├── .github
    ├── PULL_REQUEST_TEMPLATE.md
    ├── ISSUE_TEMPLATE.md
    └── CONTRIBUTING.md
├── Allfiles
    ├── Demos
    │   └── 01
    │   │   └── azuredeploy.json
    └── Labs
    │   └── 01
    │       └── Starter
    │           └── azuredeploy.json
├── _config.yml
├── index.md
├── LICENSE
├── _build.yml
├── Instructions
    ├── Demos
    │   └── DEMO_deploying_an_arm_template.md
    └── Labs
    │   ├── LAB_AK_06_Lab6_Ex3_SharePoint_Permission_Alert.md
    │   ├── LAB_AK_06_Lab6_Ex1_Prepare_Alert_Policies.md
    │   ├── LAB_AK_05_Lab5_Ex1_Safe_Attachments.md
    │   ├── LAB_AK_06_Lab6_Ex4_eDiscovery_Alert.md
    │   ├── LAB_AK_06_Lab6_Ex2_Mailbox_Permission_Alert.md
    │   ├── LAB_AK_08_Lab8_Ex2_Test_DLP_Policy.md
    │   ├── LAB_AK_07_Lab7_Ex1_Retention_Policies.md
    │   ├── LAB_AK_06_Lab6_Ex6_AttackSim_PW_attack.md
    │   ├── LAB_AK_03_Lab3_Ex1_Prepare_Identity_Synch.md
    │   ├── LAB_AK_05_Lab5_Ex2_Safe_Links.md
    │   ├── LAB_AK_08_Lab8_Ex1_Manage_DLP_Policies.md
    │   ├── LAB_AK_06_Lab6_Ex5_AttackSim_Phishing_attack.md
    │   ├── LAB_AK_02_Lab2_Ex2_Monitor_Microsoft_365.md
    │   ├── LAB_AK_06_Lab6_Ex7_Validate_Alerts_And_Attacks.md
    │   ├── LAB_AK_04_Lab4_Ex3_PIM_Self_Approval.md
    │   └── LAB_AK_02_Lab2_Ex3_M365_Apps.md
└── readme.md

/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | # Module: 00
2 | ## Lab/Demo: 00
3 |
4 | Fixes # .
5 |
6 | Changes proposed in this pull request:
7 |
8 | -
9 | -
10 | -
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | # Module: 00
2 | ## Lab/Demo: 00
3 | ### Task: 00
4 | #### Step: 00
5 |
6 | Description of issue
7 |
8 | Repro steps:
9 |
10 | 1.
11 | 1.
12 | 1.
--------------------------------------------------------------------------------
/Allfiles/Demos/01/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 |     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 |     "contentVersion": "1.0.0.0",
4 |     "parameters": {
5 |     },
6 |     "variables": {
7 |     },
8 |     "resources": [
9 |     ],
10 |     "outputs": {
11 |     }
12 | }
--------------------------------------------------------------------------------
/Allfiles/Labs/01/Starter/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 |     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 |     "contentVersion": "1.0.0.0",
4 |     "parameters": {
5 |     },
6 |     "variables": {
7 |     },
8 |     "resources": [
9 |     ],
10 |     "outputs": {
11 |     }
12 | }
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | remote_theme: MicrosoftLearning/Jekyll-Theme
2 | exclude:
3 |   - readme.md
4 |   - .github/
5 | header_pages:
6 |   - index.html
7 | author: Microsoft Learning
8 | twitter_username: mslearning
9 | github_username: MicrosoftLearning
10 | plugins:
11 |   - jekyll-sitemap
12 |   - jekyll-mentions
13 |   - jemoji
14 | markdown: kramdown
15 | kramdown:
16 |   syntax_highlighter_opts:
17 |     disable : true
18 |
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Online Hosted Instructions
3 | permalink: index.html
4 | layout: home
5 | ---
6 |
7 | # Content Directory
8 |
9 | Hyperlinks to each of the lab exercises and demos are listed below.
10 |
11 | ## Labs
12 |
13 | {% assign labs = site.pages | where_exp:"page", "page.url contains '/Instructions/Labs'" %}
14 | | Module | Lab |
15 | | --- | --- |
16 | {% for activity in labs %}| {{ activity.lab.module }} | [{{ activity.lab.title }}{% if activity.lab.type %} - {{ activity.lab.type }}{% endif %}]({{ site.github.url }}{{ activity.url }}) |
17 | {% endfor %}
18 |
19 | ## Demos
20 |
21 | {% assign demos = site.pages | where_exp:"page", "page.url contains '/Instructions/Demos'" %}
22 | | Module | Demo |
23 | | --- | --- |
24 | {% for activity in demos %}| {{ activity.demo.module }} | [{{ activity.demo.title }}]({{ site.github.url }}{{ activity.url }}) |
25 | {% endfor %}
26 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 Sidney Andrews
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
--------------------------------------------------------------------------------
/_build.yml:
--------------------------------------------------------------------------------
1 | name: '$(Date:yyyyMMdd)$(Rev:.rr)'
2 | jobs:
3 |   - job: build_markdown_content
4 |     displayName: 'Build Markdown Content'
5 |     workspace:
6 |       clean: all
7 |     pool:
8 |       vmImage: 'Ubuntu 16.04'
9 |     container:
10 |       image: 'microsoftlearning/markdown-build:latest'
11 |     steps:
12 |     - task: Bash@3
13 |       displayName: 'Build Content'
14 |       inputs:
15 |         targetType: inline
16 |         script: |
17 |           cp /{attribution.md,template.docx,package.json,package.js} .
18 |           npm install
19 |           node package.js --version $(Build.BuildNumber)
20 |     - task: GitHubRelease@0
21 |       displayName: 'Create GitHub Release'
22 |       inputs:
23 |         gitHubConnection: 'github-microsoftlearning-organization'
24 |         repositoryName: '$(Build.Repository.Name)'
25 |         tagSource: manual
26 |         tag: 'v$(Build.BuildNumber)'
27 |         title: 'Version $(Build.BuildNumber)'
28 |         releaseNotesSource: input
29 |         releaseNotes: '# Version $(Build.BuildNumber) Release'
30 |         assets: '$(Build.SourcesDirectory)/out/*.zip'
31 |         assetUploadMode: replace
32 |     - task: PublishBuildArtifacts@1
33 |       displayName: 'Publish Output Files'
34 |       inputs:
35 |         pathtoPublish: '$(Build.SourcesDirectory)/out/'
36 |         artifactName: 'Lab Files'
37 |
--------------------------------------------------------------------------------
/Instructions/Demos/DEMO_deploying_an_arm_template.md:
--------------------------------------------------------------------------------
1 | ---
2 | demo:
3 |     title: 'Demo: Deploying an ARM Template'
4 |     module: 'Module 1: Exploring Azure Resource Manager'
5 | ---
6 |
7 | # Demo: Deploying an ARM Template
8 |
9 | ## Instructions
10 |
11 | 1. Quisque dictum convallis metus, vitae vestibulum turpis dapibus non.
12 |
13 | 1. Suspendisse commodo tempor convallis.
14 |
15 | 1. Nunc eget quam facilisis, imperdiet felis ut, blandit nibh.
16 |
17 | 1. Phasellus pulvinar ornare sem, ut imperdiet justo volutpat et.
18 |
19 | 1. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos.
20 |
21 | 1. Vestibulum hendrerit orci urna, non aliquet eros eleifend vitae.
22 |
23 | 1. Curabitur nibh dui, vestibulum cursus neque commodo, aliquet accumsan risus.
24 |
25 |     ```
26 |     Sed at malesuada orci, eu volutpat ex
27 |     ```
28 |
29 | 1. In ac odio vulputate, faucibus lorem at, sagittis felis.
30 |
31 | 1. Fusce tincidunt sapien nec dolor congue facilisis lacinia quis urna.
32 |
33 |     > **Note**: Ut feugiat est id ultrices gravida.
34 |
35 | 1. Phasellus urna lacus, luctus at suscipit vitae, maximus ac nisl.
36 |
37 |     - Morbi in tortor finibus, tempus dolor a, cursus lorem.
38 |
39 |     - Maecenas id risus pharetra, viverra elit quis, lacinia odio.
40 |
41 |     - Etiam rutrum pretium enim.
42 |
43 | 1. Curabitur in pretium urna, nec ullamcorper diam.
44 |
--------------------------------------------------------------------------------
/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing to Microsoft Learning Repositories
2 |
3 | MCT contributions are a key part of keeping the lab and demo content current as the Azure platform changes. We want to make it as easy as possible for you to contribute changes to the lab files. Here are a few guidelines to keep in mind as you contribute changes.
4 |
5 | ## GitHub Use & Purpose
6 |
7 | Microsoft Learning is using GitHub to publish the lab steps and lab scripts for courses that cover cloud services like Azure. Using GitHub allows the course’s authors and MCTs to keep the lab content current with Azure platform changes. Using GitHub allows the MCTs to provide feedback and suggestions for lab changes, and then the course authors can update lab steps and scripts quickly and relatively easily.
8 |
9 | > When you prepare to teach these courses, you should ensure that you are using the latest lab steps and scripts by downloading the appropriate files from GitHub. GitHub should not be used to discuss technical content in the course, or how to prep. It should only be used to address changes in the labs.
10 |
11 | It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access Lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate Lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only.
12 |
13 | > As an alternative to pointing students directly to the GitHub repository, you can point students to the GitHub Pages website to view the lab instructions. The URL for the GitHub Pages website can be found at the top of the repository.
14 |
15 | To address general comments about the course and demos, or how to prepare for a course delivery, please use the existing MCT forums.
16 |
17 | ## Additional Resources
18 |
19 | A user guide has been provided for MCTs who are new to GitHub. It provides steps for connecting to GitHub, downloading and printing course materials, updating the scripts that students use in labs, and explaining how you can help ensure that this course’s content remains current.
20 |
21 |
22 |
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 | # MS-102T00: Microsoft 365 Administrator Essentials
2 |
3 |
4 | - **[Download Latest Student Handbook and AllFiles Content](../../releases/latest)**
5 | - **Are you an MCT?** - Have a look at our [GitHub User Guide for MCTs](https://microsoftlearning.github.io/MCT-User-Guide/)
6 | - **Need to manually build the lab instructions?** - Instructions are available in the [MicrosoftLearning/Docker-Build](https://github.com/MicrosoftLearning/Docker-Build) repository
7 |
8 | ## What are we doing?
9 |
10 | - To support this course, we will need to make frequent updates to the course content to keep it current with the Azure services used in the course. We are publishing the lab instructions and lab files on GitHub to allow for open contributions between the course authors and MCTs to keep the content current with changes in the Azure platform.
11 |
12 | - We hope that this brings a sense of collaboration to the labs like we've never had before - when Azure changes and you find it first during a live delivery, go ahead and make an enhancement right in the lab source. Help your fellow MCTs.
13 |
14 | ## How should I use these files relative to the released MOC files?
15 |
16 | - The instructor handbook and PowerPoints are still going to be your primary source for teaching the course content.
17 |
18 | - These files on GitHub are designed to be used in conjunction with the student handbook, but are in GitHub as a central repository so MCTs and course authors can have a shared source for the latest lab files.
19 |
20 | - It will be recommended that for every delivery, trainers check GitHub for any changes that may have been made to support the latest Azure services, and get the latest files for their delivery.
21 |
22 | ## What about changes to the student handbook?
23 |
24 | - We will review the student handbook on a quarterly basis and update through the normal MOC release channels as needed.
25 |
26 | ## How do I contribute?
27 |
28 | - Any MCT can submit a pull request to the code or content in the GitHub repo. Microsoft and the course author will triage and include content and lab code changes as needed.
29 |
30 | - You can submit bugs, changes, improvements, and ideas. Find a new Azure feature before we have? Submit a new demo!
31 |
32 | ## Notes
33 |
34 | ### Classroom Materials
35 |
36 | It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access Lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate Lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only.
37 |
--------------------------------------------------------------------------------
/Instructions/Labs/LAB_AK_06_Lab6_Ex3_SharePoint_Permission_Alert.md:
--------------------------------------------------------------------------------
1 | # Learning Path 6 - Lab 6 - Exercise 3 - Implement a SharePoint Permission Alert
2 |
3 |
4 | In this exercise you will configure and test an alert that notifies Lynne Robbins when a user is added as a site collection administrator for a SharePoint site collection.
5 |
6 | ### Task 1 – Create a SharePoint Permission Alert
7 |
8 | 1. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**.
9 |
10 | 2. In your Edge browser, select the **Alert policy - Microsoft Defender** tab, which displays the **Microsoft Defender** portal.
11 |
12 | 3. In the **Microsoft Defender** portal, you should still be in the **Alert policy** window from the prior lab exercise (if not, then in the navigation pane, select **Policies & rules** and then select **Alert policy**).
13 |
14 | 4. In the **Alert policy** window, select **+New Alert Policy** on the menu bar. This initiates the **New Alert Policy** wizard.
15 |
16 | 5. On the **Name your alert, categorize it, and choose a severity** window, enter the following information:
17 |
18 |     - Name: **Add user as a Site Collection administrator**
19 |
20 |     - Description: **This alert notifies Lynne Robbins when a user is added to the Site Collection administrators on a SharePoint site collection.**
21 |
22 |     - Severity: **Medium**
23 |
24 |     - Category: **Permissions**
25 |
26 | 6. Select **Next**.
27 |
28 | 7. On the **Choose an activity, conditions and when to trigger the alert** window, enter the following information:
29 |
30 |     - Activity is: select the **Select an activity** field, then in the menu that appears, scroll down to the **Site administration activities** section and select **Added site collection admin**
31 |
32 |     - How do you want the alert to be triggered? **Every time an activity matches the rule**
33 |
34 | 8. Select **Next**.
35 |
36 | 9. On the **Decide if you want to notify people when this alert is triggered** window, enter the following information:
37 |
38 |     - Email recipients: Remove **Holly Dickson** and add **Lynne Robbins**
39 |
40 |     - Daily notification limit: **No limit**
41 |
42 | 10. Select **Next**.
43 |
44 | 11. On the **Review your settings** page, under the **Do you want to turn the policy on right away?** option, select **Yes, turn it on right away** and then select **Submit**.
45 |
46 | 12. On the **New Alert Policy** window, select **Done**.
47 |
48 | 13. Verify your new alert policy appears in the list on the **Alert policy** page, its **Type** is set to **Custom**, and its **Status** is **On**.
49 |
50 | 14. Leave all the Edge browser tabs open for the next task.
51 |
52 | You have now configured an additional alert policy that monitors when a user is added as a site collection administrator for a SharePoint Online site collection.
53 |
54 | ### Task 2 – Test the SharePoint Permissions Alert
55 |
56 | In the prior task, you configured an alert designed to notify Lynne Robbins when a user is added as a site collection administrator for a site collection. In this task, you will test this alert by adding Alex Wilber as a site collection admin to the global SharePoint Communication site. This activity should trigger the alert policy that you created, which should send an alert notification email to Lynne Robbins’ mailbox. You will validate whether Lynne received this alert notification email in Exercise 7, task 2.
57 |
58 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**.
59 |
60 | 2. In your **Microsoft Edge** browser, open a new tab and enter **https://xxxxxZZZZZZ.sharepoint.com/_layouts/15/settings.aspx**
61 |
62 |     (replace xxxxxZZZZZZ with the tenant prefix provided by your lab hosting provider). This opens the **Site Settings** for the global SharePoint Communication site.
63 |
64 | 3. On the **Site Settings** window, under the **Users and Permissions** section, select **Site permissions**.
65 |
66 | 4. In the ribbon at the top of the page, the **Permissions** tab is displayed by default. Under the **Manage** group, select **Site Collection Administrators**.
67 |
68 | 5. In the **Site Collection Administrators** dialog box, the **Global administrator** account that was assigned by default to this role group is displayed in the data entry field. To the right of this account, enter **Alex**, select **Alex Wilber** from the list of users that appears, and then select **OK**.
69 |
70 |     **Note:** This activity should trigger the alert policy that you created, which should send an alert notification email to Lynne Robbins’ mailbox. Rather than waiting up to 15 minutes for the email notification to be generated to validate this SharePoint permission alert, you will validate this alert in Exercise 7, task 2 of this lab.
71 |
72 | 6. In your Edge browser, close the **Permissions: Communication site** tab. Leave the other tabs open and proceed to the next exercise.
73 |
74 |
75 | # Proceed to Lab 6 - Exercise 4
76 |
--------------------------------------------------------------------------------
/Instructions/Labs/LAB_AK_06_Lab6_Ex1_Prepare_Alert_Policies.md:
--------------------------------------------------------------------------------
1 | # Learning Path 6 - Lab 6 - Exercise 1 - Prepare for Alert Policies
2 |
3 | Alerts are policies designed to automatically notify administrators when key actions have occurred in their Microsoft 365 tenant. Alerts can be an easy way to ensure that change logs are up-to-date and that business policies are being followed inside your Microsoft 365 tenant.
4 |
5 | In your role as Holly Dickson, Adatum’s new Microsoft 365 Administrator, you have Microsoft 365 deployed in a virtualized lab environment. One of Adatum’s business requirements is to set up an alert notification system so that targeted administrators are automatically notified through email when certain actions occur. As you proceed with your Microsoft 365 pilot project, you want to test out Microsoft 365’s alert notification system by creating and validating several types of alerts.
6 |
7 | There are two requirements to implementing alerts in Microsoft Defender XDR – turning on Audit Logging and assigning the proper Role Based Access Control (RBAC) permissions to the users who will view alerts.
8 |
9 | - **Audit logging.** If you recall, towards the end of Lab 1 you turned on Audit Logging. You performed this task in Lab 1 because it can take an hour or two to propagate that setting through the system before you can successfully implement alerts. This propagation should have completed by now, and you should be ready to go.
10 |
11 | - **RBAC permissions.** In this exercise, you will assign the necessary RBAC role group to Lynne Robbins, who is the user that Holly selected for testing alerts in Adatum's Microsoft 365 pilot project.
12 |
13 | ### Task 1 – Assign RBAC Permissions for Alert Notification Testing
14 |
15 | The alerts a user can see on the **View alerts** page are dependent on the user's assigned RBAC roles, which determine the depth of insight and control a user has. How is this accomplished? The management roles assigned to users (based on their membership in role groups in Microsoft 365) determine which alert categories a user can see on the **View alerts** page (this was covered in the topic on Alerts in the previous module).
16 |
17 | For Adatum’s pilot project, Lynne Robbins has been selected to test the alert notification system. For Lynne to be able to view alerts and receive alert notifications, she must first be assigned appropriate RBAC permissions in Microsoft Defender XDR.
18 |
19 | The three alerts that you will create in this lab are assigned to two Alert categories: **Permissions** and **Data Loss Prevention**. The Compliance Data Administrator role group, which includes the Compliance Administrator role, provides permissions for these two alert categories; therefore, assigning Lynne Robbins to this role group will enable her to view the alerts that are created in this lab.
20 |
21 |
22 | | | **Data governance** | **Data loss prevention** | **Mail flow** | **Permissions** | **Threat Management** | **Others** |
23 | |:-------------------------------:|:---------------------:|:--------------------------:|:---------------:|:-----------------:|:-----------------------:|:------------:|
24 | | Compliance Data Administrator | X | X | | X | | X |
25 |
26 | Perform the following steps to assign Lynne Robbins the Compliance Data Administrator role group, which includes the Compliance Administrator role.
27 |
28 | 1. At the end of the prior lab, you were logged into LON-CL2. This lab will use LON-CL1.
29 |
30 |     Switch to **LON-CL1**.
31 |
32 | 2. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**.
33 |
34 | 3. If necessary, select the **Microsoft 365 admin center** tab in your browser. In the navigation pane, under the **Admin centers** group, select **Security**. This opens the Microsoft Defender portal in a new tab.
35 |
36 | 4. In the **Microsoft Defender** portal, scroll down towards the bottom of the navigation pane and select **System** to expand this section, and then select **Permissions**.
37 |
38 | 5. On the **Permissions** page, there are four sections - Microsoft Defender XDR, Microsoft Entra ID, Email & collaboration roles, and Cloud Apps. Under the **Email & collaboration roles** section, select **Roles**.
39 |
40 | 6. In the list of roles that appears, select the **Name** column heading to sort the roles in ascending alphabetical name order. Select the **Compliance Data Administrator** role group (select the name of the role group and not the check box).
41 |
42 | 7. In the **Compliance Data Administrator** pane that appears, note the list of roles that have been assigned to this role group. Scroll to the bottom of the pane and note that there are no members in this role group. Scroll back to the top of the pane and select the **Edit** option.
43 |
44 | 8. In the **Edit members of the role group** window, select the **Choose users** button.
45 |
46 | 9. In the **Choose users** window, a partial, unsorted list of users appears. Enter **Lynne** in the **Search** field and hit Enter. A list of users appears whose name includes Lynne. Select the check box next to **Lynne Robbins** and then select the **Select** button at the bottom of the pane.
47 |
48 | 10. In the **Edit members of the role group** window, Lynne's name should appear. Select **Next**.
49 |
50 | 11. In the **Review the role group and finish** window that appears, note that Lynne also appears here as a member of the role group. Select **Save**.
51 |
52 | 12. In the **You successfully updated the role group** pane, select **Done**.
53 |
54 | 13. Leave all tabs in your Edge browser open for the next lab exercise.
55 |
56 | You have now added Lynne Robbins to the Compliance Data Administrator role group.
57 |
58 |
59 | # Proceed to Lab 6 - Exercise 2
60 |
--------------------------------------------------------------------------------
/Instructions/Labs/LAB_AK_05_Lab5_Ex1_Safe_Attachments.md:
--------------------------------------------------------------------------------
1 | # Learning Path 5 - Lab 5 - Exercise 1 - Implement a Safe Attachments policy
2 |
3 | In this phase of Adatum's Microsoft 365 pilot project, Holly Dickson wants to create a Safe Attachments policy and turn on Microsoft Defender for Office 365. Doing so will provide advanced threat protection for SharePoint, OneDrive, and Microsoft Teams.
4 |
5 | **Note:** You will not be able to validate the Safe Attachments policy that you create. To do so would require that you attach a virus or malware-infected file to an email, which is something that Microsoft does not recommend.
6 |
7 | ### Task 1 – Create a Safe Attachment policy and turn on Microsoft Defender for Office 365
8 |
9 | In this task, you will turn on Microsoft Defender for Office 365, which provides advanced threat protection for SharePoint, OneDrive, and Microsoft Teams. You will also create a Safe Attachments policy that will test for malware any email attachments that are sent to recipients within the xxxxxZZZZZZ.onmicrosoft.com domain created for this lab by your lab hosting provider. You will configure the policy so that if an attachment is blocked, it will be removed from the email that is sent to the recipient, and a copy of the email will be redirected to Joni Sherman for additional review.
10 |
11 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**.
12 |
13 | 2. In your Edge browser, select the **Microsoft 365 admin center** tab. In the navigation pane, under **Admin centers**, select **Security**. This will open a new tab in your browser for **Microsoft Defender**.
14 |
15 | 3. In the **Microsoft Defender** portal, select **Email & collaboration** in the navigation pane to expand this section, and then select **Policies & rules**.
16 |
17 | 4. In the **Policies & rules** window, select **Threat policies**.
18 |
19 | 5. In the **Threat policies** window, under the **Policies** section, select **Safe attachments**.
20 |
21 | 6. In the **Safe attachments** window, select **Global settings** on the menu bar.
22 |
23 | 7. In the **Global settings** pane that appears, set the following options and then select **Save** (if necessary):
24 |
25 |     - **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** - verify the toggle switch is set to **On** (set it to **On** if necessary). This enables Microsoft Defender for Office 365.
26 |
27 |     - **Turn on Safe Documents for Office clients** - verify the toggle switch is set to **On** (set it to **On** if necessary)
28 |
29 |     **Note:** If both toggle switches are already set to **On**, then the **Save** button at the bottom of the pane will remain disabled since no changes were made. In this case, select **Cancel**.
30 |
31 | 8. On the **Safe attachments** window, select **+Create** on the menu bar to initiate the **Create Safe Attachments policy** wizard.
32 |
33 | 9. On the **Name your policy** page, enter **AttachmentPolicy1** in the **Name** field and then select **Next**.
34 |
35 | 10. On the **Users and domains** page, you can define specific users, groups, and domains to which the new policy will apply. Since **AttachmentPolicy1** will apply to all users and groups in Adatum's xxxxxZZZZZZ.onmicrosoft.com domain, you're only going to enter that domain value.
36 |
37 |     Enter **on** in the **Domains** field. In the menu that appears showing the suggested domains that include this value, select Adatum's **xxxxxZZZZZZ.onmicrosoft.com** domain (where xxxxxZZZZZZ equals the tenant prefix provided by your lab hosting provider). Adatum's domain will now appear below the **Domains** field. Select **Next**.
38 |
39 | 11. On the **Settings** page, select the **Dynamic Delivery (Preview messages)** option. This option will deliver all email messages; however, for an email with attachments, it will hold the files, test them, and then reattach the files to the messages once the files are scanned and marked acceptable.
40 |
41 | 12. Under the **Redirect messages with detected attachments** section, select the **Enable redirect** check box.
42 |
43 | 13. In the **Send messages that contain monitored attachments to the specified email address** field, enter **JoniS@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider), and then select **Next**.
44 |
45 | 14. On the **Review** page, review the options that you configured. If any need to be corrected, select the appropriate **Edit** option and make the necessary corrections. Once all the settings are correct, select **Submit**.
46 |
47 | 15. On the **New Safe Attachments policy created** page, select **Done**. The new **AttachmentPolicy1** policy that you just created should now appear in the list of Safe Attachment policies.
48 |
49 | 16. Leave all the tabs in your Edge browser open for the next lab.
50 |
51 | **NOTE:** Unfortunately, we are unable to create a training lab in which you can validate the Safe Attachments policy that you just created. To do so, you must send an email that contains a malicious attachment. There are some common test viruses that are available, such as the EICAR test virus. However, with well-known test viruses such as EICAR, the messages in which they are attached get quarantined by mail servers before they can be processed by Microsoft Defender for Office 365. Since the Safe Attachments functionality is meant to protect against unknown and zero-day viruses and malware, it is very difficult, and not recommended, to create such an attachment.
52 |
53 | That being said, after you have defined Safe Attachment policies in your real-world environment, one good way to see how the service is working is by viewing the security-related reports in Microsoft Defender for Office 365. For more information on using these reports to validate your Safe Links and Safe Attachment policies, see [View Defender for Office 365 reports in the Microsoft Defender portal](https://learn.microsoft.com/microsoft-365/security/office-365-security/view-reports-for-mdo).
54 |
55 |
56 | # Proceed to Lab 5 - Exercise 2
57 |
58 |
--------------------------------------------------------------------------------
/Instructions/Labs/LAB_AK_06_Lab6_Ex4_eDiscovery_Alert.md:
--------------------------------------------------------------------------------
1 | # Learning Path 6 – Lab 6 – Exercise 4 – Test the Default eDiscovery Alert
2 |
3 | In this exercise you will test a default Microsoft 365 alert policy that notifies all tenant administrators, such as Holly Dickson, whenever an eDiscovery search has been created or exported.
4 |
5 | **Note:** Creating an eDiscovery alert of this nature is important because an eDiscovery search, when left unregulated, can pull sensitive content that can be exported to an unauthorized source.
6 |
7 | ### Task 1 – Assign RBAC Permissions for Search Notification Testing
8 |
9 | In this task, you will assign Holly Dickson the necessary eDiscovery permissions so she can test the default alert policy.
10 |
11 | 1. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**.
12 |
13 | 2. In your browser, open the **Microsoft 365 admin center**. Under the **Admin centers** group, select **Microsoft Purview**.
14 |
15 | 3. In the **Welcome to the new Microsoft Purview portal** dialog, select the checkbox next to **I agree to the terms**, and then select **Get started**.
16 |
17 | 4. In the **Microsoft Purview** portal, select **Settings**.
18 |
19 | 5. In the navigation pane, select **Roles and scopes**, and then select **Role groups**.
20 |
21 | 6. In the list of role groups, select **eDiscovery Manager** (select the name, not the check box).
22 |
23 | 7. In the **eDiscovery Manager** pane, select **Edit**.
24 |
25 | 8. In the **Manage eDiscovery Manager** window, select the **Choose users** button.
26 |     - In the **Choose users** pane, search for and select **Holly Dickson**, and then select **Select**.
27 |     - Holly’s name should now appear in the list. Select **Next**.
28 |
29 | 9. In the **Manage eDiscovery Administrator** window, select the **Choose users** button.
30 |     - Search for and select **Holly Dickson**, and then select **Select**.
31 |     - Holly’s name should now appear in the list. Select **Next**.
32 |
33 | 10. In the **Review the role group and finish** window, verify Holly is listed as a member of both role groups, and then select **Save**.
34 |
35 | 11. In the confirmation pane, select **Done**.
36 |
37 | 12. Sign out of Microsoft Purview, and then sign back in as **Holly Dickson**.
38 |     - This step helps ensure the updated permissions are recognized during the next task.
39 |
40 | You have now added Holly Dickson to the **eDiscovery Manager** and **eDiscovery Administrator** role groups.
41 |
42 | ### Task 2 – Review the Default eDiscovery Alert
43 |
44 | In this task, you will verify whether a default Microsoft 365 alert is triggered when somebody in your tenant creates an eDiscovery search or exports data from an existing search. Since Holly Dickson is assigned the **Global Administrator** role, she is automatically a member of the **Tenant Admins** and will be one of the recipients of this alert.
45 |
46 | 1. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**.
47 |
48 | 2. In your Edge browser, select the **Alert policy – Microsoft Defender** tab. This tab should still be displaying the **Alert policy** window from the prior lab exercise (if not, in the navigation pane, select **Policies & rules**, and then select **Alert policy**).
49 |
50 | 3. On the **Alert policy** page, search for the policy named **eDiscovery search started or exported**. In the **Search** field at the top, enter **eDiscovery**, and then press **Enter**.
51 |
52 | 4. In the policy list, select the **eDiscovery search started or exported** policy that appears.
53 |
54 | 5. An **eDiscovery search started or exported** pane should appear. Scroll down and verify the default settings for this predefined policy are configured as follows:
55 |
56 |     - Status: **On**
57 |
58 |     - Conditions: Select the down arrow for the **Create alert settings** section, then verify the following settings:
59 |         - Conditions: **Activity is eDiscoverySearchStartedOrExported**
60 |         - Aggregation: **Single event**
61 |         - Scope: **All users**
62 |
63 |     - Email recipients: Select the down arrow for the **Set your recipients** section, then verify the following settings:
64 |         - Recipients: **TenantAdmins**
65 |         - Daily notification limit: **No limit**
66 |
67 | 6. At the top of the pane, select the **Edit policy** button.
68 |
69 | 7. On the **eDiscovery search started or exported** window that appears, note that the only setting that can be edited is the **Email recipients** list. You will not change the value here—leave it as **TenantAdmins**.
70 |
71 |     Instead, observe how you could edit this in real-world implementations if needed. Select **Cancel** at the bottom of the window.
72 |
73 | 8.
On the **eDiscovery search started or exported** pane, select the **X** in the upper-right corner to close it. 74 | 75 | **Note:** You can also edit a policy’s setting by selecting the vertical ellipsis icon under the **Actions** column at the far-right end of the policy’s row on the **Alert Policy** window. 76 | 77 | You have now reviewed the default Microsoft 365 eDiscovery alert that notifies tenant admins when an eDiscovery search is created or exported. 78 | 79 | ### Task 3 – Test the Default eDiscovery Alert 80 | 81 | To test this default alert, Holly Dickson will create an eDiscovery search. This activity should trigger the alert policy, which will send an alert notification email to all Tenant Admins. Holly is a Global admin. By default, Global admins are members of the Tenant Admin group; therefore, she should receive the email notification generated by this alert. You will validate whether Holly received the email in **Exercise 7** of this lab. 82 | 83 | 1. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 84 | 85 | 2. In your Edge browser, select the **Microsoft Purview** admin center tab. 86 | 87 | 3. In the **Microsoft Purview** portal, in the navigation pane, select **Solutions**, and then select **eDiscovery**. 88 | 89 | 4. Under **eDiscovery**, select **Content Search**. 90 | 91 | 5. On the **Searches** tab, select **Create a search**. This initiates the **New search wizard**. 92 | 93 | 6. In the **New search wizard**, on the **Name and description** page, enter **Confidential search** in the **Name** field, and then select **Create**. 94 | 95 | 7. In the **Confidential search** window, select **Add sources**. 96 | - In the search pane, locate and select the **Sales and Marketing** mailbox (or, if not available, select **All mailboxes**). 97 | - Select **Save and close**. 98 | 99 | 8. 
On the **Query** tab, in the condition builder, enter **Confidential** in the keyword field, and then press **Enter**. 100 | 101 | 9. Select the **Run query** button. 102 | 103 | 10. On the **Choose search results** page, leave the default values, and then select **Run query** again. 104 | 105 | 11. Back on the **Confidential search** window, the **Statistics** tab should now display results. 106 | 107 | **Note:** Running this search should trigger the **eDiscovery alert**, which generates an email notification to all users with Tenant Admin permissions. It may take several minutes for the email to be delivered. Instead of waiting, proceed to the next exercise. You will validate this alert email in **Exercise 7, Task 3**. 108 | 109 | Leave your browser open in **LON-CL1** and do not close any tabs. 110 | 111 | # Proceed to Lab 6 – Exercise 5 112 | 113 | 114 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_06_Lab6_Ex2_Mailbox_Permission_Alert.md: -------------------------------------------------------------------------------- 1 | # Learning Path 6 - Lab 6 - Exercise 2 - Implement a Mailbox Permission Alert 2 | 3 | In this exercise you will configure and test an alert that will notify Lynne Robbins when FullAccess permissions are granted to any mailbox within Adatum. 4 | 5 | **Important:** This lab includes three exercises in which you will create alert notifications (Exercises 2 through 4) and two exercises in which you will implement simulated attack scenarios that also create alert notifications (Exercises 5 and 6). In each of these five exercises, you must perform a final task to validate whether the alert was created or an email was received. In all five exercises, it can take up to 15 minutes for the system to create the corresponding alert or email.
Rather than having to wait up to 15 minutes after having created each alert or simulated attack to validate whether the task worked (which is 75 minutes of wait time; 5 exercises x 15 minutes each), the validation tasks for all five exercises have been moved to the final exercise in this lab (Lab 6, Exercise 7). By the time you get to the final exercise, hopefully all alerts and emails for these five exercises have been generated and you will not have to endure any wait time. 6 | 7 | ### Task 1 – Create a Mailbox Permission Alert 8 | 9 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as Holly Dickson. 10 | 11 | 2. The **Microsoft Defender** portal should still be open in your Edge browser from the prior task. Select the **Microsoft Defender** tab now. In the navigation pane, under the **Email & collaboration** section, select **Policies & rules**. 12 | 13 | 3. On the **Policies & rules** window, select **Alert policy**. If a dialog box appears indicating the alert policy portal has been updated, select the **Dismiss** button. 14 | 15 | 4. In the **Alert policy** window, note the message at the top of the page indicating the fact that mail flow alerts have moved to the Exchange admin center. Mail flow alerts can no longer be maintained in the Microsoft Defender security portal. Since you will be creating a mailbox permission alert and not a mail flow alert, you can continue on with this task in the Microsoft Defender portal.
16 | 17 | In the **Alert Policy** window, review the list of preconfigured alert policies that are available in Microsoft 365. Select **+New Alert Policy** on the menu bar. This initiates the **New Alert Policy** wizard. 18 | 19 | 5. On the **Name your alert, categorize it, and choose a severity** page, enter the following information: 20 | 21 | - Name: **Mailbox permission change** 22 | 23 | - Description: **This alert notifies Lynne Robbins when FullAccess permissions are granted to any mailbox in Adatum Corporation** 24 | 25 | - Severity: **Medium** 26 | 27 | - Category: **Permissions** 28 | 29 | 6. Select **Next**. 30 | 31 | 7. On the **Choose an activity, conditions and when to trigger the alert** page, enter the following information: 32 | 33 | - Activity is: You must select a predefined activity. Select in the field, which displays a long list of activities. To filter the list to mail-related activities only, enter **mail** in the field and then select **Granted mailbox permission** from the list of activities containing **mail**. **Note:** This activity implies granting FullAccess permission to a mailbox. 34 | 35 | - How do you want the alert to be triggered?: **Every time an activity matches the rule** 36 | 37 | 8. Select **Next**. 38 | 39 | 9. On the **Decide if you want to notify people when this alert is triggered** page, enter the following information: 40 | 41 | - Email recipients: Select the "X" to the right of **Holly Dickson's** account to remove her, then enter **Lynne** in the field, and then select **Lynne Robbins** from the list of users whose first name starts with **Lynne** 42 | 43 | - Daily notification limit: **No limit** 44 | 45 | 10. Select **Next**. 46 | 47 | 11. On the **Review your settings** page, review the settings and if anything needs to be corrected, select its corresponding **Edit** option and make the necessary corrections.
48 | 49 | When everything is correct, under the **Do you want to turn the policy on right away?** setting, select **Yes, turn it on right away**. Select **Submit**. 50 | 51 | 12. On the **New Alert Policy** window, select **Done**. 52 | 53 | 13. Verify your new alert policy appears in the list on the **Alert policy** page, its **Type** is set to **Custom**, and its **Status** is **On** (depending on the size of your monitor, you may have to scroll to the right to view the **Status** column). 54 | 55 | 14. Leave the **Alert policy** tab in your Edge browser open for the next task. 56 | 57 | You have now created an activity alert in Microsoft Defender XDR that is triggered when FullAccess permissions are granted to any mailboxes. 58 | 59 | ### Task 2 – Test the Mailbox Permission Alert 60 | 61 | In the prior task, you configured an alert designed to notify Lynne Robbins when FullAccess permissions are granted to any mailbox within Adatum. In this task, you will test this alert by changing the permission on Alex Wilber’s mailbox by granting Joni Sherman FullAccess to his mailbox. This activity should trigger the alert that you created, which should send an alert notification email to Lynne Robbins’ mailbox. You will validate whether the email is generated in Exercise 7. 62 | 63 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 64 | 65 | 2. In your Edge browser, select the **Microsoft 365 admin center** tab, and then in the navigation pane, under the **Admin centers** group, select **Exchange**. This opens the Exchange admin center for Exchange Online. 66 | 67 | 3. In the **Exchange admin center**, the **Manage mailboxes** window appears by default (if it doesn't, then in the navigation pane under the **Recipients** group, select **Mailboxes**). 68 | 69 | 4.
In the **Manage mailboxes** window, select **Alex Wilber** from the list of mailboxes (select Alex's name; do not select the check box to the left of his name). 70 | 71 | 5. In the **Alex Wilber** pane that appears, the **General** tab is displayed by default. Select the **Delegation** tab. 72 | 73 | 6. On the **Delegation** tab, there are three mailbox permissions that can be updated: **Send as**, **Send on behalf**, and **Read and manage (Full Access)**. You want to add each of these permissions for Alex's mailbox to **Joni Sherman**. For EACH permission, perform the following steps to add Joni to that permission:
74 | 75 | - Select the **Edit** button for the permission. 76 | - On the **Manage mailbox delegation** pane, select **+Add members**. 77 | - In the list of users that appears, select the check box for **Joni Sherman** and then select **Save**. 78 | - In the **Add delegate permissions?** pane, select **Confirm**. 79 | - Once the mailbox permission is added to Alex's mailbox, select the back arrow at the top of the pane. 80 | - This returns you to the **Delegation** tab on the **Alex Wilber** pane, which displays the three permissions. Repeat these steps for each of the two remaining permissions. 81 | 82 | 7. Once you have assigned Joni to each of the three permissions on the **Delegation** tab, select the **X** in the top corner of the **Alex Wilber** pane to close it.
83 | 84 | **Note:** This activity should trigger the alert policy that you created, which should send an alert notification email to Lynne Robbins’ mailbox. Rather than waiting up to 15 minutes for the email notification to be generated to validate this mailbox permission alert, you will validate this alert in Exercise 7, task 1 of this lab. 85 | 86 | 8. In your Edge browser, close the **Exchange admin center** tab. Leave the other tabs open and proceed to the next exercise. 87 | 88 | 89 | # Proceed to Lab 6 - Exercise 3 90 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_08_Lab8_Ex2_Test_DLP_Policy.md: -------------------------------------------------------------------------------- 1 | # Learning Path 8 - Lab 8 - Exercise 2 - Test the DLP Policy 2 | 3 | Holly Dickson is now at the point in her pilot project where she wants to test the DLP policy related to emails that contain sensitive information that you created in the previous lab exercise. 4 | 5 | **NOTE:** We have intermittently experienced issues in the past where DLP policies and policy tips do not work as expected in this lab exercise. This is due to throttling issues that sometimes occur between our VM lab environment and the Microsoft 365 trial tenant. This is not indicative of the normal experience within Microsoft 365 production environments. It is also not indicative of the normal training experience. We apologize if you run into this issue during this lab exercise. 6 | 7 | ### Task 1 – Test the first DLP Policy rule 8 | 9 | In the previous exercise, you created a custom DLP policy that searches emails for sensitive information related to IP addresses in your Adatum tenant. This policy included two rules - one that checked for emails containing a single IP address, and another that checked for emails containing two or more IP addresses. 
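The single-address versus multiple-address split described above can be modelled in a few lines. This is an added example, not part of the lab files and not Microsoft's DLP engine; the rule labels, the `Verdict` type, and the choice to count distinct addresses are assumptions made for illustration, and the outcomes per rule are the ones this exercise goes on to test.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Dotted quad that is not embedded in a longer number or dotted run (so a
# version string like "1.2.3.4.5" is skipped), while a sentence-ending
# period directly after the address is still allowed.
_DOTTED_QUAD = re.compile(r"(?<!\d)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")


def find_ipv4(text: str) -> List[str]:
    """Return the distinct, valid IPv4 addresses in text, in order of appearance."""
    found: List[str] = []
    for candidate in _DOTTED_QUAD.findall(text):
        # Reject octets above 255 (for example "999.1.1.1").
        if all(int(octet) <= 255 for octet in candidate.split(".")):
            if candidate not in found:
                found.append(candidate)
    return found


@dataclass(frozen=True)
class Verdict:
    rule: Optional[str]          # hypothetical labels: "single-ip", "multiple-ip"
    addresses: Tuple[str, ...]
    policy_tip: bool             # sender sees a policy tip while drafting
    sender_notified: bool        # sender receives the "Notification: ..." email
    delivered: bool              # message reaches the recipient


def evaluate(body: str, override_justification: Optional[str] = None) -> Verdict:
    """Apply the two-rule policy from this exercise to one message body.

    Assumption: distinct addresses are counted, so one address repeated twice
    still matches the single-address rule.
    """
    addresses = tuple(find_ipv4(body))
    if not addresses:
        return Verdict(None, addresses, False, False, True)
    if len(addresses) == 1:
        # Rule 1: policy tip and sender notification, message still delivered.
        return Verdict("single-ip", addresses, True, True, True)
    # Rule 2: blocked unless the sender overrides with a business justification.
    # The lab only shows the notification arriving after the overridden send,
    # so the blocked case is modelled without one (an assumption).
    overridden = bool(override_justification and override_justification.strip())
    return Verdict("multiple-ip", addresses, True, overridden, overridden)


# The two message bodies used in Task 1 and Task 2 of this exercise.
TEST_1 = "Hey Lynne - I will configure this IP address: 192.168.0.1"
TEST_2 = "Hey Lynne - I will test the following IP addresses: 192.168.0.1 and 172.16.0.1"

if __name__ == "__main__":
    print(evaluate(TEST_1))
    print(evaluate(TEST_2))
    print(evaluate(TEST_2, "Lynne must be informed of the IP addresses I'm testing"))
```
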
10 | 11 | In this task, you will send an email from Holly Dickson to Lynne Robbins that tests the first rule (single IP address). When this rule is triggered, an email policy tip is displayed in the sender's Outlook mailbox that informs the sender the email contains sensitive data. The sender will also receive an email notification, but the email will still be sent to the recipient. 12 | 13 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 14 | 15 | 2. You will now send an email from Holly to Lynne Robbins, and you will include an IP address in the body of the email.
16 | 17 | In **Microsoft Edge**, select the **Home | Microsoft 365** tab, and then select the **Outlook** icon in the column of app icons on the left-side of the screen. When Outlook on the web opens, you should be automatically logged in as Holly Dickson.
18 | 19 | **Note:** If **Outlook on the web** was already open, then verify that you're logged in as **Holly** by checking the user icon in the upper right corner (the **HD** circle). If Outlook was open for any other user, then close the tab and repeat the instructions in this step to open Outlook on the Web for Holly. 20 | 21 | 3. In the upper left corner of the screen, select **New mail**. 22 | 23 | 4. In the message pane that appears on the right-side of the screen, enter the following information: 24 | 25 | - To: enter **Lynne** and then select **Lynne Robbins** from the user list that appears 26 | 27 | - Add a subject: **DLP Policy Test 1** 28 | 29 | - Message area: **Hey Lynne - I will configure this IP address: 192.168.0.1** 30 | 31 | **Note:** When drafting this email with sensitive data (in this case, one IP address), it will trigger the IP address policy that you previously created, and specifically, the single IP address rule. As such, a **Policy tip** should be displayed indicating the email message violates an organizational policy. You'll ignore this policy tip and send the email anyway in order to test the remainder of the DLP policy, which will send a Notification email to Holly. 32 | 33 | 5. Once the policy tip is displayed, select **Send.** 34 | 35 | 6. Select Holly's **Sent Items** folder to verify the email was sent. 36 | 37 | 7. Select Holly's **Inbox** folder. Holly should receive an email from **Microsoft Outlook** with the subject: **Notification: DLP Policy Test 1**. Select this email and review its content. 38 | 39 | 8. Switch to **LON-CL2**. 40 | 41 | 9. If you need to sign into the VM, the local **LON-CL2\admin** account should appear by default, so enter **Pa55w.rd** in the **Password** field to log in. 42 | 43 | 10. On the taskbar, select the icon for the **Edge** browser. 44 | 45 | 11. In the Edge browser, enter the following URL: **https://outlook.office365.com** 46 | 47 | 12. 
In the **Pick an account** window, select Lynne Robbins' account (**LynneR@xxxxxZZZZZZ.onmicrosoft.com**, where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider). In the **Enter password** window, enter the New User Password that you assigned to Lynne's account and then select **Sign in**. 48 | 49 | 13. On the **Stay signed in** window, select the **Don't show this again** check box and select **Yes**. 50 | 51 | 14. In Lynne's Inbox, verify that she received the email from Holly Dickson that has the subject line: **DLP Policy Test 1**. Select the message to verify the content containing the IP address was not removed. 52 | 53 | 15. Leave the Outlook tab open in the Edge browser for the next task. 54 | 55 | 16. Switch back to **LON-CL1**. 56 | 57 | 58 | ### Task 2 – Test the second DLP Policy rule 59 | 60 | In the previous exercise, you created a custom DLP policy that searches emails for sensitive information related to IP addresses in your Adatum tenant. This policy included two rules - one that checked for emails containing a single IP address, and another that checked for emails containing two or more IP addresses. 61 | 62 | In this task, you will send an email from Holly Dickson to Lynne Robbins that tests the second rule (multiple IP addresses). When this rule is triggered, an email policy tip is displayed in the sender's Outlook mailbox that informs the sender the email contains sensitive data. The email will be blocked, but the sender can override the blocked email and allow it to be sent. 63 | 64 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 65 | 66 | 2. You will now send a second message from Holly to Lynne that contains multiple IP addresses. 
Repeat the process as before for creating an email to Lynne Robbins with the following information: 67 | 68 | - Add a subject: **DLP Policy Test 2** 69 | 70 | - Message area: **Hey Lynne - I will test the following IP addresses: 192.168.0.1 and 172.16.0.1** 71 | 72 | **Note:** When drafting this email with sensitive data (in this case, multiple IP addresses), it will trigger the IP address policy that you previously created, and specifically, the multiple IP address rule. As such, a **Policy tip** should be displayed indicating the email message violates an organizational policy. You'll ignore this policy tip and send the email anyway in order to test the remainder of the DLP policy, which will block the email. Once you test the email block, you'll override the blockage by entering a business justification for sending this sensitive data, and then you'll try and send the email again. 73 | 74 | 3. Once the policy tip is displayed, select **Send**. You should immediately receive a **Send blocked** dialog box that indicates the message includes one or more recipients who aren't authorized to receive sensitive information. Select **OK**.
75 | 76 | **Hint:** Normally you would override the block before sending it, but in this case we wanted you to experience the block to see how it works. In the next steps, you'll override the block and attempt to re-send the email. 77 | 78 | 4. Select Holly's **Sent Items** folder to verify the email was not sent. 79 | 80 | 5. Select Holly's **Inbox** folder. Note that the email message is no longer displayed. Select Holly's **Drafts** folder, which contains a copy of the email. Select the email. 81 | 82 | 6. To send this email, you must override the block BEFORE you select the **Send** button. To override the block, in the policy tip that appears at the top of the message, select **Show details**. 83 | 84 | 7. In the detail message that appears in the policy tip, select **Override**. 85 | 86 | 8. In the dialog box that appears, the **I have a business justification** option is selected by default. Leave this option selected and enter **Lynne must be informed of the IP addresses I'm testing** in the **Enter explanation here** field. Select **Override**.
87 | 88 | Note how the policy tip message has changed to indicate you have chosen to send the message even though it appears to contain sensitive information. 89 | 90 | 9. Select Holly's **Sent Items** folder to verify the email was sent. 91 | 92 | 10. Select Holly's **Inbox** folder. Holly should receive an email from **Microsoft Outlook** with the subject: **Notification: DLP Policy Test 2**. Select this email and review its content. 93 | 94 | 11. Switch to **LON-CL2**. 95 | 96 | 12. You should still be logged into **Outlook on the Web** in the LON-CL2 VM as **Lynne Robbins**. In your **Edge** browser, Lynne’s mailbox should still be open in **Outlook on the web** from when you last used it in the previous task. 97 | 98 | 13. In Lynne's Inbox, verify that she received the email from Holly Dickson that has the subject line: **DLP Policy Test 2**. Select the message to verify the content containing the IP addresses was not removed. 99 | 100 | 14. Leave the Outlook tab open in the Edge browser for the next task. 101 | 102 | 15. Switch back to **LON-CL1**. 103 | 104 | 105 | # End of Lab 8 106 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_07_Lab7_Ex1_Retention_Policies.md: -------------------------------------------------------------------------------- 1 | # Learning Path 7 - Lab 7 - Exercise 1 - Configure In-place Archiving and Retention Policies 2 | 3 | In this exercise, you will use the Microsoft Exchange admin center to enable In-place archiving for Holly Dickson's mailbox. You will then configure two retention policies through the Microsoft Purview portal. 4 | 5 | ### Task 1 – Activate In-Place Archiving for a new user's mailbox 6 | 7 | In this next phase of your Adatum pilot project, you will access the Microsoft Exchange admin center to activate Holly Dickson’s archive mailbox.
After Holly's archive mailbox is enabled, the default retention policy that's assigned to her mailbox does the following:
8 | 9 | - Moves items that are two years or older from Holly's primary mailbox to her archive mailbox. 10 | - Moves items that are 14-days or older from the Recoverable Items folder in Holly's primary mailbox to the Recoverable Items folder in her archive mailbox. 11 | 12 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 13 | 14 | 2. In Microsoft Edge, in the **Microsoft 365 admin center**, under the **Admin centers** group, select **Exchange** to open the Exchange admin center. 15 | 16 | 3. In the **Exchange admin center**, if the **Recipients** group is already expanded in the navigation pane, then select **Mailboxes**, which appears in the group under it. If **Recipients** is not expanded, then select it to expand the group and then select **Mailboxes**. 17 | 18 | 4. On the **Manage mailboxes** page, in the list of users, note the ones who have an **Archive status** that is set to **Active**. These archive mailboxes were enabled when the VM lab environment was built for this training course and these users were preconfigured in the tenant. However, since you added Holly's user account in one of the first labs at the start of this course, her archive mailbox is **Disabled** by default.
19 | 20 | To enable Holly’s archive mailbox, select **Holly Dickson** in the user list. In the **Holly Dickson** pane that appears, the **General** tab is displayed by default. Select the **Others** tab. In the **Mailbox archive** section, note that Holly's archive mailbox is Disabled. In this group, select **Manage mailbox archive**. 21 | 22 | 5. In the **Manage mailbox archive** pane that appears, select the toggle switch for **Mailbox archive status** to change it to **Enabled**. Select **Save** and then close the pane. 23 | 24 | 6. It might take a few moments to create Holly's archive mailbox. Once a message appears indicating **Mailbox archiving successfully updated**, select the X in the upper right corner of the pane to close it. 25 | 26 | 7. On the **Manage mailboxes** page, select the **Refresh** icon on the menu bar above the list of users. Holly's archive mailbox should now be **Active** once the archive mailbox is created. You may have to wait a minute or two and refresh again until **Active** appears. 27 | 28 | 8. Leave your Edge browser and all its tabs open for the next task. 29 | 30 | 31 | ### Task 2 – Create an email retention policy for test users 32 | 33 | As part of your pilot project for Adatum, you will configure email retention through the Microsoft Purview portal by creating a new retention policy. You will then assign this retention policy to Joni Sherman and Lynne Robbins’ mailboxes. Joni and Lynne are Holly's two test users for compliance testing. Holly wants to use this policy to test email retention for these two test users before creating a second retention policy in the next task that will be applied across the entire organization. 34 | 35 | 1. On LON-CL1, select the tab for the **Microsoft 365 admin center**. Under the **Admin centers** section in the navigation pane, select **Microsoft Purview**. Doing so will open the **Microsoft Purview** portal. 36 | 37 | 2.
In the **Microsoft Purview** portal, select **Solutions** in the navigation pane. In the **Solutions** menu that appears, select **Data Lifecycle Management**. 38 | 39 | 3. In the **Data lifecycle management** window, select **Policies** in the navigation pane, and then select **Retention policies**. 40 | 41 | 4. On the **Retention policies** page, select **+New retention policy** on the menu bar. This initiates the **Create retention policy** wizard. 42 | 43 | 5. On the **Name your retention policy** page, enter **Test user email retention** in the **Name** field and then select **Next**. 44 | 45 | 6. On the **Policy Scope** page, you can choose the admin units that you want to apply the policy to. Since Holly wants this policy to apply to the entire organization rather than just a select group of admin units, select **Next**. 46 | 47 | 7. On the **Choose the type of retention policy to create** page, select **Static** and then select **Next**. 48 | 49 | 8. On the **Choose where to apply this policy** page, note the **Exchange mailboxes** location. It's currently turned **On** and set to include **All mailboxes**. You want to change this to just apply to Joni Sherman and Lynne Robbins' mailboxes. Under **All mailboxes**, select **Edit**. 50 | 51 | 9. In the **Exchange mailboxes** pane that appears, select the check boxes for **Joni Sherman** and **Lynne Robbins** and then select **Done**. 52 | 53 | 10. On the **Choose where to apply this policy** page, the **Exchange email** location should now indicate that **2 mailboxes** are included.
54 | 55 | Since this policy will only apply to Exchange email for Joni and Lynne, set the **Status** toggle switch to **Off** for all other locations in which it's currently set to On (**SharePoint classic and communication sites**, **OneDrive accounts**, and **Microsoft 365 Group mailboxes & sites**). 56 | 57 | 11. Select **Next**. 58 | 59 | 12. On the **Decide if you want to retain content, delete it, or both** page, verify the **Retain items for a specific period** option is selected (if necessary, select it now). Then enter the following information for this option:
60 | 61 | - Retain items for a specific period - select in this field, and in the drop-down menu that appears, select **Custom**. Three fields will appear - years, months, and days. For testing purposes, Holly wants to test email retention for emails in Joni and Lynne's mailboxes by only retaining emails that are less than one year old. As such, set the time periods to the following values: **Years - 1, Months - 0, Days - 0**. 62 | 63 | - Start the retention period based on - **When items were created** 64 | 65 | - At the end of the retention period - **Delete items automatically** 66 | 67 | 13. Select **Next**. 68 | 69 | 14. On the **Review and finish** page, review your selections. If anything needs to be changed, select the appropriate **Edit** link and make the necessary changes. Once everything is correct, select **Submit**. 70 | 71 | 15. On the **You successfully created a retention policy** window, select **Done**. 72 | 73 | 16. On the **Retention policies** page, you should see your new policy in the list of retention policies. 74 | 75 | 17. Leave the **Retention policies** page open in your Edge browser as you will create another retention policy in the next task. 76 | 77 | 78 | ### Task 3 – Create an email retention policy for all users 79 | 80 | Holly has concluded her testing of email retention on Joni and Lynne's mailboxes using the **Test user email retention** policy that you created in the prior task. Holly now wants to create a retention policy that preserves the content of all Exchange Online mailboxes from deletion for 5 years after the last modification. Since Holly has completed her email retention testing, she wants to first disable the **Test user email retention** policy. By doing so, Joni and Lynne's mailboxes will be governed by the retention policy that you create in this task that applies to all Adatum mailboxes. 81 | 82 | 1. 
On LON-CL1, your Edge browser should still have the **Microsoft Purview** portal open from the prior task, and it should be displaying the **Retention policies** window. 83 | 84 | 2. On the **Retention policies** page, select the check box next to **Test user email retention**, and then select the **Disable policy** icon on the menu bar.
85 | 86 | **Note:** It may take a couple of minutes for the policy that you created in the prior task to propagate through the system. During that time, you won't be able to disable the policy, and you'll receive a **Failed** message. You may have to wait a couple of minutes for the policy to finish propagating before you can disable it. 87 | 88 | 3. Once the policy is disabled, a message will briefly appear at the top of the page indicating the policy is disabled. To test whether the policy is, in fact, disabled, select the check box next to **Test user email retention**. Note that the menu bar includes an **Enable policy** option. This option indicates the policy is currently disabled. Now that you have verified the policy is disabled, you can complete the remaining steps in this task to create Adatum's official, organization-wide email retention policy. 89 | 90 | 4. On the **Retention policies** page, select **+New retention policy** on the menu bar. This initiates the **Create retention policy** wizard. 91 | 92 | 5. On the **Name your retention policy** page, enter **Adatum email retention** in the **Name** field and then select **Next**. 93 | 94 | 6. On the **Policy Scope** page, you can choose the admin units that you want to apply the policy to. Since Holly wants this policy to apply to the entire organization rather than just a select group of admin units, select **Next**. 95 | 96 | 7. On the **Choose the type of retention policy to create** field, select **Static** and then select **Next**. 97 | 98 | 8. On the **Choose where to apply this policy** page, this policy will only apply to **Exchange mailboxes**. Ensure that its **Status** is set to **On**. Set the **Status** toggle switch to **Off** for all other locations that are turned **On** by default. **Exchange mailboxes** should be the only location whose **Status** is set to **On**.
99 | 100 | **Note:** For the **Exchange mailboxes** location, note that it's currently set to include **All mailboxes**. Do not change this value, since Holly wants this policy to apply to all mailboxes at Adatum.
101 | 102 | Select **Next**. 103 | 104 | 9. On the **Decide if you want to retain content, delete it, or both** page, verify the **Retain items for a specific period** option is selected (if necessary, select it now). Then enter the following information for this option:
105 | 106 | - Retain items for a specific period - **5 years** 107 | 108 | - Start the retention period based on - **When items were last modified** 109 | 110 | - At the end of the retention period - **Delete items automatically** 111 | 112 | 10. Select **Next**. 113 | 114 | 11. On the **Review and finish** page, review your selections. If anything needs to be changed, select the appropriate Edit link and make the necessary changes. Otherwise, if everything is correct, select **Submit**. 115 | 116 | 12. On the **You successfully created a retention policy** window, select **Done**. 117 | 118 | 13. On the **Retention policies** page, you should see your new policy in the list of retention policies. 119 | 120 | 14. In your Edge browser, leave all the tabs open as you proceed to the next exercise. 121 | 122 | You have now created a new retention policy in the Microsoft Purview portal that retains all Exchange emails from all mailboxes for 5 years after the last modification. 123 | 124 | # End of Lab 7 125 | 126 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_06_Lab6_Ex6_AttackSim_PW_attack.md: -------------------------------------------------------------------------------- 1 | # Learning Path 6 - Lab 6 - Exercise 6 - Conduct a Drive-by URL attack using Attack Simulation training 2 | 3 | Holly Dickson is concerned that some of the users at Adatum may require training about avoiding URL links to familiar websites that are either fake or have been hacked. This type of attack is known as a Drive-by URL attack. With this type of attack, a target receives an email containing a URL link, and when the target selects the link, they are taken to a website that runs background code whose sole purpose is to gather information about the target or deploy arbitrary code to their device. 
As part of her pilot project, Holly has decided to use the Microsoft 365 Attack simulation training feature to determine her users' susceptibility to Drive-by URL attacks. 4 | 5 | ### Task 1: Configure and launch a Drive-by URL attack 6 | 7 | In a Drive-by URL attack, the website attempting to lure the target will typically be a well-known website that has been compromised in some fashion, or a clone of a well-known website itself. The hacker hopes that familiarity with the website builds trust in the target, to the point where the target feels that it's safe to select the URL link. Holly wants to create a Drive-by URL attack using a rip-off of the Tailspin Toys website. Tailspin Toys is a nationally known toy store that is constantly offering promotions on TV and throughout social media. Holly wants to use this familiarity with the Tailspin Toys name brand to offer an enticing promotion for free toys as part of her attack simulation training. This will enable her to see how many Adatum employees are susceptible to this type of attack. 8 | 9 | In the prior lab, you created a simulation that was sent to all Adatum users. You also used an existing payload template for the simulation. In this lab exercise, you will only roll out the simulation to Lynne Robbins, and you will create your own custom payload. 10 | 11 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 12 | 13 | 2. After the previous lab exercise, you should still be in the **Microsoft Defender** portal. If not, then in the **Microsoft 365 admin center**, under the **Admin centers** group in the navigation pane, select **Security**. 14 | 15 | 3. In the **Microsoft Defender** portal, you should still be on the **Attack simulation training** page; if not, then in the navigation pane, under the **Email & collaboration** section, select **Attack simulation training**. 16 | 17 | 4. 
On the **Attack Simulation training** page, the **Overview** tab is displayed by default. Select the **Simulations** tab, and then select the **+Launch a simulation** option that appears on the menu bar. This initiates the **Simulation** wizard. 18 | 19 | 5. On the **Select technique** page in the **Simulation** wizard, scroll down and select the **Drive-by URL** option. Under this option, select the **View details of Drive-by URL** link. This opens a **Drive-by URL** pane on the right. Review the **Description** and the **Simulation steps** for this type of attack. When you're done, close the **Drive-by URL** pane and select **Next**. 20 | 21 | 6. On the **Name Simulation** page, enter **Custom payload** in the **Simulation name** field and then select **Next**. 22 | 23 | 7. On the **Select payload and login page**, the **Global payloads** tab is displayed by default. Select the **Tenant payloads** tab, and then select **+Create a payload** on the menu bar. This initiates the **Payload** wizard. 24 | 25 | 8. On the **Select type** page of the **Payload** wizard, the **Email** option should be selected by default (it may also be grayed out so that you can't change this option). Select **Next**. 26 | 27 | 9. On the **Select technique** page, the **Drive-by URL** attack type should be selected by default (all other options are disabled since you already selected this option back in step 5). Select **Next**. 28 | 29 | 10. On the **Payload Name** page, enter the following information:
30 | 31 | - Payload name: **Free gift offer** 32 | - Description: **This payload is for Drive-by URL threats offering free prizes and gifts that are too good to be true** 33 | 34 | 11. Select **Next**. 35 | 36 | 12. On the **Configure Payload** page, enter the following information:
37 | 38 | - From name: **Klemen Sic** 39 | - From email: **klemens@tailspintoys.com** 40 | - Email subject: **Free toy giveaway promotion from Tailspin Toys** 41 | - Select a URL you want to be your phishing link: select the **Select URL** button, which opens a pane of predefined phishing link URLs; select **https://www.prizegives.com** from the list of fictitious URLs (to quickly find this URL, enter **prizegives** in the Search box), and then select **Confirm** 42 | - Theme: **Personalized Offer** 43 | - Industry: **Retail** 44 | - Current Event: **Yes** 45 | - Select the language for payload : **English** 46 | - Email message: Under the Text tab in this **Email message** section, enter the following text in the message box; this message will be displayed in the body of the email message: **Tailspin Toys is offering you a FREE, one-time only giveaway of a toy of your choice as part of our 25th anniversary celebration! Please click on the following link to select the toy of your choice:** 47 | - After entering the prior message, select the **Phishing link** button that appears just above the message box (to the right of **Dynamic tag**). In the **Name Phishing Url** dialog box that appears, enter **Free25thAnniversaryGift@tailspintoys.com** in the **Name** field and then select **Confirm**. 48 | 49 | The message should now appear as: 50 | 51 | Tailspin Toys is offering you a FREE, one-time only gift of the toy of your choice as part of our 25th anniversary celebration! Please click on the following link to select the toy of your choice: **Free25thAnniversaryGift@tailspintoys.com** (make sure you have a space between the colon and the start of the link to make it look nice) 52 | 53 | 13. Select **Next**. 54 | 55 | 14. On the **Add Indicators** page, select **Add Indicator**. 56 | 57 | 15. On the **Add Indicator** pane that appears on the right, enter the following information:
58 | 59 | - Select an indicator you would like to use: **Too good to be true offers** 60 | - Where do you want to place this indicator on payload: **From the Body of the Email** 61 | 62 | 16. A **Select Text** button will appear. Select this button. 63 | 64 | 17. In the **Select the required text** pane that appears on the right, drag your cursor from the start of the code block to the end, so that the entire code block is highlighted. This will enable the **Select** button. Select this button. This returns you to the **Add indicator** pane. 65 | 66 | 18. In the **Indicator Description** field, replace the default description with the following text: **Free gifts or other one-time only promotional giveaways**. 67 | 68 | 19. Select inside the **Indicator Preview** area to see a preview of the indicator message. Then select outside the **Indicator Preview** field to exit the preview. 69 | 70 | 20. Select the **Add** button at the bottom of the **Add Indicator** pane. 71 | 72 | 21. On the **Add Indicators** page, the indicator that you just created should be displayed. Select **Next**. 73 | 74 | 22. On the **Review Payload** page, review the entered information. If anything needs to be changed, select the appropriate **Edit** option to make the change, or select **Back** to enter any of the information in the Configure section. Once everything is correct, select **Submit**. After a few moments you will receive a confirmation stating **New payload created**. Select **Done**. 75 | 76 | 23. On the **Select payload and login page** window, the **Free gift offer** payload that you just created should appear in the list. Select the check box to the left of the **Free gift offer** payload, and then select **Next**. 77 | 78 | 24. On the **Target Users** page, verify the **Include only specific users and groups** option is selected (if not, select it now), and then select **+Add Users**. 79 | 80 | 25. 
In the **Add Users** pane that appears, in the **Search for Users or Groups** field at the top of the pane, enter **Lynne** and then hit Enter. In the list of users that appears whose name starts with Lynne, select **Lynne Robbins** and then select **Add 1 User(s)**. 81 | 82 | 26. On the **Target Users** page, Lynne Robbins should be displayed as the targeted user. Select **Next** and then select **Next** again on the **Exclude users** page. 83 | 84 | 27. On the **Assign Training** page, under the **Preferences** section, the **Assign training for me (Recommended)** option should be selected by default (if not, select it now). Select the **Due Date** field. In the drop-down menu that appears, select **7 days after Simulation ends** and then select **Next**. 85 | 86 | 28. On the **Select Phish landing page** window, the **Global landing pages** tab should be displayed by default. Select the **Microsoft Landing Page Template 1** name to preview the page. 87 | 88 | 29. A preview of the **Microsoft Landing Page Template 1** appears in the pane on the right. This preview panel provides an example of what the landing page will look like when someone experiences a Drive-by URL attack and the simulation uses **Microsoft Landing Page Template 1**. Scroll down through this preview panel and review the features of this template. When you're finished, select the **Close** button at the bottom of the preview panel. 89 | 90 | 30. You will now look at some of the other landing page templates until you find one that you want to use for this simulation. On the **Select Phish landing page** window, select one of the other templates (select the name of the template and not its checkbox). Examine the preview panel and note how the landing page for this template is different from **Microsoft Landing Page Template 1**. When you're finished, select the **Close** button at the bottom of the preview panel. 91 | 92 | 31. Repeat the prior step and select another template. 
Note how this template is different from the other two you looked at.
93 | 94 | Repeat this step as many times as you would like until you find a template that you want to use for this simulation. Once you're satisfied with a template, select the checkbox for that template on the **Select Phish landing page** and then select **Next**. 95 | 96 | 32. On the **Select end user notification** page, choose how you want the end user to be notified. For the purpose of this lab, select **Microsoft default notification (recommended)**. In the list of notifications that appears, configure the following notifications: 97 | 98 | - Microsoft default positive reinforcement notification - set **Delivery preferences** to **Deliver after simulation ends** 99 | - Microsoft default training reminder notification - set **Delivery preferences** to **Weekly** 100 | 101 | 33. Select **Next**. 102 | 103 | 34. On the **Launch Details** page, select the **Launch this simulation as soon as I'm done** option and then select **Next**. 104 | 105 | 35. On the **Review Simulation** page, review the entered information. If anything needs to be changed, select the appropriate **Edit** option to make the change. Once everything is correct, select **Submit**. It may take a few minutes before you receive a confirmation stating **Simulation has been scheduled for launch**. Select **Done**.
106 | 107 | **Note:** Once the simulated drive-by URL attack is launched, an email should be sent to Lynne Robbins. It can take up to 15 minutes for the email to be generated. Rather than waiting for the email to be generated, you will validate the email and review the diagnostic results of the attack in Exercise 7, task 5. 108 | 109 | 36. Leave your Edge browser and all tabs open and proceed to the next exercise. 110 | 111 | 112 | # Proceed to Lab 6 - Exercise 7 113 | 114 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_03_Lab3_Ex1_Prepare_Identity_Synch.md: -------------------------------------------------------------------------------- 1 | # Learning Path 3 - Lab 3 - Exercise 1 - Prepare for Identity Synchronization 2 | 3 | As in the previous lab exercises, you will take on the role of Holly Dickson, Adatum Corporation’s new Microsoft 365 Administrator. Adatum has recently subscribed to Microsoft 365, and you have been tasked with deploying the application in Adatum’s virtualized lab environment. In this lab, you will perform the tasks necessary to manage your Microsoft 365 identity environment using both the Microsoft 365 admin center and Windows PowerShell. 4 | 5 | During this exercise you will set up and manage Microsoft Entra Connect. You will create on-premises users and validate the sync process so that their identity is moved to the cloud. Some of the user and group maintenance steps may feel familiar from previous exercises; however, in this case they are needed to validate the synchronization process. 6 | 7 | ### Task 1: Configure your UPN suffix 8 | 9 | In Active Directory, the default User Principal Name (UPN) suffix (i.e. the tenant prefix) is the DNS name of the domain where the user account was created. 
The Microsoft Entra Connect wizard uses the userPrincipalName attribute, or it lets you specify the on-premises attribute (in a custom installation) to be used as the user principal name in Microsoft Entra ID. This is the value that is used for signing into Microsoft Entra ID. 10 | 11 | If you recall, your VM environment was created by your lab hosting provider with an on-premises domain titled **adatum.com**. This domain included several on-premises user accounts, such as Holly Dickson, Laura Atkins, and so on. Then in an earlier lab in this course, you created a custom, accepted domain for Adatum titled **xxxUPNxxx.xxxCustomDomainxxx.xxx** (where xxxUPNxxx was the unique UPN name assigned to your tenant, and xxxCustomDomainxxx.xxx was the name assigned to the domain by your lab hosting provider). 12 | 13 | In this task, you will use PowerShell to change the user principal name of the domain for the entire Adatum Corporation by replacing the originally established **adatum.com** domain with the custom **xxxUPNxxx.xxxCustomDomainxxx.xxx** domain. In doing so, you will update the UPN suffix for the primary domain and the UPN on every on-premises user account in AD DS with **@xxxUPNxxx.xxxCustomDomainxxx.xxx**. 14 | 15 | A company may change its domain name for a variety of reasons. For example, a company may purchase a new domain name, or a company may change its name and it wants its domain name to reflect the new company name, or a company may be sold and it wants its domain name to reflect the new parent company’s name. Regardless of the underlying reason, the goal of changing a domain name is typically to change the domain name on each user’s email address. 16 | 17 | For this lab, Adatum has purchased the new xxxUPNxxx.xxxCustomDomainxxx.xxx domain (provided by your lab hosting provider); therefore, it wants to change the domain name of all its users’ email addresses from @adatum.com to @xxxUPNxxx.xxxCustomDomainxxx.xxx. 18 | 19 | 1. 
Switch to **LON-DC1**, which is Adatum's domain controller, where you should still be logged in as **ADATUM\Administrator** and password **Pa55w.rd**. 20 | 21 | 2. If **Windows PowerShell** is still open, then select the **PowerShell** icon on your taskbar; otherwise, you must open **Windows PowerShell** by selecting the magnifying glass (**Search**) icon on the taskbar, typing **power** in the Search box that appears, right-clicking on **Windows PowerShell** (do not select Windows PowerShell ISE), and selecting **Run as administrator** in the drop-down menu. When Windows PowerShell opens, maximize the window. 22 | 23 | 3. Using **Windows PowerShell**, you must replace the on-premises **adatum.com** domain with the **xxxUPNxxx.xxxCustomDomainxxx.xxx** domain (where you will replace xxxUPNxxx with the unique UPN name assigned to your tenant, and you will replace xxxCustomDomainxxx.xxx with your lab hosting provider's custom domain). In doing so, you will update the UPN suffix for the primary domain and the UPN on every user in AD DS with **@xxxUPNxxx.xxxCustomDomainxxx.xxx**. 24 | 25 | >In the following PowerShell command, the **Set-ADForest** cmdlet modifies the properties of an Active Directory forest, and the **-identity** parameter specifies the Active Directory forest to modify. To perform this task, run the following command to set the **UPNSuffixes** property for the **adatum.com** forest (remember to change xxxUPNxxx to your unique UPN name and xxxCustomDomainxxx.xxx to your lab hosting provider's custom domain name): 26 | 27 | ```powershell 28 | Set-ADForest -identity adatum.com -UPNSuffixes @{replace="xxxUPNxxx.xxxCustomDomainxxx.xxx"} 29 | ``` 30 | 31 | 4. 
You must then run the following command that changes all existing adatum.com accounts to the new UPN @xxxUPNxxx.xxxCustomDomainxxx.xxx domain (remember to change xxxUPNxxx to your unique UPN name and xxxCustomDomainxxx.xxx to your lab hosting provider's custom domain name): 32 | 33 | ```powershell 34 | Get-ADUser -Filter * | ForEach-Object { Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + "@xxxUPNxxx.xxxCustomDomainxxx.xxx" )} 35 | ``` 36 | 37 | 5. You will continue using PowerShell on LON-DC1 in the next task. 38 | 39 | 40 | ### Task 2: Prepare problem user accounts 41 | 42 | Integrating your on-premises Active Directory with Microsoft Entra ID makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. However, errors can occur when identity data is synchronized from Windows Server Active Directory (AD DS) to Microsoft Entra ID. 43 | 44 | For example, two or more objects may have the same value for the **ProxyAddresses** attribute or the **UserPrincipalName** attribute in on-premises Active Directory. There are a multitude of different conditions that may result in synchronization errors. Organizations can correct these errors by running Microsoft's IdFix tool, which performs discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Microsoft Entra ID. 45 | 46 | In this task, you will run a script that breaks an on-premises user account. As part of your Adatum pilot project, you are purposely breaking an identity object so that you can run the IdFix tool in the next task to see how you can fix the broken account. 47 | 48 | 1. On your Domain Controller VM (LON-DC1), in the Windows PowerShell window, run the following command to change the root source to **C:\labfiles** so that you can access any files from that location:
49 | 50 | ```cmd 51 | CD C:\labfiles\ 52 | ``` 53 | 54 | 3. Enter the following command that runs a PowerShell script that creates a problem user account. This script, which is stored in the C:\labfiles folder, will purposely create an issue with the userPrincipalName for Klemen Sic's on-premises user account; this will enable you to troubleshoot this account in the next task using the IdFix tool.
55 | 56 | ```powershell 57 | .\CreateProblemUsers.ps1 58 | ``` 59 | 60 | 61 | >**Important:** Wait until the script has finished before proceeding to the next task. This Windows PowerShell script will make the following change in AD DS: 62 | 63 | - **Klemen Sic**. Update the userPrincipalName for Klemen to include an extra "@" character. 64 | 65 | 4. Minimize your Windows PowerShell window. 66 | 67 | 68 | ### Task 3: Run the IdFix tool and fix identified issues 69 | 70 | In this task you will download and use the IdFix Directory Synchronization Error Remediation Tool to fix Klemen Sic's on-premises user account that you purposely broke in the previous task. Running the IdFix tool will correct any user account errors prior to synchronizing identity data between your on-premises environment and Microsoft Entra ID. 71 | 72 | 1. You should still be logged into **LON-DC1** as the **Administrator** from the prior task. 73 | 74 | 2. On **LON-DC1**, select the **Microsoft Edge** icon on the taskbar. In your **Microsoft Edge** browser, open a new tab and enter the following URL in the address bar to access the Microsoft - IdFix Overview page:
75 | 76 | **https://microsoft.github.io/idfix** 77 | 78 | 3. On the **Microsoft - IdFix** page, in the navigation pane on the side of the screen, select **Step 2: Install IdFix**. 79 | 80 | 4. On the **Step 2: Install IdFix** page, the first line in the instruction says: **Select *setup.exe* to download and install the IDFix tool on your Windows machine.**
81 | 82 | In this instruction, select **setup.exe** to download the IdFix application to your machine. 83 | 84 | 5. Once the **setup.exe** file is downloaded, a **Downloads** window will appear at the top-right of the page. In this window, under **setup.exe**, select **Open file** to install the file on LON-DC1. This will initiate the **Application Install** wizard. 85 | 86 | 6. In the **Do you want to install this application?** page in the **Application Install** wizard, select **Install**. 87 | 88 | 7. In the **IdFix Privacy Statement** message box, select **OK**. Once the IdFix tool is installed, the **Application Install** wizard will close and the **IdFix** tool will automatically open. 89 | 90 | 8. In the **IdFix** tool that appears, maximize the window. On the menu bar at the very top of the screen, select **Query** to query the directory. After a short wait, you should see several errors.
91 | 92 | **Note:** If a **Schema Warning** dialog box appears, select **Yes** to continue. 93 | 94 | 9. Select the **ERROR** column heading to sort the records in alphabetical error sequence.
95 | 96 | >**Note:** If any **topleveldomain** errors appear, then ignore them as they cannot be fixed by the IdFix tool. 97 | 98 | 10. In the **Klemen Sic** row, note the text in the **VALUE** column. It currently includes two **@@** signs, which occurred when you ran the script in the prior task that purposely broke Klemen's UserPrincipalName. Now note the text in the **UPDATE** column, which is the value the IdFix tool will change the UPN name to, should you direct it to do so.
99 | 100 | You want the IdFix tool to fix Klemen's UPN value, so select the drop-down arrow in Klemen's **ACTION** field and select **EDIT**.
101 | 102 | >**Note:** Do NOT update either of the remaining two user accounts. Ignore those for now. 103 | 104 | 11. On the menu bar at the top of the window, select **Apply**. 105 | 106 | 12. In the **Apply Pending** dialog box that appears, select **Yes**.
107 | 108 | >**Note:** Notice the value in the **Action** column changed from **EDIT** to **COMPLETE** for Klemen Sic. This indicates the IdFix tool corrected the error by updating Klemen Sic's user object. 109 | 110 | 13. On the menu bar at the top of the page, select **Query**. If a **Schema Warning** dialog box appears, select **Yes** to continue. If a dialog box appears indicating an unhandled exception has occurred, select **Continue**.
111 | 112 | In the query results, note how the Klemen Sic row no longer appears in the results, since the IdFix tool just fixed this user record.
113 | 114 | As you can see, there are still two users whose errors have not been fixed (**An Dung Dao** and **Ngoc Bich Tran**). We are purposely leaving these errors alone so that you can see what happens during the synchronization process using the Microsoft Entra Connect tool in the next exercise when it processes users with these conditions.
115 | 116 | >**Important:** When there are format and duplicate errors for distinguished names, the **UPDATE** column either contains the same string as the **VALUE** column, or the **UPDATE** column entry is blank. In either case, this means that IdFix cannot suggest a remediation for the error. You can either fix these errors outside IdFix, or manually remediate them within IdFix. You can also export the results and use Windows PowerShell to remediate many different errors. 117 | 118 | 14. Close the IdFix window. 119 | 120 | 15. Leave your Edge browser open. However, you can close the **Step 2: Install Id-Fix - Microsoft - IdFix** tab since you are done using IdFix. 121 | 122 | # Proceed to Lab 3 - Exercise 2 123 | 124 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_05_Lab5_Ex2_Safe_Links.md: -------------------------------------------------------------------------------- 1 | # Learning Path 5 - Lab 5 - Exercise 2 - Implement a Safe Links Policy 2 | 3 | Having created a Safe Attachments policy, Holly Dickson now wants to create a Safe Links policy and then validate the policy to ensure that it works properly. 4 | 5 | **IMPORTANT:** This lab exercise consists of two tasks. The first task creates a Safe Links policy, and then the second task validates the policy. The problem with this lab is that when you create a safe links policy, it takes at least 30 minutes for the new policy to propagate through the system. **This means that after performing Task 1, you must wait at least 30 minutes before performing Task 2. If you perform Task 2 immediately after performing Task 1, then Task 2 will fail.** After completing Task 1, you should continue with the training class. Your instructor will provide guidance on when you can perform Task 2 depending on the next break that occurs in the class schedule. 
6 | 7 | ### Task 1 – Create a Safe Links Policy 8 | 9 | In this task, you will create a Safe Links policy that applies to all users in your tenant. You will then add the **https://tailspintoys.com** URL to the company-wide list of blocked URLs (i.e. the Tenant Block List) that you will define in the Microsoft Defender portal. The blocked URLs and other options defined in the Safe Links global settings are only applied to users who are included in active Safe Links policies. There is no built-in or default Safe Links policy, so you must create at least one Safe Links policy for these global settings to be active. 10 | 11 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 12 | 13 | 2. After finishing the previous task, you should still be in the **Microsoft Defender** portal. If not, then in your browser, enter **https://security.microsoft.com** in the address bar. 14 | 15 | 3. In the **Microsoft Defender** portal, you should still be on the **Safe attachments** page after completing the previous task. In the navigation thread at the top of the page (**Policies & rules > Threat policies > Safe attachments**), select **Threat policies**.
16 | 17 | **NOTE:** If you had closed the **Safe Attachments** tab after the prior task, then navigate to the **Threat policies** page by selecting **Email & collaboration > Policies & rules** in the navigation pane, and then selecting **Threat policies**. 18 | 19 | 4. In the **Threat policies** window, under the **Policies** section, select **Safe Links**. 20 | 21 | 5. On the **Safe links** page, select **+Create** on the menu bar. This initiates the **Create safe links policy** wizard. 22 | 23 | 6. On the **Name your policy** page, enter **LinkPolicy1** in the **Name** field and then select **Next**. 24 | 25 | 7. On the **Users and domains** page, enter **on** in the **Domains** field. In the menu of suggested domains that appears, select Adatum's **xxxxxZZZZZZ.onmicrosoft.com** domain. Adatum's domain will now appear below the **Domains** field. Select **Next**. 26 | 27 | 8. On the **URL & click protection settings** page, update the following settings and then select **Next**: 28 | 29 | - Under the **Email** section, verify that all check boxes are selected (if any are not selected by default, then select them now): 30 | - Under the **Click protection settings** section: 31 | - **Track user clicks** - Adatum does not want to track user clicks, so clear this check box if it's selected by default 32 | 33 | 9. On the **Notification** page, verify the **Use the default notification text** option is selected (if necessary, select it now) and then select **Next**. 34 | 35 | 10. On the **Review** page, review the options that you selected. If any need to be corrected, select the appropriate **Edit** option and make the necessary corrections. Once they all appear correct, select **Submit**. 36 | 37 | 11. On the **New Safe Links policy created** page, select **Done**. Once the **LinkPolicy1** policy is created, it will appear in the Safe links list. 38 | 39 | 12. 
In the navigation thread at the top of the page (**Policies & rules > Threat policies > Safe links**), select **Threat policies**. 40 | 41 | 13. In the **Threat policies** page, under the **Rules** section, select **Tenant Allow/Block Lists**. 42 | 43 | 14. On the **Tenant Allow/Block Lists** page, the **Domains & addresses** tab is displayed by default. Select the **URLs** tab. 44 | 45 | 15. On the **URLs** tab, select **+Add** > **Block** on the menu bar. In the **Block URLs** pane that appears, enter **https://tailspintoys.com/*** in the field and then select **Add**. 46 | 47 | **Note:** When you enter the URL, make sure you enter the wildcard at the end of it. The * wildcard represents "any characters" and is used to match multiple URLs. When you enter **https://tailspintoys.com/*** , you're telling Microsoft 365 to block all URLs that start with https://tailspintoys.com/, including any subdirectories, paths, or additional characters after the domain. This ensures a broader and more effective block, covering any page or resource under the tailspintoys.com domain. If you enter https://tailspintoys.com without the wildcard (*), Microsoft 365 might interpret it as an exact match to that specific domain. As such, it may fail to block it because URLs on the web typically have paths, query strings, or other parts after the domain name. For example, https://tailspintoys.com/contact or https://tailspintoys.com/shop would not be blocked if you only specify https://tailspintoys.com without a wildcard. 48 | 49 | **STOP!!** As mentioned at the start of this lab exercise, now that you have created a Safe Links policy, you must wait at least 30 minutes for the policy to propagate through the system before you can perform the next task in this exercise. 50 | 51 | **Do NOT proceed to the next task!** You can continue with the training course and perform the next task when your instructor feels it's appropriate given the class' training schedule. 
 52 | 53 | ### Task 2 – Validate the Safe Links policy and blocked URL functionality 54 | 55 | After having waited at least 30 minutes since completing Task 1, you will now test the blocked URL and the Safe Links policy that you created. There are several tests that you will perform. 56 | 57 | - First, you will send two emails from Holly Dickson to the MOD Administrator - one that contains an unblocked URL and another that contains the blocked http://tailspintoys.com URL. 58 | - You will verify that both emails appear in Holly's Sent Items folder. 59 | - You will then log into the MOD Administrator's Outlook mailbox and verify that the email with the unblocked URL arrived in the MOD Administrator's Inbox and the email with the blocked URL never arrived. The fact that the system sent the email with the blocked URL but it never arrived in the MOD Administrator's Inbox verifies the Blocked URL functionality worked. Messages that contain unblocked URLs are held until Safe Links scanning is finished. Messages are delivered only after Safe Links confirms the URLs are safe, which is the case with the email with the unblocked URL. 60 | - You will then go back into Holly's Outlook mailbox and open the email in her Sent Items folder that contains the blocked URL. You will select the hyperlinked text and verify the Safe Links policy worked when you try to access this blocked site. Safe Links immediately checks the URL before opening the website. Since the URL is blocked, Safe Links returns a malicious website warning page. 61 | 62 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 63 | 64 | 2. In your **Microsoft Edge** browser, select the **Home | Microsoft 365** tab and then in the column of app icons on the left side of the screen, select the **Outlook** icon. 65 | 66 | 3. Holly Dickson's **Outlook** mailbox will open in a new tab in your browser, and Holly's **Inbox** will be displayed. 67 | 68 | 4. 
Select the **New mail** button at the top of the screen. 69 | 70 | 5. In the email form that appears, enter the following information: 71 | 72 | - To: You will be sending an email to the MOD Administrator, so enter **mod** in the **To** field and then select the **MOD Administrator** email address from the user list. 73 | 74 | - Add a subject: **Test email with an unblocked URL** 75 | 76 | - Body of the message: **This message is linked to an unblocked URL.** 77 | 78 | 6. Select the entire text string that you just added in the body of the message. 79 | 80 | 7. A row of formatting icons should appear. Select the **Link** icon, which depicts two half-ovals with a line in between. 81 | 82 | 8. In the **Insert link** window that appears, the text that you highlighted in the body of the message should be displayed in the **Display as** field. In the **Web address (URL)** field, enter the following URL: **http://adatum.com/aboutus**. 83 | 84 | 9. Select **OK**. In the body of the email, the message should now be hyperlinked. 85 | 86 | 10. Select the **Send** button. Select Holly's **Sent Items** folder to verify the message was sent. 87 | 88 | 11. Select the **New mail** button in the upper left part of the screen. 89 | 90 | 12. In the email form that appears in the right-hand pane, enter the following information: 91 | 92 | - To: You will be sending an email to the MOD Administrator, so enter **mod** in the **To** field and then select the **MOD Administrator** email address from the user list. 93 | 94 | - Add a subject: **Free stuff for Adatum users** 95 | 96 | - Body of the message: **Please click on me for free toys from Tailspin Toys.** 97 | 98 | 13. Select the entire text string that you just added in the body of the message. 99 | 100 | 14. A row of formatting icons should appear. Select the **Link** icon, which depicts two half-ovals with a line in between. 101 | 102 | 15. 
In the **Insert link** window that appears, the text that you highlighted in the body of the message should be displayed in the **Display as** field. In the **Web address (URL)** field, enter the following URL: **https://tailspintoys.com/aboutus/freetoys**. 103 | 104 | 16. Select **OK**. In the body of the email, the message should now be hyperlinked. 105 | 106 | 17. Select the **Send** button. Select Holly's **Sent Items** folder to verify the message was sent. 107 | 108 | 18. You now want to go to the MOD Administrator's Inbox in Outlook and validate whether the blocked URL functionality that you configured worked on the two emails that you just sent from Holly to the MOD Administrator.
109 | 110 | To do this, you must first switch to the Client 2 VM (**LON-CL2**). 111 | 112 | 19. At the end of Lab 2, you should have logged into LON-CL2 as the local **Admin** account (lon-cl2\admin).
 113 | 114 | If you didn't do this, and you're still logged in as Laura Atkins from the end of Lab 2, then select **Ctrl+Alt+Delete**, select **Switch user**, and then log in as **LON-CL2\Admin** with a password of **Pa55w.rd**. 115 | 116 | 20. On **LON-CL2**, select the **Microsoft Edge** icon in the taskbar, maximize the window and then enter the following URL in the address bar: **https://outlook.office365.com** 117 | 118 | 21. In the **Pick an account** window, select **Use another account**, and then in the **Sign in** window, enter the username for the MOD Administrator account (**admin@xxxxxZZZZZZ.onmicrosoft.com**). 119 | 120 | 22. In the **Enter password** window, enter the MOD admin's password (either the Administrative password provided by your lab hosting provider if you were not required to change the MOD admin's password the first time you signed in, or the New Administrative Password if you were) and select **Sign in**. 121 | 122 | 23. In the MOD Administrator's **Inbox**, perform the following checks:
123 | 124 | - Verify that you received the first email that Holly sent that contained the Subject line "**Test email with an unblocked URL**". This email showed that the email system is working, and that an email with an unblocked URL could successfully be sent and not be blocked by Safe Links since it isn't malicious. 125 | 126 | - Next, verify that Holly's email with the Subject line "**Free stuff for Adatum users**" never arrived in the MOD Administrator's Inbox. Since you already verified from Holly's Sent Items folder that the email was sent, the fact that it never arrived verifies that the email was blocked due to the blocked URL. 127 | 128 | 24. You now want to go back to Holly's Outlook mailbox, open the email with the subject line "**Free stuff for Adatum users**" that's in Holly's Sent Items folder, and verify the Safe Links policy that you created is working.
129 | 130 | To do this, you must first switch back to the Client 1 VM (**LON-CL1**). 131 | 132 | 25. On LON-CL1, you should still be in the **Sent Items** folder in Holly's Outlook mailbox. Select the email with the subject line "**Free stuff for Adatum users**" to open the email message, and then select the hyperlinked message in the body of the email. 133 | 134 | 26. A new tab should open in your **Edge** browser that attempts to take you to the **https://tailspintoys.com/aboutus/freetoys** site. The web page that appears should display the following warning message: **This website is classified as malicious.**
135 | 136 | **Note:** In the Safe Links policy that you created, you selected the option to have Safe Links check a list of known, malicious links whenever a user selects a link in an email. So when you selected this link in the email message to the http://tailspintoys.com URL that was on the blocked list, Safe Links returned the malicious website warning page. You just verified that the Safe Links policy that you created is working. 137 | 138 | 27. You should now prepare LON-CL2 for the next lab that will use it. Switch back to the Client 2 VM (**LON-CL2**). 139 | 140 | 28. In LON-CL2, select the circle with the **MA** initials in the top corner of your Edge browser. In the **MOD Administrator** profile window that appears, select **Sign out**. 141 | 142 | 29. Once you are signed out of Outlook, the Edge browser should close if no other tabs were open. If other tabs were still open, close those tabs now so that your Edge browser closes. LON-CL2 is now ready for use in Lab 6. 143 | 144 | 30. Switch back to the Client 1 VM (**LON-CL1**). In your Edge browser, close the tab displaying **This website is classified as malicious.** Leave your Edge browser open and proceed to the next lab. 145 | 146 | 147 | # End of Lab 5 148 | 149 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_08_Lab8_Ex1_Manage_DLP_Policies.md: -------------------------------------------------------------------------------- 1 | # Learning Path 8 - Lab 8 - Exercise 1 - Manage DLP Policies 2 | 3 | In your role as Holly Dickson, Adatum’s new Microsoft 365 Administrator, you have Microsoft 365 deployed in a virtualized lab environment. As you proceed with your Microsoft 365 pilot project, your next steps are to implement Data Loss Prevention (DLP) policies at Adatum. You will begin by creating a custom DLP policy in this exercise, and then you’ll test DLP policies related to email message archiving and emails with sensitive data. 
 4 | 5 | ### Task 1 – Create a DLP policy with custom settings 6 | 7 | In this task you will create a Data Loss Prevention policy in the Microsoft Purview portal to protect sensitive data from being shared by users. The DLP Policy that you create will inform your users if they want to share content that contains IP addresses. 8 | 9 | The policy will contain two rules, or actions, each of which is dependent on the number of IP addresses in the message. If the message contains one IP address, the policy will notify people with a policy tip and still email the message. However, if the content contains two or more IP addresses, then the message will be blocked, an incident email with a high sensitivity level will be sent to the sender, and a policy tip will be displayed that allows the sender to override the email blockage if the sender provides a business justification within the policy tip. 10 | 11 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 12 | 13 | 2. In **Microsoft Edge**, the Microsoft Purview portal should still be open; if not, then open a new tab and navigate to **https://purview.microsoft.com**. 14 | 15 | 3. In the **Microsoft Purview** portal, select **Solutions** in the navigation pane. In the **Solutions** menu, select **Data Loss Prevention**. In the **Data Loss Prevention** menu, select **Policies**. 16 | 17 | 4. In the **Policies** page, select the **+Create policy** option on the menu bar to start the **Create policy** wizard. 18 | 19 | 5. On the **Choose what type of data to protect** page, select **Data stored in connected sources** and then select **Next**. 20 | 21 | 6. On the **Start with a template or create a custom policy** page, the **Categories** column displays the policy categories. Each policy category provides Regulations that can be used to create that type of policy, except for the **Custom** category. 
This category does not provide any specific template; instead, it enables organizations to create custom policies from scratch. When you select a category, a **Regulations** column appears that displays the available Regulations to choose from for the selected category. When you select a template, another column appears that displays the type of information that is protected in that template.
22 | 23 | For example, select **Financial** in the side pane and then scroll through the various Regulations that you can choose from in the **Regulations** column. Select one or two of the Regulations to see what type of information it protects. If you want, select each of the remaining categories to see what type of Regulations are provided. 24 | 25 | 7. For the purpose of this lab, you will create a custom DLP policy. Select **Custom** in the **Categories** column, select the **Custom policy** template in the **Regulations** column, and then select **Next**. 26 | 27 | 8. In the **Name your DLP policy** page, enter the following information and then select **Next**:
28 | 29 | - Name: **IP Address DLP policy** 30 | - Description: **This policy detects the presence of IP addresses in emails. End users are notified of the detection and admins receive a notification. Emails with 2 or more IP addresses are blocked from being sent.** 31 | 32 | 9. On the **Assign admin units** page, select **Next**. 33 | 34 | 10. On the **Choose where to assign the policy** page, verify the Checkbox is selected for the following locations (if any of these locations is not set to selected by default, then add them now):
35 | 36 | - **Exchange email** 37 | - **SharePoint sites** 38 | - **OneDrive accounts** 39 | - **Teams chats and channel messages** 40 | 41 | Set all other locations to **Off** by unchecking them, and then select **Next**. 42 | 43 | 11. On the **Define policy settings** page, the **Create or customize advanced DLP rules** option should be set by default (if it isn't already selected by default, then select it now) and then select **Next**. 44 | 45 | 12. On the **Customize advanced DLP rules** page, select the **+Create rule** option on the menu bar. 46 | 47 | 13. On the **Create rule** page, enter the following information: 48 | 49 | - Name: **Single IP Address rule** 50 | 51 | - Description: **Email contains an IP address** 52 | 53 | - In the **Conditions** section, select **+Add condition** and then select **Content contains** from the drop-down menu that appears. Then enter the following condition settings: 54 | 55 | - In the **Content contains** field, select the **Add** drop-down menu and then select **Sensitive info types**. 56 | 57 | - In the **Sensitive info types** pane, type **IP** inside the **Search** field and then hit Enter. 58 | 59 | - In the search results, select the **IP Address** check box and then select **Add**. 60 | 61 | - Scroll down to the **User notifications** section, set the **Use notifications to inform your users and help educate them on the proper use of sensitive info** toggle switch to **On**. 62 | 63 | - Select the **Notify users in Office 365 service with a policy tip** checkbox. In the **Policy tips** section, select the **Customize the policy tip text** check box. 64 | 65 | - Holly wants you to customize the Policy Tip message, so enter the following text in this field: **ATTENTION! You have entered sensitive information (an IP address) in this message. 
You will not be prevented from sending this message, but please review whether the recipients are authorized to see this sensitive data.** 66 | 67 | - Select the **Show the policy tip as a dialog for the end user before send (available for Exchange workload only)** checkbox. 68 | 69 | - In the **Incident reports** section, verify the **Send an alert to admins when a rule match occurs** toggle switch is set to **On** (if necessary, set it to **On**) 70 | 71 | - Select the **Save** button at the bottom of the page. 72 | 73 | 14. On the **Customize advanced DLP rules** page, the **Single IP Address rule** that you just created should now appear. Select the **+Create rule** option to create the second DLP rule. 74 | 75 | 15. On the **Create rule** page, enter the following information: 76 | 77 | - Name: **Multiple IP Address rule** 78 | 79 | - Description: **Email contains two or more IP addresses** 80 | 81 | - In the **Conditions** section, select **+Add condition** and then select **Content contains** from the drop-down menu that appears. Then enter the following condition settings: 82 | 83 | - In the **Content contains** field, select the **Add** drop-down menu and then select **Sensitive info types**. 84 | 85 | - In the **Sensitive info types** pane, type **IP** inside the **Search** field and then hit Enter. 86 | 87 | - Select the **IP Address** check box and then select **Add**. 88 | 89 | - Under the **Sensitive Info types** section, the **IP Address** info type is displayed. On the right side of the IP Address row, the **Instance count** setting is set from **1** to **Any**. Change the value of the first field from 1 to **2**. By making this change, this rule will only apply if 2 or more IP addresses appear in the email. 90 | 91 | - In the **Actions** section, select **+Add an action**. In the drop-down menu that appears, select **Restrict access or encrypt the content in Microsoft 365 locations**. 
Then enter the following action settings: 92 | 93 | - If no options appear under the **Restrict access or encrypt the content in Microsoft 365 locations** section, then select it now to expand this section. This section should display the **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files** option, which is selected by default. Keep this option selected. 94 | 95 | - Under the **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files** option, select the **Block everyone** option. 96 | 97 | - In the **User notifications** section, set the **Use notifications to inform your users and help educate them on the proper use of sensitive info** toggle switch to **On**. 98 | 99 | - Select the **Notify users in Office 365 service with a policy tip** checkbox. In the **Policy tips** section, select the **Customize the policy tip text** check box. 100 | 101 | - Holly wants you to customize the Policy Tip message, so enter the following text in this field: **ATTENTION! You have entered sensitive information (multiple IP addresses) in this message. You will be blocked if you attempt to send this message. Overriding this block indicates you have authorized sending this sensitive data to the recipients.** 102 | 103 | - Select the **Show the policy tip as a dialog for the end user before send (available for Exchange workload only)** checkbox. 104 | 105 | - In the **User overrides** section, select the **Allow overrides from Microsoft 365 files and Microsoft Fabric items** check box. This enables additional settings that indicate how overrides will be handled. 
Select each of the check boxes for the following two options: 106 | 107 | - **Require a business justification to override** 108 | - **Override the rule automatically if they report it as a false positive** 109 | 110 | - In the **Incident reports** section, verify the **Send an alert to admins when a rule match occurs** toggle switch is set to **On** (if necessary, set it to **On**). 111 | 112 | - Select the **Save** button at the bottom of the page. 113 | 114 | 16. On the **Customize advanced DLP rules** page, both the **Single IP Address rule** and **Multiple IP Address rule** should now appear. Select **Next**. 115 | 116 | 17. On the **Policy mode** page, select the **Turn the policy on immediately** option and then select **Next**. 117 | 118 | 18. On the **Review and finish** page, review the policy that you just created. If anything needs to be corrected, select the appropriate **Edit** option and make your corrections. When everything appears OK, select **Submit**. 119 | 120 | 19. It may take a minute or so for the **New policy created** page to appear. When it does, select **Done**. 121 | 122 | 20. Leave your Edge browser open. Do not close any of the tabs. 123 | 124 | 125 | You have now created a DLP policy that scans for IP addresses in emails and documents that are sent or shared in your organization. 126 | 127 | 128 | ### Task 2 – Turn off the Send to Kindle feature that bypasses DLP policies 129 | 130 | Holly Dickson, Adatum's Microsoft 365 administrator, recently learned about a **Send to Kindle** feature in Microsoft 365 that lets you send Microsoft Word documents directly to your Kindle library in mere minutes. A transferred file can appear like a Kindle book with adjustable font sizes or like a printed document with fixed layouts so as to preserve your page-design formatting. 131 | 132 | The issue with this feature is that DLP policies don't take into account Word file sharing to Kindle, which in effect bypasses the DLP controls. 
Since Adatum won't be using this **Send to Kindle** feature, Holly wants to turn it off to avoid any possibility of users bypassing the company's DLP policies. 133 | 134 | To turn off this setting, you must create a policy for Office apps in the Microsoft Intune admin center. In the policy that you create, you'll add the **Turn off Send to Kindle** setting to the policy, and you'll then enable this setting. Enabling this setting in the policy turns off the **Send to Kindle** feature once you finish creating the policy. At that point, users will no longer be able to send Word documents to their Kindle library. 135 | 136 | **Note:** This issue is something that you should consider addressing in your real-world Microsoft 365 deployments. For more information on this **Send to Kindle** feature, see https://support.microsoft.com/en-us/office/send-to-kindle-a53d880d-9952-4bf1-abc5-6bce8db5a273. 137 | 138 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 139 | 140 | 2. In your Edge browser, locate the **Microsoft 365 admin center** tab. In the Microsoft 365 admin center's navigation pane, under the **Admin centers** group, select **Microsoft Intune**. 141 | 142 | 3. In the **Microsoft Intune admin center** that opens up in a new tab, select **Apps** in the navigation pane. 143 | 144 | 4. On the **Apps | Overview** page, in the middle navigation pane, select **Policies for Microsoft 365 apps** under the **Manage apps** section. 145 | 146 | 5. On the **Apps | Policies for Microsoft 365 apps** page, select the **Create** button. This initiates the wizard to create a new policy. In the remaining steps, you'll enable the **Turn off Send to Kindle** setting within this policy. 147 | 148 | 6. On the **Start with the basics** page, enter **Turn off Send to Kindle setting** in the **Name** field and then select **Next**. 149 | 150 | 7. 
On the **Choose the scope** page, select the **This policy configuration applies to all users** option and then select **Next**. 151 | 152 | 8. On the **Configure Settings** page, note the metrics that are displayed above the list of settings. There are over 2300 Office app settings for your tenant configuration. To quickly locate this setting, enter **Kindle** in the **Search** field and then press **Enter**. This should display any policies with **Kindle** in the policy name. 153 | 154 | 9. As you can see, there's only one Kindle setting, which is **Turn off Send to Kindle**. Select this setting, which opens the **Turn off Send to Kindle** pane. 155 | 156 | 10. In the **Turn off Send to Kindle** pane, the platforms and applications that this setting applies to are displayed. Under the description, select the **Show more** option. Finish reading the complete description of this setting. 157 | 158 | 11. Select the drop-down arrow in the **Configuration setting** field. In the drop-down menu that appears, select **Enabled**. 159 | 160 | 12. At the bottom of the pane, select the **Apply** button. 161 | 162 | 13. On the **Configure Settings** page, the **Turn off Send to Kindle** policy should appear, and its **Status** should be set to **Configured**. Select **Next**. 163 | 164 | 14. On the **Review configuration and create** page, select the **Create** button. 165 | 166 | 15. On the **Policy configuration created** page, select **Done**. 167 | 168 | 16. Leave your Edge browser open. Do not close any of the tabs. 169 | 170 | 171 | By enabling this **Turn off Send to Kindle** setting in the new policy that you just created, you have turned off the **Send to Kindle** feature. This will prevent Adatum users from sending Word documents to their Kindle library, which bypasses the company's DLP policies. 
172 | 173 | 174 | # Proceed to Lab 8 - Exercise 2 175 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_06_Lab6_Ex5_AttackSim_Phishing_attack.md: -------------------------------------------------------------------------------- 1 | # Learning Path 6 - Lab 6 - Exercise 5 - Conduct a Spear Phishing attack using Attack Simulation training 2 | 3 | Holly Dickson is concerned that some users at Adatum may require education about phishing attacks. As part of her pilot project, Holly has decided to use the Microsoft 365 Attack simulation training feature to determine her users' susceptibility to phishing attacks. 4 | 5 | **Important:** To use Microsoft's Attack Simulation training feature to simulate a phishing attack, the administrator who runs the simulation must be enabled for Multifactor Authentication (MFA). Since Holly is a member of the Microsoft 365 pilot project group that is excluded from MFA per the Conditional Access policy that you created in an earlier lab, she isn't required to use MFA. So in order to run the Attack Simulation training, you must turn on MFA for Holly's user account. While most organizations will typically use Conditional Access to implement MFA - just as you did previously - you can optionally turn on MFA for a specific user account. Microsoft recommends that from a security standpoint, it's best to use this option on an exception or as needed basis. This training session is one of those situations, so you will use this method to enable Holly to complete this attack simulation training exercise. 6 | 7 | ### Task 1: Enable Multifactor Authentication for the attack simulation admin 8 | 9 | To use Microsoft's Attack simulation training feature to simulate a phishing attack, the admin who will run the simulation must be enabled for MFA. 
Since Holly is part of the Microsoft 365 pilot project group that she excluded from MFA in the earlier Conditional Access policy, she will enable MFA for her user account only. After she finishes running the Attack simulation training, she will disable MFA for her account. 10 | 11 | **Important:** To implement MFA for Holly's account, you must use your mobile phone to receive a verification code so that you can enter it into your tenant as Holly's second form of authentication. If you don't have a phone, you will have to skip this lab. If this is the case, notify your instructor, who can potentially partner you with another student to follow along through this lab. 12 | 13 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 14 | 15 | 2. To enable MFA for Holly Dickson's user account, select the **Microsoft 365 admin center** tab in your browser. In the navigation pane, select **Users** and then select **Active users**. 16 | 17 | 3. In the **Active users** window, on the menu bar at the top of the user list, select **Multi-factor authentication**. If this option does not appear on the menu bar, select the **ellipsis (More actions)** icon, and in the drop-down menu that appears, select **Multi-factor authentication**. 18 | 19 | 4. A **multi-factor authentication** window appears in a new Edge browser tab. The **users** tab is displayed by default. Note the MFA status for all existing user accounts is **Disabled**. The Conditional Access policy that you created earlier does NOT enable the MFA status for each individual user. Rather, that policy is dynamically applied at each user sign-in to determine whether MFA is required for the user who is signing in. If MFA is not applied to a user based on the policy, then the user's individual MFA status is checked on their account.
20 | 21 | Select the check box for **Holly Dickson** (the .onmicrosoft version), and in Holly's properties pane that appears on the right, select **Enable** under the **quick steps** section. 22 | 23 | 5. On the **About enabling multi-factor auth** dialog box that appears, select the **enable multi-factor auth** button. When the **Updates successful** dialog box appears, select **close**. 24 | 25 | 6. In the **multi-factor authentication** window, verify that Holly's MFA Status has changed to **Enabled**. 26 | 27 | 7. Close the **Multi-factor authentication** tab in your Edge browser. This should return you to the **Microsoft 365 admin center** tab. 28 | 29 | 8. You must now sign out of Microsoft 365 as Holly, close your browser session (to clear cache), open a new session, and then log back into Microsoft 365 as Holly using MFA. The first time you sign back in after having MFA enabled for your user account, you will be asked for the authentication information needed for MFA, such as your phone number and authentication options. You will then be texted a verification code to validate the authentication process works. You will perform these steps in the remaining portion of this task.
30 | 31 | You must begin by signing out of Microsoft 365 as Holly, so select the **HD** user icon in the upper right corner of the browser and in the **Holly Dickson** window that appears, select **Sign out**. 32 | 33 | 9. Once you are signed out, close your Edge browser. 34 | 35 | 10. Select the **Edge** icon on your taskbar to open a new browser session. In your browser go to the **Microsoft 365 Home** page by entering the following URL in the address bar: **https://www.microsoft365.com/** 36 | 37 | 11. In the **Pick an account** window, select **Holly@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider) and then select **Next**. In the **Enter password** window, enter the new Administrative Password that you assigned to Holly's account. Select **Sign in**. 38 | 39 | 12. Because MFA is enabled for Holly, a **More information required** window appears. Select **Next**. 40 | 41 | 13. On the **Microsoft Authenticator** page that appears, you can download this mobile app or use a different method for MFA verification. For the purposes of this lab, we recommend you use your mobile phone so that you do not have to take time installing the Microsoft Authenticator app that you may not use again after this training class. Select the **I want to set up a different method** option at the bottom of the page (**Important:** Do NOT confuse this link with the **I want to use a different authenticator app** that appears above it). 42 | 43 | 14. On the **Choose a different method** dialog box that appears, select the drop-down arrow in the **Which method would you like to use?** field, select **Phone**, and then select **Confirm**. 44 | 45 | 15. In the **Phone** window that appears, under **What phone number would you like to use?** field, select your country or region, and then in the field next to it, enter your phone number (use your country specific formatting). 
Verify the **Receive a code** option is selected and then select **Next**. 46 | 47 | 16. Retrieve the verification code from the text message that is sent to your phone. 48 | 49 | 17. In the **Phone** window, enter the 6-digit verification code in the code field and then select **Next**. When the **Phone** window displays a message indicating your phone was registered successfully, select **Next**. 50 | 51 | 18. On the **Success!** page, select **Done**. 52 | 53 | 19. If a **Stay signed in?** dialog box appears, select the **Don’t show this again** check box and then select **Yes.** 54 | 55 | 20. On the **Home | Microsoft 365** tab, select the **Admin** icon that appears in the column of app icons on the side of the screen. This opens the **Microsoft 365 admin center** in a new browser tab. 56 | 57 | 21. In the **Microsoft 365 admin center**, select **Show all** in the navigation pane. Under **Admin centers**, select **Security**. This will open the **Microsoft Defender** portal. You will resume from here in the next task when you launch a spear phishing attack using Attack simulation training. 58 | 59 | 22. You have now configured MFA for Holly Dickson, you have signed into the Microsoft 365 admin center as Holly using MFA, and you're ready to run the Attack simulator training in the Microsoft Defender portal. Leave everything as is in your VM and proceed to the next task. 60 | 61 | 62 | ### Task 2: Configure and launch a Spear Phishing attack 63 | 64 | Microsoft 365 includes an Attack simulation training feature that enables you to create simulations and run them against all your users or a select group of users. Each phishing attack includes what is referred to as the "payload", which is the message in the system-generated email that contains the malicious component hackers use to gather information, deposit malicious code, and so on. 
The Attack simulation training feature includes a number of payload templates that you can choose from, and you can create your own payload if you so desire. 65 | 66 | In this lab exercise, you will use one of the existing payload templates. In the next lab exercise, you will create your own custom payload. 67 | 68 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 69 | 70 | 2. You should still have the **Microsoft Defender** portal open in your **Edge** browser from the prior task. If not, enter **https://security.microsoft.com** in the address bar, and then if you receive a dialog box asking for a second form of authentication, proceed through the verification process. If not, sign-in as Holly using the **Administrative username** and **Administrative password** provided by your lab-hosting provider and if required, complete the MFA sign-in process. 71 | 72 | 3. In the **Microsoft Defender** portal, under the **Email & collaboration** section in the navigation pane, select **Attack simulation training**. If a **Welcome to Attack simulation training** window appears, select **Close**. 73 | 74 | 4. On the **Attack simulation training** page, Holly has decided to conduct a simulated account breach in which she will use a URL to try and obtain usernames and passwords. This is referred to in the Attack Simulator as a **Credentials Harvest** attack.
75 | 76 | Note the tabs that appear across the top of the **Attack simulation training** page (where the **Overview** tab is displayed by default). You can launch this attack either from the **Simulations** tab or by selecting the **Launch a simulation** link on the **Overview** tab. Since the **Overview** tab has additional information and is the default page when selecting the **Attack simulation training** service, it is recommended that you launch it from there so that you can learn about the specifics of this type of attack.
77 | 78 | On the **Overview** tab, scroll down to the **Recommendations** section. You may need to scroll up or down in this section to see the **Launch a phishing simulation using other social engineering techniques** recommendation. Under this recommended attack, select **Create another simulation with new technique**. This initiates the **Create Simulation** wizard. 79 | 80 | 5. On the **Select Technique** page, review the specific information related to the **Credentials Harvest** attack type option. At the bottom of the **Credential Harvest** option, select the **View details of Credential harvest** link. This opens a **Credential Harvest** pane on the right. Review the **Description** and the **Simulation steps** for this type of attack. When you're done, close the **Credential Harvest** pane. 81 | 82 | 6. On the **Select Technique** page, select the **Credentials Harvest** attack type if it's not already selected by default, and then select **Next**. 83 | 84 | 7. In the **Simulation** wizard, the steps involved in the simulation are displayed in the side pane. While you can manually create a phishing campaign, it is recommended that you take advantage of the available templates that will prefill most of the information for you. The key to a successful phishing attack is to create a very intriguing, real-world looking email, and the templates provide very creative solutions.
85 | 86 | On the **Name Simulation** page, provide the following information: 87 | - Simulation Name: **PhishingTest1** 88 | - Description: **This simulation provides insight on targeted email threats against users inside the company** 89 | 90 | 8. Select **Next**. 91 | 92 | 9. On the **Select payload and login page** window, select the check box to the left of the **Payment for Package** payload. Select **Next**. 93 | 94 | **Note:** If the **Payment for Package** payload does not appear, select another Payload of your choice. A payload is the link or attachment in the simulated phishing email message that's presented to users. In the real-world, you'd want to use a payload that works best for your organization. 95 | 96 | 11. On the **Target Users** page, select the **Include all users in my organization** option. This will display all of Adatum's users. Select **Next**, and then on the **Exclude users** page, select **Next** again. 97 | 98 | 12. On the **Assign Training** page, under the **Preferences** section, the **Assign training for me (Recommended)** option should be selected by default (if not, select it now). Select the **Due Date** field. In the drop-down menu that appears, select **7 days after Simulation ends** and then select **Next**. 99 | 100 | 13. On the **Select Phish landing page** window, scroll down to the **Global landing pages** tab, which should be displayed by default. This tab displays a list of predefined landing page templates. Select the **Microsoft Landing Page Template 1** name to preview the page. 101 | 102 | 14. A preview of the **Microsoft landing page** for this template appears in a new pane. This preview pane provides an example of what the landing page will look like when someone experiences a phishing attack and the simulation uses **Microsoft Landing Page Template 1**. Scroll down through this preview panel and review the features. When you're finished, select the **Close** button at the bottom of the preview pane. 
103 | 104 | 15. You will now look at some of the other landing page templates until you find one that you want to use for this simulation. On the **Select Phish landing page** window, select one of the other templates (select the name of the template and not its checkbox). Examine the preview pane and note how the landing page for this template is different from **Microsoft Landing Page Template 1**. When you're finished, select the **Close** button at the bottom of the preview pane. 105 | 106 | 16. Repeat the prior step and select another template. Note how this template is different from the other two you looked at.
107 | 108 | Repeat this step as many times as you would like until you find a template that you want to use for this simulation. When you're finished reviewing templates, select the checkbox for the template that you want to use on the **Select Phish landing page** and then select **Next**. 109 | 110 | 17. On the **Select end user notification** page, choose how you want the end user to be notified. For the purpose of this lab, select **Microsoft default notification (recommended)**. In the list of notifications that appears, configure the following notifications: 111 | 112 | - Microsoft default positive reinforcement notification - set **Delivery preferences** to **Deliver after simulation ends** 113 | - Microsoft default training reminder notification - set **Delivery preferences** to **Weekly** 114 | 115 | 18. Select **Next**. 116 | 117 | 19. On the **Launch Details** page, select the **Launch this simulation as soon as I'm done** option and then select **Next**. 118 | 119 | 20. On the **Review Simulation** page, review the entered information. If anything needs to be changed, select the appropriate **Edit** option to make the change. Once everything is correct, select **Submit**. It may take a few minutes before you receive a confirmation stating **Simulation has been scheduled for launch**. Select **Done**.
120 | 121 | **Note:** Once the simulated spear phishing attack is launched, it may take up to 15 minutes for the system to generate the email and send it to all Adatum users. Rather than waiting for the email to be generated, you will validate the email and review the diagnostic results of the attack in Exercise 7, task 4. 122 | 123 | 21. Leave your Edge browser and all tabs open and proceed to the next exercise. 124 | 125 | # Proceed to Lab 6 - Exercise 6 126 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_02_Lab2_Ex2_Monitor_Microsoft_365.md: -------------------------------------------------------------------------------- 1 | # Learning Path 2 - Lab 2 - Exercise 2 - Monitor and Troubleshoot Microsoft 365 2 | 3 | In this exercise you will be introduced to some troubleshooting tools in Microsoft 365 that enable you to troubleshoot mail flow issues. You will then analyze Adatum’s Microsoft 365 service health by reviewing several of the key service health queries and reports that are available. You will conclude this exercise by reviewing how to submit a service request with the Microsoft Support team should you ever need assistance with a problem. 4 | 5 | ### Task 1 - Troubleshoot Mail Flow in Microsoft 365 6 | 7 | Holly Dickson, Adatum's new Microsoft 365 Administrator, wants to prepare herself for any potential mail flow problems that may occur within Adatum’s Exchange environment. As part of her pilot project, she has decided to create two test scenarios to analyze some of the troubleshooting options available to her. One email will be sent to an email address with an invalid domain (@alt.none). Another will be sent to an address with an invalid mailbox in a valid domain (@outlook.com). This task guides Holly through a variety of tools that she can use to troubleshoot different mail conflict scenarios. 8 | 9 | 1. 
You should still be logged into LON-CL1 after having completed the prior exercise, and you should still be logged into Microsoft 365 as Holly Dickson. 10 | 11 | 2. In your **Microsoft Edge** browser, select the **Home | Microsoft 365** tab to display Holly's Microsoft 365 Home page, which should still be open. If the home page isn't open, then navigate to **https://www.microsoft365.com** and log in as **Holly@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider) and where the password is the New Administrative Password that you assigned to her account. 12 | 13 | 3. In the **Welcome to Microsoft 365** page, select **Apps**. On the **Apps** page, close the **Welcome to Apps** window by selecting the **X** in the upper-right corner of the window. In the row of app tiles, select **Outlook**. 14 | 15 | 4. If you're automatically signed into Outlook using Holly's account, then proceed to the next step. However, if a **Pick an account** window appears, select Holly's account of **Holly@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider).
16 | 17 | If an **Enter password** window appears, enter the New Administrative Password that you assigned to Holly's account and then select **Sign in**.
18 | 19 | If a **Stay signed in?** window appears, select the **Don't show this again** check box and select **Yes**. 20 | 21 | 5. Holly's **Inbox** will be displayed in Outlook. If a **Welcome** window appears, select the **X** in the upper-right corner of the window to close it.
22 | 23 | In Holly’s mailbox, at the top of the navigation pane, select the **New Mail** button to create a new email. 24 | 25 | 6. In this email, you will send the mail to an email address in which the domain (alt.none) is an invalid domain. In the email pane that appears, enter **user@alt.none** in the **To** field. In the drop-down menu that appears, select **Use this address: user@alt.none**. 26 | 27 | 7. Enter **Testing invalid domain** in the **Subject** field and then select **Send** to send the email. 28 | 29 | 8. Wait for the non-delivery report (NDR) message to appear in Holly’s Inbox, then double-click the message to open it in a new window. This will make it easier to copy the text of the message in the next step. 30 | 31 | 9. In the message window, scroll down through the message until you reach the body of text that says **Diagnostic information for administrators**. Select the text in the body of the message starting AFTER **Original message headers** through the end of the message. With this text selected, press **Ctrl+C** to copy it to the clipboard, and then close the message window. 32 | 33 | 10. Open a new tab in your web browser and enter the following URL in the address bar: **https://testconnectivity.microsoft.com**. 34 | 35 | 11. This opens the **Microsoft Remote Connectivity Analyzer** portal. In the navigation bar on the left, select **Message Analyzer**. This opens the **Message Header Analyzer** tool. 36 | 37 | 12. Take a moment to review the **Message Header Analyzer** tool. It consists of two sections:
38 | 39 | - In the top section, you will paste in the diagnostic data that you copied from the NDR email message. 40 | - In the bottom section, the tool will display its analysis of this data. 41 | 42 | 13. In the **Message Analyzer Header** window, paste the NDR diagnostic data (right-click and select **Paste**, or press **Ctrl+V**) in the field that appears below the **Insert the message header you would like to analyze** row. Then select the **Analyze headers** button. 43 | 44 | 14. SMTP message headers contain a wealth of information that allows you to determine the origins of a message and how it made its way through one or more SMTP servers to its destination. Here’s a quick summary of the information found in this header analysis:
45 | 46 | - **Summary section**: Displays the most important properties and total delivery time at a quick glance. Depending on the diagnostic data (for example, if a message was even sent), this section may or may not appear. 47 | 48 | - **Received headers section**: Displays the more important header properties and delivery time. Lets you analyze the received headers and quickly shows the longest delays, which helps you find the sources of message transfer delays. 49 | 50 | - **Other headers section**: Enables you to quickly detect where the longest message transfer delays occurred. You can sort all headers by occurrence number, name, or value. 51 | 52 | The primary problem in this example (see the **Other headers** section, Hop 1) is that the DNS domain of the email address (**@alt.none**) does not exist. While you purposely entered an invalid domain for the purpose of this lab exercise, this error is normally caused by a typo in the recipient’s domain name that needs to be corrected to resolve the issue. 53 | 54 | 15. Select the **Clear** option that appears to the right of the **Analyze headers** button; this will reset the Message Header Analyzer window. 55 | 56 | 16. Select the **Mail - Holly Dickson - Outlook** tab in your browser. In Holly's mailbox, select **New mail** to create a new email. 57 | 58 | 17. In this email, you will send the mail to a non-existent mailbox in a valid domain (outlook.com). In the **To** field, enter an email address consisting of a random series of numbers followed by your name (for example, **nnnnnnnnYourName@outlook.com**). In the drop-down menu that appears, select **Use this address: nnnnnnnnYourName@outlook.com**. 59 | 60 | 18. Enter **Testing invalid mailbox** in the **Subject** field and then send the email. 61 | 62 | 19. Wait for the non-delivery report (NDR) message to appear in Holly’s Inbox, then double-click the message to open it in a new window.
63 | 64 | **Note:** If you do not receive an NDR reply within a minute (or less) after sending the email, then someone has created that mailbox in the outlook.com domain. If this occurs, then send another email to a different mailbox address that you feel is completely bogus. If necessary, continue trying different email addresses until you receive an NDR reply. 65 | 66 | 20. In the window for the NDR reply, scroll down through the message until you reach the body of text that says **Diagnostic information for administrators**. Select the text in the body of the message starting AFTER **Diagnostic information for administrators** through the end of the message. With this text selected, press **Ctrl+C** to copy it to the clipboard, and then close the message window. 67 | 68 | 21. Select the **Message Header Analyzer** tab in your browser. 69 | 70 | 22. In the **Message Analyzer Header** window, paste the NDR diagnostic data in the field that appears below the **Insert the message header you would like to analyze** row, and then select **Analyze headers**. 71 | 72 | 23. Review the diagnostic information. In the prior email, the domain of the email address did not exist. In this email, the user mailbox was unavailable. In previous versions of this lab, Hop 1 in the **Other headers** section indicated the user's domain (outlook.com) was valid, but the user mailbox was unavailable. However, either Exchange or the Message Header Analyzer has been changed, and Hop 1 no longer indicates this issue.
73 | 74 | Since the **Other headers** section does not indicate the error that occurred, review the NDR diagnostic data that you pasted into the message header analyzer field. Towards the top of the NDR data, you should see the error: **Remote server returned '550 5.5.0 Requested action not taken: mailbox unavailable**. 75 | 76 | 24. Close both the **Message Header Analyzer** tab and the **Microsoft Remote Connectivity Analyzer** tab in your Edge browser. 77 | 78 | 25. Select the **Microsoft 365 admin center** tab. If you had closed this tab, then select the **Home | Microsoft 365** tab in your Edge browser, select the **App launcher** icon (the square made up of 3 rows of dots) that appears above the **Home** icon in the top left corner of the screen, and then in the **Apps** pane that appears, select **Admin**; this opens the **Microsoft 365 admin center** in a new browser tab. 79 | 80 | 26. On the **Microsoft 365 admin center** page, select **Show all** (if necessary) in the navigation pane. 81 | 82 | 27. Scroll down through the navigation pane, and under **Admin centers,** select **Exchange**. This will open the Exchange admin center in a new tab.
83 | 84 | - If a **Toolbar** window appears, select the **Next** button twice and then the **Finish** button to navigate through the three windows. 85 | - If a **Learn about the new menu** window appears, select the X to close it. 86 | 87 | 28. In the **Exchange admin center**, select **Mail flow** in the navigation pane, and then select **Message trace**. 88 | 89 | 29. In the **Message trace** window, the **Default queries** tab is displayed by default. In this tab, select **+Start a trace** on the menu bar. 90 | 91 | 30. In the **New message trace** pane that appears, both the **Senders** and **Recipients** fields are set to **All** by default. Holly wants to configure the trace to just look for email messages that she sent. In the **Senders** field, enter **Holly**. This displays the list of active users whose name starts with Holly. In the list of users that appears, select **Holly Dickson**. 92 | 93 | 31. Under the **Time range** section, select the slider bar below **1 day** (don't select the **1 day** heading; you must select on the slider bar itself). Note how the slider circle moved under **1 day**. 94 | 95 | 32. The drop-down arrow to the right of **Detailed search options** should be selected by default. This displays options such as Delivery status, Message ID, Direction, and others. If this information isn't displayed under **Detailed search options**, then select the drop-down arrow to expand this section.
96 | 97 | Holly wants to customize the trace to look for failed messages. Select the **Delivery status** field, and in the drop-down menu that appears, select **Failed**. 98 | 99 | 33. Note the **Report type** option is set to **Summary report**. This is the report type that you want to create, so leave this option selected. At the bottom of the page, select the **Search** button. 100 | 101 | 34. In the **Message trace search results** page that appears, if no failed message deliveries appear in the list, you may need to wait several minutes before selecting the **Refresh** button that appears above the item list. You should see the two failed email messages that Holly sent from Outlook - one to **user@alt.none**, and another to **nnnnnnnnYourName@outlook.com**. 102 | 103 | >**Note**: Depending on the recipient mail server, the message you sent to **nnnnnnnnYourName@outlook.com** may show as delivered and may not appear when filtering for **Failed** delivery statuses. 104 | 105 | 35. Select the date and time values (which are hyperlinked) for the first failed message to view the properties pane for that message. This displays the sender, recipient, status, and error information, as well as the **How to fix it** instructions. Select the down arrows for the **Message events** and **More information** sections to view those sections. Once you've finished reviewing the message information, select the **X** in the upper right corner of the pane to close it.
106 | 107 | Repeat this step for the second failed message. 108 | 109 | 36. In the **Message trace search results** window, note the navigation thread at the top of the screen (**Home > Message trace > Message trace search results**). Select the **Message trace** portion of this navigation thread to display the **Message trace** window. Leave this tab open for the next task. 110 | 111 | 37. In your Edge browser, close the **Mail - Holly Dickson - Outlook** tab, but leave the remaining tabs open for the next task. 112 | 113 | 114 | ### Task 2 - Monitor Service Health and Analyze Reports 115 | 116 | Adatum's CTO is concerned with the service health issues that have recently come to light throughout the organization. He has asked Holly to review several of the key service health queries and reports so that she becomes aware of the information that's available to help Adatum monitor its service health. 117 | 118 | 1. On the LON-CL1 VM, select the **User Details Panel - Microsoft 365 admin center** tab within your Edge browser. This tab contains the Microsoft 365 admin center. 119 | 120 | 2. In the **Microsoft 365 admin center** navigation pane, select **Health** and then select **Service health**. 121 | 122 | 3. On the **Service health** page, the **Overview** tab is displayed by default. Select the **Issue history** tab. 123 | 124 | 4. In the **Issue history** tab on the **Service health** window, the default option is to display a list of items from the past 7 days (this filter option appears to the right of the **Search** field). In the list of service health incidents, select the **Title** for any entry in the list to see further details about the incident. Close the incident window when you’re done reviewing it. 125 | 126 | 5. In the **Microsoft 365 admin center**, select **Reports** in the navigation pane, and then select **Usage**. 127 | 128 | 6. On the **Usage** page, scroll down and locate the **Active users - Microsoft 365 Services** chart. 129 | 130 | 7. 
On the same row as this chart, view the **Email activity** chart.
131 | 132 | ‎**Note:** There may be little or no data shown due to the limited mailbox usage in the lab environment. 133 | 134 | 8. Under the **Email activity** chart, select the **View more** button. This displays the **Exchange** report dashboard. At the top of the dashboard, the **Email activity** tab is displayed by default. Select the **Mailbox usage** tab that appears to the right of it. 135 | 136 | 9. The default mailbox usage that is initially displayed is **Past 30 days** (this usage factor appears on the far-right side of the row containing the **Mailbox usage** tab). Select the down-arrow that appears next to **Past 30 days** and select one of the other options that appear in the drop-down menu (**7 days**, **90 days**, and **180 days**) to see how the display changes. 137 | 138 | 10. Scroll down below the charts to see mailbox details for each of the active users. 139 | 140 | 11. Scroll back to the top of the page. On the navigation thread at the top of the page (**Home > Usage > Exchange**), select **Usage** to return to the Usage Overview page. 141 | 142 | 12. Review the various reports on this page. While there may be limited or no data for each report, you can at least get a feel for the type of reporting that's available. 143 | 144 | 13. You now want to review the reports that are available in the **Exchange admin center**. In your browser, you should have the **Message trace - Exchange admin center** tab open from the prior task; if so, select it now. However, if you previously closed this tab, then in the **Microsoft 365 admin center**, under the **Admin centers** group in the navigation pane, select **Exchange**. 145 | 146 | 14. In the **Exchange admin center**, select **Reports** in the navigation pane, and then select **Mail flow**. 147 | 148 | 15. In the **Mail flow reports** window, select **Inbound messages report** (this report has data to view; none of the other reports have data). Review the information displayed for this report. 
149 | 150 | 16. On the navigation thread at the top of the page (**Reports > Mail flow > Inbound messages report**), select **Mail flow** to return to this reporting page. 151 | 152 | 17. In the **Mail flow reports** window, review the various reports that are available. 153 | 154 | 18. Once you have finished reviewing several of the reports, close the **Exchange admin center** tab in your Edge browser but leave the other tabs open for the next task. 155 | 156 | 157 | ### Task 3 – Submit a Help Request to Microsoft Support 158 | 159 | If an organization runs into a situation in Microsoft 365 where it needs assistance with a problem, it must submit a service request to the Microsoft Support team. As part of Adatum's pilot project, Holly Dickson and Patti Fernandez (Adatum's Service Support Administrator) have decided to submit a test request that does not require a call back. They are performing this task to become familiar with the service request process. 160 | 161 | 1. On LON-CL1, in the **Microsoft 365 admin center** tab of your Edge browser, select **Support** in the navigation pane, and then select **View service requests**. 162 | 163 | **Note:** If the navigation pane has been minimized and only displays icons without any text, select the Navigation menu icon (the three horizontal lines) at the top of the navigation pane to expand it and display the accompanying text.
164 | 165 | The **Service request history** window displays any outstanding service request tickets. You should verify that no service request tickets appear on this page.
166 | 167 | 2. In the navigation pane, under the **Support** group, select **Help & Support**. 168 | 169 | 3. In the **How can we help?** pane that appears, select the **Message** field (which currently displays **Example: Can't install Office**) and type the following message: **Can't install Office**. Then select the forward arrow that appears next to the field. This displays self-help solutions with insights and recommended articles to assist with your request. 170 | 171 | 4. Select one of the recommended articles. After reviewing the article, close the Edge browser tab containing the article. This returns you to the **Support article** pane. 172 | 173 | 5. If you need further assistance and would like to speak to a Microsoft support agent, select the **headset** icon (the middle icon) at the top of the **Support article** pane to get help from a Microsoft support agent. Select the **headset** icon now. 174 | 175 | 6. In the **Contact support** pane that appears, do NOT enter any information; instead, just review the information that you would enter to complete this request in a real-world situation. You could also attach any necessary documents before selecting **Contact me** at the bottom of the page.
176 | 177 | **IMPORTANT: Do NOT complete this form in your lab environment.** If you enter this request with the **Phone** option selected, you will receive a call from a Microsoft 365 support representative. We do not want to bother Microsoft Support specialists with calls from students in a training class. 178 | 179 | 7. Select the **X** in the top corner of the page to close the **Contact support** window. 180 | 181 | 8. Leave LON-CL1 and your Edge browser open for the next lab exercise. 182 | 183 | 184 | # Proceed to Lab 2 - Exercise 3 185 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_06_Lab6_Ex7_Validate_Alerts_And_Attacks.md: -------------------------------------------------------------------------------- 1 | # Learning Path 6 - Lab 6 - Exercise 7 - Validate alert notifications and simulated attacks 2 | 3 | This lab included three exercises in which you configured Microsoft 365 to create alert notifications (Exercises 2 through 4). It also included two exercises that created simulated attacks (Exercises 5 and 6). All five exercises generated email notifications, which have to be validated to ensure the alerts and simulated attacks are working properly. 4 | 5 | For each of these exercises, it could take up to 15 minutes for the system to create its corresponding email. Rather than having you wait up to 15 minutes to receive the email at the end of each of those exercises (which is 75 total minutes of wait time; 5 exercises x 15 minutes each), you were instructed to proceed to the next exercise and validate the emails in this final Lab 6 exercise. By this time, hopefully all emails for these five exercises have been generated and you will not have to endure any wait time. 6 | 7 | **Note:** The process of generating the email that's associated with each alert and simulated attack should have started when you completed its corresponding exercise. 
Hopefully, enough time has elapsed from when you finished the prior exercises until you reached their respective validation task in this exercise so that the email is already generated and you don't have to wait for it. If necessary, when you're looking at the respective user's Inbox in each task below, periodically select the **Refresh** icon to the left of the URL address if you're still waiting for a particular email. 8 | 9 | 10 | ### Task 1 – Validate the Mailbox Permission Alert 11 | 12 | In Lab 6, Exercise 2, you configured an alert designed to notify Lynne Robbins when FullAccess permissions are granted to any mailbox within Adatum. You tested this alert by changing the FullAccess permission on Alex Wilber’s mailbox by granting Joni Sherman FullAccess to his mailbox. This activity should have triggered the alert policy that you created, which should have sent an alert notification email to Lynne Robbins’ mailbox. In this task, you will log into LON-CL2 as Lynne Robbins and verify whether she received this email. 13 | 14 | 1. Switch to **LON-CL2**. On **LON-CL2**, you should be signed into the machine as the local **Admin** (lon-cl2\admin) account. Select the **Microsoft Edge** icon in the taskbar, maximize the window (if necessary), and then enter the following URL in the address bar: **https://outlook.office365.com** 15 | 16 | 2. In the **Pick an account** window, if Lynne Robbins' account (**LynneR@xxxxxZZZZZZ.onmicrosoft.com**) appears in the user list, then select it now; otherwise, select **Use another account** and sign in as **LynneR@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider). In the **Enter password** window, enter the New User Password that you previously assigned to Lynne's account and select **Sign in**. 17 | 18 | 3. 
In Lynne's Outlook mailbox, you should hopefully see two emails that arrived today that were automatically sent by the Alerts notification system (**Office365Alerts@microsoft.com**). The first of these two emails should be the one that was generated by the mailbox permission alert that you created in Exercise 2. The purpose of the email is to inform Lynne that Holly Dickson has made a Mailbox permission change.
19 | 20 | 4. The email contains a **View alert details** button that you could select to display details on the alert that was generated. As of August 2025, this button no longer works due to a configuration change in the Defender XDR portal. 21 | 22 | 5. In your Edge browser, open a new browser tab and navigate to **https://security.microsoft.com**. 23 | 24 | 6. When the **Microsoft Defender** portal displays, expand **Incidents & alerts** in the left navigation bar and select **Email and collaboration alerts**. 25 | 26 | 7. In the **View alerts** page that opens, select the alert named **Mailbox permission change** (select the name, not the checkbox). 27 | 28 | 8. Scroll down through the Mailbox permission change pane and review all the information for this activity. When you are done, select **Close** to close the pane. 29 | 30 | 9. In your Edge browser, close the **View Alerts - Microsoft Defender** tab. Leave Lynne's **Outlook** tab open, as you will use that in the next task. 31 | 32 | 10. Leave your Edge browser open on the LON-CL2 VM. Do not close Lynne's mailbox as you will access it again in the next task. 33 | 34 | You have just successfully tested a mailbox permission alert that sent an alarm message on granting FullAccess to a user mailbox. 35 | 36 | 37 | ### Task 2 – Validate the SharePoint Permissions Alert 38 | 39 | In Lab 6, Exercise 3, you configured an alert designed to notify Lynne Robbins when a user is added as a site collection administrator for a site collection. To test this alert, you added Alex Wilber as a site collection admin to the global SharePoint Communication site. This activity should have triggered the alert policy that you created, which should have sent an alert notification email to Lynne Robbins’ mailbox. In this task, you will validate whether Lynne received this alert notification email. 40 | 41 | 1. On **LON-CL2**, you should still be logged into **Outlook on the web** as **Lynne Robbins** from the prior task. 42 | 43 | 2. 
In Lynne's Inbox, you should hopefully see two emails that arrived today that were automatically sent by the Alerts notification system (**Office365Alerts@microsoft.com**). The second of these two emails should be the one that was generated by the SharePoint Permissions alert that you created in Exercise 3. The email contains a **View alert details** button that you will select to display details on the alert that was generated. When testing this lab, this button did not seem to work if you opened the email. However, when you viewed the contents of the email in the preview pane in Outlook, then the button worked. So select the email in the Inbox, and then in the preview pane that displays the body of the email, select the **View alert details** button. Selecting this button opens the **Microsoft Defender** portal in a new tab. 44 | 45 | 3. The **Microsoft Defender** portal displays the **Alerts** window, and it automatically opens the **Add user as a site collection administrator** pane for this alert activity that triggered the email. Scroll down through this pane and review all the information for this alert activity. When you are done, select **Close** to close the pane. 46 | 47 | 4. Leave your LON-CL2 VM open as you will access Lynne's mailbox in a later task in this exercise. 48 | 49 | You have now successfully tested the SharePoint alert to monitor site collection admin permissions on SharePoint sites. 50 | 51 | 52 | ### Task 3 – Validate the default eDiscovery Alert 53 | 54 | In Lab 6, Exercise 4, you created a default Microsoft 365 alert policy that notifies all tenant administrators, such as Holly Dickson, whenever an eDiscovery search has been created or exported. You then tested this alert by creating an eDiscovery search, which should have triggered the alert policy to send an alert notification email to all Tenant Admins. Holly is a Global administrator. By default, Global admins are members of the Tenant Admin group. 
As such, Holly should have received the email notification generated by this alert. In this task, you will validate whether Holly received this email. 55 | 56 | 1. Switch to **LON-CL1**. 57 | 58 | 2. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 59 | 60 | 3. In your **Microsoft Edge** browser, if you have a tab open that contains Holly's Outlook mailbox, then select it now. Otherwise, select the **Home | Microsoft 365** tab, and then on the **Welcome to Microsoft 365** page, select **Outlook** in the column of apps on the left side of the screen. 61 | 62 | 4. In Holly's Outlook mailbox, check her Inbox for an **Informational-severity alert: eDiscovery search started or exported** email that was automatically sent by the default eDiscovery alert that you enabled in Exercise 4. The purpose of this message is to inform Holly that an eDiscovery search was created or exported. The email contains a **View alert details** button that you will select to display details on the alert that was generated. When testing this lab, this button did not seem to work if you opened the email. However, when you viewed the contents of the email in the preview pane in Outlook, then the button worked. So select the email in the Inbox, and then in the preview pane that displays the body of the email, select the **View alert details** button. Selecting this button opens the **Microsoft Defender** portal in a new tab. 63 | 64 | 5. The **Microsoft Defender** portal displays the **Alerts** window, and it automatically opens the **eDiscovery search started or exported** pane for this alert activity that triggered the email. Scroll down through this pane and review all the information for this alert activity. When you are done, select **Close** to close the pane. 65 | 66 | 6. 
While this exercise was about validating the alert that was generated when running an eDiscovery search, you can perform the following steps if you're interested in viewing the statistics that were generated from this search: 67 | 68 | - Select the **Home - Microsoft 365 admin center** tab in your Edge browser. In the **Microsoft 365 admin center**, select **Compliance** in the navigation pane to open the Microsoft Purview portal. 69 | 70 | - In the **Microsoft Purview** portal, select **Solutions**, and then select **eDiscovery** in the navigation pane. 71 | 72 | - Under the **Classic eDiscovery** section, select **Content Search**. 73 | 74 | - On the **Content search** page, the **Search** tab is displayed by default. In the list of searches, select **Confidential search**. 75 | 76 | - In the **Confidential search** pane that appears, the **Summary** tab is displayed by default. Review the information for this search, and then select the **Search statistics** tab. Select each of the three sections (Search content, Condition report, and Top locations) to expand them, and then review the information that was compiled for each section. Select the **Close** button to close this pane when you're finished. 77 | 78 | 7. In your browser, leave the Outlook tab (**Mail - Holly Dickson - Outlook**) open on the LON-CL1 VM as you will use it in a later task. Leave all your other browser tabs open as well. 79 | 80 | You have now successfully tested the Microsoft 365 eDiscovery system alert that monitors the creation of an eDiscovery search or the export of data from a completed search. 81 | 82 | 83 | ### Task 4: Validate the simulated Spear Phishing attack 84 | 85 | In Lab 6, Exercise 5, you configured and launched a spear phishing attack, which should have sent a very intriguing, real-world looking email to all Adatum users. 
In this task, you will verify that Holly received this email, you'll have her respond to the email to see what happens when a user falls for a spear phishing attack, and you'll review the results associated with the simulated attack. 86 | 87 | 1. On **LON-CL1**, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. 88 | 89 | 2. In Holly's Outlook Inbox, you should see the spear phishing email that was sent by the Attack Simulator. The subject and text of the email will vary depending on the payload you selected when setting up the spear phishing simulation in the earlier exercise. For example, the subject of the message may say something like **2 Failed messages to you**. Do not open the email, since like the previous alert emails, the button inserted in the email doesn't appear to work when you open the email. Instead, simply select the email to view it in the Outlook preview pane. 90 | 91 | 3. In the email, note the message that appears. Again, the message may vary depending on the payload you selected when setting up the spear phishing simulation. For example, it may say something like: **Our server has detected some errors delivering 2 new message to your Inbox due to the synchronization delay. Click on View Returned Messages below to retrieve these messages.** Regardless of the exact message, keep in mind that its purpose is to trick the user into thinking this is a legitimate email, when in fact, it's a spear phishing attack. 92 | 93 | 4. To test this simulated attack, select the **View Returned Messages** button. Note what happens - a legitimate looking **Sign in** box appears, requesting you to sign in. This is how an attacker could capture your username and password credentials. 
Since this is just a simulated attack, go ahead and enter **Holly@xxxxZZZZZZ.onmicrosoft.com**, select **Next**, and then in the **Enter password** box, enter the **New Administrative Password** that you assigned to Holly's account and select **Sign in**.
94 | 95 | Note what happens when you finish signing in. The simulated spear phishing attack displays a web page that indicates you were just phished by your security team. It also provides tips on how to identify the phishing message. Review the contents of this site, which uses the landing page template that you selected when setting up the attack simulation.
96 | 97 | At the bottom of this page, you have the option to navigate to some training on how to avoid being phished in the future. Select the **Go to training** button. This opens a new tab in your browser that displays training information on Web Phishing. 98 | 99 | 5. In your Edge browser, select the tab containing Holly's Outlook mailbox. Note the additional email that arrived in her Inbox from the **Security and Compliance Team**. When you configured the simulated spear phishing attack, one of the options you selected was to send a weekly Microsoft default training reminder notification to users. 100 | 101 | 6. In your Edge browser, if you have the **Attack simulation training** tab open, then select it now. Otherwise, select the tab containing your Microsoft Defender portal, and in the navigation pane, select **Attack simulation training**. 102 | 103 | 7. On the **Attack simulation training** page, select the **PhishingTest1** simulation to view the diagnostic results that were captured for this simulation. 104 | 105 | 8. A **PhishingTest1** page should appear. Review all the information collected for this simulated attack. When you're finished, select the **X** in the top corner of the window to close it. 106 | 107 | 9. Leave your browser open in LON-CL1 and do not close any of the tabs. 108 | 109 | 110 | ### Task 5: Validate the simulated Drive-by URL attack 111 | 112 | In Lab 6, Exercise 6, you configured and launched a simulated Drive-by URL attack. In this task, you will review the results of the simulated Drive-by URL attack that you launched. When you configured this attack, you selected Lynne Robbins as the target of the attack; therefore, Lynne should have received the email that you configured in the Attack simulation training. You'll verify that Lynne received this email, you'll have her respond to the email to see what happens when a user falls for a Drive-by URL attack, and you'll review the results associated with the simulated attack. 
113 | 114 | 1. Switch to **LON-CL2**. On LON-CL2, in the Edge browser, you should have a tab open containing Lynne Robbins' Outlook mailbox from the earlier alert notification tasks. 115 | 116 | 2. In Lynne's Outlook Inbox, you should see the email that was sent by the Attack Simulator that's from **Klemen Sic** (klemens@tailspintoys.com). The subject of the email is **Free toy giveaway promotion from Tailspin Toys**. Do not open the email, since like the previous alert emails, the link inserted in the email doesn't appear to work when you open the email. Instead, simply select the email to view it in the Outlook preview pane. 117 | 118 | 3. In the email, you should recognize the message that appears, which you configured when you created this attack simulation in Exercise 6. The purpose of this message is to trick the user into thinking this is a legitimate email, when in fact, it's a Drive-by URL attack. 119 | 120 | 4. To test this simulated attack, select the **Free25thAnniversaryGift@tailspintoys.com** link. Note what happens - the simulated drive-by URL attack displays a web page that indicates you were just phished by your IT team. It instructs you that legitimate sounding sites such as **https://www.prizegives.com**, which was the site linked to the **Free25thAnniversaryGift@tailspintoys.com** link, have been compromised by malicious attackers. So even though you may see the underlying www.prizegives.com site and you think it's legitimate, it's in fact been compromised. This site also shows you a list of information that could have been captured had this been a real attack. 121 | 122 | 5. In your Edge browser, select the tab containing Lynne's Outlook mailbox. Note the additional email that arrived in her Inbox from the **Security and Compliance Team**. This is a legitimate email that was sent to Lynne. 
When you configured the simulated spear phishing attack, one of the options you selected was to send a weekly Microsoft default training reminder notification. 123 | 124 | 6. In the **Outlook** tab in your Edge browser, select the picture of Lynne Robbins in the upper-right corner of the window. In Lynne's profile window that appears, select **Sign out**. 125 | 126 | 7. Once Lynne is signed out, close the Edge browser. 127 | 128 | 8. Switch back to **LON-CL1**. 129 | 130 | 9. On LON-CL1, in your browser session where you are logged in as Holly Dickson, you should still be on the **Attack simulation training** page. Select the **Custom payload** simulation to view the diagnostic results that were captured for this simulation. 131 | 132 | 10. A **Custom payload** page should appear. Review all the information collected for this simulated attack. When you're finished, select the **X** in the top corner of the window to close it. 133 | 134 | 11. Leave your browser open in LON-CL1. Close all tabs EXCEPT for the **Home | Microsoft 365** and **Home | Microsoft 365 admin center** tabs. 135 | 136 | 137 | ### Task 6: Disable Multifactor Authentication for the attack simulation admin 138 | 139 | To use Microsoft's Attack simulation training to simulate phishing attacks, Holly enabled Multifactor Authentication (MFA) for her user account. Now that she has completed the Attack simulation training tests, she wants to disable MFA for her account so that she doesn't have to deal with MFA for the remainder of the pilot project. 140 | 141 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as **Holly Dickson**. Select the **Home | Microsoft 365 admin center** tab. 142 | 143 | 2. On the **Microsoft 365 admin center**, in the left-hand navigation pane, select **Users** and then select **Active users**. 144 | 145 | 3. In the **Active users** window, on the menu bar at the top of the user list, select **Multi-factor authentication**. 146 | 147 | 4. 
On the **multi-factor authentication** page that appears, the **users** tab at the top of the page is displayed by default. Note the MFA status for all existing user accounts is **Disabled**, except for Holly Dickson, whose status is **Enforced**.
148 | 149 | **Note:** When you enabled MFA for Holly back in Exercise 5, her status was changed from **Disabled** to **Enabled**. However, the first time you signed in as Holly after enabling MFA (right after enabling MFA in Exercise 5), the system automatically changed her MFA status from **Enabled** to **Enforced**.
150 | 151 | 5. Select the check box for **Holly Dickson**, and in Holly's properties pane that appears on the right, select **Disable**. 152 | 153 | 6. On the **Disable multi-factor authentication?** dialog box, select **yes**. When the **Updates successful** dialog box appears, select **close**. 154 | 155 | 7. In the **multi-factor authentication** window, verify Holly's MFA Status has changed to **Disabled**. 156 | 157 | 8. You must now sign out of Microsoft 365 as Holly and then sign back in as Holly (without MFA). To do so, perform the following steps:
158 | 159 | - Select Holly's account icon (HD in a circle) at the top-right of the screen and in Holly's profile window, select **Sign out**. 160 | - Once you're signed out, close your Edge browser. Doing so will clear your cache. 161 | - Open a new Edge browser session. 162 | - Enter the **https://www.microsoft365.com** URL to open the Microsoft 365 home page. 163 | - In the **Pick an account** window, select Holly's account. 164 | - In the **Enter password** window, enter the new Administrative Password that you assigned to Holly's account and select **Sign in**. 165 | - From the **Microsoft 365 Home** page, select the **Admin** icon to navigate to the **Microsoft 365 admin center**. 166 | 167 | You are now ready to proceed to the next lab exercise. 168 | 169 | # End of Lab 6 170 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_04_Lab4_Ex3_PIM_Self_Approval.md: -------------------------------------------------------------------------------- 1 | # Learning Path 4 - Lab 4 - Exercise 3 - PIM Self-Approval 2 | 3 | Since taking on her role as Adatum's Microsoft 365 Administrator, Holly Dickson has been interrupted on several occasions with user support requests that have taken her attention away from the company's Microsoft 365 pilot project. Because Holly does not have the bandwidth to respond to the requests in a timely manner, she wants Alex Wilber and Joni Sherman to begin responding to these requests. This will require that Alex and Joni have Helpdesk Administrator role permissions. However, Holly does not want to permanently assign this role to Alex and Joni, since this is not their regular role, and she doesn't want this role to impact other services. Holly also doesn't want Alex and Joni to submit approval requests each time they need to be assigned the Helpdesk Admin role. 
4 | 5 | Given these requirements, Holly wants to take advantage of the Microsoft Entra ID Privileged Identity Management (PIM) feature that enables users to self-activate a Microsoft Entra role on an as-needed basis. Instead of requiring a Global admin (such as Holly) or a Privileged Role Administrator to assign a role to multiple people individually, PIM enables an organization to create a security group and then enable the group to be eligible for that specific role. When people are assigned as members of the group, they indirectly become eligible to be assigned the role. Holly wants to employ this feature at Adatum by creating a security group of eligible users (Alex and Joni) for the Helpdesk administrator role. This opportunity will be a good test of this feature in Holly's pilot project. 6 | 7 | Once Alex and Joni are made eligible for this role, whenever they must respond to their first user request, they will self-activate, or self-approve the role assignment. By doing so, they will have Helpdesk administrator control for a predetermined time period. In this case, Holly wants them to remain assigned to the role for 15 days. 8 | 9 | In addition, Holly doesn't want to be forced to approve the role assignment whenever Alex and Joni require this role assignment. Instead, Holly simply wants to be notified whenever Alex or Joni self-approve the role. PIM can send email notifications to selected individuals when important events occur in their Microsoft Entra ID organization, such as when a role is assigned or activated. 10 | 11 | 12 | ### Task 1 - Create an eligible group for the Helpdesk Admin role 13 | 14 | In the prior lab exercise, Holly Dickson limited access to the Global admin role using Privileged Identity Management. She first configured the role to require approval before it could be assigned as an eligible role for a user, and then she assigned herself as the approver whenever an eligible user requested activating the role. 
15 | 16 | For this next test of PIM in Adatum's pilot project, Holly has selected Alex Wilber and Joni Sherman to be eligible for the Helpdesk admin role. However, to simplify future role assignments, Holly wants to create a security group, assign Alex and Joni to the group, and then assign the group to the Helpdesk admin role. Holly will then enable the group to be eligible for the Helpdesk admin role. 17 | 18 | 1. You should still be logged into LON-CL1 as the **adatum\administrator** account, and in your Edge browser, you should still be logged into Microsoft 365 as Holly Dickson. 19 | 20 | 2. In your Edge browser, select the tab containing the **Microsoft Entra admin center**, which should still be open from the prior lab exercise. 21 | 22 | 3. In the **Microsoft Entra admin center**, select **Groups** in the navigation pane, and then select **All groups**. 23 | 24 | 4. In the **Groups | All groups** window, select **New group** in the menu bar. 25 | 26 | 5. In the **New group** window, enter the following information: 27 | 28 | - Group type - **Security** 29 | 30 | - Group name - **PIM-Helpdesk-Administrators** 31 | 32 | - Group description - **Group of eligible users who can be assigned to the Helpdesk Administrator role in PIM** 33 | 34 | - Microsoft Entra roles can be assigned to the group - **Yes** 35 | 36 | - Membership type - **Assigned** 37 | 38 | - Owners - Select **No owners selected**. In the **Add owners** pane, enter **Holly** in the **Search** field and select the **Holly@xxxxxZZZZZZ.onmicrosoft.com** user account. 39 | 40 | - Members - Select **No members selected**. In the **Add members** pane, select **Alex Wilber**. Enter **Joni** in the Search field, and then select **Joni Sherman**. 41 | 42 | 6. In the **New group** window, select the **Create** button at the bottom of the page. 43 | 44 | 7. 
A dialog box appears at the top of the page that says: **Creating a group to which Microsoft Entra roles can be assigned is a setting that cannot be changed later. Are you sure that you want to add this capability?**. Select **Yes**. 45 | 46 | 8. On the **Groups | All groups** window, if the **PIM-Helpdesk-Administrators** group does not appear below the PIM-Global-Administrators group that you created in the prior task, select **Refresh** on the menu bar. 47 | 48 | 9. You must now make the **PIM-Helpdesk-Administrators** group eligible for role assignment. In the navigation pane, select **ID Governance** to expand the section, and then select **Privileged Identity Management**. 49 | 50 | 10. In the **Privileged Identity Management | Quick start** window, in the middle pane under the **Manage** section, select **Microsoft Entra roles**. 51 | 52 | 11. In the **Adatum Corporation | Quick start** window, under the **Assign** section, select the **Assign Eligibility** button. 53 | 54 | 12. In the **Adatum Corporation | Roles** window, scroll down through the list of roles and select **Helpdesk Administrator**. 55 | 56 | 13. In the **Helpdesk Administrator | Assignments** window, select **+Add assignments** on the menu bar. 57 | 58 | 14. In the **Add assignments** window, the **Membership** tab is displayed by default. Under **Select member(s)**, select **No member selected**. 59 | 60 | 15. In the **Select a member** pane that appears on the right, enter **PIM** in the **Search** field. This will display the list of eligible users and groups whose name starts with **PIM**. Select the **PIM-Helpdesk-Administrators** group that appears, and then select the **Select** button. 61 | 62 | 16. In the **Add assignments** window, select **Next** (this does the same thing as selecting the **Setting** tab). 63 | 64 | 17. In the **Add assignments** window, under the **Setting** tab, verify the **Assignment type** option is set to **Eligible**. 
Also verify the **Permanently eligible** check box is selected (if not, then do so now), and then select **Assign**. 65 | 66 | 18. In the **Helpdesk Administrator | Assignments** window, note that the **PIM-Helpdesk-Administrators** group is an eligible assignment to the Helpdesk Administrator role. Because **PIM-Helpdesk-Administrators** is a group, it means that all members of this group (which consists of Alex Wilber and Joni Sherman) are now eligible to be assigned the Helpdesk Administrator role. 67 | 68 | **Note:** Lab testing has shown that it can sometimes take up to 30 minutes for new assignments to appear under the **Eligible assignments** tab. If **PIM-Helpdesk-Administrators** doesn't appear immediately, wait a few minutes and then select the **Refresh** option on the menu bar. Continue to select the **Refresh** option every few minutes until **PIM-Helpdesk-Administrators** appears in the list of **Eligible assignments**. 69 | 70 | 19. Leave all browser tabs open for the next task. 71 | 72 | 73 | ### Task 2 - Configure the Helpdesk Administrator role for self-activation 74 | 75 | Next, Holly wants to configure the Helpdesk administrator role settings and notification settings in Microsoft Entra ID. Privileged Identity Management (PIM) lets you know when important events occur in your Microsoft Entra ID organization, such as when a role is assigned or activated. PIM keeps you informed by sending you and other participants email notifications. These emails can also include links to relevant tasks, such as activating or renewing a role. In this task, Holly wants to update the notifications to ensure that self-approvals are tracked in real-time in a proactive manner. 76 | 77 | In the prior lab exercise involving the Global administrator role, Holly updated the role so that she had to approve any activation requests for the role. 
However, for the Helpdesk admin role, Holly is less concerned about eligible users abusing the role permissions given the more limited scope of the role as compared to the Global Admin role. Holly trusts that Alex and Joni won't activate the role unless they're required to do so to respond to support requests. Therefore, Holly will only require that Alex and Joni provide justification whenever they must activate the role. Holly wants the role to be active for Alex and Joni for 15 days. This way, they won't be waiting for Holly to approve their activation requests, and they can simply provide justification and get started whenever they must take on this role. 78 | 79 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as Holly Dickson from the prior task. 80 | 81 | 2. In your browser, you should still have the **Microsoft Entra admin center** open from the prior task. In the navigation pane, under the **ID Governance** section, select **Privileged Identity Management**. 82 | 83 | 3. In the **Privileged Identity Management | Quick start** window, in the middle pane under the **Manage** section, select **Microsoft Entra roles**. 84 | 85 | 4. In the **Adatum Corporation | Quick start** window, in the middle pane under the **Manage** section, select **Settings**. 86 | 87 | 5. In the **Adatum Corporation | Settings** window, select the **Helpdesk Administrator** role.
88 | 89 | **Tip:** If the roles are not displayed in alphabetical order, select the **Role** heading to sort them in ascending alphabetical order. This will make it easier to locate the Helpdesk administrator role. 90 | 91 | 6. In the **Role setting details - Helpdesk Administrator** window, scroll through the page and review the information for role activation, assignment, and notification. Then select **Edit** on the menu bar at the top of the page. 92 | 93 | 7. In the **Edit role setting - Helpdesk Administrator** window, the **Activation** tab is displayed by default. In this tab, the slider for the **Activation maximum duration (hours)** setting is set to **8**. Holly wants to increase this to the maximum allowable time, which is **24** hours. You can either move the slider to the end of the line, or you can type **24** in the field next to the slider.
94 | 95 | **Note:** If you try to enter any value greater than 24, it will automatically reset to 24. 96 | 97 | 8. Below the activation slider, set the **On activation, require** setting to **None**.
98 | 99 | **Note:** In the prior lab exercise, Holly required that Patti Fernandez sign in using Microsoft Entra MFA when she requested activation of the Global admin role. In doing so, Holly verified the Microsoft Entra MFA sign-in worked. However, for the purpose of the pilot project, Holly will not require verification using multi-factor authentication when activating the Helpdesk administrator role (and since you already tested this MFA feature in the prior lab exercise, there's no reason to take time in class to do it again). 100 | 101 | 9. The screen then displays a group of three settings, each with a check box. Verify that all three check boxes are blank. If any check box is selected by default, then un-check (clear) it now.
102 | 103 | **Note:** For the pilot project, Holly does not want the **Require justification on activation** check box selected. Holly knows that Alex and Joni will only activate the role when needed, so she doesn't require a justification from them to activate the role assignment (however, in the next step, Holly will require justification when they assign the role to themselves). Leaving the **Require approval to activate** setting unchecked will enable an eligible user to self-approve, or self-activate without requiring another user's approval. 104 | 105 | 10. You're currently in the **Activation** tab. Select the **Assignment** tab that appears next to it. When this role is assigned to Alex or Joni, Holly wants the assignment to expire after 15 days. To implement this requirement, configure the following settings on this tab:
106 | 107 | - Uncheck (clear) the **Allow permanent active assignment** check box. Then select the **Expire active assignments after** field, and in the drop-down menu that appears, select **15 days**. 108 | 109 | - Verify the **Require justification on active assignment** check box is selected (if not, select it now). 110 | 111 | 11. At the top of the window, select the **Notification** tab. 112 | 113 | 12. On the **Notification** tab, note the three activities that can trigger a notification being sent: **Send notifications when...**
114 | 115 | - members are assigned as eligible to this role 116 | - members are assigned as active to this role 117 | - eligible members activate this role 118 | 119 | Under the **Send notifications when eligible members activate this role** section, Holly wants to be notified when Alex or Joni self-approve this role. Therefore: 120 | 121 | - Verify the **Role activation alert** check box is selected. 122 | - The default recipient for the **Role activation alert** is **Admin**. This refers to the Global Administrators (Holly) and any Privileged Role Administrators. 123 | - Un-check (clear) the **Notification to activated user (requestor)**. Since Alex and Joni will be self-approving, they don't need to receive a notification when they do so. 124 | 125 | 13. Select the **Update** button at the bottom of the window. 126 | 127 | 14. Leave all browser tabs open for the next task. 128 | 129 | 130 | ### Task 3 - Self-activate the Helpdesk Admin role 131 | 132 | At this point in Holly's pilot project, the **PIM-Helpdesk-Administrators** group has been made eligible for the Helpdesk administrator role. The members of the group (Alex Wilber and Joni Sherman) can now be assigned the Helpdesk Administrator role using Microsoft Entra Privileged Identity Management. Holly wants to test out the PIM process in her pilot project. In this task, you will take on the role of Alex Wilber, who will submit a request to self-approve assigning the Helpdesk Administrator role to his user account. 133 | 134 | 1. In LON-CL1, right-click on the **Edge** icon on the taskbar and in the menu that appears, select **New InPrivate window**. 135 | 136 | 2. In your InPrivate browsing session, enter the following URL in the address bar: **https://portal.azure.com** 137 | 138 | 3. You're now going to log into Azure as Alex Wilber. 
In the **Sign in** window, enter **AlexW@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider) and then select **Next**. In the **Enter password** window, enter the **User Password** provided by your lab hosting provider and then select **Sign in**.
139 | 140 | In the **Update your password** window that appears, enter the **User Password** provided by your lab hosting provider in the **Current password** field. Then in the **New password** and **Confirm password** fields, enter the New User Password that you defined for all test users at the start of the lab. Select **Sign in**. 141 | 142 | 4. In the **Stay signed in?** dialog box, select the **Don't show this again** check box and then select **Yes**. 143 | 144 | 5. In the **Welcome to Microsoft Azure** dialog box that appears, select **Cancel** to skip the tour. 145 | 146 | 6. In the **Microsoft Azure** portal, in the middle of the screen is the section of **Azure services**. This section displays a row of Azure services and their associated icons. At the end of the row, select **More services** (with the forward arrow icon). This opens the **All services** window. 147 | 148 | 7. In the **All services** window, enter **priv** in the **Filter services** search box at the top of the page. In the list of search results, select **Microsoft Entra Privileged Identity Management**. 149 | 150 | 8. In the **Privileged Identity Management | Quick start** window, in the **Tasks** section in the navigation pane, select **My Roles**. 151 | 152 | 9. In the **My roles | Microsoft Entra roles** window, the **Eligible assignments** tab is displayed by default. Remember, in the prior task Holly assigned Alex as a member of the **PIM-Helpdesk-Administrators** group, which Holly later assigned as an eligible group for the Helpdesk Administrator role. As such, this role appears in the list of **Eligible assignments** for Alex.
153 | 154 | Select the **Active assignments** tab. Note that no Microsoft Entra roles have been assigned to Alex's account yet. 155 | 156 | 10. Alex is now ready to self-approve, or self-activate, the Helpdesk Administrator role. Select the **Eligible assignments** tab. Under the **Action** column for the **Helpdesk Administrator** role, select **Activate**. 157 | 158 | 11. In the **Activate - Helpdesk Administrator** pane that appears, enter **Support requests from Sales team members that require resolution** in the **Reason** field. This is the reason why Alex wants to self-activate this role. Then select the **Activate** button at the bottom of the pane.
159 | 160 | Note the three stages of activation that appear in the **Activate - Helpdesk Administrator** pane and the progress made on each stage. Wait for all three stages to automatically complete (Stage 2 typically takes the longest). After the final stage is completed, the **Activate - Helpdesk Administrator** pane will automatically close, and you will be returned to the **My roles | Microsoft Entra roles** window. 161 | 162 | 12. On the **My roles | Microsoft Entra roles** window, note that you're still in the **Eligible assignments** tab. Also note the message at the top of the window indicating **Your active roles have changed. Click here to view your active roles**. Select this message. This simply displays the **Active assignments** tab, which you could have selected yourself instead of selecting the message. 163 | 164 | 13. In the **Active assignments** tab, note the **Helpdesk Administrator** role now appears. Prior to activating this role, remember that you checked this tab earlier and no Microsoft Entra roles appeared. Now that Alex has self-approved the **Helpdesk Administrator** role, it's now been assigned to his user account. 165 | 166 | 14. Close the InPrivate browser session. This should return you to the **Microsoft Entra admin center**, which should be displaying the **Adatum Corporation | Settings** page. 167 | 168 | 15. Leave your browser and all tabs open for the next task. 169 | 170 | As Alex Wilber, you have now self-approved the Helpdesk Administrator role. This has automatically assigned the role to Alex's user account. 171 | 172 | 173 | ### Task 4 - Verify a PIM notification was issued 174 | 175 | When you earlier configured the Helpdesk Administrator role, you set up the notification feature so that Holly would be notified any time an eligible user activated the role. Since Alex Wilber just self-activated the role, Holly should receive a notification of this activity. This task will verify that Holly received a notification. 
176 | 177 | 1. On LON-CL1, in your Edge browser, you should still be logged into Microsoft 365 as Holly Dickson. In your Edge browser, select the **Home | Microsoft 365** tab. 178 | 179 | 2. On the **Welcome to Microsoft 365** page, in the column of application icons on the left side of the screen, select the **Outlook** icon. This will open Outlook for Holly Dickson's mailbox in a new tab. 180 | 181 | 3. In Holly's Outlook mailbox, her **Inbox** is displayed by default. Verify that Holly received a PIM-generated email indicating that **Alex Wilber activated the Helpdesk Administrator role assignment**. 182 | 183 | 4. Select the email to open it. Review the information in the email and then close it. 184 | 185 | 5. To review the audited list of activities related to Alex's self-approval of the Helpdesk Administrator role, select the **Microsoft Entra admin center** tab in your Edge browser. 186 | 187 | 6. In the **Microsoft Entra admin center**, the **Adatum Corporation - Settings** page should be displayed. This is where you left off in the prior task. In the middle pane, under the **Activity** section towards the bottom of the page, select **Resource audit**. 188 | 189 | 7. In the **Adatum Corporation | Resource audit** page, review the list of PIM activities. Note the two most recent activities, which include Alex's request to be assigned to the Helpdesk Administrator role, and the completion of Alex's request. 190 | 191 | 8. Leave your browser and all tabs open for the next task. 
192 | 193 | 194 | # Proceed to Lab 4 - Exercise 4 195 | -------------------------------------------------------------------------------- /Instructions/Labs/LAB_AK_02_Lab2_Ex3_M365_Apps.md: -------------------------------------------------------------------------------- 1 | # Learning Path 2 - Lab 2 - Exercise 3 - Manage a Microsoft 365 Apps for enterprise installation 2 | 3 | You have taken on the persona of Holly Dickson, Adatum's new Microsoft 365 Administrator, and you have Microsoft 365 deployed in a virtualized lab environment. In this exercise, you will perform the tasks necessary to manage a user-driven Microsoft 365 Apps for enterprise installation. Performing a user-driven Microsoft 365 Apps for enterprise installation is a two-step process: 4 | 5 | - Configuring the user account so the user is eligible to download and install the Office 365 deployment tool. 6 | - Performing the installation. 7 | 8 | In the first two tasks in this exercise, you will verify the following conditions that affect whether a user can be blocked from downloading the Microsoft 365 Apps for enterprise suite:
9 | 10 | - Whether the user has an appropriate Microsoft 365 license (which you will verify in Task 1). 11 | - Whether an admin has turned off the global Office download setting that controls the downloading of mobile and desktop apps for all users (which you will verify in Task 2). 12 | 13 | In the final task in this exercise, you will install the Microsoft 365 Apps for enterprise suite for one of Adatum's users. 14 | 15 | 16 | ### Task 1 – Verify how licensing affects installing Microsoft 365 Apps for enterprise 17 | 18 | In this task, Holly will test whether a user who has not been assigned an appropriate Microsoft 365 license can download Microsoft 365 Apps for enterprise. For this test, you can't use any of the existing users that appear in the **Active Users** list in the Microsoft 365 admin center. These users only have Microsoft 365 accounts (xxxxxZZZZZZ.onmicrosoft.com accounts); they do not have corresponding on-premises accounts in the Adatum domain. Without an on-premises account, you can't log into the Client 2 (LON-CL2) VM as any of these users to install Microsoft 365 Apps for enterprise on the client machine. 19 | 20 | Therefore, you must use one of Adatum's on-premises user accounts that has been loaded in its on-premises domain (adatum.com) by your lab hosting provider. For this test, you will use **Laura Atkins**. You will create a Microsoft 365 account for Laura, but initially you will not assign her a Microsoft 365 license. This will enable you to see how not having a license affects a user's ability to install Microsoft 365 Apps for enterprise. 21 | 22 | 1. On LON-CL1, you should be logged into Microsoft 365 as Holly Dickson in your Edge browser. 23 | 24 | 2. In the **Microsoft 365 admin center**, select **Users** in the navigation pane, and then select **Active users**. 25 | 26 | 3. You will begin by testing whether a user **without** an appropriate Microsoft 365 license can install Microsoft 365 Apps for enterprise. 
For this test, you will use **Laura Atkins**. Your lab hosting provider has already created an on-premises user account for Laura, but she does not have a Microsoft 365 user account. You will create a Microsoft 365 account for Laura, but you will NOT assign her a Microsoft 365 license.
27 | 28 | At the top of the **Active users** window, select **Add a user** on the menu bar. Doing so initiates the **Add a user** wizard. 29 | 30 | 4. In the **Add a user** wizard, in the **Set up the basics** window, enter the following information: 31 | - First name: **Laura** 32 | - Last name: **Atkins** 33 | - Display name: When you tab into this field, **Laura Atkins** will appear 34 | - Username: **Laura** 35 | 36 | **IMPORTANT:** To the right of the Username field is the domain field. You want this value to be Adatum's **xxxxxZZZZZZ.onmicrosoft.com** domain (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider). However, if the custom domain that you added in a prior lab is set as the default domain, then this field will be prefilled with the custom **xxxUPNxxx.xxxCustomDomainxxx.xxx** on-premises domain (where xxxUPNxxx is your UPN number and xxxCustomDomainxxx.xxx is the custom domain). If the custom domain is displayed in this field, you must select the drop-down arrow and select the **xxxxxZZZZZZ.onmicrosoft.com** cloud domain instead.
37 | 38 | After configuring this field, Laura’s **Username** should appear as: **Laura@xxxxxZZZZZZ.onmicrosoft.com** 39 | 40 | - Password settings: Clear (uncheck) the **Automatic create a password** option 41 | - Password: Enter the New User Password 42 | - Clear (uncheck) the **Require this user to change their password when they first sign in** check box 43 | 44 | 5. Select **Next**. 45 | 46 | 6. In the **Assign product licenses** window, select the **Create user without product license (not recommended)** option, and then select **Next**. 47 | 48 | 7. In the **Optional settings** window, select **Next**. 49 | 50 | 8. On the **Review and finish** window, review your selections. If anything needs to be changed, select the appropriate **Edit** link and make the necessary changes. Otherwise, if everything looks good, select **Finish adding**. 51 | 52 | 9. On the **Laura Atkins added to active users** page, select **Close**. If a survey form appears, select **Cancel**. 53 | 54 | 10. Switch to **LON-CL2**. 55 | 56 | 11. On **LON-CL2**, you want to log into the machine as **Laura Atkins**. If the Edge browser is still open from the previous lab exercise, then close it now. You should be on the LON-CL2's desktop, where it should indicate that you are logged on as **lon-cl2\admin**. Since you want to log on to the LON-CL2 machine using Laura Atkins' local account (adatum\laura), select the **Ctrl+Alt+Delete** function for your VM environment. On the menu screen that appears, select **Switch user**.
57 | 58 | The lower-left portion of the desktop displays the **Admin** and **Other user** options. Select **Other user**. 59 | 60 | 12. In the **Other user** log in, enter **adatum\laura** in the **Username** field, enter **Pa55w.rd** as the **Password**, and then select the forward arrow to log in. 61 | 62 | 13. Select the **Microsoft Edge** icon on the taskbar. 63 | 64 | 14. In **Microsoft Edge**, maximize your browser if necessary. If you receive a **Welcome to Microsoft Edge** window that displays a message indicating **Let's start by signing you in and bringing over your passwords, history, and more**, perform the following steps to initialize your Edge browser and navigate to the Microsoft 365 Home page:
65 | 66 | - On the first screen, select the **Start without your data** button. 67 | - On the second screen, select the **Continue without this data** button. 68 | - On the third screen, unselect (clear) the **Make your Microsoft experience more useful to you** check box and then select the **Confirm and start browsing** button. 69 | - In the Edge browser, go to the **Microsoft 365 Home** page by entering the following URL in the address bar: **https://www.microsoft365.com/** 70 | 71 | 15. In the **Sign in** window, enter **Laura@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider) and then select **Next**. 72 | 73 | 16. In the **Enter password** window, enter the New User Password that you assigned to Laura's account and then select **Sign in**. 74 | 75 | 17. If a **Stay signed in?** window appears, select the **Don't show this again** check box and then select **Yes**. In the **Save password** window, select **Never**. 76 | 77 | 18. In the **Welcome to Microsoft 365** dialog box that appears in the middle of the screen, select the forward arrow twice and then the check mark. 78 | 79 | 19. In the **Welcome to Microsoft 365 Copilot** window (which is Laura's Microsoft 365 home page), notice that no column of Microsoft 365 app icons appears in the navigation pane on the side of the screen. This is because Laura has not been assigned a Microsoft 365 license.
80 | 81 | Select the **Install apps** button, and then in the drop-down menu that appears, select **Microsoft 365 apps**. This opens the **My account** window for Laura. 82 | 83 | 20. In Laura's **My account** window, under the **Office Apps & devices** tile, select **View apps & devices**. Note the message that appears at the top of the page. Laura has not been assigned a license that includes the Office desktop apps, so she’s unable to install Microsoft 365 Apps for enterprise.
84 | 85 | >**Important:** You have just verified that a user can't download Microsoft 365 Apps for enterprise if they haven't been assigned an appropriate Microsoft 365 license. 86 | 87 | 21. Leave LON-CL2 open and remain signed into Microsoft 365 as Laura Atkins for the next task. In your Edge browser, close the **My account** tab and the **Welcome to Microsoft Edge** tab, but leave the **Home | Microsoft 365** tab open for the next task. 88 | 89 | 90 | ### Task 2 – Verify how the global Office download setting affects installing Microsoft 365 Apps for enterprise 91 | 92 | Microsoft 365 includes a global Office download setting that controls the downloading of mobile and desktop apps for all users. Holly is now going to test whether users can be prohibited from downloading Microsoft 365 Apps for enterprise if an admin turns off this setting. In this test, Holly will once again use Laura Atkins as her test case. However, since you just proved in the prior task that Laura can't install Microsoft 365 Apps for enterprise without a proper license, you must first assign her a license. 93 | 94 | **License Note:** If you recall from the earlier lab exercise when you created Holly Dickson's Microsoft 365 account, there were no available Microsoft 365 E5 or Enterprise Mobility + Security E5 licenses available. As such, you had to first unassign one of each license from an existing user so that you could assign them to Holly. The same situation exists here with Laura. You must first unassign one of each license from an existing user so that you can assign them to Laura. 95 | 96 | 1. Switch back to **LON-CL1**. In your Edge browser, you should still be logged into Microsoft 365 as Holly Dickson, Adatum’s Microsoft 365 Administrator. 97 | 98 | 2. On **LON-CL1**, Holly wants to turn off the global Office download setting. To do so, select the **Microsoft 365 admin center** tab in your browser, and then if necessary, select **...Show all** in the navigation pane. 
Select **Settings**, and then within the Settings group, select **Org Settings**. 99 | 100 | 3. In the **Org settings** window, the **Services** tab is displayed by default. Scroll down through the list of services and select **Microsoft 365 installation options**. 101 | 102 | 4. In the **Microsoft 365 installation options** pane that appears, the **Feature Updates** tab is displayed by default. Select the **Installation** tab that appears next to it. Then under the **Apps for Windows and mobile devices** section, the **Office (includes Skype for Business)** check box is currently selected. Select this check box to clear it. This disables the ability of users to download Office apps through Microsoft 365 Apps for enterprise. 103 | 104 | 5. Select **Save**. 105 | 106 | 6. At the top of the **Microsoft 365 app installation options** pane, select the **X** in the upper-right corner of this window to close it. 107 | 108 | 7. You should now test whether turning off this global download setting prevents a **licensed** user from installing Microsoft 365 Apps for enterprise. In this case, you’re once again going to use **Laura Atkins**, so you must assign Laura a Microsoft 365 license. However, since there are no available licenses, you must first unassign a license from an existing Microsoft 365 user account. In this case, Holly will unassign Pradeep Gupta's licenses, since he has taken on a new role and will no longer be involved in Adatum's Microsoft 365 pilot project.
109 | 110 | In the **Microsoft 365 admin center** navigation pane, select **Users** and then select **Active users**. On the **Active users** page, select **Pradeep Gupta**. 111 | 112 | 8. In the **Pradeep Gupta** pane that appears, the **Account** tab is displayed by default. Select the **Licenses and apps** tab. Under **Licenses (2)**, select the **Microsoft 365 E5 (no Teams)** and **Microsoft Teams Enterprise** check boxes to clear them, and then select **Save changes**. Close the **Pradeep Gupta** pane. The licenses that were previously assigned to Pradeep are now available for Laura. 113 | 114 | 9. In the **Active users** list, scroll down to **Laura Atkins**. The value in the **Licenses** column for Laura currently indicates that she is **Unlicensed**. Select **Laura Atkins**. 115 | 116 | 10. In the **Laura Atkins** account pane, select the **Licenses and apps** tab. In the **Licenses** section, select the **Microsoft 365 E5 (no Teams)** and **Microsoft Teams Enterprise** check boxes and then select **Save changes**. Once the changes are saved, close Laura’s account pane.
117 | 118 | In the **Active users** list, note how the value in the **Licenses** column for Laura now displays **Microsoft Teams Enterprise, Microsoft 365 E5 (no Teams)**. 119 | 120 | 11. You should now check whether Laura can download Microsoft 365 Apps for enterprise to her client PC when the global Office download setting has been turned Off.
121 | 122 | To do this, you must first switch back to **LON-CL2**. 123 | 124 | 12. In **LON-CL2**, your Edge browser should still be open, and you should still be logged into Microsoft 365 as Laura Atkins.
125 | 126 | If you were able to save your custom theme earlier, then verify that Laura's name doesn't appear next to her **LA** initials. Because Laura's not a member of the M365 pilot project group that was assigned to the custom theme that you created, the policy setting of displaying the signed-in user's name that you configured for your custom theme doesn't apply to her.
127 | 128 | However, if you weren't able to save your custom theme, then you were instructed to update the Default theme to display the signed-in user's name. If you were unable to save your custom theme, then the Default theme should apply, and you should see Laura's name. 129 | 130 | 13. In your browser, verify you're on the **Home | Microsoft 365 Copilot** tab. When you left off after the prior lab task, this page didn't display any Microsoft 365 apps in the side pane because Laura wasn't assigned a Microsoft 365 license. Let's see what happens now that Laura has been assigned a license.
131 | 132 | Select the **Refresh** icon that appears to the left of the address bar at the top of your browser.
133 | 134 | 14. Select the **Install apps** button, and then in the drop-down menu, select **Install Microsoft 365 apps**. 135 | 136 | 15. This will open Laura's **My account** window. Under the **Office apps & devices** tile, select **View apps & devices**. 137 | 138 | 16. In the **Apps & devices** window, a message is displayed under the **Office** section that indicates the admin has turned off Office installs.
139 | 140 | >**Important:** You have just verified that a licensed user is unable to download Microsoft 365 Apps for enterprise if the global Office download setting has been turned Off. 141 | 142 | 17. At this point Holly wants to turn the global Office download setting back On so that Laura can download Microsoft 365 Apps for enterprise.
143 | 144 | To do this, switch back to **LON-CL1**. 145 | 146 | 18. On **LON-CL1**, you should still be logged into Microsoft 365 as Holly Dickson. In the **Microsoft 365 admin center**, under the **Settings** section in the navigation pane, select **Org Settings**. 147 | 148 | 19. In the **Org settings** window, the **Services** tab is displayed by default. Scroll down through the list of services and select **Microsoft 365 installation options**. 149 | 150 | 20. In the **Microsoft 365 installation options** pane, select the **Installation** tab, then under the **Apps for Windows and mobile devices** section, the **Office (includes Skype for Business)** check box is currently blank. Select this check box so that it displays a check mark, which now turns this feature back On. 151 | 152 | 21. Select **Save**, and then once the update has been saved, select the **X** in the upper-right corner of this window to close it. 153 | 154 | 22. Now that this global Office download option is turned back On, you should see if it affects Laura’s ability to download Microsoft 365 Apps for enterprise.
155 | 156 | To do this, switch back to **LON-CL2**. 157 | 158 | 23. In **LON-CL2**, your Edge browser should still be open, and you should still be logged into Microsoft 365 as Laura Atkins. The **Office apps and devices** page should be displayed along with the message that indicated your admin has turned off Office installs. Since you just turned this global option back On, you need to refresh this page to see how it affects Laura’s ability to download Microsoft 365 Apps for enterprise. 159 | 160 | Select the **Refresh** icon that appears to the left of the address bar at the top of your browser. 161 | 162 | 24. In the **My account** window that appears, under the **Office apps & devices** tile, an **Install Office** button appears along with a message indicating you can install Office on up to 5 PCs or Macs, 5 tablets, and 5 smartphones. 163 | 164 | >**Important:** You have just verified that a user with a Microsoft 365 license is able to download Microsoft 365 Apps for enterprise if the global Office download setting is turned On. Do **NOT** select the **Install Office** button at this time. You will do that in the next task. 165 | 166 | 25. Remain on LON-CL2 and continue to the next task to perform the user-driven installation for Laura Atkins. 167 | 168 | 169 | ### Task 3 – Perform a User-Driven Installation of Microsoft 365 Apps for enterprise 170 | 171 | In the prior task, you logged into Laura Atkins’ client PC, and you verified that she could download Microsoft 365 Apps for enterprise once she was assigned a Microsoft 365 license and the global Office download setting was turned On. In this task, you will continue the process by having Laura perform a user-driven installation of the Microsoft 365 Apps for enterprise suite from the Microsoft 365 portal. 172 | 173 | 1. On **LON-CL2**, your Edge browser should be open, and you should be logged into Microsoft 365 as Laura Atkins. 174 | 175 | 2. 
You should still be in Laura’s **My account** window since this is where you left off at the end of the prior task. Under the **Office apps & devices** section, the **Install Office** button now appears since Laura is assigned a Microsoft 365 E5 license and the global Office download setting is turned On. 176 | 177 | >**Important:** Selecting this **Install Office** button will install the 64-bit, English version of Microsoft 365 Apps for enterprise. However, if you want to install a different language or version, then select **View apps & devices**, which opens the **Apps & devices** page; this enables you to select a different language and version of Microsoft 365 Apps for enterprise to install.
178 | 179 | Since Laura wants to install the 64-bit English version of Microsoft 365 Apps for enterprise, select the **Install Office** button now. 180 | 181 | 3. If a **Just a few more steps** window appears, select **Close**. 182 | 183 | 4. In the **Downloads** window that appears at the top right-side of the page, notice the system is downloading the **OfficeSetup.exe** installation program to the LON-CL2 client PC. This is the 64-bit Microsoft 365 Apps for enterprise installation wizard. 184 | 185 | 5. Once **OfficeSetup.exe** has finished downloading, select **Open file** that appears below **OfficeSetup.exe** in the **Downloads** window. 186 | 187 | 6. If a **Do you want to allow this app to make changes to your device?** dialog box appears, enter **adatum\administrator** in the **username** box, type **Pa55w.rd** in the **Password** box, and then select **Yes**. 188 | 189 | 7. You may receive a **Continuing could be expensive** dialog box that displays a warning message indicating that it may be expensive to continue downloading because you're connected to a network that limits downloads every month.
190 | 191 | **Important:** If you receive this dialog box, it may appear in the taskbar but not on the desktop. If this occurs, hover your mouse over the **Office** icon on the taskbar, and then select the **Continuing could be expensive** dialog box if it appears. If you receive this dialog box, the Office install will NOT proceed until you select **Continue** (the Office window will just keep displaying the **We’re getting things ready** message, but it won’t actually do anything).
192 | 193 | If you received the **Continuing could be expensive** dialog box, select **Continue**. 194 | 195 | 8. The installation may take several minutes to complete. Once the installation finishes, select **Close** in the **You're all set!** window. 196 | 197 | 9. To validate Laura's Microsoft 365 Apps for enterprise installation, select the **Start** icon in the lower-left corner of the taskbar. Note all the Office apps that were just installed on LON-CL2, including Word, PowerPoint, Outlook, OneNote, and Excel, among others. 198 | 199 | 10. In the **Start** menu, select **Word**. 200 | 201 | 11. On the **Sign in to get started with Word** page, select **Sign in or create account**. On the **Activate Office** page, enter **Laura@xxxxxZZZZZZ.onmicrosoft.com** (where xxxxxZZZZZZ is the tenant prefix provided by your lab hosting provider) and select **Next**. In the **Password** field, enter the New User Password that you assigned to Laura's account and select **Sign in**. 202 | 203 | 12. On the **Automatically sign in to all desktops apps and websites on this device?** window, select **Yes, all apps**. 204 | 205 | 13. On the **You're all set!** window, select **Done**. 206 | 207 | 14. On the **Accept the license agreement** window, select **Accept**, and then select **Close**. 208 | 209 | 15. Verify that Word is functioning properly by opening a blank Word document, entering some text, and saving the document to the **Documents** folder.
210 | 211 | **Note:** If a **Check out our new look** dialog box appears, select **Not now**. 212 | 213 | 16. Close Word. 214 | 215 | 17. Now that you have completed this lab exercise by installing Microsoft 365 Apps for enterprise, you should log out of Microsoft 365 as Laura Atkins. Select Laura's user icon in the upper-right corner of the screen (the circle with LA in it), and then in Laura's property window, select **Sign out**. 216 | 217 | 18. Once Laura is signed out, close your Microsoft Edge browser. 218 | 219 | 19. You now want to log out of LON-CL2 as Laura Atkins and log back in as the local administrator. This will prepare LON-CL2 for the next lab that uses this PC.
220 | 221 | On LON-CL2, select the **Ctrl+Alt+Delete** function in your VM lab environment. 222 | 223 | 20. On the desktop menu, select **Sign out**. 224 | 225 | 21. On the login screen, select **Other user**, and enter **lon-cl2\Admin** to sign in with local credentials. Enter **Pa55w.rd** in the **Password** field and then select the forward arrow.
226 | 227 | The desktop should now display the logged-on user as **lon-cl2\admin**. LON-CL2 is now ready for the next lab that uses it. 228 | 229 | # End of Lab 2 230 | --------------------------------------------------------------------------------