Configuring Azure AD join – Managing Azure Active Directory Objects

With Azure AD join, you are able to join devices directly to Azure AD without the need to join your on-premises Active Directory in a hybrid environment. While hybrid Azure AD join with an on-premises AD might still be preferred for some scenarios, Azure AD join simplifies the process of adding devices and modernizes device management for your organization. This can result in the reduction of device-related IT costs.

Your users are getting access to corporate assets through their devices. To protect these corporate assets, you want to control these devices. This allows your administrators to ensure that your users are accessing resources from devices that meet your standards for security and compliance.

Azure AD join is a good solution when you want to manage devices with a cloud device management solution, modernize your application infrastructure, simplify device provisioning for geographically distributed users, and when your company is adopting Microsoft 365 as the productivity suite for your users.

Azure AD join can be deployed by using any of the following methods:

  • Bulk deployment: This method is used to join large numbers of new Windows devices to Azure AD and Microsoft Intune.
  • Windows Autopilot: This is a collection of technologies used to preconfigure Windows 10 devices so that the devices are ready for productive use. Autopilot can also be used to reset, repurpose, and recover devices.
  • Self-service experience: This is also referred to as a first-run experience, which is mainly used to join a new device to Azure AD.

When it comes to joining devices to Azure AD, there are two main ways of managing those devices:

  1. MDM only: This is when the device is managed exclusively by an MDM provider such as Intune.
  2. Comanagement: This is when the device is managed by an MDM provider and System Center Configuration Manager (SCCM).

When joining a Windows 10 device to Azure AD, there are two scenarios that we need to look at:

  1. Joining a new Windows 10 device via the Out-of-Box Experience (OOBE).
  2. Joining an already configured Windows 10 device to Azure AD.

Let’s take a look at how we can join an existing Windows 10 device to Azure AD:

  1. On the Windows 10 device, search for Settings and open Accounts.
  2. Select Access work or school, and choose Connect:

Figure 1.25 – The Windows 10 settings menu to add and connect a device to Azure AD

  3. Under Alternate actions, choose Join this device to Azure Active Directory:

Figure 1.26 – The Windows 10 device with the selected option to join the device to Azure AD

  4. A new window will pop up and ask you to sign in. Sign in with your organization’s account. In my case, this will be [email protected]:

Figure 1.27 – The Windows 10 device that requires you to sign in to an Azure AD account to join it to Azure AD

  5. You will be prompted to verify whether you want to join your domain. Proceed by clicking on the Join button:

Figure 1.28 – The Windows 10 device summary page before joining it to Azure AD

  6. And now the Windows 10 device has been successfully joined to Azure AD:

Figure 1.29 – The Windows 10 device that has successfully been joined to Azure AD

  7. As a final step, let’s navigate to the Azure portal under Manage, select Devices, and our newly Azure AD joined device will show up:

Figure 1.30 – Displaying the recently joined Windows 10 device in Azure AD under the Devices blade
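The portal check in the last step can be scripted. The following PowerShell is an added example, not the book’s own code: it reads the device’s join state from dsregcmd, classifies it as Azure AD joined, hybrid joined, registered, or not joined, and then confirms that a matching device object exists in the tenant. It assumes Windows 10 or later with dsregcmd.exe, the Microsoft.Graph PowerShell module, and a sign-in that can read devices (Device.Read.All).

```powershell
# Added example (not from the book): verify the Azure AD join performed in the steps above.
# Assumes: dsregcmd.exe (Windows 10+), the Microsoft.Graph module, and an account that can
# read device objects in the tenant (Device.Read.All).

function Get-AadJoinState {
    # dsregcmd /status prints "Name : Value" lines; keep only the ones that describe join state.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'DeviceId', 'TenantName', 'TenantId'
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

$local = Get-AadJoinState
$local | Format-List

# Classify the join the way the chapter distinguishes it: cloud-only Azure AD join,
# hybrid Azure AD join (also on-premises domain joined), registration only, or none.
$joinType = switch ($true) {
    ($local.AzureAdJoined -eq 'YES' -and $local.DomainJoined -eq 'YES') { 'Hybrid Azure AD joined'; break }
    ($local.AzureAdJoined -eq 'YES')                                   { 'Azure AD joined'; break }
    ($local.WorkplaceJoined -eq 'YES')                                 { 'Azure AD registered'; break }
    default                                                            { 'Not joined' }
}
"Join type: $joinType"

# Cross-check against the tenant: the DeviceId that dsregcmd reports is the deviceId of the
# Azure AD device object listed under Devices in the portal (Figure 1.30).
if ($local.AzureAdJoined -eq 'YES') {
    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
    $device = Get-MgDevice -Filter "deviceId eq '$($local.DeviceId)'"
    if ($device) {
        $device | Select-Object DisplayName, DeviceId, TrustType, OperatingSystem,
                                OperatingSystemVersion, IsCompliant, IsManaged, ApproximateLastSignInDateTime
    } else {
        Write-Warning "dsregcmd reports a join, but no device with deviceId $($local.DeviceId) exists in the tenant."
    }
}
```

A device that reports a join locally but has no tenant object (for example, one whose device record was deleted from the portal) will fail conditional access and Intune enrollment until it is re-joined, so the two views should agree.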

That brings an end to this section. We have learned what Azure AD join is, the methods to enroll, and we have also shown the steps of how to manually join a Windows 10 device to Azure AD.

We encourage students to read up further by using the following links, which will provide additional information around Azure AD join, Windows Autopilot, and bulk device enrollment:

  • https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
  • https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
  • https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
  • https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-joined-devices-frx

In the next section, we are going to take a look at SSPR.

Creating Azure AD AUs – Managing Azure Active Directory Objects

Azure AD AUs are used in scenarios where granular administrative control is required. AUs have the following prerequisites:

  • An Azure AD Premium P1 license is required for each AU administrator.
  • An Azure AD Free license is required for AU members.
  • A privileged role administrator or global administrator is required for configuration.

Tip

AUs can be created via the Azure portal or PowerShell.

The easiest way to explain AUs is by using a scenario. A company called Contoso is a worldwide organization with users across 11 countries. Contoso has decided that each country is responsible for its own users from an administrative point of view. That is where Azure AD AUs come in handy. With AUs, Contoso can group users per country and assign administrators that only have control over these users and cannot administrate users in other countries.

The following diagram displays a high-level overview of how AUs work within the same tenant across different departments. This example is based on different regions:

Figure 1.8 – An AU overview displaying the separation of users for USA sales and UK sales

The following roles can be assigned within an AU:

  • Authentication administrator
  • Groups administrator
  • Help desk administrator
  • License administrator
  • Password administrator
  • User administrator

Important Note

Groups can be added to an AU as an object, but the users within that group do not automatically become members of the AU.

Now, let’s go ahead and create an AU via the Azure portal:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Administrative units and click on Add:

Figure 1.9 – The AU blade within Azure AD

  4. Enter a name for the AU. I’m using South Africa Users. In the Description field, it is best practice to add a brief description of what this AU is going to be used for:

Figure 1.10 – The creation blade for an AU

  5. Next, under Assign roles, add the users that you want to be administrators based on the available roles. Then, select Password Administrator and choose PacktUser1.
  6. Click on Review + create:

Figure 1.11 – The AU summary page

  7. The next step is to add all the users you want PacktUser1 to manage; in our case, we need to add PacktUser1, PacktUser2, and PacktUser3. On the left-hand side, under Manage, click on Add member and select the members:

Figure 1.12 – Adding users to the AU

  8. Now you will see that all three users have been added to the AU:

Figure 1.13 – Displaying the users added to the AU

  9. You can now log in with PacktUser1, and you should be able to reset the password of PacktUser2.
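The same AU, scoped role assignment and membership can be built with Microsoft Graph PowerShell, which the Tip above mentions as the alternative to the portal. This is an added example and not the book’s own code; it assumes the Microsoft.Graph module, a Privileged Role Administrator or Global Administrator sign-in, that PacktUser1 to PacktUser3 already exist, and the placeholder domain contoso.onmicrosoft.com in place of your tenant’s verified domain.

```powershell
# Added example (not the book's code): the "South Africa Users" AU from the steps above,
# with Password Administrator granted to PacktUser1 over that AU only.
# Assumes: Microsoft.Graph module, a Privileged Role Administrator or Global Administrator
# sign-in, PacktUser1-3 already created, and a placeholder domain (replace it).

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All' | Out-Null
$domain = 'contoso.onmicrosoft.com'   # placeholder: use the tenant's verified domain

# 1. Create the AU (the portal's Name and Description fields).
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'South Africa Users' `
        -Description 'Users administered by the South Africa IT team'

# 2. Add the three users as members. Adding a user adds that user; adding a group would add
#    only the group object, not the users inside it (see the Important Note above).
$members = 1..3 | ForEach-Object { Get-MgUser -UserId "packtuser$($_)@$domain" }
foreach ($m in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($m.Id)" }
}

# 3. Assign Password Administrator to PacktUser1 with the AU as the directory scope.
#    A DirectoryScopeId of '/' would make the role tenant-wide; '/administrativeUnits/<id>'
#    limits it to members of this AU, which is the whole point of the exercise.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
$admin   = $members | Where-Object UserPrincipalName -eq "packtuser1@$domain"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

# 4. Verify the scope: list every role assignment whose scope is this AU. Reviewing this
#    output (rather than the role's member list alone) is how you confirm the grant is
#    restricted and not an accidental tenant-wide assignment.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    ForEach-Object {
        [pscustomobject]@{
            Role      = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
            Principal = (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName   # assumes user principals only
            Scope     = $_.DirectoryScopeId
        }
    }

# 5. The member list that Figure 1.13 shows in the portal.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```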

Important Note

Remember, you need to assign an Azure AD P1 license to administrators within the AU.

In this section, we explained what an AU is and how it can be used. Additionally, we went through the creation of an AU step by step.

We encourage students to read up further by using the following links, which will provide additional information around AU management:

Now, let’s move on and take a look at how to manage user and group properties.

Technical requirements – Managing Azure Active Directory Objects (2)

Figure 1.2 – The Azure AD user creation page part 1

  1. Leave the sections under Groups and Roles in their default settings for now.
  2. Next, we need to fill in information regarding the following:
     • Job title: Azure administrator
     • Department: IT
     • Company name: Packt1
     • Usage location: South Africa
     • Block sign in: No
     • Manager: No manager selected:

Figure 1.3 – The Azure AD user creation page part 2

  3. Click on Create.
  4. Repeat these steps to create two more users: PacktUser2 and PacktUser3.

Now that we have created users in our Azure AD tenant, we can add them to a group in Azure AD.

Creating groups in Azure AD

There are two main group types, as follows:

  • Security groups: These groups serve the same function as traditional on-premises groups, which is to secure objects within a directory. In this case, it is to secure objects within Azure AD.
  • Microsoft 365 groups: These groups are used to provide a group of people access to a collection of shared resources that is not just limited to Azure AD but also includes shared mailboxes, calendars, SharePoint libraries, and other Microsoft 365-related services.

Security groups are used as container units to group users or devices together. There are three main membership types for security groups:

  • Assigned: This is where you manually assign users to a group.
  • Dynamic user: This is where you can specify parameters to automatically group users, for example, grouping all users who have the same job title.
  • Dynamic device: This is where you can specify parameters to automatically group devices, for example, grouping all devices that have the same operating system version.

To create and manage groups from the Azure AD tenant in the Azure portal, you have to perform the following steps:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Groups | All groups. Then, select the + New group option from the top-level menu, as follows:

Figure 1.4 – The Azure AD group creation page part 1

  4. Add the following values to create the new group:
     • Group type: Security
     • Group name: Azure Admins
     • Group description: Dynamic group for all Azure Admins
     • Azure AD roles can be assigned to the group: No
     • Membership type: Dynamic User
     • Owners: No owners selected:

Figure 1.5 – The Azure AD group creation page part 2

  5. Add a dynamic query. For the Dynamic Query rule, the property is jobTitle, the operator is Equals, and the value is Azure Administrator, as shown in the following screenshot:

Figure 1.6 – The Azure AD group dynamic query

  6. Click on Create.

Tip

Remember that when using dynamic groups, a Premium P1 license needs to be assigned to the user.

Now that we have created the group, replication takes around 5 minutes. Refresh the Azure web page, and the users will appear as members of the Azure Admins group that we just created:

Figure 1.7 – The Azure AD group’s dynamic group users added automatically based on the membership rules
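The users from the Creating users in Azure AD steps and the dynamic Azure Admins group from this section can also be created with Microsoft Graph PowerShell. The following is an added example, not the book’s own code; it assumes the Microsoft.Graph module, a Global Administrator sign-in, the placeholder domain contoso.onmicrosoft.com in place of your verified domain, and an Azure AD Premium P1 licence, which dynamic groups require (see the Tip above).

```powershell
# Added example (not the book's code): create PacktUser1-3 with the attributes from the
# user-creation steps, then the dynamic "Azure Admins" security group whose rule matches
# on jobTitle. Assumes: Microsoft.Graph module, Global Administrator sign-in, a placeholder
# domain (replace it), and Azure AD Premium P1 for dynamic membership.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All' | Out-Null
$domain = 'contoso.onmicrosoft.com'   # placeholder: use the tenant's verified domain

function New-PacktUser {
    param([Parameter(Mandatory)][int]$Index)
    # Generate a random initial password rather than hard-coding one in the script;
    # ForceChangePasswordNextSignIn makes the user replace it at first sign-in.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = [Convert]::ToBase64String($bytes)

    $params = @{
        DisplayName       = "Packt User$Index"
        GivenName         = 'Packt'
        Surname           = "User$Index"
        MailNickname      = "packtuser$Index"
        UserPrincipalName = "packtuser$($Index)@$domain"
        JobTitle          = 'Azure Administrator'   # the value the dynamic rule below matches on
        Department        = 'IT'
        CompanyName       = 'Packt1'
        UsageLocation     = 'ZA'                     # ISO country code for South Africa
        AccountEnabled    = $true                    # "Block sign in: No"
        PasswordProfile   = @{
            Password                      = $initialPassword
            ForceChangePasswordNextSignIn = $true
        }
    }
    New-MgUser @params
}

$users = 1..3 | ForEach-Object { New-PacktUser -Index $_ }

# Dynamic security group: membership is computed from the rule, never assigned by hand.
$group = New-MgGroup -DisplayName 'Azure Admins' `
    -Description 'Dynamic group for all Azure Admins' `
    -MailEnabled:$false -MailNickname 'azureadmins' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.jobTitle -eq "Azure Administrator")' `
    -MembershipRuleProcessingState 'On'

# Membership evaluation is asynchronous (the book quotes around 5 minutes), so poll for the
# three users instead of assuming the group is populated as soon as it is created.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $members = Get-MgGroupMember -GroupId $group.Id -All
} while ($members.Count -lt $users.Count -and (Get-Date) -lt $deadline)

$members | ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName, JobTitle } |
    Select-Object UserPrincipalName, JobTitle
```

Because membership follows the attribute, anyone who can edit a user’s jobTitle can put that user into the group; treat write access to the attributes used in membership rules as equivalent to group membership rights.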

In this section, we took a look at Azure AD users and groups and created a few accounts. We also created a dynamic membership group to include users via dynamic membership rules.

We encourage students to read up further by using the following links, which are based on Azure AD fundamentals such as adding users in Azure AD, assigning RBAC roles, creating Azure AD groups, and also creating dynamic groups in Azure AD:

Next, we are going to look at Azure AUs, specifically where they can be used and how to create an AU.

Technical requirements – Managing Azure Active Directory Objects (1)

This first chapter of this book is focused on learning how to manage Azure Active Directory (Azure AD) objects. In this chapter, you will learn how to create and manage users and groups within Azure AD, including user and group properties. Additionally, we will look at Azure AD’s administrative units (AUs) and discover how to create them alongside managing device settings and performing bulk user updates. You will also learn how to manage guest accounts within Azure AD, configure Azure AD join, and configure Self-Service Password Reset (SSPR).

In brief, in this chapter, the following topics will be covered:

  • Creating Azure AD users and groups
  • Creating AUs
  • Managing user and group properties
  • Managing device settings
  • Performing bulk user updates
  • Managing guest accounts
  • Configuring Azure AD join
  • Configuring SSPR

Technical requirements

In order to follow along with the hands-on exercises, you will need access to an Azure AD tenant as a global administrator. If you do not have access to one, students can enroll for a free account at https://azure.microsoft.com/en-in/free/.

An Azure AD Premium P1 license is also required for some of the sections. Luckily, there is also a free one-month trial for students at https://azure.microsoft.com/en-us/trial/get-started-active-directory/.

Creating Azure AD users and groups

Azure AD offers a directory and identity management solution within the cloud. It offers traditional username and password identity management, alongside roles and permissions management. On top of that, it offers more enterprise-grade solutions, such as Multi-Factor Authentication (MFA) and application monitoring, solution monitoring, and alerting.

Azure AD can easily be integrated with your on-premises Active Directory to create a hybrid infrastructure.

Azure AD offers the following pricing plans:

  • Free: This offers the most basic features, such as support for single sign-on (SSO) across Azure, Microsoft 365, and other popular SaaS applications, Azure Business-to-Business (B2B) for external users, support for Azure AD Connect synchronization, self-service password change, user and group management, and standard security reports.
  • Office 365 Apps: Specific Office 365 subscriptions also provide some functionality such as user and group management, cloud authentication, including pass-through authentication, password hash synchronization, seamless SSO, and more.
  • Premium P1: This offers advanced reporting, MFA, conditional access, Mobile Device Management (MDM) auto-enrollment, Azure AD Connect Health, advanced administration such as dynamic groups, self-service group management, and Microsoft Identity Manager.
  • Premium P2: In addition to the Free and Premium P1 features, the Premium P2 license includes Azure AD Identity Protection, Privileged Identity Management, access reviews, and Entitlement Management.

Note

For a detailed overview of the different Azure AD licenses and all the features that are offered in each plan, you can refer to https://www.microsoft.com/nl-nl/security/business/identity-access-management/azure-ad-pricing?rtc=1&market=nl.

Creating users in Azure AD

We will begin by creating a couple of users in our Azure AD tenant from the Azure portal. To do this, perform the following steps:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Users | All users. Then, select the + New user option from the top-level menu, as follows:

Figure 1.1 – The Azure AD Users blade

  4. We are going to create three users. Add the values that are shown in the following screenshot:
     • Name: PacktUser1.
     • User name: The username is the identifier that the user enters to sign in to Azure AD. Select the domain name that has been configured for your tenant; it is appended to the end of the username. The default is usually an onmicrosoft.com domain, but in my case, I have assigned a custom domain name, called safezone.fun. In the First name section, I have chosen Packt, and in the Last name section, I have added User1. Therefore, the User name value, in my case, will be [email protected]:

News and commentary about the exam objective updates – MS-900 Microsoft 365 Fundamentals, Second Edition exam updates

The current official Microsoft Study Guide for the MS-900 Microsoft 365 Fundamentals exam is located at https://learn.microsoft.com/en-us/certifications/resources/study-guides/MS-900. This page has the most recent version of the exam objective domain.

This statement was last updated in August 2023, before Exam Ref MS-900 Microsoft 365 Fundamentals, Second Edition was published.

This version of this Chapter has no news to share about the next exam release.

In the most recent version of this Chapter, the MS-900 Microsoft 365 Fundamentals exam version number was Version 1.1.

Updated technical content

The current version of this Chapter has no additional technical content.

Objective mapping

This Exam Ref is structured by the author(s) based on the topics and technologies covered on the exam and is not structured based on the specific order of topics in the exam objectives. The table below maps the current version of the exam objectives to chapter content, allowing you to locate where a specific exam objective item has coverage without consulting the index.

TABLE 7-1 Exam Objectives mapped to chapters.

| Exam objective | Chapter |
|---|---|
| Describe cloud concepts | |
| Describe the different types of cloud services available: Describe Microsoft SaaS, IaaS, and PaaS concepts and use cases; Describe differences between Office 365 and Microsoft 365 | 1 |
| Describe the benefits of and considerations for using cloud, hybrid, or on-premises services: Describe public, private, and hybrid cloud models; Compare costs and advantages of cloud, hybrid, and on-premises services; Describe the concept of hybrid work and flexible work | 1 |
| Describe Microsoft 365 apps and services | |
| Describe productivity solutions of Microsoft 365: Describe the core productivity capabilities and benefits of Microsoft 365 including Microsoft Outlook and Microsoft Exchange, Microsoft 365 apps, and OneDrive; Describe core Microsoft 365 Apps including Microsoft Word, Excel, PowerPoint, Outlook, and OneNote; Describe work management capabilities of Microsoft 365 including Microsoft Project, Planner, Bookings, Forms, Lists, and To Do | 2 |
| Describe collaboration solutions of Microsoft 365: Describe the collaboration benefits and capabilities of Microsoft 365 including Microsoft Exchange, Outlook, Yammer, SharePoint, OneDrive, and Stream; Describe the collaboration benefits and capabilities of Microsoft Teams and Teams Phone; Describe the Microsoft Viva apps; Describe the ways that you can extend Microsoft Teams by using collaborative apps | 2 |
| Describe endpoint modernization, management concepts, and deployment options in Microsoft 365: Describe the endpoint management capabilities of Microsoft 365 including Microsoft Endpoint Manager (MEM), Intune, AutoPilot, and Configuration Manager with cloud attach; Compare the differences between Windows 365 and Azure Virtual Desktop; Describe the deployment and release models for Windows-as-a-Service (WaaS) including deployment rings; Identify deployment and update channels for Microsoft 365 Apps | 2 |
| Describe analytics capabilities of Microsoft 365: Describe the capabilities of Viva Insights; Describe the capabilities of the Microsoft 365 Admin center and Microsoft 365 user portal; Describe the reports available in the Microsoft 365 Admin center and other admin centers | 2 |
| Describe security, compliance, privacy, and trust in Microsoft 365 | |
| Describe identity and access management solutions of Microsoft 365: Describe the identity and access management capabilities of Microsoft Entra ID; Describe cloud identity, on-premises identity, and hybrid identity concepts; Describe how Microsoft uses methods such as multi-factor authentication (MFA), self-service password reset (SSPR), and conditional access to keep identities, access, and data secure | 3 |
| Describe threat protection solutions of Microsoft 365: Describe Microsoft 365 Defender, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and the Microsoft 365 Defender Portal; Describe Microsoft Secure Score benefits and capabilities; Describe how Microsoft 365 addresses the most common types of threats against endpoints, applications, and identities | 3 |
| Describe trust, privacy, risk, and compliance solutions of Microsoft 365: Describe the Zero Trust Model; Describe Microsoft Purview and compliance solutions such as insider risk, auditing, and eDiscovery; Describe how Microsoft supports data residency to ensure regulatory compliance; Describe information protection features such as sensitivity labels and data loss prevention; Describe the capabilities and benefits of Microsoft Priva | 3 |
| Describe Microsoft 365 pricing, licensing, and support | |
| Identify Microsoft 365 pricing and billing management options: Describe the pricing model for Microsoft cloud services including enterprise agreements, cloud solution providers, and direct billing; Describe available billing and bill management options including billing frequency and methods of payment | 4 |
| Identify licensing options available in Microsoft 365: Describe license management; Describe the differences between base licensing and add-on licensing | 4 |
| Identify support options for Microsoft 365 services: Describe how to create a support request for Microsoft 365 services; Describe support options for Microsoft 365 services; Describe service level agreements (SLAs) including service credits; Determine service health status by using the Microsoft 365 admin center or the Microsoft Entra admin center | 4 |

Summary – Understand Microsoft 365 pricing and support

  • Microsoft 365 editions include various combinations of Office productivity applications and Microsoft 365 cloud services. Multiple subscription levels exist for the Microsoft 365 Business and Microsoft 365 Enterprise products.
  • There are special editions of Microsoft 365 for frontline, government, and educational users. In addition, there are add-on subscriptions available that can enable administrators to create their own service combinations.
  • The key selling points for Microsoft 365 are divided into four major areas: productivity, collaboration, security, and compliance.
  • To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL).
  • Evaluating the total cost of ownership (TCO) for a Microsoft 365 implementation is relatively simple; there is a monthly or annual fee for each Microsoft 365 user subscription, and those subscriber fees are predictable and ongoing. Predicting the cost of an on-premises network requires businesses to categorize their expenses by distinguishing between capital expenditures (CapEx) and operational expenditures (OpEx).
  • Organizations can purchase Microsoft 365 subscriptions directly from Microsoft individually or by using a variety of volume licensing agreements, including Enterprise Agreements (EA), Microsoft Products and Services Agreements (MPSA), or arrangements with Cloud Solution Providers (CSP).
  • Typically, contracts with cloud service providers include a service level agreement (SLA), which guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met.
  • Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites.
  • The Service Health page in the Microsoft 365 admin center displays a list of Microsoft 365 services with a status indicator for each.

Thought experiment

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answer to this thought experiment in the next section.

Ralph is responsible for planning the IT software deployment for his company’s new branch office, which will have 50 users. He is currently trying to determine the more economically viable licensing choice: a cloud-based solution or on-premises servers. For the cloud-based solution, Ralph is considering Microsoft 365 Business, which costs $20 per user, per month. For an on-premises alternative providing the services his users need most, Ralph has searched through several online sources and found the software licensing prices shown in Table 4-8.

TABLE 4-8 Sample software licensing prices

| Quantity needed | Product | Price each |
|---|---|---|
| 2 | Microsoft Windows Server 2019 Standard (16 core) | $976.00 |
| 1 | Microsoft Windows Server 2019 Client Access Licenses (Pack of 50) | $1,869.99 |
| 50 | Microsoft Office Home & Business 2019 | $249.99 |
| 1 | Microsoft Exchange Server 2019 Standard | $726.99 |
| 50 | Microsoft Exchange Server 2019 Standard CAL | $75.99 |
| 1 | Microsoft SharePoint Server | $5,523.99 |
| 50 | Microsoft SharePoint Client Access License | $55.99 |

It is obvious to Ralph that the on-premises solution will require a much larger capital expenditure, but he is wondering whether it might be the more economical solution in the long term. Based on these prices and disregarding all other expenses (including hardware, facilities, and personnel), how long would it be before the ongoing Microsoft 365 Business subscription fees for 50 users become more expensive than the on-premises software licensing costs?

Thought experiment answer

Ralph has calculated the total software licensing costs for his proposed on-premises solution and has arrived at a total expenditure of $29,171.47, as shown in Table 4-9.

TABLE 4-9 Sample software licensing prices (with totals)

| Quantity needed | Product | Price each | Total |
|---|---|---|---|
| 2 | Microsoft Windows Server 2019 Standard (16 core) | $976.00 | $1,952.00 |
| 1 | Microsoft Windows Server 2019 Client Access Licenses (Pack of 50) | $1,869.99 | $1,869.99 |
| 50 | Microsoft Office Home & Business 2019 | $249.99 | $12,499.50 |
| 1 | Microsoft Exchange Server 2019 Standard | $726.99 | $726.99 |
| 50 | Microsoft Exchange Server 2019 Standard CAL | $75.99 | $3,799.50 |
| 1 | Microsoft SharePoint Server | $5,523.99 | $5,523.99 |
| 50 | Microsoft SharePoint Client Access License | $55.99 | $2,799.50 |
| | Grand Total | | $29,171.47 |

The Microsoft 365 Business subscription fees for 50 users amount to $1,000 per month. Therefore, Ralph has concluded that after 30 months, the subscription’s ongoing cost will exceed the one-time cost for the on-premises server licensing fees. However, Ralph has been instructed not to consider an on-premises datacenter’s hardware, utility, and administration costs. These expenses would vastly increase both the initial outlay and the ongoing costs of an on-premises solution.

Describe service level agreements (SLAs), including service credits – Understand Microsoft 365 pricing and support (1)

When an enterprise uses on-premises servers, they know issues they experience that prevent the servers from functioning are their problem, and they must have the resources to resolve them. This is why organizations often use redundant components, servers, or even datacenters to keep business-critical services available. Many IT professionals prefer this self-reliance; they can be confident of their continued functionality by planning and implementing their services correctly. However, an enterprise that uses cloud-based services must rely on others to keep its services running.

For IT professionals, service outages are one of the potential showstopper issues for the adoption of Microsoft 365 and other cloud-based services. If the services suffer downtime, business stops. While it might not be the IT professionals’ fault, it is their responsibility. What is worse, there is nothing they can do about it except call the provider and shout at them. Depending on the nature of the organization’s business, service downtime can result in lost productivity, lost income, and—in extreme cases—even lost lives.

To address this issue, contracts with cloud service providers typically include a service level agreement (SLA). The SLA guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met. It is important to remember that an organization usually has more than one service provider that is needed to access the cloud. For example, an organization can contract with Microsoft for a certain number of Microsoft 365 subscriptions, but the reliability specified in Microsoft’s SLA means nothing if the organization’s Internet service provider (ISP) fails to provide them with access to the cloud. Therefore, an organization should have a contract with every cloud service provider they use that includes SLA terminology.

When negotiating an SLA with any cloud service provider or Internet service provider, there should be language included to address questions like the following:

  • What formula is used to calculate the service levels that are actually achieved?
  • Who is responsible for maintaining records of service levels?
  • How and when is the subscriber provided with written reports of the service levels achieved?
  • Are there exceptional circumstances specified in the SLA under which service outages are not classified as downtime?
  • How much downtime is expected or allowable for the provider’s scheduled and emergency maintenance?
  • What are the terms of the agreement regarding service interruptions resulting from acts of war, extreme weather, or natural disasters?
  • What are the terms of the agreement regarding service interruptions caused by third-party services, such as power outages?
  • What are the terms of the agreement regarding service interruptions resulting from malicious cyberattacks against the provider?
  • What are the terms of the agreement regarding service interruptions resulting from malicious cyberattacks against the subscriber?
  • What remedy or penalty does the provider supply when they fail to meet the agreed-upon service levels?
  • What is the liability to which the provider is subject when service interruptions cause a loss of business or productivity?

These questions are designed to quantify the nature of the SLA and how it can legally affect the relationship between the provider and the subscriber. For example, a provider can guarantee a 99 percent uptime rate. However, without specific language addressing the point, there is no way to determine exactly what constitutes uptime or downtime. What if a service is only partially operational, with some tasks functional and others not? Does that constitute downtime? There is also the question of what happens when downtime in excess of the guaranteed amount does occur. Is it the responsibility of the subscriber to make a claim? If excessive downtime occurs, is the provider responsible for the subscriber’s lost business during that downtime or just for a prorated subscription fee? If issues like these are not discussed with specific language in the SLA, then they are potential arguments the provider can use to avoid supporting their uptime guarantee.

SLA Limitations

As an example of the terms that might appear in an SLA to limit the responsibility of the cloud service provider, consider the following excerpt from Microsoft’s SLA for Microsoft Entra ID (Azure Active Directory):

This SLA and any applicable Service Levels do not apply to any performance or availability issues:

  • Disaster, war, acts of terrorism, riots, government action, or a network or device failure external to our data centers, including at your site or between your site and our data center;
  • That result from the use of services, hardware, or software not provided by us, including, but not limited to, issues resulting from inadequate bandwidth or related to third-party software or services;
  • That results from failures in a single Microsoft Datacenter location, when your network connectivity is explicitly dependent on that location in a non-geo-resilient manner;
  • Caused by your use of a Service after we advised you to modify your use of the Service, if you did not modify your use as advised;
  • During or with respect to preview, pre-release, beta or trial versions of a Service, feature or software (as determined by us) or to purchases made using Microsoft subscription credits;
  • That result from your unauthorized action or lack of action when required, or from your employees, agents, contractors, or vendors, or anyone gaining access to our network by means of your passwords or equipment, or otherwise resulting from your failure to follow appropriate security practices;
  • That result from your failure to adhere to any required configurations, use supported platforms, follow any policies for acceptable use, or your use of the Service in a manner inconsistent with the features and functionality of the Service (for example, attempts to perform operations that are not supported) or inconsistent with our published guidance;
  • That result from faulty input, instructions, or arguments (for example, requests to access files that do not exist);
  • That result from your attempts to perform operations that exceed prescribed quotas or that resulted from our throttling of suspected abusive behavior;
  • Due to your use of Service features that are outside of associated Support Windows; or
  • For licenses reserved, but not paid for, at the time of the Incident.

These limitations are not standard for all SLAs, but they are typical.

Describe support options for Microsoft 365 services

All Microsoft 365 subscriptions include access to basic support services, but for some types of subscribers or subscribers with special needs, there are alternative methods for obtaining support, such as the following:

  • FastTrack: Microsoft’s FastTrack program uses a specialized team of engineers and selected partners to provide subscribers transitioning to the cloud with assistance in the envisioning, onboarding, and ongoing administration processes. Subscribers participating in this program are provided with a contact for support issues during the FastTrack transition.
  • Volume Licensing: Subscribers with an Enterprise Agreement or a Microsoft Products and Services Agreement that includes Software Assurance receive a specified number of support incidents as part of their agreement. The Software Assurance program includes 24×7 telephone support for business-critical issues and business-hours telephone or email support for noncritical issues.
  • Cloud Solution Providers: For subscribers who obtain Microsoft 365 through a Cloud Solution Provider (CSP), the CSP should be their first point of contact for all service and support issues during the life of the subscription. The reseller agreement between CSPs and Microsoft calls for the CSP to take full responsibility for supporting their customers, although the CSP can still escalate issues to Microsoft when they cannot resolve them independently.
  • Microsoft Professional Support: Subscribers with support issues beyond the standard service provided with Microsoft 365 can use Microsoft Professional Support to open support requests on a pay-per-incident basis, as shown in Figure 4-16. Individual incidents are available, as are five-packs of incidents.


FIGURE 4-16 The Create a New Support Request screen in Microsoft Professional Support

  • Microsoft Unified Support: Subscribers can purchase a Microsoft Unified Support plan in addition to their Microsoft 365 subscriptions. Microsoft Unified Support is available at three levels: Core Support, Advanced Support, and Performance Support; each level provides increasing levels of included support hours, incident response times, and access to a technical account manager (TAM), along with increasing prices. Customers also receive access to the Microsoft Services Hub, a support portal that provides forms for submitting support requests, access to ongoing Microsoft support incidents, tools for assessing enterprise workloads, and on-demand education and training materials.

Software Assurance

For Enterprise Agreement and, optionally, for Microsoft Products and Services Agreement customers, Software Assurance provides a variety of additional services, including the following, which can benefit Microsoft 365 licensees:

  • Planning Services: Provides a number of partner service days, based on the number of users/devices licensed, to deploy Microsoft operating systems, applications, and services.
  • Microsoft Desktop Optimization Pack (MDOP): Provides a suite of virtualization, management, and restoration utilities, including Advanced Group Policy Management (AGPM), Microsoft Application Virtualization (App-V), Microsoft User Experience Virtualization (UE-V), Microsoft BitLocker Administration and Monitoring (MBAM), and Microsoft Diagnostics and Recovery Toolset (DaRT).
  • Windows Virtual Desktop Access Rights (VDA): Provides users with the rights needed to access virtualized Windows instances.
  • Windows to Go Use Rights: Enables administrators to create and furnish users with USB storage devices containing bootable Windows images that include line-of-business applications and corporate data.
  • Windows Thin PC: Enables administrators to repurpose older computers as Windows Virtual Desktop Interface (VDI) terminals.
  • Enterprise Source Licensing Program: Provides organizations with at least 10,000 users or devices with access to the Windows source code for their own software development projects.
  • Training Vouchers: Provides a number of training days, based on the number of users/devices licensed, for the technical training of IT professionals and software developers.
  • Step-up License Availability: Allows licensees to migrate their licensed software products to a higher-level edition.
  • Spread Payments: Enables organizations to pay for three-year license agreements in three equal, annual payments.

Note Additional Software Assurance Benefits

There are additional Software Assurance benefits included that are intended for on-premises server software licensees, such as New Version Rights, which provides the latest versions of the licensed software released during the term of the agreement, and Server Disaster Recovery Rights and Fail-Over Rights, which provide licensees the right to maintain passive redundant servers for fault-tolerance purposes.

Describe how to create a support request for Microsoft 365 services

The Microsoft 365 support subscribers receive depends on their subscription level and how they obtained it. Nearly every page in the Microsoft 365 admin center console has a Help & Support button in the bottom-right corner and a Support menu allowing administrators to search for help with specific problems and create support requests when a solution is unavailable in the existing help information. Telephone and email support are also available.

To prevent excessive use and abuse of its support services, Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites. Table 4-3 lists some of the responsibilities of each entity.


TABLE 4-3 Responsibilities of Microsoft 365 administrators and Microsoft Support

Microsoft 365 Administrator Responsibilities:

  • Service setup, configuration, and maintenance
  • User account creation, configuration, and maintenance
  • Primary support contact for enterprise users
  • Gather information from users about technical support issues
  • Address user software installation and configuration issues
  • Troubleshoot service availability issues within the bounds of the organization
  • Utilize Microsoft online resources to resolve support issues
  • Authorization and submission of support issues to Microsoft

Microsoft Support Responsibilities:

  • Respond to support issues submitted by subscribers
  • Gather information about technical support issues from subscribers
  • Provide subscribers with technical guidance for submitted issues
  • Troubleshoot subscriber issues and relay pertinent solution information
  • Maintain communication with subscribers regarding ongoing service issues
  • Provide guidance for presales and trial-edition evaluators
  • Provide licensing, subscription, and billing support
  • Gather customer feedback for service improvement purposes

Microsoft 365 administrators are expected to do what they can to address a support issue before submitting a support request to Microsoft. There are considerable Microsoft online support, training, blog, and forum resources available for this purpose, including the following:

When an administrator clicks the Help & Support button in the Microsoft 365 admin center console, or opens the Support menu and selects New Service Request, a How Can We Help? pane appears, prompting for a description of the issue. Based on the furnished description, relevant material appears, such as step-by-step procedures and links to product documentation that might be helpful, as shown in Figure 4-14.


FIGURE 4-14 Microsoft 365 admin center’s How Can We Help? pane

At the bottom of the How Can We Help? pane is a Contact Support link that opens the pane shown in Figure 4-15. In this pane, the administrator can provide a more detailed description of the issue, add contact information, specify time zone and language preferences, and attach documents pertinent to the issue.


FIGURE 4-15 Microsoft 365 admin center’s Contact Support pane

Support provided with the Microsoft 365 product is intended primarily to provide help with service installation and configuration issues, such as the following:

  • Microsoft Entra ID (Azure Active Directory): Domain setup, synchronization with on-premises Active Directory, and single sign-on configuration
  • Microsoft 365: Service configuration issues
  • Exchange Online: Mailbox migration and configuration, autodiscover configuration, setting mailbox permissions, sharing mailboxes, and creating mail forwarding rules
  • SharePoint: Creation of user groups, assigning site permissions, and external user configuration
  • Microsoft 365 Apps for Business: Office application installation on various device platforms
  • Microsoft Teams: Setup of a Microsoft Teams environment and creating contacts
  • Microsoft Intune: Mobile device and application management setup

When subscribers submit support requests to Microsoft, they go through a triage process and are assigned a severity level using the values shown in Table 4-4.


TABLE 4-4 Microsoft Support severity levels

  • Critical (Sev A)
    Description: One or more services are inaccessible or nonfunctional. Productivity or profit is impacted. Multiple users are affected. Immediate attention is required.
    Examples: Problems sending or receiving email with Outlook/Exchange Online. SharePoint or OneDrive sites are inaccessible. Cannot send or receive messages or calls in Microsoft Teams.
  • High (Sev B)
    Description: One or more services are impaired but still usable. A single user or customer is affected. Attention can wait until business hours.
    Examples: Critical service functionality is delayed or partially impaired but operational. Noncritical functions of a critical service are impaired. A function is unusable in a graphical interface but accessible using PowerShell.
  • Non-critical (Sev C)
    Description: One or more functions with minimal productivity or profit impact are impaired. One or more users are affected, but a workaround allows continued functionality.
    Examples: Problems configuring password expiration options. Problems archiving messages in Outlook/Exchange Online. Problems editing SharePoint sites.

After submitting support requests, administrators can monitor their progress in the Microsoft 365 admin center by selecting View Service Requests from the Support menu to display a list of all the support tickets associated with the account.

Describe the differences between base licensing and add-on licensing

Many Microsoft 365 services are maintained as separate add-on products, often in two plans, which customers can purchase to augment the capabilities of their base licenses.

For example, the IT administrators for an organization might decide that the price of purchasing Microsoft 365 Enterprise E5 licenses for all of their users is just too high and that the users don’t need all of the advanced features in the E5 product anyway. They choose the Microsoft 365 Enterprise E3 subscription instead, representing substantial cost savings.

Many administrators were attracted to the E5 product because it includes Microsoft Defender for Endpoint Plan 2, which provides endpoint detection and automated incident remediation. However, this feature alone was not enough to justify the difference in price between E3 and E5. Later, the administrators discovered they could purchase the Microsoft 365 E3 subscriptions as their users’ base license and then purchase Microsoft Defender for Endpoint Plan 2 as an add-on license. For this organization, the total cost of the two subscriptions was far less than the price of Microsoft 365 E5.

Microsoft has many add-on products that allow administrators to assemble a working environment with a curated selection of features. Add-on licenses come in two types, as follows:

  • Traditional add-on: An add-on license linked to a particular base subscription. The add-on subscription is also terminated if the base subscription lapses or is canceled.
  • Standalone add-on: An add-on license that appears as a separate subscription on the Billing pages in the Microsoft 365 admin center, with its own expiration date, independent of the base subscription.

Implementing best practices

As mentioned throughout this book, the Microsoft 365 product is a bundle of services, many of which remain available as separate subscriptions. In addition, subscriptions are available for combinations of individual features within these products.

Finally, to further complicate the picture, combining different licenses in a single Microsoft Entra ID tenancy is possible. With all these options available, organizations contemplating a migration to a cloud-based infrastructure or thinking of adding cloud services to an on-premises infrastructure should design a licensing strategy fulfilling the following requirements:

  • Provide the organization’s users with the services they need
  • Avoid providing users with unnecessary services that complicate the maintenance and support processes
  • Minimize subscription costs

Generally speaking, a Microsoft 365 subscription will likely be significantly less expensive than purchasing subscriptions for each component separately. This might be true even if some users do not need all the Microsoft 365 components.

Obviously, the simplest solution is to choose one Microsoft 365 product and purchase the same subscription for all the organization’s users. This can easily fulfill the first of the requirements but might not be a solution for the other two.

Depending on the nature of the business the organization is engaged in, an Enterprise E5 subscription might be suitable for some users, but there might also be many workers who do not need all the applications and services included in Enterprise E5. Depending on the number of users in each group, the expense of purchasing E5 subscriptions for everyone could be extremely wasteful and require additional administrative effort to provide customized environments for the different user groups. This is one of the primary reasons why Microsoft offers the Microsoft 365 F1 subscription for first-line workers.

Note Microsoft 365 F1

For more information on the Microsoft 365 F1 package, see the “Microsoft 365 Frontline” section earlier in this chapter.

Therefore, the best practice is to compare the features included in each of the Microsoft 365 licenses with the requirements of the various types of users in the organization. In a large enterprise, this can be a complicated process, but in the case of a major migration like this, prior planning is crucial and can save a great deal of expense and effort.

Quick check

Which of the following is not one of the three phases of the Microsoft compliance effort?

  1. Simplify
  2. Assess
  3. Protect
  4. Respond

Quick check answer

Which of the following is not one of the three phases of the Microsoft compliance effort?

  1. The three phases of the Microsoft compliance effort are Assess, Protect, and Respond. Simplify is not one of the three phases.

Skill 4.3: Identify support options for Microsoft 365 services

For many IT professionals, there are important concerns about what happens after their organization commits itself to the use of cloud-based applications and services. These issues include concerns about downtime, monitoring the continuity of Microsoft services, and the product support provided by Microsoft and its partners.