Performing bulk updates- Managing Azure Active Directory Objects

Performing bulk user updates is similar to managing single users (such as internal and guest users). The only operation that can’t be performed on multiple users at once is a password reset; this has to be done for one user at a time.

Azure has also improved its bulk user settings by adding a drop-down menu that enables you to do the following by downloading a CSV template, filling it in, and re-uploading it:

  • Bulk user creation
  • Bulk user invitation
  • Bulk user deletion
  • Bulk user downloads

To perform a bulk user update, you have to perform the following steps:

  1. Navigate to the Users overview blade again in Azure AD.
  2. Select the Bulk operations drop-down menu:

 Figure 1.19 – The Azure AD bulk user operations option

  3. From the menu, select the action you want to complete; for example, select Download users:

 Figure 1.20 – The Azure AD bulk user download setting

  4. Also, you can update multiple users by selecting them and choosing to delete them or configure MFA for each user:

 Figure 1.21 – The alternative Azure AD method for bulk user operations

This concludes our demonstration on how to perform bulk user updates and how it works.

We encourage students to read up further by using the following links, which will look at adding bulk users:

In the next section, we are going to cover how you can manage guest accounts.

Managing guest accounts

You can also add guest accounts in Azure AD using Azure AD B2B. Azure AD B2B is a feature on top of Azure AD that allows organizations to work safely with external users. To be added to Azure B2B, external users don’t require a Microsoft work or personal account that has been added to an existing Azure AD tenant.

All sorts of accounts can be added to Azure B2B. You don’t have to configure anything in the Azure portal to use B2B; this feature is enabled by default for all Azure AD tenants. Let’s see how to manage the guest accounts by performing the following steps:

  1. Adding guest accounts to your Azure AD tenant is similar to adding internal users to your tenant. When you navigate to the Users overview blade, you can choose + New guest user from the top-level menu, as follows:

 Figure 1.22 – The Azure AD Users blade to add a new guest user

  2. Then, you can provide an email address and a personal message, which is sent to the user’s inbox. This personal message includes a link to log in to your tenant.
  3. Select Invite user to add the user to your Azure AD tenant, and send an invitation to the user’s inbox:

 Figure 1.23 – Azure AD – inviting a guest user

  4. To manage external users after creation, you can select them from the Users overview blade. They will have a User type value, which is named Guest. Simply select the user from the list, and you will be able to manage the settings that are displayed in the top-level menu for this user, as follows:

 Figure 1.24 – The Azure AD Users blade displaying the account as Guest under User type

And that brings an end to this section. In this short section, we have reviewed guest accounts in Azure AD and learned how to configure them.
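The invitation steps above can also be scripted. The following is an added example, not taken from the book: it uses the Microsoft Graph PowerShell SDK to send the same kind of invitation and then lists guests whose invitations are still unredeemed. The email address, display name, message text and the 30-day threshold are constructed sample values.

```powershell
# Added example (not from the book). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). All values below are constructed samples.
$GuestEmail   = 'external.partner@fabrikam.example'   # placeholder address
$StaleAfter   = 30                                     # days; assumed review threshold

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

# Steps 2 and 3 of the walkthrough: email address, personal message, Invite user.
$inviteParams = @{
    InvitedUserEmailAddress = $GuestEmail
    InvitedUserDisplayName  = 'External Partner'
    InviteRedirectUrl       = 'https://myapplications.microsoft.com'
    SendInvitationMessage   = $true
    InvitedUserMessageInfo  = @{
        CustomizedMessageBody = 'You have been invited to collaborate with our tenant.'
    }
}
$invitation = New-MgInvitation @inviteParams

# The guest object exists immediately, even before the invitation is redeemed.
'{0} -> object {1}, status {2}' -f $GuestEmail, $invitation.InvitedUser.Id, $invitation.Status

# Step 4 of the walkthrough: guests are the accounts whose User type is Guest.
$guestProps = 'Id', 'DisplayName', 'Mail', 'UserType', 'ExternalUserState', 'CreatedDateTime'
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property $guestProps

# Review check: invitations that were never accepted leave dormant guest
# objects in the tenant. List the ones older than the threshold.
$cutoff = (Get-Date).AddDays(-$StaleAfter)
$guests |
    Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' -and $_.CreatedDateTime -lt $cutoff } |
    Sort-Object CreatedDateTime |
    Select-Object DisplayName, Mail, ExternalUserState, CreatedDateTime
```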

We encourage students to read up further by using the following links, which will provide additional information around restricting guest permissions:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions

In the next section, we are going to look at what Azure AD join is and how to configure it for Windows 10 devices.

Creating Azure AD AUs- Managing Azure Active Directory Objects

Azure AD AUs are used in scenarios where granular administrative control is required. AUs have the following prerequisites:

  • An Azure AD Premium P1 license is required for each AU administrator.
  • An Azure AD Free license is required for AU members.
  • A privileged role administrator or global administrator is required for configuration.

Tip

AUs can be created via the Azure portal or PowerShell.

The easiest way to explain AUs is by using a scenario. A company called Contoso is a worldwide organization with users across 11 countries. Contoso has decided that each country is responsible for its own users from an administrative point of view. That is where Azure AD AUs come in handy. With AUs, Contoso can group users per country and assign administrators that only have control over these users and cannot administrate users in other countries.

The following diagram displays a high-level overview of how AUs work in the same tenant across different departments. The following example is based on different regions:

 Figure 1.8 – An AU overview displaying the separation of users for USA sales and UK sales

The following roles can be assigned within an AU:

  • Authentication administrator
  • Groups administrator
  • Help desk administrator
  • License administrator
  • Password administrator
  • User administrator

Important Note

Groups can be added to the AU as an object; therefore, any user within the group is not automatically part of the AU.

Now, let’s go ahead and create an AU via the Azure portal:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Administrative units and click on Add:

 Figure 1.9 – The AU blade within Azure AD

  4. Enter a name for the group. I’m using South Africa Users. In the Description field, it is best practice to add a brief description of what this AU is going to be used for:

 Figure 1.10 – The creation blade for an AU

  5. Next, under Assign roles, add the users that you want to be administrators based on the available roles. Then, select Password Administrator and choose PacktUser1.
  6. Click on Review + create:

 Figure 1.11 – The AU summary page

  7. The next step is to add all the users you want PacktUser1 to manage; in our case, we need to add PacktUser1, PacktUser2, and PacktUser3. On the left-hand side, under Manage, click on Add member and select the members:

 Figure 1.12 – Adding users to the AU

  8. Now you will see that all three users have been added to the AU:

 Figure 1.13 – Displaying the users added to the AU

  9. You can now log in with PacktUser1, and you should be able to reset the password of PacktUser2.

Important Note

Remember, you need to assign an Azure AD P1 license to administrators within the AU.
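The Tip earlier in this section notes that AUs can also be created with PowerShell. The following is an added example, not taken from the book: it reproduces the portal walkthrough with the Microsoft Graph PowerShell SDK and finishes by checking that the role assignment is scoped to the AU rather than to the whole tenant. The tenant domain and the description text are placeholders; the AU, role and account names are the ones used in the steps above.

```powershell
# Added example (not from the book). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph).
# Assumption: 'contoso.example' is a placeholder for the tenant's domain.
$TenantDomain = 'contoso.example'
$AuName       = 'South Africa Users'
$AdminUpn     = "PacktUser1@$TenantDomain"
$MemberUpns   = 'PacktUser1', 'PacktUser2', 'PacktUser3' |
    ForEach-Object { '{0}@{1}' -f $_, $TenantDomain }

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# 1. Create the AU only if it does not exist yet, so the script can be re-run.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AuName'"
if (-not $au) {
    $auParams = @{
        DisplayName = $AuName
        Description = 'Users whose passwords are managed by PacktUser1'  # sample text
    }
    $au = New-MgDirectoryAdministrativeUnit @auParams
}

# 2. Add the users as direct members. Adding a group here would add only the
#    group object; its users would not come into the AU's scope.
$current = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    Select-Object -ExpandProperty Id)
foreach ($upn in $MemberUpns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    if ($current -notcontains $user.Id) {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
        }
    }
}

# 3. Assign Password Administrator to PacktUser1, scoped to this AU only.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
$admin = Get-MgUser -UserId $AdminUpn -ErrorAction Stop
$scope = "/administrativeUnits/$($au.Id)"

$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" -All |
    Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $scope }
if (-not $existing) {
    $assignParams = @{
        PrincipalId      = $admin.Id
        RoleDefinitionId = $role.Id
        DirectoryScopeId = $scope
    }
    New-MgRoleManagementDirectoryRoleAssignment @assignParams | Out-Null
}

# 4. Least-privilege check: list every role assignment the AU administrator
#    holds and flag any whose scope is '/', which means the whole tenant.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" -All |
    Select-Object RoleDefinitionId, DirectoryScopeId,
        @{ Name = 'TenantWide'; Expression = { $_.DirectoryScopeId -eq '/' } }
```

If the last command shows a row with TenantWide set to True for the same role, PacktUser1 can reset passwords outside the AU and the scoping has no effect.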

In this section, we explained what an AU is and how it can be used. Additionally, we went through the creation of an AU step by step.

We encourage students to read up further by using the following links, which will provide additional information around AU management:

Now, let’s move on and take a look at how to manage user and group properties.

News and commentary about the exam objective updates-MS-900 Microsoft 365 Fundamentals, Second Edition exam updates

The current official Microsoft Study Guide for the MS-900 Microsoft 365 Fundamentals exam is located at https://learn.microsoft.com/en-us/certifications/resources/study-guides/MS-900. This page has the most recent version of the exam objective domain.

This statement was last updated in August 2023, before Exam Ref MS-900 Microsoft 365 Fundamentals, Second Edition was published.

This version of this Chapter has no news to share about the next exam release.

In the most recent version of this Chapter, the MS-900 Microsoft 365 Fundamentals exam version number was Version 1.1.

Updated technical content

The current version of this Chapter has no additional technical content.

Objective mapping

This Exam Ref is structured by the author(s) based on the topics and technologies covered on the exam and is not structured based on the specific order of topics in the exam objectives. The table below maps the current version of the exam objectives to chapter content, allowing you to locate where a specific exam objective item has coverage without consulting the index.

TABLE 7-1 Exam Objectives mapped to chapters.

Exam Objective | Chapter

Describe cloud concepts

Describe the different types of cloud services available | Chapter 1
  • Describe Microsoft SaaS, IaaS, and PaaS concepts and use cases
  • Describe differences between Office 365 and Microsoft 365

Describe the benefits of and considerations for using cloud, hybrid, or on-premises services | Chapter 1
  • Describe public, private, and hybrid cloud models
  • Compare costs and advantages of cloud, hybrid, and on-premises services
  • Describe the concept of hybrid work and flexible work

Describe Microsoft 365 apps and services

Describe productivity solutions of Microsoft 365 | Chapter 2
  • Describe the core productivity capabilities and benefits of Microsoft 365 including Microsoft Outlook and Microsoft Exchange, Microsoft 365 apps, and OneDrive
  • Describe core Microsoft 365 Apps including Microsoft Word, Excel, PowerPoint, Outlook, and OneNote
  • Describe work management capabilities of Microsoft 365 including Microsoft Project, Planner, Bookings, Forms, Lists, and To Do

Describe collaboration solutions of Microsoft 365 | Chapter 2
  • Describe the collaboration benefits and capabilities of Microsoft 365 including Microsoft Exchange, Outlook, Yammer, SharePoint, OneDrive, and Stream
  • Describe the collaboration benefits and capabilities of Microsoft Teams and Teams Phone
  • Describe the Microsoft Viva apps
  • Describe the ways that you can extend Microsoft Teams by using collaborative apps

Describe endpoint modernization, management concepts, and deployment options in Microsoft 365 | Chapter 2
  • Describe the endpoint management capabilities of Microsoft 365 including Microsoft Endpoint Manager (MEM), Intune, AutoPilot, and Configuration Manager with cloud attach
  • Compare the differences between Windows 365 and Azure Virtual Desktop
  • Describe the deployment and release models for Windows-as-a-Service (WaaS) including deployment rings
  • Identify deployment and update channels for Microsoft 365 Apps

Describe analytics capabilities of Microsoft 365 | Chapter 2
  • Describe the capabilities of Viva Insights
  • Describe the capabilities of the Microsoft 365 Admin center and Microsoft 365 user portal
  • Describe the reports available in the Microsoft 365 Admin center and other admin centers

Describe security, compliance, privacy, and trust in Microsoft 365

Describe identity and access management solutions of Microsoft 365 | Chapter 3
  • Describe the identity and access management capabilities of Microsoft Entra ID
  • Describe cloud identity, on-premises identity, and hybrid identity concepts
  • Describe how Microsoft uses methods such as multi-factor authentication (MFA), self-service password reset (SSPR), and conditional access to keep identities, access, and data secure

Describe threat protection solutions of Microsoft 365 | Chapter 3
  • Describe Microsoft 365 Defender, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and the Microsoft 365 Defender Portal
  • Describe Microsoft Secure Score benefits and capabilities
  • Describe how Microsoft 365 addresses the most common types of threats against endpoints, applications, and identities

Describe trust, privacy, risk, and compliance solutions of Microsoft 365 | Chapter 3
  • Describe the Zero Trust Model
  • Describe Microsoft Purview and compliance solutions such as insider risk, auditing, and eDiscovery
  • Describe how Microsoft supports data residency to ensure regulatory compliance
  • Describe information protection features such as sensitivity labels and data loss prevention
  • Describe the capabilities and benefits of Microsoft Priva

Describe Microsoft 365 pricing, licensing, and support

Identify Microsoft 365 pricing and billing management options | Chapter 4
  • Describe the pricing model for Microsoft cloud services including enterprise agreements, cloud solution providers, and direct billing
  • Describe available billing and bill management options including billing frequency and methods of payment

Identify licensing options available in Microsoft 365 | Chapter 4
  • Describe license management
  • Describe the differences between base licensing and add-on licensing

Identify support options for Microsoft 365 services | Chapter 4
  • Describe how to create a support request for Microsoft 365 services
  • Describe support options for Microsoft 365 services
  • Describe service level agreements (SLAs) including service credits
  • Determine service health status by using the Microsoft 365 admin center or the Microsoft Entra admin center

The purpose of this chapter-MS-900 Microsoft 365 Fundamentals, Second Edition exam updates

For all the other chapters, the content should remain unchanged throughout this edition of the book. Instead, this chapter will change over time, with an updated online PDF posted so you can see the latest version of the chapter, even after you purchase this book.

Why do we need a chapter that updates over time? For three reasons.

  1. To add more technical content to the book before it is time to replace the current book edition with the next edition. This chapter will include additional technology content and possibly additional PDFs containing more content.
  2. To communicate detail about the next version of the exam, to tell you about our publishing plans for that edition, and to help you understand what that means to you.
  3. To accurately map the current exam objectives to existing chapter content. While exam objectives evolve and are updated and products are renamed, much of the content in this book will remain accurate and relevant. In addition to covering any content gaps that appear through additions to the objectives, this chapter will provide explanatory notes on how the new objectives map to the current text.

After the initial publication of this book, Microsoft Press will provide supplemental updates as digital downloads for minor exam updates. If an exam has major changes or accumulates enough minor changes, we will then announce a new edition. We will do our best to provide any updates to you free of charge before we release a new edition. However, if the updates are significant enough in between editions, we may release the updates as a low-priced standalone eBook.

If we do produce a free updated version of this chapter, you can access it on the book’s companion website. Simply go to the companion website page and go to the “Exam Updates Chapter” section of the page.

If you have not yet accessed the companion website, follow the process below:

Step 1. Browse to microsoftpressstore.com/register.

Step 2. Enter the print book ISBN (even if you are using an eBook).

Step 3. After registering the book, go to your account page and select the Registered Products tab.

Step 4. Click on the Access Bonus Content link to access the companion website. Select the Exam Updates Chapter link or scroll down to that section to check for updates.

About possible exam updates

Microsoft reviews exam content periodically to ensure that it aligns with the technology and job role associated with the exam. This includes, but is not limited to, incorporating functionality and features related to technology changes, changing skills needed for success within a job role, and revisions to product names. Microsoft updates the exam details page to notify candidates when changes occur. If you have registered this book and an update occurs to this chapter, Microsoft Press will notify you of the availability of this updated chapter.

Impact on you and your study plan

Microsoft’s information helps you plan, but it also means that the exam might change before you pass the current exam. That impacts you, affecting how we deliver this book to you. This chapter gives us a way to communicate in detail about those changes as they occur. But you should watch other spaces as well.

For those other information sources to watch, bookmark and check these sites for news. In particular:

  • Microsoft Learn: Check the main source for up-to-date information: microsoft.com/learn. Make sure to sign up for automatic notifications on that page.

  • Microsoft Press: Find information about products, offers, discounts, and free downloads: microsoftpressstore.com. Make sure to register your purchased products.

As changes arise, we will update this Chapter with more detail about exam and book content. At that point, we will publish an updated version of this Chapter, listing our content plans. That detail will likely include the following:

  • Content removed, so if you plan to take the new exam version, you can ignore those when studying.
  • New content planned per new exam topics, so you know what’s coming.

The remainder of the Chapter shows the new content that may change over time.

Describe service level agreements (SLAs), including service credits-Understand Microsoft 365 pricing and support-1

When an enterprise uses on-premises servers, it knows that any issues that prevent the servers from functioning are its own problem, and it must have the resources to resolve them. This is why organizations often use redundant components, servers, or even datacenters to keep business-critical services available. Many IT professionals prefer this self-reliance; they can be confident of their continued functionality by planning and implementing their services correctly. However, an enterprise that uses cloud-based services must rely on others to keep its services running.

For IT professionals, service outages are one of the potential showstopper issues for the adoption of Microsoft 365 and other cloud-based services. If the services suffer downtime, business stops. While it might not be the IT professionals’ fault, it is their responsibility. What is worse, there is nothing they can do about it except call the provider and shout at them. Depending on the nature of the organization’s business, service downtime can result in lost productivity, lost income, and—in extreme cases—even lost lives.

To address this issue, contracts with cloud service providers typically include a service level agreement (SLA). The SLA guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met. It is important to remember that an organization usually has more than one service provider that is needed to access the cloud. For example, an organization can contract with Microsoft for a certain number of Microsoft 365 subscriptions, but the reliability specified in Microsoft’s SLA means nothing if the organization’s Internet service provider (ISP) fails to provide them with access to the cloud. Therefore, an organization should have a contract with every cloud service provider they use that includes SLA terminology.

When negotiating an SLA with any cloud service provider or Internet service provider, there should be language included to address questions like the following:

  • What formula is used to calculate the service levels that are actually achieved?
  • Who is responsible for maintaining records of service levels?
  • How and when is the subscriber provided with written reports of the service levels achieved?
  • Are there exceptional circumstances specified in the SLA under which service outages are not classified as downtime?
  • How much downtime is expected or allowable for the provider’s scheduled and emergency maintenance?
  • What are the terms of the agreement regarding service interruptions resulting from acts of war, extreme weather, or natural disasters?
  • What are the terms of the agreement regarding service interruptions caused by third-party services, such as power outages?
  • What are the terms of the agreement regarding service interruptions resulting from malicious cyberattacks against the provider?
  • What are the terms of the agreement regarding service interruptions resulting from malicious cyberattacks against the subscriber?
  • What remedy or penalty does the provider supply when they fail to meet the agreed-upon service levels?
  • What is the liability to which the provider is subject when service interruptions cause a loss of business or productivity?

These questions are designed to quantify the nature of the SLA and how it can legally affect the relationship between the provider and the subscriber. For example, a provider can guarantee a 99 percent uptime rate. However, without specific language addressing the point, there is no way to determine exactly what constitutes uptime or downtime. What if a service is only partially operational, with some tasks functional and others not? Does that constitute downtime? There is also the question of what happens when downtime in excess of the guaranteed amount does occur. Is it the responsibility of the subscriber to make a claim? If excessive downtime occurs, is the provider responsible for the subscriber’s lost business during that downtime or just for a prorated subscription fee? If issues like these are not discussed with specific language in the SLA, then they are potential arguments the provider can use to avoid supporting their uptime guarantee.

SLA Limitations

As an example of the terms that might appear in an SLA to limit the responsibility of the cloud service provider, consider the following excerpt from Microsoft’s SLA for Microsoft Entra ID (Azure Active Directory):

This SLA and any applicable Service Levels do not apply to any performance or availability issues:

Disaster, war, acts of terrorism, riots, government action, or a network or device failure external to our data centers, including at your site or between your site and our data center);

That result from the use of services, hardware, or software not provided by us, including, but not limited to, issues resulting from inadequate bandwidth or related to third-party software or services;

That results from failures in a single Microsoft Datacenter location, when your network connectivity is explicitly dependent on that location in a non-geo-resilient manner;

Caused by your use of a Service after we advised you to modify your use of the Service, if you did not modify your use as advised;

During or with respect to preview, pre-release, beta or trial versions of a Service, feature or software (as determined by us) or to purchases made using Microsoft subscription credits;

That result from your unauthorized action or lack of action when required, or from your employees, agents, contractors, or vendors, or anyone gaining access to our network by means of your passwords or equipment, or otherwise resulting from your failure to follow appropriate security practices;

That result from your failure to adhere to any required configurations, use supported platforms, follow any policies for acceptable use, or your use of the Service in a manner inconsistent with the features and functionality of the Service (for example, attempts to perform operations that are not supported) or inconsistent with our published guidance;

That result from faulty input, instructions, or arguments (for example, requests to access files that do not exist);

That result from your attempts to perform operations that exceed prescribed quotas or that resulted from our throttling of suspected abusive behavior;

Due to your use of Service features that are outside of associated Support Windows; or

For licenses reserved, but not paid for, at the time of the Incident.

These limitations are not standard for all SLAs, but they are typical.

Describe the differences between base licensing and add-on licensing-Understand Microsoft 365 pricing and support

Many Microsoft 365 services are maintained as separate add-on products, often in two plans, which customers can purchase to augment the capabilities of their base licenses.

For example, the IT administrators for an organization might decide that the price of purchasing Microsoft 365 Enterprise E5 licenses for all of their users is just too high and that the users don’t need all of the advanced features in the E5 product anyway. They choose the Microsoft 365 Enterprise E3 subscription instead, representing substantial cost savings.

Many administrators were attracted to the E5 product because it includes Microsoft Defender for Endpoint Plan 2, which provides endpoint detection and automated incident remediation. However, this feature alone was not enough to justify the difference in price between E3 and E5. Later, the administrators discovered they could purchase the Microsoft 365 E3 subscriptions as their users’ base license and then purchase Microsoft Defender for Endpoint Plan 2 as an add-on license. For this organization, the total cost of the two subscriptions was far less than the price of Microsoft 365 E5.

Microsoft has many add-on products that allow administrators to assemble a working environment with a curated selection of features. Add-on licenses come in two types, as follows:

  • Traditional add-on: An add-on license linked to a particular base subscription. The add-on subscription is also terminated if the base subscription lapses or is canceled.
  • Standalone add-on: An add-on license that appears as a separate subscription on the Billing pages in the Microsoft 365 admin center, with its own expiration date, independent of the base subscription.

Implementing best practices

As mentioned throughout this book, the Microsoft 365 product is a bundle of services, many of which remain available as separate subscriptions. In addition, subscriptions are available for combinations of individual features within these products.

Finally, to further complicate the picture, combining different licenses in a single Microsoft Entra ID tenancy is possible. With all these options available, organizations contemplating a migration to a cloud-based infrastructure or thinking of adding cloud services to an on-premises infrastructure should design a licensing strategy fulfilling the following requirements:

  • Provide the organization’s users with the services they need
  • Avoid providing users with unnecessary services that complicate the maintenance and support processes
  • Minimize subscription costs

Generally speaking, a Microsoft 365 subscription will likely be significantly less expensive than purchasing subscriptions for each component separately. This might be true even if some users do not need all the Microsoft 365 components.

Obviously, the simplest solution is to choose one Microsoft 365 product and purchase the same subscription for all the organization’s users. This can easily fulfill the first of the requirements but might not be a solution for the other two.

Depending on the nature of the business the organization is engaged in, an Enterprise E5 subscription might be suitable for some users, but there might also be many workers who do not need all the applications and services included in Enterprise E5. Depending on the number of users in each group, the expense of purchasing E5 subscriptions for everyone could be extremely wasteful and require additional administrative effort to provide customized environments for the different user groups. This is one of the primary reasons why Microsoft offers the Microsoft 365 F1 subscription for first-line workers.

Note Microsoft 365 F1

For more information on the Microsoft 365 F1 package, see the “Microsoft 365 Frontline” section earlier in this chapter.

Therefore, the best practice is to compare the features included in each of the Microsoft 365 licenses with the requirements of the various types of users in the organization. In a large enterprise, this can be a complicated process, but in the case of a major migration like this, prior planning is crucial and can save a great deal of expense and effort.

Quick check

Which of the following is not one of the three phases of the Microsoft compliance effort?

  1. Simplify
  2. Assess
  3. Protect
  4. Respond

Quick check answer

Which of the following is not one of the three phases of the Microsoft compliance effort?

  1. The three phases of the Microsoft compliance effort are Assess, Protect, and Respond. Simplify is not one of the three phases.

Skill 4.3: Identify support options for Microsoft 365 services

For many IT professionals, there are important concerns about what happens after their organization commits itself to the use of cloud-based applications and services. These issues include concerns about downtime, monitoring the continuity of Microsoft services, and the product support provided by Microsoft and its partners.

Describe license management-Understand Microsoft 365 pricing and support

To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL). Typically, an administrator for an organization deploying Microsoft 365 creates a tenancy in Microsoft Entra ID (Azure Active Directory), purchases a specific number of USLs, and then assigns them to users in the Microsoft 365 admin center console by selecting Licenses in the Billing menu, as shown in Figure 4-12.

  

FIGURE 4-12 A License Details page in Microsoft 365 admin center

Global administrators or user management administrators can assign licenses to up to 20 users at once from this interface. It is also possible to assign licenses to hybrid user accounts created through Active Directory synchronization or federation or while creating new user accounts in the Microsoft 365 admin center.

Assigning a Microsoft 365 license to a user causes the following events to occur:

  • Exchange Online creates a mailbox for the user
  • SharePoint grants the user edit permissions for the default team site
  • Microsoft 365 enables the user to download and install the Office productivity applications on up to five devices

From the Purchase Services page in the admin center, administrators can also purchase additional Microsoft 365 USLs or licenses for add-on products, as shown in Figure 4-13.

  

FIGURE 4-13 The Purchase Services page in Microsoft 365 admin center

Microsoft offers four different USL types for each of the Microsoft 365 products, depending on the purchaser’s existing relationship with the company, as follows:

  • Full USL: This is a complete Microsoft 365 license for new purchasers who do not have existing Microsoft product licenses or for owners of on-premises Microsoft product licenses that do not include Software Assurance—Microsoft’s software maintenance agreement.
  • Add-on USL: This is a license for purchasers with existing on-premises Microsoft product licenses, including Software Assurance, who want to maintain their infrastructure while adding Microsoft 365 cloud services in a pilot or hybrid deployment.
  • From SA USL: This is a license for purchasers with existing perpetual Microsoft product licenses, including Software Assurance, who want to transition to a cloud-based infrastructure with continued Software Assurance for the Microsoft 365 product. Qualifying purchasers can only obtain From SA USLs at their contract renewal time and must maintain their existing Software Assurance agreement. A Microsoft 365 Software Assurance agreement includes cloud-oriented benefits, such as Deployment Planning Services, Home Use Program, online user training courses, and additional support incidents.
  • Step-up USL: This is a license for current Microsoft customers who want to upgrade their subscriptions during an existing enrollment or agreement period, such as from Office 365 to Microsoft 365 or from Microsoft 365 Business to Microsoft 365 Enterprise E3.

Because the Add-on USLs, From SA USLs, and Step-up USLs are intended for existing Microsoft customers, their prices reflect significant discounts from the Full USL price.

Compliance-Understand Microsoft 365 pricing and support

As the proliferation and value of data increases over time, businesses, agencies, and individuals are becoming increasingly concerned with the privacy and protection of their data. Hundreds of regulatory bodies—private and governmental—quantify the nature of this data protection and publish standards for data storage and handling.

Some of the most common data privacy standards in use today are as follows:

  • Federal Information Security Modernization Act (FISMA): Specifies how U.S. federal agencies must protect information
  • Health Insurance Portability and Accountability Act (HIPAA): Regulates the privacy of personal health information
  • Family Educational Rights and Privacy Act (FERPA): Regulates the disclosure of student education records
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Specifies how commercial business organizations can gather, retain, and share personal information
  • Gramm–Leach–Bliley Act (GLBA): Specifies how financial institutions must protect and share the personal information of their customers
  • General Data Protection Regulation (GDPR): Specifies data protection and privacy regulations for citizens of the European Union

These standards can define elements such as the following:

  • The controls that organizations must exercise to protect the privacy of personal data
  • How organizations can and cannot use personal data
  • The rights of government and other official agencies to access personal data held by an organization
  • The lengths of time an organization can and must retain individuals’ personal data
  • The rights of individuals to access and correct their personal data held by organizations

Whether adopting certain standards is mandatory or voluntary, many organizations are concerned with whether the tools and procedures they use for storing and handling data comply with these standards.

Every organization must assess its own data resources and determine what standards should apply to them. The nature of the business in which the organization is engaged can often dictate compliance with particular standards. For example, companies in the health care industry or those with government contracts might be legally required to store, handle, and protect their data in specific ways. Indeed, there are regulatory standards with which Microsoft 365 products on their own cannot possibly comply, such as those requiring data to be stored on devices and in locations wholly owned and controlled by the organization, precluding cloud storage entirely.

However, many of the hundreds of privacy standards in use do allow the possibility of compliance when data is stored in the cloud, and Microsoft is well aware of the importance of adherence to these standards for many organizations considering a migration to the cloud. For IT professionals who are hesitant to become Microsoft 365 adopters because they fear that changing the location and the data storage conditions will negatively affect their compliance with standards like these, Microsoft has tested its products’ compliance with many different standards and published documents certifying the results.

Microsoft divides the compliance effort into three phases, as shown in Figure 4-11. The phases are described as follows:

  

FIGURE 4-11 Microsoft compliance phases

  • Assess: The organization gathers the information needed to assess its current compliance status and produce a plan to achieve or maintain compliance with specific standards. Microsoft’s Service Trust Portal website contains a vast library of documents specifying information about the testing processes and the third parties involved in compliance testing. Also, Microsoft Purview includes Compliance Manager, a risk assessment tool organizations can use to record their actions to achieve compliance with specific standards.
  • Protect: The organization implements a protection plan for its data, based on its sensitivity, using the tools provided in the Microsoft 365 services, including access control permissions, file encryption, Information Protection, and Data Loss Prevention.
  • Respond: The organization develops protocols for responding to regulatory requests using artificial intelligence tools such as Microsoft 365 eDiscovery to perform complex searches of Exchange Online mailboxes, Microsoft 365 Groups, SharePoint and OneDrive sites, and Microsoft Teams conversations.

Need More Review? Microsoft 365 Compliance

For additional information on Microsoft 365’s compliance efforts, see the “Describe trust, privacy, risk, and compliance solutions in Microsoft 365” section in Chapter 3, “Describe security, compliance, privacy, and trust in Microsoft 365.”

Quick check

What is the difference between a Cloud Solution Provider that is an indirect reseller and one that is an indirect provider?

Quick check answer

  • An indirect reseller is typically a smaller company concentrating on locating, cultivating, and signing customers for Microsoft cloud-based products and services. An indirect provider is a larger company engaged by indirect resellers responsible for supplying products, customer service, billing, and technical support services to customers.

Collaboration-Understand Microsoft 365 pricing and support

The nature of collaboration in the workplace has changed, so the tools that facilitate collaboration must change with it. One of the primary advantages of cloud-based computing is that it allows users to access enterprise resources from any location. Microsoft 365 takes advantage of that benefit by enabling access to the cloud using nearly any device with an Internet connection. Microsoft Entra ID (formerly known as Azure Active Directory) and Microsoft Intune are services based in the cloud, providing identity and device management functions that secure these user connections to the cloud. These components, along with the increased capabilities and emphasis on smartphones and other mobile devices in the business world, have made Microsoft 365 an unprecedented platform for collaboration.

With an infrastructure in place that can provide users with all but universal access to enterprise resources, the next step toward a collaboration platform is the applications and services that enable users to communicate and share data. Microsoft 365 includes four primary collaboration services—shown in Figure 4-9—that provide different types of communication for different situations. Additional services also provide more specific functions for the other services.

  

FIGURE 4-9 Microsoft 365 collaboration services

The services that contribute to the collaboration capabilities in Microsoft 365 are as follows:

  • SharePoint: Provides content storage and publishing services for group and personal intranet websites and for all the other Microsoft 365 collaboration tools. A SharePoint site can be a collaboration platform, or its elements can be embedded in other service publications.
  • Exchange Online/Outlook: Provides standard email communication and calendar and scheduling functions. Email is asynchronous communication that can be one-to-one or, with the aid of distribution lists, one-to-many. Scheduling functions can be embedded in other services.
  • Microsoft Teams: Provides synchronous chat- and call-based communication among team members who must communicate quickly and frequently. By incorporating elements from other services, such as Exchange Online scheduling, SharePoint content, and Stream video, Teams can function as a comprehensive collaboration platform.
  • Yammer: Provides a group-based or company-wide private social media service designed to accommodate larger groups than Microsoft Teams or foster a sense of community within the enterprise. Yammer also provides a platform for the functions provided by other services, such as content from SharePoint sites or scheduling with Exchange Online.
  • Stream: Provides video storage and distribution services directly to users in web browsers or embedded in other Microsoft 365 collaboration services, including Exchange Online, SharePoint, Microsoft Teams, and Yammer.
  • Planner: Provides project management services that enable users to create schedules containing tasks, files, events, and other content from Microsoft 365 services.
  • OneDrive: Provides private file storage for individual users unless the user explicitly shares specific documents.

Need More Review? Microsoft 365 collaboration tools

For more information about the collaboration capabilities of the Microsoft 365 services, see the “Describe collaboration solutions of Microsoft 365” section in Chapter 2, “Describe Microsoft 365 apps and services.”

Microsoft Entra ID (Azure Active Directory) and Microsoft 365 Groups provide the identity-management infrastructure for all the Microsoft 365 collaborative services. This enables users and administrators to set up and use these services any way they want. No matter how the content from the various services is combined, only one set of user accounts and group memberships applies to all of them. This turns the collection of Microsoft 365 collaboration services into a flexible and interoperable toolkit.

Figure 4-10 illustrates how workers and teams can use the Microsoft 365 collaboration services to work together by creating a digital daily plan containing specific tasks and the circumstances in which they might be performed.

  

FIGURE 4-10 A sample Microsoft 365 collaboration task schedule

Microsoft 365 subscriptions-Understand Microsoft 365 pricing and support

Most organizations interested in Microsoft 365 as an introduction to cloud-based networking, either as a new deployment or an addition to a traditional on-premises network, will opt for one of the Microsoft 365 Business options or one of the Microsoft 365 Enterprise subscriptions described in the following sections. In addition, there are specialized versions of Microsoft 365 designed for educational and governmental environments.

Microsoft 365 Business

Intended for small- and medium-sized businesses with up to 300 users, the Microsoft 365 Business product comes in three subscription levels: Basic, Standard, and Premium. All three include the standard Office productivity applications: Word, Excel, PowerPoint, and Outlook, and the Microsoft 365 cloud services: Exchange, SharePoint, Microsoft Teams, and OneDrive. The differences between the levels, other than the prices, are as follows:

  • Microsoft 365 Business Basic: Includes only the web and mobile versions of the productivity applications
  • Microsoft 365 Business Standard: Includes all Business Basic features plus downloadable desktop versions of the productivity applications, plus desktop versions of Access and Publisher
  • Microsoft 365 Business Premium: Includes all Business Standard features, plus Azure Active Directory Premium Plan 1 and the advanced security capabilities of Microsoft Intune and the suite of Microsoft Defender applications

Note Microsoft 365 Business for Nonprofits

In addition to the commercial Microsoft 365 Business Basic, Standard, and Premium subscriptions, Microsoft offers full-featured versions at all three levels for qualified nonprofit organizations at special prices.

Microsoft 365 Business is a comprehensive package for organizations that do not maintain a full-time IT staff, which is the case with many small businesses. Deploying Microsoft 365 workstations is largely automated, and the package includes the Microsoft 365 admin center, which provides a unified interface for the setup and management of identities and devices.

Microsoft 365 Business Premium includes Windows Autopilot, which streamlines the deployment of new Windows workstations or the upgrade of existing ones. For computers with an earlier version of Windows installed, Microsoft 365 provides an upgrade to Windows 11. In addition to Autopilot, Microsoft 365 includes device management settings in Azure Active Directory that can automatically apply policies to newly deployed workstations, including those for functions like the following:

  • Activation of the Microsoft 365 subscription
  • Windows 11 and Microsoft 365 updates
  • Automated installation of Microsoft 365 productivity applications on Windows 11
  • Control of the device’s screen when the system is idle
  • Access control to Microsoft Store apps
  • Access control to Cortana
  • Access control to Windows tips and advertisements from Microsoft

Another priority of Microsoft 365 Business Premium is to provide security in areas where small businesses often fall short, as shown in Figure 4-1. The suite of security functions and services included in the product protects all the primary areas of a business network: identities, with multifactor authentication; devices, with management capabilities for on-premises and mobile devices; applications, with usage restrictions; email, with threat detection and data loss prevention; and documents, with classification, encryption, and access control.

  

FIGURE 4-1 Security functions in Microsoft 365 Business Premium

Microsoft 365 Business allows up to 300 user subscriptions in one tenancy, but this does not mean an organization’s network is limited to 300 users. Not every user on the network needs a Microsoft 365 Business license, although only the license holders can use the cloud services included with the product. It is also possible to combine license types in a single tenancy, meaning that if an organization running Microsoft 365 Business expands to more than 300 users, more users can be added with Microsoft 365 Enterprise licenses without upgrading the original 300 Business users.