MS-900T01: Microsoft 365 Fundamentals
MCT USE ONLY. STUDENT USE PROHIBITED
Contents
Module 0 Introduction (page 1)
  Course introduction (page 1)
Module 1 Cloud concepts (page 3)
  Cloud computing overview (page 3)
  Microsoft cloud services (page 17)
  Migrating to cloud services (page 22)
  Lab - Cloud Fundamentals (page 26)
  Module Assessment (page 30)
Module 2 Core Microsoft 365 services (page 41)
  Microsoft 365 core services (page 41)
  Microsoft on-premises services vs cloud services in Microsoft 365 (page 57)
  Unified endpoint management in Microsoft 365 (page 65)
  Collaboration in Microsoft 365 (page 75)
  Lab - Configuring Microsoft 365 tenant (page 78)
  Module Assessment (page 81)
Module 3 Security, compliance, privacy, and trust in Microsoft 365 (page 89)
  Organization security review (page 89)
  Identity basics (page 95)
  Device and data protection (page 104)
  Compliance in Microsoft 365 (page 114)
  Lab - Implement security and compliance in Microsoft 365 (page 120)
  Module Assessment (page 123)
Module 4 Microsoft 365 pricing and support (page 131)
  Microsoft 365 subscriptions, licenses, and billing (page 131)
  Support in Microsoft 365 (page 138)
  Lab - Managing subscriptions, licensing, and support in Microsoft 365 (page 144)
  Module Assessment (page 148)
Module 0 Introduction
Course introduction
Welcome
Module 1 Cloud concepts
The goal of cloud computing is to make running a business easier and more efficient, whether it's a small
start-up company or a large enterprise. Every business is unique and has different needs. To meet those
needs, cloud computing providers offer a wide range of services. Some of the most common types
include:
●● Compute services. Enables you to run your own web apps, databases, virtual machines, and other types of computing in the cloud instead of on local hardware. An example of compute services is Microsoft Azure Virtual Machines.
●● Communications services. Provides communications between users. Examples of communication services include Microsoft Exchange Online and Microsoft Teams. Exchange Online provides email, calendar, and contact sharing, and Teams provides instant messaging, computer-to-computer audio and video calls, screen sharing, and an integrated platform for sharing documents and collaboration.
●● Productivity services. Allows users to work and collaborate. An example of productivity services is Microsoft Office 365, which provides a comprehensive collaboration platform for the entire organization.
●● Search services. Provides search functionality for custom applications. In addition, it can provide a search engine and data storage that can be accessed through an API. An example of search services is Azure Search.
●● Storage services. Provides a storage platform for data. By storing data in the cloud, any user or device can access it. Examples of storage services are Microsoft Azure Storage and Microsoft OneDrive for Business.
Let’s look at what a cloud is, based on the concept of running some type of application in the cloud. Let’s
see what that means and what it involves.
●● Technical personnel. Based on the technology used, you will need technical expertise and a workforce to install, deploy, and manage the systems at the datacenter. The staffing expense to run the server is an OpEx.
Public cloud
This is the most common deployment model. In the public cloud model, you have no local hardware to
manage or keep up-to-date—everything runs on your cloud service provider’s hardware. This means that
the information technology infrastructure (hardware, servers, software, and other infrastructure items) is
located somewhere other than your datacenter, and is managed by a third party.
There are two variants of a public cloud:
●● Shared public cloud is where many companies share common resources (such as email) within the same cloud service provider’s environment. Each company is only aware of its own cloud services account (also known as a tenant); only the cloud service provider who manages this multi-tenant environment is aware of the different accounts running within the same cloud. This model works well for smaller businesses that are looking to save additional costs, because sharing computing resources with other cloud users is cheaper than reserving resources for a single account.
●● Dedicated public cloud is typically for enterprise organizations that require a dedicated physical infrastructure that is reserved for only their use. While the cost might be higher than that of the shared public cloud, the dedicated public cloud might offer better security, performance, and customization.
Private cloud
In a private cloud, you create a cloud environment in your own datacenter and provide self-service access
to compute resources to users in your organization. This model offers a simulation of a public cloud to
your users, but you remain entirely responsible for the purchase and maintenance of the hardware and
software services you provide.
Some reasons teams move away from the private cloud are:
●● You have to purchase the hardware for startup and maintenance.
●● Private clouds require IT skills and expertise that can be hard to find.
Hybrid cloud
A hybrid cloud combines public and private clouds, allowing you to run your applications in the most
appropriate location. For example, you could host a website in the public cloud, but link it to a highly
secure database hosted in your private cloud (or on-premises datacenter).
This is helpful when you have some things that cannot be put in the cloud. Example reasons might
include:
●● Sensitive data. You have data that cannot be exposed publicly (such as medical data).
●● Extend capabilities of on-premises systems. You have applications that run on old hardware and
can’t be updated. In this case, you keep the old system running locally, and connect it to the public
cloud for authorization or storage.
●● Reduce data protection costs. You want to implement public key infrastructure (PKI) and Information
Rights Management Services (RMS) infrastructure locally for data protection, but doing so would be
expensive. Instead, you can enable these features from the cloud, and they will protect both your
cloud and on-premises documents and data.
Some hybrid cloud concerns you'll need to watch out for are:
●● It can be more expensive than selecting just one (public or private) deployment model.
●● It can be more complicated to set up and manage.
IaaS is the most flexible category of cloud services. It aims to provide you with complete control over the
hardware that runs your application. However, instead of having to purchase hardware—such as servers,
switches, routers, storage area networks, and firewalls—with IaaS, you rent it.
PaaS provides an environment for buying, building, testing, deploying, and running software applications.
The goal of PaaS is to help you create an application as quickly as possible without having to worry about
managing the underlying infrastructure. For example, when deploying a web application using PaaS, you
don't have to install an operating system, web server, or even system updates.
1 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_01_01_04_CloudComputingtutorial.html
SaaS is software that is centrally hosted and managed for the end customer. It is usually based on an
architecture where one version of the application is used for all customers, and runs on demand through
either remote desktop services or a web browser. The software is typically licensed through a monthly or
annual subscription.
2 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_01_01_05_TypesCloudServicestutorial.html
Compliance
Many organizations have regulations and policies that they must comply with to operate in various
industries. For example, companies working in the health industry have to follow HIPAA. These policies
can be quite complex based on the type of industry, geographical location of the organization, and
company-based policies. Further complicating matters is the fact that legal and regulatory bodies might
change the responsibilities of both the cloud-computing tenants and providers.
An organization that does not protect its data could be subject to a fine by one or more government or industry regulatory bodies. Some of these fines can be substantial, crippling a small or mid-sized business.
Laws or regulations typically specify who within an organization should be held responsible for data
accuracy and security. For example, the Sarbanes–Oxley Act designates the Chief Financial Officer (CFO)
and Chief Executive Officer (CEO) as having joint responsibility for the financial data, while the Gramm–
Leach–Bliley Act specifies that the responsibility for security lies within the entire board of directors. These
both are in contrast to the United States Federal Trade Commission (FTC), which requires a specific
individual to be accountable for the information security program within a company.
All these regulations pertain to cloud computing. If you store any of your data in the cloud, you must
ensure that your cloud service provider follows all legal and regulatory requirements. Remember, it’s still your responsibility to ensure these requirements are met, so do your due diligence before signing any
contract. Then after the contract is signed, take steps to ensure that compliance is maintained to protect
your company and your customers.
Data protection
When running services and storing data in the cloud, you should follow the standard best practices for
security, just as you would on any on-premises network:
●● Always use strong passwords and ensure the passwords are changed regularly.
●● Always set rights and permissions for only what is needed, and review them on a regular basis. However, because data consists of confidential information, you should consider using encryption.
●● Perform regular auditing and monitoring.
When considering protection for data in the cloud, explore how to best protect your data both where it’s
stored, and when it’s being used or transmitted:
●● For data that is at rest (sitting on a disk somewhere in the cloud), you should encrypt the disks or files on the disks. Office 365 Data Loss Protection and Azure Information Protection—both part of Microsoft 365—collectively offer end-to-end discovery, custom labeling, and automated protection of sensitive data, irrespective of when the data was created or where it is stored—even in PDFs and RMS-encrypted files.
●● When transmitting important data (data on the move) such as credit card or social security numbers,
use HTTPS to encrypt the data.
costs associated with purchasing new servers and additional hardware for storage—especially when
planning for growth and purchasing larger amounts than the currently required capacity—they could
obtain similar resources based on a cloud computing model. Doing so would enable their business to
gain the benefits of the latest versions of Exchange and SharePoint immediately and without any up-front
costs.
Another example: if you are running an application used by employees, you can have the cloud automatically add resources for the core hours during which most people access the application, and then remove the resources at the end of the day.
Information workers. This includes those in office roles such as business, sales, accounting, engineering, administration, management, and design. These are the people who gather information and use technology tools to gain visibility into the state of the business, company products, and services. Information is their input, and with the right productivity tools in hand, they develop products, establish schedules, determine costs, and gain insight into the nature of the business.
Firstline workers. These include customer service, support and repair technicians, service professionals,
and more. These are the people who sit on the company’s “first line” and are commonly the first point of
contact for customers. Therefore they play a key role in representing a company’s brand by establishing
the best customer experience. These employees need the right productivity and collaboration tools to
empower them to do their best work. They also need to connect securely through any device wherever
they are, and use the most up-to-date software to keep information protected.
Microsoft 365 blends critical business tasks with technology solutions to meet the needs of modern
businesses and all sorts of busy professionals—firstline workers, information workers, and executives
alike. Microsoft 365 improves enterprise collaboration, provides a modernized system that is continually
updated, and increases productivity for your modern workforce, no matter where your employees are or
what devices they’re using.
You’ll learn more about Microsoft 365 in the next lesson.
For more information about solutions that Microsoft offers firstline workers, go to https://blogs.technet.microsoft.com/skypehybridguy/2018/01/04/firstline-worker-your-most-valuable-employees/.
What is Azure?
Watch the following short video that gives you a conceptual understanding of what Azure is and how it
works.
As you’ve just seen in the video, Azure delivers the power of the cloud; you just need to know how to
harness it. In fact, it contains more than 100 services, including:
●● Azure Active Directory (Azure AD or AAD). Provides identity management and access control capabilities for your cloud applications. It can be synchronized with the on-premises domain controllers. You can also enable Single Sign On (SSO) to simplify user access to cloud applications and to support conditional access.
●● Azure Information Protection. Protects confidential or sensitive information by using encryption,
identity, and authorization policies.
●● Backup. Allows you to back up to and restore from the cloud using familiar tools in Windows 2016,
Windows Server 2012/Windows Server 2012 R2, or Microsoft System Center 2012 R2/2016 Data
Protection Manager.
●● Content Delivery Network. Allows you to deliver high-bandwidth content to users around the world
with low latency and high availability via a robust network of global datacenters.
●● Key Vault. Offers an easy, cost-effective way to safeguard keys and other secrets in the cloud using
hardware security modules (HSMs).
●● Machine Learning. Allows you to easily design, test, operationalize and manage predictive analytics
solutions in the cloud.
●● Media Services. Offers cloud-based media solutions from several existing technologies, including
ingest, encoding, format conversion, content protection, and both on-demand and live-streaming
capabilities.
●● Mobile Services. Provides a scalable cloud backend for building Microsoft Store, Windows Phone,
Apple iOS, Android, and HTML/JavaScript applications. It can be used to store data in the cloud,
authenticate users, or send push notifications to your application within minutes.
●● Multi-Factor Authentication. By having more than one method of authentication, you can help
prevent unauthorized access to both on-premises and cloud applications.
●● Stream Analytics. Provides an event-processing engine that helps uncover insights from devices,
sensors, cloud infrastructure, and existing data properties in real time.
●● Virtual Machines. Enables you to deploy a Windows Server or Linux image in the cloud.
●● Virtual Network. Enables you to create virtual private networks within Azure, and then securely link
those networks with an on-premises network.
For more information about all the products Azure has to offer, go to https://azure.microsoft.com/en-in/services/.
●● How widespread is our workforce? Which cloud environment offers the largest number of regional
datacenters to maximize cloud computing performance to our firstline employees?
Every cloud computing solution has its own strengths. Organizations should carefully review what is most
important to their cloud strategy and investigate each service provider to determine the best fit.
The Microsoft cloud offering can be an excellent solution for companies with any of the following
requirements:
●● Extract more value from existing investment in Microsoft technologies. If you have already
invested in Microsoft technologies, you can easily extend their capabilities and provide a consistent
experience across your entire technology stack. You can establish a hybrid coexistence that natively
integrates your on-premises Microsoft-based infrastructure with the cloud. This includes native
integration with Active Directory, and building and deploying apps for both cloud and on-premises
environments.
●● Work with end-to-end development and management tools. Azure offers unparalleled manageability with all-in-one dashboards to monitor, manage, and protect your cloud resources. Microsoft also caters to all types of developers by supporting the most popular development environments. In fact, Microsoft is the only cloud service provider with integrated support for Red Hat, and also had the
●● Access a comprehensive set of compliance offerings. For organizations that are concerned about compliance and security in the cloud, Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-US Privacy Shield and EU Model Clauses.
●● Increase productivity and security while reducing IT overhead. For smaller companies who want
the benefit of always having the latest and greatest version of Microsoft productivity tools without
needing an IT department to manage updates, Microsoft 365 combines familiar productivity tools
with enhanced security and management features to enable a modern workforce from the cloud.
●● Leverage a global footprint. For global enterprises that need to ensure their cloud services provider can deliver the scale and performance to regional locations, Microsoft has 54 regions spanning 140 countries—the most global regions of any cloud provider—to help bring applications closer to users around the world.
this context to emphasize how everything is moved (or migrated) from the old to the new with the intent
of deprecating the old system once the migration is complete.
If, however, a company wants to establish a hybrid environment where their new Microsoft 365 subscription will extend their existing Exchange servers, then a coexistence is established, linking the on-premises Active Directory and Exchange Server to their online Azure Active Directory and Exchange Online counterparts. We use the term coexistence in this situation to emphasize how two different systems—one on-premises, and the other in the cloud—connect and work together in an ongoing fashion as a single service (such as email).
Migration considerations
It’s common in both large and small organizations to still be running some older versions of server and
computer operating systems, and Microsoft Office programs. To maximize the business value of the
Microsoft 365 integrated suite of products, begin planning and implementing a strategy to migrate:
●● The Office client installed on your computers to Office 365 ProPlus:
    ●● Office 2013 and 2016 are the currently supported versions, but will require ongoing updates that might not scale well with your organization. Instead of maintaining and updating computers with these standalone products, consider updating and assigning Microsoft 365 licenses.
    ●● Office 2010 will no longer be supported in 2020. Instead of upgrading to Office 2013 or 2016, which require manual updates, consider providing Microsoft 365 licenses for these users.
    ●● Office 2007 is no longer supported. Rather than upgrading your computers running Office 2007 with Office 2010, Office 2013, or Office 2016, consider obtaining and assigning Microsoft 365 licenses for your users.
●● Office servers installed on your servers to their equivalent services in Office 365:
    ●● Office Server 2013 and Office Server 2016 products such as Exchange Server and SharePoint Server are supported, but to take advantage of the cloud-based service and enhancements to digitally transform your business, consider migrating the data on your Office 2016 servers to Office 365. When there is no longer a need for the on-premises servers running Office 2016 server products, you can decommission them.
    ●● Some Office Server 2010 products have a specified end-of-support date. Rather than upgrading your server products in the Office 2013 release with server products in the Office 2016 release, consider migrating their data to Office 365, rolling out the new functionality and work processes to your users, and decommissioning your on-premises servers running Exchange Server 2013 and SharePoint Server 2013 when you no longer need them.
    ●● Office Server 2007 products are no longer supported. Instead of upgrading your server products in the Office 2007 release with server products in the Office 2010, Office 2013, or Office 2016 releases, consider migrating the data on your Office 2007 servers to Office 365. To help with this, hire a Microsoft partner. You can then roll out the new functionality and work processes to your users, and then decommission the on-premises servers running Office 2007 server products when you no longer need them.
●● Windows 7 and Windows 8.1 on your devices to Windows 10 Enterprise:
    ●● To migrate your devices running Windows 7 or Windows 8.1, you can perform an in-place upgrade to Windows 10.
Accomplishing all of these migrations over time brings your organization closer to the modern workplace: a secure and integrated environment that unlocks teamwork and creativity in your organization through Microsoft 365.
Scenario 1
Company profile: Northwind Traders
Northwind Traders is a three-generation, family-owned import/export company.
Challenge
The company’s growth over the past several years and their employee demands for better collaboration
tools to connect remote offices around the Pacific Rim are outpacing the company’s small IT team.
The IT lead is spending all her time trying to keep their outdated business systems running. She wants to
be able to upgrade the company’s old Microsoft SharePoint Server 2007, which has run out of space.
However, the IT budget is tight, and there would need to be a large up-front investment in new servers,
server licenses, storage, and more. Employee machines are running a mix of Windows 7, 8, and 10 operating systems, and old versions of Microsoft Office—all with no centralized management of updates.
Furthermore, the proliferation of mobile devices that are frequently connecting to the company’s network
is making her concerned about the potential of an unhealthy device infecting their corporate systems.
Moreover, they’ve been using a free web-based email system that isn’t delivering the business-class services they need. They want to move completely away from this insecure mail and adopt a business-class mail system without having to pay huge up-front licensing and hardware costs.
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
SaaS
What type of cloud do you recommend? (Choose one)
Public
Private
Hybrid
What type of migration model do you recommend? (Choose one)
Cloud-only
Co-existence
Scenario 2
Company profile: Contoso, Ltd.
Contoso is a large manufacturing corporation with almost 60,000 employees throughout North America.
Challenge
Like many large enterprises, Contoso has developed customized on-premises-based line-of-business apps for many critical processes. These apps help them with their manufacturing processes, both upstream from materials suppliers, and downstream to order processing and customer billing.
Many of these systems are old and inflexible, and the IT organization within Contoso is looking for a way to use the cloud to extend these apps’ capabilities, empowering remote workers, suppliers, and customers to more easily identify requirements, confirm production, and fill orders.
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
SaaS
What type of cloud do you recommend? (Choose one)
Public
Private
Hybrid
What type of migration model do you recommend? (Choose one)
Cloud-only
Co-existence
Scenario 3
Company profile: First Up Consultants
First Up Consultants is a medium-sized consulting firm that builds customized applications for medical
businesses.
Challenge
First Up Consultants wants to be able to rapidly spin up virtual machines (VMs) to test new versions of
their software products. This historically has resulted in major CapEx costs associated with new high-end
servers and storage hardware, along with a significant amount of administrative overhead to plan for and
implement all the hardware updates in the company’s datacenter.
The biggest problem has always been one of accurate forecasting, because they either purchase too
much capacity that goes unused—wasting CapEx resources, or they run out of capacity too soon. They
want to significantly reduce their CapEx, in addition to reducing the administrative overhead associated
with each new wave of hardware. The solution First Up Consultants selects must support any type of
environment customization to suit their development needs—and enable them to reduce charges
whenever a system isn’t needed.
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
SaaS
What type of cloud do you recommend? (Choose one)
Public
Private
Hybrid
What type of migration model do you recommend? (Choose one)
Cloud-only
Co-existence
Module Assessment
Questions
Checkbox
Which of the following costs are considered capital expenditures (CapEx)? (Choose all that apply.)
Electricity consumed in a datacenter
Administrator’s time for managing accounts
Physical servers
Networking hardware
Checkbox
What types of services does Microsoft Azure offer? (Choose all that apply.)
Directory services
Backup
Streaming media services
Virtual machines
Multiple choice
Your company is running Microsoft Exchange Server 2007 and your employees use Microsoft Office 2007.
You need to update your systems, but you want to minimize your CapEx impact. Which of the following is
the best solution? (Choose the best answer.)
Purchase Exchange Server 2016 and Office 2016.
Purchase Exchange Server 2010 and Office 2010.
Subscribe to Microsoft 365.
Multiple choice
You want a cloud subscription model that is the least expensive way to access services that are strictly
hosted by a cloud service provider. Which cloud model describes this? (Choose the correct answer.)
Shared public cloud
Dedicated public cloud
Hybrid cloud
MCT USE ONLY. STUDENT USE PROHIBITED
Module Assessment 31
Multiple choice
Your company is running your on-premises Exchange Servers at capacity. If you want to obtain a Microsoft
365 subscription to extend your existing servers with Exchange Online-based mail, what type of migration
model would you follow? (Choose the correct answer.)
Establish a cloud-only environment where you fully migrate from on-premises to cloud.
Establish an on-premises-only environment where you fully migrate from the cloud to on-premises.
Establish a hybrid environment where you establish coexistence between on-premises and the cloud.
Checkbox
Which of the following are components that are included with Microsoft 365? (Choose all that apply.)
Microsoft Office 365
Office 2016
Windows 10 Pro
Windows 10 Enterprise
Enterprise Mobility + Security
Multiple choice
You want to leverage the cloud to host virtual machines (VMs). Which type of cloud service is this? (Choose
the correct answer.)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Multiple choice
Which type of cloud service would have the cloud service provider managing apps as a service? (Choose the
correct answer.)
IaaS
PaaS
SaaS
Checkbox
You’re exploring which cloud service to subscribe to. Which of the following are reasons to select Microsoft
365? (Choose all that apply.)
You want to extract more value from your existing investment in Microsoft technologies.
You want to be able to work with the most popular development environments, including Red Hat.
You want access to a comprehensive set of compliance offerings.
You want to maximize CapEx and minimize Operating Expenditures (OpEx).
Checkbox
Which of the following situations would be best served by utilizing a hybrid cloud? (Choose all that apply.)
You have sensitive data that can’t be exposed publicly (such as medical information).
You want to reduce your CapEx costs by eliminating all your on-premises systems.
You want to extend the capabilities of your on-premises systems.
You want to reduce your data protection costs.
Checkbox
Which of the following do Amazon Web Services (AWS) and Google Cloud offer in common with Microsoft
cloud services? (Choose all that apply.)
Cloud-based compute power
Native integration with Active Directory
Hot and cold cloud-based data storage
Office 365 productivity tools
Multiple choice
Which type of cloud service provides an environment for buying, building, testing, deploying, and running
software applications? (Choose the correct answer.) <<( ) Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Checkbox
In which circumstances would a cloud-only migration model be a good choice? (Choose all that apply.)
You have a large investment in on-premises infrastructure that you want to continue to leverage.
You’re a smaller company with minimal in-house technical resources.
You want to completely move away from your existing on-premises systems.
Checkbox
Which of the following regulations apply to cloud computing? (Choose all that apply.)
Endangered Species Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes–Oxley Act
Gramm–Leach–Bliley Act (GLBA)
Checkbox
Which of the following are considered cost benefits of cloud computing? (Choose all that apply.)
You shift the costs associated with the datacenter to the cloud service provider.
Cloud computing’s pay-per-use model guarantees cost savings, because accounts are never wasted.
If you actively manage your subscription, you can save money by deprovisioning unneeded resources
to stop being charged for them.
Answers
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
■■ SaaS
Explanation
SaaS. The company can subscribe to Microsoft 365 to give every employee access to the latest version of
Office productivity tools—including Microsoft Teams, and Skype for Business. These tools, along with
Microsoft SharePoint Online, will significantly improve how the remote offices collaborate with each other.
Office and Windows management will be streamlined by upgrading everyone to the latest versions, and
then utilizing Microsoft 365’s management tools to manage all devices—including mobile devices.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
Private
Hybrid
Explanation
Public cloud. Pricing is paramount, so the Operating Expenditures (OpEx)–oriented public cloud is optimal
for this company.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
Co-existence
Explanation
Cloud-only migration model. Because the current mail is a free, web-based service that they’ll gladly
move off in favor of Microsoft Exchange Online, there is no need for coexistence with it. Similarly, moving
their files from their outdated SharePoint Server 2007 to the cloud will enable them to decommission their
old machines.
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
■■ PaaS
SaaS
Explanation
PaaS. Because PaaS supports building, testing, and deploying software applications that will connect to
their legacy line-of-business systems, this would be the best choice. Different apps can be purpose-built for
the various roles (such as sales, suppliers, and fulfillment), with each app providing the appropriate access
into the line-of-business systems, securely, and from any mobile device.
Dropdown
What type of cloud do you recommend? (Choose one)
Public
Private
■■ Hybrid
Explanation
Hybrid cloud. This type of cloud is preferred for Contoso, as it enables the new web apps in the cloud to
connect to their on-premises line-of-business systems.
Dropdown
What type of migration model do you recommend? (Choose one)
Cloud-only
■■ Co-existence
Explanation
Coexistence migration model. Although coexistence is more complicated to establish, this type of model
is critical for Contoso because it maintains their investment in their existing line-of-business systems, and
uses their new cloud environment as an extension to their on-premises infrastructure.
Dropdown
What type of cloud service do you recommend? (Choose one)
■■ IaaS
PaaS
SaaS
Explanation
IaaS. This model is perfect for First Up Consultants, because it allows them to host all the VMs that they
need to test with. IaaS gives them control over the virtual machines and the operating systems that run
their applications, so they can run them only when they are needed. When they don’t need to run the VMs,
they can deallocate them so that only their disks are billed as storage, which costs far less than compute.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
Private
Hybrid
Explanation
Public cloud. Because First Up Consultants wants to significantly reduce their hardware costs and
minimize the amount of time their administrators spend configuring new hardware, a public cloud gives
them a platform for their VMs while relieving them of the associated hardware and administrative costs.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
Co-existence
Explanation
Cloud-only migration model. First Up Consultants could migrate any existing on-premises VMs and
other systems to the cloud, then deprecate those machines to free up space and reduce their operational
costs.
Checkbox
Which of the following costs are considered capital expenditures (CapEx)? (Choose all that apply.)
Electricity consumed in a datacenter
Administrator’s time for managing accounts
■■ Physical servers
■■ Networking hardware
Checkbox
What types of services does Microsoft Azure offer? (Choose all that apply.)
■■ Directory services
■■ Backup
■■ Streaming media services
■■ Virtual machines
Multiple choice
Your company is running Microsoft Exchange Server 2007 and your employees use Microsoft Office 2007.
You need to update your systems, but you want to minimize your CapEx impact. Which of the following is
the best solution? (Choose the best answer.)
Purchase Exchange Server 2016 and Office 2016.
Purchase Exchange Server 2010 and Office 2010.
■■ Subscribe to Microsoft 365.
Multiple choice
You want a cloud subscription model that is the least expensive way to access services that are strictly
hosted by a cloud service provider. Which cloud model describes this? (Choose the correct answer.)
■■ Shared public cloud
Dedicated public cloud
Hybrid cloud
Multiple choice
Your company is running your on-premises Exchange Servers at capacity. If you want to obtain a
Microsoft 365 subscription to extend your existing servers with Exchange Online-based mail, what type of
migration model would you follow? (Choose the correct answer.)
Establish a cloud-only environment where you fully migrate from on-premises to cloud.
Establish an on-premises-only environment where you fully migrate from the cloud to on-premises.
■■ Establish a hybrid environment where you establish coexistence between on-premises and the cloud.
Checkbox
Which of the following are components that are included with Microsoft 365? (Choose all that apply.)
■■ Microsoft Office 365
Office 2016
Windows 10 Pro
■■ Windows 10 Enterprise
■■ Enterprise Mobility + Security
Multiple choice
You want to leverage the cloud to host virtual machines (VMs). Which type of cloud service is this?
(Choose the correct answer.)
■■ Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Multiple choice
Which type of cloud service would have the cloud service provider managing apps as a service? (Choose
the correct answer.)
IaaS
PaaS
■■ SaaS
Checkbox
You’re exploring which cloud service to subscribe to. Which of the following are reasons to select
Microsoft 365? (Choose all that apply.)
■■ You want to extract more value from your existing investment in Microsoft technologies.
■■ You want to be able to work with the most popular development environments, including Red Hat.
■■ You want access to a comprehensive set of compliance offerings.
You want to maximize CapEx and minimize Operating Expenditures (OpEx).
Checkbox
Which of the following situations would be best served by utilizing a hybrid cloud? (Choose all that
apply.)
■■ You have sensitive data that can’t be exposed publicly (such as medical information).
You want to reduce your CapEx costs by eliminating all your on-premises systems.
■■ You want to extend the capabilities of your on-premises systems.
■■ You want to reduce your data protection costs.
Checkbox
Which of the following do Amazon Web Services (AWS) and Google Cloud offer in common with
Microsoft cloud services? (Choose all that apply.)
■■ Cloud-based compute power
Native integration with Active Directory
■■ Hot and cold cloud-based data storage
Office 365 productivity tools
Multiple choice
Which type of cloud service provides an environment for buying, building, testing, deploying, and
running software applications? (Choose the correct answer.)
Infrastructure as a Service (IaaS)
■■ Platform as a Service (PaaS)
Software as a Service (SaaS)
Checkbox
In which circumstances would a cloud-only migration model be a good choice? (Choose all that apply.)
You have a large investment in on-premises infrastructure that you want to continue to leverage.
■■ You’re a smaller company with minimal in-house technical resources.
■■ You want to completely move away from your existing on-premises systems.
Checkbox
Which of the following regulations apply to cloud computing? (Choose all that apply.)
Endangered Species Act
■■ Health Insurance Portability and Accountability Act (HIPAA)
■■ Sarbanes–Oxley Act
■■ Gramm–Leach–Bliley Act (GLBA)
Checkbox
Which of the following are considered cost benefits of cloud computing? (Choose all that apply.)
■■ You shift the costs associated with the datacenter to the cloud service provider.
Cloud computing’s pay-per-use model guarantees cost savings, because accounts are never wasted.
■■ If you actively manage your subscription, you can save money by deprovisioning unneeded resources
to stop being charged for them.
Module 2 Core Microsoft 365 services
Windows 10 Home
Windows 10 Home is the consumer-oriented desktop edition of Windows 10. It offers the familiar
Windows operating system experience for PCs, tablets, and the popular hybrid laptop/tablets, such as the
Microsoft Surface Pro. Windows 10 Home includes several features:
●● Cortana
●● Microsoft Edge
●● Continuum tablet mode for touch-capable devices
●● Windows Hello
●● Virtual desktops
●● Photos, Maps, Mail, Calendar, Music and Video, and other built-in universal Windows apps
●● New updates and features received automatically
Windows 10 Pro
Windows 10 Pro builds on the features of Windows 10 Home, with many extra features to meet the needs
of small and medium-sized businesses. Windows 10 Pro is also suitable for advanced consumers who are
looking for features such as BitLocker Drive Encryption and virtualization.
Windows 10 Pro provides the following additional features:
●● Windows Update for Business
●● Domain join and centralized management with Group Policy.
●● BitLocker
●● Enterprise mode in Microsoft Internet Explorer
●● Client Hyper-V
●● Microsoft Azure Active Directory Join
●● Microsoft Store for Business
●● Enterprise data protection
Windows 10 Enterprise
Windows 10 Enterprise builds on the features of Windows 10 Pro, with additional features that meet the
needs of large enterprises. Windows 10 Enterprise is available to Microsoft Volume Licensing customers
only. Organizations can choose the pace at which they adopt new technology, including the option to use
the new Windows Update for Business. Windows 10 Enterprise also gives customers access to the
Long-Term Servicing Channel as a special deployment option for their mission-critical devices and
environments.
Windows 10 Enterprise includes additional security features—Windows Defender Credential Guard and
Windows Defender Device Guard—to protect against security threats. It also supports a broad range of
options for operating system deployment, and device and app management. Windows 10 Enterprise
provides the following additional features compared with Windows 10 Pro:
●● DirectAccess
●● Windows To Go Creator
●● AppLocker
●● Windows BranchCache
●● Start screen control with Group Policy
●● Windows Defender Credential Guard
●● Windows Defender Device Guard
●● Application Virtualization (App-V)
●● User experience virtualization (UE-V)
Windows 10 Education
Windows 10 Education offers the same features as Windows 10 Enterprise, except for the Long-Term
Servicing Channel. This edition of Windows 10 is suitable for school staff, administrators, teachers, and students.
Windows 10 Education is only available through academic Volume Licensing.
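The Windows 10 Enterprise list above names the protections an edition can offer, not what is actually switched on. The script below is an added example, not part of the course: it reports whether Credential Guard, Device Guard code integrity (HVCI), BitLocker and AppLocker are in force on the local device, using only built-in cmdlets and the Win32_DeviceGuard WMI class. The EditionID check and the warning thresholds are this example's own assumptions. Run it from an elevated PowerShell session on Windows 10 Pro or above; the BitLocker and AppLocker cmdlets do not ship with Windows 10 Home.

```powershell
# Added example (not from the course): report which Windows 10 Enterprise
# protections are actually running on this device. Run elevated.

function Get-EnterpriseProtectionReport {
    $edition = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name EditionID

    # Win32_DeviceGuard exposes virtualization-based security (VBS) state.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $credentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    $hvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    $vbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # BitLocker on the OS volume. ProtectionStatus is 'On' only when the volume is
    # encrypted AND its key protectors are active; a suspended volume reports 'Off'.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitlockerOn = ($bl.ProtectionStatus -eq 'On')

    # AppLocker: the effective policy merges local and domain policy. Zero rules
    # means AppLocker is not restricting anything, whatever the edition says.
    $appLocker = Get-AppLockerPolicy -Effective
    $ruleCount = 0
    foreach ($collection in $appLocker.RuleCollections) {
        foreach ($rule in $collection) { $ruleCount++ }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        EditionID              = $edition
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $credentialGuardRunning
        HvciRunning            = $hvciRunning
        BitLockerProtectionOn  = $bitlockerOn
        AppLockerRuleCount     = $ruleCount
    }
}

$report = Get-EnterpriseProtectionReport
$report | Format-List

# Flag the gaps a reviewer would care about. 'EnterpriseS' is the LTSB/LTSC edition.
if ($report.EditionID -notin 'Enterprise', 'Education', 'EnterpriseS') {
    Write-Warning "Edition '$($report.EditionID)' is not an Enterprise edition; Credential Guard, Device Guard and AppLocker enforcement are not available."
}
if (-not $report.CredentialGuardRunning) { Write-Warning 'Credential Guard is not running: LSA secrets are not isolated from the OS.' }
if (-not $report.BitLockerProtectionOn)  { Write-Warning "BitLocker protection is not active on $env:SystemDrive." }
if ($report.AppLockerRuleCount -eq 0)    { Write-Warning 'No effective AppLocker rules: any executable can run.' }
```

The point of reading the running state rather than the configured policy is that VBS features silently stay off when the firmware prerequisites (UEFI, Secure Boot, virtualization extensions) are missing, so a Group Policy setting alone is not evidence that a device is protected.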
●● Calendaring. Each user has a calendar that they can use to track their upcoming events. Users can use
calendars when booking meetings to verify availability. Where appropriate, users can delegate access
to their calendars to other users such as administrative assistants and teammates.
●● View and edit attachments online. When users receive attachments, they can view and edit them
online in Outlook on the web. They do not require a locally installed version of Office.
●● Shared mailboxes and resources. You can use shared mailboxes as a group mailbox for groups of
users that need to share access to a central mailbox. You can configure resources for meeting rooms
and equipment to facilitate booking.
●● Public folders. Earlier versions of Microsoft Exchange Server relied on public folders for collaboration.
This feature is still available in Exchange Online if required.
●● Message policy and compliance. There are several message policy and compliance features in
Exchange Online. These include retention policies, message encryption, eDiscovery, data loss prevention,
and journaling.
●● Antispam and anti-malware. All Exchange Online subscriptions include Exchange Online Protection,
which provides configurable antispam and anti-malware scanning.
●● Configurable mail flow. To support specialized mail flow scenarios, you can create send and receive
connectors with varying settings. For example, you can create connectors that require additional
security settings with a business partner.
●● Mobile and multiplatform access. Users can access mailboxes and calendars from Outlook on either
Windows or Mac clients by using Messaging Application Programming Interface (MAPI) over HTTPS,
or by using Exchange Web Services. Outlook on the web supports accessing mailboxes and calendars
from almost any platform. Mobile devices can access mailboxes and calendars by using Microsoft
Exchange ActiveSync.
●● Hybrid deployment. You can integrate Exchange Online with an on-premises Exchange Server
organization by implementing a hybrid deployment. In a hybrid deployment, Exchange Online and the
on-premises Exchange organization can share a single namespace for messaging. A hybrid deployment
also supports calendar sharing and mailbox moves between Exchange Online and an on-premises
Exchange server.
●● Migration tools. Exchange Online includes tools to migrate from other on-premises Exchange Server
servers to Exchange Online. There is also a tool to migrate from any Internet Message Access Protocol
(IMAP) messaging service to Exchange Online.
For details about particular Exchange Online features included in specific subscription plans, see the
following Microsoft website: https://products.office.com/exchange/compare-microsoft-exchange-online-plans.
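The "configurable mail flow" item above mentions connectors that require additional security settings with a business partner. The script below is an added example, not part of the course, showing the usual case: forcing TLS in both directions for one partner domain, with certificate validation so that an on-path attacker cannot downgrade or impersonate the partner. It uses the ExchangeOnlineManagement module cmdlets New-OutboundConnector and New-InboundConnector; the admin account, the partner domain and the certificate name are placeholders.

```powershell
# Added example (not from the course): force TLS with certificate validation for
# mail exchanged with one business partner. Requires the ExchangeOnlineManagement
# module and an Exchange Online administrator account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder account

$partnerDomain   = 'fabrikam.example'        # placeholder partner domain
$partnerMailHost = 'mail.fabrikam.example'   # name on the partner's TLS certificate (placeholder)

# Outbound: deliver to the partner only over TLS, and only if the certificate
# presented by their MX host matches the expected name (DomainValidation).
# EncryptionOnly would accept any certificate, including a self-signed one that
# an attacker can mint, so it does not protect against interception.
$outbound = @{
    Name             = "To $partnerDomain (forced TLS)"
    ConnectorType    = 'Partner'
    RecipientDomains = $partnerDomain
    UseMXRecord      = $true
    TlsSettings      = 'DomainValidation'
    TlsDomain        = $partnerMailHost
    Enabled          = $true
}
New-OutboundConnector @outbound

# Inbound: accept mail from the partner's domain only over TLS, with a
# certificate whose subject matches the expected name. Without
# RestrictDomainsToCertificate, any host could spoof the partner's domain
# through this connector.
$inbound = @{
    Name                         = "From $partnerDomain (forced TLS)"
    ConnectorType                = 'Partner'
    SenderDomains                = $partnerDomain
    RequireTls                   = $true
    TlsSenderCertificateName     = $partnerMailHost
    RestrictDomainsToCertificate = $true
    Enabled                      = $true
}
New-InboundConnector @inbound

# Check: read both connectors back and confirm the TLS constraints are set.
Get-OutboundConnector -Identity $outbound.Name |
    Select-Object Name, TlsSettings, TlsDomain, UseMXRecord, Enabled
Get-InboundConnector -Identity $inbound.Name |
    Select-Object Name, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats for production use: agree the certificate name with the partner before enabling the inbound connector, because a mismatch rejects their mail rather than falling back to plaintext; and test with a pilot recipient domain first, since a connector with a wrong RecipientDomains value can silently redirect mail for every recipient it matches.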
●● Share important visuals, news, and updates with a team or communication site.
●● Discover, follow, and search for sites, files, and people across their organization.
●● Manage their daily routines with workflows, forms, and lists.
●● Sync and store their files in the cloud so anyone can securely work with them.
●● Catch up on news on-the-go with the SharePoint mobile app.
Microsoft Teams provides a central hub for collaboration within your organization. By using the Microsoft
Teams platform, you can implement a chat-based workspace. You also can share documents, insights, and
status updates with colleagues. You can keep Teams in sync and manage important projects, find vital
documents, and locate people easily. Teams is also available as a mobile app, which helps users stay up to
date on company information and news, whether they are in or out of the office.
With Teams, you can:
●● Communicate through chat, meetings, and calls. You can host audio, video, and web conferences, and
chat with anyone inside or outside your organization.
●● Collaborate with integrated Office 365 apps. Teams makes teamwork easy. Users can
coauthor and share files with popular Office 365 apps such as Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft OneNote, SharePoint, and Microsoft Power BI.
●● Customize your workplace and achieve more. Using Teams, you can integrate apps from Microsoft
and third-party partner services to tailor your process, increasing teamwork and productivity.
●● Make calls in Office 365 and Teams. When paired with Office 365 Phone System, Office 365 Calling
Plan, and/or Phone System Direct Routing, Office 365 provides a full business calling experience in
Teams on a global scale.
●● Connect across devices. Teams and Teams devices work better together for intelligent meeting and
calling experiences. Find the right devices for your needs and bring your best ideas to life.
Note that many of the features provided by Skype for Business Online can also be accomplished by using
Microsoft Teams.
Yammer
Yammer, the Microsoft enterprise social networking tool, is becoming more integrated with Office 365, and
SharePoint Online users now have the option to replace their activity stream in SharePoint Online with
Yammer. To make this change, users click a Yammer link and sign in to this service through a separate
browser window. Future integration will include Single Sign On (SSO) between the Yammer service and
Office 365. Furthermore, users can use the Yammer Newsfeed instead of SharePoint Newsfeed.
Project Online
Project Online is the cloud version of Microsoft Project Server that enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value feature with Project Online is that it enables global organizations to plan project portfolios in
multiple time zones.
classification mechanism that is available in Azure Information Protection, you can classify your Office
documents based on various criteria.
Microsoft is continuously improving existing services and adding new services to Office 365. For example,
Microsoft recently added the Microsoft To-Do service for all Office 365 users.
Planner
Use Planner from any of your devices to create new plans, assign tasks, and share files with others. You
can organize teamwork and collaborate on projects. You also can use Planner to chat with colleagues and
to keep track of your team's progress.
Power BI
Power BI is a business analytics service that delivers insights to enable fast, informed decisions. You can
use Power BI to transform data into visuals and share them with colleagues. You can use a variety of
device types to access this content. You also can collaborate on and share customized dashboards and
interactive reports.
Microsoft StaffHub
StaffHub helps workers manage their workday by using schedule management and information sharing.
It also provides the ability to connect to other work-related apps and resources. Managers can quickly
distribute important information to their team, such as policy documents, news bulletins or videos.
Stream
Stream is an enterprise video service where people in your organization can upload, view, and share
videos securely. You can share recordings of classes, meetings, presentations, training sessions, or other
videos that aid your team's collaboration. Stream also makes it easy to share comments about a video,
tag timecodes in comments, and add descriptions to refer to specific points in a video and discuss with
colleagues.
Microsoft Delve
Use Delve to manage your Office 365 profile, and to discover and organize the information that's likely to
be most interesting to you. Using Delve, you can manage your profile, and connect and collaborate with
colleagues.
Sway
You can use Sway to compile text, images, videos, and other content in an interactive online format. You
can apply designer-created layouts and color schemes, or let Sway suggest design elements that match
your content. You also can search and import relevant content from other sources, and then share your
completed Sways on the web.
What is Intune
Intune is a cloud service that helps you manage computers, laptops, tablets, and other mobile devices.
This includes iOS, Android, and Mac OS X devices. It uses Azure Active Directory (Azure AD) as a directory
store for identity, and it can integrate with local management infrastructures such as Microsoft System
Center Configuration Manager (SCCM). Intune is especially useful for devices that are beyond the
management scope of Group Policy, such as mobile phones, devices that are not AD DS domain members, or
Windows 10 devices that are joined to Azure AD.
By using Intune, you can:
●● Allow staff to more safely access organizational data by using personal devices, which is commonly
known as a Bring Your Own Device (BYOD) program.
●● Manage company-owned phones.
●● Control access to Microsoft Office 365 from unmanaged devices, such as public kiosks and mobile
devices.
●● Help to ensure that devices and apps that do connect to corporate data are compliant with security
policies.
Intune is a component of EMS. Intune integrates with Azure AD and device operating-system features to
provide a complete solution. For example, when a user attempts to access Office 365 data through a line
of business app (LOB app) on a mobile phone, Office 365 checks with Azure AD to authenticate the user
and verify whether that user can access the data from that app on that device. The results depend on:
●● Conditional access policies defined within Azure AD.
●● Whether Intune tells Azure AD that the device is compliant with device configuration and data
protection policies.
●● Whether the app on that device complies with app configuration and data protection policies.
If the device and app are both compliant with all policies, Azure AD notifies Office 365 that the data can
be accessed.
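The decision described above is expressed in Azure AD as a Conditional Access policy. The script below is an added example, not part of the course: it creates, through Microsoft Graph, a policy that grants Office 365 access from Android and iOS only when Intune reports the device compliant and the client app is covered by an app protection policy, which are the two checks the text lists. It uses the Microsoft.Graph PowerShell module (New-MgIdentityConditionalAccessPolicy); the group object IDs are placeholders and the policy name is this example's own.

```powershell
# Added example (not from the course): Conditional Access policy implementing
# "compliant device AND protected app" for Office 365 on mobile platforms.
# Requires the Microsoft.Graph module and Conditional Access administrator rights.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$pilotGroupId      = '<object-id-of-pilot-users-group>'        # placeholder
$breakGlassGroupId = '<object-id-of-emergency-access-group>'   # placeholder

$policy = @{
    displayName = 'Office 365 from mobile: require compliant device and protected app'
    # Start in report-only mode: the sign-in log shows what WOULD have been
    # blocked without locking anyone out. Switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Always exclude the emergency-access accounts; a bad device compliance
            # rollout must never be able to lock every administrator out.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @('Office365')   # the Office 365 application group
        }
        platforms = @{
            includePlatforms = @('android', 'iOS')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: Intune must mark the device compliant AND the client must be an app
        # under an Intune app protection policy. Use 'OR' if either control alone
        # is acceptable for your organisation.
        operator        = 'AND'
        builtInControls = @('compliantDevice', 'compliantApplication')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: read the policy back and confirm the controls Azure AD will evaluate.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.GrantControls.Operator
$check.GrantControls.BuiltInControls
```

Note that "compliant" is only ever asserted for devices Intune knows about: a device that was never enrolled has no compliance state and is treated as not compliant, so users on unmanaged phones are blocked once the policy is enabled, which is the intended outcome for the BYOD scenario described earlier.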
Office 365 ProPlus is not a web-based or a light version of Office, and users do not have to connect to
the internet permanently to use it. However, they must connect at least every 30 days to confirm that
they still have the right to use the Office 365 ProPlus license.
●● Manage data privacy. For example, in the European Union, you can use this node to manage General
Data Protection Regulation (GDPR) compliance within your organization.
You can access Azure Security Center from the Azure portal.
MyAnalytics accesses data from your Office 365 use to help you determine how you can become more
efficient during your work day:
●● MyAnalytics personal dashboard: In the dashboard you can view statistics on how you've spent your
time over the past week.
●● Outlook add-in: The Outlook add-in presents you with cards that report on aspects of your recent
work experience, and let you respond in various ways.
●● Email digests: You receive a weekly digest in email that gives you highlights about your previous week.
●● MyAnalytics nudges: MyAnalytics nudges are notifications that appear in Microsoft Outlook that can
help boost your productivity by displaying useful suggestions and tips around managing email and
running meetings.
Introducing MyAnalytics
You can review the following short video about MyAnalytics to see what it has to offer you.
in the future, but they will always appear first in Exchange Online because development happens there
first.
●● No access to Exchange Online databases or servers. Unlike an on-premises Exchange server where
you administer and manage Exchange servers and databases, Microsoft manages these items in
Exchange Online.
●● Voice calling auto attendants. This feature is only available in Skype for Business Online with an
Office 365 E5 subscription.
●● Unified Messaging interoperability with Exchange Server. This feature is only available with Skype
for Business Server.
LAUNCH ACTIVITY1
Servicing channels
Although servicing channels are new, you can still use the same management tools to deploy the updates
to your organization’s devices that you used in earlier versions of Windows. These include:
●● Windows Insider Program. Users become familiar with feature updates before they are released to
the wider public. This enables organizations to use these feature updates before the wider public
deployment. In addition, users can provide feedback to Microsoft to help resolve any issues with
updates.
●● Semi-Annual Channel. Computers configured in the Semi-Annual Channel receive updates as soon
as Microsoft publishes them. There are two Semi-Annual Channels: semi-annual (targeted) is aimed at
a subset of your users, while semi-annual is aimed at all other users.
●● Long-Term Servicing Channel. For computers and other devices that perform a single task or a
number of specialized tasks, the Long-Term Servicing Channel prevents configured devices from
receiving feature updates. However, quality update delivery is not affected. Note that the Long-Term
Servicing Channel is available only in the Windows 10 Enterprise LTSB edition.
1 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_02_02_03_ProductBusinesstutorial.html
Deployment rings
In Windows 10, you can use deployment rings to further control how and when updates are applied to
your devices. It’s probable that you will only define these deployment rings once; however, you should
consider revisiting the deployment ring configuration periodically to ensure that they still meet the needs
of your organization and its users.
Typically, you might define the deployment rings in the following table.
By defining and using deployment rings, you can effectively control how feature and quality updates are
deployed through your organization. You should start to think about using Windows as a Service as an
ongoing process, rather than a specific project to update Windows builds. The following diagram shows
how you can use the servicing channels to create an update timeline that includes a planning and
preparation phase, pilot deployments, and general deployment.
You do not need to deploy all feature updates; you can opt to bypass those updates that do not add
value for your users. Bear in mind, however, that support for a feature update continues for 18 months
after its release.
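The servicing channel and deferral periods that define a deployment ring are delivered to a device as Windows Update for Business policy. The script below is an added example, not part of the course; the ring table the text refers to is not reproduced on this page, so the four rings and their deferral values are this example's own assumptions. It writes the policy registry values that Group Policy or Intune would otherwise set, so the effect of each ring is visible, and reads them back. Run elevated on Windows 10 1703 or later.

```powershell
# Added example (not from the course): Windows Update for Business settings for a
# set of deployment rings. Ring names and values are assumptions for this example.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel: 16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel.
# Feature update deferral: 0-365 days. Quality update deferral: 0-30 days.
$rings = @{
    'Ring0-Pilot'    = @{ Readiness = 16; FeatureDays = 0;   QualityDays = 0 }   # IT staff and volunteers
    'Ring1-Early'    = @{ Readiness = 32; FeatureDays = 14;  QualityDays = 3 }   # representative users
    'Ring2-Broad'    = @{ Readiness = 32; FeatureDays = 60;  QualityDays = 7 }   # most of the estate
    'Ring3-Critical' = @{ Readiness = 32; FeatureDays = 180; QualityDays = 14 }  # change-averse systems
}

function Set-DeploymentRing {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Ring0-Pilot', 'Ring1-Early', 'Ring2-Broad', 'Ring3-Critical')]
        [string]$Ring
    )
    $r = $rings[$Ring]
    if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }

    # -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $wuPolicy -Name BranchReadinessLevel            -PropertyType DWord -Value $r.Readiness   -Force | Out-Null
    New-ItemProperty -Path $wuPolicy -Name DeferFeatureUpdates             -PropertyType DWord -Value 1              -Force | Out-Null
    New-ItemProperty -Path $wuPolicy -Name DeferFeatureUpdatesPeriodInDays -PropertyType DWord -Value $r.FeatureDays -Force | Out-Null
    New-ItemProperty -Path $wuPolicy -Name DeferQualityUpdates             -PropertyType DWord -Value 1              -Force | Out-Null
    New-ItemProperty -Path $wuPolicy -Name DeferQualityUpdatesPeriodInDays -PropertyType DWord -Value $r.QualityDays -Force | Out-Null
}

function Get-DeploymentRingState {
    # Read back the values Windows Update will honour on this device.
    $p = Get-ItemProperty -Path $wuPolicy -ErrorAction Stop
    [pscustomobject]@{
        BranchReadinessLevel = $p.BranchReadinessLevel
        FeatureDeferralDays  = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferralDays  = $p.DeferQualityUpdatesPeriodInDays
    }
}

# In practice the ring is chosen from the device's group membership; here it is
# fixed so the script is self-contained.
Set-DeploymentRing -Ring 'Ring2-Broad'
Get-DeploymentRingState
```

Keep the quality update deferral short even for the most conservative ring: quality updates carry the month's security fixes, so every extra day of deferral is a day on which a publicly known vulnerability stays unpatched. Feature updates can be deferred for months; security patches should not be.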
to Azure AD, and to configure the device according to organizational standards. This configuration
could include deploying apps and settings to the device.
●● On-premises methods. You can use tools such as Microsoft Deployment Toolkit (MDT) and SCCM to
support on-premises methods. These tools support bare metal computer, refresh, and replace
scenarios. In addition, you can use in-place upgrades to upgrade a device from a supported operating
system to Windows 10. Finally, by using tools such as Windows Configuration Designer, you can
create and deploy provisioning packages to your Windows 10 devices, enabling you to configure
those devices.
Different methods that you can use to deploy, configure, and maintain Windows are:
●● Windows Autopilot. Use this method to customize an out-of-box-experience to deploy apps and
settings already configured for your organization’s devices. You use this method for devices already
running Windows 10.
●● In-place upgrade. Use this method to update your devices’ operating system and to migrate apps,
and user data and settings. You launch in-place upgrade by using Windows setup.exe. Use this
method for devices running earlier Windows operating systems.
●● Subscription activation. Using subscription activation, subscribed users can switch to Windows 10
Enterprise (from Windows 10 Pro) during sign in.
●● Azure AD or MDM. Join devices to Azure AD and enable device configuration with MDM automatically.
●● Provisioning packages. Create provisioning packages with Windows Configuration Designer (part of
the Windows Assessment and Deployment Kit (ADK)), and then apply those packages to devices
within your organization.
●● Bare metal computer. Use this method to deploy new devices, or to wipe existing devices and
deploy fresh images to them.
●● Refresh. You use this method to redeploy devices by saving the user state, wiping the disk, and then
restoring user state. This is also known as wipe and load.
●● Replace. Use this method to replace existing devices with new devices by saving the user state on the
old device, then restoring the user state to a new device.
Windows Autopilot
With Windows Autopilot you can customize the out-of-box experience (OOBE) for your organization’s
Windows 10 computers. Windows Autopilot offers the following advantages over on-premises
deployment methods:
●● You do not need to use images.
●● You do not need to customize the deployments by injecting drivers.
●● You do not need to deploy and maintain a deployment infrastructure.
Windows Autopilot is cloud-driven and based around Azure AD Premium, the Microsoft Store for
Business, and/or Microsoft Intune. Using Windows Autopilot, you can:
●● Join devices to Azure AD automatically.
●● Auto-enroll your users’ devices into MDM services.
●● Protection for on-premises Exchange and SharePoint content via Microsoft Rights Management
services (RMS) connector
●● RMS software developer kit (RMS SDK) for all platforms: Windows, Windows Mobile, iOS, Mac OS X,
and Android
●● RMS connector with on-premises Windows Server file shares by using the File Classification
Infrastructure (FCI) connector
●● Document tracking and revocation
●● Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection)
●● RMS content consumption by using work or school accounts from RMS policy-aware apps and
services
●● RMS content creation by using work or school accounts
Azure Information Protection P2 includes the following additional features:
●● Automated data classification and administrative support for automated rule sets
●● Azure Information Protection Hold Your Own Key (HYOK) for highly regulated scenarios
Advanced Threat Analytics enables you to see what’s happening within your network by identifying
suspicious user and device activity. It then provides you with clear, unambiguous threat information.
Advanced Threat Analytics can:
●● Detect suspicious activities and malicious attacks.
●● Adapt to the changing nature of cyber-security threats.
●● Provide focus and clarity around what is important with a simple attack timeline.
●● Reduce false positives.
Cloud App Security uses data collected from your firewalls and proxy servers to identify cloud application
usage. This can help identify unauthorized applications that might be a threat to your data. Additionally,
it can identify unusual usage patterns that might indicate a problem.
The tools in EM+S help enhance management and security for mobile users. The following table de-
scribes some specific examples of how these tools work, and how to use them.
Tool: Enhanced authentication security
Usage: Azure AD monitors user authentication for suspicious patterns, for credentials that are available
on the black market, and for devices potentially infected by malware. You receive notifications for any
of these detected scenarios, which enables you to potentially avoid problems caused by compromised
credentials. For example, a suspicious pattern might be a user who signs in from two different
geographic locations in rapid succession. If you implement MFA, you can mitigate the risk of stolen
credentials. MFA requires the user to provide additional information beyond user name and password
for authentication. The additional information might be a code sent to a phone via a text message, or
acknowledging a prompt in an app. With MFA enabled, stolen credentials alone cannot be used to sign in.
Tool: Information protection
Usage: Intune helps protect information on mobile devices in multiple ways. First, if the entire device
is protected, then Intune can wipe a lost or stolen device to ensure that data on the device is not
accessed by unauthorized users. If your organization allows BYOD, Intune can separate personal and
organizational data. Even managed apps are isolated from personally installed apps to prevent data from
being copied between them. Furthermore, if a user leaves the organization, you can wipe the
organizational data and apps without affecting personal data. You can implement Azure Information
Protection to prevent data from leaking outside of your organization to unauthorized users. Conditions
set in documents control which users can access or modify the contents of the documents. Because the
documents’ contents are encrypted, if they are forwarded to an unauthorized user, that user cannot view
the contents.
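The "two locations in rapid succession" pattern described above is usually called impossible travel. Azure AD Identity Protection evaluates it for you with its own, undisclosed logic; the following PowerShell script is an added example (not part of the course material) that shows the underlying check on a constructed sign-in log so you can reason about what the detection needs: a per-user ordering of sign-ins, the great-circle distance between consecutive sign-in locations, and the speed that distance implies. The user names, coordinates, timestamps and the 900 km/h threshold are all assumptions chosen for illustration.

```powershell
# Added example: flag "impossible travel" between consecutive sign-ins.
# The log entries below are constructed sample data, not real tenant data.
$signIns = @(
    [pscustomobject]@{ User='alice@contoso.com'; Time='2019-03-04T08:00:00Z'; Lat=47.6062; Lon=-122.3321 } # Seattle
    [pscustomobject]@{ User='alice@contoso.com'; Time='2019-03-04T08:35:00Z'; Lat=52.5200; Lon=13.4050   } # Berlin
    [pscustomobject]@{ User='bob@contoso.com';   Time='2019-03-04T09:00:00Z'; Lat=51.5074; Lon=-0.1278   } # London
    [pscustomobject]@{ User='bob@contoso.com';   Time='2019-03-04T17:30:00Z'; Lat=48.8566; Lon=2.3522    } # Paris
)

function Get-GreatCircleKm {
    # Haversine formula on a sphere of radius 6371 km (good enough for this check).
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 6371 * 2 * [math]::Atan2([math]::Sqrt($a), [math]::Sqrt(1 - $a))
}

function Find-ImpossibleTravel {
    param(
        [object[]]$Events,
        [double]$MaxSpeedKmh = 900   # assumption: roughly airliner speed; faster is not feasible
    )
    foreach ($group in ($Events | Group-Object User)) {
        # Order each user's sign-ins by time; force an array so indexing works for a single event.
        $ordered = @($group.Group | Sort-Object { [datetimeoffset]::Parse($_.Time) })
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev  = $ordered[$i - 1]
            $curr  = $ordered[$i]
            $hours = ([datetimeoffset]::Parse($curr.Time) - [datetimeoffset]::Parse($prev.Time)).TotalHours
            if ($hours -le 0) { continue }   # same-second sign-ins: cannot compute a speed
            $km    = Get-GreatCircleKm $prev.Lat $prev.Lon $curr.Lat $curr.Lon
            $speed = $km / $hours
            if ($speed -gt $MaxSpeedKmh) {
                [pscustomobject]@{
                    User       = $group.Name
                    From       = $prev.Time
                    To         = $curr.Time
                    DistanceKm = [math]::Round($km)
                    ImpliedKmh = [math]::Round($speed)
                }
            }
        }
    }
}

# Alice's Seattle-to-Berlin pair (about 8,000 km in 35 minutes) is flagged;
# Bob's London-to-Paris pair (about 340 km over 8.5 hours) is not.
Find-ImpossibleTravel -Events $signIns | Format-Table -AutoSize
```

In a real tenant you would feed this the Azure AD sign-in log (which already carries geolocation) rather than hand-built records, and you would treat a hit as a signal to require MFA or block the session rather than as proof of compromise; VPN egress points and mobile carrier gateways produce legitimate hits, which is why Identity Protection combines this with other risk signals.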
cannot manage or might be better managed through MDM policies than through traditional methods
such as group policies.
MDM is implemented by using MDM authority and MDM clients. Microsoft offers two MDM authority
solutions: Intune, and MDM for Office 365. MDM client functionality is included as part of the Windows
10 operating system. MDM authority can manage various devices that include MDM client functionality,
such as Android, iOS and Windows 10. Some device settings can be managed on all MDM-enrolled
devices, while other settings are device-specific and can only be configured using device-specific MDM
policies.
MDM functionality includes distribution of applications, data, and configuration settings to devices that
are enrolled to MDM. Windows 10 devices can be enrolled in MDM manually by using the Settings app,
by provisioning a package, or by Group Policy in a hybrid environment. Alternatively, devices can be
enrolled in Azure AD providing integration between Azure AD and MDM is configured. You can use MDM
to manage a device regardless of its domain membership.
An MDM authority such as Intune provides the following capabilities:
●● Device enrollment. MDM can manage only supported devices that are enrolled in MDM. Some
devices, such as Windows 10, include MDM client functionality; on others, for example Android or iOS
devices, you must install the Intune Company Portal app before you can manage them.
●● Configuring devices. You can use profiles and policies to configure devices, control user access, and
set device settings to comply with company policy. You can also deploy settings for devices to be able
to access company resources, such as Wi-Fi profiles and virtual-private network (VPN) profiles and
control access to company resources by using conditional access.
●● Monitoring and reporting. In the MDM management tool, you can receive notifications about
devices that have issues or if the MDM policy wasn’t successfully applied, such as when devices do not
comply with a company baseline. You can also add enrolled devices to groups, and view a list of
enrolled devices. Using Intune, you can also configure Windows Autopilot device deployment.
●● Application Management. By using MDM and MAM together, you can deploy applications, manage
their settings, and separate data created by personal and business apps.
●● Selectively deleting data. If a device is lost or stolen, or if the user is no longer with the company,
you can wipe company data that was stored on the device. You can wipe all device data, or perform a
selective wipe, which leaves personal user data on the device.
●● Backing up data. Data on mobile devices is often not backed up. When a device is connected to the
organizational network, users are more likely to use documents in central locations such as file shares
and SharePoint sites. Data on mobile devices is more likely to be stored only on those mobile com-
puters. This means that if a mobile computer is lost, stolen, or suffers a hardware failure, the unique
copy of that organizational data is likely to be lost.
●● Mobile devices more easily lost or stolen. The average cost of replacing a stolen device can exceed
the purchase price of the device. This cost is higher because the organization must reconfigure the
new device, and determine what data was on the lost or stolen devices. In some cases, that data exists
only on the mobile device and is therefore lost to the organization.
●● Compromised devices connect to the internal network. A mobile device that is infected with
malware can introduce that malware into the organization. Therefore, organizations must treat mobile
devices as possible malware vectors.
Many mobile devices run the iOS or Android operating systems. This provides a challenge to organiza-
tional IT departments who need to balance the user’s desire to use the platform of their choice with the
organization’s need to ensure that only authorized people and devices access sensitive applications and
data. When considering a mobile device support policy, you must take the following questions into
account:
●● Is the device owned by the user or the organization?
●● Should you permit user-owned devices to access sensitive applications and data? Or only if the owner
consents to having the device managed by the IT department?
●● What actions can organizations take to protect data stored on the device, if the device is lost or the
user leaves the company?
Because mobile devices are more likely than larger devices such as laptops to be lost or stolen, the loss
of a single device can mean that gigabytes of organizational data are potentially made public.
Organizations that allow mobile devices to have access to sensitive data need to have policies in place
to address what happens if the user loses or misplaces the device, or the user (who is the owner of the
device) leaves the organization.
After you have enrolled devices, you can use Intune device profiles to manage various aspects of your
devices’ configuration. The following list shows the most common device profiles for Windows 10.
●● Email. Manages Exchange ActiveSync settings on devices.
●● Wi-Fi. Allows you to manage wireless network settings for users and devices. In Windows 10,
managing settings for users allows them to connect to corporate Wi-Fi without having to configure the
connection manually. Instead, they can import a configuration that was previously exported from
another device.
●● VPN. Configures VPN settings for devices.
●● Education. Configures options for the Take a Test app in Windows 10.
●● Certificates. Allows you to configure trust and other certificates used for Wi-Fi, VPN, and email
profiles.
●● Edition upgrade. Allows you to permit users to upgrade some versions of Windows 10.
●● Endpoint protection. Configures settings for BitLocker and Windows Defender.
●● Windows Information Protection. Allows you to configure Windows Information Protection for data
loss prevention.
DLP
DLP is the capability built into Microsoft 365 that helps your organization ensure that data loss or
misappropriation doesn’t occur. Using Microsoft 365 you can create DLP policies that protect the
following applications:
●● Exchange Online
●● SharePoint Online
●● OneDrive for Business
●● Desktop versions of Excel, PowerPoint, and Word
Microsoft 365 DLP protection allows you to:
●● Identify and continuously monitor and report on sensitive information.
●● Prevent accidental sharing of sensitive information.
Microsoft 365 also allows you to educate users about DLP policies and protect data without interrupting
their work. You can set DLP policies to show a policy tip or send an email when users try to share protect-
ed information. You can allow users to override the policy and share information despite the policy.
The Security & Compliance center includes built-in DLP reports. These reports tell you the number of
policy matches over time, and the number of times that policies were overridden or that users indicated
that a policy rule created a false positive. This information can help you understand how DLP policies
affect your business, and it also allows you to modify and improve your policies over time.
You configure labels, label policies, and sensitive information types by using Security & Compliance from
the Office 365 portal.
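The portal is one way to configure a DLP policy; the same policy and rule can be created with the Security & Compliance Center PowerShell cmdlets, which is convenient when you want the configuration in source control. The following is an added example, not part of the course material. It assumes you have already connected with Connect-IPPSSession as a compliance administrator; the policy name, rule name, policy-tip text and the choice of the built-in "Credit Card Number" sensitive information type are assumptions for illustration.

```powershell
# Added example: a DLP policy that detects payment card numbers shared outside
# the organization, shows a policy tip, blocks, and allows an override with a
# business justification (overrides and false-positive reports are what the
# built-in DLP reports in the Security & Compliance center summarize).
# Assumes: Connect-IPPSSession has already been run.

# 1. Policy scope: Exchange Online, SharePoint Online and OneDrive for Business.
#    Start in test mode with notifications so you can read the DLP reports and
#    tune the rule before anything is blocked.
New-DlpCompliancePolicy -Name 'Financial data - test' `
    -Comment 'Detect payment card data in mail and documents' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: one or more card numbers, shared with recipients outside the tenant.
New-DlpComplianceRule -Name 'Block external sharing of card numbers' `
    -Policy 'Financial data - test' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains payment card data and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 3. Review what the policy and rule look like as stored.
Get-DlpCompliancePolicy -Identity 'Financial data - test' | Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy 'Financial data - test'   | Format-List Name, BlockAccess, NotifyAllowOverride, AccessScope

# 4. Once the match counts in the reports look right, switch enforcement on:
# Set-DlpCompliancePolicy -Identity 'Financial data - test' -Mode Enable
```

Starting in TestWithNotifications mode rather than Enable is the practical point: a rule that matches too broadly in enforcement mode blocks legitimate work immediately, whereas in test mode the matches show up in the DLP reports first.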
●● Support apps that allow users to work with both personal and corporate data. Some apps, such
as Word, automatically detect when a file contains corporate data and should be WIP-protected. They
maintain that protection when saving a file locally or on removable media. This protection is main-
tained even if the file name changes or if the data is stored with unencrypted personal data.
●● Prevent use of personal apps and services. You can prevent accidental release of organizational
data to public spaces and social media by preventing users from using applications such as a personal
OneDrive to store files. You can also prevent users from copying data from allowed apps to social
media such as Twitter or Facebook.
●● Remove corporate data from lost or stolen devices, or devices owned by ex-employees. You can
remove organizational data from, and unenroll any devices (including personal devices) that are
enrolled in Intune even if the device is lost or stolen. This does not affect personal data.
Compliance
Data is important, and managing it is critical; complying with the standards that govern data
management is vital too. Microsoft 365 helps you become and remain compliant with governmental
standards across the globe. It’s estimated that there are over 200 updates from over 700 regulatory
bodies each day, so keeping up to date with regulatory changes can be challenging.
In Microsoft 365, Compliance Manager helps you to manage regulatory compliance. Using a dashboard
view, it provides a view of standards, regulations, and assessments. Compliance Manager provides:
●● Certification assessment control definitions.
●● Guidance on implementing and testing controls.
●● Risk-weighted scoring of controls.
●● Role-based access management.
●● In-place control action assignment workflow to track control implementation, testing status, and
evidence management.
To find out more, watch the following video about Compliance Manager:
2 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_02_03_06_EndpointManagementtutorial.html
Collaboration in Microsoft 365
Collaboration services
You can use the following services to enable collaboration between your employees:
●● Teams. With Teams, you can create projects, share files within a project, create a wiki platform for your
project, track activities, and chat and call your colleagues.
●● SharePoint Online. With SharePoint, you can easily collaborate with colleagues and external contacts
through the use of file sharing, content management, Team sites, intranets, and automated workflow.
●● Yammer. You can use Yammer to engage with others through polls and announcements, and share
content with files and notes.
●● Exchange Online Public folders. Public folders are a long-standing Exchange Server feature for
on-premises collaboration. Exchange Online also supports them, so that apps that still require public
folders continue to work.
●● Skype for Business Online. Although primarily a communications platform, you can also collaborate
using Skype for Business Online by recording meetings, screen sharing, and PowerPoint annotation.
Use whiteboard, polls, Q&A, and built-in IM chats during your business meetings to make them more
productive.
Communication services
You can use the following services to enable communication between your employees:
●● Exchange Online. Exchange Online provides email services for communications.
●● Skype for Business Online. Skype for Business Online is primarily a communications platform,
providing for presence, instant messaging, audio calls, and video calls. It also supports broadcasting.
●● Teams. Teams supports communications through the use of instant messaging, and both audio and
video calls.
●● Yammer. Yammer is essentially an enterprise social networking app that enables users to participate
in group conversations and chats.
Features of Teams
Teams provides the following features:
●● Teams and channels
●● Presence
●● Guest access
●● Meetings
●● Cloud video interoperability
●● Live events
●● Cloud voice
●● Audio conferencing
●● Interoperability with SharePoint (a new SharePoint online site is created for each Team)
●● Interoperability with Exchange (an Exchange Online shared mailbox and calendar is created for each
Team)
You can discover more about the transition from Skype for Business to Teams by visiting the following
website: https://docs.microsoft.com/en-us/microsoftteams/faq-journey.
3 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_02_04_04_CollaborationBusinesstutorial.html
Lab - Configuring Microsoft 365 tenant
Exercise 1
Exploring the Microsoft 365 tenant
4 http://www.office.com/
Exercise 2
Configuring new user and group accounts
Module Assessment
Questions
Multiple choice
Which edition (or editions) of Windows 10 include Microsoft User Experience Virtualization (Microsoft
UE-V)? (Choose all that apply.)
Windows 10 Home
Windows 10 Pro
Windows 10 Enterprise
Checkbox
You want the ability to communicate with colleagues by using instant messaging. Which Microsoft 365 app
(or apps) enable this? (Choose all that apply)
Microsoft Exchange Online
Skype for Business Online
Microsoft SharePoint online
Microsoft Teams
Checkbox
Which of the following can be described as collaboration services in Microsoft 365? (Choose all that apply)
Yammer
Sway
Teams
Microsoft OneDrive for Business
Skype for Business
Multiple choice
Which Microsoft 365 service or app enables you to manage users’ devices? (Choose all that apply)
Exchange Online
Teams
Microsoft Intune
Microsoft Azure Active Directory (Azure AD)
Microsoft Office 365 ProPlus
Multiple choice
Which offers high availability without needing to purchase additional hardware? (Choose the correct
answer)
Microsoft Exchange Server
Exchange Online
Multiple choice
Which solution provides antimalware protection by default? (Choose the correct answer)
SharePoint Online
Microsoft SharePoint Server
Multiple choice
Which solution provides for meeting broadcasts? (Choose the correct answer)
Skype for Business Server
Skype for Business Online
Multiple choice
Which Windows as a service (WaaS) update channel does not receive feature updates? (Choose the correct
answer)
Windows Insider program
Semi-Annual Channel
Semi-Annual Channel (Targeted)
Long-Term Servicing Channel
Checkbox
Which of the following is a cloud-based deployment or dynamic provisioning method? (Choose all that
apply)
Image deployment using Microsoft System Center Configuration Manager (SCCM)
Subscription activation
Windows Autopilot
Windows Configuration Designer provisioning packages
Checkbox
Which of the following statements about Windows Autopilot is true? (Choose all that apply)
You must use images.
You do not need to deploy and maintain a deployment infrastructure.
You must customize the deployments by injecting drivers.
You can restrict the creation of the Administrator account.
You can customize the out-of-box experience (OOBE) content specifically to your organization.
You cannot join devices to Azure AD automatically.
Checkbox
In which Microsoft 365 Enterprise subscription is Intune included? (Choose all that apply)
Microsoft 365 E3
Microsoft 365 E5
Multiple choice
In which Microsoft 365 Enterprise subscription is Microsoft Azure Information Protection (MSIP) included?
(Choose all that apply)
Microsoft 365 E3
Microsoft 365 E5
Multiple choice
You want to implement Azure AD Identity Protection. Which version (or versions) of Azure AD includes this
feature? (Choose all that apply)
Azure AD Free
Azure AD Basic
Azure AD Premium P1
Azure AD Premium P2
Multiple choice
You have a mix of devices in your organization. Some are Active Directory Domain Services (AD DS)
domain-joined while others are not. You want to use a centralized management approach. What should you
do? (Choose the best answer)
Implement Group Policy configuration for all domain-joined devices.
Implement a mobile device management (MDM) system to manage the non-domain-joined devices.
Implement Group Policy configuration for all devices.
Implement an MDM system to manage all devices.
Multiple choice
You must manage devices running the following operating systems: iOS, Windows 10, Android, and macOS.
Which device management approach should you take? (Choose the correct answer)
Use Group Policy Objects (GPOs) to manage the devices.
Use Intune to manage the devices.
Answers
Multiple choice
Which edition (or editions) of Windows 10 include Microsoft User Experience Virtualization (Microsoft
UE-V)? (Choose all that apply.)
Windows 10 Home
Windows 10 Pro
■■ Windows 10 Enterprise
Checkbox
You want the ability to communicate with colleagues by using instant messaging. Which Microsoft 365
app (or apps) enable this? (Choose all that apply)
Microsoft Exchange Online
■■ Skype for Business Online
Microsoft SharePoint online
■■ Microsoft Teams
Checkbox
Which of the following can be described as collaboration services in Microsoft 365? (Choose all that
apply)
■■ Yammer
Sway
■■ Teams
Microsoft OneDrive for Business
■■ Skype for Business
Multiple choice
Which Microsoft 365 service or app enables you to manage users’ devices? (Choose all that apply)
Exchange Online
Teams
■■ Microsoft Intune
Microsoft Azure Active Directory (Azure AD)
Microsoft Office 365 ProPlus
Multiple choice
Which offers high availability without needing to purchase additional hardware? (Choose the correct
answer)
Microsoft Exchange Server
■■ Exchange Online
Multiple choice
Which solution provides antimalware protection by default? (Choose the correct answer)
■■ SharePoint Online
Microsoft SharePoint Server
Multiple choice
Which solution provides for meeting broadcasts? (Choose the correct answer)
Skype for Business Server
■■ Skype for Business Online
Multiple choice
Which Windows as a service (WaaS) update channel does not receive feature updates? (Choose the
correct answer)
Windows Insider program
Semi-Annual Channel
Semi-Annual Channel (Targeted)
■■ Long-Term Servicing Channel
Checkbox
Which of the following is a cloud-based deployment or dynamic provisioning method? (Choose all that
apply)
Image deployment using Microsoft System Center Configuration Manager (SCCM)
■■ Subscription activation
■■ Windows Autopilot
■■ Windows Configuration Designer provisioning packages
Checkbox
Which of the following statements about Windows Autopilot is true? (Choose all that apply)
You must use images.
■■ You do not need to deploy and maintain a deployment infrastructure.
You must customize the deployments by injecting drivers.
■■ You can restrict the creation of the Administrator account.
■■ You can customize the out-of-box experience (OOBE) content specifically to your organization.
You cannot join devices to Azure AD automatically.
Checkbox
In which Microsoft 365 Enterprise subscription is Intune included? (Choose all that apply)
■■ Microsoft 365 E3
■■ Microsoft 365 E5
Multiple choice
In which Microsoft 365 Enterprise subscription is Microsoft Azure Information Protection (MSIP) included?
(Choose all that apply)
Microsoft 365 E3
■■ Microsoft 365 E5
Multiple choice
You want to implement Azure AD Identity Protection. Which version (or versions) of Azure AD includes
this feature? (Choose all that apply)
Azure AD Free
Azure AD Basic
Azure AD Premium P1
■■ Azure AD Premium P2
Multiple choice
You have a mix of devices in your organization. Some are Active Directory Domain Services (AD DS)
domain-joined while others are not. You want to use a centralized management approach. What should
you do? (Choose the best answer)
Implement Group Policy configuration for all domain-joined devices.
Implement a mobile device management (MDM) system to manage the non-domain-joined devices.
Implement Group Policy configuration for all devices.
■■ Implement an MDM system to manage all devices.
Multiple choice
You must manage devices running the following operating systems: iOS, Windows 10, Android, and
macOS. Which device management approach should you take? (Choose the correct answer)
Use Group Policy Objects (GPOs) to manage the devices.
■■ Use Intune to manage the devices.
Module 3 Security, compliance, privacy, and trust in Microsoft 365
●● Traffic protocol
●● Specific packet contents
However, when it comes to data security no single solution can ensure that data remains secure. Instead,
organizations must use a layered approach to protect their data. If you want to protect data on your
organizational computers, this might involve implementing drive encryption, file and folder permissions,
and rights management. If your information is stored in the cloud, then you must also consider imple-
menting appropriate security measures within your cloud-based infrastructure.
Bear in mind that no one security solution will fit all organizations. Consider the various security solutions
and settings as being analogous to a pendulum. At one end of the pendulum’s arc you have a highly
secure system that is so secure it’s almost unusable. At the other end of the arc, you have a highly
usable system that has very little, and most likely inadequate, security. Each organization must choose
where on that arc it wants to operate, and then select and configure appropriate security settings to
achieve that goal.
they sign in to services such as Microsoft OneDrive, Xbox Live, Outlook.com (formerly Hotmail), or
Windows Phone. Your users also can use their Microsoft accounts to authenticate with Azure AD. This
scenario is useful when you must support temporary or contract staff as the account is external to the
Azure AD directory.
●● Other accounts. Most users also have access to social accounts, such as Facebook and Twitter. Many
also use Apple and Google accounts to access platform-specific stores and other resources.
Because a user account (or accounts) is the primary means of determining who a user is, it’s important
that we protect the process of verifying identity. Identity protection is the method that you use to do this.
Microsoft 365 includes a number of features that enable you to identify when a user account might have
been compromised. For example, a change in sign-in time of day, or a new or unusual sign-in location
can be signs that an account has been compromised. When you identify these changes, you can take
action.
Information protection
When considering how best to secure your organizational data, it’s important to consider two situations:
●● Data at rest. Data at rest is data stored somewhere, for example on a file server, a hard drive or USB
flash drive, or in a mailbox. Each of these storage locations poses different security risks. For example,
it’s fairly easy to lose a thumb drive; a laptop is an attractive device for theft; malicious people know
that a file server contains organizational data. Each of these situations presents a different challenge
for security personnel to solve, whether that’s by using drive encryption, intellectual rights manage-
ment software, or network security such as firewalls and antimalware.
Note: malware, or malicious software, is software that attackers design to harm computer systems.
Malware can do many things, from causing damage to the computer, to allowing unauthorized parties
remote access to the computer, to collecting and transmitting sensitive information to unauthorized third
parties. There are several types of malware, including computer viruses, computer worms, Trojan horses,
ransomware, and spyware.
●● Data in transit. Any time data moves between a user’s device and the server that hosts their data, it’s
at risk. For example, when a user reads their email on their cellphone, the email message is pushed to
their device. It’s important that not only is the data protected while in transit to the device, but that
the data is sent to the correct device as well. Authentication and encryption are the two technologies
used to help ensure safe transit of data to and from users’ devices, or between devices on your
network.
Threat protection
Threats to your organization’s data and infrastructure can originate from both devices and the network.
Device security
When users connect their devices to your IT infrastructure, they potentially introduce security risks. For
example:
●● Firewall settings. If a device lacks a properly configured firewall, then every time it connects to a
network it’s at risk. This is especially true if the device connects to public, unsecured networks such as
Wi-Fi hotspots.
●● Antivirus / antimalware protection. Without proper antimalware and antivirus software installed
and up to date, a device is at risk of being infected with malware. That malware might be transferred
to your organization when a user connects an improperly protected device to your network.
●● Software fixes and updates. When a weakness or flaw is discovered in an operating system or
application, the software vendor will provide an update (or patch). If a user doesn’t update their
device to include the latest updates, then the device is at risk. This might lead to malicious software
being able to transfer to the device with potential consequences for your organization’s infrastructure.
●● Lax security settings. Most users secure their phones with a PIN, but not all. And often, the PIN is too
short and fairly easy to guess. If a device contains sensitive company data, then that data is at risk on
the device.
●● Poor physical security. Many users are fairly relaxed about where they leave their phones and tablet
devices, even their company laptops. Leaving devices in vulnerable places such as internet cafes,
airports, or other public places, especially if those devices lack proper security safeguards, can easily
lead to data leakage.
Some of the preceding risks can be mitigated with proper end-user education about the importance of
security, and guidance on enabling a secure PIN or using the biometric protection built-in to many
devices these days. (Many laptops, tablets, and mobile devices today offer fingerprint and facial recogni-
tion software). But beyond education, to properly secure your organization’s IT infrastructure you must be
able to impose those security settings on devices, including those owned by your users, and restrict
access based on failure to adhere to those policies.
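Before you can "impose those security settings" through Intune compliance policies, it helps to see what the device itself reports for each of the risks listed above. The following PowerShell script is an added example, not part of the course material: it audits a Windows 10 device for the firewall, antimalware, update and disk-encryption items and returns one pass/fail object per check, the same conditions an Intune compliance policy would evaluate. It uses the built-in Get-NetFirewallProfile, Get-MpComputerStatus, Get-HotFix and Get-BitLockerVolume cmdlets; the signature-age and patch-age thresholds are assumptions chosen for illustration, and the script must run in an elevated session because Get-BitLockerVolume requires it.

```powershell
# Added example: local device-posture audit for the risks listed above.
# Run elevated on Windows 10. Thresholds are assumptions, not Microsoft defaults.
function Test-DevicePosture {
    param(
        [int]$MaxSignatureAgeDays  = 3,    # assumption: Defender signatures older than this fail
        [int]$MaxDaysSinceLastPatch = 45   # assumption: no update installed in this window fails
    )
    $results = @()

    # 1. Firewall: every profile (Domain, Private, Public) must be enabled.
    #    The Public profile is the one that matters on hotspots.
    $fw = Get-NetFirewallProfile
    $results += [pscustomobject]@{
        Check  = 'Firewall enabled on all profiles'
        Pass   = (@($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)
        Detail = ($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
    }

    # 2. Antimalware: real-time protection on, and signatures recent.
    $mp = Get-MpComputerStatus
    $results += [pscustomobject]@{
        Check  = 'Defender real-time protection enabled'
        Pass   = [bool]$mp.RealTimeProtectionEnabled
        Detail = "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    }
    $results += [pscustomobject]@{
        Check  = "Defender signatures no older than $MaxSignatureAgeDays days"
        Pass   = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Detail = "AntivirusSignatureAge=$($mp.AntivirusSignatureAge)"
    }

    # 3. Updates: the most recently installed hotfix must be recent.
    $lastPatch = (Get-HotFix | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    $results += [pscustomobject]@{
        Check  = "An update installed within the last $MaxDaysSinceLastPatch days"
        Pass   = [bool]($lastPatch -and (((Get-Date) - $lastPatch).Days -le $MaxDaysSinceLastPatch))
        Detail = "LastPatch=$lastPatch"
    }

    # 4. Disk encryption: the OS volume must be protected by BitLocker.
    #    ProtectionStatus 'On' means key protectors are active, not merely that
    #    the volume is encrypted; a suspended volume reports 'Off'.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results += [pscustomobject]@{
        Check  = 'BitLocker protection on OS drive'
        Pass   = ($bl.ProtectionStatus -eq 'On')
        Detail = "ProtectionStatus=$($bl.ProtectionStatus); EncryptionPercentage=$($bl.EncryptionPercentage)"
    }

    return $results
}

$posture = Test-DevicePosture
$posture | Format-Table -AutoSize
if (@($posture | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'Device does not meet the baseline; a compliance policy would mark it non-compliant.'
}
```

The script covers the device-side checks only; PIN strength and biometric enrollment, also listed above, are enforced by the MDM password policy rather than something a local script can reliably inspect.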
Network security
In our connected world, being able to gain access to an organization’s network means getting through
the security door. There are numerous possible forms of network attacks, which can be thwarted by
proper network access planning.
Wi-Fi is extremely convenient, enabling your users to quickly and easily connect their devices to the
network. However, it also makes it easier for a malicious person to also gain access to your network
because they no longer need a physical connection.
To help protect your network, you must take a holistic approach. You must identify each possible threat,
and then plan a mitigation for it, such as requiring a rigorous form of authentication from connecting
devices. Give your visitors internet access through your infrastructure, but keep their traffic off the
corporate network.
Security management
The final pillar, to some extent, brings the first three together; you must be able to manage your security
settings to address the preceding three pillars. Management can be proactive and reactive. In the case of
proactive management, you might choose to implement a certain type of authentication in your organi-
zation to meet perceived threats. You might choose to implement security policies to require complex
passwords, or to use a public key infrastructure (PKI) to ensure more secure identity.
You might also choose to plan to use certain encryption technologies to help to protect data in transit
and data at rest, or implement compliance policies on your devices to help to ensure they meet organiza-
tional requirements.
In terms of reactive management, you will most likely want access to tools that can help identify security
threats, or infractions that are currently taking place. Monitoring tools can be helpful in these situations,
and can also identify corrective action that you can take to remedy a situation.
Organization security review
capabilities, but Microsoft 365 subscriptions include Microsoft Intune, which provides significantly
more control over your users’ devices.
●● Advanced threat protection. Because email is a primary means of introducing malware into an
organization, advanced threat protection aims to identify threats before they land in a user's mailbox.
This feature is included in Microsoft 365 E5 subscriptions, and provides protection by:
●● Scanning email attachments for malware.
●● Scanning URLs in email messages and Microsoft Office documents.
●● Identifying and blocking malicious files found in online libraries, Microsoft SharePoint, Microsoft
OneDrive, and Microsoft Teams.
●● Checking email messages for spoofing of the sender address.
●● Detecting attempts to impersonate your users or your organization's custom domains.
●● Data loss prevention (DLP). This helps to ensure that data stored in SharePoint sites, OneDrive for
Business, email, and data created with Microsoft Office programs such as Microsoft Excel, Microsoft
Word, and Microsoft PowerPoint does not get into the wrong hands. You create DLP policies that identify
sensitive data (by matching sensitive information types such as credit card or national ID numbers) and
then manage its flow within your organization, and between your organization and other organizations.
●● Encrypted email. By using encryption, you can help ensure that only the intended recipient can view
emails that are sent outside your organization.
●● Azure AD Identity Protection. Because user accounts are critical to identifying users, detecting
unusual account behavior is important. You use this feature to identify attempts to compromise accounts,
for example by an attacker who has obtained a user's password. When Azure AD Identity Protection detects
unusual account behavior, it can block access to the account, or require additional authentication such
as MFA.
●● Privileged identity management. It's an important tenet of security that you limit the number of
administrative accounts. Failure to do so means that many day-to-day operations are performed with
unnecessary administrative privilege. Privileged identity management can help identify and control admin
accounts, and is included as part of Azure AD Premium P2 subscriptions. Privileged identity management
enables you to define temporary (just-in-time) administrators for when legitimate admin tasks require
elevation. This can help to limit the number of permanent administrative accounts.
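The DLP item above says a policy "identifies" sensitive data before it controls its flow. The following is an added example, not part of this course and not Microsoft's DLP engine, that shows the shape of a sensitive information type as Office 365 defines them: a pattern, a checksum that discards look-alike digit runs, and supporting keywords that raise confidence. The regular expression, keyword list, context window, confidence levels, policy actions and the sample documents are all assumptions constructed for the example.

```python
"""Sketch of how a DLP policy detects a payment card number (added example)."""
import re
from dataclasses import dataclass

# 13-16 digits, optionally separated by spaces or dashes (assumed pattern).
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Supporting keywords that raise confidence when found near a match (assumed list).
KEYWORDS = ("card", "visa", "mastercard", "cvv", "expires")
KEYWORD_WINDOW = 40  # characters of context inspected on either side of a match


@dataclass
class Finding:
    value: str
    confidence: str  # "medium" = pattern + checksum, "high" = plus a keyword nearby


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers that pass the checksum, with a confidence level."""
    findings = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                        # order ids and phone numbers usually fail here
        start, end = max(0, m.start() - KEYWORD_WINDOW), m.end() + KEYWORD_WINDOW
        context = text[start:end].lower()
        confidence = "high" if any(k in context for k in KEYWORDS) else "medium"
        findings.append(Finding(digits, confidence))
    return findings


def policy_action(findings: list, external_recipient: bool) -> str:
    """Assumed policy: block sharing outside the organization on a high-confidence
    match, notify the user on any match, otherwise allow."""
    if external_recipient and any(f.confidence == "high" for f in findings):
        return "block"
    if findings:
        return "notify"
    return "allow"


# Constructed sample documents, not real customer data.
SAMPLES = {
    "invoice.docx": "Please charge card 4111 1111 1111 1111, expires 12/25.",
    "orders.xlsx":  "Order reference 1234 5678 9012 3456 shipped on Monday.",
    "notes.txt":    "Customer left number 5500-0000-0000-0004 on the voicemail.",
    "agenda.txt":   "Agenda: budget review, hiring plan, Q3 roadmap.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = find_card_numbers(body)
        print(name, [(f.value, f.confidence) for f in found],
              "->", policy_action(found, external_recipient=True))
```

The checksum is what keeps the order reference in orders.xlsx out of the findings: the digits fit the pattern but fail Luhn, so no policy action fires. The card number in notes.txt is real but has no supporting keyword, so the assumed policy only notifies rather than blocks.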
Identity basics
Introduction
Identity is the primary supporting pillar in any security system. You must be able to identify users (and
devices) before you can determine the level of access or privilege that they have. You can establish
identity through user and device accounts. Typically, an employee has at least one user account, but
many have more depending upon the configuration of an organization’s IT infrastructure. For example,
organizations that implement AD DS only in an on-premises environment tend to have comparatively
simple requirements. However, those organizations that implement hybrid environments have to manage
identities in multiple locations and configure synchronization between those locations.
After this lesson, you should be able to:
●● Describe cloud identity and synchronized identity.
●● Describe Azure AD.
●● Explain why business environments need identity management.
●● Explain why business environments need identity protection.
●● Explain how Azure AD addresses identity management.
●● Describe Azure AD identity protection.
Cloud identities
A cloud identity is a user account that exists only in Office 365 or, to be more precise, only in Azure AD.
Azure AD provides an identity store, and authentication and authorization services for Office 365. You can
create a cloud identity with the same name as an on-premises user account, but there is no link between
them. You create cloud identities by using either Office 365 management tools, the Azure AD admin
portal, or Windows PowerShell.
If your organization does not have any on-premises identity infrastructure (such as AD DS domain
controllers), then using cloud-only identities offers significant benefits. They are comparatively simple to
manage, and enable users to gain access to all subscribed cloud services potentially using only one
account.
However, if you also have on-premises identity, then when you create a new user on-premises, you also
need to create that user in Office 365 as a separate step. This also means that users must maintain
separate passwords because there is no password synchronization (by default). If you have both cloud
and on-premises identities, you will most likely configure synchronization or federation between them.
Synchronized identities
A synchronized identity is a user that exists in both on-premises AD DS and Azure AD. The AD DS and the
Azure AD user accounts are linked together. Therefore, any changes that you make to the on-premises
user accounts are synchronized to the Azure AD user account. However, it is important to understand
that the AD DS user and the Azure AD user are two different objects that synchronize a set of attributes.
The Microsoft Azure Active Directory Connect (Azure AD Connect) tool performs the synchronization.
When you implement synchronized identities, AD DS is the authoritative source for most information.
This means that you perform administration tasks mostly on-premises, which are then synchronized to
Office 365. Only a very small set of attributes synchronize from Office 365 back to AD DS on-premises.
Authentication for synchronized identities occurs in Azure AD. The username and password are evaluated
in Azure AD without any reliance on the on-premises infrastructure.
Note: In AD DS, passwords are stored as a hash of the user's password (the NT hash, an unsalted MD4
digest), not as the password itself. A hash cannot be reversed directly to obtain the plain text password,
but an unsalted hash that leaks can be attacked offline and replayed against on-premises services, so
Azure AD Connect does not send it to the cloud as-is. The synchronization agent extracts the hash from the
on-premises AD DS, adds a per-user salt, and re-hashes the result with PBKDF2-HMAC-SHA256; only that
derived value reaches Azure AD. The plain text version of a user's password is never exposed to the
synchronization process or to Azure AD (or any of the associated services). When a user presents a synced
password to Azure AD, Azure AD repeats the same derivation on the typed password and compares the result
with the synchronized value, so there is never a requirement to synchronize the password itself.
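The note above describes the data flow in words. The following added example, which is not Azure AD Connect's code and not part of this course, models the three parties (on-premises directory, sync agent, cloud directory) so you can see that the plain text password appears only at the client side of each hop and that the cloud stores a salted derivation rather than the on-premises hash. The 10-byte salt and 1,000 PBKDF2-HMAC-SHA256 iterations are the values Microsoft documents for password hash synchronization; the SHA-256 stand-in for the MD4-based NT hash, the hex/UTF-16LE expansion step applied to a 32-byte rather than 16-byte digest, and the sample account are assumptions made for the example.

```python
"""Model of password hash synchronization (added example, not Azure AD Connect)."""
import hashlib
import hmac
import os

SALT_LENGTH = 10     # per-user salt length documented for Azure AD Connect
ITERATIONS = 1000    # PBKDF2-HMAC-SHA256 iteration count documented for Azure AD Connect


def nt_hash(password: str) -> bytes:
    """Stand-in for the on-premises NT hash.

    The real NT hash is MD4 over the UTF-16LE password; SHA-256 is substituted
    here because hashlib may not ship MD4 (an assumption for this example).
    Either way the value is unsalted: two users with the same password share a
    hash, and a leaked copy can be cracked offline or replayed on-premises,
    which is why it is never synchronized unchanged."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def expand(h: bytes) -> bytes:
    """Azure AD Connect expands the hash by hex-encoding it and re-encoding the
    hex string as UTF-16LE (16 bytes become 64); the same step is applied here."""
    return h.hex().encode("utf-16-le")


def cloud_derivation(on_prem_hash: bytes, salt: bytes) -> bytes:
    """The value that is actually synchronized: PBKDF2 over the expanded hash
    with a per-user salt. No plain text password is needed to compute it."""
    return hashlib.pbkdf2_hmac("sha256", expand(on_prem_hash), salt, ITERATIONS)


class OnPremDirectory:
    """Minimal model of AD DS: stores only the password hash."""
    def __init__(self):
        self._hashes = {}

    def set_password(self, upn: str, password: str) -> None:
        self._hashes[upn] = nt_hash(password)

    def export_hash(self, upn: str) -> bytes:
        return self._hashes[upn]


class CloudDirectory:
    """Minimal model of Azure AD: stores salt plus derived value per user."""
    def __init__(self):
        self._records = {}

    def store_synced(self, upn: str, salt: bytes, derived: bytes) -> None:
        self._records[upn] = (salt, derived)

    def stored_value(self, upn: str) -> bytes:
        return self._records[upn][1]

    def verify(self, upn: str, password: str) -> bool:
        """Cloud sign-in: rebuild the derivation from what the user typed."""
        if upn not in self._records:
            return False
        salt, derived = self._records[upn]
        candidate = cloud_derivation(nt_hash(password), salt)
        return hmac.compare_digest(candidate, derived)


def synchronize(on_prem: OnPremDirectory, cloud: CloudDirectory, upn: str) -> None:
    """The sync agent's job: read the hash, salt it, derive, ship the result."""
    salt = os.urandom(SALT_LENGTH)
    cloud.store_synced(upn, salt, cloud_derivation(on_prem.export_hash(upn), salt))


def demo() -> dict:
    upn = "emily@contoso.com"      # constructed account
    on_prem, cloud = OnPremDirectory(), CloudDirectory()
    on_prem.set_password(upn, "Correct-Horse-7")
    synchronize(on_prem, cloud, upn)
    first = cloud.stored_value(upn)
    synchronize(on_prem, cloud, upn)   # a re-sync picks a fresh salt
    second = cloud.stored_value(upn)
    return {
        "correct_password_accepted": cloud.verify(upn, "Correct-Horse-7"),
        "wrong_password_rejected": not cloud.verify(upn, "correct-horse-7"),
        "unknown_user_rejected": not cloud.verify("nobody@contoso.com", "x"),
        "resync_changes_stored_value": first != second,
        "stored_value_is_not_the_nt_hash": second != on_prem.export_hash(upn),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two properties are worth noticing: the sync agent only ever calls `export_hash`, never `set_password`, and the value Azure AD keeps cannot be presented back to the on-premises domain as an NT hash, so a compromise of the cloud record does not hand an attacker a pass-the-hash credential for AD DS.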
Federated identities
A federated identity is a synced account that is authenticated by using Active Directory Federation
Services (AD FS). AD FS is deployed on-premises and communicates with AD DS on-premises. When
Office 365 authenticates a federated identity, it directs the authentication request to AD FS. Because the
on-premises user account is used for authentication, the same password is used for signing in to Office
365 and on-premises AD DS.
The main benefit of using federated identities is single sign-on (SSO). Users authenticate at a
domain-joined workstation by using their credentials. SSO uses these credentials to automatically
authenticate to Office 365 services. When you use synchronized identities, users typically need to enter
their credentials manually when accessing Office 365 services, unless you also enable Azure AD Seamless
SSO for domain-joined devices. Note that federation also makes Office 365 sign-in dependent on the
availability and security of your on-premises AD FS servers.
Overview of Azure AD
Azure AD constitutes a separate Azure service. Its most elementary form (which any new Azure subscription
includes automatically) does not incur any extra cost and is referred to as Azure AD Free. If you
subscribe to any Microsoft Online business services (for example, Office 365 or Intune), you automatically
get Azure AD with access to all the free features.
Some of the more advanced identity management features require paid editions of Azure AD: Azure AD
Basic and Azure AD Premium (P1 and P2). Some of these features are also automatically included in Azure AD
instances generated as part of Office 365 subscriptions. For example, Microsoft 365 E5 subscriptions
include Azure AD Premium P2. The following identifies some of the advanced features in the Premium
plans.
Azure AD Premium P1 Plan Description: For enterprise environments, Azure AD Premium P1 provides
additional features that make it easier to manage users and applications. Some key features are:
●● Self-service group and app management
●● Self-service password reset (writeback to on-premises)
●● Two-way synchronization of device objects
●● Azure MFA
●● Conditional access based on group, location, and device state
●● Unlimited SSO apps
●● Cloud app discovery
●● Microsoft Identity Manager client access license for complex identity synchronization
●● Managing administrative roles. Most users are created as standard users, but some will require
administrative privileges. Administrative roles enable you to more easily define a level of administrative
privilege on a given part of your infrastructure. When a specific role does not exist, you can create
custom roles and assign the necessary privileges to the role.
●● Assign permissions. Users need access to resources and apps. This access requires permissions.
Ensuring that user accounts are assigned only the necessary permissions is a significant part of
account management.
●● Retire the account. People leave organizations, and change jobs within organizations. When this
occurs, you must be able to deprovision the appropriate user account, or, where suitable, repurpose
the account. This might involve unassigning roles, removing permissions, or changing account
properties.
These steps are part of the account lifecycle, and form a major part of account administration. One of the
most critical factors in identity management is to assign the correct rights, privileges, and permissions to
the appropriate user accounts. If you are managing an enterprise environment where accounts exist in
multiple locations (such as AD DS, Microsoft 365, and potentially other directory services), this can be
easy to get wrong.
To streamline your administrative effort, try to implement a solution that enables you to define a single
account for a given entity (a user or a device). You can then grant that account access to resources and
apps across potentially multiple platforms. This is also beneficial for your users as they must remember
fewer disparate account details. This potentially could enable them to have a single account that gives
them access to all their required resources and apps within your organization.
One option is to consider synchronizing your accounts between the various directory services. For
example, you can install and configure Azure AD Connect to synchronize accounts from your on-premises
AD DS to your Microsoft 365 Azure AD tenant.
Because of this, it's necessary to have an identity protection strategy. Identity protection is a set of
technologies that you implement to help proactively monitor user behavior, especially during authentication,
and to take action if risk or vulnerability is detected.
For example, if a user starts signing in from an unfamiliar location or at peculiar times of the day (such
as outside office hours), if two sign-ins come from distant locations closer together in time than travel
would allow, or if the account accumulates a burst of failed password attempts, that suggests suspicious
activity and might indicate that the account is compromised. Implementing an identity protection system
can help identify these issues and help to protect the integrity of your account infrastructure.
Tenants
Unlike AD DS, Azure AD is multitenant by design, and it is implemented specifically to ensure isolation
between its individual directories. It's the world's largest multitenant directory, hosting more than one
million directory services instances, with billions of authentication requests per week. The term tenant in
this context refers to an organization that has subscribed to a Microsoft cloud-based service such as
Office 365, Intune, or Azure; each tenant is backed by its own Azure AD directory, which holds that
organization's users.
Directories
When you provision your first Microsoft cloud service subscription, you automatically generate a new
Azure AD directory instance, referred to simply as a directory. The directory is assigned a default Domain
Name System (DNS) domain name that consists of a unique name of your choice followed by the
onmicrosoft.com suffix. It's possible and quite common to add at least one custom domain name that uses
the DNS domain namespace that the tenant owns.
The directory serves as the security boundary and a container for Azure AD objects such as users, groups,
and applications. It’s possible for a single directory to support multiple cloud-service subscriptions.
The Azure AD schema contains fewer object types than the AD DS schema. You can’t use Azure AD to
manage computers or user settings by using Group Policy Objects (GPOs). Instead, you use Azure AD to:
●● Provide directory services
●● Store and publish user, device, and application data
●● Manage authentication and authorization of users, devices, and applications
These features are effective and efficient in existing deployments of cloud services such as Office 365,
which rely on Azure AD as their identity provider to support millions of users.
Based on a calculated risk, Azure AD Identity Protection can notify administrators, try to remediate the
risk, increase the authentication security requirements, or take another action defined by the risk policy.
The sign-in risk level can be Low and above, Medium and above, and High. For each risk level, you can
define actions such as requiring MFA for signing-in, password changes, or blocking access.
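The identity protection discussion earlier (unfamiliar locations, odd hours, bursts of failed attempts) and the risk levels and policy actions just described fit together as a small pipeline. The following added example, which is not Azure AD Identity Protection's code and not part of this course, scores each successful sign-in in a constructed log against the user's own history, maps the score to the page's levels, and then applies a "level and above" sign-in risk policy. The signals, their weights, the working-hours and travel windows, the policy configuration and the log itself are all assumptions for the example.

```python
"""Toy sign-in risk scoring and risk policy (added example, not Identity Protection)."""
from datetime import datetime, timedelta

LEVELS = ["none", "low", "medium", "high"]
WORKING_HOURS = range(7, 20)               # assumed normal sign-in hours (UTC)
FAILURE_WINDOW = timedelta(minutes=15)     # assumed window for a burst of failed attempts
TRAVEL_WINDOW = timedelta(hours=2)         # assumed minimum time between two countries

# Sign-in risk policy in the "level and above" form the page describes (assumed configuration).
SIGN_IN_RISK_POLICY = {"medium": "require_mfa", "high": "block"}


def entry(when: str, country: str, ok: bool, user: str = "emily@contoso.com") -> dict:
    return {"user": user, "ts": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "country": country, "ok": ok}


def assess(log: list, event: dict):
    """Score one successful sign-in against everything logged before it for the user.
    Returns (risk level, reasons). The weights are assumptions for the example."""
    prior = [e for e in log if e["user"] == event["user"] and e["ts"] < event["ts"]]
    known = [e for e in prior if e["ok"]]
    reasons = {}
    if known and event["country"] not in {e["country"] for e in known}:
        reasons["unfamiliar location"] = 1
    if event["ts"].hour not in WORKING_HOURS:
        reasons["outside working hours"] = 1
    failures = [e for e in prior if not e["ok"] and event["ts"] - e["ts"] <= FAILURE_WINDOW]
    if len(failures) >= 3:
        reasons[f"{len(failures)} failed attempts shortly before"] = 2
    if known:
        last = max(known, key=lambda e: e["ts"])
        if last["country"] != event["country"] and event["ts"] - last["ts"] < TRAVEL_WINDOW:
            reasons["impossible travel"] = 2
    score = sum(reasons.values())
    return LEVELS[min(score, len(LEVELS) - 1)], list(reasons)


def policy_action(level: str) -> str:
    """Return the action of the highest 'level and above' rule the level satisfies."""
    action = "allow"
    rules = sorted(SIGN_IN_RISK_POLICY.items(), key=lambda kv: LEVELS.index(kv[0]))
    for threshold, configured in rules:
        if LEVELS.index(level) >= LEVELS.index(threshold):
            action = configured
    return action


def run(log: list) -> list:
    """Evaluate every successful sign-in; failed attempts are evidence, not sessions."""
    results = []
    for event in log:
        if not event["ok"]:
            continue
        level, reasons = assess(log, event)
        results.append({"ts": event["ts"].isoformat(), "country": event["country"],
                        "level": level, "action": policy_action(level), "reasons": reasons})
    return results


# Constructed sign-in log for one user, not real telemetry.
LOG = [
    entry("2019-03-04 09:00", "GB", True),
    entry("2019-03-05 09:05", "GB", True),
    entry("2019-03-06 08:58", "GB", True),
    entry("2019-03-07 10:00", "GB", True),
    entry("2019-03-07 22:00", "DE", True),    # new country, late evening
    entry("2019-03-08 02:00", "RO", False),   # burst of failures...
    entry("2019-03-08 02:01", "RO", False),
    entry("2019-03-08 02:02", "RO", False),
    entry("2019-03-08 02:03", "RO", True),    # ...followed by a success
    entry("2019-03-08 03:30", "GB", True),    # back in GB 87 minutes later
    entry("2019-03-11 21:00", "GB", True),    # familiar place, just late
]

if __name__ == "__main__":
    for r in run(LOG):
        print(r["ts"], r["country"], r["level"], r["action"], r["reasons"])
```

The sorted rule order matters: a high-risk sign-in satisfies both the "medium and above" and the "high" rule, and the stricter action must win. The baseline is built only from prior successful sign-ins, so the first sign-in of a new user cannot be "unfamiliar", which is also why such users are a weak spot for any behavioral detection.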
Protecting information
With the proliferation of devices such as tablets and phones, it’s becoming increasingly difficult for IT
administrators to manage devices and data that they contain. However, this is vital to an organization’s
security.
Although some organizations currently do not allow their users to bring their own devices and connect
them to their infrastructure, most do allow users access to corporate email via personal cellphones and
tablets. Even this relatively modest access poses risks of data leakage and the introduction of malware
into the organization.
If your organization decides to allow users to connect their devices in some way, it's important that you
put in place security settings that can help protect your organization from the following threats:
●● Malware. Introduced through unsecured devices and apps.
●● Data leakage. Through:
●● Loss or theft of a device that contains corporate data.
●● Loss or theft of a storage device (such as a USB drive) that contains corporate data.
●● Inappropriate data access. Caused by access to an unsecured device by malicious persons.
●● Network access. Caused by insufficient security settings on a device, enabling a malicious person to
obtain sensitive data such as user accounts, passwords, and wireless access point settings.
You implement MDM by using an MDM authority and MDM clients. Microsoft offers two MDM authority
solutions: Intune, and MDM for Office 365. The MDM client functionality is included as part of the
Windows 10 operating system. The MDM authority can manage various devices that include MDM client
functionality, such as the Android, iOS, and Windows 10 operating systems.
MDM functionality typically includes:
●● App distribution
●● Data management
●● Device configuration
Note that to apply these settings, devices must be enrolled in an MDM. You can enroll Windows 10
devices manually or automatically. You must enroll devices running other operating systems manually,
often by installing a specific app.
An MDM authority such as Intune provides the following capabilities:
●● Device enrollment. MDM can manage only supported devices that are enrolled in MDM. Windows 10
includes MDM client functionality; for other operating systems such as Android or iOS, you must install
the Company Portal app to manage the device.
●● Device configuration. You can use profiles and policies to configure devices, control user access, and
set device settings to comply with company policy. You can also deploy settings for devices to access
company resources such as Wi-Fi and VPN profiles, and control access to company resources by using
conditional access.
●● Monitoring and reporting. In the MDM management tool, you can receive notifications about
devices that have issues, or whether MDM policy was not successfully applied, such as when devices
do not comply with a company baseline. You can also add enrolled devices to groups and view a list
of enrolled devices. By using Intune, you can also configure Windows Autopilot device deployment.
●● Application Management. By using MDM and mobile application management (MAM) you can
deploy the applications, manage their settings, and separate data that is created by personal and
business apps.
●● Selective data deletion. If a device is lost or stolen, or if the user is no longer a company employee,
you can wipe company data that’s stored on the device. You can wipe all device data or perform a
selective wipe, which leaves personal user data on the device intact.
●● Configure Windows Information Protection (WIP) to help guard against data loss.
●● Enable device-compliance policies that can require certain minimal encryption and password
settings, prevent access by rooted devices, and determine a maximum mobile threat defense level.
3. Protect. In the Protect phase, the MDM solution provides ongoing monitoring of the settings established
in the Configure phase. During this phase, you also use the mobile device management solution to help
keep devices compliant through the monitoring and deployment of software updates.
4. Retire. When a device is no longer needed, when it's lost or stolen, or when an employee leaves the
organization, you should help to protect the data on the device. You can remove data by resetting the
device, performing a full wipe, or performing a selective wipe that removes only corporation-owned
data from the device.
As an example of the MDM lifecycle, let’s use an employee named Emily Braun who has just started at
Contoso. She has a cellphone on which she wishes to read corporate emails. The following workflow is
from the device management perspective:
1. Enroll. When Emily enters the required information to configure her email account, she will be
notified that the organization she is connecting to requires that her device be configured. Assuming
that Emily accepts these conditions, her device is enrolled into MDM at Contoso.
2. Configure. As part of the conditions for allowing Emily access to corporate email, her device is
configured according to compliance policies defined within Microsoft 365 in the Contoso tenant.
These configuration settings might include requiring Emily to configure a PIN to unlock her phone,
and might also require that she enable device encryption.
3. Protect. As Emily uses her device, MDM continues to monitor and maintain her phone. If organizational
needs change, these changes might be reflected in policies that apply to Emily's device.
4. Retire. Emily has accepted another position outside of Contoso with Adatum. The administration
team at Contoso can now remotely wipe the corporate data from Emily’s phone.
Compliance policies
You can define company policies by using the Device Compliance policy in Intune. You can control access
to email, documents, and other cloud apps by using Conditional Access policies. Compliance with
company policy is just one criterion that you can evaluate in Conditional Access policy; you can also
evaluate sign-in risk, device type, location, and client apps.
If a device is not enrolled to Intune, its compliance cannot be evaluated. However, you can prevent access
to mailboxes, documents, and cloud apps from such devices. If a user tries to access his or her mailbox
from such a device, depending on how you set the policy the user might be blocked from accessing
Office 365 resources. They also might be redirected to enroll the device in MDM. Alternatively, the user
could be granted access, but Office 365 would report a policy violation.
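The device compliance settings listed earlier (encryption, PIN, rooted devices, threat level) and the conditional access outcomes just described (block, redirect to enrollment, or grant and report the violation) are two stages of one decision. The following added example, which is not Intune's or Azure AD's code and not part of this course, evaluates a device against an assumed compliance policy and then feeds that state, together with sign-in risk, client app and location, into an assumed conditional access policy for mailboxes and documents. The policy values, the threat-level scale, the report-only behaviour and the sample devices are assumptions for the example.

```python
"""Compliance evaluation feeding a conditional access decision (added example)."""
from dataclasses import dataclass

THREAT_ORDER = ["secure", "low", "medium", "high"]   # mobile threat defense scale (assumed labels)

# Assumed compliance policy; the settings mirror the ones the page lists.
COMPLIANCE_POLICY = {
    "require_encryption": True,
    "min_pin_length": 6,
    "block_rooted": True,
    "max_threat_level": "low",
}


@dataclass
class Device:
    name: str
    enrolled: bool = False
    encrypted: bool = False
    pin_length: int = 0
    rooted: bool = False
    threat_level: str = "secure"


@dataclass
class SignIn:
    device: Device
    sign_in_risk: str = "none"      # none / low / medium / high, from Identity Protection
    client_app: str = "modern"      # "modern" can do MFA; "legacy" (basic auth) cannot
    trusted_location: bool = False  # named corporate location in the CA policy


def compliance_state(d: Device):
    """Evaluate the device against COMPLIANCE_POLICY.
    Returns ('not_enrolled' | 'compliant' | 'non_compliant', [failed checks])."""
    if not d.enrolled:
        return "not_enrolled", ["not enrolled: compliance cannot be evaluated"]
    failed = []
    if COMPLIANCE_POLICY["require_encryption"] and not d.encrypted:
        failed.append("storage not encrypted")
    if d.pin_length < COMPLIANCE_POLICY["min_pin_length"]:
        failed.append(f"PIN shorter than {COMPLIANCE_POLICY['min_pin_length']} digits")
    if COMPLIANCE_POLICY["block_rooted"] and d.rooted:
        failed.append("device is rooted or jailbroken")
    if THREAT_ORDER.index(d.threat_level) > THREAT_ORDER.index(COMPLIANCE_POLICY["max_threat_level"]):
        failed.append(f"threat level {d.threat_level} exceeds {COMPLIANCE_POLICY['max_threat_level']}")
    return ("compliant" if not failed else "non_compliant"), failed


def conditional_access(s: SignIn, report_only: bool = False):
    """Assumed policy for access to mailboxes and documents.
    Returns (decision, reasons); decision is 'grant', 'require_mfa',
    'enroll_required' or 'block'. In report-only mode every sign-in is granted
    and the decision the policy would have taken is recorded in reasons."""
    state, failed = compliance_state(s.device)
    if s.client_app == "legacy":
        decision, reasons = "block", ["legacy client cannot satisfy MFA or device controls"]
    elif s.sign_in_risk == "high":
        decision, reasons = "block", ["high sign-in risk"]
    elif state == "not_enrolled":
        decision, reasons = "enroll_required", failed      # redirect to MDM enrollment
    elif state == "non_compliant":
        decision, reasons = "block", failed
    elif s.sign_in_risk == "medium" or not s.trusted_location:
        why = "medium sign-in risk" if s.sign_in_risk == "medium" else "untrusted location"
        decision, reasons = "require_mfa", [why]
    else:
        decision, reasons = "grant", []
    if report_only and decision != "grant":
        return "grant", [f"report-only: policy would have returned {decision}"] + reasons
    return decision, reasons


# Constructed devices, not a real inventory.
EMILY_PHONE = Device("emily-iphone", enrolled=True, encrypted=True, pin_length=6)
PERSONAL_TABLET = Device("guest-tablet")
ROOTED_ANDROID = Device("rooted-android", enrolled=True, encrypted=True, pin_length=4, rooted=True)
FLAGGED_PHONE = Device("mtd-flagged", enrolled=True, encrypted=True, pin_length=6, threat_level="high")

if __name__ == "__main__":
    cases = [SignIn(EMILY_PHONE), SignIn(EMILY_PHONE, trusted_location=True),
             SignIn(PERSONAL_TABLET), SignIn(ROOTED_ANDROID), SignIn(FLAGGED_PHONE),
             SignIn(EMILY_PHONE, sign_in_risk="high"), SignIn(EMILY_PHONE, client_app="legacy")]
    for s in cases:
        print(s.device.name, conditional_access(s))
    print(ROOTED_ANDROID.name, "report-only", conditional_access(SignIn(ROOTED_ANDROID), report_only=True))
```

Order matters in the policy: legacy clients and high-risk sign-ins are blocked before device state is considered, because neither can be remediated by prompting for MFA. The report-only path is how you would pilot such a policy without locking anyone out; the reasons list is what you would review before switching it to enforce.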
After a device is enrolled, you continue to manage it through policies. In terms of data protection, you
can create the following types of policy:
●● Device restrictions. Device restrictions control security, hardware, data sharing, and other settings on
the devices. For example, you can create a device restriction profile that prevents iOS device users
from using the device’s camera.
●● Endpoint protection. Endpoint protection settings for devices include:
●● Windows Defender Application Guard
●● Windows Defender Firewall
●● Windows Defender SmartScreen
●● Windows Encryption
●● Windows Defender Exploit Guard
●● Windows Defender Application Control
●● Windows Defender Security Center
●● Windows Defender Advanced Threat Protection
●● Windows Information Protection
●● Identity protection. Identity protection controls the Windows Hello for Business experience on
Windows 10 and Windows 10 Mobile devices. Configure these settings to make Windows Hello for
Business available to users and devices, and to specify requirements for device PINs and gestures.
You can also perform a number of actions on enrolled devices, including:
●● Factory reset
●● Selective wipe
●● Delete device
●● Restart device
●● Fresh start
What is IRM?
In modern enterprises, the increase in collaboration between both internal and external users and the
proliferation of employee-owned devices has increased the risk of accidental or malicious data leakage.
Traditionally, enterprises have controlled access to data by assigning credentials to users. However, user
access control does not prevent authorized users from accidentally sharing files or sending data in email,
which has led to new protection systems.
Organizations implemented DLP to overcome the limitations of systems that are based solely on
authentication and authorization. A DLP system automatically detects and controls data that should be
protected.
Organizations also need to protect data after it leaves the company. To meet this need, you can implement
IRM systems that make protection an inherent part of documents. You might have encountered similar
protection on video and audio files that you have streamed from the internet: it prevents you from sharing
the files and allows you only to view or listen to them. In a workplace, IRM can ensure that an employee
can create a document and then determine the level of protection that should apply to the document, such
as allowing only authorized users to open the document.
IRM systems require setting up both client and server environments. The client app that opens a document
is responsible for enforcing the protection rules after checking with the server component of the system
for authorization updates. Because enforcement happens in the client, IRM guards against accidental or
casual misuse by authorized users rather than against a determined recipient who already has the right to
view the content.
●● Warning users that they are working with personal data that is covered by regulations that control the
sharing of that data.
Labels
In AIP, protection templates are associated with labels. Some default labels, such as Personal, Public, and
General, do not have protection configured because the purpose of these labels is to classify the content,
and not to protect it. However, when you create a new label you can choose whether you will use it to
protect a document, remove the protection from the document, or merely classify the document. You can
also choose to let users configure permissions when using a specific label, or have users apply permission
sets that you have configured already.
By default, after you complete the AIP activation the following default labels are available:
●● Personal
●● Public
●● General
●● Confidential
●● Highly Confidential
You can use these labels to enable users in your organization to protect sensitive content. When necessary,
you can create new labels and protection templates by using the AIP administration pane in the
Azure portal.
AIP policies
To enable classification, labeling, and protection, and to make these resources available to your users, you
must configure the AIP policy. This policy then downloads to computers that have installed the AIP client.
The policy contains labels and settings.
●● Labels apply a classification value to documents and email and can optionally protect this content.
The Azure Information Protection client displays these labels for your users in Office apps and when
users right-click a file in File Explorer. AIP comes with a default policy, which contains the previously
mentioned five main labels. You can use the default labels without changes, you can customize them,
you can delete them, or you can create new labels.
●● The settings change the default behavior of the Azure Information Protection client. For example, you
can select a default label, you can define whether all documents and emails must have a label, and
whether the AIP bar displays in Office apps.
You configure labels, label policies, and sensitive information types by using Security & Compliance from
the Office 365 portal.
●● EU Model Clauses. The European Union EU Data Protection Directive is a key instrument for the EU
privacy and human rights law. The EU Model Clauses legitimize the transfer of personal data outside
the EU, and they comprise the preferred method for the data transfer of personal data outside the EU.
●● Safe Harbor Framework. The US-EU Safe Harbor Framework also addressed the transfer of personal data
outside the EU, and Office 365 followed the principles and processes stipulated by this framework. Note
that the Court of Justice of the EU invalidated Safe Harbor in 2015 and its successor, the EU-U.S. Privacy
Shield, in 2020; transfers now rely on mechanisms such as the Model Clauses (Standard Contractual Clauses).
●● The Family Educational Rights and Privacy Act (FERPA). United States educational organizations are
required to follow FERPA regulations regarding the use or disclosure of student education records.
This also includes student information sent in email or email attachments.
●● SSAE 16. Independent organizations can audit Office 365 and provide SSAE 16 SOC 1 Type I and Type
II, and SOC 2 Type II reports on how the service implements controls.
●● The Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is a Canadian
law pertaining to how private sector organizations collect, use, and disclose personal information in
regard to commercial business.
●● The Gramm–Leach–Bliley Act (GLBA). This act protects customers’ nonpublic personal information, and
financial institutions are required to follow these regulations to protect their clients’ information.
●● Azure Security and Compliance Blueprint. This offers turn-key security and compliance solutions and
support, tailored to the needs of industry verticals, that accelerate cloud adoption and utilization for
customers with regulated or restricted data.
●● Regional Compliance. This tab provides regionally specific compliance information, often in the form
of legal opinions that describe Microsoft cloud services in:
●● Australia
●● Czech Republic
●● Germany
●● Poland
●● Romania
●● Spain
●● UK
●● Privacy. This site provides information about the capabilities in Microsoft services that you can use to
address specific GDPR requirements. It also provides documentation helpful to your GDPR accountability
and to your understanding of the technical and organizational measures Microsoft has taken to
support the GDPR.
●● Resources. Enables access to:
●● Office 365 Security and Compliance Center. This offers comprehensive resources for learning
about security and compliance in Office 365, including documentation, articles, and recommended
best practices.
●● Admin. This tab has administrative functions that are only available to the tenant administrator
account, and will only be visible when you are signed in as a global administrator.
You can access the STP at https://servicetrust.microsoft.com/.
Exercise 2
Creating a conditional access policy
Exercise 3
Activating Azure Identity Protection
Module Assessment
Questions
Checkbox
Which of the following is considered to be a pillar of computer security systems? (Choose all that apply.)
Identity
Firewalls
Device security
Antivirus software
Data security
Encryption
Network security
Multi-factor authentication (MFA)
Multiple choice
Can you use a Microsoft account to sign in to Microsoft 365? (Choose the correct answer.)
Yes
No
Multiple choice
When connecting to Wi-Fi hotspots, what is the most important security feature to have enabled on your
device? (Choose the best answer)
A PIN for sign in on your device
Encryption of the device contents
A firewall
The latest operating system feature updates
Checkbox
Which of the following is considered a data security threat? (Choose all that apply.)
Data leakage via removable media
Unauthorized user accessing information on a server
An eavesdropping attack
A denial of service attack
Checkbox
Which of the following Microsoft 365 features help guard against security issues arising from identity?
(Choose all that apply.)
MFA
Microsoft Azure Advanced Threat Protection (Azure ATP)
Data loss prevention
Azure Active Directory (Azure AD) Identity Protection
Multiple choice
Which of the following statement (or statements) are true about Microsoft synchronized identities? (Choose
the best answer)
They exist only in Active Directory Domain Services (AD DS).
They exist only in Azure AD.
They exist as duplicates in both AD DS and Azure AD.
They exist as linked account in both AD DS and Azure AD.
Multiple choice
When implementing synchronized accounts in Microsoft 365, which tool performs the synchronization
between AD DS and Azure AD? (Choose the correct answer.)
Azure AD
Azure AD Connect
Active Directory Federation Services (AD FS)
AD DS
Multiple choice
Mobile device management (MDM) autoenrollment is a feature in which version of Azure AD? (Choose the
correct answer.)
Azure AD Free
Azure AD Basic
Azure AD Premium P1
Azure AD Premium P2
Multiple choice
You notice suspicious activity during sign in from a number of user accounts. It seems as if these users are
signing in at unusual times and from not normal locations. What tool or feature in Microsoft 365 might
alert you to such activity? (Choose the correct answer.)
Azure MFA
Azure AD Privileged Identity Management
Microsoft Identity Manager
Azure AD Identity Protection
Multiple choice
You want the ability to elevate a user’s account to that of a temporary administrator. Which Microsoft 365
identity management feature could help with this? (Choose the correct answer.)
Azure MFA
Azure AD Privileged Identity Management
Microsoft Identity Manager
Azure AD Identity Protection
Multiple choice
You want your users to have the ability to manage their group memberships themselves. What version of
Azure AD supports this capability? (Choose all that apply.)
Azure AD Free
Azure AD Basic
Azure AD Premium P1
Azure AD Premium P2
Multiple choice
Some of your users have access to Oracle databases. You need to implement a single hybrid identity
infrastructure. How could you achieve this using Azure AD? (Choose the correct answer.)
Implement MFA.
Implement Microsoft Identity Manager.
Implement Password reset with writeback.
Implement Conditional Access.
Implement Azure AD Connect Health.
Multiple choice
In Microsoft Intune, what kind of policy enables you to ensure that devices are not rooted, and are
configured with complex passwords? (Choose the correct answer.)
Conditional access policy
Device compliance policy
Device enrollment policy
Device configuration profile
Multiple choice
In Azure Information Protection, which of the following classifies documents? (Choose the correct answer.)
Labels
Templates
Settings
Multiple choice
Which feature in Microsoft 365 could help ensure that your organization retains data files for appropriate
periods based on legal requirements? (Choose the correct answer.)
Office 365 Auditing
Office 365 eDiscovery
Office 365 Archiving
Answers
Checkbox
Which of the following is considered to be a pillar of computer security systems? (Choose all that apply.)
■■ Identity
Firewalls
■■ Device security
Antivirus software
■■ Data security
Encryption
■■ Network security
Multi-factor authentication (MFA)
Multiple choice
Can you use a Microsoft account to sign in to Microsoft 365? (Choose the correct answer.)
Yes
■■ No
Multiple choice
When connecting to Wi-Fi hotspots, what is the most important security feature to have enabled on your
device? (Choose the best answer)
A PIN for sign in on your device
Encryption of the device contents
■■ A firewall
The latest operating system feature updates
Checkbox
Which of the following is considered a data security threat? (Choose all that apply.)
■■ Data leakage via removable media
■■ Unauthorized user accessing information on a server
An eavesdropping attack
A denial of service attack
Checkbox
Which of the following Microsoft 365 features help guard against security issues arising from identity?
(Choose all that apply.)
■■ MFA
Microsoft Azure Advanced Threat Protection (Azure ATP)
Data loss prevention
■■ Azure Active Directory (Azure AD) Identity Protection
Multiple choice
Which of the following statements is true about Microsoft synchronized identities?
(Choose the best answer.)
They exist only in Active Directory Domain Services (AD DS).
They exist only in Azure AD.
They exist as duplicates in both AD DS and Azure AD.
■■ They exist as linked accounts in both AD DS and Azure AD.
Multiple choice
When implementing synchronized accounts in Microsoft 365, which tool performs the synchronization
between AD DS and Azure AD? (Choose the correct answer.)
Azure AD
■■ Azure AD Connect
Active Directory Federation Services (AD FS)
AD DS
Multiple choice
Mobile device management (MDM) autoenrollment is a feature in which version of Azure AD? (Choose
the correct answer.)
Azure AD Free
Azure AD Basic
■■ Azure AD Premium P1
Azure AD Premium P2
Multiple choice
You notice suspicious sign-in activity from a number of user accounts. It seems as if these users
are signing in at unusual times and from unusual locations. What tool or feature in Microsoft 365
might alert you to such activity? (Choose the correct answer.)
Azure MFA
Azure AD Privileged Identity Management
Microsoft Identity Manager
■■ Azure AD Identity Protection
Multiple choice
You want the ability to elevate a user’s account to that of a temporary administrator. Which Microsoft 365
identity management feature could help with this? (Choose the correct answer.)
Azure MFA
■■ Azure AD Privileged Identity Management
Microsoft Identity Manager
Azure AD Identity Protection
Multiple choice
You want your users to have the ability to manage their group memberships themselves. What version of
Azure AD supports this capability? (Choose all that apply.)
Azure AD Free
Azure AD Basic
■■ Azure AD Premium P1
Azure AD Premium P2
Multiple choice
Some of your users have access to Oracle databases. You need to implement a single hybrid identity
infrastructure. How could you achieve this using Azure AD? (Choose the correct answer.)
Implement MFA.
■■ Implement Microsoft Identity Manager.
Implement Password reset with writeback.
Implement Conditional Access.
Implement Azure AD Connect Health.
Multiple choice
In Microsoft Intune, what kind of policy enables you to ensure that devices are not rooted, and are
configured with complex passwords? (Choose the correct answer.)
Conditional access policy
■■ Device compliance policy
Device enrollment policy
Device configuration profile
Multiple choice
In Azure Information Protection, which of the following classifies documents? (Choose the correct
answer.)
■■ Labels
Templates
Settings
Multiple choice
Which feature in Microsoft 365 could help ensure that your organization retains data files for appropriate
periods based on legal requirements? (Choose the correct answer.)
Office 365 Auditing
Office 365 eDiscovery
■■ Office 365 Archiving
Module 4 Microsoft 365 pricing and support
Microsoft 365 Enterprise focuses on delivering enterprise-class services to organizations who want to
implement a complete productivity solution that integrates with the most robust Enterprise Mobility +
Security features. Microsoft 365 Enterprise offers different plans that further cater to each organization’s
unique needs. These include:
●● Microsoft 365 E3. This is the base level Microsoft 365 offering for enterprise customers. It provides
Office 365, Windows 10, and some Enterprise Mobility + Security features.
●● Microsoft 365 E5. This plan includes all E3 products and features, plus the latest advanced information
protection, compliance, and analytics tools, including:
●● Enhanced communication features, including audio conferencing and phone system integration
with Skype for Business Online and Microsoft Teams.
●● Advanced threat protection, including Windows Defender Advanced Threat Protection, Office 365
Advanced Threat Protection, and Office 365 Threat Intelligence.
●● Advanced identity and access management with Azure Active Directory Premium 2.
●● Advanced compliance with Office 365 Advanced eDiscovery, Customer Lockbox, and Office 365
Advanced Data Governance.
●● Microsoft Managed Desktop. This plan combines Microsoft 365 E5 with device as a service (DaaS)
procurement, configuration, maintenance, and IT as a service (ITaaS) deployment, monitoring, reporting,
and service desk.
●● Microsoft 365 F1. A special configuration of Microsoft 365, this plan is purpose-built for firstline
workers, offering them the tools and resources they need. It’s similar to Microsoft 365 E3, with the
following differences:
●● It includes all Microsoft Office apps except for Microsoft Access.
●● Email and calendar are limited to a 2-gigabyte (GB) Inbox. There is no commercial Outlook app or
integration, and no voicemail.
●● For schedule and task management, Microsoft PowerApps are limited to consumption only. Flow is
limited to 750 users per month.
●● For voice, video, and meetings:
●● Meetings are join only.
●● 1:1 audio and video calls are supported.
Microsoft 365 subscriptions, licenses, and billing 133
Microsoft 365 Business brings together features from across Microsoft’s offerings in a solution designed
for small and medium-sized businesses. Like Microsoft 365 Enterprise, Microsoft 365 Business offers the
full set of productivity tools found in Office 365, and includes security and device management features.
However, it does not include some of the more advanced information protection, compliance, or analytics
tools that are available to enterprise subscribers. It’s designed for organizations that need up to 300
licenses; if an organization is larger than that, they will need to subscribe to a Microsoft 365 Enterprise
plan instead.
For the latest information about Microsoft 365 Business plans, features, and pricing, go to https://www.microsoft.com/en-US/microsoft-365/business.
Microsoft 365 Education is available for educational organizations. Academic licenses can be tailored to
fit any institution’s needs, including productivity and security solutions for faculty, staff, and students.
Administrators might also encounter an expired license, meaning that the license wasn’t renewed, or the
payment for the latest billing cycle is past due. In this scenario, the user whose account is associated with
the expired license will have reduced functionality with Microsoft 365 features and products until the
license is renewed, or an administrator allocates another license to that user.
Administrators can also enable or disable functionalities within a single license for each user. As depicted
in the following figure, there can be many services and tools within a single license that administrators
can toggle on or off to fine-tune each user’s account settings. Note, however, that deactivating any or all
features for a user does not affect license consumption; these individual controls within the user’s
product licenses pane are separate from allocating a license to a user, or removing a license from a user.
language capabilities.
●● Premier Support. Microsoft Premier Support Services is well suited for large or global enterprises
with strategic and business-critical dependence on Microsoft products, including Microsoft 365 and
Microsoft Azure. Premier Support Services members are assigned a technical account manager, and
additional benefits such as advisory services and on-site support are available.
You can also click on any entry to obtain more details. For example, the following screenshot displays the
details of a Microsoft Exchange Online incident, including:
●● A description of the problem
●● When the incident was first logged
●● Last update to the incident
●● Current status
●● User impact
Support in Microsoft 365 143
Exercise 1
Exploring interfaces for billing and subscriptions
Lab - Managing subscriptions, licensing, and support in Microsoft 365 145
●● Note that for each type of subscription you’ll see the total number of licenses (both valid and expired),
in addition to the number of licenses that are assigned to users.
●● Don’t do anything with your licenses yet; we’ll step through managing licenses in the next exercise.
1. In Billing, select Billing notifications. This is where you can determine who receives automated
emails about Microsoft services billing.
Exercise 2
Managing licenses
Exercise 3
Reviewing support options
Module Assessment
Questions
Multiple choice
Which of the following Microsoft 365 subscription plans includes Microsoft Azure Active Directory Plan 2 for
advanced identity and access management? (Choose the best answer.)
Microsoft 365 Business
Microsoft 365 E3
Microsoft 365 E5
Checkbox
Which of the following actions can a Microsoft 365 administrator perform in the Microsoft 365 admin
center’s Subscriptions window? (Choose all that apply.)
Add a partner of record to identify who sold you your Microsoft 365 subscription.
Edit the subscription address.
Cancel the subscription.
Install software that is part of their Microsoft 365 subscription.
Checkbox
You have an issue with your Microsoft OneDrive for Business. If you’ve purchased a Microsoft 365 Business
subscription directly from Microsoft, which support options are available to you? (Choose all that apply.)
Cloud Service Provider Tier 1 support
Microsoft 365 support forums
O365 Assistant
Microsoft Premier Support Services
Microsoft 365 service request
Multiple choice
What is the maximum number of licenses you can purchase under a Microsoft 365 Business subscription?
(Choose the correct answer.)
100
200
300
500
Checkbox
An educational facility is considering a Microsoft 365 Education subscription. Which people in the institution
can be assigned licenses through this subscription? (Choose all that apply.)
Faculty
Staff
Students
Alumni
Multiple choice
You’re the Microsoft 365 subscription administrator at your organization. As of 10:00 AM this morning, no
one is able to connect their mailboxes to the Microsoft Exchange Online service. What should you do to
check the service status? (Choose the correct answer.)
Navigate to Service health in the Microsoft 365 admin center.
Visit the Microsoft Office 365 online forum.
Visit the Microsoft Azure online forum.
Send an email to Microsoft support.
Multiple choice
Your organization is looking for a Microsoft 365 offering that is built specifically for firstline workers. Which
plan should you choose? (Choose the correct answer.)
Microsoft 365 Education
Microsoft 365 E3
Microsoft 365 E5
Microsoft 365 F1
Microsoft 365 Business
Checkbox
Which of the following actions can a Microsoft 365 administrator perform with their subscription’s licenses?
(Choose all that apply.)
Remove a license from a user to make it available to another user.
Enable or disable functionalities within a license.
Allocate functionality of one license between two or more users.
Purchase additional licenses.
Multiple choice
You want to review the statuses of your existing Microsoft 365 service requests. What’s the best way to do
that? (Choose the correct answer.)
In the Microsoft 365 admin center, select View service requests under the Support blade.
Search the Microsoft 365 support forums using your service request numbers.
Only Tier 1 Cloud Service Providers have this information; you will need to call them.
Email Microsoft Support.
Multiple choice
Which plan combines Microsoft 365 E5 with Device as a Service (DaaS) and IT as a service? (Choose the
correct answer.)
Microsoft 365 E5
Microsoft 365 F1
Microsoft 365 Business
Microsoft Managed Desktop
Answers
Multiple choice
Which of the following Microsoft 365 subscription plans includes Microsoft Azure Active Directory Plan 2
for advanced identity and access management? (Choose the best answer.)
Microsoft 365 Business
Microsoft 365 E3
■■ Microsoft 365 E5
Checkbox
Which of the following actions can a Microsoft 365 administrator perform in the Microsoft 365 admin
center’s Subscriptions window? (Choose all that apply.)
■■ Add a partner of record to identify who sold you your Microsoft 365 subscription.
■■ Edit the subscription address.
■■ Cancel the subscription.
■■ Install software that is part of their Microsoft 365 subscription.
Checkbox
You have an issue with your Microsoft OneDrive for Business. If you’ve purchased a Microsoft 365
Business subscription directly from Microsoft, which support options are available to you? (Choose all
that apply.)
Cloud Service Provider Tier 1 support
■■ Microsoft 365 support forums
■■ O365 Assistant
Microsoft Premier Support Services
■■ Microsoft 365 service request
Multiple choice
What is the maximum number of licenses you can purchase under a Microsoft 365 Business subscription?
(Choose the correct answer.)
100
200
■■ 300
500
Checkbox
An educational facility is considering a Microsoft 365 Education subscription. Which people in the
institution can be assigned licenses through this subscription? (Choose all that apply.)
■■ Faculty
■■ Staff
■■ Students
Alumni
Multiple choice
You’re the Microsoft 365 subscription administrator at your organization. As of 10:00 AM this morning, no
one is able to connect their mailboxes to the Microsoft Exchange Online service. What should you do to
check the service status? (Choose the correct answer.)
■■ Navigate to Service health in the Microsoft 365 admin center.
Visit the Microsoft Office 365 online forum.
Visit the Microsoft Azure online forum.
Send an email to Microsoft support.
Multiple choice
Your organization is looking for a Microsoft 365 offering that is built specifically for firstline workers.
Which plan should you choose? (Choose the correct answer.)
Microsoft 365 Education
Microsoft 365 E3
Microsoft 365 E5
■■ Microsoft 365 F1
Microsoft 365 Business
Checkbox
Which of the following actions can a Microsoft 365 administrator perform with their subscription’s
licenses? (Choose all that apply.)
■■ Remove a license from a user to make it available to another user.
■■ Enable or disable functionalities within a license.
Allocate functionality of one license between two or more users.
■■ Purchase additional licenses.
Multiple choice
You want to review the statuses of your existing Microsoft 365 service requests. What’s the best way to
do that? (Choose the correct answer.)
■■ In the Microsoft 365 admin center, select View service requests under the Support blade.
Search the Microsoft 365 support forums using your service request numbers.
Only Tier 1 Cloud Service Providers have this information; you will need to call them.
Email Microsoft Support.
Multiple choice
Which plan combines Microsoft 365 E5 with Device as a Service (DaaS) and IT as a service? (Choose the
correct answer.)
Microsoft 365 E5
Microsoft 365 F1
Microsoft 365 Business
■■ Microsoft Managed Desktop