MS-500 Microsoft 365 Security Administration-Securing Microsoft 365 Hybrid Environments Part 2

  1. A foundation of the Microsoft Cloud Services

Okay, so I want to talk with you now about the concept of cloud computing. First and foremost, cloud computing is not a new concept, although a lot of people think it is. The term "cloud" has been around for a very long time, and although it means something a bit different than it did 20 years ago, cloud computing today simply means hosting something as a service on the Internet. I like to use this analogy. Think about the cars I own. I have a wife and some daughters, my daughters have their own vehicles, so I've got a driveway full of vehicles, and of course sometimes they break down.

Let's say I want to manage the repairs of my vehicles myself. I could buy all the equipment needed to turn my garage into an auto mechanic shop: a hydraulic lift, all the tools, all the training, everything needed to do those repairs myself. Or, instead of spending the money to do all that, acquire the knowledge and keep the equipment updated, I could pay an auto mechanic shop that does that job as a service, and I don't have to deal with it. That's what cloud computing is.

You're basically paying somebody else to host a service for you. So here's what's happened. Companies like Amazon, Microsoft and IBM have built huge data centers full of equipment: lots of server blades, tons of processing power, RAM and storage, fiber optic network equipment, load balancers, firewalls, the best of the best. These facilities are placed strategically all over the world so that they get a tremendous amount of redundancy. Those data centers are what these companies call their cloud.

All of these data centers are connected to the Internet and to each other, and the whole thing is ever changing: it can grow, it can shrink, new locations can be opened. Microsoft's main cloud platform is called Azure. That brings me to an acronym: IaaS, infrastructure as a service. Azure is what Microsoft sells as its infrastructure-as-a-service product (it also hosts platform services, but for this course think of it as the IaaS layer). I also want to mention pronunciation. That's how I pronounce the word, Azure; some of you may pronounce it differently. One time I actually went out and tried to research the proper way to say that word, and I was watching the developer videos of the Microsoft guys who created it.

And guess what? They all pronounce it differently too. So, tomato, tomahto. But Azure is Microsoft's infrastructure-as-a-service cloud product. Basically, if you get an Azure subscription you get access to their cloud and can host virtual machines there. So if I wanted to, I could host everything you see on premises in their cloud environment instead. They also give me access to a directory service called Azure AD, Azure Active Directory (since renamed Microsoft Entra ID), which holds my user accounts, credentials and so on.

And if I wanted to link the two together, my on-prem Active Directory and Azure AD, I could, but I'm not going to get into that just yet. So I get access to virtual machines and to Azure AD, and the great thing is I pay only for what I use: the CPU, the RAM, the storage, the networking and appliances like load balancers. Now there are two other cloud terms I want to introduce: PaaS, platform as a service, and SaaS, software as a service. Originally, Microsoft called their PaaS and SaaS offering Office 365.

But this confused everybody, because when you hear the term Office 365 everybody thinks of Word, Excel and PowerPoint, and this cloud environment is a lot more than that. So they renamed it Microsoft 365. What you're going to find is that when Microsoft refers to the IaaS portion of their cloud they use the term Azure, and when they refer to the PaaS and SaaS portion (which you mostly consume as SaaS) they're talking about Microsoft 365. So what do you get with those? Platform as a service means they host a software platform for you that you can use, manage and deploy. For example, I get the Office 365 platform for deploying the Office applications.

I also get Office Online, the software-as-a-service version, where users access the apps in the cloud. I get Exchange Online, so email is hosted in the cloud. I get SharePoint Online, so SharePoint is available to my people. I get Skype for Business, which is now becoming Teams, the big collaboration technology for chat, video conferencing, voice over IP and all that good stuff. As part of the deal I get Intune, Microsoft's MDM (mobile device management) technology, which lets you control smartphones, tablets and laptops as well as desktops in your environment.

This is very similar to what SCCM (System Center Configuration Manager) does, if you know that product, but it doesn't completely replace it; it's a cloud solution for managing your devices. You also get a feature called Autopilot, which I'll talk about more, that automates the deployment of your computers. You get a tremendous amount of capability. There's what I'll call security as a service: tools for managing classification and encryption and for doing eDiscovery for forensics and evidence collection. There are so many things they give you that I honestly don't have room in my little cloud diagram to draw everything.

You also get OneDrive for Business (I'll write it as OneDrive 4 B), a cloud storage solution. You get all of this as a subscription service. The other thing I want to mention is that you can link your on-prem environment, which from an Active Directory standpoint is AD DS, Active Directory Domain Services. You can connect AD DS with Azure AD if you want and synchronize things, by setting up a server running Azure AD Connect.

Azure AD Connect is a special server you use to synchronize your on-premises Active Directory user accounts, and optionally their password hashes, into the cloud (with password hash synchronization it sends a salted re-hash of the stored hash, never the clear-text password). Do you have to have a separate server? It can actually run on a domain controller, but Microsoft recommends a separate member server. That server synchronizes whatever you want. Do you have to synchronize all of your users, passwords and groups out to the cloud? Absolutely not. You control what actually gets synchronized. They call this a hybrid solution: linking your on-premises Active Directory with your cloud functions and synchronizing whatever you choose. This gives you an idea of where Microsoft is going. Microsoft is definitely heading toward the cloud.

Are they abandoning everything on premises? Absolutely not. All of that is still available. But they're trying to encourage everybody to use their cloud environment. One quick difference: with Azure, the IaaS service, you pay for the usage of CPU, memory and storage. With Microsoft 365 you pay a per-user subscription fee for the products and use them as much as you want; there's no metering of CPU or memory (licensing and storage quotas still apply). You'll find the two technologies complement each other, so when you get a Microsoft 365 tenant you still have access to some of the Azure stuff.

And if you want to host things like VMs, you can. The great thing about the cloud, with virtualization and elasticity, is what cloud computing is really about: you host this stuff online and it can scale. You need more CPU, it can give it to you instantly. You need more RAM, more storage, more network, they can scale you out, and when you're not using those resources they scale you back. Hopefully this gives you a decent foundation for understanding the present situation and where Microsoft is headed. As they say, their heads are in the clouds right now; they're definitely encouraging people to move to the cloud, and across their exams and courses that's the big thing they're focused on.

  2. Setting up custom domain settings to prepare for Azure AD Connect

Now that we've explored user identities and user profiles and gotten into Azure Active Directory, I want to begin moving us toward connecting our on-premises Active Directory, AD DS (Active Directory Domain Services), with Azure AD. In order to do that, there are some considerations. First, we need to consider what our domain name is in Active Directory. In my little lab environment my domain name is examlabpractice.com. On my domain controller I can click Start, go to Server Manager, open Tools, then Active Directory Users and Computers, and you can clearly see the domain name. I'll zoom in on that for you: it's examlabpractice.com.

And the public DNS zone for that name needs to be reachable from the Internet in order for me to register (verify) the name in my Azure AD. Here's the thing. When we connect our on-prem domain and Azure AD, most people want to achieve something called seamless SSO. SSO stands for single sign-on. The goal of seamless single sign-on is that when your users log on to the on-premises domain from a domain-joined machine, they also get signed in to the cloud automatically (Azure AD accepts a Kerberos ticket obtained from the on-premises logon). For that to line up, the UPN suffix your users sign in with has to be a domain you own and have verified in the tenant, so we need to be able to use this name in the cloud, and to do that we first need the name in a DNS zone that is accessible from the Internet.

We'll say that's my DNS server here. I'm going to click Tools and then DNS, and we'll zoom in. Here's my DNS server, and it has forward lookup zones (what I've loosely been calling databases). If I had another DNS name I wanted to make available, I could create another zone. I won't turn this into a server class and cover DNS completely, but I'm just going to create a little zone I can put DNS records in. I'll call it abccorp.com, just a random company name. Click Next, then Finish. We've now got a zone called abccorp.com. But here's the problem.

Currently, if you wanted any of your users to also be known as abccorp.com, you'd have to tell Active Directory that, because right now Active Directory only allows this one name to be associated with your users. For example, if I pull up Active Directory Users and Computers again, double-click a user like Jane Doe and go to the Account tab, notice that her logon name is JaneDoe@examlabpractice.com. They call that a UPN, a user principal name; it looks like an email address. If I drop that list down, there's no option for abccorp.com, even though I've created a DNS zone for it.

There's no way to pick it there, so let me show you how to add it. I'm going back into Server Manager, to Tools, and opening Active Directory Domains and Trusts. In that tool I can specify additional UPN suffixes. Let's zoom in. I right-click the Active Directory Domains and Trusts node at the top, go to Properties, and on the UPN Suffixes tab I can add an additional suffix that Active Directory will allow my users to have. So I type abccorp.com, click Add, click OK and close out. Back in Active Directory Users and Computers, double-click Jane Doe, go to Account, and now I can drop that down and Jane Doe can be known as abccorp.com.

I could have both of these names if I wanted. And if you get into Exchange Online, where you want all your email hosted in the Microsoft 365 services (part of the subscription), the great thing is that when I do link my on-premises AD DS environment with the cloud, it's already set up and ready to go. So this is what has to happen on the Active Directory side. In order to have the name registered, keep in mind that your DNS is going to get checked from the cloud, so you do have to have what we call an Internet-facing DNS server: an authoritative server for the zone that Microsoft 365 can query to verify that you actually own the name. One caveat: in production that is normally the public zone at your registrar or DNS hosting provider, not the AD-integrated DNS on a domain controller, which you do not want to expose to the Internet. I'll talk more about the verification in the next lesson; this gives you an idea of what has to happen on the on-premises side to make it all work.
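The same UPN-suffix preparation in PowerShell, with the audit a practitioner wants before the first Azure AD Connect sync. This is an added example, not code from the course: it assumes the RSAT ActiveDirectory module on a domain member, an account allowed to modify the forest, and uses the lecture's examlabpractice.com forest and its abccorp.com placeholder as the public suffix; the list of verified suffixes is an assumption you replace with your tenant's.

```powershell
# Added example (not from the course): register an alternative UPN suffix and
# find users whose UPN will not survive synchronization to Azure AD.
# Assumptions: RSAT ActiveDirectory module; forest examlabpractice.com (lecture);
# abccorp.com is the lecture's placeholder for the public domain you own.
Import-Module ActiveDirectory

$PublicSuffix = 'abccorp.com'

# Step 1: register the suffix at the forest level. This is the same change as
# Active Directory Domains and Trusts > Properties > UPN Suffixes > Add.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    $forest | Set-ADForest -UPNSuffixes @{ Add = $PublicSuffix }
    Write-Host "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# Step 2: audit. Azure AD only keeps a UPN whose suffix is a verified custom
# domain in the tenant; a user with any other suffix (a .local forest name, a
# typo, an empty UPN) is created as <prefix>@<tenant>.onmicrosoft.com instead,
# and that user's cloud identity no longer matches the on-premises logon.
$VerifiedSuffixes = @($PublicSuffix, 'examlabpractice.com')   # assumption: suffixes verified in the tenant

$needsFix = Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object {
        $_.Enabled -and (
            -not $_.UserPrincipalName -or
            (($_.UserPrincipalName -split '@')[1] -notin $VerifiedSuffixes)
        )
    }

$needsFix | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# Step 3: rewrite the suffix, keeping the existing prefix (or the sAMAccountName
# when the user has no UPN at all). -WhatIf shows the change; remove it to apply.
foreach ($u in $needsFix) {
    $prefix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$PublicSuffix" -WhatIf
}
```

Run the audit before the first sync: changing a UPN after the object exists in Azure AD is supported, but it is an extra reconciliation step and users with cached credentials notice it. Changing it while the account only exists on premises costs nothing.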

  3. Setting up custom domain name settings in Azure AD

Okay, so here we are at admin.microsoft.com, also known as portal.microsoft.com, the Microsoft 365 admin center. This is where I'm going to add a custom domain. In the previous segment I did the AD DS side of things to prepare DNS for my on-premises Active Directory. Now I've got to tell the cloud about it so I can link it all together. To do that I click Show all, expand Settings and click Domains. From Domains, I'll add a new domain, and to add a domain I type the new domain name in.

Now here's the thing. If you own the name and host it with a provider like GoDaddy, Microsoft has an agreement with GoDaddy (and some other registrars): you put in the name, supply your GoDaddy credentials, and it creates the records for you. That's how examlabpractice.com was set up; I didn't have to do anything special. However, if I'm hosting DNS on a Microsoft server, like I showed you in the last lecture, then I put the name in here. We'll say abccorp.com. Keep in mind I don't really own that name, but we're going to pretend I do and that my server has been set up with DNS, so I can show you what would have to happen to make this work.

I click Use this domain. It processes and says: if you own the name, verify that you actually own it. There are two ways to verify ownership of a domain. One is to create a TXT (text) record in my DNS zone. A TXT record is a generic record; in the real world you can put anything you want in it, and whoever queries it gets that text back. You could put somebody's phone number in there if you wanted. In this case, though, Microsoft is saying: if you really own abccorp.com, create a TXT record with this specific value.

Once you do that and click Verify at the bottom, Microsoft queries DNS for that name and checks that the record is there. If it is, the reasoning is that you must really own the name, because you were able to create the record. It's almost like a one-time password they text to your phone or send by email. Alternatively, you can do this with an MX record, a mail exchanger record, in the same way.

You create an MX record in the DNS zone with the value they give you, and it checks for that instead. It's important for the exam that you know those two main ways to verify that you own the domain. Keep in mind that the third way is the partnership with GoDaddy and similar providers: if this were a GoDaddy-hosted domain it would prompt me for those credentials. But what you want to remember for the exam is that you can create a TXT record or an MX record. So now I'm going to go back and create this TXT record in my DNS server. I'm back over here on my DNS server.

I'll zoom in for you here. We're looking at the abccorp.com zone. All I need to do is right-click it and choose Other New Records, scroll down to Text (TXT) and click Create Record. You leave the record name blank (that puts the record at the zone apex, abccorp.com itself) and type in the value they gave us. The value is of the form MS=ms followed by digits; mine, as read out in the lecture, was MS=ms463737721. Click OK, then Done, and the record is created. That's pretty much it on the server side. As long as this is a server that is Internet-facing, meaning it can be reached from the Internet, Microsoft will be able to verify the name. Before you click Verify, it's worth doing a TXT lookup for the domain against a public resolver, not your own server, so you see what Microsoft will see: a missing delegation, a firewall blocking port 53, or a cached old answer all produce the same verification failure as a wrong value.

Jumping back to the Microsoft 365 portal, this is the record I created, and I could click Verify. Granted, I don't really own that name. I do own examlabpractice.com, but that was registered when I initially set up this cloud tenant. So if I click Verify here it's going to throw an error, because I don't own abccorp.com. But that gives you an idea of what you have to do on the Active Directory, on-premises side and on the cloud side to get your DNS names registered.
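The verification walk-through above, done end to end from PowerShell instead of the admin center. This is an added example, not the course's or Microsoft's own code: it assumes the Microsoft.Graph PowerShell SDK with an account holding Domain.ReadWrite.All, the DnsServer module on the Windows DNS server that hosts the public zone, and uses the lecture's abccorp.com placeholder; the TXT value is whatever the tenant returns, not the value read out in the lecture.

```powershell
# Added example (not from the course): add a custom domain, fetch the
# verification record, publish it, confirm it is visible from the Internet,
# then trigger verification. Assumptions: Microsoft.Graph SDK, DnsServer module,
# and abccorp.com as the lecture's placeholder domain.
$Domain = 'abccorp.com'

Connect-MgGraph -Scopes 'Domain.ReadWrite.All' | Out-Null

# 1. Add the domain to the tenant (the "Add domain" step under Settings > Domains).
if (-not (Get-MgDomain -DomainId $Domain -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $Domain | Out-Null
}

# 2. Ask the tenant what it expects to find. It offers both a TXT and an MX
# record; either one proves control of the zone. We use the TXT one here.
$records  = Get-MgDomainVerificationDnsRecord -DomainId $Domain
$txt      = $records | Where-Object RecordType -eq 'Txt' | Select-Object -First 1
$txtValue = $txt.AdditionalProperties['text']     # derived-type property, e.g. MS=ms12345678
Write-Host "Create TXT at zone apex with value: $txtValue"

# 3. Create the record. Name '@' is the zone apex, which is what the blank
# "record name" field in the DNS console means. A short TTL keeps a typo from
# sitting in resolver caches for hours.
Add-DnsServerResourceRecord -ZoneName $Domain -Name '@' -Txt `
    -DescriptiveText $txtValue -TimeToLive ([TimeSpan]::FromMinutes(5))

# 4. Do not click Verify blind. Query a public resolver (not this server) so the
# answer reflects delegation, firewall and propagation state as Microsoft sees it.
$seen = $false
for ($i = 0; $i -lt 12 -and -not $seen; $i++) {
    $answer = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -DnsOnly -ErrorAction SilentlyContinue
    $seen   = [bool]($answer | Where-Object { $_.Strings -contains $txtValue })
    if (-not $seen) { Start-Sleep -Seconds 30 }
}
if (-not $seen) { throw "TXT record for $Domain is not visible from the Internet yet; fix DNS before verifying" }

# 5. Trigger verification (the Verify button) and confirm the tenant now trusts the domain.
Confirm-MgDomain -DomainId $Domain
(Get-MgDomain -DomainId $Domain).IsVerified
```

The loop in step 4 is the part most people skip: Microsoft resolves the name from its own infrastructure, so a record that answers correctly on your internal DNS server but is not reachable through your edge firewall, or is served by a nameserver the registrar does not delegate to, fails verification with no useful detail. Checking from a public resolver first turns that into an actionable DNS error rather than a generic "we couldn't verify" message.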
