MS-900T01
Microsoft 365
Fundamentals
MCT USE ONLY. STUDENT USE PROHIBITED
Disclaimer
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2019 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.
EULA
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in
digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install
the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User
who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of
the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware
being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can access
one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior
to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to their
accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all
your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in
digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install
the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User
attending the Authorized Training Session and only immediately prior to the commencement of the
Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware
provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their use
of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote
their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing
the Microsoft Instructor-Led Courseware,
vi. you will ensure that each MCT teaching an Authorized Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that
is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
viii. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
ix. you will only provide access to the Trainer Content to MCTs.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in
digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install
the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User
attending the Private Training Session, and only immediately prior to the commencement of the Private
Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their use
of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote
their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing
the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training
Session or Private Training Session, and install one (1) additional copy on another Personal Device as a
backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy
of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the
Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training
Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement. If you
elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only
be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations
will comply with this agreement. For clarity, any use of “customize” refers only to changing the
order of slides and content, and/or not using all the slides or content, it does not mean changing or
modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code are included for
your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version. Licensed
Content based on the final version of the technology may not contain the same information as the
Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with
any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights survive
this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency
Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the
Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon
expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the
Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you
some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives
you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in
this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
· access or allow any individual to access the Licensed Content if they have not acquired a valid
license for the Licensed Content,
· alter, remove or obscure any copyright or other protective notices (including watermarks),
branding or identifications contained in the Licensed Content,
· modify or create a derivative work of any Licensed Content,
· publicly display, or make the Licensed Content available for others to access or use,
· copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
· work around any technical limitations in the Licensed Content, or
· reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights
in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the
Licensed Content. These laws include restrictions on destinations, end users and end use. For additional
information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services
for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates
and supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict
of laws principles. The laws of the state where you live govern all other claims, including claims under
state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the laws
of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE."
YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS
WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS
UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED
UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00.
YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
· anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
· claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any
use of this licensed content is at your sole risk. Microsoft gives no other
express warranty. You may have additional rights under local consumer protection
law, which this agreement cannot change. Where permitted by local law, the
implied warranties of merchantability, fitness for a particular purpose and non-infringement
are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES.
You can recover from Microsoft and its suppliers compensation for direct damages
only, up to US$5.00. You cannot claim any compensation for other
damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
· anything related to the licensed content, services or content (including code)
on third-party Internet sites or in third-party programs; and
· claims for breach of contract or warranty, or for strict liability,
negligence or other tort, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such
damage. If your country does not allow the exclusion or limitation of liability for indirect,
incidental or other damages of any kind, the above limitation or exclusion
may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change your rights under the laws
of your country if those laws do not permit it to do so.
Revised November 2014
Contents
■■ Module 0 Introduction
Course introduction
About This Course
■■ Module 1 Cloud Concepts
Principles of cloud computing
Microsoft cloud services
Migrating to cloud services
Lab - Cloud Fundamentals
■■ Module 2 Microsoft 365 Services
Microsoft 365 core services
Deploying Windows 10 and Office 365 ProPlus
Unified endpoint management in Microsoft 365
Teamwork in Microsoft 365
Lab - Configuring Microsoft 365 tenant
■■ Module 3 Security, compliance, privacy, and trust in Microsoft 365
Organizational security fundamentals
Security features in Microsoft 365
Identity and Access Management
Device and information protection
Compliance in Microsoft 365
Lab - Implement security and compliance in Microsoft 365
■■ Module 4 Microsoft 365 pricing and support
Microsoft 365 subscriptions, updates, licenses, and billing
Support in Microsoft 365
Lab - Managing subscriptions, licensing, and support in Microsoft 365
■■ Module 5 Course Review
Course Review
Module 0 Introduction
Course introduction
Welcome
https://www.youtube.com/watch?v=FUWU8853hZQ
1 https://www.microsoft.com/en-us/learning/exam-MS-900.aspx
About This Course
4. Take the Exam: Here is an example of an MS-900 Microsoft 365 Fundamentals exam item:
Your organization deploys Microsoft 365. Your goal is to significantly improve your security posture.
Which of the following actions will improve your Microsoft 365 Secure Score the most?
A. Require MFA for Azure AD privileged roles
B. Turn on mailbox auditing
C. Enable Password Hash Sync if hybrid
D. Store user documents in OneDrive for Business
In this example, a learner who is familiar with the Microsoft Secure Score dashboard, whether
through learning, exploration of Microsoft 365, or both, would know that “Require MFA for Azure
AD privileged roles” impacts the Secure Score by fifty points, whereas each of the other answer
options impacts the score by no more than ten points.
Module 1 Cloud Concepts
The goal of cloud computing is to make running a business easier and more efficient, whether it's a small
start-up company or a large enterprise. Every business is unique and has different needs. To meet those
needs, cloud computing providers offer a wide range of services. Some of the most common types
include:
●● Compute services. Enables you to run your own web apps, databases, virtual machines, and other
types of computing in the cloud instead of on local hardware. An example of compute services is
Microsoft Azure Virtual Machines.
●● Communications services. Provides communications between users. Examples of communication
services include Microsoft Exchange Online and Microsoft Teams. Exchange Online provides email,
calendar, and contact sharing, and Teams provides instant messaging, computer-to-computer audio
and video calls, screen sharing, and an integrated platform for sharing of documents and collaboration.
●● Productivity services. Allows users to work and collaborate. An example of productivity services is
Microsoft Office 365, which provides a comprehensive collaboration platform for the entire organization.
●● Search services. Provides search functionality into custom applications. In addition, it can provide a
search engine and data storage that can be accessed through an API. An example of search services is
Azure Search.
●● Storage services. Provides a storage platform for data. By storing data in the cloud, any user or
device can access it. Examples of storage services are Microsoft Azure Storage and Microsoft OneDrive
for Business.
●● Operating expenditures (OpEx) are the costs that an organization incurs while performing its normal
business operations. This includes the electricity consumed, cost of employees to manage and
support systems, office space, and internet connections. Management is responsible for minimizing
OpEx without significantly affecting the organization’s operations and ability to compete in the
marketplace. OpEx is expensed each year because you pay for and use the product or service.
Now that you understand these different types of costs, let’s see how they relate to cloud computing and
traditional on-premises costs.
●● Leasing software and customized features. When you use the pay-per-use model, you have to
actively manage your subscriptions. You must ensure that users do not misuse the cloud, while
making sure that provisioned accounts are actually being used and not wasted. As soon as resources
are provisioned by the provider, billing starts. It is the client’s responsibility to deprovision the
resources when they are not in use, so that they can manage costs.
●● Scaled charges based on usage/demand instead of fixed hardware or capacity. Cloud computing
can bill in various ways: on the number of users, or on CPU usage amounts. However, billing categories
can also include allocated RAM, I/O operations per second (IOPS) units, and storage space. If you
are connecting a datacenter to the cloud or connecting two clouds together, identify how much data
needs to be transferred so that you can determine the bandwidth needed. Don’t forget to plan for
backup traffic to or from the cloud, and replication between datacenters or the datacenter and the
cloud for data recovery purposes.
●● Billing at the user or organization level. The subscription (or pay-per-use) model is a computing
billing method that is designed for both organizations and end-users. The organization or user is
billed for the services used, typically on a recurring basis. You can scale, customize, and provision
computing resources, including software, storage, and development platforms. For example, when
using a dedicated cloud service, you could pay based on server power and usage.
Public cloud
This is the most common deployment model. In the public cloud model, you have no local hardware to
manage or keep up-to-date—everything runs on your cloud service provider’s hardware. This means that
the information technology infrastructure (hardware, servers, software, and other infrastructure items) is
located somewhere other than your datacenter, and is managed by a third party.
There are two variants of a public cloud:
●● Shared public cloud is where many companies share common resources (such as email) within the
same cloud service provider’s environment. Each company is only aware of its own cloud services
account (also known as a tenant); only the cloud service provider who manages this multi-tenant
environment is aware of the different accounts running within the same cloud. This model works well
for smaller businesses who are looking to save additional costs, because sharing computing resources
with other cloud users is cheaper than reserving resources for a single account.
●● Dedicated public cloud is typically for enterprise organizations who require a dedicated physical
infrastructure that is reserved for only their use, such as an on-demand sandbox environment. While
the cost might be higher than that of the shared public cloud, the dedicated public cloud might offer
better security, performance, and customization.
The advantages of public clouds include:
●● Lower costs. No need to purchase hardware or software, and you pay only for the service you use.
●● No maintenance. Your service provider provides the maintenance.
●● Near-unlimited scalability. On-demand resources are available to meet your business needs.
●● High reliability. A vast network of servers ensures against failure.
Private cloud
In a private cloud, you create a cloud environment in your own datacenter and provide self-service access
to compute resources to users in your organization. This model offers a simulation of a public cloud to
your users, but you remain entirely responsible for the purchase and maintenance of the hardware and
software services you provide. An example of a private cloud would be an organization that deploys
virtual machines that use proprietary peripheral devices.
The advantages of private clouds include:
●● More flexibility. Your organization can customize its cloud environment to meet specific business
needs.
●● Improved security. Resources are not shared with others, so higher levels of control and security are
possible.
●● High scalability. Private clouds still afford the scalability and efficiency of a public cloud.
Some reasons teams move away from the private cloud are:
●● You have to purchase the hardware for startup and maintenance.
●● Private clouds require IT skills and expertise that can be hard to find.
Hybrid cloud
A hybrid cloud combines public and private clouds, allowing you to run your applications in the most
appropriate location. For example, you could host a website in the public cloud, but link it to a highly
secure database hosted in your private cloud (or on-premises datacenter). A hybrid cloud deployment
provides failover capabilities between local resources that you manage and resources in other regions.
This is helpful when you have some things that cannot be put in the cloud.
Organizations implement hybrid cloud deployments for a variety of reasons, the most common of which
include:
●● Protecting sensitive data. You have data that cannot be exposed publicly (such as medical data).
●● Extending capabilities of on-premises systems. You have applications that run on old hardware and
can’t be updated. In this case, you keep the old system running locally, and connect it to the public
cloud for authorization or storage.
●● Reducing data protection costs. You want to implement public key infrastructure (PKI) and Information
Rights Management Services (RMS) infrastructure locally for data protection, but doing so would
be expensive. Instead, you can enable these features from the cloud, and they will protect both your
cloud and on-premises documents and data.
IaaS is the most flexible category of cloud services. It aims to provide you with complete control over the
hardware that runs your application. However, instead of having to purchase hardware—such as servers,
switches, routers, storage area networks, and firewalls—with IaaS, you rent it. Given the hardware costs
associated with this cloud model, it would not be the recommended solution for organizations looking to
minimize server and application maintenance costs. A common example of IaaS is server-based
workloads on a virtual machine that are connected to an on-premises network. Virtual machines can be
quickly deployed using the IaaS model.
PaaS provides an environment for buying, building, testing, deploying, and running software applications;
therefore, it would not be the recommended cloud model for organizations looking to deploy a service
such as Exchange Online that is already fully developed. The goal of PaaS is to help you create an application
as quickly as possible without having to worry about managing the underlying infrastructure. For
example, when deploying a web application using PaaS, you don't have to install an operating system,
web server, or even system updates. A common example of a PaaS is a custom web and mobile application
that securely connects to an on-premises data store.
SaaS is software that is centrally hosted and managed for the end customer. It is usually based on an
architecture where one version of the application is used for all customers, and runs on demand through
either remote desktop services or a web browser. The software is typically licensed through a monthly or
annual subscription and does not require deployment or ongoing maintenance. Examples of Software as
a Service include Microsoft 365, OneDrive for Business, Microsoft Outlook on the web, and Exchange
Online. Microsoft 365 is a SaaS because Office 365 delivers a set of software products on a subscription
basis. Exchange Online is also a SaaS, even when integrated with on-premises Exchange Server 2019 in a
hybrid cloud model.
Compliance
Many organizations have regulations and policies that they must comply with to operate in various
industries. For example, companies working in the health industry have to follow HIPAA. These policies
can be quite complex based on the type of industry, geographical location of the organization, and
company-based policies. Further complicating matters is the fact that legal and regulatory bodies might
change the responsibilities of both the cloud-computing tenants and providers.
An organization that does not protect its data could be subject to a fine by one or more government or
industry regulatory bodies. Some of these fines can be substantial, crippling a small or mid-sized business.
Laws or regulations typically specify who within an organization should be held responsible for data
accuracy and security. For example, the Sarbanes–Oxley Act designates the Chief Financial Officer (CFO)
and Chief Executive Officer (CEO) as having joint responsibility for the financial data, while the Gramm–Leach–Bliley
Act specifies that the responsibility for security lies within the entire board of directors. Both
are in contrast to the United States Federal Trade Commission (FTC), which requires a specific
individual to be accountable for the information security program within a company.
All these regulations pertain to cloud computing. If you store any of your data in the cloud, you must
ensure that your cloud service provider follows all legal and regulatory requirements. Remember, it’s still
your responsibility to ensure these requirements are met, so do your due diligence before signing any
contract. Then after the contract is signed, take steps to ensure that compliance is maintained to protect
your company and your customers.
Data protection
When running services and storing data in the cloud, you should follow the standard best practices for
security, just as you would on any on-premises network:
●● Always use strong passwords and ensure the passwords are changed regularly.
●● Always set rights and permissions for only what is needed, and review them on a regular basis.
However, because data consists of confidential information, you should consider using encryption.
●● Perform regular auditing and monitoring.
When considering protection for data in the cloud, explore how to best protect your data both where it’s
stored, and when it’s being used or transmitted:
●● For data that is at rest (sitting on a disk somewhere in the cloud), you should encrypt the disks or files
on the disks. Office 365 Data Loss Protection and Azure Information Protection—both part of Microsoft
365—collectively offer end-to-end discovery, custom labeling, and automated protection of
sensitive data, irrespective of when the data was created or where it is stored—even in PDFs and
RMS-encrypted files.
●● When transmitting important data (data on the move) such as credit card or social security numbers,
use HTTPS to encrypt the data.
work. The key is to create a modern workforce by providing employees with the processes and technology
tools that enhance their productivity and promote the collaboration that is core to accelerating
business.
This includes information workers and firstline workers.
Information workers. This includes those in office roles such as business, sales, accounting, engineering,
administration, management, and design. These are the people who gather information and use technology
tools to gain visibility into the state of the business, company products, and services. Information is
their input, and with the right productivity tools in hand, they develop products, establish schedules,
determine costs, and gain insight into the nature of the business.
Firstline workers. These include customer service, support and repair technicians, service professionals,
and more. These are the people who sit on the company’s “first line” and are commonly the first point of
contact for customers. Therefore they play a key role in representing a company’s brand by establishing
the best customer experience. These employees need the right productivity and collaboration tools to
empower them to do their best work. They also need to connect securely through any device wherever
they are, and use the most up-to-date software to keep information protected.
Microsoft 365 blends critical organizational tasks with technology solutions to meet the needs of modern
organizations and all sorts of busy professionals. Microsoft 365 improves enterprise collaboration,
provides a modernized system that is continually updated, and increases productivity for your modern
workforce, no matter where your employees are or what devices they are using.
For more information about solutions that Microsoft offers firstline workers, go to https://aka.ms/AA55eyb.
●● Mobile Services. Provides a scalable cloud backend for building Microsoft Store, Windows Phone,
Apple iOS, Android, and HTML/JavaScript applications. It can be used to store data in the cloud,
authenticate users, or send push notifications to your application within minutes.
●● Multi-Factor Authentication. By having more than one method of authentication, you can help
prevent unauthorized access to both on-premises and cloud applications.
●● Stream Analytics. Provides an event-processing engine that helps uncover insights from devices,
sensors, cloud infrastructure, and existing data properties in real time.
●● Virtual Machines. Enables you to deploy a Windows Server or Linux image in the cloud.
●● Virtual Network. Enables you to create virtual private networks within Azure, and then securely link
those networks with an on-premises network.
For more information about all the products Azure has to offer, see Azure Services [1].
Product | Description
Office 365 Enterprise | Includes Office 365 ProPlus, the latest Office apps for your PC and Mac (like Word, Excel, PowerPoint, and Outlook), and a full suite of online services for email, file storage and collaboration, meetings, and more.
Windows 10 Enterprise | The most productive and secure version of Windows with comprehensive deployment, device, and app management.
Enterprise Mobility + Security (EMS) | Designed to help manage and protect users, devices, apps, and data in a mobile-first, cloud-first world. Includes Microsoft Intune, Azure AD Premium, and Azure Rights Management.
Some Microsoft 365 components, like Office 365 and Intune, are delivered using the Software as a
Service (SaaS) model. SaaS is software that’s centrally hosted and managed by a cloud service provider
(CSP) for customers. In general, CSPs provide one version of an app for all customers and license it
through a monthly or annual subscription.
[1] https://azure.microsoft.com/en-in/services/
of many organizations who want to maximize their adoption of the cloud for productivity, but also for
enterprise-grade security and desktop operating system management.
Unlocks creativity
Microsoft 365 provides powerful capabilities through AI-powered tools to unleash your organization's
creativity and fuel innovation. From engaging presentations to animated 3D models and immersive mixed
reality experiences, you can now create high-quality content that really stands out. AI-powered tools help
you turn an ever-growing mass of data into actionable insights to transform your organization. Stay
focused with fewer distractions and easily access the people and information you need without leaving
the flow of your work. When inspiration strikes, effortlessly go from thought to content using voice,
touch, and pen on any device.
Intelligent security
Microsoft 365 delivers holistic security across users, devices, apps, and data. Help stop attacks with
integrated and automated security. Protect against credential and device compromise with conditional
access. Locate, classify, and protect information anywhere it lives.
The Microsoft cloud offering can be an excellent solution for companies with any of the following
requirements:
●● Extract more value from existing investment in Microsoft technologies. If you have already
invested in Microsoft technologies, you can easily extend their capabilities and provide a consistent
experience across your entire technology stack. You can establish a hybrid coexistence that natively
integrates your on-premises Microsoft-based infrastructure with the cloud. This includes native
integration with Active Directory, and building and deploying apps for both cloud and on-premises
environments.
●● Work with end-to-end development and management tools. Azure offers unparalleled manageability
with all-in-one dashboards to monitor, manage, and protect your cloud resources. Microsoft
also caters to all types of developers by supporting the most popular development environments. In
fact, Microsoft is the only cloud service provider with integrated support for Red Hat, and also had the
most contributions to GitHub in 2017.
●● Access a comprehensive set of compliance offerings. For organizations that are concerned about
compliance and security in the cloud, Microsoft has extensive expertise in protecting data, championing
privacy, and complying with complex regulations, and currently complies with both EU-US Privacy
Shield and EU Model Clauses.
●● Increase productivity and security while reducing IT overhead. For smaller companies who want
the benefit of always having the latest and greatest version of Microsoft productivity tools without
needing an IT department to manage updates, Microsoft 365 combines familiar productivity tools
with enhanced security and management features to enable a modern workforce from the cloud.
●● Leverage a global footprint. For global enterprises that need to ensure their cloud services provider
can deliver the scale and performance to regional locations, Microsoft has 54 regions spanning 140
countries (the most global regions of any cloud provider) to help bring applications closer to users
around the world.
For more information, go to the following resources:
●● Establishing a hybrid coexistence that natively integrates your on-premises Microsoft-based infrastructure
with the cloud: https://azure.microsoft.com/en-in/solutions/hybrid-cloud-app/
●● Microsoft compliance with EU-US Privacy Shield: https://privacy.microsoft.com/Privacy
●● Microsoft compliance with EU Model Clauses: https://www.microsoft.com/trustcenter/Compliance/EU-Model-Clauses
●● Microsoft Azure world-wide regions: https://azure.microsoft.com/en-in/global-infrastructure/
existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the
seamless look and feel of a single Exchange organization between an on-premises Exchange organization
and Exchange Online in Microsoft Office 365. Exchange provides hybrid capabilities for migrating user
mailboxes and information to Microsoft 365 and provides tools for coexistence. In addition, a hybrid
deployment can serve as an intermediate step to moving completely to an Exchange Online organization.
Migration considerations
When you're planning your migration, the following considerations can guide your plans.
These migrations bring your organization closer to the modern workplace: a secure and integrated
environment that unlocks teamwork and creativity in your organization through Microsoft 365.
Migration considerations
It is common in both large and small organizations to still be running some older versions of server and
computer operating systems, and Microsoft Office programs. To maximize the business value of the
Microsoft 365 integrated suite of products, begin planning and implementing a strategy to migrate:
●● The Office client installed on your computers to Office 365 ProPlus:
    ●● Office 2013 and 2016 are the currently supported versions, but will require ongoing updates that
    might not scale well with your organization. Instead of maintaining and updating computers with
    these standalone products, consider updating and assigning Microsoft 365 licenses.
    ●● Office 2010 will no longer be supported in 2020. Instead of upgrading to Office 2013 or 2016
    which require manual updates, consider providing Microsoft 365 licenses for these users.
    ●● Office 2007 is no longer supported. Rather than upgrading your computers running Office 2007
    with Office 2010, Office 2013, or Office 2016, consider obtaining and assigning Microsoft 365
    licenses for your users.
●● Office servers installed on your servers to their equivalent services in Office 365:
    ●● Office Server 2013 and Office Server 2016 products such as Exchange Server and SharePoint Server
    are supported, but to take advantage of the cloud-based service and enhancements to digitally
    transform your business, consider migrating the data on your Office 2016 servers to Office 365.
    When there is no longer a need for the on-premises servers running Office 2016 server products,
    you can decommission them.
    ●● Some Office Server 2010 products have a specified end-of-support date. Rather than upgrading
    your server products in the Office 2013 release with server products in the Office 2016 release,
    consider migrating their data to Office 365, rolling out the new functionality and work processes to
    your users, and decommissioning your on-premises servers running Exchange Server 2013 and
    SharePoint Server 2013 when you no longer need them.
    ●● Office Server 2007 products are no longer supported. Instead of upgrading your server products in
    the Office 2007 release with server products in the Office 2010, Office 2013, or Office 2016
    releases, consider migrating the data on your Office 2007 servers to Office 365. To help with this,
    hire a Microsoft partner. You can then roll out the new functionality and work processes to your
    users, and then decommission the on-premises servers running Office 2007 server products when
    you no longer need them.
●● Windows 7 and Windows 8.1 on your devices to Windows 10 Enterprise:
    ●● To migrate your devices running Windows 7 or Windows 8.1, you can perform an in-place upgrade
    to Windows 10. Upgrading all devices throughout an organization to the same operating system is
    proven to reduce support costs.
Accomplishing all of these migrations over time brings your organization closer to the modern workplace:
a secure and integrated environment that unlocks teamwork and creativity in your organization
through Microsoft 365.
For more information about migrating to Microsoft 365, go to https://aka.ms/AA4qeby.
Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Your company is running Microsoft Exchange Server 2007 and your employees use Microsoft Office
2007. You need to update your systems, but you want to minimize your CapEx impact. Which of the
following is the best solution?
(A) Purchase Exchange Server 2016 and Office 2016.
(B) Purchase Exchange Server 2010 and Office 2010.
(C) Subscribe to Microsoft 365.
2. You want a cloud subscription model that is the least expensive way to access services that are strictly
hosted by a cloud service provider. Which cloud model describes this?
(A) Public cloud
(B) Private cloud
(C) Hybrid cloud
(D) Cumulonimbus cloud
3. Which of the following best describes the benefits of cloud computing?
(A) Cloud computing is cost effective, elastic and on-premises.
(B) Cloud computing is scalable, inelastic but always current.
(C) Cloud computing is scalable, elastic and reliable.
(D) Cloud computing is cost effective but unreliable.
4. You want to leverage the cloud to host virtual machines (VMs). Which type of cloud service is this?
(A) Infrastructure as a Service (IaaS)
(B) Platform as a Service (PaaS)
(C) Software as a Service (SaaS)
5. Which type of cloud service provides an environment for buying, building, testing, deploying, and
running software applications?
Scenario 1
Company profile: Northwind Traders
Northwind Traders is a three-generation, family-owned import/export company.
Challenge
The company’s growth over the past several years and their employee demands for better collaboration
tools to connect remote offices around the Pacific Rim are outpacing the company’s small IT team.
The IT lead is spending all her time trying to keep their outdated business systems running. She wants to
be able to upgrade the company’s old Microsoft SharePoint Server 2007, which has run out of space.
However, the IT budget is tight, and there would need to be a large up-front investment in new servers,
server licenses, storage, and more. Employee machines are running a mix of Windows 7, 8, and 10 operating
systems, and old versions of Microsoft Office—all with no centralized management of updates.
Furthermore, the proliferation of mobile devices that are frequently connecting to the company’s network
is making her concerned about the potential of an unhealthy device infecting their corporate systems.
Moreover, they’ve been using a free web-based email system that isn’t delivering the business-class
services they need. They want to move completely away from this insecure mail and adopt a business-class
mail system without having to pay huge up-front licensing and hardware costs.
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
SaaS
Dropdown
What type of cloud do you recommend? (Choose one)
Public
Private
Hybrid
Dropdown
What type of migration model do you recommend? (Choose one)
Cloud-only
Co-existence
Scenario 2
Company profile: Contoso, Ltd.
Contoso is a large manufacturing corporation with almost 60,000 employees throughout North America.
Challenge
Like many large enterprises, Contoso has developed customized on-premises-based line-of-business
apps for many critical processes. These apps help them with their manufacturing processes, both upstream
from materials suppliers, and downstream to order processing and customer billing.
Many of these systems are old and inflexible, and the IT organization within Contoso is looking for a way
to use the cloud to extend these apps’ capabilities, empowering remote workers, suppliers, and customers
to more easily identify requirements, confirm production, and fill orders.
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
SaaS
Dropdown
What type of cloud do you recommend? (Choose one)
Public
Private
Hybrid
Dropdown
What type of migration model do you recommend? (Choose one)
Cloud-only
Co-existence
Scenario 3
Company profile: First Up Consultants
First Up Consultants is a medium-sized consulting firm that builds customized applications for medical
businesses.
Challenge
First Up Consultants wants to be able to rapidly spin up virtual machines (VMs) to test new versions of
their software products. This historically has resulted in major CapEx costs associated with new high-end
servers and storage hardware, along with a significant amount of administrative overhead to plan for and
implement all the hardware updates in the company’s datacenter.
The biggest problem has always been one of accurate forecasting, because they either purchase too
much capacity that goes unused—wasting CapEx resources, or they run out of capacity too soon. They
want to significantly reduce their CapEx, in addition to reducing the administrative overhead associated
with each new wave of hardware. The solution First Up Consultants selects must support any type of
environment customization to suit their development needs—and enable them to reduce charges
whenever a system isn’t needed.
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
SaaS
Dropdown
What type of cloud do you recommend? (Choose one)
Public
Private
Hybrid
Dropdown
What type of migration model do you recommend? (Choose one)
Cloud-only
Co-existence
Answers
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
PaaS
■■ SaaS
Explanation
SaaS. The company can subscribe to Microsoft 365 to give every employee access to the latest version of
Office productivity tools—including Microsoft Teams, and Skype for Business. These tools, along with
Microsoft SharePoint Online, will significantly improve how the remote offices collaborate with each other.
Office and Windows management will be streamlined by upgrading everyone to the latest versions, and
then utilizing Microsoft 365’s management tools to manage all devices—including mobile devices.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
Private
Hybrid
Explanation
Public cloud. Pricing is paramount, so the Operating Expenditures (OpEx)–oriented public cloud is optimal
for this company.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
Co-existence
Explanation
Cloud-only migration model. Because the current mail is a free, web-based service that they’ll gladly move
off in favor of Microsoft Exchange Online, there is no need for coexistence with it. Similarly, moving their
files from their outdated SharePoint Server 2007 to the cloud will enable them to decommission their old
machines.
Dropdown
What type of cloud service do you recommend? (Choose one)
IaaS
■■ PaaS
SaaS
Explanation
PaaS. Because PaaS supports building, testing, and deploying software applications that will connect to their
legacy line-of-business systems, this would be the best choice. Different apps can be purpose-built for the
various roles (such as sales, suppliers, and fulfilment), with each app providing the appropriate access into
the line-of-business systems, securely, and from any mobile device.
Dropdown
What type of cloud do you recommend? (Choose one)
Public
Private
■■ Hybrid
Explanation
Hybrid cloud. This type of cloud is preferred for Contoso, as it enables the new web apps in the cloud to
connect to their on-premises line-of-business systems.
Dropdown
What type of migration model do you recommend? (Choose one)
Cloud-only
■■ Co-existence
Explanation
Coexistence migration model. Although coexistence is more complicated to establish, this type of model is
critical for Contoso because it maintains their investment in their existing line-of-business systems, and uses
their new cloud environment as an extension to their on-premises infrastructure.
Dropdown
What type of cloud service do you recommend? (Choose one)
■■ IaaS
PaaS
SaaS
Explanation
IaaS. This model is perfect for First Up Consultants, because it allows them to host all the VMs that they
need to test with. IaaS gives them control over the hardware that runs their applications, so they can utilize
them only when they’re needed. When they don’t need to run the VMs, they can place them in cheaper
cloud-based storage to reduce compute fees.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
Private
Hybrid
Explanation
Public cloud. Because First Up Consultants wants to significantly reduce their hardware costs and minimize
the amount of time their administrators spend configuring new hardware, a public cloud gives them a
platform for their VMs while relieving them of the associated hardware and administrative costs.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
Co-existence
Explanation
Cloud-only migration model. First Up Consultants could migrate any existing on-premises VMs and other
systems to the cloud, then deprecate those machines to free up space and reduce their operational costs.
Module 2 Microsoft 365 Services
Windows 10 Enterprise
Windows 10 Enterprise is one of the central pillars of your Microsoft 365 subscription. Windows 10 meets
the needs of large and midsize organizations, providing IT professionals with intelligent security, simplified
updates, flexible management, and enhanced productivity tools.
Learn what Windows 10 Enterprise has to offer:
Intelligent security
Windows 10 protects, detects, and automatically responds to the most advanced malware and hacking
threats, while protecting user identities, devices, and your organization's information. Windows 10
investigates threats as they evolve and automates remediation to make response times faster, thanks to
the Intelligent Security Graph (which uses security intelligence, machine learning, and behavioral analytics).
These security solutions are built-in and provide you with full security lifecycle management for
endpoint protection (EPP) and detection and response (EDR). It also integrates with Microsoft 365
systems, which covers even the most complex multi-platform environments.
Flexible management
Deploy, manage, and update devices anywhere your employees need to work. Windows 10 includes tools
to help you customize device set up, use unified endpoint management, and control corporate identities,
data, and apps on personal devices without impacting personal data. Windows 10 supports the transition
to cloud-based device management with the ability to co-manage devices in Intune and Config Manager,
using both Active Directory and Azure Active Directory together. In addition, Windows Virtual Desktop
enables users to run incompatible applications on a Windows 10 device.
Simplified updates
Maximize security and productivity by staying current with Windows 10. The way we update Windows has
changed, moving away from major upgrades every few years to feature updates twice per year. Windows
10 provides modern tools and insights needed to support the semi-annual release cadence, with
application compatibility you can trust. 99% of applications that run on Windows 7 will run on Windows 10. You
can plan OS upgrades with confidence using telemetry-based analytics from Windows Analytics.
Windows 10 provides the flexibility and control to manage and distribute updates using your current method
or by leveraging Microsoft’s infrastructure. With every release, Windows updates become smaller and
easier to distribute so that they're less disruptive to your organization.
Work smarter
Windows 10 helps improve productivity by providing faster, safer ways to get work done, across all your
users' devices. Users can find apps, settings, documents, and messages by using enterprise search and
Cortana, and use Timeline to see a chronological view of their activities and documents. Windows 10 also
supports collaboration through Office 365 apps, Microsoft Whiteboard, and OneNote.
Empower workstyles
With Windows 10 your users can work from the devices and places and ways that work best for them.
Windows 10 has hardware options ranging from the Surface Hub to the new always-connected PCs, to
support users wherever they need or prefer to work. Users can move from one device to another with
Continue on PC in Microsoft Edge or take notes directly on a web page with Microsoft Ink. Windows 10
also comes with a robust set of accessibility features, such as narrator, word prediction, and eye control.
Exchange Online
Exchange Online is a messaging and collaboration platform for your email, calendar, contact info, and
tasks. You can access all of this with Microsoft Outlook, Outlook Web Access, or Outlook Mobile.
Exchange Online works from most mobile devices, including Android, iOS, and Windows 10 devices.
Some features of Exchange Online include:
●● Mailboxes and online archives. Individual users have their own mailboxes that they can use to store
mail messages. In addition to the main mailbox, some Office 365 plans include an online archive that
provides additional storage.
●● Calendaring. Each user has a calendar that they can use to track their upcoming events. Users can use
calendars when booking meetings to verify availability. Where appropriate, users can delegate access
to their calendars to other users such as administrative assistants and teammates.
●● View and edit attachments online. When users receive attachments, they can view and edit them
online in Outlook on the web. They do not require a locally installed version of Office.
●● Shared mailboxes and resources. You can use shared mailboxes for groups of users that need to
share information in a central mailbox. You can configure resources for meeting rooms and
equipment to facilitate booking.
●● Public folders. Earlier versions of Microsoft Exchange Server relied on public folders for collaboration.
This feature is still available in Exchange Online if required.
●● Message policy and compliance. There are several message policy and compliance features in
Exchange Online. These include retention policies, message encryption, eDiscovery, data loss
prevention, and journaling.
●● Antispam and anti-malware. All Exchange Online subscriptions include Exchange Online Protection,
which provides configurable antispam and anti-malware scanning.
●● Configurable mail flow. To support specialized mail flow scenarios, you can create send and receive
connectors with varying settings. For example, you can create connectors that require additional
security settings with a business partner.
●● Mobile and multiplatform access. Users can access mailboxes and calendars from Outlook on either
Windows or Mac clients by using Messaging Application Programming Interface (MAPI) over HTTPS,
or by using Exchange Web Services. Outlook on the web supports accessing mailboxes and calendars
from almost any platform. Mobile devices can access mailboxes and calendars by using Microsoft
Exchange ActiveSync.
●● Hybrid deployment. You can integrate Microsoft 365, or more specifically, Exchange Online, with an
on-premises Exchange Server organization by implementing a hybrid deployment. In a hybrid
deployment, Exchange Online and the on-premises Exchange organization can share a single namespace for
messaging. A hybrid deployment also supports calendar sharing and mailbox moves between
Exchange Online and an on-premises Exchange server. In a hybrid deployment, you need to determine
where to manage different deployment features. For example, configuring multi-factor authentication
for cloud services and setting the frequency of Office 365 updates can only be performed in Microsoft
365, but you can configure email disclaimers and compliance in both Microsoft 365 and on-premises
Exchange Server.
●● Migration tools. Exchange Online includes tools to migrate from other on-premises Exchange Server
servers to Exchange Online. There is also a tool to migrate from any Internet Message Access Protocol
(IMAP) messaging service to Exchange Online.
For details about particular Exchange Online features included in specific subscription plans, see the
following Microsoft website: https://aka.ms/AA55eyh.
SharePoint Online
SharePoint Online is the cloud evolution of Microsoft SharePoint Server. It's a cloud service that enables
you to store, organize, and add third-party apps, access information from almost any device, and allow
sharing with external people by default, all by using a web-browser. It helps you create team or
communication-focused sites for efficient collaboration and communication. Internal users with an appropriate
Microsoft 365 or SharePoint Online license can use SharePoint Online. They can share files or folders with
others inside or outside the organization. Sharing outside the organization can be controlled by site
administrators.
Microsoft Teams
Microsoft Teams provides a central hub for collaboration within your organization and allows you to
implement a chat-based workspace that enables members of your organization to have conversations
and create work plans. Keep your team in sync by sharing documents, insights, and status updates while
being able to manage important projects and easily locate people. Teams is also available as a mobile
app, which lets you stay up-to-date both in the office and on the go.
With Microsoft Teams, you can:
●● Communicate through chat, meetings, and calls. You can host audio, video, and web conferences,
and chat with anyone inside or outside your organization. Teams also enables company employees
and users from outside the company to collaborate on a project in real-time by using a whiteboard.
●● Collaborate together with integrated Office 365 apps. Teams makes teamwork easy. Users can
coauthor and share files with popular Office 365 apps such as Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft OneNote, SharePoint, and Microsoft Power BI.
●● Customize your workplace and achieve more. Using Teams, you can integrate apps from Microsoft
and third-party partner services to tailor your process, increasing teamwork and productivity.
●● Make calls in Office 365 and Teams. When paired with Office 365 Phone System, Office 365 Calling
Plan, and/or Phone System Direct Routing, Office 365 provides a full business calling experience in
Teams on a global scale.
●● Connect across devices. Teams and Teams devices work better together for intelligent meeting and
calling experiences. Find the right devices for your needs and bring your best ideas to life.
Microsoft Intune
Intune is a cloud service that helps you manage computers, laptops, tablets, and other mobile devices.
This includes iOS, Android, and Mac OS X devices. It uses Azure Active Directory (Azure AD) as a directory
store for identity, and it can integrate with local management infrastructures such as Microsoft System
Center Configuration Manager (SCCM). Intune is especially useful for devices that are beyond the
management scope of Group Policy, such as mobile phones, devices that are not AD DS domain members, or
Windows 10 devices that are joined to Azure AD. Intune can prevent users from copying company data
from managed applications installed on unmanaged devices.
By using Intune, you can:
●● Let your organization's employees use their personal devices to access organizational data (commonly
known as "Bring Your Own Device (BYOD)")
●● Manage organization-owned phones.
●● Control access to Microsoft Office 365 from unmanaged devices, such as public kiosks and mobile
devices.
●● Help to ensure that devices and apps that do connect to corporate data are compliant with security
policies.
●● Deploy app protection policies, which enable you to standardize corporate device deployments by
setting corporate configuration standards.
Intune is a component of Enterprise Mobility + Security (EMS). Intune integrates with Azure AD and
device OS features to provide a device management solution. For example, when a user attempts to
access Office 365 data through a line of business app (LOB app) on their phone, Office 365 checks with
Azure AD to authenticate the user and verify whether that user can access the data from that app on that
device. The results depend on:
●● Conditional access policies defined within Azure AD.
●● Whether Intune tells Azure AD that the device is compliant with device configuration and data
protection policies.
●● Whether the app on that device complies with app configuration and data protection policies.
If the device and app are both compliant with all policies, Azure AD notifies Office 365 that the data can
be accessed.
Yammer
Microsoft Yammer is an enterprise social networking tool that can be used to efficiently resolve support
issues and gather feedback on projects and documents. Yammer is becoming more integrated with Office
365, and SharePoint Online users now have the option to replace their activity stream in SharePoint
Online with Yammer. To make this change, users click a Yammer link and sign in to this service through a
separate browser window. Future integration will include Single Sign On (SSO) between the Yammer
service and Office 365. Furthermore, users can use the Yammer Newsfeed instead of SharePoint
Newsfeed.
Project Online
Project Online is the cloud version of Microsoft Project Server that enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value feature with Project Online is that it enables global organizations to plan project portfolios in
multiple time zones.
Planner
Use Planner from any of your devices to create new plans, assign tasks, and share files with others. You
can organize teamwork and collaborate on projects. You also can use Planner to chat with colleagues and
to keep track of your team's progress.
Power BI
Power BI is a business analytics service that delivers insights to enable fast, informed decisions. You can
use Power BI to transform data into visuals and share them with colleagues. You can use a variety of
device types to access this content. You also can collaborate on and share customized dashboards and
interactive reports.
Microsoft StaffHub
StaffHub helps workers manage their workday by using schedule management and information sharing.
It also provides the ability to connect to other work-related apps and resources. Managers can quickly
distribute important information to their team, such as policy documents, news bulletins or videos.
Stream
Stream is an enterprise video service where people in your organization can upload, view, and share
videos securely. You can share recordings of classes, meetings, presentations, training sessions, or other
videos that aid your team's collaboration. Stream also makes it easy to share comments about a video,
tag timecodes in comments, and add descriptions to refer to specific points in a video and discuss with
colleagues.
Microsoft Delve
Use Delve to manage your Office 365 profile, and to discover and organize the information that's likely to
be most interesting to you. Using Delve, you can manage your profile, and connect and collaborate with
colleagues.
Sway
You can use Sway to compile text, images, videos, and other content in an interactive online format. You
can apply designer-created layouts and color schemes, or let Sway suggest design elements that match
your content. You also can search and import relevant content from other sources, and then share your
completed Sways on the web.
to use Office 365 ProPlus. But, users must connect at least once every 30 days to confirm that they still
have the right to use the Office 365 ProPlus license.
Office 365 ProPlus gets updated on a regular basis with new features, security updates, and other quality
updates. New or improved features are released on either a monthly or a semi-annual basis. An
organization can choose which frequency works best for their users through the use of update channels.
Additional learning: For more information about Office 365 ProPlus see: Office 365 ProPlus in the
Enterprise1
1 https://docs.microsoft.com/en-us/DeployOffice/about-office-365-proplus-in-the-enterprise
●● Exchange web services. Exchange provides Exchange web services (EWS) to create solutions for
managing business email, calendar, and contacts on desktop and mobile devices and online, and for
accessing and managing Exchange store items. Both on-premises Exchange Server and Exchange
Online provide EWS access to accounts; however, only Exchange Server provides custom EWS
throttling settings.
In addition to Exchange Web Services, some of the more popular features that are available in both
on-premises Exchange Server and Exchange Online include Information Rights Management, archiving,
and legal holds.
Vision
Need a larger screen? A brighter screen? A narrator to read text? Find out about accessibility tools and
features for people who are blind, color blind, or have low vision. Here are some Microsoft 365 features
that assist vision.
●● Color filters2: Boost contrast or get rid of color entirely—whether you have colorblindness, light
sensitivity, or a visual preference, with color filters you can customize your screen's color palette.
●● Tell Me3: Quickly access commands in several Office 365 applications without navigating the
command ribbon. You can use Tell Me to assist with formatting, discover the difficult-to-find capabilities
and even get scoped help in Office 365 using everyday language.
●● Microsoft Soundscape4: Use innovative audio-based technology to enable people with blindness or
low vision to build a richer awareness of their surroundings, thus becoming more confident navigating
new environments.
Hearing
For those who are hard of hearing, have hearing loss, or have deafness, our specialized features can
provide solutions including closed captioning, mono sound, and live call transcription. Here are some
Microsoft 365 features that assist hearing.
●● Microsoft Translator5: Display auto-generated subtitles on a presentation in any of 60+ supported
languages with the Presentation Translator add-in for PowerPoint on PCs. Plus, let each audience
member follow along with captions displayed in their chosen language on any device with Microsoft
Translator.
●● Autogenerate captions in Microsoft Stream6: Share videos securely across your organization in an
accessible format with Microsoft Stream. Select a simple option, and you’ll get captions and
searchable transcripts in English and Spanish autogenerated while uploading videos.
●● Mono audio7: If you have partial hearing loss or deafness in one ear, Windows 10 helps you to hear
more from your computer. Just turn on mono audio, and your left and right speakers will play the
same sounds.
Neurodiversity
Innovative tools such as dictation and Windows Hello sign-in can make the digital world more accessible
for those who live with dyslexia, seizures, autism, or other cognitive differences.
●● Focus assist8: Block alerts and notifications so you can get things done without distractions. Don’t
worry, if there are some people you don’t want to ignore, you can add them to a special list. And
when you finish focusing, you'll get a summary of what you missed.
●● Reading view9: Use Reading view to clear distracting content from web pages, so you can stay
focused on what you want to read. And with Learning Tools in Microsoft Edge you can have
documents read aloud to you.
2 https://support.microsoft.com/en-us/help/4344736/windows-10-use-color-filters
3 https://support.office.com/en-US/article/Do-things-quickly-with-Tell-Me-f20d2198-17b8-4b09-a3e5-007a337f1e4e
4 https://www.microsoft.com/en-us/research/product/soundscape/
5 https://translator.microsoft.com/
6 https://docs.microsoft.com/en-us/stream/portal-autogenerate-captions
7 https://support.microsoft.com/en-us/help/27933/windows-10-make-windows-easier-to-hear
8 https://support.microsoft.com/en-us/help/4026996/windows-10-turn-focus-assist-on-or-off
9 https://support.microsoft.com/en-us/help/17204/windows-10-take-your-reading-with-you
Learning
Our applications for people living with learning disabilities can help increase focus, concentration, and
understanding—and include tools to improve reading and writing skills.
●● Immersive Reader10: Read more effectively with Learning Tools that read text out loud, break words
into syllables, and identify parts of speech. Sustain attention with a focus mode and adjustable
spacing between lines, letters, and words. Available for OneNote, Word, and Outlook on various
devices.
●● Editor in Word11: With Editor, see any misspellings, grammatical mistakes, and writing style issues as
you type in Word and Outlook for PCs. Get suggestions for phonetic misspellings, see synonyms
alongside suggestions, and have suggestions read out loud to avoid common word choice errors.
●● Text suggestions12: Get help constructing sentences with text suggestions. Word suggestions appear,
and can be inserted, as you type. It's a great feature for English language learners—and anyone who'd
like a little help with their writing.
Mobility
Our suite of products helps people living with arthritis, quadriplegia, spinal cord injuries, and other
mobility issues to navigate the digital world in non-traditional ways.
●● Dictate in Office 36513: Convert your speech to text with Dictate in Office 365
applications such as Word, PowerPoint and Outlook for PCs. Also available with the Dictate add-in for
Word, Outlook and PowerPoint for PCs which supports dictation in 20+ languages and real-time
translation to 60+ languages.
●● Keyboard shortcuts14: Office 365 is designed to work seamlessly with keyboards. Shortcuts are
documented per application to help you get started. Additionally, Tell Me lets you quickly access
commands in several Office 365 applications by typing what you want to do using everyday language.
●● Eye control15: If physical disabilities make it difficult to use a keyboard, Windows 10 offers built-in
support for eye control—an effective way to use your PC with just your eyes (eye tracking hardware
sold separately).
Mental health
Learn more about assistive technologies for people living with issues such as bipolar disorder, anxiety,
PTSD, depression, or ADHD. Our products can help with distraction, reading, and concentration.
●● Minimize visual distraction16: Windows makes it easy to minimize distractions by reducing
animations and turning off background images and transparency. You can also clean up taskbar clutter and
simplify the start menu.
10 https://www.onenote.com/learningtools
11 https://support.office.com/en-us/article/editor-is-your-writing-assistant-in-word-91ecbe1b-d021-4e9e-a82e-abc4cd7163d7?ui=en-US&rs=en-US&ad=US
12 https://blogs.windows.com/windowsexperience/2017/11/08/announcing-windows-10-insider-preview-build-17035-pc/#4rfiWmW4km5FdsgK.97
13 https://support.office.com/en-us/article/dictate-your-documents-d4fd296e-8f15-4168-afec-1f95b13a6408?ui=en-US&rs=en-US&ad=US
14 https://support.office.com/en-us/article/use-a-screen-reader-and-keyboard-shortcuts-with-office-apps-4aba5a56-f80c-4a6b-a584-d0f415471617?ui=en-US&rs=en-US&ad=US
15 https://support.microsoft.com/en-us/help/4043921/windows-10-get-started-eye-control
16 https://support.microsoft.com/en-us/help/27930/windows-10-make-it-easier-to-focus-on-tasks
●● Focus assist17: Block alerts and notifications, so you can get things done without distractions. Don't
worry, if there are some people you don't want to ignore, you can add them to a special list. And
when you finish focusing, you'll get a summary of what you missed.
●● To-dos18: OneNote and Outlook work together to help you stay organized. As you take notes and
plan projects in OneNote, you can manage deadlines and remember the things on your to-do list by
creating Outlook tasks. Then you can view and track those tasks in Outlook and even get reminders.
17 https://support.microsoft.com/en-us/help/4026996/windows-10-turn-focus-assist-on-or-off
18 https://support.office.com/en-us/article/Create-Outlook-tasks-in-OneNote-19725FF3-0234-495D-9838-FB1F511E924F
line-of-business applications and macros. This pilot group can test the initial deployment of Windows 10
and Office 365 ProPlus as well as future updates.
●● Office Deployment Tool: For organizations that don't have System Center Configuration Manager
but still want to manage their deployment, you can use the Office Deployment Tool, which provides
control over installation, updates, and settings. Organizations use the Office Deployment Tool to
download installation files to a local distribution source and then install Office 365 ProPlus by using
the downloaded files to deploy Office to computers in the network. You can use this as a standalone
tool or in conjunction with third-party software deployment tools.
●● Microsoft Intune: For organizations that want to deploy and manage Office from the cloud, Intune
provides a cloud-based service that manages mobile devices and PCs, along with the applications on
those devices (like Office 365 ProPlus). Intune can also be used to manage Windows 10 on your PCs.
●● Install directly from the Office 365 portal: The simplest approach is to have your licensed users
self-install Office on their client devices directly from the Office 365 dashboard. This method requires
the least amount of administrative setup but gives you less control over the deployment. You can,
however, still define how frequently your users receive feature updates. This option requires that your
users have local administrative rights on their client devices.
Administrators can ensure that employees can install Microsoft Office 365 ProPlus on their devices by
enabling them to self-install directly from the Office 365 dashboard, and by enabling auto-deployment of
Office 365 apps for all devices using Configuration Manager or the Office Deployment Tool. As part of
deploying with the Office Deployment Tool or Configuration Manager, you can create configuration files
with the Office Customization Tool. These configuration files give you control over an Office installation,
including defining which applications and languages are installed, how those applications should be
updated, and application preferences. Similar options are available as part of the Intune deployment.
Depending on the tool you choose to deploy with, you can also choose whether to deploy from the cloud
or to download Office to a local source on your network and deploy from there. When possible, we
recommend deploying Office from the cloud, as doing so will minimize your administrative overhead.
When you deploy from the cloud, Office 365 ProPlus is delivered to client devices directly from the Office
Content Delivery Network (CDN). If your network consideration requires you to deploy from a local
source, Configuration Manager can be a good option to help manage the deployment and updates.
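The configuration files described above are XML documents read by the Office Deployment Tool. The following is an added illustration, not taken from the course material; the edition, language, and excluded-app choices are assumptions made for the example, and the file share in the comment is a placeholder.

```xml
<!-- configuration.xml: constructed example for the Office Deployment Tool -->
<Configuration>
  <!-- Which applications and languages are installed.
       No SourcePath attribute is set, so setup looks for installation files
       in its own folder and otherwise downloads them from the Office CDN.
       To deploy from a local source instead, add a SourcePath attribute
       pointing at your distribution share, for example
       SourcePath="\\PLACEHOLDER-SERVER\office" (placeholder, not a real path). -->
  <Add OfficeClientEdition="64" Channel="SemiAnnual">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <Language ID="fr-fr" />
      <!-- Applications left out of the installation -->
      <ExcludeApp ID="Access" />
      <ExcludeApp ID="Publisher" />
    </Product>
  </Add>

  <!-- How the applications are updated. Enabled="TRUE" keeps clients
       checking for updates, so security and quality updates continue to
       arrive; with no UpdatePath set, updates come from the Office CDN. -->
  <Updates Enabled="TRUE" />

  <!-- Silent installation with the license terms accepted on the user's behalf -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
```

The file is passed to the tool with `setup.exe /configure configuration.xml`. Setting `Enabled="FALSE"` in the `Updates` element stops clients from checking for updates, so review that value before any wide deployment.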
You can control how and when updates are applied with servicing channels and deployment rings:
●● Servicing channels. Windows as a service offers three servicing channels. Each of these channels
receives new feature updates at a different frequency. Servicing channels provide a method for
controlling the frequency at which organizations deploy Windows 10 features.
●● Deployment rings. In Windows 10, deployment rings are similar to the groups your organization
might have used to manage updates to earlier versions of Windows in tools such
as Windows Server Update Services (WSUS). Deployment rings provide a method for gradually
deploying Windows 10. They allow you to group devices together for the purposes of receiving
updates through each of the servicing channels.
Servicing channels
Although servicing channels are new, you can still use the same management tools to deploy the updates
to your organization’s devices that you used in earlier versions of Windows. These include:
●● Windows Insider Program. This channel enables users to become familiar with Windows feature
updates before they are released to the wider public. These are early builds that are released to the
public during the feature-development phase. Organizations can test and evaluate these feature
updates within Microsoft Insider Preview Branch versions of Windows software before trying a wider
deployment. In addition, users can provide feedback to Microsoft to help resolve any issues with
updates. Feature updates are released to the Windows Insider program about once a week.
●● Semi-Annual Channel. Computers configured in the semi-annual channel receive updates as soon as
Microsoft publishes them. There are two semi-annual channels: semi-annual (targeted) is aimed at a
subset of your users, while semi-annual is aimed at all other users. Feature updates are released to the
semi-annual channel twice a year in the spring and fall.
●● Long-Term Servicing Channel (LTSC). For computers and other devices that perform a single task or
a number of specialized tasks, the Long-Term Servicing Channel prevents configured devices from
receiving feature updates. However, delivery of quality updates is not affected. Note that the Long-Term
Servicing Channel is available only in the Windows 10 Enterprise LTSC edition. Feature updates are
released to the LTSC about once every three years.
Deployment rings
In Windows 10, you can use deployment rings to further control how and when updates are applied to
your devices. It’s probable that you will only define these deployment rings once; however, you should
consider revisiting the deployment ring configuration periodically to ensure that they still meet the needs
of your organization and its users.
A typical deployment ring strategy is described in the following table.
You do not need to deploy all feature updates; you can opt to bypass those updates that do not add
value for your users. Bear in mind, however, that support for a feature update continues for 18 months
after its release.
There are several models that IT pros can use to service Windows as a service. Each option has its pros
and cons, ranging from capabilities and control to simplicity and low administrative requirements. The
following are examples of the servicing models available to manage Windows as a service updates:
●● Windows Update (stand-alone). Provides limited control over feature updates, with IT pros manually
configuring the device to be in the Semi-Annual Channel. Organizations can target which devices
defer updates by selecting the Defer upgrades check box in Start\Settings\Update and Security\
Advanced Options on a Windows 10 client. With this tool, organizations choose when updates are
installed to which devices, and the updates do not have to originate from an on-premises server.
●● Windows Update for Business. This servicing tool includes control over update deferment and
provides centralized management using Group Policy. Windows Update for Business can be used to
defer updates by up to 365 days, depending on the version. These deployment options are available
to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage
Windows Update for Business, either option can be configured without requiring any on-premises
infrastructure by using Intune. Devices that are updated using this tool must be updated periodically
and monitored using one system, and the updates do not have to originate from an on-premises
server.
●● Windows Server Update Services (WSUS). Provides extensive control over Windows 10 updates and
is natively available in the Windows Server operating system. In addition to the ability to defer
updates, organizations can add an approval layer for updates and choose to deploy them to specific
computers or groups of computers whenever ready.
●● System Center Configuration Manager. Provides the greatest control and cost savings to service
Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting
deployments and managing bandwidth usage and deployment times. This enables consistent
scheduling of upgrades and updates across all devices. With this tool, application deployments and
operating system updates to devices must originate from an on-premises server.
The servicing option that an organization chooses depends on the resources, staff, and expertise of its IT
organization. For example, if IT already uses System Center Configuration Manager to manage Windows
updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated
look at the benefits of each tool, see the following table.
As needed, Microsoft also provides each update channel with two additional types of updates:
●● Security updates, such as updates that help keep Office protected from potential malicious attacks.
●● Quality updates, such as updates that provide stability or performance improvements for Office.
Security updates are usually released on the second Tuesday of every month. Quality updates, which are
sometimes referred to as non-security updates, are also usually released on this day. But, if necessary,
both types of updates can be released at other times.
mode. You can also deactivate a user's Office 365 ProPlus license for a particular device, at which point
Office 365 ProPlus goes into reduced functionality mode on that device. The Office Licensing Service, a
part of Office 365, keeps track of which users are licensed and how many computers they've installed
Office on.
locations. Instead, the data is likely stored only on the device. If something happens to that device - like
getting lost, stolen, or suffering a hardware failure - you might also lose your data, which can lead to lost
productivity and worse, if that data was protected IP.
Lost or stolen devices. The average cost of replacing a stolen device can exceed the cost of the device.
This cost is higher because your organization must configure the new device and determine what data
was lost or stolen. In some cases, that data exists only on the mobile device, and is then lost to the
organization.
Compromised devices that connect to the internal network. A mobile device infected with malware
can leak data and introduce the malware into the organization. Organizations must treat mobile devices
as possible malware carriers and take precautions to prevent leaks and attacks.
User-owned mobile devices. Personal devices are a challenge to organizations. IT departments need to
find a balance between allowing access to applications and data and users wanting to use their own
devices. When considering a mobile device support policy, ask the following questions:
●● Is the device owned by the user or the organization?
●● Should you let user-owned devices access sensitive applications and data? Or, only allow access if the
owner agrees to have the device managed by IT?
●● What actions can your organization take to protect data stored on the device if the device is lost, or if
the user leaves the company?
Azure Advanced Threat Protection (ATP) is a cloud-based solution to identify, detect, and investigate
threats, compromises, and malicious actions. ATP helps you:
●● Detect and investigate advanced attacks on-premises and in the cloud.
●● Identify suspicious user and device activity with both known-technique detection and behavioral
analytics.
●● Analyze threat intelligence from the cloud and on-premises.
●● Protect user identities and credentials stored in Active Directory.
●● View clear attack information on a simple timeline for fast triage.
●● Monitor multiple entry points through integration with Windows Defender Advanced Threat
Protection.
also reduce time, costs, and complexity, and lets you use Autopilot and Configuration Manager to
migrate existing Windows 7 devices to Windows 10.
Hybrid Azure AD – Azure Active Directory (Azure AD) allows you to link your users, devices, and
applications across both cloud and on-premises environments. Registering your devices to Azure AD helps you
improve productivity for your users and improve security for your resources. Having devices in Azure AD
is the foundation for both co-management and device-based conditional access. It also includes:
●● Single sign-on to cloud resources
●● Windows Hello for Business
●● Device-based conditional access
●● Automatic device licensing
●● Self Service functionality
●● Enterprise state roaming
With the familiar Outlook email-based experience you can stay in touch with colleagues, and share
calendars, files, and tasks, to make sure important deliverables get attention.
You can store your content in the cloud with SharePoint and OneDrive for Business. This lets you access
your files on any device and share them with others inside and outside your organization. Because the
files are in the cloud, team members can collaborate on them in real time using familiar Office
applications like Word, Excel, and PowerPoint.
Microsoft Teams is the digital hub for teamwork in Microsoft 365. It brings together team conversations
and content so your users can stay up-to-date on critical projects. It includes everything teams need to
stay connected—chat, phone calls, content, and meetings—and can be customized with applications and
bots that support a given project. With guest access in Teams, you can invite people from both inside and
outside your organization to work on projects.
Yammer is a community conversation tool designed to help encourage open dialogue, idea generation,
and connections across the company. Yammer lets you create communities of interest and forums that
bring people together, improve transparency, and give everyone a voice. You can even grant external
access to partners and customers as needed.
Microsoft 365 is built on an intelligent fabric that keeps it all connected and secured no matter what app
or service you are working in as a team. Microsoft Graph provides a seamless connection between
people and relevant content. Office 365 Groups enable a single team identity across apps and services,
and centralized policy management enhances security and compliance.
The inner loop is made up of the people you actively work with on a regular basis. Use Microsoft Teams
to let the inner loop members stay tightly connected on project updates and related content and files no
matter where they are located.
The outer loop is made up of the people you may not work with regularly on a project or in the team, but
who have a vested interest or a common goal, like a project stakeholder. Use Yammer to openly share
information, find expertise, and share ideas across your organization. Groups and conversations are open
and viewable to everyone. If you prefer working in email, Outlook is an ideal way to start the
conversation.
When it comes to managing team content and files, SharePoint is the tool that brings together content
from Microsoft Teams, Yammer, and Outlook to keep track of critical project information no matter where
the conversation starts.
OneDrive for Business and SharePoint in Microsoft 365 provide shared storage, document version
controls, and permission settings to enable multiple users to seamlessly edit the same document.
Microsoft Teams provides the entire team, including outside consultants and independent contractors,
with a single point of access to everything they need to move a project forward, including project specific
applications like creative resources, development repositories, and survey and analytics tools. Teams is
also fully integrated with Microsoft applications including Word, Excel, PowerPoint, Power BI, and Stream,
so the team can collaborate and access information without leaving their shared Teams workspace. All
files that are worked with in Teams are automatically stored in SharePoint, and team members can
customize intranet sites with project details and announcements for the broader organization. Teams is
the place to have informal chats, iterate quickly on a project, work with Teams files, and collaborate on
shared deliverables.
Microsoft Teams is also customizable and configurable. You can enable, disable, and configure apps for
Teams, including tabs, connectors, and bots provided by Teams (first-party apps, also known as default
apps) or by a third party (also known as external apps). Additional settings let you specify whether
external apps are enabled by default and which users can sideload apps to Teams. You can control
organization-wide user settings such as external access and guest access to let your users work with
people outside your organization. Other configurable settings include email integration, file sharing and
cloud file storage, organizational charts, device authentication for Surface Hubs, and scoped directory
searches.
During meetings, video and screen sharing create a focus among the group, while new AI services
provide auto-translation, transcription, and recording so participants get more out of the experience.
Following the meeting, notes and action items can be automatically transcribed and distributed to the
group, and anyone who was unable to attend can easily go back and watch the meeting.
Microsoft Stream enables everyone in the organization to securely create, discover, and share videos,
and it integrates into the teamwork apps employees use most, including Teams, OneNote, SharePoint,
and Yammer.
Microsoft Search provides a rich, familiar, and consistent search experience across the web and the apps
used in your organization. Regardless of the interface used, you get the same experience, personalized
and contextualized for that specific interaction point.
●● Microsoft Search in Bing.com: Searching in Bing returns both your organizational results and web
results, making it an easy choice for broad searches. Recently added capabilities allow you to search
across conversations in both Teams and Yammer simultaneously.
●● Microsoft Search in Office.com: Microsoft Search in Office.com surfaces the same search scope
across Microsoft 365, allowing you to find what you need and get back to your work faster. Find
recent and recommended documents, as well as content flagged by colleagues for your review, and
keep up-to-date with what has been worked on since you last looked at it.
●● Microsoft Search in the SharePoint mobile app: The SharePoint mobile app includes search as the
default experience when you enter the app. The search interface shows common questions,
personalized results, and frequent searches that you can curate for your organization.
●● Microsoft Search in the Outlook mobile app: The Outlook mobile app, available for iOS and
Android, prioritizes the search experience by providing easy access to commands, content, and
people. By placing your cursor in the search box, you can use “zero query search” to see
recommendations powered by AI and Microsoft Graph.
Workplace Analytics
Microsoft 365 includes two analytic tools that gather data and use AI to provide insights into the working
habits of individuals and organizations - MyAnalytics and Workplace Analytics.
MyAnalytics lets you see how you spend your time at work and then suggests ways to work smarter –
from cutting unproductive meeting time to getting better work/life balance. MyAnalytics does this by
looking at data about emails, meetings, and Teams calls and chats, as well as how you use Office 365.
MyAnalytics is included in the Microsoft 365 E5 subscriptions and supports Outlook add-ins.
Note: MyAnalytics doesn't use agents or tracking software, and it doesn't use data from any other
activities on your computer, such as applications or websites viewed.
While MyAnalytics provides insight at the individual level, Workplace Analytics focuses on the
organization. Use Workplace Analytics to identify collaboration patterns that impact productivity, workforce
effectiveness, and employee engagement. It helps you understand how your organization spends its time
and how groups work together. When you understand how your org works, you can look for efficiencies
and best practices.
Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Which of the following are feature pillars of Windows 10 Enterprise?
(A) Limited hardware support
(B) Complex updates
Answers:
1.(C) 2.(D) 3.(B) 4.(C) 5.(B) 6.(D) 7.(B)
Lab - Configuring Microsoft 365 tenant
2. In the Azure Active Directory admin center, on the Dashboard, select Azure Active Directory from
the navigation pane.
3. Click Users. Notice the same user accounts from Office 365 are displayed.
4. Close the Users – All users blade. Notice on the dashboard in the Users and groups area the group
you created earlier appears. You can see the same groups from Office 365. You can click Find a group
in the Quick tasks area to search for a specific group.
5. Close the Groups – All groups blade.
6. On the Azure Active Directory admin center dashboard click Company branding.
7. Notice the settings configured for branding.
8. Close the company branding blade.
1. Switch to the Azure Active Directory admin center, and in the navigation pane, select Azure Active
Directory, and then select Users.
2. In the Users - All users blade, select + New user.
3. In the User blade, enter the following information:
●● Name: Enter your name
●● Username: Your_first_name@<your_tenant_here>.onmicrosoft.com
4. Select Profile, enter the following information, and then select Ok:
●● First name: A first name
●● Last name: A last name
●● Department: IT
5. Select Groups.
MCT USE ONLY. STUDENT USE PROHIBITED 74 Module 2 Microsoft 365 Services
6. Scroll down and select the group you created earlier in exercise 1.
7. Click Select.
8. Select the Show Password check box, and note the password for later use.
9. Select Create.
the operating system can then use to authenticate users who are trying to access any domain-joined
device anywhere in the forest.
●● Azure AD accounts. You can use Azure AD to store user accounts that your users can utilize to access
hosted services based in the cloud, such as Microsoft Office 365. For those organizations that maintain
an on-premises AD DS environment, Azure AD can integrate with on-premises AD DS deployments.
This scenario allows users to access resources from on-premises devices, and from cloud-based
services and resources. However, integration often requires synchronization between the two.
●● Microsoft accounts. Your users can use a Microsoft account regardless of their location or the
organization of which they are a member. A Microsoft account includes an email address and a
password that your users use to sign in to different services. Users already have a Microsoft account if
they sign in to services such as Microsoft OneDrive, Xbox Live, Outlook.com (formerly Hotmail), or
Windows Phone. Your users also can use their Microsoft accounts to authenticate with Azure AD. This
scenario is useful when you must support temporary or contract staff as the account is external to the
Azure AD directory.
●● Other accounts. Most users also have access to social accounts, such as Facebook and Twitter. Many
also use Apple and Google accounts to access platform-specific stores and other resources.
Because a user account (or accounts) is the primary means of determining who a user is, it’s important
that we protect the process of verifying identity. Identity protection is the method that you use to do this.
Microsoft 365 includes a number of features that enable you to identify when a user account might have
been compromised. For example, a change in sign-in time of day, or a new or unusual sign-in location
can be signs that an account has been compromised. When you identify these changes, you can take
action.
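The two signals named above (a change in sign-in time of day, and a new sign-in location) can be checked against a per-user baseline. The following is an added sketch, not Microsoft's detection logic or code from this course; the function names, the three-hour tolerance, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history (not real log data): user, ISO timestamp, country.
HISTORY = [
    ("alice", "2019-03-04T08:55:00", "US"),
    ("alice", "2019-03-05T09:10:00", "US"),
    ("alice", "2019-03-06T17:40:00", "US"),
    ("alice", "2019-03-07T10:05:00", "CA"),
    ("bob",   "2019-03-04T22:15:00", "GB"),
    ("bob",   "2019-03-05T23:05:00", "GB"),
    ("bob",   "2019-03-06T21:50:00", "GB"),
]


def build_baseline(history):
    """Collect, per user, the hours of day and countries seen in past sign-ins."""
    baseline = defaultdict(lambda: {"hours": [], "countries": set()})
    for user, ts, country in history:
        entry = baseline[user]
        entry["hours"].append(datetime.fromisoformat(ts).hour)
        entry["countries"].add(country)
    return baseline


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def assess_sign_in(baseline, user, ts, country, hour_tolerance=3):
    """Return the risk signals raised by one new sign-in (empty list = none)."""
    if user not in baseline:
        # Nothing to compare against; surface it rather than silently passing.
        return ["no_history"]
    seen = baseline[user]
    signals = []
    hour = datetime.fromisoformat(ts).hour
    # Unusual time: further than the tolerance from every previously seen hour.
    if min(hour_distance(hour, h) for h in seen["hours"]) > hour_tolerance:
        signals.append("unusual_time")
    # New location: a country this user has never signed in from.
    if country not in seen["countries"]:
        signals.append("new_location")
    return signals


def review_sign_ins(baseline, events):
    """Return only the events that raised at least one signal, with the signals."""
    flagged = []
    for user, ts, country in events:
        signals = assess_sign_in(baseline, user, ts, country)
        if signals:
            flagged.append((user, ts, country, signals))
    return flagged


if __name__ == "__main__":
    # Constructed new sign-ins to triage.
    new_events = [
        ("alice", "2019-03-08T09:30:00", "US"),
        ("alice", "2019-03-09T03:12:00", "RO"),
        ("bob",   "2019-03-08T00:30:00", "GB"),
        ("carol", "2019-03-08T11:00:00", "US"),
    ]
    for row in review_sign_ins(build_baseline(HISTORY), new_events):
        print(row)
```

The hour comparison wraps around midnight, so a user who normally signs in late in the evening is not flagged for a sign-in shortly after 00:00.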
Device security
When users connect their devices to your IT infrastructure, they potentially introduce security risks. For
example:
●● Firewall settings. If a device lacks a properly configured firewall, then every time it connects to a
network it’s at risk. This is especially true if the device connects to public, unsecured networks such as
Wi-Fi hotspots.
●● Antivirus / antimalware protection. Without proper antimalware and antivirus software installed
and up to date, a device is at risk of being infected with malware. This malware might be transferred
to your organization when a user connects an improperly protected device to your network.
●● Software fixes and updates. When a weakness or flaw is discovered in an operating system or
application, the software vendor will provide an update (or patch). If a user doesn’t update their
device to include the latest updates, then the device is at risk. This might lead to malicious software
being able to transfer to the device with potential consequences for your organization’s infrastructure.
●● Lax security settings. Most users secure their phones with a PIN, but not all. And often, the PIN is too
short and fairly easy to guess. If a device contains sensitive company data, then that data is at risk on
the device.
●● Poor physical security. Many users are fairly relaxed about where they leave their phones and tablet
devices, even their company laptops. Leaving devices in vulnerable places such as internet cafes,
airports, or other public places, especially if those devices lack proper security safeguards, can easily
lead to data leakage.
Some of the preceding risks can be mitigated with proper end-user education about the importance of
security, and guidance on enabling a secure PIN or using the biometric protection built in to many
devices these days. (Many laptops, tablets, and mobile devices today offer fingerprint and facial recognition
software.) But beyond education, to properly secure your organization’s IT infrastructure you must be
able to impose those security settings on devices, including those owned by your users, and restrict
access based on failure to adhere to those policies.
Network security
In our connected world, being able to gain access to an organization’s network means getting through
the security door. There are numerous possible forms of network attacks, which can be thwarted by
proper network access planning.
Wi-Fi is extremely convenient, enabling your users to quickly and easily connect their devices to the
network. However, it also makes it easier for a malicious person to also gain access to your network
because they no longer need a physical connection.
To help protect your network, you must take a holistic approach. You must identify each possible threat,
and then plan mitigation for it, such as requiring a rigorous form of authentication from connecting
devices. Allow your visitors access to the internet through your infrastructure, but don’t allow it through
the corporate network.
Secure authentication
Helping secure your users helps protect against breaches. And one important area is the quality of user
passwords. Passwords are problematic. Users are expected to remember complex passwords for a variety
of different accounts, both personal and for work. Issues with passwords include:
●● Strong passwords can be difficult to remember
●● Users often reuse passwords on multiple different sites
●● Server breaches can expose symmetric network credentials (passwords).
●● Passwords are subject to replay attacks.
●● Users can inadvertently expose their passwords due to phishing attacks.
This poses a significant security risk as once bad actors get compromised passwords, they can sign in to
multiple sites. Most breaches are a result of compromised passwords. What if we could remove passwords
altogether? Microsoft 365 solutions include password replacement options to help reduce risk.
Multi-factor authentication (MFA). Many authentication systems are based on simple password
exchange, which is not a very secure approach. By using multiple factors to authenticate, you can achieve
significant security improvements. MFA relies on users identifying themselves with at least two
authentication factors:
●● Something the user knows, such as a username and password or a PIN
●● Something the user has, such as a digital certificate or smartcard
●● Something the user is, as indicated by the use of facial recognition, fingerprint, or other biometrics.
MFA is provided in Office 365.
Windows Hello. In Windows 10, Windows Hello for Business replaces passwords with strong two-factor
authentication on PCs and mobile devices - a new type of user credential that's tied to a device and uses
a biometric or PIN. Windows Hello for Business lets users authenticate to an Active Directory or Azure
Active Directory account.
Microsoft Authenticator. The Microsoft Authenticator app helps you keep your accounts more secure,
especially while viewing sensitive information.
You can use the Microsoft Authenticator app in multiple ways, including:
●● Two-factor verification. The standard verification method, where one of the factors is your password.
After you sign in to a device, app, or site using your username and password, you can use Microsoft
Authenticator to approve a notification or enter a provided verification code.
●● Phone sign-in. A version of two-factor verification that lets you sign in without requiring a password,
using your username and your mobile device with your fingerprint, face, or PIN.
Conditional access
Conditional access provides granular access to keep your corporate data secure, while letting users do
their best work from any device and from any location. Conditional access helps protect sensitive data by
evaluating users, devices, apps, location, and risk before granting access to corporate data. This helps
ensure that only approved users and devices can access critical company resources.
Conditional access spans Microsoft 365 services including Intune, Office 365, and Windows 10.
Conditional access evaluates each access request on a number of different criteria and then, using policies you
define, decides if it should be allowed, if stricter controls are needed, or if the access attempt should be
blocked altogether.
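The decision described above (allow, apply stricter controls, or block) can be modeled as matching a request against a set of policies and keeping the strictest outcome. This is an added, simplified model and not the Azure AD conditional access engine or its API; the class names, fields, and sample policies are hypothetical, and it assumes a request that matches no policy is allowed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Outcomes, ordered from least to most restrictive; the strictest match wins.
ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"
STRICTNESS = {ALLOW: 0, REQUIRE_MFA: 1, BLOCK: 2}
RISK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class AccessRequest:
    """The criteria evaluated for one access attempt (hypothetical fields)."""
    user: str
    groups: set
    app: str
    device_compliant: bool
    country: str
    sign_in_risk: str  # "low", "medium" or "high"


@dataclass
class Policy:
    """One rule: every condition that is set must hold for the policy to apply."""
    name: str
    outcome: str
    apps: set = field(default_factory=set)               # empty = any app
    groups: set = field(default_factory=set)             # empty = any user
    device_compliant: Optional[bool] = None              # None = not checked
    trusted_countries: set = field(default_factory=set)  # applies OUTSIDE these
    min_risk: Optional[str] = None                       # applies at or above

    def matches(self, req):
        if self.apps and req.app not in self.apps:
            return False
        if self.groups and not (self.groups & req.groups):
            return False
        if (self.device_compliant is not None
                and req.device_compliant != self.device_compliant):
            return False
        if self.trusted_countries and req.country in self.trusted_countries:
            return False
        if self.min_risk is not None and RISK[req.sign_in_risk] < RISK[self.min_risk]:
            return False
        return True


def evaluate(policies, req):
    """Return (decision, names of matching policies) for one request."""
    decision, reasons = ALLOW, []
    for policy in policies:
        if policy.matches(req):
            reasons.append(policy.name)
            if STRICTNESS[policy.outcome] > STRICTNESS[decision]:
                decision = policy.outcome
    return decision, reasons


# Constructed sample policies, for illustration only.
POLICIES = [
    Policy("Block high-risk sign-ins", BLOCK, min_risk="high"),
    Policy("MFA outside trusted countries", REQUIRE_MFA, trusted_countries={"US"}),
    Policy("MFA for finance app on non-compliant device", REQUIRE_MFA,
           apps={"finance"}, device_compliant=False),
    Policy("Block admins on non-compliant devices", BLOCK,
           groups={"admins"}, device_compliant=False),
]

if __name__ == "__main__":
    req = AccessRequest("dana", {"admins"}, "mail", False, "FR", "medium")
    print(evaluate(POLICIES, req))
```

Returning the names of the matching policies along with the decision makes it possible to explain to a user or auditor why a request was challenged or blocked.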
Identity protection
Most security breaches are a result of attackers stealing a user’s identity. Over the years, attackers have
become increasingly effective in leveraging third-party breaches and using sophisticated phishing attacks.
As soon as an attacker gains access to even low-privileged user accounts, it's relatively easy for them to
gain access to important company resources.
To help protect your users’ identities, you need to:
●● Protect all identities regardless of their privilege level.
●● Proactively prevent compromised identities from being abused.
Protect identities in your Microsoft 365 environment with:
●● Azure Active Directory Identity Protection. User accounts are critical to helping identify users, so
you need to be able to identify unusual account behavior. This helps you identify attempts to
compromise accounts, possibly by a hacker or other malicious person. When Azure AD Identity Protection
detects unusual account behavior, it can block account access, or perhaps require additional
authentication options.
●● Microsoft Cloud App Security. Analytics for your cloud apps and services, helping security teams
better understand the protections for critical data across cloud apps.
●● Azure Advanced Threat Protection (ATP). A cloud-based security solution that identifies, detects,
and helps you investigate advanced threats, compromised identities, and malicious insider actions
directed at your organization.
●● Windows 10. Built-in identity protection capabilities help protect user identities. For example,
Windows Hello, a biometric authentication feature that helps strengthen authentication and guard
against potential spoofing by using fingerprint matching and facial recognition, is built right into the
OS.
The following solutions, included in Microsoft 365, help you deal with threats to your users, devices, and
data.
Microsoft Intune
Microsoft Intune, a mobile device management component of Enterprise Mobility + Security (EMS),
integrates closely with other EMS components like Azure Active Directory (Azure AD) for identity and
access control and Azure Information Protection for data protection. When you use it with Office 365, you
can help your users be productive on all their devices, while protecting your information. For example,
Microsoft Intune prevents users from copying company data from managed applications installed on
unmanaged devices.
able to control it as it travels within and outside your organization. You also need to have a way to
classify, label, and apply appropriate protections to this information.
It can be helpful to think about your information protection strategy in terms of these four key activities:
●● Discover
●● Classify
●● Protect
●● Monitor
The Microsoft Information Protection solutions in Microsoft 365 help you protect sensitive data
throughout its lifecycle—across devices, apps, cloud services, and on-premises locations.
Integrated capabilities work together over the course of the data lifecycle to keep information protected
and managed.
The following lessons in this course will explain in greater detail how these capabilities work at each
phase of the data lifecycle.
Alternatively, you can set things up so that a recommended classification and sensitivity label can be
provided to users. You can also give users the ability to override an automatic classification, while
requiring a justification for the override.
Because individual users may be most familiar with the data in your organization, you can also enable
users to classify and apply a sensitivity label themselves. For example, if they are working on a document
that contains privileged information, they can apply a sensitivity label of “highly confidential” right within
the app.
●● Microsoft 365 has data encryption built into the service – for both data at rest and data in transit.
●● To protect individual files, you can apply rights-based permissions so that only intended recipients can
access and view the information.
●● You can apply Data Loss Prevention actions, such as blocking the sharing of a file that is detected to
have sensitive information, such as credit card information or social security numbers.
●● You can limit or block access to cloud apps present in your environment, or revoke app access among
specific individuals.
●● To help end-users make more informed decisions, you can enable policy tips that notify users that the
document they are working with contains sensitive information, or you can even automatically apply a
visual marking to documents, such as a header or footer.
●● To help prevent sensitive information from staying around longer than necessary and potentially
posing a risk, you can automatically retain, expire or delete documents, based on data governance
policies defined by your company.
Once the Microsoft 365 security center is enabled for your tenant, you can access the security center at
https://security.microsoft.com.
Microsoft Secure Score gives you robust visualizations, integration with other Microsoft products,
comparison of your score with other companies, filtering by category, and much more. With the tool, you
can complete security improvement actions within your organization and track the history of your score.
The score can also reflect when third-party solutions have addressed recommended improvement
actions.
You're given points for configuring recommended security features, performing security-related tasks
(such as viewing reports), or addressing the improvement action with a third-party application or
software. Some actions are scored for partial completion, like enabling multi-factor authentication (MFA) for
your users. Security should always be balanced with usability, and not every recommendation will work
for your environment.
You can use Microsoft Secure Score recommendations to target the most important settings and make
changes quickly.
The table that follows includes some examples of improvement actions and their impact on your
Microsoft Secure Score. Notice the dashboard also provides information on the user impact and security
category.
Overview of Azure AD
Azure AD constitutes a separate Azure service. Its most elementary form (which any new Azure
subscription includes automatically) does not incur any extra cost and is referred to as Azure AD Free. If you
subscribe to any Microsoft Online business services (for example, Office 365 or Intune), you automatically
get Azure AD with access to all the free features.
The Azure AD Premium tier provides additional functionality over the Free and Basic editions. However,
Premium editions might require additional cost depending upon your Microsoft cloud subscription levels.
Azure AD Premium comes in two versions, P1 and P2.
The following features are available with the Azure AD Premium P1 edition:
●● Self-service group management. Simplifies the administration of groups where users are given the
rights to create and manage groups.
●● Advanced security reports and alerts. You can monitor and protect access to your cloud
applications by viewing detailed logs that show advanced anomalies and inconsistent access pattern reports.
●● Multi-factor authentication (MFA). Full MFA works with on-premises applications (using virtual
private network (VPN), Remote Authentication Dial-In User Service (RADIUS), and others), Azure,
Office 365, Dynamics 365, and third-party Azure AD gallery applications. It does not work with
non-browser off-the-shelf apps, such as Microsoft Outlook.
●● Microsoft Identity Manager (MIM) licensing. MIM integrates with Azure AD Premium to provide
hybrid identity solutions. MIM can span multiple on-premises authentication stores such as AD DS,
LDAP, Oracle, and other applications with Azure AD. This provides consistent experiences to
on-premises line-of-business applications and software as a service (SaaS) solutions.
●● Password reset with writeback. Self-service password reset follows the Active Directory on-premises
password policy.
●● Conditional Access based on device, group, or location. This feature lets you configure conditional
access for critical resources, based on multiple criteria.
●● Azure AD Connect Health. You can use this tool to gain operational insight into Azure AD. It works
with alerts, performance counters, usage patterns, and configuration settings to present the collected
information in the Azure AD Connect Health portal.
In addition to the Azure AD Premium P1 features, the Azure AD Premium P2 license provides a number of
advanced functionalities:
●● Azure AD Identity Protection. This feature provides enhanced functionalities for monitoring and
protecting user accounts. You can define user risk policies and sign-in policies. In addition, you can
review users’ behavior and flag users for risk.
●● Azure AD Privileged Identity Management. This functionality lets you configure additional security
levels for privileged users such as administrators. With Privileged Identity Management you define
permanent and temporary administrators. You also define a policy workflow that activates whenever
someone wants to use administrative privileges to perform some task.
Consider Azure AD to be an online instance of Active Directory Domain Services (AD DS) although there
are significant differences between the two. Azure AD provides authentication and authorization for
Office 365 and for other Microsoft cloud offerings, including Intune. As mentioned earlier, authentication
through Azure AD can be on a cloud-only basis, through directory synchronization with on-premises AD
DS, or with optional password hash synchronization. Alternatively, you can enable user authentication
with on-premises user accounts through Active Directory Federation Services (AD FS) or other Single
Sign-On (SSO) providers.
In addition, a typical employee usually has one or more business accounts that they use on information
systems in the organization where they work. Because of all this, a typical user has to remember several
sets of credentials to be able to access the personal and business resources that they use. This usually
leads to a situation where most of the passwords for these accounts are similar or even the same. This
greatly increases the risk of identity theft. If one set of credentials is stolen or discovered in any way, it’s
highly likely that the other identities of the same user will be at risk.
Because of this, it’s necessary to have an identity protection strategy. Identity protection is a set of
technologies that you implement to help proactively monitor user behavior, especially during authentication,
and to take actions if risk or vulnerability is detected.
For example, if you notice that a user starts signing in from a different city or at peculiar times of the day
(such as out of office hours), or if the user makes a number of failed password attempts, that suggests
suspicious activity, and it might indicate that a user account is compromised. Implementing an identity
protection system can help identify these issues and help to protect the integrity of your account
infrastructure.
Based on a calculated risk, Azure AD Identity Protection can notify administrators, try to remediate the
risk, increase the authentication security requirements, or take another action defined by the risk policy.
The sign-in risk level can be Low and above, Medium and above, and High. For each risk level, you can
define actions such as requiring MFA for signing in, password changes, or blocking access.
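The three signals described above (a sign-in from a different city, a sign-in outside office hours, and a number of failed password attempts) and the "Low and above / Medium and above / High" policy thresholds can be sketched as follows. This is an added illustration, not Microsoft's code, and it does not reproduce how Azure AD Identity Protection calculates risk: the one-step-per-signal scoring, the office-hours window, the failure threshold, the action names, and the sample sign-ins are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values for this illustration (not Azure AD settings).
OFFICE_HOURS = range(7, 19)            # 07:00-18:59, in the user's local time
FAILED_THRESHOLD = 3                   # failed attempts that count as suspicious
FAILED_WINDOW = timedelta(minutes=10)  # ...when they fall inside this window
LEVELS = ["none", "low", "medium", "high"]


@dataclass
class SignIn:
    user: str
    when: datetime
    city: str
    success: bool


class RiskEngine:
    """Scores each sign-in on the three signals and applies a risk policy."""

    def __init__(self, policy):
        # policy maps a threshold level to an action, for example
        # {"medium": "require_mfa"} means "Medium and above requires MFA".
        self.policy = policy
        self.known_cities = defaultdict(set)  # cities seen on clean sign-ins
        self.failures = defaultdict(deque)    # recent failed attempts per user

    def signals(self, ev):
        recent = self.failures[ev.user]
        while recent and ev.when - recent[0] > FAILED_WINDOW:
            recent.popleft()                  # forget failures outside the window
        if not ev.success:
            recent.append(ev.when)
        found = []
        cities = self.known_cities[ev.user]
        if cities and ev.city not in cities:  # no baseline yet: nothing to compare
            found.append("unfamiliar_city")
        if ev.when.hour not in OFFICE_HOURS:
            found.append("outside_office_hours")
        if len(recent) >= FAILED_THRESHOLD:
            found.append("repeated_failures")
        return found

    def action_for(self, level):
        # Walk down from the observed level, so that a "medium and above"
        # rule also covers high when no dedicated high rule exists.
        for name in reversed(LEVELS[1:LEVELS.index(level) + 1]):
            if name in self.policy:
                return self.policy[name]
        return "allow"

    def evaluate(self, ev):
        found = self.signals(ev)
        level = LEVELS[min(len(found), 3)]    # assumed scoring: one step per signal
        action = self.action_for(level)
        # Only clean, successful sign-ins extend the baseline, so a risky
        # session cannot teach the engine that its own city is normal.
        if ev.success and level == "none":
            self.known_cities[ev.user].add(ev.city)
        return level, action, found


USER = "emily@contoso.example"  # constructed account name
# Constructed sample sign-ins (user, local time, city, success).
SAMPLE = [
    SignIn(USER, datetime(2019, 3, 4, 9, 5), "Seattle", True),
    SignIn(USER, datetime(2019, 3, 5, 9, 10), "Seattle", True),
    SignIn(USER, datetime(2019, 3, 6, 2, 14), "Lisbon", False),
    SignIn(USER, datetime(2019, 3, 6, 2, 15), "Lisbon", False),
    SignIn(USER, datetime(2019, 3, 6, 2, 16), "Lisbon", False),
    SignIn(USER, datetime(2019, 3, 6, 2, 17), "Lisbon", True),
    SignIn(USER, datetime(2019, 3, 6, 10, 0), "Seattle", True),
    SignIn(USER, datetime(2019, 3, 7, 22, 30), "Seattle", True),
]


def run_demo():
    # Policy: Medium and above requires MFA, High blocks access.
    engine = RiskEngine({"medium": "require_mfa", "high": "block"})
    return [engine.evaluate(ev)[:2] for ev in SAMPLE]


if __name__ == "__main__":
    for ev, (level, action) in zip(SAMPLE, run_demo()):
        print(ev.when, ev.city, "ok" if ev.success else "fail", level, action)
```

The successful Lisbon sign-in at 02:17 is still blocked because the failed attempts just before it remain inside the window, and the city is never added to the baseline.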
Protecting information
With the proliferation of devices such as tablets and phones, it’s becoming increasingly difficult for IT
administrators to manage devices and the data that they contain. However, this is vital to an organization’s
security.
Although some organizations currently do not allow their users to bring their own devices and connect
them to their infrastructure, most do allow users access to corporate email via personal cellphones and
tablets. Even this relatively modest access poses risks of data leakage and the introduction of malware
into the organization.
If your organization decides to allow users to connect their devices in some way, it’s important that you
put in place security settings that can help protect your organization from the following threats:
●● Malware. Introduced through unsecured devices and apps.
●● Data leakage. Through:
●● Loss or theft of a device that contains corporate data.
●● Loss or theft of a storage device (such as a USB drive) that contains corporate data.
●● Inappropriate data access. Caused by access to an unsecured device by malicious persons.
●● Network access. Caused by insufficient security settings on a device, enabling a malicious person to
obtain sensitive data such as user accounts, passwords, and wireless access point settings.
You implement MDM by using an MDM authority and MDM clients. Microsoft offers two MDM authority
solutions: Intune, and MDM for Office 365. The MDM client functionality is included as part of the
Windows 10 operating system. The MDM authority can manage various devices that include MDM client
functionality, such as the Android, iOS, and Windows 10 operating systems.
MDM functionality typically includes:
●● App distribution
●● Data management
●● Device configuration
Note that to apply these settings, devices must be enrolled in an MDM. You can enroll Windows 10
devices manually or automatically. You must enroll devices running other operating systems manually,
often by installing a specific app.
An MDM authority such as Intune provides the following capabilities:
●● Device enrollment. MDM can manage only supported devices that are enrolled to MDM. A device
can include MDM client functionality such as Windows 10, or for other operating systems such as
Android or iOS, you must install a Company Portal app to manage it.
●● Device configuration. You can use profiles and policies to configure devices, control user access, and
set device settings to comply with company policy. You can also deploy settings for devices to access
company resources such as Wi-Fi and VPN profiles, and control access to company resources by using
conditional access.
●● Monitoring and reporting. In the MDM management tool, you can receive notifications about
devices that have issues, or whether MDM policy was not successfully applied, such as when devices
do not comply with a company baseline. You can also add enrolled devices to groups and view a list
of enrolled devices. By using Intune, you can also configure Windows Autopilot device deployment.
●● Application Management. With Microsoft Intune, which is included within a Microsoft 365 subscription,
you can deploy apps to any enrolled device anywhere in the world. By using MDM and mobile
application management (MAM) you can deploy the applications, manage their settings, and separate
data that is created by personal and business apps.
●● Selective data deletion. If a device is lost or stolen, or if the user is no longer a company employee,
you can wipe company data that’s stored on the device. You can wipe all device data or perform a
selective wipe, which leaves personal user data on the device intact.
●● Not enrolled in any mobile device management solution: The devices are typically employee
owned devices that aren't managed or enrolled in Intune or other MDM solutions.
The important benefits of using Intune app protection policies are:
●● Protecting your company data at the app level. Because mobile app management doesn't require
device management, you can protect company data on both managed and unmanaged devices. The
management is centered on the user identity, which removes the requirement for device management.
●● End-user productivity isn't affected, and policies don't apply when using the app in a personal
context. The policies are applied only in a work context, which gives you the ability to protect
company data without touching personal data.
There are additional benefits to using MDM with Intune app protection policies, and companies can use
Intune app protection policies with and without MDM at the same time. For example, consider an
employee who uses both a phone issued by the company and their own personal tablet. The
company phone is enrolled in MDM and protected by Intune app protection policies, while the personal
device is protected by Intune app protection policies only.
●● MDM ensures the device is protected. For example, you can require a PIN to access the device, or
you can deploy managed apps to the device. You can also deploy apps to devices through your MDM
solution, to give you more control over app management.
●● Intune app protection policies ensure that app-layer protections are in place. For example, you
can:
3. Protect. In the Protect phase, the MDM solution provides ongoing monitoring of the settings established
in the Configure phase. During this phase, you also use the mobile device management
solution to help keep devices compliant through the monitoring and deployment of software updates.
4. Retire. When a device is no longer needed, when it’s lost or stolen, or when an employee leaves the
organization, you should help to protect the data on the device. You can remove data by resetting the
device using Fresh Start, performing a full wipe, or performing a selective wipe that removes only
corporation-owned data from the device.
As an example of the MDM lifecycle, let’s use an employee named Emily Braun who has just started at
Contoso. She has a cellphone on which she wishes to read corporate emails. The following workflow is
from the device management perspective:
1. Enroll. When Emily enters the required information to configure her email account, she will be
notified that the organization she is connecting to requires that her device be configured. Assuming
that Emily accepts these conditions, her device is enrolled into MDM at Contoso.
2. Configure. As part of the conditions for allowing Emily access to corporate email, her device is
configured according to compliance policies defined within Microsoft 365 in the Contoso tenant.
These configuration settings might include requiring Emily to configure a PIN to unlock her phone,
and might also require that she enable device encryption.
3. Protect. As Emily uses her device, MDM continues to monitor and maintain her phone. If organizational
needs change, these changes might be reflected in policies that apply to Emily’s device.
4. Retire. Emily has accepted another position outside of Contoso with Adatum. The administration
team at Contoso can now remotely wipe the corporate data from Emily’s phone.
Compliance policies
You can define company policies by using the Device Compliance policy in Intune. You can control access
to email, documents, and other cloud apps by using Conditional Access policies. Compliance with
company policy is just one criterion that you can evaluate in Conditional Access policy; you can also
evaluate sign-in risk, device type, location, and client apps.
If a device is not enrolled to Intune, its compliance cannot be evaluated. However, you can prevent access
to mailboxes, documents, and cloud apps from such devices. If a user tries to access his or her mailbox
from such a device, depending on how you set the policy the user might be blocked from accessing
Office 365 resources. They also might be redirected to enroll the device in MDM. Alternatively, the user
could be granted access, but Office 365 would report a policy violation.
After a device is enrolled, you continue to manage it through policies. In terms of data protection, you
can create the following types of policy:
●● Device restrictions. Device restrictions control security, hardware, data sharing, and other settings on
the devices. For example, you can create a device restriction profile that prevents iOS device users
from using the device’s camera.
●● Endpoint protection. Endpoint protection settings for devices include:
●● Windows Defender Application Guard
●● Windows Defender Firewall
●● Windows Defender SmartScreen
●● Windows Encryption
●● Windows Defender Exploit Guard
●● Windows Defender Application Control
●● Windows Defender Security Center
●● Windows Defender Advanced Threat Protection
●● Windows Information Protection
●● Identity protection. Identity protection controls the Windows Hello for Business experience on
Windows 10 and Windows 10 Mobile devices. Configure these settings to make Windows Hello for
Business available to users and devices, and to specify requirements for device PINs and gestures.
You can also perform a number of actions on enrolled devices, including:
●● Factory reset
●● Selective wipe
●● Delete device
●● Restart device
●● Fresh start
Microsoft 365 supports your organization’s compliance needs with built-in tools and capabilities to help
you protect information, manage data governance, and respond to regulatory requests.
It can be helpful to think about managing compliance in terms of three phases:
●● Assess: Assess compliance risk and posture with actionable insights
●● Protect: Protect and govern sensitive data across devices, apps and cloud services
●● Respond: Intelligently respond to data discovery requests by leveraging AI to find the most relevant
data
●● Trust documents - Audit reports, data protection info about how Microsoft operates Azure, Dynamics
365, and Office 365, Azure Security and Compliance Blueprint.
●● Regional Compliance - Regionally specific compliance information, often in the form of legal opinions
that describe Microsoft cloud services in different countries, like Australia, Poland, or the UK.
●● Privacy - Information about the capabilities in Microsoft services that you can use to address specific
GDPR requirements, as well as GDPR documentation.
You can access the Service Trust Portal by going to http://aka.ms/STP.
Compliance Manager
The Compliance Manager is a cross-Microsoft solution that helps meet complex compliance obligations,
including:
●● GDPR
●● ISO 27001
●● ISO 27018
●● NIST 800-53
●● HIPAA
Compliance Manager can be managed by assigned individuals and provides three key capabilities:
●● Ongoing risk assessment. View a summary of your compliance posture against the data protection
regulatory requirements that are relevant to your organization, in the context of using Microsoft cloud
services. The dashboard provides you with your compliance score, which helps you make appropriate
compliance decisions.
●● Actionable insights. Understand the responsibility that you and Microsoft share in meeting compliance
standards. For components that Microsoft manages, you can see the control implementation
and testing details, test date, and results. For components that you manage, you can see recommendations
for appropriate actions and guidance on how to implement them.
●● Simplified compliance. Simplify processes to achieve compliance. It provides built-in collaboration
tools that you can use to assign tasks to your teams. You can also generate audit-ready reports with
links to the evidence you collected.
Together, these controls enable you and Microsoft engineers to enforce zero standing access by default
for service provider access, which is a significant leap in keeping our datacenters and your data secure
and compliant.
You can work with data stored in Exchange Online, SharePoint Online, OneDrive for Business, Skype for
Business, Office 365 Groups, and Microsoft Teams.
These tools can help significantly reduce the costs of eDiscovery. In fact, at Microsoft, while average data
per custodian has grown 20x, the cost per custodian of eDiscovery has been reduced 85% with the use of
the built-in capabilities.
Watch this video to learn more about how Advanced eDiscovery can help you hold, search, refine,
analyze, review and export your relevant content.
The new experience helps you reduce compliance risks and protect your digital estate more easily and
effectively with three new insights:
●● With the Compliance Manager integration, Microsoft 365 compliance center provides you with
visibility into your compliance posture against key regulations and standards like the GDPR, ISO
27001, NIST 800-53, and more on the homepage. You can then perform risk assessments and follow
step-by-step guidance to enhance your compliance and privacy controls.
●● Additionally, to help you label data more accurately, Microsoft 365 Label Analytics preview can enable
you to analyze and validate how sensitivity and retention labels are being used beyond your Office
365 workloads.
●● Microsoft Cloud App Security (MCAS) insights are also available in the Microsoft 365 compliance
center to help you identify compliance risks across applications, discover shadow IT, and monitor
employees’ non-compliant behaviors.
Once the Microsoft 365 compliance center is enabled for your tenant, you will be able to access it at
https://compliance.microsoft.com
Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Which of the following block or allow network traffic based on the traffic's properties?
(A) DLP policy
(B) Firewall
(C) MAC address
(D) Router
2. Which of the following Microsoft tools requires the tenant admin to approve a request before access
to your datacenter is granted to Microsoft engineers?
(A) Service Trust Portal
(B) Microsoft Intune
(C) Customer Lockbox for Office 365
(D) Compliance Manager
3. Which of the following is a compliance tool in the Service Trust Portal?
(A) Auditing
(B) Security
(C) Global Compliance
(D) Trust documents
4. Which of the following is a key capability of Compliance Manager in Microsoft 365?
(A) Workplace analytics
(B) Actionable insights
(C) MyAnalytics
(D) Streamlined compliance
5. You notice suspicious activity during sign-in from a number of user accounts. It seems as if these users
are signing in at unusual times and from unusual locations. What tool or feature in Microsoft 365
might alert you to such activity?
(A) Azure MFA
(B) Azure AD Privileged Identity Management
1. Open Microsoft Edge and navigate to com and sign in using the global admin account you have
been assigned for this course.
2. Select the Admin
3. In Microsoft 365 admin center, in the navigation pane, click Show more, and then click Admin
centers. You may need to click Try the new admin center to switch to the classic Microsoft 365
admin center interface to follow these instructions.
4. Click Azure Active Directory. Verify that a new tab opens in Microsoft Edge.
5. In the navigation pane, select Azure Active Directory.
6. Click Devices and then click Device settings.
7. In the details pane, in the Users may join devices to Azure AD select Selected.
8. Click Selected (No member selected).
9. Click Add members.
10. In the Select box, type Windows and click Windows 10 Deployment, which is the group you created
in the last lab.
11. Click Select and then click OK.
12. On the Devices – Device settings blade, click Save. You have configured that members of the
Windows 10 Deployment group may join devices to Azure AD.
1. Open Microsoft Edge and navigate to office.com and sign in using the global admin account you
have been assigned for this course.
2. Select the Admin tile
3. In Microsoft 365 admin center, in the navigation pane, click Show more, and then click Admin
centers. You may need to click Try the new admin center to switch to the classic Microsoft 365
admin center interface to follow these instructions.
4. Click Azure Active Directory. Verify that a new tab opens in Microsoft Edge.
5. In the navigation pane, select Azure Active Directory.
6. Select Conditional Access under the Security area.
Module 4 Microsoft 365 pricing and support
Microsoft 365 Enterprise provides enterprise-class services to organizations that want a productivity
solution that includes robust threat protection, security, compliance, and analytics features.
There are two available plans for Microsoft 365 Enterprise, letting you further refine what's included in
your implementation - E3 and E5. E5 includes all of the same features as E3 plus the latest advanced
threat protection, security, and collaboration tools.
| Feature | E3 | E5 |
|---|---|---|
| Windows 10 Enterprise | + | + |
| Word, Excel, PowerPoint, OneNote | + | + |
| Access | + | + |
| Exchange, Outlook | + | + |
| Microsoft Teams | + | + |
| StaffHub, PowerApps, Flow | + | + |
| Skype for Business | + | + |
| SharePoint, Yammer | + | + |
| Advanced Threat Analytics, Windows Defender Antivirus, Device Guard | + | + |
| Azure Active Directory Plan 1, Windows Hello, Credential Guard, Direct access | + | + |
| Microsoft Intune | + | + |
| Windows Autopilot, Fine Tuned User Experience, Windows Analytics Device Health | + | + |
| Windows Information Protection, BitLocker & Azure Information Protection P1 | + | + |
| Office 365 Data Loss Prevention | + | + |
| Delve | + | + |
| Power BI Pro, MyAnalytics | | + |
| Audio conferencing, Phone System | | + |
| Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence | | + |
| Azure Active Directory Plan 2 | | + |
| Azure Information Protection P2, Microsoft Cloud App Security, Office 365 Cloud App Security | | + |
| Advanced eDiscovery, Customer Lockbox, Advanced Data Governance | | + |
Microsoft 365 Enterprise licenses can be purchased through a Cloud Solution Provider (CSP) or with an
Enterprise Agreement (EA) subscription from Microsoft.
For the latest information about Microsoft 365 Enterprise plans, features, and pricing, go to Discover the
Microsoft 365 Enterprise solution that’s right for you1
Microsoft 365 Business is designed for small- and medium-sized organizations. Like Microsoft 365
Enterprise, Microsoft 365 Business offers the full set of Office 365 productivity tools and includes security
and device management features. It does not include some of the more advanced information protection,
compliance, or analytics tools available to enterprise subscribers. It is designed for organizations
that need up to 300 licenses; if your organization is larger than that, you will need to subscribe to a
Microsoft 365 Enterprise plan instead.
For the latest information about Microsoft 365 Business plans, features, and pricing, go to Microsoft 365
Business2.
For the latest information about Office 365 Business plans, features, and pricing, go to Office 365 for
Business3.
1 https://www.microsoft.com/en-us/microsoft-365/compare-all-microsoft-365-plans
2 https://www.microsoft.com/en-US/microsoft-365/business
3 http://aka.ms/AA50z67
Microsoft 365 Education is available for educational organizations. Academic licenses can be tailored to
fit any institution’s needs, including productivity and security solutions for faculty, staff, and students.
For more information about Microsoft 365 Education, go to Microsoft 365 Education4.
4 https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx
Release Validation
Any new release is first tested and validated by the feature team, then by the entire Office 365 feature
team, followed by all of Microsoft. After internal testing and validation, the next step is a Targeted
release (formerly known as First release) to customers who opt in. At each release ring, Microsoft collects
feedback and further validates quality by monitoring key usage metrics. This series of progressive
validation is in place to make sure the worldwide release is as robust as possible. The releases are
pictured in the following figure:
For significant updates, Office customers are initially notified by the Microsoft 365 Roadmap5. As an
update gets closer to rolling out, it is communicated through your Office 365 Message Center6 (This link
goes directly to the Message Center of your Office 365 tenant).
Standard Release
This is the default option where you and your users receive the latest updates when they're released
broadly to all Office 365 customers. A good practice is to leave the majority of users in Standard release
and IT Pros and power users in Targeted release to evaluate new features and prepare teams to support
business users and executives.
Targeted Release
With this option, you and your users can be the first to see the latest updates and help shape the product
by providing early feedback. You can choose to have individuals or the entire organization receive
updates early.
Early preview features issued through targeted release might not be supported until they reach the
Worldwide standard release.
5 https://products.office.com/business/office-365-roadmap
6 https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter
You can manage expired licenses in the admin center. If you don't renew a license or are past due paying
for the latest billing cycle, the user with the expired license won't be able to use all of their Microsoft 365
products. You either need to renew the license or assign them a different, active license.
You can also turn access to functions like Exchange Online or Microsoft Teams on or off within a single
license for each user. There are many services and tools within a single license that you can turn on or off
to fine-tune each user’s account settings. Note, however, that deactivating any or all features for a user
doesn't affect license consumption; these individual controls within the user’s product license are separate
from allocating (or removing) a license for a user.
Various Office 365 admin roles can perform different licensing actions. The table below lists tasks each
admin role may perform as it relates to licensing:
●● Premier Support - Microsoft Premier Support Services is well suited for large and global enterprises
with strategic and critical dependence on Microsoft products, including Microsoft 365 and Microsoft
Azure. If you're a Premier Support Services member, you'll be assigned a technical account manager
and can add additional benefits like advisory services and on-site support. Premier support engineers
are assigned customer issues and can call in any Microsoft expertise that’s needed to solve the
problem.
●● Cloud Service Provider Tier 1 support - If you purchased your Microsoft 365 subscription through a
certified tier 1 Cloud Solution Provider (CSP), contact them directly for technical support. Your Tier 1
CSP is your first point of contact for all service-related issues. Tier 1 providers will escalate any issues
they can’t resolve directly to Microsoft to ensure that you get the help you need.
●● Telephone support - Some Microsoft 365 components provide phone support.
●● Microsoft 365 Tech Community - Connect to and collaborate with other customers, share your
experiences and problems, and learn from experts. Available at Microsoft 365 Tech Community7, get
access to Microsoft blog posts, announcements, and forum posts from other Microsoft 365 users.
●● Microsoft 365 support forums - Microsoft offers official support forums where you can ask questions
and get answers from both Microsoft and community members. Different technologies and
services in Microsoft 365 have their own forums. Some of the more popular ones are:
Azure forums8
Windows forums9
Office forums10
7 https://techcommunity.microsoft.com/t5/Microsoft-365/ct-p/microsoft365
8 https://azure.microsoft.com/support/community/
9 https://answers.microsoft.com/windows/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
10 https://answers.microsoft.com/msoffice/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
SLA considerations
Make sure you thoroughly review any service agreement before you sign it. Ask yourself the following
questions:
●● How does the CSP determine whether service levels are being achieved?
●● Who's responsible for measurement, and how can I obtain reports?
●● What exceptions are there in the SLA?
●● When the SLA is not met, what’s the remedy for the deficiencies?
●● What happens when maintenance (both scheduled and emergency) is performed?
●● What happens when a malicious hacker targets my organization or the infrastructure that we’re
running on, and the result is downtime?
●● What happens when third-party system failures or services are not under the vendor’s control?
●● What happens if the service is brought down by acts of war or natural disasters, such as earthquakes,
floods, storms, tornadoes, or hurricanes?
●● What limits to the CSP’s liability are stated in the SLA?
Service level agreements also apply to technical support response times. As an example, the table below
lists a comparison of technical phone support options for Office 365 Business and Enterprise plans.
Select any entry to get more details. You can see the following:
●● A description of the problem
●● When the incident was first logged
●● Last update to the incident
●● Current status
●● User impact
Message center
To keep track of upcoming feature releases or issues, go to Message center. That's where we post official
announcements about new and changed features to enable you to take a proactive approach to change
management. Each post gives you a high-level overview of a planned change and how it may affect your
users, and links out to more detailed information to help you prepare.
Because Major updates are most impactful to your organization, they are highlighted at the top of the
Message center.
Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Which of the following Microsoft 365 subscription plans includes Microsoft Azure Active Directory Plan
2 for advanced identity and access management?
(A) Microsoft 365 Business
(B) Microsoft 365 E3
(C) Microsoft 365 E5
2. You are the Microsoft 365 subscription administrator at your organization. As of 10:00 AM this morning,
no one is able to connect their mailboxes to the Microsoft Exchange Online service. What should you
do to check the service status?
(A) Navigate to Service health in the Microsoft 365 admin center.
(B) Visit the Microsoft Office 365 online forum.
(C) Visit the Microsoft Azure online forum.
(D) Send an email to Microsoft support.
3. Your organization is looking for a Microsoft 365 offering that is built specifically for firstline workers.
Which plan should you choose?
(A) Microsoft 365 Education
(B) Microsoft 365 E3
(C) Microsoft 365 E5
(D) Microsoft 365 F1
(E) Microsoft 365 Business
4. You want to review the statuses of your existing Microsoft 365 service requests. What’s the best way to
do that?
(A) In the Microsoft 365 admin center, select View service requests under the Support blade.
(B) Search the Microsoft 365 support forums using your service request numbers.
(C) Only Tier 1 Cloud Service Providers have this information; you will need to call them.
(D) Email Microsoft Support.
5. Which of the following is an automated assistance bot designed to help you find answers to Office 365
support questions?
(A) FastTrack
(B) TechBot
(C) PremierBot
(D) O365 Assistant
6. Which of the following is a channel where you can get direct access to Microsoft 365 planning materials
and project managers?
(A) FastTrack
(B) Microsoft 365 Tech Community
(C) Premier Support
(D) Microsoft 365 support forums
Answers:
1.(C) 2.(A) 3.(D) 4.(A) 5.(D) 6.(A)
Lab - Managing subscriptions, licensing, and support in Microsoft 365
● This is the menu where you can select a certain billing period, but because this is a new trial you won’t
have any billing statements available to review.
7. In Billing, select Payment methods. This is where you can specify how to pay for your services.
8. Select +Add a payment method to review the type (or types) of payment methods that are available
in your region.
9. In Billing, select Licenses. This is where you manage your subscription licenses.
● Note that for each type of subscription you will see the total number of licenses (both valid and
expired), in addition to the number of licenses that are assigned to users.
● Don’t do anything with your licenses yet; we’ll step through managing licenses in the next exercise.
10. In Billing, select Billing notifications. This is where you can determine who receives automated
emails about Microsoft services billing.
1. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Purchase
services.
2. Scroll through the list of available services, and then select one that offers a free trial.
3. After signing up for the trial, in the Microsoft 365 admin center, in the navigation pane, expand
Billing, and then select Subscriptions to view the details of your new trial subscription and associated
licenses.
6. Confirm that an additional license has been freed up and can be re-assigned.
1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help pane that opens, ensure that the Try O365 Assistant is switched on.
3. In the Type Message field, enter a question concerning your Microsoft 365 subscription, such as, My
OneDrive for Business isn’t synchronizing.
4. Review the O365 Assistant’s responses:
● Select a topic to review.
● Step through the O365 Assistant’s questions.
● Review the links to related support articles.
● Under New service request by phone, review how you would enter your contact information and
attach any optional materials to help explain your support request. Do not enter any information or
select Call me, as this would create an actual service request.
5. Close New service request by phone when you’ve finished reviewing it.
6. Review how to create a new email service request:
● Under New service request by email, review how you would enter your email address (or addresses)
and attach any optional materials to help explain your support request. Do not enter any information
or select Send, as this would create an actual service request.
7. Close New service request by email when you’ve finished reviewing it.
Module 5 Course Review
Course Review
Course Summary
https://www.youtube.com/watch?v=O4pMI3ZBXb4