Managing user and group properties- Managing Azure Active Directory Objects

Part of an Azure administrator’s task is to understand what can be done from a user and group perspective within Azure AD. Let’s take a look at what we can configure for an Azure AD user account:

  • Profile: This is where you can view and update information such as the name, user type, job information, and more.
  • Assigned roles: This setting is where you can view all of the role assignments for that specific account; assignments can be in the form of eligible, active, or expired assignments.
  • Administrative units: This setting displays the AUs that the user is part of.
  • Groups: This setting displays the Azure AD groups that the user is a direct member of.
  • Applications: This setting displays the application assignments.
  • Licenses: This setting displays what licenses are currently assigned to the user account.
  • Devices: This setting shows what devices are associated with the user account, including the join type such as Azure AD joined.
  • Azure role assignments: This setting displays the Azure RBAC role assignments the account holds at subscription level and on the resources beneath it.
  • Authentication methods: This setting displays the authentication contact information, such as the phone number and email address for MFA. From here, you can also set the account to reregister for MFA or revoke current MFA sessions.
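The portal shows these properties one blade at a time. The script below, added here as an example and not taken from the book, collects the security-relevant ones for a single account in one pass with the Microsoft Graph PowerShell SDK: active directory role memberships, group memberships, Azure RBAC assignments and registered authentication methods, and flags a privileged account that has nothing stronger than a password registered. The UPN, the scope list and the `Get-UserAccessSummary` function name are assumptions for illustration; it needs the Microsoft.Graph modules, and Az.Resources with an existing `Connect-AzAccount` session for the RBAC part.

```powershell
# Added example (not from the book): one-pass audit of an Azure AD user's roles, groups,
# Azure RBAC assignments and registered authentication methods via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph modules installed; the UPN below is replaced with a real user;
# Az.Resources installed and Connect-AzAccount already run if the RBAC section is wanted.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-UserAccessSummary {
    param([Parameter(Mandatory)][string]$Upn)

    $user = Get-MgUser -UserId $Upn -Property Id, DisplayName, UserPrincipalName, UserType, AccountEnabled

    # Groups and directory roles (the Groups and Assigned roles blades, active assignments only).
    # Get-MgUserMemberOf returns directoryObjects; the concrete type is in AdditionalProperties.
    $memberOf = Get-MgUserMemberOf -UserId $user.Id -All
    $groups = $memberOf |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    $roles = $memberOf |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    # Registered authentication methods (the Authentication methods blade).
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
    # Password is not a second factor and the email method is usable for SSPR only.
    $mfaCapable = $methods | Where-Object {
        $_ -notin @('passwordAuthenticationMethod', 'emailAuthenticationMethod')
    }

    # Azure RBAC assignments (the Azure role assignments blade); skipped if Az.Resources is absent.
    $rbac = @()
    if (Get-Command Get-AzRoleAssignment -ErrorAction SilentlyContinue) {
        $rbac = Get-AzRoleAssignment -ObjectId $user.Id |
            ForEach-Object { "$($_.RoleDefinitionName) at $($_.Scope)" }
    }

    [pscustomobject]@{
        User                      = $user.UserPrincipalName
        UserType                  = $user.UserType
        Enabled                   = $user.AccountEnabled
        DirectoryRoles            = @($roles)
        Groups                    = @($groups)
        AzureRoles                = @($rbac)
        AuthMethods               = @($methods)
        # Review flag: holds a directory role but has no MFA-capable method registered.
        PrivilegedWithoutMfaMethod = (@($roles).Count -gt 0) -and (@($mfaCapable).Count -eq 0)
    }
}

# Example call; replace the UPN with a user in your own tenant.
Get-UserAccessSummary -Upn 'PacktUser1@contoso.onmicrosoft.com' | Format-List
```

`Get-MgUserMemberOf` returns direct memberships only; use `Get-MgUserTransitiveMemberOf` to include nested groups. Eligible (PIM) role assignments are not memberships and do not appear here, so an account that shows no directory roles may still be able to activate one.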

Now that we have reviewed all the user properties, let’s take a look at the group settings.

Azure AD groups have the following settings available:

  • Overview: This displays the membership type, the source directory, the object ID, the creation date, and more.
  • Properties: This setting displays the general settings for the group, such as the group name, the description, the group type, and the membership type, which can be changed here.
  • Members: This setting displays all of the current members of the group; bulk operations can also be performed from here.
  • Owners: This setting displays the owners of the group who can modify the group and the members within it.
  • Administrative units: This setting displays the AUs that the group is part of.
  • Group memberships: This setting displays all of the security groups that the group belongs to (nested grouping).
  • Applications: This setting displays the application assignments.
  • Licenses: This setting displays the licenses that are assigned to the group, which group members will inherit automatically.
  • Azure role assignments: This setting displays the resources of a subscription level to which the group members have access.
  • Dynamic membership rules: This setting displays the configuration rules; for dynamic groups, this is where you can change the configuration rules, which will affect the members of the group.
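Dynamic membership rules, owners and nesting are the settings that decide who ends up in a group without anyone clicking Add member, so they are worth scripting and auditing. The script below is an added example, not the book's code: it creates a dynamic security group with Microsoft Graph PowerShell, assigns an owner, and reads back what the Properties, Owners, Members, Group memberships and Dynamic membership rules blades would show. The group name, the rule, the owner UPN and the scope list are assumptions; dynamic groups need an Azure AD Premium P1 licence as noted later in the chapter.

```powershell
# Added example (not from the book): create a dynamic security group, assign an owner, then read
# back the group properties the portal blades display, all via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph modules installed; Azure AD Premium P1 (dynamic groups);
# the owner UPN below replaced with a real user in your tenant.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$OwnerUpn = 'PacktUser1@contoso.onmicrosoft.com'   # assumption: replace with a user in your tenant
$owner = Get-MgUser -UserId $OwnerUpn

# The directory evaluates the rule and adds/removes members as attributes change.
# Build rules on attributes only administrators or the HR sync can write, never on ones users can
# edit themselves, otherwise a user can put themselves into the group.
$group = New-MgGroup -DisplayName 'SEC-Dynamic-SecurityTeam' `
    -MailNickname 'sec-dynamic-securityteam' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule '(user.department -eq "Security") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'

# Owners can change the rule, and therefore the membership: treat ownership as a privilege.
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
}

# Read back what the Properties, Owners, Members, Group memberships and rule blades show.
$g = Get-MgGroup -GroupId $group.Id -Property Id, DisplayName, GroupTypes, SecurityEnabled,
    MembershipRule, MembershipRuleProcessingState
[pscustomobject]@{
    Group          = $g.DisplayName
    GroupTypes     = ($g.GroupTypes -join ',')
    Rule           = $g.MembershipRule
    RuleProcessing = $g.MembershipRuleProcessingState
    Owners         = ((Get-MgGroupOwner -GroupId $g.Id |
                        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', ')
    MemberCount    = @(Get-MgGroupMember -GroupId $g.Id -All).Count   # fills once the rule has processed
    NestedIn       = ((Get-MgGroupMemberOf -GroupId $g.Id |
                        ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', ')
} | Format-List

# Editing the rule later silently changes who is a member; alert on these updates in the audit log.
Update-MgGroup -GroupId $g.Id -MembershipRule '(user.department -eq "Security")'
```

Membership of a freshly created dynamic group is empty until rule processing completes, so a `MemberCount` of 0 immediately after creation is expected rather than a sign that the rule is wrong.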

And that brings an end to the user and group properties. In this section, we have looked at all of the different settings for Azure AD users and Azure AD groups.

We encourage students to read up further by using the following links, which will provide additional information around managing group settings via the command line and also dive into external user attribute flows:

Next, we are going to look at how to manage device settings within Azure.

Technical requirements- Managing Azure Active Directory Objects-1

The first chapter of this book focuses on managing Azure Active Directory (Azure AD) objects. In this chapter, you will learn how to create and manage users and groups within Azure AD, including user and group properties. Additionally, we will look at Azure AD's administrative units (AUs) and discover how to create them, alongside managing device settings and performing bulk user updates. You will also learn how to manage guest accounts within Azure AD, configure Azure AD join, and configure Self-Service Password Reset (SSPR).

In brief, in this chapter, the following topics will be covered:

  • Creating Azure AD users and groups
  • Creating AUs
  • Managing user and group properties
  • Managing device settings
  • Performing bulk user updates
  • Managing guest accounts
  • Configuring Azure AD join
  • Configuring SSPR

Technical requirements

In order to follow along with the hands-on exercises, you will need access to an Azure AD tenant as a Global Administrator. If you do not have access to one, you can enroll for a free account at https://azure.microsoft.com/en-in/free/.

An Azure AD Premium P1 license is also required for some of the sections. Luckily, there is also a free one-month trial for students at https://azure.microsoft.com/en-us/trial/get-started-active-directory/.

Creating Azure AD users and groups

Azure AD offers a directory and identity management solution within the cloud. It offers traditional username and password identity management, alongside roles and permissions management. On top of that, it offers more enterprise-grade solutions, such as Multi-Factor Authentication (MFA) and application monitoring, solution monitoring, and alerting.

Azure AD can easily be integrated with your on-premises Active Directory to create a hybrid infrastructure.

Azure AD offers the following pricing plans:

  • Free: This offers the most basic features, such as support for single sign-on (SSO) across Azure, Microsoft 365, and other popular SaaS applications, Azure AD Business-to-Business (B2B) collaboration for external users, support for Azure AD Connect synchronization, self-service password change, user and group management, and standard security reports.
  • Office 365 Apps: Specific Office 365 subscriptions also provide some functionality such as user and group management, cloud authentication, including pass-through authentication, password hash synchronization, seamless SSO, and more.
  • Premium P1: This offers advanced reporting, MFA, conditional access, Mobile Device Management (MDM) auto-enrollment, Azure AD Connect Health, advanced administration such as dynamic groups, self-service group management, and Microsoft Identity Manager.
  • Premium P2: In addition to the Free and Premium P1 features, the Premium P2 license includes Azure AD Identity Protection, Privileged Identity Management, access reviews, and Entitlement Management.

Note

For a detailed overview of the different Azure AD licenses and all the features that are offered in each plan, you can refer to https://www.microsoft.com/nl-nl/security/business/identity-access-management/azure-ad-pricing?rtc=1&market=nl.

Creating users in Azure AD

We will begin by creating a couple of users in our Azure AD tenant from the Azure portal. To do this, perform the following steps:

  1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory.
  3. Under the Manage blade of Azure AD in the left-hand menu, select Users | All users. Then, select the + New user option from the top-level menu, as follows:

 Figure 1.1 – The Azure AD Users blade

  4. We are going to create three users. Add the values that are shown in the following screenshot:
    • Name: PacktUser1.
    • User name: The username is the identifier that the user enters to sign in to Azure AD. Select your domain name, which has been configured, and add this to the end of the username. The default is usually an onmicrosoft.com domain, but in my case, I have assigned a custom domain name, called safezone.fun. In the First name section, I have chosen Packt, and in the Last name section, I have added User1. Therefore, the User name value, in my case, will be [email protected]:
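The portal steps above create one user at a time. The script below is an added example, not the book's code, that creates the chapter's three lab users with Microsoft Graph PowerShell instead: it takes the UPN suffix from the tenant's default domain (the book uses a custom domain, safezone.fun), generates each initial password from a cryptographic random source, forces a change at first sign-in, and keeps the passwords out of the console output. The `New-RandomPassword` helper, the scope list and the domain lookup are assumptions for illustration.

```powershell
# Added example (not from the book): create the chapter's three lab users with Microsoft Graph
# PowerShell. Assumptions: Microsoft.Graph modules installed; the UPN suffix comes from the
# tenant's default domain; initial passwords are random, forced to change at first sign-in,
# and are returned only in memory so they can be handed over out of band.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.Read.All'

function New-RandomPassword {
    param([int]$Length = 20)
    # Exactly 64 characters so that (byte % 64) is unbiased; ambiguous glyphs (I, O, l, 0, 1) removed.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)   # CSPRNG, not Get-Random
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Default domain of the tenant, e.g. contoso.onmicrosoft.com, or the custom domain if it is the default.
$domain = (Get-MgDomain | Where-Object IsDefault).Id

$created = foreach ($n in 1..3) {
    $password = New-RandomPassword
    $user = New-MgUser -DisplayName "PacktUser$n" `
        -GivenName 'Packt' -Surname "User$n" `
        -MailNickname "PacktUser$n" `
        -UserPrincipalName "PacktUser$n@$domain" `
        -AccountEnabled:$true `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $true }

    # The password stays in this object only; deliver it to the user out of band, never via logs or tickets.
    [pscustomobject]@{ Upn = $user.UserPrincipalName; Id = $user.Id; InitialPassword = $password }
}

# Print identifiers only; the InitialPassword column is deliberately left out.
$created | Select-Object Upn, Id | Format-Table
```

For tenants where the Temporary Access Pass policy is enabled, issuing a time-limited pass instead of an initial password avoids distributing a reusable secret at all; the user registers their own MFA method on first sign-in.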

News and commentary about the exam objective updates-MS-900 Microsoft 365 Fundamentals, Second Edition exam updates

The current official Microsoft Study Guide for the MS-900 Microsoft 365 Fundamentals exam is located at https://learn.microsoft.com/en-us/certifications/resources/study-guides/MS-900. This page has the most recent version of the exam objective domain.

This statement was last updated in August 2023, before Exam Ref MS-900 Microsoft 365 Fundamentals, Second Edition was published.

This version of this Chapter has no news to share about the next exam release.

In the most recent version of this Chapter, the MS-900 Microsoft 365 Fundamentals exam version number was Version 1.1.

Updated technical content

The current version of this Chapter has no additional technical content.

Objective mapping

This Exam Ref is structured by the author(s) based on the topics and technologies covered on the exam and is not structured based on the specific order of topics in the exam objectives. The table below maps the current version of the exam objectives to chapter content, allowing you to locate where a specific exam objective item has coverage without consulting the index.

TABLE 7-1 Exam Objectives mapped to chapters.

Exam Objective (with the chapter that covers it)

Describe cloud concepts
  • Describe the different types of cloud services available (Chapter 1)
    • Describe Microsoft SaaS, IaaS, and PaaS concepts and use cases
    • Describe differences between Office 365 and Microsoft 365
  • Describe the benefits of and considerations for using cloud, hybrid, or on-premises services (Chapter 1)
    • Describe public, private, and hybrid cloud models
    • Compare costs and advantages of cloud, hybrid, and on-premises services
    • Describe the concept of hybrid work and flexible work

Describe Microsoft 365 apps and services
  • Describe productivity solutions of Microsoft 365 (Chapter 2)
    • Describe the core productivity capabilities and benefits of Microsoft 365 including Microsoft Outlook and Microsoft Exchange, Microsoft 365 apps, and OneDrive
    • Describe core Microsoft 365 Apps including Microsoft Word, Excel, PowerPoint, Outlook, and OneNote
    • Describe work management capabilities of Microsoft 365 including Microsoft Project, Planner, Bookings, Forms, Lists, and To Do
  • Describe collaboration solutions of Microsoft 365 (Chapter 2)
    • Describe the collaboration benefits and capabilities of Microsoft 365 including Microsoft Exchange, Outlook, Yammer, SharePoint, OneDrive, and Stream
    • Describe the collaboration benefits and capabilities of Microsoft Teams and Teams Phone
    • Describe the Microsoft Viva apps
    • Describe the ways that you can extend Microsoft Teams by using collaborative apps
  • Describe endpoint modernization, management concepts, and deployment options in Microsoft 365 (Chapter 2)
    • Describe the endpoint management capabilities of Microsoft 365 including Microsoft Endpoint Manager (MEM), Intune, AutoPilot, and Configuration Manager with cloud attach
    • Compare the differences between Windows 365 and Azure Virtual Desktop
    • Describe the deployment and release models for Windows-as-a-Service (WaaS) including deployment rings
    • Identify deployment and update channels for Microsoft 365 Apps
  • Describe analytics capabilities of Microsoft 365 (Chapter 2)
    • Describe the capabilities of Viva Insights
    • Describe the capabilities of the Microsoft 365 Admin center and Microsoft 365 user portal
    • Describe the reports available in the Microsoft 365 Admin center and other admin centers

Describe security, compliance, privacy, and trust in Microsoft 365
  • Describe identity and access management solutions of Microsoft 365 (Chapter 3)
    • Describe the identity and access management capabilities of Microsoft Entra ID
    • Describe cloud identity, on-premises identity, and hybrid identity concepts
    • Describe how Microsoft uses methods such as multi-factor authentication (MFA), self-service password reset (SSPR), and conditional access to keep identities, access, and data secure
  • Describe threat protection solutions of Microsoft 365 (Chapter 3)
    • Describe Microsoft 365 Defender, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and the Microsoft 365 Defender Portal
    • Describe Microsoft Secure Score benefits and capabilities
    • Describe how Microsoft 365 addresses the most common types of threats against endpoints, applications, and identities
  • Describe trust, privacy, risk, and compliance solutions of Microsoft 365 (Chapter 3)
    • Describe the Zero Trust Model
    • Describe Microsoft Purview and compliance solutions such as insider risk, auditing, and eDiscovery
    • Describe how Microsoft supports data residency to ensure regulatory compliance
    • Describe information protection features such as sensitivity labels and data loss prevention
    • Describe the capabilities and benefits of Microsoft Priva

Describe Microsoft 365 pricing, licensing, and support
  • Identify Microsoft 365 pricing and billing management options (Chapter 4)
    • Describe the pricing model for Microsoft cloud services including enterprise agreements, cloud solution providers, and direct billing
    • Describe available billing and bill management options including billing frequency and methods of payment
  • Identify licensing options available in Microsoft 365 (Chapter 4)
    • Describe license management
    • Describe the differences between base licensing and add-on licensing
  • Identify support options for Microsoft 365 services (Chapter 4)
    • Describe how to create a support request for Microsoft 365 services
    • Describe support options for Microsoft 365 services
    • Describe service level agreements (SLAs) including service credits
    • Determine service health status by using the Microsoft 365 admin center or the Microsoft Entra admin center

Describe service level agreements (SLAs), including service credits-Understand Microsoft 365 pricing and support-2

In the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services document, dated August 1, 2023, the terms for each of the individual cloud services are listed with the following information:

  • Downtime Specifies exactly what type or types of service interruption legally constitute downtime in the terms of the agreement. Some of the definitions of downtime for cloud services included in Microsoft 365 are shown in Table 4-5.
  • Monthly Uptime Percentage Specifies the formula by which the percentage of uptime is calculated for each month, considering the number of minutes the service was considered to be down and the number of user licenses affected by the outage. For example, the following formula subtracts the total number of downtime minutes for all the users from the total user minutes and calculates a percentage from that:

Monthly Uptime Percentage = (User Minutes − Downtime Minutes) / User Minutes × 100

  • Service Credit Specifies the percentage of the monthly subscription fee that will be credited to the subscriber’s account based on the calculated monthly uptime percentage. For example, Microsoft’s SLA for Microsoft 365 Apps for Enterprise guarantees 99.9 percent uptime, so the service credit for months that do not meet that percentage is calculated as shown in Table 4-6. Other Microsoft services can have different SLA guarantees, such as Azure Active Directory, which has a 99.99 percent guaranteed uptime.
  • Additional Terms Identifies other parts of the document that might define other conditions constituting a refundable service outage. For example, a failure of Exchange Online to detect viruses or filter spam as agreed in the SLA can qualify for a service credit, even if no downtime occurs.

 

TABLE 4-5 Definitions of downtime in the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services

Cloud Service: Definition of downtime

  • Azure Active Directory Premium: Any period of time when users are unable to log in to the Azure Active Directory service, or Azure Active Directory fails to successfully emit the authentication and authorization tokens required for users to log in to applications connected to the service.
  • Exchange Online: Any period of time when users are unable to send or receive email with Outlook Web Access.
  • Microsoft Teams: Any period of time when end users are unable to conduct instant messaging conversations or initiate online meetings.
  • Microsoft 365 Apps for Business: Any period of time when Office applications are put into reduced functionality mode due to an issue with Office 365 activation.
  • Office Online: Any period of time when users are unable to use the web applications to view and edit any Office document stored on a SharePoint Online site for which they have appropriate permissions.
  • OneDrive for Business: Any period of time when users are unable to view or edit files stored on their personal OneDrive for Business storage.
  • SharePoint Online: Any period of time when users are unable to read or write any portion of a SharePoint Online site collection for which they have appropriate permissions.
  • Yammer Enterprise: Any period of time greater than 10 minutes when more than 5 percent of end users are unable to post or read messages on any portion of the Yammer network for which they have appropriate permissions.
  • Microsoft Intune: Any period of time when the customer's IT administrator or users authorized by the customer are unable to log on with proper credentials. Scheduled downtime will not exceed 10 hours per calendar year.
  • Microsoft Defender for Endpoint: The total accumulated minutes that are part of Maximum Available Minutes in which the customer is unable to access any portion of a Microsoft Defender for Endpoint portal site collection for which they have appropriate permissions and the customer has a valid, active license.

 

TABLE 4-6 Service credit for monthly uptime percentages in the Microsoft Volume Licensing Service Level Agreement for Microsoft 365 Apps for Enterprise

Monthly Uptime Percentage     Service Credit
Less than 99.9 percent        25 percent
Less than 99 percent          50 percent
Less than 95 percent          100 percent

Microsoft requires subscribers to file a claim for service credits containing evidence of the outages, as described in the following SLA excerpt:

In order for Microsoft to consider a claim, you must submit the claim to customer support at Microsoft Corporation including all information necessary for Microsoft to validate the claim, including but not limited to: (i) a detailed description of the Incident; (ii) information regarding the time and duration of the Downtime; (iii) the number and location(s) of affected users (if applicable); and (iv) descriptions of your attempts to resolve the Incident at the time of occurrence.

Generally speaking, it appears as though the SLA for Microsoft’s online services is rarely even needed. For example, Table 4-7 lists the worldwide quarterly uptime percentages for the Microsoft 365 cloud services in recent years, and none of the figures even comes close to dropping below the 99.9 percent uptime guaranteed for most of the Microsoft 365 services. This is not to say that there weren’t a few isolated outages resulting in service credits, but the overall record for the Microsoft 365 products is impressive.

 

TABLE 4-7 Quarterly Uptime Percentages for Microsoft 365, 2019 to 2023

Year    Quarter 1        Quarter 2        Quarter 3        Quarter 4
2023    99.98 percent    99.99 percent
2022    99.98 percent    99.98 percent    99.99 percent    99.99 percent
2021    99.97 percent    99.98 percent    99.99 percent    99.98 percent
2020    99.98 percent    99.99 percent    99.97 percent    99.97 percent
2019    99.97 percent    99.97 percent    99.98 percent    99.98 percent

Describe how to create a support request for Microsoft 365 services-Understand Microsoft 365 pricing and support

The Microsoft 365 support subscribers receive depends on their subscription level and how they obtained it. Nearly every page in the Microsoft 365 admin center console has a Help & Support button in the bottom-right corner and a Support menu allowing administrators to search for help with specific problems and create support requests when a solution is unavailable in the existing help information. Telephone and email support are also available.

To prevent excessive use and abuse of its support services, Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites. Table 4-3 lists some of the responsibilities of each entity.

 

TABLE 4-3 Responsibilities of Microsoft 365 administrators and Microsoft Support

Microsoft 365 Administrator Responsibilities
  • Service setup, configuration, and maintenance
  • User account creation, configuration, and maintenance
  • Primary support contact for enterprise users
  • Gather information from users about technical support issues
  • Address user software installation and configuration issues
  • Troubleshoot service availability issues within the bounds of the organization
  • Utilize Microsoft online resources to resolve support issues
  • Authorization and submission of support issues to Microsoft

Microsoft Support Responsibilities
  • Respond to support issues submitted by subscribers
  • Gather information about technical support issues from subscribers
  • Provide subscribers with technical guidance for submitted issues
  • Troubleshoot subscriber issues and relay pertinent solution information
  • Maintain communication with subscribers regarding ongoing service issues
  • Provide guidance for presales and trial-edition evaluators
  • Provide licensing, subscription, and billing support
  • Gather customer feedback for service improvement purposes

Microsoft 365 administrators are expected to do what they can to address a support issue before submitting a support request to Microsoft. There are considerable Microsoft online support, training, blog, and forum resources available for this purpose, including the following:

When an administrator clicks the Help & Support button in the Microsoft 365 admin center console or opens the Support menu and selects New Service Request, a How Can We Help? pane appears, prompting for a description of the issue. Based on the furnished description, relevant material appears, such as step-by-step procedures and links to product documentation that might be helpful, as shown in Figure 4-14.

  

FIGURE 4-14 Microsoft 365 admin center’s How Can We Help? pane

At the bottom of the How Can We Help? pane is a Contact Support link that opens the pane shown in Figure 4-15. In this pane, the administrator can provide a more detailed description of the issue, add contact information, specify time zone and language references, and attach documents pertinent to the issue.

  

FIGURE 4-15 Microsoft 365 admin center’s Contact Support pane

Support provided with the Microsoft 365 product is intended primarily to provide help with service installation and configuration issues, such as the following:

  • Microsoft Entra ID (Azure Active Directory) Domain setup, synchronization with on-premises Active Directory, and single sign-on configuration
  • Microsoft 365 Service configuration issues
  • Exchange Online Mailbox migration and configuration, autodiscover configuration, setting mailbox permissions, sharing mailboxes, and creating mail forwarding rules
  • SharePoint Creation of user groups, assigning site permissions, and external user configuration
  • Microsoft 365 Apps for Business Office application installation on various device platforms
  • Microsoft Teams Setup of a Microsoft Teams environment and creating contacts
  • Microsoft Intune Mobile device and application management setup

When subscribers submit support requests to Microsoft, they go through a triage process and are assigned a severity level using the values shown in Table 4-4.

 

TABLE 4-4 Microsoft Support severity levels

  • Critical (Sev A): One or more services are inaccessible or nonfunctional. Productivity or profit is impacted. Multiple users are affected. Immediate attention is required. Examples: problems sending or receiving email with Outlook/Exchange Online; SharePoint or OneDrive sites are inaccessible; cannot send or receive messages or calls in Microsoft Teams.
  • High (Sev B): One or more services are impaired but still usable. A single user or customer is affected. Attention can wait until business hours. Examples: critical service functionality is delayed or partially impaired but operational; noncritical functions of a critical service are impaired; a function is unusable in a graphical interface but accessible using PowerShell.
  • Non-critical (Sev C): One or more functions with minimal productivity or profit impact are impaired. One or more users are affected, but a workaround allows continued functionality. Examples: problems configuring password expiration options; problems archiving messages in Outlook/Exchange Online; problems editing SharePoint sites.

After submitting support requests, administrators can monitor their progress in the Microsoft 365 admin center by selecting View Service Requests from the Support menu to display a list of all the support tickets associated with the account.

Describe license management-Understand Microsoft 365 pricing and support

To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL). Typically, an administrator for an organization deploying Microsoft 365 creates a tenancy in Microsoft Entra ID (Azure Active Directory), purchases a specific number of USLs, and then assigns them to users in the Microsoft 365 admin center console by selecting Licenses in the Billing menu, as shown in Figure 4-12.

  

FIGURE 4-12 A License Details page in Microsoft 365 admin center

Global administrators or user management administrators can assign licenses to up to 20 users at once from this interface. It is also possible to assign licenses to hybrid user accounts created through Active Directory synchronization or federation or while creating new user accounts in the Microsoft 365 admin center.

Assigning a Microsoft 365 license to a user causes the following events to occur:

  • Exchange Online creates a mailbox for the user
  • SharePoint grants the user edit permissions for the default team site
  • Microsoft 365 enables the user to download and install the Office productivity applications on up to five devices

From the Purchase Services page in the admin center, administrators can also purchase additional Microsoft 365 USLs or licenses for add-on products, as shown in Figure 4-13.

  

FIGURE 4-13 The Purchase Services page in Microsoft 365 admin center

Microsoft offers four different USL types for each of the Microsoft 365 products, depending on the purchaser’s existing relationship with the company, as follows:

  • Full USL This is a complete Microsoft 365 license for new purchasers who do not have existing Microsoft product licenses or for owners of on-premises Microsoft product licenses that do not include Software Assurance—Microsoft’s software maintenance agreement.
  • Add-on USL This is a license for purchasers with existing on-premises Microsoft product licenses, including Software Assurance, who want to maintain their infrastructure while adding Microsoft 365 cloud services in a pilot or hybrid deployment.
  • From SA USL This is a license for purchasers with existing perpetual Microsoft product licenses, including Software Assurance, who want to transition to a cloud-based infrastructure with continued Software Assurance for the Microsoft 365 product. Qualifying purchasers can only obtain From SA USLs at their contract renewal time and must maintain their existing Software Assurance agreement. A Microsoft 365 Software Assurance agreement includes cloud-oriented benefits, such as Deployment Planning Services, Home Use Program, online user training courses, and additional support incidents.
  • Step-up USL This is a license for current Microsoft customers who want to upgrade their subscriptions during an existing enrollment or agreement period, such as from Office 365 to Microsoft 365 or from Microsoft 365 Business to Microsoft 365 Enterprise E3.

Because the Add-on USLs, From SA USLs, and Step-up USLs are intended for existing Microsoft customers, their prices reflect significant discounts from the Full USL price.

Security-Understand Microsoft 365 pricing and support

For many IT professionals who are hesitant to move their operations to the cloud, security is the biggest issue that concerns them. The idea of storing sensitive company data on Internet servers, over which they have no direct control—and for which they do not even know the exact location—can be frightening. However, Microsoft has invested an enormous amount of time, effort, and expense into securing its datacenters, and Microsoft 365 includes an array of security tools that subscribers can utilize to provide defense against outside intrusions.

Every security situation is a matter of judgment. Administrators must evaluate the organization’s data and decide how much security it requires. In cases of highly sensitive data, the prospect of storing it in the cloud should rightly be frightening. In such cases, it might be necessary for an organization to maintain local storage and split the enterprise functionality between cloud-based and on-premises systems.

As noted elsewhere in this book, Microsoft maintains dozens of datacenters worldwide. The fact that Microsoft’s cloud services are storing data for thousands of organizations means they have the incentive and the capital to build datacenters with equipment and physical security that only the largest corporations could conceivably duplicate. For most prospective Microsoft 365 subscribers, the cloud will provide greater physical security, higher availability, and more fault tolerance than they could provide themselves.

Therefore, if the Microsoft datacenters can be considered safe against physical theft and most natural disasters, the remaining security concerns are centered around protecting identities, devices, and documents. These concerns threaten any enterprise network, whether on-premises or in the cloud. Unauthorized users can conceivably gain access to sensitive data wherever it is stored, and IT professionals must always try to prevent that from happening.

Security is a continuously developing challenge, with threats growing as quickly as the means to protect against them. For administrators who want to use Microsoft products to keep up with the latest developing threats, there is no question that the latest and best security tools that Microsoft makes are to be found in cloud-based platforms, such as Microsoft 365. Perpetual products, such as Exchange Server and Office 2021, are being left behind in their security capabilities in favor of Software as a Service (SaaS) products like Microsoft 365, Exchange Online, and the cloud-based SharePoint.

The Microsoft 365 security components include the following:

  • Microsoft Intune Provides device and application management services that allow mobile devices to join the network only if they comply with security policies that ensure they are appropriately equipped and configured
  • Azure Information Protection Enables users and administrators to apply classification labels to documents and implement various types of protection based on the labels, such as access restrictions and data encryption
  • Data Loss Prevention Enables the automated discovery of documents that contain common data patterns, such as those of credit cards and Social Security numbers, using preconfigured sensitive information types
  • Microsoft Defender for Cloud Apps Analyzes firewall and proxy traffic logs to identify the cloud apps that users are accessing (shadow IT discovery) and enables administrators to assess each app's risk and sanction or unsanction individual apps
  • Microsoft Entra ID Protection Evaluates the sign-in activities of individual user accounts and assigns them risk levels that increment when multiple negative events occur
  • Microsoft Defender for Identity Uses sensors on on-premises Active Directory domain controllers to detect and help remediate identity threats such as credential theft and lateral movement, by analyzing user behavior and comparing it to known attack patterns
  • Microsoft Advanced Threat Analytics Captures network traffic and log information and analyzes it to identify suspicious behaviors related to known phases of typical attack processes
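The Data Loss Prevention bullet above says that preconfigured sensitive information types detect "common data patterns". What makes such a type useful is that it does more than a regular expression: a pattern match alone produces many false positives, so the detection combines the pattern with a checksum (the Luhn test that every payment card number satisfies) or with structural issuance rules (for U.S. Social Security numbers). The following Python is an added example written for this page, not Microsoft's code and not the product's actual rule set; the sample document and the simplified patterns are constructed for the illustration.

```python
import re

# Constructed sample text standing in for a document that a DLP policy scans.
# It contains one card number in a valid format (a well-known test number),
# one well-formed SSN, and look-alike values that a naive regex would flag.
SAMPLE_DOCUMENT = """\
Invoice 2023-0042 for customer ref 4111 1111 1111 1111 (card on file).
Candidate SSN 219-09-9999 submitted with application.
Tracking number 1234567812345678 is not a card.
Employee ID 999-99-9999 and order 000-12-3456 should not match as SSNs.
"""

# 14 to 19 digits, optionally separated by spaces or hyphens, and not embedded
# in a longer run of digits. A hypothetical simplification of the real
# "Credit Card Number" sensitive information type.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")
# Area-group-serial layout of a U.S. Social Security number.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued, and neither are group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_credit_cards(text: str) -> list[str]:
    """Return normalized card numbers that match the pattern AND the checksum."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """Return SSN-shaped strings that also pass the SSA structural rules."""
    return [
        m.group(0)
        for m in SSN_PATTERN.finditer(text)
        if plausible_ssn(*m.groups())
    ]


def scan_document(text: str) -> dict[str, list[str]]:
    """Classify a document the way a DLP policy would before deciding whether
    to warn, audit, or block: report each sensitive information type found."""
    return {"credit_cards": find_credit_cards(text), "ssns": find_ssns(text)}


if __name__ == "__main__":
    for sit, values in scan_document(SAMPLE_DOCUMENT).items():
        print(f"{sit}: {values}")
```

Running the block reports only the Luhn-valid card number and the structurally valid SSN; the 16-digit tracking number and the two SSN look-alikes are rejected even though they match the patterns. The shipped sensitive information types go one step further and look for supporting evidence near the match (keywords such as "card" or "SSN", or an expiry date) to assign a confidence level, and a DLP rule then chooses its action by confidence and match count. That is why a bare regular expression in a custom sensitive information type is a poor substitute for the preconfigured ones.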

Another aspect of Microsoft 365 that might help to convince traditionalists that a cloud platform can be secure is its use of intelligent analysis to identify behavior indicative of an attack. Microsoft 365 Defender (renamed Microsoft Defender XDR in late 2023) correlates signals from devices, identities, email, and cloud apps, and uses endpoint behavioral sensors, cloud security analytics, and threat intelligence to prevent, discover, investigate, and remediate potential and actual threats across those services rather than within each product in isolation.

Cost-benefit analysis for cloud vs. on-premises networks-Understand Microsoft 365 pricing and support

Evaluating the total cost of ownership (TCO) for a Microsoft 365 implementation is the relatively simple part of a cost-benefit analysis. There is a monthly or annual fee for each Microsoft 365 user subscription, and those subscriber fees are predictable and ongoing. Contracts might be renewed with different prices at intervals, but those costs still remain predictable. It is possible that costs could rise precipitously in the future when the contracts are renewed, and the subscriber might feel locked into one provider, but that is a risk with any software product.

Predicting the cost of an on-premises network is more difficult. It is common for businesses to categorize their expenses by distinguishing between two types of expenditures, as follows:

  • Capital expenditures (CapEx) are one-time purchases of fixed assets, such as buildings, servers and other hardware, and purchased software, together with the expense of deploying them.
  • Operational expenditures (OpEx) are ongoing expenses, such as rent, utilities, staff, and maintenance.

The basic differences between CapEx and OpEx expenditures are shown in Table 4-2.

 

TABLE 4-2 Capital expenditures versus operational expenditures

              Capital Expenditures (CapEx)                          Operational Expenditures (OpEx)
Purpose       Hardware and software assets with at least one        Ongoing business costs
              year of usefulness
Payment       Initial lump sum                                      Recurring monthly or annual
Accounting    Three or more years of asset depreciation             Current month or year
Description   Property, equipment, software                         Operating costs
Taxes         Multiple years of deduction based on depreciation     Current year deduction

For a Microsoft 365 shop, nearly all the expenses are OpEx, including the subscription fees. There are virtually no CapEx expenses involved, except perhaps for things like initial administrator cloud training. Businesses like working with OpEx expenses because they enable them to create accurate budgets and forecasts.

For an on-premises network, the CapEx outlay required to set up the infrastructure can be enormous, including the cost of building and equipping datacenters and purchasing server software products. Depending on the nature of the business and the sensitivity of the data involved, these expenses can be multiplied by the need for redundant datacenters and equipment. These large expenses must be paid before the network can even go live. The CapEx costs can be amortized or depreciated in the company’s accounts over a period of years, but the initial investment is substantial compared to that of a cloud-based network, which requires almost none.

An on-premises network also has OpEx expenses, including rent, power, and other utilities datacenters require, and the salaries of the staff needed to operate and maintain the datacenter equipment. There are also expensive software upgrades to consider every two to three years. The main cost benefit of an on-premises network is that hardware and software are purchased outright and do not require monthly subscription fees.

There are other factors to consider as well. When designing an on-premises network, the organization must consider the possibility of future growth, as well as seasonal business fluctuations. Therefore, the already substantial CapEx outlay can be increased by the cost of the additional datacenter space and equipment needed to support the busiest times of the year, as well as several years of predicted growth.

A cloud-based infrastructure like that of Microsoft 365 uses a pay-as-you-go model, which can accommodate virtually unlimited growth and occasional business fluctuations with no extra expenses other than the increased subscription fees for the extra services. The organization never pays for hardware and software that it isn’t using. In addition, the growth and fluctuations can be accommodated almost immediately and downsized when necessary, while on-premises resources can require months to approve, obtain, and install.

The entire cost-benefit analysis can be further complicated if the organization has already invested substantially in on-premises infrastructure. For example, if the expanding company already has sufficient space in its datacenters and sufficient IT staff, the CapEx needed for a network expansion can be much less than it would be for an entirely new network installation. The question then becomes whether it is more economical to add to the existing on-premises infrastructure or expand into the cloud, creating a hybrid network that might require additional planning and training to bring personnel up to speed in cloud technologies.

The conclusion can only be that every organization must consider its own economic, personnel, and business situations and calculate the TCO of its network options. In a new deployment, a subscription-based, cloud-based option such as Microsoft 365 can be faster and less expensive to implement, but there are many situations in which organizations might be compelled to consider an on-premises network instead.

 Exam Tip

Candidates for the MS-900 exam seeking greater familiarity with the characteristics of cloud-based services versus on-premises services should also consult the “Describe the benefits of and considerations for using cloud, hybrid, or on-premises services” section in Chapter 1, “Describe cloud concepts.”

Compliance-Understand Microsoft 365 pricing and support

As the proliferation and value of data increases over time, businesses, agencies, and individuals are becoming increasingly concerned with the privacy and protection of their data. Hundreds of regulatory bodies, private and governmental, define what that protection must consist of and publish standards for data storage and handling.

Some of the most common data privacy standards in use today are as follows:

  • Federal Information Security Modernization Act (FISMA) Specifies how U.S. federal agencies and their contractors must protect information and information systems
  • Health Insurance Portability and Accountability Act (HIPAA) Regulates the privacy and security of protected health information in the United States
  • Family Educational Rights and Privacy Act (FERPA) Regulates the disclosure of student education records in the United States
  • Personal Information Protection and Electronic Documents Act (PIPEDA) Canadian law specifying how commercial organizations can collect, retain, and share personal information
  • Gramm–Leach–Bliley Act (GLBA) Specifies how U.S. financial institutions must protect and share the personal information of their customers
  • General Data Protection Regulation (GDPR) Specifies data protection and privacy rules for individuals in the European Union and European Economic Area, regardless of their citizenship, and applies to organizations anywhere that process their data

These standards can define elements such as the following:

  • The controls that organizations must exercise to protect the privacy of personal data
  • How organizations can and cannot use personal data
  • The rights of government and other official agencies to access personal data held by an organization
  • The lengths of time an organization can and must retain individuals’ personal data
  • The rights of individuals to access and correct their personal data held by organizations

Whether adopting certain standards is mandatory or voluntary, many organizations are concerned with whether the tools and procedures they use for storing and handling data comply with these standards.

Every organization must assess its own data resources and determine what standards should apply to them. The nature of the business in which the organization is engaged can often dictate compliance with particular standards. For example, companies in the health care industry or those with government contracts might be legally required to store, handle, and protect their data in specific ways. Indeed, there are regulatory standards to which Microsoft 365 products on their own cannot possibly comply, such as those requiring data to be stored on devices and in locations wholly owned and controlled by the organization, precluding cloud storage entirely.

However, many of the hundreds of privacy standards in use do allow compliance when data is stored in the cloud, and Microsoft is well aware of the importance of adherence to these standards for many organizations considering a migration. For IT professionals who hesitate to adopt Microsoft 365 because they fear that changing the location and storage conditions of their data will jeopardize compliance, Microsoft has its services audited by independent third parties against many of these standards and publishes the resulting reports and certifications. Note that such certifications cover Microsoft’s side of the shared responsibility; how the organization configures the tenant and classifies its data remains its own obligation.

Microsoft divides the compliance effort into three phases, as shown in Figure 4-11. The phases are described as follows:

  

FIGURE 4-11 Microsoft compliance phases

  • Assess The organization gathers the information needed to assess its current compliance status and produce a plan to achieve or maintain compliance with specific standards. Microsoft’s Service Trust Portal website contains a vast library of documents specifying information about the testing processes and the third parties involved in compliance testing. Also, Microsoft Purview includes Compliance Manager, a risk assessment tool organizations can use to record their actions to achieve compliance with specific standards.
  • Protect The organization implements a protection plan for its data, based on its sensitivity, using the tools provided in the Microsoft 365 services, including access control permissions, file encryption, Information Protection, and Data Loss Prevention.
  • Respond The organization develops protocols for responding to regulatory requests and legal holds, using search and case-management tools such as Microsoft Purview eDiscovery to perform complex searches of Exchange Online mailboxes, Microsoft 365 Groups, SharePoint and OneDrive sites, and Microsoft Teams conversations.

Need More Review? Microsoft 365 Compliance

For additional information on Microsoft 365’s compliance efforts, see the “Describe trust, privacy, risk, and compliance solutions in Microsoft 365” section in Chapter 3, “Describe security, compliance, privacy, and trust in Microsoft 365.”

Quick check

What is the difference between a Cloud Solution Provider that is an indirect reseller and one that is an indirect provider?

Quick check answer

  • An indirect reseller is typically a smaller company that concentrates on locating, cultivating, and signing customers for Microsoft cloud-based products and services. An indirect provider is a larger company, engaged by indirect resellers, that is responsible for supplying the products, billing, customer service, and technical support to those customers.

Microsoft 365 Government-Understand Microsoft 365 pricing and support

In addition to the core Microsoft 365 subscriptions mentioned earlier, Microsoft has also created specialized packages for governmental and educational organizations designed to suit their specific needs. The Microsoft 365 Government G3 and G5 subscriptions contain the same tools and services found in their Enterprise E3 and E5 equivalents, but the packages are designed to adhere to the additional compliance regulations and requirements to which United States government entities are often subject.

For all the Microsoft 365 Government products, data is stored under special conditions, including the following:

  • All Microsoft 365 Government user content, including Exchange Online mailboxes, SharePoint site content, Skype for Business conversations, and Microsoft Teams chat transcripts, is stored in datacenters located within the United States.
  • The user content generated by Microsoft 365 Government subscribers is logically segregated from commercial Microsoft 365 user content within the Microsoft datacenters.
  • Access to Microsoft 365 Government user content within the Microsoft datacenters is restricted to employees who have undergone additional security screening.

Access to Microsoft 365 Government products is restricted to United States federal, state, local, tribal, or territorial government entities and other entities required to handle government data in compliance with the same regulations and requirements as a government entity. Eligibility to purchase these products is subject to verification by Microsoft using various government resources, including those of law enforcement agencies and the Department of State, as well as government standards, such as the International Traffic in Arms Regulations (ITAR) and the FBI’s Criminal Justice Information Services (CJIS) Policy.

In addition to the Microsoft 365 Government G3 and G5 subscriptions, which define the products’ feature sets, there are versions of Microsoft 365 Government that define various levels of security and compliance, including the following:

  • Microsoft 365 U.S. Government Community (GCC) Intended for Federal Risk and Authorization Management Program (FedRAMP) Moderate impact situations; also complies with Internal Revenue Service Publication 1075, the U.S. Criminal Justice Information Services (CJIS) Security Policy, and the U.S. Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 2, which covers non-controlled unclassified information
  • Microsoft 365 U.S. Government Community (GCC) High Intended for FedRAMP High impact situations; complies with the International Traffic in Arms Regulations (ITAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and DoD SRG Impact Level 4
  • Microsoft 365 DoD Restricted to the exclusive use of U.S. Department of Defense agencies; complies with DoD SRG Impact Level 5, which covers controlled unclassified information and unclassified national security systems

In addition to the Microsoft 365 Government subscriptions, Microsoft also maintains an alternative means of accessing Microsoft 365 cloud services, called Azure Government ExpressRoute, which is a private, dedicated network connection to the Microsoft cloud services for eligible subscribers that have regulatory requirements that prevent them from using the public Internet.