Troubleshooting Microsoft Exchange Online v1.0 (MS-220)

Answer :

Step 1: Navigate to Compliance Management
Use the classic EAC to create a journal rule
In the EAC, go to Compliance management > Journal rules, and then click Add Add Icon..
In Journal rule, provide a name for the journal rule and then compete the following fields.
Etc.
Step 2: Navigate to Journal Rules.
Step 3: Create journal rules.
Reference: https://docs.microsoft.com/en-us/exchange/security-and-compliance/journaling/manage-journaling

Answer :

Box 1: Get-MigrationUser -
This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
Use the Get-MigrationUser cmdlet to view information about move and migration users.

Syntax: Get-MigrationUser -
[-BatchId <MigrationBatchIdParameter>]
[-Status <MigrationUserStatus>]
[-StatusSummary <MigrationUserStatusSummary>]
[-DomainController <Fqdn>]
[-ResultSize <Unlimited>]
[-Partition <MailboxIdParameter>]
[<CommonParameters>]
Incorrect:
* Get-MailboxStatistics has no parameter batchID

Box 2: -Status -
The Status parameter returns information about migration users that have the specified status state. Use one of the following values:

Completed -

CompletedWithWarnings -

Completing -

CompletionFailed -

CompletionSynced -

Corrupted -

Failed -

IncrementalFailed -

IncrementalStopped -

IncrementalSynced -

IncrementalSyncing -

Provisioning -

ProvisionUpdating -

Queued -

Removing -

Starting -

Stopped -

Stopping -

Synced -

Syncing -

Validating -

Box 3: Failed -
Incorrect:
* -BatchId
The BatchId parameter specifies the name of the migration batch for which you want to return users.
Reference:
https://docs.microsoft.com/en-us/exchange/mailbox-migration/manage-migration-batches

Answer :

Box 1: Get-FederationTrust -

Cause -
This issue occurs if the certificate, and other metadata information, in the Microsoft Federation Gateway (or in the on-premises environment) becomes outdated or invalid.

Resolution -
To resolve this issue, refresh the metadata by running the Get-FederationTrust | Set-FederationTrust -RefreshMetadata command.

Box 2: Set-FederationTrust -

Box 3: -RefreshMetadata -
Reference: https://docs.microsoft.com/en-us/exchange/troubleshoot/calendars/freebusy-lookups-stop-working

Answer : A

The Get-IntraOrganizationConfiguration mdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
Use the Get-IntraOrganizationConfiguration cmdlet to view the component settings of a hybrid Exchange deployment.
Note: A hybrid Exchange deployment results in one logical organization made up of a number of physical Exchange instances. Hybrid Exchange environments contain more than one Exchange instance and support topologies like two on-premises Microsoft Exchange forests in an organization, an Exchange on-premises organization and an Exchange Online organization or two Exchange Online organizations.
Incorrect:
* Get-IntraOrganizationConnector
Intra-Organizational connectors enable features and services between divisions in your Exchange organization. It allows for the expansion of organizational boundaries for features and services across different hosts and network boundaries, such as between Active Directory forests, between on-premises and cloud-based organizations, or between tenants hosted in the same or different datacenters.
* Use the Get-OrganizationRelationship cmdlet to retrieve settings for an organization relationship that has been created for federated sharing with other federated Exchange organizations or for hybrid deployments with Exchange Online.
* Use the Get-AvailabilityAddressSpace cmdlet to view existing availability address space objects that are used to share free/busy data across Exchange organizations.
Reference: https://docs.microsoft.com/en-us/powershell/module/exchange/get-intraorganizationconfiguration

Answer :

Box 1: Set-OrganizationRelationShip
Use the Set-OrganizationRelationship cmdlet to modify existing organization relationships. Organization relationships define the settings that are used with external Exchange organizations to access calendar free/busy information or to move mailboxes between on-premises Exchange servers and Exchange Online as part of hybrid deployments.

Box 2: -TargetAutodiscoverEpr -
-TargetAutodiscoverEpr
The TargetAutodiscoverEpr parameter specifies the Autodiscover URL of Exchange Web Services for the external organization, for example, https://contoso.com/autodiscover/autodiscover.svc/wssecurity. Exchange uses Autodiscover to automatically detect the correct Exchange server endpoint to use for external requests.
Incorrect:
* Set-HybridConfiguration
Use the Set-HybridConfiguration cmdlet to modify the hybrid deployment between your on-premises Exchange organization and Exchange Online in a Microsoft 365 for enterprises organization.
Syntax:

Set-HybridConfiguration -
[-ClientAccessServers <MultiValuedProperty>]
[-Confirm]
[-DomainController <Fqdn>]
[-Domains <MultiValuedProperty>]
[-EdgeTransportServers <MultiValuedProperty>]
[-ExternalIPAddresses <MultiValuedProperty>]
[-Features <MultiValuedProperty>]
[-Name <String>]
[-OnPremisesSmartHost <SmtpDomain>]
[-ReceivingTransportServers <MultiValuedProperty>]
[-SecureMailCertificateThumbprint <String>]
[-SendingTransportServers <MultiValuedProperty>]
[-ServiceInstance <Int32>]
[-TlsCertificateName <SmtpX509Identifier>]
[-TransportServers <MultiValuedProperty>]
[-WhatIf]
[<CommonParameters>]
* Set-OnPremisesOrganization
Use the Set-OnPremisesOrganization cmdlet to modify the parameters of the OnPremisesOrganization object on the Microsoft 365 tenant.
Syntax:

Set-OnPremisesOrganization -
[-Identity] <OnPremisesOrganizationIdParameter>
[-Comment <String>]
[-Confirm]
[-HybridDomains <MultiValuedProperty>]
[-InboundConnector <InboundConnectorIdParameter>]
[-OrganizationName <String>]
[-OrganizationRelationship <OrganizationRelationshipIdParameter>]
[-OutboundConnector <OutboundConnectorIdParameter>]
[-WhatIf]
[<CommonParameters>]
Reference: https://docs.microsoft.com/en-us/powershell/module/exchange/set-organizationrelationship

Answer :

Box 1: Get-MoveRequest -

Example -
Get-MoveRequest -MoveStatus InProgress | Suspend-MoveRequest
This example suspends all move requests that are in progress by using the Get-MoveRequest cmdlet to retrieve all move requests with a MoveStatus value of InProgress and then pipelining the output to the Suspend-MoveRequest cmdlet.

Box 2: InProgress -

Box 3: Suspend-MoveRequest -
Reference: https://docs.microsoft.com/en-us/powershell/module/exchange/suspend-moverequest

Answer : A

Use the Stop-MigrationBatch cmdlet to stop the processing of a migration batch that's in progress.
Use the Start-MigrationBatch cmdlet to start a move request or migration batch that was created with the New-MigrationBatch cmdlet.

Note: Cause -
The issue can occur if the public folder mailbox migration request that is associated with the migration user is missing or corrupted.

Resolution -
Stop the migration batch.Note: Terminating the migration batch may take some time to finish.
Make sure that the migration batch has reached the "Stopped" state.
Restart the migration batch. This will re-create the missing public folder migration request.
Reference: https://docs.microsoft.com/en-us/powershell/module/exchange/stop-migrationbatch https://docs.microsoft.com/en-us/powershell/module/exchange/start-migrationbatch https://docs.microsoft.com/en-us/exchange/troubleshoot/migration/subscription-wasnt-found-for-user-error

Answer : D

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use mail flow rules (also known as transport rules) to identify and take action on messages that flow through your organization.
Mail flow rules are similar to the Inbox rules that are available in Outlook and Outlook on the web (formerly known as Outlook Web App). The main difference is mail flow rules take action on messages while they're in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.
Reference: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules

Answer :

Get the certificate, and then set both connectors (Send and Receive)
Incorrect:
No need to use wizards.
Reference: https://practical365.com/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/

Answer :

Box 1: No -
p=none - Policy is set to none
sp=reject
Note: The 'p=none' part of the record above specifies the requested policy that mail receivers should apply. A policy of 'none' means this DMARC record won't affect the delivery of your email, but it will provide you with reports on where your outbound email appears to be coming from.
Start with a simple monitoring-mode record for a sub-domain or domain that requests that DMARC receivers send you statistics about messages that they see using that domain. A monitoring-mode record is a DMARC TXT record that has its policy set to none (p=none). Many companies publish a DMARC TXT record with p=none because they're unsure about how much email they may lose by publishing a more restrictive DMARC policy.

Box 2: No -
p=quarantine
sp=reject
How to handle subdomains?
It's important to note that you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top-level domain.
A wildcard SPF record (*.) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example:
*.subdomain.contoso.com. IN TXT "v=spf1 -all"

Box 3: Yes -
p=recect
sp=reject
pct=50
pct=50 indicates that this rule should be used for 50% of email.
Note: How Microsoft 365 handles inbound email that fails DMARC
If the DMARC policy of the sending server is p=reject, Exchange Online Protection (EOP) marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way. Admins can define the action to take on messages classified as spoof within the anti-phishing policy.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email

Answer :

Step 1: Open the Microsoft 365 Defender portal (1 below)
Step 2: Select Email & collaboration (1 below)
Step 3: Select Review (1 below)
Step 4: Select Quarantine.. (1-3 below)
Use the Microsoft 365 Defender portal to manage quarantined email messages

View quarantined email -
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.
On the Quarantine page, verify that the Email tab is selected.
You can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
Time received*
Subject*
Etc.
4. To filter the results, click Filter. Etc.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide

Answer : D

Message trace in the modern Exchange admin center (modern EAC) follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
Message trace in the modern EAC improves upon the original message trace that was available in the classic Exchange admin center (classic EAC). You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.
Incorrect:
Not C: This applies only to Exchange Server.
The message tracking log is a detailed record of all activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. You can use message tracking for message forensics, mail flow analysis, reporting, and troubleshooting.
Reference: https://docs.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/message-trace-modern-eac https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking

Answer : C

IPV=CAL- The message skipped spam filtering because the source IP address was in the IP Allow List.
Note: SFV=SPM indicates that the message is filtered for spam.
SRV=BULK - The message was identified as bulk email by spam filtering and the bulk complaint level (BCL) threshold.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers

Answer :

Step 1: Launch the Exchange admin center.
Step 2: Navigate to Mail flow and create a new rule.
Step 3: Select apply this rule if drop down list and select File extension includes these words.
Step 4: Enter .zip as the file extension to block and select block the message action.
How to reduce malware threats through file attachment blocking in Exchange Online Protection
To create a rule to block attachments that contain executable content in Exchange Online Protection, follow these steps:
Sign in to the Exchange admin center.
Select mail flow, select rules, select New ( ), and then select Create a new rule.
In the Name box, specify a name for the rule, and then select More options.
Under Apply this rule if, point to Any attachment, and then select has executable content near the bottom of the page.
Under Do the following, point to Block the message, and then select the action that you want.
Select save.
Reference: https://docs.microsoft.com/en-us/exchange/troubleshoot/antispam-and-protection/how-to-reduce-malware-threats-via-file-attachment-blocking

Answer :

Step 1: New-ExchangeCertificate -
New-ExchangeCertificate with the GenerateRequest switch.
Create an Exchange Server certificate request for a certification authority.
* You can create new self-signed certificates and configure the certificates for Exchange services in one step.

Or -
* The procedures are the same for an internal CA (for example, Active Directory Certificate Services) or a commercial CA.
Step 2: Import-ExchangeCertificate
Import-ExchangeCertificate - After you receive the certificate file or files from the CA, you install them on the Exchange server.
Complete a pending Exchange Server certificate request
Step 3: Enable-ExchangeCertificate
Assign certificates to Exchange Server services.
Use the Exchange Management Shell to assign a certificate to Exchange services
To assign a certificate to Exchange services, use the following syntax:
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services <Service1>,<Service2>... [-Server <ServerIdentity>]
This example assigns the certificate that has the thumbprint value 434AC224C8459924B26521298CE8834C514856AB to the POP, IMAP, IIS, and SMTP services.
Enable-ExchangeCertificate -Thumbprint 434AC224C8459924B26521298CE8834C514856AB -Services POP,IMAP,IIS,SMT
Reference: https://docs.microsoft.com/en-us/exchange/architecture/client-access/certificate-procedures https://docs.microsoft.com/en-us/exchange/architecture/client-access/assign-certificates-to-services