Determine service health status by using the Microsoft 365 admin center or the Microsoft Entra admin center

Monitoring the continuous operation of the Microsoft 365 services is a critical part of the administration process, and the Microsoft 365 admin center includes a Health menu that provides a real-time display of the status of the individual services when administrators select the Service Health option, as shown in Figure 4-17.

  

FIGURE 4-17 The Service Health page in the Microsoft 365 admin center

In addition to displaying the healthy services, the Service Health screen also lists other service status conditions:

  • Advisories: Indicates that the service is still available but that a known condition is inhibiting its performance. The condition might cause intermittent interruptions, affect only some users, or be limited in scope. In some cases, a workaround might be available.
  • Incidents: Indicates that a critical issue has been discovered that is rendering all or a significant part of the service unavailable or unusable. Typically, incidents are updated on their detail pages with information about the issue’s investigation, mitigation, and resolution.

Selecting the Issue History tab on the Service Health page displays details about the resolved incidents and advisories, as shown in Figure 4-18, including the service affected, its current status, and the time the advisory was posted.

  

FIGURE 4-18 The Issue History tab of the Service Health page in the Microsoft 365 admin center

The Status indicators on the Service Health pages can have values such as the following:

  • Investigating: Indicates that Microsoft is aware of the issue and is currently gathering information before taking action
  • Service Degradation: Indicates that the service is experiencing intermittent interruptions, performance slowdowns, or failure of specific features
  • Service Interruption: Indicates that a significant, repeatable issue is occurring, which is preventing users from accessing the service
  • Restoring Service: Indicates that the cause of the issue has been determined and remediation is underway, which will result in service restoration
  • Extended Recovery: Indicates that remediation of the issue is in progress, but restoring service for all users may take some time or that an interim fix is in place that restores service until a permanent solution is applied
  • Investigation Suspended: Indicates that Microsoft is awaiting information from subscribers or other parties before the issue can be diagnosed or further action can be taken
  • Service Restored: Indicates that Microsoft has taken corrective action to address the issue and has successfully brought the service back to a healthy state
  • Post-Incident Report Published: Indicates that documentation on the issue has been published containing an explanation of the root cause and steps to prevent a reoccurrence

Each advisory or incident includes a detail page containing more information, as shown in Figure 4-19. This information may include a greater elaboration on the user impact of the advisory or incident and a log of its status as it proceeds through the process of being addressed, documented, and resolved.

  

FIGURE 4-19 An advisory detail pane in the Microsoft 365 admin center

When an incident prevents administrators from signing in to the Microsoft 365 admin center console, a separate Microsoft 365 Service Health Status page (available at status.office365.com) indicates the health of the Microsoft 365 services, as shown in Figure 4-20.

  

FIGURE 4-20 The Microsoft 365 Service Health Status page

It is also possible to monitor the health of the various Microsoft 365 services in the Microsoft Entra admin center and create new service requests, as shown in Figure 4-21.

  

FIGURE 4-21 The New Support Request page in the Microsoft Entra admin center

Describe service level agreements (SLAs), including service credits (part 2)

In the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services document, dated August 1, 2023, the terms for each of the individual cloud services are listed with the following information:

  • Downtime: Specifies exactly what type or types of service interruption legally constitute downtime in the terms of the agreement. Some of the definitions of downtime for cloud services included in Microsoft 365 are shown in Table 4-5.
  • Monthly Uptime Percentage: Specifies the formula by which the percentage of uptime is calculated for each month, considering the number of minutes the service was considered to be down and the number of user licenses affected by the outage. For example, the following formula subtracts the total number of downtime minutes for all the users from the total user minutes and calculates a percentage from that:

$$\frac{\text{User Minutes} - \text{Downtime Minutes}}{\text{User Minutes}}$$

  • Service Credit: Specifies the percentage of the monthly subscription fee that will be credited to the subscriber’s account based on the calculated monthly uptime percentage. For example, Microsoft’s SLA for Microsoft 365 Apps for Enterprise guarantees 99.9 percent uptime, so the service credit for months that do not meet that percentage is calculated as shown in Table 4-6. Other Microsoft services can have different SLA guarantees, such as Azure Active Directory, which has a 99.99 percent guaranteed uptime.
  • Additional Terms: Identifies other parts of the document that might define other conditions constituting a refundable service outage. For example, a failure of Exchange Online to detect viruses or filter spam as agreed in the SLA can qualify for a service credit, even if no downtime occurs.

 

TABLE 4-5 Definitions of downtime in the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services

| Cloud Service | Definition of downtime |
| --- | --- |
| Azure Active Directory Premium | Any period of time when users are unable to log in to the Azure Active Directory service, or Azure Active Directory fails to successfully emit the authentication and authorization tokens required for users to log into applications connected to the service. |
| Exchange Online | Any period of time when users are unable to send or receive email with Outlook Web Access. |
| Microsoft Teams | Any period of time when end users are unable to conduct instant messaging conversations or initiate online meetings. |
| Microsoft 365 Apps for Business | Any period of time when Office applications are put into reduced functionality mode due to an issue with Office 365 activation. |
| Office Online | Any period of time when users are unable to use the web applications to view and edit any Office document stored on a SharePoint Online site for which they have appropriate permissions. |
| OneDrive for Business | Any period of time when users are unable to view or edit files stored on their personal OneDrive for Business storage. |
| SharePoint Online | Any period of time when users are unable to read or write any portion of a SharePoint Online site collection for which they have appropriate permissions. |
| Yammer Enterprise | Any period of time greater than 10 minutes when more than 5 percent of end users are unable to post or read messages on any portion of the Yammer network for which they have appropriate permissions. |
| Microsoft Intune | Any period of time when the customer’s IT administrator or users authorized by customer are unable to log on with proper credentials. Scheduled downtime will not exceed 10 hours per calendar year. |
| Microsoft Defender for Endpoint | The total accumulated minutes that are part of Maximum Available Minutes in which the customer is unable to access any portion of a Microsoft Defender for Endpoint portal site collections for which they have appropriate permissions and the customer has a valid, active license. |

 

TABLE 4-6 Service credit for monthly uptime percentages in the Microsoft Volume Licensing Service Level Agreement for Microsoft 365 Apps for Enterprise

| Monthly Uptime Percentage | Service Credit |
| --- | --- |
| Less than 99.9 percent | 25 percent |
| Less than 99 percent | 50 percent |
| Less than 95 percent | 100 percent |

Microsoft requires subscribers to file a claim for service credits containing evidence of the outages, as described in the following SLA excerpt:

In order for Microsoft to consider a claim, you must submit the claim to customer support at Microsoft Corporation including all information necessary for Microsoft to validate the claim, including but not limited to: (i) a detailed description of the Incident; (ii) information regarding the time and duration of the Downtime; (iii) the number and location(s) of affected users (if applicable); and (iv) descriptions of your attempts to resolve the Incident at the time of occurrence.
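The following is an added worked example, not taken from the book or from Microsoft. It applies the Monthly Uptime Percentage formula and the Table 4-6 credit tiers to constructed incident records that carry the evidence fields the claim excerpt asks for. It assumes User Minutes is the minutes in the month multiplied by licensed users, Downtime Minutes is each incident's duration multiplied by its affected users, and all function and field names are hypothetical.

```python
"""Added example: SLA uptime and service-credit arithmetic on constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fractions import Fraction

# Table 4-6 tiers, most severe first: (uptime threshold %, service credit %).
CREDIT_TIERS = [(Fraction(95), 100), (Fraction(99), 50), (Fraction(999, 10), 25)]


@dataclass(frozen=True)
class Incident:
    """One outage record with the evidence fields the claim excerpt lists."""
    description: str
    start: datetime       # assumption: all timestamps share one time zone
    end: datetime
    affected_users: int


def minutes_in_month(year, month):
    first = datetime(year, month, 1)
    following = datetime(year + (month == 12), month % 12 + 1, 1)
    return int((following - first).total_seconds() // 60)


def downtime_minutes(incidents, year, month, licensed_users):
    """Sum of (minutes down x users affected), clipped to the billing month.

    Assumption: incidents do not overlap for the same users; overlapping
    records would have to be merged first or they would be counted twice.
    """
    month_start = datetime(year, month, 1)
    month_end = month_start + timedelta(minutes=minutes_in_month(year, month))
    total = 0
    for inc in incidents:
        if inc.end <= inc.start or inc.affected_users < 0:
            raise ValueError(f"invalid incident record: {inc.description}")
        start, end = max(inc.start, month_start), min(inc.end, month_end)
        if end <= start:
            continue  # incident lies entirely outside this month
        users = min(inc.affected_users, licensed_users)
        total += int((end - start).total_seconds() // 60) * users
    return total


def monthly_uptime(incidents, year, month, licensed_users):
    """(User Minutes - Downtime Minutes) / User Minutes as an exact percentage."""
    if licensed_users <= 0:
        raise ValueError("licensed_users must be positive")
    user_minutes = minutes_in_month(year, month) * licensed_users
    down = min(downtime_minutes(incidents, year, month, licensed_users),
               user_minutes)
    # Fraction keeps the result exact, so a month at exactly 99.9 percent
    # is never pushed across a tier boundary by floating-point rounding.
    return Fraction(user_minutes - down, user_minutes) * 100


def service_credit(uptime_percent):
    """Map an uptime percentage to the Table 4-6 credit ("less than" tiers)."""
    for threshold, credit in CREDIT_TIERS:
        if uptime_percent < threshold:
            return credit
    return 0


def claim_summary(incidents, year, month, licensed_users):
    """Collect the figures and per-incident evidence for a credit claim."""
    uptime = monthly_uptime(incidents, year, month, licensed_users)
    return {
        "user_minutes": minutes_in_month(year, month) * licensed_users,
        "downtime_minutes": downtime_minutes(incidents, year, month,
                                             licensed_users),
        "uptime_percent": f"{float(uptime):.4f}",
        "service_credit_percent": service_credit(uptime),
        "incidents": [(i.description, i.start.isoformat(), i.end.isoformat(),
                       i.affected_users) for i in incidents],
    }


# Constructed sample records for a tenant with 1,000 licensed users.
SAMPLE_INCIDENTS = [
    Incident("Constructed: activation failures, one site",
             datetime(2023, 9, 5, 9, 0), datetime(2023, 9, 5, 11, 30), 400),
    Incident("Constructed: outage spanning the month end",
             datetime(2023, 9, 30, 23, 0), datetime(2023, 10, 1, 2, 0), 1000),
]

if __name__ == "__main__":
    for key, value in claim_summary(SAMPLE_INCIDENTS, 2023, 9, 1000).items():
        print(f"{key}: {value}")
```

The second sample incident crosses midnight on the last day of the month, so only its first 60 minutes count toward September and the remaining 120 minutes count toward October.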

Generally speaking, it appears as though the SLA for Microsoft’s online services is rarely even needed. For example, Table 4-7 lists the worldwide quarterly uptime percentages for the Microsoft 365 cloud services in recent years, and none of the figures even comes close to dropping below the 99.9 percent uptime guaranteed for most of the Microsoft 365 services. This is not to say that there weren’t a few isolated outages resulting in service credits, but the overall record for the Microsoft 365 products is impressive.

 

TABLE 4-7 Quarterly Uptime Percentages for Microsoft 365, 2019 to 2023

| Year | Quarter 1 | Quarter 2 | Quarter 3 | Quarter 4 |
| --- | --- | --- | --- | --- |
| 2023 | 99.98 percent | 99.99 percent |  |  |
| 2022 | 99.98 percent | 99.98 percent | 99.99 percent | 99.99 percent |
| 2021 | 99.97 percent | 99.98 percent | 99.99 percent | 99.98 percent |
| 2020 | 99.98 percent | 99.99 percent | 99.97 percent | 99.97 percent |
| 2019 | 99.97 percent | 99.97 percent | 99.98 percent | 99.98 percent |

Describe service level agreements (SLAs), including service credits (part 1)

When an enterprise uses on-premises servers, it knows that any issues preventing the servers from functioning are its own problem, and it must have the resources to resolve them. This is why organizations often use redundant components, servers, or even datacenters to keep business-critical services available. Many IT professionals prefer this self-reliance; they can be confident of their continued functionality by planning and implementing their services correctly. However, an enterprise that uses cloud-based services must rely on others to keep its services running.

For IT professionals, service outages are one of the potential showstopper issues for the adoption of Microsoft 365 and other cloud-based services. If the services suffer downtime, business stops. While it might not be the IT professionals’ fault, it is their responsibility. What is worse, there is nothing they can do about it except call the provider and shout at them. Depending on the nature of the organization’s business, service downtime can result in lost productivity, lost income, and—in extreme cases—even lost lives.

To address this issue, contracts with cloud service providers typically include a service level agreement (SLA). The SLA guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met. It is important to remember that an organization usually has more than one service provider that is needed to access the cloud. For example, an organization can contract with Microsoft for a certain number of Microsoft 365 subscriptions, but the reliability specified in Microsoft’s SLA means nothing if the organization’s Internet service provider (ISP) fails to provide them with access to the cloud. Therefore, an organization should have a contract with every cloud service provider they use that includes SLA terminology.

When negotiating an SLA with any cloud service provider or Internet service provider, there should be language included to address questions like the following:

  • What formula is used to calculate the service levels that are actually achieved?
  • Who is responsible for maintaining records of service levels?
  • How and when is the subscriber provided with written reports of the service levels achieved?
  • Are there exceptional circumstances specified in the SLA under which service outages are not classified as downtime?
  • How much downtime is expected or allowable for the provider’s scheduled and emergency maintenance?
  • What are the terms of the agreement regarding service interruptions resulting from acts of war, extreme weather, or natural disasters?
  • What are the terms of the agreement regarding service interruptions caused by third-party services, such as power outages?
  • What are the terms of the agreement regarding service interruptions resulting from malicious cyberattacks against the provider?
  • What are the terms of the agreement regarding service interruptions resulting from malicious cyberattacks against the subscriber?
  • What remedy or penalty does the provider supply when they fail to meet the agreed-upon service levels?
  • What is the liability to which the provider is subject when service interruptions cause a loss of business or productivity?

These questions are designed to quantify the nature of the SLA and how it can legally affect the relationship between the provider and the subscriber. For example, a provider can guarantee a 99 percent uptime rate. However, without specific language addressing the point, there is no way to determine exactly what constitutes uptime or downtime. What if a service is only partially operational, with some tasks functional and others not? Does that constitute downtime? There is also the question of what happens when downtime in excess of the guaranteed amount does occur. Is it the responsibility of the subscriber to make a claim? If excessive downtime occurs, is the provider responsible for the subscriber’s lost business during that downtime or just for a prorated subscription fee? If issues like these are not discussed with specific language in the SLA, then they are potential arguments the provider can use to avoid supporting their uptime guarantee.

SLA Limitations

As an example of the terms that might appear in an SLA to limit the responsibility of the cloud service provider, consider the following excerpt from Microsoft’s SLA for Microsoft Entra ID (Azure Active Directory):

This SLA and any applicable Service Levels do not apply to any performance or availability issues:

Disaster, war, acts of terrorism, riots, government action, or a network or device failure external to our data centers, including at your site or between your site and our data center);

That result from the use of services, hardware, or software not provided by us, including, but not limited to, issues resulting from inadequate bandwidth or related to third-party software or services;

That results from failures in a single Microsoft Datacenter location, when your network connectivity is explicitly dependent on that location in a non-geo-resilient manner;

Caused by your use of a Service after we advised you to modify your use of the Service, if you did not modify your use as advised;

During or with respect to preview, pre-release, beta or trial versions of a Service, feature or software (as determined by us) or to purchases made using Microsoft subscription credits;

That result from your unauthorized action or lack of action when required, or from your employees, agents, contractors, or vendors, or anyone gaining access to our network by means of your passwords or equipment, or otherwise resulting from your failure to follow appropriate security practices;

That result from your failure to adhere to any required configurations, use supported platforms, follow any policies for acceptable use, or your use of the Service in a manner inconsistent with the features and functionality of the Service (for example, attempts to perform operations that are not supported) or inconsistent with our published guidance;

That result from faulty input, instructions, or arguments (for example, requests to access files that do not exist);

That result from your attempts to perform operations that exceed prescribed quotas or that resulted from our throttling of suspected abusive behavior;

Due to your use of Service features that are outside of associated Support Windows; or

For licenses reserved, but not paid for, at the time of the Incident.

These limitations are not standard for all SLAs, but they are typical.

Describe support options for Microsoft 365 services

All Microsoft 365 subscriptions include access to basic support services, but for some types of subscribers or subscribers with special needs, there are alternative methods for obtaining support, such as the following:

  • FastTrack: Microsoft’s FastTrack program uses a specialized team of engineers and selected partners to provide subscribers transitioning to the cloud with assistance in the envisioning, onboarding, and ongoing administration processes. Subscribers participating in this program are provided with a contact for support issues during the FastTrack transition.
  • Volume Licensing: Subscribers with an Enterprise Agreement or a Microsoft Products and Services Agreement that includes Software Assurance receive a specified number of support incidents as part of their agreement. The Software Assurance program includes 24×7 telephone support for business-critical issues and business hours or email support for noncritical issues.
  • Cloud Solution Providers: For subscribers who obtain Microsoft 365 through a Cloud Solution Provider (CSP), the CSP should be their first point of contact for all service and support issues during the life of the subscription. The reseller agreement between CSPs and Microsoft calls for the CSP to take full responsibility for supporting their customers, although the CSP can still escalate issues to Microsoft when they cannot resolve them independently.
  • Microsoft Professional Support: Subscribers with support issues beyond the standard service provided with Microsoft 365 can use Microsoft Professional Support to open support requests on a pay-per-incident basis, as shown in Figure 4-16. Individual incidents are available, as are five packs of incidents.

  

FIGURE 4-16 The Create a New Support Request screen in Microsoft Professional Support

  • Microsoft Unified Support: Subscribers can purchase a Microsoft Unified Support plan in addition to their Microsoft 365 subscriptions. Microsoft Unified Support is available at three levels: Core Support, Advanced Support, and Performance Support; each level provides increasing levels of included support hours, incident response times, and access to a technical account manager (TAM), along with increasing prices. Customers also receive access to the Microsoft Services Hub, a support portal that provides forms for submitting support requests, access to ongoing Microsoft support incidents, tools for assessing enterprise workloads, and on-demand education and training materials.

Software assurance

For Enterprise Agreement and, optionally, for Microsoft Products and Services Agreement customers, Software Assurance provides a variety of additional services, including the following, which can benefit Microsoft 365 licensees:

  • Planning Services: Provides a number of partner service days, based on the number of users/devices licensed, to deploy Microsoft operating systems, applications, and services.
  • Microsoft Desktop Optimization Pack (MDOP): Provides a suite of virtualization, management, and restoration utilities, including Advanced Group Policy Management (AGPM), Microsoft Application Virtualization (App-V), Microsoft User Experience Virtualization (UE-V), Microsoft BitLocker Administration and Monitoring (MBAM), and Microsoft Diagnostics and Recovery Toolset (DaRT).
  • Windows Virtual Desktop Access Rights (VDA): Provides users with the rights needed to access virtualized Windows instances.
  • Windows to Go Use Rights: Enables administrators to create and furnish users with USB storage devices containing bootable Windows images that include line-of-business applications and corporate data.
  • Windows Thin PC: Enables administrators to repurpose older computers as Windows Virtual Desktop Interface (VDI) terminals.
  • Enterprise Source Licensing Program: Provides organizations with at least 10,000 users or devices with access to the Windows source code for their own software development projects.
  • Training Vouchers: Provides a number of training days based on the number of users/devices licensed for the technical training of IT professionals and software developers.
  • Step-up License Availability: Allows licensees to migrate their licensed software products to a high-level edition.
  • Spread Payments: Enables organizations to pay for three-year license agreements in three equal, annual payments.

Note Additional Software Assurance Benefits

There are additional Software Assurance benefits included that are intended for on-premises server software licensees, such as New Version Rights, which provides the latest versions of the licensed software released during the term of the agreement, and Server Disaster Recovery Rights and Fail-Over Rights, which provide licensees the right to maintain passive redundant servers for fault-tolerance purposes.

Describe how to create a support request for Microsoft 365 services

The Microsoft 365 support that subscribers receive depends on their subscription level and how they obtained it. Nearly every page in the Microsoft 365 admin center console has a Help & Support button in the bottom-right corner and a Support menu allowing administrators to search for help with specific problems and create support requests when a solution is unavailable in the existing help information. Telephone and email support are also available.

To prevent excessive use and abuse of its support services, Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites. Table 4-3 lists some of the responsibilities of each entity.

 

TABLE 4-3 Responsibilities of Microsoft 365 administrators and Microsoft Support

| Microsoft 365 Administrator Responsibilities | Microsoft Support Responsibilities |
| --- | --- |
| Service setup, configuration, and maintenance | Respond to support issues submitted by subscribers |
| User account creation, configuration, and maintenance | Gather information about technical support issues from subscribers |
| Primary support contact for enterprise users | Provide subscribers with technical guidance for submitted issues |
| Gather information from users about technical support issues | Troubleshoot subscriber issues and relay pertinent solution information |
| Address user software installation and configuration issues | Maintain communication with subscribers regarding ongoing service issues |
| Troubleshoot service availability issues within the bounds of the organization | Provide guidance for presales and trial-edition evaluators |
| Utilize Microsoft online resources to resolve support issues | Provide licensing, subscription, and billing support |
| Authorization and submission of support issues to Microsoft | Gather customer feedback for service improvement purposes |

Microsoft 365 administrators are expected to do what they can to address a support issue before submitting a support request to Microsoft. There are considerable Microsoft online support, training, blog, and forum resources available for this purpose, including the following:

When an administrator clicks the Help & Support button in the Microsoft 365 admin center console or opens the Support menu and selects New Service Request, a How Can We Help? pane appears, prompting a description of the issue. Based on the furnished description, relevant material appears, such as step-by-step procedures and links to product documentation that might be helpful, as shown in Figure 4-14.

  

FIGURE 4-14 Microsoft 365 admin center’s How Can We Help? pane

At the bottom of the How Can We Help? pane is a Contact Support link that opens the pane shown in Figure 4-15. In this pane, the administrator can provide a more detailed description of the issue, add contact information, specify time zone and language references, and attach documents pertinent to the issue.

  

FIGURE 4-15 Microsoft 365 admin center’s Contact Support pane

Support provided with the Microsoft 365 product is intended primarily to provide help with service installation and configuration issues, such as the following:

  • Microsoft Entra ID (Azure Active Directory): Domain setup, synchronization with on-premises Active Directory, and single sign-on configuration
  • Microsoft 365: Service configuration issues
  • Exchange Online: Mailbox migration and configuration, autodiscover configuration, setting mailbox permissions, sharing mailboxes, and creating mail forwarding rules
  • SharePoint: Creation of user groups, assigning site permissions, and external user configuration
  • Microsoft 365 Apps for Business: Office application installation on various device platforms
  • Microsoft Teams: Setup of a Microsoft Teams environment and creating contacts
  • Microsoft Intune: Mobile device and application management setup

When subscribers submit support requests to Microsoft, they go through a triage process and are assigned a severity level using the values shown in Table 4-4.

 

TABLE 4-4 Microsoft Support severity levels

| Severity Level | Description | Examples |
| --- | --- | --- |
| Critical (Sev A) | One or more services are inaccessible or nonfunctional. Productivity or profit is impacted. Multiple users are affected. Immediate attention is required. | Problems sending or receiving email with Outlook/Exchange Online. SharePoint or OneDrive sites are inaccessible. Cannot send or receive messages or calls in Microsoft Teams. |
| High (Sev B) | One or more services are impaired but still usable. A single user or customer is affected. Attention can wait until business hours. | Critical service functionality is delayed or partially impaired but operational. Noncritical functions of a critical service are impaired. A function is unusable in a graphical interface but accessible using PowerShell. |
| Non-critical (Sev C) | One or more functions with minimal productivity or profit impact are impaired. One or more users are affected, but a workaround allows continued functionality. | Problems configuring password expiration options. Problems archiving messages in Outlook/Exchange Online. Problems editing SharePoint sites. |

After submitting support requests, administrators can monitor their progress in the Microsoft 365 admin center by selecting View Service Requests from the Support menu to display a list of all the support tickets associated with the account.

Describe the differences between base licensing and add-on licensing

Many Microsoft 365 services are maintained as separate add-on products, often in two plans, which customers can purchase to augment the capabilities of their base licenses.

For example, the IT administrators for an organization might decide that the price of purchasing Microsoft 365 Enterprise E5 licenses for all of their users is just too high and that the users don’t need all of the advanced features in the E5 product anyway. They choose the Microsoft 365 Enterprise E3 subscription instead, representing substantial cost savings.

Many administrators were attracted to the E5 product because it includes Microsoft Defender for Endpoint Plan 2, which provides endpoint detection and automated incident remediation. However, this feature alone was not enough to justify the difference in price between E3 and E5. Later, the administrators discovered they could purchase the Microsoft 365 E3 subscriptions as their users’ base license and then purchase Microsoft Defender for Endpoint Plan 2 as an add-on license. For this organization, the total cost of the two subscriptions was far less than the price of Microsoft 365 E5.

Microsoft has many add-on products that allow administrators to assemble a working environment with a curated selection of features. Add-on licenses come in two types, as follows:

  • Traditional add-on: An add-on license linked to a particular base subscription. The add-on subscription is also terminated if the base subscription lapses or is canceled.
  • Standalone add-on: An add-on license that appears as a separate subscription on the Billing pages in the Microsoft 365 admin center, with its own expiration date, independent of the base subscription.

Implementing best practices

As mentioned throughout this book, the Microsoft 365 product is a bundle of services, many of which remain available as separate subscriptions. In addition, subscriptions are available for combinations of individual features within these products.

Finally, to further complicate the picture, combining different licenses in a single Microsoft Entra ID tenancy is possible. With all these options available, organizations contemplating a migration to a cloud-based infrastructure or thinking of adding cloud services to an on-premises infrastructure should design a licensing strategy fulfilling the following requirements:

  • Provide the organization’s users with the services they need
  • Avoid providing users with unnecessary services that complicate the maintenance and support processes
  • Minimize subscription costs

Generally speaking, a Microsoft 365 subscription will likely be significantly less expensive than purchasing subscriptions for each component separately. This might be true even if some users do not need all the Microsoft 365 components.

Obviously, the simplest solution is to choose one Microsoft 365 product and purchase the same subscription for all the organization’s users. This can easily fulfill the first of the requirements but might not be a solution for the other two.

Depending on the nature of the business the organization is engaged in, an Enterprise E5 subscription might be suitable for some users, but there might also be many workers who do not need all the applications and services included in Enterprise E5. Depending on the number of users in each group, the expense of purchasing E5 subscriptions for everyone could be extremely wasteful and require additional administrative effort to provide customized environments for the different user groups. This is one of the primary reasons why Microsoft offers the Microsoft 365 F1 subscription for first-line workers.

Note Microsoft 365 F1

For more information on the Microsoft 365 F1 package, see the “Microsoft 365 Frontline” section earlier in this chapter.

Therefore, the best practice is to compare the features included in each of the Microsoft 365 licenses with the requirements of the various types of users in the organization. In a large enterprise, this can be a complicated process, but in the case of a major migration like this, prior planning is crucial and can save a great deal of expense and effort.

Quick check

Which of the following is not one of the three phases of the Microsoft compliance effort?

  1. Simplify
  2. Assess
  3. Protect
  4. Respond

Quick check answer

Which of the following is not one of the three phases of the Microsoft compliance effort?

  1. The three phases of the Microsoft compliance effort are Assess, Protect, and Respond. Simplify is not one of the three phases.

Skill 4.3: Identify support options for Microsoft 365 services

For many IT professionals, there are important concerns about what happens after their organization commits itself to the use of cloud-based applications and services. These issues include concerns about downtime, monitoring the continuity of Microsoft services, and the product support provided by Microsoft and its partners.

Describe license management

To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL). Typically, an administrator for an organization deploying Microsoft 365 creates a tenancy in Microsoft Entra ID (Azure Active Directory), purchases a specific number of USLs, and then assigns them to users in the Microsoft 365 admin center console by selecting Licenses in the Billing menu, as shown in Figure 4-12.

  

FIGURE 4-12 A License Details page in Microsoft 365 admin center

Global administrators or user management administrators can assign licenses to up to 20 users at once from this interface. It is also possible to assign licenses to hybrid user accounts created through Active Directory synchronization or federation or while creating new user accounts in the Microsoft 365 admin center.

Assigning a Microsoft 365 license to a user causes the following events to occur:

  • Exchange Online creates a mailbox for the user
  • SharePoint grants the user edit permissions for the default team site
  • Microsoft 365 enables the user to download and install the Office productivity applications on up to five devices

From the Purchase Services page in the admin center, administrators can also purchase additional Microsoft 365 USLs or licenses for add-on products, as shown in Figure 4-13.

  

FIGURE 4-13 The Purchase Services page in Microsoft 365 admin center

Microsoft offers four different USL types for each of the Microsoft 365 products, depending on the purchaser’s existing relationship with the company, as follows:

  • Full USL This is a complete Microsoft 365 license for new purchasers who do not have existing Microsoft product licenses or for owners of on-premises Microsoft product licenses that do not include Software Assurance—Microsoft’s software maintenance agreement.
  • Add-on USL This is a license for purchasers with existing on-premises Microsoft product licenses, including Software Assurance, who want to maintain their infrastructure while adding Microsoft 365 cloud services in a pilot or hybrid deployment.
  • From SA USL This is a license for purchasers with existing perpetual Microsoft product licenses, including Software Assurance, who want to transition to a cloud-based infrastructure with continued Software Assurance for the Microsoft 365 product. Qualifying purchasers can only obtain From SA USLs at their contract renewal time and must maintain their existing Software Assurance agreement. A Microsoft 365 Software Assurance agreement includes cloud-oriented benefits, such as Deployment Planning Services, Home Use Program, online user training courses, and additional support incidents.
  • Step-up USL This is a license for current Microsoft customers who want to upgrade their subscriptions during an existing enrollment or agreement period, such as from Office 365 to Microsoft 365 or from Microsoft 365 Business to Microsoft 365 Enterprise E3.

Because the Add-on USLs, From SA USLs, and Step-up USLs are intended for existing Microsoft customers, their prices reflect significant discounts from the Full USL price.

Security-Understand Microsoft 365 pricing and support

For many IT professionals who are hesitant to move their operations to the cloud, security is the biggest concern. The idea of storing sensitive company data on Internet servers, over which they have no direct control—and for which they do not even know the exact location—can be frightening. However, Microsoft has invested an enormous amount of time, effort, and expense into securing its datacenters, and Microsoft 365 includes an array of security tools that subscribers can utilize to provide defense against outside intrusions.

Every security situation is a matter of judgment. Administrators must evaluate the organization’s data and decide how much security it requires. In cases of highly sensitive data, the prospect of storing it in the cloud should rightly be frightening. In such cases, it might be necessary for an organization to maintain local storage and split the enterprise functionality between cloud-based and on-premises systems.

As noted elsewhere in this book, Microsoft maintains dozens of datacenters worldwide. The fact that Microsoft’s cloud services are storing data for thousands of organizations means they have the incentive and the capital to build datacenters with equipment and physical security that only the largest corporations could conceivably duplicate. For most prospective Microsoft 365 subscribers, the cloud will provide greater physical security, higher availability, and more fault tolerance than they could provide themselves.

Therefore, if the Microsoft datacenters can be considered safe against physical theft and most natural disasters, the remaining security concerns are centered around protecting identities, devices, and documents. These concerns threaten any enterprise network, whether on-premises or in the cloud. Unauthorized users can conceivably gain access to sensitive data wherever it is stored, and IT professionals must always try to prevent that from happening.

Security is a continuously developing challenge, with threats growing as quickly as the means to protect against them. For administrators who want to use Microsoft products to keep up with the latest developing threats, there is no question that the latest and best security tools that Microsoft makes are to be found in cloud-based platforms, such as Microsoft 365. Perpetual products, such as Exchange Server and Office 2021, are being left behind in their security capabilities in favor of Software as a Service (SaaS) products like Microsoft 365, Exchange Online, and the cloud-based SharePoint.

The Microsoft 365 security components include the following:

  • Microsoft Intune Provides device and application management services that allow mobile devices to join the network only if they comply with security policies that ensure they are appropriately equipped and configured
  • Azure Information Protection Enables users and administrators to apply classification labels to documents and implement various types of protection based on the labels, such as access restrictions and data encryption
  • Data Loss Prevention Enables the automated discovery of documents that contain common data patterns, such as those of credit cards and Social Security numbers, using preconfigured sensitive information types
  • Microsoft Defender for Cloud Apps Analyzes traffic logs and proxy scripts to identify the cloud apps that users are accessing and enables administrators to analyze app security and sanction or unsanction individual apps
  • Microsoft Entra ID Protection Evaluates the sign-in activities of individual user accounts and assigns them risk levels that increment when multiple negative events occur
  • Microsoft Defender for Identity Uses machine intelligence to prevent, detect, and remediate security threats unique to the Azure environment by analyzing user behavior and comparing it to known attack patterns
  • Microsoft Advanced Threat Analytics Captures network traffic and log information and analyzes it to identify suspicious behaviors related to known phases of typical attack processes

Another aspect of Microsoft 365 that might help to convince traditionalists that a cloud platform can be secure is its use of intelligent analysis to identify behavior indicative of an attack. Tools like Microsoft 365 Defender gather information from Microsoft 365 devices, applications, and services and use endpoint behavioral sensors, cloud security analytics, and threat intelligence to prevent, discover, investigate, and remediate potential and actual threats.

Cost-benefit analysis for cloud vs. on-premises networks-Understand Microsoft 365 pricing and support

Evaluating the total cost of ownership (TCO) for a Microsoft 365 implementation is the relatively simple part of a cost-benefit analysis. There is a monthly or annual fee for each Microsoft 365 user subscription, and those subscriber fees are predictable and ongoing. Contracts might be renewed with different prices at intervals, but those costs still remain predictable. It is possible that costs could rise precipitously in the future when the contracts are renewed, and the subscriber might feel locked into one provider, but that is a risk with any software product.

Predicting the cost of an on-premises network is more difficult. It is common for businesses to categorize their expenses by distinguishing between two types of expenditures, as follows:

  • Capital expenditures (CapEx) are money spent on fixed assets, such as buildings, servers, and other hardware, deployment expenses, and purchased software.
  • Operational expenditures (OpEx) are ongoing expenses, such as rent, utilities, staff, and maintenance.

The basic differences between CapEx and OpEx expenditures are shown in Table 4-2.

 

TABLE 4-2 Capital expenditures versus operational expenditures

| | Capital Expenditures (CapEx) | Operational Expenditures (OpEx) |
|---|---|---|
| Purpose | Hardware and software assets with at least one year of usefulness | Ongoing business costs |
| Payment | Initial lump sum | Recurring monthly or annual |
| Accounting | Three or more years of asset depreciation | Current month or year |
| Description | Property, equipment, software | Operating costs |
| Taxes | Multiple years of deduction based on depreciation | Current year deduction |

For a Microsoft 365 shop, nearly all the expenses are OpEx, including the subscription fees. There are virtually no CapEx expenses involved, except perhaps for things like initial administrator cloud training. Businesses like working with OpEx expenses because they enable them to create accurate budgets and forecasts.

For an on-premises network, the CapEx outlay required to set up the infrastructure can be enormous, including the cost of building and equipping datacenters and purchasing server software products. Depending on the nature of the business and the sensitivity of the data involved, these expenses can be multiplied by the need for redundant datacenters and equipment. These big expenses must be paid before the network can even go live. These CapEx costs can be amortized or depreciated in the company’s accounts over a period of years, but the initial investment is substantial compared to that of a cloud-based network, which requires almost none.

An on-premises network also has OpEx expenses, including the rent, power, and other utilities that datacenters require, and the salaries of the staff needed to operate and maintain the datacenter equipment. There are also expensive software upgrades to consider every two to three years. The main cost benefit of an on-premises network is that hardware and software are purchased outright and do not require monthly subscription fees.

There are other factors to consider as well. When designing an on-premises network, the organization must consider the possibility of future growth, as well as seasonal business fluctuations. Therefore, the already substantial CapEx outlay can be increased by the cost of the additional datacenter space and equipment needed to support the busiest times of the year, as well as several years of predicted growth.

A cloud-based infrastructure like that of Microsoft 365 uses a pay-as-you-go model, which can accommodate virtually unlimited growth and occasional business fluctuations with no extra expenses other than the increased subscription fees for the extra services. The organization never pays for hardware and software that it isn’t using. In addition, the growth and fluctuations can be accommodated almost immediately and downsized when necessary, while on-premises resources can require months to approve, obtain, and install.

The entire cost-benefit analysis can be further complicated if the organization has already invested substantially in on-premises infrastructure. For example, if the expanding company already has sufficient space in its datacenters and sufficient IT staff, the CapEx needed for a network expansion can be much less than it would be for an entirely new network installation. The question then becomes whether it is more economical to add to the existing on-premises infrastructure or expand into the cloud, creating a hybrid network that might require additional planning and training to bring personnel up to speed in cloud technologies.

Therefore, every organization must consider its own economic, personnel, and business situations and calculate the TCO of its network options. In a new deployment, a subscription-based, cloud-based option, such as Microsoft 365, can be faster and less expensive to implement, but there are many situations in which organizations might be compelled to consider an on-premises network instead.

 Exam Tip

Candidates for the MS-900 exam seeking greater familiarity with the characteristics of cloud-based services versus on-premises services should also consult the “Describe the benefits of and considerations for using cloud, hybrid, or on-premises services” section in Chapter 1, “Describe cloud concepts.”

Compliance-Understand Microsoft 365 pricing and support

As the proliferation and value of data increases over time, businesses, agencies, and individuals are becoming increasingly concerned with the privacy and protection of their data. Hundreds of regulatory bodies—private and governmental—quantify the nature of this data protection and publish standards for data storage and handling.

Some of the most common data privacy standards in use today are as follows:

  • Federal Information Security Modernization Act (FISMA) Specifies how U.S. federal agencies must protect information
  • Health Insurance Portability and Accountability Act (HIPAA) Regulates the privacy of personal health information
  • Family Educational Rights and Privacy Act (FERPA) Regulates the disclosure of student education records
  • Personal Information Protection and Electronic Documents Act (PIPEDA) Specifies how commercial business organizations can gather, retain, and share personal information
  • Gramm–Leach–Bliley Act (GLBA) Specifies how financial institutions must protect and share the personal information of their customers
  • General Data Protection Regulation (GDPR) Specifies data protection and privacy regulations for citizens of the European Union

These standards can define elements such as the following:

  • The controls that organizations must exercise to protect the privacy of personal data
  • How organizations can and cannot use personal data
  • The rights of government and other official agencies to access personal data held by an organization
  • The lengths of time an organization can and must retain individuals’ personal data
  • The rights of individuals to access and correct their personal data held by organizations

Whether adopting certain standards is mandatory or voluntary, many organizations are concerned with whether the tools and procedures they use for storing and handling data comply with these standards.

Every organization must assess its own data resources and determine what standards should apply to them. The nature of the business in which the organization is engaged can often dictate compliance with particular standards. For example, companies in the health care industry or those with government contracts might be legally required to store, handle, and protect their data in specific ways. Indeed, there are regulatory standards to which Microsoft 365 products on their own cannot possibly comply, such as those requiring data to be stored on devices and in locations wholly owned and controlled by the organization, precluding cloud storage entirely.

However, many of the hundreds of privacy standards in use do allow the possibility of compliance when data is stored in the cloud, and Microsoft is well aware of the importance of adherence to these standards for many organizations considering a migration to the cloud. For IT professionals who are hesitant to become Microsoft 365 adopters because they fear that changing the location and the data storage conditions will negatively affect their compliance with standards like these, Microsoft has tested their products’ compliance with many different standards and published documents certifying the results.

Microsoft divides the compliance effort into three phases, as shown in Figure 4-11. The phases are described as follows:

  

FIGURE 4-11 Microsoft compliance phases

  • Assess The organization gathers the information needed to assess its current compliance status and produce a plan to achieve or maintain compliance with specific standards. Microsoft’s Service Trust Portal website contains a vast library of documents specifying information about the testing processes and the third parties involved in compliance testing. Also, Microsoft Purview includes Compliance Manager, a risk assessment tool organizations can use to record their actions to achieve compliance with specific standards.
  • Protect The organization implements a protection plan for its data, based on its sensitivity, using the tools provided in the Microsoft 365 services, including access control permissions, file encryption, Information Protection, and Data Loss Prevention.
  • Respond The organization develops protocols for responding to regulatory requests using artificial intelligence tools such as Microsoft 365 eDiscovery to perform complex searches of Exchange Online mailboxes, Microsoft 365 Groups, SharePoint and OneDrive sites, and Microsoft Teams conversations.

Need More Review? Microsoft 365 Compliance

For additional information on Microsoft 365’s compliance efforts, see the “Describe trust, privacy, risk, and compliance solutions in Microsoft 365” section in Chapter 3, “Describe security, compliance, privacy, and trust in Microsoft 365.”

Quick check

What is the difference between a Cloud Solution Provider that is an indirect reseller and one that is an indirect provider?

Quick check answer

  • An indirect reseller is typically a smaller company concentrating on locating, cultivating, and signing customers for Microsoft cloud-based products and services. An indirect provider is a larger company engaged by indirect resellers responsible for supplying products, customer service, billing, and technical support services to customers.