
MCT USE ONLY.

STUDENT USE PROHIBITED


Microsoft Official Course
MS-900T01
Microsoft 365 Fundamentals
Disclaimer

 
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in 
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
 
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
 
The names of manufacturers, products, or URLs are provided for informational purposes only and   
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained  
therein.
 
© 2019 Microsoft Corporation. All rights reserved.
 
Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.

MICROSOFT LICENSE TERMS


MICROSOFT INSTRUCTOR-LED COURSEWARE
                                                                                                                                                                
 
These license terms are an agreement between Microsoft Corporation (or based on where you live, one
of its affiliates) and you. Please read them. They apply to your use of the content accompanying this
agreement which includes the media on which you received it, if any.  These license terms also apply to
Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany
those items. If so, those terms apply.
 
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU
DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
                                                                                                                                                                
If you comply with these license terms, you have the rights below for each license you acquire.
 
1.        DEFINITIONS.
 
a.     “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
 
b.     “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
 
c.     “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center
owns or controls that is located at an Authorized Learning Center’s training facilities that meets or
exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
 
d.     “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training
Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time
employee.
 
e.     “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
 
f.      “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training
session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently
certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
 
g.     “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course
that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
 
h.     “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
 
i.      “Microsoft Learning Competency Member” means an active member of the Microsoft Partner
Network program in good standing that currently holds the Learning Competency status.
 
j.      “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
 
k.     “MPN Member” means an active Microsoft Partner Network program member in good standing.
 
l.      “Personal Device” means one (1) personal computer, device, workstation or other digital electronic
device that you personally own or control that meets or exceeds the hardware level specified for the
particular Microsoft Instructor-Led Courseware.
 
m.   “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. 
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
 
n.     “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.
 
o.     “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the
Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations,
trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide
and Pre-release course feedback form.  To clarify, Trainer Content does not include any software, virtual
hard disks or virtual machines.
 
2.        USE RIGHTS. The Licensed Content is licensed not sold.  The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
 
2.1      Below are five separate sets of use rights.  Only one set of rights apply to you. 
 
a.     If you are a Microsoft IT Academy Program Member:
i.      Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you.  If the Microsoft Instructor-Led Courseware is in
digital format, you may install one (1) copy on up to three (3) Personal Devices.  You may not install
the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii.     For each license you acquire on behalf of an End User or Trainer, you may either:
1.       distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User
who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of
the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being
provided, or
2.       provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3.       provide one (1) Trainer with the unique redemption code and instructions on how they can access
one (1) Trainer Content,
provided you comply with the following:
iii.    you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv.    you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v.     you will ensure that each End User provided with the hard-copy version of the Microsoft Instruc-
tor-Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior
to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to their
accessing the Microsoft Instructor-Led Courseware,
vi.    you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Authorized Training Session,
vii.   you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all
your Authorized Training Sessions,
viii.  you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix.    you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
 
b.     If you are a Microsoft Learning Competency Member:
i.      Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you.  If the Microsoft Instructor-Led Courseware is in
digital format, you may install one (1) copy on up to three (3) Personal Devices.  You may not install
the Microsoft Instructor-Led Courseware on a device you do not own or control. 
ii.     For each license you acquire on behalf of an End User or MCT, you may either:
1.       distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User
attending the Authorized Training Session and only immediately prior to the commencement of the
Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or
2.       provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3.       you will provide one (1) MCT with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii.    you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv.    you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v.   you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their use
of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote
their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing
the Microsoft Instructor-Led Courseware,
vi.    you will ensure that each MCT teaching an Authorized Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Authorized Training Session,
vii.   you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that
is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
viii.  you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
ix.    you will only provide access to the Trainer Content to MCTs.
 
c.     If you are a MPN Member:
i.      Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you.  If the Microsoft Instructor-Led Courseware is in
digital format, you may install one (1) copy on up to three (3) Personal Devices.  You may not install
the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii.     For each license you acquire on behalf of an End User or Trainer, you may either:
1.       distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User
attending the Private Training Session, and only immediately prior to the commencement of the Private
Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2.       provide one (1) End User who is attending the Private Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3.       you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii.    you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv.    you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v.     you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their use
of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote
their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing
the Microsoft Instructor-Led Courseware,
vi.    you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii.   you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,
viii.  you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix.    you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x.     you will only provide access to the Trainer Content to Trainers.
 
d.     If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use.  If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices.  You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
 
e.     If you are a Trainer:
i.        For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training
Session or Private Training Session, and install one (1) additional copy on another Personal Device as a
backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy
of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the
Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training
Session.
 
ii.       You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.  If you
elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only
be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations
will comply with this agreement.  For clarity, any use of “customize” refers only to changing the
order of slides and content, and/or not using all the slides or content, it does not mean changing or
modifying any slide or content.
 
2.2      Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
 
2.3      Redistribution of Licensed Content.  Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
 
2.4      Third Party Notices.  The Licensed Content may include third party code that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code are included for
your information only.
 
2.5      Additional Terms.  Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
 
3.        LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY.  If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply: 
 
a.     Pre-Release Licensed Content.  This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology.  The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version. Licensed
Content based on the final version of the technology may not contain the same information as the
Licensed Content based on the Pre-release version.  Microsoft is under no obligation to provide you with
any further content, including any Licensed Content based on the final version of the technology.
 
b.     Feedback.  If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose.  You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback. 
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them.  These rights survive
this agreement. 
 
c.     Pre-release Term.  If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency
Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the
Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).  Upon
expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the
Licensed Content in your possession or under your control.
 
4.        SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you
some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives
you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in
this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
·  access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
·  alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
·  modify or create a derivative work of any Licensed Content,
·  publicly display, or make the Licensed Content available for others to access or use,
·  copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
·  work around any technical limitations in the Licensed Content, or
·  reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.
 
5.    RESERVATION OF RIGHTS AND OWNERSHIP.  Microsoft reserves all rights not expressly granted to
you in this agreement.  The Licensed Content is protected by copyright and other intellectual property
laws and treaties.  Microsoft or its suppliers own the title, copyright, and other intellectual property rights
in the Licensed Content. 
 
6.        EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the
Licensed Content. These laws include restrictions on destinations, end users and end use. For additional
information, see www.microsoft.com/exporting.
                 
7.        SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services
for it.
 
8.        TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
 
9.        LINKS TO THIRD PARTY SITES.  You may link to third party sites through the use of the Licensed
Content.  The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites.  Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites.  Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
 
10.      ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates
and supplements are the entire agreement for the Licensed Content, updates and supplements.
 
11.      APPLICABLE LAW.
a.     United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict
of laws principles. The laws of the state where you live govern all other claims, including claims under
state consumer protection laws, unfair competition laws, and in tort.
 
b.     Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
 
12.      LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the laws
of your country do not permit it to do so.
 
13.      DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE."
YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS
WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS
UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED
UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
 
14.      LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00.
YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
 
This limitation applies to
o  anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
o  claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
 
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
 
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
 
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
 
DISCLAIMER OF WARRANTY. The licensed content covered by a license is provided "as is". Any use of this
licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot modify. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
 
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES.
You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00.
You cannot claim any compensation for other damages, including special, indirect or incidental damages
and lost profits.
This limitation applies to:
·  anything related to the licensed content, services or content (including code) on third-party Internet
sites or in third-party programs; and
·  claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
 
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.
 
LEGAL EFFECT.  This agreement describes certain legal rights. You may have other rights under the laws
of your country.  This agreement does not change the rights conferred on you by the laws of your country
if those laws do not permit it to do so.
 
Revised November 2014
Contents

■■ Module 0 Introduction ... 1
Course introduction ... 1
About This Course ... 2
■■ Module 1 Cloud Concepts ... 5
Principles of cloud computing ... 5
Microsoft cloud services ... 16
Migrating to cloud services ... 22
Lab - Cloud Fundamentals ... 28
■■ Module 2 Microsoft 365 Services ... 35
Microsoft 365 core services ... 35
Deploying Windows 10 and Office 365 ProPlus ... 48
Unified endpoint management in Microsoft 365 ... 58
Teamwork in Microsoft 365 ... 63
Lab - Configuring Microsoft 365 tenant ... 72
■■ Module 3 Security, compliance, privacy, and trust in Microsoft 365 ... 75
Organizational security fundamentals ... 75
Security features in Microsoft 365 ... 80
Identity and Access Management ... 90
Device and information protection ... 94
Compliance in Microsoft 365 ... 103
Lab - Implement security and compliance in Microsoft 365 ... 112
■■ Module 4 Microsoft 365 pricing and support ... 115
Microsoft 365 subscriptions, updates, licenses, and billing ... 115
Support in Microsoft 365 ... 125
Lab - Managing subscriptions, licensing, and support in Microsoft 365 ... 133
■■ Module 5 Course Review ... 137
Course Review  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  137
Module 0 Introduction

Course introduction
Welcome

https://www.youtube.com/watch?v=FUWU8853hZQ

About This Course


Preparing for Exam MS-900: Microsoft 365 Fundamentals
Exam MS-900 validates a learner’s fundamental knowledge of Microsoft 365. How you prepare for the
exam depends on your existing knowledge of the basic concepts related to Microsoft 365 and which
learning methods are most effective for you.
Microsoft offers courseware and other learning opportunities that provide information about key con-
cepts and knowledge that you must understand about Microsoft 365 to have a solid foundation to grow
your Microsoft 365 skills; some of these concepts will be assessed on the Microsoft 365 Fundamentals
exam. This courseware will get you started on your exam preparation journey.
Microsoft 365 is a software system that includes a wide range of capabilities. Operating this system
involves many procedures and configurations. As a result, we suggest that you have some familiarity with
Microsoft 365 before taking this exam. To do this, consider completing hands-on labs within the course-
ware, or exploring your own Microsoft 365 tenant.
To prepare for a Fundamentals exam, we recommend a combination of content-based learning material
and familiarity with the Microsoft 365 system. Put simply…

Courseware + Familiarity = Preparation


Here is an example of this process of exam preparation in action:
1. Read the Skills measured for MS-900: The Skills measured area of the exam page [1] lists the objectives that will be tested on the exam. Notice one of these objectives is ”Understand how Microsoft 365
services addresses the most common current threats.”
2. Use the Courseware: Microsoft’s courseware provides explanations of technologies and systems that
may appear on the exam. For example, in support of the objective identified in step #1, the course-
ware includes a unit on Microsoft Secure Score. This Secure Score learning unit explains what the
technology is, how it works, and why it exists for Microsoft 365.
3. Explore Microsoft 365: Since Microsoft 365 Secure Score is discussed in the courseware, it is likely to
be covered on the exam. If you are not familiar with Secure Score, you should explore it through a
Microsoft 365 tenant. By exploring the Microsoft Secure Score dashboard, you learn about the impact
various security actions have upon your score. Do this for all objectives with which you are not
familiar.

[1] https://www.microsoft.com/en-us/learning/exam-MS-900.aspx

4. Take the Exam: Here is an example of an MS-900 Microsoft 365 Fundamentals exam item:
Your organization deploys Microsoft 365. Your goal is to significantly improve your security posture.
Which of the following actions will improve your Microsoft 365 Secure Score the most?
A. Require MFA for Azure AD privileged roles
B. Turn on mailbox auditing
C. Enable Password Hash Sync if hybrid
D. Store user documents in OneDrive for Business

In this example, because the learner was familiar with the Microsoft Secure Score dashboard, either
through learning, exploration of Microsoft 365, or both, he or she would know that “Require MFA for Azure
AD privileged roles” improves the Secure Score by fifty points, whereas each of the other answer options
improves the score by no more than ten points.
Module 1 Cloud Concepts

Principles of cloud computing


Introduction
Cloud computing plays an increasingly important role in IT infrastructure, and as such, IT professionals
need to be aware of fundamental cloud principles and techniques. This lesson introduces the cloud and
describes considerations for implementing cloud-based infrastructure services.
After this lesson, you should be able to:
●● Describe what cloud computing is.
●● Describe evolving IT operation models.
●● Describe business drivers for the cloud.
●● Explain how an organization can use the tools and services in Microsoft 365 to elevate all employees,
including firstline personnel and information workers, into a modern workforce.

What is cloud computing


Cloud computing is the delivery of computing services—servers, storage, databases, networking, soft-
ware, analytics, intelligence and more—over the internet (“the cloud”). Instead of maintaining CPUs,
random access memory (RAM), and storage in your datacenter, cloud computing enables you to rent
these cloud-based computing services from a cloud service provider. When you choose to use the cloud,
you shift certain responsibilities to the cloud service provider so that you can focus on other things—such
as your business—and less on the underlying technologies. The cloud service provider maintains the
underlying infrastructure, platforms, and services for you.

The goal of cloud computing is to make running a business easier and more efficient, whether it's a small
start-up company or a large enterprise. Every business is unique and has different needs. To meet those
needs, cloud computing providers offer a wide range of services. Some of the most common types
include:
●● Compute services. Enables you to run your own web apps, databases, virtual machines, and other
types of computing in the cloud instead of on local hardware. An example of compute services is
Microsoft Azure Virtual Machines.
●● Communications services. Provides communications between users. Examples of communication
services include Microsoft Exchange Online and Microsoft Teams. Exchange Online provides email,
calendar, and contact sharing, and Teams provides instant messaging, computer-to-computer audio
and video calls, screen sharing, and an integrated platform for sharing of documents and collabora-
tion.
●● Productivity services. Allows users to work and collaborate. An example of productivity services is
Microsoft Office 365, which provides a comprehensive collaboration platform for the entire organiza-
tion.
●● Search services. Provides search functionality into custom applications. In addition, it can provide a
search engine and data storage that can be accessed on an API. An example of search services is
Azure Search.
●● Storage services. Provides a storage platform for data. By storing data in the cloud, any user or
device can access it. Examples of storage services are Microsoft Azure Storage and Microsoft OneDrive
for Business.

Differentiating between various IT funding models
Cloud computing changes not only how and where a business uses computing systems, it also changes
the funding model—the costs associated with computing. Why does cloud computing change the cost
structure? It’s mainly as a result of a shift from capital expenditure to operating expenditure:
●● Capital expenditures (CapEx) are the costs associated with buying or upgrading physical hardware,
such as servers, networking equipment, and storage. It also includes real estate such as buildings or
datacenter space. Typically, the physical resources are amortized over several years. Instead of deduct-
ing the full cost of the equipment in the first year, you deduct a portion of it each year.

●● Operating expenditures (OpEx) are the costs that an organization incurs while performing its normal
business operations. This includes the electricity consumed, cost of employees to manage and
support systems, office space, and internet connections. Management is responsible for minimizing
OpEx without significantly affecting the organization’s operations and ability to compete in the
marketplace. OpEx is expensed each year because you pay for and use the product or service.
Now that you understand these different types of costs, let’s see how they relate to cloud computing and
traditional on-premises costs.

On-premises computing costs


In a traditional, on-premises datacenter, you will need to pay for the following items:
●● Server costs. This includes all hardware components and the cost of hardware support. When
purchasing servers, make sure to design fault tolerance and redundancy, such as server clustering,
redundant power supplies, and uninterruptable power supplies. When a server needs to be replaced
or added to a datacenter you need to use CapEx to pay for the computer. This will affect your imme-
diate cash flow because you have to pay for the server up front. Fortunately, however, you can
amortize the cost over several years.
●● Storage costs. This includes all hardware components and the cost of hardware support. Based on
the application and level of fault tolerance, centralized storage can be quite expensive. For larger
organizations, you can create tiers of storage where more expensive fault-tolerant storage is used for
critical applications and lower priorities use a less expensive form of storage. These storage costs are
CapEx.
●● Network costs. This includes all hardware components, including cabling, switches, access points, and
routers. This also includes wide area network (WAN) and internet connections. Network hardware
expenses are CapEx.
●● Backup and archive costs. This is the cost to back up, copy, or archive data to the cloud or data-
center. Options might include backing up to or from the cloud. These costs are CapEx for hardware,
but OpEx for backup maintenance and consumables such as tapes.
●● Business continuity and disaster recovery costs. Along with server fault tolerance and redundancy,
you need to plan for how to recover from a disaster and continue operating. Your plan should consist
of creating a data recovery site. It could also include backup generators. These are mostly CapEx
costs—especially if you build a DR site, but the infrastructure and personnel costs are OpEx.
●● Datacenter infrastructure costs. These are costs for electricity, floor space, cooling, and building
maintenance. The expense of running the server is an OpEx.
●● Technical personnel. Based on the technology used, you will need technical expertise and work force
to install, deploy, and manage the systems at the datacenter. The staffing expense to run the server is
an OpEx.

Cloud computing costs


With cloud computing, many of the costs associated with an on-premises datacenter are shifted to the
cloud service provider. Instead of thinking about physical hardware and datacenter costs, cloud comput-
ing has a different set of costs. For accounting purposes, all these costs are OpEx:
●● Leasing a cloud-based server. If you lease a server or use the cloud, the cost is usually based on the
pay-per-use model.

●● Leasing software and customized features. When you use the pay-per-use model, you have to
actively manage your subscriptions. You must ensure that users do not misuse the cloud, while
making sure that provisioned accounts are actually being used and not wasted. As soon as resources
are provisioned by the provider, billing starts. It is the client’s responsibility to deprovision the re-
sources when they are not in use, so that they can manage costs.
●● Scaled charges based on usage/demand instead of fixed hardware or capacity. Cloud computing
can bill in various ways: on the number of users, or on CPU usage amounts. However, billing catego-
ries can also include allocated RAM, I/O operations per second (IOPS) units, and storage space. If you
are connecting a datacenter to the cloud or connecting two clouds together, identify how much data
needs to be transferred so that you can determine the bandwidth needed. Don’t forget to plan for
backup traffic to or from the cloud, and replication between datacenters or the datacenter and the
cloud for data recovery purposes.
●● Billing at the user or organization level. The subscription (or pay-per-use) model is a computing
billing method that is designed for both organizations and end-users. The organization or user is
billed for the services used, typically on a recurring basis. You can scale, customize, and provision
computing resources, including software, storage, and development platforms. For example, when
using a dedicated cloud service, you could pay based on server power and usage.

Cloud computing models


A cloud deployment model defines where your data is stored and how your customers interact with it. In
other words, how do they get to it, and where do the applications run? It also depends on how much of
your own infrastructure you want or need to manage.
Cloud computing is flexible and enables you to choose how you want to deploy it. The cloud deployment
model you choose depends on your budget and your security, scalability, and maintenance needs.

Public cloud
This is the most common deployment model. In the public cloud model, you have no local hardware to
manage or keep up-to-date—everything runs on your cloud service provider’s hardware. This means that
the information technology infrastructure (hardware, servers, software, and other infrastructure items) is
located somewhere other than your datacenter, and is managed by a third party.
There are two variants of a public cloud:
●● Shared public cloud is where many companies share common resources (such as email) within the
same cloud service provider’s environment. Each company is only aware of its own cloud services
account (also known as a tenant); only the cloud service provider who manages this multi-tenant
environment is aware of the different accounts running within the same cloud. This model works well
for smaller businesses who are looking to save additional costs, because sharing computing resources
with other cloud users is cheaper than reserving resources for a single account.
●● Dedicated public cloud is typically for enterprise organizations who require a dedicated physical
infrastructure that is reserved for only their use, such as an on-demand sandbox environment. While
the cost might be higher than that of the shared public cloud, the dedicated public cloud might offer
better security, performance, and customization.
The advantages of public clouds include:
●● Lower costs. No need to purchase hardware or software, and you pay only for the service you use.
●● No maintenance. Your service provider provides the maintenance.

●● Near-unlimited scalability. On-demand resources are available to meet your business needs.
●● High reliability. A vast network of servers ensures against failure.

Private cloud
In a private cloud, you create a cloud environment in your own datacenter and provide self-service access
to compute resources to users in your organization. This model offers a simulation of a public cloud to
your users, but you remain entirely responsible for the purchase and maintenance of the hardware and
software services you provide. An example of a private cloud would be an organization that deploys
virtual machines that use proprietary peripheral devices.
The advantages of private clouds include:
●● More flexibility. Your organization can customize its cloud environment to meet specific business
needs.
●● Improved security. Resources are not shared with others, so higher levels of control and security are
possible.
●● High scalability. Private clouds still afford the scalability and efficiency of a public cloud.
Some reasons teams move away from the private cloud are:
●● You have to purchase the hardware for startup and maintenance.
●● Private clouds require IT skills and expertise that can be hard to find.

Hybrid cloud
A hybrid cloud combines public and private clouds, allowing you to run your applications in the most
appropriate location. For example, you could host a website in the public cloud, but link it to a highly
secure database hosted in your private cloud (or on-premises datacenter). A hybrid cloud deployment
provides failover capabilities between local resources that you manage and resources in other regions.
This is helpful when you have some things that cannot be put in the cloud.

Organizations implement hybrid cloud deployments for a variety of reasons, the most common of which
include:
●● Protecting sensitive data. You have data that cannot be exposed publicly (such as medical data).
●● Extending capabilities of on-premises systems. You have applications that run on old hardware and
can’t be updated. In this case, you keep the old system running locally, and connect it to the public
cloud for authorization or storage.
●● Reducing data protection costs. You want to implement public key infrastructure (PKI) and Informa-
tion Rights Management Services (RMS) infrastructure locally for data protection, but doing so would
be expensive. Instead, you can enable these features from the cloud, and they will protect both your
cloud and on-premises documents and data.

The advantages of hybrid clouds include:


●● Control. Your organization can maintain a private infrastructure for sensitive assets.
●● Flexibility. You can take advantage of additional resources in the public cloud when you need them.
●● Cost-effectiveness. With the ability to scale to the public cloud, you pay for extra computing power
only when needed.
●● Ease. Transitioning to the cloud doesn’t have to be overwhelming because you can migrate gradually
by phasing in workloads over time.
Some hybrid cloud concerns you'll need to watch out for are:
●● It can be more expensive than selecting just one (public or private) deployment model.
●● It can be more complicated to set up and manage.

Types of cloud services


Cloud computing has three major categories. It's important to understand them because they are
referenced in conversation, documentation, and training.

Infrastructure as a service (IaaS)

IaaS is the most flexible category of cloud services. It aims to provide you with complete control over the
hardware that runs your application. However, instead of having to purchase hardware—such as servers,
switches, routers, storage area networks, and firewalls—with IaaS, you rent it. Given the hardware costs
associated with this cloud model, it would not be the recommended solution for organizations looking to
minimize server and application maintenance costs. A common example of an IaaS are server-based
workloads on a virtual machine that are connected to an on-premises network. Virtual machines can be
quickly deployed using the IaaS model.

Platform as a service (PaaS)

PaaS provides an environment for buying, building, testing, deploying, and running software applications;
therefore, it would not be the recommended cloud model for organizations looking to deploy a service
such as Exchange Online that is already fully developed. The goal of PaaS is to help you create an
application as quickly as possible without having to worry about managing the underlying infrastructure. For
example, when deploying a web application using PaaS, you don't have to install an operating system,
web server, or even system updates. A common example of a PaaS is a custom web and mobile applica-
tion that securely connects to an on-premises data store.

Software as a service (SaaS)

SaaS is software that is centrally hosted and managed for the end customer. It is usually based on an
architecture where one version of the application is used for all customers, and runs on demand through
either remote desktop services or a web browser. The software is typically licensed through a monthly or
annual subscription and does not require deployment or ongoing maintenance. Examples of Software as
a Service include Microsoft 365, OneDrive for Business, Microsoft Outlook on the web, and Exchange
Online. Microsoft 365 is a SaaS because Office 365 delivers a set of software products on a subscription
basis. Exchange Online is also a SaaS, even when integrated with on-premises Exchange Server 2019 in a
hybrid cloud model.

Think about service categories as layers


One way to understand these categories is as layers on top of each other. For example, PaaS adds a layer
on top of IaaS by providing a level of abstraction. The abstraction has the benefit of hiding the details
that you might not care about so that you can get to coding quicker. However, one cost of that is that
you have less control over the underlying hardware. The following illustration shows a list of resources
that you manage and that your service provider manages in each of the cloud service categories.
The following table provides a comparison of what resources a cloud service provider manages between
on-premises environments and various types of cloud services.

Layer             Software as a Service   Platform as a Service   Infrastructure as a Service   On-Premises
Applications      Provider                You                     You                           You
Data              Provider                You                     You                           You
Runtime           Provider                Provider                You                           You
Middleware        Provider                Provider                You                           You
Operating system  Provider                Provider                You                           You
Virtualization    Provider                Provider                Provider                      You
Servers           Provider                Provider                Provider                      You
Storage           Provider                Provider                Provider                      You
Networking        Provider                Provider                Provider                      You

(Provider = managed by the cloud service provider; You = managed by your organization.)

Cloud computing considerations for privacy, compliance, and data protection
Privacy
When you depend on cloud service providers, you are relying on them to keep your data safe. This could
be from loss, theft, or misuse by third parties, including other customers, employees of the hosting
company, and even users within your own organization. As more and more customers are relying on
cloud service providers to keep their data safe, cloud services raise unique privacy questions for business-
es. This is because organizations have legal obligations to ensure the privacy of their employees, custom-
ers, and clients.
Laws prohibit some data from being used for a reason other than the purpose for which the data was
originally collected. In addition, when you collect and store data in the cloud, you are subject to legal
requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), just as if you were storing data on premises. If you work with European companies
or customers, you must also adhere to EU privacy laws.
So, what does this mean for a company considering adopting cloud computing? You need to ensure your
cloud service provider is helping safeguard privacy by:
●● Reading the cloud service provider’s privacy notices. These specify how data is accessed by users
and how it can be deleted or modified. In addition, you need to know where data is actually kept, how
data is backed up and how often, and where the backups are stored. In some instances, you might
have data that cannot leave the country or region that it is intended for, or cross the borders of other
countries or regions.
●● Considering how the cloud service provider handles disaster recovery and business continuity.
You must ensure that backups are being created on a regular basis, data is being replicated to another
site, and that the services are duplicated on another site.
●● Considering how the hosting company handles security breaches. Also, check the disclosure
policy to see how quickly they will disclose the breach to you. In addition, there are laws that require
you to be informed promptly of any breaches.

Compliance
Many organizations have regulations and policies that they must comply with to operate in various
industries. For example, companies working in the health industry have to follow HIPAA. These policies
can be quite complex based on the type of industry, geographical location of the organization, and
company-based policies. Further complicating matters is the fact that legal and regulatory bodies might
change the responsibilities of both the cloud-computing tenants and providers.
An organization that does not protect its data could be subject to a fine by one or more government or
industry regulatory bodies. Some of these fines can be substantial, crippling a small or mid-sized busi-
ness.
Laws or regulations typically specify who within an organization should be held responsible for data
accuracy and security. For example, the Sarbanes–Oxley Act designates the Chief Financial Officer (CFO)
and Chief Executive Officer (CEO) as having joint responsibility for the financial data, while the Gramm–
Leach–Bliley Act specifies that the responsibility for security lies within the entire board of directors. These
both are in contrast to the United States Federal Trade Commission (FTC), which requires a specific
individual to be accountable for the information security program within a company.

All these regulations pertain to cloud computing. If you store any of your data in the cloud, you must
ensure that your cloud service provider follows all legal and regulatory requirements. Remember, it’s still
your responsibility to ensure these requirements are met, so do your due diligence before signing any
contract. Then after the contract is signed, take steps to ensure that compliance is maintained to protect
your company and your customers.

Data protection
When running services and storing data in the cloud, you should follow the standard best practices for
security, just as you would on any on-premises network:
●● Always use strong passwords and ensure the passwords are changed regularly.
●● Always set rights and permissions for only what is needed, and review them on a regular basis.
Where the data is confidential, you should also consider using encryption.
●● Perform regular auditing and monitoring.
When considering protection for data in the cloud, explore how to best protect your data both where it’s
stored, and when it’s being used or transmitted:
●● For data that is at rest (sitting on a disk somewhere in the cloud), you should encrypt the disks or files
on the disks. Office 365 Data Loss Protection and Azure Information Protection—both part of Micro-
soft 365—collectively offer end-to-end discovery, custom labeling, and automated protection of
sensitive data, irrespective of when the data was created or where it is stored—even in PDFs and
RMS-encrypted files.
●● When transmitting important data (data on the move) such as credit card or social security numbers,
use HTTPS to encrypt the data.
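The first bullet above, data at rest, as an added Go example that is not part of the courseware: a file's contents are sealed with AES-256-GCM, the sensitivity label is bound to the ciphertext as authenticated data, and a relabeled or bit-flipped file is rejected on read rather than returned as valid data. The key source, the record contents and the Sealed layout are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is the constructed on-disk layout for one protected file. The nonce
// is stored in the clear next to the ciphertext; it is not secret, but it must
// never repeat under the same key, which is why it is drawn at random each time.
type Sealed struct {
	Label      string // sensitivity label kept readable, e.g. "Confidential"
	Nonce      []byte
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

// NewKey returns a fresh 256-bit key. In a real deployment the key would come
// from a key vault or OS key store, never from a file beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts plaintext with AES-256-GCM. The label is passed as
// additional authenticated data: it stays readable on disk, but changing it
// (for example "Confidential" to "Public") invalidates the authentication tag.
func SealFile(key []byte, label string, plaintext []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return Sealed{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenFile decrypts and verifies a sealed file. Any change to the nonce,
// ciphertext, tag or label makes gcm.Open return an error, so a tampered
// file is rejected instead of being handed back as trustworthy data.
func OpenFile(key []byte, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(s.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed sealed file: bad nonce length")
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Label))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; nothing here comes from a real tenant.
	record := []byte("employee-id=0042; ssn=000-00-0000; grade=L3")
	sealed, err := SealFile(key, "Confidential", record)
	if err != nil {
		panic(err)
	}

	// Normal read back with the right key restores the record.
	plain, err := OpenFile(key, sealed)
	fmt.Println("round trip ok:", err == nil && string(plain) == string(record))

	// A stored file relabeled to weaken its handling rules is rejected.
	relabeled := sealed
	relabeled.Label = "Public"
	_, err = OpenFile(key, relabeled)
	fmt.Println("relabeled file rejected:", err != nil)

	// A single flipped bit in the stored ciphertext is also rejected.
	damaged := sealed
	damaged.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	damaged.Ciphertext[0] ^= 0x01
	_, err = OpenFile(key, damaged)
	fmt.Println("corrupted file rejected:", err != nil)
}
```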

Key business benefits of using cloud computing


Every business must decide how they want to store their data and execute their logic. Depending on your
business requirements, cloud computing may or may not be right for you.
Let's learn about some of the top benefits of cloud computing.

Cloud computing is cost effective


Cloud computing provides a pay-as-you-go pricing model. Rather than paying for hardware up front, or
for a predefined amount of computing resources, you rent hardware and pay for only the resources that
you use.
For example, a medium-sized organization is reaching the performance and storage limits of their old
Microsoft Exchange 2007 and Microsoft SharePoint Server 2007 servers. Instead of incurring significant
costs associated with purchasing new servers and additional hardware for storage—especially when
planning for growth and purchasing larger amounts than the currently required capacity—they could
obtain similar resources based on a cloud computing model. Doing so would enable their business to
gain the benefits of the latest versions of Exchange and SharePoint immediately and without any up-front
costs.

Cloud computing is scalable


Cloud computing supports both vertical and horizontal scaling:
●● Vertical scaling (also known as scale-up) is the process of adding resources to increase the power of
an existing server. Some examples of vertical scaling are adding a faster CPU, adding additional CPUs,
or adding more memory.
●● Horizontal scaling (also known as scale-out) is the process of adding more servers that function
together as one unit. For example, instead of having one server processing incoming requests, you
have two. In the context of cloud computing, scale-out is typically the more desirable scenario.

Cloud computing is elastic


As an organization’s workload changes from a spike or drop in demand, a cloud computing system can
compensate by automatically adding or removing resources.
For example, imagine your website is featured in a news article, which leads to a spike in traffic overnight.
Because the cloud is elastic, it automatically allocates more computing resources to manage the in-
creased traffic. When traffic begins to settle, the cloud notices it has too many resources allocated and
begins to remove them, thereby saving you money.
Another example: if you run an application used by employees, you can have the cloud automatically
add resources for the core hours during which most people access the application, and then remove
the resources at the end of the day.

Cloud computing is always current


When you use the cloud, you’re able to focus on what matters most—running your business. You don't have to divert resources for software patching, system configuration, upgrades, and other IT management tasks; all of this is done automatically for you, to ensure you're using the latest and greatest tools to run your business.
Additionally, the cloud service provider also maintains the computer hardware, and upgrades it as necessary. For example, if a disk stops working or new hardware comes out, the cloud service provider is responsible for replacing the disk or upgrading the hardware. This saves you from having to go through the lengthy process of replacing your hardware and from bearing the cost of having up-to-date hardware all the time.

Cloud computing is reliable


When you're running a business, you want to be confident your data is always going to be there. Cloud
computing providers offer data backup, disaster recovery, and data replication services to make sure your
data is always safe.

Empowering all employees


In the previous topic, you were introduced to several business benefits of using cloud computing. Here,
we explore in more detail one of the ways that cloud computing in general and Microsoft 365 are helping
organizations empower all their employees—from executives, to information workers, to the firstline
workers.
Why is empowering all of your employees so important? As organizations today undergo digital transformations, technology becomes a critical component of how people perform the vast majority of their work. The key is to create a modern workforce by providing employees with the processes and technology tools that enhance their productivity and promote the collaboration that is core to accelerating business.
This includes information workers and firstline workers.
Information workers. This includes those in office roles such as business, sales, accounting, engineering, administration, management, and design. These are the people who gather information and use technology tools to gain visibility into the state of the business, company products, and services. Information is their input, and with the right productivity tools in hand, they develop products, establish schedules, determine costs, and gain insight into the nature of the business.
Firstline workers. These include customer service, support and repair technicians, service professionals,
and more. These are the people who sit on the company’s “first line” and are commonly the first point of
contact for customers. Therefore they play a key role in representing a company’s brand by establishing
the best customer experience. These employees need the right productivity and collaboration tools to
empower them to do their best work. They also need to connect securely through any device wherever
they are, and use the most up-to-date software to keep information protected.
Microsoft 365 blends critical organizational tasks with technology solutions to meet the needs of modern
organizations and all sorts of busy professionals. Microsoft 365 improves enterprise collaboration,
provides a modernized system that is continually updated, and increases productivity for your modern
workforce, no matter where your employees are or what devices they are using.
For more information about solutions that Microsoft offers firstline workers, go to https://aka.ms/AA55eyb.

Microsoft cloud services


Introduction
In the previous lesson, you were introduced to some basic cloud computing concepts. You are now ready
to learn about Microsoft-specific cloud offerings, Microsoft 365 in particular. In this lesson, you will be
introduced to Microsoft Azure and Microsoft 365. You will then compare Microsoft 365 with Office 365 to
better understand when a business would adopt one or the other. You will also review alternative
third-party cloud offerings and see what value Microsoft 365 subscriptions deliver compared to other
subscriptions.
After this lesson, you should be able to:
●● Describe Microsoft Azure.
●● Describe Microsoft 365.
●● List the primary products and services that are included in a Microsoft 365 subscription.
●● Describe the benefits of Microsoft 365 services.

What is Microsoft Azure


Microsoft Azure is a cloud-computing platform used for building, deploying, and managing applications
and services through a global network of Microsoft-managed datacenters. Access to both infrastructure
and services on Azure enables you to quickly deliver new and innovative features to your users. Projects
that once took months can now often be completed in weeks or days.
Azure delivers the power of the cloud; you just need to know how to harness it. In fact, it contains more
than 100 services, including:
●● Azure Active Directory (Azure AD or AAD). Provides identity management and access control capabilities for your cloud applications. It can be synchronized with the on-premises domain controllers. You can also enable Single Sign On (SSO) to simplify user access to cloud applications and to support conditional access.
●● Azure Information Protection. Protects confidential or sensitive information by using encryption,
identity, and authorization policies.
●● Backup. Allows you to back up to and restore from the cloud using familiar tools in Windows Server 2016, Windows Server 2012/Windows Server 2012 R2, or Microsoft System Center 2012 R2/2016 Data Protection Manager.
●● Content Delivery Network. Allows you to deliver high-bandwidth content to users around the world
with low latency and high availability via a robust network of global datacenters.
●● Key Vault. Offers an easy, cost-effective way to safeguard keys and other secrets in the cloud using
hardware security modules (HSMs).
●● Machine Learning. Allows you to easily design, test, operationalize and manage predictive analytics
solutions in the cloud.
●● Media Services. Offers cloud-based media solutions from several existing technologies, including
ingest, encoding, format conversion, content protection, and both on-demand and live-streaming
capabilities.

●● Mobile Services. Provides a scalable cloud backend for building Microsoft Store, Windows Phone,
Apple iOS, Android, and HTML/JavaScript applications. It can be used to store data in the cloud,
authenticate users, or send push notifications to your application within minutes.
●● Multi-Factor Authentication. By having more than one method of authentication, you can help
prevent unauthorized access to both on-premises and cloud applications.
●● Stream Analytics. Provides an event-processing engine that helps uncover insights from devices,
sensors, cloud infrastructure, and existing data properties in real time.
●● Virtual Machines. Enables you to deploy a Windows Server or Linux image in the cloud.
●● Virtual Network. Enables you to create virtual private networks within Azure, and then securely link
those networks with an on-premises network.
For more information about all the products Azure has to offer, see Azure Services [1].

What is Microsoft 365


When you purchase Microsoft 365 Enterprise you get the following products and services:

●● Office 365 Enterprise. Includes Office 365 ProPlus, the latest Office apps for your PC and Mac (like Word, Excel, PowerPoint, and Outlook), and a full suite of online services for email, file storage and collaboration, meetings, and more.
●● Windows 10 Enterprise. The most productive and secure version of Windows with comprehensive deployment, device, and app management.
●● Enterprise Mobility + Security (EMS). Designed to help manage and protect users, devices, apps, and data in a mobile-first, cloud-first world. Includes Microsoft Intune, Azure AD Premium, and Azure Rights Management.
Some Microsoft 365 components, like Office 365 and Intune, are delivered using the Software as a
Service (SaaS) model. SaaS is software that’s centrally hosted and managed by a cloud service provider
(CSP) for customers. In general, CSPs provide one version of an app for all customers and license it
through a monthly or annual subscription.

Key differences between Microsoft 365 and Office 365


You likely already know all about Office 365 and how it bundles key Microsoft productivity tools into a SaaS model. By bundling these tools, Office 365 helps employees be productive from wherever they work and helps ensure that they have the latest versions of their familiar Office tools. However, Microsoft 365 as a concept and a service might not be so familiar.
As previously discussed, Microsoft 365 includes Office 365. However, it also includes Windows 10 Enterprise and a complete set of security and compliance features provided as services. By bringing together Office 365, Windows as a service, and Enterprise Mobility + Security, Microsoft 365 addresses the needs of many organizations who want to maximize their adoption of the cloud for productivity, but also for enterprise-grade security and desktop operating system management.

[1] https://azure.microsoft.com/en-in/services/

Benefits of Microsoft 365 services


By connecting Office 365, Windows 10 Enterprise, and Enterprise Mobility + Security into a single subscription model, Microsoft 365 helps drive digital transformation in four key areas:

Unlocks creativity
Microsoft 365 provides powerful capabilities through AI-powered tools to unleash your organization's
creativity and fuel innovation. From engaging presentations to animated 3D models and immersive mixed
reality experiences, you can now create high-quality content that really stands out. AI-powered tools help
you turn an ever-growing mass of data into actionable insights to transform your organization. Stay
focused with fewer distractions and easily access the people and information you need without leaving
the flow of your work. When inspiration strikes, effortlessly go from thought to content using voice,
touch, and pen on any device.

Built for teamwork


Microsoft 365 enables teamwork and collaboration through intuitive tools that increase service scalability
and allow you to work together in real time. Microsoft Teams is the hub for teamwork, where you can
chat, hold meetings and share files and apps. Outlook, available for iOS and Android, brings email,
calendar, contacts, and documents securely together, so you can share files, coordinate schedules, and
book meetings wherever you go. Use SharePoint Online to share resources, news, and apps across the
organization with dynamic sites and portals. Build communities, conduct live and on-demand events,
share knowledge and best practices, and crowdsource ideas with Yammer. Use OneDrive for Business to
share your files securely, view version history, and track changes in apps like Word and PowerPoint to
more effectively co-create content.

Integrated for simplicity


Microsoft 365 helps you reduce IT complexity, increase agility, and lower costs by making technology easier to adopt and manage. Microsoft 365 enables you to centrally provision, deploy, and manage all your devices, from mobile to PCs, across all platforms. Organizations can take advantage of advances in cloud security to strengthen their security posture, and they can administer apps, services, data, devices, and users, all from a unified, web-based admin center. Microsoft 365 enables organizations to easily assess their compliance risk, govern and protect their data, and efficiently respond to regulatory requirements from a central console. With a subscription-based service such as Microsoft 365, an organization's licensing costs are predictable and known because they're simply the number of users multiplied by the Microsoft 365 license cost. The maintenance and energy costs associated with an organization's on-premises infrastructure are also decreased because with Microsoft 365, Microsoft now owns that part of the service.

Intelligent security
Microsoft 365 delivers holistic security across users, devices, apps, and data. Help stop attacks with
integrated and automated security. Protect against credential and device compromise with conditional
access. Locate, classify, and protect information anywhere it lives.

Alternative cloud solutions


In addition to Microsoft, Amazon and Google also offer cloud services, respectively known as Amazon
Web Services (AWS) and Google Cloud.

What AWS and Google Cloud have in common with Microsoft cloud services


Similar to Azure, AWS and Google Cloud offer scalable computing on demand for cloud-based compute power. The differences are in the pricing models and exactly what services are supported. A popular function of a cloud service is data storage. Both AWS and Google Cloud offer a variety of plans to accommodate hot storage of data (data that needs to be frequently accessed with minimal lag) and cold (or archival) storage of data (such as BLOBs), which lowers costs by reducing the access speed to your archival material.
Each cloud service provider also includes analytics tools, but the particular types of supported technologies and programming models vary. Similarly, the development tools used to build, deploy, and manage apps and services in each provider’s cloud environment differ between providers.
Finally, all cloud providers offer some aspect of networking and content delivery, management tools to maintain accounts, and security features to protect customer data. However, as with the other aspects of a cloud solution, the types of tools, the level of control they offer, and their relative ease of use vary significantly between providers.

Choosing the best fit for your business


Every business is different; there is no single cloud environment that is the best choice for all. When determining which cloud service provider to use, each organization should review the following questions:
●● What development and management tools and operating systems are we using, and which do we
want to continue to leverage?
●● What productivity solutions are employees using, and do we stay with the same technologies, or
require a new learning curve to adopt different tools?
●● What’s the scale of our on-premises infrastructure, and what’s the strategy to use it in conjunction
with the cloud? Will we migrate everything to the cloud? Or are there on-premises-based systems
such as line-of-business environments that need to stay on-premises but also extend to the cloud?
●● How important is compliance and privacy to our cloud-based operations? What tools and offerings
does a cloud service provider offer, and for what regions, countries, and regulatory agencies?
●● How widespread is our workforce? Which cloud environment offers the largest number of regional
datacenters to maximize cloud computing performance to our firstline employees?
Every cloud computing solution has its own strengths. Organizations should carefully review what is most
important to their cloud strategy and investigate each service provider to determine the best fit.
The Microsoft cloud offering can be an excellent solution for companies with any of the following requirements:
●● Extract more value from existing investment in Microsoft technologies. If you have already invested in Microsoft technologies, you can easily extend their capabilities and provide a consistent experience across your entire technology stack. You can establish a hybrid coexistence that natively integrates your on-premises Microsoft-based infrastructure with the cloud. This includes native integration with Active Directory, and building and deploying apps for both cloud and on-premises environments.
●● Work with end-to-end development and management tools. Azure offers unparalleled manageability with all-in-one dashboards to monitor, manage, and protect your cloud resources. Microsoft also caters to all types of developers by supporting the most popular development environments. In fact, Microsoft is the only cloud service provider with integrated support for Red Hat, and also had the most contributions to GitHub in 2017.
●● Access a comprehensive set of compliance offerings. For organizations that are concerned about compliance and security in the cloud, Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-US Privacy Shield and EU Model Clauses.
●● Increase productivity and security while reducing IT overhead. For smaller companies who want the benefit of always having the latest and greatest version of Microsoft productivity tools without needing an IT department to manage updates, Microsoft 365 combines familiar productivity tools with enhanced security and management features to enable a modern workforce from the cloud.
●● Leverage a global footprint. For global enterprises that need to ensure their cloud services provider can deliver the scale and performance to regional locations, Microsoft has 54 regions spanning 140 countries, the most global regions of any cloud provider, to help bring applications closer to users around the world.


For more information, go to the following resources:
●● Establishing a hybrid coexistence that natively integrates your on-premises Microsoft-based infrastructure with the cloud: https://azure.microsoft.com/en-in/solutions/hybrid-cloud-app/
●● Microsoft compliance with EU-US Privacy Shield: https://privacy.microsoft.com/Privacy
●● Microsoft compliance with EU Model Clauses: https://www.microsoft.com/trustcenter/Compliance/EU-Model-Clauses
●● Microsoft Azure world-wide regions: https://azure.microsoft.com/en-in/global-infrastructure/

Migrating to cloud services


Introduction
When you move to the cloud, you need to decide which service model you want to implement (SaaS,
PaaS, or IaaS). You will also need to determine which type of implementation you want to use: purely
cloud-based, or working in tandem with some on-premises systems. In this lesson, we’ll discuss how
companies can work purely in the cloud, or connect existing on-premises systems to the cloud to extend
the value of their legacy infrastructure.
You will see how these two different service models require different approaches to migration, and then
you’ll review a few scenarios that demonstrate when a business might opt for one type of migration over
the other. Finally, we’ll review some considerations for how an organization approaches migrating
systems with older versions of Windows, Windows Server, and Office to Microsoft 365.
After this lesson, you should be able to:
●● Describe what a cloud-only model is, and provide some scenarios for when this type of migration is
best for an organization.
●● Describe what a hybrid model is, and provide some scenarios for when this type of migration is best
for an organization.
●● Recommend when it might be preferable for an organization to move systems with older operating
systems and Microsoft Office directly to Microsoft 365 instead of upgrading to on-premises-based
solutions.

The cloud-only model


The cloud-only model describes a situation where the service (or services) model you want to use (SaaS, PaaS, or IaaS) is strictly run in the cloud; there isn’t any connection to existing on-premises-based systems. One of the advantages of using the cloud-only model is that an organization doesn’t have to concern itself with the infrastructure that the services run on; all the backend functionality is invisible (a black box) to the users.
For smaller companies such as startups or non-profits that don’t have the in-house resources and capital
outlay to purchase and maintain their own infrastructure, the cloud-only model can be a good choice.
Note, however, that a cloud-only model will limit the amount of customization that’s available, as users
have no access to the cloud-based servers.

The hybrid cloud model


What if your company is large, and has invested heavily in on-premises hardware, line-of-business
systems, custom apps, and so on? Does all of this have to be abandoned to gain the benefits that cloud
computing offers? Certainly not.
A hybrid cloud migration is a solution that fits most larger organizations, because it allows you to keep critical resources on-premises. Many enterprises embrace this model because it connects on-premises systems to the cloud, effectively making the new cloud services an extension of the company’s on-premises infrastructure. By doing so, the enterprise can continue to extract value from its legacy systems while using the cloud to extend capabilities or features (such as mobility and productivity) that might not have been available in the standalone on-premises systems.
A common hybrid scenario involves Microsoft Exchange. A hybrid Exchange deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft Office 365. Exchange provides hybrid capabilities for migrating user mailboxes and information to Microsoft 365 and provides tools for coexistence. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.

Which cloud model should business environments choose


When companies consider cloud solutions, they usually focus on three categories:
●● Cost
●● Security/reliability and compliance
●● Functionality
However, these three categories are not of equal importance for all companies. While some smaller companies might favor lower cost and functionality, some larger, more complex environments might have security and compliance as their top priority.
In terms of an organization’s operational activities, timing can also be a key factor. Consider the following
circumstances:
●● Recent investment in hardware. A medium-sized company made a significant investment in new hardware for their on-premises datacenter one year ago. Given this recent expense, they most likely would not be interested in any major shift to the cloud for at least a year or two. Companies in a similar situation will likely opt for a limited hybrid cloud model that focuses on providing functionalities they lack in their local datacenter.
●● Outdated hardware and systems. In contrast to the previous example, a company that is considering a local datacenter renewal versus cloud solutions as a replacement can have a very different perspective. If they have old hardware and unsupported versions of software running in their datacenter, they will be more likely to consider moving to the cloud. Moreover, if security and compliance requirements are fulfilled by the cloud offering they are considering, the relative cost and the type of cost model (OpEx vs. CapEx) will probably be the deciding factors.
●● Limited in-house IT resources. A significant factor when considering transitioning to cloud-based solutions is the size and skillset of the organization’s IT department. A company that has very limited local IT resources will most likely adopt cloud services faster. Some companies with larger IT organizations might consider the cloud as a way to reduce the number of their local IT personnel. Although a personnel reduction mindset might not be the best reason to move to the cloud, freeing those IT resources from having to perform datacenter maintenance tasks can enable them to focus on more strategic functions—which in turn adds value to the business.
●● Limited budget. Cloud-only companies are still rare. Those who can most readily transition to the cloud are typically smaller companies, startups, and nonprofits without any funds available to invest in hardware beyond employee laptops or desktops. However, this same financial constraint can give these companies an advantage for the future: if they succeed in their business, most will probably stay with a cloud-only model and can therefore avoid any CapEx for their IT on an ongoing basis.

Migration versus coexistence


Once you have chosen the right deployment model for your organization, it is time to start planning your migration. The two deployment models require different approaches: migration for cloud-only deployments and coexistence for hybrid deployments.
●● Migration is moving everything from an old system to a new system, with the intent of eventually removing the old system. In the context of your cloud deployment, you move your data and applications from local resources up into the cloud, to infrastructure provided by your CSP. For example, if you have a free, web-based mail service and decide to move to the more secure email system in Microsoft 365, you’ll need to migrate all users’ email accounts from the free online service to Exchange Online in Microsoft 365. After that migration, users access their old email and inboxes through Outlook, and the data is stored in Exchange Online; there's nothing left in the old system to use.
●● Coexistence means two different systems, one on-premises and one in the cloud, connect and work together at the same time (or coexist) as a single service (such as email). For example, in contrast to the example above, you've chosen to go with a hybrid environment where your Microsoft 365 subscription extends your existing Microsoft Exchange servers. You'll link the on-premises Windows Server Active Directory and Exchange Server to their online Azure Active Directory and Exchange Online counterparts.

Migration considerations
When you're planning your migration, the following considerations can guide your plans.

●● Office 2013 or older to Office 365 ProPlus. Reasons to upgrade to Microsoft 365 licenses:
- After Oct 2020, accessing Office 365 services (like Exchange Online, SharePoint) won't be supported if you're using Office 2013.
- Office 2010 is only supported until 2020 and Office 2007 isn’t supported at all.
●● Office Server versions to equivalent Office 365 services. Reasons to upgrade to Office 365 services:
- Office Server 2013 and Office Server 2016 products (like Exchange Server and SharePoint Server) don’t take advantage of the cloud-based services and enhancements.
- Some Office Server 2010 products have a specified end-of-support date.
- Office Server 2007 products are no longer supported. To help with migration from this version, hire a Microsoft partner. You can then roll out the new functionality and work processes to your users and decommission the on-premises servers running Office 2007 server products when you no longer need them.
●● Windows 7 and Windows 8.1 on your devices to Windows 10 Enterprise. Perform an in-place upgrade to Windows 10 Enterprise.

These migrations bring your organization closer to the modern workplace: a secure and integrated
environment that unlocks teamwork and creativity in your organization through Microsoft 365.

Migration principles to Microsoft 365 services


In the previous topic, we reviewed how companies have the option to work solely in the cloud, or to connect existing on-premises systems to the cloud to extend the value of their legacy infrastructure. These two different deployment models require different approaches to migration.
For example, if a smaller company has been using a free, web-based mail service and decides to change to the more productive and secure email that Microsoft 365 provides, implementation would entail migrating all the users’ email accounts from the free online service to Exchange Online in Microsoft 365. Once that migration is complete, users access their old email and inboxes through Outlook, and the data is stored in Exchange Online; there is nothing left in the old system to use. We use the term migration in this context to emphasize how everything is moved (or migrated) from the old to the new with the intent of deprecating the old system once the migration is complete.
If, however, a company wants to establish a hybrid environment where their new Microsoft 365 subscription will extend their existing Exchange servers, then a coexistence is established, linking the on-premises Active Directory and Exchange Server to their online Azure Active Directory and Exchange Online counterparts. We use the term coexistence in this situation to emphasize how two different systems—one on-premises, and the other in the cloud—connect and work together in an ongoing fashion as a single service (such as email).

Migration considerations
It is common in both large and small organizations to still be running some older versions of server and computer operating systems, and Microsoft Office programs. To maximize the business value of the Microsoft 365 integrated suite of products, begin planning and implementing a strategy to migrate:
●● The Office client installed on your computers to Office 365 ProPlus:
    ●● Office 2013 and 2016 are the currently supported versions, but will require ongoing updates that might not scale well with your organization. Instead of maintaining and updating computers with these standalone products, consider updating and assigning Microsoft 365 licenses.
    ●● Office 2010 will no longer be supported in 2020. Instead of upgrading to Office 2013 or 2016, which require manual updates, consider providing Microsoft 365 licenses for these users.
    ●● Office 2007 is no longer supported. Rather than upgrading your computers running Office 2007 with Office 2010, Office 2013, or Office 2016, consider obtaining and assigning Microsoft 365 licenses for your users.
●● Office servers installed on your servers to their equivalent services in Office 365:
    ●● Office Server 2013 and Office Server 2016 products such as Exchange Server and SharePoint Server are supported, but to take advantage of the cloud-based service and enhancements to digitally transform your business, consider migrating the data on your Office 2016 servers to Office 365. When there is no longer a need for the on-premises servers running Office 2016 server products, you can decommission them.
    ●● Some Office Server 2010 products have a specified end-of-support date. Rather than upgrading your server products in the Office 2013 release with server products in the Office 2016 release, consider migrating their data to Office 365, rolling out the new functionality and work processes to your users, and decommissioning your on-premises servers running Exchange Server 2013 and SharePoint Server 2013 when you no longer need them.
    ●● Office Server 2007 products are no longer supported. Instead of upgrading your server products in the Office 2007 release with server products in the Office 2010, Office 2013, or Office 2016 releases, consider migrating the data on your Office 2007 servers to Office 365. To help with this, hire a Microsoft partner. You can then roll out the new functionality and work processes to your users, and then decommission the on-premises servers running Office 2007 server products when you no longer need them.
●● Windows 7 and Windows 8.1 on your devices to Windows 10 Enterprise:
    ●● To migrate your devices running Windows 7 or Windows 8.1, you can perform an in-place upgrade to Windows 10. Upgrading all devices throughout an organization to the same operating system is proven to reduce support costs.
Accomplishing all of these migrations over time brings your organization closer to the modern workplace: a secure and integrated environment that unlocks teamwork and creativity in your organization through Microsoft 365.
For more information about migrating to Microsoft 365, go to https://aka.ms/AA4qeby.

Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Your company is running Microsoft Exchange Server 2007 and your employees use Microsoft Office
2007. You need to update your systems, but you want to minimize your CapEx impact. Which of the
following is the best solution?
(A) Purchase Exchange Server 2016 and Office 2016.
(B) Purchase Exchange Server 2010 and Office 2010.
(C) Subscribe to Microsoft 365.
2. You want a cloud subscription model that is the least expensive way to access services that are strictly
hosted by a cloud service provider. Which cloud model describes this?
(A) Public cloud
(B) Private cloud
(C) Hybrid cloud
(D) Cumulonimbus cloud
3. Which of the following best describes the benefits of cloud computing?
(A) Cloud computing is cost effective, elastic and on-premises.
(B) Cloud computing is scalable, inelastic but always current.
(C) Cloud computing is scalable, elastic and reliable.
(D) Cloud computing is cost effective but unreliable.
4. You want to leverage the cloud to host virtual machines (VMs). Which type of cloud service is this?
(A) Infrastructure as a Service (IaaS)
(B) Platform as a Service (PaaS)
(C) Software as a Service (SaaS)
5. Which type of cloud service provides an environment for buying, building, testing, deploying, and
running software applications?
(A) Infrastructure as a Service (IaaS)
(B) Platform as a Service (PaaS)
(C) Software as a Service (SaaS)
6. Which of the following regulations apply to cloud computing? (Select three)
(A) Endangered Species Act
(B) Health Insurance Portability and Accountability Act (HIPAA)
(C) Sarbanes–Oxley Act
(D) Gramm–Leach–Bliley Act (GLBA)
(E) Cloud Compliance Act
7. Which of the following are components that are included with Microsoft 365? (Select three)
(A) Office 365 Enterprise
(B) Office 2016
(C) Windows 10 Pro
(D) Windows 10 Enterprise
(E) Enterprise Mobility + Security
Answers: 1. (C) 2. (A) 3. (C) 4. (A) 5. (B) 6. (B, C, D) 7. (A, D, E)
Lab - Cloud Fundamentals


Lab Introduction
This lab consists of a set of scenarios. Using the knowledge you've gained in Module 1, review each scenario to identify the customer's requirements, and select which combination of cloud service (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)), type of cloud (public, private, or hybrid), and migration model (cloud-only or coexistence) best fits their needs.

Scenario 1
Company profile: Northwind Traders
Northwind Traders is a three-generation, family-owned import/export company.

Challenge
The company’s growth over the past several years and their employee demands for better collaboration
tools to connect remote offices around the Pacific Rim are outpacing the company’s small IT team.
The IT lead is spending all her time trying to keep their outdated business systems running. She wants to
be able to upgrade the company’s old Microsoft SharePoint Server 2007, which has run out of space.
However, the IT budget is tight, and there would need to be a large up-front investment in new servers,
server licenses, storage, and more. Employee machines are running a mix of Windows 7, 8, and 10 operating systems, and old versions of Microsoft Office—all with no centralized management of updates.
Furthermore, the proliferation of mobile devices that are frequently connecting to the company's network is making her concerned about the potential of an unhealthy device infecting their corporate systems.
Moreover, they've been using a free web-based email system that isn't delivering the business-class services they need. They want to move completely away from this insecure mail and adopt a business-class mail system without having to pay huge up-front licensing and hardware costs.

What’s your recommendation?


How can Microsoft 365 address this company’s needs?

Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
†† SaaS
Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
†† Hybrid

Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
†† Co-existence

Scenario 2
Company profile: Contoso, Ltd.
Contoso is a large manufacturing corporation with almost 60,000 employees throughout North America.

Challenge
Like many large enterprises, Contoso has developed customized on-premises-based line-of-business apps for many critical processes. These apps help them with their manufacturing processes, both upstream from materials suppliers, and downstream to order processing and customer billing.
Many of these systems are old and inflexible, and the IT organization within Contoso is looking for a way to use the cloud to extend these apps' capabilities, empowering remote workers, suppliers, and customers to more easily identify requirements, confirm production, and fill orders.

What’s your recommendation?


How can Microsoft 365 address this company’s needs?

Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
†† SaaS

Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
†† Hybrid
Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
†† Co-existence

Scenario 3
Company profile: First Up Consultants
First Up Consultants is a medium-sized consulting firm that builds customized applications for medical
businesses.

Challenge
First Up Consultants wants to be able to rapidly spin up virtual machines (VMs) to test new versions of
their software products. This historically has resulted in major CapEx costs associated with new high-end
servers and storage hardware, along with a significant amount of administrative overhead to plan for and
implement all the hardware updates in the company’s datacenter.
The biggest problem has always been one of accurate forecasting, because they either purchase too
much capacity that goes unused—wasting CapEx resources, or they run out of capacity too soon. They
want to significantly reduce their CapEx, in addition to reducing the administrative overhead associated
with each new wave of hardware. The solution First Up Consultants selects must support any type of
environment customization to suit their development needs—and enable them to reduce charges
whenever a system isn’t needed.

What’s your recommendation?


How can Microsoft 365 address this company’s needs? What type of cloud service (IaaS, PaaS, or SaaS),
cloud (public, private, or hybrid), and migration (cloud-only or coexistence) would you recommend, and
why?

Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
†† SaaS

Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
†† Hybrid
Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
†† Co-existence
Answers
Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
†† PaaS
■■ SaaS
Explanation
SaaS. The company can subscribe to Microsoft 365 to give every employee access to the latest version of
Office productivity tools—including Microsoft Teams, and Skype for Business. These tools, along with
Microsoft SharePoint Online, will significantly improve how the remote offices collaborate with each other.
Office and Windows management will be streamlined by upgrading everyone to the latest versions, and
then utilizing Microsoft 365’s management tools to manage all devices—including mobile devices.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
†† Private
†† Hybrid
Explanation
Public cloud. Pricing is paramount, so the Operating Expenditures (OpEx)–oriented public cloud is optimal
for this company.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
†† Co-existence
Explanation
Cloud-only migration model. Because the current mail is a free, web-based service that they'll gladly move off in favor of Microsoft Exchange Online, there is no need for coexistence with it. Similarly, moving their
files from their outdated SharePoint Server 2007 to the cloud will enable them to decommission their old
machines.
Dropdown
What type of cloud service do you recommend? (Choose one)
†† IaaS
■■ PaaS
†† SaaS
Explanation
PaaS. Because PaaS supports building, testing, and deploying software applications that will connect to their
legacy line-of-business systems, this would be the best choice. Different apps can be purpose-built for the
various roles (such as sales, suppliers, and fulfilment), with each app providing the appropriate access into
the line-of-business systems, securely, and from any mobile device.
Dropdown
What type of cloud do you recommend? (Choose one)
†† Public
†† Private
■■ Hybrid
Explanation
Hybrid cloud. This type of cloud is preferred for Contoso, as it enables the new web apps in the cloud to
connect to their on-premises line-of-business systems.
Dropdown
What type of migration model do you recommend? (Choose one)
†† Cloud-only
■■ Co-existence
Explanation
Coexistence migration model. Although coexistence is more complicated to establish, this type of model is
critical for Contoso because it maintains their investment in their existing line-of-business systems, and uses
their new cloud environment as an extension to their on-premises infrastructure.
Dropdown
What type of cloud service do you recommend? (Choose one)
■■ IaaS
†† PaaS
†† SaaS
Explanation
IaaS. This model is perfect for First Up Consultants, because it allows them to host all the VMs that they
need to test with. IaaS gives them control over the hardware that runs their applications, so they can utilize
them only when they’re needed. When they don’t need to run the VMs, they can place them in cheaper
cloud-based storage to reduce compute fees.
Dropdown
What type of cloud do you recommend? (Choose one)
■■ Public
†† Private
†† Hybrid
Explanation
Public cloud. Because First Up Consultants wants to significantly reduce their hardware costs and minimize
the amount of time their administrators spend configuring new hardware, a public cloud gives them a
platform for their VMs while relieving them of the associated hardware and administrative costs.
Dropdown
What type of migration model do you recommend? (Choose one)
■■ Cloud-only
†† Co-existence
Explanation
Cloud-only migration model. First Up Consultants could migrate any existing on-premises VMs and other
systems to the cloud, then deprecate those machines to free up space and reduce their operational costs.
Module 2 Microsoft 365 Services

Microsoft 365 core services


Introduction
Microsoft 365 provides a number of core services, which this lesson introduces and describes.
After this lesson, you should be able to:
●● Identify the important features of Windows 10 Enterprise.
●● Describe Microsoft Exchange Online.
●● Describe Microsoft SharePoint Online.
●● Describe Microsoft Teams.
●● Identify the additional services in Microsoft 365.
●● Describe Microsoft Intune.
●● Describe Microsoft Office 365 ProPlus.
●● Compare on-premises services with Microsoft 365 cloud services.

Windows 10 Enterprise
Windows 10 Enterprise is one of the central pillars of your Microsoft 365 subscription. Windows 10 meets the needs of large and midsize organizations, providing IT professionals with intelligent security, simplified updates, flexible management, and enhanced productivity tools.
Learn what Windows 10 Enterprise has to offer:

Intelligent security
Windows 10 protects, detects, and automatically responds to the most advanced malware and hacking
threats, while protecting user identities, devices, and your organization's information. Windows 10
investigates threats as they evolve and automates remediation to make response times faster, thanks to
the Intelligent Security Graph (which uses security intelligence, machine learning, and behavioral analytics). These security solutions are built in and provide you with full security lifecycle management for endpoint protection (EPP) and endpoint detection and response (EDR). Windows 10 also integrates with Microsoft 365 systems, which covers even the most complex multi-platform environments.

Flexible management
Deploy, manage, and update devices anywhere your employees need to work. Windows 10 includes tools
to help you customize device setup, use unified endpoint management, and control corporate identities,
data, and apps on personal devices without impacting personal data. Windows 10 supports the transition
to cloud-based device management with the ability to co-manage devices in Intune and Config Manager,
using both Active Directory and Azure Active Directory together. In addition, Windows Virtual Desktop
enables users to run incompatible applications on a Windows 10 device.

Simplified updates
Maximize security and productivity by staying current with Windows 10. The way we update Windows has changed, moving away from major upgrades every few years to feature updates twice per year. Windows 10 provides modern tools and insights needed to support the semi-annual release cadence, with application compatibility you can trust. 99% of applications that run on Windows 7 will run on Windows 10. You can plan OS upgrades with confidence using telemetry-based analytics from Windows Analytics. Windows 10 provides the flexibility and control to manage and distribute updates using your current method or by leveraging Microsoft's infrastructure. With every release, Windows updates become smaller and easier to distribute so that they're less disruptive to your organization.

Work smarter
Windows 10 helps improve productivity by providing faster, safer ways to get work done, across all your
users' devices. Users can find apps, settings, documents, and messages by using enterprise search and
Cortana, and use Timeline to see a chronological view of their activities and documents. Windows 10 also supports collaboration through Office 365 apps, Microsoft Whiteboard, and OneNote.

Empower workstyles
With Windows 10 your users can work from the devices and places and ways that work best for them.
Windows 10 has hardware options ranging from the Surface Hub to the new always-connected PCs, to
support users wherever they need or prefer to work. Users can move from one device to another with
Continue on PC in Microsoft Edge or take notes directly on a web page with Microsoft Ink. Windows 10
also comes with a robust set of accessibility features, such as narrator, word prediction, and eye control.

Exchange Online
Exchange Online is a messaging and collaboration platform for your email, calendar, contact info, and tasks. You can access all of this with Microsoft Outlook, Outlook Web Access, or Outlook Mobile. Exchange Online works from most mobile devices, including Android, iOS, and Windows 10 devices.
Some features of Exchange Online include:
●● Mailboxes and online archives. Individual users have their own mailboxes that they can use to store
mail messages. In addition to the main mailbox, some Office 365 plans include an online archive that
provides additional storage.
●● Calendaring. Each user has a calendar that they can use to track their upcoming events. Users can use
calendars when booking meetings to verify availability. Where appropriate, users can delegate access
to their calendars to other users such as administrative assistants and teammates.
●● View and edit attachments online. When users receive attachments, they can view and edit them
online in Outlook on the web. They do not require a locally installed version of Office.
●● Shared mailboxes and resources. You can use shared mailboxes for groups of users that need to share information in a central mailbox. You can configure resources for meeting rooms and equipment to facilitate booking.
●● Public folders. Earlier versions of Microsoft Exchange Server relied on public folders for collaboration. This feature is still available in Exchange Online if required.
●● Message policy and compliance. There are several message policy and compliance features in Exchange Online. These include retention policies, message encryption, eDiscovery, data loss prevention, and journaling.
●● Antispam and anti-malware. All Exchange Online subscriptions include Exchange Online Protection,
which provides configurable antispam and anti-malware scanning.
●● Configurable mail flow. To support specialized mail flow scenarios, you can create send and receive
connectors with varying settings. For example, you can create connectors that require additional
security settings with a business partner.
●● Mobile and multiplatform access. Users can access mailboxes and calendars from Outlook on either
Windows or Mac clients by using Messaging Application Programming Interface (MAPI) over HTTPS,
or by using Exchange Web Services. Outlook on the web supports accessing mailboxes and calendars
from almost any platform. Mobile devices can access mailboxes and calendars by using Microsoft
Exchange ActiveSync.
●● Hybrid deployment. You can integrate Microsoft 365, or more specifically, Exchange Online, with an on-premises Exchange Server organization by implementing a hybrid deployment. In a hybrid deployment, Exchange Online and the on-premises Exchange organization can share a single namespace for messaging. A hybrid deployment also supports calendar sharing and mailbox moves between Exchange Online and an on-premises Exchange server. In a hybrid deployment, you need to determine where to manage different deployment features. For example, configuring multi-factor authentication for cloud services and setting the frequency of Office 365 updates can only be performed in Microsoft 365, but you can configure email disclaimers and compliance in both Microsoft 365 and on-premises Exchange Server.
●● Migration tools. Exchange Online includes tools to migrate from other on-premises Exchange Server
servers to Exchange Online. There is also a tool to migrate from any Internet Message Access Protocol
(IMAP) messaging service to Exchange Online.
For details about particular Exchange Online features included in specific subscription plans, see the
following Microsoft website: https://aka.ms/AA55eyh.

SharePoint Online
SharePoint Online is the cloud evolution of Microsoft SharePoint Server. It's a cloud service that enables you to store, organize, and add third-party apps, access information from almost any device, and allow sharing with external people by default, all by using a web browser. It helps you create team or communication-focused sites for efficient collaboration and communication. Internal users with an appropriate Microsoft 365 or SharePoint Online license can use SharePoint Online. They can share files or folders with others inside or outside the organization. Sharing outside the organization can be controlled by site administrators.
With SharePoint Online, users can:
●● Build sites and pages, document libraries, and lists.
●● Add web parts to customize their pages.
●● Share important visuals, news, and updates with a team or more broadly.
●● Search and discover sites, files, people, and news from across their organization.
●● Manage their business processes with flows, forms, and lists.
●● Co-author documents with other users.
●● Sync and store their files in the cloud so anyone can securely work with them.
●● Catch up on news on-the-go with the SharePoint mobile app.

Microsoft Teams

Microsoft Teams provides a central hub for collaboration within your organization and allows you to
implement a chat-based workspace that enables members of your organization to have conversations
and create work plans. Keep your team in sync by sharing documents, insights, and status updates while
being able to manage important projects and easily locate people. Teams is also available as a mobile
app, which lets you stay up-to-date both in the office and on the go.
With Microsoft Teams, you can:
●● Communicate through chat, meetings, and calls. You can host audio, video, and web conferences,
and chat with anyone inside or outside your organization. Teams also enables company employees
and users from outside the company to collaborate on a project in real-time by using a whiteboard.
●● Collaborate together with integrated Office 365 apps. Teams makes teamwork easy. Users can
coauthor and share files with popular Office 365 apps such as Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft OneNote, SharePoint, and Microsoft Power BI.
●● Customize your workplace and achieve more. Using Teams, you can integrate apps from Microsoft
and third-party partner services to tailor your process, increasing teamwork and productivity.
●● Make calls in Office 365 and Teams. When paired with Office 365 Phone System, Office 365 Calling
Plan, and/or Phone System Direct Routing, Office 365 provides a full business calling experience in
Teams on a global scale.
●● Connect across devices. Teams and Teams devices work better together for intelligent meeting and
calling experiences. Find the right devices for your needs and bring your best ideas to life.

Microsoft Intune
Intune is a cloud service that helps you manage computers, laptops, tablets, and other mobile devices. This includes iOS, Android, and Mac OS X devices. It uses Azure Active Directory (Azure AD) as a directory store for identity, and it can integrate with local management infrastructures such as Microsoft System Center Configuration Manager (SCCM). Intune is especially useful for devices that are beyond the management scope of Group Policy, such as mobile phones, devices that are not AD DS domain members, or Windows 10 devices that are joined to Azure AD. Intune can prevent users from copying company data from managed applications installed on unmanaged devices.
By using Intune, you can:
●● Let your organization's employees use their personal devices to access organizational data (commonly known as "Bring Your Own Device (BYOD)").
●● Manage organization-owned phones.
●● Control access to Microsoft Office 365 from unmanaged devices, such as public kiosks and mobile
devices.
●● Help to ensure that devices and apps that do connect to corporate data are compliant with security
policies.
●● Deploy app protection policies, which enable you to standardize corporate device deployments by
setting corporate configuration standards.
Intune is a component of Enterprise Mobility + Security (EMS). Intune integrates with Azure AD and
device OS features to provide a device management solution. For example, when a user attempts to
access Office 365 data through a line of business app (LOB app) on their phone, Office 365 checks with
Azure AD to authenticate the user and verify whether that user can access the data from that app on that
device. The results depend on:
●● Conditional access policies defined within Azure AD.
●● Whether Intune tells Azure AD that the device is compliant with device configuration and data
protection policies.
●● Whether the app on that device complies with app configuration and data protection policies.
If the device and app are both compliant with all policies, Azure AD notifies Office 365 that the data can
be accessed.
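The access decision just described, modelled as an added Python example (not Microsoft's code, and not the real Azure AD policy schema): the policy fields, the compliance signal names, and the `evaluate_access` function are assumptions made here, and the tenant data is constructed. It also shows the fail-closed case the text implies: a device or app that Intune has never reported on is treated as non-compliant and blocked rather than silently allowed.

```python
"""Simplified model of the Office 365 -> Azure AD -> Intune access check.

Added illustration only. Policy shape, signal names and evaluate_access()
are assumptions, not Microsoft's implementation. Sample data is constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List


class Compliance(Enum):
    """State as reported by Intune (device) or an app protection policy (app)."""
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"
    UNKNOWN = "unknown"  # never reported, e.g. an unmanaged device or unknown app


@dataclass(frozen=True)
class ConditionalAccessPolicy:
    """A conditional access rule defined in Azure AD (modelled, not the real schema)."""
    name: str
    applies_to_cloud_apps: FrozenSet[str]  # Office 365 services covered; "*" = all
    require_compliant_device: bool = False
    require_approved_app: bool = False
    require_mfa: bool = False


@dataclass(frozen=True)
class AccessRequest:
    """What a LOB app on a phone presents when it asks Azure AD for Office 365 data."""
    user: str
    client_app: str   # the app on the device, checked against app protection state
    cloud_app: str    # the Office 365 service being accessed, e.g. exchange-online
    device_id: str
    mfa_completed: bool = False


@dataclass
class Decision:
    granted: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_access(
    request: AccessRequest,
    policies: List[ConditionalAccessPolicy],
    device_compliance: Dict[str, Compliance],  # device_id -> state, as Intune reports it
    app_compliance: Dict[str, Compliance],     # client_app -> state, from app policies
) -> Decision:
    """Apply every policy covering the cloud app; all required controls must pass.

    Fail closed: a device or app with no compliance record is UNKNOWN, and UNKNOWN
    is never accepted where a compliant device or approved app is required.
    """
    decision = Decision(granted=True)
    for policy in policies:
        covered = "*" in policy.applies_to_cloud_apps or request.cloud_app in policy.applies_to_cloud_apps
        if not covered:
            continue
        if policy.require_compliant_device:
            state = device_compliance.get(request.device_id, Compliance.UNKNOWN)
            if state is not Compliance.COMPLIANT:
                decision.granted = False
                decision.reasons.append(f"{policy.name}: device {request.device_id} is {state.value}")
        if policy.require_approved_app:
            state = app_compliance.get(request.client_app, Compliance.UNKNOWN)
            if state is not Compliance.COMPLIANT:
                decision.granted = False
                decision.reasons.append(f"{policy.name}: app {request.client_app} is {state.value}")
        if policy.require_mfa and not request.mfa_completed:
            decision.granted = False
            decision.reasons.append(f"{policy.name}: MFA not completed")
    return decision


# Constructed sample tenant state (hypothetical names).
POLICIES = [
    ConditionalAccessPolicy("Compliant device for Exchange", frozenset({"exchange-online"}),
                            require_compliant_device=True),
    ConditionalAccessPolicy("Protected app for all cloud apps", frozenset({"*"}),
                            require_approved_app=True),
]
DEVICE_COMPLIANCE = {"phone-001": Compliance.COMPLIANT, "phone-002": Compliance.NONCOMPLIANT}
APP_COMPLIANCE = {"contoso-lob-app": Compliance.COMPLIANT}


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", "contoso-lob-app", "exchange-online", "phone-001"),
        AccessRequest("bob", "contoso-lob-app", "exchange-online", "phone-002"),
        AccessRequest("carol", "random-mail-app", "exchange-online", "phone-999"),
    ):
        d = evaluate_access(req, POLICIES, DEVICE_COMPLIANCE, APP_COMPLIANCE)
        print(req.user, "granted" if d.granted else "denied", d.reasons)
```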

Additional services in Microsoft 365


Your organization can also subscribe to optional components within Office 365 that can enhance your use of these cloud-based services and provide your users with additional facilities to increase productivity. These optional components include Yammer, Microsoft Project Online, Project Pro for Office 365, and Microsoft Office Visio Pro for Office 365.
Yammer
Microsoft Yammer is an enterprise social networking tool that can be used to efficiently resolve support
issues and gather feedback on projects and documents. Yammer is becoming more integrated with Office
365, and SharePoint Online users now have the option to replace their activity stream in SharePoint
Online with Yammer. To make this change, users click a Yammer link and sign in to this service through a
separate browser window. Future integration will include Single Sign On (SSO) between the Yammer
service and Office 365. Furthermore, users can use the Yammer Newsfeed instead of the SharePoint Newsfeed.

Project Online
Project Online is the cloud version of Microsoft Project Server that enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value feature with Project Online is that it enables global organizations to plan project portfolios in
multiple time zones.

Project Pro for Office 365


Project Pro for Office 365 provides desktop project management capabilities for small teams and organizations. Organizations that require full desktop project-management capabilities and the ability to participate online from virtually anywhere on almost any device can combine this service with Project Online.

Office Visio Pro for Office 365


Office Visio Pro for Office 365 is a subscription version of Microsoft Visio Professional, the diagramming
and flowchart application. Users can install it on up to five devices, and it includes the Visio on Demand
feature, which enables a user to install the application temporarily on any computer running recent
versions of the Windows operating system.

Microsoft Dynamics 365


Dynamics 365 is a cloud-based platform that combines customer relationship management (CRM) and enterprise resource planning (ERP) functionality and delivers applications for managing business functions such as sales, marketing, finance, and customer service.

OneDrive for Business


OneDrive for Business is a private library for the storage, organization, and sharing of users' work documents. It's a cloud service that enables you to store and protect files, share files with others, access files from anywhere using an app or web browser, and restore all files to a previous date and time. It is an integral component of a user's Office 365 online environment, and is provided to each of your organization's users through its subscription to SharePoint Online in Office 365. If you get OneDrive for Business through your organization's subscription to Office 365, then you get 25 GB of personal storage space by default; however, if your OneDrive for Business library is hosted on an on-premises SharePoint server, then your storage space is allocated and controlled by your SharePoint administrators.
OneDrive for Business is not the same as OneDrive, which is a cloud-based service intended for personal
storage and is provided with Microsoft accounts and Outlook.com accounts.
Planner
Use Planner from any of your devices to create new plans, assign tasks, and share files with others. You
can organize teamwork and collaborate on projects. You also can use Planner to chat with colleagues and
to keep track of your team's progress.

Power BI
Power BI is a business analytics service that delivers insights to enable fast, informed decisions. You can
use Power BI to transform data into visuals and share them with colleagues. You can use a variety of
device types to access this content. You also can collaborate on and share customized dashboards and
interactive reports.

Microsoft StaffHub
StaffHub helps workers manage their workday by using schedule management and information sharing.
It also provides the ability to connect to other work-related apps and resources. Managers can quickly
distribute important information to their team, such as policy documents, news bulletins or videos.

Stream
Stream is an enterprise video service where people in your organization can upload, view, and share
videos securely. You can share recordings of classes, meetings, presentations, training sessions, or other
videos that aid your team's collaboration. Stream also makes it easy to share comments about a video,
tag timecodes in comments, and add descriptions to refer to specific points in a video and discuss with
colleagues.

Microsoft Delve
Use Delve to manage your Office 365 profile, and to discover and organize the information that's likely to
be most interesting to you. Using Delve, you can manage your profile, and connect and collaborate with
colleagues.

Sway
You can use Sway to compile text, images, videos, and other content in an interactive online format. You
can apply designer-created layouts and color schemes, or let Sway suggest design elements that match
your content. You also can search and import relevant content from other sources, and then share your
completed Sways on the web.

Office 365 ProPlus


Office 365 ProPlus provides the Microsoft productivity suite of applications, such as Word, Excel, PowerPoint, and Outlook for both Windows and Mac devices. Office 365 ProPlus is a full version of Office, and it's installed and runs on the user's local device. Office 365 ProPlus is not a web-based version of Office. The Office applications that come with Office 365 ProPlus can be used with the on-premises or the online versions of Exchange, SharePoint, or Skype for Business.
Office 365 ProPlus can be installed directly from the internet or can be deployed from a location on an
organization’s local network. There is no Windows Installer (.msi) package that users can download and
install for Office 365 ProPlus. Once installed, users don't have to be connected to the internet all the time to use Office 365 ProPlus. But, users must connect at least once every 30 days to confirm that they still have the right to use the Office 365 ProPlus license.
Office 365 ProPlus gets updated on a regular basis with new features, security updates, and other quality updates. New or improved features are released on either a monthly or a semi-annual basis. An organization can choose which frequency works best for their users through the use of update channels.
Additional learning: For more information about Office 365 ProPlus, see Office 365 ProPlus in the Enterprise [1].

Office 365 ProPlus compared to Office Professional Plus 2019
Office 365 ProPlus is very similar to Office Professional Plus 2019, which is a version of Office that is
available to organizations through volume licensing instead of through a Microsoft 365 plan. But, there
are significant differences between the two versions of Office:
●● Office 365 ProPlus continues to get new and improved features on a regular basis, but the features
included in Office Professional Plus 2019 remain the same.
●● Users can install Office 365 ProPlus on multiple devices with a single license, but Office Professional
Plus 2019 can only be installed on one device with a single license.
●● There is a web-based portal where administrators can have users install Office 365 ProPlus for themselves, if the users are a local administrator on their devices. Office Professional Plus 2019 doesn't provide a self-install portal.
●● Office 365 ProPlus is activated by connecting to the internet, and it requires regular internet connectivity to remain activated. Office Professional Plus 2019 is activated by using volume activation methods, such as Key Management Service (KMS), and the user's device doesn't require internet connectivity to remain activated.

Deployment options for Office 365 ProPlus


To deploy Office 365 ProPlus, you first choose what deployment tool to use:
●● Configuration Manager: For enterprises that already use Configuration Manager to deploy and manage software, we recommend using it for Office deployment as well. Configuration Manager scales for large environments and enables extensive control over installation, updates, and settings. It also has built-in features for deploying and managing Office and Windows.
●● Office Deployment Tool: For organizations that don't have Configuration Manager but still want to
manage their deployment, you can use the Office Deployment Tool, which provides control over
installation, updates, and settings. You can use this as a standalone tool or in conjunction with
third-party software deployment tools.
●● Microsoft Intune: For organizations that want to deploy and manage Office from the cloud, Intune
provides a cloud-based service that manages mobile devices and PCs, along with the applications on
those devices (like Office 365 ProPlus). Intune can also be used to manage Windows 10 on your PCs.
●● Install directly from the Office 365 portal: The simplest approach is to have your users install Office on their client devices directly from the Office 365 portal. This method requires the least amount of administrative setup but gives you less control over the deployment. You can, however, still define how frequently your users receive feature updates. This option requires that your users have local administrative rights on their client devices.

[1] https://docs.microsoft.com/en-us/DeployOffice/about-office-365-proplus-in-the-enterprise

As part of deploying with the Office Deployment Tool or Configuration Manager, you can create configuration files with the Office Customization Tool. These configuration files give you control over an Office installation, including defining which applications and languages are installed, how those applications should be updated, and application preferences. Similar options are available as part of the Intune deployment.
Depending on the tool you choose to deploy with, you can also choose whether to deploy from the cloud or to download Office to a local source on your network and deploy from there. When possible, we recommend deploying Office from the cloud, as doing so will minimize your administrative overhead. When you deploy from the cloud, Office 365 ProPlus is delivered to client devices directly from the Office Content Delivery Network (CDN). If your network considerations require you to deploy from a local source, Configuration Manager can be a good option to help manage the deployment and updates.

Comparing Microsoft 365 services with on-premises services


The online versions of SharePoint and Exchange that are in Microsoft 365 offer additional features and reliability improvements when compared to the on-premises versions. Let’s take a look at how to compare Microsoft 365 core services with the on-premises equivalents.

Comparing Exchange Online and on-premises Exchange Server


To determine whether Exchange Online is appropriate for your organization, you must identify the
differences between Exchange Online and on-premises Exchange Server. Some of the primary differences
include:
●● Unlimited storage. Many on-premises deployments of Exchange Server place relatively low limits on
mailbox sizes, such as one or two gigabytes (GB). Exchange Online supports larger mailboxes of 50 GB
or larger depending on the plan you have purchased.
●● High availability. For an on-premises Exchange Server, you need to purchase and configure hardware to store multiple mailbox copies, and configure load balancing to achieve high availability. For true high availability, you also need an alternate datacenter. Exchange Online, by contrast, is automatically highly available, with your data replicated to multiple datacenters.
●● Backups. Exchange Online does not have any built-in methods for configuring backups. Instead, you
configure retention through single-item recovery and litigation hold.
●● Automatic integration with other Office 365 features. Exchange Online offers additional features
such as Office 365 groups, which integrate multiple Office 365 features together. Another example is
the online viewing and editing of email attachments.
●● New features. Exchange Online has many features that do not exist in an on-premises Exchange
server. It is possible that some of these features will be integrated into on-premises Exchange server
in the future, but they will always appear first in Exchange Online because development happens there
first.
●● No access to Exchange Online databases or servers. Unlike an on-premises Exchange server where
you administer and manage Exchange servers and databases, Microsoft manages these items in
Exchange Online.
●● Exchange web services. Exchange provides Exchange web services (EWS) to create solutions for managing business email, calendar, and contacts on desktop and mobile devices and online, and for accessing and managing Exchange store items. Both on-premises Exchange Server and Exchange Online provide EWS access to accounts; however, only Exchange Server provides custom EWS throttling settings.
In addition to Exchange Web Services, some of the more popular features that are available in both
on-premises Exchange Server and Exchange Online include Information Rights Management, archiving,
and legal holds.

Comparing SharePoint Online and an on-premises SharePoint Server


SharePoint Online is a Microsoft cloud-based service. Instead of installing and deploying SharePoint
Server on-premises, you can subscribe to a Microsoft 365 plan (or to the standalone SharePoint Online
service). Your users can then create sites to collaborate or communicate. SharePoint Online receives all
the latest features with regular updates.
SharePoint Server is an on-premises solution. It includes the ability to create sites for collaboration and
communication but will not reflect the latest updates. The on-premises product requires an organization
to maintain servers, including patching, updating, and setting up and maintaining the environment for
high availability and disaster recovery. All of that is handled by Microsoft with SharePoint Online.
Feature differences between SharePoint Online and an on-premises SharePoint Server include:
●● Anti-malware protection is not included in SharePoint Server.
●● Claims-based authentication is only provided with SharePoint Server.
●● Data loss prevention policies are available in SharePoint Online as part of Microsoft 365 E3 or Microsoft 365 E5 subscriptions.
●● Encryption at rest is not available in SharePoint Server.
●● Not all modern web parts are available in SharePoint Server 2019, and no modern pages or web parts are available on-premises for earlier versions.
●● Intelligent functionality based on the Microsoft Graph is available in SharePoint Online.

Accessibility in Microsoft 365


There are no limits to what people can achieve when technology reflects the diversity of everyone. Our
products and services are designed for people of all abilities.
At Microsoft, our Mission is to empower every person and every organization on the planet to achieve
more. With more than 1 billion people in the world with disabilities, there is no limit to what people can
achieve when technology reflects the diversity of all those who use it.
Our accessibility efforts focus on the following accessibility standards (EN 301 549, U.S. Section 508,
WCAG 2.0, ISO/IEC 40500). Here is a list of some of the key accessibility features available on Windows 10
and Office 365.

Vision
Need a larger screen? A brighter screen? A narrator to read text? Find out about accessibility tools and
features for people who are blind, color blind, or have low vision. Here are some Microsoft 365 features
that assist vision.
●● Color filters [2]: Boost contrast or get rid of color entirely—whether you have colorblindness, light sensitivity, or a visual preference, with color filters you can customize your screen's color palette.
●● Tell Me [3]: Quickly access commands in several Office 365 applications without navigating the command ribbon. You can use Tell Me to assist with formatting, discover difficult-to-find capabilities, and even get scoped help in Office 365 using everyday language.
●● Microsoft Soundscape [4]: Use innovative audio-based technology to enable people with blindness or low vision to build a richer awareness of their surroundings, thus becoming more confident navigating new environments.

Hearing
For those who are hard of hearing, have hearing loss, or have deafness, our specialized features can
provide solutions including closed captioning, mono sound, and live call transcription. Here are some
Microsoft 365 features that assist hearing.
●● Microsoft Translator [5]: Display auto-generated subtitles on a presentation in any of 60+ supported languages with the Presentation Translator add-in for PowerPoint on PCs. Plus, let each audience member follow along with captions displayed in their chosen language on any device with Microsoft Translator.
●● Autogenerate captions in Microsoft Stream [6]: Share videos securely across your organization in an accessible format with Microsoft Stream. Select a simple option, and you’ll get captions and searchable transcripts in English and Spanish autogenerated while uploading videos.
●● Mono audio [7]: If you have partial hearing loss or deafness in one ear, Windows 10 helps you to hear more from your computer. Just turn on mono audio, and your left and right speakers will play the same sounds.

Neurodiversity
Innovative tools such as dictation and Windows Hello sign-in can make the digital world more accessible
for those who live with dyslexia, seizures, autism, or other cognitive differences.
●● Focus assist [8]: Block alerts and notifications so you can get things done without distractions. Don’t worry, if there are some people you don’t want to ignore, you can add them to a special list. And when you finish focusing, you'll get a summary of what you missed.
●● Reading view [9]: Use Reading view to clear distracting content from web pages, so you can stay focused on what you want to read. And with Learning Tools in Microsoft Edge you can have documents read aloud to you.

[2] https://support.microsoft.com/en-us/help/4344736/windows-10-use-color-filters
[3] https://support.office.com/en-US/article/Do-things-quickly-with-Tell-Me-f20d2198-17b8-4b09-a3e5-007a337f1e4e
[4] https://www.microsoft.com/en-us/research/product/soundscape/
[5] https://translator.microsoft.com/
[6] https://docs.microsoft.com/en-us/stream/portal-autogenerate-captions
[7] https://support.microsoft.com/en-us/help/27933/windows-10-make-windows-easier-to-hear
[8] https://support.microsoft.com/en-us/help/4026996/windows-10-turn-focus-assist-on-or-off
[9] https://support.microsoft.com/en-us/help/17204/windows-10-take-your-reading-with-you

Learning
Our applications for people living with learning disabilities can help increase focus, concentration, and
understanding—and include tools to improve reading and writing skills.
●● Immersive Reader [10]: Read more effectively with Learning Tools that read text out loud, break words into syllables, and identify parts of speech. Sustain attention with a focus mode and adjustable spacing between lines, letters, and words. Available for OneNote, Word, and Outlook on various devices.
●● Editor in Word [11]: With Editor, see any misspellings, grammatical mistakes, and writing style issues as you type in Word and Outlook for PCs. Get suggestions for phonetic misspellings, see synonyms alongside suggestions, and have suggestions read out loud to avoid common word choice errors.
●● Text suggestions [12]: Get help constructing sentences with text suggestions. Word suggestions appear, and can be inserted, as you type. It's a great feature for English language learners—and anyone who'd like a little help with their writing.

Mobility
Our suite of products helps people living with arthritis, quadriplegia, spinal cord injuries, and other
mobility issues to navigate the digital world in non-traditional ways.
●● Dictate in Office 365 [13]: Convert your speech to text with Dictate in Office 365 applications such as Word, PowerPoint and Outlook for PCs. Also available with the Dictate add-in for Word, Outlook and PowerPoint for PCs, which supports dictation in 20+ languages and real-time translation to 60+ languages.
●● Keyboard shortcuts [14]: Office 365 is designed to work seamlessly with keyboards. Shortcuts are documented per application to help you get started. Additionally, Tell Me lets you quickly access commands in several Office 365 applications by typing what you want to do using everyday language.
●● Eye control [15]: If physical disabilities make it difficult to use a keyboard, Windows 10 offers built-in support for eye control—an effective way to use your PC with just your eyes (eye tracking hardware sold separately).

Mental health
Learn more about assistive technologies for people living with issues such as bipolar disorder, anxiety,
PTSD, depression, or ADHD. Our products can help with distraction, reading, and concentration.
●● Minimize visual distraction [16]: Windows makes it easy to minimize distractions by reducing animations and turning off background images and transparency. You can also clean up taskbar clutter and simplify the start menu.

[10] https://www.onenote.com/learningtools
[11] https://support.office.com/en-us/article/editor-is-your-writing-assistant-in-word-91ecbe1b-d021-4e9e-a82e-abc4cd7163d7?ui=en-US&rs=en-US&ad=US
[12] https://blogs.windows.com/windowsexperience/2017/11/08/announcing-windows-10-insider-preview-build-17035-pc/#4rfiWmW4km5FdsgK.97
[13] https://support.office.com/en-us/article/dictate-your-documents-d4fd296e-8f15-4168-afec-1f95b13a6408?ui=en-US&rs=en-US&ad=US
[14] https://support.office.com/en-us/article/use-a-screen-reader-and-keyboard-shortcuts-with-office-apps-4aba5a56-f80c-4a6b-a584-d0f415471617?ui=en-US&rs=en-US&ad=US
[15] https://support.microsoft.com/en-us/help/4043921/windows-10-get-started-eye-control
[16] https://support.microsoft.com/en-us/help/27930/windows-10-make-it-easier-to-focus-on-tasks

●● Focus assist [17]: Block alerts and notifications, so you can get things done without distractions. Don't worry, if there are some people you don't want to ignore, you can add them to a special list. And when you finish focusing, you'll get a summary of what you missed.
●● To-dos [18]: OneNote and Outlook work together to help you stay organized. As you take notes and plan projects in OneNote, you can manage deadlines and remember the things on your to-do list by creating Outlook tasks. Then you can view and track those tasks in Outlook and even get reminders.

[17] https://support.microsoft.com/en-us/help/4026996/windows-10-turn-focus-assist-on-or-off
[18] https://support.office.com/en-us/article/Create-Outlook-tasks-in-OneNote-19725FF3-0234-495D-9838-FB1F511E924F

Deploying Windows 10 and Office 365 ProPlus


Introduction
Many organizations use on-premises IT solutions. This means that they maintain physical or virtual
servers and services in their IT datacenters. However, organizations are moving their services to cloud
providers at an increasing rate. Microsoft 365 provides a full range of services that can replace (or coexist
with) an organization’s on-premises infrastructure and services.
After this lesson, you should be able to:
●● Plan a deployment of Windows 10 and Office 365 ProPlus.
●● Describe the deployment options for Windows 10 and Office 365 ProPlus.
●● Describe the update model for Windows and Office 365 ProPlus.

Plan your Windows 10 and Office 365 ProPlus deployment


The two most critical parts of planning an enterprise deployment of Windows 10 and Office 365 ProPlus
are:
1. Assessing your environment and network.
2. Making sure your existing hardware and applications will work with the new software.

Assess hardware and application compatibility


Almost all the applications written in the last 10 years will run on Windows 10, and almost all add-ins and
Visual Basic for Applications (VBA) macros that are based on previous versions of Office will continue to
work on the latest versions of Office. However, depending on the size and age of your organization,
verifying application and hardware compatibility will still be an essential first step in deploying the
modern desktop.
Microsoft offers several tools to help with making sure your applications and hardware are compatible,
including:
●● Windows Analytics Upgrade Readiness: The recommended tool for assessing desktop device and
application readiness. It provides application and driver compatibility information to give you a
detailed assessment of issues that might block your upgrade. It's supported with links to suggested
fixes known to Microsoft.
●● The Readiness Toolkit for Office add-ins and VBA: This tool can help you identify compatibility
issues with your Microsoft VBA macros and add-ins that you use with Office. The toolkit can scan for
VBA macros in Word, Excel, PowerPoint, Outlook, Access, Project, Visio, and Publisher files for Office
versions as far back as Office 2003. It can also scan for certain types of add-ins used with Office.
●● Desktop App Assure: The FastTrack Center Benefit for Windows 10 provides access to Desktop App
Assure, a new service designed to address issues with Windows 10 and Office 365 ProPlus application
compatibility. For customers with an eligible subscription, a Microsoft engineer works with you to
address valid application issues.
As part of your testing process, we recommend deploying Windows 10 and Office 365 ProPlus first to a pilot group of users and client devices from across your organization. For example, you might want to include devices from your finance department, because those devices probably include specialized line-of-business applications and macros. This pilot group can test the initial deployment of Windows 10 and Office 365 ProPlus as well as future updates.

Assess and optimize your network


Network bandwidth is a critical consideration when deploying and managing updates for Windows 10
and Office 365 ProPlus. Installation files for Office 365 ProPlus, for example, are at least 1.6 GB in size for
the core files, plus at least 250 MB for each language deployed.
Microsoft has built-in methods for automatically limiting bandwidth, including reducing the size of update downloads with express update delivery and binary delta compression. As a result, you'll download only the changes between the current update and the previous update, which can significantly minimize the impact to your network.
Peer-to-peer options help shift traffic related to Windows 10 and Office 365 ProPlus away from the center
of the network and reduce the need for classic throttling approaches. They let computers find the update
files they need on peers in their local network, rather than downloading them from a distribution point or
the internet. Microsoft 365 includes the following peer-to-peer options:
●● BranchCache can help you download source files in distributed environments without saturating the
network. BranchCache fetches content from your main office or hosted cloud content servers and
caches the content at branch office locations, allowing client computers at branch offices to access
the content locally.
●● Peer cache is a solution in Configuration Manager that enables clients to share source files with other
clients directly from their local cache. You can use peer cache to help manage deployment of source
files to clients in remote locations. BranchCache and peer cache are complementary and can work
together in the same environment.
●● Delivery Optimization allows clients to download source files from alternate sources (such as other
peers on the network) in addition to the traditional Internet-based Windows Update servers. You can
use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows
Update for Business, or Configuration Manager.

Deployment options for Windows 10 and Office 365 ProPlus


How you deploy Windows 10 and Office 365 ProPlus depends on your business requirements and your
environment, including how much administrative control you want over the deployment, your network
capacity, and the deployment tools you already use.
You can choose from a variety of existing and new deployment tools for Windows 10 and Office 365
ProPlus, including Windows Autopilot and the Microsoft Deployment Toolkit for Windows, the Office
Deployment Tool for Office, and Intune and Configuration Manager for both Windows and Office. As part
of your deployment, you also choose whether to deploy Windows and Office from the cloud or from a
local source on your network.
By upgrading all client devices to Windows 10, organizations can reduce the amount of time their IT team
spends on user support. This same goal can be met by deploying Office 365 ProPlus on all devices, since
having the same software on all computers is known to reduce user support issues.
Deployment options for Windows 10


Windows 10 includes the following new deployment tools and methods:
Windows Autopilot: Customize the out-of-box experience (OOBE) to deploy apps and settings that are pre-configured for your organization. Include just the apps your users need. Autopilot is the easiest way to deploy a new PC running Windows 10. You can also use it with Configuration Manager to upgrade Windows 7 or Windows 8.1 to Windows 10. By using Autopilot to deploy computers to users, an organization can also reduce the amount of time that its IT team spends on user support.
In-place upgrade: Upgrade a device’s operating system without reinstalling. You can migrate apps, user
data, and settings from one version of Windows to another (like going from Windows 8.1 to Windows
10). You can also update from one release of Windows 10 to the next (like going from Windows 10,
version 1803, to Windows 10, version 1809).
Dynamic provisioning: Create a provisioning package to quickly configure one or more devices, even
those without network connectivity. You create provisioning packages with the Windows Configuration
Designer and can install them over a network, from removable media (like a USB drive), or in near field
communication (NFC) tags or barcodes.
Subscription activation: Use a subscription to switch from one edition of Windows 10 to another. For
example, you can switch from Windows 10 Pro to Windows 10 Enterprise. When a licensed user signs into
a device (and they have credentials associated with a Windows 10 E3 or E5 license), the OS changes from
Windows 10 Pro to Windows 10 Enterprise, and all the appropriate Windows 10 Enterprise features are
unlocked. If the subscription expires (or is transferred to another user), the device reverts seamlessly to
Windows 10 Pro edition, after a grace period of up to 90 days.
In addition to those new tools, you can deploy Windows 10 with modern desktop management tools and
existing tools in your organization, including Intune, Azure AD, and Configuration Manager.

Deployment options for Office 365 ProPlus


To deploy Office 365 ProPlus, you first choose what deployment tool to use:
●● Configuration Manager: For enterprises that already use System Center Configuration Manager (SCCM) to deploy and manage software, Microsoft recommends using it for Office deployment as well. System Center Configuration Manager scales for large environments and enables extensive control over installation, updates, and settings. SCCM can be used to deploy Office 365 from a local distribution source by downloading installation files that can then be used for installing Office on computers in the local network. It also has built-in features for deploying and managing Office and Windows.
●● Office Deployment Tool: For organizations that don't have System Center Configuration Manager
but still want to manage their deployment, you can use the Office Deployment Tool, which provides
control over installation, updates, and settings. Organizations use the Office Deployment Tool to
download installation files to a local distribution source and then install Office 365 ProPlus by using
the downloaded files to deploy Office to computers in the network. You can use this as a standalone
tool or in conjunction with third-party software deployment tools.
●● Microsoft Intune: For organizations that want to deploy and manage Office from the cloud, Intune
provides a cloud-based service that manages mobile devices and PCs, along with the applications on
those devices (like Office 365 ProPlus). Intune can also be used to manage Windows 10 on your PCs.
●● Install directly from the Office 365 portal: The simplest approach is to have your licensed users
self-install Office on their client devices directly from the Office 365 dashboard. This method requires
the least amount of administrative setup but gives you less control over the deployment. You can,
however, still define how frequently your users receive feature updates. This option requires that your
users have local administrative rights on their client devices.
Administrators can ensure that employees can install Microsoft Office 365 ProPlus on their devices by
enabling them to self-install directly from the Office 365 dashboard, and by enabling auto-deployment of
Office 365 apps for all devices using Configuration Manager or the Office Deployment Tool. As part of
deploying with the Office Deployment Tool or Configuration Manager, you can create configuration files
with the Office Customization Tool. These configuration files give you control over an Office installation,
including defining which applications and languages are installed, how those applications should be
updated, and application preferences. Similar options are available as part of the Intune deployment.
Depending on the tool you choose to deploy with, you can also choose whether to deploy from the cloud
or to download Office to a local source on your network and deploy from there. When possible, we
recommend deploying Office from the cloud, as doing so will minimize your administrative overhead.
When you deploy from the cloud, Office 365 ProPlus is delivered to client devices directly from the Office Content Delivery Network (CDN). If your network considerations require you to deploy from a local source, Configuration Manager can be a good option to help manage the deployment and updates.
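As an added example (not part of the course and not Microsoft's own deployment code), the following PowerShell script writes an Office Deployment Tool configuration file for a local-source deployment, checks it for the mistakes that cause most support calls, and then runs the download and install steps described above. The share path \\fileserver\Office, the language, the excluded app and the channel choice are example values; the XML element and attribute names and the setup.exe /download and /configure switches are the Office Deployment Tool's own.

```powershell
# Added example: Office Deployment Tool (ODT) configuration for deploying
# Office 365 ProPlus from a local source on the network.
# Example values: the share path, language, excluded app and channel choice.
$SourcePath = '\\fileserver\Office'               # local distribution source (example)
$SetupExe   = Join-Path $SourcePath 'setup.exe'    # ODT setup.exe copied to the share
$ConfigPath = Join-Path $SourcePath 'configuration.xml'

# What the configuration file controls (the same choices the Office Customization Tool exposes):
#   Add        - product, edition, languages and update channel to install, and from where
#   ExcludeApp - applications to leave out of the installation
#   Updates    - whether the installed client keeps updating itself, and from which channel
#   Display    - silent install with the EULA accepted
$Config = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="SemiAnnual" SourcePath="$SourcePath">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Channel="SemiAnnual" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

function Test-OdtConfig {
    # Sanity checks to run before the file is pushed to clients.
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    $add = $xml.Configuration.Add
    $upd = $xml.Configuration.Updates
    $ok  = $true
    if ($add.SourcePath -and -not (Test-Path $add.SourcePath)) {
        # Without a reachable source, clients silently fall back to the CDN (if allowed) or fail.
        Write-Warning "SourcePath '$($add.SourcePath)' is not reachable from this machine."
        $ok = $false
    }
    if ($upd -and $upd.Channel -and $upd.Channel -ne $add.Channel) {
        # Installing from one channel and updating from another is a common mistake.
        Write-Warning "Install channel '$($add.Channel)' differs from update channel '$($upd.Channel)'."
        $ok = $false
    }
    foreach ($lang in $add.Product.Language) {
        # Each language adds at least 250 MB to the download, so list what was requested.
        Write-Verbose "Language requested: $($lang.ID)"
    }
    return $ok
}

Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8
if (-not (Test-OdtConfig -Path $ConfigPath)) { throw 'Fix configuration.xml before deploying.' }

# Step 1, run once from an admin workstation: download the installation files
# (at least 1.6 GB for the core files, plus each language) to the local source.
& $SetupExe /download $ConfigPath

# Step 2, run on each client (elevated, or through Configuration Manager or another
# deployment tool): install Office 365 ProPlus from the local source.
& $SetupExe /configure $ConfigPath
```

To deploy from the cloud instead, omit the SourcePath attribute and the /download step; the Updates element then keeps clients current from the chosen channel without any local source to maintain.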

Windows as a service model


With Windows as a service, Microsoft simplifies the operating system build, deployment, and servicing process. In the past, Microsoft released new versions of the Windows operating system every few years; upgrades were infrequent and required a significant effort to deploy.
In the Windows as a service (WaaS) model, Microsoft no longer provides major operating system revisions every few years with significant servicing updates (known as service packs) between these major revisions. Instead, consider Windows updates as an ongoing maintenance task rather than a periodic operating system upgrade project. The Windows operating system receives revisions and updates more frequently, and they are applied with less disruption and effort. These updates fall into two categories:
●● Feature updates. These add new functionality and are released twice a year. These updates can be readily deployed using existing management tools. Because the updates are more frequent, they are smaller, so users take less time to adapt to changes. Consequently, the workload and cost impact on organizations is reduced.
●● Quality updates. These are security updates and fixes, usually issued once a month. On the second Tuesday of each month (“Patch Tuesday”), a cumulative update is released that includes all previous updates. This helps to ensure that devices are fully up to date and align more closely with those used for testing at Microsoft.
You can control how and when updates are applied with servicing channels and deployment rings:
●● Servicing channels. Windows as a service offers three servicing channels, each of which receives new feature updates at a different frequency. Servicing channels provide a method for controlling the frequency at which organizations deploy Windows 10 features.
●● Deployment rings. In Windows 10, deployment rings are similar to the groups your organization might have used to manage updates to earlier versions of Windows in tools such as Windows Server Update Services (WSUS). Deployment rings provide a method for gradually deploying Windows 10. They allow you to group devices together for the purposes of receiving updates through each of the servicing channels.

Servicing channels
Although servicing channels are new, you can still use the same management tools that you used in earlier versions of Windows to deploy the updates to your organization’s devices. The three servicing channels are:
●● Windows Insider Program. This channel enables users to become familiar with Windows feature
updates before they are released to the wider public. These are early builds that are released to the
public during the feature-development phase. Organizations can test and evaluate these feature
updates within Microsoft Insider Preview Branch versions of Windows software before trying a wider
deployment. In addition, users can provide feedback to Microsoft to help resolve any issues with
updates. Feature updates are released to the Windows Insider program about once a week.
●● Semi-Annual Channel. Computers configured in the semi-annual channel receive updates as soon as
Microsoft publishes them. There are two semi-annual channels: semi-annual (targeted) is aimed at a
subset of your users, while semi-annual is aimed at all other users. Feature updates are released to the
semi-annual channel twice a year in the spring and fall.
●● Long-Term Servicing Channel (LTSC). For computers and other devices that perform a single task or
a number of specialized tasks, the long-term servicing channel prevents configured devices from
receiving feature updates. However, quality updates delivery is not affected. Note that the Long-term
Servicing Channel is available only in the Windows 10 Enterprise LTSC edition. Feature updates are
released to the LTSC about once every three years.

Deployment rings
In Windows 10, you can use deployment rings to further control how and when updates are applied to
your devices. It’s probable that you will only define these deployment rings once; however, you should
consider revisiting the deployment ring configuration periodically to ensure that they still meet the needs
of your organization and its users.
A typical deployment ring strategy is described in the following table.

| Name of ring | Channel | Feature update deferral | Quality update deferral | Description |
|---|---|---|---|---|
| Preview | Windows Insider Program | None | None | For testing updates on a small group of devices before they become more widely available on the semi-annual channel. |
| Targeted | Semi-Annual Channel (Targeted) | None | None | Used to evaluate a significant update before it is deployed to most other devices. |
| Broad | Semi-Annual Channel | 120 days | 7 to 14 days | Use this ring to deploy the update to most of your users’ devices. Use the deferment period to thoroughly test the updates before further deployment. Note: You can pause updates if you encounter significant problems or issues. |
| Critical | Semi-Annual Channel | 180 days | 30 days | Reserved for devices that are critical and are only updated when the updates have been thoroughly tested throughout the rest of your organization. |
The naming convention used to identify the rings is completely customizable as long as the name clearly
identifies the sequence. By defining and using deployment rings, you can effectively control how feature
and quality updates are deployed through your organization. You should start to think about using
Windows as a Service as an ongoing process, rather than a specific project to update Windows builds.
The following diagram shows how you can use the servicing channels to create an update timeline that
includes a planning and preparation phase, pilot deployments, and general deployment.
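The following PowerShell is an added example, not part of the course material, showing how the rings in the table above translate into Windows Update for Business policy settings. It writes the documented WindowsUpdate policy registry values (the same settings that Group Policy and Intune configure) for a chosen ring, pauses feature updates, and reads the effective state back. The ring names and deferral numbers come from the table; the choice of 14 days for the Broad ring's 7-to-14-day window and of the Release Preview Insider ring for the Preview ring are assumptions made for this example.

```powershell
# Added example (not from the course text): express the deployment rings as Windows Update
# for Business policy values. Registry path and value names are the documented WUfB policy
# settings; ring names and deferral days are taken from the ring table.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel: 2/4/8 = Windows Insider Fast/Slow/Release Preview,
# 16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel.
# Assumption: the Preview ring uses the Release Preview Insider ring (8) and
# the Broad ring uses the upper end (14 days) of its 7-to-14-day quality deferral.
$Rings = @{
    Preview  = @{ BranchReadinessLevel = 8;  FeatureDeferDays = 0;   QualityDeferDays = 0  }
    Targeted = @{ BranchReadinessLevel = 16; FeatureDeferDays = 0;   QualityDeferDays = 0  }
    Broad    = @{ BranchReadinessLevel = 32; FeatureDeferDays = 120; QualityDeferDays = 14 }
    Critical = @{ BranchReadinessLevel = 32; FeatureDeferDays = 180; QualityDeferDays = 30 }
}

function Set-UpdateRing {
    # Write the policy values for one ring. Run elevated; use -WhatIf to preview.
    param(
        [Parameter(Mandatory)][ValidateSet('Preview','Targeted','Broad','Critical')][string]$Ring,
        [switch]$WhatIf
    )
    $r = $Rings[$Ring]
    # WUfB caps deferrals at 365 days (feature) and 30 days (quality); refuse anything larger.
    if ($r.FeatureDeferDays -gt 365 -or $r.QualityDeferDays -gt 30) {
        throw "Ring '$Ring' exceeds the Windows Update for Business deferral limits (365 feature / 30 quality days)"
    }
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    $values = @{
        BranchReadinessLevel            = $r.BranchReadinessLevel
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $r.FeatureDeferDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $r.QualityDeferDays
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $PolicyPath -Name $name -Value $values[$name] -Type DWord -WhatIf:$WhatIf
    }
}

function Suspend-FeatureUpdates {
    # The "pause" mentioned for the Broad ring: feature updates stay paused for up to 35 days
    # from the start date written here.
    param([datetime]$StartDate = (Get-Date))
    Set-ItemProperty -Path $PolicyPath -Name PauseFeatureUpdatesStartTime `
        -Value $StartDate.ToString('yyyy-MM-dd') -Type String
}

function Get-UpdateRingState {
    # Read the effective policy back so you can verify which ring a device is actually in.
    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BranchReadinessLevel = $p.BranchReadinessLevel
        FeatureDeferDays     = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferDays     = $p.DeferQualityUpdatesPeriodInDays
        FeaturePausedSince   = $p.PauseFeatureUpdatesStartTime
    }
}

# Preview what the Broad ring would write, then inspect the current state of this device.
Set-UpdateRing -Ring Broad -WhatIf
Get-UpdateRingState
```

In production you would set these values through Group Policy or an Intune update ring rather than by hand on each device; the script is useful for checking that a device ended up in the ring you intended, since a device whose policy values do not match its ring will pull feature updates earlier (or later) than your testing schedule assumes.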

You do not need to deploy all feature updates; you can opt to skip those that do not add value for
your users. Bear in mind, however, that each feature update is supported for only 18 months after
its release (longer for some Enterprise and Education releases), so you must move to a newer feature
update before the one you are running goes out of support and stops receiving quality updates.
There are several models that IT pros can use to service Windows as a service. Each option has its pros
and cons, ranging from capabilities and control to simplicity and low administrative requirements. The
following are examples of the servicing models available to manage Windows as a service updates:
●● Windows Update (stand-alone). Provides limited control over feature updates, with IT pros manually
configuring the device to be in the Semi-Annual Channel. Organizations can target which devices
defer updates by selecting the Defer upgrades check box in Start\Settings\Update and Security\
Advanced Options on a Windows 10 client. With this tool, organizations choose when updates are
installed to which devices, and the updates do not have to originate from an on-premises server.
●● Windows Update for Business. This servicing tool adds control over update deferral and
provides centralized management using Group Policy. Windows Update for Business can defer
feature updates by up to 365 days and quality updates by up to 30 days, depending on the Windows
version, and can pause either type of update. These deployment options are available to clients in
the Semi-Annual Channel. The same settings can also be configured without any on-premises
infrastructure by using Intune. Devices serviced this way are updated directly from Windows Update
and monitored from a single management system; the updates do not have to originate from an
on-premises server.
●● Windows Server Update Services (WSUS). Provides extensive control over Windows 10 updates and
is natively available in the Windows Server operating system. In addition to the ability to defer
updates, organizations can add an approval layer for updates and choose to deploy them to specific
computers or groups of computers whenever ready.
●● System Center Configuration Manager. Provides the greatest control and cost savings to service
Windows as a service. IT pros can defer updates, approve them, and have multiple options for
targeting deployments and managing bandwidth usage and deployment times. This enables consistent
scheduling of upgrades and updates across all devices. With this tool, application deployments and
operating system updates to devices must originate from an on-premises server.
The servicing option that an organization chooses depends on the resources, staff, and expertise of its IT
organization. For example, if IT already uses System Center Configuration Manager to manage Windows
updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a
consolidated look at the benefits of each tool, see the following table.

Updates for Office 365 ProPlus


After you deploy Windows 10 and Office 365 ProPlus, Microsoft strongly recommends that you keep
them up to date as new features and other updates are released.

Types of updates for Office 365 ProPlus


Similar to Windows 10, one of the benefits of Office 365 ProPlus is that Microsoft provides new or
updated features for Office apps on a regular basis. For example, adding improved translation capabilities
to Word or adding support for 3D animations in PowerPoint.
For Office 365 ProPlus, Microsoft provides you options (called update channels) that allow you to control
how often Office 365 ProPlus receives feature updates. Here are the primary update channels for Office
365 ProPlus:
●● Monthly Channel, which receives feature updates approximately every month.
●● Semi-Annual Channel (Targeted), which receives feature updates in March and September. This is
typically used for pilot users and application compatibility testers.
●● Semi-Annual Channel, which receives feature updates every six months, in January and July.
Feature updates in Semi-Annual Channel have already been released in Monthly Channel in previous
months. Semi-Annual Channel is the default update channel for Office 365 ProPlus.

As needed, Microsoft also provides each update channel with two additional types of updates:
●● Security updates, such as updates that help keep Office protected from potential malicious attacks.
●● Quality updates, such as updates that provide stability or performance improvements for Office.
Security updates are usually released on the second Tuesday of every month. Quality updates, which are
sometimes referred to as non-security updates, are also usually released on this day. But, if necessary,
both types of updates can be released at other times.

Choose the appropriate update channel for your organization

Which update channel of Office 365 ProPlus you deploy to the users in your organization can depend on
several factors, such as application compatibility testing and user readiness.
If your organization has line-of-business applications, add-ins, and macros that need to be tested to
determine if they work with an updated version of Office 365 ProPlus, then Semi-Annual Channel is
probably the right update channel for your organization.
If application compatibility testing isn’t a significant concern, and if your users need the newest features
of Office 365 ProPlus as soon as they are available, then Monthly Channel is probably the right update
channel for your organization. If you choose Monthly Channel, keep in mind that your help desk and
others need to be prepared to support these more frequent feature updates.
Not all users in your organization need to be on the same update channel. For example, you can provide
your training department with Monthly Channel so they can start learning about the new Office features,
while the rest of your organization is on Semi-Annual Channel.
The update channel that you choose for Office 365 ProPlus doesn’t have to match the update channel for
Windows 10.
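As an added example that is not part of the course material, the following PowerShell puts the channel choice above into practice: it maps the three Office 365 ProPlus update channels to the Channel values the Office Deployment Tool (ODT) accepts and to the content delivery network (CDN) URLs that Click-to-Run records, generates an ODT configuration.xml for a group of users (the training department on Monthly Channel, everyone else on Semi-Annual Channel), and reads back which channel an installed device is actually on. The channel names, ODT Channel attribute values and CDN URLs are Microsoft's documented values; the output file names are assumptions for illustration.

```powershell
# Added example (not from the course text): choose and verify the Office 365 ProPlus
# update channel. Channel names, ODT "Channel" values and CDN base URLs are Microsoft's
# documented values; file names are assumptions for illustration.
$Channels = @{
    'Monthly Channel'                = @{ Odt = 'Monthly';  Cdn = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' }
    'Semi-Annual Channel (Targeted)' = @{ Odt = 'Targeted'; Cdn = 'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf' }
    'Semi-Annual Channel'            = @{ Odt = 'Broad';    Cdn = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' }
}

function New-OfficeOdtConfiguration {
    # Build the configuration.xml that "setup.exe /configure" consumes. The Updates element
    # keeps the device on the same channel for updates as for the initial install.
    param(
        [Parameter(Mandatory)][ValidateSet('Monthly Channel','Semi-Annual Channel (Targeted)','Semi-Annual Channel')]
        [string]$Channel,
        [string]$Edition = '64',
        [string]$Language = 'en-us'
    )
    $odt = $Channels[$Channel].Odt
    @"
<Configuration>
  <Add OfficeClientEdition="$Edition" Channel="$odt">
    <Product ID="O365ProPlusRetail">
      <Language ID="$Language" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Channel="$odt" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@
}

function Get-OfficeUpdateChannel {
    # Click-to-Run records the CDN it updates from; translate it back to a channel name so
    # you can confirm a device is on the channel its group was meant to get.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if (-not $c2r) { return 'Office 365 ProPlus (Click-to-Run) is not installed on this device' }
    $match = $Channels.GetEnumerator() | Where-Object { $_.Value.Cdn -eq $c2r.CDNBaseUrl }
    [pscustomobject]@{
        Channel = if ($match) { $match.Key } else { "Unknown channel ($($c2r.CDNBaseUrl))" }
        Version = $c2r.VersionToReport
    }
}

# Training department pilots Monthly Channel; everyone else stays on Semi-Annual Channel.
New-OfficeOdtConfiguration -Channel 'Monthly Channel'     | Set-Content -Path '.\training-config.xml'
New-OfficeOdtConfiguration -Channel 'Semi-Annual Channel' | Set-Content -Path '.\standard-config.xml'
Get-OfficeUpdateChannel
```

Deploy each file with `setup.exe /configure <file>` from the ODT to the matching group of devices. Because a device that reports an unknown CDN URL is updating from somewhere you did not configure, `Get-OfficeUpdateChannel` is also a quick integrity check worth running in inventory scripts.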

How updates are installed for Office 365 ProPlus


When Office 365 ProPlus is updated, all the available updates for that update channel are installed at the
same time. There aren’t separate downloads for feature, security, or quality updates. Also, updates are
cumulative, so the most current update includes all the feature, security, and quality updates that have
been previously released for that update channel.
Office 365 ProPlus checks for updates on a regular basis, and they're downloaded and installed
automatically. While updates are being downloaded, your users can continue to use Office apps. After they're
downloaded, the updates are installed. If any Office apps are open, your users will be prompted to save
their work and close the apps, so that the updates can finish being installed.

Licensing and activation in Office 365 ProPlus


To deploy Office 365 ProPlus to users in your organization, you start by assigning licenses to your users.
Then, each user can install Office 365 ProPlus on up to five computers. Each installation is activated and
kept activated automatically by cloud-based services associated with Office 365. This means you don't
have to keep track of product keys. It also means you don't have to figure out how to use other activation
methods such as Key Management Service (KMS) or Multiple Activation Key (MAK). All you have to do is
make sure you purchase enough licenses, keep your Office 365 subscription current, and make sure your
users can connect to Office Licensing Service via the Internet at least once every 30 days.

Licensing Office 365 ProPlus


The number of available licenses available for Office 365 ProPlus depends on your organization's Office
365 subscription level. To assign a license to a user, you select a check box on the licenses page for the
user's account. After that's done, the user can install Office directly from the Office 365 portal or you can
deploy Office to your users from your local network. If the user hasn't been assigned a license, the user
can't install Office from the Office 365 portal.
You can remove a user's Office 365 ProPlus license (for example, if the user leaves your organization).
After you do this, any installations of Office 365 ProPlus that the user had go into reduced functionality
mode. You can also deactivate a user's Office 365 ProPlus license for a particular device, at which point
Office 365 ProPlus goes into reduced functionality mode on that device. The Office Licensing Service, a
part of Office 365, keeps track of which users are licensed and how many computers they've installed
Office on.

What is reduced functionality mode?


In reduced functionality mode, Office 365 ProPlus remains installed on the computer, but users can only
view and print their documents. All features for editing or creating new documents are disabled.
If a user tries to use Office 365 ProPlus on a computer where it's installed but the user hasn't been
assigned a license, Office will be in reduced functionality mode. Also, the user will be prompted to sign in
and activate every time they open an Office app, such as Word or Excel.

Activating Office 365 ProPlus


As part of the installation process, Office 365 ProPlus communicates with the Office Licensing Service and
the Activation and Validation Service to obtain and activate a product key. Each day, or each time the user
logs on to his or her computer, the computer connects to the Activation and Validation Service to verify
the license status and extend the product key. As long as the computer connects to the Internet at least
once every 30 days, Office remains fully functional. If the computer goes offline for more than 30 days,
Office enters reduced functionality mode until the next time a connection can be made. To get Office
fully functional again, usually a user can simply connect to the Internet and let the Activation and Valida-
tion Service reactivate the installation.

Managing activated installations


Each Office 365 ProPlus license allows a user to install Office on up to five computers. If the user decides
to install Office 365 ProPlus on a sixth computer, he or she will need to deactivate one of the first five, at
which point Office 365 ProPlus goes into reduced functionality mode on the deactivated computer.

Unified endpoint management in Microsoft 365

Introduction
A key task of any administrator is to protect and secure an organization's resources and data. This set of
tasks is usually referred to as device management. Users have many devices from which they open and
share personal files, visit websites, and install apps and games. These same users are also employees and
want to use their devices to access work resources, such as email and SharePoint. Device management
enables organizations to protect and secure their resources and data.
After this lesson, you should be able to:
●● Define what unified endpoint management is in the context of the Microsoft 365 toolset.
●● Identify challenges involved with managing and securing devices.
●● Describe the concepts and benefits of cloud connected management.

What is Unified Endpoint Management


Today's technology is changing the way we all work. Digital transformations enable the flexibility to work
from anywhere, on any device. That flexibility doesn't mean, however, that you're not responsible for the
security of your organization's data, no matter where it lives. Modern workplaces demand a new
approach to managing and securing data and devices, alongside seamless interactions between the
productivity tools you rely on.
Unified endpoint management is a concept that describes a platform that includes device and app
management. Microsoft Intune and System Center Configuration Manager (Configuration Manager), part
of Enterprise Mobility + Security (EMS) in your Microsoft 365 subscription, help simplify modern work-
place management. Use them to create a productive Microsoft 365 environment where your users can
work on the devices and apps they choose, while still protecting your org's data.

Device management in today's workplace


In today’s workplace, IT departments support different devices configured in different ways. Your org
might have Android and iOS mobile phones, Windows 10 and macOS PCs, and custom devices your users
bring to work. Not only do you have to support all of these devices, you have to be sure they meet
organizational standards for security and device health. You also have to be able to configure them to
support organizational apps and features, like VPNs, email settings, and updates.
These different devices present the following management challenges:
Mobile devices that connect to unsecured networks. Mobile devices frequently connect to networks
outside your organization. Company laptops often connect to Wi-Fi access points in public places, like
airports and cafés. On an open or attacker-controlled access point, anyone on the same network can
capture unencrypted traffic and try to inject malware into browsing sessions. A single device
compromised this way can then affect everyone in your organization.
Mobile devices that intermittently connect to organizational networks. Mobile devices can be
difficult to manage using tools such as Group Policy, which assumes devices are always connected to the
organizational network.
Backing up data. When a device is connected to your organizational network, users are more likely to
use documents in central locations, such as file shares and SharePoint sites. These locations are typically
backed up. Mobile devices, including laptops, may not regularly connect and use content from central
locations. Instead, the data is likely stored only on the device. If something happens to that device - like
getting lost, stolen, or suffering a hardware failure - you might also lose your data, which can lead to lost
productivity and worse, if that data was protected IP.
Lost or stolen devices. The average cost of replacing a stolen device can exceed the cost of the device.
This cost is higher because your organization must configure the new device and determine what data
was lost or stolen. In some cases, that data exists only on the mobile device, and is then lost to the
organization.
Compromised devices that connect to the internal network. A mobile device infected with malware
can leak data and introduce the malware into the organization. Organizations must treat mobile devices
as possible malware carriers and take precautions to prevent leaks and attacks.
User-owned mobile devices. Personal devices are a challenge to organizations. IT departments need to
find a balance between allowing access to applications and data with users wanting to use their own
devices. When considering a mobile device support policy, ask the following questions:
●● Is the device owned by the user or the organization?
●● Should you let user-owned devices access sensitive applications and data? Or, only allow access if the
owner agrees to have the device managed by IT?
●● What actions can your organization take to protect data stored on the device if the device is lost, or if
the user leaves the company?

Enterprise Mobility + Security components


One of the tools you can use to manage all of the devices in your organization is Enterprise Mobility +
Security (EMS), an intelligent mobility management and security platform that helps protect and secure
your organization and empowers your employees to work in new and flexible ways. EMS is a suite of
products included in your Microsoft 365 Enterprise subscription. Learn how these products help manage
devices in your organization.
EMS is provided as part of Microsoft 365 E3 and E5 plans, as summarized in the table below.

Product                              E3 plan   E5 plan
Azure AD Premium                     P1        P2
Intune                               Yes       Yes
Azure Information Protection         P1        P2
Microsoft Advanced Threat Analytics  Yes       Yes
Cloud App Security                   No        Yes
Configuration Manager                Yes       Yes
Azure AD Premium is the central identity store used for all the applications in EMS and Microsoft 365.
Azure AD Premium is available with three different levels of capabilities: Basic, P1, or P2. P1 and P2
include features that are important for unified endpoint management. Some of the additional features
included with the P1 and P2 plans are:
●● Self-service password reset
●● Writeback from Azure AD to on-premises Active Directory Domain Services (for example, password
and device writeback through Azure AD Connect, so that changes made in the cloud are reflected
on-premises)
●● Microsoft Azure Multi-Factor Authentication (MFA) for cloud and on-premises apps
●● Conditional access based on group, location, and device state
●● Conditional access based on sign-in or user risk (P2 plan only)


Intune is a cloud-based enterprise mobility management (EMM) service that enables user productivity
while keeping your corporate data protected. Intune integrates with Azure Active Directory for identity
and access control, and Azure Information Protection for data protection. Intune can enforce security
policies, wipe devices remotely, and deploy apps.
Use Intune to manage apps and mobile devices by “enrolling” devices. When you enroll, you can use
profiles to manage different settings and features on devices.
System Center Configuration Manager is an on-premises product used to manage Windows, macOS
PCs, and servers. Configuration Manager has a rich set of capabilities that allow you to highly customize
the following areas:
●● Application management
●● OS deployment
●● Software update management
●● Device compliance
Azure Information Protection encrypts documents and enforces policies on how they can be used.
Document data is more protected because only authorized users can access the contents.
Microsoft Advanced Threat Analytics can:
●● Detect suspicious activities and malicious attacks.
●● Adapt to the changing nature of cyber-security threats.
●● Provide focus and clarity around what is important with a simple attack timeline.
●● Reduce false positives.
Cloud App Security uses data collected from your firewalls and proxy servers to identify cloud
application usage. This can help identify unauthorized applications that might be a threat to your data.
Additionally, it can identify unusual usage patterns that might indicate a problem.
Cloud App Security is an add-on that you can combine with your Microsoft 365 subscription. Cloud App
Security provides you with visibility of your cloud apps and services. It also provides sophisticated
analytics to help to identify and combat security threats, and enables you to control data flow in and out
of your organization.
Cloud App Security provides the following features:
●● Identify cloud apps used in your organization. Your users might be accessing other software as a
service (SaaS) platforms that could present a potential security risk.
●● Protect your sensitive information. You can label and monitor sensitive data and identify how the data
is distributed and stored.
●● Identify and mitigate threats in your cloud apps. You can receive notifications about possible threats
based on unusual behavior and other anomalies.
●● Ensure compliance. This helps you to remain compliant with data storage regulations and
certifications, such as GDPR.
Microsoft Identity Manager 2016 binds Microsoft's identity and access management solutions together
by seamlessly bridging multiple on-premises authentication stores like Active Directory, LDAP, Oracle,
and other applications with Azure Active Directory. This provides consistent identity experiences for both
on-premises business applications and SaaS solutions.

Azure Advanced Threat Protection (ATP) is a cloud-based solution to identify, detect, and investigate
threats, compromises, and malicious actions. ATP helps you:
●● Detect and investigate advanced attacks on-premises and in the cloud.
●● Identify suspicious user and device activity with both known-technique detection and behavioral
analytics.
●● Analyze threat intelligence from the cloud and on-premises.
●● Protect user identities and credentials stored in Active Directory.
●● View clear attack information on a simple timeline for fast triage.
●● Monitor multiple entry points through integration with Windows Defender Advanced Threat
Protection.

Cloud-connected device management


If you have an existing on-premises Configuration Manager infrastructure, you can connect it with your
cloud-based Intune management system using the “co-management” function from Configuration
Manager. This cloud-connected scenario lets you manage Windows 10 devices using Configuration
Manager and Microsoft Intune concurrently. It brings Intune functionality into your device management
ecosystem and provides immediate value, such as:
Conditional access – Conditional access makes sure that only trusted users can access your
organizational resources on trusted devices using trusted apps. With co-management, Intune evaluates
each device against your compliance policies, and that compliance state is what Azure AD conditional
access uses to decide whether the device is trusted. Intune makes sure devices and apps are
managed and securely configured, and reports active security incidents on a device so that access
can be blocked until the device is remediated.
Remote actions – You can manage every registered device every time it connects, no matter where it is.
Remote device actions give you management controls on the device without interfering with personal
data of your users. These remote device actions allow you to:
●● Delete company data on lost or stolen devices
●● Rename a device
●● Restart a device
●● Review device inventory
●● Remotely control a device
●● Wipe out pre-installed OEM apps with a Fresh Start reboot
●● Do a factory reset on any Windows 10 device
Client Health – Configuration Manager monitors client device health while it’s connected to your
network. On a co-managed device, Intune communicates with and monitors the health of the device -
even when it’s not connected to your network. With co-management, Intune can report on the health of
the client. It provides timestamp information for the validity of the data, which tells you if your devices
are healthy, able to connect, able to install apps, or able to update to the required OS builds. With this
feature, you have an external data source with Intune. It allows you to determine what the next steps
should be when troubleshooting client issues. You don't need to create additional reports or use other
tools to get client data, which saves you time and effort.
Windows 10 Autopilot – When you use co-management and Autopilot together, new devices entering
your network get configured the same way existing devices are. In this setup, devices are enrolled in
Intune and have a Configuration Manager client. It allows you to use the Windows 10 provisioning model
and helps you eliminate the need to create, maintain, and update custom operating system images. It can
also reduce time, costs, and complexity, and lets you use Autopilot and Configuration Manager to
migrate existing Windows 7 devices to Windows 10.
Hybrid Azure AD – Azure Active Directory (Azure AD) allows you to link your users, devices, and
applications across both cloud and on-premises environments. Joining your devices to Azure AD
(hybrid Azure AD join for devices that are already domain joined) helps you improve productivity for
your users and improve security for your resources. Having devices in Azure AD is the foundation for
both co-management and device-based conditional access. It also includes:
●● Single sign-on to cloud resources
●● Windows Hello for Business
●● Device-based conditional access
●● Automatic device licensing
●● Self Service functionality
●● Enterprise state roaming
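Because co-management and device-based conditional access both depend on the device actually being in Azure AD, the first thing to check on a device that is not getting the expected policy is its join state. The following PowerShell is an added example, not part of the course material: it parses the output of `dsregcmd /status` (the built-in Windows tool that reports the device's Azure AD state) and classifies the device as hybrid Azure AD joined, Azure AD joined, Azure AD registered, or not joined. The sample output embedded below is constructed for the example, with a made-up device ID and tenant name; `Get-DeviceJoinState` runs the real command.

```powershell
# Added example (not from the course text): classify a device's Azure AD join state from
# "dsregcmd /status". Field names (AzureAdJoined, DomainJoined, WorkplaceJoined, DeviceId,
# TenantName) are the ones dsregcmd prints; the sample output below is constructed.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" lines grouped under boxed section headers;
        # the headers and separators contain no colon and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad = $fields['AzureAdJoined']   -eq 'YES'
    $dom = $fields['DomainJoined']    -eq 'YES'
    $wp  = $fields['WorkplaceJoined'] -eq 'YES'
    $state = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
             elseif ($aad)       { 'Azure AD joined' }
             elseif ($wp)        { 'Azure AD registered (workplace joined)' }
             elseif ($dom)       { 'Domain joined only (not in Azure AD)' }
             else                { 'Not joined' }
    [pscustomobject]@{
        JoinState           = $state
        DeviceId            = $fields['DeviceId']
        TenantName          = $fields['TenantName']
        # Device-based conditional access and co-management need an Azure AD device object.
        EligibleForDeviceCA = $aad
    }
}

function Get-DeviceJoinState {
    # Run the real tool on this device and classify its output.
    ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
}

# Constructed sample output (abridged) for a hybrid Azure AD joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 5d8e9c3a-0000-4000-8000-000000000001
                TenantName : Contoso
'@ -split "`r?`n"

ConvertFrom-DsregStatus -Lines $sample   # JoinState: Hybrid Azure AD joined, EligibleForDeviceCA: True
```

A device that reports "Domain joined only" will never satisfy a device-based conditional access policy, however well Configuration Manager manages it, because Azure AD has no device object to attach a compliance state to; the fix is to complete hybrid Azure AD join through Azure AD Connect rather than to loosen the policy.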

Teamwork in Microsoft 365


Introduction
Working in teams is an essential part of today’s modern workplace. An increasing number of workers are
remote, mobile, or work from different time zones and geographic locations. In this module you will learn
about the Microsoft 365 tools that facilitate teamwork for all workers, no matter where they are located
or how they connect to your organization's resources. These tools include apps designed for
co-authoring and file sharing, security and compliance controls, and access controls via Azure Active Directory.
After this lesson, you should be able to:
●● Define the teamwork scenarios that are enabled in Microsoft 365.
●● Name the products in Microsoft 365 that are part of the teamwork toolkit.
●● Describe how Microsoft 365 can help you run meetings and projects more effectively.
●● Explain how Microsoft 365 analytics tools can improve efficiency.

Teamwork tools in Microsoft 365


No two teams look exactly alike. The nature of teamwork continues to evolve as teams of various shapes
and sizes come together for short-term and long-term projects.
Microsoft 365 gives your teams the right tools at the right time for the right task, along with common
services to help you work fluidly across applications.
The teamwork products benefit from the same enterprise-level security, compliance, and manageability
as the rest of Microsoft 365.

With the familiar Outlook email-based experience you can stay in touch with colleagues, and share
calendars, files, and tasks, to make sure important deliverables get attention.

You can store your content in the cloud with SharePoint and OneDrive for Business. This lets you access
your files on any device and share them with others inside and outside your organization. Because the
files are in the cloud, team members can collaborate on them in real time using familiar Office
applications like Word, Excel, and PowerPoint.
Microsoft Teams is the digital hub for teamwork in Microsoft 365. It brings together team conversations
and content so your users can stay up-to-date on critical projects. It includes everything teams need to
stay connected—chat, phone calls, content, and meetings—and can be customized with applications and
bots that support a given project. With guest access in Teams, you can invite people from both inside and
outside your organization to work on projects.
Yammer is a community conversation tool designed to help encourage open dialogue, idea generation,
and connections across the company. Yammer lets you create communities of interest and forums that
bring people together, improve transparency, and give everyone a voice. You can even grant external
access to partners and customers as needed.
Microsoft 365 is built on an intelligent fabric that keeps it all connected and secured no matter what app
or service you are working in as a team. Microsoft Graph provides a seamless connection between
people and relevant content. Office 365 Groups enable a single team identity across apps and services,
and centralized policy management enhances security and compliance.

Choose the right teamwork tools


Which tools are best for your organization's teamwork needs? It generally depends on your team
members' roles in the project and how you intend to communicate and collaborate with them. Team members
can typically be categorized as either part of the inner loop or outer loop of people that you collaborate
with:

The inner loop is made up of the people you actively work with on a regular basis. Use Microsoft Teams
to let the inner loop members stay tightly connected on project updates and related content and files no
matter where they are located.
The outer loop is made up of the people you may not work with regularly on a project or in the team, but
who have a vested interest, like a project stakeholder or common goal. Use Yammer to openly share
information, find expertise, and share ideas across your organization. Groups and conversations are open
and viewable to everyone. If you prefer working in email, Outlook is an ideal way to start the
conversation.
When it comes to managing team content and files, SharePoint is the tool that brings together content
from Microsoft Teams, Yammer, and Outlook to keep track of critical project information no matter where
the conversation starts.

Work together on files and content


Users work in many ways, sometimes along departmental lines and other times with team members from
other departments. Often, they also work with people from outside their own organization, such as
suppliers and customers. Microsoft 365 enables users to easily and securely share their documents and
data, work together with teammates anytime, get feedback insights from colleagues, and store content
easily with version history to keep up-to-date with document progress. When you enable external access
by using the Microsoft 365 admin portal, users can send sharing invitations for specific content.
When users are working together on a document in real time, it’s called co-authoring. Microsoft 365
provides co-authoring capabilities across all the core Office apps. You can co-author on an Office
document when it is stored in OneDrive for Business or SharePoint. Microsoft Teams brings author presence
information into the co-authoring experience and adds a chat-based workspace for the people who are
actively working in the doc.

OneDrive for Business and SharePoint in Microsoft 365 provide shared storage, document version
controls, and permission settings to enable multiple users to seamlessly edit the same document.
Microsoft Teams provides the entire team, including outside consultants and independent contractors,
with a single point of access to everything they need to move a project forward, including project specific
applications like creative resources, development repositories, and survey and analytics tools. Teams is
also fully integrated with Microsoft applications including Word, Excel, PowerPoint, Power BI, and Stream,
so the team can collaborate and access information without leaving their shared Teams workspace. All
files that are worked with in Teams are automatically stored in SharePoint, and team members can
customize intranet sites with project details and announcements for the broader organization. Teams is
the place to have informal chats, iterate quickly on a project, work with Teams files, and collaborate on
shared deliverables.
Microsoft Teams is also customizable and configurable. You can enable, disable, and configure apps for
Teams, including tabs, connectors, and bots provided by Teams (first-party apps, also known as default
apps) or by a third-party (also known as external apps). Additional settings let you specify whether
external apps are enabled by default and which users can sideload apps to Teams. You can control
organization-wide user settings such as external access and guest access to let your users work with
people outside your organization. Other configurable settings include email integration, file sharing and
cloud file storage, organizational charts, device authentication for Surface Hubs, and scoped directory
searches.

Use teamwork tools to run meetings and projects

It is estimated that the average knowledge worker spends nearly one third of the week in meetings. The
most productive meetings bring together subject matter experts and project teams to have focused,
interactive discussions that help them make informed decisions. The key to achieving this productivity is
better preparation, supported by tools that encourage positive work and meeting habits.
With Microsoft 365 you can:
●● Easily schedule calls and online meetings.
●● Quickly start a meeting through an ad hoc call or instant message.
●● Create a shared workspace for all your team conversations, files, meetings, and apps.
●● Automate processes and workflows across your organization.
●● Save time with self-service tools for schedule and task management.
Outlook provides calendar and file integration to ensure meeting tools can be accessed seamlessly. Team
members can access shared Outlook calendars and link to shared files in SharePoint and OneNote.
Microsoft Teams lets employees form teams around important projects by organizing conversations,
files, meetings, and tools into a single hub for teamwork complete with rich audio and video capabilities.
Collaboration begins the moment the meeting is scheduled. Attendees can immediately connect on
group chat to prepare for the meeting and share relevant documents ahead of time. Learn about meeting
participants by hovering over Teams profiles to see organizational and LinkedIn background. Teams also
enables company employees and users from outside the company to collaborate on a project in real-time
by using a whiteboard.
During meetings, video and screen sharing create a focus among the group, while new AI services
provide auto-translation, transcription, and recording so participants get more out of the experience.
Following the meeting, notes and action items can be automatically transcribed and distributed to the
group, and anyone who was unable to attend can easily go back and watch the meeting.

Collect and share knowledge


Microsoft 365 helps to connect people, content, conversations, and activity, and helps people discover
and share knowledge. The result is that users can find not only answers, but insights.
Yammer is designed to help you encourage open dialogue, idea generation, and connections across your
company. With Yammer you can modernize organization-wide communication, with two-way executive
forums or live company-wide meetings, giving everyone a voice. Create communities of interest, execu-
tive forums and even facilitate live town hall meetings to improve transparency. Yammer even grants
external access to partners and customers where necessary.
Microsoft Stream enables everyone in the organization to securely create, discover, and share videos,
and it integrates into the teamwork apps employees use most, including Teams, OneNote, SharePoint,
and Yammer.
Microsoft Search provides a rich, familiar, and consistent search experience across the web and the apps
used in your organization. Regardless of the interface used, you get the same experience, personalized
and contextualized for that specific interaction point.
●● Microsoft Search in Bing.com: Searching in Bing returns both your organizational results and web
results, making it an easy choice for broad searches. Recently added capabilities allow you to search
across conversations in both Teams and Yammer simultaneously.
●● Microsoft Search in Office.com: Microsoft Search in Office.com surfaces the same search scope
across Microsoft 365, allowing you to find what you need and get back to your work faster. Find
recent and recommended documents, as well as content flagged by colleagues for your review, and
keep up-to-date with what has been worked on since you last looked at it.
●● Microsoft Search in the SharePoint mobile app: The SharePoint mobile app includes search as the
default experience when you enter the app. The search interface shows common questions, personal-
ized results, and frequent searches that you can curate for your organization.
●● Microsoft Search in the Outlook mobile app: The Outlook mobile app, available for iOS and
Android, prioritizes the search experience by providing easy access to commands, content, and
people. By placing your cursor in the search box, you can use “zero query search” to see recommen-
dations powered by AI and Microsoft Graph.

Create communication sites


In large organizations, especially those with multiple geographic locations, employees can feel discon-
nected from one another and from the decisions made in headquarters. Providing forums for open, trans-
parent communication is one of the most important steps you can take to keep your employee commu-
nity connected. From modern intranet sites to engaging discussion tools, Microsoft 365 helps you
communicate at scale to reach people where they are with compelling digital employee experiences.
With SharePoint you can create communication sites. These sites are designed to publish curated news,
important announcements, stories, and resources to employees, regardless of their device or location.
Easy-to-use templates available on the SharePoint home page in Office 365 help you quickly create a
professional design.
Once you’ve created a communication site, you can adjust page layouts and add web parts to pull in
valuable content from other services, like conversations from Yammer, videos from Microsoft Stream, and
content from across Office 365. You can use these sites to communicate about upcoming events, cam-
paigns, or product launches, or share team insights and expertise on various topics. The result is a vibrant,
interactive, dynamic experience for your site visitors that keeps them engaged.

Workplace Analytics
Microsoft 365 includes two analytic tools that gather data and use AI to provide insights into the working
habits of individuals and organizations - MyAnalytics and Workplace Analytics.
MyAnalytics lets you see how you spend your time at work and then suggests ways to work smarter –
from cutting unproductive meeting time to getting better work/life balance. MyAnalytics does this by
looking at data about emails, meetings, and Teams calls and chats, as well as how you use Office 365.
MyAnalytics is included in the Microsoft 365 E5 subscriptions and supports Outlook add-ins.
Note: MyAnalytics doesn't use agents or tracking software, and it doesn't use data from any other
activities on your computer, such as applications or websites viewed.

While MyAnalytics provides insight at the individual level, Workplace Analytics focuses on the organiza-
tion. Use Workplace Analytics to identify collaboration patterns that impact productivity, workforce
effectiveness, and employee engagement. It helps you understand how your organization spends its time
and how groups work together. When you understand how your org works, you can look for efficiencies
and best practices.

Additional reading: For more information on Workplace Analytics, see https://docs.microsoft.com/en-us/workplace-analytics/index

Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Which of the following are feature pillars of Windows 10 Enterprise?
(A) Limited hardware support
(B) Complex updates
(C) Intelligent security
(D) Rigid management
2. You want the ability to communicate with colleagues by using instant messaging. Which Microsoft 365
app enables this?
(A) Microsoft Exchange Online
(B) Microsoft Intune
(C) Microsoft SharePoint online
(D) Microsoft Teams
3. Which of the following is a cloud-based platform that combines customer relationship management
and enterprise resource planning?
(A) Power BI
(B) Microsoft Dynamics
(C) Yammer
(D) OneDrive for Business
4. Which Microsoft 365 service or app enables you to manage users’ devices?
(A) Exchange Online
(B) Teams
(C) Microsoft Intune
(D) Microsoft Azure Active Directory (Azure AD)
5. You are the IT manager for your organization. What is the simplest approach to have your users install
Office on their client devices?
(A) Use the Office Deployment Tool
(B) Install directly from the Office 365 portal
(C) Use Configuration Manager
(D) Use Microsoft Intune
6. Which Windows as a service (WaaS) update channel does not receive feature updates?
(A) Windows Insider program
(B) Semi-Annual Channel
(C) Semi-Annual Channel (Targeted)
(D) Long-Term Servicing Channel
7. Which of the following lets you see how you spend your time at work and then suggests ways to work
smarter, like cutting unproductive meeting time?
(A) Advanced Threat Analytics
(B) MyAnalytics
(C) Yammer
(D) Microsoft Stream
Answers:
1.(C) 2.(D) 3.(B) 4.(C) 5.(B) 6.(D) 7.(B)
Lab - Configuring Microsoft 365 tenant


Lab Introduction
This lab is designed to reinforce the concepts to which you were introduced and the knowledge you have
gained in this module. In this lab, you will use various administrative portals to manage your Microsoft
365 tenant. You will also create both user and group accounts, and assign licenses to users.
Important: this lab has two exercises, each with multiple tasks. For a successful outcome, the exercises
and their corresponding tasks must be completed in order.
To perform the tasks in the labs for this course you will need an Office 365 trial. To acquire an Office 365
Enterprise E5 trial, see https://go.microsoft.com/fwlink/p/?LinkID=698279&culture=en-US&country=US.
Note: You may already have an Office 365 tenant connected to your Microsoft ID. However, you may not
have the administrator access to perform the lab tasks in that tenant. What’s more, you may not want to
perform these sample lab steps in your live production Office 365 environment.

Exercise 1 Explore the Microsoft 365 tenant

Task 1: Sign in to the tenant

1. Open Microsoft Edge.
2. Navigate to https://www.office.com.
3. Sign in with the global admin account credentials for your Office 365 tenant. See Lab introduction to
acquire a trial Office 365 tenant.
4. Click the Admin tile.

Task 2: Explore the Microsoft 365 admin center


1. In the Microsoft 365 admin center, in the navigation pane, select Show all.
2. Expand Users, and then select Active users. View the available accounts.
3. Select the top user in the list by clicking their name. A blade opens that displays more details for the
account. Close the blade by clicking X in the upper right corner of the blade.
4. Expand Groups, and then select Groups. If you are using a recently created trial Office 365 tenant this
page will likely be empty. If you do not already have groups add one by clicking Add a group.
5. Expand Billing, and then select Licenses. At least one set of licenses should display.

Task 3: Explore the Azure Active Directory admin center


1. Expand Admin centers, and then select Azure Active Directory. Notice that a new tab opens in
Microsoft Edge.

2. In the Azure Active Directory admin center, on the Dashboard, select Azure Active Directory from
the navigation pane.
3. Click Users. Notice the same user accounts from Office 365 are displayed.
4. Close the Users – All users blade. Notice on the dashboard in the Users and groups area the group
you created earlier appears. You can see the same groups from Office 365. You can click Find a group
in the Quick tasks area to search for a specific group.
5. Close the Groups – All groups blade.
6. On the Azure Active Directory admin center dashboard click Company branding.
7. Notice the settings configured for branding.
8. Close the company branding blade.

Task 4: Explore the Intune classic portal


1. Open Microsoft Internet Explorer and navigate to azure.com. (You need Internet Explorer to view
the Intune classic portal.) Sign in using the global admin account assigned to the Office 365 tenant.
2. In the search box, type Intune, and then click Intune.
3. In the Microsoft Intune dashboard click Groups. You may see text that informs you that groups are
managed in the Azure Active Directory portal. This is because many administrative tasks are now
performed using the new portal.
4. Click Naming policy, notice you can click and set Group naming policy.
5. Close Internet Explorer.

Exercise 2 Configure new user and group accounts

Task 1: Add a user

1. Switch to the Azure Active Directory admin center, and in the navigation pane, select Azure Active
Directory, and then select Users.
2. In the Users - All users blade, select + New user.
3. In the User blade, enter the following information:
●● Name: Enter your name
●● Username: Your_first_name@<your_tenant_here>.onmicrosoft.com
4. Select Profile, enter the following information, and then select Ok:
●● First name: A first name
●● Last name: A last name
●● Department: IT
5. Select Groups.
6. Scroll down and select the group you created earlier in exercise 1.
7. Click Select.
8. Select the Show Password check box, and note the password for later use.
9. Select Create.

Task 2: Create a group


1. In the navigation pane, click Azure Active Directory, and then click Groups.
2. Click New group.
3. In the Group blade, in the Group type list, select Security.
4. In the Group name box, type Windows 10 Deployment.
5. In the Group description box, type Windows 10 Deployment Team.
6. In the Membership type list, notice that Assigned is already selected.
7. Click Members.
8. On the Members blade, scroll down and select the account you just created
9. Click Select.
10. On the Group blade, select Create.
11. Navigate to All groups, and verify that the Windows 10 Deployment group now displays.

Task 3: Assign licenses


1. In Microsoft Edge, switch to the Microsoft 365 admin center tab, and then click Billing. The Billing
options differ between the new and the classic Microsoft 365 admin center; switch views if you do not
see the options described below.
2. Click Subscriptions, and then click Assign to users.
3. Select the account you just created and then, next to Product licenses, click Edit.
4. In the Location list, select your current location.
5. Enable an Office 365 E5 license for the account and then click Save.
6. Click Close.
7. Close all open windows.
Module 3 Security, compliance, privacy, and trust in Microsoft 365

Organizational security fundamentals


Introduction
Many organizations are considering moving to the cloud, but some still have security concerns about
making this transition. By using a cloud service, your organization entrusts your service provider to
process your data, and to store and manage your data securely. In this module, you will learn about the
security features Microsoft 365 provides to address those concerns.
After this lesson, you should be able to:
●● Describe the key pillars of security.
●● Identify the common security threats.

Pillars of computer security


The goal of any security design is to provide for defense in depth. Defense in depth is a security concept
in which you protect your data by using several layers of security. If a malicious hacker, or attacker,
compromises one layer of defense, other layers continue to offer protection. An analogy for the defense-
in-depth concept is castles. Castles have moats, outer walls, and inner walls. A networking example is the
common practice of having an external firewall, a perimeter network, and an internal firewall, with
additional firewalls that you configure on each host computer.
Note: Firewalls block or allow network traffic based on the traffic’s properties. You can utilize hard-
ware-based firewalls or software firewalls that run on a device (known as host firewalls). Depending on
your firewall’s sophistication, you can configure it to block or allow traffic based on the following charac-
teristics:
●● Traffic source and/or destination address
●● Traffic source and/or destination port
●● Traffic protocol
●● Specific packet contents

However, when it comes to data security no single solution can ensure that data remains secure. Instead,
organizations must use a layered approach to protect their data. If you want to protect data on your
organizational computers, this might involve implementing drive encryption, file and folder permissions,
and rights management. If your information is stored in the cloud, then you must also consider imple-
menting appropriate security measures within your cloud-based infrastructure.
Keep in mind that no one security solution will fit all organizations. Consider the various security solutions
and settings as being analogous to a pendulum. At one end of the pendulum’s arc you have a highly
secure system that is so secure it’s almost unusable. At the other end of the arc, you have a highly
useable system that has very little and most likely inadequate security. Each organization must choose
where on that arc they want to operate. Then they must select and configure appropriate security settings
to achieve that goal.
Microsoft provides a holistic approach to security, helping you to protect identities, data, applications,
and devices across on-premises, cloud, and mobile environments. The four key pillars described in the
following sections, identity and access management, information protection, threat protection, and
security management, are foundational to the security of every computer system:

Identity and access management concepts


Identity is used to identify a user so that they can be authorized to access resources within your IT
infrastructure. Typically, we identify users through the use of user accounts; these accounts are assigned
an appropriate level of access or privilege on a particular system. Most people have many user accounts.
These accounts might identify people to their bank, their credit card company, or to their own personal
computer. Your users might have a number of user accounts within your organization, such as Local
accounts, Active Directory Domain Services (AD DS) domain accounts, Microsoft Azure Active Directory
(Azure AD) accounts, and a Microsoft account.
●● Local accounts. A local user account resides on the local Windows 10 device only. It does not allow a
user to access resources on other computers. All Windows 10 computers have local accounts, al-
though typically they are not used interactively.
●● Domain accounts. Most organizations implement AD DS forests to consolidate their users’ comput-
ers into manageable units known as domains. An AD DS database stores domain user accounts, which
the operating system can then use to authenticate users who are trying to access any domain-joined
device anywhere in the forest.
●● Azure AD accounts. You can use Azure AD to store user accounts that your users can utilize to access
hosted services based in the cloud, such as Microsoft Office 365. For those organizations that main-
tain an on-premises AD DS environment, Azure AD can integrate with on-premises AD DS deploy-
ments. This scenario allows users to access resources from on-premises devices, and from cloud-based
services and resources. However, integration usually requires synchronization between the two directories.
●● Microsoft accounts. Your users can use a Microsoft account regardless of their location or the
organization of which they are a member. A Microsoft account includes an email address and a
password that your users use to sign in to different services. Users already have a Microsoft account if
they sign in to services such as Microsoft OneDrive, Xbox Live, Outlook.com (formerly Hotmail), or
Windows Phone. Your users also can use their Microsoft accounts to authenticate with Azure AD. This
scenario is useful when you must support temporary or contract staff as the account is external to the
Azure AD directory.
●● Other accounts. Most users also have access to social accounts, such as Facebook and Twitter. Many
also use Apple and Google accounts to access platform-specific stores and other resources.
Because a user account (or accounts) is the primary means of determining who a user is, it’s important
that we protect the process of verifying identity. Identity protection is the method that you use to do this.
Microsoft 365 includes a number of features that enable you to identify when a user account might have
been compromised. For example, a change in sign-in time of day, or a new or unusual sign-in location
can be signs that an account has been compromised. When you identify these changes, you can take
action.
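The two signals named above, an unusual sign-in hour and a new sign-in location, are easy to check against a user's own history. The following is an added example, not code from the course or from Microsoft's identity protection service: it replays a constructed sample sign-in log and judges each sign-in only against that user's earlier sign-ins, so the suspicious event never becomes part of its own baseline. The record layout, the thresholds, and the country codes are assumptions chosen for illustration.

```python
"""Flag sign-ins that deviate from a user's established baseline.

Added example; this is not code from the course or from Microsoft's identity
protection service. It implements the two heuristics named above (unusual
sign-in hour, new sign-in location) over a constructed sample log. The record
layout, thresholds and country codes are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in log: (user, UTC timestamp, country, client IP)
SAMPLE_SIGNINS = [
    ("alice", "2024-03-04T08:12:00Z", "GB", "203.0.113.10"),
    ("alice", "2024-03-05T17:55:00Z", "GB", "203.0.113.10"),
    ("alice", "2024-03-06T09:05:00Z", "GB", "203.0.113.11"),
    ("alice", "2024-03-07T08:40:00Z", "GB", "203.0.113.10"),
    ("alice", "2024-03-08T03:20:00Z", "RU", "198.51.100.77"),   # off-hours, new country
    ("bob",   "2024-03-04T13:00:00Z", "US", "192.0.2.5"),
    ("bob",   "2024-03-05T14:30:00Z", "US", "192.0.2.5"),
    ("bob",   "2024-03-06T15:10:00Z", "US", "192.0.2.9"),
]

BASELINE_MIN_EVENTS = 3   # assumption: judge a sign-in only after this many earlier ones
HOUR_SLACK = 2            # assumption: hours outside [earliest-2, latest+2] are unusual


def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_anomalies(signins, min_events=BASELINE_MIN_EVENTS, hour_slack=HOUR_SLACK):
    """Replay sign-ins in time order and judge each one against that user's
    earlier sign-ins only, so the event under test never pollutes its own
    baseline. Returns [(user, timestamp, [reasons])] for flagged sign-ins."""
    history = defaultdict(list)      # user -> [(hour, country), ...]
    findings = []
    for user, ts, country, _ip in sorted(signins, key=lambda r: r[1]):
        hour = parse_utc(ts).hour
        prior = history[user]
        reasons = []
        if len(prior) >= min_events:
            seen_countries = {c for _, c in prior}
            hours = [h for h, _ in prior]
            if country not in seen_countries:
                reasons.append(f"new sign-in location {country}")
            if hour < min(hours) - hour_slack or hour > max(hours) + hour_slack:
                reasons.append(f"unusual sign-in hour {hour:02d}:00 UTC")
        if reasons:
            findings.append((user, ts, reasons))
        prior.append((hour, country))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(SAMPLE_SIGNINS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Only alice's 03:20 sign-in from a country she has never used is flagged; bob's sign-ins are never judged because he has not yet accumulated enough history, which is the kind of cold-start gap a real service fills with organization-wide and global signals rather than per-user history alone.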

Information protection concepts


When considering how best to secure your organizational data, it’s important to consider two situations:
●● Data at rest. Data at rest is data stored somewhere, for example on a file server, a hard drive or USB
flash drive, or in a mailbox. Each of these storage locations poses different security risks. For example,
it’s fairly easy to lose a thumb drive; a laptop is an attractive device for theft; malicious people know
that a file server contains organizational data. Each of these situations presents a different challenge
for security personnel to solve, whether that’s by using drive encryption, rights management
software, or host and network security such as antimalware and firewalls.
●● Data in transit. Any time data moves between a user’s device and the server that hosts their data, it’s
at risk. For example, when a user reads their email on their cellphone, the email message is pushed to
their device. It’s important that not only is the data protected while in transit to the device, but that
the data is sent to the correct device as well. Authentication and encryption are the two technologies
used to help ensure safe transit of data to and from users’ devices, or between devices on your
network.
Note: Malware, or malicious software, is software that attackers design to harm computer systems.
Malware can do many things, from causing damage to the computer, to allowing unauthorized parties
remote access to the computer, to collecting and transmitting sensitive information to unauthorized third
parties. There are several types of malware, including computer viruses, computer worms, Trojan horses,
ransomware, and spyware.

Threat protection concepts


Threats to your organization’s data and infrastructure can originate from both devices and the network.
Device security
When users connect their devices to your IT infrastructure, they potentially introduce security risks. For
example:
●● Firewall settings. If a device lacks a properly configured firewall, then every time it connects to a
network it’s at risk. This is especially true if the device connects to public, unsecured networks such as
Wi-Fi hotspots.
●● Antivirus / antimalware protection. Without proper antimalware and antivirus software installed
and up to date, a device is at risk of being infected with malware. That malware can then spread into
your organization when the improperly protected device connects to your network.
●● Software fixes and updates. When a weakness or flaw is discovered in an operating system or
application, the software vendor will provide an update (or patch). If a user doesn’t update their
device to include the latest updates, then the device is at risk. This might lead to malicious software
being able to transfer to the device with potential consequences for your organization’s infrastructure.
●● Lax security settings. Most users secure their phones with a PIN, but not all. And often, the PIN is too
short and fairly easy to guess. If a device contains sensitive company data, then that data is at risk on
the device.
●● Poor physical security. Many users are fairly relaxed about where they leave their phones, tablets,
and even their company laptops. Leaving devices in vulnerable places such as internet cafes,
airports, or other public places, especially if those devices lack proper security safeguards, can easily
lead to data leakage.
Some of the preceding risks can be mitigated with proper end-user education about the importance of
security, and guidance on enabling a secure PIN or using the biometric protection built-in to many
devices these days. (Many laptops, tablets, and mobile devices today offer fingerprint and facial recogni-
tion software). But beyond education, to properly secure your organization’s IT infrastructure you must be
able to impose those security settings on devices, including those owned by your users, and restrict
access based on failure to adhere to those policies.

Network security
In our connected world, being able to gain access to an organization’s network means getting through
the security door. There are numerous possible forms of network attacks, which can be thwarted by
proper network access planning.
Wi-Fi is extremely convenient, enabling your users to quickly and easily connect their devices to the
network. However, it also makes it easier for a malicious person to also gain access to your network
because they no longer need a physical connection.
To help protect your network, you must take a holistic approach. You must identify each possible threat,
and then plan a mitigation for it, such as requiring a rigorous form of authentication from connecting
devices. Give visitors internet access through your infrastructure, but keep them on a separate guest
network so that they never reach the corporate network.

Common security threats


IT staff face many security threats these days. They fall broadly into two groups: network security
threats and data security threats.

Network security threats


Common network security threats include:
●● An eavesdropping attack (also known as network sniffing), occurs when a hacker captures network
packets in transit on your network.
●● A denial of service (DoS) attack limits the function of a network app, or renders an app or network
resource unavailable.
●● Port scanning attacks, which can identify specific apps running on servers.
●● Man-in-the-middle attacks (MITMs), where a hacker uses a computer to impersonate a legitimate host
on the network with which your computers are communicating.

Data security threats


Common data security threats include:
●● Unauthorized users accessing information on a server.
●● Unauthorized users accessing data from a lost or stolen removable drive.
●● Data leakage arising from a lost or stolen laptop or removable media that contains company informa-
tion.
●● Data leakage arising from user emails with sensitive content inadvertently being sent to unintended
recipient(s).

Security management concepts


Security management brings the first three pillars together; you must be able to manage your security
settings to address each of them. Security management can be proactive and reactive. In the
case of proactive management, you might choose to implement a certain type of authentication in your
organization to meet perceived threats. You might choose to implement security policies to require
complex passwords, or to use a public key infrastructure (PKI) to ensure more secure identity.
You might also choose to plan to use certain encryption technologies to help to protect data in transit
and data at rest, or implement compliance policies on your devices to help to ensure they meet organiza-
tional requirements.
In terms of reactive management, you will most likely want access to tools that can help identify security
threats, or infractions that are currently taking place. Monitoring tools can be helpful in these situations,
and can also identify corrective action that you can take to remedy a situation.
Security features in Microsoft 365


Introduction
The sophistication and capabilities of cyberattacks are evolving at a rapid pace. Cyberattacks are now a
weapon of choice for both large-scale organized crime and nation states. Coupled with these emerging
threats, the proliferation of devices in our connected world increases the surface area of attacks. Cyberat-
tacks can be devastating—and the people with the security skills to meet the challenge are in short
supply.
When it comes to defending against cyberattacks, companies need to consider their digital estate. This
represents all the assets you need to help protect. This is a bit different now than it was five or ten years
ago - you're now responsible for protecting a set of technologies you might not own, like user-owned
mobile devices that access corporate data. It also includes systems and devices that your partners and
customers use to access your information. Any one of these points can be a point of vulnerability. When
it comes to security, you can no longer draw perimeters around your organization. In this lesson you will
learn about the different Microsoft solutions for managing security in your organization.
After this lesson, you should be able to:
●● Describe how Microsoft 365 helps protect identity and access.
●● Describe how Microsoft 365 helps you against threats and protects your information.
●● Describe how Microsoft 365 classifies information to protect it from data loss.
●● Describe the Microsoft 365 Security Center.

Identity and access in Microsoft 365


The first security pillar, identity & access management, is one of the most important. Microsoft 365 helps
you identify who is accessing your resources and control exactly what they can access.

Secure authentication
Helping secure your users helps protect against breaches. And one important area is the quality of user
passwords. Passwords are problematic. Users are expected to remember complex passwords for a variety
of different accounts, both personal and for work. Issues with passwords include:
●● Strong passwords can be difficult to remember
●● Users often reuse passwords on multiple different sites
●● Server breaches can expose symmetric network credentials (passwords).
●● Passwords are subject to replay attacks.
●● Users can inadvertently expose their passwords due to phishing attacks.
This poses a significant security risk: once bad actors obtain a compromised password, they can sign in
to every site where it was reused. A large share of breaches involve compromised passwords. What if we
could remove passwords altogether? Microsoft 365 solutions include password replacement options to
help reduce risk.
Multi-factor authentication (MFA). Many authentication systems are based on a simple password
exchange, which is not a very secure approach. By using multiple factors to authenticate, you can achieve
significant security improvements. MFA relies on users identifying themselves with at least two of the
following authentication factors:
●● Something the user knows, such as a password or a PIN
●● Something the user has, such as a digital certificate, a smartcard, or a phone running an authenticator app
●● Something the user is, as indicated by the use of facial recognition, fingerprint, or other biometrics.
MFA is provided in Office 365.
Windows Hello. In Windows 10, Windows Hello for Business replaces passwords with strong two-factor
authentication on PCs and mobile devices: a new type of user credential that is tied to a device and uses
a biometric or PIN. Windows Hello for Business lets users authenticate to an Active Directory or Azure
Active Directory account.
Microsoft Authenticator. The Microsoft Authenticator app helps you keep your accounts more secure,
especially while viewing sensitive information.
You can use the Microsoft Authenticator app in multiple ways, including:
●● Two-factor verification. The standard verification method, where one of the factors is your password.
After you sign in to a device, app, or site using your username and password, you can use Microsoft
Authenticator to approve a notification or enter a provided verification code.
●● Phone sign-in. A version of two-factor verification that lets you sign in without requiring a password,
using your username and your mobile device with your fingerprint, face, or PIN.

Conditional access
Conditional access provides granular access to keep your corporate data secure, while letting users do
their best work from any device and from any location. Conditional access helps protect sensitive data by
evaluating users, devices, apps, location, and risk before granting access to corporate data. This helps
ensure that only approved users and devices can access critical company resources.
Conditional access spans Microsoft 365 services including Intune, Office 365, and Windows 10. Conditional
access evaluates each access request against a number of criteria and then, using the policies you
define, decides whether the request should be allowed, whether stricter controls are needed, or whether
the access attempt should be blocked altogether.

Identity protection
Most security breaches are a result of attackers stealing a user’s identity. Over the years, attackers have
become increasingly effective in leveraging third-party breaches and using sophisticated phishing attacks.
As soon as an attacker gains access to even low privileged user accounts, it's relatively easy for them to
gain access to important company resources.
To help protect your users’ identities, you need to:
●● Protect all identities regardless of their privilege level.
●● Proactively prevent compromised identities from being abused.
Protect identities in your Microsoft 365 environment with:
●● Azure Active Directory Identity Protection. User accounts are critical to helping identify users, so
you need to be able to identify unusual account behavior. This helps you identify attempts to
compromise accounts, possibly by a hacker or other malicious person. When Azure AD Identity Protection
detects unusual account behavior, it can block account access, or perhaps require additional
authentication options.
●● Microsoft Cloud App Security. Analytics for your cloud apps and services, helping security teams
better understand the protections for critical data across cloud apps.
●● Azure Advanced Threat Protection (ATP). A cloud-based security solution that identifies, detects,
and helps you investigate advanced threats, compromised identities, and malicious insider actions
directed at your organization.
●● Windows 10. Built-in identity protection capabilities help protect user identities. For example,
Windows Hello, a biometric authentication feature that helps strengthen authentication and guard
against potential spoofing by using fingerprint matching and facial recognition, is built right into the
OS.

Threat protection in Microsoft 365


Microsoft Threat Protection helps protect users, identities, devices, user data, apps, and your
infrastructure.

The following solutions, included in Microsoft 365, help you deal with threats to your users, devices, and
data.

Azure Active Directory Identity Protection


Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and
suspicious incidents that indicate potentially compromised identities. Using this data, Identity Protection
generates reports and alerts so you can evaluate issues and take action.
Azure Active Directory Identity Protection is more than a monitoring and reporting tool - you can
configure risk-based policies that automatically respond to issues. These policies, along with other
conditional access controls provided by Azure Active Directory and EMS, can either automatically block or
start remediation actions like resetting passwords and enforcing multifactor authentication.

Azure Advanced Threat Protection (ATP)


Azure Advanced Threat Protection (ATP) is a cloud-based security solution that identifies, detects, and
helps you investigate advanced threats, compromised identities, and malicious insider actions directed at
your organization.
Through security reports and user profile analytics, Azure ATP helps reduce your attack surface, making it
harder to compromise user credentials and advance an attack.

Azure Security Center


Azure Security Center provides unified security management and advanced threat protection across
hybrid cloud workloads. Get a unified view of security across your on-premises and cloud workloads,
automatically discover and onboard new Azure resources, and apply security policies to ensure
compliance with security standards. You can collect, search, and analyze security data from a variety of
sources, including firewalls and partner solutions.

Microsoft Cloud App Security


Microsoft Cloud App Security gives you visibility into your cloud apps and services, provides analytics to
identify and combat cyberthreats, and enables you to control how your data travels.

Microsoft Exchange Online Protection (EOP)


Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect
against spam and malware and includes features to safeguard against messaging-policy violations. EOP
can simplify the management of your messaging environment and alleviate many of the burdens that
come with maintaining on-premises hardware and software.

Microsoft Intune
Microsoft Intune, a mobile device management component of Enterprise Mobility + Security (EMS),
integrates closely with other EMS components like Azure Active Directory (Azure AD) for identity and
access control and Azure Information Protection for data protection. When you use it with Office 365, you
can help your users be productive on all their devices, while protecting your information. For example,
Microsoft Intune prevents users from copying company data from managed applications installed on
unmanaged devices.

Office 365 Advanced Threat Protection


Because email is a primary way malware gets into your organization, Advanced Threat Protection helps to
identify threats before they land in a user’s mailbox. This feature, included in Microsoft 365 E5
subscriptions, provides protection by scanning email and URLs, identifying and blocking malicious files,
and detecting when someone tries to impersonate one of your users to access your organization's data.
Office 365 Advanced Threat Protection includes Safe Links, a feature that scans email in real time and
sends users a warning message if they select a link that could be malicious. It also includes Attack
Simulator, which you can use to run realistic attack scenarios in your organization. Attack simulations
include password spray, brute-force password, and display name spear-phishing attacks.

Office 365 Threat Intelligence


Office 365 Threat Intelligence is a collection of insights and information available in the Office 365
Security & Compliance Center. Office 365 Threat Intelligence monitors signals and gathers data from
multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents.
You can use this information to understand and respond to threats against users and intellectual
property.

Information protection in Microsoft 365


In a mobile-first, cloud-first world, important business data lives and travels everywhere.
Organizations need to balance productivity and security. How do you create and share information across
boundaries, while preventing the unauthorized disclosure, modification, or destruction of that data? What
can you do to reduce the risk that employees share sensitive information accidentally or use sensitive
information inappropriately?
To balance productivity and security effectively, you need a strategy for protecting and managing your
sensitive information. You need to know where your sensitive information is located. And you need to be
able to control it as it travels within and outside your organization. You also need to have a way to
classify, label, and apply appropriate protections to this information.
It can be helpful to think about your information protection strategy in terms of these four key activities:
●● Discover
●● Classify
●● Protect
●● Monitor
The Microsoft Information Protection solutions in Microsoft 365 help you protect sensitive data
throughout its lifecycle—across devices, apps, cloud services, and on-premises locations.

Integrated capabilities protect and manage data throughout its lifecycle


The unified labeling experience in Microsoft 365 provides organizations with a more integrated and
consistent approach to creating, configuring, and automatically applying comprehensive policies to
protect and govern data – across devices, apps, cloud services, and on-premises. The information
protection capabilities also support your overall data governance strategy. Classifying and labeling data
enables
you to apply policy-based protections and/or retention actions. Advanced monitoring and analytics
provide visibility and insights into your organization’s data. You can understand where important data
resides, receive proactive alerts on policy violations, and view recommendations on policy enhancements
based on your environment.

Integrated capabilities work together over the course of the data lifecycle to keep information protected
and managed.
The following lessons in this course will explain in greater detail how these capabilities work at each
phase of the data lifecycle.

Discover and classify sensitive information


The Discover and Classify phases of information protection involve scanning and detecting sensitive data
– all based on the policies defined and configured by your organization.
Key considerations:
●● Is there an automated way to discover important data?
●● Which regulations and compliance factors matter?
●● Is my data spread out across devices, the cloud, and on-premises servers?
●● Is my data spread out geographically?
●● Are certain employees or groups more relevant for discovery?
●● Do I know the characteristics of sensitive or important data?

Discover sensitive information


In order to protect your organization’s information, you need to be able to discover sensitive information
no matter where it is created or lives. That means having sensitive data discovery capabilities across your
on-premises file shares or datacenters, on individual devices, as well as across cloud services and SaaS
applications.
What counts as “sensitive data” for your organization will be determined by things like your industry (e.g.,
healthcare, financial services), governmental regulations and policies, as well as your organization’s
internal policies.
●● You can start by using Content Search to search for in-place items such as email, documents, and
instant messaging conversations.
●● Microsoft has many built-in sensitive information types (part of Data Loss Prevention) that can be
used to detect common sensitive information types, such as financial information, healthcare related
information, PII and other information types.
●● If you need more granular control beyond the built-in sensitive information types, you can create your
own custom sensitive information types, or add your own unique dictionary of terms to detect
against.
●● Beyond detecting sensitive information in documents and emails, you can also use Microsoft Cloud
App Security to detect content in cloud storage services, based on policy. You can discover sensitive
data across third-party SaaS apps. You can also apply labels and protection to sensitive files with
Microsoft Information Protection.
●● The Azure Information Protection Scanner enables you to discover, classify, and protect files on
on-premises servers, network shares, and on-premises SharePoint Server sites.

Classify content with sensitivity labels


After you have identified the sensitive data you want to protect, you can apply sensitivity labels to help
your organization monitor the transmission and usage of documents that are potentially sensitive.
You can use sensitivity labels to:
●● Enforce protection settings such as encryption or watermarks on labeled content.
●● Protect content in Office apps across different platforms and devices.
●● Prevent sensitive content from leaving your organization on devices running Windows, by using
endpoint protection in Microsoft Intune.
●● Extend sensitivity labels to third-party apps and services.
●● Classify content without using any protection settings.
You have flexibility in how you choose to apply sensitivity labels. You can configure a policy to
automatically apply a sensitivity label to a document based on the detection of sensitive information. For
example, a policy could be defined to automatically mark a document as “confidential” if it contains social
security numbers.
Alternatively, you can set things up so that a recommended classification and sensitivity label can be
provided to users. You can also give users the ability to override an automatic classification, while
requiring a justification for the override.
Because individual users may be most familiar with the data in your organization, you can also enable
users to classify and apply a sensitivity label themselves. For example, if they are working on a document
that contains privileged information, they can apply a sensitivity label of “highly confidential” right within
the app.

Protect information and prevent data loss


Sensitive data may initially be created on an individual device, but it's frequently shared or stored in other
locations, like cloud-based storage, on-premises file shares, or email. There are several complementary
protection measures you can take to protect this sensitive information wherever it lives or travels:

●● Microsoft 365 has data encryption built into the service – for both data at rest and data in transit.
●● To protect individual files, you can apply rights-based permissions so that only intended recipients can
access and view the information.
●● You can apply Data Loss Prevention actions, such as blocking the sharing of a file that is detected to
have sensitive information, such as credit card information or social security numbers.
●● You can limit or block access to cloud apps present in your environment, or revoke app access among
specific individuals.
●● To help end-users make more informed decisions, you can enable policy tips that notify users that the
document they are working with contains sensitive information, or you can even automatically apply a
visual marking to documents, such as a header or footer.
●● To help prevent sensitive information from staying around longer than necessary and potentially
posing a risk, you can automatically retain, expire or delete documents, based on data governance
policies defined by your company.
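
The classify-then-protect flow above, as an added illustration that is not Microsoft's code: it covers both the auto-labeling rule from the earlier section (mark a document “confidential” when it contains social security numbers) and the Data Loss Prevention action here (block sharing of a file that holds credit card or social security numbers), plus the user override that requires a justification. The detectors, label names, rules, policy tip text, and sample documents are all constructed assumptions, far simpler than the built-in sensitive information types.

```python
# Constructed, simplified model of sensitive-information detection, automatic
# sensitivity labeling, user override with justification, and a DLP sharing rule.
# Added example: not Microsoft's sensitive information types, labels, or DLP engine.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sensitivity labels in ascending order of sensitivity (assumed label names).
LABEL_RANK: Dict[str, int] = {"General": 0, "Confidential": 1, "Highly Confidential": 2}

# Constructed detectors: an SSN with structurally invalid area/group/serial values
# excluded, and a 13-16 digit run (spaces or hyphens allowed) that must also pass Luhn.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Auto-labeling rules: which detected information type implies which label.
LABEL_RULES: List[Tuple[str, str]] = [
    ("U.S. Social Security Number", "Confidential"),
    ("Credit Card Number", "Highly Confidential"),
]


@dataclass
class Classification:
    label: str
    findings: Dict[str, int] = field(default_factory=dict)  # info type -> count
    policy_tip: str = ""                                     # shown to the user in the app


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def detect(text: str) -> Dict[str, int]:
    """Count the sensitive information types present in the text."""
    findings: Dict[str, int] = {}
    ssn_hits = len(SSN_RE.findall(text))
    if ssn_hits:
        findings["U.S. Social Security Number"] = ssn_hits
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    if cards:
        findings["Credit Card Number"] = len(cards)
    return findings


def classify(text: str) -> Classification:
    """Auto-apply the highest label implied by the detected information types."""
    findings = detect(text)
    label = "General"
    for info_type, rule_label in LABEL_RULES:
        if info_type in findings and LABEL_RANK[rule_label] > LABEL_RANK[label]:
            label = rule_label
    tip = ""
    if findings:
        tip = "This document contains " + ", ".join(f"{n} {t}" for t, n in findings.items())
    return Classification(label, findings, tip)


def override_label(auto_label: str, requested: str, justification: str = "") -> str:
    """Users may change the label, but lowering an automatic label needs a justification."""
    if LABEL_RANK[requested] < LABEL_RANK[auto_label] and not justification.strip():
        raise ValueError("justification required to lower an automatically applied label")
    return requested


def dlp_action(label: str, external_recipients: bool) -> str:
    """DLP rule: block sharing Confidential-or-higher content outside the organization."""
    if external_recipients and LABEL_RANK[label] >= LABEL_RANK["Confidential"]:
        return "block"
    return "allow"


# Constructed sample documents; 4111 1111 1111 1111 is a well-known test card number
# that passes Luhn, while 1234 5678 9012 3456 and 000-12-3456 are deliberately invalid.
SAMPLE_DOCS = {
    "newsletter": "The team picnic is on Friday; bring a dish to share.",
    "hr_record": "Employee record: SSN 123-45-6789, start date 2024-01-08.",
    "refund": "Refund to card 4111 1111 1111 1111; ticket 1234 5678 9012 3456.",
    "malformed": "Applicant listed SSN 000-12-3456, which is not a valid number.",
}


def demo(external_recipients: bool = True) -> Dict[str, Tuple[str, str]]:
    """Classify each sample; returns (auto label, DLP decision when shared externally)."""
    results = {}
    for name, text in SAMPLE_DOCS.items():
        c = classify(text)
        results[name] = (c.label, dlp_action(c.label, external_recipients))
    return results


if __name__ == "__main__":
    for name, (label, decision) in demo().items():
        print(f"{name:10} {label:20} external share: {decision}")
```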

Microsoft 365 Security Center


The Microsoft 365 security center helps you to track and manage security across your identities, data,
devices, apps, and infrastructure. Security admins can manage devices, get alerts if there’s suspicious
activity, and get an all-up view of the security posture in their organization.

The Microsoft 365 security center provides the following:


●● Real-time reports to help you keep on top of issues with users, devices, apps, and infrastructure.
●● An all-up Microsoft Secure Score view that shows the configurable security score.
●● Insights and recommendations to help you improve your security posture and take advantage of
Microsoft 365 security features.
●● The ability to configure device and data policies to help you better manage your organization.

Once the Microsoft 365 security center is enabled for your tenant, you can access the security center at
https://security.microsoft.com.

Microsoft Secure Score


Managing your security posture to protect against a continually evolving threat landscape offers many
challenges. Security teams may have too many security solutions, each with its own place to configure
many controls, lack knowledge of which controls are the most effective, and be unable to benchmark
themselves against other organizations, so it can be difficult to find the right balance of security and
productivity.
With Microsoft Secure Score in the Microsoft 365 security center, you can have increased visibility and
control over your organization’s security posture. From a centralized dashboard you can monitor and
improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure.
Microsoft Secure Score gives you robust visualizations, integration with other Microsoft products,
comparison of your score with other companies, filtering by category, and much more. With the tool, you
can complete security improvement actions within your organization and track the history of your score.
The score can also reflect when third-party solutions have addressed recommended improvement
actions.

You're given points for configuring recommended security features, performing security-related tasks
(such as viewing reports), or addressing the improvement action with a third-party application or
software. Some actions are scored for partial completion, like enabling multi-factor authentication (MFA)
for your users. Security should always be balanced with usability, and not every recommendation will work
for your environment.
You can use Microsoft Secure Score recommendations to target the most important settings and make
changes quickly.
The table that follows includes some examples of improvement actions and their impact on your
Microsoft Secure Score. Notice the dashboard also provides information on the user impact and security
category.

Improvement Action                               Score   Category   User Impact
Require MFA for Azure AD privileged roles        50/50   Identity   Low
Require MFA for all users                        30/30   Identity   Moderate
Set outbound spam notifications                  0/15    Data       Low
Do not expire passwords                          0/1     Identity   Moderate
Delete/block account not used in last 30 days    0/1     Identity   Moderate
Turn on user risk policy                         0/30    Identity   Moderate
Enable policy to block legacy authentication     0/20    Identity   Moderate

Identity and Access Management


Introduction
Identity is the primary supporting pillar in any security system. You must be able to identify users (and
devices) before you can determine the level of access or privilege that they have. You can establish
identity through user and device accounts.
After this lesson, you should be able to:
●● Describe the basic features of Azure AD.
●● Explain Azure AD identity protection.

Overview of Azure AD
Azure AD constitutes a separate Azure service. Its most elementary form (which any new Azure
subscription includes automatically) does not incur any extra cost and is referred to as Azure AD Free. If
you subscribe to any Microsoft Online business services (for example, Office 365 or Intune), you
automatically get Azure AD with access to all the free features.

The Azure AD Premium tier provides additional functionality over the Free and Basic editions. However,
Premium editions might require additional cost depending upon your Microsoft cloud subscription levels.
Azure AD Premium comes in two versions, P1 and P2.
The following features are available with the Azure AD Premium P1 edition:
●● Self-service group management. Simplifies the administration of groups where users are given the
rights to create and manage groups.
●● Advanced security reports and alerts. You can monitor and protect access to your cloud
applications by viewing detailed logs that show advanced anomalies and inconsistent access pattern reports.
●● Multi-factor authentication (MFA). Full MFA works with on-premises applications (using virtual
private network (VPN), Remote Authentication Dial-In User Service (RADIUS), and others), Azure,
Office 365, Dynamics 365, and third-party Azure AD gallery applications. It does not work with
non-browser off-the-shelf apps, such as Microsoft Outlook.
●● Microsoft Identity Manager (MIM) licensing. MIM integrates with Azure AD Premium to provide
hybrid identity solutions. MIM can span multiple on-premises authentication stores such as AD DS,
LDAP, Oracle, and other applications with Azure AD. This provides consistent experiences to
on-premises line-of-business applications and software as a service (SaaS) solutions.
●● Password reset with writeback. Self-service password reset follows the Active Directory on-premises
password policy.
●● Conditional Access based on device, group, or location. This feature lets you configure conditional
access for critical resources, based on multiple criteria.
●● Azure AD Connect Health. You can use this tool to gain operational insight into Azure AD. It works
with alerts, performance counters, usage patterns, and configuration settings to present the collected
information in the Azure AD Connect Health portal.
In addition to the Azure AD Premium P1 features, the Azure AD Premium P2 license provides a number of
advanced capabilities:
●● Azure AD Identity Protection. This feature provides enhanced functionalities for monitoring and
protecting user accounts. You can define user risk policies and sign-in policies. In addition, you can
review users’ behavior and flag users for risk.
●● Azure AD Privileged Identity Management. This functionality lets you configure additional security
levels for privileged users such as administrators. With Privileged Identity Management you define
permanent and temporary administrators. You also define a policy workflow that activates whenever
someone wants to use administrative privileges to perform some task.
Consider Azure AD to be an online instance of Active Directory Domain Services (AD DS) although there
are significant differences between the two. Azure AD provides authentication and authorization for
Office 365 and for other Microsoft cloud offerings, including Intune. As mentioned earlier, authentication
through Azure AD can be on a cloud-only basis, through directory synchronization with on-premises AD
DS, or with optional password hash synchronization. Alternatively, you can enable user authentication
with on-premises user accounts through Active Directory Federation Services (AD FS) or other Single
Sign-On (SSO) providers.

Identity protection basics


In addition to protecting resources such as devices, documents, and other critical types of data, it’s
necessary to protect user identities, as well. Many of today’s successful cyberattacks are based on identity
theft. This makes identity protection—particularly user accounts that have privileges—highly important
for organizations of all sizes.
Today, each computer user typically has at least five identities (or accounts) for accessing different local or
internet-based resources. For example, a typical user might have personal accounts with:
●● Microsoft, Google, or Apple for email
●● Social accounts such as Facebook, Instagram, or Twitter
●● Business accounts such as LinkedIn
In addition, a typical employee usually has one or more business accounts that they use on information
systems in the organization where they work. Because of all this, a typical user has to remember several
sets of credentials to be able to access the personal and business resources that they use. This usually
leads to a situation where most of the passwords for these accounts are similar or even the same. This
greatly increases the risk of identity theft. If one set of credentials is stolen or discovered in any way, it’s
highly likely that the other identities of the same user will be at a risk.
Because of this, it’s necessary to have an identity protection strategy. Identity protection is a set of
technologies that you implement to help proactively monitor user behavior, especially during
authentication, and to take actions if risk or vulnerability is detected.
For example, if you notice that a user starts signing in from a different city or at peculiar times of the day
(such as out of office hours), or if the user makes a number of failed password attempts, that suggests
suspicious activity, and it might indicate that a user account is compromised. Implementing an identity
protection system can help identify these issues and help to protect the integrity of your account
infrastructure.

Azure AD Identity Protection


Azure AD Identity Protection is a Microsoft implementation of identity protection technology for users of
Office 365 and other Microsoft cloud services. As mentioned earlier, it’s a feature of the Azure AD
Premium P2 license.
Azure AD Identity Protection provides you with the ability to:
●● Proactively recognize potential security risks and identify vulnerabilities in your organization.
●● Automatically apply responses and actions when suspicious activity on one or more identities is
detected.
●● Properly investigate incidents and take actions to resolve them.
●● Protect emails and documents by automatically applying classifications and labels.
Azure AD Identity Protection is more than another reporting and monitoring utility; with this technology,
you can also define risk policies with clearly defined manual or automatic actions.
Azure AD Identity Protection monitors each user session that authenticates on any of your cloud
resources, and calculates the potential risk. The risk is based on factors such as the user location, the
application used to authenticate, and the device the user uses. For example, Azure AD Identity Protection
can detect if the same user tries to authenticate from two geographic locations in a short period of time. It
also can detect if a user tries to authenticate from a location from where they have never authenticated.
Azure AD Identity Protection provides a dashboard where you can monitor in real time the users that are
flagged for risk, how many risk events have happened, and the potential vulnerabilities in your
organization.
Based on a calculated risk, Azure AD Identity Protection can notify administrators, try to remediate the
risk, increase the authentication security requirements, or take another action defined by the risk policy.
The sign-in risk level can be Low and above, Medium and above, or High. For each risk level, you can
define actions such as requiring MFA at sign-in, requiring a password change, or blocking access.
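The risk-based evaluation described in this lesson, and the policy decision described under conditional access earlier in the module, as an added illustration that is not Microsoft's detection logic or any Azure AD API: a simplified sign-in risk scorer (a location the user has never signed in from, two locations reached faster than plausible travel allows, and a non-compliant device) feeds risk policies whose thresholds are Low and above, Medium and above, or High, and whose actions are require MFA, require a password change, or block. The risk signals, the 900 km/h travel threshold, the user, the cities, the coordinates, and the timestamps are all constructed assumptions.

```python
# Constructed, simplified model of sign-in risk detection and risk-based policy.
# Added example: not Microsoft's algorithm or API. Levels and actions follow the
# text (Low and above / Medium and above / High; MFA, password change, block).
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Actions from least to most restrictive; the strictest matching policy wins.
ACTION_ORDER = ["allow", "require_mfa", "require_password_change", "block"]


@dataclass
class SignIn:
    user: str
    time: datetime
    city: str
    lat: float
    lon: float
    device_compliant: bool


@dataclass
class RiskPolicy:
    threshold: str  # "low" = Low and above, "medium" = Medium and above, "high" = High
    action: str     # one of ACTION_ORDER


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def sign_in_risk(history: List[SignIn], event: SignIn,
                 max_speed_kmh: float = 900.0) -> Tuple[int, List[str]]:
    """Score one sign-in against the user's earlier sign-ins (assumed signals)."""
    level, reasons = RISK_LEVELS["none"], []
    prior = [h for h in history if h.user == event.user and h.time < event.time]
    if prior and event.city not in {h.city for h in prior}:
        level = max(level, RISK_LEVELS["medium"])
        reasons.append("unfamiliar location")
    if prior:
        last = max(prior, key=lambda h: h.time)
        hours = (event.time - last.time).total_seconds() / 3600
        if hours > 0 and haversine_km(last.lat, last.lon, event.lat, event.lon) / hours > max_speed_kmh:
            level = max(level, RISK_LEVELS["high"])
            reasons.append("atypical travel")
    if not event.device_compliant:
        level = max(level, RISK_LEVELS["low"])
        reasons.append("non-compliant device")
    return level, reasons


def decide(policies: List[RiskPolicy], level: int) -> str:
    """Apply every policy whose threshold the risk level meets; strictest action wins."""
    decision = "allow"
    for policy in policies:
        if level >= RISK_LEVELS[policy.threshold] and \
                ACTION_ORDER.index(policy.action) > ACTION_ORDER.index(decision):
            decision = policy.action
    return decision


# Constructed scenario: approximate coordinates, made-up user and timestamps.
SEATTLE, SYDNEY, CHICAGO = (47.61, -122.33), (-33.87, 151.21), (41.88, -87.63)
T0 = datetime(2024, 1, 8, 9, 0)
POLICIES = [RiskPolicy("medium", "require_mfa"), RiskPolicy("high", "block")]


def demo() -> List[Tuple[str, int, str]]:
    """Evaluate three sign-ins for one user; returns (city, risk level, decision) each."""
    history = [SignIn("alice", T0 - timedelta(days=d), "Seattle", *SEATTLE, True) for d in (1, 2, 3)]
    events = [
        SignIn("alice", T0, "Seattle", *SEATTLE, True),                       # routine sign-in
        SignIn("alice", T0 + timedelta(hours=1), "Sydney", *SYDNEY, True),    # ~12,500 km in one hour
        SignIn("alice", T0 + timedelta(days=1), "Chicago", *CHICAGO, False),  # new city, unmanaged device
    ]
    results = []
    for event in events:
        level, _reasons = sign_in_risk(history, event)
        decision = decide(POLICIES, level)
        results.append((event.city, level, decision))
        if decision != "block":  # a blocked attempt must not become a "familiar" location
            history.append(event)
    return results


if __name__ == "__main__":
    for city, level, decision in demo():
        print(f"{city:8} risk={level} -> {decision}")
```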

Device and information protection


Introduction
A key task of any administrator is to protect and secure an organization's resources and data. This set of
tasks is typically referred to as device management. Users have many devices from which they open and
share personal files, visit websites, and install apps and games. These same users are also employees who
want to use their devices to access work resources such as email. Device management enables
organizations to protect and secure their resources and data.
After this lesson, you should be able to:
●● Explain the need for device management.
●● Describe how Intune provides device protection.
●● Identify Microsoft 365 services that protect data in your organization.
●● Describe Information Rights Management (IRM).

Why business environments need to protect devices and data


As mentioned earlier in the module, the key pillars of a computer security system are:
●● Identity and access management
●● Information protection
●● Threat protection
●● Security management

Protecting information
With the proliferation of devices such as tablets and phones, it’s becoming increasingly difficult for IT
administrators to manage devices and data that they contain. However, this is vital to an organization’s
security.
Although some organizations currently do not allow their users to bring their own devices and connect
them to their infrastructure, most do allow users access to corporate email via personal cellphones and
tablets. Even this relatively modest access poses risks of data leakage and the introduction of malware
into the organization.
If your organization decides to allow users to connect their devices in some way, it’s important that you
put in place security settings that can help protect your organization from the following threats:
●● Malware. Introduced through unsecured devices and apps.
●● Data leakage. Through:
  ●● Loss or theft of a device that contains corporate data.
  ●● Loss or theft of a storage device (such as a USB drive) that contains corporate data.
●● Inappropriate data access. Caused by access to an unsecured device by malicious persons.
●● Network access. Caused by insufficient security settings on a device, enabling a malicious person to
obtain sensitive data such as user accounts, passwords, and wireless access point settings.
How Mobile Device Management (MDM) can help


MDM is an industry standard for managing mobile devices including smart phones, tablets, and laptops.

You implement MDM by using an MDM authority and MDM clients. Microsoft offers two MDM authority
solutions: Intune, and MDM for Office 365. The MDM client functionality is included as part of the
Windows 10 operating system. The MDM authority can manage various devices that include MDM client
functionality, such as the Android, iOS, and Windows 10 operating systems.
MDM functionality typically includes:
●● App distribution
●● Data management
●● Device configuration
Note that to apply these settings, devices must be enrolled in an MDM. You can enroll Windows 10
devices manually or automatically. You must enroll devices running other operating systems manually,
often by installing a specific app.
An MDM authority such as Intune provides the following capabilities:
●● Device enrollment. MDM can manage only supported devices that are enrolled to MDM. A device
may include MDM client functionality, as Windows 10 does; for other operating systems such as
Android or iOS, you must install the Company Portal app to manage it.
●● Device configuration. You can use profiles and policies to configure devices, control user access, and
set device settings to comply with company policy. You can also deploy settings for devices to access
company resources such as Wi-Fi and VPN profiles, and control access to company resources by using
conditional access.
●● Monitoring and reporting. In the MDM management tool, you can receive notifications about
devices that have issues, or about devices where an MDM policy was not successfully applied, such as
when devices do not comply with a company baseline. You can also add enrolled devices to groups and
view a list of enrolled devices. By using Intune, you can also configure Windows Autopilot device deployment.

●● Application Management. With Microsoft Intune, which is included within a Microsoft 365
subscription, you can deploy apps to any enrolled device anywhere in the world. By using MDM and mobile
application management (MAM) you can deploy the applications, manage their settings, and separate
data that is created by personal and business apps.
●● Selective data deletion. If a device is lost or stolen, or if the user is no longer a company employee,
you can wipe company data that’s stored on the device. You can wipe all device data or perform a
selective wipe, which leaves personal user data on the device intact.

How Microsoft 365 device management provides device protection

Using a device management provider, organizations can ensure that only authorized individuals and
devices can access proprietary information. Similarly, device users do not need to worry about accessing
work data from their phone, because they know that their device meets their organization's security
requirements. As an organization, you might ask, “What should we use to protect our resources?” The
answer is Intune.
Intune is a cloud service that helps to manage computers, laptops, tablets, and other mobile devices,
including iOS, Android, and Mac OS X devices. Intune offers both MDM and MAM, uses Azure AD as a
directory store for identity, and can integrate with local management infrastructures such as Microsoft
System Center Configuration Manager (SCCM).
By using Intune, you can:
●● Allow staff to more safely access organizational data by using personal devices, an arrangement
commonly known as Bring Your Own Device (BYOD).
●● Manage corporate-owned phones and limited-use devices through integration with device provider
services such as the Apple Device Enrollment Program and the Samsung Knox mobile security
platform.
●● Control access to Office 365 from unmanaged devices such as public kiosks and mobile devices.
●● Help to ensure that devices and apps that connect to corporate data are compliant with security
policies.

Using Intune App Protection Policies


Microsoft Intune app protection policies help protect your company data and prevent data loss.
Your employees use mobile devices for both personal and work tasks. While making sure your employees
can be productive, you want to prevent data loss, intentional and unintentional. You'll also want to
protect company data that is accessed from devices that are not managed by you.
You can use Intune app protection policies independent of any mobile-device management (MDM)
solution. This independence helps you protect your company's data with or without enrolling devices in a
device management solution. By implementing app-level policies, you can restrict access to company
resources and keep data within the purview of your IT department.
Intune app protection policies can be configured for apps that run on devices that are:
●● Enrolled in Microsoft Intune. These devices are typically corporate owned.
●● Enrolled in a third-party Mobile device management (MDM) solution. These devices are typically
corporate owned.

●● Not enrolled in any mobile device management solution. These devices are typically
employee-owned devices that aren't managed or enrolled in Intune or other MDM solutions.
The important benefits of using Intune app protection policies are:
●● Protecting your company data at the app level. Because mobile app management doesn't require
device management, you can protect company data on both managed and unmanaged devices. The
management is centered on the user identity, which removes the requirement for device
management.
●● End-user productivity isn't affected, and policies don't apply when using the app in a personal
context. The policies are applied only in a work context, which gives you the ability to protect
company data without touching personal data.
There are additional benefits to using MDM with Intune app protection policies, and companies can use
Intune app protection policies with and without MDM at the same time. For example, consider an
employee that uses both a phone issued by the company along with their own personal tablet. The
company phone is enrolled in MDM and protected by Intune app protection policies, while the personal
device is protected by Intune app protection policies only.
●● MDM ensures the device is protected. For example, you can require a PIN to access the device, or
you can deploy managed apps to the device. You can also deploy apps to devices through your MDM
solution, to give you more control over app management.
●● Intune app protection policies ensure that app-layer protections are in place. For example, you
can:
   ●● Require a PIN to open an app in a work context
   ●● Control the sharing of data between apps
   ●● Prevent the saving of company app data to a personal storage location such as a personal
   OneDrive folder

Device management lifecycle


Like most IT management activities, MDM follows a lifecycle. The MDM lifecycle contains four phases:
1. Enroll. In the Enroll phase, devices register with the MDM solution. With Intune, you can enroll both
mobile devices—such as phones—and Windows PCs. When you enroll devices, you can:
●● Require users to accept company terms and conditions of use.
●● Restrict enrollment to company-owned devices only.
●● Require MFA on devices.
2. Configure. In the Configure phase you help to ensure that the enrolled devices are secure and that
they comply with any configuration or security policies. You can also automate common
administrative tasks such as configuring Wi-Fi. You can use policies to:
●● Configure endpoint security settings (such as configuring BitLocker and Windows Defender
settings).
●● Configure Windows Information Protection (WIP) to help guard against data loss.
●● Enable device-compliance policies that can require certain minimal encryption and password
settings, prevent access by rooted devices, and determine a maximum mobile threat defense level.

3. Protect. In the Protect phase, the MDM solution provides ongoing monitoring of the settings
established in the Configure phase. During this phase, you also use the mobile device management
solution to help keep devices compliant through the monitoring and deployment of software updates.
4. Retire. When a device is no longer needed, when it’s lost or stolen, or when an employee leaves the
organization, you should help to protect the data on the device. You can remove data by resetting the
device using Fresh Start, performing a full wipe, or performing a selective wipe that removes only
corporation-owned data from the device.
As an example of the MDM lifecycle, let’s use an employee named Emily Braun who has just started at
Contoso. She has a cellphone on which she wishes to read corporate emails. The following workflow is
from the device management perspective:
1. Enroll. When Emily enters the required information to configure her email account, she will be
notified that the organization she is connecting to requires that her device be configured. Assuming
that Emily accepts these conditions, her device is enrolled into MDM at Contoso.
2. Configure. As part of the conditions for allowing Emily access to corporate email, her device is
configured according to compliance policies defined within Microsoft 365 in the Contoso tenant.
These configuration settings might include requiring Emily to configure a PIN to unlock her phone,
and might also require that she enable device encryption.
3. Protect. As Emily uses her device, MDM continues to monitor and maintain her phone. If
organizational needs change, these changes might be reflected in policies that apply to Emily’s device.
4. Retire. Emily has accepted another position outside of Contoso with Adatum. The administration
team at Contoso can now remotely wipe the corporate data from Emily’s phone.

How Microsoft 365 helps protect data in an organization

An important benefit of using MDM technology such as Intune for managing devices is that you can
allow access to email and documents only from devices that are managed by MDM and comply with your
company’s policies. For example, a company policy can specify that user passwords must be complex,
that local data on devices is encrypted, and that the latest updates are installed. This would mean that a
user can access their Microsoft Exchange Online mailbox from a device that meets company policy, but
they cannot read their email from a secondary device that does not have the latest updates installed. If all
other prerequisites are met, the user can access their mailbox from that secondary device after the latest
updates are installed on it.

Compliance policies
You can define company policies by using the Device Compliance policy in Intune. You can control access
to email, documents, and other cloud apps by using Conditional Access policies. Compliance with
company policy is just one criterion that you can evaluate in Conditional Access policy; you can also
evaluate sign-in risk, device type, location, and client apps.
If a device is not enrolled to Intune, its compliance cannot be evaluated. However, you can prevent access
to mailboxes, documents, and cloud apps from such devices. If a user tries to access their mailbox
from such a device then, depending on how you set the policy, the user might be blocked from accessing
Office 365 resources. They also might be redirected to enroll the device in MDM. Alternatively, the user
could be granted access, but Office 365 would report a policy violation.
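To make the compliance evaluation and the three unenrolled-device outcomes above concrete, here is an added Python example. It is not course or Intune code; the policy values, device states and outcome names are constructed assumptions.

```python
"""Added example, not code from the course: how a device compliance policy and
a Conditional Access policy combine to decide whether a device may reach an
Exchange Online mailbox. Policy values, device states and outcome names are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CompliancePolicy:
    """Constructed Intune-style compliance policy mirroring the course text:
    complex password, encrypted local data, latest updates installed."""
    min_password_length: int = 8
    require_complex_password: bool = True
    require_encryption: bool = True
    min_os_build: str = "10.0.19044"   # sample "latest updates" baseline


@dataclass
class Device:
    name: str
    enrolled: bool
    password_length: int = 0
    password_complex: bool = False
    encrypted: bool = False
    os_build: str = "0.0.0"


def build_tuple(build: str) -> tuple:
    """'10.0.19044' -> (10, 0, 19044) so that builds compare numerically."""
    return tuple(int(part) for part in build.split("."))


def evaluate_compliance(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return the failed requirements; an empty list means the device is compliant."""
    failures = []
    if device.password_length < policy.min_password_length:
        failures.append("password too short")
    if policy.require_complex_password and not device.password_complex:
        failures.append("password not complex")
    if policy.require_encryption and not device.encrypted:
        failures.append("local data not encrypted")
    if build_tuple(device.os_build) < build_tuple(policy.min_os_build):
        failures.append("latest updates not installed")
    return failures


# The three ways the text says an unenrolled device can be handled.
BLOCK = "block"
REDIRECT_TO_ENROLL = "redirect_to_enrollment"
GRANT_AND_REPORT = "grant_and_report_violation"


def conditional_access(device: Device, policy: CompliancePolicy,
                       unenrolled_action: str = REDIRECT_TO_ENROLL) -> Dict:
    """Decide one sign-in to the mailbox; compliance is one Conditional Access criterion."""
    if not device.enrolled:
        # Compliance cannot be evaluated for a device that is not enrolled,
        # so the policy's unenrolled-device setting decides the outcome.
        return {"access": unenrolled_action == GRANT_AND_REPORT,
                "outcome": unenrolled_action, "failures": []}
    failures = evaluate_compliance(device, policy)
    if failures:
        return {"access": False, "outcome": "blocked_noncompliant",
                "failures": failures}
    return {"access": True, "outcome": "granted", "failures": []}


if __name__ == "__main__":
    policy = CompliancePolicy()
    phone = Device("emily-phone", enrolled=True, password_length=8,
                   password_complex=True, encrypted=True, os_build="10.0.19044")
    print(conditional_access(phone, policy))
```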

After a device is enrolled, you continue to manage it through policies. In terms of data protection, you
can create the following types of policy:
●● Device restrictions. Device restrictions control security, hardware, data sharing, and other settings on
the devices. For example, you can create a device restriction profile that prevents iOS device users
from using the device’s camera.
●● Endpoint protection. Endpoint protection settings for devices include:
●● Windows Defender Application Guard
●● Windows Defender Firewall
●● Windows Defender SmartScreen
●● Windows Encryption
●● Windows Defender Exploit Guard
●● Windows Defender Application Control
●● Windows Defender Security Center
●● Windows Defender Advanced Threat Protection
●● Windows Information Protection
●● Identity protection. Identity protection controls the Windows Hello for Business experience on
Windows 10 and Windows 10 Mobile devices. Configure these settings to make Windows Hello for
Business available to users and devices, and to specify requirements for device PINs and gestures.
You can also perform a number of actions on enrolled devices, including:
●● Factory reset
●● Selective wipe
●● Delete device
●● Restart device
●● Fresh start

What is Information Rights Management (IRM)?


In modern enterprises, the increase in collaboration between both internal and external users and the
proliferation of employee-owned devices has increased the risk of accidental or malicious data leakage.
Traditionally, enterprises have controlled access to data by assigning credentials to users. However, user
access control does not prevent authorized users from accidentally sharing files or sending data in email,
which has led to new protection systems.
Organizations implemented Data Loss Prevention (DLP) to overcome the limitations of systems that are
based solely on authentication and authorization. A DLP system automatically detects and controls data
that should be protected.
Organizations also need to protect data after it leaves the company. To meet this need, you can
implement IRM systems that make protection an inherent part of documents. You might have encountered
IRM protection on documents such as video and audio files that you have streamed from the internet.
These IRM protections prevent you from sharing the files and allow you only to view or listen to the files.
In a workplace, IRM can ensure that an employee can create a document and then determine the level of
protection that should apply to the document, such as allowing only authorized users to open the
document.
IRM systems require setting up both client and server environments. The client app that opens a
document is responsible for applying the protection rules, after checking with the server component of
the system for authorization updates.

Data Loss Prevention (DLP)


DLP is the capability built into Microsoft 365 that helps your organization ensure that data is not lost
or misused. Using Microsoft 365 you can create DLP policies that protect the following
applications:
●● Exchange Online
●● SharePoint Online
●● OneDrive for Business
●● Desktop versions of Excel, PowerPoint, and Word
Microsoft 365 DLP protection allows you to:
●● Identify and continuously monitor and report on sensitive information.
●● Prevent accidental sharing of sensitive information.
Microsoft 365 also allows you to educate users about DLP policies and protect data without interrupting
their work. You can set DLP policies to show a policy tip or send an email when users try to share
protected information. You can allow users to override the policy and share information despite the policy.

Windows Information Protection


Windows Information Protection (WIP) is a set of technologies that protect your organization from
accidental or malicious data leaks, without significant changes to your enterprise environment or apps. It
provides this protection to both enterprise-owned devices and BYOD devices, and it does so without
interfering with employees’ regular workflows. With the growth in the number of mobile devices and
personal devices, this protection is needed more than ever.

WIP helps you to overcome several common challenges by providing:


●● Separation between personal and corporate data. Users do not need to choose which app to use
for which data.
●● Additional protection to LOB apps. You can add protection without modifying the app.
●● Ability to perform a selective wipe. You can remove corporate data from a device without removing
personal data.
●● Audit reporting. WIP gives you the ability to track and report on policy issues and the actions
performed in response to policy violations.
●● Management system integration. WIP integrates with Intune, SCCM, and other MDM systems.
These benefits can help you to protect enterprise data in a variety of scenarios:
●● Encrypt data on a device. When copying or downloading organizational data from SharePoint,
OneDrive for Business, network shares, or other locations to a device that is managed by WIP policies,
WIP encrypts the data on the device even if the device is personally owned.
●● Control which apps can access corporate data. Apps that you have included on the Allowed Apps
list can access organizational data, while apps that are not on the list have more limited capabilities.
For example, if the policy is set to Override mode, when a user tries to copy data from an allowed app
to a personal app a warning notice will ask for confirmation to perform a potentially unsafe action.
●● Support apps that allow users to work with both personal and corporate data. Some apps, such
as Word, automatically detect when a file contains corporate data and should be WIP-protected. They
maintain that protection when saving a file locally or on removable media. This protection is
maintained even if the file name changes or if the data is stored with unencrypted personal data.
●● Prevent use of personal apps and services. You can prevent accidental release of organizational
data to public spaces and social media by preventing users from using applications such as a personal
OneDrive to store files. You can also prevent users from copying data from allowed apps to social
media such as Twitter or Facebook.
●● Remove corporate data from lost or stolen devices, or devices owned by ex-employees. You can
remove organizational data from, and unenroll, any device (including personal devices) that is
enrolled in Intune, even if the device is lost or stolen. This does not affect personal data.

Azure Information Protection


Azure Information Protection (AIP) is a set of cloud-based technologies that provide classification,
labeling, and data protection. You can use Azure Information Protection to classify, label, and protect data
such as email and documents created in Microsoft Office apps or other supported apps, and classification
and protection information is available for on-premises file servers. Instead of focusing only on data
encryption, Azure Information Protection has a wider scope. It provides mechanisms to recognize
sensitive data, alert users when they are accessing or working with sensitive data, and track critical data
usage. However, the key component of Azure Information Protection is data protection based on rights
management technologies.

AIP and Azure RMS


To protect data, Azure Information Protection uses Microsoft Azure Rights Management service (Azure
RMS) technology. Previously, Azure RMS was available as a standalone product, known as Azure RMS and
RMS for Office 365. It’s now integrated in the Azure Information Protection solution, so you can use it
together with classification, labeling, and tracking.

Classification, labeling, and protection


To use Azure Information Protection in its full capacity, you should configure rules and policies for
classification, labeling, and protection. For example, you can configure some data types, keywords, or
phrases to be conditions for automatic or recommended classification. You can also use Azure
Information Protection to supplement the default templates to apply restrictive controls.
The Azure Information Protection client component monitors the documents or emails in real time. If it
detects a keyword or a phrase, it recommends a proper classification for a document. Installing the Azure
Information Protection client installs an information protection bar in Microsoft Excel.
You can also configure Azure Information Protection to apply classification automatically. For example,
you can configure an automatic classification rule that classifies a document as restricted if it contains a
credit card number.
The result of classification is a label. A label is metadata for a document that appears in files and email
headers in clear text. The label is stored in clear text as well, so that other services such as Data Loss
Prevention (DLP) solutions or protection solutions can identify the classification and take appropriate
action. For example, a label could be confidential, restricted, or public. The label also contains protection
configuration if the protection is required by a specific label.
Document protection can be label-based, or an end user can apply it manually. For example, you can
configure an Azure Information Protection policy so it protects each document that is labeled as
confidential. This protection, for example, can provide read-only access for certain users within the company.
After Azure Information Protection applies protection to a document or an email, the protection remains
until an author or a super user removes it. When Azure RMS protects a document, you can also track its
usage by using a dedicated web portal. For each Azure RMS–protected file, you can configure
notifications that you will receive when someone tries to open that file. You can also use the same portal to
revoke access for each protected and shared document.
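The automatic classification rule described above (label a document as restricted when it contains a credit card number) and the policy tip, block and override behaviour described in the Data Loss Prevention section can be illustrated together. The following Python example is added here and is not Microsoft code; its label names, DLP policy settings, Luhn check and sample documents are constructed assumptions.

```python
"""Added example, not Microsoft code: an automatic classification rule of the
kind the course describes ("label as Restricted if the content contains a
credit card number") whose clear-text label then drives a DLP sharing
decision. Label names, policy settings and sample documents are constructed."""
import re
from typing import Dict, List

# Candidate 13-19 digit runs, optionally grouped with spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

RESTRICTED = "Restricted"   # constructed label names
PUBLIC = "Public"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which keeps random digit runs from being classified."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in the text, digits only."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify(document: Dict) -> Dict:
    """Apply the automatic rule; the result is a clear-text label in the metadata
    that other services (such as DLP) can read without decrypting anything."""
    cards = find_card_numbers(document["body"])
    label = RESTRICTED if cards else document.get("label", PUBLIC)
    return {**document, "label": label, "matches": len(cards)}


# Constructed DLP policy for Restricted content shared outside the organization.
DLP_POLICY = {
    "label": RESTRICTED,
    "action": "block",        # "block", or "policy_tip" to warn only
    "allow_override": True,   # users may override with a business justification
}


def dlp_decision(document: Dict, recipient_domain: str, org_domain: str,
                 justification: str = "") -> str:
    """Return allow / allow_with_tip / allow_override_audited / block."""
    labelled = classify(document)
    external = recipient_domain.lower() != org_domain.lower()
    if labelled["label"] != DLP_POLICY["label"] or not external:
        return "allow"
    if DLP_POLICY["action"] == "policy_tip":
        return "allow_with_tip"
    if DLP_POLICY["allow_override"] and justification:
        return "allow_override_audited"   # the override is logged for review
    return "block"


if __name__ == "__main__":
    # Constructed sample document; 4111 1111 1111 1111 is a common test number.
    sample = {"name": "expenses.docx", "body": "Card 4111-1111-1111-1111 on file."}
    print(classify(sample)["label"], dlp_decision(sample, "fabrikam.com", "contoso.com"))
```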

Compliance in Microsoft 365


Introduction
In this lesson, you will learn how Microsoft 365 helps you meet your compliance needs. Microsoft 365
complies with global, industry, and regional standards and regulations and is designed to help you to
meet the regulatory requirements for your business. You will learn what integrated compliance solutions
are available within Microsoft 365 and how they can help your organization leverage intelligence to
reduce your compliance risk.
After this lesson, you should be able to:
●● Describe the three pillars of compliance.
●● Explain the benefits of the Compliance Manager tool.
●● Describe the Microsoft Compliance Center.

Common compliance needs in today's business environments

As data proliferates, and our reliance on storing and accessing that data online grows, so does the need
for data management. Over the years, governmental and other agencies have become interested in how
we use and share data, particularly personal data, like financial and health data.
To help protect individuals, governments have introduced regulations about data storage, handling, and
use:
●● Granting people the right to access, and possibly correct, data stored about them.
●● Defining a data retention period.
●● Granting governments and regulatory bodies the rights to access records for investigative purposes.
●● Defining exactly how data can and cannot be used. In other words, defining the purpose for the
collected data.
●● Defining privacy controls so that private data remains private.
Some of these regulations include:
●● Health Insurance Portability and Accountability Act (HIPAA) - imposes strict privacy regulations
on protected health information.
●● Federal Information Security Modernization Act (FISMA) - dictates how United States federal
agencies protect information.
●● General Data Protection Regulation (GDPR) - addresses the protection of data and how and when
it can be transferred.
●● The Family Educational Rights and Privacy Act (FERPA) - covers the use or disclosure of student
education records, including student information sent in email or email attachments.
●● The Personal Information Protection and Electronic Documents Act (PIPEDA) - addresses how
private sector organizations collect, use, and disclose personal information in regard to commercial
business.
●● The Gramm–Leach–Bliley Act (GLBA) - protects nonpublic personal information.

Microsoft 365 supports your organization’s compliance needs with built-in tools and capabilities to help
you protect information, manage data governance, and respond to regulatory requests.
It can be helpful to think about managing compliance in terms of three phases:
●● Assess: Assess compliance risk and posture with actionable insights
●● Protect: Protect and govern sensitive data across devices, apps and cloud services
●● Respond: Intelligently respond to data discovery requests by leveraging AI to find the most relevant
data

Service Trust Portal and Compliance Manager


Let’s look at some of the tools Microsoft 365 provides to assess your compliance risk, protect and govern
information, and respond to regulatory requests or manage investigations.

Service Trust Portal


The Service Trust Portal (STP) provides a variety of content, tools, and other resources about Microsoft
security, privacy, and compliance practices. It also includes independent third-party audit reports of
Microsoft's online services, and information about how our online services can help your organization
maintain and track compliance with standards, laws, and regulations such as:
●● International Organization for Standardization (ISO).
●● Service Organization Controls (SOC).
●● National Institute of Standards and Technology (NIST)
●● Federal Risk and Authorization Management Program (FedRAMP)
●● General Data Protection Regulation (GDPR)
●● Office 365 Auditing
The Service Trust Portal includes the following compliance tools:
●● Compliance Manager – your dashboard to standards, regulations, and assessments.

●● Trust documents - Audit reports, data protection info about how Microsoft operates Azure, Dynamics
365, and Office 365, Azure Security and Compliance Blueprint.
●● Regional Compliance - Regionally specific compliance information, often in the form of legal
opinions that describe Microsoft cloud services in different countries, like Australia, Poland, or the UK.
●● Privacy - Information about the capabilities in Microsoft services that you can use to address specific
GDPR requirements, as well as GDPR documentation.
You can access the Service Trust Portal by going to http://aka.ms/STP.

Compliance Manager
The Compliance Manager is a cross-Microsoft solution that helps meet complex compliance obligations,
including:
●● GDPR
●● ISO 27001
●● ISO 27018
●● NIST 800-53
●● HIPAA
Compliance Manager can be managed by assigned individuals and provides three key capabilities:
●● Ongoing risk assessment. View a summary of your compliance posture against the data protection
regulatory requirements that are relevant to your organization, in the context of using Microsoft cloud
services. The dashboard provides you with your compliance score, which helps you make appropriate
compliance decisions.
●● Actionable insights. Understand the responsibility that you and Microsoft share in meeting
compliance standards. For components that Microsoft manages, you can see the control implementation
and testing details, test date, and results. For components that you manage, you can see
recommendations for appropriate actions and guidance on how to implement them.
●● Simplified compliance. Simplify processes to achieve compliance. It provides built-in collaboration
tools that you can use to assign tasks to your teams. You can also generate audit-ready reports with
links to the evidence you collected.

Data governance in Microsoft 365


Data governance is all about keeping your data around when you need it and getting rid of it when you
don't. With data governance in Microsoft 365, you can manage the full content lifecycle, from importing
and storing data at the beginning, to creating policies that retain and then permanently delete content at
the end. Microsoft 365 takes a unified approach to discovering, classifying, and labeling your content
across locations.
Across your organization, you probably have different types of content that require different actions
taken on them in order to comply with industry regulations and internal policies. For example, you might
have:
●● Tax forms that need to be retained for a minimum period of time.
●● Press materials that need to be permanently deleted when they reach a certain age.
●● Competitive research that needs to be both retained and then permanently deleted.
●● Work visas that must be marked as a record so that they can't be edited or deleted.
In all of these cases, retention labels can help you take the right actions on the right content. With
retention labels, you can classify data across your organization for governance, and enforce retention
rules based on that classification.
With retention labels, you can:
●● Enable people in your organization to apply a retention label manually to content in Outlook on
the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best
what type of content they're working with, so they can classify it and have the appropriate policy
applied.
●● Apply retention labels to content automatically if it matches specific conditions, such as when the
content contains:
   ●● Specific types of sensitive information.
   ●● Specific keywords that match a query you create.
   Automatically applying retention labels is important because:
   ●● You don't need to train your users on all of your classifications.
   ●● You don't need to rely on users to classify all content correctly.
   ●● Users no longer need to know about data governance policies; they can instead focus on their
   work.
●● Apply a default retention label to a document library in SharePoint and Office 365 group sites, so
that all documents in that library get the default retention label.
●● Implement records management across Office 365, including both email and documents. You can
use a retention label to classify content as a record. When this happens, the label can't be changed or
removed, and the content can't be edited or deleted.
With retention policies, you can:
●● Decide proactively whether to retain content, delete content, or both retain and then delete the
content.
●● Apply a single policy to the entire organization or just specific locations or users.
●● Apply a policy to all content or just content meeting certain conditions, such as content containing
specific keywords or specific types of sensitive information.
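The following added Python example (not course code) expresses the four content types above as retention labels, applies them by keyword condition, and reports the disposition each label produces on a given date. The label settings, keywords and item dates are constructed assumptions.

```python
"""Added example, not code from the course: the four retention scenarios from
the text (retain, delete at an age, retain then delete, record) as labels,
auto-applied by keyword, with the disposition each produces on a given date.
Label settings, keywords and item dates are constructed samples."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionLabel:
    name: str
    retain_days: int = 0                   # content cannot be deleted before this age
    delete_at_days: Optional[int] = None   # permanently delete at this age; None = never
    is_record: bool = False                # a record can be neither edited nor deleted


# Constructed labels for the course's four examples.
LABELS = {
    "tax_form": RetentionLabel("Tax form", retain_days=7 * 365),
    "press_material": RetentionLabel("Press material", delete_at_days=365),
    "competitive_research": RetentionLabel("Competitive research",
                                           retain_days=3 * 365, delete_at_days=3 * 365),
    "work_visa": RetentionLabel("Work visa", is_record=True),
}

# Constructed keyword conditions for automatic labeling (first match wins).
AUTO_RULES = [("form w-2", "tax_form"), ("press release", "press_material"),
              ("competitor", "competitive_research"), ("work visa", "work_visa")]


@dataclass
class Item:
    title: str
    text: str
    created: date
    label: Optional[RetentionLabel] = None   # a user may have applied one manually


def auto_label(item: Item) -> Optional[RetentionLabel]:
    """Auto-apply the first matching rule; otherwise keep the user's label."""
    text = item.text.lower()
    for keyword, key in AUTO_RULES:
        if keyword in text:
            return LABELS[key]
    return item.label


def age_days(item: Item, today: date) -> int:
    return (today - item.created).days


def can_delete(item: Item, today: date) -> bool:
    """Records are never deletable; retained content is locked until its age is reached."""
    label = item.label
    if label is None:
        return True
    if label.is_record:
        return False
    return age_days(item, today) >= label.retain_days


def can_edit(item: Item, today: date) -> bool:
    return not (item.label is not None and item.label.is_record)


def disposition(item: Item, today: date) -> str:
    """What the retention label does to the item today."""
    label = item.label
    if label is None:
        return "no_action"
    if label.is_record:
        return "locked_as_record"
    age = age_days(item, today)
    if label.delete_at_days is not None and age >= label.delete_at_days:
        return "permanently_delete"
    if age < label.retain_days:
        return "retain"
    if label.delete_at_days is not None:
        return "awaiting_deletion"
    return "retention_complete"   # minimum period met; no automatic deletion


if __name__ == "__main__":
    item = Item("2019 return", "Attached Form W-2 for 2019", date(2019, 1, 1))
    item.label = auto_label(item)
    print(item.label.name, disposition(item, date(2020, 3, 1)))
```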
With Supervision policies in Office 365, you can:
●● Capture employee communications for examination by designated reviewers. You can define
specific policies that capture internal and external email, Microsoft Teams, or 3rd-party communications
in your organization. Reviewers can then examine the messages to make sure that they are compliant
with your organization's message standards and resolve them by assigning a classification type.
These policies can also help you overcome many modern compliance challenges, including:
●● Monitoring increasing types of communication channels
●● The increasing volume of message data
●● Regulatory enforcement & the risk of fines.
In this video, you will see how integrated and intelligent data governance in Microsoft 365 can help you
manage the lifecycle of your content to meet compliance requirements and manage risk.

Encryption in Microsoft 365


Microsoft 365 uses some of the strongest encryption protocols available - data is encrypted by default, at
rest and in transit. For data at rest, data is encrypted at the physical disk with BitLocker and in
applications with service encryption. Data in transit is encrypted with TLS (Transport Layer Security) as it
moves across the network.
For additional controls, you can encrypt your data in transit, and more granularly at the content level,
with Office 365 Message Encryption and Azure Information Protection.
If you have specific compliance obligations to provide and control your encryption keys, Microsoft 365
provides several options like Customer Key, which lets you add another layer of encryption that
belongs to you, not Microsoft.

Zero standing access


Organizations are twice as likely to be breached through compromised credentials as through any
other threat vector. All that's needed to expose data and inflict damage is perpetual, or standing, privi-
leged access to an application. Increasingly, regulators and customers expect you to carefully document
(including an audit trail) when you grant privileged access. One way to address this is by adopting zero
standing access: users don't get permissions by default to perform privileged tasks or access sensitive
data on their own.

Customer Lockbox for Office 365


Microsoft runs its own organization and datacenters on the principle of zero standing admin access. When
required, all access requests go through a privileged access workflow, allowing engineers just-in-time and
just-enough access for the specific task they need to perform. These requests require approvals and
significant oversight.
Another tool Microsoft offers to control access is Customer Lockbox. Customer Lockbox requires the
tenant admin (or a custom role like the compliance manager) to approve a request before a Microsoft
engineer is granted access to your data. The transparency, control, and security rigor provided
through this Customer Lockbox workflow is above and beyond what other major SaaS vendors offer
today.

Together, these controls enable you and Microsoft engineers to enforce zero standing access by default
for service provider access, which is a significant leap in keeping our datacenters and your data secure
and compliant.

Privileged access management in Office 365


Taking all the learnings from how Microsoft manages its own datacenter, Office 365 has built a similar
privileged access management system to help you manage privileged admin access to your users,
typically the tenant admins. This system requires your users to request just-in-time and just-enough
access to perform the tasks at hand.
With privileged access management in Office 365, access requests must be approved by an authorized
set of approvers. You can configure whether access requests are automatically or manually approved.
Either way, all the activity is logged and auditable, so that both requests and approvals can be reviewed
and documentation provided for internal reviews and auditor requests.
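The request, approval and audit steps described above can be driven from Exchange Online PowerShell. The following is an added example, not code from the course, that enables privileged access management for a tenant, defines a manual approval policy for one task, raises a request for that task, and approves it. The cmdlet names follow the Exchange Online PowerShell reference for privileged access management; the administrator address, approver group, task name, duration and the properties of the returned request object are placeholders and assumptions chosen for illustration.

```powershell
# Added example: privileged access management (PAM) workflow in Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and an account allowed to enable PAM.
# Addresses, group, task and duration are placeholders, not values from the course.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# 1. Turn PAM on for the tenant. The approver group is a mail-enabled security group
#    whose members approve or deny elevation requests.
Enable-ElevatedAccessControl -Admin 'admin@contoso.onmicrosoft.com' `
                             -ApproverGroup 'pam-approvers@contoso.onmicrosoft.com'

# 2. Define an approval policy for one privileged task. ApprovalType Manual means every
#    request for this task waits for a human approver; Auto approves it but still logs it.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
                                 -ApprovalType Manual `
                                 -ApproverGroup 'pam-approvers@contoso.onmicrosoft.com'

# 3. An administrator requests just-in-time, just-enough access for that task only.
#    Nothing is granted until an approver acts, and the grant expires after DurationHours.
$request = New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
                                     -Reason 'Create journal rule for legal hold LH-42' `
                                     -DurationHours 4

# 4. An approver reviews the pending request and approves it with a comment.
#    (RequestId is assumed to be the identifier property on the returned object.)
Get-ElevatedAccessRequest -RequestId $request.RequestId | Format-List
Approve-ElevatedAccessRequest -RequestId $request.RequestId `
                              -Comment 'Approved for legal hold work, 4 hours'

# 5. Every request and approval is recorded; list them all for internal review or auditors.
Get-ElevatedAccessRequest | Format-Table
```

The point of the pattern is that the admin account holds no standing right to run New-JournalRule; the right exists only for the approved window, and the request, the approval comment and the task execution are all in the audit trail.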

Respond to data discovery requests


Microsoft 365 provides built-in, suite-wide search and discovery tools to help reduce the risk and
exposure that come from holding multiple copies of data in multiple places.
You can use Advanced eDiscovery to review and redact content prior to export to ensure that only the
most relevant data is being shared, and that any business confidential pieces of that data are redacted.

You can work with data stored in Exchange Online, SharePoint Online, OneDrive for Business, Skype for
Business, Office 365 Groups, and Microsoft Teams.
These tools can help significantly reduce the costs of eDiscovery. In fact, at Microsoft, while average data
per custodian has grown 20x, the cost per custodian of eDiscovery has been reduced 85% with the use of
the built-in capabilities.
Watch this video to learn more about how Advanced eDiscovery can help you hold, search, refine,
analyze, review and export your relevant content.

Microsoft Compliance Center


The new Microsoft 365 compliance center is a specialized workspace for your compliance, privacy, and
risk management professionals. You can use the compliance center to assess your compliance risks
through Compliance Manager, protect and govern your data with sensitivity and retention labels, re-
spond to regulatory requests like Data Subject Requests, and access other compliance and privacy
solutions.

The new experience helps you reduce compliance risks and protect your digital estate more easily and
effectively with three new insights:
●● With the Compliance Manager integration, Microsoft 365 compliance center provides you with
visibility into your compliance posture against key regulations and standards like the GDPR, ISO
27001, NIST 800-53, and more on the homepage. You can then perform risk assessments and follow
step-by-step guidance to enhance your compliance and privacy controls.
●● Additionally, to help you label data more accurately, Microsoft 365 Label Analytics preview can enable
you to analyze and validate how sensitivity and retention labels are being used beyond your Office
365 workloads.
●● Microsoft Cloud App Security (MCAS) insights are also available in the Microsoft 365 compliance
center to help you identify compliance risks across applications, discover shadow IT, and monitor
employees’ non-compliant behaviors.

Once the Microsoft 365 compliance center is enabled for your tenant, you will be able to access it at
https://compliance.microsoft.com

Data Subject Requests


GDPR gives people (also called data subjects) rights over their personal data. These include obtaining a
copy of it and requesting to export it in an electronic format. A formal request by a data subject to a
controller to take an action on their personal data is called a Data Subject Request, or DSR. You can
create a data subject request case from your Microsoft 365 compliance center1.

Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Which of the following block or allow network traffic based on the traffic's properties?
(A) DLP policy
(B) Firewall
(C) MAC address
(D) Router
2. Which of the following Microsoft tools requires the tenant admin to approve a request before a
Microsoft engineer is granted access to your data?
(A) Service Trust Portal
(B) Microsoft Intune
(C) Customer Lockbox for Office 365
(D) Compliance Manager
3. Which of the following is a compliance tool in the Service Trust Portal?
(A) Auditing
(B) Security
(C) Global Compliance
(D) Trust documents
4. Which of the following is a key capability of Compliance Manager in Microsoft 365?
(A) Workplace analytics
(B) Actionable insights
(C) MyAnalytics
(D) Streamlined compliance
5. You notice suspicious activity during sign in from a number of user accounts. It seems as if these users
are signing in at unusual times and from not normal locations. What tool or feature in Microsoft 365
might alert you to such activity?
(A) Azure MFA
(B) Azure AD Privileged Identity Management
(C) Microsoft Identity Manager
(D) Azure AD Identity Protection

1 https://compliance.microsoft.com
6. You want the ability to elevate a user’s account to that of a temporary administrator. Which Microsoft
365 identity management feature could help with this?
(A) Azure MFA
(B) Azure AD Privileged Identity Management
(C) Microsoft Identity Manager
(D) Azure AD Identity Protection
7. In Microsoft Intune, what kind of policy enables you to ensure that devices are not rooted, and are
configured with complex passwords?
(A) Conditional Access policy
(B) Device Compliance policy
(C) Device Enrollment policy
(D) Device configuration profile
8. Which feature in Microsoft 365 enables you to review and redact content prior to export to ensure that
only the most relevant data is being shared?
(A) Customer Key encryption
(B) Advanced eDiscovery
(C) Azure Information Protection
(D) Office 365 Advanced Threat Protection
Answers:
1. (B) 2. (C) 3. (D) 4. (B) 5. (D) 6. (B) 7. (B) 8. (B)

Lab - Implement security and compliance in Microsoft 365

Lab Introduction
This lab is designed to reinforce the concepts to which you were introduced and the knowledge you’ve
gained in this module. In this lab, you will configure Azure Active Directory (Azure AD), create a condi-
tional access policy, and activate Azure Identity Protection.
Important: This lab has three exercises, each with multiple tasks. For a successful outcome, the exercises
and their corresponding tasks must be completed in order.
To perform the tasks in the labs for this course you will need an Office 365 trial. You can use the trial you
may have acquired earlier in the course. To acquire an Office 365 Enterprise E5 trial click here2.
Note:
You may already have an Office 365 tenant connected to your Microsoft ID. However, you may not have
the administrator access to perform the lab tasks in that tenant. What’s more you may not want to
perform these sample lab steps in your live production Office 365 environment.

Exercise 1 Configure Azure Active Directory

Task 1: Configure Azure AD join settings

1. Open Microsoft Edge and navigate to office.com and sign in using the global admin account you have
been assigned for this course.
2. Select the Admin tile.
3. In Microsoft 365 admin center, in the navigation pane, click Show more, and then click Admin
centers. You may need to click Try the new admin center to switch to the classic Microsoft 365
admin center interface to follow these instructions.
4. Click Azure Active Directory. Verify that a new tab opens in Microsoft Edge.
5. In the navigation pane, select Azure Active Directory.
6. Click Devices and then click Device settings.
7. In the details pane, in the Users may join devices to Azure AD select Selected.
8. Click Selected (No member selected).
9. Click Add members.
10. In the Select box, type Windows and click Windows 10 Deployment, which is the group you created
in the last lab.
11. Click Select and then click OK.

2 https://go.microsoft.com/fwlink/p/?LinkID=698279&culture=en-US&country=US

12. On the Devices – Device settings blade, click Save. You have configured that members of the Win-
dows 10 Deployment group may join devices to Azure AD.

Task 2: Assign a user the Helpdesk (password) administrator role

1. In the navigation pane, click Azure Active Directory.
2. Select Roles and administrators.
3. Select Helpdesk (Password) administrator.
4. Click Add assignment.
5. In the Add assignments blade, in the Select box, select the user you created in the previous lab.
6. Click Add.
7. In the navigation pane, click Azure Active Directory.

Exercise 2 Enable a Conditional Access Policy

Task 1: Open the Azure Active Directory admin center

1. Open Microsoft Edge and navigate to office.com and sign in using the global admin account you
have been assigned for this course.
2. Select the Admin tile
3. In Microsoft 365 admin center, in the navigation pane, click Show more, and then click Admin
centers. You may need to click Try the new admin center to switch to the classic Microsoft 365
admin center interface to follow these instructions.
4. Click Azure Active Directory. Verify that a new tab opens in Microsoft Edge.
5. In the navigation pane, select Azure Active Directory.
6. Select Conditional Access under the Security area.

Task 2: Enable the policy


1. In the Conditional Access - Policies area, in the navigation pane, select Baseline policy: Block
legacy authentication (Preview).
2. Select Enable policy - On.
3. Click Save.
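The baseline policy enabled in this task is a preconfigured preview; the same control can be expressed as an ordinary Conditional Access policy that you own and can tune. The following is an added example, not part of the course lab, that creates an equivalent policy with the Microsoft Graph PowerShell SDK: it blocks the legacy client types (Exchange ActiveSync and the "other" protocols that cannot perform modern authentication) for all users, excludes an emergency-access group so no one can be locked out, and creates the policy in report-only mode so sign-in logs can be checked before it is enforced. The group ID and display name are placeholders.

```powershell
# Added example: block legacy authentication with a Conditional Access policy
# (Microsoft Graph PowerShell SDK). Not part of the course lab.
# The group ID and display name are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Emergency-access ("break glass") group excluded so this policy can never lock out
# the accounts used to recover the tenant.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName = 'Block legacy authentication (all users)'
    # Report-only: the policy is evaluated and logged but does not block yet.
    # Change to 'enabled' once the sign-in logs show no legitimate legacy clients remain.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # 'exchangeActiveSync' and 'other' are the legacy client types; 'browser' and
        # 'mobileAppsAndDesktopClients' use modern authentication and are left alone.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: list every non-disabled policy that blocks the legacy client types,
# so you can confirm the control exists before switching it to enforced.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object {
        $_.State -ne 'disabled' -and
        $_.Conditions.ClientAppTypes -contains 'other' -and
        $_.GrantControls.BuiltInControls -contains 'block'
    } |
    Select-Object DisplayName, State, Id
```

Report-only first is the practical order: legacy protocols (IMAP, POP, SMTP AUTH, older Office clients) are still common in scanners and line-of-business scripts, and the sign-in log's report-only results show exactly which accounts would have been blocked.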

Exercise 3 Activate Azure Identity Protection

Task 1: Sign in to the Azure portal

1. In Microsoft Edge, open a new tab and navigate to https://ms.portal.azure.com/.


2. Sign in using your global admin account.
3. Select the Dashboard.
4. On the Azure dashboard page, click Marketplace.
5. On the Everything blade, in the Search Everything text box, type Azure Identity Protection, and
then press Enter.

Task 2: Enable Azure AD Identity Protection


1. In the returned list, click Azure AD Identity Protection.
2. On the Azure AD Identity Protection blade, click Create.
3. On the second Azure AD Identity Protection blade, click Create.

Task 3: Review current settings


1. In Microsoft Edge, open a new tab and navigate to https://portal.azure.com/#blade/Microsoft_AAD_ProtectionCenter/IdentitySecurityDashboardMenuBlade/Overview3.
2. On the Overview blade, on the Azure AD Identity Protection tab, in the navigation pane, click
Getting Started. Review the available information.

3 https://portal.azure.com/
Module 4 Microsoft 365 pricing and support

Microsoft 365 subscriptions, updates, licenses, and billing

Introduction
Microsoft 365 offers a variety of subscriptions and licenses from which to choose. In this lesson, you’ll be
introduced to the plans and options available to Microsoft 365 subscribers. You’ll then learn about how to
manage your Microsoft 365 subscription, including adding and removing user licenses. You’ll also learn
how Microsoft 365 billing works, including the different billing cycles, payment methods, and typical
lifecycle phases of Microsoft 365 from provisioning to retiring.
After this lesson, you should be able to:
●● Differentiate between the different Microsoft 365 subscription options.
●● Manage your Microsoft 365 subscription.
●● Add or remove a license from a user.
●● Manage your Microsoft 365 billing.
●● Explain the typical Microsoft 365 lifecycle phases.

Microsoft 365 subscription options


As you’ve learned in the previous modules, Microsoft 365 is a complete, intelligent software as a service
(SaaS)–based solution that includes Microsoft Office 365, Windows 10, and Enterprise Mobility + Security
all bundled into a single subscription. Different kinds of businesses have different requirements, so Micro-
soft offers a variety of subscriptions and plans to accommodate each organization’s needs. In this topic,
we’ll summarize these subscriptions.
Note: The plans, exact set of features, pricing, and licensing requirements can vary between countries
and regions. If you require a Microsoft 365 subscription for a non-US organization, contact your regional
sales representative to learn what subscriptions, plans, features, and pricing are available.

Microsoft 365 Enterprise

Microsoft 365 Enterprise provides enterprise-class services to organizations that want a productivity
solution that includes robust threat protection, security, compliance, and analytics features.
There are two available plans for Microsoft 365 Enterprise, letting you further refine what's included in
your implementation - E3 and E5. E5 includes all of the same features as E3 plus the latest advanced
threat protection, security, and collaboration tools.

Feature | E3 | E5
Windows 10 Enterprise | + | +
Word, Excel, PowerPoint, OneNote | + | +
Access | + | +
Exchange, Outlook | + | +
Microsoft Teams | + | +
StaffHub, PowerApps, Flow | + | +
Skype for Business | + | +
SharePoint, Yammer | + | +
Advanced Threat Analytics, Windows Defender Antivirus, Device Guard | + | +
Azure Active Directory Plan 1, Windows Hello, Credential Guard, DirectAccess | + | +
Microsoft Intune | + | +
Windows Autopilot, Fine Tuned User Experience, Windows Analytics Device Health | + | +
Windows Information Protection, BitLocker & Azure Information Protection P1 | + | +
Office 365 Data Loss Prevention | + | +
Delve | + | +
Power BI Pro, MyAnalytics |   | +
Audio conferencing, Phone System |   | +
Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence |   | +
Azure Active Directory Plan 2 |   | +
Azure Information Protection P2, Microsoft Cloud App Security, Office 365 Cloud App Security |   | +
Advanced eDiscovery, Customer Lockbox, Advanced Data Governance |   | +
(+ = included in the plan)
Microsoft 365 Enterprise licenses can be purchased through a Cloud Solution Provider (CSP) or with an
Enterprise Agreement (EA) subscription from Microsoft.
For the latest information about Microsoft 365 Enterprise plans, features, and pricing, go to Discover the
Microsoft 365 Enterprise solution that’s right for you1

Microsoft 365 Business

Microsoft 365 Business is designed for small- and medium-sized organizations. Like Microsoft 365
Enterprise, Microsoft 365 Business offers the full set of Office 365 productivity tools and includes security
and device management features. It does not include some of the more advanced information protec-
tion, compliance, or analytics tools available to enterprise subscribers. It is designed for organizations
that need up to 300 licenses; if your organization is larger than that, you will need to subscribe to a
Microsoft 365 Enterprise plan instead.
For the latest information about Microsoft 365 Business plans, features, and pricing, go to Microsoft 365
Business2.
For the latest information about Office 365 Business plans, features, and pricing, go to Office 365 for
Business3.

1 https://www.microsoft.com/en-us/microsoft-365/compare-all-microsoft-365-plans
2 https://www.microsoft.com/en-US/microsoft-365/business
3 http://aka.ms/AA50z67

Microsoft 365 Education

Microsoft 365 Education is available for educational organizations. Academic licenses can be tailored to
fit any institution’s needs, including productivity and security solutions for faculty, staff, and students.
For more information about Microsoft 365 Education, go to Microsoft 365 Education4.

Microsoft 365 for firstline workers


The Microsoft 365 F1 subscription plan connects your firstline workers - such as customer service repre-
sentatives, support and repair technicians, and service professionals - through purpose-built tools and
resources that allow them to do their best work. These people are commonly the first point of contact for
customers, and they need the right productivity and collaboration tools to do their jobs.
While Microsoft 365 F1 has many of the same features and services as Microsoft 365 E3, including
Microsoft's Yammer, SharePoint Online, Teams, and StaffHub collaboration tools, the F1 plan has been
modified to better fit the needs of firstline workers. For example, firstline workers do not generally use
virtual machines, so Microsoft 365 F1 includes Windows 10 E3, but without virtualization rights. Microsoft
365 F1 is also significantly less expensive than the Microsoft 365 E1 and E3 Enterprise plans.

Manage subscriptions in Microsoft 365


You can manage your Microsoft 365 subscription via the Microsoft 365 admin center. (Many functions
can also be performed via the Windows PowerShell command-line interface.) Administrators can view
billing and manage their subscription in the Subscriptions window. As highlighted in the following figure,
the More actions menu in the Subscriptions window is where administrators can:
●● Add a partner of record to identify who sold you your Microsoft 365 subscription.
●● Edit your subscription address.
●● Cancel your subscription.
●● Install software that is part of your Microsoft 365 subscription.

4 https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx

Manage updates to Microsoft 365


With Office 365, you receive new product updates and features as they become available instead of
scheduled updates that are months or years apart. As a result, you and your users will routinely experi-
ence new and improved ways to do your job rather than a costly and time-consuming company-wide
upgrade.
You can manage how your organization receives these updates. For example, you can sign up for an early
release so that your organization receives updates first. You can designate that only certain individuals
receive the updates. Or, you can remain on the default release schedule and receive the updates later.

Release Validation
Any new release is first tested and validated by the feature team, then by the entire Office 365 feature
team, followed by all of Microsoft. After internal testing and validation, the next step is a Targeted
release (formerly known as First release) to customers who opt in. At each release ring, Microsoft collects
feedback and further validates quality by monitoring key usage metrics. This series of progressive
validation is in place to make sure the worldwide-release is as robust as possible. The releases are
pictured in the following figure:

For significant updates, Office customers are initially notified by the Microsoft 365 Roadmap5. As an
update gets closer to rolling out, it is communicated through your Office 365 Message Center6 (This link
goes directly to the Message Center of your Office 365 tenant).

Standard Release
This is the default option where you and your users receive the latest updates when they're released
broadly to all Office 365 customers. A good practice is to leave the majority of users in Standard release
and IT Pros and power users in Targeted release to evaluate new features and prepare teams to support
business users and executives.

Targeted Release
With this option, you and your users can be the first to see the latest updates and help shape the product
by providing early feedback. You can choose to have individuals, or the entire organization receive
updates early.
Early preview features issued through targeted release might not be supported until they reach the
Worldwide standard release.

Benefits of Targeted release


Targeted release allows admins, change managers, or anyone else responsible for Office 365 updates to
prepare for the upcoming changes by letting them:
●● Test and validate new updates before they are released to all the users in the organization.
●● Prepare user notification and documentation before updates are released worldwide.
●● Prepare internal help-desk for upcoming changes.
●● Go through compliance and security reviews.
●● Use feature controls, where applicable, to control the release of updates to end users.

Manage licenses in Microsoft 365


When you buy a Microsoft 365 subscription, you specify the number of licenses that you need, based on
how many people you have in your organization. If you have more than one subscription, you can assign
licenses to different people for each subscription.
The Microsoft 365 admin center is where you create user accounts and assign licenses to them. As your
organizational needs change, you can buy more licenses to accommodate new people. You can also
remove a license from one user and reassign it to a different person. (For example, if someone leaves
your organization, you can reassign their license to another employee.) This helps you maintain the
correct number of licenses your organization needs without paying for unneeded additional licenses
(known as “over-licensing”) or running out of licenses.

5 https://products.office.com/business/office-365-roadmap
6 https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter

You can manage expired licenses in the admin center. If you don't renew a license or are past due paying
for the latest billing cycle, the user with the expired license won't be able to use all of their Microsoft 365
products. You either need to renew the license or assign them a different, active license.
You can also turn access to functions like Exchange Online or Microsoft Teams on or off within a single
license for each user. There are many services and tools within a single license that you can turn on or off
to fine-tune each user’s account settings. Note, however, that deactivating any or all features for a user
doesn't affect license consumption; these individual controls within the user’s product license are sepa-
rate from allocating (or removing) a license for a user.
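The license operations described above (assigning a license, switching individual services such as Exchange Online or Teams off inside it, and releasing the seat when someone leaves) can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the course: it checks that a seat is actually free before assigning, disables two service plans within the license, and shows how to verify the result. The user principal name, SKU part number and service plan names are placeholders chosen for illustration.

```powershell
# Added example: assign a Microsoft 365 license with selected service plans disabled,
# verify it, and release it (Microsoft Graph PowerShell SDK). Not code from the course.
# UPN, SKU part number and plan names below are placeholders.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$upn         = 'jane.doe@contoso.onmicrosoft.com'    # placeholder
$skuPart     = 'SPE_E5'                              # Microsoft 365 E5 (assumed SKU part number)
$plansToSkip = @('TEAMS1', 'EXCHANGE_S_ENTERPRISE')  # Teams and Exchange Online plans (assumed names)

# A usage location is required before any license can be assigned.
Update-MgUser -UserId $upn -UsageLocation 'US'

# Look up the subscribed SKU and refuse to continue if no seat is free, so the script
# fails clearly instead of silently over-allocating.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPart
if (-not $sku) { throw "SKU $skuPart is not part of this tenant's subscriptions." }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -le 0) {
    throw "No free $skuPart seats ($($sku.ConsumedUnits) of $($sku.PrepaidUnits.Enabled) consumed)."
}

# Map the service plan names we want switched off to their IDs within this SKU.
$disabledPlanIds = $sku.ServicePlans |
    Where-Object { $_.ServicePlanName -in $plansToSkip } |
    Select-Object -ExpandProperty ServicePlanId

# Assign the license with those plans disabled. The user still consumes one full seat:
# DisabledPlans changes what the user can use, not how many licenses are counted.
Set-MgUserLicense -UserId $upn `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlanIds }) `
    -RemoveLicenses @()

# Verify: show the assigned SKU and which plans are disabled for this user.
Get-MgUserLicenseDetail -UserId $upn | ForEach-Object {
    [pscustomobject]@{
        Sku           = $_.SkuPartNumber
        DisabledPlans = ($_.ServicePlans |
                         Where-Object ProvisioningStatus -eq 'Disabled').ServicePlanName -join ', '
    }
}

# Offboarding: remove the license so the seat can be reassigned to another person.
# Set-MgUserLicense -UserId $upn -AddLicenses @() -RemoveLicenses @($sku.SkuId)
```

Checking PrepaidUnits against ConsumedUnits before assignment is the scripted equivalent of the admin center's "licenses available" count, and the DisabledPlans hashtable is exactly the per-user service toggle the text describes.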

Various Office 365 admin roles can perform different licensing actions. The table below lists tasks each
admin role may perform as it relates to licensing:

Role | What they do in Office 365
Global administrator | Accesses all administrative features in the Office 365 suite of services in your plan, including Skype for Business. By default, the person who signs up to buy Office 365 becomes a global admin. Global admins are the only admins who can assign other admin roles, and only global admins can manage the accounts of other global admins. You can have more than one global admin in your organization.
Billing administrator | Makes purchases, manages subscriptions, opens and manages support tickets, and monitors service health.
License administrator | Adds, removes, and updates license assignments for users and groups (using group-based licensing), and manages the usage location of users. People in this role can't purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

Manage billing in Microsoft 365


Billing in Microsoft 365 is also managed from the Microsoft 365 admin center. The options available and
pricing associated with any account depend on your subscription and number of licensed users. Each
service has a specified price that's typically rated on a per-user, per-month basis.
You can review and modify all billing aspects in the Microsoft 365 admin center, including:
●● Current number of purchased licenses and how many of those licenses that you've allocated to users
for each service.
●● Any current charges due on an account.
●● Payment method and frequency (monthly or annual).
●● Additional services or features you might opt to add to the subscription.
●● Billing notifications, where you can provide a list of email accounts of who should receive automated
billing notifications and renewal reminders for the Microsoft 365 subscription.

Support in Microsoft 365


Introduction
In this lesson, you’ll learn about what support options are available in Microsoft 365, and the guarantees
and service-level agreements (SLAs) that it offers. You’ll also learn how to monitor your Microsoft 365
service health, how to create new service requests, and how to review the status of active service re-
quests.
After this lesson, you should be able to:
●● List what support options are available with Microsoft 365.
●● Discuss guarantees, SLAs, and capping of liability of the Cloud Service Provider.
●● Demonstrate how to create a service request and how to review any active service requests in your
subscription.
●● Demonstrate how to monitor your Microsoft 365 service health.

Support options in Microsoft 365


As a Microsoft 365 subscriber you have a variety of support options, but the details depend on your
specific situation:
●● Which subscription do you have? Does it include a service package?
●● Which service or tool do you need support for?
●● What kind of support do you need?
Here are the different ways and channels to get support for Microsoft 365:
●● FastTrack - Get direct access to Microsoft 365 planning materials and dedicated Microsoft FastTrack
project managers and engineers to help you deploy Microsoft 365.
●● O365 Assistant - The Microsoft 365 admin center has an automated assistance bot, the O365
Assistant, that’s designed to help you find answers to support questions. Accessed from the Need
help button, the bot offers a chat-based user experience.


●● Premier Support - Microsoft Premier Support Services is well suited for large and global enterprises
with strategic and critical dependence on Microsoft products, including Microsoft 365 and Microsoft
Azure. If you're a Premier Support Services member, you'll be assigned a technical account manager
and can add additional benefits like advisory services and on-site support. Premier support engineers
are assigned customer issues and can call in any Microsoft expertise that’s needed to solve the
problem.
●● Cloud Service Provider Tier 1 support - If you purchased your Microsoft 365 subscription through a
certified tier 1 Cloud Solution Provider (CSP), contact them directly for technical support. Your Tier 1
CSP is your first point of contact for all service-related issues. Tier 1 providers will escalate any issues
they can’t resolve directly to Microsoft to ensure that you get the help you need.
●● Telephone support - Some Microsoft 365 components provide phone support.
●● Microsoft 365 Tech Community - Connect to and collaborate with other customers, share your
experiences and problems, and learn from experts. Available at Microsoft 365 Tech Community7, get
access to Microsoft blog posts, announcements, and forum posts from other Microsoft 365 users.
●● Microsoft 365 support forums - Microsoft offers official support forums where you can ask ques-
tions and get answers from both Microsoft and community members. Different technologies and
services in Microsoft 365 have their own forums. Some of the more popular ones are:
Azure forums8
Windows forums9
Office forums10

7 https://techcommunity.microsoft.com/t5/Microsoft-365/ct-p/microsoft365
8 https://azure.microsoft.com/support/community/
9 https://answers.microsoft.com/windows/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
10 https://answers.microsoft.com/msoffice/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1

Microsoft 365 service level agreements


As with any cloud-based service offering, Microsoft 365 subscriptions come with a guaranteed amount of
uptime (for example, 99 percent average availability measured over a period of one year). The details of
the guarantee vary from one cloud service provider to another and are set out in a legal agreement be-
tween the cloud service provider and the customer, known as a Service Level Agreement (SLA).
In addition to your CSP's SLA, Microsoft offers Microsoft 365 subscribers a Microsoft Online Services
Agreement that documents Microsoft's commitment to achieve and maintain service levels for each service.

SLA considerations
Make sure you thoroughly review any service agreement before you sign it. Ask yourself the following
questions:
●● How does the CSP determine whether service levels are being achieved?
●● Who's responsible for measurement, and how can I obtain reports?
●● What exceptions are there in the SLA?
●● When the SLA is not met, what’s the remedy for the deficiencies?
●● What happens when maintenance (both scheduled and emergency) is performed?
●● What happens when a malicious hacker targets my organizations or the infrastructure that we’re
running on, and the result is downtime?
●● What happens when third-party system failures or services are not under the vendor’s control?
●● What happens if the service is brought down by acts of war or natural disasters, such as earthquakes,
floods, storms, tornadoes, or hurricanes?
●● What limits to the CSP’s liability are stated in the SLA?
Service level agreements also apply to technical support response times. As an example, the table below
lists a comparison of technical phone support options for Office 365 Business and Enterprise plans.
 

Severity | Description | Office 365 Business plans | Office 365 Enterprise plans
Critical | Events that prevent you from accessing or using your services or data, severely impact deadlines or profitability, or affect multiple users or services. | Available: 24/7; Response time: one hour | Available: 24/7; Response time: one hour
High | Events that affect the productivity of users but have moderate business impact, can be dealt with during business hours, or affect a single user, customer, or service. | Available: business hours; Response time: no commitment | Available: 24/7; Response time: next day
Non-critical | Events that have minimal service or productivity impact on the business, such as a single user experiencing partial disruption, but an acceptable workaround exists. | Available: business hours; Response time: no commitment | Available: 24/7; Response time: no commitment
 

Service requests in Microsoft 365


A service request is a formal request for help from Microsoft Support. You can create requests through
telephone support, online chat support, and email. Each customer case is identified by a unique code that
helps you track it through the support process.

Creating a service request


You can find help and figure out when to open a service request in the Microsoft 365 admin center. As
shown in the following image, toggle off the O365 Assistant bot in the Support pane, and then type in a
description of your issue and search for solutions. If you don't find a solution for your problem, create a
new service request by phone or by email.

View existing service requests


You can view the status of all your existing service requests. Either click View service requests under the
Support blade, or if you already have the pane open, select the circular arrow icon in the Need help tab
to see a list of your service requests.

Monitor Microsoft 365 service health


Microsoft constantly monitors the health of the services in Microsoft 365. This helps us ensure we're
meeting the SLA - our promise to you. You can also monitor the health of your services in the Microsoft
365 admin portal. You can view whether a service is up or down (available) and the performance of the
service. You can filter the list of subscriptions and services to view only what's most relevant to you - from
services with degraded performance to advisories to all services.

Select any entry to get more details. You can see the following:
●● A description of the problem
●● When the incident was first logged
●● Last update to the incident
●● Current status
●● User impact

Message center
To keep track of upcoming feature releases or issues, go to Message center. That's where we post official
announcements about new and changed features to enable you to take a proactive approach to change
management. Each post gives you a high-level overview of a planned change and how it may affect your
users, and links out to more detailed information to help you prepare.
Because major updates are most impactful to your organization, they are highlighted at the top of the
Message center.

Module Review
Test your knowledge of the content discussed in this module. The answers are provided at the end.
1. Which of the following Microsoft 365 subscription plans includes Microsoft Azure Active Directory Plan
2 for advanced identity and access management?
(A) Microsoft 365 Business
(B) Microsoft 365 E3
(C) Microsoft 365 E5
2. You are the Microsoft 365 subscription administrator at your organization. As of 10:00 AM this
morning, no one is able to connect their mailboxes to the Microsoft Exchange Online service. What should
you do to check the service status?
(A) Navigate to Service health in the Microsoft 365 admin center.
(B) Visit the Microsoft Office 365 online forum.
(C) Visit the Microsoft Azure online forum.
(D) Send an email to Microsoft support.
3. Your organization is looking for a Microsoft 365 offering that is built specifically for firstline workers.
Which plan should you choose?
(A) Microsoft 365 Education
(B) Microsoft 365 E3
(C) Microsoft 365 E5
(D) Microsoft 365 F1
(E) Microsoft 365 Business
4. You want to review the statuses of your existing Microsoft 365 service requests. What’s the best way to
do that?
(A) In the Microsoft 365 admin center, select View service requests under the Support blade.
(B) Search the Microsoft 365 support forums using your service request numbers.
(C) Only Tier 1 Cloud Service Providers have this information; you will need to call them.
(D) Email Microsoft Support.
5. Which of the following is an automated assistance bot designed to help you find answers to Office 365
support questions?
(A) FastTrack
(B) TechBot
(C) PremierBot
(D) O365 Assistant

6. Which of the following is a channel where you can get direct access to Microsoft 365 planning
materials and project managers?
(A) FastTrack
(B) Microsoft 365 Tech Community
(C) Premier Support
(D) Microsoft 365 support forums
Answers:
1.(C) 2.(A) 3.(D) 4.(A) 5.(D) 6.(A)

Lab - Managing subscriptions, licensing, and support in Microsoft 365
Lab Introduction
This lab is designed to reinforce the concepts you were introduced to and the knowledge you've gained
in this module. In this lab, you will use your trial Microsoft 365 account to gain hands-on experience
managing your Microsoft 365 subscription, licensing, and billing settings.
Important: This lab has three exercises, each with multiple tasks. For a successful outcome, the exercises
and their corresponding tasks must be completed in order.
To perform the tasks in the labs for this course you will need an Office 365 trial. You can use the trial you
may have acquired earlier in this course. To acquire an Office 365 Enterprise E5 trial, click here [11].
Note:
You may already have an Office 365 tenant connected to your Microsoft ID. However, you may not have
administrator access to perform the lab tasks in that tenant. What's more, you may not want to
perform these sample lab steps in your live production Office 365 environment.

Exercise 1 Explore Interfaces for Billing and Subscriptions

Task 1: Explore the billing environment

1. Open Microsoft Edge and navigate to http://www.office.com [12].
2. Sign in using the global admin account you have been assigned for this course.
3. Select the Admin
4. In Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Purchase
services. You may need to select Try the new admin center to view the classic interface and follow
these instructions. This is where you can add more Microsoft services to your account. Scroll through
the list of available services you can subscribe to in addition to Microsoft 365.
5. In Billing, select Subscriptions. This is where you manage your subscriptions.
●● Notice the information about the licenses available.
●● In the lower-right section of the main pane, click More actions.
This is where you can add a partner of record to your account, cancel the trial, or install software that’s
associated with your subscription. Spend a few minutes to explore each of these areas, but do not make
any changes.
6. In Billing, select Bills & payments. This is where you can review your subscription's billing
statements.

[11] https://go.microsoft.com/fwlink/p/?LinkID=698279&culture=en-US&country=US
[12] http://www.office.com/

●● This is the menu where you can select a certain billing period, but because this is a new trial you won’t
have any billing statements available to review.
7. In Billing, select Payment methods. This is where you can specify how to pay for your services.
8. Select +Add a payment method to review the type (or types) of payment methods that are available
in your region.
9. In Billing, select Licenses. This is where you manage your subscription licenses.
●● Note that for each type of subscription you will see the total number of licenses (both valid and
expired), in addition to the number of licenses that are assigned to users.
●● Don’t do anything with your licenses yet; we’ll step through managing licenses in the next exercise.
10. In Billing, select Billing notifications. This is where you can determine who receives automated
emails about Microsoft services billing.

Exercise 2 Manage Licenses

Task 1: Provision a new subscription and licenses for your tenant

1. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Purchase
services.
2. Scroll through the list of available services, and then select one that offers a free trial.
3. After signing up for the trial, in the Microsoft 365 admin center, in the navigation pane, expand
Billing, and then select Subscriptions to view the details of your new trial subscription and
associated licenses.

Task 2: Assign a user license


1. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Licenses.
Make a note of how many licenses have been assigned.
2. In the Microsoft 365 admin center select Users and select Active users. Here you can see the users
who exist in your tenant and which licenses are assigned to each user.
3. Select the user you created in an earlier lab. Click Edit next to Product licenses. Here you can change
the license assigned to the user or disable certain components of a given license.

Task 3: Remove a user license


1. In the Microsoft 365 admin center, in the navigation pane, expand Users, and then select Active
users, select the account you created earlier in the lab.
2. In the Product licenses area that appears, select Edit.
3. In the Product licenses window, set the Office 365 E5 license toggle to Off, and then select Save.
4. Select Close to confirm the changes, and then select Close to close the User configuration
5. In the Microsoft 365 admin center, in the navigation pane, expand Billing, and then select Licenses.

6. Confirm that an additional license has been freed up and can be re-assigned.

Exercise 3 Review Support Options

Task 1: Use the O365 Assistant bot

1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help pane that opens, ensure that the Try O365 Assistant is switched on.
3. In the Type Message field, enter a question concerning your Microsoft 365 subscription, such as, My
OneDrive for Business isn’t synchronizing.
4. Review the O365 Assistant’s responses:
●● Select a topic to review.
●● Step through the O365 Assistant’s questions.
●● Review the links to related support articles.

Task 2: Search Microsoft 365 support articles


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help pane that opens, ensure that the Try O365 Assistant is switched off.
3. In the text box, enter a question concerning your Microsoft 365 subscription, such as, “My OneDrive
for Business isn’t synchronizing,” then select Get help.
4. Under View solutions, review the links to related support articles.

Task 3: Check for recent support tickets


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select View
service requests.
2. In the Support tickets pane that opens, the list of your support tickets appears—which should be
none, as this is a new trial account.

Task 4: Begin to create a service request


1. In the Microsoft 365 admin center, in the navigation pane, expand Support, and then select New
service request.
2. In the Need help? pane that opens, ensure that the Try O365 Assistant is switched off.
3. In the text box, enter a question concerning your Microsoft 365 subscription, such as, My OneDrive for
Business isn’t synchronizing, then select Get help.
4. Review how to create a new phone request:

●● Under New service request by phone, review how you would enter your contact information and
attach any optional materials to help explain your support request. Do not enter any information or
select Call me, as this would create an actual service request.
5. Close New service request by phone when you’ve finished reviewing it.
6. Review how to create a new email service request:
●● Under New service request by email, review how you would enter your email address (or addresses)
and attach any optional materials to help explain your support request. Do not enter any information
or select Send, as this would create an actual service request.
7. Close New service request by email when you’ve finished reviewing it.
Module 5 Course Review

Course Review
Course Summary

https://www.youtube.com/watch?v=O4pMI3ZBXb4
