MS-900 Exam Prep: Microsoft 365 Fundamentals

About this Book


Copyright 2020 Thomas J Mitchell
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written consent of the author, except
in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without
warranty, either express or implied. Neither the author, nor publisher, will be held liable for any
damages caused or alleged to have been caused directly or indirectly by this book.

About the Author


Thomas Mitchell is a 25+ year veteran of the IT Industry. After spending the last two decades as
a Senior Engineer and Solutions Architect for several organizations, including national,
international, and global enterprises, Tom now focuses on teaching and providing freelance IT
consulting and solution design services for organizations around the world.
Tom's specialties include Microsoft Azure, Microsoft Active Directory, Microsoft 365, and
Messaging (Exchange & Exchange Online).
Tom is the founder of labITout.com, a website that IT professionals use to learn how to deploy
real-world IT solutions through guided labs. Tom has also trained over 40,000 students in over
200 countries through the Udemy platform.
Some of Tom’s highest rated courses include:
• MS-900 Exam Prep: Microsoft 365 Fundamentals Course
• AZ-900 Azure Exam Prep: Microsoft Azure Fundamentals in 2020
• Deploying and Managing Azure Virtual Machines
• Getting Started with Okta
• Extending On-Prem Active Directory into Microsoft Azure
• AZ-103 Exam Prep: Microsoft Azure Administrator
• Creating and Managing Azure Virtual Machines with PowerShell
• How to Perform an Express Migration from Exchange to O365
Tom also teaches several more highly rated courses on Udemy.

Contents
PREFACE
Who this Book is For
What this Book Covers
To Get the Most out of this Book
Get in Touch
BASIC CLOUD CONCEPTS
Cloud Computing Principles
Funding Models and Compute Costs
Cloud Computing Models
Cloud Service Types
Cloud Computing Benefits
Chapter Review: What You’ve Learned
KEY MICROSOFT CLOUD OFFERINGS
Microsoft Azure
Microsoft 365
Other Cloud Solutions
Chapter Review: What You’ve Learned
CORE MICROSOFT 365 SERVICES AND CONCEPTS
Windows 10 Enterprise
Exchange Online
SharePoint Online
Microsoft Teams
Microsoft Intune
Other Services in Microsoft 365
Office 365 ProPlus
Exchange Online vs Exchange Server
SharePoint Online vs on-premises SharePoint Server
Chapter Review: What You’ve Learned
DEPLOYING WINDOWS 10 AND OFFICE 365 PROPLUS
Planning Deployments
Windows 10 Deployment Options
Deployment Options for Office 365 ProPlus
Windows-as-a-Service
Office 365 ProPlus Updates
Office 365 Licensing and Activation
Chapter Review: What You’ve Learned
UNIFIED ENDPOINT MANAGEMENT
Device Management in the Modern Workplace
Enterprise Mobility + Security Components
Cloud-Connected Device Management
Chapter Review: What You’ve Learned
TEAMWORK IN MICROSOFT 365
Facilitating Teamwork in Microsoft 365
Working Together
Analytics in the Workplace
Chapter Review: What You’ve Learned
SECURITY FUNDAMENTALS
Pillars of Protection
Identity and Access Management
Threat Protection
Information Protection Concepts
Security Management
Chapter Review: What You’ve Learned
MICROSOFT 365 SECURITY FEATURES
Identity and access in Microsoft 365
Threat Protection in Microsoft 365
Microsoft 365 Security Center and the Secure Score
Chapter Review: What You’ve Learned
COMPLIANCE IN MICROSOFT 365
Service Trust Portal and Compliance Manager
Microsoft Compliance Center
Chapter Review: What You’ve Learned
MICROSOFT 365 PRICING AND SUPPORT
Microsoft 365 Subscription Options
Managing Microsoft 365 Licenses
Billing and Support in Microsoft 365
Chapter Review: What You’ve Learned
SO NOW WHAT?

PREFACE

The shift to the cloud is now in full swing. That being the case, it is critical that, as an IT
professional, you remain ahead of the curve by learning about the technologies that are in
demand. IT professionals who do not will quickly find themselves sidelined as a new crop of
cloud-centric engineers emerges.
I chose to focus on Microsoft 365 in this book because the Microsoft 365 offering features many
products and services that are now in demand. Whether it’s Windows 10 Enterprise, Office 365
ProPlus, Enterprise Mobility + Security, or any of the numerous underlying sub-services and
features, it’s critical that you understand them all – because if you can’t effectively plan, deploy,
and manage all aspects of the Microsoft 365 suite, you’ll be left behind.
Focusing on the Microsoft 365 suite has allowed me to create a book that not only teaches you
how to plan, deploy, and manage Microsoft 365, but it also prepares you for the Microsoft 365
Fundamentals certification exam.

Who this Book is For


Want to learn Microsoft 365? Whether it's Office 365 ProPlus, Windows 10, or Enterprise
Mobility + Security that you need to brush up on, this MS-900 exam-prep book will provide you
with a solid foundation which will enhance your career and improve your earnings potential.
Designed for those with little or no Microsoft 365 experience, this Microsoft 365 Fundamentals
book will not only provide you with the necessary knowledge to plan, deploy, and manage
Microsoft 365 services, but it will also prepare you for the MS-900 exam.
If you are looking for an entry point to Microsoft 365, this book is the way to go!

What this Book Covers


This book covers all of Microsoft 365 Fundamentals MS-900 exam objectives, including:
• Basic Cloud Concepts
• Core Microsoft 365 Services and Concepts
• Security, Compliance, Privacy, and Trust Options in Microsoft 365
• Microsoft 365 Pricing and Support Options
In Chapter 1, we'll cover basic cloud concepts. You’ll learn about the principles of cloud
computing and about funding models and compute costs. We'll then cover the different cloud
computing models and cloud service types, before rounding out the chapter by looking at the
benefits of cloud computing.
Chapter 2 will introduce you to key Microsoft cloud offerings. You'll learn about Microsoft
Azure, Microsoft 365, and even some other cloud platforms. You’ll learn what Microsoft Azure
is, and you’ll learn about key services that it provides. We'll then cover Microsoft 365. You'll
learn what Microsoft 365 is, and you'll learn about some of its key offerings. You'll also learn
how it differs from Office 365. We’ll also look at some of the core benefits of Microsoft 365 and
at the similarities among Amazon AWS, Google Cloud, and Microsoft Azure.
In Chapter 3, we'll cover the core services that are available to Microsoft 365 subscribers. You'll
learn about Windows 10 Enterprise, Exchange Online, and SharePoint Online. As you work
through Chapter 3, you’ll also learn about Microsoft Teams, Microsoft Intune, and several other
Microsoft 365 services. We’ll round out the chapter with Office 365 ProPlus and the differences
between the on-prem versions of Exchange and SharePoint and their cloud-based counterparts.
Chapter 4 will introduce you to deployment planning and deployment options for both
Windows 10 and Office 365 ProPlus. We’ll also cover Windows-as-a-Service, Office 365
ProPlus updates, and Office 365 licensing and activation.
Chapter 5 is essentially the halfway point of this book. In this chapter, we’ll cover unified
endpoint management, where you’ll learn about device management and the various Enterprise
Mobility + Security components.
In Chapter 6, you’ll learn about teamwork in Microsoft 365. We’ll cover ways that Microsoft
365 facilitates teamwork and look at the analytics options in Microsoft 365.
Chapter 7 introduces you to security fundamentals in Microsoft 365. In this chapter, we’ll cover
the four pillars of protection, identity and access management, and threat protection in Microsoft
365. We’ll also cover information protection concepts and security management in Microsoft
365.
In Chapter 8, we’ll get into Microsoft 365 security features. You’ll learn about identity and
access in Microsoft 365 and about threat protection in Microsoft 365. We’ll also cover the
Microsoft 365 Security Center and the Secure Score.
Chapter 9 represents the home stretch. In this chapter, you’ll learn about compliance in
Microsoft 365. We’ll cover the Service Trust Portal, Compliance Manager, and the Microsoft
Compliance Center.
Winding things down in Chapter 10, we’ll dive into Microsoft 365 pricing and support, where
you’ll learn about the various Microsoft 365 subscription options and about managing Microsoft
365 licenses. We’ll round out the chapter with billing and support in Microsoft 365.
By the time you finish this course, you should have a foundation level understanding of
Microsoft 365 and you should be able to pass the MS-900 exam.

To Get the Most out of this Book


This book is adapted from my best-selling Microsoft 365 course, entitled MS-900 Exam Prep:
Microsoft 365 Fundamentals. While this book includes most of the content from the online
course, it doesn’t capture the hundreds of visuals that the online course offers, nor the
infographic downloads, nor the quizzes, nor the end-of-course practice test. I highly recommend
picking up the course in addition to this book.
I also recommend that you join my Microsoft 365 learning group. It’s free to join!

Get in Touch
Be sure to connect with me! You can find me on LinkedIn. I also run labITout.com, the website
that IT professionals use to learn how to deploy real-world IT solutions.

CHAPTER 1
BASIC CLOUD CONCEPTS

Welcome to Basic Cloud Concepts! In this chapter, we're going to cover several topics. We're
going to start off with the principles of cloud computing, and then we'll dive into funding models
and compute costs. We’ll then discuss the different cloud computing models and cloud service
types. We’ll round things out by looking at the benefits of cloud computing.

Cloud Computing Principles


Cloud computing refers to the delivery and use of various compute resources over the internet.
By leveraging cloud computing services, organizations can “rent” instead of “own” their
resources. This eliminates the headache of maintaining servers, storage, and other hardware that
you would normally have to deal with to support on-prem solutions.
By renting resources from a cloud provider like Microsoft, organizations can shift many of their
support and maintenance responsibilities to the cloud provider. This allows the organization to
focus on its actual business, rather than on the underlying infrastructure. The underlying
maintenance and support can be left to the cloud provider.
Microsoft offers a wide range of services. The most common of these are compute services,
communications services, productivity services, search services, and storage services.
Compute services are useful when you need to run your own virtual machines, web apps, and
other types of computing solutions in the cloud - instead of on physical hardware that resides in
an on-prem datacenter. Microsoft Azure Virtual Machines are probably the most common type
of cloud-based compute services available to Microsoft customers.
Communications services are used to establish communications between users. Popular
communication services offered by Microsoft include Microsoft Exchange Online and Microsoft
Teams.

Exchange Online is a cloud-based version of the on-prem Microsoft Exchange offering. This
offering provides services such as email, calendar, and contact sharing. Teams, which has
replaced Skype, provides instant messaging services for end users, along with
computer-to-computer audio and video calls. It also facilitates document sharing and collaboration among
team members.
Productivity services like Microsoft Office 365 facilitate collaboration among team members.
Search services offer search functionality (no surprise). This search functionality can be
integrated into custom applications. The Azure Search service, quite obviously, would be a prime
example of search services that are offered.
Storage services, not surprisingly, provide a platform that organizations can use to store data.
Storing data in Azure makes it more easily accessible by users from all kinds of devices.
Microsoft Azure Storage and Microsoft OneDrive for Business are two good examples of storage
services that Microsoft makes available.

Funding Models and Compute Costs


Because cloud computing changes how and where an organization uses computing resources, it
also changes the funding model. The funding model governs the costs associated with computing
and it changes when an organization moves to cloud computing because the costs become
operating expenditures, rather than capital expenditures.
Capital expenditures, which are referred to as CapEx, are costs that are incurred when an
organization purchases or upgrades physical hardware, such as servers and networking
equipment. CapEx also includes things like datacenters and office buildings. When a CapEx
purchase is made, the equipment or real estate purchased is typically amortized over several
years, instead of being deducted in full in the first year.
Operating expenditures, which are referred to as OpEx, are costs that are incurred by an
organization while performing its normal day-to-day operations. OpEx costs typically include
things like electricity, cost of employees, office space, and other ongoing business expenses. An
organization’s management team is ultimately responsible for keeping OpEx costs to a minimum
without negatively affecting the organization’s operations.
OpEx costs, unlike CapEx costs, are typically expensed each year, rather than being amortized
over time. Let’s see how each of these funding models relates to cloud computing and to
traditional on-premises costs.
On-Prem Compute Costs
An organization that runs a traditional, on-prem datacenter will usually have to pay for server
costs, storage costs, network costs, datacenter infrastructure costs, costs associated with backups
and disaster recovery, and personnel costs. That’s a lot of money!
Server costs generally include server hardware components as well as the costs of supporting that
hardware. Whenever a server or other hardware component needs to be replaced or added to a
datacenter, you use the CapEx bucket to pay for it. Since this is an up-front cost, it affects the
organization’s cash flow. However, as mentioned previously, the hardware cost can be amortized
over several years.

Storage costs usually include all storage-related hardware components as well as the cost of
supporting that hardware. In larger organizations, these costs can become quite large – and as
was the case with server costs, storage costs also fall into the CapEx bucket.
Network costs include networking hardware such as cabling, switches, routers, and the like.
WAN connections and internet connections also fall under network costs. These network
hardware expenses fall into the CapEx bucket, just like storage hardware and server hardware
costs.
Backup and archive costs are generally split between CapEx and OpEx. While the hardware
costs associated with a backup and archive infrastructure fall under CapEx, consumables like
tapes and backup maintenance support typically fall under OpEx.
Business continuity and disaster recovery costs are usually considered mostly CapEx, because
they typically include redundant hardware, backup generators, and even redundant datacenters.
However, the infrastructure and personnel costs are typically considered OpEx.
Datacenter infrastructure costs, like electricity, floor space, and cooling, are generally
considered OpEx expenses.
Technical personnel, or IT staff, is considered an OpEx cost.
Cloud Compute Costs
So, what about cloud computing costs? Which buckets do these costs fall into?
Instead of physical hardware and datacenter costs, cloud computing incurs different costs, which,
for accounting purposes, are all OpEx. These costs include things like VM leases, software
leases, and charges incurred as a result of scaling out.

VM leases are considered OpEx because the cost is usually based on the pay-per-use model. The
same thing goes for software leases.
Scaling charges that are based on demand instead of fixed hardware or capacity are usually
billed as you go as well. That being the case, these charges also fall under OpEx.
So, as you can see, the lion’s share of computing costs is suddenly switched to OpEx when an
organization moves to the cloud.

Cloud Computing Models


There are three primary cloud computing models. They include the public cloud model, the
private cloud model, and the hybrid cloud model. Let’s review the properties of each, as well as
the benefits of each.
Public Cloud
The public cloud model is the most common cloud deployment model. In a public cloud model,
the organization has no local hardware to manage or maintain. All resources and services run on
the cloud provider’s hardware. The IT infrastructure, including hardware, servers, and software,
resides somewhere other than the on-prem datacenter – and it’s managed by the cloud provider.
There are two different types of public cloud. They include the shared public cloud and the
dedicated public cloud.
A shared public cloud allows all customers of a cloud service provider to share common resources
within the provider’s environment. However, each customer can only see its own tenant. The cloud
provider is the only one that can see all of the different tenants – and it is this cloud provider who
manages the multi-tenant environment. The shared public cloud model is often a good choice for
smaller businesses because, by sharing resources with other customers, it helps them save
additional costs.
A dedicated public cloud is typically reserved for larger enterprise organizations. This model
features a dedicated physical infrastructure that’s reserved for the organization only. Although
the costs associated with a dedicated public cloud are often higher than those of a shared public
cloud, a dedicated public cloud will often offer better security, performance, and customization.
Some key advantages of the public cloud model include lower costs and no maintenance
requirements. Public cloud costs are lower because there is no need to purchase hardware or
software. The ability to pay as you go also contributes to the reduced costs. Public clouds also
offer near-unlimited scalability, meaning you can automatically provision on-demand resources
as they are needed. And last, but not least, public clouds offer high reliability because they rely
on a vast network of underlying hardware.
Private Cloud
A private cloud is a cloud environment that you deploy into your own datacenter. You manage
the cloud hardware and you provide self-service access to your compute resources to the users in
your organization. A private cloud is essentially a simulation of a public cloud as far as your
users are concerned. However, your organization is 100% responsible for the purchase and
maintenance of the underlying hardware and the services that you provide.
Although they are more expensive than public clouds, private clouds offer more flexibility than
their public counterparts because they can be customized to meet specific business needs – and
because the resources within a private cloud are not shared with other organizations, they offer
improved security as well. Private clouds also offer similar scalability and efficiency to that of a
public cloud.
Hybrid Cloud
A hybrid cloud is essentially a combination of a public and a private cloud. Hybrid clouds allow
organizations to run their applications in whichever location is most appropriate. A typical use
case for a hybrid cloud would be a situation where an organization wants to host a public-facing
website in the public cloud that connects back to a secure database that’s hosted in the private
cloud, or even in an on-prem datacenter.
Organizations will often deploy hybrid clouds when they need to protect sensitive data or when
they wish to extend the capabilities of their on-prem systems. For example, an organization that
needs to run an application that will only run on an older OS or on older hardware, might opt to
keep the old system running locally, but connect it to the public cloud for authorization or
storage.
Hybrid clouds can also be used to reduce data protection costs. For example, if your organization
needs to deploy a PKI and Information Rights Management infrastructure to protect its data, the
cost of doing so locally might be quite high. However, enabling these features from the cloud
will allow you to protect both your cloud and on-prem data and documents.
Some key advantages of the hybrid cloud model include increased control, the ability to leverage
resources in the public cloud when they are needed, and a cost-effective way to scale out to the
cloud when needed. A hybrid cloud also eases the transition of your workloads to the cloud.
However, there are a couple of caveats to consider when thinking about deploying a hybrid cloud.
Not only is a hybrid cloud more complicated to set up and manage, but it’s often more expensive
than choosing just one model – be it public or private.

Cloud Service Types


When deploying a cloud solution, you have a choice of three main cloud service types. They
include infrastructure-as-a-service, platform-as-a-service, and software-as-a-service.

Infrastructure-as-a-Service (IaaS)
Infrastructure-as-a-Service, or IaaS as it is known, is the most flexible cloud service type
available, because it provides you with complete control over the underlying hardware that runs
your application. Instead of purchasing physical hardware like servers, switches, routers, and
such to host your app, infrastructure-as-a-service allows you to rent it.

While infrastructure-as-a-service offers more control, due to the associated hardware costs, it is
not a good solution for organizations that are interested in minimizing their infrastructure and
application maintenance costs.
Platform-as-a-Service (PaaS)
Platform-as-a-Service, or PaaS, provides organizations with a platform they can use to build,
test, and deploy software solutions. That being the case, platform-as-a-service is not usually a
good fit for organizations that require a service like Exchange Online, which is already fully
developed.
The purpose of platform-as-a-service is to allow organizations to create applications quickly,
without having to deal with the deployment or management of any underlying infrastructure. For
example, an organization that deploys a web application using platform-as-a-service can do so
without having to install an operating system or even the web server software itself. The
organization won’t even have to worry about system updates.
Software-as-a-Service (SaaS)
Software-as-a-Service refers to software that is centrally hosted and managed for the customer.
This service type typically provides the same version of the software or application to all
customers. The software or application usually runs on-demand in either a web browser or via
Remote Desktop Services. It’s usually licensed via a monthly or annual subscription, and
because it’s accessed remotely over the internet, it usually doesn’t require deployment or any
ongoing maintenance.
Services like Microsoft 365 and Exchange Online are typical examples of software-as-a-service
offerings because they deliver software products over the internet, on a subscription basis.

Cloud Computing Benefits


There are many benefits to moving to the cloud. Let’s take a look at some of the key benefits of
cloud computing.
Cost-Effective
Cloud computing works on a pay-as-you-go model. This means that organizations can rent
hardware and pay only for the resources that they use, instead of paying upfront for hardware.
Scalability
The ability to scale is critical to organizations that have to keep up with application demands.
Cloud computing allows such organizations to leverage both vertical and horizontal
scaling.
Vertical scaling, which is also known as scaling up/down, refers to the ability to add resources to
an existing server to increase its power. For example, you might scale a virtual machine
vertically by adding additional processors or more memory to it.
Horizontal scaling, which is also known as scaling in/out, refers to the addition of more servers that
function as one unit. An example of horizontal scaling would be a scenario where you add a
second web server to handle the load of a web front end, instead of adding hardware to the first
server. VM Scale Sets, in Azure, operate on the principle of horizontal scaling.
Generally speaking, scaling in/out is the preferred scaling solution.
Elasticity
While scalability is critical to organizations because it allows them to keep up with growing
demand for applications, elasticity is just as critical because it allows a chosen computing
solution to automatically add resources as demand increases and to remove resources as demand
drops.
An example of elasticity would be a website that’s promoting the launch of a new product.
Leading up to the product launch, there is lots of press around the upcoming product. Before the
launch occurs, there is a consistent number of people visiting the website to read about it.
However, once the product launches, there is a crush of traffic hitting the website. Because the
cloud is elastic, additional compute resources are automatically allocated for the website to
handle the increased traffic. In the days following the launch, as traffic subsides a bit, the cloud
will notice that there are too many resources allocated for the website. As a result, it will begin to
remove those resources automatically. This saves the organization money.
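The launch scenario above, worked as a small simulation. This is an added example, not part of the original book; the traffic figures, per-server capacity, price, and scaling rules are all assumptions made for illustration.

```python
import math

# Constructed sample input: average requests per second for each hour around the launch.
# Hours 0-5 are steady pre-launch interest, hour 6 is the launch, then traffic subsides.
LAUNCH_TRAFFIC_RPS = [200, 220, 210, 230, 220, 240, 1900, 1700, 1200, 700, 400, 250]

# All values below are assumptions made for this illustration.
MAX_RPS_PER_SERVER = 250          # load at which one web server is saturated
TARGET_RPS_PER_SERVER = 200       # scale so each server runs at about 80% of saturation
PRICE_CENTS_PER_SERVER_HOUR = 10  # pay-as-you-go price per server, per hour


def autoscale(traffic, min_servers=2, max_servers=10):
    """Return the number of servers running in each hour (horizontal scaling).

    Scale out immediately to the desired count; scale in by one server per
    hour so that a brief dip in traffic does not cause servers to flap.
    """
    servers = min_servers
    timeline = []
    for rps in traffic:
        desired = math.ceil(rps / TARGET_RPS_PER_SERVER)
        # Floor keeps redundancy; ceiling bounds the bill if traffic floods in.
        desired = max(min_servers, min(max_servers, desired))
        if desired > servers:
            servers = desired
        elif desired < servers:
            servers -= 1
        timeline.append(servers)
    return timeline


def elastic_cost_cents(timeline):
    """Pay only for the server-hours that were actually allocated."""
    return sum(timeline) * PRICE_CENTS_PER_SERVER_HOUR


def fixed_cost_cents(traffic):
    """Cost of sizing for the peak hour and leaving that capacity running."""
    peak_servers = math.ceil(max(traffic) / TARGET_RPS_PER_SERVER)
    return peak_servers * len(traffic) * PRICE_CENTS_PER_SERVER_HOUR


def overloaded_hours(traffic, timeline):
    """Hours in which demand exceeded what the allocated servers could handle."""
    return [
        hour
        for hour, (rps, servers) in enumerate(zip(traffic, timeline))
        if rps > servers * MAX_RPS_PER_SERVER
    ]


if __name__ == "__main__":
    timeline = autoscale(LAUNCH_TRAFFIC_RPS)
    print("servers per hour:", timeline)
    print("elastic cost (cents):", elastic_cost_cents(timeline))
    print("fixed-for-peak cost (cents):", fixed_cost_cents(LAUNCH_TRAFFIC_RPS))
    print("overloaded hours:", overloaded_hours(LAUNCH_TRAFFIC_RPS, timeline))

    # Same traffic with a tighter ceiling on automatic scaling.
    capped = autoscale(LAUNCH_TRAFFIC_RPS, max_servers=6)
    print("capped servers per hour:", capped)
    print("capped overloaded hours:", overloaded_hours(LAUNCH_TRAFFIC_RPS, capped))
```

Capping the maximum at 6 servers lowers the bill but leaves the site overloaded during the two busiest hours, which is the trade-off an upper limit on automatic scaling introduces.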
Up to Date
A company like the Blue Widget Corporation makes widgets. Instead of dealing with system
upgrades, configuration, and other kinds of IT management tasks, the Blue Widget Corporation
can focus on its core business while allowing the cloud service provider to handle all of these
tasks. Because the cloud service provider maintains the underlying hardware that runs the
systems that support the Blue Widget Corporation, it is the cloud provider that will ensure the
hardware is always the latest and greatest.
Reliability
Organizations obviously require reliable IT solutions. If the IT infrastructure of an organization
is not solid, this will often negatively affect the organization’s earnings. By leveraging cloud
computing, organizations can be sure that their data is always available and that their
applications are always running.
By leveraging cloud computing, organizations can focus on their core businesses, instead of
dealing with IT management tasks - and they can do so while reducing their IT costs. This is
what makes cloud computing so attractive.

Chapter Review: What You’ve Learned


Congratulations! You’ve reached the end of Basic Cloud Concepts! Let’s review what you’ve
learned.
In this chapter, we covered several basic cloud computing topics. We started off with the
principles of cloud computing, and then we dove into funding models and compute costs. Next,
we discussed the different cloud computing models and cloud service types. We rounded things
out by looking at the benefits of cloud computing.

CHAPTER 2
KEY MICROSOFT CLOUD OFFERINGS

Welcome to Key Microsoft Cloud Offerings. In this chapter, we are going to take a look at
Microsoft Azure, Microsoft 365, and even some other cloud platforms.
You’ll learn what Microsoft Azure is and about key services that it provides. We’ll take a look at
Azure Active Directory, Azure Information Protection, Azure Backup, and the Azure Content
Delivery Network. We will also talk a little bit about Azure Key Vault, Multi-Factor
Authentication, Azure Virtual Machines, and Azure Virtual Networks.
Next, we will cover Microsoft 365. We are going to talk about what Microsoft 365 is, about
some of its key offerings, and how it differs from Office 365. We’ll also look at some of the core
benefits of Microsoft 365.
We’ll wrap this chapter up by looking at the similarities among Amazon AWS, Google Cloud,
and Microsoft Azure.
By the time we finish this section, you should have a pretty good understanding of what
Microsoft Azure brings to the table, what Microsoft 365 brings to the table, and how AWS and
Google are similar to Microsoft.

Microsoft Azure
Azure is Microsoft’s cloud computing platform. Organizations use it to deploy and manage
applications and services. It’s hosted by a global network of Microsoft managed data centers.
Leveraging Microsoft Azure allows organizations to deploy, in days or weeks, solutions that, at
one time, took months to deploy.
While Microsoft Azure offers well over 100 different services, some are more important than
others.
Azure Active Directory, for example, is used for identity management and access control for
cloud applications and resources. You can even synchronize Azure AD with traditional on-prem
Active Directory domain controllers. Azure AD also offers single sign-on, or SSO, capabilities
that allow you to simplify access to cloud applications for your users by allowing them to log in
to all apps and resources using a single set of login credentials.
Azure Information Protection, or AIP, is an offering that allows organizations to use encryption,
identity, and authorization policies to protect their sensitive information.
Azure Backup can be used to back up machines to the cloud and to restore from the cloud.
The Azure Content Delivery Network allows organizations to provide content to their users,
regardless of their location in the world, through a network of global data centers. The purpose of
the content delivery network is to allow delivery of this content with minimal latency and
increased availability.
Azure Key Vault is used to protect and manage keys, certificates, and other secrets in Azure.
These secrets can be protected using hardware security modules, or HSMs.
Multi-Factor Authentication is another key offering available through Azure. It allows you to
configure multiple methods of authentication, which, in turn, helps prevent unauthorized access
to not only cloud applications, but also to on-prem applications.
Virtual Machines and Virtual Networks are two of the staples of Microsoft Azure. They allow
you to create virtual networks within Azure and to deploy Windows servers and Linux servers in
Azure, and to connect them to your virtual networks. Your virtual networks can then be
connected to on-prem networks through various VPN connections.
To read more about the many different Azure services that are available, visit this URL.

Microsoft 365
Microsoft 365 is actually a collection of three main products, each of which consists of its own
sub-collection of products and services. When you purchase a Microsoft 365 subscription, you
get Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security, or EMS.
Office 365 Enterprise includes Office 365 ProPlus, which is Microsoft’s suite of the latest
Office apps for PC and Mac. Office 365 ProPlus includes things like Microsoft Word, Excel,
PowerPoint, and Outlook. It also includes several online services for email, file storage,
collaboration, and meetings.
Windows 10 Enterprise is Microsoft’s flagship desktop operating system (you probably already
knew this). It features robust deployment, device management, and application management
features.
Enterprise Mobility + Security allows organizations to more effectively manage and protect their
users, devices, apps, and data in a mobile-centric cloud environment. EMS includes Microsoft
InTune, Azure AD Premium, and Azure Rights Management.
Microsoft 365 versus Office 365
The terms “Microsoft 365” and “Office 365” are often used interchangeably.
Office 365 is a productivity suite that bundles several productivity tools into a
software-as-a-service model. As I mentioned earlier, Office 365 includes the latest Office
applications and some other online services.


Microsoft 365, however, is different. It’s actually a larger offering that includes Office 365
Enterprise, Windows 10 Enterprise, and EMS. You can view Microsoft 365 as an umbrella of
offerings, under which Office 365 falls.
Microsoft 365 Benefits
Because it’s an umbrella of services that includes Office 365, Windows 10 Enterprise, and
Enterprise Mobility and Security in a single subscription, Microsoft 365 helps organizations in
several different areas.
Creativity
The powerful capabilities of Microsoft 365 can be used by users to create slick presentations,
mixed-reality experiences, and other high-quality content. With its AI-powered tools, Microsoft
365 also helps organizations turn data into actionable insights.
Teamwork
Microsoft 365, as you would expect, also provides several tools that can be used to facilitate
teamwork and collaboration within organizations. A tool like Microsoft Teams, for example,
allows users to collaborate in real time. It allows them to chat, hold meetings, and even share
files and applications.

Users can leverage Microsoft Outlook to access email, calendars, contacts, and documents.
SharePoint Online is another collaboration tool. It allows users to share things like news,
applications, and even resources across the organization by building portals and dynamic sites.
OneDrive for Business provides users the ability to securely share files and to track versioning
history.
Simplicity
Because Microsoft 365 allows organizations to centrally provision, deploy, and manage all of
their devices, whether they are mobile devices or PCs, Microsoft 365 vastly reduces IT
complexity and lowers costs. It helps organizations become more agile as a result. Leveraging
cloud security allows organizations to improve their security posture, while allowing them to
administer their applications, their services, their devices, their data, and their users, all from a
single web-based admin portal.
Security
Microsoft 365’s holistic approach to security allows organizations to protect users, devices,
applications, and data. Its built-in intelligent security protects organizations against threats and
even offers automated remediation of many of those threats.

Other Cloud Solutions


The big three providers (Azure, AWS, and Google Cloud) all offer scalable computing
resources on demand. The services are all actually quite similar. Where they really
differ is in the pricing models and in which services are supported.
AWS and Google Cloud both offer a few different storage plans that can accommodate the hot
storage and cold storage requirements of organizations. While the features and pricing may differ
from Microsoft’s offerings, the purpose of the offerings remains the same - to reduce costs and to
improve access speeds to data.
Each of these providers also offers its own set of analytics tools. That said, the supported
technologies and programming models for each differ a bit, depending on the platform. Both
AWS and Google also offer development tools that organizations can use to build, deploy, and
manage applications - just like Microsoft does.
And last but not least, all three cloud providers offer the basics, which include networking
services, content delivery services, management tools, and security features. As you would
expect, the tools available from each provider will differ in many ways, including the levels of
control that each offers and the ease of use of each tool.

Chapter Review: What You’ve Learned


Congratulations! You’ve reached the end of Key Microsoft Cloud Offerings. Let’s review what
you’ve learned.
We kicked things off by taking a look at Microsoft Azure. You learned what Microsoft Azure is
and about key services that it provides. We covered Azure Active Directory, Azure Information
Protection, Azure Backup, and the Azure Content Delivery Network. We also talked a little bit
about Azure Key Vault, Multi-Factor Authentication, Azure Virtual Machines, and Azure Virtual
Networks.
We then dove into Microsoft 365. You learned what Microsoft 365 is, about some of its key
offerings, and how it differs from Office 365. You also learned about the core benefits of
Microsoft 365.
We wrapped up by looking at the similarities among Amazon AWS, Google Cloud, and
Microsoft Azure.


At this point, you should have a pretty good understanding of what Microsoft Azure brings to the
table, what Microsoft 365 brings to the table, and how AWS and Google Cloud are similar to
Microsoft.

CHAPTER 3
CORE MICROSOFT 365 SERVICES AND CONCEPTS

Welcome to Core Microsoft 365 Services and Concepts. In this chapter, we are going to cover
the core services that are available to Microsoft 365 subscribers.
We’re going to start off by taking a look at Windows 10 Enterprise, where we’ll review the
different features and benefits it offers. We will then take a look at Exchange Online and the
features and benefits that it brings to the table. After covering Exchange Online, we’ll dive into
SharePoint Online and its features and benefits.
Next, we’ll look at the benefits of Microsoft Teams and of Microsoft InTune. We’ll look at
the ways that Teams facilitates collaboration, and at how Microsoft InTune facilitates
management of mobile devices.
Later on, we’ll touch on several other services in Microsoft 365. We’ll quickly review services
such as Yammer, Project Online, Office Visio Pro for Office 365, and several other Microsoft
365 services.
We will then look at Office 365 ProPlus. You’ll learn what applications are included in Office
365 ProPlus and how it compares to Office Professional 2019. We’ll also cover the different
deployment options for Office 365 ProPlus.
After learning about Office 365 ProPlus, you’ll learn about the differences between Exchange
Online and the on-prem Exchange Server offering. We’ll round things out by covering the
differences between SharePoint Online and SharePoint Server.
By the time you finish this chapter, you should have a pretty broad understanding of the different
core Microsoft 365 services that are available to you.

Windows 10 Enterprise
Windows 10 Enterprise is a staple of any Microsoft 365 subscription. It offers organizations
intelligent security, flexible management, streamlined updates, and robust productivity tools.
Security Intelligence
Windows 10 comes with many built-in tools that organizations can use to detect and
automatically respond to malware and hacking threats. It provides protection for not only user
identities and devices, but also data. The intelligent security graph allows Windows 10 to
investigate and remediate threats as they evolve. The combination of intelligence, machine
learning, and behavioral analytics that the intelligent security graph leverages results in faster
response times when threats are detected. The best part about all of this protection is that it’s
built-in.


Management Flexibility
Windows 10 also comes with several tools that organizations can use to deploy, manage, and
update their devices – even if their users are remote. Organizations can customize their devices
and leverage built-in endpoint management. They can also manage corporate identities and data
on personal devices without affecting any personal data on those personal devices.
Windows 10 makes it easier for organizations to move to cloud-based device management that
can be performed using tools such as InTune and Config Manager. Users can even run
incompatible applications on Windows 10 devices by leveraging Windows Virtual Desktop.

Streamlined Updates
Instead of offering major upgrades every few years, like they’ve done in the past, Microsoft has
moved to a different update model that offers feature updates twice a year. That said, it’s
important to note that 99% of applications that run on Windows 7 will run on Windows 10.
Because of this new flexibility, organizations can manage and distribute their
updates by leveraging Microsoft infrastructure or by leveraging whatever current method they
are using. To ensure Windows updates are as minimally disruptive to organizations as possible, the
updates become smaller and easier to distribute with every new release.
Productivity Tools
A key benefit of Windows 10 is the improved productivity that it facilitates. It facilitates
improved productivity by providing faster and safer ways for users to get work done. For
example, users can use Cortana to find applications, documents, and messages, while using
Timeline to get a chronological look at their activities and documents. Windows 10 users can
also collaborate through Office 365 apps, OneNote, and even Microsoft Whiteboard.


Exchange Online
Exchange Online is Microsoft’s cloud-based messaging and collaboration platform. It’s used by
organizations all over the world - mostly for email, calendaring, and contact info. Exchange Online
supports Microsoft Outlook, Outlook Web Access, and Outlook Mobile. It can be accessed by
users from Android devices, iOS devices, and Windows 10 devices.
When an organization deploys Exchange Online, its users each get their own 50GB mailboxes
for storing emails. Some Office 365 plans also offer online archives for users that provide
additional storage.
In addition to a mailbox, each user gets a calendar that can be used to track upcoming events and
appointments. Users can also use their calendars to check the availability of coworkers and to
book meetings. They can even delegate access to their calendars so that other users can access
them if needed.
A cool feature of Exchange Online is the ability for users to view and edit their attachments right
online in Outlook for the Web. The locally installed version of Office/Outlook is not even
necessary.
Shared mailboxes allow groups of users to share information via a central mailbox, while
resource mailboxes can be set up for meeting rooms and equipment. These resource mailboxes
can be used to reserve those rooms and resources.
For organizations that still rely on public folders, this feature is (unfortunately) still available in
Exchange Online. I, personally, would like to see public folders go away.

Exchange Online also features lots of message policies and compliance features, including
message encryption, e-discovery, retention policies, data loss prevention, and journaling.


To protect against spam and malware, every Exchange Online subscription comes with
Exchange Online Protection. Exchange Online Protection, or EOP, is a configurable anti-spam
and anti-malware solution.
Because Microsoft recognizes there are organizations with specific mail flow requirements,
Exchange Online also allows you to create connectors to facilitate these specific mail flow
requirements. An example of this would be a send connector that enforces certain security
settings whenever mail is sent to a specific domain. This is often seen in the medical, financial,
and legal fields.
Exchange Online also offers the flexibility of mobile access and multiplatform access. This
means that Exchange Online users can access their mailboxes and calendars via Outlook from
both Windows machines and Mac machines, using MAPI over HTTPS. They can also use
Outlook on the Web to access their mailboxes and calendars from virtually anywhere in the
world. The Microsoft Exchange ActiveSync service allows users to access their mailboxes and
calendars from mobile devices.
Organizations that require a hybrid solution can integrate Exchange Online with their on-prem
Exchange Servers. This can be done by creating what is called a hybrid deployment. A hybrid
deployment allows the Exchange Online organization and the on-prem Exchange organization to
share a single namespace (or domain) for messaging. Correctly configured hybrid deployments
also allow for calendar sharing between the on-prem users and the cloud users. Hybrid also
facilitates mailbox moves between Exchange Online and the on-prem Exchange Server.

To facilitate migrations from on-prem Exchange Servers and IMAP messaging services to
Exchange Online, Microsoft offers several migration tools.
As you can see, Exchange Online is a rather robust messaging platform that offers several
collaboration tools, management tools, and migration tools.

SharePoint Online
SharePoint Online is Microsoft’s cloud version of its original SharePoint server offering. This
service allows an organization’s users to access information from virtually any device.
SharePoint Online is often used to create team-centric sites, which facilitate improved
communication and collaboration among team members.


An internal user must be assigned an appropriate Microsoft 365 license or SharePoint Online
license before using SharePoint Online. Users with access to SharePoint Online can share files
and folders with other users, whether they are inside the organization or outside the organization.
These sharing capabilities, however, can be controlled by site administrators.
Once an organization deploys SharePoint Online, its users can build sites, pages, lists, and even
complete document libraries. These users can also customize their pages through the addition of
web parts.
The SharePoint Online service is ideal for teams in an organization who wish to share important
news and updates with their members and with other users throughout the organization.
Other features and benefits of SharePoint Online include the ability of users to discover sites,
files, and even other people within their organization. Flows, forms, and lists allow users to
manage their business processes more effectively. Users can even use SharePoint Online to co-
author documents with other users, and they can synchronize and store their files in the cloud.
This further facilitates collaboration by allowing other users to securely work with those files.
At the end of the day, the main drive of SharePoint Online is to facilitate collaboration among
users, whether they are internal or external to an organization.

Microsoft Teams
Much like its predecessor, Skype for Business, Microsoft Teams functions as a central hub for
collaboration. It’s an offering that provides chat-based services that allow users to more easily
collaborate. Microsoft Teams also allows team members to share documents and insights, as well
as status updates. By providing presence information for users, Microsoft Teams makes it easier
to manage projects and to locate users. You can even use the Teams mobile app to remain
available and to collaborate while on the go.
You can use Microsoft Teams to communicate in various ways, including chat, meetings, and
even calls. You can host audio conferences, video conferences, and web conferences. You can
also communicate with users both inside and outside your own organization. Microsoft Teams
also provides whiteboard services so that teams can collaborate on projects in real time.


By integrating with Office 365 applications, like Microsoft Word, Excel, PowerPoint, and others,
Microsoft Teams allows users to co-author and share files.
Combining Microsoft Teams with Office 365 phone system, Office 365 calling plan, or phone
system direct routing creates a globally scalable calling experience.
It is clear that Microsoft is positioning Microsoft Teams as its go-to communications solution.

Microsoft InTune
Microsoft InTune is a cloud service that is used to manage all kinds of devices, including
laptops, computers, tablets, and mobile devices/phones. It supports iOS devices, Android
devices, and even Mac OSX devices.
InTune uses Azure AD as its directory store for
identity. You can also integrate InTune with
management solutions like Microsoft SCCM to more
effectively manage devices. Organizations will often
leverage Microsoft InTune to manage devices that
cannot be managed by group policy. These devices
typically include mobile phones and devices that are
not Active Directory domain members. Microsoft
InTune can also be used to manage Windows 10
devices that are joined to Azure Active Directory.
A key security feature of Microsoft InTune is its ability to prohibit users from copying corporate
data from managed applications that might be installed on devices that are unmanaged.
InTune allows employees to access corporate data from their own personal devices and is helpful
for managing organization-owned devices like mobile phones. InTune ensures that devices and
apps that are used to access corporate data comply with established security policies of the
organization. By using Microsoft InTune to deploy application protection policies, you can
standardize corporate device deployments.


Because Microsoft InTune is included with Enterprise Mobility + Security, or EMS, you’ll need
an EMS license to use it. Its integration with Azure Active Directory and certain device OS
features creates a solid device management solution.

Other Services in Microsoft 365


So far, in this chapter, we covered several of the key offerings within the Microsoft 365 suite.
However, there are several other optional pieces that organizations can use. These optional
offerings provide additional features and further improve productivity. They include services like
Yammer, Microsoft Project Online, Microsoft Office Visio Pro for Office 365, and Project Pro
for Office 365.
Yammer, for example, is essentially a social networking tool for enterprises. It’s typically used
to handle support issues and to collect feedback on projects.
For more information on Yammer, visit this URL.
Project Online is Microsoft’s cloud version of Microsoft Project Server. This offering helps
organizations prioritize project portfolio investments and deliver projects with the intended
business value. For more information on Project Online, visit this URL.

Office Visio Pro for Office 365 is a subscription-based version of Microsoft’s Visio Pro
diagramming tool. When licensed, users can install Office Visio Pro for Office 365 on up to five
different devices. To learn more about Office Visio Pro for Office 365, visit this URL.
Project Pro for Office 365 is a solution that provides project management capabilities for
organizations. This offering is a desktop-based solution. Visit this URL to read more about
Project Pro for Office 365.
Other Microsoft 365 services that deserve honorable mention include Microsoft Dynamics 365,
OneDrive for Business, Planner, Power BI, Microsoft Staff Hub, Stream, Microsoft Delve, and
Sway. You won’t be expected to know every detail about every service, but you should at least
familiarize yourself with their overall descriptions.

Office 365 ProPlus


Office 365 ProPlus is Microsoft’s suite of productivity applications. This suite includes
Microsoft Word, Excel, PowerPoint, and Outlook for both Windows and Mac machines. This
full version of Office is installed locally on the user’s device. It is not a web-based version of
Office. The applications that come with Office 365 ProPlus can be used with both the on-prem
versions of Exchange, SharePoint, and Skype for Business and the online versions.
You can install Office 365 ProPlus right from the Internet or from a shared location on your local
network. However, it’s important to note that there is no Windows installer package that users
can download and install.

Although users need to be connected to the Internet to perform the initial installation of Office
365 ProPlus, they do not need to be continuously connected to the Internet to use it once it’s
been installed. Users, however, will need to connect to the internet at least once every 30 days to
confirm that they still are licensed to use Office 365 ProPlus.
Office 365 ProPlus is updated regularly with new features, security updates, and other updates as
well. New features and improvements are released on a semi-annual basis or on a monthly basis.
The frequency that an organization receives these updates is determined by the option chosen by
the organization through the use of update channels.
Office 365 ProPlus vs Office Professional Plus 2019
Although Office 365 ProPlus is similar in many ways to Office Professional Plus 2019, there are
some significant differences between the two.
For example, while Office 365 ProPlus is updated with new features on a regular basis, Office
Professional Plus 2019 features remain the same. Another difference between the two is the fact
that users can install Office 365 ProPlus on multiple devices (up to 5) with just a single license,
while Office Professional Plus 2019 is limited to one device per license.
Deployment options for Office 365 ProPlus also differ from those for Office Professional Plus
2019, because users can install Office 365 ProPlus for themselves, right from a web-based portal.
Office Professional Plus 2019 features no such portal installation option.


I should also mention that the license activation is different for the two as well. While Office 365
ProPlus is activated by connecting to the internet, Office Professional Plus 2019 is activated
through volume activation methods, including Key Management Service (KMS). It’s also
important to be aware that Office 365 ProPlus requires regular internet connectivity in order to
remain activated. Office Professional Plus 2019 has no internet connectivity requirement.
Deploying Office 365 ProPlus
There are several ways to deploy Office 365 ProPlus. You can use Configuration Manager, the
Office Deployment Tool, or Microsoft InTune to perform Office 365 ProPlus deployments. You
can, of course, also install directly from the Office 365 portal. We’ll cover these deployment
options in detail later on.

Exchange Online vs Exchange Server


Let’s take a look at the primary differences between Exchange Online and Exchange Server.
Mailbox Sizes
While many organizations enforce small(ish) mailbox sizes for their end users in their on-prem
Exchange deployments, Exchange Online supports much larger mailboxes. As a result,
organizations that leverage Exchange Online can provide mailboxes that are 50 GB or larger to
their users, depending on the plan that is purchased.
Availability
High availability is another key difference between on-prem Exchange solutions and Exchange
Online. Deploying a highly available on-prem Exchange organization requires the purchase and
configuration of enough hardware to store multiple mailbox copies. In addition, load-balancing
has to be configured. To be honest, to attain true high-availability for an on-prem Exchange
solution, you really should also have an entirely separate alternate data center as well. This stuff
costs money. Exchange Online data, however, is automatically replicated to multiple data
centers, which makes it highly available right out of the box.
Backups
The lack of native backups for Exchange Online is viewed by many as a drawback of the online
offering. However, instead of configuring backups, organizations typically configure retention
through single item recovery and litigation hold.
Office 365 Groups
Office 365 Groups is another feature of Exchange Online that is not offered in the on-prem
version of Exchange.
Server Access
Another feature of Exchange Online that can be seen as a benefit or as a drawback, depending on
your view, is the fact that Exchange Online offers no access to the Exchange databases, nor to
the Exchange servers themselves. These components are managed entirely by Microsoft.
Old-school Exchange admins, in an odd twist, often appreciate the access they have to these
components in an on-prem deployment.
Other Services and Features
While Exchange Web Services (EWS) are available in both the online version and the on-prem
version of Exchange, only the on-prem version offers custom EWS throttling settings. Other
features, such as rights management, archiving, and legal holds are available in both the on-prem
version and in Exchange Online.

SharePoint Online vs on-premises SharePoint Server


Because SharePoint Server is an on-prem solution, it requires an organization to maintain
servers, perform patching, and to set up and maintain an environment that facilitates high
availability and disaster recovery. However, these tasks are handled by Microsoft for SharePoint
Online subscribers.
While SharePoint Online and the on-prem SharePoint Server share lots of similarities, there are
some significant feature differences between the two. For example, SharePoint Server does not
include any anti-malware protection, whereas SharePoint Online does. Organizations that require
claims-based authentication will need to use SharePoint Server, rather than SharePoint Online,
because SharePoint Online does not offer claims-based authentication. However, SharePoint
Server does NOT offer the encryption at rest that SharePoint Online offers.
I should also mention that not all modern web parts are available in SharePoint Server 2019, nor
is intelligent functionality that’s based on the Microsoft Graph. Instead, this intelligent
functionality is only available in SharePoint Online.
As was the case with Exchange and Exchange Online, organizations will need to determine what
features they require, and what management they want to perform, before deciding whether
SharePoint Server or SharePoint Online is the right solution.

Chapter Review: What You’ve Learned


Congratulations, you’ve come to the end of Core Microsoft 365 Services and Concepts. Let’s
review what you’ve learned.
We started things off by taking a look at Windows 10 Enterprise, where we covered the different
features and benefits offered. We then took a look at Exchange Online. After covering Exchange
Online, we dove into SharePoint Online and its features and benefits.
Next, we looked at the benefits of Microsoft Teams and of Microsoft Intune. We looked at
the ways that Teams facilitates collaboration, and at how Microsoft Intune facilitates
management of mobile devices.
Later on, we touched on several other services in Microsoft 365. We took a quick look at
Yammer, Project Online, Office Visio Pro for Office 365, and several other Microsoft 365
services.
We then took a close look at Office 365 ProPlus. You learned what applications are included in
Office 365 ProPlus and how it compares to Office Professional 2019. We also covered the
different deployment options for Office 365 ProPlus.
After learning about Office 365 ProPlus, you learned about the differences between Exchange
Online and the on-prem Exchange Server offering. We rounded things out by covering the
differences between SharePoint Online and SharePoint Server.
At this point you should have a pretty broad understanding of the different Microsoft 365 core
services that are available.

CHAPTER 4
DEPLOYING WINDOWS 10 AND OFFICE 365 PROPLUS

Welcome to Deploying Windows 10 and Office 365 ProPlus. In this chapter, we are going to
cover the different ways that you can deploy Windows 10 and Office 365 ProPlus in your
environment. We will start things off by covering the steps you need to take to plan for Windows
10 and Office 365 ProPlus deployments. We’ll cover hardware assessment and application
compatibility assessment, along with network assessment and optimization.
Next, we’ll cover the different deployment options for Windows 10. We’ll look at things like
Windows Autopilot, in-place upgrades, and dynamic provisioning. We will also look at
subscription activation as a means for switching from one edition of Windows 10 to another.
After covering the deployment options for Windows 10, we will take a look at the different
deployment options for Office 365 ProPlus. We will take a look at Configuration Manager, the
Office Deployment Tool, and manual installation from the Office 365 portal.
Once we finish working through the different Office 365 ProPlus deployment options, we’ll
cover servicing channels and deployment rings.
Coming down the home stretch, we will cover updates for Office 365 ProPlus. We’ll take a look
at the different update channels for Office 365 ProPlus including the Monthly Channel, the
Targeted Semi-Annual Channel, and the Semi-Annual Channel. You’ll learn how to
choose the appropriate update channel for your organization and how updates are installed for
Office 365 ProPlus.
Rounding things out, we’ll dive into licensing and activation in Office 365 ProPlus, where you’ll
learn about licensing Office 365 ProPlus, reduced functionality mode, and how to activate Office
365 ProPlus. You’ll also learn how to manage activated installations.

Planning Deployments
When planning an enterprise deployment of Windows 10 and Office 365 ProPlus, you need to
ensure that you properly assess your environments and your network. You also need to make
sure that any existing hardware and applications in your environment will work with your new
software.
Assessing Compatibility
Although virtually all applications that have been written in the last decade will run on Windows
10 - and virtually all add-ins and VBA macros that are based on previous versions of Office will
work in the latest versions of Office - your organization should ensure that existing applications
and hardware will support Windows 10 and Office 365 ProPlus before rolling them out.
To help with this process, Microsoft offers several different tools.

The Windows Analytics Upgrade Readiness Tool is provided to assess desktop, device, and
application readiness. This tool provides information about application and driver compatibility,
and it provides a detailed assessment of any identified issues that could prevent an upgrade. It
also provides links to suggested fixes for any issues it identifies.
The Readiness Toolkit for Office Add-Ins and VBA is designed to help organizations identify
compatibility issues with existing Microsoft VBA macros and add-ins. This tool scans for VBA
macros in Word, Excel, PowerPoint, Access, Outlook, Project, Visio, and Publisher files.
Desktop App Assure is a new service that you can use to address issues with Windows 10 and
Office 365 ProPlus application compatibility. This service comes with the FastTrack Center
Benefit for Windows 10. To get access to the FastTrack Center Benefit for Windows 10, you must
have an eligible subscription. An eligible subscription is one that includes at least 150
licenses for an eligible service or plan for your Office 365 tenant.
Before deploying Windows 10 and Office 365 ProPlus in production, Microsoft recommends that
you first deploy them to a pilot group of users on a pilot group of devices across the
organization. By testing your deployment with a pilot group first, you can mitigate any issues
that crop up before you deploy into production.
Network Assessment and Optimization
Before deploying and managing updates for Windows 10 and Office 365 ProPlus, you need to
ensure you have the necessary bandwidth to do so. The Office 365 ProPlus installation files are
at least 1.6 GB in size – and this is just for the core files. Each language that you deploy will add
another 250 MB.
To help deal with network bandwidth limitations, there are several built-in methods for
automatically limiting bandwidth. Express Update Delivery and Binary Delta Compression both
help reduce the size of your update downloads. These methods ensure that you only download
the changes that have occurred between the current update and the previous update. This
typically vastly minimizes the impact to your network.
There are also peer-to-peer options available. These options essentially shift Windows 10 and Office
365 ProPlus traffic away from the center of your network. What this does is reduce the need for
throttling. Using a peer-to-peer option allows computers to find necessary update files on other
machines in the local network, instead of downloading those files from a central distribution
share on the network or from the internet.
There are currently three peer-to-peer options available. These options include BranchCache,
Peer Cache, and Delivery Optimization.
BranchCache allows you to download source files in a distributed environment without crushing
your network. What BranchCache does is retrieve the content from the main office or from
hosted cloud content servers. It then caches that content at your branch office locations.
Users from these locations can then access that content locally instead of accessing it over
the WAN.
Peer Cache comes with Configuration Manager. It allows clients to share source files directly
from other clients. Organizations will often use Peer Cache to manage the deployment of source
files to users in remote locations. You can use BranchCache and Peer Cache together in the
same environment.
With Delivery Optimization, your clients can download source files from alternate sources,
including other peers on the local network. This is in addition to Windows Update Servers.
Delivery Optimization can be used with Windows Update, Windows Server Update Services
(WSUS), Windows Update for Business, and Configuration Manager.
By assessing hardware and application compatibility, and assessing and optimizing your
network, you can ensure a smooth deployment of Windows 10 and Office 365 ProPlus.

Windows 10 Deployment Options


There are actually quite a few ways to deploy Windows 10 in an organization. You can use
existing tools such as Intune, Azure AD, and Configuration Manager, or you can use one of
several new deployment tools and methods that are now available. These new tools and methods
include Windows Autopilot, In-Place Upgrades, Dynamic Provisioning, and Subscription
Activation.
With Windows Autopilot, you can customize the out of box experience (OOBE) so that you can
deploy applications and settings that are preconfigured specifically for your organization. This
allows you to include just the applications that your users need. Windows Autopilot is probably
the easiest way to deploy new PCs that run Windows 10. It can also be used in conjunction with
Configuration Manager to upgrade Windows 7 and Windows 8.1 machines to Windows 10.
Leveraging In-Place Upgrades allows you to upgrade to Windows 10 without reinstalling the OS.
This method allows you to migrate applications, user data, and settings from one version of
Windows to another. You can also use an in-place upgrade to update a Windows 10 machine
from one release to the next.
Dynamic Provisioning allows you to create a package that you can use to quickly configure
multiple devices, even those that have no network connectivity. Using Windows Configuration
Designer, you can create provisioning packages and install them over the network, or even from
a USB drive. They can also be installed from NFC tags or barcodes.
Using Subscription Activation, you can use subscriptions to switch from one edition of Windows
10 to another. An example of this would be a scenario where you need to switch a user from
Windows 10 Pro to Windows 10 Enterprise. In this scenario, if a licensed user signs into the
Windows 10 device, assuming the user has a Windows 10 E3 or E5 license, the operating system
automatically changes from Windows 10 Pro to Windows 10 Enterprise. This unlocks the
Windows 10 Enterprise features. I should mention that if the associated E3 or E5 license expires,
the Windows 10 device simply reverts back to the Windows 10 Pro edition. You are, however,
offered a grace period of up to 90 days before it reverts back.
So, as you can see there are several ways to deploy Windows 10.

Deployment Options for Office 365 ProPlus


There are several ways to deploy Office 365 ProPlus. Let’s take a look at the options that are
available.
You can use Configuration Manager, the Office Deployment Tool, and Microsoft Intune to
perform Office 365 ProPlus deployments. You can, of course, also install directly from the
Office 365 portal.
Configuration Manager is a good choice for enterprises that already leverage a solution to
deploy and manage their existing software. The Office Deployment Tool is a good choice for
organizations who need to manage their Office 365 ProPlus deployment, but do not have
Configuration Manager deployed. Organizations that wish to deploy and manage Office 365
ProPlus directly from the cloud should consider Microsoft Intune. However, the easiest
approach to deploying Office 365 ProPlus is to just allow your users to install it directly from the
Office 365 Portal. The caveat to this solution, though, is that it provides far less control over the
deployment process.
When you deploy Office 365 ProPlus using the Office Deployment Tool or through
Configuration Manager, you’ll typically create configuration files using the Office
Customization Tool. These configuration files are then used to define the configuration of
Office. This process provides you with more control over your installations. There are also
similar options available when you use Intune to deploy Office 365 ProPlus.

I should mention here, that depending on how you decide to deploy Office 365 ProPlus, you can
choose to deploy directly from the cloud or you can download Office to local storage on your
network, where you can then deploy from. Microsoft, however, recommends that you deploy
Office directly from the cloud because it minimizes administrative overhead. When deployed in
this fashion, Office 365 ProPlus is installed on your client devices right from the Office Content
Delivery Network. If you find that your internet bandwidth can’t support installations directly
from the cloud, you can use Configuration Manager to manage your deployments and updates
that can be pulled from a local network location.
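As an added illustration (constructed here, not taken from the book or from Microsoft's documentation), a minimal Office Deployment Tool configuration file covering the sourcing choice described above might look like the following. The share path \\fileserver\office365 is a placeholder, and the Channel value "Broad" is the older Office Deployment Tool name assumed here to correspond to the Semi-Annual Channel.

```xml
<!-- Added example: Office Deployment Tool configuration (constructed). -->
<Configuration>
  <!-- SourcePath points setup at a local network share (placeholder path).
       Remove the SourcePath attribute to install straight from the Office
       Content Delivery Network, the approach Microsoft recommends when
       internet bandwidth allows. -->
  <Add OfficeClientEdition="64" Channel="Broad" SourcePath="\\fileserver\office365">
    <Product ID="O365ProPlusRetail">
      <!-- Each additional Language element increases the download size. -->
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- Leave automatic updates enabled so security and quality updates keep
       arriving. UpdatePath is optional; without it, clients update from the
       Office Content Delivery Network. -->
  <Updates Enabled="TRUE" UpdatePath="\\fileserver\office365" />
  <!-- Silent installation with the license terms accepted for the user. -->
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
```

With the Office Deployment Tool, `setup.exe /download` with this file populates the share and `setup.exe /configure` with the same file performs the installation.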
The deployment option you choose will be largely dependent on your network infrastructure,
your user base, and your corporate policies.

Windows-as-a-Service
Under the Windows-as-a-Service model, Microsoft has simplified the OS build and deployment
process. Instead of providing major OS revisions every few years, with service packs released
between those revisions, Windows updates are now treated more like ongoing maintenance tasks.
This means that Windows will now receive updates and revisions on a more frequent basis.
These updates and revisions are also applied with less disruption.
These new updates fall into two different buckets. These buckets include Feature Updates and
Quality Updates. Feature Updates are updates that add new functionality. They are released
twice a year and can be deployed using existing management tools. Feature Updates are typically
smaller because they are more frequent. Because they are smaller, the impact to organizations
when deploying them is reduced.
Quality Updates are security updates and fixes. These updates are typically issued once a month,
on the second Tuesday of each month, otherwise known as Patch Tuesday. When a cumulative
update is released on Patch Tuesday, it includes all previous updates. This makes it
easier to ensure that devices are fully up to date.
You can use deployment rings and servicing channels to control how updates are applied - and
when.
Servicing Channels
There are three servicing channels offered by Windows-as-a-Service. Each channel receives new
feature updates on a different schedule. These channels include the Semi-Annual Channel, the
Long-Term Servicing Channel, and Windows Insider. The purpose of these servicing channels is
to provide organizations with a way to control the frequency at which they deploy Windows 10
features.
Deployment Rings
Deployment rings are similar to machine groups that you may have used previously to manage
updates for earlier versions of Windows in WSUS. They’re used to gradually deploy Windows 10.
You can use deployment rings to group devices together and to ensure those devices receive their
updates through the same servicing channels.
You can use the same management tools to deploy servicing channel updates that you used in
earlier versions of Windows. For example, you can use the Windows Insider program to allow
users to familiarize themselves with Windows features before they are released to the larger
population of users within the organization. This allows organizations to get a look at early
builds and to test them before they are released to the general public.
You can use the Semi-Annual Channel to receive updates as soon as Microsoft publishes them.
Feature updates go out to the Semi-Annual Channel once in the spring and once in the fall.
You can also use the Long-Term Servicing Channel to deploy updates to your organization. The
Long-Term Servicing Channel is for computers and other devices that essentially perform a
single task or several specialized tasks. For these types of computers and devices, the Long-Term
Servicing Channel prevents them from receiving feature updates. However, quality updates are
not affected. I should point out that the Long-Term Servicing Channel is only available in the
Windows 10 Enterprise LTSC edition. Feature updates are released to LTSC about once every
three years.
A typical deployment ring strategy might consist of four rings. For example, the first ring may be
a preview ring that leverages the Windows Insider Program. This ring would be reserved for a
small group of devices that you wish to use for testing. The next ring would be the targeted
ring, which leverages the Targeted Semi-Annual Channel. You would use this ring to evaluate
important updates before you deploy them to other devices in your environment. The next ring
would be the production ring. This ring would leverage the Semi-Annual Channel and would be
used to deploy updates to production machines. A fourth ring might be a critical ring. This
critical ring would leverage the Semi-Annual Channel as well, but it would be reserved for
machines that are critical, and which are only updated after thorough testing throughout the rest
of your organization.
Ring strategies like the one in this example allow organizations to control how updates are
deployed to all of their devices.
Windows-as-a-Service, when leveraged properly, is essentially an ongoing process that you use
to handle Windows updates in an organization. The servicing models that are available for
managing Windows-as-a-Service updates include Windows Update (or standalone), Windows
Update for Business, WSUS, and System Center Configuration Manager (SCCM).
Windows Update offers limited control over feature updates. Devices are typically manually
configured to use the Semi-Annual Channel. An organization that uses Windows Update can
specify when updates get installed and to what devices. I should also mention that the updates do
not even have to come from an on-prem server.
Windows Update for Business provides control over update deferments while also allowing for
centralized management through group policy. You can use Windows Update for Business to
defer updates for up to a year. Devices that are updated using Windows Update for Business
need to be updated periodically and monitored using one system.
Windows Server Update Services, or WSUS, allows for significant control over Windows
updates. This tool, which is native to the Windows Server OS, allows organizations to not only
defer updates, but to also add an approval layer for updates that allows organizations to specify
groups of computers that should receive updates.
System Center Configuration Manager offers the most control and is the most cost-effective
option to service Windows-as-a-Service. Updates can be deferred and approved by IT staff, and
there are also multiple options for targeting and bandwidth management. System Center
Configuration Manager allows for consistent scheduling of updates across all devices within the
enterprise. I should point out, however, that application deployments and operating system
updates must originate from an on-prem server when using System Center Configuration
Manager.
So which servicing option should you choose? Well, the servicing option that you choose will
be largely governed by the resources you have available to you, your IT staff, and the knowledge
of that IT staff. If you already use System Center Configuration Manager to manage your
Windows updates, it probably makes sense to continue using it. However, if you are already
using a solution like WSUS, it probably makes sense to continue using WSUS. Your
environment and your staff will ultimately determine which solution is right for you.

Office 365 ProPlus Updates


There are several types of updates that are available for Office 365 ProPlus. Let’s take a look at
these types of updates and figure out how to choose the appropriate update channel for your
organization.
Because Microsoft provides new features for Office 365 applications pretty regularly, it’s
important that you keep it updated. Microsoft offers multiple update channels that you can use to
keep Office 365 ProPlus updated. These channels are used to control how often Office 365
ProPlus receives feature updates.
The three primary update channels that are available for Office 365 ProPlus include the Monthly
Channel, the Targeted Semi-Annual Channel, and the Semi-Annual Channel. The Monthly
Channel, as you would expect, receives feature updates roughly every month. The Targeted
Semi-Annual Channel receives feature updates in March and in September. Organizations will
often use this channel for its pilot users and for application compatibility testing. The Semi-
Annual Channel receives feature updates twice a year, once in January and again in July.
The feature updates that are released in the Semi-Annual Channel will generally have already
been released through the Monthly Channel in prior months. I should note that the Semi-Annual
Channel is the default update channel for Office 365 ProPlus.
Microsoft also provides additional updates for each channel as needed. These include Security
Updates and Quality Updates. While Security Updates are often released on Patch Tuesday,
which is the second Tuesday of every month, they can be released at other times when needed.
Quality Updates are non-security updates which are also released on Patch Tuesday.
Choosing the Right Update Channel
Organizations obviously have different needs - and these needs will determine which update
channels are needed. For example, an organization might leverage the Semi-Annual Channel if it
uses business applications, add-ins, and macros that must be tested to ensure they work with an
updated version of Office 365 ProPlus.
However, an organization that wants its users to have access to the latest Office 365 ProPlus
features as soon as they become available might want to leverage the Monthly Channel,
assuming there is no need for any kind of application compatibility testing.
It’s important to note that an organization can leverage different update channels for different
users. Not all users need to be on the same channel.
Installing Updates for Office 365 ProPlus
When an Office 365 ProPlus update occurs, all updates for the specific channel are installed at
the same time. For example, you won’t get a separate download for Security Updates, a separate
download for Quality Updates, etc. They are all installed at the same time. I should also mention
that updates are cumulative. This means that the latest update will include all previously released
feature, security, and quality updates for the specific channel.
Office 365 ProPlus goes out and checks for updates on a regular basis. These updates are then
downloaded and installed automatically. Although users can continue using their Office
applications while updates are being downloaded, once the actual update installation begins,
those users will be prompted to save their work and to close their apps to allow the installation of
the downloaded updates.

Office 365 Licensing and Activation


Before you can deploy Office 365 ProPlus to your users, you first need to assign licenses to
them. Once you’ve assigned licenses to your users, they can begin installing the software. Once
licensed, each user can install Office 365 ProPlus on up to five different computers or devices.
Because each installation is activated and kept activated automatically, you don’t even have to
keep track of product keys. You also don’t have to worry about dealing with KMS or MAK
services. What you do have to do, however, is ensure that your users connect to the internet at
least once every 30 days so their licenses can be kept activated by the Office licensing service.

Licensing Office 365


Assigning an Office 365 ProPlus license to a user is as simple as checking a box on the licensing
page for the user’s account. Once you’ve assigned licenses to your users, they can install Office
right from the Office 365 portal. You can also deploy Office to your end users from a shared
location on your local network. Users cannot install Office from the Office 365 portal until they
have been assigned a license.
Reduced Functionality Mode
If you remove a user’s Office 365 ProPlus license, any existing installations of Office 365
ProPlus for that user will go into what is called Reduced Functionality Mode. Deactivating a
user’s Office 365 ProPlus license for a specific device will also cause Office 365 ProPlus to go
into Reduced Functionality Mode, but only on that device.
An Office 365 ProPlus installation that has gone into Reduced Functionality Mode will remain
installed on the computer; however, the user will only be able to view and print documents. They
will not be able to edit documents nor create new documents.
I should also point out that every time the unlicensed user runs Office 365 ProPlus, that user will
be prompted to sign in and activate the software.
Activating Office 365 ProPlus
When Office 365 ProPlus is installed, it communicates back to the Office Licensing Service and
the Activation and Validation Service. It does this so it can obtain and activate a product key.
Whenever a user logs into his computer, the computer will connect to the Activation and
Validation service. This is done in order to verify the license status of the software and to extend
the product key.
Office will remain fully functional as long as the computer connects to the internet at least once
every 30 days. Office will enter Reduced Functionality Mode if a computer goes off-line for
more than 30 days. Once the computer connects back to the internet, the Activation and
Validation Service will automatically reactivate the installation and it will become fully
functional again.
Managing Activated Installations
As I mentioned previously, an Office 365 ProPlus license allows a user to install Office on up to
five different computers. However, if that user tries to install Office 365 ProPlus on a sixth
computer, the user will first need to deactivate one of the existing five installations. This
causes the installation that is deactivated to go into Reduced Functionality Mode.

Chapter Review: What You’ve Learned


Congratulations! You’ve reached the end of Deploying Windows 10 and Office 365 ProPlus.
Let’s review what you’ve learned.
Throughout this chapter, we covered the different ways that you can deploy Windows 10 and
Office 365 ProPlus in your environment. We started things off by covering the steps you need to
take to plan for Windows 10 and Office 365 ProPlus deployments. We covered hardware
assessment and application compatibility assessment, along with network assessment and
optimization.
Next, we covered the different deployment options for Windows 10. We looked at things like
Windows Autopilot, In-Place Upgrades, and Dynamic Provisioning. We also looked at
Subscription Activation as a means for switching from one edition of Windows 10 to another.
After covering the deployment options for Windows 10, we reviewed the different deployment
options for Office 365 ProPlus. We looked at Configuration Manager, the Office Deployment
Tool, and Manual Installation from the Office 365 portal.
Once we finished working through the different Office 365 ProPlus deployment options, we
dove into the Windows-as-a-Service model, where we covered servicing channels and
deployment rings.
Coming down the home stretch, you learned about updates for Office 365 ProPlus. You learned
about the different update channels for Office 365 ProPlus including the Monthly Channel, the
Semi-Annual Targeted Channel, and the Semi-Annual Channel. You also learned how to choose
the appropriate update channel for your organization and how updates are installed for Office
365 ProPlus.
Rounding things out, we dove into licensing and activation in Office 365 ProPlus, where you
learned about licensing Office 365 ProPlus, Reduced Functionality Mode, and how to activate
Office 365 ProPlus. You also learned how to manage activated installations.
At this point, you should have a good idea of what all goes into planning for and deploying
Windows 10 and Office 365 ProPlus.

CHAPTER 5
UNIFIED ENDPOINT MANAGEMENT

Welcome to Unified Endpoint Management. In this chapter, we are going to cover unified
endpoint management topics.
We will start things off with device management in today’s workplace. You’ll learn about key
unified endpoint management concepts and how IT departments can support different devices in
the modern workplace.
Next, we’ll cover the many different components of the Enterprise Mobility and Security suite.
You’ll learn about Azure AD, SCCM, Azure Information Protection, and much, much more.
You’ll learn what each component is and what role each component plays.
Rounding things out, we’ll get into cloud-connected device management, where you’ll learn
about the different ways that you can manage cloud-connected devices.
We have quite a bit to get to. So, let’s get started.

Device Management in the Modern Workplace


Unified endpoint management refers to a platform for managing devices and applications. Using
Microsoft Intune and System Center Configuration Manager, both of which are parts of
Enterprise Mobility and Security within a Microsoft 365 subscription, can help simplify
management. Using these products creates an environment that allows end users to use whatever
devices and applications they choose, while still offering protection for the organization’s data.
The modern workplace presents unique challenges for IT departments because they need to
support many different devices that are configured in many different ways. Some users may have
Android devices, while others may use iOS smartphones. Yet others may use Windows 10
machines, while others use Macs. In addition to supporting the devices themselves, IT
departments need to ensure that these devices all meet the security standards and health
standards that are established by the organization. Such devices also need to be configured to
support whatever applications and features the organization uses.
Each of these different devices clearly presents different management challenges. For example,
users will often use mobile devices and laptops that connect to outside networks through public
Wi-Fi access points. Because hackers will often use public access points to capture network
traffic and insert malware into a user’s browsing sessions, the fact that mobile devices often
connect to unsecured networks like these can impact every user in the organization.
While devices that connect to unsecured networks can be a problem, so can mobile devices that
only intermittently connect to the corporate network. This is because tools like Group Policy,
which are used to manage devices, usually assume that these devices are always connected to the
corporate network. Because they are not, these mobile devices can be difficult to manage with
traditional tools.
Users will often connect to the corporate network and access files from central file shares and
from SharePoint sites. While these centralized storage locations are often backed up, mobile
devices, which include laptops, typically are not. Because these devices aren’t backed up, any
data that is created directly on them is not backed up either. If one of these devices is stolen or
suffers a serious hardware failure, this locally created data is lost.
Speaking of lost or stolen devices… Quite often, the cost of replacing a stolen device can far
exceed the original cost of the device itself. This is because the organization needs to not only
replace the device, but it also needs to configure the device and determine what data was lost or
stolen. This all requires time - and time is money.
Another struggle that IT departments deal with is devices that have been compromised and then
connected to the corporate network. This is a problem because a device that’s been infected with
malware can not only steal data, but also spread the malware to other devices in the organization.
Because of this, mobile devices must be treated as potential threats, and precautions must be
taken to prevent attacks and to prevent leaks.
Personal devices also pose significant challenges to most organizations because those
organizations need to decide if they wish to allow users to access corporate apps and data from
their personal devices. This requires organizations to implement mobile device support policies.


Organizations need to decide whether they will allow user-owned devices to access corporate
applications and data, or whether they will allow this access only if the owner of the device allows
the organization to manage the device. Organizations also need to decide what actions can be
taken to protect any corporate data that is stored on the device in the event the device is lost or
the user leaves the company.
The proliferation of BYOD in today’s modern workplace has made work easier for end users, but
as you can see, it also presents significant challenges to IT departments.

Enterprise Mobility + Security Components


Enterprise Mobility + Security is a tool that you can use to manage all devices within your
organization. It’s intended to help organizations protect and secure their environments. The EMS
suite of products comes included with Microsoft 365 E3 and E5 plans.
The table below provides a summary of what is included.

Azure AD Premium is a central identity store. All applications in EMS and in Microsoft 365
use this identity store. There are three different levels of Azure AD Premium. They include
Basic, P1, and P2. The Basic level includes basic features that can be used to facilitate endpoint
management. However, the P1 and P2 plans come with additional features, including Self-
Service Password Reset, Write-Back from Azure AD to On-Prem Active Directory, and
Microsoft Azure MFA for Cloud and On-Prem Apps. Other features that come with the P1 and
P2 plans include Conditional Access Based on Group, Location, and Device, and in the case of
P2, Conditional Access Based on Sign-In or User Risk.

Another component of EMS is Intune. This cloud-based enterprise mobility management
service protects corporate data while facilitating end-user productivity. Identity and access
control are achieved through its integration with Azure AD, while data protection is achieved
through its integration with Azure Information Protection. You can also use Intune to enforce
security policies, deploy applications, and even remotely wipe devices when they are lost or
stolen.
System Center Configuration Manager, or SCCM, is an on-prem product that organizations
can use to manage Windows PCs, Mac OS PCs, and servers. This product allows organizations
to customize application management, OS deployments, and even device compliance.

Azure Information Protection, or AIP, is a component of EMS that organizations can use to
encrypt documents and to enforce policies on how those documents can be used.
Microsoft Advanced Threat Analytics is another component of EMS. With Advanced Threat
Analytics, organizations can detect suspicious activities and malicious attacks. This allows them
to adapt to the ever-changing landscape of cybersecurity threats. Microsoft Advanced Threat
Analytics also helps organizations reduce false positives.
Cloud App Security is an add-on that can be combined with your organization’s Microsoft 365
subscription. It provides visibility into cloud apps and services, while also providing analytics
that you can use to identify and mitigate security threats.
Cloud App Security takes data that’s been collected from your organization’s firewalls and proxy
servers and uses it to track cloud application usage. Using Cloud App Security, you can identify
unauthorized applications that are in use and that might be a threat to your organization. It also
allows organizations to identify unusual usage patterns.
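The kind of log-based discovery described above, as an added Python example (it is not Cloud App Security's own logic and not code from this book). The log format, the app catalogue, the `.example` host names, and the outlier threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed catalogue: host suffix -> (app name, sanctioned by IT?)
APP_CATALOG = {
    "sharepoint.example": ("Corp SharePoint", True),
    "mail.example": ("Corp Mail", True),
    "quickshare.example": ("QuickShare", False),
    "pastehub.example": ("PasteHub", False),
}

# Constructed proxy log: timestamp, user, destination host, bytes uploaded
SAMPLE_LOG = """\
2020-03-02T09:01:12Z alice contoso.sharepoint.example 48211
2020-03-02T09:01:40Z alice mail.example 1200
2020-03-02T09:02:03Z bob contoso.sharepoint.example 52000
2020-03-02T09:02:55Z bob app.quickshare.example 900
2020-03-02T09:03:10Z carol contoso.sharepoint.example 40000
2020-03-02T09:04:21Z dave contoso.sharepoint.example 30000
2020-03-02T09:05:40Z dave notes.pastehub.example 2500000
2020-03-02T09:06:02Z alice cdn.unknown.example 500
malformed entry
2020-03-02T09:07:00Z erin mail.example -
"""


def parse_line(line):
    """Return (user, host, bytes_sent), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    _, user, host, sent = parts
    return user, host.lower(), int(sent)


def match_app(host):
    """Longest catalogue suffix matching on a label boundary, else None."""
    best = None
    for suffix in APP_CATALOG:
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return best


def discover(log_text):
    """Aggregate uploads per app and per user; collect hosts not in the catalogue."""
    usage = defaultdict(lambda: defaultdict(int))  # app -> user -> bytes
    per_user = defaultdict(int)                    # user -> total bytes
    uncatalogued = set()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip lines the parser cannot trust
        user, host, sent = record
        per_user[user] += sent
        suffix = match_app(host)
        if suffix is None:
            uncatalogued.add(host)
        else:
            usage[APP_CATALOG[suffix][0]][user] += sent
    return usage, per_user, uncatalogued


def unsanctioned_apps(usage):
    """Apps in use that IT has not approved, with the users seen on each."""
    sanctioned = {name for name, ok in APP_CATALOG.values() if ok}
    return {app: sorted(users) for app, users in usage.items()
            if app not in sanctioned}


def upload_outliers(per_user, factor=5):
    """Users whose upload volume exceeds `factor` times the median user."""
    if len(per_user) < 3:
        return []  # too few users for a meaningful baseline
    typical = median(per_user.values())
    return sorted((u, b) for u, b in per_user.items() if b > factor * typical)


if __name__ == "__main__":
    usage, per_user, unknown = discover(SAMPLE_LOG)
    print("Unsanctioned apps:", unsanctioned_apps(usage))
    print("Uncatalogued hosts:", sorted(unknown))
    print("Unusual upload volume:", upload_outliers(per_user))
```

Hosts that match nothing in the catalogue are reported separately, because an unknown destination is a review item rather than proof of an unauthorized app.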
Microsoft Identity Manager essentially combines Microsoft’s identity and access management
solutions together. It takes different on-prem authentication stores, including AD, Oracle, LDAP,
and others, and bridges them with Azure AD to provide a consistent identity experience for
on-prem applications as well as SaaS solutions.
Azure Advanced Threat Protection, or ATP, is a cloud-based solution that allows
organizations not only to identify and detect threats and malicious activities but also to
investigate them. You can use Azure Advanced Threat Protection to identify suspicious
user and device activity and to analyze threat intelligence from the cloud and on-prem. Azure
Advanced Threat Protection helps protect user identities and credentials that are stored in Active
Directory and allows you to view attack information on a simple timeline. This allows for faster
triage.
As you can see, Enterprise Mobility and Security offers quite a few tools that you can use to
manage security and devices within your organization.

Cloud-Connected Device Management


If your organization already uses Configuration Manager on-prem to manage devices, it can be
connected with the cloud-based Intune management system through the co-management
function of Configuration Manager. When you connect the two using the co-management
function, you can manage your Windows 10 devices with both Configuration Manager and
Microsoft Intune at the same time. What this does is add Intune functionality to your device
management solution.
Connecting Configuration Manager with the cloud-based Intune management system provides
several benefits over using Configuration Manager alone. For example, with this cloud-connected
system, you can use conditional access to make sure that only trusted users can
access corporate resources from trusted devices, using trusted apps.
You can also manage all registered devices every time they connect, regardless of where they
are. Remote actions allow you to wipe such devices when they are lost or stolen. You can
also rename and restart devices remotely, and even perform factory resets on Windows devices.
While Configuration Manager can monitor the health of your devices while they are connected
to the network, Microsoft Intune can communicate with co-managed devices, and monitor their
health, even when they are not connected to the network - and it can report on the health of those
clients.
To ensure that new devices that are added to your network get configured the same way as
existing devices, you can use co-management and Windows 10 Autopilot together. When you
use Windows 10 Autopilot and co-management together, you can take advantage of the
Windows 10 provisioning model, which helps eliminate the need to deal with creating and
updating custom operating system images.
Leveraging Azure Active Directory lets you link users, devices, and applications from both cloud
and on-prem environments. When you register your organization’s devices to Azure AD, you can
improve security while increasing productivity of your end users. Registering devices in Azure
AD provides the ability to co-manage them and to leverage device-based conditional access. It
also allows you to offer single sign-on to cloud resources, automatic device licensing,
self-service functionality, Windows Hello for Business, and enterprise state roaming.
So, with that said, if you have an existing on-prem Configuration Manager infrastructure,
connecting it with a cloud-based Intune management system through the co-management
function allows you to reap significant benefits.

Chapter Review: What You’ve Learned


Congratulations! You've reached the end of Unified Endpoint Management. Let's review what
you've learned.
Throughout this chapter, you learned about several unified endpoint management topics.
We started things off with device management in the modern workplace. You learned about key
unified endpoint management concepts and how IT departments can support different devices in
the modern workplace.
Next, we covered the many different components of the Enterprise Mobility and Security suite.
You learned about Azure AD, SCCM, Azure Information Protection, and much, much more.
You also learned what each component is and what role each component plays.
Rounding things out, we looked at cloud-connected device management, where you learned about
the different ways that you can manage cloud-connected devices.
At this point, you should have a pretty good understanding of unified endpoint management
options in Microsoft 365.


CHAPTER 6
TEAMWORK IN MICROSOFT 365

Welcome to Teamwork in Microsoft 365! In this chapter, we are going to cover teamwork in
Microsoft 365 and analytics in Microsoft 365.
We will kick things off by looking at the different teamwork tools that are available in Microsoft
365 and how to choose the right teamwork tools for your needs. We'll look at tools like
SharePoint Online, Outlook, Microsoft Teams, and more.
Next, we'll take a look at the different ways you can work together on files and content and how
you can use teamwork tools to run meetings and projects.
We'll round things out by touching on the analytic tools that Microsoft 365 includes, where you'll
learn about MyAnalytics and about Workplace Analytics.

Facilitating Teamwork in Microsoft 365


Microsoft 365 offers several tools and services that help teams of all sizes and shapes get their
work done. The purpose of these tools is to streamline productivity while providing enterprise-
level security, compliance, and manageability.
Using Microsoft Outlook, users can share calendars, files, and tasks while keeping in touch with
coworkers.
SharePoint and OneDrive for Business can be used to
store content. This content can be accessed from
virtually any device and even shared with other
users, both inside and outside the organization. Users
can collaborate on this content using applications
such as Word, Excel, and PowerPoint.
Microsoft Teams allows users to communicate via
chat, phone calls, and meetings. It can also be used to
share content. Microsoft Teams also offers guest
access that allows users to invite both internal and
external users to work on projects.
Yammer is another communications tool offered with Microsoft 365. It’s a community
conversation tool that encourages dialogue and idea generation across the organization. With
Yammer, you can create different communities of interest, as well as forms that bring people
together. Yammer also allows you to grant external access when you need to.


Other teamwork tools available in Microsoft 365 include Microsoft Graph and Office 365
Groups. Using Microsoft Graph provides a seamless connection between people and relevant
content, while Office 365 Groups enables a single team identity across applications and services,
along with a centralized policy management system that enhances security and compliance for
your organization.
Choosing the Right Tools
Choosing the right tools for your organization is important to ensuring your team members have
what they need to complete their jobs. Those team members can be categorized as inner loop or
outer loop.
Inner loop users are those who you actively work with on a day-to-day basis. To facilitate
communications with inner loop users, you should probably use Microsoft Teams.
Outer loop users are users that you don’t necessarily work with on a regular basis but who have a
vested interest in whatever project it is that you are working on. Project stakeholders would be a
good example of outer loop users when it comes to a specific project because, while you won’t
necessarily work with them on a regular basis, they do want to hear what’s going on with the
project they are involved in. In these cases, you could use Yammer to share information and
ideas. An alternative for those who prefer email would be Outlook.
SharePoint should be your tool of choice when you need to manage team content and files
because it essentially brings together the content from Microsoft Teams, Yammer, and Outlook.
You can also use SharePoint to keep track of your project information.

Working Together
Because users will often need to work together in real time, on a specific document, Microsoft
365 offers co-authoring capabilities with all core Office applications.

For example, your users can co-author a Word document when it is stored in OneDrive for
Business or even in SharePoint. Presence information that Microsoft Teams offers adds to the
co-authoring experience, while providing a chat-based workspace for those users who are
actively working on the document that they are co-authoring.
The shared storage, versioning controls, and permission settings that OneDrive for Business and
SharePoint offer allow multiple users to edit the same document seamlessly.
Through Microsoft Teams, all users on a given team, including external users, have a single
point of access to all the tools they need to move their projects forward. Because Teams is
integrated with applications like Word, Excel, PowerPoint, Power BI, and Stream, team
members are able to collaborate without leaving the shared Teams workspace.
When team members work on files in Teams, those files are automatically stored in SharePoint.
Team members can hold chats and collaborate on shared deliverables.
I should note that you can customize Microsoft Teams to fit your environment. For example, you
can enable, disable, and configure apps for Teams - this includes tabs, connectors, and lots of
other features provided by Teams. You can specify whether external applications are enabled,
and you can control which users can sideload apps. Organization-wide user settings like guest
access and external access can be configured as well. These settings allow users to work with
people outside the organization. There are many other settings that can be configured as well,
including file sharing, cloud file storage, email integration, and more.
Meetings and Projects
It should come as no surprise that most workers spend as much as one-third of their time in
meetings. Nobody likes them, but they are a necessity. Microsoft 365 makes meetings less
painful and more productive by allowing users to not only easily schedule calls and online
meetings, but to also quickly start them through a call or instant message.
Microsoft 365 also allows you to create shared workspaces to host all of your Teams meetings,
files, apps, and even team conversations. Microsoft 365 automates processes and workflows and
allows you to save time by leveraging self-service tools to manage and schedule tasks.
Outlook’s calendar and file integration make it easier for users to leverage meeting tools
seamlessly. Team members can even access shared calendars and link to shared files in both
SharePoint and in OneNote. Microsoft Teams organizes conversations, files, meetings, and tools
into a single hub that also offers audio and video capabilities. Video and screen sharing
capabilities of Microsoft Teams, along with features like auto translation, transcription, and
recording, allow users to get more out of the experience. Notes and action items can even be
automatically transcribed and distributed to meeting attendees at the end of the meeting.

Analytics in the Workplace


Microsoft 365 offers two analytic tools. These analytic tools include MyAnalytics and
Workplace Analytics. Both of these tools gather data and use artificial intelligence to provide
insights into the working habits of your users and your organization.


MyAnalytics can be used to see how you are spending your time at work. It then suggests
different ways that you can work smarter instead of harder. To allow this magic to happen,
MyAnalytics, which is included in Microsoft 365 E5 subscriptions, looks at email data,
meetings, team chats, calls, and how you use Office 365. There are no agents to install, nor is
there any tracking software to deal with.
I should point out for the security conscious that MyAnalytics does not use any data from
your other activities, such as applications or websites that you view.
Workplace Analytics focuses on the organization as a whole. This is different from MyAnalytics,
which provides insights at the individual level. Using Workplace Analytics allows you to
identify collaboration processes that impact your organization’s productivity and workforce
effectiveness. Workplace Analytics helps organizations understand how they spend their time
and how their groups work together. This allows those organizations to define best practices and
to become more efficient.

Chapter Review: What You’ve Learned


Congratulations! You've reached the end of Teamwork in Microsoft 365! Let's review what
you've learned.
Throughout this chapter, we covered teamwork features in Microsoft 365 and analytics in
Microsoft 365.
We kicked things off by looking at the different teamwork tools that are available in Microsoft
365 and how to choose the right teamwork tools for your needs. We also looked at tools like
SharePoint Online, Outlook, Microsoft Teams, and more.
Next, we looked at the different ways you can work together on files and content and how you
can use teamwork tools to run meetings and projects.
We rounded things out by touching on the analytic tools that Microsoft 365 includes, where you
learned about MyAnalytics and about Workplace Analytics.
At this point, you should be able to intelligently evaluate the many different teamwork tools in
Microsoft 365.

CHAPTER 7
SECURITY FUNDAMENTALS

Welcome to Security Fundamentals. In this chapter, we are going to cover a few different
fundamental security topics.
We will start things off by covering the 4 key security pillars of protection. We'll look at identity
and access management, threat protection, information protection, and security management.
Next, we’ll cover key identity and access management concepts.
After covering identity and access management concepts, we'll look at threat protection concepts,
where you'll learn about the ways you can protect your network against threats from devices and
against network threats. Rounding out the chapter, you'll learn about information protection
concepts and security management concepts.

Pillars of Protection
Any respectable security design will provide defense in depth. Defense in depth is a security
concept that involves the use of several different layers of security to protect data. Defense in
depth is important because if a hacker is able to compromise one layer of defense, there are still
several others to offer protection. An example of defense in depth in a network environment
would be an architecture that features an external firewall, a DMZ, an internal firewall, and then
firewalls that are configured on each computer.
Because no single security solution can ensure data security at all times, organizations should
take this layered defense in depth approach to protect themselves. Protecting data on computers
or servers, for example, may include drive encryption, file and folder permissions, and maybe
even rights management.
Microsoft takes a holistic approach to security. In doing so, it helps organizations protect their
identities, their data, their applications, and their devices, whether they reside on-prem, in the
cloud, or are mobile.
The key pillars that are foundational to the security of every computer system include identity
and access management, threat protection, information protection, and security management.

Identity and Access Management


The identity piece of identity and access is used to identify users before they are authorized to
access IT resources. Users are typically identified via user accounts, which are assigned the
necessary levels of access for particular resources. Each user in an organization may actually
have several different user accounts. These accounts can include local login accounts, Active
Directory accounts, Azure Active Directory accounts, or Microsoft accounts.


A local user account is specific to a local Windows 10 device only. A local account on one
computer will not allow access to resources on another computer. Devices can also have local
accounts. For example, all Windows 10 computers have local accounts, but those local accounts
are usually not used interactively.
Because most organizations use traditional Active Directory forests to manage their users and
computers, domain accounts are another prominent type of user account. These types of accounts
are used to authenticate users when they access domain-joined devices.

Azure AD accounts are user accounts that are stored in Azure Active Directory. These accounts
are generally used to access resources and services that are hosted in the cloud. Office 365
immediately comes to mind. Organizations that use both a traditional on-prem Active Directory
and an Azure Active Directory can integrate the two via synchronization with Azure AD
Connect.
Microsoft accounts include an email address and password. These accounts are used to sign into
many different services and can be used regardless of the user location or organization that a user
is a member of. Users that have signed into services like Xbox Live or Outlook.com, among
others, already have a Microsoft account.
Microsoft accounts can also be used to authenticate with Azure AD.
There are of course many other types of accounts, including social accounts, like Facebook
accounts and Twitter accounts.
Since user accounts are the primary way of determining who a user is, it’s critical that those
accounts be protected, and it’s critical that the identity verification process is protected as well.
This is referred to as identity protection.
Microsoft 365 offers several features that can be used to identify compromised user accounts. It
can, for example, detect new or unusual sign-in locations that often indicate an account has been
compromised. You can then take action based on these unexpected changes.
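Detection of new or unusual sign-in locations, as an added Python example (it is not Microsoft 365's own detection logic and not code from this book). It goes beyond the text by also checking the travel speed implied between consecutive sign-ins; the records, the 900 km/h ceiling, and the 500 km minimum distance are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900   # assumed ceiling, roughly airliner cruising speed
MIN_DISTANCE_KM = 500     # assumed floor, ignores geolocation jitter and short hops

# Constructed sign-in records: (user, UTC time, country code, latitude, longitude)
SAMPLE_SIGNINS = [
    ("alice", "2020-03-02T08:00:00Z", "US", 40.71, -74.01),
    ("bob",   "2020-03-02T09:00:00Z", "GB", 51.51, -0.13),
    ("alice", "2020-03-02T12:00:00Z", "US", 40.71, -74.01),
    ("alice", "2020-03-02T13:00:00Z", "SG", 1.35, 103.82),
    ("carol", "2020-03-03T10:00:00Z", "US", 47.61, -122.33),
    ("bob",   "2020-03-05T09:00:00Z", "FR", 48.86, 2.35),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(signins):
    """Return (user, time, reasons) for each sign-in that looks unusual.

    A user's first sign-in only establishes the baseline and never alerts.
    """
    seen = {}   # user -> set of countries already observed
    last = {}   # user -> (time, latitude, longitude) of previous sign-in
    alerts = []
    # Timestamps share one ISO 8601 format, so string order is time order.
    for user, ts, country, lat, lon in sorted(signins, key=lambda r: r[1]):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if user in seen:
            if country not in seen[user]:
                reasons.append("new_location")
            prev_when, prev_lat, prev_lon = last[user]
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Simultaneous sign-ins far apart count as implausible too.
            if dist > MIN_DISTANCE_KM and (
                hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH
            ):
                reasons.append("implausible_travel")
        seen.setdefault(user, set()).add(country)
        last[user] = (when, lat, lon)
        if reasons:
            alerts.append((user, ts, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SIGNINS):
        print(alert)
```

A new country on its own is a weak signal, since users do travel, which is why the example reports the reasons separately so a policy can weigh them differently.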

Threat Protection
Every time a device connects to your infrastructure, it has the potential to bring with it security
risks. For example, if a particular device does not have a properly configured firewall running, it
is a threat to the network every time it connects - especially if the device often connects to
unsecured public networks when it’s not on the corporate LAN.


A device without antivirus or antimalware protection is obviously a threat because of its risk of
being infected with malware. When a device like this attaches to the network, such malware can
then be spread to other devices within the organization.
Unpatched operating systems and applications are additional threats to the organization that
originate from devices. Because malicious software often takes advantage of unpatched systems,
these types of systems and devices can serve as an opening to the corporate LAN.
Poor passwords and poor physical security are also risks that devices introduce to the corporate
network. A phone or a device that is protected with an easy-to-guess PIN or password is a risk
because if it is stolen, the data on that device is readily accessible. As far as physical security
goes, many users will often leave their devices unattended in public places like airports and
Internet cafés. In such scenarios, not only can a device be stolen, but it can also be tampered
with.
Many of these risks to device security can be mitigated through end-user education on how to
properly secure devices with complex passwords, PINs, and biometric protection. That said,
education only goes so far. As a result, in order to properly secure your organization’s IT
infrastructure, you need to be able to enforce corporate security settings on these devices,
including those that are owned by the users. By restricting access to corporate resources to only
those devices that adhere to such policies, you can better protect your environment.
Network security is a whole other ball of wax. While there are many different types of attacks
that threaten a network, most can be mitigated with some proper network access planning.
To protect your network, you need to take a holistic approach. Every possible threat must be
identified and there needs to be a plan for mitigation. For example, there should be a rigorous
form of authentication in place for devices that wish to connect to the network. Another way to
protect against network-sourced threats is to only allow guest users to access the Internet from
guest networks, and not from the corporate network.

Information Protection Concepts


To properly protect organizational data, that data needs to be protected both at rest and in transit.
Data at rest is data that is stored somewhere like a file server or on a hard drive. Data at rest can
also be stored on a USB flash drive or even in mailboxes. The security risks that are associated
with each of these storage locations differ significantly. Data on a thumb drive, for example, can
easily be lost because thumb drives are easy to misplace. Because laptops are usually targets for
theft, data stored on laptops can disappear rather quickly as well. Because hackers know that
organizational file servers often contain critical data, such file servers are often targeted.
Each scenario presents different challenges. That being the case, it’s important to understand
which data protection solutions are the right ones to use. Some solutions that can be used to
protect data at rest include drive encryption, rights management software, antimalware, and even
enhanced network security.


Data in transit is data moving between devices. An example of data in transit would be a user
accessing files on a file server or reading email on a cell phone. Authentication
and encryption are used to ensure the safety of data that is in transit from one device to another.

So, the key takeaway here is that there are two information protection concepts to keep in mind.
You must protect data at rest, and you must protect data in transit.

Security Management
Security management is actually a combination of the first three concepts that we’ve discussed.
It brings together identity and access management, threat protection, and information protection.
In order to address these other pillars of security, you need an effective security management
process.
Because security management is both proactive and reactive, it’s important to implement
solutions that address both sides of the coin. Taking a proactive security management position
will often require you to deploy certain types of authentication, like complex passwords and
MFA, to meet perceived threats.
Reactive management will require you to deploy tools that you can use to identify security
threats that are happening right now. This means you should deploy monitoring tools that can
not only identify active threats, but that can also help you take the correct mitigation steps.
By taking the right security management tack, you can ensure that you are properly addressing
the three other key pillars of security.

Chapter Review: What You’ve Learned


Congratulations! You have come to the end of Security Fundamentals! Let's review what
you've learned.
We kicked things off by covering the 4 key security pillars of protection. We looked at
identity and access management, threat protection, information protection, and security
management.
Next, we covered key identity and access management concepts.
After covering identity and access management concepts, we looked at threat protection
concepts, where you learned about the ways you can protect your network against threats from
devices and against network threats.


Rounding things out, you learned about information protection concepts and security
management concepts.

CHAPTER 8
MICROSOFT 365 SECURITY FEATURES

Welcome to Microsoft 365 Security Features. In this chapter, we are going to review a few key
Microsoft 365 security features.
We will start things off by covering identity and access in Microsoft 365. We'll look at secure
authentication solutions, conditional access, and identity protection.
Next, we’ll cover key threat protection solutions that Microsoft 365 offers. We'll review Azure
Active Directory Identity Protection, Advanced Threat Protection, Azure Security Center, and a
few others.
After covering the key threat protection solutions in Microsoft 365, we'll take a look at the
Microsoft Security Center and the Secure Score.

Identity and access in Microsoft 365


Identity and access management is probably the most important security pillar in Microsoft 365.
By offering secure authentication, Microsoft 365 helps you protect against account breaches.
Conditional access in Microsoft 365 provides granular access to corporate data.
Identity protection features in Microsoft 365 can be used to ensure hackers do not steal the
identity of your users.
Let’s start things off by taking a look at how Microsoft 365 provides secure authentication.
Secure Authentication
Protecting your organization against breaches means you need to protect your users. Ensuring
that your users use complex passwords is one way to protect them. However, such complex
passwords can be difficult to remember - and because complex passwords are so difficult to
remember, users will often just use the same complex password for all of their sites and
resources.
Relying solely on complex passwords can also be problematic because no matter how complex
the passwords are, they are subject to replay attacks and they are often exposed due to phishing
attacks. This obviously presents challenging security risks, especially since most breaches
originate with compromised passwords.
To help reduce the risks associated with passwords, Microsoft 365 offers a few replacement
options. These options include Multi-Factor Authentication, Windows Hello, and Microsoft
Authenticator.
Multi-Factor Authentication, or MFA, allows you to specify multiple factors for authentication.
It forces users to provide at least two authentication factors to identify themselves. These factors
typically consist of something the user knows, such as a password or PIN; something the user has,
which would often be a smart card, a digital certificate, or even a phone; and something the
user is, which is usually some sort of biometrics.
Windows Hello is a Windows 10 feature that replaces passwords with two-factor authentication
on both PCs and mobile devices. This is a newer type of user credential that gets tied to a
specific device and leverages either a PIN or some form of biometric. Users can use Windows
Hello to authenticate in Active Directory and in Azure Active Directory.
Microsoft Authenticator is an application that organizations can use to keep accounts secure. It
works by offering two-factor verification and phone sign-in. Two-factor verification is the
standard verification method. The first factor is the user’s password. However, once a user signs
into a device, app, or site, using his username and password, the user must use Microsoft
Authenticator to either approve a notification or enter a verification code that is provided.
The phone sign-in option is another version of two-factor verification that allows users to sign in
without a password. Instead of using a username and password combination, users can log in with
a username and a mobile device with a fingerprint, face, or PIN.
Conditional Access
Conditional access allows organizations to provide granular access to data and applications. It
allows users to work from virtually any location and from just about any device. Conditional
Access evaluates users, devices, apps, location, and risk before granting a specific user access to
a corporate resource. This ensures that only those approved users can access company resources
from only approved devices.
Conditional Access evaluates access requests against several different criteria. It then compares
these criteria to policies that you define. After comparing against these policies, Conditional
Access will decide whether or not access is allowed.
I should mention that Conditional Access spans multiple Microsoft 365 services including Office
365, Windows 10, and Intune.
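A simplified model of the evaluation described above, added here as an illustration and not Microsoft's code or API: the signals of one sign-in (user, device, app, location, risk) are matched against every policy, and the controls of all matching policies are combined, with a block taking precedence. The class names, field names, policies, and sample sign-ins are constructed assumptions.

```python
from dataclasses import dataclass

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
ANY = "*"  # wildcard: every user group / every app


@dataclass(frozen=True)
class SignIn:
    """Signals collected for one access request (constructed model)."""
    user: str
    groups: frozenset
    app: str
    location: str            # named location label, e.g. "HQ"
    risk: str                # "low", "medium" or "high"
    device_compliant: bool
    mfa_done: bool = False


@dataclass(frozen=True)
class Policy:
    """One administrator-defined policy: conditions plus controls."""
    name: str
    groups: frozenset = frozenset({ANY})
    apps: frozenset = frozenset({ANY})
    exclude_locations: frozenset = frozenset()
    min_risk: str = "low"
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False


@dataclass(frozen=True)
class Decision:
    outcome: str             # "allow", "require" or "block"
    unmet: tuple             # controls the user still has to satisfy
    matched: tuple           # names of the policies that applied


def applies(policy, signin):
    """True when every condition of the policy matches the sign-in."""
    if ANY not in policy.groups and not (policy.groups & signin.groups):
        return False
    if ANY not in policy.apps and signin.app not in policy.apps:
        return False
    if signin.location in policy.exclude_locations:
        return False
    return RISK_ORDER[signin.risk] >= RISK_ORDER[policy.min_risk]


def evaluate(policies, signin):
    """Combine all matching policies: block wins, otherwise controls add up."""
    matched = [p for p in policies if applies(p, signin)]
    names = tuple(p.name for p in matched)
    if any(p.block for p in matched):
        return Decision("block", (), names)
    unmet = []
    if any(p.require_mfa for p in matched) and not signin.mfa_done:
        unmet.append("mfa")
    if any(p.require_compliant_device for p in matched) and not signin.device_compliant:
        unmet.append("compliant_device")
    return Decision("require" if unmet else "allow", tuple(unmet), names)


# Constructed sample policies.
POLICIES = [
    Policy("MFA outside HQ", exclude_locations=frozenset({"HQ"}), require_mfa=True),
    Policy("Compliant device for finance app", apps=frozenset({"finance"}),
           require_compliant_device=True),
    Policy("Block high-risk sign-ins", min_risk="high", block=True),
]

# Constructed sample sign-ins.
SAMPLES = {
    "office": SignIn("alice", frozenset({"staff"}), "mail", "HQ", "low", True),
    "remote": SignIn("bob", frozenset({"staff"}), "finance", "Unknown", "medium", False),
    "remote_fixed": SignIn("bob", frozenset({"staff"}), "finance", "Unknown", "medium",
                           True, mfa_done=True),
    "risky": SignIn("carol", frozenset({"admins"}), "mail", "HQ", "high", True),
}

if __name__ == "__main__":
    for label, signin in SAMPLES.items():
        d = evaluate(POLICIES, signin)
        print(f"{label:13} {d.outcome:8} unmet={d.unmet} matched={d.matched}")
```

The same user and app produce different outcomes as location, device state, and risk change, which is the granularity the section describes.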
Identity Protection
Because most security breaches occur as a result of stolen user identities, identity protection is
critical. Not only do you need to protect all of your user identities from being compromised, but
you also need to ensure that you are proactively preventing compromised identities from being
abused.

Microsoft 365 offers several ways for organizations to protect their identities. They include
Azure Active Directory Identity Protection, Microsoft Cloud App Security, Azure Advanced
Threat Protection, and Windows 10’s built-in identity protection capabilities.
Azure Active Directory Identity Protection helps organizations identify attempts to compromise
user accounts. Whenever it identifies unusual behavior from an account, Azure Active Directory
Identity Protection can block access and even require additional authentication options.
Microsoft Cloud App Security provides analytics for cloud apps and services. This helps
organizations understand protections that are in place for their data across cloud apps.

Azure Advanced Threat Protection, or ATP, is a cloud-based security solution. Using ATP,
organizations can identify, detect, and investigate many different threats, compromised identities,
and other malicious activity that’s directed at the organization.
The built-in identity protection capabilities of Windows 10, including Windows Hello, can be
used to further protect user identities.
So, as you can see, by providing secure authentication, conditional access, and identity protection
features, Microsoft 365 helps organizations manage the first security pillar, which is identity and
access management, by helping them identify who is accessing resources and control what can be
accessed.

Threat Protection in Microsoft 365


Organizations that leverage Azure Active Directory get the benefits of the adaptive machine
learning algorithms that it uses to detect suspicious incidents and identities that may be
compromised. This data is used by Azure Active Directory Identity Protection to create reports
and alerts that you can use to evaluate potential security issues and take action.
In addition to monitoring and reporting, Azure Active Directory Identity Protection allows you to
configure risk-based policies that will automatically respond to suspicious incidents that are
detected. These policies can be used with conditional access controls to automatically block
access and to even automatically take remediation actions.
Azure Advanced Threat Protection

Azure Advanced Threat Protection, or ATP, is a cloud-based security solution. What Azure
Advanced Threat Protection does is identify and detect advanced threats, compromised
identities, and certain malicious insider actions. The security reports and analytics that ATP
offers are useful for reducing your organization’s attack surface.
Azure Security Center
Azure Security Center is another security tool. It offers advanced threat protection and unified
security management across hybrid cloud workloads, which include those workloads on-prem, in
the Azure cloud, and in other clouds. Azure Security Center will even allow you to automatically
discover and onboard new Azure resources. Defined security policies are automatically applied
to ensure such new resources are compliant with your security standards. You can use Azure
Security Center to collect and analyze security data from many different sources, including
firewalls and even partner solutions.

Microsoft Exchange Online Protection


The Microsoft Exchange Online Protection service, or EOP, is a cloud-based email filtering
service provided to Microsoft Exchange Online customers. This anti-spam and antimalware
solution provides email protection.
Microsoft Intune
Microsoft Intune is a mobile device management solution that is part of Enterprise Mobility +
Security, or EMS. It integrates with other EMS components as well. For example, its integration
with Azure Active Directory helps provide identity and access control, while its integration with
Azure Information Protection helps secure data. Using Microsoft Intune with Office 365 can help
protect your data while allowing users to work from virtually any device.
Office 365 Advanced Threat Protection
Office 365 Advanced Threat Protection is a security offering that is included in Microsoft 365
E5 subscriptions. It is used to identify threats before they make their way into a user’s mailbox
by scanning email and URLs, identifying and blocking malicious files, and detecting
impersonation attempts. The Safe Links feature of Office 365 Advanced Threat Protection scans
emails in real time. Users are presented with a warning message if they click on a link that may
be malicious. Attack Simulator, which comes with Advanced Threat Protection, can be used to
simulate realistic attacks as well.
Office 365 Threat Intelligence
Office 365 Threat Intelligence consists of insights and other information - and is available in the
Office 365 Security and Compliance Center. This tool can be used to understand different threats
against your users and data because it monitors different signals and gathers data from several
different sources, including email, compromised PCs, user activity, and other security incidents.
By leveraging these many different security tools, you can protect your users, identities, devices,
user data, apps, and infrastructure.

Microsoft 365 Security Center and the Secure Score


The Microsoft Security Center is used to track and manage security for identities, data, devices,
apps, and even infrastructure. Security Center will generate alerts when suspicious activities are
identified. The real-time reports that Microsoft Security Center offers allow organizations to
keep track of issues within their organization. Because it provides many different insights and
recommendations, the Microsoft Security Center can help organizations improve their security
posture. You can even use the Security Center to configure device and data policies.
Within the Microsoft Security Center, you’ll find the Microsoft Secure Score. The Secure Score is
a configurable security score assigned to your environment. This score provides an overall view of
your security posture. You can use the centralized dashboard to not only monitor the security of
your environment, but you can also use it to improve that security.
The Microsoft Secure Score offers detailed data
visualization as well as integration with other Microsoft products. You can even use it to
compare your score with other companies. By completing the improvement actions that are
called out, you can improve your score and harden your environment.
The way that the Secure Score works is rather straightforward. It assigns points whenever you
configure its recommended security features and when you perform certain security-related tasks.
It also assigns points for addressing certain improvement actions. The idea is to get your Secure
Score as high as you can, while balancing the security and usability in your environment,
because some recommendations won’t necessarily work in your environment, given how you do
business.

Ultimately, what you want to do is use the Microsoft Secure Score recommendations to identify
the settings that are most important to you and to make the changes that you deem necessary.

Chapter Review: What You’ve Learned


Congratulations! You’ve reached the end of Microsoft 365 Security Features. Let’s review
what you’ve learned.
We started things off by covering identity and access in Microsoft 365, where we looked at
secure authentication solutions, conditional access, and identity protection.
Next, we covered the key threat protection solutions that Microsoft 365 offers. We reviewed
Azure Active Directory Identity Protection, Advanced Threat Protection, Azure Security Center,
and a few others.
After covering the key threat protection solutions in Microsoft 365, we looked at the Microsoft
Security Center and the Secure Score.

CHAPTER 9
COMPLIANCE IN MICROSOFT 365

Welcome to Compliance in Microsoft 365. In this chapter, we are going to review a few key
Microsoft 365 compliance tools.
We will start things off by covering the Service Trust Portal and Compliance Manager. You'll
learn what they are, how to access them, and what features they offer. We will then look at
Compliance Center, where you’ll learn about what information it provides and how to access it.

Service Trust Portal and Compliance Manager


The Service Trust Portal and Compliance Manager are used for assessing compliance risk,
protecting and governing information, and responding to regulatory requests.
Service Trust Portal
The Service Trust Portal is a web portal that provides all kinds of content and tools that pertain
to Microsoft security, privacy, and compliance practices. The Service Trust Portal also features
third-party audits of many of Microsoft’s online services, along with information on how
Microsoft’s services can help you maintain and track compliance with laws, regulations, and other
standards.
For example, the Service Trust Portal offers information on ISO compliance, service
organization controls, and information on NIST compliance. You’ll also find information on
GDPR and FedRAMP.
Compliance tools that you will find on the Service Trust Portal include Compliance Manager,
Trust Documents, Regional Compliance, and Privacy. Compliance Manager is a dashboard that
you can use to track standards, regulations, and assessments, while the Trust Documents area
includes audit reports and other data protection information as it relates to Microsoft services.
Regional Compliance information includes compliance information that is specific to your
region, and the Privacy information that is available includes information about the capabilities
of Microsoft services that can be used to address GDPR requirements.
The Service Trust Portal can be accessed by visiting this URL.
Compliance Manager

Compliance Manager is used to meet compliance obligations, such as GDPR, ISO, NIST, and
HIPAA.
The three main capabilities that Compliance Manager provides include ongoing risk assessment,
actionable insights, and simplified compliance. The ongoing risk assessment is essentially a
summary of your organization’s compliance posture when measured against regulatory
requirements that apply to your business. This information is provided in the context of using
Microsoft cloud services. The compliance score that is provided on the dashboard can be used to
help make compliance decisions.

Actionable insights offer information on the compliance responsibilities that are split between
the customer and Microsoft. For components and services that are managed by the customer, the
dashboard will present recommendations and instructions for implementing them.
To ensure simplified compliance, Compliance Manager offers built-in collaboration tools that
can be used to assign tasks to teams within your organization. You can also create audit-ready
reports that link out to evidence that you collect to demonstrate your compliance.

Microsoft Compliance Center


The Compliance Center is essentially a dashboard that’s designed for compliance, privacy, and
risk management staff. You use this dashboard to assess your organization’s compliance risks
through its integration with Compliance Manager. You also use Compliance Center to protect
your data and to govern it. It’s the place to go if you want or need to respond to regulatory
requests and to access other compliance and privacy solutions.

Due to its integration with Compliance Manager, you can use Microsoft Compliance Center to
gain insights into your organization’s compliance posture as it relates to key standards and
regulations like GDPR, ISO, and NIST. You can also perform risk assessments and follow
guidance that’s provided in order to improve your privacy controls and compliance.
Microsoft Cloud Apps Security Insights, or MCAS, is available from the Compliance Center as
well. You can use MCAS to do things like identify compliance risks across apps, monitor
noncompliant employee behavior, and even identify shadow IT situations.
Once you’ve enabled the Microsoft Compliance Center for your tenants, you can access it at this
URL.

Chapter Review: What You’ve Learned

Congratulations! You’ve reached the end of Compliance in Microsoft 365! Let’s review what
you’ve learned.

In this chapter, we looked at a few key Microsoft 365 compliance tools. We started things off by
covering the Service Trust Portal and Compliance Manager. You learned what they are, how to
access them, and what features they offer. We then looked at Compliance Center, where you
learned what information it provides and how to access it.


CHAPTER 10
MICROSOFT 365 PRICING AND SUPPORT

Welcome to Microsoft 365 Pricing and Support. In this chapter, we are going to review the
Microsoft 365 subscription options that are available, how to manage Microsoft 365 licenses,
how to manage billing, and how to get Microsoft 365 support.

Microsoft 365 Subscription Options


As you’ve learned throughout this book, Microsoft 365 is a complete software-as-a-service
solution that includes Microsoft Office 365, Windows 10, and Enterprise Mobility + Security, all
bundled into a single subscription. Because every business is different and every business has
different requirements, Microsoft offers several different subscriptions and plans to
accommodate those differing requirements. These subscriptions include Microsoft 365
Enterprise, Microsoft 365 Business, Microsoft 365 Education, and Microsoft 365 for First Line
Workers.
Microsoft 365 Enterprise offers enterprise class services to organizations that require robust
threat protection, security, compliance, and analytics features. Under the Microsoft 365
Enterprise umbrella, you’ll find two different plans. They include the E3 plan and the E5 plan.

Feature | E3 | E5
--- | --- | ---
Windows 10 Enterprise | x | x
Word, Excel, PowerPoint, OneNote, Access, Exchange, Outlook, Teams | x | x
StaffHub, PowerApps, Flow, Skype for Business, SharePoint, Yammer | x | x
Advanced Threat Analytics, Windows Defender Antivirus, Device Guard | x | x
Azure Active Directory Plan 1, Windows Hello, Credential Guard, Direct access | x | x
Intune, Windows Autopilot, Fine Tuned User Experience, Windows Analytics Device Health | x | x
Windows Information Protection, Bitlocker & Azure Information Protection P1 | x | x
Office 365 Data Loss Preventions, Delve | x | x
Power BI Pro, MyAnalytics, Audio conferencing, Phone System | | x
Windows Defender ATP, Office 365 ATP, Office 365 Threat Intelligence | | x
Azure Active Directory Plan 2 | | x
Azure Information Protection P2, Microsoft Cloud App Security, Office 365 Cloud App Security | | x
Advanced eDiscovery, Customer Lockbox, Advanced Data Governance | | x

The table above highlights the features that are included in each plan. As you can see, the E5
plan includes all of the same features as the E3 plan, plus more advanced threat protection,
security, and collaboration tools.
You can purchase Microsoft 365 Enterprise licenses through a cloud solution provider, or CSP,
or you can purchase them through an Enterprise Agreement subscription from Microsoft.
Microsoft 365 Business is well suited for smaller and medium-sized organizations. Like its
older brother, Microsoft 365 Enterprise, Microsoft 365 Business offers the same full set of Office
365 productivity tools. While it does include many security and device management features,
Microsoft 365 Business does NOT include many of the advanced information protection,
compliance, or analytics tools that are available in the enterprise plan. Microsoft 365 Business is
designed for organizations with 300 users or fewer. If your organization requires more than 300
licenses, you will need to subscribe to an enterprise plan instead.
Microsoft 365 Education, as you can probably gather from its name, is intended for educational
organizations. Such organizations can obtain academic licenses that can be tailored to fit their
specific needs.
Microsoft 365 for First Line Workers is referred to as the Microsoft 365 F1 Subscription. This
plan is intended for first line workers, such as customer service reps, support engineers, and
service professionals.
While the Microsoft 365 F1 subscription is similar in many ways to the Microsoft 365 E3
subscription, the F1 plan is designed in a way that better fits the needs of first line workers. For
example, since first line workers don’t typically use virtual machines, the Microsoft 365 F1
subscription includes Windows 10 E3, but doesn’t offer virtualization rights. I should also note
that Microsoft 365 F1 is far less expensive than the Microsoft 365 E1 and E3 enterprise plans.

So, the key takeaway here is that Microsoft 365 Enterprise is designed for large organizations.
Microsoft 365 Business is designed for small and medium-sized businesses. Microsoft 365
Education is for educational organizations and the Microsoft 365 F1 Subscription is designed for
first line workers.

Managing Microsoft 365 Licenses


When you purchase a Microsoft 365 subscription, you tell Microsoft how many licenses you
need, based on the number of people in your organization. When it comes time to create user
accounts and to assign licenses to your users, you use the Microsoft 365 admin center. As new
people come on, you use the admin center to assign licenses to them. As people leave, you can
remove their licenses and reassign them to other people within the organization.
You can also manage expired licenses from the Microsoft 365 admin center. Licenses expire
when you don’t renew them or if your bill is past due. When a license expires, the user with that
expired license will have limited use of their Microsoft 365 products. To regain full
functionality, you would need to either renew the license or assign a new, active license.
The admin center is also where you enable and disable features like Exchange Online and
Microsoft Teams. These features are enabled and disabled using a toggle switch or checkbox
within each license for each user. This same process is used to enable and disable many other
services and tools within a user’s license. I should note, however, that deactivating individual
features, or even all features for a specific user, does not free up the license itself. These
individual controls simply manage which features are available to the user within that assigned
license.
Admin Roles
There are various admin roles that are available within Microsoft 365. Each role can perform
different licensing actions. The roles include the Global Administrator, the Billing Administrator,
and the License Administrator.
The Global Administrator has access to all admin features in the Office 365 suite of services.
The person that signs up to buy Office 365 automatically becomes the Global Admin. It’s also
important to note that Global Admins are the only ones who can assign other admin roles, and
they are the only ones that can manage the accounts of other Global Admins.
The Billing Administrator is responsible for making purchases, managing subscriptions, and
managing support tickets. This role also monitors service health.
The License Administrator, as you may have guessed, is responsible for adding, removing, and
updating license assignments for users and groups. This role does not offer the ability to
purchase or manage subscriptions, nor does it offer the ability to create or manage users and
groups. It can, however, manage the usage location for users because that is relevant to the
licensing.

Billing and Support in Microsoft 365


Billing management is another task that is handled from the Microsoft 365 admin center. As you
might expect, the options that are available, as well as pricing, will depend on the specific
subscription and the number of users that are licensed. That said, each service has a set price
that’s usually charged on a per user per month basis.
You can use the Microsoft 365 admin center to review and modify all billing aspects of your
subscription. You can view the current number of purchased licenses and you can see how many
of those licenses have been assigned to users. You can also view any current charges that are due
on your account as well as the payment method and frequency that are on file. The frequency can
be monthly or annual.
The Microsoft admin center is also used to specify a list of email addresses that should receive
automated billing notifications and renewal reminders that are associated with the Microsoft 365
subscription.
When it comes to support in Microsoft 365, you have several options available. The specific
details of which support options you have available to you are dependent on your specific
situation. That said, let’s take a look at the different ways you can get support for Microsoft 365.

FastTrack provides you with direct access to Microsoft 365 planning materials and to
dedicated Microsoft FastTrack project managers and engineers. These resources are there to help
you deploy Microsoft 365.
The O365 Assistant is an automated assistant bot that can be found in the Microsoft 365 admin
center. The O365 assistant is designed to help you find answers to common support questions.

Premier Support is another option available to Microsoft 365 subscribers. The Microsoft
Premier support services option is perfect for large and global enterprises with critical
dependence on Microsoft products, including Microsoft 365 and Microsoft Azure. Organizations
that are Premier Support members are assigned dedicated technical account managers and have
additional benefits like on-site support and even advisory services.
Cloud Service Provider Tier 1 Support is provided to organizations that have purchased their
Microsoft 365 subscription through a certified Tier-1 cloud solution provider, or CSP. The CSP,
in this case, is the first point of contact for all service-related issues. The CSP will escalate issues
that it can’t resolve to Microsoft.
Telephone Support is also available for some Microsoft 365 components.
Some other ways to get support for Microsoft 365 are the use of forums and communities. The
Microsoft 365 Tech Community, for example, allows you to connect with and collaborate with
other customers and to share your experiences, problems, and solutions.
The Microsoft 365 Support Forums are official Microsoft support forums that you can use to
ask questions and to get answers from both Microsoft and community members. Some of the
more popular Microsoft support forums include the Azure forums, the Windows forums, and the
Office forums.
So, as you can see, billing and support are never more than a mouse click away.

Chapter Review: What You’ve Learned


Congratulations! You’ve reached the end of Microsoft 365 Pricing and Support. Let’s review
what you’ve learned.
In this chapter, we reviewed the various Microsoft 365 subscription options that are available
and how to manage Microsoft 365 licenses. We also covered billing management and the various
Microsoft 365 support options that are available.

SO NOW WHAT?

Now that you’ve read through this book, you should enroll in the video course that this book is
based on. While the full course covers the same topics that you’ve encountered in this book, it
does so through a series of 52 video lessons, over 500 engaging visuals, several hands-on
demonstrations, numerous quizzes, and an end-of-course practice test. There are also several
downloadable infographics available as well. All told, the full course spans 3 hours.
By reading through this book and completing the associated course, you should be ready to not
only plan, deploy, and manage Microsoft 365 and its various services, but you should also be
amply prepared to pass the MS-900 Microsoft 365 Fundamentals exam!
To enroll in this best-selling Microsoft 365 Fundamentals course today, visit this link.
