Microsoft 365 for enterprise
Foundation Infrastructure
Microsoft 365 for enterprise
brings together:
Office 365 Enterprise
Windows 10 Enterprise
Enterprise Mobility +
Networking
Security (EMS)
Admins: The organization network is
optimized for access to the Microsoft
Goals
network.
Users: I get consistent performance
when accessing Microsoft 365 cloud
services.
Services,
features,
Network connectivity,
performance, and latency
measuring tools
and tools
• Which local offices need Internet
Key design
connections
• Which network hairpins to bypass
and for what types of traffic
decisions
• Which edge devices to configure
traffic bypass and for what types of
traffic
Configuration
• All offices have local Internet
connections with local DNS servers
• Appropriate network hairpins are
results
bypassed
• Edge devices and browsers are
configured for traffic bypass
Onboard a
Connect them to an on-
premises network (wired or
new user
wireless)
Monitor and
Check bandwidth utilization for each
office monthly and increase or
update
decrease as needed.
http://aka.ms/m365edeployfoundation
Build a firm IT foundation upon which Microsoft 365 applications and
services can unlock creativity and teamwork in a secure environment.
Deployment phases
Identity Windows 10 Enterprise
Admins: Authentication is secured and identities are Admins: The infrastructure is in place to
protected and managed at scale using hybrid and deploy Windows 10 Enterprise to new
governance. and existing Windows devices and keep
them updated.
Users: Authentication is secured and it's easy to
manage my authentication methods, such as Users: It’s easy to upgrade and ongoing
passwords and other factors. update installation is transparent.
• Secure user accounts • Windows Analytics
• Multi-factor authentication (MFA) or password-less • Microsoft Endpoint Configuration Manager
• Azure Active Directory (Azure AD) Privileged Identity • Microsoft Deployment Toolkit (MDT)
Management (PIM) for admin accounts (E5 only) • Deployment Image Servicing and
• Azure AD Connect with password hash synchronization (PHS) Management (DISM)
or pass-through authentication (PTA) • Windows Autopilot
• Authentication and password maintenance with password • Windows Update for Business
protection, Azure AD Seamless Single Sign-On (SSO), self- • Windows Defender Antivirus
service password reset, password writeback • Windows Defender Exploit Guard
• Dynamic and self-service group membership, automatic • Windows Defender Advanced Threat
license assignment, access reviews Protection (E5 only)
• Which identity model: cloud-only or hybrid • Choose a deployment strategy
• Which authentication method: PHS, PTA, or federated • In-place upgrade
• Use of Azure AD Seamless SSO • PC imaging
• Which conditional access policies to enforce MFA, force • Autopilot
password resets, etc. • Choose deployment and configuration tools:
• Which MFA methods to support • Microsoft Endpoint Configuration Manager
• How to protect global admin accounts (MFA, Azure AD • MDT
Privileged Identity Management [E5 only]) • Intune
• How to simplify password management (password writeback • Group Policy
and self-service password reset) • Windows PowerShell
• Which custom words to prevent in passwords • Create a phased deployment plan
• How to manage group membership: Manual, dynamic, or • Plan a servicing strategy
self-service • Assign devices to update rings
• How to manage licenses: manual or group-based • Optimize update delivery
• Which groups to manage for access reviews • Analyze and validate updates
• Azure AD Connect settings for PHS, PTA, SSO, password Infrastructure and settings for:
writeback • Deploying new devices
• Global admin account protection with MFA and Azure AD PIM • Deploying OS upgrades
(E5 only) • Deploying OS updates
• Security groups for: • Enabling Windows Defender Antivirus
• Identity-based conditional access policies • Deploying Windows Defender Advanced
• Password writeback and self-service reset enabled Threat Protection
• Dynamic group membership and automatic licensing • Deploying attack surface reduction rules
Add computer account/HW ID/other or group
Add user account to the Azure AD security groups for:
to the appropriate security groups for:
• Identity-based conditional access policies
• Windows Autopilot
• Password reset
• Device upgrades
• Automatic licensing
• Windows 10 Enterprise security features
• Monitor device health and compliance with
Windows Analytics
• Monitor directory synchronization health with Azure AD
• Monitor Windows antivirus and intrusion activity
Connect Health
with Microsoft Endpoint Configuration Manager
• Monitor sign-in activity with Azure AD Identity Protection
or Microsoft Intune
(E5 only) and Azure AD reporting
• Manage and deploy updates for Windows 10
Enterprise
December 2019
Mobile Device Information
Office 365 ProPlus
Management Protection
Admins: The infrastructure is in
Admins: The infrastructure is in place to Admins: The infrastructure is in
place to deploy Office 365 ProPlus
enroll devices, use application and place to implement and monitor
to Windows 10 Enterprise and other
conditional access policies, and secure data compliance and
devices and keep it updated.
my organization's resources. information protection.
Users: My version of Office client
Users: I can easily and safely access my Users: It’s easy to apply
applications always have the latest
work email and files on my device. sensitivity labels to documents.
features.
• Cloud-only with Intune (part of EMS)
• Office 365 sensitivity and
• Co-management with Intune and
retention labels
Microsoft Endpoint Configuration
• Office 365 Data Loss Prevention
Manager (part of EMS)
• Office Deployment Tool (ODT) (DLP)
• Mobile device management for
• Office Customization Tool • Microsoft Cloud App Security
enrolled devices
• Readiness Toolkit (E5 only)
• Mobile application management for
• Microsoft Endpoint Configuration • Office 365 Advanced Threat
all devices
Manager Protection (ATP) (E5 only)
• Conditional access using Azure AD
• Secure Score
Premium P1 and P2 (part of EMS)
• Office 365 privileged access
• Compliance policies and control
management (E5 only)
device features
• How to manage licenses and address
network capability and application
compatibility • Choose cloud-only or co- • Which security and information
• How to install: upgrade or clean install management device management protection levels
• How to deploy: • Choose how Android, macOS, iOS, • How to use sensitivity labels and
• Microsoft Endpoint Configuration and Windows devices are managed Azure Information Protection
Manager • Use Azure AD groups for app and labels
• Office Deployment Tool device access • Which sensitive information types
• Self-install from the Office portal • Deploy Office, Win32, and other apps for DLP
• Where to deploy from: cloud or local to devices • Which Office 365 ATP policies
source on your network • Force compliance with conditional • How to use Microsoft Cloud App
• What to include in Office installation access rules Security (E5 only)
packages: which Office apps, languages, • Allow or block device features and • How to use privileged access
and architectures settings management (E5 only)
• How to manage updates and which
update channels to use
• Information protection levels
• Deployment infrastructure is in place • Access is controlled using new or
• Sensitive information types
• Update management infrastructure is in existing Azure AD groups
• Sensitivity or Azure Information
place • Devices are enrolled, and apps, features,
Protection labels
• Installation packages are defined and settings are applied
• Retention labels
• All client devices are assigned to • Users with personal devices get secure
• DLP policies
deployment groups access to organization apps, such as
• Microsoft Cloud App Security
• Office applications, architectures, and email
settings (E5 only)
languages are assigned to go to client • Conditional access is enforced when
• Privileged access management
devices devices are compliant with IT rules
policies (E5 only)
• Add users to your Azure AD security
• Add user accounts to security
groups
groups for sensitivity or Azure
Add the client device to the appropriate • Add devices to your Azure AD security
Information Protection labels
deployment group. groups
• Train users on how to apply
• Assign licenses
labels to documents
• Enroll devices to receive policies
• Get inventory of devices accessing
• If updates are automatic, they’ll occur
organization services Monitor with:
without any administrative overhead
• Use Intune reports to monitor apps, • Microsoft Secure Score
• To manage updates directly, download
device compliance, and configuration • Office 365 DLP dashboard
the updates and deploy them from
profiles • Microsoft Cloud App Security
distribution points with Microsoft
• Use Power BI and the Intune Data dashboard (E5 only)
Endpoint Configuration Manager
Warehouse
© 2019 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at M365docs@microsoft.com.