Configuring Azure AD join – Managing Azure Active Directory Objects

With Azure AD join, you are able to join devices directly to Azure AD without the need to join your on-premises Active Directory in a hybrid environment. While hybrid Azure AD join with an on-premises AD might still be preferred for some scenarios, Azure AD join simplifies the process of adding devices and modernizes device management for your organization. This can result in the reduction of device-related IT costs.

Your users are getting access to corporate assets through their devices. To protect these corporate assets, you want to control these devices. This allows your administrators to ensure that your users are accessing resources from devices that meet your standards for security and compliance.

Azure AD join is a good solution when you want to manage devices with a cloud device management solution, modernize your application infrastructure, simplify device provisioning for geographically distributed users, and when your company is adopting Microsoft 365 as the productivity suite for your users.

Azure AD join can be deployed by using any of the following methods:

  • Bulk deployment: This method is used to join large numbers of new Windows devices to Azure AD and Microsoft Intune.
  • Windows Autopilot: This is a collection of technologies used to preconfigure Windows 10 devices so that the devices are ready for productive use. Autopilot can also be used to reset, repurpose, and recover devices.
  • Self-service experience: This is also referred to as a first-run experience, which is mainly used to join a new device to Azure AD.

When it comes to joining devices to Azure AD, there are two main ways of managing those devices:

  1. MDM only: This is when the device is managed exclusively by an MDM provider such as Intune.
  2. Comanagement: This is when the device is managed by an MDM provider and System Center Configuration Manager (SCCM).

When joining a Windows 10 device to Azure AD, there are two scenarios that we need to look at:

  1. Joining a new Windows 10 device via the Out-of-Box Experience (OOBE).
  2. Joining an already configured Windows 10 device to Azure AD.

Let’s take a look at how we can join an existing Windows 10 device to Azure AD:

  1. On the Windows 10 device, search for Settings and open Accounts.
  2. Select Access work or school, and choose Connect:

Figure 1.25 – The Windows 10 settings menu to add and connect a device to Azure AD

  1. Under Alternate actions, choose Join this device to Azure Active Directory:

Figure 1.26 – TheWindows 10 device with the selected option to join the device to Azure AD

  1. A new window will pop up and ask you to sign in. Sign in with your organization’s account. In my case, this will be [email protected]:

Figure 1.27 – TheWindows 10 device that requires you to sign in to an Azure AD account to join it to Azure AD

  1. You will be prompted to verify whether you want to join your domain. Proceed by clicking on the Join button:

Figure 1.28 – The Windows 10 device summary page before joining it to Azure AD

  1. And now the Windows 10 device has been successfully joined to Azure AD:

Figure 1.29 – TheWindows 10 device that has successfully been joined to Azure AD

  1. As a final step, let’s navigate to the Azure portal under Manage, select Devices, and our newly Azure AD joined device will show up:

Figure 1.30 – Displaying the recently joined Windows 10 device in Azure AD under the Devices blade
That brings an end to this section. We have learned what Azure AD join is, the methods to enroll, and we have also shown the steps of how to manually join a Windows 10 device to Azure AD.
We encourage students to read up further by using the following links, which will provide additional information around Azure AD join, Windows Autopilot, and bulk device enrollment:
• https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
• https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
• https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
• https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-joined-devices-frx
In the next section, we are going to take a look at SSPR.

Performing bulk updates- Managing Azure Active Directory Objects

Performing bulk user updates is similar to managing single users (such as internal and guest users). The only property that can’t be set for multiple users is resetting the password. This has to be done for a single user.

Azure has also improved its bulk user settings by adding a drop-down menu that enables you to do the following via the downloadable CSV template and then re-uploading it:

  • Bulk user creation
  • Bulk user invitation
  • Bulk user deletion
  • Bulk user downloads

To perform a bulk user update, you have to perform the following steps:

  1. Navigate to the Users overview blade again in Azure AD.
  2. Select the Bulk operations drop-down menu:

 Figure 1.19 – The Azure AD bulk user operations optionFigure 1.19 – The Azure AD bulk user operations option

  • From the menu, select the action you want to complete; for example, select Download users:

 Figure 1.20 – The Azure AD bulk user download settingFigure 1.20 – The Azure AD bulk user download setting

  • Also, you can update multiple users by selecting them and choosing to delete them or configure MFA for each user:

 Figure 1.21 – The alternative Azure AD method for bulk user operationsFigure 1.21 – The alternative Azure AD method for bulk user operations 

This concludes our demonstration on how to perform bulk user updates and how it works.

We encourage students to read up further by using the following links, which will look at adding bulk users:

In the next section, we are going to cover how you can manage guest accounts.

Managing guest accounts

You can also add guest accounts in Azure AD using Azure AD B2B. Azure AD B2B is a feature on top of Azure AD that allows organizations to work safely with external users. To be added to Azure B2B, external users don’t require a Microsoft work or personal account that has been added to an existing Azure AD tenant.

All sorts of accounts can be added to Azure B2B. You don’t have to configure anything in the Azure portal to use B2B; this feature is enabled by default for all Azure AD tenants. Let’s see how to manage the guest accounts by performing the following steps:

  1. Adding guest accounts to your Azure AD tenant is similar to adding internal users to your tenant. When you navigate to the Users overview blade, you can choose + New guest user from the top-level menu, as follows:

 Figure 1.22 – The Azure AD Users blade to add a new guest userFigure 1.22 – The Azure AD Users blade to add a new guest user

  • Then, you can provide an email address and a personal message, which is sent to the user’s inbox. This personal message includes a link to log in to your tenant:
  • Select Invite user to add the user to your Azure AD tenant, and send an invitation to the user’s inbox:

 Figure 1.23 – Azure AD – inviting a guest userFigure 1.23 – Azure AD – inviting a guest user

  • To manage external users after creation, you can select them from the Users overview blade. They will have a User type value, which is named Guest. Simply select the user from the list, and you will be able to manage the settings that are displayed in the top-level menu for this user, as follows:

 Figure 1.24 – The Azure AD Users blade displaying the account as Guest under User typeFigure 1.24 – The Azure AD Users blade displaying the account as Guest under User type 

And that brings an end to this section. In this short section, we have reviewed guest accounts in Azure AD and learned how to configure them.

We encourage students to read up further by using the following links, which will provide additional information around restricting guest permissions:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions

In the next section, we are going to look at what Azure AD join is and how to configure it for Windows 10 devices.

Managing device settings- Managing Azure Active Directory Objects

Azure AD offers the ability to ensure that users are accessing Azure resources from devices that meet corporate security and compliance standards. Device management is the foundation of device-based conditional access, where you can ensure that access to the resources in your environment is only possible from managed devices.

Device settings can be managed from the Azure portal. To manage your device settings, your device needs to be registered or joined to Azure AD.

To manage the device settings from the Azure portal, you have to perform the following

steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. In the Azure AD Overview blade, under Manage, select Devices, as follows:

 Figure 1.14 – The Azure AD Devices bladeFigure 1.14 – The Azure AD Devices blade 

The device management blade will open. Here, you can configure your device management settings, locate your devices, perform device management tasks, and review the device management-related audit logs.

  • To configure the device settings, select Device settings from the left-hand menu. From here, you can configure the following settings, which are shown in the following screenshot:
    • Users may join devices to Azure AD: Here, you can set which users can join their devices to Azure AD. This setting is only applicable to Azure AD join on Windows 10.
    • Users may register their devices with Azure AD: This setting needs to be configured to allow devices to be registered with Azure AD. There are two options here: None, that is, devices are not allowed to register when they are not Azure AD joined or hybrid Azure AD joined, and All, that is, all devices are allowed to register. Enrolment with Microsoft Intune or MDM for Office 365 requires registration. If you have configured either of these services, All is selected and None is not available.
    • Require Multi-Factor Authentication to register or join devices with Azure AD: Here, you can request that the user is required to perform MFA when registering a device. Before you can enable this setting, MFA needs to be configured for the users who register their devices.
    • Maximum number of devices per user: This setting allows you to select the maximum number of devices that a user can have in Azure AD.
    • Manage Additional local administrators on all Azure AD joined devices: This setting allows you to add additional local administrators for Azure AD joined devices.
    • Manage Enterprise State Roaming settings: This setting provides users with a unified experience across all of their Windows devices and reduces the turnaround time when configuring new devices:

 Figure 1.15 – The Azure AD Device settings bladeFigure 1.15 – The Azure AD Device settings blade

  • To locate your devices, under Manage, select All devices. In this overview, you will see all the joined and registered devices, as follows:

 Figure 1.16 – The Azure AD All Devices blade displaying all of the devices linked to Azure ADFigure 1.16 – The Azure AD All Devices blade displaying all of the devices linked to Azure AD

  • Additionally, you can select the different devices from the list to get more detailed information about the device. From here, global administrators and cloud device administrators can Disable or Delete the device, as follows:

 Figure 1.17 – The Azure AD Device details for a specific device with the option to Disable or Delete the selected deviceFigure 1.17 – The Azure AD Device details for a specific device with the option to Disable or Delete the selected device

  • To audit logs, under Activity, select Audit logs. From here, you can view and download the different log files. Additionally, you can create filters to search through the logs, as follows:

 Figure 1.18 – The Azure AD Device Audit logs bladeFigure 1.18 – The Azure AD Device Audit logs blade 

This concludes our section on how to manage your device settings via the Azure portal.

We encourage students to read up further by using the following links:

Next, we are going to look at how to perform bulk user updates.

Managing user and group properties- Managing Azure Active Directory Objects

Part of an Azure administrator’s task is to understand what can be done from a user and group perspective within Azure AD. Let’s take a look at what we can configure for an Azure AD user account:

  • Profile: This is where you can view and update information such as the name, user type, job information, and more.
  • Assigned roles: This setting is where you can view all of the role assignments for that specific account; assignments can be in the form of eligible, active, or expired assignments.
  • Administrative units: This setting displays the AUs that the user is part of.
  • Groups: This setting displays the AD groups that the user is part of.
  • Applications: This setting displays the application assignments.
  • Licenses: This setting displays what licenses are currently assigned to the user account.
  • Devices: This setting shows what devices are associated with the user account, including the join type such as Azure AD joined.
  • Azure role assignments: This setting displays the resources on a subscription level to which the account has access.
  • Authentication methods: This setting displays the authentication contact information, such as the phone number and email address for MFA. From here, you can also set the account to reregister for MFA or revoke current MFA sessions.

Now that we have reviewed all the user properties, let’s take a look at the group settings.

Azure AD groups have the following settings available:

  • Overview: This displays the membership type, the source directory, the object ID, the creation date, and more.
  • Properties: This setting displays the general settings for the group, such as the group name, the description, the group type, and the membership type, which can be changed here.
  • Members: This setting displays all of the current members of the group; bulk operations can also be performed from here.
  • Owners: This setting displays the owners of the group who can modify the group and the members within it.
  • Administrative units: This setting displays the AUs that the group is part of.
  • Group memberships: This setting displays all of the security groups that the group belongs to (nested grouping).
  • Applications: This setting displays the application assignments.
  • Licenses: This setting displays the licenses that are assigned to the group, which group members will inherit automatically.
  • Azure role assignments: This setting displays the resources of a subscription level to which the group members have access.
  • Dynamic membership rules: This setting displays the configuration rules; for dynamic groups, this is where you can change the configuration rules, which will affect the members of the group.

And that brings an end to the user and group properties. In this section, we have looked at all of the different settings for Azure AD users and Azure AD groups.

We encourage students to read up further by using the following links, which will provide additional information around managing group settings via the command line and also dive into external user attribute flows:

Next, we are going to look at how to manage device settings within Azure.

Creating Azure AD AUs- Managing Azure Active Directory Objects

Azure AD AUs are used in scenarios where granular administrative control is required. AUs have the following prerequisites:

  • An Azure AD Premium P1 license is required for each AU administrator.
  • An Azure AD Free license is required for AU members.
  • A privileged role administrator or global administrator is required for configuration.

Tip

AUs can be created via the Azure portal or PowerShell.

The easiest way to explain AUs is by using a scenario. A company called Contoso is a worldwide organization with users across 11 countries. Contoso has decided that each country is responsible for its own users from an administrative point of view. That is where Azure AD AUs come in handy. With AUs, Contoso can group users per country and assign administrators that only have control over these users and cannot administrate users in other countries.

The following diagram displays a high-level overview of how AUs work in the same tenant across different departments. The following example, is based on different regions:

 Figure 1.8 – An AU overview displaying the separation of users for USA sales and UK salesFigure 1.8 – An AU overview displaying the separation of users for USA sales and UK sales 

The following roles can be assigned within an AU:

  • Authentication administrator
  • Groups administrator
  • Help desk administrator
  • License administrator
  • Password administrator
  • User administrator

Important Note

Groups can be added to the AU as an object; therefore, any user within the group is not automatically part of the AU.

Now, let’s go ahead and create an AU via the Azure portal:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Administrative units and click on Add:

 Figure 1.9 – The AU blade within Azure ADFigure 1.9 – The AU blade within Azure AD

  • Enter a name for the group. I’m using South Africa Users. In the Description field, it is best practice to add a brief description of what this AU is going to be used for:

 Figure 1.10 – The creation blade for an AUFigure 1.10 – The creation blade for an AU

  • Next, under Assign roles, add the users that you want to be administrators based on the available roles. Then, select Password Administrator and choose PacktUser1.
  • Click on Review + create:

 Figure 1.11 – The AU summary pageFigure 1.11 – The AU summary page

  • The next step is to add all the users you want PacktUser1 to manage; in our case, we need to add PacktUser1, PacktUser2, and PacktUser3. On the left-hand side, under Manage, click on Add member and select the members:

 Figure 1.12 – Adding users to the AUFigure 1.12 – Adding users to the AU

  • Now you will see that all three users have been added to the AU:

 Figure 1.13 – Displaying the users added to the AUFigure 1.13 – Displaying the users added to the AU

  • You can now log in with PacktUser1, and you should be able to reset the password of PacktUser2.

Important Note

Remember, you need to assign an Azure AD P1 license to administrators within the AU.

In this section, we explained what an AU is and how it can be used. Additionally, we went through the creation of an AU step by step.

We encourage students to read up further by using the following links, which will provide additional information around AU management:

Now, let’s move on and take a look at how to manage user and group properties.

Technical requirements- Managing Azure Active Directory Objects-2

Figure 1.2 – The Azure AD user creation page part 1

  1. Leave the sections under Groups and Roles in their default settings for now.
  2. Next, we need to fill in information regarding the following:
    1. Job title: Azure administrator
    1. Department: IT
    1. Company name: Packt1
    1. Usage location: South Africa
    1. Block sign in: No
    1. Manager: No manager selected:

 Figure 1.3 – The Azure AD user creation page part 2Figure 1.3 – The Azure AD user creation page part 2

  • Click on Create.
  • Repeat these steps to create two more users: PacktUser2 and PacktUser3.

Now that we have created users in our Azure AD tenant, we can add them to a group in Azure AD.

Creating groups in Azure AD

There are two main group types, as follows:

  • Security groups: These groups serve the same function as traditional on-premises groups, which is to secure objects within a directory. In this case, it is to secure objects within Azure AD.
  • Microsoft 365 groups: These groups are used to provide a group of people access to a collection of shared resources that is not just limited to Azure AD but also includes shared mailboxes, calendars, SharePoint libraries, and other Microsoft 365-related services.

Security groups are used as container units to group users or devices together. There are three main membership types for security groups:

  • Assigned: This is where you manually assign users to a group.
  • Dynamic user: This is where you can specify parameters to automatically group users, for example, grouping all users who have the same job title.
  • Dynamic device: This is where you can specify parameters to automatically group devices, for example, grouping all devices that have the same operating system version.

To create and manage groups from the Azure AD tenant in the Azure portal, you have to perform the following steps:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Groups | All groups. Then, select the + New group option from the top-level menu, as follows:

 Figure 1.4 – The Azure AD group creation page part 1Figure 1.4 – The Azure AD group creation page part 1

  • Add the following values to create the new group:
    • Group type: Security
    • Group name: Azure Admins
    • Group description: Dynamic group for all Azure Admins
    • Azure AD roles can be assigned to the group: No
    • Membership type: Dynamic User
    • Owners: No owners selected:

 Figure 1.5 – The Azure AD group creation page part 2Figure 1.5 – The Azure AD group creation page part 2

  • Refer to the following screenshot to add a dynamic query.

For the Dynamic Query rule, the property is jobTitle, the operator is Equals, and the value is Azure Administrator, as shown in the following screenshot:

 Figure 1.6 – The Azure AD group dynamic queryFigure 1.6 – The Azure AD group dynamic query

  • Click on Create.

Tip

Remember that when using dynamic groups, a Premium P1 license needs to be assigned to the user.

Now that we have created the group, replication takes around 5 minutes. Refresh the Azure web page, and the users will appear as members of the Azure Admins group that we just created:

 Figure 1.7 – The Azure AD group's dynamic group users added automatically based on the membership rulesFigure 1.7 – The Azure AD group’s dynamic group users added automatically based on the membership rules 

In this section, we took a look at Azure AD users and groups and created a few accounts. We also created a dynamic membership group to include users via dynamic membership rules.

We encourage students to read up further by using the following links, which are based on Azure AD fundamentals such as adding users in Azure AD, assigning RBAC roles, creating Azure AD groups, and also creating dynamic groups in Azure AD:

Next, we are going to look at Azure AUs, specifically where they can be used and how to create an AU.

Technical requirements- Managing Azure Active Directory Objects-1

This first chapter of this book is focused on learning how to manage Azure Active Directory (Azure AD) objects. In this chapter, you will learn how to create and manage users and groups within Azure AD, including user and group properties. Additionally, we will look at Azure AD’s administrative units (AUs) and discover how to create them alongside managing device settings and performing bulk user updates. You will also learn how to manage guest accounts within Azure AD, configure Azure AD join, and configure Self-Service Password Reset (SSPR).

In brief, in this chapter, the following topics will be covered:

  • Creating Azure AD users and groups
  • Creating AUs
  • Managing user and group properties
  • Managing device settings
  • Performing bulk user updates
  • Managing guest accounts
  • Configuring Azure AD join
  • Configuring SSPR

Technical requirements

In order to follow along with the hands-on exercises, you will need access to an Azure AD as a global administrator. If you do not have access to this, students can enroll for a free account at https://azure.microsoft.com/en-in/free/.

An Azure AD Premium P1 license is also required for some of the sections. Luckily, there is also a free one-month trial for students at https://azure.microsoft.com/en-us/trial/get-started-active-directory/.

Creating Azure AD users and groups

Azure AD offers a directory and identity management solution within the cloud. It offers traditional username and password identity management, alongside roles and permissions management. On top of that, it offers more enterprise-grade solutions, such as Multi-Factor Authentication (MFA) and application monitoring, solution monitoring, and alerting.

Azure AD can easily be integrated with your on-premises Active Directory to create a hybrid infrastructure.

Azure AD offers the following pricing plans:

  • Free: This offers the most basic features, such as support for single sign-on (SSO) across Azure, Microsoft 365, and other popular SaaS applications, Azure Business-to-Business (B2B) for external users, support for Azure AD Connect synchronization, self-service password change, user and group management, and standard security reports.
  • Office 365 Apps: Specific Office 365 subscriptions also provide some functionality such as user and group management, cloud authentication, including pass-through authentication, password hash synchronization, seamless SSO, and more.
  • Premium P1: This offers advanced reporting, MFA, conditional access, Mobile Device Management (MDM) auto-enrollment, Azure AD Connect Health, advanced administration such as dynamic groups, self-service group management, and Microsoft Identity Manager.
  • Premium P2: In addition to the Free and Premium P1 features, the Premium P2 license includes Azure AD Identity Protection, Privileged Identity Management, access reviews, and Entitlement Management.

Note

For a detailed overview of the different Azure AD licenses and all the features that are offered in each plan, you can refer to https://www.microsoft.com/nl-nl/security/business/identity-access-management/azure-ad-pricing?rtc=1&market=nl.

Creating users in Azure AD

We will begin by creating a couple of users in our Azure AD tenant from the Azure portal. To do this, perform the following steps:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Users | All users. Then, select the + New user option from the top-level menu, as follows:

 Figure 1.1 – The Azure AD Users bladeFigure 1.1 – The Azure AD Users blade

  • We are going to create three users. Add these values that are shown in the following screenshot:
    • Name: PacktUser1.
    • User name: The username is the identifier that the user enters to sign in to Azure AD. Select your domain name, which has been configured, and add this to the end of the username. The default is usually an onmicrosoft.com domain, but in my case, I have assigned a custom domain name, called safezone.fun. In the First name section, I have chosen Packt, and in the Last name section, I have added User1. Therefore, the User name value, in my case, will be [email protected]:

News and commentary about the exam objective updates-MS-900 Microsoft 365 Fundamentals, Second Edition exam updates

The current official Microsoft Study Guide for the MS-900 Microsoft 365 Fundamentals exam is located at https://learn.microsoft.com/en-us/certifications/resources/study-guides/MS-900. This page has the most recent version of the exam objective domain.

This statement was last updated in August 2023, before Exam Ref MS-900 Microsoft 365 Fundamentals, Second Edition was published.

This version of this Chapter has no news to share about the next exam release.

In the most recent version of this Chapter, the MS-900 Microsoft 365 Fundamentals exam version number was Version 1.1.

Updated technical content

The current version of this Chapter has no additional technical content.

Objective mapping

This Exam Ref is structured by the author(s) based on the topics and technologies covered on the exam and is not structured based on the specific order of topics in the exam objectives. The table below maps the current version of the exam objectives to chapter content, allowing you to locate where a specific exam objective item has coverage without consulting the index.

TABLE 7-1 Exam Objectives mapped to chapters.

Exam ObjectiveChapter
Describe cloud concepts 
Describe the different types of cloud services available
Describe Microsoft SaaS, IaaS, and PaaS concepts and use cases
Describe differences between Office 365 and Microsoft 365
1
Describe the benefits of and considerations for using cloud, hybrid, or on-premises services Describe public, private, and hybrid cloud modelsCompare costs and advantages of cloud, hybrid, and on-premises services
Describe the concept of hybrid work and flexible work
1
Describe Microsoft 365 apps and services 
Describe productivity solutions of Microsoft 365
Describe the core productivity capabilities and benefits of Microsoft 365 including Microsoft Outlook and Microsoft Exchange, Microsoft 365 apps, and OneDrive
Describe core Microsoft 365 Apps including Microsoft Word, Excel, PowerPoint, Outlook, and OneNote
Describe work management capabilities of Microsoft 365 including Microsoft Project, Planner, Bookings, Forms, Lists, and To Do
2
Describe collaboration solutions of Microsoft 365
Describe the collaboration benefits and capabilities of Microsoft 365 including Microsoft Exchange, Outlook, Yammer, SharePoint, OneDrive, and Stream
Describe the collaboration benefits and capabilities of Microsoft Teams and Teams Phone
Describe the Microsoft Viva apps
Describe the ways that you can extend Microsoft Teams by using collaborative apps
2
Describe endpoint modernization, management concepts, and deployment options in Microsoft 365
Describe the endpoint management capabilities of Microsoft 365 including Microsoft Endpoint Manager (MEM), Intune, AutoPilot, and Configuration Manager with cloud attachCompare the differences between Windows 365 and Azure Virtual Desktop
Describe the deployment and release models for Windows-as-a-Service (WaaS) including deployment ringsIdentify deployment and update channels for Microsoft 365 Apps
Describe endpoint modernization, management concepts, and deployment options in Microsoft 365
Describe the endpoint management capabilities of Microsoft 365 including Microsoft Endpoint Manager (MEM), Intune, AutoPilot, and Configuration Manager with cloud attachCompare the differences between Windows 365 and Azure Virtual Desktop
Describe the deployment and release models for Windows-as-a-Service (WaaS) including deployment ringsIdentify deployment and update channels for Microsoft 365 Apps
2
Describe analytics capabilities of Microsoft 365
Describe the capabilities of Viva Insights
Describe the capabilities of the Microsoft 365 Admin center and Microsoft 365 user portal
Describe the reports available in the Microsoft 365 Admin center and other admin centers
2
Describe security, compliance, privacy, and trust in Microsoft 365 
Describe identity and access management solutions of Microsoft 365
Describe the identity and access management capabilities of Microsoft Entra IDDescribe cloud identity, on-premises identity, and hybrid identity concepts
Describe how Microsoft uses methods such as multi-factor authentication (MFA), self-service password reset (SSPR), and conditional access to keep identities, access, and data secure
3
Describe threat protection solutions of Microsoft 365
Describe Microsoft 365 Defender, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and the Microsoft 365 Defender PortalDescribe Microsoft Secure Score benefits and capabilities
Describe how Microsoft 365 addresses the most common types of threats against endpoints, applications, and identities
3
Describe trust, privacy, risk, and compliance solutions of Microsoft 365
Describe the Zero Trust ModelDescribe Microsoft Purview and compliance solutions such as insider risk, auditing, and eDiscoveryDescribe how Microsoft supports data residency to ensure regulatory compliance
Describe information protection features such as sensitivity labels and data loss preventionDescribe the capabilities and benefits of Microsoft Priva
3
Describe Microsoft 365 pricing, licensing, and support 
Identify Microsoft 365 pricing and billing management options
Describe the pricing model for Microsoft cloud services including enterprise agreements, cloud solution providers, and direct billing
Describe available billing and bill management options including billing frequency and methods of payment
4
Identify licensing options available in Microsoft 365 Describe license managementDescribe the differences between base licensing and add-on licensing4
Identify support options for Microsoft 365 services
Describe how to create a support request for Microsoft 365 services
Describe support options for Microsoft 365 services
Describe service level agreements (SLAs) including service creditsDetermine service health status by using the Microsoft 365 admin center or the Microsoft Entra admin center.
4

The purpose of this chapter-MS-900 Microsoft 365 Fundamentals, Second Edition exam updates

For all the other chapters, the content should remain unchanged throughout this edition of the book. Instead, this chapter will change over time, with an updated online PDF posted so you can see the latest version of the chapter, even after you purchase this book.

Why do we need a chapter that updates over time? For three reasons.

  1. To add more technical content to the book before it is time to replace the current book edition with the next edition. This chapter will include additional technology content and possibly additional PDFs containing more content.
  2. To communicate detail about the next version of the exam, to tell you about our publishing plans for that edition, and to help you understand what that means to you.
  3. To accurately map the current exam objectives to existing chapter content. While exam objectives evolve and are updated and products are renamed, much of the content in this book will remain accurate and relevant. In addition to covering any content gaps that appear through additions to the objectives, this chapter will provide explanatory notes on how the new objectives map to the current text.

After the initial publication of this book, Microsoft Press will provide supplemental updates as digital downloads for minor exam updates. If an exam has major changes or accumulates enough minor changes, we will then announce a new edition. We will do our best to provide any updates to you free of charge before we release a new edition. However, if the updates are significant enough in between editions, we may release the updates as a low-priced standalone eBook.

If we do produce a free updated version of this chapter, you can access it on the book’s companion website. Simply go to the companion website page and go to the “Exam Updates Chapter” section of the page.

If you have not yet accessed the companion website, follow this process below:

Step 1. Browse to microsoftpressstore.com/register.

Step 2. Enter the print book ISBN (even if you are using an eBook).

Step 3. After registering the book, go to your account page and select the Registered Products tab.

Step 4. Click on the Access Bonus Content link to access the companion website. Select the Exam Updates Chapter link or scroll down to that section to check for updates.

About possible exam updates

Microsoft reviews exam content periodically to ensure that it aligns with the technology and job role associated with the exam. This includes but is not limited to, incorporating functionality and features related to technology changes, changing skills needed for success within a job role, and revisions to product names. Microsoft updates the exam details page to notify candidates when changes occur. If you have registered this book and an update occurs to this chapter, Microsoft Press will notify you of the availability of this updated chapter.

Impact on you and your study plan

Microsoft’s information helps you plan, but it also means that the exam might change before you pass the current exam. That impacts you, affecting how we deliver this book to you. This chapter gives us a way to communicate in detail about those changes as they occur. But you should watch other spaces as well.

For those other information sources to watch, bookmark and check these sites for news. In particular:

Microsoft Learn Check the main source for up-to-date information: microsoft.com/learn. Make sure to sign up for automatic notifications from on that page.

Microsoft Press Find information about products, offers, discounts, and free downloads: microsoftpressstore.com. Make sure to register your purchased products.

As changes arise, we will update this Chapter with more detail about exam and book content. At that point, we will publish an updated version of this Chapter, listing our content plans. That detail will likely include the following:

  • Content removed, so if you plan to take the new exam version, you can ignore those when studying.
  • New content planned per new exam topics, so you know what’s coming.

The remainder of the Chapter shows the new content that may change over time.

Summary-Understand Microsoft 365 pricing and support

  • Microsoft 365 editions include various combinations of Office productivity applications and Microsoft 365 cloud services. Multiple subscription levels exist for the Microsoft 365 Business and Microsoft 365 Enterprise products.
  • There are special editions of Microsoft 365 for frontline, government, and educational users. In addition, there are add-on subscriptions available that can enable administrators to create their own service combinations.
  • The key selling points for Microsoft 365 are divided into four major areas: productivity, collaboration, security, and compliance.
  • To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL).
  • Evaluating the total cost of ownership (TCO) for a Microsoft 365 implementation is relatively simple; there is a monthly or annual fee for each Microsoft 365 user subscription, and those subscriber fees are predictable and ongoing. Predicting the cost of an on-premises network requires businesses to categorize their expenses by distinguishing between capital expenditures (CapEx) and operational expenditures (OpEx).
  • Organizations can purchase Microsoft 365 subscriptions directly from Microsoft individually or by using a variety of volume licensing agreements, including Enterprise Agreements (EA), Microsoft Products and Services Agreements (MPSA), or arrangements with Cloud Solution Providers (CSP).
  • Typically, contracts with cloud service providers include a service level agreement (SLA), which guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met.
  • Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites.
  • The Service Health page in the Microsoft 365 admin center displays a list of Microsoft 365 services with a status indicator for each.

Thought experiment

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answer to this thought experiment in the next section.

Ralph is responsible for planning the IT software deployment for his company’s new branch office, which will have 50 users. He is currently trying to determine the more economically viable licensing choice: a cloud-based solution or on-premises servers. For the cloud-based solution, Ralph is considering Microsoft 365 Business, which costs $20 per user, per month. For an on-premises alternative providing the services his users need most, Ralph has searched through several online sources and found the software licensing prices shown in Table 4-8.

 

TABLE 4-8 Sample software licensing prices

Quantity neededProductPrice each
2Microsoft Windows Server 2019 Standard (16 core)$976.00
1Microsoft Windows Server 2019 Client Access Licenses (Pack of 50)$1,869.99
50Microsoft Office Home & Business 2019$249.99
1Microsoft Exchange Server 2019 Standard$726.99
50Microsoft Exchange Server 2019 Standard CAL$75.99
1Microsoft SharePoint Server$5,523.99
50Microsoft SharePoint Client Access License$55.99

It is obvious to Ralph that the on-premises solution will require a much larger capital expenditure, but he is wondering whether it might be the more economical solution in the long term. Based on these prices and disregarding all other expenses (including hardware, facilities, and personnel), how long would it be before the ongoing Microsoft 365 Business subscription fees for 50 users become more expensive than the on-premises software licensing costs?

Thought experiment answer

Ralph has calculated the total software licensing costs for his proposed on-premises solution and has arrived at a total expenditure of $29,171.47, as shown in Table 4-9.

 

TABLE 4-9 Sample software licensing prices (with totals)

Quantity neededProductPrice eachTotal
2Microsoft Windows Server 2019 Standard (16 core)$976.00$1,952.00
1Microsoft Windows Server 2019 Client Access Licenses (Pack of 50)$1,869.99$1,869.99
50Microsoft Office Home & Business 2019$249.99$12,499.50
1Microsoft Exchange Server 2019 Standard$726.99$726.99
50Microsoft Exchange Server 2019 Standard CAL$75.99$3,799.50
1Microsoft SharePoint Server$5,523.99$5,523.99
50Microsoft SharePoint Client Access License$55.99$2,799.50
 Grand Total $29,171.47

The Microsoft 365 Business subscription fees for 50 users amount to $1,000 per month. Therefore, Ralph has concluded that after 30 months, the subscription’s ongoing cost will exceed the one-time cost for the on-premises server licensing fees. However, Ralph has been instructed not to consider an on-premises datacenter’s hardware, utility, and administration costs. These expenses would vastly increase both the initial outlay and the ongoing costs of an on-premises solution.