
MCT USE ONLY. STUDENT USE PROHIBITED

Microsoft Official Course

MS-900T01
Microsoft 365 Fundamentals
Contents

Module 0 Introduction, page 1
  Course introduction, page 1
Module 1 Cloud concepts, page 3
  Cloud computing overview, page 3
  Microsoft cloud services, page 17
  Migrating to cloud services, page 22
  Lab - Cloud Fundamentals, page 26
  Module Assessment, page 30
Module 2 Core Microsoft 365 services, page 41
  Microsoft 365 core services, page 41
  Microsoft on-premises services vs cloud services in Microsoft 365, page 57
  Unified endpoint management in Microsoft 365, page 65
  Collaboration in Microsoft 365, page 75
  Lab - Configuring Microsoft 365 tenant, page 78
  Module Assessment, page 81
Module 3 Security, compliance, privacy, and trust in Microsoft 365, page 89
  Organization security review, page 89
  Identity basics, page 95
  Device and data protection, page 104
  Compliance in Microsoft 365, page 114
  Lab - Implement security and compliance in Microsoft 365, page 120
  Module Assessment, page 123
Module 4 Microsoft 365 pricing and support, page 131
  Microsoft 365 subscriptions, licenses, and billing, page 131
  Support in Microsoft 365, page 138
  Lab - Managing subscriptions, licensing, and support in Microsoft 365, page 144
  Module Assessment, page 148
Module 0 Introduction

Course introduction
Welcome
Module 1 Cloud concepts

Cloud computing overview


Introduction
Cloud computing plays an increasingly important role in IT infrastructure, and as such, IT professionals
need to be aware of fundamental cloud principles and techniques. This lesson introduces the cloud and
describes considerations for implementing cloud-based infrastructure services.
After this lesson, you should be able to:
●● Describe what a cloud is.
●● Understand evolving IT operation models.
●● Understand business drivers for the cloud.
●● Explain how an organization can use the tools and services in Microsoft 365 to elevate all employees,
including firstline personnel and information workers, into a modern workforce.

What is cloud computing


Cloud computing is the delivery of computing services—servers, storage, databases, networking, software, analytics, intelligence and more—over the internet (“the cloud”). Instead of maintaining CPUs, random access memory (RAM), and storage in your datacenter, cloud computing enables you to rent these cloud-based computing services from a cloud service provider. When you choose to use the cloud, you shift certain responsibilities to the cloud service provider so that you can focus on other things—such as your business—and less on the underlying technologies. The cloud service provider maintains the underlying infrastructure, platforms, and services for you.

The goal of cloud computing is to make running a business easier and more efficient, whether it's a small
start-up company or a large enterprise. Every business is unique and has different needs. To meet those
needs, cloud computing providers offer a wide range of services. Some of the most common types
include:
●● Compute services. Enable you to run your own web apps, databases, virtual machines, and other types of computing in the cloud instead of on local hardware. An example of compute services is Microsoft Azure Virtual Machines.
●● Communications services. Provide communications between users. Examples of communication services include Microsoft Exchange Online and Microsoft Teams. Exchange Online provides email, calendar, and contact sharing, and Teams provides instant messaging, computer-to-computer audio and video calls, screen sharing, and an integrated platform for sharing of documents and collaboration.
●● Productivity services. Allow users to work and collaborate. An example of productivity services is Microsoft Office 365, which provides a comprehensive collaboration platform for the entire organization.
●● Search services. Provide search functionality for custom applications. In addition, they can provide a search engine and data storage that can be accessed through an API. An example of search services is Azure Search.
●● Storage services. Provide a storage platform for data. By storing data in the cloud, any user or device can access it. Examples of storage services are Microsoft Azure Storage and Microsoft OneDrive for Business.
Let’s look at what a cloud is, based on the concept of running some type of application in the cloud. Let’s
see what that means and what it involves.

Differentiating between various IT funding models


Cloud computing changes not only how and where a business uses computing systems, it also changes the funding model—the costs associated with computing. Why does cloud computing change the cost structure? It’s mainly the result of a shift from capital expenditure to operating expenditure:
●● Capital expenditures (CapEx) are the costs associated with buying or upgrading physical hardware, such as servers, networking equipment, and storage. They also include real estate such as buildings or datacenter space. Typically, the physical resources are amortized over several years. Instead of deducting the full cost of the equipment in the first year, you deduct a portion of it each year.
●● Operating expenditures (OpEx) are the costs that an organization incurs while performing its normal
business operations. This includes the electricity consumed, cost of employees to manage and
support systems, office space, and internet connections. Management is responsible for minimizing
OpEx without significantly affecting the organization’s operations and ability to compete in the
marketplace. OpEx is expensed each year because you pay for and use the product or service.
Now that you understand these different types of costs, let’s see how they relate to cloud computing and
traditional on-premises costs.

On-premises computing costs


In a traditional, on-premises datacenter, you will need to pay for the following items:
●● Server costs. This includes all hardware components and the cost of hardware support. When purchasing servers, make sure to design for fault tolerance and redundancy, such as server clustering, redundant power supplies, and uninterruptible power supplies. When a server needs to be replaced or added to a datacenter, you need to use CapEx to pay for the computer. This will affect your immediate cash flow because you have to pay for the server up front. Fortunately, however, you can amortize the cost over several years.
●● Storage costs. This includes all hardware components and the cost of hardware support. Based on the application and level of fault tolerance, centralized storage can be quite expensive. For larger organizations, you can create tiers of storage where more expensive fault-tolerant storage is used for critical applications and lower priorities use a less expensive form of storage. These storage costs are CapEx.
●● Network costs. This includes all hardware components, including cabling, switches, access points, and routers. This also includes wide area network (WAN) and internet connections. Network hardware expenses are CapEx.
●● Backup and archive costs. This is the cost to back up, copy, or archive data to the cloud or datacenter. Options might include backing up to or from the cloud. These costs are CapEx for hardware, but OpEx for backup maintenance and consumables such as tapes.
●● Business continuity and disaster recovery costs. Along with server fault tolerance and redundancy,
you need to plan for how to recover from a disaster and continue operating. Your plan should consist
of creating a data recovery site. It could also include backup generators. These are mostly CapEx
costs—especially if you build a DR site, but the infrastructure and personnel costs are OpEx.
●● Datacenter infrastructure costs. These are costs for electricity, floor space, cooling, and building
maintenance. The expense of running the server is an OpEx.

●● Technical personnel. Based on the technology used, you will need technical expertise and work force
to install, deploy, and manage the systems at the datacenter. The staffing expense to run the server is
an OpEx.

Cloud computing costs


With cloud computing, many of the costs associated with an on-premises datacenter are shifted to the cloud service provider. Instead of thinking about physical hardware and datacenter costs, cloud computing has a different set of costs. For accounting purposes, all these costs are OpEx:
●● Leasing a cloud-based server. If you lease a server or use the cloud, the cost is usually based on the pay-per-use model.
●● Leasing software and customized features. When you use the pay-per-use model, you have to actively manage your subscriptions. You must ensure that users do not misuse the cloud, while making sure that provisioned accounts are actually being used and not wasted. As soon as resources are provisioned by the provider, billing starts. It is the client’s responsibility to deprovision the resources when they are not in use, so that they can manage costs.
●● Scaled charges based on usage/demand instead of fixed hardware or capacity. Cloud computing can bill in various ways: on the number of users, or on CPU usage amounts. However, billing categories can also include allocated RAM, I/O operations per second (IOPS) units, and storage space. If you are connecting a datacenter to the cloud or connecting two clouds together, identify how much data needs to be transferred so that you can determine the bandwidth needed. Don’t forget to plan for backup traffic to or from the cloud, and replication between datacenters or the datacenter and the cloud for data recovery purposes.
●● Billing at the user or organization level. The subscription (or pay-per-use) model is a computing
billing method that is designed for both organizations and end-users. The organization or user is
billed for the services used, typically on a recurring basis. You can scale, customize, and provision
computing resources, including software, storage, and development platforms. For example, when
using a dedicated cloud service, you could pay based on server power and usage.

Cloud computing models


A cloud deployment model defines where your data is stored and how your customers interact with it. In
other words, how do they get to it, and where do the applications run? It also depends on how much of
your own infrastructure you want or need to manage.
Cloud computing is flexible and enables you to choose how you want to deploy it. The cloud deployment
model you choose depends on your budget and your security, scalability, and maintenance needs.

Public cloud
This is the most common deployment model. In the public cloud model, you have no local hardware to
manage or keep up-to-date—everything runs on your cloud service provider’s hardware. This means that
the information technology infrastructure (hardware, servers, software, and other infrastructure items) is
located somewhere other than your datacenter, and is managed by a third party.
There are two variants of a public cloud:
●● Shared public cloud is where many companies share common resources (such as email) within the
same cloud service provider’s environment. Each company is only aware of its own cloud services
account (also known as a tenant); only the cloud service provider who manages this multi-tenant
environment is aware of the different accounts running within the same cloud. This model works well
for smaller businesses who are looking to save additional costs, because sharing computing resources
with other cloud users is cheaper than reserving resources for a single account.
●● Dedicated public cloud is typically for enterprise organizations who require a dedicated physical infrastructure that is reserved for only their use. While the cost might be higher than that of the shared public cloud, the dedicated public cloud might offer better security, performance, and customization.

Private cloud
In a private cloud, you create a cloud environment in your own datacenter and provide self-service access
to compute resources to users in your organization. This model offers a simulation of a public cloud to
your users, but you remain entirely responsible for the purchase and maintenance of the hardware and
software services you provide.
Some reasons teams move away from the private cloud are:
●● You have to purchase the hardware for startup and maintenance.
●● Private clouds require IT skills and expertise that can be hard to find.

Hybrid cloud
A hybrid cloud combines public and private clouds, allowing you to run your applications in the most
appropriate location. For example, you could host a website in the public cloud, but link it to a highly
secure database hosted in your private cloud (or on-premises datacenter).
This is helpful when you have some things that cannot be put in the cloud. Example reasons might
include:
●● Sensitive data. You have data that cannot be exposed publicly (such as medical data).
●● Extend capabilities of on-premises systems. You have applications that run on old hardware and
can’t be updated. In this case, you keep the old system running locally, and connect it to the public
cloud for authorization or storage.
●● Reduce data protection costs. You want to implement public key infrastructure (PKI) and Information
Rights Management Services (RMS) infrastructure locally for data protection, but doing so would be
expensive. Instead, you can enable these features from the cloud, and they will protect both your
cloud and on-premises documents and data.
Some hybrid cloud concerns you'll need to watch out for are:
●● It can be more expensive than selecting just one (public or private) deployment model.
●● It can be more complicated to set up and manage.

Cloud deployment models


Now that we’ve introduced you to these different types of cloud computing models, watch the following
short video that compares these different models.

Cloud Computing Model Benefits


Let's do a quick activity to test your knowledge of cloud computing model benefits. Click on the button
below to open this review activity full screen.
LAUNCH ACTIVITY1

Types of Cloud Services


Cloud computing has three major categories. It's important to understand them because they are
referenced in conversation, documentation, and training.

Infrastructure as a service (IaaS)

IaaS is the most flexible category of cloud services. It aims to provide you with complete control over the
hardware that runs your application. However, instead of having to purchase hardware—such as servers,
switches, routers, storage area networks, and firewalls—with IaaS, you rent it.

Platform as a service (PaaS)

PaaS provides an environment for buying, building, testing, deploying, and running software applications.
The goal of PaaS is to help you create an application as quickly as possible without having to worry about
managing the underlying infrastructure. For example, when deploying a web application using PaaS, you
don't have to install an operating system, web server, or even system updates.

Software as a service (SaaS)

1 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_01_01_04_CloudComputingtutorial.html

SaaS is software that is centrally hosted and managed for the end customer. It is usually based on an
architecture where one version of the application is used for all customers, and runs on demand through
either remote desktop services or a web browser. The software is typically licensed through a monthly or
annual subscription.

Think about service categories as layers


One way to understand these categories is as layers on top of each other. For example, PaaS adds a layer
on top of IaaS by providing a level of abstraction. The abstraction has the benefit of hiding the details
that you might not care about so that you can get to coding quicker. However, one cost of that is that
you have less control over the underlying hardware. The following illustration shows a list of resources
that you manage and that your service provider manages in each of the cloud service categories.
Table: A comparison of what resources a cloud service provider manages between on-premises environments and various types of cloud services. "Provider" marks a layer the cloud service provider manages; "You" marks a layer you manage.

Layer              SaaS       PaaS       IaaS       On-Premises
Applications       Provider   You        You        You
Data               Provider   You        You        You
Runtime            Provider   Provider   You        You
Middleware         Provider   Provider   You        You
Operating system   Provider   Provider   You        You
Virtualization     Provider   Provider   Provider   You
Servers            Provider   Provider   Provider   You
Storage            Provider   Provider   Provider   You
Networking         Provider   Provider   Provider   You

Types of cloud services


Now that we've introduced you to these different types of cloud services, watch the following short video
that compares these different types of services.

Types of cloud services


Let's do a quick activity to test your knowledge of the types of cloud services. Click on the button below
to open this review activity full screen.
LAUNCH ACTIVITY2

2 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_01_01_05_TypesCloudServicestutorial.html

Cloud computing considerations


Privacy
When you depend on cloud service providers, you are relying on them to keep your data safe. This could be from loss, theft, or misuse by third parties, including other customers, employees of the hosting company, and even users within your own organization. As more and more customers are relying on cloud service providers to keep their data safe, cloud services raise unique privacy questions for businesses. This is because organizations have legal obligations to ensure the privacy of their employees, customers, and clients.
Laws prohibit some data from being used for a reason other than the purpose for which the data was originally collected. In addition, when you collect and store data in the cloud, you are subject to legal requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), just as if you were storing data on-premises. If you work with European companies or customers, you must also adhere to EU privacy laws.
So, what does this mean for a company considering adopting cloud computing? You need to ensure your
cloud service provider is helping safeguard privacy by:
●● Reading the cloud service provider’s privacy notices. These specify how data is accessed by users
and how it can be deleted or modified. In addition, you need to know where data is actually kept, how
data is backed up and how often, and where the backups are stored. In some instances, you might
have data that cannot leave the country or region that it is intended for, or cross the borders of other
countries or regions.
●● Considering how the cloud service provider handles disaster recovery and business continuity.
You must ensure that backups are being created on a regular basis, data is being replicated to another
site, and that the services are duplicated on another site.
●● Considering how the hosting company handles security breaches. Also, check the disclosure
policy to see how quickly they will disclose the breach to you. In addition, there are laws that require
you to be informed promptly of any breaches.

Compliance
Many organizations have regulations and policies that they must comply with to operate in various
industries. For example, companies working in the health industry have to follow HIPAA. These policies
can be quite complex based on the type of industry, geographical location of the organization, and
company-based policies. Further complicating matters is the fact that legal and regulatory bodies might
change the responsibilities of both the cloud-computing tenants and providers.
An organization that does not protect its data could be subject to a fine by one or more government or industry regulatory bodies. Some of these fines can be substantial, crippling a small or mid-sized business.
Laws or regulations typically specify who within an organization should be held responsible for data accuracy and security. For example, the Sarbanes–Oxley Act designates the Chief Financial Officer (CFO) and Chief Executive Officer (CEO) as having joint responsibility for the financial data, while the Gramm–Leach–Bliley Act specifies that the responsibility for security lies within the entire board of directors. These both are in contrast to the United States Federal Trade Commission (FTC), which requires a specific individual to be accountable for the information security program within a company.
All these regulations pertain to cloud computing. If you store any of your data in the cloud, you must ensure that your cloud service provider follows all legal and regulatory requirements. Remember, it’s still your responsibility to ensure these requirements are met, so do your due diligence before signing any contract. Then after the contract is signed, take steps to ensure that compliance is maintained to protect your company and your customers.

Data protection
When running services and storing data in the cloud, you should follow the standard best practices for security, just as you would on any on-premises network:
●● Always use strong passwords and ensure the passwords are changed regularly.
●● Always set rights and permissions for only what is needed, and review them on a regular basis. Because the data can include confidential information, you should also consider using encryption.
●● Perform regular auditing and monitoring.
When considering protection for data in the cloud, explore how to best protect your data both where it’s stored, and when it’s being used or transmitted:
●● For data that is at rest (sitting on a disk somewhere in the cloud), you should encrypt the disks or files on the disks. Office 365 Data Loss Protection and Azure Information Protection—both part of Microsoft 365—collectively offer end-to-end discovery, custom labeling, and automated protection of sensitive data, irrespective of when the data was created or where it is stored—even in PDFs and RMS-encrypted files.
●● When transmitting important data (data on the move) such as credit card or social security numbers, use HTTPS to encrypt the data.

Key business benefits of using cloud computing


Every business must decide how they want to store their data and execute their logic. Depending on your
business requirements, cloud computing may or may not be right for you.
Let's learn about some of the top benefits of cloud computing.

Cloud computing is cost effective


Cloud computing provides a pay-as-you-go pricing model. Rather than paying for hardware up front, or
for a predefined amount of computing resources, you rent hardware and pay for only the resources that
you use.
For example, a medium-sized organization is reaching the performance and storage limits of their old Microsoft Exchange 2007 and Microsoft SharePoint Server 2007 servers. Instead of incurring significant costs associated with purchasing new servers and additional hardware for storage—especially when planning for growth and purchasing larger amounts than the currently required capacity—they could obtain similar resources based on a cloud computing model. Doing so would enable their business to gain the benefits of the latest versions of Exchange and SharePoint immediately and without any up-front costs.

Cloud computing is scalable


Cloud computing supports both vertical and horizontal scaling:
●● Vertical scaling (also known as scale-up) is the process of adding resources to increase the power of
an existing server. Some examples of vertical scaling are adding a faster CPU, adding additional CPUs,
or adding more memory.
●● Horizontal scaling (also known as scale-out) is the process of adding more servers that function
together as one unit. For example, instead of having one server processing incoming requests, you
have two. In the context of cloud computing, scale-out is typically the more desirable scenario.

Cloud computing is elastic


As an organization’s workload changes from a spike or drop in demand, a cloud computing system can
compensate by automatically adding or removing resources.
For example, imagine your website is featured in a news article, which leads to a spike in traffic overnight. Because the cloud is elastic, it automatically allocates more computing resources to manage the increased traffic. When traffic begins to settle, the cloud notices it has too many resources allocated and begins to remove them, thereby saving you money.

Another example: if you are running an application used by employees, you can have the cloud automatically add resources for the core hours during which most people access the application, and then remove the resources at the end of the day.

Cloud computing is always current


When you use the cloud, you’re able to focus on what matters most—running your business. You don't have to divert resources for software patching, system configuration, upgrades, and other IT management tasks; all of this is done automatically for you, to ensure you're using the latest and greatest tools to run your business.
Additionally, the cloud service provider also maintains the computer hardware, and upgrades it as
necessary. For example, if a disk stops working or new hardware comes out, the cloud service provider is
responsible for replacing the disk or upgrading the hardware. This saves you from having to go through
the lengthy process of replacing your hardware and from bearing the cost of having up-to-date hardware
all the time.

Cloud computing is reliable


When you're running a business, you want to be confident your data is always going to be there. Cloud
computing providers offer data backup, disaster recovery, and data replication services to make sure your
data is always safe.

Empowering all employees


In the previous topic, you were introduced to several business benefits of using cloud computing. Here, we explore in more detail one of the ways that cloud computing in general and Microsoft 365 in particular are helping organizations empower all their employees—from executives, to information workers, to the firstline workers.
Why is empowering all of your employees so important? As organizations today undergo digital transformations, technology becomes a critical component of how people perform the vast majority of their work. The key is to create a modern workforce by providing employees with the processes and technology tools that enhance their productivity and promote the collaboration that is core to accelerating business.
This includes information workers and firstline workers.

Information workers. This includes those in office roles such as business, sales, accounting, engineering, administration, management, and design. These are the people who gather information and use technology tools to gain visibility into the state of the business, company products, and services. Information is their input, and with the right productivity tools in hand, they develop products, establish schedules, determine costs, and gain insight into the nature of the business.

Firstline workers. These include customer service, support and repair technicians, service professionals,
and more. These are the people who sit on the company’s “first line” and are commonly the first point of
contact for customers. Therefore they play a key role in representing a company’s brand by establishing
the best customer experience. These employees need the right productivity and collaboration tools to
empower them to do their best work. They also need to connect securely through any device wherever
they are, and use the most up-to-date software to keep information protected.
Microsoft 365 blends critical business tasks with technology solutions to meet the needs of modern
businesses and all sorts of busy professionals—firstline workers, information workers, and executives
alike. Microsoft 365 improves enterprise collaboration, provides a modernized system that is continually
updated, and increases productivity for your modern workforce, no matter where your employees are or
what devices they’re using.
You’ll learn more about Microsoft 365 in the next lesson.
For more information about solutions that Microsoft offers firstline workers, go to https://blogs.technet.microsoft.com/skypehybridguy/2018/01/04/firstline-worker-your-most-valuable-employees/.

Microsoft cloud services


Introduction
In the previous lesson, you were introduced to some basic cloud computing concepts. You’re now ready
to learn about Microsoft-specific cloud offerings, Microsoft 365 in particular. In this lesson, you’ll be
introduced to Microsoft Azure and Microsoft 365. You’ll then compare Microsoft 365 with Office 365 to
better understand when a business would adopt one or the other. You’ll also review alternative third-party cloud offerings and see what value Microsoft 365 subscriptions deliver compared to other subscriptions.
After this lesson, you should be able to:
●● Explain what Microsoft Azure is.
●● List the primary products and services that are included in a Microsoft 365 subscription.
●● Determine when a business would want a Microsoft 365 subscription versus an Office 365 subscription.

What is Microsoft Azure


Microsoft Azure is a cloud-computing platform used for building, deploying, and managing applications
and services through a global network of Microsoft-managed datacenters. Access to both infrastructure
and services on Azure enables you to quickly deliver new and innovative features to your users. Projects
that once took months can now often be completed in weeks or days.

What is Azure?
Watch the following short video that gives you a conceptual understanding of what Azure is and how it
works.

As you’ve just seen in the video, Azure delivers the power of the cloud; you just need to know how to
harness it. In fact, it contains more than 100 services, including:
●● Azure Active Directory (Azure AD or AAD). Provides identity management and access control capabilities for your cloud applications. It can be synchronized with the on-premises domain controllers. You can also enable Single Sign On (SSO) to simplify user access to cloud applications and to support conditional access.
●● Azure Information Protection. Protects confidential or sensitive information by using encryption,
identity, and authorization policies.
●● Backup. Allows you to back up to and restore from the cloud using familiar tools in Windows 2016,
Windows Server 2012/Windows Server 2012 R2, or Microsoft System Center 2012 R2/2016 Data
Protection Manager.

●● Content Delivery Network. Allows you to deliver high-bandwidth content to users around the world
with low latency and high availability via a robust network of global datacenters.
●● Key Vault. Offers an easy, cost-effective way to safeguard keys and other secrets in the cloud using
hardware security modules (HSMs).
●● Machine Learning. Allows you to easily design, test, operationalize and manage predictive analytics
solutions in the cloud.
●● Media Services. Offers cloud-based media solutions from several existing technologies, including
ingest, encoding, format conversion, content protection, and both on-demand and live-streaming
capabilities.
●● Mobile Services. Provides a scalable cloud backend for building Microsoft Store, Windows Phone,
Apple iOS, Android, and HTML/JavaScript applications. It can be used to store data in the cloud,
authenticate users, or send push notifications to your application within minutes.
●● Multi-Factor Authentication. By having more than one method of authentication, you can help
prevent unauthorized access to both on-premises and cloud applications.
●● Stream Analytics. Provides an event-processing engine that helps uncover insights from devices,
sensors, cloud infrastructure, and existing data properties in real time.
●● Virtual Machines. Enables you to deploy a Windows Server or Linux image in the cloud.
●● Virtual Network. Enables you to create virtual private networks within Azure, and then securely link
those networks with an on-premises network.
For more information about all the products Azure has to offer, go to https://azure.microsoft.com/en-in/services/.

Microsoft 365 as a cloud service


A complete, intelligent cloud-based solution, Microsoft 365 is a pay-as-you-go SaaS offering that
includes Office 365, Windows 10, and Microsoft Enterprise Mobility + Security. By combining all these
features into a single subscription model, customers can:
●● Use all the familiar productivity tools available in Office 365.
●● Collaborate using Teams, and Skype for Business Online.
●● Help increase security and compliance, by:
   ●● Managing mobile device security with Microsoft Intune and Azure AD.
   ●● Providing users with the most productive and secure version of Windows (Windows 10 Enterprise).
   ●● Providing IT professionals with comprehensive deployment, device, and app management capabilities.
   ●● Enforcing data policy with Windows Information Protection.
   ●● Detecting and monitoring sensitive data with Office 365 data loss prevention.
   ●● Simplifying and automating data classification with Azure Information Protection.
   ●● Automating threat protection with Windows Defender Advanced Threat Protection.
   ●● Protecting email from phishing attacks with Office 365 Advanced Threat Protection.

Key differences between Microsoft 365 and Office 365


You likely already know all about Office 365 and how it bundles key Microsoft productivity tools into an
SaaS model. By bundling these tools, Office 365 helps employees be productive from wherever they work
and helps ensure that they have the latest versions of their familiar Office tools. However, Microsoft 365
as a concept and a service might not be so familiar.
As previously discussed, Microsoft 365 includes Office 365. However, it also includes Windows 10 Enterprise, and a complete set of security and compliance features provided as services. By bringing together
Office 365, Windows as a service, and Enterprise Mobility + Security, Microsoft 365 addresses the needs
of many organizations who want to maximize their adoption of the cloud for productivity, but also for
enterprise-grade security and desktop operating system management.

Alternative cloud solutions


In addition to Microsoft, Amazon and Google also offer cloud services, respectively known as Amazon
Web Services (AWS) and Google Cloud.

What AWS and Google Cloud have in common with Microsoft cloud services


Similar to Azure, AWS and Google Cloud offer scalable computing on demand for cloud-based compute
power. The differences are in the pricing models and exactly what services are supported. A popular
function of a cloud service is data storage. Both AWS and Google Cloud offer a variety of plans to
accommodate hot storage of data (data that needs to be frequently accessed with minimal lag), and cold,
(or archival) storage of data (such as BLOBs) that lower costs by reducing access speeds to your archival
material.
Each cloud service provider also includes analytics tools, but the particular types of supported technologies and programming models vary. Similarly, the development tools used to build, deploy, and manage
apps and services in each provider’s cloud environment differ between providers.
Finally, all cloud providers provide some aspect of networking and content delivery, management tools to
maintain accounts, and security features to protect customer data. However, as with the other aspects of
a cloud solution, the types of tools, the level of control they offer, and their relative ease of use vary
significantly between providers.

Choosing the best fit for your business


Every business is different; there is no single cloud environment that is the best choice for all. When determining which cloud service provider to use, each organization should review the following questions:
●● What development and management tools and operating systems are we using, and which do we
want to continue to leverage?
●● What productivity solutions are employees using, and do we stay with the same technologies, or
require a new learning curve to adopt different tools?
●● What’s the scale of our on-premises infrastructure, and what’s the strategy to use it in conjunction
with the cloud? Will we migrate everything to the cloud? Or are there on-premises-based systems
such as line-of-business environments that need to stay on-premises but also extend to the cloud?
●● How important is compliance and privacy to our cloud-based operations? What tools and offerings
does a cloud service provider offer, and for what regions, countries, and regulatory agencies?

●● How widespread is our workforce? Which cloud environment offers the largest number of regional
datacenters to maximize cloud computing performance to our firstline employees?
Every cloud computing solution has its own strengths. Organizations should carefully review what is most
important to their cloud strategy and investigate each service provider to determine the best fit.
The Microsoft cloud offering can be an excellent solution for companies with any of the following
requirements:
●● Extract more value from existing investment in Microsoft technologies. If you have already
invested in Microsoft technologies, you can easily extend their capabilities and provide a consistent
experience across your entire technology stack. You can establish a hybrid coexistence that natively
integrates your on-premises Microsoft-based infrastructure with the cloud. This includes native
integration with Active Directory, and building and deploying apps for both cloud and on-premises
environments.

●● Work with end-to-end development and management tools. Azure offers unparalleled manageability with all-in-one dashboards to monitor, manage, and protect your cloud resources. Microsoft also caters to all types of developers by supporting the most popular development environments. In fact, Microsoft is the only cloud service provider with integrated support for Red Hat, and also had the most contributions to GitHub in 2017.

●● Access a comprehensive set of compliance offerings. For organizations that are concerned about
compliance and security in the cloud, Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-US Privacy
Shield and EU Model Clauses.
●● Increase productivity and security while reducing IT overhead. For smaller companies who want
the benefit of always having the latest and greatest version of Microsoft productivity tools without
needing an IT department to manage updates, Microsoft 365 combines familiar productivity tools
with enhanced security and management features to enable a modern workforce from the cloud.
●● Leverage a global footprint. For global enterprises that need to ensure their cloud services provider can deliver the scale and performance to regional locations, Microsoft has 54 regions spanning 140 countries—the most global regions of any cloud provider—to help bring applications closer to users around the world.

For more information, go to the following resources:


●● Establishing a hybrid coexistence that natively integrates your on-premises Microsoft-based infrastructure with the cloud: https://azure.microsoft.com/en-in/solutions/hybrid-cloud-app/
●● Microsoft compliance with EU-US Privacy Shield: https://privacy.microsoft.com/Privacy
●● Microsoft compliance with EU Model Clauses: https://www.microsoft.com/trustcenter/Compliance/EU-Model-Clauses
●● Microsoft Azure world-wide regions: https://azure.microsoft.com/en-in/global-infrastructure/

Migrating to cloud services


Introduction
When you move to the cloud, you need to decide which service model you want to implement (SaaS,
PaaS, or IaaS). You will also need to determine which type of implementation you want to use: purely
cloud-based, or working in tandem with some on-premises systems. In this lesson, we’ll discuss how
companies can work purely in the cloud, or connect existing on-premises systems to the cloud to extend
the value of their legacy infrastructure. You will see how these two different service models require
different approaches to migration, and then you’ll review a few scenarios that demonstrate when a
business might opt for one type of migration over the other. Finally, we’ll review some considerations for
how an organization approaches migrating systems with older versions of Windows, Windows Server, and
Office to Microsoft 365.
After this lesson, you should be able to:
●● Describe what a cloud-only model is, and provide some scenarios for when this type of migration is
best for an organization.
●● Describe what a hybrid model is, and provide some scenarios for when this type of migration is best
for an organization.
●● Recommend when it might be preferable for an organization to move systems with older operating
systems and Microsoft Office directly to Microsoft 365 instead of upgrading to on-premises-based
solutions.

The Cloud-only model


The cloud-only model describes a situation where the service (or services) model you want to use (SaaS, PaaS, or IaaS) is strictly run in the cloud; there isn’t any connection to existing on-premises-based systems. One of the advantages of using the cloud-only model is that an organization doesn’t have to concern itself with the infrastructure that the services run on; all the backend functionality is invisible (or a black box) to the users.
For smaller companies such as startups or non-profits that don’t have the in-house resources and capital
outlay to purchase and maintain their own infrastructure, the cloud-only model can be a good choice.
Note, however, that a cloud-only model will limit the amount of customization that’s available, as users
have no access to the cloud-based servers.

The Hybrid cloud model


What if your company is large, and has invested heavily in on-premises hardware, line-of-business
systems, custom apps, and so on? Does all of this have to be abandoned to gain the benefits that cloud
computing offers? Certainly not.
A hybrid cloud migration is a solution that fits most larger organizations, because it allows you to keep
critical resources on-premises. Many enterprises embrace this model because it connects on-premises
systems to the cloud, effectively making the new cloud services an extension of the company’s on-premises infrastructure. By doing so, the enterprise can continue to extract value from its legacy systems while
using the cloud to extend capabilities or features (such as mobility and productivity) that might not have
been available in the standalone on-premises systems.

Which cloud model should business environments choose


When companies consider cloud solutions, they usually focus on three categories:
●● Cost
●● Security/reliability and compliance
●● Functionality
However, these three categories are not of equal importance for all companies. While some smaller
companies might favor lower costs and functionalities, some larger, more complex environments might
have security and compliance as their top priority.
In terms of an organization’s operational activities, timing can also be a key factor. Consider the following
circumstances:
●● Recent investment in hardware. A medium-sized company made a significant investment in new hardware for their on-premises datacenter one year ago. Given this recent expense, they most likely would not be interested in any major shift to the cloud for at least a year or two. Companies in a similar situation will likely opt for a limited hybrid cloud model that focuses on providing functionalities they lack in their local datacenter.
●● Outdated hardware and systems. In contrast to the previous example, a company that is considering a local datacenter renewal versus cloud solutions as replacement can have a very different perspective. If they have old hardware and unsupported versions of software running in their datacenter, they will be more likely to consider moving to the cloud. Moreover, if security and compliance requirements are fulfilled with the cloud offering they are considering, the relative cost and the type of cost model (OpEx vs. CapEx) will probably be the deciding factors.
●● Limited in-house IT resources. A significant factor when considering transitioning to cloud-based
solutions is the size and skillset of the organization’s IT department. A company that has very limited
local IT resources will most likely adopt cloud services faster. Some companies with larger IT organizations might consider the cloud as a way to reduce the number of their local IT personnel. Although a
personnel reduction mindset might not be the best reason to move to the cloud, freeing those IT
resources from having to perform datacenter maintenance tasks can enable them to focus on more
strategic functions—which in turn adds value to the business.
●● Limited budget. Cloud-only companies are still rare. Those who can most readily transition to the
cloud are typically smaller companies, startups, and nonprofits without any funds available to invest in
hardware beyond employee laptops or desktops. However, this same financial constraint can give
these companies an advantage for the future: if they succeed in their business, most will probably stay
with a cloud-only model and can therefore avoid any CapEx for their IT on an ongoing basis.

Migration principles to Microsoft 365 services


In the previous topic, we reviewed how companies have the option to work solely in the cloud, or to
connect existing on-premises systems to the cloud to extend the value of their legacy infrastructure.
These two different service models require different approaches to migration.
For example, if a smaller company has been using a free, web-based mail service and decides to change
to the more productive and secure email that Microsoft 365 provides, implementation would entail
migrating all the users’ email accounts from the free online service to Exchange Online in Microsoft 365.
Once that migration is complete, users access their old email and inboxes through Outlook, and the data
is stored in Exchange Online; there is nothing left in the old system to use. We use the term migration in
this context to emphasize how everything is moved (or migrated) from the old to the new with the intent
of deprecating the old system once the migration is complete.
If, however, a company wants to establish a hybrid environment where their new Microsoft 365 subscription will extend their existing Exchange servers, then a coexistence is established, linking the on-premises Active Directory and Exchange Server to their online Azure Active Directory and Exchange Online counterparts. We use the term coexistence in this situation to emphasize how two different systems—one
on-premises, and the other in the cloud—connect and work together in an ongoing fashion as a single
service (such as email).

Migration considerations
It’s common in both large and small organizations to still be running some older versions of server and
computer operating systems, and Microsoft Office programs. To maximize the business value of the
Microsoft 365 integrated suite of products, begin planning and implementing a strategy to migrate:
●● The Office client installed on your computers to Office 365 ProPlus:
   ●● Office 2013 and 2016 are the currently supported versions, but will require ongoing updates that might not scale well with your organization. Instead of maintaining and updating computers with these standalone products, consider updating and assigning Microsoft 365 licenses.
   ●● Office 2010 will no longer be supported in 2020. Instead of upgrading to Office 2013 or 2016, which require manual updates, consider providing Microsoft 365 licenses for these users.
   ●● Office 2007 is no longer supported. Rather than upgrading your computers running Office 2007 with Office 2010, Office 2013, or Office 2016, consider obtaining and assigning Microsoft 365 licenses for your users.
●● Office servers installed on your servers to their equivalent services in Office 365:
   ●● Office Server 2013 and Office Server 2016 products such as Exchange Server and SharePoint Server are supported, but to take advantage of the cloud-based service and enhancements to digitally transform your business, consider migrating the data on your Office 2016 servers to Office 365. When there is no longer a need for the on-premises servers running Office 2016 server products, you can decommission them.
   ●● Some Office Server 2010 products have a specified end-of-support date. Rather than upgrading your server products in the Office 2013 release with server products in the Office 2016 release, consider migrating their data to Office 365, rolling out the new functionality and work processes to your users, and decommissioning your on-premises servers running Exchange Server 2013 and SharePoint Server 2013 when you no longer need them.
   ●● Office Server 2007 products are no longer supported. Instead of upgrading your server products in the Office 2007 release with server products in the Office 2010, Office 2013, or Office 2016 releases, consider migrating the data on your Office 2007 servers to Office 365. To help with this, hire a Microsoft partner. You can then roll out the new functionality and work processes to your users, and then decommission the on-premises servers running Office 2007 server products when you no longer need them.
●● Windows 7 and Windows 8.1 on your devices to Windows 10 Enterprise:
   ●● To migrate your devices running Windows 7 or Windows 8.1, you can perform an in-place upgrade to Windows 10.
Accomplishing all of these migrations over time brings your organization closer to the modern workplace: a secure and integrated environment that unlocks teamwork and creativity in your organization through Microsoft 365.

For more information about migrating to Microsoft 365, go to https://docs.microsoft.com/en-us/microsoft-365/enterprise/migration-microsoft-365-enterprise-workload.

Lab - Cloud Fundamentals


Lab Introduction
This lab is comprised of a set of scenarios. Using the knowledge you’ve gained in Module 1, review each scenario to identify the customer’s requirements, and select which combination of cloud service (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)), type of cloud (public, private, or hybrid), and migration (cloud-only or coexistence) best fits their needs.

Scenario 1
Company profile: Northwind Traders
Northwind Traders is a three-generation, family-owned import/export company.

Challenge
The company’s growth over the past several years and their employee demands for better collaboration
tools to connect remote offices around the Pacific Rim are outpacing the company’s small IT team.
The IT lead is spending all her time trying to keep their outdated business systems running. She wants to
be able to upgrade the company’s old Microsoft SharePoint Server 2007, which has run out of space.
However, the IT budget is tight, and there would need to be a large up-front investment in new servers,
server licenses, storage, and more. Employee machines are running a mix of Windows 7, 8, and 10 operating systems, and old versions of Microsoft Office—all with no centralized management of updates.
Furthermore, the proliferation of mobile devices that are frequently connecting to the company’s network
is making her concerned about the potential of an unhealthy device infecting their corporate systems.
Moreover, they’ve been using a free web-based email system that isn’t delivering the business-class services they need. They want to move completely away from this insecure mail and adopt a business-class mail system without having to pay huge up-front licensing and hardware costs.

What’s your recommendation?


How can Microsoft 365 address this company’s needs?

Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
†† SaaS

Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
†† Hybrid

Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
†† Co-existence

Scenario 2
Company profile: Contoso, Ltd.
Contoso is a large manufacturing corporation with almost 60,000 employees throughout North America.

Challenge
Like many large enterprises, Contoso has developed customized on-premises-based line-of-business apps for many critical processes. These apps help them with their manufacturing processes, both upstream from materials suppliers, and downstream to order processing and customer billing.
Many of these systems are old and inflexible, and the IT organization within Contoso is looking for a way to use the cloud to extend these apps’ capabilities, empowering remote workers, suppliers, and customers to more easily identify requirements, confirm production, and fill orders.

What’s your recommendation?


How can Microsoft 365 address this company’s needs?

Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
†† SaaS

Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
†† Hybrid

Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
†† Co-existence

Scenario 3
Company profile: First Up Consultants
First Up Consultants is a medium-sized consulting firm that builds customized applications for medical
businesses.

Challenge
First Up Consultants wants to be able to rapidly spin up virtual machines (VMs) to test new versions of
their software products. This historically has resulted in major CapEx costs associated with new high-end
servers and storage hardware, along with a significant amount of administrative overhead to plan for and
implement all the hardware updates in the company’s datacenter.
The biggest problem has always been one of accurate forecasting, because they either purchase too
much capacity that goes unused—wasting CapEx resources, or they run out of capacity too soon. They
want to significantly reduce their CapEx, in addition to reducing the administrative overhead associated
with each new wave of hardware. The solution First Up Consultants selects must support any type of
environment customization to suit their development needs—and enable them to reduce charges
whenever a system isn’t needed.

What’s your recommendation?


How can Microsoft 365 address this company’s needs? What type of cloud service (IaaS, PaaS, or SaaS),
cloud (public, private, or hybrid), and migration (cloud-only or coexistence) would you recommend, and
why?

Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
†† SaaS

Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
†† Hybrid

Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
†† Co-existence

Module Assessment
Questions
Checkbox
Which of the following costs are considered capital expenditures (CapEx)? (Choose all that apply.)
†† Electricity consumed in a datacenter
†† Administrator’s time for managing accounts
†† Physical servers
†† Networking hardware

Checkbox
What types of services does Microsoft Azure offer? (Choose all that apply.)
†† Directory services
†† Backup
†† Streaming media services
†† Virtual machines

Multiple choice
Your company is running Microsoft Exchange Server 2007 and your employees use Microsoft Office 2007.
You need to update your systems, but you want to minimize your CapEx impact. Which of the following is
the best solution? (Choose the best answer.)
†† Purchase Exchange Server 2016 and Office 2016.
†† Purchase Exchange Server 2010 and Office 2010.
†† Subscribe to Microsoft 365.

Multiple choice
You want a cloud subscription model that is the least expensive way to access services that are strictly
hosted by a cloud service provider. Which cloud model describes this? (Choose the correct answer.)
†† Shared public cloud
†† Dedicated public cloud
†† Hybrid cloud

Multiple choice
Your company is running your on-premises Exchange Servers at capacity. If you want to obtain a Microsoft
365 subscription to extend your existing servers with Exchange Online-based mail, what type of migration
model would you follow? (Choose the correct answer.)
†† Establish a cloud-only environment where you fully migrate from on-premises to cloud.
†† Establish an on-premises-only environment where you fully migrate from the cloud to on-premises.
†† Establish a hybrid environment where you establish coexistence between on-premises and the cloud.

Checkbox
Which of the following are components that are included with Microsoft 365? (Choose all that apply.)
†† Microsoft Office 365
†† Office 2016
†† Windows 10 Pro
†† Windows 10 Enterprise
†† Enterprise Mobility + Security

Multiple choice
You want to leverage the cloud to host virtual machines (VMs). Which type of cloud service is this? (Choose
the correct answer.)
†† Infrastructure as a Service (IaaS)
†† Platform as a Service (PaaS)
†† Software as a Service (SaaS)

Multiple choice
Which type of cloud service would have the cloud service provider managing apps as a service? (Choose the
correct answer.)
†† IaaS
†† PaaS
†† SaaS

Checkbox
You’re exploring which cloud service to subscribe to. Which of the following are reasons to select Microsoft
365? (Choose all that apply.)
†† You want to extract more value from your existing investment in Microsoft technologies.
†† You want to be able to work with the most popular development environments, including Red Hat.
†† You want access to a comprehensive set of compliance offerings.
†† You want to maximize CapEx and minimize Operating Expenditures (OpEx).

Checkbox
Which of the following situations would be best served by utilizing a hybrid cloud? (Choose all that apply.)
†† You have sensitive data that can’t be exposed publicly (such as medical information).
†† You want to reduce your CapEx costs by eliminating all your on-premises systems.
†† You want to extend the capabilities of your on-premises systems.
†† You want to reduce your data protection costs.

Checkbox
Which of the following do Amazon Web Services (AWS) and Google Cloud offer in common with Microsoft
cloud services? (Choose all that apply.)
†† Cloud-based compute power
†† Native integration with Active Directory
†† Hot and cold cloud-based data storage
†† Office 365 productivity tools

Multiple choice
Which type of cloud service provides an environment for buying, building, testing, deploying, and running software applications? (Choose the correct answer.)
†† Infrastructure as a Service (IaaS)
†† Platform as a Service (PaaS)
†† Software as a Service (SaaS)

Checkbox
In which circumstances would a cloud-only migration model be a good choice? (Choose all that apply.)
†† You have a large investment in on-premises infrastructure that you want to continue to leverage.
†† You’re a smaller company with minimal in-house technical resources.
†† You want to completely move away from your existing on-premises systems.

Checkbox
Which of the following regulations apply to cloud computing? (Choose all that apply.)
†† Endangered Species Act
†† Health Insurance Portability and Accountability Act (HIPAA)
†† Sarbanes–Oxley Act
†† Gramm–Leach–Bliley Act (GLBA)

Checkbox
Which of the following are considered cost benefits of cloud computing? (Choose all that apply.)
†† You shift the costs associated with the datacenter to the cloud service provider.
†† Cloud computing’s pay-per-use model guarantees costs savings, because accounts are never wasted.
†† If you actively manage your subscription, you can save money by deprovisioning unneeded resources
to stop being charged for it.

Answers
Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
■■ SaaS
Explanation
SaaS. The company can subscribe to Microsoft 365 to give every employee access to the latest version of
Office productivity tools—including Microsoft Teams, and Skype for Business. These tools, along with
Microsoft SharePoint Online, will significantly improve how the remote offices collaborate with each other.
Office and Windows management will be streamlined by upgrading everyone to the latest versions, and
then utilizing Microsoft 365’s management tools to manage all devices—including mobile devices.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
†† Private
†† Hybrid
Explanation
Public cloud. Pricing is paramount, so the Operating Expenditures (OpEx)–oriented public cloud is optimal
for this company.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
†† Co-existence
Explanation
Cloud-only migration model. Because the current mail is a free, web-based service that they’ll gladly
move off in favor of Microsoft Exchange Online, there is no need for coexistence with it. Similarly, moving
their files from their outdated SharePoint Server 2007 to the cloud will enable them to decommission their
old machines.
Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
■■ PaaS
†† SaaS
Explanation
PaaS. Because PaaS supports building, testing, and deploying software applications that will connect to
their legacy line-of-business systems, this would be the best choice. Different apps can be purpose-built for
the various roles (such as sales, suppliers, and fulfilment), with each app providing the appropriate access
into the line-of-business systems, securely, and from any mobile device.

Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
■■ Hybrid
Explanation
Hybrid cloud. This type of cloud is preferred for Contoso, as it enables the new web apps in the cloud to
connect to their on-premises line-of-business systems.
Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
■■ Co-existence
Explanation
Coexistence migration model. Although coexistence is more complicated to establish, this type of model
is critical for Contoso because it maintains their investment in their existing line-of-business systems, and
uses their new cloud environment as an extension to their on-premises infrastructure.
Dropdown
What type of cloud service do you recommend? (Choose one)
■■ IaaS
†† PaaS
†† SaaS
Explanation
IaaS. This model is perfect for First Up Consultants, because it allows them to host all the VMs that they
need to test with. IaaS gives them control over the hardware that runs their applications, so they can utilize
them only when they’re needed. When they don’t need to run the VMs, they can place them in cheaper
cloud-based storage to reduce compute fees.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
†† Private
†† Hybrid
Explanation
Public cloud. Because First Up Consultants wants to significantly reduce their hardware costs and
minimize the amount of time their administrators spend configuring new hardware, a public cloud gives
them a platform for their VMs while relieving them of the associated hardware and administrative costs.

Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
†† Co-existence
Explanation
Cloud-only migration model. First Up Consultants could migrate any existing on-premises VMs and
other systems to the cloud, then deprecate those machines to free up space and reduce their operational
costs.
Checkbox
Which of the following costs are considered capital expenditures (CapEx)? (Choose all that apply.)
†† Electricity consumed in a datacenter
†† Administrator’s time for managing accounts
■■ Physical servers
■■ Networking hardware
 
Checkbox
What types of services does Microsoft Azure offer? (Choose all that apply.)
■■ Directory services
■■ Backup
■■ Streaming media services
■■ Virtual machines
 
Multiple choice
Your company is running Microsoft Exchange Server 2007 and your employees use Microsoft Office 2007.
You need to update your systems, but you want to minimize your CapEx impact. Which of the following is
the best solution? (Choose the best answer.)
†† Purchase Exchange Server 2016 and Office 2016.
†† Purchase Exchange Server 2010 and Office 2010.
■■ Subscribe to Microsoft 365.
 
Multiple choice
You want a cloud subscription model that is the least expensive way to access services that are strictly
hosted by a cloud service provider. Which cloud model describes this? (Choose the correct answer.)
■■ Shared public cloud
†† Dedicated public cloud
†† Hybrid cloud
 

Multiple choice
Your company is running your on-premises Exchange Servers at capacity. If you want to obtain a
Microsoft 365 subscription to extend your existing servers with Exchange Online-based mail, what type of
migration model would you follow? (Choose the correct answer.)
†† Establish a cloud-only environment where you fully migrate from on-premises to cloud.
†† Establish an on-premises-only environment where you fully migrate from the cloud to on-premises.
■■ Establish a hybrid environment where you establish coexistence between on-premises and the cloud.
 
Checkbox
Which of the following are components that are included with Microsoft 365? (Choose all that apply.)
■■ Microsoft Office 365
†† Office 2016
†† Windows 10 Pro
■■ Windows 10 Enterprise
■■ Enterprise Mobility + Security
 
Multiple choice
You want to leverage the cloud to host virtual machines (VMs). Which type of cloud service is this?
(Choose the correct answer.)
■■ Infrastructure as a Service (IaaS)
†† Platform as a Service (PaaS)
†† Software as a Service (SaaS)
 
Multiple choice
Which type of cloud service would have the cloud service provider managing apps as a service? (Choose
the correct answer.)
†† IaaS
†† PaaS
■■ SaaS
 

Checkbox
You’re exploring which cloud service to subscribe to. Which of the following are reasons to select
Microsoft 365? (Choose all that apply.)
■■ You want to extract more value from your existing investment in Microsoft technologies.
■■ You want to be able to work with the most popular development environments, including Red Hat.
■■ You want access to a comprehensive set of compliance offerings.
†† You want to maximize CapEx and minimize Operating Expenditures (OpEx).
 
Checkbox
Which of the following situations would be best served by utilizing a hybrid cloud? (Choose all that
apply.)
■■ You have sensitive data that can’t be exposed publicly (such as medical information).
†† You want to reduce your CapEx costs by eliminating all your on-premises systems.
■■ You want to extend the capabilities of your on-premises systems.
■■ You want to reduce your data protection costs.
 
Checkbox
Which of the following do Amazon Web Services (AWS) and Google Cloud offer in common with
Microsoft cloud services? (Choose all that apply.)
■■ Cloud-based compute power
†† Native integration with Active Directory
†† Hot and cold cloud-based data storage
■■ Office 365 productivity tools
 
Multiple choice
Which type of cloud service provides an environment for buying, building, testing, deploying, and
running software applications? (Choose the correct answer.)
†† Infrastructure as a Service (IaaS)
■■ Platform as a Service (PaaS)
†† Software as a Service (SaaS)
 
Checkbox
In which circumstances would a cloud-only migration model be a good choice? (Choose all that apply.)
†† You have a large investment in on-premises infrastructure that you want to continue to leverage.
■■ You’re a smaller company with minimal in-house technical resources.
■■ You want to completely move away from your existing on-premises systems.
 

Checkbox
Which of the following regulations apply to cloud computing? (Choose all that apply.)
†† Endangered Species Act
■■ Health Insurance Portability and Accountability Act (HIPAA)
■■ Sarbanes–Oxley Act
■■ Gramm–Leach–Bliley Act (GLBA)
 
Checkbox
Which of the following are considered cost benefits of cloud computing? (Choose all that apply.)
■■ You shift the costs associated with the datacenter to the cloud service provider.
†† Cloud computing’s pay-per-use model guarantees costs savings, because accounts are never wasted.
■■ If you actively manage your subscription, you can save money by deprovisioning unneeded resources
to stop being charged for it.
 
Module 2 Core Microsoft 365 services

Microsoft 365 core services


Introduction
Microsoft 365 provides a number of core services, which this lesson introduces and describes.
After this lesson, you should be able to:
●● Identify the important features of Windows 10 Enterprise.
●● Describe Microsoft Exchange Online.
●● Describe Microsoft SharePoint Online.
●● Describe Microsoft Teams.
●● Describe Skype for Business Online.
●● Identify the additional services in Microsoft 365.
●● Describe Microsoft Intune.
●● Describe Microsoft Office 365 ProPlus.
●● Explain security services in Microsoft 365.
●● Explain analytic services in Microsoft 365.
●● Manage the Microsoft 365 platform and services.

What is Windows 10 Enterprise


Although Microsoft 365 includes Windows 10 Enterprise, it’s important to be able to compare Windows
10 Enterprise with other editions of the Windows 10 operating system. These other editions help to
address the needs of consumers ranging from individuals to large enterprises.

Windows 10 Home
Windows 10 Home is the consumer-oriented desktop edition of Windows 10. It offers the familiar
Windows operating system experience for PCs, tablets, and the popular hybrid laptop/tablets, such as the
Microsoft Surface Pro. Windows 10 Home includes several features:
●● Cortana
●● Microsoft Edge
●● Continuum tablet mode for touch-capable devices
●● Windows Hello
●● Virtual desktops
●● Photos, Maps, Mail, Calendar, Music and Video, and other built-in universal Windows apps
●● New updates and features received automatically

Windows 10 Pro
Windows 10 Pro builds on the features of Windows 10 Home, with many extra features to meet the needs
of small and medium-sized businesses. Windows 10 Pro is also suitable for advanced consumers who are
looking for features such as BitLocker Drive Encryption and virtualization.
Windows 10 Pro provides the following additional features:
●● Windows Update for Business
●● Domain join and centralized management with Group Policy
●● BitLocker
●● Enterprise mode in Microsoft Internet Explorer
●● Client Hyper-V
●● Microsoft Azure Active Directory Join
●● Microsoft Store for Business
●● Enterprise data protection

Windows 10 Enterprise
Windows 10 Enterprise builds on the features of Windows 10 Pro, with additional features that meet the
needs of large enterprises. Windows 10 Enterprise is available to Microsoft Volume Licensing customers
only. Organizations can choose the pace at which they adopt new technology, including the option to use
the new Windows Update for Business. Windows 10 Enterprise also gives customers access to the
Long-Term Servicing Channel as a special deployment option for their mission-critical devices and
environments.
Windows 10 Enterprise includes additional security features—Windows Defender Credential Guard and
Windows Defender Device Guard—to protect against security threats. It also supports a broad range of
options for operating system deployment, and device and app management. Windows 10 Enterprise
provides the following additional features compared with Windows 10 Pro:
●● DirectAccess
●● Windows To Go Creator

●● AppLocker
●● Windows BranchCache
●● Start screen control with Group Policy
●● Windows Defender Credential Guard
●● Windows Defender Device Guard
●● Application Virtualization (App-V)
●● User experience virtualization (UE-V)

Windows 10 Enterprise Long-Term Servicing Channel


Windows 10 Enterprise Long-Term Servicing Channel is a special edition of Windows 10 Enterprise that
Microsoft will not update with any new features. The Windows 10 Enterprise Long Term Servicing Branch
(LTSB) edition only gets security updates and other important updates. You can install Windows 10
Enterprise LTSB on devices that run in a known environment that does not change. For example, you can
deploy Windows 10 Enterprise LTSB for devices that run a specific application, such as a manufacturing
process. Changes to the device could affect the app that manages the manufacturing process in
unexpected ways. By using Windows 10 Enterprise LTSB, you prevent feature updates from causing
unexpected effects for line-of-business apps.
The differences between Windows 10 Enterprise and Windows 10 Enterprise Long-Term Servicing Channel
are that Windows 10 Enterprise Long-Term Servicing Channel:
●● Does not receive feature upgrades.
●● Does not contain the Microsoft Edge browser.
●● Does not have a Microsoft Store client.
●● Does not have Cortana.
●● Does not include many of the built-in Universal Windows apps.

Windows 10 Education
Windows 10 Education offers the same features as Windows 10 Enterprise, except for Long-term servicing
channel. This edition of Windows 10 is suitable for school staff, administrators, teachers, and students.
Windows 10 Education is only available through academic Volume Licensing.

What is Exchange Online


Exchange Online is a messaging and collaboration platform that provides one location for composing,
reading, and storing email, calendar, contact, and task information in Microsoft Outlook, Outlook Web
Access, or Outlook Mobile. Exchange Online supports access from most mobile devices, including
Android, iOS, and Windows 10 devices.
Some features of Exchange Online include:
●● Mailboxes and online archives. Individual users have their own mailboxes that they can use to store
mail messages. In addition to the main mailbox, some Office 365 plans include an online archive that
provides additional storage.

●● Calendaring. Each user has a calendar that they can use to track their upcoming events. Users can use
calendars when booking meetings to verify availability. Where appropriate, users can delegate access
to their calendars to other users such as administrative assistants and teammates.
●● View and edit attachments online. When users receive attachments, they can view and edit them
online in Outlook on the web. They do not require a locally installed version of Office.
●● Shared mailboxes and resources. You can use shared mailboxes as a group mailbox for groups of
users that need to share access to a central mailbox. You can configure resources for meeting rooms
and equipment to facilitate booking.
●● Public folders. Earlier versions of Microsoft Exchange Server relied on public folders for collaboration.
This feature is still available in Exchange Online if required.
●● Message policy and compliance. There are several message policy and compliance features in
Exchange Online. These include retention policies, message encryption, eDiscovery, data loss
prevention, and journaling.
●● Antispam and anti-malware. All Exchange Online subscriptions include Exchange Online Protection,
which provides configurable antispam and anti-malware scanning.
●● Configurable mail flow. To support specialized mail flow scenarios, you can create send and receive
connectors with varying settings. For example, you can create connectors that require additional
security settings with a business partner.
●● Mobile and multiplatform access. Users can access mailboxes and calendars from Outlook on either
Windows or Mac clients by using Messaging Application Programming Interface (MAPI) over HTTPS,
or by using Exchange Web Services. Outlook on the web supports accessing mailboxes and calendars
from almost any platform. Mobile devices can access mailboxes and calendars by using Microsoft
Exchange ActiveSync.
●● Hybrid deployment. You can integrate Exchange Online with an on-premises Exchange Server
organization by implementing a hybrid deployment. In a hybrid deployment, Exchange Online and the
on-premises Exchange organization can share a single namespace for messaging. A hybrid
deployment also supports calendar sharing and mailbox moves between Exchange Online and an
on-premises Exchange server.
●● Migration tools. Exchange Online includes tools to migrate from other on-premises Exchange Server
servers to Exchange Online. There is also a tool to migrate from any Internet Message Access Protocol
(IMAP) messaging service to Exchange Online.
For details about particular Exchange Online features included in specific subscription plans, see the
following Microsoft website: https://products.office.com/exchange/compare-microsoft-exchange-online-plans.

What is SharePoint Online


SharePoint Online is the cloud version of Microsoft SharePoint Server. It enables organizations to create
and customize intranet and team-focused or task-focused sites for efficient collaboration. Internal users
with an appropriate Office 365 or SharePoint Online license can use SharePoint Online. They can also
invite external users to access some parts of the SharePoint Online site. In this scenario, the external users
inherit the rights of the SharePoint Online user who sent them the invitation to collaborate. Using
SharePoint Online, users can:
●● Build intranet sites and create pages, document libraries, and lists.
●● Add web parts to customize their content.

●● Share important visuals, news, and updates with a team or communication site.
●● Discover, follow, and search for sites, files, and people across their organization.
●● Manage their daily routines with workflows, forms, and lists.
●● Sync and store their files in the cloud so anyone can securely work with them.
●● Catch up on news on-the-go with the SharePoint mobile app.

What is Microsoft Teams

Microsoft Teams provides a central hub for collaboration within your organization. By using the Microsoft
Teams platform, you can implement a chat-based workspace. You also can share documents, insights, and
status updates with colleagues. You can keep teams in sync and manage important projects, find vital
documents, and locate people easily. Teams is also available as a mobile app, which helps users stay up to
date on company information and news, whether they are in or out of the office.
With Teams, you can:
●● Communicate through chat, meetings, and calls. You can host audio, video, and web conferences, and
chat with anyone inside or outside your organization.
●● Collaborate together with integrated Office 365 apps. Teams makes teamwork easy. Users can
coauthor and share files with popular Office 365 apps such as Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft OneNote, SharePoint, and Microsoft Power BI.
●● Customize your workplace and achieve more. Using Teams, you can integrate apps from Microsoft
and third-party partner services to tailor your process, increasing teamwork and productivity.
●● Make calls in Office 365 and Teams. When paired with Office 365 Phone System, Office 365 Calling
Plan, and/or Phone System Direct Routing, Office 365 provides a full business calling experience in
Teams on a global scale.
●● Connect across devices. Teams and Teams devices work better together for intelligent meeting and
calling experiences. Find the right devices for your needs and bring your best ideas to life.

The Microsoft Teams platform provides similar functionality to Skype for Business, and Microsoft plans to
integrate these products.

What is Skype for Business Online


Skype for Business Online provides presence and instant messaging information, enabling users to
identify whether people are available and then chat, call, and video conference with each other. By using
Skype for Business Online, you also can create online meetings with audio, video, and web conferencing,
including integrating guest users from outside the organization. You can implement multiparty
high-definition (HD) video with hardware that supports this capability.
Skype for Business Online is available as part of most Microsoft 365 subscriptions. Skype for Business
Online provides the following key features:
●● Real-time presence. Users get availability and location information to make it easier for them to
choose the best method of communication with their co-workers. Skype for Business Online tracks
presence information for all Skype for Business Online users, and it provides this information to the
Skype for Business client and other apps such as Outlook.
●● Instant messaging. Users can utilize standard text-based instant messages to communicate in real
time with multiple users, and users can transfer files to those users.
●● Voice calls. Users can make Skype for Business Online calls to other Skype for Business Online users
inside and outside an organization. If enabled, they can also call Skype consumer users.
●● Web conferencing. Skype for Business Online can host conferences, which you can schedule or
initiate as needed. Conferences can include instant messaging (IM), audio, video, and application
sharing, slide presentations, and other forms of data collaboration.
●● Audio conferencing. Users can join Skype for Business Server–based audio conferences by using any
desktop or mobile device. When connecting to an audio conference by using a web browser, users
can provide a telephone number for audio conferencing service calls.
●● Enhanced presentations. Users can enhance their online presentations by using Skype for Business
Online screen sharing, application sharing, and virtual whiteboard features.
●● Support for federation. You can configure federation with other organizations that are running
Skype for Business Online, Skype for Business Server on-premises, Microsoft Lync Server, or Office
Communications Server. In addition, you can provide full Skype for Business functionality for users in
multiple organizations.
To improve productivity, Skype for Business Online provides integration with users’ calendars in
Exchange, and also enables the “click-to-communicate” feature in Outlook, SharePoint, and other Office
applications. Furthermore, Skype for Business Online introduces integration with on-premises Private
Branch Exchange (PBX) and video teleconferencing systems.

Note that many of the features provided by Skype for Business Online can also be accomplished by using
Microsoft Teams.

Additional services in Microsoft 365


Your organization can also subscribe to optional components within Office 365 that enhance your use of
these cloud-based services and provide your users with additional facilities to increase productivity.
These optional components include Yammer, Microsoft Project Online, Project Pro for Office 365, and
Microsoft Office Visio Pro for Office 365.

Yammer
The Microsoft enterprise social networking tool is becoming more integrated with Office 365, and
SharePoint Online users now have the option to replace their activity stream in SharePoint Online with
Yammer. To make this change, users click a Yammer link and sign in to this service through a separate
browser window. Future integration will include Single Sign On (SSO) between the Yammer service and
Office 365. Furthermore, users can use the Yammer Newsfeed instead of SharePoint Newsfeed.

Project Online
Project Online is the cloud version of Microsoft Project Server that enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value feature with Project Online is that it enables global organizations to plan project portfolios in
multiple time zones.

Project Pro for Office 365


Project Pro for Office 365 provides desktop project management capabilities for small teams and
organizations. Organizations that require full desktop project-management capabilities and the ability to
participate online from virtually anywhere on almost any device can combine this service with Project
Online.

Office Visio Pro for Office 365


Office Visio Pro for Office 365 is a subscription version of Microsoft Visio Professional, the diagramming
and flowchart application. Users can install it on up to five devices, and it includes the Visio on Demand
feature, which enables a user to install the application temporarily on any computer running recent
versions of the Windows operating system.

Microsoft Dynamics 365


Dynamics 365 is a cloud-based platform that combines customer relationship management and enterprise
resource planning functionality, and delivers applications for managing business functions such as sales,
marketing, finance, and customer service.

Microsoft Azure Information Protection


With Azure Information Protection, you can enhance document security in your organization and provide
classification services. This technology uses Microsoft Azure Rights Management to protect documents
both on premises and in the cloud, and to provide monitoring and document usage tracking. With the
classification mechanism that is available in Azure Information Protection, you can classify your Office
documents based on various criteria.
Microsoft is continuously improving existing services and adding new services to Office 365. For example,
Microsoft recently added the Microsoft To-Do service for all Office 365 users.

OneDrive for Business


OneDrive for Business is a private library for the storage, organization, and sharing of users’ work
documents. It is an integral component of a user’s Office 365 online environment, and is provided to each
of your organization’s users through its subscription to SharePoint Online in Office 365. If you get
OneDrive for Business through your organization’s subscription to Office 365, then you get 25 GB of
personal storage space by default; however, if your OneDrive for Business library is hosted on an
on-premises SharePoint server, then your storage space is allocated and controlled by your SharePoint
administrators.
OneDrive for Business is not the same as OneDrive, which is a cloud-based service intended for personal
storage and is provided with Microsoft accounts and Outlook.com accounts.

Planner
Use Planner from any of your devices to create new plans, assign tasks, and share files with others. You
can organize teamwork and collaborate on projects. You also can use Planner to chat with colleagues and
to keep track of your team's progress.

Power BI
Power BI is a business analytics service that delivers insights to enable fast, informed decisions. You can
use Power BI to transform data into visuals and share them with colleagues. You can use a variety of
device types to access this content. You also can collaborate on and share customized dashboards and
interactive reports.

Microsoft StaffHub
StaffHub helps workers manage their workday by using schedule management and information sharing.
It also provides the ability to connect to other work-related apps and resources. Managers can quickly
distribute important information to their team, such as policy documents, news bulletins or videos.

Stream
Stream is an enterprise video service where people in your organization can upload, view, and share
videos securely. You can share recordings of classes, meetings, presentations, training sessions, or other
videos that aid your team's collaboration. Stream also makes it easy to share comments about a video,
tag timecodes in comments, and add descriptions to refer to specific points in a video and discuss with
colleagues.

Microsoft Delve
Use Delve to manage your Office 365 profile, and to discover and organize the information that's likely to
be most interesting to you. Using Delve, you can manage your profile, and connect and collaborate with
colleagues.

Sway
You can use Sway to compile text, images, videos, and other content in an interactive online format. You
can apply designer-created layouts and color schemes, or let Sway suggest design elements that match
your content. You also can search and import relevant content from other sources, and then share your
completed Sways on the web.

What is Intune
Intune is a cloud service that helps you manage computers, laptops, tablets, and other mobile devices.
This includes iOS, Android, and Mac OS X devices. It uses Azure Active Directory (Azure AD) as a directory
store for identity, and it can integrate with local management infrastructures such as Microsoft System
Center Configuration Manager (SCCM). Intune is especially useful for devices that are beyond the
management scope of Group Policy, such as mobile phones, devices that are not AD DS domain members,
or Windows 10 devices that are joined to Azure AD.
By using Intune, you can:
●● Allow staff to more safely access organizational data by using personal devices, which is commonly
known as a Bring Your Own Device (BYOD) program.
●● Manage company-owned phones.
●● Control access to Microsoft Office 365 from unmanaged devices, such as public kiosks and mobile
devices.
●● Help to ensure that devices and apps that do connect to corporate data are compliant with security
policies.
Intune is a component of Enterprise Mobility + Security (EMS). Intune integrates with Azure AD and device
operating-system features to provide a complete solution. For example, when a user attempts to access
Office 365 data through a line-of-business (LOB) app on a mobile phone, Office 365 checks with Azure AD
to authenticate the user and verify whether that user can access the data from that app on that device.
The results depend on:
●● Conditional access policies defined within Azure AD.
●● Whether Intune tells Azure AD that the device is compliant with device configuration and data
protection policies.
●● Whether the app on that device complies with app configuration and data protection policies.
If the device and app are both compliant with all policies, Azure AD notifies Office 365 that the data can
be accessed.
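The access decision just described can be modeled as a small policy evaluation: Azure AD applies every conditional access policy that targets the requested app, and each policy's controls draw on the device and app compliance verdicts that Intune reports. The following is an added example written for this lesson; it is not Microsoft code, and the policy names, the fields of the request, and the sample sign-ins are constructed to illustrate the flow. A real tenant's policies are richer than this, but the structure (all applicable policies must be satisfied, and a denial names the control that failed) is what an administrator troubleshooting a blocked sign-in needs to understand.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class AccessRequest:
    """What Office 365 hands to Azure AD when a user opens data in an app (constructed)."""
    user: str
    app: str                # the Office 365 workload being accessed
    device_id: str
    platform: str           # "iOS", "Android", "Windows", ...
    mfa_satisfied: bool     # did the sign-in complete multifactor authentication
    device_compliant: bool  # Intune device compliance verdict for device_id
    app_compliant: bool     # Intune app protection verdict for the app on that device


@dataclass
class ConditionalAccessPolicy:
    """Simplified conditional access policy; names and fields are constructed for this example."""
    name: str
    target_apps: Set[str] = field(default_factory=set)  # empty set = applies to every app
    blocked_platforms: Set[str] = field(default_factory=set)
    require_mfa: bool = False
    require_compliant_device: bool = False
    require_compliant_app: bool = False

    def applies_to(self, req: AccessRequest) -> bool:
        return not self.target_apps or req.app in self.target_apps

    def failed_controls(self, req: AccessRequest) -> List[str]:
        """Return the controls of this policy that the request does not satisfy."""
        failed = []
        if req.platform in self.blocked_platforms:
            failed.append(f"platform {req.platform} is blocked")
        if self.require_mfa and not req.mfa_satisfied:
            failed.append("multifactor authentication not satisfied")
        if self.require_compliant_device and not req.device_compliant:
            failed.append(f"device {req.device_id} not compliant (Intune device policy)")
        if self.require_compliant_app and not req.app_compliant:
            failed.append(f"app {req.app} not compliant (Intune app protection policy)")
        return failed


def evaluate_access(policies: List[ConditionalAccessPolicy],
                    req: AccessRequest) -> Tuple[bool, List[str]]:
    """Azure AD's answer to Office 365: every applicable policy must be satisfied.

    Returns (allowed, reasons). reasons is empty on allow; otherwise it names each
    policy and control that blocked the request.
    """
    reasons = []
    for policy in policies:
        if not policy.applies_to(req):
            continue
        for control in policy.failed_controls(req):
            reasons.append(f"{policy.name}: {control}")
    return (not reasons, reasons)


# Constructed sample policies; the names are illustrative, not Microsoft defaults.
SAMPLE_POLICIES = [
    ConditionalAccessPolicy(name="Require MFA for all cloud apps", require_mfa=True),
    ConditionalAccessPolicy(name="Require compliant device for Exchange Online",
                            target_apps={"Exchange Online"},
                            require_compliant_device=True),
    ConditionalAccessPolicy(name="Require protected app for SharePoint Online",
                            target_apps={"SharePoint Online"},
                            require_compliant_app=True),
]


def demo() -> None:
    # Constructed sign-ins: one fully compliant, one from a device Intune marked non-compliant.
    ok = AccessRequest("alice@contoso.example", "Exchange Online", "dev-001", "iOS",
                       mfa_satisfied=True, device_compliant=True, app_compliant=True)
    bad_device = AccessRequest("bob@contoso.example", "Exchange Online", "dev-002", "Android",
                               mfa_satisfied=True, device_compliant=False, app_compliant=True)
    for req in (ok, bad_device):
        allowed, reasons = evaluate_access(SAMPLE_POLICIES, req)
        print(req.user, "ALLOW" if allowed else "BLOCK", reasons)


if __name__ == "__main__":
    demo()
```

Note that a policy scoped to one workload (here, Exchange Online) says nothing about a request for another workload; only the tenant-wide MFA policy and the SharePoint app protection policy are consulted for a SharePoint request, which is why the reasons list carries the policy name alongside the failed control.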

What is Office 365 ProPlus


Some Office 365 plans include Office 365 ProPlus, which is a downloadable version of the Microsoft
productivity suite of applications, including Word, Excel, PowerPoint, Outlook, Access, Publisher, OneNote,
Microsoft InfoPath, and the Skype for Business client. There are also web app versions of Word, Excel,
PowerPoint, and OneNote.
Office 365 ProPlus supports streaming deployment by using Click-to-Run technology, when used on a
computer. This enables users to click the application installation icon and start using the application while
the program installs in the background. It is important to emphasize that although deployment requires
an internet connection, Office 365 ProPlus installs and runs locally on the user's computer.
Office 365 ProPlus is not a web-based or a light version of Office, and users do not have to connect to
the internet permanently to use it. However, they must connect at least every 30 days to confirm that
they still have the right to use the Office 365 ProPlus license.

Office 365 ProPlus vs. Office Professional 2019


While Office 365 ProPlus installs from the Office 365 subscription license and includes the Office Profes-
sional applications, it differs from Office Professional 2019 in a few ways:
●● Office Professional 2019 is the desktop version of Office. You install Office Professional 2019 in the
traditional way, through Microsoft Windows Installer (MSI) from volume license media, which requires
a volume license product key.
●● Office 365 ProPlus is a full version of Office that you install through Click-to-Run technology, and it
includes Office Online in the license. Updates automatically push out to the users. (We will discuss
controlling the frequency through update branches later in this lesson.)
●● Office 365 ProPlus licensing also provides five copies of the full Office suite to use on multiple devices
per user.
●● Office Professional 2019 installations do not stream. They include a license for only one copy per user,
and updates do not automatically update the applications without some intervention.
●● Office Professional Plus 2019 is connected to the device on which you installed it, whereas Office 365
ProPlus is connected to the user, which provides additional flexibility. For example, you can deactivate
Office on user-owned devices when employees leave the organization, or if their devices are
compromised. Also, companies can treat Office 365 as an operational cost instead of a software asset.

Security services in Microsoft 365


Microsoft 365 includes Enterprise Mobility plus Security. Security is a concern for any organization. How
much of a concern might vary based on an organization’s particular needs. But whatever those needs, Mi-
crosoft 365 provides security features that can help.
When attempting to manage these aspects of your IT services, Microsoft 365 enables you to:
●● Help protect users’ identities and control access to resources.
●● Help protect against advanced threats.
●● Recover quickly from security attacks.
●● Control access to data by ensuring documents and emails are seen only by authorized people.
●● Have control over security tools to enable visibility of your organization’s security infrastructure.
Security for your organization’s IT services can fall into one of four main categories:
●● Identity. You manage this through Azure AD.
●● Devices. These are managed by Windows Defender Security Center and Intune.
●● Apps and data. You manage these using Office 365 Security & Compliance Center and Microsoft
Cloud App Security.
●● Infrastructure. You manage this with Azure Security Center.

Office 365 Security & Compliance Center

You can use the Security & Compliance Center to:
●● View security alerts and to configure security alert policies.
●● Define and manage security roles (known as permissions) for your users. These define what your users
can do; examples are Reviewer, Security Administrator, and Mail Flow Administrator.
●● Configure labels and label policies that allow you to identify and classify documents, email messages,
and so on. You then can apply protection to labelled items, such as encrypting email messages.
●● Create and manage data loss prevention (DLP) policies. DLP policies help you to identify and protect
your organization's sensitive data. For example, they help to ensure that a sensitive email isn’t shared
with unauthorized people.
●● Manage data governance. This enables you to classify your content and where necessary, retain that
content per legal requirements.
●● Manage threats. This enables you to manage malware threats within your organization. You can view
reports on malware threats, configure quarantine, manage restricted users, and identify specific
malware. You can also define policies for anti-phishing, anti-spam, antimalware, and DomainKeys
Identified Mail (DKIM) signatures.
●● Manage mail flow. You can view reports about mail flow in and out of your organization, and perform
specific message traces.
●● Manage data privacy. For example, in the European Union, you can use this node to manage General
Data Protection Regulation (GDPR) compliance within your organization.

Cloud App Security


Cloud App Security is an add-on that you can combine with your Microsoft 365 subscription. Cloud App
Security provides you with visibility of your cloud apps and services. It also provides sophisticated
analytics to help to identify and combat security threats, and enables you to control data flow in and out
of your organization.
Cloud App Security provides the following features:
●● Identify cloud apps used in your organization. Your users might be accessing other software as a
service (SaaS) platforms that could present a potential security risk.
●● Protect your sensitive information. You can label and monitor sensitive data and identify how the data
is distributed and stored.
●● Identify and mitigate threats in your cloud apps. You can receive notifications about possible threats
based on unusual behavior and other anomalies.
●● Ensure compliance. This helps you to remain compliant with data storage regulations and certifica-
tions, such as GDPR.

Cloud App Security


View the short video about Cloud App Security to find out more.

Azure Security Center


You can use Azure Security Center to manage the following security aspects of your cloud platform:
●● Monitor security across on-premises and cloud workloads.
●● Apply policy to ensure compliance with security standards.
●● Find and fix vulnerabilities before they can be exploited.
●● Use access and application controls to block malicious activity.
●● Leverage advanced analytics and threat intelligence to detect attacks.
●● Simplify investigation for rapid threat response.

You can access Azure Security Center from the Azure portal.

Analytic services in Microsoft 365


Microsoft MyAnalytics
Included in the Microsoft 365 E5 subscriptions, MyAnalytics lets you see how you spend your time at
work.
MyAnalytics accesses data from your Office 365 use to help you determine how you can become more
efficient during your work day:
●● MyAnalytics personal dashboard: In the dashboard you can view statistics on how you've spent your
time over the past week.
●● Outlook add-in: The Outlook add-in presents you with cards that report on aspects of your recent
work experience, and let you respond in various ways.
●● Email digests: You receive a weekly digest in email that gives you highlights about your previous week.
●● MyAnalytics nudges: MyAnalytics nudges are notifications that appear in Microsoft Outlook that can
help boost your productivity by displaying useful suggestions and tips around managing email and
running meetings.

How does MyAnalytics work?


MyAnalytics uses data from your Office 365 mailbox; specifically, data about emails, meetings, and Skype
calls and chats. MyAnalytics does not require an agent or tracking software on your device to capture this
data. It gathers the following information:
●● Email items:
    ●● Metadata. This includes the email's timestamp, sender, recipients, and an indication of whether the
    email was read.
    ●● Statements that people have made in email body text. These statements are used to create To-do
    cards for your use.
    ●● Actions of other users who receive your email, for example, whether they have opened your
    email. (This is used only in aggregate form to protect individual privacy.)
●● Calendar items:
    ●● Type of meeting or appointment
    ●● Status, such as busy, free, out-of-office, or tentative
    ●● Category
    ●● Subject
    ●● Duration
    ●● Attendees
●● Skype for Business Online items:
    ●● Audio calls
    ●● Video calls
    ●● Chats that people make in Skype for Business Online
MyAnalytics does not use data derived from activities on your computer, such as applications that you've
used and websites that you've visited.

Introducing MyAnalytics
You can review the following short video about MyAnalytics to see what it has to offer you.

Microsoft Workplace Analytics


In the same way that a user can use MyAnalytics to understand how they work and gain an insight into
their workaday practices, so an organization can identify similar working practices across an entire
organization by using Workplace Analytics.
Workplace Analytics helps you understand how your organization spends its time by providing you with
information on how groups collaborate across your organization. This insight enables business deci-
sion-makers to push for cultural transformation within the organization.
By augmenting Office 365 data with business outcome data, you can:
●● Identify best practices.
●● Develop predictive models.
●● Establish organizational benchmarks.
You can use the data gathered by Workplace Analytics to:
●● Improve organizational efficiency.
●● Help employees reduce their work-related stress.

Get to Know Workplace Analytics


Find out more by viewing the following short video about Workplace Analytics.

Microsoft on-premises services vs cloud services in Microsoft 365
Introduction
Many organizations use on-premises IT solutions. This means that they maintain physical or virtual
servers and services within their IT datacenters. However, organizations are moving their services to cloud
providers at an increasing rate. Microsoft 365 provides a full range of services that can replace (or coexist
with) an organization’s on-premises infrastructure and services.
After this lesson, you should be able to:
●● Compare on-premises services with Microsoft 365 cloud services.
●● Identify business usage scenarios for Microsoft 365.
●● Describe the Windows as a service model.
●● Compare Windows as a service with the traditional Windows desktop.

Comparing Microsoft 365 services with on-premises services
Although you can think of the Microsoft 365 core services, such as Exchange Online and SharePoint
Online, as cloud-based equivalents of the on-premises versions of Exchange Server and SharePoint
Server, that is a simplistic view. In reality, the cloud-based services in Microsoft 365 can
provide many organizations with service and reliability improvements over those available in many
on-premises scenarios. This topic compares some of the Microsoft 365 core services with their on-premises
equivalents.

Comparing Exchange Online and on-premises Exchange Server
To determine whether Exchange Online is appropriate for your organization, you must identify the
differences between Exchange Online and on-premises Exchange Server. Some of these differences are:
●● Unlimited storage. Many on-premises deployments of Exchange Server place relatively low limits on
mailbox sizes, such as one or two gigabytes (GB). Exchange Online supports larger mailboxes of 50 GB
or larger depending on the plan you have purchased.
●● High availability. For an on-premises Exchange Server, you need to purchase and configure hardware
to store multiple mailbox copies, and configure load balancing to achieve high availability. For true
high availability, you also need an alternate datacenter. Exchange Online, by contrast, is automatically
highly available, with your data replicated to multiple datacenters.
●● Backups. Exchange Online does not have any built-in methods for configuring backups. Instead, you
configure retention through single-item recovery and litigation hold.
●● Automatic integration with other Office 365 features. Exchange Online offers additional features
such as Office 365 groups, which integrate multiple Office 365 features together. Another example is
the online viewing and editing of email attachments.
●● New features. Exchange Online has many features that do not exist in an on-premises Exchange
server. It is possible that some of these features will be integrated into on-premises Exchange server
in the future, but they will always appear first in Exchange Online because development happens there
first.
●● No access to Exchange Online databases or servers. Unlike an on-premises Exchange server where
you administer and manage Exchange servers and databases, Microsoft manages these items in
Exchange Online.

Comparing SharePoint Online and an on-premises SharePoint Server
As with Exchange Server and Exchange Online, organizations implementing SharePoint must determine
whether to deploy SharePoint Server on-premises or to implement SharePoint Online.
SharePoint Online is a Microsoft cloud-based service. Instead of installing and deploying SharePoint
Server on-premises, you can subscribe to a Microsoft 365 plan (or to the standalone SharePoint Online
service). Your users can then create sites to share documents and information.
SharePoint Server is an on-premises solution. It includes all the features of Microsoft SharePoint Founda-
tion, but also provides a number of additional features and capabilities including Enterprise Content
Management, business intelligence, Enterprise Search, personal sites, and Newsfeed.
Feature differences between SharePoint Online and an on-premises SharePoint Server include:
●● Anti-malware protection is not included in SharePoint Server.
●● Claims-based authentication is only provided with SharePoint Server.
●● Data loss prevention policies are available in SharePoint Online as part of Microsoft 365 E3 or Micro-
soft 365 E5 subscriptions.
●● Encryption at rest is not available in SharePoint Server.

Comparing Skype for Business Online and an on-premises Skype for Business Server
One of the key factors when deciding whether to implement Skype for Business Server or subscribe to
Skype for Business Online is the relative complexity of configuring Skype for Business on a server.
Enabling and configuring the various communications protocols and devices requires specialist knowl-
edge, which some organizations might lack. Skype for Business Online requires no such specializations.
Beyond this significant factor, there are some additional feature differences in the two platforms:
●● Clients. The Skype for Business Online E3 and E5 subscriptions include the full Skype for Business
client, which is not provided with Skype for Business Server 2015.
●● Persistent chat. This feature is available in Skype for Business Server, but not for Skype for Business
Online.
●● Network Quality of Service (QoS) Differentiated Services Code Point (DSCP). This feature is
unavailable in Skype for Business Online.
●● AOL and Yahoo! Federation. This feature is unavailable in Skype for Business Online.
●● Skype for Business meeting dial-in via Audio Conferencing (first party). This feature is only
available in Skype for Business Online with an Office 365 E5 subscription.
●● Skype for Business meeting dial-in via Certified Audio Conferencing Provider (ACP). This feature
is only available with Skype for Business Online.
●● Skype Meeting Broadcast. This feature is only available with Skype for Business Online.

●● Voice calling auto attendants. This feature is only available in Skype for Business Online with an
Office 365 E5 subscription.
●● Unified Messaging interoperability with Exchange Server. This feature is only available with Skype
for Business Server.

Business usage scenarios for Microsoft 365


There are a number of factors to consider when asking whether Microsoft 365 is the right choice for an
organization. Microsoft 365 provides more features and functionality than some organizations might
need. In these situations, Office 365 subscriptions might be the most appropriate choice. For others—
such as larger organizations—the choice might be between Microsoft 365 and on-premises implementa-
tions. When planning to purchase an Office 365 versus Microsoft 365 subscription, you should consider
the following questions:
●● What business needs will drive your organization to move to Microsoft 365? Some answers might
include better availability, industry-standard security, lower hardware and software maintenance costs,
and support for multiple devices and platforms.
●● What is your organization’s current IT infrastructure? For example, do you have many on-premises
custom applications? If so, the planning process of moving custom applications to the cloud might be
time-consuming. If you opt to transition infrastructure and applications to the cloud, you might
choose to deploy a hybrid solution, in which you move Exchange mailboxes to Office 365, and
continue to host custom applications on premises.
●● What is your organization’s change-management process? Every organization has a different
change-management process that defines the deployment process for new solutions. For example,
your organization might use Microsoft Operations Framework (MOF) 4.0, which incorporates the best
practices of the service management industry. MOF is a particularly appropriate framework to apply
when implementing and operating Office 365, as it also integrates well with the phases of the Fast-
Track deployment plan and can help solve service-delivery issues.
●● How many users will use Office 365 versus Microsoft 365, and what are your plans for growth? Some
of the Office 365 subscriptions are limited in the number of users and the types of functionalities
permitted. Therefore, organizations have to match the requirements for Office 365 functionalities with
the number of users. However, an organization can mix different Office 365 plans according to its
business needs. For example, one organization can purchase 200 Business Essentials seats, 200
Business Premium seats, and 200 Enterprise E3 seats on a single tenant.
●● How do you plan to manage mobile devices? For example, if you only plan to allow users to use
organizationally owned devices which are Active Directory Domain Services (AD DS) domain-joined,
then you can use on-premises Group Policy settings to configure these devices. However, if you plan
to allow users to use their own devices, and particularly if the devices they want to use run a variety of
operating systems (such as iOS, macOS, Android, or Windows 10), then you will need mobile device
management (MDM). If your device management needs are simple, you can probably use Office 365’s
MDM. If your needs are more complex, then you will probably need to use Intune MDM, available as
part of a Microsoft 365 subscription.

Product business needs


Let's do a quick activity to test your knowledge of the appropriate product for each business need. Click
on the button below to open this review activity full screen.
LAUNCH ACTIVITY1

Understanding Windows as a service model


With Windows as a service, Microsoft simplifies the operating system build, deployment, and servicing
process. In the past, Microsoft released new versions of the Windows operating system every few years
(for example, the change from Windows 7 to Windows 10). This has meant that updates were intermittent
and required a significant effort to implement.
Today, Microsoft no longer provides major operating system revisions (such as Windows 7 to Windows
10) every few years, or significant operating system servicing updates (known as service packs) between
these major revisions. Instead, revisions and updates are propagated more frequently and are described
as follows:
●● Feature updates. These add new functionality and are released twice a year. Microsoft aims to
package new features into biannual updates that can be readily deployed using existing management
tools. Because the updates are more frequent and smaller, users take less time to adapt to changes.
Consequently, the workload and cost impact on organizations is reduced.
●● Quality updates. These provide greater reliability through security updates and fixes, and are usually
issued at least once a month. On the second Tuesday of each month, a cumulative update is released
which supersedes all previous updates. This helps to ensure that organizations’ devices more closely
align to those used for testing in Microsoft.
The major advantage of this process is that you can begin to consider Windows updates as an ongoing
update maintenance task rather than a periodic operating system upgrade project. In addition to the
streamlining of the update process, Microsoft provides organizations with more control over how and
when updates are applied to their devices through the use of:
●● Servicing channels. Windows as a service offers three servicing channels: the Windows Insider
Program, semi-annual, and long-term servicing.
●● Deployment rings. In Windows 10, deployment rings are similar to the groups your organization
might have used to manage updates to earlier versions of Windows. These updates are within tools
such as Windows Server Update Services (WSUS). With deployment rings you can group devices
together for the purposes of receiving updates via each of the servicing channels.

Servicing channels
Although servicing channels are new, you can still use the same management tools to deploy the updates
to your organization’s devices that you used in earlier versions of Windows. These include:
●● Windows Insider Program. Users become familiar with feature updates before they are released to
the wider public. This enables organizations to use these feature updates before the wider public
deployment. In addition, users can provide feedback to Microsoft to help resolve any issues with
updates.
●● Semi-Annual Channel. Computers configured in the Semi-Annual Channel receive updates as soon
as Microsoft publishes them. There are two Semi-Annual Channels: semi-annual (targeted) is aimed at
a subset of your users, while semi-annual is aimed at all other users.
●● Long-Term Servicing Channel. For computers and other devices that perform a single task or a
number of specialized tasks, the long-term servicing channel prevents configured devices from
receiving feature updates. However, quality update delivery is not affected. Note that the Long-Term
Servicing Channel is available only in the Windows 10 Enterprise LTSB edition.

1 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_02_02_03_ProductBusinesstutorial.html

Deployment rings
In Windows 10, you can use deployment rings to further control how and when updates are applied to
your devices. It’s probable that you will only define these deployment rings once; however, you should
consider revisiting the deployment ring configuration periodically to ensure that they still meet the needs
of your organization and its users.
Typically, you might define the deployment rings in the following table.

Name of ring   Channel                          Feature update deferral   Quality update deferral   Description
Preview        Windows Insider Program          None                      None                      You can test updates on a small group of devices before they become more widely available on the Semi-Annual Channel.
Targeted       Semi-Annual Channel (Targeted)   None                      None                      You can evaluate a significant update before it is deployed to most other devices.
Broad          Semi-Annual Channel              120 days                  7 to 14 days              You use this ring to deploy the update to most of your users’ devices. Use the deferment period to thoroughly test the updates before further deployment. Note: You can pause updates if you encounter significant problems or issues.
Critical       Semi-Annual Channel              180 days                  30 days                   These are reserved for devices that are critical and are only updated when the updates have been thoroughly tested throughout the rest of your organization.
By defining and using deployment rings, you can effectively control how feature and quality updates are
deployed through your organization. You should start to think about using Windows as a Service as an
ongoing process, rather than a specific project to update Windows builds. The following diagram shows
how you can use the servicing channels to create an update timeline that includes a planning and
preparation phase, pilot deployments, and general deployment.

You do not need to deploy all feature updates; you can opt to bypass those updates that do not add
value for your users. Bear in mind, however, that support for a feature update continues for 18 months
after its release.
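The ring deferrals in the table, the monthly cumulative quality update that ships on the second Tuesday, and the 18-month support window for a feature update together define an update timeline. The following Python is an added worked example, not part of the course or of any Microsoft tool: it takes the ring definitions from the table above (Broad's quality deferral is kept as the 7 to 14 day range), computes when each ring receives a given feature or quality update, and checks that no ring is deferred past the end of support. The release dates used are constructed sample input.

```python
"""Update timeline for the deployment rings in the table above.  Added
illustration: ring names, channels and deferrals come from the table; release
dates used as input are constructed samples."""
from datetime import date, timedelta

# ring -> (feature update deferral in days, (min, max) quality update deferral in days)
RINGS = {
    "Preview":  (0, (0, 0)),
    "Targeted": (0, (0, 0)),
    "Broad":    (120, (7, 14)),
    "Critical": (180, (30, 30)),
}
SUPPORT_MONTHS = 18  # feature update support period stated in the text


def patch_tuesday(year, month):
    """Second Tuesday of the month, when the cumulative quality update is released."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def add_months(d, months):
    """Calendar-month arithmetic; the day is clamped to 28 so it never overflows a short month."""
    month_index = d.month - 1 + months
    return date(d.year + month_index // 12, month_index % 12 + 1, min(d.day, 28))


def feature_update_schedule(release):
    """Date each ring receives a feature update released on `release`, plus end of support."""
    schedule = {ring: release + timedelta(days=defer) for ring, (defer, _) in RINGS.items()}
    schedule["support_ends"] = add_months(release, SUPPORT_MONTHS)
    return schedule


def quality_update_window(year, month):
    """Earliest and latest date each ring receives that month's cumulative quality update."""
    release = patch_tuesday(year, month)
    return {ring: (release + timedelta(days=lo), release + timedelta(days=hi))
            for ring, (_, (lo, hi)) in RINGS.items()}


def rings_within_support(release):
    """Rings whose deferred install date still falls inside the 18-month support window.
    A ring missing from the result would be installing a build that is already unsupported."""
    schedule = feature_update_schedule(release)
    end = schedule["support_ends"]
    return [ring for ring in RINGS if schedule[ring] <= end]


if __name__ == "__main__":
    sample_release = date(2019, 4, 2)   # constructed sample feature update date
    for ring, when in feature_update_schedule(sample_release).items():
        print(f"{ring:>13}: {when}")
    for ring, (lo, hi) in quality_update_window(2019, 3).items():
        print(f"{ring:>13}: quality update between {lo} and {hi}")
    print("rings within support:", rings_within_support(sample_release))
```

The support check is the part worth keeping in a real planning sheet: with the table's deferrals, even the Critical ring (180 days) installs well inside the 18-month window, but the same function would flag a ring if someone later raised a deferral or skipped a feature update for long enough that its devices fell out of support.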

Windows as a service - What to know about software update management in Windows 10
For more information, watch the following video about Windows as a service.

Comparing Windows as a service with the traditional Windows desktop
In the past, a significant effort was required to implement a shift to a new Windows version. Windows as
a service helps streamline this process by helping to avoid these major shifts in the organizational
infrastructure. Instead, it provides continual updates for devices.
Many organizations have extensive on-premises infrastructure components to aid with deployments, but
you can also use a number of cloud-based services and tools to deploy, configure, and maintain Win-
dows 10.
●● Cloud-based methods. Cloud-based methods include Windows Autopilot, Subscription Activation,
and either Azure AD or MDM. These three methods enable you to join a device running Windows 10
to Azure AD, and to configure the device according to organizational standards. This configuration
could include deploying apps and settings to the device.
●● On-premises methods. You can use tools such as Microsoft Deployment Toolkit (MDT) and SCCM to
support on-premises methods. These tools support bare metal computer, refresh, and replace
scenarios. In addition, you can use In-place upgrades to upgrade a device from a supported operating
system to Windows 10. Finally, by using tools such as Windows Configuration Designer, you can
create and deploy provisioning packages to your Windows 10 devices, enabling you to configure
those devices.
Different methods that you can use to deploy, configure, and maintain Windows are:
●● Windows Autopilot. Use this method to customize an out-of-box-experience to deploy apps and
settings already configured for your organization’s devices. You use this method for devices already
running Windows 10.
●● In-place upgrade. Use this method to update your devices’ operating system and to migrate apps,
and user data and settings. You launch in-place upgrade by using Windows setup.exe. Use this
method for devices running earlier Windows operating systems.
●● Subscription activation. Using subscription activation, subscribed users can switch to Windows 10
Enterprise (from Windows 10 Pro) during sign in.
●● Azure AD or MDM. Join devices to Azure AD and enable device configuration with MDM automati-
cally.
●● Provisioning packages. Create provisioning packages with Windows Configuration Designer (part of
the Windows Assessment and Deployment Kit (ADK)), and then apply those packages to devices
within your organization.
●● Bare metal computer. Use this method to deploy new devices, or to wipe existing devices and
deploy fresh images to them.
●● Refresh. You use this method to redeploy devices by saving the user state, wiping the disk, and then
restoring user state. This is also known as wipe and load.
●● Replace. Use this method to replace existing devices with new devices by saving the user state on the
old device, then restoring the user state to a new device.

Cloud-based deployment scenarios

Windows Autopilot
With Windows Autopilot you can customize the out-of-box experience (OOBE) for your organization’s
Windows 10 computers. Windows Autopilot offers the following advantages over on-premises deploy-
ment methods:
●● You do not need to use images.
●● You do not need to customize the deployments by injecting drivers.
●● You do not need to deploy and maintain a deployment infrastructure.
Windows Autopilot is cloud-driven and based around Azure AD Premium, the Microsoft Store for Busi-
ness, and/or Microsoft Intune. Using Windows Autopilot, you can:
●● Join devices to Azure AD automatically.
●● Auto-enroll your users’ devices into MDM services.
●● Restrict Administrator account creation.
●● Customize the OOBE content specifically for your organization.

Dynamic provisioning scenarios


Most organizations do not purchase a new device, unbox it and use it as is. Instead, IT pros usually
replace the preinstalled operating system with a standard image customized for the organizations’ needs.
With Windows 10 pre-installed on new devices, the aim of dynamic provisioning is to avoid the need for
this initial replacement. Dynamic provisioning uses a number of transforms to achieve this objective:
●● Subscription activation
●● Azure AD / MDM
●● Provisioning packages

Unified endpoint management in Microsoft 365
Introduction
A key task of any administrator is to protect and secure an organization's resources and data. This set of
tasks is usually referred to as device management. Users have many devices from which they open and
share personal files, visit websites, and install apps and games. These same users are also employees and
want to use their devices to access work resources, such as email and SharePoint. Device management
enables organizations to protect and secure their resources and data.
After this lesson, you should be able to:
●● Describe Enterprise Mobility and Unified Endpoint Management.
●● Explain mobile device management (MDM) and mobile application management (MAM).
●● Explain why a business needs MDM.
●● Describe MDM and MAM in Microsoft 365.
●● Describe data compliance and explain how Microsoft 365 provides for this.

What is Enterprise Mobility and Unified Endpoint Management
In the past, organizations typically provided a computer built to a single standard, using a single configuration to support all users. There was no need to support different types of device, such as tablets and phones, or to support varying configurations.
In the modern workplace, IT departments typically support multiple device types, in addition to many different device configurations across a single device type. Android and iOS operating systems on phones and tablets, Windows 10 devices that are connected to your AD DS domain, and users’ own devices must all be supported. All these devices must conform to organizational standards of security and device health. In addition, IT pros must be able to configure these disparate device types to support organizational apps and features, such as VPNs, email settings, and updates.
Unified Endpoint Management is an industry term that describes the notion of a platform that can
provide overall device and app management from a single console. Microsoft’s Enterprise Mobility +
Security (EM+S) provides enterprise mobility and unified endpoint management. EM+S is provided as
part of Microsoft 365 E3 and E5 plans, as summarized in the table below.

Product                               E3 plan    E5 plan
Azure AD Premium                      P1 plan    P2 plan
Intune                                Yes        Yes
Azure Information Protection          P1 plan    P2 plan
Microsoft Advanced Threat Analytics   Yes        Yes
Cloud App Security                    No         Yes
Azure AD Premium is the central identity store that you use for all the applications in EM+S and Microsoft 365. Some of the additional features included with the P1 and P2 plans are:
●● Self-service password reset.
●● Write-back from Azure AD to on-premises AD DS.
●● Microsoft Azure Multi-Factor Authentication (MFA) for cloud and on-premises apps.
●● Conditional access based on group, location, and device state.
●● Conditional access based on sign-in or user risk (P2 plan only).
Differences between Azure AD Premium 1 and Azure AD Premium 2 are identified as follows:
Azure AD Premium P1 Plan Description: For enterprise environments, Azure AD Premium P1 provides
additional features that make it easier to manage users and applications. Some key features are:
●● Self-service group and app management.
●● Self-service password reset (writeback to on-premises).
●● Two-way synchronization of device objects.
●● Azure MFA.
●● Conditional access based on group, location, and device state.
●● Unlimited SSO apps.
●● Cloud app discovery.
●● Microsoft Identity Manager client access license for complex identity synchronization.
●● Advanced security and usage reports.
●● Azure AD Join features, such as:
   ●● MDM autoenrollment.
   ●● Self-service BitLocker recovery.
   ●● Add local administrators.
   ●● Enterprise State Roaming.
Azure AD Premium P2 Plan Description: Includes all the features of P1, plus you can use additional features
in Azure AD to further enhance Azure AD security:
●● Azure AD Privileged Identity Management. This feature enables you to assign administrators as an
eligible admin. When administrators need to perform administrative tasks, they activate administrative
privileges for a predetermined amount of time.
●● Azure AD Identity Protection. This service monitors authentication to Azure AD and identifies risks based on anomalies and suspicious events. Notifications are sent for risk events. You can also create risk-based conditional policies that can block sign-ins or require MFA.
Intune enables you to manage mobile devices and apps. Using Intune, you can enforce security policies,
wipe devices remotely, and deploy apps.
Azure Information Protection encrypts documents and enforces policies on their use. Document data is
more protected because only authorized users can access the contents.
Azure Information Protection P1 includes the following features:
●● Manual document classification and consumption of classified documents
●● Protection for Exchange Online, SharePoint Online, and OneDrive for Business content
●● Bring Your Own Key (BYOK) for customer-managed key provisioning life-cycle
●● Custom templates
●● Protection for on-premises Exchange and SharePoint content via Microsoft Rights Management services (RMS) connector
●● RMS software developer kit (RMS SDK) for all platforms: Windows, Windows Mobile, iOS, Mac OS X, and Android
●● RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector
●● Document tracking and revocation
●● Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection)
●● RMS content consumption by using work or school accounts from RMS policy-aware apps and
services
●● RMS content creation by using work or school accounts
Azure Information Protection P2 includes the following additional features:
●● Automated data classification and administrative support for automated rule sets
●● Azure Information Protection Hold Your Own Key (HYOK) for highly regulated scenarios
Advanced Threat Analytics enables you to see what’s happening within your network by identifying suspicious user and device activity. It then provides you with clear, unambiguous threat information.
Advanced Threat Analytics can:
●● Detect suspicious activities and malicious attacks.
●● Adapt to the changing nature of cyber-security threats.
●● Provide focus and clarity around what is important with a simple attack timeline.
●● Reduce false positives.
Cloud App Security uses data collected from your firewalls and proxy servers to identify cloud application
usage. This can help identify unauthorized applications that might be a threat to your data. Additionally,
it can identify unusual usage patterns that might indicate a problem.
The tools in EM+S help enhance management and security for mobile users. The following table describes some specific examples of how these tools work, and how to use them.

Tool: Enhanced authentication security
Usage: Azure AD monitors user authentication for suspicious patterns, for credentials that are available on the black market, and for devices potentially infected by malware. You receive notifications for any of these detected scenarios, which enables you to potentially avoid problems caused by compromised credentials. For example, a suspicious pattern might be a user who signs in from two different geographic locations in rapid succession. If you implement MFA, you can mitigate the risk of stolen credentials. MFA requires the user to provide additional information beyond user name and password for authentication. The additional information might be a code sent to a phone via a text message, or acknowledging a prompt in an app. With MFA enabled, stolen credentials alone cannot be used to sign in.

Tool: Information protection
Usage: Intune helps protect information on mobile devices in multiple ways. First, if the entire device is protected, then Intune can wipe a lost or stolen device to ensure that data on the device is not accessed by unauthorized users. If your organization allows BYOD, Intune can separate personal and organizational data. Even managed apps are isolated from personally installed apps to prevent data from being copied between them. Furthermore, if a user leaves the organization, you can wipe the organizational data and apps without affecting personal data. You can implement Azure Information Protection to prevent data from leaking outside of your organization to unauthorized users. Conditions set in documents control which users can access or modify the contents of the documents. Because the documents’ contents are encrypted, if they are forwarded to an unauthorized user, that user cannot view the contents.

What is MDM and MAM
MDM enables you to manage your users’ devices, which helps you secure your organization’s resources
and data. For example, you can use MDM to configure device security settings on enrolled devices and
require a user to enter a PIN to unlock their device.
MAM enables an administrator to manage apps installed on devices, but not necessarily the devices themselves. So, for example, you could create an Intune MAM policy that controls whether a user can save corporate data to their OneDrive.
MDM is an industry standard for managing desktop computers and mobile devices such as smart phones, tablets, and laptops. As a modern desktop administrator you need to know how to manage devices in your organization by using MDM. There are a number of scenarios where on-premises solutions either cannot manage or might be better managed through MDM policies than through traditional methods such as group policies.
MDM is implemented by using MDM authority and MDM clients. Microsoft offers two MDM authority
solutions: Intune, and MDM for Office 365. MDM client functionality is included as part of the Windows
10 operating system. MDM authority can manage various devices that include MDM client functionality,
such as Android, iOS and Windows 10. Some device settings can be managed on all MDM-enrolled
devices, while other settings are device-specific and can only be configured using device-specific MDM
policies.
MDM functionality includes distribution of applications, data, and configuration settings to devices that
are enrolled to MDM. Windows 10 devices can be enrolled in MDM manually by using the Settings app,
by provisioning a package, or by Group Policy in a hybrid environment. Alternatively, devices can be
enrolled in Azure AD, provided that integration between Azure AD and MDM is configured. You can use MDM to manage a device regardless of its domain membership.
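Whichever of the enrollment paths above is used, an administrator troubleshooting a Windows 10 device that is not receiving MDM policy first needs to know whether the device is actually Azure AD joined and enrolled. The script below is an added example, not part of the course: it reads the output of the built-in dsregcmd.exe tool and the enrollment records in the registry. The key names it looks for (AzureAdJoined, DomainJoined, MdmUrl) and the registry location and ProviderID value are assumptions about current Windows 10 builds and are labelled as such in the comments.

```powershell
# Added example (not course material): report a Windows 10 device's Azure AD join
# and MDM enrollment state, the two things an admin checks before expecting MDM
# policy to arrive. Run in an elevated PowerShell session on the device.
function Get-DeviceEnrollmentState {
    # dsregcmd.exe ships with Windows 10 and prints "Key : Value" lines.
    # Assumption: the keys AzureAdJoined, DomainJoined and MdmUrl are present.
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # Assumption: each MDM enrollment is stored as a GUID-named key under
    # HKLM\SOFTWARE\Microsoft\Enrollments, and Intune enrollments carry
    # ProviderID "MS DM Server".
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID }

    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined'] -eq 'YES')   # both true = hybrid join
        MdmUrl        = $state['MdmUrl']                      # empty when no MDM is configured
        MdmEnrolled   = [bool]$enrollments
        MdmProvider   = ($enrollments | Select-Object -First 1 -ExpandProperty ProviderID)
    }
}

$result = Get-DeviceEnrollmentState
$result | Format-List

# A device that is Azure AD joined but has no MDM enrollment has missed
# auto-enrollment; a device with neither is outside management entirely.
if ($result.AzureAdJoined -and -not $result.MdmEnrolled) {
    Write-Warning 'Azure AD joined but not MDM enrolled: check the MDM user scope in Azure AD > Mobility (MDM and MAM).'
}
```

The warning condition is the usual case behind "policy never applied" tickets: the device joined Azure AD, but the user was not in the MDM user scope at join time, so no enrollment record was created.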
An MDM authority such as Intune provides the following capabilities:
●● Device enrollment. MDM can manage only supported devices that are enrolled in MDM. A device can include MDM client functionality, as Windows 10 does; otherwise you must install the Intune Company Portal app to be able to manage it, for example on Android or iOS devices.
●● Configuring devices. You can use profiles and policies to configure devices, control user access, and
set device settings to comply with company policy. You can also deploy settings for devices to be able
to access company resources, such as Wi-Fi profiles and virtual-private network (VPN) profiles and
control access to company resources by using conditional access.
●● Monitoring and reporting. In the MDM management tool, you can receive notifications about
devices that have issues or if the MDM policy wasn’t successfully applied, such as when devices do not
comply with a company baseline. You can also add enrolled devices to groups, and view a list of
enrolled devices. Using Intune, you can also configure Windows Autopilot device deployment.
●● Application Management. By using MDM and MAM together, you can deploy applications, manage
their settings, and separate data created by personal and business apps.
●● Selectively delete data. If a device is lost or stolen, or if the user is no longer with the company, you
can wipe company data that was stored on the device. You can wipe all device data, or perform a
selective wipe, which leaves personal user data on the device.

Why business environments need MDM
A substantial number of devices that are sold today and used in enterprise environments are laptops,
tablets, or other mobile devices. These devices present unique management challenges to enterprise IT
departments, different from those encountered when managing more traditional desktop computers.
These challenges might include:
●● Mobile devices connecting to hostile networks. Although you can protect the organizational network and keep it free of threats, mobile devices frequently connect to networks outside the organization. A person’s home network might be safe, but organizational computers often connect to Wi-Fi access points in public places such as airports and cafés. Wi-Fi access points can enable malicious hackers to capture network traffic or allow them to attempt to insert malware into browsing sessions to compromise the computer.
●● Mobile devices intermittently connecting to organizational networks. Because mobile devices are not always on the organizational network, it’s difficult to manage them using tools such as Group Policy, which assume that the devices are always connected to the organizational network.
●● Backing up data. Data on mobile devices is often not backed up. When a device is connected to the organizational network, users are more likely to use documents in central locations such as file shares and SharePoint sites. Data on mobile devices is more likely to be stored only on those mobile computers. This means that if a mobile computer is lost, stolen, or suffers a hardware failure, the unique copy of that organizational data is likely to be lost.
●● Mobile devices more easily lost or stolen. The average cost of replacing a stolen device can exceed
the purchase price of the device. This cost is higher because the organization must reconfigure the
new device, and determine what data was on the lost or stolen devices. In some cases, that data exists
only on the mobile device and is therefore lost to the organization.
●● Compromised devices connect to the internal network. A mobile device that is infected with
malware can introduce that malware into the organization. Therefore, organizations must treat mobile
devices as possible malware vectors.
Many mobile devices run the iOS or Android operating systems. This provides a challenge to organizational IT departments who need to balance the user’s desire to use the platform of their choice with the organization’s need to ensure that only authorized people and devices access sensitive applications and data. When considering a mobile device support policy, you must take the following questions into account:
●● Is the device owned by the user or the organization?
●● Should you permit user-owned devices to access sensitive applications and data? Or only if the owner
consents to having the device managed by the IT department?
●● What actions can organizations take to protect data stored on the device, if the device is lost or the
user leaves the company?
Because mobile devices are more likely than larger devices such as laptops to be lost or stolen, the loss can mean that gigabytes of organizational data can potentially be made public. Organizations that allow mobile devices to have access to sensitive data need to have policies in place to address what happens if the user loses or misplaces the device, or the user (who is the owner of the device) leaves the organization.

How Microsoft 365 provides MDM and MAM
Windows 10 devices have built-in mobile device management features in the operating system. Therefore, the preferred method for managing these devices is to enroll them as mobile devices with Intune. You must use device enrollment for devices running any operating system other than Windows, such as those running iOS, macOS, or Android.
You can use automatic enrollment to MDM for Windows 10 devices. Other devices, such as Android and iOS devices, can only be enrolled to MDM manually by using the Company Portal app. The Company Portal app is available as a free app in the Google Play store and the Apple App Store.
Intune supports devices running the following operating systems through device enrollment:
●● Apple iOS 9.0 and later
●● Mac OS X 10.9 and later
●● Android 4.4 and later, including Android for Work and Samsung Knox
●● Windows Phone 8.1, Windows RT 8.1, and Windows 8.1 (sustaining mode)
●● Windows 10 and Windows 10 Mobile
●● Windows 10 IoT Enterprise and Windows 10 IoT Mobile Enterprise

After you have enrolled devices, you can use Intune device profiles to manage various aspects of your
devices’ configuration. The following table shows the most common device profiles for Windows 10.

Email: Manages Exchange ActiveSync settings on devices.
Wi-Fi: Allows you to manage wireless network settings for users and devices. In Windows 10, managing settings for users allows them to connect to corporate Wi-Fi without having to configure the connection manually. Instead, they can import a configuration that was previously exported from another device.
VPN: Configures VPN settings for devices.
Education: Configures options for the Take a Test app in Windows 10.
Certificates: Allows you to configure trust and other certificates used for Wi-Fi, VPN, and email profiles.
Edition upgrade: Allows you to permit users to upgrade some versions of Windows 10.
Endpoint protection: Configures settings for BitLocker and Windows Defender.
Windows Information Protection: Allows you to configure Windows Information Protection for data loss prevention.

Data Protection and compliance, and how Microsoft 365 services provide for these
Every company has data that it must protect, including personally identifiable information (PII) such as social security numbers, credit card numbers, or company financial data. Part of the protection a company must provide is ensuring that data is not purposefully or accidentally exposed to unauthorized people.

DLP
DLP is the capability built into Microsoft 365 that helps your organization ensure that data loss or misappropriation doesn’t occur. Using Microsoft 365, you can create DLP policies that protect the following applications:
●● Exchange Online
●● SharePoint Online
●● OneDrive for Business
●● Desktop versions of Excel, PowerPoint, and Word
Microsoft 365 DLP protection allows you to:
●● Identify and continuously monitor and report on sensitive information.
●● Prevent accidental sharing of sensitive information.
Microsoft 365 also allows you to educate users about DLP policies and protect data without interrupting their work. You can set DLP policies to show a policy tip or send an email when users try to share protected information. You can allow users to override the policy and share information despite the policy.
The Security & Compliance center includes built-in DLP reports. These reports tell you the number of
policy matches over time, and the number of times that policies were overridden or that users indicated
that a policy rule created a false positive. This information can help you understand how DLP policies
affect your business, and it also allows you to modify and improve your policies over time.
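The policy behaviour described in this section (the protected workloads, the policy tip, the email notification and the user override) maps directly onto the cmdlets of Security & Compliance PowerShell. The block below is an added example, not course material or a Microsoft sample: it creates one policy and one rule for credit card numbers shared outside the organization, deliberately in test mode so the DLP reports mentioned above can be used to judge false positives before anything is blocked. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a compliance admin role; the policy name, rule name and tip text are made up.

```powershell
# Added example (not course material): a DLP policy for Exchange Online,
# SharePoint Online and OneDrive for Business, built with Security & Compliance
# PowerShell. Assumes: Install-Module ExchangeOnlineManagement has been run and
# the account can manage compliance. Names and tip text are placeholders.
Connect-IPPSSession

# Create the policy in test mode first: matches are reported and users see
# policy tips, but nothing is blocked. The built-in DLP reports (policy matches,
# overrides, false positives) then show whether the rule is tuned correctly.
New-DlpCompliancePolicy -Name 'Example - Credit card numbers' `
    -Comment 'Added example policy; review DLP reports before switching Mode to Enable' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# The rule: one or more credit card numbers shared with people outside the
# organization. Show a policy tip, notify the person who last modified the item
# and its owner, and allow an override with a business justification or a
# false-positive report so that legitimate work is not blocked outright.
New-DlpComplianceRule -Name 'Example - Credit card numbers shared externally' `
    -Policy 'Example - Credit card numbers' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item appears to contain credit card numbers. Sharing it outside the organization is restricted.' `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# Confirm what was created and that the policy is still in test mode
Get-DlpCompliancePolicy -Identity 'Example - Credit card numbers' |
    Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy 'Example - Credit card numbers' |
    Select-Object Name, AccessScope, BlockAccess, NotifyAllowOverride
```

Once the reports show an acceptable override and false-positive rate, the same policy is enforced with `Set-DlpCompliancePolicy -Identity 'Example - Credit card numbers' -Mode Enable`; nothing in the rule needs to change.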

Information Rights Management
Organizations also need to protect data after it leaves the company. To meet this need, systems based on
Information Rights Management (IRM) are used to make protection an inherent part of documents. An
employee can create a document and then determine the level of protection that should apply to the
document, such as preventing unauthorized users from opening the document. In some scenarios,
protection can also be applied automatically based on conditions that the administrator defines.
IRM systems require setting up both client and server environments. The client app that opens a document is responsible for processing protection rules after checking for authorization updates with the server component of the system.
Azure Rights Management (Azure RMS) is the protection technology used by Azure Information Protection (AIP) to provide for IRM in Office 365. AIP is cloud-based and enables you to classify and protect documents and emails by using labeling.
In the following example, a user has entered information into an email message that the administrator
has configured as being sensitive. The message is classified as sensitive based on labels and rules that can
detect sensitive information, as defined by an administrator. The user submitting the email message sees
a notification with recommendations.

You configure labels, label policies, and sensitive information types by using Security & Compliance from
the Office 365 portal.

Windows Information Protection
Windows Information Protection (WIP) is a set of technologies that protect your organization from
accidental or malicious data leaks, without significant changes to your enterprise environment or apps. It
provides this protection to both enterprise-owned devices and BYOD devices, and it does so without
interfering with employees’ regular workflows. With the growth in the number of mobile devices and
personal devices, this protection is needed more than ever.
WIP helps you to overcome several common challenges by providing:
●● Separation between personal and corporate data. Users do not need to choose which app to use
for which data.
●● Additional protection to LOB apps. You can add protection without modifying the app.
●● Ability to perform a selective wipe. You can remove corporate data from a device without removing
personal data.
●● Audit reporting. WIP gives you the ability to track and report on policy issues and the actions
performed in response to policy violations.
●● Management system integration. WIP integrates with Intune, SCCM, and other MDM systems.
These benefits can help you to protect enterprise data in a variety of scenarios:
●● Encrypt data on a device. When copying or downloading organizational data from SharePoint,
OneDrive for Business, network shares, or other locations using a device that is managed by using
WIP policies, WIP encrypts the data on the device even if the device is personally owned.
●● Control which apps can access corporate data. Apps that you have included on the Allowed Apps
list can access organizational data, while apps that are not on the list have more limited capabilities.
For example, if the policy is set to Override mode, when a user tries to copy data from an allowed app
to a personal app a warning notice will ask for confirmation to perform a potentially unsafe action.
●● Support apps that allow users to work with both personal and corporate data. Some apps, such as Word, automatically detect when a file contains corporate data and should be WIP-protected. They maintain that protection when saving a file locally or on removable media. This protection is maintained even if the file name changes or if the data is stored with unencrypted personal data.
●● Prevent use of personal apps and services. You can prevent accidental release of organizational
data to public spaces and social media by preventing users from using applications such as a personal
OneDrive to store files. You can also prevent users from copying data from allowed apps to social
media such as Twitter or Facebook.
●● Remove corporate data from lost or stolen devices, or devices owned by ex-employees. You can
remove organizational data from, and unenroll any devices (including personal devices) that are
enrolled in Intune even if the device is lost or stolen. This does not affect personal data.

Compliance
Data is important, managing data is critical, and compliance with data management standards is vital. Microsoft 365 enables you to become and remain compliant with governmental standards across the globe. It’s estimated that there are over 200 updates from over 700 regulatory bodies each day. Trying to keep up-to-date with regulatory changes can be challenging.
In Microsoft 365, Compliance Manager helps you to manage regulatory compliance. Using a dashboard
view, it provides a view of standards, regulations, and assessments. Compliance Manager provides:
●● Certification assessment control definitions.
●● Guidance on implementing and testing controls.
●● Risk-weighted scoring of controls.
●● Role-based access management.
●● In-place control action assignment workflow to track control implementation, testing status, and
evidence management.
To find out more, watch the following video about Compliance Manager:

Microsoft 365 endpoint management features
Let's do a quick activity to test your knowledge of endpoint management features. Click on the button
below to open this review activity full screen.
LAUNCH ACTIVITY: https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_02_03_06_EndpointManagementtutorial.html

Collaboration in Microsoft 365

Introduction
Users collaborate. They work together; they meet online; they share data and ideas. And you must provide services in their IT infrastructure that enable them to do these things. By using Microsoft 365, you can enable your users to collaborate and communicate.
After this lesson, you should be able to:
●● Compare collaboration and communication, and explain how Microsoft 365 can address businesses’
collaboration needs.
●● Compare Skype for Business Online with Microsoft Teams.
●● Select the appropriate collaboration tool.

Collaboration vs. Communication, and how Microsoft 365 services provide collaboration
Users work in a number of different ways. Sometimes they work along departmental lines; other times
they work in project groups made up from team members from other departments. Often they work with
people from outside their own organization, such as suppliers and customers.
As a result, you must provide your users with the means to share their documents and data. This is known as collaboration. It’s also necessary to enable these users to discuss their work. This is known as communication.
Microsoft 365 provides a number of different services that enable either collaboration, communication, or
both.

Collaboration services
You can use the following services to enable collaboration between your employees:
●● Teams. With Teams, you can create projects, share files within a project, create a wiki platform for your
project, track activities, and chat and call your colleagues.
●● SharePoint Online. With SharePoint, you can easily collaborate with colleagues and external contacts
through the use of file sharing, content management, Team sites, intranets, and automated workflow.
●● Yammer. You can use Yammer to engage with others through polls and announcements, and share
content with files and notes.
●● Exchange Online Public folders. Public folders is a feature of early versions of Exchange Server for
on-premises collaboration. Exchange Online also supports this feature to enable support for your
apps that require public folders.
●● Skype for Business Online. Although primarily a communications platform, you can also collaborate
using Skype for Business Online by recording meetings, screen sharing, and PowerPoint annotation.
Use whiteboard, polls, Q&A, and built-in IM chats during your business meetings to make them more
productive.

Communication services
You can use the following services to enable communication between your employees:
●● Exchange Online. Exchange Online provides email services for communications.
●● Skype for Business Online. Skype for Business Online is primarily a communications platform,
providing for presence, instant messaging, audio calls, and video calls. It also supports broadcasting.
●● Teams. Teams supports communications through the use of instant messaging, and both audio and
video calls.
●● Yammer. Yammer enables users to participate in chats and calls and is basically an enterprise social
networking app.

Skype for Business Online vs. Teams
Microsoft recently announced its intention to move Office 365 and Microsoft 365 Skype for Business Online users to Teams. If you’re a current Skype for Business Online user, what does this mean for you? Furthermore, if you are currently considering implementing a collaborative platform, should you choose Skype for Business Online or opt for Teams?
NOTE: Microsoft Teams is now the primary client for messaging, meetings and calling in Office 365. Soon,
new Office 365 customers with 500 users or less will be onboarded to Microsoft Teams and will no longer
have access to Skype for Business Online. Tenants that are already using Skype for Business Online will be
able to continue doing so (including provisioning new users) until they complete their transition to
Microsoft Teams.

Features of Skype for Business Online
Skype for Business Online provides the following features:
●● Instant messaging, presence, and contacts
●● Skype-to-Skype audio, video, and media
●● Federation and public IM connectivity
●● Online meetings
●● Security and archiving
●● Interoperability with SharePoint (presence and click-to-communicate in SharePoint sites)
●● Interoperability with Exchange (calendar information, unified contact store, archiving, out-of-office
messages)
●● Audio conferencing
●● Skype meeting broadcast

Features of Teams
Teams provides the following features:
●● Teams and channels
●● Presence
●● Guest access

●● Meetings
●● Cloud video interoperability
●● Live events
●● Cloud voice
●● Audio conferencing
●● Interoperability with SharePoint (a new SharePoint online site is created for each Team)
●● Interoperability with Exchange (an Exchange Online shared mailbox and calendar is created for each
Team)
You can discover more about the transition from Skype for Business to Teams by visiting the following
website: https://docs.microsoft.com/en-us/microsoftteams/faq-journey.

Choosing the right collaboration solution according to business needs
The collaboration tool that you select from Microsoft 365 will vary depending upon your organization and its business needs. Use the following to help provide some guidance:
●● Find yourself using email most of the time? Then, use groups in Exchange Online/Outlook for email-
based collaboration.
●● Want to connect across your organization to have company-wide discussions? Use Yammer, the social
network for work, to create communities of interest.
●● Participating in project work with colleagues? Use Microsoft Teams, the chat-based workspace.
●● Want to make calls and hold online meetings? Use Skype for Business for voice and video meetings
on any device.
●● Need to store and share team files? Use SharePoint for file collaboration and intranet sites.
Let's do a quick activity to test your knowledge of how to choose the right collaboration solution according to business needs. Click on the button below to open this review activity full screen.
LAUNCH ACTIVITY: https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_02_04_04_CollaborationBusinesstutorial.html

Lab - Configuring Microsoft 365 tenant

Lab Introduction
This lab is designed to reinforce the concepts to which you were introduced and the knowledge you have
gained in this module. In this lab, you will use various administrative portals to manage your Microsoft
365 tenant. You will also create both user and group accounts, and assign licenses to users.
Please note that this lab has two exercises, each with multiple tasks. For a successful outcome, the
exercises and their corresponding tasks must be completed in order.

Exercise 1: Exploring the Microsoft 365 tenant

Task 1: Sign in to the tenant
1. Open Microsoft Edge.
2. Navigate to http://www.office.com/.
3. Sign in with the global admin account you have been provided with.
4. Click the Admin tile.

Task 2: Explore the Microsoft 365 admin center
1. In the Microsoft 365 admin center, in the navigation pane, select Show more.
2. Expand Users, and then select Active users. View the available accounts.
3. Select the top user in the list by clicking their name. A blade opens that displays more details for the
account. Close the blade by clicking X in the upper right corner of the blade.
4. Expand Groups, and then select Groups. There are a number of groups already configured in the
tenant.
5. Select the one at the top by clicking its name. Details for the group are displayed. Close the blade by
clicking X in the upper right corner of the blade.
6. Expand Billing, and then select Subscriptions. At least one subscription is displayed.

Task 3: Explore the Azure Active Directory admin center


1. Expand Admin centers, and then select Azure Active Directory. Notice that a new tab opens in
Microsoft Edge.
2. In the Azure Active Directory admin center, on the Dashboard, select Azure Active Directory from
the navigation pane.
3. Click Users. Notice the same user accounts are displayed.
4. Close the Users – All users blade and then click Groups. You can see the same groups.

4 http://www.office.com/
5. Close the Groups – All groups blade.


6. Click Company branding.
7. In the details pane, click Default. Notice the images configured for branding.
8. Close the Edit company branding blade.

Task 4: Explore the Intune classic portal


1. Open Microsoft Internet Explorer and navigate to portal.azure.com. (You need Internet Explorer to
view the Intune classic portal.) Sign in using the global admin account assigned to the tenant.
2. In the search box, type Intune, and then click Intune.
3. In the details pane, click Classic portal. A new tab opens.
4. In the Classic portal, click GROUPS.
5. Click Groups. Notice the text that informs you that groups are managed in the Azure Active Directory
portal. This is because many administrative tasks are now performed using the new portal.
6. Click POLICY, then click Configuration policy. Notice that no policies display.
7. Click ADMIN, and then explore the available options.
8. Close Internet Explorer.

Task 5: Explore the Intune portal


1. Switch to Microsoft Edge and select the tab that contains the Microsoft 365 admin center.
2. From Admin centers, click Intune. A new tab opens.
3. If prompted, select your global admin account.
4. In the navigation pane, click Device enrollment, and then click Windows enrollment. You can
configure settings such as Windows Autopilot devices and profiles here to manage Windows 10
enrollment.
5. In the navigation pane, click Software updates, and then click Windows 10 Update Rings. You can
configure how to apply feature and quality updates to your Windows 10 computers from here.
6. In the navigation pane, click Device configuration and then click Profiles. You can create and
configure profiles that will configure your devices from here.
7. In the navigation pane, click Roles and then click All roles. You can define administrative privileges
here.
8. In the navigation pane, click Dashboard.

Exercise 2
Configuring new user and group accounts

Task 1: Add a user


1. Switch to the Azure Active Directory admin center, and in the navigation pane, select Azure Active
Directory, and then select Users.
2. In the Users - All users blade, select + New user.


3. In the User blade, enter the following information:
●● Name: Enter your name
●● Username: Your_first_name@yourtenant.onmicrosoft.com
4. Select Profile, enter the following information, and then select Ok:
●● First name: Your first name
●● Last name: Your last name
●● Department: IT
5. Select Groups.
6. Scroll down and select IT.
7. Click Select.
8. Select the Show Password check box, and note the password for later use.
9. Select Create.

Task 2: Create a group


1. In the navigation pane, click Azure Active Directory, and then click Groups.
2. Click New group.
3. In the Group blade, in the Group type list, select Security.
4. In the Group name box, type Windows 10 Deployment.
5. In the Group description box, type Windows 10 Deployment Team.
6. In the Membership type list, notice that you can choose Assigned, Dynamic User, and Dynamic
Device. Select Assigned.
7. Click Members.
8. On the Members blade, scroll down and select your account and then also select both Emily Braun
and Adele Vance.
9. Click Select.
10. On the Group blade, select Create.
11. Navigate to All groups, scroll down and verify that the IT group now displays.

Task 3: Assign licenses


1. In Microsoft Edge, switch to the Microsoft 365 admin center tab, and then click Billing.
2. Click Subscriptions, and then click the Assign to users shortcut.
3. Select your own account and then, next to Product licenses, click Edit.
4. In the Location list, select your current location.
5. Enable an Office 365 Enterprise E5 license for your account and then click Save.
6. Click Close twice.
7. Close all open windows.
Module Assessment
Questions
Multiple choice
Which edition (or editions) of Windows 10 include Microsoft User Experience Virtualization (Microsoft
UE-V)? (Choose all that apply.)
†† Windows 10 Home
†† Windows 10 Pro
†† Windows 10 Enterprise

Checkbox
You want the ability to communicate with colleagues by using instant messaging. Which Microsoft 365 app
(or apps) enable this? (Choose all that apply)
†† Microsoft Exchange Online
†† Skype for Business Online
†† Microsoft SharePoint online
†† Microsoft Teams

Checkbox
Which of the following can be described as collaboration services in Microsoft 365? (Choose all that apply)
†† Yammer
†† Sway
†† Teams
†† Microsoft OneDrive for Business
†† Skype for Business

Multiple choice
Which Microsoft 365 service or app enables you to manage users’ devices? (Choose all that apply)
†† Exchange Online
†† Teams
†† Microsoft Intune
†† Microsoft Azure Active Directory (Azure AD)
†† Microsoft Office 365 ProPlus
Multiple choice
Which offers high availability without needing to purchase additional hardware? (Choose the correct
answer)
†† Microsoft Exchange Server
†† Exchange Online

Multiple choice
Which solution provides antimalware protection by default? (Choose the correct answer)
†† SharePoint Online
†† Microsoft SharePoint Server

Multiple choice
Which solution provides for meeting broadcasts? (Choose the correct answer)
†† Skype for Business Server
†† Skype for Business Online

Multiple choice
Which Windows as a service (WaaS) update channel does not receive feature updates? (Choose the correct
answer)
†† Windows Insider program
†† Semi-Annual Channel
†† Semi-Annual Channel (Targeted)
†† Long-Term Servicing Channel

Checkbox
Which of the following is a cloud-based deployment or dynamic provisioning method? (Choose all that
apply)
†† Image deployment using Microsoft System Center Configuration Manager (SCCM)
†† Subscription activation
†† Windows Autopilot
†† Windows Configuration Designer provisioning packages
Checkbox
Which of the following statements about Windows Autopilot is true? (Choose all that apply)
†† You must use images.
†† You do not need to deploy and maintain a deployment infrastructure.
†† You must customize the deployments by injecting drivers.
†† You can restrict the creation of the Administrator account.
†† You can customize the out-of-box experience (OOBE) content specifically to your organization.
†† You cannot join devices to Azure AD automatically.

Checkbox
In which Microsoft 365 Enterprise subscription is Intune included? (Choose all that apply)
†† Microsoft 365 E3
†† Microsoft 365 E5

Multiple choice
In which Microsoft 365 Enterprise subscription is Microsoft Azure Information Protection (MSIP) included?
(Choose all that apply)
†† Microsoft 365 E3
†† Microsoft 365 E5

Multiple choice
You want to implement Azure AD Identity Protection. Which version (or versions) of Azure AD includes this
feature? (Choose all that apply)
†† Azure AD Free
†† Azure AD Basic
†† Azure AD Premium P1
†† Azure AD Premium P2

Multiple choice
You have a mix of devices in your organization. Some are Active Directory Domain Services (AD DS)
domain-joined while others are not. You want to use a centralized management approach. What should you
do? (Choose the best answer)
†† Implement Group Policy configuration for all domain-joined devices.
†† Implement a mobile device management (MDM) system to manage the non-domain-joined devices.
†† Implement Group Policy configuration for all devices.
†† Implement an MDM system to manage all devices.
Multiple choice
You must manage devices running the following operating systems: iOS, Windows 10, Android, and macOS.
Which device management approach should you take? (Choose the correct answer)
†† Use Group Policy Objects (GPOs) to manage the devices.
†† Use Intune to manage the devices.
Answers
Multiple choice
Which edition (or editions) of Windows 10 include Microsoft User Experience Virtualization (Microsoft
UE-V)? (Choose all that apply.)
†† Windows 10 Home
†† Windows 10 Pro
■■ Windows 10 Enterprise
 
Checkbox
You want the ability to communicate with colleagues by using instant messaging. Which Microsoft 365
app (or apps) enable this? (Choose all that apply)
†† Microsoft Exchange Online
■■ Skype for Business Online
†† Microsoft SharePoint online
■■ Microsoft Teams
 
Checkbox
Which of the following can be described as collaboration services in Microsoft 365? (Choose all that
apply)
■■ Yammer
†† Sway
■■ Teams
†† Microsoft OneDrive for Business
■■ Skype for Business
 
Multiple choice
Which Microsoft 365 service or app enables you to manage users’ devices? (Choose all that apply)
†† Exchange Online
†† Teams
■■ Microsoft Intune
†† Microsoft Azure Active Directory (Azure AD)
†† Microsoft Office 365 ProPlus
 
Multiple choice
Which offers high availability without needing to purchase additional hardware? (Choose the correct
answer)
†† Microsoft Exchange Server
■■ Exchange Online
 
Multiple choice
Which solution provides antimalware protection by default? (Choose the correct answer)
■■ SharePoint Online
†† Microsoft SharePoint Server
 
Multiple choice
Which solution provides for meeting broadcasts? (Choose the correct answer)
†† Skype for Business Server
■■ Skype for Business Online
 
Multiple choice
Which Windows as a service (WaaS) update channel does not receive feature updates? (Choose the
correct answer)
†† Windows Insider program
†† Semi-Annual Channel
†† Semi-Annual Channel (Targeted)
■■ Long-Term Servicing Channel
 
Checkbox
Which of the following is a cloud-based deployment or dynamic provisioning method? (Choose all that
apply)
†† Image deployment using Microsoft System Center Configuration Manager (SCCM)
■■ Subscription activation
■■ Windows Autopilot
■■ Windows Configuration Designer provisioning packages
 
Checkbox
Which of the following statements about Windows Autopilot is true? (Choose all that apply)
†† You must use images.
■■ You do not need to deploy and maintain a deployment infrastructure.
†† You must customize the deployments by injecting drivers.
■■ You can restrict the creation of the Administrator account.
■■ You can customize the out-of-box experience (OOBE) content specifically to your organization.
†† You cannot join devices to Azure AD automatically.
 
Checkbox
In which Microsoft 365 Enterprise subscription is Intune included? (Choose all that apply)
■■ Microsoft 365 E3
■■ Microsoft 365 E5
 
Multiple choice
In which Microsoft 365 Enterprise subscription is Microsoft Azure Information Protection (MSIP) included?
(Choose all that apply)
†† Microsoft 365 E3
■■ Microsoft 365 E5
 
Multiple choice
You want to implement Azure AD Identity Protection. Which version (or versions) of Azure AD includes
this feature? (Choose all that apply)
†† Azure AD Free
†† Azure AD Basic
■■ Azure AD Premium P1
†† Azure AD Premium P2
 
Multiple choice
You have a mix of devices in your organization. Some are Active Directory Domain Services (AD DS)
domain-joined while others are not. You want to use a centralized management approach. What should
you do? (Choose the best answer)
†† Implement Group Policy configuration for all domain-joined devices.
†† Implement a mobile device management (MDM) system to manage the non-domain-joined devices.
†† Implement Group Policy configuration for all devices.
■■ Implement an MDM system to manage all devices.
 
Multiple choice
You must manage devices running the following operating systems: iOS, Windows 10, Android, and
macOS. Which device management approach should you take? (Choose the correct answer)
†† Use Group Policy Objects (GPOs) to manage the devices.
■■ Use Intune to manage the devices.
 
Module 3 Security, compliance, privacy, and trust in Microsoft 365

Organization security review


Introduction
Many organizations are considering moving to the cloud, but some still have security concerns about
making this transition. By using a cloud service, your organization entrusts your service provider to
process your data, and to store and manage your data securely. Microsoft 365 has a number of important
security, compliance, privacy, and trust features. In this module, you will learn about those features.
After this lesson, you should be able to:
●● Describe the key pillars of security.
●● Identify the most common security threats.
●● Select an appropriate security mitigation in Microsoft 365.

Key pillars of security


The goal of any security design is to provide for defense in depth. Defense in depth is a security concept
in which you protect your data by using several layers of security. If a malicious hacker, or attacker,
compromises one layer of defense, other layers continue to offer protection. An analogy for the defense-
in-depth concept is castles. Castles have moats, outer walls, and inner walls. A networking example is the
common practice of having an external firewall, a perimeter network, and an internal firewall, with
additional firewalls that you configure on each host computer.
Note: Firewalls block or allow network traffic based on the traffic’s properties. You can utilize hardware-based firewalls or software firewalls that run on a device (known as host firewalls). Depending on your firewall’s sophistication, you can configure it to block or allow traffic based on the following characteristics:
●● Traffic source and/or destination address
●● Traffic source and/or destination port
●● Traffic protocol
●● Specific packet contents
However, when it comes to data security no single solution can ensure that data remains secure. Instead, organizations must use a layered approach to protect their data. If you want to protect data on your organizational computers, this might involve implementing drive encryption, file and folder permissions, and rights management. If your information is stored in the cloud, then you must also consider implementing appropriate security measures within your cloud-based infrastructure.
Bear in mind that no one security solution will fit all organizations. Consider the various security solutions
and settings as being analogous to a pendulum. At one end of the pendulum’s arc you have a highly
secure system that is so secure it’s almost unusable. At the other end of the arc, you have a highly
useable system that has very little and most likely inadequate security. Each organization must choose
where on that arc they want to operate. Then they must select and configure appropriate security settings
to achieve that goal.

Key pillars of computer security


The key pillars of any computer security system are:
●● Identity and access management
●● Information protection
●● Threat protection
●● Security management

Identity and access management


Identity is used to identify a user so that they can be authorized to access resources within your IT
infrastructure. Typically, we identify users through the use of user accounts; these accounts are assigned
an appropriate level of access or privilege on a particular system. Most people have many user accounts.
These accounts might identify people to their bank, their credit card company, or to their own personal
computer. Your users might have a number of user accounts within your organization, such as Local
accounts, Active Directory Domain Services (AD DS) domain accounts, Microsoft Azure Active Directory
(Azure AD) accounts, and a Microsoft account.
●● Local accounts. A local user account resides on the local Windows 10 device only. It does not allow a user to access resources on other computers. All Windows 10 computers have local accounts, although typically they are not used interactively.
●● Domain accounts. Most organizations implement AD DS forests to consolidate their users’ computers into manageable units known as domains. An AD DS database stores domain user accounts, which the operating system can then use to authenticate users who are trying to access any domain-joined device anywhere in the forest.
●● Azure AD accounts. You can use Azure AD to store user accounts that your users can utilize to access hosted services based in the cloud, such as Microsoft Office 365. For those organizations that maintain an on-premises AD DS environment, Azure AD can integrate with on-premises AD DS deployments. This scenario allows users to access resources from on-premises devices, and from cloud-based services and resources. However, integration often requires synchronization between the two.
●● Microsoft accounts. Your users can use a Microsoft account regardless of their location or the
organization of which they are a member. A Microsoft account includes an email address and a
password that your users use to sign in to different services. Users already have a Microsoft account if
they sign in to services such as Microsoft OneDrive, Xbox Live, Outlook.com (formerly Hotmail), or
Windows Phone. Your users also can use their Microsoft accounts to authenticate with Azure AD. This
scenario is useful when you must support temporary or contract staff as the account is external to the
Azure AD directory.
●● Other accounts. Most users also have access to social accounts, such as Facebook and Twitter. Many
also use Apple and Google accounts to access platform-specific stores and other resources.
Because a user account (or accounts) is the primary means of determining who a user is, it’s important
that we protect the process of verifying identity. Identity protection is the method that you use to do this.
Microsoft 365 includes a number of features that enable you to identify when a user account might have
been compromised. For example, a change in sign-in time of day, or a new or unusual sign-in location
can be signs that an account has been compromised. When you identify these changes, you can take
action.
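The sign-in signals just described (an unusual time of day, a new location, two sign-ins far apart in too short a time) can be checked with a few lines of script. The following is an added example written for this page, not course material or an Azure AD Identity Protection component: it builds a per-user baseline from sign-ins before a cut-off date and then flags later sign-ins that deviate from it. The sign-in records, user names and thresholds are constructed sample values.

```powershell
# Added example (not from the course): a minimal version of the sign-in anomaly checks that
# Azure AD Identity Protection performs at scale. All records below are constructed sample data.

$CutOff = [datetime]'2019-03-08'   # sign-ins before this date form each user's baseline

$SignIns = @(
    [pscustomobject]@{ User = 'adele@contoso.example'; Time = [datetime]'2019-03-04T09:12:00'; Country = 'GB' }
    [pscustomobject]@{ User = 'adele@contoso.example'; Time = [datetime]'2019-03-05T08:55:00'; Country = 'GB' }
    [pscustomobject]@{ User = 'adele@contoso.example'; Time = [datetime]'2019-03-06T17:40:00'; Country = 'GB' }
    [pscustomobject]@{ User = 'adele@contoso.example'; Time = [datetime]'2019-03-11T03:10:00'; Country = 'GB' }  # unusual hour
    [pscustomobject]@{ User = 'adele@contoso.example'; Time = [datetime]'2019-03-11T03:40:00'; Country = 'BR' }  # new country, 30 min later
    [pscustomobject]@{ User = 'emily@contoso.example'; Time = [datetime]'2019-03-04T10:00:00'; Country = 'US' }
    [pscustomobject]@{ User = 'emily@contoso.example'; Time = [datetime]'2019-03-12T11:05:00'; Country = 'US' }
)

function Get-SignInBaseline {
    # Summarise where and when a user normally signs in, using only records before $Before.
    param([object[]]$Records, [string]$User, [datetime]$Before)
    $history = @($Records | Where-Object { $_.User -eq $User -and $_.Time -lt $Before })
    if ($history.Count -eq 0) { return $null }
    $hours = $history | ForEach-Object { $_.Time.Hour }
    [pscustomobject]@{
        Countries    = @($history | ForEach-Object { $_.Country } | Sort-Object -Unique)
        EarliestHour = ($hours | Measure-Object -Minimum).Minimum
        LatestHour   = ($hours | Measure-Object -Maximum).Maximum
    }
}

function Find-AnomalousSignIn {
    # Evaluate every sign-in on or after $Before against the user's baseline and report the reasons.
    param(
        [object[]]$Records,
        [datetime]$Before,
        [int]$HourTolerance = 2,          # hours outside the baseline window that are still accepted
        [int]$TravelWindowMinutes = 60    # two countries inside this window is treated as impossible travel
    )
    $findings = @()
    $previous = @{}                       # last sign-in seen per user, for the travel check
    foreach ($r in ($Records | Sort-Object User, Time)) {
        $last = $previous[$r.User]
        $previous[$r.User] = $r
        if ($r.Time -lt $Before) { continue }          # baseline period is not itself evaluated

        $reasons = @()
        $base = Get-SignInBaseline -Records $Records -User $r.User -Before $Before
        if ($null -eq $base) {
            $reasons += 'no baseline for user'
        } else {
            if ($base.Countries -notcontains $r.Country) { $reasons += "new country $($r.Country)" }
            if ($r.Time.Hour -lt ($base.EarliestHour - $HourTolerance) -or
                $r.Time.Hour -gt ($base.LatestHour + $HourTolerance)) {
                $reasons += "unusual hour $($r.Time.Hour):00"
            }
        }
        if ($last -and $last.Country -ne $r.Country -and
            ($r.Time - $last.Time).TotalMinutes -le $TravelWindowMinutes) {
            $reasons += "country changed from $($last.Country) within $TravelWindowMinutes min"
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                User = $r.User; Time = $r.Time; Country = $r.Country; Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# With the sample data, only adele's two 11 March sign-ins are reported; emily's stays within baseline.
Find-AnomalousSignIn -Records $SignIns -Before $CutOff | Format-Table -AutoSize
```

A real tenant would feed this from the Azure AD sign-in logs rather than an in-script array, and the response (block, or require additional authentication) is the part Identity Protection automates for you; the script only shows why a sign-in is considered risky.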

Information protection
When considering how best to secure your organizational data, it’s important to consider two situations:
●● Data at rest. Data at rest is data stored somewhere, for example on a file server, a hard drive or USB flash drive, or in a mailbox. Each of these storage locations poses different security risks. For example, it’s fairly easy to lose a thumb drive; a laptop is an attractive device for theft; malicious people know that a file server contains organizational data. Each of these situations presents a different challenge for security personnel to solve, whether that’s by using drive encryption, intellectual rights management software, or network security such as firewalls and antimalware.
Note: malware, or malicious software, is software that attackers design to harm computer systems.
Malware can do many things, from causing damage to the computer, to allowing unauthorized parties
remote access to the computer, to collecting and transmitting sensitive information to unauthorized third
parties. There are several types of malware, including computer viruses, computer worms, Trojan horses,
ransomware, and spyware.
●● Data in transit. Any time data moves between a user’s device and the server that hosts their data, it’s
at risk. For example, when a user reads their email on their cellphone, the email message is pushed to
their device. It’s important that not only is the data protected while in transit to the device, but that
the data is sent to the correct device as well. Authentication and encryption are the two technologies
used to help ensure safe transit of data to and from users’ devices, or between devices on your
network.

Threat protection
Threats to your organization’s data and infrastructure can originate from both devices and the network.

Device security
When users connect their devices to your IT infrastructure, they potentially introduce security risks. For
example:
●● Firewall settings. If a device lacks a properly configured firewall, then every time it connects to a
network it’s at risk. This is especially true if the device connects to public, unsecured networks such as
Wi-Fi hotspots.
●● Antivirus / antimalware protection. Without proper antimalware and antivirus software installed
and up to date, a device is at risk of being infected with malware. This software might be transferred
to your organization when an improperly protected user device connects their device to your network.
●● Software fixes and updates. When a weakness or flaw is discovered in an operating system or
application, the software vendor will provide an update (or patch). If a user doesn’t update their
device to include the latest updates, then the device is at risk. This might lead to malicious software
being able to transfer to the device with potential consequences for your organization’s infrastructure.
●● Lax security settings. Most users secure their phones with a PIN, but not all. And often, the PIN is too
short and fairly easy to guess. If a device contains sensitive company data, then that data is at risk on
the device.
●● Poor physical security. Many users are fairly relaxed about where they leave their phones and tablet devices, even their company laptops. Leaving devices in vulnerable places such as internet cafes, airports, or other public places, especially if those devices lack proper security safeguards, can easily lead to data leakage.
Some of the preceding risks can be mitigated with proper end-user education about the importance of security, and guidance on enabling a secure PIN or using the biometric protection built in to many devices these days. (Many laptops, tablets, and mobile devices today offer fingerprint and facial recognition software.) But beyond education, to properly secure your organization’s IT infrastructure you must be able to impose those security settings on devices, including those owned by your users, and restrict access based on failure to adhere to those policies.

Network security
In our connected world, being able to gain access to an organization’s network means getting through
the security door. There are numerous possible forms of network attacks, which can be thwarted by
proper network access planning.
Wi-Fi is extremely convenient, enabling your users to quickly and easily connect their devices to the
network. However, it also makes it easier for a malicious person to also gain access to your network
because they no longer need a physical connection.
To help protect your network, you must take a holistic approach. You must identify each possible threat,
and then plan mitigation for it such as requiring a rigorous form of authentication from connecting
devices. Allow your visitors access to the internet through your infrastructure, but don’t allow it through
the corporate network.

Security management
The final pillar, to some extent, brings the first three together; you must be able to manage your security settings to address the preceding three pillars. Management can be proactive and reactive. In the case of proactive management, you might choose to implement a certain type of authentication in your organization to meet perceived threats. You might choose to implement security policies to require complex passwords, or to use a public key infrastructure (PKI) to ensure more secure identity.
You might also choose to plan to use certain encryption technologies to help to protect data in transit and data at rest, or implement compliance policies on your devices to help to ensure they meet organizational requirements.
In terms of reactive management, you will most likely want access to tools that can help identify security
threats, or infractions that are currently taking place. Monitoring tools can be helpful in these situations,
and can also identify corrective action that you can take to remedy a situation.
Most common security threats


There are many security threats facing IT staff these days. They fall into two broad categories: network security threats and data security threats.

Network security threats


Common network security threats include:
●● An eavesdropping attack (also known as network sniffing), occurs when a hacker captures network
packets in transit on your network.
●● A denial of service (DoS) attack limits the function of a network app, or renders an app or network
resource unavailable.
●● Port scanning attacks, which can identify specific apps running on servers.
●● Man-in-the-middle attacks (MITMs), where a hacker uses a computer to impersonate a legitimate host
on the network with which your computers are communicating.

Data security threats


Common data security threats include:
●● Unauthorized users accessing information on a server.
●● Unauthorized users accessing data from a lost or stolen removable drive.
●● Data leakage arising from a lost or stolen laptop that contains company information.
●● Data leakage arising from user emails with sensitive content inadvertently being sent to unintended
recipient(s).

How Microsoft 365 services address security threats
Microsoft 365 offers a number of security features that you can implement to help mitigate common
security threats. These include:
●● Multi-factor authentication (MFA). Many authentication systems are based on simple password
exchange, which is not a very secure approach. By using multiple factors to authenticate, you can
achieve significant security improvements. MFA relies on users identifying themselves with at least two
authentication factors:
●● Something the user knows, such as a username and password or a PIN
●● Something the user has, such as a digital certificate or smartcard
●● Something the user is, as indicated by the use of facial recognition, fingerprint, or other biometrics.
MFA is provided in Office 365, in Microsoft Azure Multi-Factor Authentication as an additional add-on,
and within Windows 10 through the Windows Hello feature.
●● Mobile device management (MDM). By using MDM, you can configure users’ devices with the
necessary security (and other) settings to help to ensure that users’ devices don’t pose a security risk
when connected to your infrastructure. For example, an MDM policy might require a user to enable
authentication on a cellphone that they use to access corporate email. Office 365 includes basic MDM
capabilities, but Microsoft 365 subscriptions include Microsoft Intune, which provides significantly
more control over your users’ devices.
●● Advanced threat protection. Because email provides a primary means for introducing malware into
an organization, advanced threat protection aims to identify the threats before they land in a user’s
mailbox. This feature is included in Microsoft 365 E5 subscriptions, and provides protection by:
●● Scanning email attachments for malware.
●● Scanning URLs in email messages and Microsoft Office documents.
●● Identifying and blocking malicious files found in online libraries, Microsoft SharePoint, Microsoft
OneDrive, and Microsoft Teams.
●● Checking email messages for unauthorized spoofing.
●● Detecting when someone attempts to impersonate your users and access your organization's
custom domains.
●● Data loss prevention (DLP). This helps to ensure that data stored in SharePoint sites, OneDrive for Business, email, and data created with Microsoft Office programs such as Microsoft Excel, Microsoft Word, and Microsoft PowerPoint do not get into the wrong hands. You can create DLP policies to identify and manage the flow of sensitive data within your organization, and between your organization and other organizations.
●● Encrypted email. By using encryption, you can help ensure that only the intended recipient can view
emails that are sent outside your organization.
●● Azure AD Identity Protection. Because user accounts are critical to helping identify users, helping to
identify unusual account behavior is important. You use this to identify attempts to compromise
accounts, possibly by a hacker or other malicious person. When Azure AD Identity Protection detects
unusual account behavior, it can block account access, or perhaps require additional authentication
options.
●● Privileged identity management. It’s an important tenet of security that you limit the number of administrative accounts. Failure to do so means that many day-to-day operations might be being performed with unnecessary administrative privilege. Privileged identity management can help identify and control admin accounts, and is included as part of Azure AD Premium P2 subscriptions. Privileged identity management enables you to define temporary administrators for when legitimate admin tasks require elevation. This can help to limit the number of permanent administrative accounts.
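To make the DLP entry in the list above concrete, here is an added example (written for this page, not Microsoft's DLP engine or course code) of how a policy recognises one sensitive information type: a pattern match for a payment card number, confirmed with the Luhn checksum so that ordinary reference numbers are not flagged, and an action chosen by how many confirmed matches the content contains. The message text, the card numbers (test values) and the thresholds are constructed for illustration; the real DLP rule definitions are not reproduced here.

```powershell
# Added example (not from the course): the detection step behind a DLP policy for card numbers.
# Sample message and thresholds are constructed; 4111 1111 1111 1111 is a well-known test number.

function Test-LuhnChecksum {
    # Returns $true when the digit string passes the Luhn mod-10 check used by payment card numbers.
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # [string] first, otherwise [int] would give the char code
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardNumber {
    # Finds 13-19 digit runs (spaces or dashes allowed between digits) that also pass Luhn.
    param([string]$Text)
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    $hits = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[^\d]', ''
        $hits += [pscustomobject]@{
            Raw       = $m.Value
            Valid     = Test-LuhnChecksum -Digits $digits
            Masked    = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
        }
    }
    return $hits
}

function Get-DlpVerdict {
    # Maps the number of confirmed matches to a policy action. Thresholds are illustrative only.
    param([string]$Text, [int]$NotifyAt = 1, [int]$BlockAt = 10)
    $confirmed = @(Find-CreditCardNumber -Text $Text | Where-Object { $_.Valid })
    $action = if ($confirmed.Count -ge $BlockAt) { 'Block' }
              elseif ($confirmed.Count -ge $NotifyAt) { 'NotifyUser' }
              else { 'Allow' }
    [pscustomobject]@{
        ConfirmedMatches = $confirmed.Count
        Action           = $action
        Matches          = $confirmed | ForEach-Object { $_.Masked }   # never log the full number
    }
}

# Constructed sample: one real-looking card number and one reference number that fails Luhn.
$SampleMessage = @"
Hi Adele, please process the refund for order 20190311.
Card number: 4111 1111 1111 1111, expires 04/22.
Reference 4111-1111-1111-1112 is an internal ticket id, not a card.
"@

Find-CreditCardNumber -Text $SampleMessage | Format-Table -AutoSize   # two pattern hits, one Luhn-valid
Get-DlpVerdict -Text $SampleMessage                                    # ConfirmedMatches 1, Action NotifyUser
```

The checksum step is what separates a DLP policy from a plain keyword filter: without it the reference number would be reported too, and users learn to ignore noisy policy tips. Masking the matched value before it goes into a report keeps the sensitive data out of the audit trail.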

Security risks and mitigations


Let's do a quick activity to test your knowledge of security risks and mitigations. Click on the button
below to open this review activity full screen.
LAUNCH ACTIVITY1

1 https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_03_01_04_SecurityRisktutorial.html
Identity basics
Introduction
Identity is the primary supporting pillar in any security system. You must be able to identify users (and
devices) before you can determine the level of access or privilege that they have. You can establish
identity through user and device accounts. Typically, an employee has at least one user account, but
many have more depending upon the configuration of an organization’s IT infrastructure. For example,
organizations that implement AD DS only in an on-premises environment tend to have comparatively
simple requirements. However, those organizations that implement hybrid environments have to manage
identities in multiple locations and configure synchronization between those locations.
After this lesson, you should be able to:
●● Describe cloud identity and synchronized identity.
●● Describe Azure AD.
●● Explain why business environments need identity management.
●● Explain why business environments need identity protection.
●● Explain how Azure AD addresses identity management.
●● Describe Azure AD identity protection.

Overview of cloud identity and synchronized identities
One of the most important considerations for implementing user accounts in Microsoft 365 is the way in
which you create and manage those identities. You can choose to maintain identities only in Office 365,
or you can integrate identities with your on-premises AD DS. Each option has different advantages.

Cloud identities
A cloud identity is a user account that exists only in Office 365 or, to be more precise, only in Azure AD.
Azure AD provides an identity store, and authentication and authorization services for Office 365. You can
create a cloud identity with the same name as an on-premises user account, but there is no link between
them. You create cloud identities by using either Office 365 management tools, the Azure AD admin
portal, or Windows PowerShell.

If your organization does not have any on-premises identity infrastructure (such as AD DS domain
controllers), then using cloud-only identities offers significant benefits. They are comparatively simple to
manage, and enable users to gain access to all subscribed cloud services potentially using only one
account.
However, if you also have on-premises identity, then when you create a new user on-premises, you also
need to create that user in Office 365 as a separate step. This also means that users must maintain
separate passwords because there is no password synchronization (by default). If you have both cloud
and on-premises identities, you will most likely configure synchronization or federation between them.

Synchronized identities
A synchronized identity is a user that exists in both on-premises AD DS and Azure AD. The AD DS and the
Azure AD user accounts are linked together. Therefore, any changes that you make to the on-premises
user accounts are synchronized to the Azure AD user account. However, it is important to understand
that the AD DS user and the Azure AD user are two different objects that synchronize a set of attributes.
The Microsoft Azure Active Directory Connect (Azure AD Connect) tool performs the synchronization.
When you implement synchronized identities, AD DS is the authoritative source for most information.
This means that you perform administration tasks mostly on-premises, which are then synchronized to
Office 365. Only a very small set of attributes synchronize from Office 365 back to AD DS on-premises.
Authentication for synchronized identities occurs in Azure AD. The username and password are evaluated
in Azure AD without any reliance on the on-premises infrastructure.
Note: In AD DS, passwords are stored as a hash of the actual user password. This password hash cannot
be used as the password itself, and cannot be reverse engineered to obtain the user’s plain text password.
To synchronize a password, the user password hash is extracted from the on-premises AD DS, and
the plain text version of a user’s password is never exposed to the synchronization process or to Azure
AD (or any of the associated services). When a user presents his or her synced password to Azure AD, it is
checked against the synchronized hash, so there is never a requirement to synchronize the password
itself.
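To make the note concrete, here is an added model (not Microsoft's or the course's code) of the flow it describes: AD DS holds only a hash, the sync agent derives a salted PBKDF2-HMAC-SHA256 value from that stored hash and sends only the derived value, and Azure AD verifies a presented password by recomputing it, with no call back to on-premises. The 10-byte salt and 1,000 iterations follow Microsoft's public description of password hash sync; SHA-256 standing in for the NT (MD4) hash, the contoso.example account and the passwords are assumptions.

```python
import hashlib
import hmac
import os

# Salt length and iteration count follow Microsoft's published description of
# password hash sync; treat them as documentation values, not verified here.
SALT_LEN = 10
PBKDF2_ITERATIONS = 1000
DERIVED_LEN = 32


def on_prem_password_hash(password):
    """The one-way hash AD DS stores. Real AD DS keeps an MD4 (NT) hash; SHA-256
    stands in here (assumption) so the example runs on any Python 3 build."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class OnPremDirectory:
    """AD DS: stores password hashes only, never the plain text."""

    def __init__(self):
        self._hashes = {}

    def set_password(self, upn, password):
        self._hashes[upn] = on_prem_password_hash(password)

    def export_hash(self, upn):
        return self._hashes[upn]


class CloudDirectory:
    """Azure AD: stores a salted PBKDF2 derivation of the on-premises hash."""

    def __init__(self):
        self._creds = {}

    def store_credential(self, upn, salt, derived):
        self._creds[upn] = (salt, derived)

    def verify(self, upn, presented_password):
        """Authenticate in the cloud with no reliance on on-premises AD DS."""
        if upn not in self._creds:
            return False
        salt, expected = self._creds[upn]
        candidate = hashlib.pbkdf2_hmac(
            "sha256", on_prem_password_hash(presented_password), salt,
            PBKDF2_ITERATIONS, dklen=DERIVED_LEN)
        return hmac.compare_digest(candidate, expected)


class SyncAgent:
    """Azure AD Connect role: reads the stored hash, re-hashes it with a fresh
    per-user salt, and sends only the result. It never sees the password."""

    def sync_user(self, on_prem, cloud, upn):
        stored_hash = on_prem.export_hash(upn)
        salt = os.urandom(SALT_LEN)
        derived = hashlib.pbkdf2_hmac(
            "sha256", stored_hash, salt, PBKDF2_ITERATIONS, dklen=DERIVED_LEN)
        cloud.store_credential(upn, salt, derived)
        return derived


def run_scenario():
    """Constructed walk-through: sync, sign in, change the password on-premises, re-sync."""
    on_prem, cloud, agent = OnPremDirectory(), CloudDirectory(), SyncAgent()
    upn = "emily@contoso.example"  # constructed sample account
    on_prem.set_password(upn, "Winter-2019!")
    synced = agent.sync_user(on_prem, cloud, upn)
    results = {
        "correct_password_accepted": cloud.verify(upn, "Winter-2019!"),
        "wrong_password_rejected": not cloud.verify(upn, "winter-2019!"),
        # The value sent to the cloud is not the AD DS hash itself.
        "synced_value_differs_from_on_prem_hash": synced != on_prem.export_hash(upn),
        # The cloud copy cannot be replayed as a password.
        "synced_value_rejected_as_password": not cloud.verify(upn, synced.hex()),
    }
    # AD DS stays authoritative: a change is visible in the cloud only after re-sync.
    on_prem.set_password(upn, "Spring-2019!")
    results["old_password_valid_before_resync"] = cloud.verify(upn, "Winter-2019!")
    agent.sync_user(on_prem, cloud, upn)
    results["new_password_valid_after_resync"] = cloud.verify(upn, "Spring-2019!")
    results["old_password_rejected_after_resync"] = not cloud.verify(upn, "Winter-2019!")
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```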

Federated identities
A federated identity is a synced account that is authenticated by using Active Directory Federation
Services (AD FS). AD FS is deployed on-premises and communicates with AD DS on-premises. When
Office 365 authenticates a federated identity, it directs the authentication request to AD FS. Because the
on-premises user account is used for authentication, the same password is used for signing in to Office
365 and on-premises AD DS.
The main benefit of using federated identities is single sign-on (SSO). Users authenticate at a
domain-joined workstation by using their credentials. SSO uses these credentials to automatically
authenticate to Office 365 services. When you use synchronized identities, the users typically need to enter their
credentials manually when accessing Office 365 services.

Overview of Azure AD

Azure AD constitutes a separate Azure service. Its most elementary form (which any new Azure
subscription includes automatically) does not incur any extra cost and is referred to as Azure AD Free. If you
subscribe to any Microsoft Online business services (for example, Office 365 or Intune), you automatically
get Azure AD with access to all the free features.
Some of the more advanced identity management features require paid versions of Azure AD, Azure AD
Basic and Azure AD Premium. Some of these features are also automatically included in Azure AD
instances generated as part of Office 365 subscriptions. For example, Microsoft 365 E5 subscriptions
include Azure AD Premium 2. The following identifies some of the advanced features in the Premium
plans.
Azure AD Premium P1 Plan Description: For enterprise environments, Azure AD Premium P1 provides
additional features that make it easier to manage users and applications. Some key features are:
●● Self-service group and app management
●● Self-service password reset (writeback to on-premises)
●● Two-way synchronization of device objects
●● Azure MFA
●● Conditional access based on group, location, and device state
●● Unlimited SSO apps
●● Cloud app discovery
●● Microsoft Identity Manager client access license for complex identity synchronization

●● Advanced security and usage reports
●● Azure AD Join features such as:
  ●● Mobile device management autoenrollment
  ●● Self-service BitLocker Drive Encryption recovery
  ●● Add local administrators
  ●● Enterprise State Roaming
Azure AD Premium 2 Plan Description: Additional features in Azure AD Premium 2 include:
●● Azure AD Privileged Identity Management, which enables you to assign administrators as an eligible
admin. When administrators need to perform administrative tasks, they activate administrative
privileges for a predetermined amount of time.
●● Azure AD Identity Protection, which monitors authentication to Azure AD and identifies risks based on
anomalies and suspicious events. Notifications are sent for risk events. You can also create risk-based
conditional policies that can block sign-ins or require MFA.
Consider Azure AD to be an online instance of AD DS (although there are significant differences between
the two). Azure AD provides authentication and authorization for Office 365 and for other Microsoft
cloud offerings, including Intune. As mentioned earlier, authentication through Azure AD can be on a
cloud-only basis, through directory synchronization with on-premises AD DS, or with optional password
synchronization. Alternatively, you can enable user authentication with on-premises user accounts
through AD FS or other SSO providers.

Securing your applications with Azure Active Directory


The primary benefit from implementing identity in the cloud, whether in isolation or in conjunction with
on-premises AD DS, is the ability to use a single account to access all cloud-based apps and data within
Office 365. The following video explains more.

Why business environments need identity management
It’s vitally important to identify your users to ensure that they can access appropriate resources and have
sufficient privilege to perform appropriate tasks; this is known as identity management. Identity
management is the process of defining, assigning, and managing administrative roles and access permissions for
user identities. Within a modern IT infrastructure, this process can become complex because a specific
individual might need to authenticate to several systems and gain access to multiple apps by using a
variety of devices, or perform a variety of management tasks within those systems.
Identity management passes through several stages:
●● Provisioning accounts. This is the first part of identity management, during which you determine
which users in your organization need access to your systems.

●● Managing administrative roles. Most users are created as standard users, but some will require
administrative privileges. Administrative roles enable you to more easily define a level of administrative
privilege on a given part of your infrastructure. When a specific role does not exist, you can create
custom roles and assign the necessary privileges to the role.
●● Assigning permissions. Users need access to resources and apps. This access requires permissions.
Ensuring that user accounts are assigned only the necessary permissions is a significant part of
account management.
●● Retiring the account. People leave organizations, and change jobs within organizations. When this
occurs, you must be able to deprovision the appropriate user account, or, where suitable, repurpose
the account. This might involve unassigning roles, removing permissions, or changing account
properties.
These steps are part of the account lifecycle, and form a major part of account administration. One of the
most critical factors in identity management is to assign the correct rights, privileges, and permissions to
the appropriate user accounts. If you are managing an enterprise environment where accounts exist in
multiple locations (such as AD DS, Microsoft 365, and potentially other directory services), this can be
easy to get wrong.
To streamline your administrative effort, try to implement a solution that enables you to define a single
account for a given entity (a user or a device). You can then grant that account access to resources and
apps across potentially multiple platforms. This is also beneficial for your users as they must remember
fewer disparate account details. This potentially could enable them to have a single account that gives
them access to all their required resources and apps within your organization.
One option is to consider synchronizing your accounts between the various directory services. For
example, you can install and configure Azure AD Connect to synchronize accounts from your on-premises
AD DS to your Microsoft 365 Azure AD tenant.

Why business environments need identity protection
In addition to protecting resources such as devices, documents, and other critical types of data, it’s
necessary to protect user identities, as well. Many of today’s successful cyberattacks are based on identity
theft. This makes identity protection—particularly user accounts that have privileges—highly important
for organizations of all sizes.
Each computer user today has typically at least five, and possibly more than five, identities (or accounts)
for accessing different local or internet-based resources. For example, a typical user might have personal
accounts with:
●● Microsoft, Google, or Apple for email
●● Social accounts such as Facebook, Instagram, or Twitter
●● Business accounts such as LinkedIn
In addition, a typical employee usually has one or more business accounts that they use on information
systems in the organization where they work. Because of all this, a typical user has to remember several
sets of credentials to be able to access the personal and business resources that they use. This usually
leads to a situation where most of the passwords for these accounts are similar or even the same. This
greatly increases the risk of identity theft. If one set of credentials is stolen or discovered in any way, it’s
highly likely that the other identities of the same user will be at a risk.

Because of this, it’s necessary to have an identity protection strategy. Identity protection is a set of
technologies that you implement to help proactively monitor user behavior, especially during
authentication, and to take actions if risk or vulnerability is detected.
For example, if you notice that a user starts signing in from a different city or at peculiar times of the day
(such as out of office hours), or if the user makes a number of failed password attempts, that suggests
suspicious activity, and it might indicate that a user account is compromised. Implementing an identity
protection system can help identify these issues and help to protect the integrity of your account
infrastructure.

Understanding Azure AD as a directory service in the cloud
When deployed locally, AD DS is an identity provider, a directory service, and an access management
solution. Cloud-based identity providers have the same functionality, and Azure AD is an example of such
a provider. While Azure AD is like AD DS, several significant differences between them exist. Because
Azure AD is cloud-based, you don’t need to maintain or update it. As new features are added to Azure
AD, they are automatically available to you. Some features of Azure AD, such as MFA, aren’t typically
available in AD DS. Similarly, some features of AD DS, such as organizational units (OUs) and Group
Policy, aren’t available in Azure AD.

Tenants
Unlike AD DS, Azure AD is multitenant by design, and it is implemented specifically to ensure isolation
between its individual directories. It’s the world’s largest multitenant directory, hosting more than one
million directory services instances, with billions of authentication requests per week. The term tenant in
this context refers to an organization that has subscribed to a Microsoft cloud-based service such as
Office 365, Intune, or Azure, which uses Azure AD but also includes individual users.

Directories
When you provision your first Microsoft cloud service subscription, you automatically generate a new
Azure AD directory instance, referred to simply as a directory. The directory is assigned a default Domain
Name System (DNS) domain name that consists of a unique name of your choice followed by the
onmicrosoft.com suffix. It’s possible and quite common to add at least one custom domain name that uses the
DNS domain namespace that the tenant owns.
The directory serves as the security boundary and a container for Azure AD objects such as users, groups,
and applications. It’s possible for a single directory to support multiple cloud-service subscriptions.
The Azure AD schema contains fewer object types than the AD DS schema. You can’t use Azure AD to
manage computers or user settings by using Group Policy Objects (GPOs). Instead, you use Azure AD to:
●● Provide directory services
●● Store and publish user, device, and application data
●● Manage authentication and authorization of users, devices, and applications
These features are effective and efficient in existing deployments of cloud services such as Office 365,
which rely on Azure AD as their identity provider to support millions of users.

How Azure AD provides for identity protection


The Azure AD Premium tier provides additional functionality over the Free and Basic editions. However,
Premium editions might require additional cost depending upon your Microsoft cloud subscription levels.
Azure AD Premium comes in two versions, P1 and P2.
The following features are available with the Azure AD Premium P1 edition:
●● Self-service group management. Simplifies the administration of groups where users are given the
rights to create and manage groups.
●● Advanced security reports and alerts. You can monitor and protect access to your cloud
applications by viewing detailed logs that show advanced anomalies and inconsistent access pattern reports.
●● MFA. Full MFA works with on-premises applications (using virtual private network (VPN), Remote
Authentication Dial-In User Service (RADIUS), and others), Azure, Office 365, Dynamics 365, and
third-party Azure AD gallery applications. It does not work with non-browser off-the-shelf apps, such
as Microsoft Outlook.
●● Microsoft Identity Manager (MIM) licensing. MIM integrates with Azure AD Premium to provide
hybrid identity solutions. MIM can span multiple on-premises authentication stores such as AD DS,
LDAP, Oracle, and other applications with Azure AD. This provides consistent experiences to
on-premises line-of-business applications and software as a service (SaaS) solutions.
●● Password reset with writeback. Self-service password reset follows the Active Directory on-premises
password policy.
●● Conditional Access based on device, group, or location. This feature lets you configure conditional
access for critical resources, based on multiple criteria.
●● Azure AD Connect Health. You can use this tool to gain operational insight into Azure AD. It works
with alerts, performance counters, usage patterns, and configuration settings to present the collected
information in the Azure AD Connect Health portal.
In addition to the Azure AD Premium P1 features, the Azure AD Premium P2 license provides a number of
advanced functionalities:
●● Azure AD Identity Protection. This feature provides enhanced functionalities for monitoring and
protecting user accounts. You can define user risk policies and sign-in policies. In addition, you can
review users’ behavior and flag users for risk.
●● Azure AD Privileged Identity Management. This functionality lets you configure additional security
levels for privileged users such as administrators. With Privileged Identity Management you define
permanent and temporary administrators. You also define a policy workflow that activates whenever
someone wants to use administrative privileges to perform some task.

Azure AD Identity Protection


Azure AD Identity Protection is a Microsoft implementation of identity protection technology for users of
Office 365 and other Microsoft cloud services. As mentioned earlier, it’s a feature of the Azure AD
Premium P2 license.
Azure AD Identity Protection provides you with the ability to:
●● Proactively recognize potential security risks and identify vulnerabilities in your organization.
●● Automatically apply responses and actions when suspicious activity on one or more identities is
detected.
●● Properly investigate incidents and take actions to resolve them.


Azure AD Identity Protection is more than another reporting and monitoring utility; with this technology,
you can also define risk policies with clearly defined manual or automatic actions.
Azure AD Identity Protection monitors each user session that authenticates on any of your cloud
resources, and calculates the potential risk. The risk is based on factors such as the user location, the application
used to authenticate, and the device the user uses. For example, Azure AD Identity Protection can detect
if the same user tries to authenticate from two geographic locations in a short period of time. It also can
detect if a user tries to authenticate from a location from where they have never authenticated.
Azure AD Identity Protection provides a dashboard where you can monitor in real time the users that are
flagged for risk, how many risk events have happened, and the potential vulnerabilities in your
organization.

Based on a calculated risk, Azure AD Identity Protection can notify administrators, try to remediate the
risk, increase the authentication security requirements, or take another action defined by the risk policy.
The sign-in risk level can be Low and above, Medium and above, and High. For each risk level, you can
define actions such as requiring MFA for sign-in, requiring a password change, or blocking access.
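As an added example (not part of the course), here is the detection and policy logic that the two identity-protection passages above describe, run over constructed sign-in records: it flags repeated failed attempts before a success, off-hours sign-ins, sign-ins from a city the user has never used, and travel between two sign-ins faster than is physically plausible, collapses the signals into a Low/Medium/High level, then applies "level and above" policies such as requiring MFA or blocking. The thresholds, the sample account and the coordinates are assumptions, not Azure AD's internal values.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Thresholds are assumptions for this example, not Azure AD's internal values.
MAX_PLAUSIBLE_SPEED_KMH = 1000  # faster than this between two sign-ins = atypical travel
FAILED_ATTEMPT_THRESHOLD = 3    # consecutive failures just before a success
OFFICE_HOURS = (7, 19)          # local hours considered normal; outside = off hours

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
ACTIONS = {"allow": 0, "require_mfa": 1, "require_password_change": 2, "block": 3}


@dataclass
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float
    result: str  # "success" or "failure"


@dataclass
class SignInRiskPolicy:
    """A 'min_level and above' rule, mirroring the Low/Medium/High tiers."""
    min_level: str
    action: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_level(signals):
    """Collapse the detected signals into one sign-in risk level."""
    if "atypical_travel" in signals:
        return "high"
    if "unfamiliar_location" in signals or "failed_attempts" in signals:
        return "medium"
    if "off_hours" in signals:
        return "low"
    return "none"


def decide(level, policies):
    """Every policy whose tier is met applies; the strictest action wins."""
    action = "allow"
    for p in policies:
        if LEVELS[level] >= LEVELS[p.min_level] and ACTIONS[p.action] > ACTIONS[action]:
            action = p.action
    return action


def assess(events, known_locations, policies):
    """Evaluate successful sign-ins in time order; failures feed the next evaluation.
    Returns one (user, timestamp, level, action, signals) tuple per successful sign-in."""
    last_success = {}      # user -> previous successful SignIn
    pending_failures = {}  # user -> failures since the last success
    decisions = []
    for e in sorted(events, key=lambda s: s.when):
        if e.result != "success":
            pending_failures[e.user] = pending_failures.get(e.user, 0) + 1
            continue
        signals = []
        if e.city not in known_locations.get(e.user, set()):
            signals.append("unfamiliar_location")
        prev = last_success.get(e.user)
        if prev is not None:
            hours = (e.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                signals.append("atypical_travel")
        if pending_failures.get(e.user, 0) >= FAILED_ATTEMPT_THRESHOLD:
            signals.append("failed_attempts")
        if not OFFICE_HOURS[0] <= e.when.hour < OFFICE_HOURS[1]:
            signals.append("off_hours")
        level = risk_level(signals)
        decisions.append((e.user, e.when.isoformat(), level, decide(level, policies), signals))
        last_success[e.user] = e
        pending_failures[e.user] = 0
    return decisions


# Constructed sample data: one user whose only familiar location is Seattle.
KNOWN_LOCATIONS = {"emily@contoso.example": {"Seattle"}}
SAMPLE_POLICIES = [SignInRiskPolicy("medium", "require_mfa"), SignInRiskPolicy("high", "block")]


def sample_events():
    u, t = "emily@contoso.example", datetime.fromisoformat
    seattle, kyiv = (47.61, -122.33), (50.45, 30.52)
    return [
        SignIn(u, t("2019-03-04T08:05:00"), "Seattle", *seattle, "success"),
        SignIn(u, t("2019-03-04T12:40:00"), "Seattle", *seattle, "success"),
        SignIn(u, t("2019-03-05T03:10:00"), "Seattle", *seattle, "failure"),
        SignIn(u, t("2019-03-05T03:11:00"), "Seattle", *seattle, "failure"),
        SignIn(u, t("2019-03-05T03:12:00"), "Seattle", *seattle, "failure"),
        SignIn(u, t("2019-03-05T03:14:00"), "Seattle", *seattle, "success"),  # 3 failures, off hours
        SignIn(u, t("2019-03-05T04:00:00"), "Kyiv", *kyiv, "success"),        # ~8,800 km in 46 min
    ]
```

Running `assess(sample_events(), KNOWN_LOCATIONS, SAMPLE_POLICIES)` yields a none/allow decision for the two daytime Seattle sign-ins, medium/require_mfa for the 03:14 sign-in, and high/block for the Kyiv sign-in.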

Microsoft Azure Active Directory (Azure AD) features


Let's do a quick activity to test your knowledge of Microsoft Azure Active Directory (Azure AD) features.
Click on the button below to open this review activity full screen.
LAUNCH ACTIVITY: https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_03_02_07_ADFeaturestutorial.html

Device and data protection


Introduction
A key task of any administrator is to protect and secure an organization's resources and data. This set of
tasks is typically referred to as device management. Users have many devices from which they open and
share personal files, visit websites, and install apps and games. These same users are also employees who
want to use their devices to access work resources such as email. Device management enables
organizations to protect and secure their resources and data.
After this lesson, you should be able to:
●● Explain the need for device management.
●● Describe how Intune provides device protection.
●● Identify Microsoft 365 services that protect data in your organization.
●● Describe Information Rights Management (IRM).
●● Describe Microsoft Azure Information Protection (AIP).
●● Explain how AIP works.

Why business environments need to protect devices and data
As mentioned earlier in the module, the key pillars of a computer security system are:
●● Identity and access management
●● Information protection
●● Threat protection
●● Security management

Protecting information
With the proliferation of devices such as tablets and phones, it’s becoming increasingly difficult for IT
administrators to manage devices and data that they contain. However, this is vital to an organization’s
security.
Although some organizations currently do not allow their users to bring their own devices and connect
them to their infrastructure, most do allow users access to corporate email via personal cellphones and
tablets. Even this relatively modest access poses risks of data leakage and the introduction of malware
into the organization.
If your organization decides to allow users to connect their devices in some way, it’s important that you
put in place security settings that can help protect your organization from the following threats:
●● Malware. Introduced through unsecured devices and apps.
●● Data leakage. Through:
  ●● Loss or theft of a device that contains corporate data.
  ●● Loss or theft of a storage device (such as a USB drive) that contains corporate data.
●● Inappropriate data access. Caused by access to an unsecured device by malicious persons.

●● Network access. Caused by insufficient security settings on a device, enabling a malicious person to
obtain sensitive data such as user accounts, passwords, and wireless access point settings.

How MDM can help


MDM is an industry standard for managing mobile devices including smart phones, tablets, and laptops.

You implement MDM by using an MDM authority and MDM clients. Microsoft offers two MDM authority
solutions: Intune, and MDM for Office 365. The MDM client functionality is included as part of the
Windows 10 operating system. The MDM authority can manage various devices that include MDM client
functionality, such as the Android, iOS, and Windows 10 operating systems.
MDM functionality typically includes:
●● App distribution
●● Data management
●● Device configuration
Note that to apply these settings, devices must be enrolled in an MDM. You can enroll Windows 10
devices manually or automatically. You must enroll devices running other operating systems manually,
often by installing a specific app.
An MDM authority such as Intune provides the following capabilities:
●● Device enrollment. MDM can manage only supported devices that are enrolled to MDM. Some devices
include MDM client functionality (such as Windows 10); for other operating systems, such as Android
or iOS, you must install the Company Portal app to manage them.
●● Device configuration. You can use profiles and policies to configure devices, control user access, and
set device settings to comply with company policy. You can also deploy settings for devices to access
company resources such as Wi-Fi and VPN profiles, and control access to company resources by using
conditional access.
●● Monitoring and reporting. In the MDM management tool, you can receive notifications about
devices that have issues, or whether MDM policy was not successfully applied, such as when devices
do not comply with a company baseline. You can also add enrolled devices to groups and view a list
of enrolled devices. By using Intune, you can also configure Windows Autopilot device deployment.
●● Application Management. By using MDM and mobile application management (MAM) you can
deploy the applications, manage their settings, and separate data that is created by personal and
business apps.
●● Selective data deletion. If a device is lost or stolen, or if the user is no longer a company employee,
you can wipe company data that’s stored on the device. You can wipe all device data or perform a
selective wipe, which leaves personal user data on the device intact.

How Microsoft 365 device management provides device protection
Using a device management provider, organizations can ensure that only authorized individuals and
devices can access proprietary information. Similarly, device users need not worry about accessing work
data from their phone because they know that their device meets their organization's security
requirements. As an organization, you might ask, “What should we use to protect our resources?” The answer is
Intune.
Intune is a cloud service that helps to manage computers, laptops, tablets, and other mobile devices,
including iOS, Android, and Mac OS X devices. Intune offers both MDM and MAM, uses Azure AD as a
directory store for identity, and can integrate with local management infrastructures such as Microsoft
System Center Configuration Manager (SCCM).
By using Intune, you can:
●● Allow staff to more safely access organizational data by using personal devices, which is commonly
known as Bring Your Own Device (BYOD).
●● Manage corporate-owned phones and limited-use devices through integration with device provider
services such as the Apple Device Enrollment Program and the Samsung Knox mobile security
platform.
●● Control access to Office 365 from unmanaged devices such as public kiosks and mobile devices.
●● Help to ensure that devices and apps that connect to corporate data are compliant with security
policies.

Device management lifecycle


Like most IT management activities, MDM follows a lifecycle. The MDM lifecycle contains four phases:
1. Enroll. In the Enroll phase, devices register with the MDM solution. With Intune, you can enroll both
mobile devices—such as phones—and Windows PCs. When you enroll devices, you can:
  ●● Require users to accept company terms and conditions of use.
  ●● Restrict enrollment to company-owned devices only.
  ●● Require MFA on devices.
2. Configure. In the Configure phase you help to ensure that the enrolled devices are secure and that
they comply with any configuration or security policies. You can also automate common administrative
tasks such as configuring Wi-Fi. You can use policies to:
  ●● Configure endpoint security settings (such as configuring BitLocker and Windows Defender
settings).

  ●● Configure Windows Information Protection (WIP) to help guard against data loss.
  ●● Enable device-compliance policies that can require certain minimal encryption and password
settings, prevent access by rooted devices, and determine a maximum mobile threat defense level.
3. Protect. In the Protect phase, the MDM solution provides ongoing monitoring of the settings
established in the Configure phase. During this phase, you also use the mobile device management
solution to help keep devices compliant through the monitoring and deployment of software updates.
4. Retire. When a device is no longer needed, when it’s lost or stolen, or when an employee leaves the
organization, you should help to protect the data on the device. You can remove data by resetting the
device, performing a full wipe, or performing a selective wipe that removes only corporation-owned
data from the device.
As an example of the MDM lifecycle, let’s use an employee named Emily Braun who has just started at
Contoso. She has a cellphone on which she wishes to read corporate emails. The following workflow is
from the device management perspective:
1. Enroll. When Emily enters the required information to configure her email account, she will be
notified that the organization she is connecting to requires that her device be configured. Assuming
that Emily accepts these conditions, her device is enrolled into MDM at Contoso.
2. Configure. As part of the conditions for allowing Emily access to corporate email, her device is
configured according to compliance policies defined within Microsoft 365 in the Contoso tenant.
These configuration settings might include requiring Emily to configure a PIN to unlock her phone,
and might also require that she enable device encryption.
3. Protect. As Emily uses her device, MDM continues to monitor and maintain her phone. If
organizational needs change, these changes might be reflected in policies that apply to Emily’s device.
4. Retire. Emily has accepted another position outside of Contoso with Adatum. The administration
team at Contoso can now remotely wipe the corporate data from Emily’s phone.

How Microsoft 365 helps protect data in an organization
An important benefit of using MDM technology such as Intune for managing devices is that you can
allow access to email and documents only from devices that are managed by MDM and comply with your
company’s policies. For example, a company policy can specify that user passwords must be complex,
that local data on devices is encrypted, and that the latest updates are installed. This would mean that a
user can access their Microsoft Exchange Online mailbox from a device that meets company policy, but
they cannot read their email from a secondary device that does not have the latest updates installed. If all
other prerequisites are met, the user can access their mailbox from their secondary device after the latest
updates are installed on that device.

Compliance policies
You can define company policies by using the Device Compliance policy in Intune. You can control access
to email, documents, and other cloud apps by using Conditional Access policies. Compliance with
company policy is just one criterion that you can evaluate in Conditional Access policy; you can also
evaluate sign-in risk, device type, location, and client apps.
If a device is not enrolled to Intune, its compliance cannot be evaluated. However, you can prevent access
to mailboxes, documents, and cloud apps from such devices. If a user tries to access his or her mailbox
from such a device, then, depending on how you set the policy, the user might be blocked from accessing
Office 365 resources. They also might be redirected to enroll the device in MDM. Alternatively, the user
could be granted access, but Office 365 would report a policy violation.
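An added example (not Intune's or the course's code) of the evaluation just described: a Device Compliance policy carrying the PIN, encryption, update and rooted-device requirements named on this page, and a Conditional Access rule that grants access to a compliant enrolled device, blocks a non-compliant one, and handles an unenrolled device with one of the three outcomes above (block, redirect to enrollment, or grant and report). Device names, OS release numbers and policy values are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass
class Device:
    name: str
    enrolled: bool                # unenrolled devices cannot be evaluated for compliance
    pin_length: int = 0
    pin_complex: bool = False     # PIN mixes digits with letters or symbols
    storage_encrypted: bool = False
    os_release: int = 0           # constructed release number standing in for "latest updates"
    rooted: bool = False          # rooted or jailbroken


@dataclass
class CompliancePolicy:
    """Device Compliance settings named on this page; the values are constructed."""
    min_pin_length: int = 6
    require_complex_pin: bool = True
    require_encryption: bool = True
    min_os_release: int = 1809
    block_rooted: bool = True


@dataclass
class ConditionalAccessPolicy:
    """What to do with devices Intune cannot evaluate, and whether compliance is required."""
    unenrolled_action: str = "redirect_to_enrollment"  # or "block" / "grant_and_report"
    require_compliant_device: bool = True


def compliance_failures(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return every policy setting the device fails (an empty list means compliant)."""
    failures = []
    if device.pin_length < policy.min_pin_length:
        failures.append(f"pin length {device.pin_length} below {policy.min_pin_length}")
    if policy.require_complex_pin and not device.pin_complex:
        failures.append("pin is not complex")
    if policy.require_encryption and not device.storage_encrypted:
        failures.append("storage not encrypted")
    if device.os_release < policy.min_os_release:
        failures.append(f"os release {device.os_release} below {policy.min_os_release} (updates missing)")
    if policy.block_rooted and device.rooted:
        failures.append("device is rooted or jailbroken")
    return failures


def evaluate_access(device: Device, compliance: CompliancePolicy,
                    ca: ConditionalAccessPolicy) -> Tuple[str, List[str]]:
    """Decide mailbox/document access for one device: (decision, reasons)."""
    if not device.enrolled:
        return ca.unenrolled_action, ["not enrolled in MDM; compliance cannot be evaluated"]
    failures = compliance_failures(device, compliance)
    if failures and ca.require_compliant_device:
        return "block", failures
    return "grant", failures


def run_scenario():
    """Constructed walk-through of the mailbox scenario described above."""
    compliance, ca = CompliancePolicy(), ConditionalAccessPolicy()
    phone = Device("emily-phone", True, 6, True, True, 1809)
    tablet = Device("emily-tablet", True, 6, True, True, 1803)   # latest updates not installed
    kiosk = Device("lobby-kiosk", False)                         # never enrolled
    rooted = Device("rooted-phone", True, 8, True, True, 1809, rooted=True)
    return {
        "phone": evaluate_access(phone, compliance, ca),
        "tablet": evaluate_access(tablet, compliance, ca),
        # Same tablet after the updates are installed: all other prerequisites already met.
        "tablet_after_update": evaluate_access(replace(tablet, os_release=1809), compliance, ca),
        "kiosk": evaluate_access(kiosk, compliance, ca),
        "kiosk_grant_and_report": evaluate_access(
            kiosk, compliance, replace(ca, unenrolled_action="grant_and_report")),
        "rooted": evaluate_access(rooted, compliance, ca),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in run_scenario().items():
        print(f"{name}: {decision} {reasons}")
```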

After a device is enrolled, you continue to manage it through policies. In terms of data protection, you
can create the following types of policy:
●● Device restrictions. Device restrictions control security, hardware, data sharing, and other settings on
the devices. For example, you can create a device restriction profile that prevents iOS device users
from using the device’s camera.
●● Endpoint protection. Endpoint protection settings for devices include:
  ●● Windows Defender Application Guard
  ●● Windows Defender Firewall
  ●● Windows Defender SmartScreen
  ●● Windows Encryption
  ●● Windows Defender Exploit Guard
  ●● Windows Defender Application Control
  ●● Windows Defender Security Center
  ●● Windows Defender Advanced Threat Protection
  ●● Windows Information Protection

●● Identity protection. Identity protection controls the Windows Hello for Business experience on
Windows 10 and Windows 10 Mobile devices. Configure these settings to make Windows Hello for
Business available to users and devices, and to specify requirements for device PINs and gestures.
You can also perform a number of actions on enrolled devices, including:
●● Factory reset
●● Selective wipe
●● Delete device
●● Restart device
●● Fresh start

What is IRM?
In modern enterprises, the increase in collaboration between both internal and external users and the
proliferation of employee-owned devices has increased the risk of accidental or malicious data leakage.
Traditionally, enterprises have controlled access to data by assigning credentials to users. However, user
access control does not prevent authorized users from accidentally sharing files or sending data in email,
which has led to new protection systems.
Organizations implemented DLP to overcome the limitations of systems that are based solely on
authentication and authorization. A DLP system automatically detects and controls data that should be
protected.
Organizations also need to protect data after it leaves the company. To meet this need, you can
implement IRM systems that make protection an inherent part of documents. You might have encountered
IRM protection on documents such as video and audio files that you have streamed from the internet.
These IRM protections prevent you from sharing the files and allow you only to view or listen to the files.
In a workplace, IRM can ensure that an employee can create a document and then determine the level of
protection that should apply to the document, such as allowing only authorized users to open the
document.
IRM systems require setting up both client and server environments. The client app that opens a
document is responsible for enforcing the protection rules, after contacting the server component of the
system to check for authorization updates.

What is Azure Information Protection?


Azure Information Protection is a set of cloud-based technologies that provide classification, labeling,
and data protection. You can use Azure Information Protection to classify, label, and protect data such as
email and documents created in Microsoft Office apps or other supported apps. Instead of focusing only
on data encryption, Azure Information Protection has a wider scope. It provides mechanisms to recognize
sensitive data, alert users when they are accessing or working with sensitive data, and track critical data
usage. However, the key component of Azure Information Protection is data protection based on rights
management technologies.

AIP and Azure RMS


To protect data, Azure Information Protection uses Microsoft Azure Rights Management service (Azure
RMS) technology. Previously, Azure RMS was available as a standalone product, known as Azure RMS and
RMS for Office 365. It’s now integrated in the Azure Information Protection solution, so you can use it
together with classification, labeling, and tracking.

Classification, labeling, and protection


To use Azure Information Protection in its full capacity, you should configure rules and policies for
classification, labeling, and protection. For example, you can configure some data types, keywords, or
phrases to be conditions for automatic or recommended classification.
The Azure Information Protection client component monitors the documents or emails in real time. If it
detects a keyword or a phrase, it recommends a proper classification for a document.
You can also configure Azure Information Protection to apply classification automatically. For example,
you can configure an automatic classification rule that classifies a document as restricted if it contains a
credit card number.
The result of classification is a label. A label is metadata for a document that appears in files and email
headers in clear text. The label is stored in clear text as well, so that other services such as DLP solutions
or protection solutions can identify the classification and take appropriate action. For example, a label
could be confidential, restricted, or public. The label also contains protection configuration if
protection is required by a specific label.
Document protection can be label-based, or an end user can apply it manually. For example, you can
configure an Azure Information Protection policy so it protects each document that is labeled as
confidential. This protection, for example, can provide read-only access for certain users within the company.
After Azure Information Protection applies protection to a document or an email, the protection remains
until an author or a super user removes it. When Azure RMS protects a document, you can also track its
usage by using a dedicated web portal. For each Azure RMS–protected file, you can configure
notifications that you will receive when someone tries to open that file. You can also use the same portal to
revoke access for each protected and shared document.
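The automatic classification rule described above (a document containing a credit card number is classified as restricted, and the resulting label travels with the document as clear-text metadata) can be shown end to end in a short script. The following Python is an added example written for this page, not Microsoft's code or the AIP client; the sample documents are constructed, and the header names X-Classification and X-Protection-Required are hypothetical stand-ins for whatever metadata a real client writes. A Luhn check is used so that an arbitrary 16-digit order number does not trigger the rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample documents (not course material) to exercise the classifier.
SAMPLE_DOCS: Dict[str, str] = {
    "expense-report.txt": "Please reimburse card 4111 1111 1111 1111 for the conference trip.",
    "lunch-menu.txt": "Today's menu: soup, salad, and a sandwich.",
    "order-note.txt": "Reference 1234 5678 9012 3456 is an order id, not a card number.",
}

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass Luhn (cuts false positives)."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class Label:
    name: str
    protect: bool = False   # True when the label also carries a protection configuration


# Two labels are enough for the rule: classify-only General, and Restricted with protection.
GENERAL = Label("General")
RESTRICTED = Label("Restricted", protect=True)


def classify(text: str) -> Label:
    """Automatic classification rule: any valid card number makes the document Restricted."""
    return RESTRICTED if find_card_numbers(text) else GENERAL


def apply_label(filename: str, text: str) -> Dict:
    """Attach the label as clear-text metadata so DLP or protection services can read it.
    The header names are hypothetical; they are not the ones the AIP client writes."""
    label = classify(text)
    return {
        "filename": filename,
        "headers": {
            "X-Classification": label.name,
            "X-Protection-Required": "true" if label.protect else "false",
        },
        "content": text,
    }


def label_documents(docs: Dict[str, str]) -> Dict[str, str]:
    """Classify every document and report the resulting label per file name."""
    return {name: apply_label(name, text)["headers"]["X-Classification"]
            for name, text in docs.items()}


if __name__ == "__main__":
    for name, label in label_documents(SAMPLE_DOCS).items():
        print(f"{name}: {label}")
```

Running the script labels only the expense report as Restricted; the order note contains a 16-digit number that fails the Luhn check and stays General, which is the kind of false positive a naive digit-count rule would produce.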

Microsoft Azure Information Protection

How Azure Information Protection protects data


When you protect content with AIP, you specify which users or groups have access to the content. You
also specify which actions users or groups can take. For example, you might specify that employees can
view and edit a document, but contractors can only view content. However, setting specific permissions
for specific users or groups is time consuming, particularly if you also use content expiration and other
optional settings. To simplify the process of protecting content, you can use rights policy templates or
labels in AIP.
Some situations where AIP might prove useful include:
●● Controlling the sharing (intentionally or inadvertently) of work product with people from outside your
organization.
●● Preventing the emailing of sensitive data such as passports or credit card numbers.
●● Warning users that they are working with personal data that is covered by regulations that control the
sharing of that data.

Rights policy templates


Rights policy templates store the desired content protection settings, including which users have access
to content, and which content restrictions are in place. Typically, rights policy templates are used only in
some specific scenarios, such as Exchange Online transport rules.

Labels
In AIP, protection templates are associated with labels. Some default labels, such as Personal, Public, and
General, do not have protection configured because the purpose of these labels is to classify the content,
and not to protect it. However, when you create a new label you can choose whether you will use it to
protect a document, remove the protection from the document, or merely classify the document. You can
also choose to let users configure permissions when using a specific label, or have users apply permission
sets that you have configured already.
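The relationship between labels and rights policy templates described in the last three sections (some labels only classify, others carry a template that names which groups may view or edit and when the content expires) is easiest to see as an authorization check. The following Python is an added example written for this page, not Microsoft's code or Azure RMS; the users, groups, template and dates are constructed assumptions, and the owner/super-user bypass the text mentions is deliberately not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class RightsTemplate:
    """Rights policy template: which groups get which usage rights, plus optional expiry."""
    name: str
    rights: Dict[str, FrozenSet[str]]        # group name -> allowed actions
    expires: Optional[datetime] = None       # content expiration; None means never


@dataclass(frozen=True)
class Label:
    """A label classifies content; only labels with a template also protect it."""
    name: str
    template: Optional[RightsTemplate] = None


# Constructed directory of users and their group memberships (not course data).
GROUPS: Dict[str, Set[str]] = {
    "alice@contoso.example": {"Employees"},
    "bob@fabrikam.example": {"Contractors"},
    "mallory@outside.example": set(),
}

# Constructed template mirroring the text: employees view and edit, contractors only view.
CONFIDENTIAL_TEMPLATE = RightsTemplate(
    name="Confidential - Employees edit, Contractors view",
    rights={"Employees": frozenset({"view", "edit"}),
            "Contractors": frozenset({"view"})},
    expires=datetime(2025, 1, 1, tzinfo=timezone.utc),
)

LABELS: Dict[str, Label] = {
    "General": Label("General"),                                  # classify only
    "Confidential": Label("Confidential", CONFIDENTIAL_TEMPLATE),  # classify and protect
}

SAMPLE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)      # before the template expiry
AFTER_EXPIRY = datetime(2025, 2, 1, tzinfo=timezone.utc)     # after the template expiry


def effective_rights(user: str, label: Label, now: datetime) -> FrozenSet[str]:
    """Actions the user may take on content carrying this label at time `now`.
    Unprotected labels impose no restriction; expired content grants nothing."""
    if label.template is None:
        return frozenset({"view", "edit"})
    template = label.template
    if template.expires is not None and now >= template.expires:
        return frozenset()
    granted: Set[str] = set()
    for group in GROUPS.get(user, set()):
        granted |= template.rights.get(group, frozenset())
    return frozenset(granted)


def allowed(user: str, action: str, label: Label, now: datetime = SAMPLE_TIME) -> bool:
    """True when the rights template behind the label lets this user perform the action."""
    return action in effective_rights(user, label, now)


if __name__ == "__main__":
    for user in GROUPS:
        for label in LABELS.values():
            print(user, label.name, sorted(effective_rights(user, label, SAMPLE_TIME)))
```

The check is deliberately deny-by-default: a user outside every named group gets no rights on protected content, and once the template's expiry passes nobody does, which is what makes a template-based label safer than asking each author to pick permissions by hand.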
By default, after you complete the AIP activation the following default labels are available:
●● Personal
●● Public
●● General
●● Confidential
●● Highly Confidential
You can use these labels to enable users in your organization to protect sensitive content. When neces-
sary, you can create new labels and protection templates by using the AIP administration pane in the
Azure portal.

AIP policies
To enable classification, labeling, and protection, and to make these resources available to your users, you
must configure the AIP policy. This policy then downloads to computers that have installed the AIP client.
The policy contains labels and settings.
●● Labels apply a classification value to documents and email and can optionally protect this content.
The Azure Information Protection client displays these labels for your users in Office apps and when
users right-click a file in File Explorer. AIP comes with a default policy, which contains the previously
mentioned five main labels. You can use the default labels without changes, you can customize them,
you can delete them, or you can create new labels.
●● The settings change the default behavior of the Azure Information Protection client. For example, you
can select a default label, you can define whether all documents and emails must have a label, and
whether the AIP bar displays in Office apps.

How AIP works on end-user devices and apps


The Azure Information Protection client helps keep important documents and emails safe from people who
shouldn't see them, even if an email is forwarded or a document is saved to another location. You use the
Azure Information Protection client to classify documents and to open documents that other people have
protected by using the Rights Management protection technology from Azure Information Protection.
Your IT team defines default classifications and policies at the organization level, and the Azure
Information Protection client enforces them. The client checks for changes whenever a supported Microsoft
Office application starts, and downloads them as its latest Azure Information Protection policy. Users
must have the Azure Information Protection client installed on their machines to define classifications
and open protected documents. The IT team can push the client centrally to all employees, or you can
ask users to download the Azure Information Protection client from the Microsoft Azure website.
After the Azure Information Protection client is installed, a new Azure Information Protection bar will
appear across Microsoft Office applications. This is used to classify and label sensitive documents.
In the following example, a user has entered information into an email message that the administrator
has configured as being sensitive. The message is classified as sensitive based on labels and rules that can
detect sensitive information, as defined by an administrator. The user submitting the email message sees
a notification with recommendations.

You configure labels, label policies, and sensitive information types by using Security & Compliance from
the Office 365 portal.
Information protection
Let's do a quick activity to test your knowledge of information protection. The review activity opens full
screen at the following address:
https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_03_03_07_InformationProtectiontutorial.html

Compliance in Microsoft 365


Introduction
Microsoft 365 complies with industry standard regulations, and its design helps you to meet the
regulatory requirements for your business. In this lesson, you will learn what compliance features are
available within Microsoft 365 and how they can help your organization become and remain compliant.
After this lesson, you should be able to:
●● Identify compliance needs in your organization.
●● Explain how to use the Service Trust Portal.
●● Explain how to use the Compliance Manager.

Most common compliance needs in today's business environments
As the proliferation of data increases, and our reliance on storing and accessing that data from computer
systems grows, so does the need for data management. Over the years, governmental and other agencies
have become interested in how we use and share data. This is particularly relevant when dealing with
personal data, such as financial and health data.
To help protect individuals, governments and the agencies they appoint have introduced regulations
about data storage and use. These regulations include:
●● Granting people the right to access, and possibly correct, data stored about them.
●● Defining a data retention period.
●● Granting governments and their appointed regulatory bodies the rights to access stored records for
investigative purposes.
●● Defining exactly how stored data can and cannot be used. In other words, defining the purpose for
the collated data.
●● Defining privacy controls so that private data can remain private.
Organizations must comply with a number of governmental regulations regarding data privacy and
access. This can be extremely complex to implement and manage. Some of these regulations include:
●● HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) imposes strict privacy
regulations for customers who process electronic protected health information.
●● Data processing agreements. A data processing agreement describes how the data processor handles
and safeguards customer data. For example, the data processor for Office 365 is Microsoft, and the
regulations are covered worldwide.
●● FISMA. United States federal agencies can procure information systems and services only from
organizations that meet the Federal Information Security Modernization Act (FISMA) regulations.
●● ISO/IEC 27001:2013. This standard from ISO and the International Electrotechnical Commission (IEC) is
widely used, and is the best-known standard for an information security management system. Office
365 meets this security benchmark with physical, logical, process, and management controls. Since
2015, even ISO 27018 privacy controls for the most recent Office 365 audit are included.
●● EU Model Clauses. The European Union (EU) Data Protection Directive is a key instrument of EU
privacy and human rights law. The EU Model Clauses legitimize the transfer of personal data outside
the EU, and they are the preferred method for transferring personal data outside the EU.
●● Safe Harbor Framework. The US and EU Safe Harbor Framework also addresses the transfer of
personal data outside the EU. Office 365 follows the principles and processes stipulated by this
framework.
●● The Family Educational Rights and Privacy Act (FERPA). United States educational organizations are
required to follow FERPA regulations regarding the use or disclosure of student education records.
This also includes student information sent in email or email attachments.
●● SSAE 16. Independent organizations can audit Office 365 and provide SSAE 16 SOC 1 Type I and Type
II, and SOC 2 Type II reports on how the service implements controls.
●● The Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is a Canadian
law pertaining to how private sector organizations collect, use, and disclose personal information in
regard to commercial business.
●● The Gramm–Leach–Bliley Act (GLBA). This act protects customers’ nonpublic personal information, and
financial institutions are required to follow these regulations to protect their clients’ information.

Compliance features in Microsoft 365


Microsoft 365 offers a variety of compliance features to help organizations comply with governmental
regulations and help keep customer data secure. These include:
●● Office 365 eDiscovery
●● Office 365 Archiving
●● Office 365 Auditing

Office 365 eDiscovery


Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that
can be used as evidence in legal cases. You can use eDiscovery in Office 365 to search for content in
Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for
Business sites, and Skype for Business Online conversations. You can search mailboxes and sites in the
same eDiscovery search by using the Content Search tool in the Office 365 Security & Compliance Center.
And you can use eDiscovery cases in the Security & Compliance Center to identify, hold, and export
content found in mailboxes and sites. If your organization has an Office 365 E5 subscription, you can
further analyze content by using Office 365 Advanced eDiscovery.
Office 365 provides the following eDiscovery tools:
●● Content Search in the Office 365 Security & Compliance Center
●● eDiscovery Cases in the Office 365 Security & Compliance Center
●● Office 365 Advanced eDiscovery
You can find out more at the following website: https://docs.microsoft.com/office365/securitycompliance/ediscovery.

Office 365 Archiving


Many regulations require that you retain data for set periods of time in an accessible format. Office 365
Archiving enables you to comply with these regulations, and lets you store, archive, retain, and discover
data in Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business Online. Office
365 Archiving also meets your needs if your organization is subject to industry-specific regulatory
requirements about record keeping, such as SEC Rule 17a-4.

Office 365 Auditing


With Office 365 Auditing, you can monitor and investigate actions taken on your data, intelligently
identify risks, contain and respond to threats, and protect valuable intellectual property.
Activity logging and reporting enable you to track both user and admin activity events in SharePoint
Online, OneDrive for Business, Exchange Online, and Azure Active Directory. The Office 365 activity report
lets you investigate activity by searching for a user, file, or other resource across SharePoint Online,
OneDrive for Business, Exchange Online, and Azure Active Directory.
The Office 365 Management Activity API is a RESTful API that provides an unprecedented level of visibility
into all user and admin transactions within Office 365. The Management Activity API lets organizations
and other software providers integrate Office 365 activity data into security and compliance monitoring
and reporting solutions.
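To show what searching that activity data looks like once it has been pulled into a monitoring solution, here is an added Python example written for this page (not Microsoft's API client or sample code). It parses constructed audit records laid out with the common-schema field names CreationTime, UserId, Operation, Workload, ObjectId and ClientIP, searches them by user or resource across SharePoint Online, OneDrive for Business and Azure Active Directory, and flags a burst of file downloads. All users, URLs, addresses and timestamps are invented, and the bulk-download threshold is an assumption for the example, not a Microsoft default.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Constructed sample records (not real tenant data) using common-schema field names.
# Operation and Workload values are ones the unified audit log uses; everything else is invented.
AUDIT_RECORDS = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2024-05-01T08:00:00", "UserId": "alice@contoso.example",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ObjectId": "Office 365 portal", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-01T08:05:00", "UserId": "alice@contoso.example",
     "Operation": "FileAccessed", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Budget.xlsx", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-01T08:06:00", "UserId": "alice@contoso.example",
     "Operation": "FileDownloaded", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Budget.xlsx", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-01T08:07:00", "UserId": "alice@contoso.example",
     "Operation": "FileDownloaded", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Forecast.xlsx", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-01T08:08:00", "UserId": "alice@contoso.example",
     "Operation": "FileDownloaded", "Workload": "OneDrive",
     "ObjectId": "https://contoso.example/personal/alice/Notes.docx", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-01T09:30:00", "UserId": "bob@contoso.example",
     "Operation": "FileAccessed", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Budget.xlsx", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-05-01T10:00:00", "UserId": "bob@contoso.example",
     "Operation": "FileDeleted", "Workload": "OneDrive",
     "ObjectId": "https://contoso.example/personal/bob/Old.docx", "ClientIP": "198.51.100.7"},
])


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON records, attach a parsed timestamp, and sort by time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["_time"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
    return sorted(records, key=lambda r: r["_time"])


def search(records: List[Dict], user: Optional[str] = None, resource: Optional[str] = None,
           workloads: Optional[FrozenSet[str]] = None) -> List[Dict]:
    """Activity search: filter by user (case-insensitive), resource substring, and workload set."""
    out = []
    for rec in records:
        if user and rec["UserId"].lower() != user.lower():
            continue
        if resource and resource.lower() not in rec.get("ObjectId", "").lower():
            continue
        if workloads and rec["Workload"] not in workloads:
            continue
        out.append(rec)
    return out


def detect_bulk_downloads(records: List[Dict], threshold: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Flag users with at least `threshold` FileDownloaded events inside any sliding window.
    Returns user -> largest number of downloads seen within one window."""
    times_by_user: Dict[str, List[datetime]] = {}
    for rec in sorted(records, key=lambda r: r["_time"]):
        if rec["Operation"] == "FileDownloaded":
            times_by_user.setdefault(rec["UserId"], []).append(rec["_time"])
    flagged: Dict[str, int] = {}
    for user, times in times_by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_records(AUDIT_RECORDS)
    for rec in search(recs, resource="Budget.xlsx"):
        print(rec["CreationTime"], rec["UserId"], rec["Operation"], rec["Workload"])
    print("bulk downloads:", detect_bulk_downloads(recs))
```

The resource search returns every touch of Budget.xlsx regardless of who performed it or which workload logged it, which is the cross-workload view the activity report gives an investigator; the download detector is the sort of rule a monitoring solution layers on top of the same records.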

Service Trust Portal overview


There are a number of tools you can use to manage compliance in Microsoft 365. The first of these is the
Service Trust Portal (STP). This portal provides a variety of content, tools, and other resources about
Microsoft security, privacy, and compliance practices. It also includes independent third-party audit
reports of Microsoft's online services, and information about how our online services can help your
organization maintain and track compliance with standards, laws, and regulations such as:
●● International Organization for Standardization (ISO)
●● Service Organization Controls (SOC)
●● National Institute of Standards and Technology (NIST)
●● Federal Risk and Authorization Management Program (FedRAMP)
●● General Data Protection Regulation (GDPR)
The portal consists of a number of accessible tabs:
●● Service Trust Portal. Via the portal you can access the STP home page, which provides links to the
other tabs and a section on what’s new in STP and compliance in Microsoft 365.
●● Compliance Manager. Use this tab to help meet data protection and regulatory requirements when
using Microsoft cloud services.
●● Trust documents. This tab provides access to many documents about security implementation and
design that can help you to meet regulatory compliance objectives. These include:
●● Audit reports, which provide independent audit and assessment reports on Microsoft cloud
services' compliance with data protection standards and regulatory requirements.
●● Data protection, which provides trust documents for download, and information about how
Microsoft operates Azure, Dynamics 365, and Office 365.
●● Azure Security and Compliance Blueprint, which offers turn-key security and compliance solutions
and support, tailored to the needs of industry verticals, that accelerate cloud adoption and
utilization for customers with regulated or restricted data.
●● Regional Compliance. This tab provides regionally specific compliance information, often in the form
of legal opinions that describe Microsoft cloud services in:
●● Australia
●● Czech Republic
●● Germany
●● Poland
●● Romania
●● Spain
●● UK
●● Privacy. This site provides information about the capabilities in Microsoft services that you can use to
address specific GDPR requirements. It also provides documentation helpful to your GDPR
accountability and to your understanding of the technical and organizational measures Microsoft has
taken to support the GDPR.
●● Resources. Enables access to:
●● Office 365 Security and Compliance Center. This offers comprehensive resources for learning
about security and compliance in Office 365, including documentation, articles, and recommended
best practices.
●● Admin. This tab has administrative functions that are only available to the tenant administrator
account, and will only be visible when you are signed in as a global administrator.
You can access the STP at https://servicetrust.microsoft.com/.

Compliance Manager Overview


The Compliance Manager portal helps you to stay compliant with both internal requirements and
well-known security standards. This feature works across Microsoft cloud services to help organizations
meet complex compliance obligations, including:
●● GDPR
●● ISO 27001
●● ISO 27018
●● NIST 800-53
●● HIPAA

Compliance Manager performs the following key activities:


●● Real-time risk assessment. In the Compliance Manager dashboard you can view a summary of your
compliance posture against the data protection regulatory requirements that are relevant to your
organization, in the context of using Microsoft cloud services. The dashboard provides you with your
compliance score, which helps you make appropriate compliance decisions.
●● Actionable insights. These insights help you understand the responsibility that you and Microsoft
share in meeting compliance standards. For components that Microsoft manages, you can see the
control implementation and testing details, test date, and results. For components that you manage,
you can see recommendations for appropriate actions and guidance on how to implement them.
●● Simplified compliance. Compliance Manager can help you simplify processes to achieve compliance.
It provides control management tools that you can use to assign tasks to your teams. You can also
generate reports instead of collecting information from multiple teams. This tool also enables you to
perform proactive assessments when needed.

Introducing Compliance Manager


Compliance in Microsoft 365


Let's do a quick activity to test your knowledge of compliance in Microsoft 365. The review activity opens
full screen at the following address:
https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_03_04_05_Compliancetutorial.html

Lab - Implement security and compliance in Microsoft 365
Lab Introduction
This lab is designed to reinforce the concepts to which you were introduced and the knowledge you’ve
gained in this module. In this lab, you will configure Azure Active Directory (Azure AD), create a
conditional access policy, and activate Azure Identity Protection.
Please note that this lab has three exercises, each with multiple tasks. For a successful outcome, the
exercises and their corresponding tasks must be completed in order.

Exercise 1
Configuring Azure Active Directory (Azure AD)
Task 1: Configure Azure AD join settings
1. Open Microsoft Edge and navigate to office.com and sign in using the global admin account you
have been assigned for this course.
2. Select the Admin tile.
3. In Microsoft 365 admin center, in the navigation pane, click Show more, and then click Admin
centers.
4. Click Azure Active Directory. Verify that a new tab opens in Microsoft Edge.
5. In the navigation pane, select Azure Active Directory.
6. Click Devices and then click Device settings.
7. In the details pane, click Selected.
8. Click Selected (No member selected).
9. Click Add members.
10. In the Select box, type Windows and click Windows 10 Deployment, which is the group you created
in the last lab.
11. Click Select and then click OK.
12. On the Devices – Device settings blade, click Save. You have configured that members of the
Windows 10 Deployment group may join devices to Azure AD.

Task 2: Configure roaming user settings


1. On the Devices – Device settings blade, to the left, click Enterprise State Roaming.
2. In the details pane, click All and then click Save. You have enabled Enterprise State Roaming, which
enables users’ settings to sync across their devices.

Task 3: Assign a user the password administrator role


1. In the navigation pane, click Azure Active Directory.
2. Click Roles and administrators.


3. Click Password administrator.
4. Click Add member.
5. In the Add member blade, in the Select box, type Emily and then click Emily Braun.
6. Click Select.
7. In the navigation pane, click Azure Active Directory.

Exercise 2
Creating a conditional access policy

Task 1: Open the Intune console


1. Switch to the Microsoft 365 admin center tab.
2. In Microsoft 365 admin center, in the navigation pane, click Show more, and then click Admin
centers.
3. Click Intune. Verify that a new tab opens in Microsoft Edge.

Task 2: Create and assign the policy


1. In the Microsoft 365 Device Management window, in the navigation pane, click Conditional Access.
2. Click New policy.
3. On the New blade, in the Name box, type Contoso Device Compliance Policy.
4. Under Assignments, click Users and groups.
5. On the Users and groups blade, click Select users and groups.
6. Select the Users and groups check box, and then click Select.
7. On the Select blade, select the IT group, and then click Select.
8. On the Users and groups blade, click Done.

Task 3: Configure and enable the policy


1. On the New blade, click Conditions.
2. On the Conditions blade, click Sign-in risk.
3. On the Sign-in risk blade, click Yes. Select the Medium check box, and then click Select.
4. On the Conditions blade, click Device platforms.
5. On the Device platforms blade, click Yes. Select the Windows check box, and then click Done.
6. On the Conditions blade, click Done.
7. Under Access controls, click Grant.
8. On the Grant blade, select the Require multi-factor authentication check box, and then click Select.
9. On the New blade, under Enable policy, click On, and then click Create.
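The policy built in this exercise (assigned to the IT group; conditions: sign-in risk Medium and the Windows platform; grant control: require MFA) and the evaluation behaviour described under Compliance policies earlier in this module (an unenrolled device cannot be evaluated, so it is blocked or redirected to enroll) can be modelled in a few dozen lines. The following Python is an added example written for this page, not Microsoft's code or the Conditional Access engine; the user names, group names, sign-in scenarios and the second "require compliant device" policy are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Device:
    platform: str                      # e.g. "Windows", "iOS"
    enrolled: bool                     # enrolled in Intune (MDM)?
    compliant: Optional[bool] = None   # None: unknown, an unenrolled device cannot be evaluated


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    device: Device
    risk: str                          # "none", "low", "medium" or "high"
    client_app: str = "browser"


@dataclass(frozen=True)
class Policy:
    """Assignment plus conditions; an empty condition set means 'any'."""
    name: str
    groups: FrozenSet[str] = frozenset()
    risk_levels: FrozenSet[str] = frozenset()
    platforms: FrozenSet[str] = frozenset()
    client_apps: FrozenSet[str] = frozenset()
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False


# Policy 1 mirrors the lab exercise: IT group, medium sign-in risk, Windows, grant with MFA.
LAB_POLICY = Policy("Contoso Device Compliance Policy", groups=frozenset({"IT"}),
                    risk_levels=frozenset({"medium"}), platforms=frozenset({"Windows"}),
                    require_mfa=True)
# Policy 2 is constructed for this example: every user must present a compliant device.
COMPLIANT_DEVICE_POLICY = Policy("Require compliant device", require_compliant_device=True)
POLICIES: List[Policy] = [LAB_POLICY, COMPLIANT_DEVICE_POLICY]


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy applies when the user is in scope and every configured condition matches."""
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.risk_levels and s.risk not in policy.risk_levels:
        return False
    if policy.platforms and s.device.platform not in policy.platforms:
        return False
    if policy.client_apps and s.client_app not in policy.client_apps:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Dict:
    """Combine matching policies: a block wins; otherwise every grant control must be met."""
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return {"decision": "block", "reason": "blocked by policy", "policies": names}
    controls: List[str] = []
    if any(p.require_mfa for p in matched):
        controls.append("mfa")
    if any(p.require_compliant_device for p in matched):
        if not s.device.enrolled:
            # Compliance is unknown for an unenrolled device: send the user to enroll it.
            return {"decision": "enroll_required", "reason": "device not enrolled", "policies": names}
        if s.device.compliant is not True:
            return {"decision": "block", "reason": "device not compliant", "policies": names}
        controls.append("compliant_device")
    return {"decision": "grant", "controls": controls, "policies": names}


# Constructed sign-in scenarios (not course data).
SCENARIOS: Dict[str, SignIn] = {
    "it_windows_medium": SignIn("ann@contoso.example", frozenset({"IT"}),
                                Device("Windows", True, True), "medium"),
    "it_windows_low": SignIn("ann@contoso.example", frozenset({"IT"}),
                             Device("Windows", True, True), "low"),
    "it_ios_medium": SignIn("ann@contoso.example", frozenset({"IT"}),
                            Device("iOS", True, True), "medium"),
    "sales_unenrolled": SignIn("sam@contoso.example", frozenset({"Sales"}),
                               Device("Windows", False), "none"),
    "sales_noncompliant": SignIn("sam@contoso.example", frozenset({"Sales"}),
                                 Device("Windows", True, False), "none"),
}


def run_scenarios() -> Dict[str, str]:
    """Decision per scenario, handy for a quick self-check."""
    return {name: evaluate(POLICIES, s)["decision"] for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        print(name, evaluate(POLICIES, s))
```

Two things the scenarios make visible: the lab policy is narrow (an IT user on iOS, or at low risk, is never asked for MFA by it), and when an unenrolled device meets a compliance requirement the outcome is "enroll" rather than an evaluation, because there is nothing to evaluate yet.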

Exercise 3
Activating Azure Identity Protection

Task 1: Sign in to the Azure portal


1. In Microsoft Edge, open a new tab and navigate to https://ms.portal.azure.com/.
2. Sign in using your global admin account.
3. On the Azure dashboard page, click the Marketplace tile.
4. On the Everything blade, in the Search Everything text box, type Azure Identity Protection, and
then press Enter.

Task 2: Enable Azure AD Identity Protection


1. In the returned list, click Azure AD Identity Protection.
2. On the Azure AD Identity Protection blade, click Create.
3. On the second Azure AD Identity Protection blade, click Create.

Task 3: Review current settings


1. In Microsoft Edge, open a new tab and navigate to https://portal.azure.com/#blade/Microsoft_AAD_ProtectionCenter/IdentitySecurityDashboardMenuBlade/Overview.
2. On the Overview blade, on the Azure AD Identity Protection tab, in the navigation pane, click
Getting Started. Review the available information.
3. Click Vulnerabilities. Notice that the RISK LEVEL is Medium, and that the COUNT is greater than zero.
This shows that all user accounts are not configured for multi-factor authentication (MFA).

Task 4: Enable MFA


1. Click MFA registration. (You configure and enable MFA from here.)
2. Under Assignments, click All users.
3. Select All users, and then click Done.
4. Under Controls, click Select a control.
5. Ensure that the Require Azure MFA registration check box is selected, and then click Select.
6. Under Review, click Current registration status. Notice that all users are not registered.
7. Click the X to close the blade.
8. Under Enforce policy, click On, and then click Save.
9. Close all open windows.


Module Assessment
Questions
Checkbox
Which of the following is considered to be a pillar of computer security systems? (Choose all that apply.)
†† Identity
†† Firewalls
†† Device security
†† Antivirus software
†† Data security
†† Encryption
†† Network security
†† Multi-factor authentication (MFA)

Multiple choice
Can you use a Microsoft account to sign in to Microsoft 365? (Choose the correct answer.)
†† Yes
†† No

Multiple choice
When connecting to Wi-Fi hotspots, what is the most important security feature to have enabled on your
device? (Choose the best answer)
†† A PIN for sign in on your device
†† Encryption of the device contents
†† A firewall
†† The latest operating system feature updates

Checkbox
Which of the following is considered a data security threat? (Choose all that apply.)
†† Data leakage via removable media
†† Unauthorized user accessing information on a server
†† An eavesdropping attack
†† A denial of service attack

Checkbox
Which of the following Microsoft 365 features help guard against security issues arising from identity?
(Choose all that apply.)
†† MFA
†† Microsoft Azure Advanced Threat Protection (Azure ATP)
†† Data loss prevention
†† Azure Active Directory (Azure AD) Identity Protection

Multiple choice
Which of the following statements is (or are) true about Microsoft synchronized identities? (Choose
the best answer)
†† They exist only in Active Directory Domain Services (AD DS).
†† They exist only in Azure AD.
†† They exist as duplicates in both AD DS and Azure AD.
†† They exist as linked account in both AD DS and Azure AD.

Multiple choice
When implementing synchronized accounts in Microsoft 365, which tool performs the synchronization
between AD DS and Azure AD? (Choose the correct answer.)
†† Azure AD
†† Azure AD Connect
†† Active Directory Federation Services (AD FS)
†† AD DS

Multiple choice
Mobile device management (MDM) autoenrollment is a feature in which version of Azure AD? (Choose the
correct answer.)
†† Azure AD Free
†† Azure AD Basic
†† Azure AD Premium P1
†† Azure AD Premium P2
Multiple choice
You notice suspicious activity during sign-in from a number of user accounts. It seems as if these users are
signing in at unusual times and from unusual locations. What tool or feature in Microsoft 365 might
alert you to such activity? (Choose the correct answer.)
†† Azure MFA
†† Azure AD Privileged Identity Management
†† Microsoft Identity Manager
†† Azure AD Identity Protection

Multiple choice
You want the ability to elevate a user’s account to that of a temporary administrator. Which Microsoft 365
identity management feature could help with this? (Choose the correct answer.)
†† Azure MFA
†† Azure AD Privileged Identity Management
†† Microsoft Identity Manager
†† Azure AD Identity Protection

Multiple choice
You want your users to have the ability to manage their group memberships themselves. What version of
Azure AD supports this capability? (Choose all that apply.)
†† Azure AD Free
†† Azure AD Basic
†† Azure AD Premium P1
†† Azure AD Premium P2

Multiple choice
Some of your users have access to Oracle databases. You need to implement a single hybrid identity
infrastructure. How could you achieve this using Azure AD? (Choose the correct answer.)
†† Implement MFA.
†† Implement Microsoft Identity Manager.
†† Implement Password reset with writeback.
†† Implement Conditional Access.
†† Implement Azure AD Connect Health.

Multiple choice
In Microsoft Intune, what kind of policy enables you to ensure that devices are not rooted, and are configured with complex passwords? (Choose the correct answer.)
†† Conditional access policy
†† Device compliance policy
†† Device enrollment policy
†† Device configuration profile

Multiple choice
In Azure Information Protection, which of the following classifies documents? (Choose the correct answer.)
†† Labels
†† Templates
†† Settings

Multiple choice
Which feature in Microsoft 365 could help ensure that your organization retains data files for appropriate
periods based on legal requirements? (Choose the correct answer.)
†† Office 365 Auditing
†† Office 365 eDiscovery
†† Office 365 Archiving

Answers
Checkbox
Which of the following is considered to be a pillar of computer security systems? (Choose all that apply.)
■■ Identity
†† Firewalls
■■ Device security
†† Antivirus software
■■ Data security
†† Encryption
■■ Network security
†† Multi-factor authentication (MFA)
 
Multiple choice
Can you use a Microsoft account to sign in to Microsoft 365? (Choose the correct answer.)
†† Yes
■■ No
 
Multiple choice
When connecting to Wi-Fi hotspots, what is the most important security feature to have enabled on your
device? (Choose the best answer.)
†† A PIN for sign in on your device
†† Encryption of the device contents
■■ A firewall
†† The latest operating system feature updates
 
Checkbox
Which of the following is considered a data security threat? (Choose all that apply.)
■■ Data leakage via removable media
■■ Unauthorized user accessing information on a server
†† An eavesdropping attack
†† A denial of service attack
 

Checkbox
Which of the following Microsoft 365 features help guard against security issues arising from identity?
(Choose all that apply.)
■■ MFA
†† Microsoft Azure Advanced Threat Protection (Azure ATP)
†† Data loss prevention
■■ Azure Active Directory (Azure AD) Identity Protection
 
Multiple choice
Which of the following statements is true about Microsoft synchronized identities? (Choose the best answer.)
†† They exist only in Active Directory Domain Services (AD DS).
†† They exist only in Azure AD.
†† They exist as duplicates in both AD DS and Azure AD.
■■ They exist as linked accounts in both AD DS and Azure AD.
 
Multiple choice
When implementing synchronized accounts in Microsoft 365, which tool performs the synchronization
between AD DS and Azure AD? (Choose the correct answer.)
†† Azure AD
■■ Azure AD Connect
†† Active Directory Federation Services (AD FS)
†† AD DS
 
Multiple choice
Mobile device management (MDM) autoenrollment is a feature in which version of Azure AD? (Choose
the correct answer.)
†† Azure AD Free
†† Azure AD Basic
■■ Azure AD Premium P1
†† Azure AD Premium P2
 

Multiple choice
You notice suspicious sign-in activity from a number of user accounts. It seems as if these users
are signing in at unusual times and from unusual locations. What tool or feature in Microsoft 365
might alert you to such activity? (Choose the correct answer.)
†† Azure MFA
†† Azure AD Privileged Identity Management
†† Microsoft Identity Manager
■■ Azure AD Identity Protection
 
Multiple choice
You want the ability to elevate a user’s account to that of a temporary administrator. Which Microsoft 365
identity management feature could help with this? (Choose the correct answer.)
†† Azure MFA
■■ Azure AD Privileged Identity Management
†† Microsoft Identity Manager
†† Azure AD Identity Protection
 
Multiple choice
You want your users to have the ability to manage their group memberships themselves. What version of
Azure AD supports this capability? (Choose all that apply.)
†† Azure AD Free
†† Azure AD Basic
■■ Azure AD Premium P1
†† Azure AD Premium P2
 
Multiple choice
Some of your users have access to Oracle databases. You need to implement a single hybrid identity
infrastructure. How could you achieve this using Azure AD? (Choose the correct answer.)
†† Implement MFA.
■■ Implement Microsoft Identity Manager.
†† Implement Password reset with writeback.
†† Implement Conditional Access.
†† Implement Azure AD Connect Health.
 

Multiple choice
In Microsoft Intune, what kind of policy enables you to ensure that devices are not rooted, and are
configured with complex passwords? (Choose the correct answer.)
†† Conditional access policy
■■ Device compliance policy
†† Device enrollment policy
†† Device configuration profile
 
Multiple choice
In Azure Information Protection, which of the following classifies documents? (Choose the correct
answer.)
■■ Labels
†† Templates
†† Settings
 
Multiple choice
Which feature in Microsoft 365 could help ensure that your organization retains data files for appropriate
periods based on legal requirements? (Choose the correct answer.)
†† Office 365 Auditing
†† Office 365 eDiscovery
■■ Office 365 Archiving
 
Module 4 Microsoft 365 pricing and support

Microsoft 365 subscriptions, licenses, and billing
Introduction
Microsoft 365 offers a variety of subscriptions and licenses from which to choose. In this lesson, you’ll be
introduced to the plans and options available to Microsoft 365 subscribers. You’ll then learn about how to
manage your Microsoft 365 subscription, including adding and removing user licenses. You’ll also learn
how Microsoft 365 billing works, including the different billing cycles, payment methods, and typical
lifecycle phases of Microsoft 365 from provisioning to retiring.
After this lesson, you should be able to:
●● Differentiate between the different Microsoft 365 subscription options.
●● Manage your Microsoft 365 subscription.
●● Add or remove a license from a user.
●● Manage your Microsoft 365 billing.
●● Explain the typical Microsoft 365 lifecycle phases.

Microsoft 365 subscription options


As you’ve learned in the previous modules, Microsoft 365 is a complete, intelligent software as a service
(SaaS)–based solution that includes Microsoft Office 365, Windows 10, and Enterprise Mobility + Security
all bundled into a single subscription. Different kinds of businesses have different requirements, so Microsoft offers a variety of subscriptions and plans to accommodate each organization’s needs. In this topic, we’ll summarize these subscriptions.
Note: The plans, exact set of features, pricing, and licensing requirements can vary between countries
and regions. If you require a Microsoft 365 subscription for a non-US organization, contact your regional
sales representative to learn what subscriptions, plans, features, and pricing are available.

Microsoft 365 Enterprise

Microsoft 365 Enterprise focuses on delivering enterprise-class services to organizations who want to
implement a complete productivity solution that integrates with the most robust Enterprise Mobility +
Security features. Microsoft 365 Enterprise offers different plans that further cater to each organization’s
unique needs. These include:
●● Microsoft 365 E3. This is the base level Microsoft 365 offering for enterprise customers. It provides
Office 365, Windows 10, and some Enterprise Mobility + Security features.
●● Microsoft 365 E5. This plan includes all E3 products and features, plus the latest advanced information protection, compliance, and analytics tools, including:
●● Enhanced communication features, including audio conferencing and phone system integration
with Skype for Business Online and Microsoft Teams.
●● Advanced threat protection, including Windows Defender Advanced Threat Protection, Office 365
Advanced Threat Protection, and Office 365 Threat Intelligence.
●● Advanced identity and access management with Azure Active Directory Premium 2.
●● Advanced compliance with Office 365 Advanced eDiscovery, Customer Lockbox, and Office 365
Advanced Data Governance.
●● Microsoft Managed Desktop. This plan combines Microsoft 365 E5 with device as a service (DaaS) procurement, configuration, maintenance, and IT as a service (ITaaS) deployment, monitoring, reporting, and service desk.
●● Microsoft 365 F1. A special configuration of Microsoft 365, this plan is purpose-built for firstline
workers, offering them the tools and resources they need. It’s similar to Microsoft 365 E3, with the
following differences:
●● It includes all Microsoft Office apps except for Microsoft Access.
●● Email and calendar are limited to a 2-gigabyte (GB) Inbox. There is no commercial Outlook app or
integration, and no voicemail.
●● For schedule and task management, Microsoft PowerApps are limited to consumption only. Flow is
limited to 750 users per month.
●● For voice, video, and meetings:
●● Meetings are join only.
●● 1:1 audio and video calls are supported.

●● Desktop or app sharing is not supported.


●● For social and intranet, F1 users cannot be site administrators, have a site mailbox or a personal site, or create forms.
For the latest information about Microsoft 365 Enterprise plans, features, and pricing, go to https://www.microsoft.com/en-us/microsoft-365/compare-all-microsoft-365-plans, and to https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/index.

Microsoft 365 Business

Microsoft 365 Business brings together features from across Microsoft’s offerings in a solution designed
for small and medium-sized businesses. Like Microsoft 365 Enterprise, Microsoft 365 Business offers the
full set of productivity tools found in Office 365, and includes security and device management features.
However, it does not include some of the more advanced information protection, compliance, or analytics
tools that are available to enterprise subscribers. It’s designed for organizations that need up to 300
licenses; if an organization is larger than that, they will need to subscribe to a Microsoft 365 Enterprise
plan instead.
For the latest information about Microsoft 365 Business plans, features, and pricing, go to https://www.microsoft.com/en-US/microsoft-365/business.

Microsoft 365 Education

Microsoft 365 Education is available for educational organizations. Academic licenses can be tailored to
fit any institution’s needs, including productivity and security solutions for faculty, staff, and students.

For more information about Microsoft 365 Education, go to https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx.

Managing subscriptions in Microsoft 365


You can manage your Microsoft 365 subscription via the Microsoft 365 admin center. (Many functions
can also be performed via the Windows PowerShell command-line interface.) Administrators can view
billing and manage their subscription in the Subscriptions window. As highlighted in the following figure,
the More actions menu in the Subscriptions window is where administrators can:
●● Add a partner of record to identify who sold you your Microsoft 365 subscription.
●● Edit your subscription address.
●● Cancel your subscription.
●● Install software that is part of your Microsoft 365 subscription.

Managing licenses in Microsoft 365


When you buy a Microsoft 365 subscription, you specify the number of licenses that you need, based on
how many people you have in your organization. If you have more than one subscription, you can assign
licenses to different people for each subscription.
The Microsoft 365 admin center is where you create accounts for people and assign licenses to them. As
your organizational needs change, you can buy more licenses to accommodate new people. You can also
remove a license when a user no longer requires it, enabling you to re-assign the license to a different
person. By doing so, you can maintain the correct number of licenses your organization requires without
paying for unneeded additional licenses (known as over-licensing), or running out of licenses for additional users.

Administrators might also encounter an expired license, meaning that the license wasn’t renewed, or the
payment for the latest billing cycle is past due. In this scenario, the user whose account is associated with
the expired license will have reduced functionality with Microsoft 365 features and products until the
license is renewed, or an administrator allocates another license to that user.
Administrators can also enable or disable functionalities within a single license for each user. As depicted
in the following figure, there can be many services and tools within a single license that administrators
can toggle on or off to fine-tune each user’s account settings. Note, however, that deactivating any or all
features for a user does not affect license consumption; these individual controls within the user’s
product licenses pane are separate from allocating a license to a user, or removing a license from a user.

Managing billing in Microsoft 365


Billing in Microsoft 365 is also managed from Microsoft 365 admin center. The options available and
pricing associated with any account depend on the subscription selected and the number of licensed
users. Each service has a specified price that is typically rated on a per-user, per-month basis.
In Microsoft 365 admin center, you can review and modify all billing aspects, including:
●● Current number of purchased licenses, and the number of those that have been allocated to users for
each service.
●● Any current charges due on an account.
●● Payment method (credit card, or in some countries or regions, bank accounts, or prepaid—where you
have a product key code to activate licenses), and payment frequency (monthly or annual basis).
●● Additional services or features you might opt to add to the subscription.
●● Billing notifications, where you can provide a list of email accounts of who should receive automated
billing notifications and renewal reminders for the Microsoft 365 subscription.

Subscriptions, licenses, and billing


Let's do a quick activity to test your knowledge of subscriptions, licenses and billing. The review activity is available at:
https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_04_01_05_Subscriptionstutorial.html

Support in Microsoft 365


Introduction
In this lesson, you’ll learn about what support options are available in Microsoft 365, and the guarantees
and service-level agreements (SLAs) that it offers. You’ll also learn how to monitor your Microsoft 365
service health, how to create new service requests, and how to review the status of active service requests.
After this lesson, you should be able to:
●● List what support options are available with Microsoft 365.
●● Discuss guarantees, SLAs, and capping of liability of the Cloud Service Provider.
●● Demonstrate how to create a service request and how to review any active service requests in your
subscription.
●● Demonstrate how to monitor your Microsoft 365 service health.

Support options in Microsoft 365


Microsoft 365 subscribers have a variety of support options to choose from. The particulars depend on
the type of Microsoft 365 subscription, service package included, the service or tool in question, and the
source of support. In general, Microsoft 365 subscribers can obtain help in the following ways:
●● Cloud Service Provider Tier 1 support. If you have established your Microsoft 365 subscription
through a Microsoft Cloud Solution Provider (CSP) that is certified as a Tier 1 CSP, you can contact
them directly for technical support. Under this model, your Tier 1 CSP can provision your Microsoft
365 tenant for you, and act as your first point of contact for all service-related issues. Tier 1 providers
will escalate any issues they can’t resolve directly to Microsoft to ensure that you get the help you
need.
●● Telephone support. Some Microsoft 365 components provide phone support. For more information about languages, regions, and phone numbers, go to: https://docs.microsoft.com/en-us/office365/admin/contact-support-for-business-products?redirectSourcePath=%252farticle%252fContact-support-for-business-products-Admin-Help-32a17ca7-6fa0-4870-8a8d-e25ba4ccfd4b&view=o365-worldwide&tabs=phone
●● Microsoft 365 support forums. Microsoft offers many official support forums where you can pose questions and obtain responses from both Microsoft and community members. Different technologies and services within Microsoft 365 have their own forums. Some of the more popular ones are:
●● Azure forums: https://azure.microsoft.com/en-us/support/community/
●● Windows forums: https://answers.microsoft.com/en-us/windows/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
●● Office forums: https://answers.microsoft.com/en-us/msoffice/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
●● Automated assistance bot. Microsoft 365 admin center offers an automated assistance bot that’s designed to help administrators get answers to their own support questions. Accessed from the Need help button, the bot known as O365 Assistant offers a chat-based user experience with natural language capabilities.

●● Premier Support. Microsoft Premier Support Services is well suited for large or global enterprises
with strategic and business-critical dependence on Microsoft products, including Microsoft 365 and
Microsoft Azure. Premier Support Services members are assigned a technical account manager, and
additional benefits such as advisory services and on-site support are available.

Microsoft 365 SLAs


As with any cloud-based service offering, Microsoft 365 subscriptions come with a guaranteed amount of uptime in terms of a percentage of service availability over a period of time (such as a 99 percent available uptime average over the period of one year). The particulars of the guarantee are stipulated in a legal
agreement between a cloud service provider and the customer, known as an SLA. The details within an
SLA vary from one cloud service provider to another.
In addition to your CSP’s SLA, Microsoft offers Microsoft 365 subscribers a Microsoft Online Services
Agreement that provides financial backing to our commitment to achieve and maintain the service levels
for each service.

Business considerations for SLAs


Although the cloud has much to offer, it’s not unlike any other network, server, or on-premises service,
where an unforeseen problem or disaster can cause the service to be unavailable. Therefore, before
signing any service agreement between your organization and the cloud provider, thoroughly review the
SLA.
When reviewing the agreement, ask yourself the following questions:
●● How does the CSP determine whether service levels are being achieved?
●● Who is responsible for measurement, and how can I obtain reports?
●● What exceptions are there in the SLA?
●● When the SLA is not met, what’s the remedy for the deficiencies?
●● What happens when maintenance (both scheduled and emergency) is performed?
●● What happens when a malicious hacker targets my business or the infrastructure that we’re running
on, and the result is downtime?
●● What happens when third-party system failures or services are not under the vendor’s control?
●● What happens if the service is brought down by acts of war or natural disasters, such as earthquakes,
floods, storms, tornadoes, or hurricanes?
●● What limits to the CSP’s liability are stated in the SLA?
The following video discusses these important SLA considerations in more detail.

Understand cloud services and liabilities

What is a service request?


A service request is a support process that formalizes a user’s request to Microsoft Support for help.
These requests can be made through different channels including telephone support, online chat support, and email. Each service request is identified by a unique code that helps track the request through
the support process until the issue is resolved and the service request is closed.

Creating a service request


The Microsoft 365 admin center provides an integrated interface where administrators can create a new
service request and view the status of any existing requests. As shown in the following image, you first
must toggle off the O365 Assistant bot within the Support pane. You then type in a description of your
issue, search for solutions, and if your problem hasn’t been resolved, create a new service request by
phone or by email.

Viewing existing service requests


You can also view the status of all your existing service requests. To do so, you either click View service
requests under the Support blade, or if you already have the help pane open, click the circular arrow
icon in the Need help tab to display a list of your service requests.

How to monitor Microsoft 365 service health


The first place to go to review your Microsoft 365 subscription’s health status is Microsoft 365 admin
portal. As depicted in the following figure, clicking Service health in the Microsoft 365 admin center’s
Health pane will display a list of all your subscription’s services and their associated health statuses. You
can also filter the list to show only incidents (which indicate a degraded or interrupted service), only advisories (issues that are more limited in scope or impact), or all services, including those running normally.

You can also click on any entry to obtain more details. For example, the following screenshot displays the
details of a Microsoft Exchange Online incident, including:
●● A description of the problem
●● When the incident was first logged
●● Last update to the incident
●● Current status
●● User impact

Microsoft 365 support


Let's do a quick activity to test your knowledge of Microsoft 365 support. The review activity is available at:
https://edxinteractivepage.blob.core.windows.net/miltstatic/MS-900.1/20190128-114536911/static/MS900.1_04_02_05_Supporttutorial.html

Lab - Managing subscriptions, licensing, and support in Microsoft 365
Lab Introduction
This lab is designed to reinforce the concepts you were introduced to and the knowledge you've gained
in this module. In this lab, you will use your trial Microsoft 365 account to gain hands-on experience
managing your Microsoft 365 subscription, licensing, and billing settings.
Please note that this lab has three exercises, each with multiple tasks. For a successful outcome, the
exercises and their corresponding tasks must be completed in order.

Exercise 1
Exploring interfaces for billing and subscriptions

Task 1: Explore the billing environment


1. Open Microsoft Edge and navigate to http://www.office.com.
2. Sign in using the global admin account you have been assigned for this course.
3. Select the Admin tile.
4. In Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Purchase
services. This is where you can add more Microsoft services to your account. Scroll through the list of
available services you can subscribe to in addition to Microsoft 365.
5. In Billing, select Subscriptions. This is where you manage your subscriptions.
●● If it’s not already selected, select the Microsoft 365 E5 Trial subscription, and then review its details,
including available and assigned licenses, cost, and the trial’s expiration date.
●● In the lower-right section of the main pane, click More actions.
This is where you can add a partner of record to your account, cancel the trial, or install software that’s
associated with your subscription. Spend a few minutes to explore each of these areas, but do not make
any changes.
6. In Billing, select Bills. This is where you can review your subscription’s billing statements.
●● This is the menu where you can select a certain billing period, but because this is a new trial you won’t
have any billing statements available to review.
●● At the top of the main window, select Billing FAQ. Scan through this FAQ to learn more about billing,
including regional phone numbers to call for billing support, and updating payment information.
When you’ve finished, return to Microsoft 365 admin center.
7. In Billing, select Payment methods. This is where you can specify how to pay for your services.
8. Select Select a payment method to review the type (or types) of payment methods that are available
in your region.
9. In Billing, select Licenses. This is where you manage your subscription licenses.


●● Note that for each type of subscription you’ll see the total number of licenses (both valid and expired),
in addition to the number of licenses that are assigned to users.
●● Don’t do anything with your licenses yet; we’ll step through managing licenses in the next exercise.
10. In Billing, select Billing notifications. This is where you can determine who receives automated
emails about Microsoft services billing.

Exercise 2
Managing licenses

Task 1: Provision a new subscription and licenses for your tenant
1. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Purchase
services.
2. Scroll through the list of available services, and then select one that offers a free trial.
3. After signing up for the trial, in the Microsoft 365 admin center, in the navigation pane, expand
Billing, and then select Subscriptions to view the details of your new trial subscription and associated licenses.

Task 2: Assign a user license


1. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Licenses.
Make a note of how many licenses have been assigned.
2. In the Microsoft 365 E5 row, under the Status column, select Assign now.
3. In the user list that appears, select a user that is currently Unlicensed, and then in the User configu-
ration window that appears, next to Product licenses, select Edit.
4. In the Product licenses window, from the Location menu, select United States. Set the Microsoft
365 E5 license toggle to On, and then select Save to save your changes.
5. Select Close to confirm the changes, and then select Close to close the User configuration window.
6. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Licenses.
7. Confirm that an additional license has been assigned.

Task 3: Remove a user license


1. In the Microsoft 365 admin center, in the navigation pane, expand Users, and then under Status,
select a user account that lists Microsoft 365 E5.
2. In the User configuration window that appears, next to Product licenses, select Edit.
3. In the Product licenses window, set the Microsoft 365 E5 license toggle to Off, and then select Save.
4. Select Close to confirm the changes, and then select Close to close the User configuration window.
5. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Licenses.
6. Confirm that an additional license has been freed up and can be re-assigned.
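The license operations covered in the "Managing licenses in Microsoft 365" topic and performed through the admin center in Exercise 2 above can also be scripted, as that topic notes, with Windows PowerShell. The following is an added example, not code from the course or from Microsoft, built on the MSOnline module cmdlets (Connect-MsolService, Get-MsolAccountSku, Get-MsolUser, Set-MsolUser, Set-MsolUserLicense, New-MsolLicenseOptions). The SKU id contoso:SPE_E5, the user principal names and the SWAY plan name are placeholders. It shows the distinction the topic draws: disabling service plans inside a license does not free it, only removing the license does. It also adds a check the admin center does not surface directly, licensed accounts that are blocked from signing in, because that is where over-licensing and stale access tend to coincide.

```powershell
# Added example (not from the course): license hygiene with the MSOnline PowerShell module.
# Assumptions: the MSOnline module is installed (Install-Module MSOnline) and you have already
# run Connect-MsolService with a Global administrator or License administrator account.
# 'contoso:SPE_E5' and the user principal names below are constructed placeholders;
# list your own tenant's SKU ids with Get-MsolAccountSku.

$SkuId = 'contoso:SPE_E5'   # placeholder: <tenantname>:<SKU part number>

# 1. Report headroom per SKU. ActiveUnits = purchased, ConsumedUnits = assigned to users,
#    WarningUnits = units in a warning state, typically because the subscription was not renewed
#    (the "expired license" case described in the course).
function Get-LicenseHeadroom {
    Get-MsolAccountSku | ForEach-Object {
        [pscustomobject]@{
            AccountSkuId = $_.AccountSkuId
            Purchased    = $_.ActiveUnits
            Assigned     = $_.ConsumedUnits
            Available    = $_.ActiveUnits - $_.ConsumedUnits   # paid for but unassigned (over-licensing)
            Warning      = $_.WarningUnits
        }
    }
}

# 2. Assign a license. A UsageLocation must be set before any license can be assigned,
#    which is why the admin center asks for a Location in the Product licenses window.
function Grant-UserLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId,
        [string]$UsageLocation = 'US'
    )
    Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId
}

# 3. Turn individual service plans off inside an assigned license (the per-user toggles in the
#    Product licenses pane). This does NOT free the license: ConsumedUnits is unchanged.
function Disable-UserServicePlan {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId,
        [Parameter(Mandatory)][string[]]$DisabledPlans   # plan names as listed in Get-MsolAccountSku ServiceStatus
    )
    $options = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $options
}

# 4. Remove the license so it can be re-assigned. This is the operation that lowers
#    ConsumedUnits and avoids paying for licenses nobody uses.
function Revoke-UserLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId
    )
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $AccountSkuId
}

# 5. Find accounts that are blocked from signing in (leavers, accounts disabled after an incident)
#    but still hold a license: they keep consuming a unit until the license is revoked.
function Get-BlockedLicensedUser {
    Get-MsolUser -All |
        Where-Object { $_.IsLicensed -and $_.BlockCredential } |
        Select-Object UserPrincipalName, @{ Name = 'Skus'; Expression = { ($_.Licenses.AccountSkuId) -join ',' } }
}

# Usage with placeholder values (mirrors Exercise 2, Tasks 2 and 3 of the lab):
Get-LicenseHeadroom | Format-Table -AutoSize
Grant-UserLicense       -UserPrincipalName 'alex@contoso.onmicrosoft.com'   -AccountSkuId $SkuId -UsageLocation 'US'
Disable-UserServicePlan -UserPrincipalName 'alex@contoso.onmicrosoft.com'   -AccountSkuId $SkuId -DisabledPlans 'SWAY'
Revoke-UserLicense      -UserPrincipalName 'leaver@contoso.onmicrosoft.com' -AccountSkuId $SkuId
Get-BlockedLicensedUser | Format-Table -AutoSize
```

Run Get-LicenseHeadroom before and after the grant and revoke calls to observe the Assigned count moving, and after the Disable-UserServicePlan call to observe that it does not. The blocked-but-licensed report is worth scheduling: an account that is blocked but still licensed is both a cost and a sign that offboarding stopped halfway.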

Task 4: Remove a subscription from your tenant


1. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Subscriptions.
2. In the Subscriptions window, select the new trial subscription you added in Task 1.
3. In the lower-right corner of the window, select the More actions menu, and then select Cancel
subscription.
4. On the Cancel subscription page that appears, confirm you are canceling the appropriate trial. Fill
out the form’s details, and then select Cancel subscription.

Exercise 3
Reviewing support options

Task 1: Use the O365 Assistant bot


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help pane that opens, ensure that the Try O365 Assistant is switched on.
3. In the Type Message field, enter a question concerning your Microsoft 365 subscription, such as, My
OneDrive for Business isn’t synchronizing.
4. Review the O365 Assistant’s responses:
●● Select a topic to review.
●● Step through the O365 Assistant’s questions.
●● Review the links to related support articles.

Task 2: Search Microsoft 365 support articles


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help pane that opens, ensure that the Try O365 Assistant is switched off.
3. In the text box, enter a question concerning your Microsoft 365 subscription, such as, “My OneDrive
for Business isn’t synchronizing,” then select Get help.
4. Under View solutions, review the links to related support articles.

Task 3: Check for recent support tickets


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select View service requests.
2. In the Support tickets pane that opens, the list of your support tickets appears—which should be
none, as this is a new trial account.

Task 4: Begin to create a service request


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help? pane that opens, ensure that the Try O365 Assistant is switched off.
3. In the text box, enter a question concerning your Microsoft 365 subscription, such as, My OneDrive for
Business isn’t synchronizing, then select Get help.
4. Review how to create a new phone request:
●● Under New service request by phone, review how you would enter your contact information and
attach any optional materials to help explain your support request. Do not enter any information or
select Call me, as this would create an actual service request.
5. Close New service request by phone when you’ve finished reviewing it.
6. Review how to create a new email service request:
●● Under New service request by email, review how you would enter your email address (or addresses)
and attach any optional materials to help explain your support request. Do not enter any information
or select Send, as this would create an actual service request.
7. Close New service request by email when you’ve finished reviewing it.

Module Assessment
Questions
Multiple choice
Which of the following Microsoft 365 subscription plans includes Microsoft Azure Active Directory Plan 2 for
advanced identity and access management? (Choose the best answer.)
†† Microsoft 365 Business
†† Microsoft 365 E3
†† Microsoft 365 E5

Checkbox
Which of the following actions can a Microsoft 365 administrator perform in the Microsoft 365 admin
center’s Subscriptions window? (Choose all that apply.)
†† Add a partner of record to identify who sold you your Microsoft 365 subscription.
†† Edit the subscription address.
†† Cancel the subscription.
†† Install software that is part of their Microsoft 365 subscription.

Checkbox
You have an issue with your Microsoft OneDrive for Business. If you’ve purchased a Microsoft 365 Business
subscription directly from Microsoft, which support options are available to you? (Choose all that apply.)
†† Cloud Service Provider Tier 1 support
†† Microsoft 365 support forums
†† O365 Assistant
†† Microsoft Premier Support Services
†† Microsoft 365 service request

Multiple choice
What is the maximum number of licenses you can purchase under a Microsoft 365 Business subscription?
(Choose the correct answer.)
†† 100
†† 200
†† 300
†† 500

Checkbox
An educational facility is considering a Microsoft 365 Education subscription. Which people in the institution
can be assigned licenses through this subscription? (Choose all that apply.)
†† Faculty
†† Staff
†† Students
†† Alumni

Multiple choice
You’re the Microsoft 365 subscription administrator at your organization. As of 10:00 AM this morning, no
one is able to connect their mailboxes to the Microsoft Exchange Online service. What should you do to
check the service status? (Choose the correct answer.)
†† Navigate to Service health in the Microsoft 365 admin center.
†† Visit the Microsoft Office 365 online forum.
†† Visit the Microsoft Azure online forum.
†† Send an email to Microsoft support.

Multiple choice
Your organization is looking for a Microsoft 365 offering that is built specifically for firstline workers. Which
plan should you choose? (Choose the correct answer.)
†† Microsoft 365 Education
†† Microsoft 365 E3
†† Microsoft 365 E5
†† Microsoft 365 F1
†† Microsoft 365 Business

Checkbox
Which of the following actions can a Microsoft 365 administrator perform with their subscription’s licenses?
(Choose all that apply.)
†† Remove a license from a user to make it available to another user.
†† Enable or disable functionalities within a license.
†† Allocate functionality of one license between two or more users.
†† Purchase additional licenses.

Multiple choice
You want to review the statuses of your existing Microsoft 365 service requests. What’s the best way to do
that? (Choose the correct answer.)
†† In the Microsoft 365 admin center, select View service requests under the Support blade.
†† Search the Microsoft 365 support forums using your service request numbers.
†† Only Tier 1 Cloud Service Providers have this information; you will need to call them.
†† Email Microsoft Support.

Multiple choice
Which plan combines Microsoft 365 E5 with Device as a Service (DaaS) and IT as a service? (Choose the
correct answer.)
†† Microsoft 365 E5
†† Microsoft 365 F1
†† Microsoft 365 Business
†† Microsoft Managed Desktop

Answers
Multiple choice
Which of the following Microsoft 365 subscription plans includes Microsoft Azure Active Directory Plan 2
for advanced identity and access management? (Choose the best answer.)
†† Microsoft 365 Business
†† Microsoft 365 E3
■■ Microsoft 365 E5
 
Checkbox
Which of the following actions can a Microsoft 365 administrator perform in the Microsoft 365 admin
center’s Subscriptions window? (Choose all that apply.)
■■ Add a partner of record to identify who sold you your Microsoft 365 subscription.
■■ Edit the subscription address.
■■ Cancel the subscription.
■■ Install software that is part of their Microsoft 365 subscription.
 
Checkbox
You have an issue with your Microsoft OneDrive for Business. If you’ve purchased a Microsoft 365
Business subscription directly from Microsoft, which support options are available to you? (Choose all
that apply.)
†† Cloud Service Provider Tier 1 support
■■ Microsoft 365 support forums
■■ O365 Assistant
†† Microsoft Premier Support Services
■■ Microsoft 365 service request
 
Multiple choice
What is the maximum number of licenses you can purchase under a Microsoft 365 Business subscription?
(Choose the correct answer.)
†† 100
†† 200
■■ 300
†† 500
 

Checkbox
An educational facility is considering a Microsoft 365 Education subscription. Which people in the
institution can be assigned licenses through this subscription? (Choose all that apply.)
■■ Faculty
■■ Staff
■■ Students
†† Alumni
 
Multiple choice
You’re the Microsoft 365 subscription administrator at your organization. As of 10:00 AM this morning, no
one is able to connect their mailboxes to the Microsoft Exchange Online service. What should you do to
check the service status? (Choose the correct answer.)
■■ Navigate to Service health in the Microsoft 365 admin center.
†† Visit the Microsoft Office 365 online forum.
†† Visit the Microsoft Azure online forum.
†† Send an email to Microsoft support.
 
Multiple choice
Your organization is looking for a Microsoft 365 offering that is built specifically for firstline workers.
Which plan should you choose? (Choose the correct answer.)
†† Microsoft 365 Education
†† Microsoft 365 E3
†† Microsoft 365 E5
■■ Microsoft 365 F1
†† Microsoft 365 Business
 
Checkbox
Which of the following actions can a Microsoft 365 administrator perform with their subscription’s
licenses? (Choose all that apply.)
■■ Remove a license from a user to make it available to another user.
■■ Enable or disable functionalities within a license.
†† Allocate functionality of one license between two or more users.
■■ Purchase additional licenses.
 

Multiple choice
You want to review the statuses of your existing Microsoft 365 service requests. What’s the best way to
do that? (Choose the correct answer.)
■■ In the Microsoft 365 admin center, select View service requests under the Support blade.
†† Search the Microsoft 365 support forums using your service request numbers.
†† Only Tier 1 Cloud Service Providers have this information; you will need to call them.
†† Email Microsoft Support.
 
Multiple choice
Which plan combines Microsoft 365 E5 with Device as a Service (DaaS) and IT as a service? (Choose the
correct answer.)
†† Microsoft 365 E5
†† Microsoft 365 F1
†† Microsoft 365 Business
■■ Microsoft Managed Desktop
 