rlevchenko

What is the exam 70-346?

70-346 is one of the two exams (+70-347) that you have to pass to achieve MCSA: Office 365.

This exam checks your skills in administration, licensing (o365 plans and scenarios), planning and deploying hybrid solutions (on-premises <> cloud).

How many questions in the exam?

What types of questions exam has?

There are a lot of drag-and-drop . multiple-choice questions.

How to prepare for an exam?

Get the free trial of O365 E3 Plan

Fill out the required form. Make sure you provided the active phone number.

You will receive a verification code that is required to finalize creating new O365 account.

Click on “You’re ready to go …” and you will be redirected to the main page of portal.

To get status of trial subscription or to view all available plans click on “Purchase” at the top-right corner of the screen

Note “days left” and parameters (expiration date, quantity of purchased users) of trial subscription

Go to pricing and plans and try to remember the main differences between business and enterprise plans!

For example,

Business/Enterprise : 300 users maximum and unlimited respectively

Free trial option: Only for Business, Business Premium, E3

If you are not familiar with what O365 offers or want to get deep knowledge about plans and services go to these documents:

Office 365 service description

Office 365 service comparison

Just for your information :

MS has E4 plan (to enhance unified messaging experience) and going to add new plan called E5 before the end of this year

Education and Government plans are not widely presented in the exam so you can be free to omit them.

Prepare your workstation

To be able manage O365 with PowerShell you have to install some required software on your machine.

Microsoft Online Services Sign-In Assistant for IT Professionals RTW
Azure AD Module for Windows PowerShell (x86 (discontinued) or x64)
Azure Rights Management Services Tool
Sharepoint Online PowerShell Shell (optional, required for 70-347 exam)
Skype For Business Online, PowerShell Module (optional, required for 70-347 exam)
Connect Exchange Online using remote PowerShell (optional, required for 70-347 exam)

In my environment I use only the following modules (RMS+Azure AD) :

Then go to the exam’s official page and explore 6 categories of skills :

Open your Office 365 portal and run Azure AD PowerShell machine.

You have to be ready to repeat all described steps below in web GUI and PowerShell as well.

Provision Office 365

Where is? Portal –> Domains , Portal –> Setup

Provision Tenants

Add and configure custom domains
Plan a pilot

GUI: https://www.microsoftpressstore.com/articles/article.aspx?p=2419713

PS: https://msdn.microsoft.com/en-us/library/azure/dn919677.aspx

Plan and implement networking and security

Where is ? Service Settings –> Rights Management , Portal –> Users

PowerShell: https://msdn.microsoft.com/en-us/library/dn629398.aspx

Example:How to activate RMS using PowerShell

#Import Rights Management module 
Import-Module aadrm

#Get credentials (global administrator)
$cred=Get-Credential -Credential rlevchenko@<tenantname>.onmicrosoft.com

#Connect to RM Service and activate it. 

Connect-AadrmService -Credential $cred -Verbose

VERBOSE: https://admin.eu.aadrm.com/adminV2/admin.svc
A connection to the Windows Azure AD Rights Management (AADRM) service was opened for rlevchenko@<tenantname>.onmicrosoft.com.

Enable-Aadrm -Verbose

The Rights Management service has been successfully enabled although additional
 configuration of other services might be required. For more information, see h
ttp://go.microsoft.com/fwlink/?LinkId=251909.

#Add user to RMS administrators group

Add-AadrmRoleBasedAdministrator -EmailAddress "user1@<tenantname>.onmicrosoft.com"
user1@<tenantname>..onmicrosoft.com was added to the list of administrators for the
Rights Management service.

#Disconnect from RM Service

Disconnect-AadrmService -Verbose
Connection to the AADRM service closed.

Manage administrator roles in Office 365

PowerShell: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx

Example: How to create a new user and assign to one of administrators group

#Connect to MS Online. 
Connect-MSOnline -Credential $cred

#Create new user DisplayName and UserPrincipalName are REQUIRED! 
#Note: Password is automatically generated

New-MsolUser -DisplayName "User2" -UserPrincipalName user2@<tenantname>.onmicrosoft.com

Password            UserPrincipalName   DisplayName         isLicensed
--------            -----------------   -----------         ----------
Jura4110            user2@<tenantname>... User2               False

#List of available administrator roles

Get-MsolRole|ft Name

Name
----
Compliance Administrator
Exchange Service Administrator
Device Managers
Partner Tier1 Support
Company Administrator
Helpdesk Administrator
Lync Service Administrator
Directory Readers
Directory Writers
Device Join
Device Administrators
Billing Administrator
Workplace Device Join
Directory Synchronization Accounts
Device Users
Partner Tier2 Support
Service Support Administrator
SharePoint Service Administrator
User Account Administrator

#Add user to Helpdesk Administrator

Add-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberEmailAddress "user2@<tenantname>.onmicrosoft.com" -Verbose

#Check

$role=Get-MsolRole -RoleName "HelpDesk Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

RoleMemberType      EmailAddress        DisplayName         isLicensed
--------------      ------------        -----------         ----------
User                user2@<tenantname>...       User2                    False

Manage cloud identities

Where is ? Portal –> Users, <Billing>, <Service Settings –> Passwords>

Configure password management
- Add, edit and delete user accounts (GUI)
- Reset a user’s password (GUI)
- Set a user’s password expiration policy (GUI)
- Set an individual user’s password to never expire (GUI)

PowerShell example:

#I have already connected to MS online so it's not necessary to execute Connect-MSolService.  

#Reset user's password to random password. User will be required to set new password on the next sign in.

Set-MsolUserPassword -UserPrincipalName user2@<tenantname>.onmicrosoft.com
Toha1184

#....Not to random password
Set-MsolUserPassword -UserPrincipalName user2@<tenantname>.onmicrosoft.com -NewPassword Pass123!
Pass123!

#Set expiration of password
Set-MsolUser -UserPrincipalName user2@<tenantname>.onmicrosoft.com -PasswordNeverExpires $true

#Set password expiration policy

Set-MsolPasswordPolicy -DomainName <tenantname>.onmicrosoft.com -ValidityPeriod 90 -NotificationDays 14

#Get password expiration policy
Get-MsolPasswordPolicy -DomainName <tenantname>.onmicrosoft.com

ExtensionData                        NotificationDays            ValidityPeriod
-------------                        ----------------            --------------
System.Runtime.Serializ...                         14                        90

Manage user and security groups (+see examples and links above)

Examples:

#Soft delete, no confirm 

Remove-MsolUser -UserPrincipalName user3@<tenantname>.onmicrosoft.com -Force

#List of deleted users

Get-MsolUser -ReturnDeletedUsers

UserPrincipalName          DisplayName                isLicensed
-----------------          -----------                ----------
user3@<tenantname>.onmicros... User3                      False

#Restore user after soft delete

Restore-MsolUser -UserPrincipalName user3@<tenantname>.onmicrosoft.com

UserPrincipalName          DisplayName                isLicensed
-----------------          -----------                ----------
user3@<tenantname>.onmicros... User3                      False

Manage cloud identities with Windows PowerShell

How to do “hard delete” users:

#First step it is to delete user with "soft" option

Remove-MsolUser -UserPrincipalName user3@<tenantname>.onmicrosoft.com -Force

#Delete user from recycle bin = hard delete

Remove-MsolUser -UserPrincipalName user3@<tenantname>.onmicrosoft.com -RemoveFromRecycleBin -Force

License management:

#Get list of unlicensed users

Get-MsolUser -UnlicensedUsersOnly

UserPrincipalName          DisplayName                isLicensed
-----------------          -----------                ----------
user2@<tenantname>.onmicros... User2                      False

#Get list of SKUs (as shown, 25 licenses are provided by trial)

Get-MsolAccountSku

AccountSkuId                    ActiveUnits     WarningUnits    ConsumedUnits
------------                    -----------     ------------    -------------
<tenantname>:ENTERPRISEPACK         25              0               2


#User must have UsageLocation
Set-MsolUser -UserPrincipalName user2@@<tenantname>.onmicrosoft.com -UsageLocation RU

#Add license to user
Set-MsolUserLicense -UserPrincipalName user2@<tenantname>.onmicrosoft.com -AddLicenses <tenantname>:ENTERPRISEPACK

#To remove license
Set-MsolUserLicense -UserPrincipalName user2@<tenantname>.onmicrosoft.com -RemoveLicenses <tenantname>:ENTERPRISEPACK

Some very important facts:

soft delete – user will be in Recycle Bin for 30 days
hard delete – user will be permanently removed from Recycle Bin
Days before password expire: min 14 , max 730 days
Days before a user is notified that their password will expire: min 1, max 30 days