the Office 365 user accounts that do not have any licenses assigned by using the least amount of administrative effort.

Which Windows PowerShell command should you run?

A. Get-MsolUser -All -EnabledFilter "DisabledOnly" | Remove-MsolUser -Force

B. Get-MsolUser -EnabledFilter "DisabledOnly" | Remove-MsolUser -Force

C. Get-MsolUser -All -UnlicensedUsersOnly | Remove-MsolUser -Force

D. Get-MsolUser -UnlicensedUsersOnly | Remove-MsolUser -Force

Answer: C

Explanation:

Step 1: Get all unlicensed users:

The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. We must use both the –All and the –UnlicensedUsersOnly parameters to retrieve all unlicensed users.

Parameters include:

-All [<SwitchParameter>]

If present, then all results will be returned.

-UnlicensedUsersOnly [<SwitchParameter>]

The filter for only users who are not assigned a license.

Step 2: Remove these users through the Remove-MsolUser –Force command.

Incorrect Answers:

A: We are not interested in the disabled users.

B: We are not interested in the disabled users.

D: We must use the –All parameter as well to retrieve all unlicensed users.

References:

http://technet.microsoft.com/en-us/library/dn194133.aspx

QUESTION NO: 2 DRAG DROP

Litware Inc. has an Office 365 Enterprise E1 plan. Employees have access to all Office 365 services.

Employees in the human resources (HR) department must continue to use the on-premises SharePoint 2013 deployment due to legal requirements.

You need to disable access to SharePoint Online for all HR department employees.

How should you complete the relevant Windows PowerShell commands? To answer, drag the appropriate Windows PowerShell segment to the correct location or locations in the answer area. Each Windows PowerShell segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

Box 1: -MsolLicenseOptions

We must create a license object. The New-MsolLicenseOptions cmdlet creates a new License Options object.

Box 2: SHAREPOINTSTANDARD

We must disable SharePoint Online. SharePoint Online is denoted by SHAREPOINTSTANDARD.

The New-MsolLicenseOptions -DisabledPlans <string[]> parameter takes a list of service plans to disable when assigning this license to the user.

Box 3: We get all HR department users through the Get-MsolUser -All -Department "HR" command.

The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users.

Box 4: For these retrieved users we use the Set-MsolUserLicense command to apply the license we constructed.

The Set-MsolUserLicense cmdlet can be used to adjust the licenses for a user.

Incorrect Answers:

There are no commands New-MsolUserLicense or New-MsolSubscription.

SHAREPOINTWAC stands for Office Web Apps, but we are interested in SharePoint online.

The Get-MsolSubscription cmdlet returns all the subscriptions that the company has purchased, but we need to retrieve the HR users.

References:

https://msdn.microsoft.com/en-us/library/azure/dn194116.aspx
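The license-options procedure from QUESTION NO: 2, as an added example that is not part of the original question set. It assumes the MSOnline module is installed and that the Enterprise E1 plan appears in the tenant with the SKU part number STANDARDPACK; the plan-name check and the final verification are additions.

```powershell
# Added example: disable SharePoint Online for HR users via license options.
# Assumptions: MSOnline module installed; E1 is listed as STANDARDPACK.
Import-Module MSOnline
Connect-MsolService

$planToDisable = 'SHAREPOINTSTANDARD'

# Look up the tenant's own AccountSkuId instead of hard-coding it.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq 'STANDARDPACK' }
if (-not $sku) { throw 'No STANDARDPACK subscription found in this tenant.' }

# Added check: the service plan must exist in this SKU, otherwise
# New-MsolLicenseOptions would be built against the wrong plan name.
$planNames = $sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName }
if ($planNames -notcontains $planToDisable) {
    throw "$planToDisable is not a service plan of $($sku.AccountSkuId)."
}

# Boxes 1 and 2: build the License Options object.
$options = New-MsolLicenseOptions -AccountSkuId $sku.AccountSkuId `
                                  -DisabledPlans $planToDisable

# Boxes 3 and 4: apply it to HR users who hold that license.
Get-MsolUser -All -Department 'HR' |
    Where-Object { $_.Licenses.AccountSkuId -contains $sku.AccountSkuId } |
    Set-MsolUserLicense -LicenseOptions $options

# Verify: report the SharePoint Online plan status for each HR user.
Get-MsolUser -All -Department 'HR' | ForEach-Object {
    $status = $_.Licenses.ServiceStatus |
        Where-Object { $_.ServicePlan.ServiceName -eq $planToDisable }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        SharePointOnline  = $status.ProvisioningStatus
    }
}
```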

QUESTION NO: 80

Your company uses Office 365. You need to identify which users do NOT have a Microsoft Exchange Online license assigned to their user account.

Which Windows PowerShell cmdlet should you use?

A. Get-ManagementRoleAssignment

B. Get-User

C. Get-RoleGroupMember

D. Get-LogonStatistics

E. Get-RemovedMailbox

F. Get-MSOLContact

G. Get-Recipient

H. Get-Mailbox

I. Get-Group

J. Get-MailboxStatistics

K. Get-MSOLUser

L. Get-MailContact

Answer: K

Explanation:

We use the Get-MsolUser –UnlicensedUsersOnly command to retrieve all users who do not have a Microsoft Exchange Online license.

The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users.

The -UnlicensedUsersOnly [<SwitchParameter>] parameter filters for only users who are not assigned a license.

Incorrect Answers:

A: The Get-ManagementRoleAssignment cmdlet retrieves management role assignments, not unlicensed users.

B: The Get-User command applies to on-premises Exchange Server 2013 and not to Office 365.

C: The Get-RoleGroupMember command applies to on-premises Exchange Server 2013 and not to Office 365.

D: The Get-LogonStatistics cmdlet retrieves logon statistics, not unlicensed users.

E: The Get-RemovedMailbox cmdlet retrieves deleted mailboxes, not unlicensed users.

F: The Get-MsolContact cmdlet retrieves contact objects, not unlicensed users.

G: The Get-Recipient command applies to on-premises Exchange Server 2013 and not to Office 365.

H: The Get-Mailbox command applies to on-premises Exchange Server 2013 and not to Office 365.

I: The Get-Group command applies to on-premises Exchange Server 2013 and not to Office 365.

J: The Get-MailboxStatistics cmdlet retrieves mailbox information, not unlicensed users.

L: The Get-MailContact cmdlet retrieves contact information, not unlicensed users.

References:

http://social.technet.microsoft.com/wiki/contents/articles/11349.office-365-license-users-for-office-365-workloads.aspx

3.3.6 Hard delete users

Topic 4, Implement and manage identities by using DirSync

4.1 Prepare on-premises Active Directory for DirSync

4.1.1 Plan for non-routable domain names

4.1.2 Clean up existing objects

4.1.3 Plan for filtering Active Directory

QUESTION NO: 16

You are the Office 365 administrator for your company. The company synchronizes the local Active Directory objects with a central identity management system.

The environment has the following characteristics:

  • Each department has its own organizational unit (OU).

  • The company has OU hierarchies for partner user accounts.

  • All user accounts are maintained by the identity management system.

You need to ensure that partner accounts are NOT synchronized with Office 365.

What should you do?

A. Configure OU-based filtering by using the Windows Azure Active Directory Sync tool.

B. In the Windows Azure Active Directory portal, configure OU-based filtering.

C. Configure user attribute-based filtering by using the Windows Azure Active Directory Sync tool.

D. In the Windows Azure Active Directory portal, configure user attribute-based filtering.

Answer: A

Explanation:

You can use the Windows Azure Active Directory Sync tool to enable Active Directory synchronization filtering. This allows you to filter out objects that should not be synchronized to the cloud. The objects that can be filtered are: Organizational-units (OUs), domains, and user-attributes.

Incorrect Answers:

B: You can use OU-based filtering to stop the specified OUs from being synchronized to the cloud but this is performed using the Windows Azure Active Directory Sync tool, not the Windows Azure Active Directory portal.

C: You can use user attribute-based filtering, though this will require you to update each user object that is to be filtered in your on-premises Active Directory. As your current environment has the user accounts organized in OUs, it would be more efficient to use OU-based filtering.

D: You can use user attribute-based filtering, though this will require you to update each user object that is to be filtered in your on-premises Active Directory. As your current environment has the user accounts organized in OUs, it would be more efficient to use OU-based filtering. Furthermore, user attribute-based filtering, as well as OU-based filtering, is performed using the Windows Azure Active Directory Sync tool, not the Windows Azure Active Directory portal.

References:

http://technet.microsoft.com/en-us/library/jj710171.aspx

4.1.4 Support for multiple forests

4.2 Set up DirSync [WAAD sync tool]

4.2.1 Soft match filtering and identify synchronized attributes

QUESTION NO: 10

An organization plans to migrate to Office 365. You use the Windows Azure Active Directory (AD) Sync tool.

Several users will not migrate to Office 365. You must exclude these users from synchronization. All users must continue to authenticate against the on-premises Active Directory.

You need to synchronize the remaining users.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Populate an attribute for each user account.

B. Disable the user accounts in Active Directory.

C. Perform a full synchronization.

D. Configure the connection filter.

E. Run the Windows PowerShell command Set-MsolDirSyncEnabled -EnableDirSync $false.

Answer: A, C, D

Explanation:

To implement user attribute-based Directory synchronization filtering you need to add an attribute to each user object that is to be filtered in your on-premises Active Directory. Then you need to enable Active Directory synchronization filtering and configure the connection filter to use the user attribute. Finally, you must perform a full synchronization.

Incorrect Answers:

B: You cannot disable the user accounts in Active Directory as this will not allow the users to continue to authenticate against the on-premises Active Directory.

D: The Set-MsolDirSyncEnabled -EnableDirSync $false cmdlet disables directory synchronization, which means that none of the organization's user accounts will be synchronized to the cloud.

References:

http://technet.microsoft.com/en-us/library/jj710171.aspx

https://msdn.microsoft.com/en-us/library/azure/dn194097.aspx

QUESTION NO: 12 DRAG DROP

An organization plans to deploy an Office 365 tenant. The company has two servers named SERVER1 and SERVER2. SERVER1 is a member server of the Active Directory forest that you are synchronizing. SERVER2 is a standalone server. Both servers run Windows Server 2012.

You need to use the Windows Azure Active Directory Sync tool to provision users.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Box 1:

Box 2:

Box 3:

Explanation:

You must activate directory synchronization before you install the Directory Sync tool.

The Directory Sync tool must be installed on a computer that is joined to the Active Directory forest that you plan to synchronize. As SERVER2 is a standalone server, it is not joined to the Active Directory forest and cannot be used for synchronization.

Finally, assign licenses to activate services for the synchronized users.

Incorrect Answers:

The Directory Sync tool must be installed on a computer that is joined to the Active Directory forest that you plan to synchronize. As SERVER2 is a standalone server, it is not joined to the Active Directory forest and cannot be used for synchronization.

The Directory Sync tool must be installed on a computer that is joined to the Active Directory forest that you plan to synchronize. It need not be a domain controller. Therefore, there is no need to install Active Directory Domain Services on another member server.

References:

https://technet.microsoft.com/en-us/library/dn144766.aspx

http://technet.microsoft.com/en-us/library/jj151831.aspx

https://technet.microsoft.com/en-us/library/jj151800.aspx

http://office365support.ca/getting-started-with-office-365-the-basics/

4.2.2 Password sync
