MS 900 Microsoft 365 Fundamentals +300 Exam Practice Questions 2022-202-301

The document provides an overview of Azure Active Directory (AD) and its features, including federation, conditional access, and Microsoft 365 Defender services. It explains how federation enables secure access across organizational boundaries and details the capabilities of Microsoft 365 Defender in protecting identities, endpoints, and cloud applications from cyber threats. Additionally, it outlines the functionalities of Microsoft Defender for Office 365, Endpoint, and Cloud Apps, emphasizing their roles in threat detection and response.

Uploaded by jamysson

Figure 7-05: Active Directory Services

Azure Active Directory is the next evolution of identity and access
management solutions. It offers organizations an Identity as a Service
(IDaaS) solution for all their apps across the cloud and on-premises. This
section focuses on Azure AD, Microsoft's cloud-based identity provider.

Concept of Federation
Federation enables access to services across organizational or domain
boundaries by establishing trust relationships between the respective
domains' identity providers. With federation, users are not required to
maintain a separate username and password when accessing resources
in other domains.

Figure 7-06: Concept of Federation


A simplified way to think about this federation scenario is as follows:
The website, in domain A, uses the authentication services of
Identity Provider A (IdP-A)
The user, in domain B, authenticates with Identity Provider B
(IdP-B)
IdP-A has a trust relationship established with IdP-B
When the user, who wants to access the website, provides
their credentials to the website, the website trusts the user
and allows access. This access is allowed because of the trust
between the two identity providers
With federation, trust is not always bidirectional. Although IdP-A may
trust IdP-B and let the user in domain B view the website in domain A,
the reverse does not hold unless that trust relationship is also configured.
In this case, Twitter is an identity provider, and the third-party site
might be using a separate identity provider, such as Azure AD; access
works because of the trust relationship between Azure AD and Twitter.

Conditional Access
Conditional access safeguards controlled content in a system by
establishing conditions that must be satisfied before access to that
content is allowed. In its most basic form, a conditional access
restriction is an if-then statement: if a user wants to access a
resource, then they must complete a required action.
Conditional Access Policies
Conditional Access policies can give you greater control if your
company needs more precise sign-in security requirements. With
conditional access, you can design rules that respond to sign-in events
and demand further steps before allowing a user access to a service or
application.
Customers who have purchased Azure AD Premium P1 or licenses that
contain it, such as Microsoft 365 Business Premium and Microsoft 365
E3, are eligible for Conditional Access. See "Create a Conditional Access
policy" for additional details.
Risk-based conditional access is available through the Azure AD
Premium P2 license or licenses that contain it, such as Microsoft 365 E5.
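The two ideas above (a one-way federation trust between IdP-A and IdP-B, followed by if-then Conditional Access rules on the sign-in event) modelled as a small sign-in flow. This is an added example, not code from the study guide or from Microsoft; the domains, users, credentials, apps and policies are constructed sample data, and the `sign_in_risk` signal is included only to show where a risk-based (Azure AD P2) condition would plug in.

```python
"""Federated sign-in followed by Conditional Access evaluation."""
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """The identity provider for one domain (IdP-A for domain A, and so on)."""
    name: str
    domain: str
    credentials: dict                        # username -> password (constructed)
    trusted_issuers: set = field(default_factory=set)

    def trust(self, other: "IdentityProvider") -> None:
        """One-way trust: self accepts tokens from other; other does not accept self."""
        self.trusted_issuers.add(other.name)

    def authenticate(self, username: str, password: str):
        """The user's home IdP checks the credentials and issues a claims token."""
        if self.credentials.get(username) != password:
            return None
        return {"iss": self.name, "sub": f"{username}@{self.domain}"}

    def accept_token(self, token) -> bool:
        """A relying IdP accepts its own tokens and tokens from trusted issuers only."""
        return token is not None and (
            token["iss"] == self.name or token["iss"] in self.trusted_issuers)


@dataclass
class SignIn:
    """Signals available when a sign-in event happens (constructed fields)."""
    subject: str
    app: str
    location: str                 # "corp-net" or "internet"
    device_compliant: bool
    sign_in_risk: str = "none"    # none/low/medium/high; risk-based policies need P2


@dataclass
class Policy:
    """An if-then rule: IF every condition matches THEN apply the control."""
    name: str
    conditions: dict              # SignIn field -> required value, or a set of values
    control: str                  # "block", "require_mfa" or "require_compliant_device"


def policy_applies(policy: Policy, signin: SignIn) -> bool:
    for attr, wanted in policy.conditions.items():
        actual = getattr(signin, attr)
        matched = actual in wanted if isinstance(wanted, (set, frozenset)) else actual == wanted
        if not matched:
            return False
    return True


def evaluate(policies, signin: SignIn):
    """Return (decision, matching policy names). Any block wins outright;
    otherwise every control from a matching policy must be satisfied."""
    matching = [p for p in policies if policy_applies(p, signin)]
    if any(p.control == "block" for p in matching):
        return "block", [p.name for p in matching if p.control == "block"]
    if not matching:
        return "allow", []
    return "+".join(sorted({p.control for p in matching})), [p.name for p in matching]


def federated_access(website_idp, home_idp, username, password, app,
                     location, device_compliant, sign_in_risk, policies):
    """Authenticate at the home IdP, check the trust at the website's IdP,
    then run the website's Conditional Access policies on the sign-in."""
    token = home_idp.authenticate(username, password)
    if token is None:
        return "bad_credentials", []
    if not website_idp.accept_token(token):
        return "untrusted_issuer", []
    signin = SignIn(token["sub"], app, location, device_compliant, sign_in_risk)
    return evaluate(policies, signin)


# Constructed sample: IdP-A trusts IdP-B, but not the other way round.
IDP_A = IdentityProvider("IdP-A", "a.example", {"alice": "pw-a"})
IDP_B = IdentityProvider("IdP-B", "b.example", {"bob": "pw-b"})
IDP_A.trust(IDP_B)

POLICIES = [
    Policy("MFA for Finance off the corporate network",
           {"app": "Finance", "location": "internet"}, "require_mfa"),
    Policy("Compliant device for Finance", {"app": "Finance"}, "require_compliant_device"),
    Policy("Block risky sign-ins", {"sign_in_risk": {"medium", "high"}}, "block"),
]

if __name__ == "__main__":
    # bob (domain B) reaching the website in domain A: trusted, then CA controls apply
    print(federated_access(IDP_A, IDP_B, "bob", "pw-b", "Finance", "internet", True, "none", POLICIES))
    # alice (domain A) reaching a website in domain B: no trust in that direction
    print(federated_access(IDP_B, IDP_A, "alice", "pw-a", "Finance", "corp-net", True, "none", POLICIES))
```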

Mind Map
Figure 7-07: Mind Map

Practice Questions
1. What is the benefit of single sign-on?
A. A central identity provider can be used
B. The user signs in once and can access many applications or
resources
C. Passwords always expire after 72 days
D. None of the above

2. Which relationship allows federated services to access resources?
A. Claim relationship
B. Shared access relationship
C. Trust relationship
D. All of the above
3. Authentication is the process of doing what?
A. Verifying that a user or device is who they say they are
B. The process of tracking user behavior
C. Enabling federated services
D. All of the above

4. Identity infrastructure can be organized into _______ fundamental
pillars.
A. One
B. Two
C. Three
D. Four

5. The _________ pillar tells the story of how much an IT system
needs to know about identity.
A. Administration
B. Authentication
C. Authorization
D. Auditing

6. The ________ pillar is about processing the incoming identity data.
A. Administration
B. Authentication
C. Authorization
D. Auditing
7. The _______ pillar tracks who does what, when, where, and how.
A. Administration
B. Authentication
C. Authorization
D. Auditing

8. __________ is the process of proving that a person is who they say
they are.
A. Authentication
B. Authorization
C. Both of the above
D. None of the above

9. __________ determines the level of access or the permissions an
authenticated person has to your data and resources.
A. Authentication
B. Authorization
C. Both of the above
D. None of the above

10. Federation enables the access of services across _______ or
________ boundaries by establishing trust relationships.
A. Organizational
B. Domain
C. Both of the above
D. None of the above
Chapter 08: Threat Protection with Microsoft 365 Defender

Introduction
This chapter will teach you how Microsoft 365 Defender can help
protect your organization. You will explore each of the different
Defender services to understand how they can protect: Identity, Office
365, Endpoint, and cloud apps. You will also explore the capabilities of
the Microsoft 365 Defender portal, including Microsoft Secure Score,
reports, and incident management.

Microsoft 365 Defender Services

Microsoft 365 Defender is a defense suite that helps prevent and
respond to cyberattacks. With Microsoft 365 Defender, you can natively
coordinate the detection, prevention, investigation, and response to
threats across endpoints, identities, emails, and applications.
Microsoft 365 Defender gives administrators the ability to evaluate
threat signals from endpoints, applications, emails, and identities to
determine the breadth and impact of an attack. It sheds more light on
how the threat materialized and which systems were impacted. The
attack can then be prevented or stopped automatically by Microsoft
365 Defender.
Figure 8-01: Microsoft 365 Defender Services
The Microsoft 365 Defender suite protects:
Identities with Microsoft Defender for Identity and Azure
AD Identity Protection - Uses Active Directory signals
to identify, detect, and investigate advanced threats,
compromised identities, and malicious insider actions
directed at your organization
Endpoints with Microsoft Defender for Endpoint - A
unified endpoint platform for preventative protection, post-breach
detection, automated investigation, and response
Applications with Microsoft Defender for Cloud Apps -
Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS
solution that offers deep visibility, strong data controls, and
enhanced threat protection
Email and collaboration with Microsoft Defender for
Office 365 - Protects your organization against malicious
threats from email messages, links (URLs), and collaboration
tools
Use Microsoft 365 Defender to safeguard your organization against
sophisticated cyberattacks. It coordinates detection, prevention,
investigation, and response to threats across endpoints, identities,
emails, and applications.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 protects your organization against
malicious threats from email messages, links (URLs), and collaboration
tools, including Microsoft Teams, SharePoint Online, OneDrive for
Business, and other Office clients.
Microsoft Defender for Office 365 covers these key areas:
Threat protection policies: Define threat protection
policies to set the appropriate level of protection for your
organization
Reports: View real-time reports to monitor your
organization's Microsoft Defender for Office 365
performance
Threat investigation and response capabilities: Use
leading-edge technologies to identify, understand, simulate,
and prevent threats
Microsoft Defender for Office 365 is available in two plans. The plan
you choose determines the tools you will see and use. It is important to
make sure you select the plan that best meets your organization's needs.
Microsoft Defender for Office 365 Plan 1
This plan offers configuration, protection, and detection tools for
your Office 365 suite:
Safe Attachments: Checks email attachments for harmful
content
Safe Links: Safe links remain accessible, while harmful
links are blocked
Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams: Protects your organization when users
collaborate and share files by identifying and blocking
malicious files in team sites and document libraries
Anti-phishing protection: Detects attempts to
impersonate your users and internal or custom domains
Real-time detections: A real-time report lets you detect
and analyze recent threats
Microsoft Defender for Office 365 Plan 2
This plan contains all the core features of Plan 1 and adds
automation, investigation, remediation, and simulation tools to help
protect your Office 365 suite:
Threat Trackers: Offer the latest intelligence on prevailing
cybersecurity issues, allowing an organization to take
countermeasures before an actual threat materializes
Threat Explorer: A real-time report that lets you detect and
analyze new threats
Automated Investigation and Response (AIR): A set of
security playbooks that can be launched automatically, such as
when an alert is triggered, or manually
Attack Simulator: Lets you run realistic attack scenarios in
your organization to identify vulnerabilities
Proactively hunt for threats with advanced hunting in
Microsoft 365 Defender: Advanced hunting is a query-
based threat hunting tool that lets you explore up to 30 days
of raw data
Investigate alerts and incidents in Microsoft 365
Defender: Microsoft Defender for Office 365 P2 customers
have access to Microsoft 365 Defender integration to efficiently
detect, review, and respond to incidents and alerts
Microsoft Defender for Office 365 Availability
If your subscription does not include Defender for Office 365, you can
buy it as an add-on. Use Microsoft Defender for Office 365 to
protect your organization's collaboration tools and messages.

Microsoft Defender for Endpoint

This technology combines endpoint behavioral sensors that collect and
process signals from the operating system, cloud security analytics that
convert signals into insights, detections, and recommendations, and
threat intelligence to detect attacker tools and techniques and generate
alerts.

Figure 8-02: Microsoft Defender for Endpoint

Microsoft Defender for Endpoint includes:
Attack Surface Reduction: These capabilities resist attacks
and exploitation by ensuring configuration settings are
correctly set and exploit mitigation techniques are applied.
This set of capabilities also includes network protection and
web protection, which regulate access to malicious IP
addresses, domains, and URLs, helping prevent apps from
accessing dangerous locations
Next-Generation Protection: Brings machine learning,
extensive data analysis, in-depth threat resistance research,
and the Microsoft cloud infrastructure to protect devices in
your enterprise organization
Endpoint Detection and Response: Offers advanced
attack detections that are near real-time and actionable
Microsoft Threat Experts: A managed threat hunting
service that offers Security Operation Centers (SOCs)
monitoring and analysis to ensure critical threats are
not missed
Microsoft Defender for Endpoint integrates with various components of
the Microsoft Defender suite and other Microsoft solutions, including
Intune and Microsoft Defender for Cloud.

Microsoft Defender for Cloud Apps

Moving to the cloud enhances flexibility for employees and IT teams.
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker
(CASB). It is a comprehensive cross-SaaS solution that operates as an
intermediary between a cloud user and the cloud provider.
What is a Cloud Access Security Broker?
A CASB serves as a gatekeeper that brokers real-time access between
your enterprise users and the cloud resources they need, regardless of
where the users are located or the device they are using. CASBs offer a
broad range of capabilities across the following pillars to assist
organizations in protecting their environment:
Visibility - Detect cloud services and app use and provide
visibility into Shadow IT
Threat protection - Monitor user activities for abnormal
behaviors, control access to resources through access
controls, and mitigate malware
Data security - Identify, classify, and control sensitive
information, protecting against malicious actors
Compliance - Assess the compliance of cloud services
These capability areas form the basis of the Defender for Cloud Apps
framework described below.
The Defender for Cloud Apps Framework
Microsoft Defender for Cloud Apps is built on a framework that offers
the following key capabilities:
Monitor and control the use of Shadow IT: Discover the
cloud apps and IaaS and PaaS services used by your
organization. Investigate usage patterns, and assess the risk
levels and business readiness of more than 25,000 SaaS apps
against more than 80 risks
Protect against cyber threats and anomalies: Identify
unusual behavior across cloud apps to detect ransomware
and compromised users, analyze high-risk usage, and remediate
automatically to limit risk
Microsoft Defender for Cloud Apps Functionality
Defender for Cloud Apps delivers on the framework's
components through an extensive list of features and functionality.
Listed below are some examples.
Cloud Discovery maps and identifies your cloud
environment and your organization's cloud apps. Cloud
Discovery uses your traffic logs to dynamically discover
and analyze the cloud apps in use
Sanction and unsanction apps in your organization
using the Cloud app catalog, which includes over 25,000 cloud
apps
Use App connectors to integrate Microsoft and non-
Microsoft cloud apps with Microsoft Defender for Cloud
Apps, extending control and protection
Conditional Access App Control protection provides real-
time visibility and control over access and activities within
your cloud apps
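The Cloud Discovery and sanctioning steps above, reduced to their core mechanics: map destination hosts from traffic logs onto an app catalog with risk scores, aggregate usage per app, and flag apps that are in use but not sanctioned. This is an added example, not code from the study guide or from Microsoft; the log lines, the catalog, the risk scores and the sanctioned/unsanctioned lists are constructed sample data.

```python
"""Shadow IT discovery from traffic logs, in the spirit of Cloud Discovery."""
from dataclasses import dataclass, field

# Constructed stand-in for the cloud app catalog: host -> (app name, risk score 0-10).
CATALOG = {
    "files.cloudstore.example": ("CloudStore", 3),
    "api.chatbox.example": ("ChatBox", 7),
    "share.quickdrop.example": ("QuickDrop", 9),
}
SANCTIONED = {"CloudStore"}       # approved by the organization
UNSANCTIONED = {"QuickDrop"}      # explicitly disallowed by the organization

# Constructed proxy log: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-05-01T09:12:04Z alice files.cloudstore.example 1200
2024-05-01T09:13:10Z bob api.chatbox.example 540000
2024-05-01T09:15:22Z alice share.quickdrop.example 88000000
2024-05-01T09:16:01Z carol api.chatbox.example 12000
2024-05-01T09:17:45Z dave intranet.corp.example 300
"""


@dataclass
class AppUsage:
    """Aggregated use of one catalogued cloud app."""
    app: str
    risk: int
    status: str                       # sanctioned / unsanctioned / unreviewed
    users: set = field(default_factory=set)
    bytes_out: int = 0


def classify(app, sanctioned=SANCTIONED, unsanctioned=UNSANCTIONED):
    if app in sanctioned:
        return "sanctioned"
    if app in unsanctioned:
        return "unsanctioned"
    return "unreviewed"               # in use but never assessed: classic shadow IT


def discover(log_text, catalog=CATALOG, sanctioned=SANCTIONED, unsanctioned=UNSANCTIONED):
    """Map traffic log lines onto catalogued apps and aggregate usage per app."""
    usage = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, host, nbytes = line.split()
        if host not in catalog:       # internal or uncatalogued host: not a cloud app
            continue
        app, risk = catalog[host]
        status = classify(app, sanctioned, unsanctioned)
        entry = usage.setdefault(app, AppUsage(app, risk, status))
        entry.users.add(user)
        entry.bytes_out += int(nbytes)
    return usage


def shadow_it_report(usage, min_risk=0):
    """Apps in use that are not sanctioned, highest risk and largest upload first."""
    flagged = [u for u in usage.values() if u.status != "sanctioned" and u.risk >= min_risk]
    return sorted(flagged, key=lambda u: (-u.risk, -u.bytes_out))


if __name__ == "__main__":
    for u in shadow_it_report(discover(SAMPLE_LOG)):
        print(f"{u.app:10} risk={u.risk} status={u.status} "
              f"users={sorted(u.users)} bytes_out={u.bytes_out}")
```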
Figure 8-03: Policies

Note: Visit
https://edxinteractivepage.blob.core.windows.net/edxpages/sc-
900/LP03M04-Describe-threat-protection-with-Microsoft-
365/index.html to learn about the features offered by Microsoft
Defender for Cloud Apps in this interactive guide.

Office 365 Cloud App Security

Office 365 Cloud App Security is a part of Microsoft Defender for Cloud
Apps that offers enhanced visibility and control for Office 365. Office
365 Cloud App Security provides threat detection based on user
activity logs.
It offers a subset of the core Microsoft Defender for Cloud Apps
features. It also provides a reduced subset of the Microsoft Defender for
Cloud Apps discovery capabilities.
Use Microsoft Defender for Cloud Apps to intelligently and proactively
identify and respond to threats across your organization's Microsoft
and non-Microsoft cloud services.

Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution. It
uses your on-premises Active Directory data (called signals) to
identify, detect, and investigate advanced threats, compromised
identities, and malicious insider actions directed at your organization.
Microsoft Defender for Identity provides security professionals
managing hybrid environments functionality to:
Monitor and profile user behavior and activities
Protect user identities and reduce the attack surface
Identify and investigate suspicious activities and advanced
attacks across the cyberattack kill chain
Monitor and Profile User Behavior and Activities
Defender for Identity monitors and analyzes user activities and
information across your network, including permissions and group
membership, forming a baseline for each user. Defender for Identity
then identifies anomalies with adaptive built-in intelligence.
Protect User Identities and Lower the Attack Surface
Defender for Identity provides insights on identity configurations and
suggested security best practices. It offers extra insights into how to
improve security posture and policies.
For hybrid environments in which Active Directory Federation Services
(AD FS) is present, Defender for Identity protects AD FS by
detecting on-premises attacks and providing visibility into
authentication events generated by AD FS.
Detect Suspicious Activities and Advanced Attacks Across
the Cyberattack Kill-Chain
The assets at risk might include sensitive accounts, domain
administrators, and highly sensitive data. Defender for Identity
identifies these advanced threats at the source throughout the entire
cyber-attack kill-chain:
Reconnaissance
Compromised credentials
Lateral movement
Domain dominance

Microsoft Defender Protection

Microsoft 365 Defender services protect:
Endpoints with Defender for Endpoint - Defender
for Endpoint is a unified endpoint platform for preventative
protection, post-breach detection, automated investigation, and
response
Assets with Microsoft Defender Vulnerability Management -
Defender Vulnerability Management provides continuous asset
visibility, intelligent risk-based assessments, and built-in
remediation tools to assist your security and IT teams in
prioritizing and addressing important vulnerabilities and
misconfigurations throughout your organization
Email and collaboration with Defender for Office 365 -
Defender for Office 365 protects your business from harmful
threats from collaboration tools, links (URLs), and email
communications
Identities with Azure Active Directory (Azure AD) and
Defender for Identity - Defender for Identity uses your on-premises
Active Directory Domain Services (AD DS) signals to identify,
detect, and investigate advanced threats, compromised identities,
and malicious insider actions directed at your organization. Azure
AD Identity Protection automates the detection and remediation of
identity-based risks in your cloud-based Azure AD

Microsoft 365 Defender portal


Microsoft 365 Defender natively coordinates detection, prevention,
investigation, and response across endpoints, identities, emails, and
applications to provide integrated protection against sophisticated
attacks. The Microsoft 365 Defender portal combines this functionality
into a central place designed to meet security teams' needs and
emphasizes quick access to information and more straightforward
layouts. You can view your organization's security health through the
Microsoft 365 Defender portal.

Figure 8-04: Microsoft 365 Defender Portal


The Microsoft 365 Defender portal lets admins tailor the navigation
pane to meet daily operational requirements. Admins can customize
the navigation pane to view or hide functions and services based on
specific preferences.
The left navigation pane provides security professionals easy access to
the email and collaboration capabilities of Microsoft Defender for
Office 365 and the capabilities of Microsoft Defender for Endpoint,
described in the previous sections. Listed below, we describe a few
other capabilities accessible from the left navigation bar in the
Microsoft 365 Defender portal.
Incidents and Alerts
Individual alerts offer valuable clues about a completed or ongoing
attack, and Microsoft 365 Defender automatically aggregates these
alerts. The grouping of related alerts forms an incident, and the
incident provides a comprehensive view and context of an attack.
The incidents queue is a central location that lists each incident by
severity. Choosing an incident name displays a summary of the
incident and offers access to tabs with additional information,
including:
All the alerts related to the incident
All the users that have been detected to be part of or related
to the incident
All the mailboxes that have been detected to be part of or
related to the incident
All the automated investigations triggered by the alerts in the
incident
All the supporting evidence and response actions
Figure 8-05: Incidents and Alerts
Hunting
Advanced hunting is a query-based threat-hunting option that lets
security professionals explore up to 30 days of raw data. Advanced
hunting queries enable security professionals to proactively search for
threats, malware, and malicious activity across your endpoints, Office
365 mailboxes, and more. Threat-hunting queries can be used to build
custom detection rules. These rules automatically check for and
respond to suspected breach activity, misconfigured machines, and
other findings.
Threat Analytics
Threat analytics is Microsoft's in-product threat intelligence solution from
expert Microsoft security researchers. It is designed to assist security
teams in tracking and responding to emerging threats. The threat
analytics dashboard highlights the reports most relevant to your
organization. It includes the latest threats, high-impact threats (threats
with the most active alerts affecting your organization), and high-
exposure threats.
Selecting a specific threat from the dashboard opens a threat
analytics report with more detailed information, including
detailed analyst reports, impacted assets, mitigations, and much more.

Figure 8-06: Threat Analytics


Secure Score
Microsoft Secure Score, one of the features in the Microsoft 365
Defender portal, is a measurement of an organization's security
posture: the higher the score, the better your protection. Through a
single dashboard in the Microsoft 365 Defender portal, the security of
an organization's Microsoft 365 identities, apps, and devices can be
monitored and improved.
Using Secure Score, organizations can:
Report on the current state of their security posture.
Improve their security posture by providing discoverability,
visibility, guidance, and control.
Compare with benchmarks and establish key performance indicators
(KPIs).
Microsoft Teams, Azure Active Directory, Microsoft Defender for
Endpoint, Microsoft Defender for Identity, Microsoft Secure Score, and
Microsoft 365 (including Exchange Online) are currently supported.
The image below displays an organization's Secure Score, a score
breakdown by points, and the improvement actions that can boost the
organization's score. Finally, it indicates how the organization's
Secure Score compares to similar organizations.

Figure 8-07: Secure Score


To explore Microsoft Secure Score, select the interactive guide below
and follow the prompts on the screen.
Alternatively, navigate to
https://edxinteractivepage.blob.core.windows.net/edxpages/sc-
900/LP03M04-Describe-threat-protection-with-Microsoft-
365/index.html

Figure 8-08: Security Fundamentals


Differences between Secure Score in Microsoft 365 Defender and
Microsoft Defender for Cloud
There is a secure score for both Microsoft 365 Defender and Microsoft
Defender for Cloud, but they are subtly different. Secure Score in
Microsoft Defender for Cloud measures the security posture of your
Azure subscriptions.

EXAM TIP: Secure Score in the Microsoft 365 Defender portal
measures the organization's security posture across your apps,
devices, and identities.
Learning hub
The Microsoft 365 Defender portal contains a learning hub that
surfaces official guidance from resources such as the Microsoft
security blog, the Microsoft security community on YouTube, and the
official documentation at docs.microsoft.com.

Figure 8-09: Learning Hub


Reports
The Microsoft 365 Defender portal contains a Reports section that
contains a general security report, reports related to endpoints, and
reports related to email and collaboration.
Figure 8-10: Security Reports and Dashboards
Security Report
The general security report allows admins to see information about
security trends and track the protection status of your identities, data,
devices, apps, and infrastructure.
By default, cards are categorized by the following categories:
Identities - user accounts and credentials
Data - email and document contents
Devices - computers, mobile phones, and other devices
Apps - programs and connected online services
The cards are grouped by category (only two of the four categories are
displayed in the image).
Figure 8-11: Security Report
You can also group cards by topic, which will reorganize the cards and
group them into the following areas:
Risk - Cards highlighting entities, such as accounts and
devices, that could be at risk
Detection trends - Cards highlighting new threat
detections, anomalies, and policy violations
Configuration and health - Cards dealing with the
configuration and deployment of security controls,
including device onboarding states to management services
Endpoint Reports
The endpoints section on the reports page contains a threat
protection report, a device health and compliance report, and a
vulnerable devices report.
The threat protection report offers high-level information about
alerts created in your organization. The report contains trending
information displaying the detection sources, categories, severities,
statuses, classifications, and determinations of alerts across time.
The report's dashboard is organized into two sections:
Alert trends - By default, the alert trends display alert
information from the 30 days ending in the latest full day
Alert summary - The alert summary takes alert information
scoped to the current day

Figure 8-12: Endpoint Reports


The device health and compliance report enables admins to
monitor the health state, antivirus status, operating system
platforms, and Windows 10 versions for devices in your
organization.
This report's dashboard is also organized into two sections:
Device trends - By default, the device trends display device
information from the 30 days ending in the latest full day. By
adjusting the period, you can fine-tune the reporting period
to understand your organization's trends better
Device summary - The device summary displays device
information scoped to the current day
Figure 8-13: Report's Dashboard
The vulnerable devices report allows admins to view
information about the vulnerable devices in your
organization, including their exposure to vulnerabilities by
severity level, exploitability, age, and more

Figure 8-14: Vulnerable Devices Report


Email and Collaboration Reports
The email and collaboration reports allow admins to review
Microsoft-suggested actions to help enhance email and collaboration
security.
Figure 8-15: Email and Collaboration Reports
Incidents Capabilities
Incidents are a group of correlated alerts created when a suspicious event
is found. Alerts are created from different devices, users, and mailbox
entities. They can come from many different domains. Microsoft 365
Defender automatically aggregates these alerts.
Permissions & roles
Access to Microsoft 365 Defender is configured with Azure Active
Directory global roles or by using custom roles.
Figure 8-16: Permissions
Incident Management
Managing incidents is critical in ensuring that threats are contained
and addressed. In Microsoft 365 Defender, you can manage incidents on
devices, user accounts, and mailboxes.
Incidents are automatically given a name based on an alert. When
examining an incident, you can also move alerts from one incident to
another from the Alerts tab, producing a larger or smaller incident
that includes all relevant alerts.
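The alert-to-incident behaviour described in "Incidents and Alerts" and "Incident Management" above (alerts from several Defender sources correlated into one incident through the devices, users and mailboxes they share, an incident named after one of its alerts, an incidents queue ordered by severity, and moving an alert between incidents) reduced to a small correlation routine. This is an added example, not code from the study guide or from Microsoft; the alerts, entity names and severity ranking are constructed sample data, and the real product's correlation logic is not claimed to be this simple.

```python
"""Correlating alerts into incidents by the entities they share."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    alert_id: str
    title: str
    source: str              # which Defender service raised it (constructed)
    severity: str
    entities: frozenset      # tagged entities, e.g. "device:LT-07", "user:bob"


@dataclass
class Incident:
    incident_id: int
    name: str                # taken from the incident's first alert
    alerts: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        """Incident severity is the highest severity among its alerts."""
        if not self.alerts:
            return "informational"
        return max(self.alerts, key=lambda a: SEVERITY_RANK[a.severity]).severity

    def entities(self, kind: str) -> list:
        """Entities of one kind (device, user, mailbox) across all alerts: the tabs."""
        prefix = kind + ":"
        return sorted({e[len(prefix):] for a in self.alerts
                       for e in a.entities if e.startswith(prefix)})


def correlate(alerts) -> list:
    """Union-find over alerts: two alerts join the same incident when they
    share an entity, directly or through a chain of other alerts."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}                   # entity -> index of first alert naming it
    for idx, alert in enumerate(alerts):
        for entity in alert.entities:
            if entity in first_seen:
                parent[find(idx)] = find(first_seen[entity])
            else:
                first_seen[entity] = idx

    groups = {}                       # insertion order = order of earliest alert
    for idx, alert in enumerate(alerts):
        groups.setdefault(find(idx), []).append(alert)
    return [Incident(n, members[0].title, members)
            for n, members in enumerate(groups.values(), start=1)]


def incident_queue(incidents) -> list:
    """The incidents queue: most severe first, then by incident id."""
    return sorted(incidents, key=lambda i: (-SEVERITY_RANK[i.severity], i.incident_id))


def move_alert(source: Incident, target: Incident, alert_id: str) -> None:
    """Analyst action from the Alerts tab: re-home one alert in another incident."""
    alert = next(a for a in source.alerts if a.alert_id == alert_id)
    source.alerts.remove(alert)
    target.alerts.append(alert)


# Constructed sample alerts from several Defender services.
SAMPLE_ALERTS = [
    Alert("A1", "Suspicious PowerShell on LT-07", "Defender for Endpoint", "high",
          frozenset({"device:LT-07", "user:bob"})),
    Alert("A2", "Phishing email delivered", "Defender for Office 365", "medium",
          frozenset({"mailbox:bob@corp.example", "user:bob"})),
    Alert("A3", "Atypical travel sign-in", "Azure AD Identity Protection", "medium",
          frozenset({"user:carol"})),
    Alert("A4", "Malicious URL clicked", "Defender for Office 365", "low",
          frozenset({"mailbox:bob@corp.example"})),
    Alert("A5", "Credential dumping attempt", "Defender for Identity", "high",
          frozenset({"user:carol", "device:SRV-DC1"})),
]

if __name__ == "__main__":
    for inc in incident_queue(correlate(SAMPLE_ALERTS)):
        print(inc.incident_id, inc.severity, inc.name,
              [a.alert_id for a in inc.alerts], inc.entities("user"))
```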
Mind Map

Figure 8-17: Mind Map

Practice Questions
1. A lead admin for a company is looking to prevent harmful threats
posed by email messages, links (URLs), and collaboration tools.
Which solution from the following best suits this purpose?
A. Microsoft Defender for Office 365
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. All of the above

2. A Cloud Access Security Broker (CASB) protects 4 areas/pillars:
visibility to detect all cloud services, data security, threat protection,
and compliance. These pillars form the basis of the Cloud App
Security framework upon which Microsoft Defender for Cloud Apps
is built. Which pillar is accountable for identifying and controlling
sensitive information?
A. Threat protection
B. Compliance
C. Data Security
D. All of the above

3. Which of the following is a cloud-based security solution that
identifies, detects, and helps investigate advanced threats, compromised
identities, and harmful insider actions directed at your organization?
A. Microsoft Defender for Office 365
B. Microsoft Defender for Identity
C. Microsoft Defender for Cloud Apps
D. All of the above

4. Admins in the organization use the Microsoft 365 Defender portal
daily. They want to understand the organization's current security
posture quickly. Which option in the Microsoft 365 Defender portal
will they use?
A. Reports
B. Secure Score
C. Policies
D. All of the above
5. Microsoft Defender for Office 365 is available in _____ plans.
A. One
B. Two
C. Three
D. Four
Chapter 09: Service Trust Portal and Privacy at Microsoft

Introduction
Organizations all across the world are very concerned about data
protection and compliance. With the launch of the Service Trust Portal,
those striving to support or safeguard users' right to privacy in
Microsoft's online environment can now do so with more confidence.
Microsoft Cloud services are built on trust, security, and compliance.
The Microsoft Service Trust Portal provides various content, tools, and
other resources about Microsoft security, privacy, and compliance
practices.
Microsoft also helps organizations meet their privacy requirements
with Microsoft Priva. Priva helps organizations protect personal data
and build a privacy-resilient workplace.
In this chapter, you will study Service Trust Portal and its resources,
including audit reports, security assessments, and compliance guides
that enable organizations to manage compliance. You will learn about
Microsoft's commitment to privacy and its privacy principles. Lastly,
you will learn about Microsoft Priva, which helps organizations meet
their privacy goals.

Trust Center
The Trust Center is a shortcut to learning about everything Microsoft does
to earn and keep your trust. It links to information about security,
privacy, GDPR, data location, compliance, and more, so you can learn
how Microsoft implements security, privacy, and similar commitments.
The Trust Center demonstrates how Microsoft implements and
supports security, privacy, compliance, and transparency in all of its
cloud products and services, and the company's guiding principles for
preserving data integrity in the cloud. The Trust Center is a key
component of the Microsoft Trusted Cloud Initiative and offers
materials and assistance to legal and compliance audiences.
The Trust Center gives you:
Comprehensive details on the capabilities, offerings, rules,
and practices used by Microsoft cloud solutions in terms of
security, privacy, and compliance
Additional resources for every subject
Links to forthcoming events and the security, privacy, and
compliance blogs
A valuable resource for other people in your company who
might be involved in compliance, security, and privacy, such as
business managers, privacy and risk officers, and legal
compliance teams
Service Trust Portal (STP)
The Service Trust Portal, often known as STP, is a Microsoft website
that offers existing and prospective customers of Microsoft cloud
services a variety of information on how Microsoft maintains privacy,
compliance, and security.
Microsoft publishes on this platform the information that businesses
need to perform due diligence on and assess Microsoft's cloud services.
Microsoft introduced the portal to make customer assessments more
transparent, better understood, and simpler.
What is contained in the STP?
A lot of helpful data has been compiled from all of the Microsoft cloud
services and is available in the Microsoft Service Trust Portal (STP).
Additionally, it includes the information and tools that enterprises
require for everything related to security, compliance, and privacy.
The Service Trust Portal offers information, tools, and other resources
about Microsoft security, privacy, and compliance practices.
From the main menu, you access:

Figure 9-01: Service Trust Portal


Service Trust Portal – This link provides a quick way to get
back to the home page for the Service Trust Portal
Compliance Manager – This link currently directs users to
Compliance Manager in the Microsoft Purview compliance
portal. Users are encouraged to use the Microsoft Purview
compliance portal to access Compliance Manager and other
compliance management capabilities in Microsoft 365
Trust Documents – Trust Documents provides a wealth of
security implementation and design information to make it
easier for organizations to meet regulatory compliance
objectives by understanding how Microsoft Cloud services
keep customer data secure
Audit Reports provides a list of independent audit and
assessment reports on Microsoft's Cloud services. These
reports provide information about Microsoft Cloud service's
compliance with data protection standards and regulatory
requirements
Data Protection consists of a wealth of resources such as
audited controls, white papers, FAQs, penetration tests, risk
assessment tools, and compliance guides
Azure Stack contains documents that provide security and
compliance solutions and support tailored to the needs of
Azure Stack customers
Industries & Regions – This link provides access to
compliance information about Microsoft Cloud services
organized by industry and region
Industry Solutions directs users to the landing page for the
Financial Services industry. This includes information such
as compliance offerings, FAQs, and success stories
Regional Solutions provides documents on Microsoft
Cloud services compliance with the laws of various
countries/regions. Specific countries/regions include
Australia, Canada, the Czech Republic, Denmark, Germany,
Poland, Romania, Spain, and the United Kingdom.
Trust Center – The option links to the Microsoft Trust
Center, which provides more information about privacy,
security, and compliance in the Microsoft Cloud
Resources – This option links to Security & Compliance for
Office 365, the Microsoft Global Datacenters, and Frequently
Asked Questions
My Library – This feature lets you save documents so that
you can quickly view them on your My Library page
More - This option provides a selection for settings and user
privacy settings that are available only to Global
Administrators and relate to options associated with
Compliance Manager. Admins, however, are encouraged to
use the Microsoft Purview compliance portal
Accessing the STP
STP is free to use and is available both to organizations that already
subscribe to Microsoft online services and to those still evaluating
the platform.
Some resources, such as audit reports, require you to sign in with a
Microsoft cloud services account (either a Microsoft account or an
Azure Active Directory account) before you can view or download them.
After you sign in, you are prompted to accept Microsoft's
Non-Disclosure Agreement for Compliance Materials; click "Accept" to
proceed to the available tools and resources.

Microsoft's Privacy Principles


Introduction
The development and rising popularity of cloud computing bring up
crucial policy issues, such as geographical location, shared data storage,
transparency, access, and security. Cloud computing services and their
uptake are still constrained by competing legal duties and competing
claims of governmental jurisdiction over data usage. Different laws
governing data retention, privacy, and other topics are ambiguous and
present serious legal difficulties.
Since the introduction of the Microsoft Network in 1994, Microsoft has
been addressing privacy concerns relating to cloud computing and
online services. Microsoft remains dedicated to keeping its customers'
information private. Trustworthy privacy measures are crucial to
fostering cloud computing's growth and enabling it to realize its full
potential. Because of this, Microsoft carefully considered data
protection when developing Office 365, working with a specialized
team of privacy experts.
Privacy Principles
Microsoft's privacy principles and standards provide its staff with a
clear framework to ensure that data is managed responsibly. These
guidelines govern how customer and partner information is gathered
and used at Microsoft. Microsoft has invested significantly in an
extensive privacy governance program to put these values and
standards into practice. In addition to the many full-time privacy
professionals it employs, hundreds of other employees help ensure
that privacy policies, processes, and technologies are used across all
of Microsoft's products and services.
Microsoft's international privacy community also works to ensure that
its business divisions implement the company's privacy policies,
practices, and technology. As part of this community, engineers,
marketers, lawyers, and business executives collaborate with privacy
champions, leads, and managers to examine Microsoft products and
services and offer advice on privacy-related matters.
Microsoft's products and services run on trust. Microsoft's approach to
privacy is built on the following six principles:
Control: Put you, the customer, in control of your data and
privacy with easy-to-use tools and clear choices. Your control
over your data is reinforced by Microsoft's compliance with
broadly applicable privacy laws and standards
Transparency: Be transparent about data collection and use so
that everyone can make informed decisions. For example, the
Microsoft Online Services Subprocessor List discloses the
authorized subprocessors Microsoft uses, each of which is
audited against stringent security and privacy requirements in
advance; the list is available as one of the data protection
resources in the Service Trust Portal
Security: Protect the data that is entrusted to Microsoft by
using strong security and encryption. With state-of-the-art
encryption, Microsoft protects your data at rest and in
transit
Strong legal protections: Respect local privacy laws and
fight for legal protection of privacy as a fundamental
human right. Microsoft protects your data through clearly
defined and well-established response policies and processes,
solid contractual commitments, and, if necessary, the courts
No content-based targeting: Do not use email, chat, files, or
other personal content to target advertising
Benefits to you: When Microsoft does collect data, it is used
to benefit you, the customer, and to make your experiences
better. For example:
Troubleshooting: Preventing, detecting, and repairing
problems affecting the operation of services
Feature improvement: Ongoing improvement of
features, including increasing the reliability and protection
of services and data
Personalized customer experience: Data provides
personalized improvements and better customer
experiences

EXAM TIP: The privacy principles form Microsoft's privacy
foundation and shape how its products and services are designed.

Microsoft Priva
Privacy is critical for organizations and consumers today, and concerns
about managing private data are steadily increasing. Regulations and
laws impact people worldwide, setting rules for how organizations keep
personal data and giving people rights over the personal data an
organization has collected about them.
Organizations must take a "privacy by default" stance to meet
regulatory requirements and build customer trust. Instead of manual
processes and a patchwork of tools, organizations require a
comprehensive solution to address common challenges such as:
Helping users adopt sound data handling practices and
training them to identify and solve issues
Understanding the risks in the amount and type of personal
data they store and share
Fulfilling subject data requests, or subject rights requests,
efficiently and on-time
Microsoft Priva helps you meet these challenges to achieve your
privacy goals. Priva's capabilities are available through two
solutions: Priva Privacy Risk Management, which provides visibility
into your organization's data and policy templates for reducing risks;
and Priva Subject Rights Requests, which provides automation and
workflow tools for fulfilling data requests.
Priva Privacy Risk Management
Microsoft Priva helps you manage the data your organization keeps by
automating the discovery of personal data assets and visualizing
essential information. These visualizations can be seen on the overview
and data profile pages, currently accessible through the Microsoft
Purview compliance portal.
The overview dashboard offers an overview of your organization's data
in Microsoft 365.
Figure 9-02: Priva Privacy Risk Management
The data profile page in Priva provides a snapshot view of your
organization's personal data stores in Microsoft 365 and where it lives.
It also gives a view into the types of data you store.
Figure 9-03: Data Profile
Priva evaluates your organization's data stored in the following
Microsoft 365 services within your Microsoft 365 tenant:
Exchange Online
SharePoint Online
OneDrive for Business
Microsoft Teams
Privacy Risk Management in Microsoft Priva also allows you to set up
policies that detect privacy risks in your Microsoft 365 environment
and make remediation easy. Privacy Risk Management policies are
intended as internal guides and can help you:
Identify overexposed personal data so that users can protect
it
Identify and limit transfers of personal data across
departments or regional borders
Help users detect and reduce the amount of unused personal
data you store
Priva Subject Rights Requests
Under certain privacy regulations around the world, individuals (or data
subjects) may make requests to review or manage the personal data
about themselves that companies have collected. These requests are
sometimes referred to as Data Subject Requests (DSRs), Data Subject
Access Requests (DSARs), or consumer rights requests. Finding the
relevant data can be a formidable task for companies that store large
amounts of information.
Microsoft Priva can help you handle these inquiries through the
Subject Rights Requests solution. It provides workflow, automation,
and collaboration capabilities to help you search for subject data,
review your findings, collect the appropriate files, and produce reports.

Mind Map

Figure 9-04: Mind Map

Practice Questions

1. When browsing Microsoft compliance documentation in the
Service Trust Portal, you have found several documents that are
specific to your industry. What is the best way of ensuring you keep
up to date with the latest updates?
A. Save the files to your My Library
B. Print each document so you can easily refer to them
C. Download each document
D. None of the above
2. Microsoft's approach to privacy is built on six principles: Three of
the principles are strong legal protections for privacy, no content-
based targeting, and benefits to customers from any data we collect.
Identify the three other principles part of Microsoft's approach to
privacy.
A. Customer control, transparency, and security
B. Shared responsibility, transparency, and security
C. Customer control, transparency, and zero trust
D. None of the above
3. Microsoft Cloud services are built on a foundation of ________.
A. Trust
B. Security
C. Compliance
D. All of the above
4. Microsoft's approach to privacy is built on the ______ principles.
A. Three
B. Four
C. Five
D. Six
5. Priva's capabilities are available through ________ solutions.
A. One
B. Two
C. Three
D. Four
Chapter 10: Identify Licensing Options Available in Microsoft 365

Introduction
Microsoft 365 is available through various licensing models and home,
business, enterprise, and subscription plans. These options let you
choose the best model and plan for your management and operational
needs. By choosing the optimum subscription and license, you can be
sure that the functionality you need is in the most cost-effective
package.

Explore the Pricing Model for Microsoft Cloud Services


Microsoft offers various licensing programs and channels where you
can buy Microsoft 365 products and services. These programs include
Microsoft Volume Licensing (VL), Cloud Solution Provider Program
(CSP), or Web Direct Programs (MOSP). For example, in Volume
Licensing, Microsoft 365 is available for customers through the
Enterprise Agreement (EA). If you need a dedicated expert to
provide hands-on support, Microsoft has many qualified partners in
their Cloud Solution Provider (CSP) program who can help.
Cloud Solution Provider Model
The Cloud Solution Provider (CSP) model is a Microsoft partner
program that provides the expertise and services you need through an
expert CSP partner.
Your Microsoft 365 subscription is provided through a CSP partner
who can manage your entire subscription and provide billing and
technical support. The CSP partner is granted delegated admin
privileges in your tenant, which allow them to support, configure,
and manage licenses and settings directly. Because this gives a third
party administrative access to your tenant, review the permissions
you delegate to the partner and verify them periodically. The CSP
partner can also provide extra consultancy and advice to meet security
and productivity targets. Furthermore, other Microsoft cloud-based
products and services, such as Microsoft Azure services and
Dynamics 365, can be added to your subscription.
The Cloud Solution Provider (CSP) program provides a pay-as-you-go
subscription model with per-user, per-month pricing that lets your
business scale up or down from month to month as your needs
change.
Enterprise Agreements
The Microsoft Enterprise Agreement (EA) is designed for
organizations that want to license software and cloud services for a
minimum three-year period. The Enterprise Agreement offers the
best value to organizations with 500 or more users or devices. One of
the benefits of the Enterprise Agreement is manageability: it gives
you the flexibility to bring cloud services and software licenses
under a single organization-wide agreement. Another benefit is that
your organization can get 24x7 technical support, planning services,
end-user and technical training, and unique technologies with
Software Assurance.

Explore the Billing and Bill Management Options


Microsoft Billing Account
When you sign up to try or buy Microsoft products, a billing account
is created. You use your billing account to manage your account
settings, invoices, payment methods, and purchases. You can have
access to several billing accounts. For instance, you might have access
to your company's Enterprise Agreement, Microsoft Products & Services
Agreement, or Microsoft Customer Agreement, or you might have
signed up for Microsoft 365 directly. Each of these situations has its
own billing account.
Billing Account Options
The Microsoft 365 admin center currently supports the following
billing account types:
Microsoft Online Services Program: This billing account
is created when you sign up for a Microsoft 365 subscription
directly through the Microsoft Online Services Program
Microsoft Products & Services Agreement (MPSA)
Program: This billing account is created when your
organization signs an MPSA Volume Licensing agreement to
purchase software and online services
Microsoft Customer Agreement: This billing account is
created when your organization works with a Microsoft
representative, an authorized partner, or purchases
independently
Your Microsoft business accounts are displayed on the Billing accounts
page. Your business automatically has at least one billing account
connected to an agreement that was accepted through a direct
purchase or as part of a volume licensing agreement.
Bill Management
Microsoft 365 billing is managed from the Microsoft 365 admin
center. The admin center allows you to manage subscriptions, view
billing statements, update payment methods, change your billing
frequency, and more. The following list defines in further detail what
can be reviewed and modified in the Microsoft 365 admin center:
Upgrade, renew, reactivate or cancel subscriptions
View the number of purchased licenses. Also, see how many
of those licenses are assigned to individual users for each
service
View a bill, invoice, and past billing statements
Modify payment methods like updating, deleting, replacing,
and adding other payment types. Payment options can
include credit or debit card, bank account, or pay by invoice
using a check or Electronic Funds Transfer (EFT)
Modify your billing frequency to monthly or annual billing
Buy and manage other services or features. For example,
depending on your Microsoft 365 subscription, you can add
on Advanced eDiscovery storage, Microsoft Defender for
Office 365, Microsoft Teams Calling Plan, and more
Manage your billing notification emails and invoice
attachments, such as the list of email accounts of who
should receive automated billing notifications and renewal
reminders for the subscription

Figure 10-01: Bill Management

Explore the Available Licensing and Management


Options
Subscription Plans
The pricing associated with your account depends on the subscription
and the number of licensed users. Microsoft 365 offers various
subscription plans for home users and organizations and various
licensing options to meet your needs. Each service has a specified
price that is typically rated on a per-user, per-month basis. The
following list describes the subscription plans offered:
Microsoft 365 for home consists of Microsoft 365
Personal and Microsoft 365 Family. Personal is for a single
person with multiple devices, and family is for up to six
people
Microsoft 365 Education is for educational institutions and has
separate plans for faculty and for students, each offered in three
tiers with different features: A1, A3, and A5
Microsoft 365 Government is for government institutions
and has three subscription tiers with different features: G1,
G3, and G5
Microsoft 365 Business is for small to medium-sized
organizations with up to 300 employees. It has four
subscription tiers that include different features: Apps for
Business, Business Basic, Business Standard, and Business
Premium
Microsoft 365 for frontline workers is designed to
empower and optimize frontline impact. It has three
subscription tiers that include different features: F1, F3, and
F5
Microsoft 365 Enterprise is for enterprise-sized
organizations and has four subscription tiers that include
different features: Apps for Enterprise, E3, E5, and F3
Licenses
A license allows your users to use the features and services included
in the subscription plan. Microsoft 365 products and services are
available as User Subscription Licenses (USLs) and are licensed on a
per-user basis. The following list describes the options available:
Full USLs are for new users who have not previously paid for
Microsoft products and services
Add-on USLs are for on-premises software customers who
want to add Microsoft 365 cloud products and services
From SA USLs are for on-premises Software Assurance
customers who want to transition to the cloud
Step Up USLs are for customers who want to upgrade their
service level
Each user accessing Microsoft 365 products and services must be
assigned a USL. Administrators manage licenses in the Microsoft 365
admin center, and they can assign the licenses to individual users or
guest accounts.
Types of add-ons
Microsoft 365 business plans have add-ons you can purchase for your
subscriptions; add-ons provide more capabilities to enhance your
subscription. There are two kinds of add-ons:
Traditional add-ons are connected to a specific
subscription; the linked add-on is canceled if you cancel the
subscription
Standalone add-ons appear as a separate subscription on
the products page within the Microsoft 365 admin center.
They have their own expiration date and are managed the same
way you would manage any other subscription

Group-based Licensing
Group-based licensing automatically assigns or removes licenses for a
user account based on the membership of a group. Dynamic group
membership adds or removes group members based on user account
attributes such as Department or Country, so license assignment can
follow organizational changes without manual intervention.
Group-based Licensing in Azure Active Directory
Licenses are required for Microsoft's paid cloud services such as
Dynamics 365, Enterprise Mobility + Security, and Microsoft 365. Each
user who requires access to these services must be assigned a license.
Administrators manage licenses with PowerShell cmdlets and through
one of the administration portals (the Microsoft 365 admin center or
the Azure portal). Azure Active Directory (Azure AD) is the
foundational technology that provides identity management for all
Microsoft cloud services, and it stores each user's license assignment
state.
Traditionally, licenses could only be assigned to individual users,
which is hard to manage at scale. An administrator often had to write
a complex PowerShell script that added or removed user licenses in
response to organizational changes, such as users joining or leaving
the company or a department, calling the cloud service one user at a
time.
Group-based licensing in Azure AD addresses these issues. One or more
product licenses can be assigned to a group, and Azure AD ensures that
the licenses are applied to every member of the group. New members
receive the appropriate licenses as soon as they join the group, and
those licenses are removed when they leave the group. With this
licensing model, it is no longer necessary to automate license
management with PowerShell on a per-user basis to keep up with
changes in organizational and departmental structure.
Licensing Requirements
Each user who receives a license through group-based licensing must
have one of the following licenses:
Azure AD Premium P1 or above, whether paid or trial
Microsoft 365 Business Premium, Office 365 Enterprise E3,
Office 365 A3, Office 365 GCC G3, Office 365 E3 for GCCH,
or Office 365 E3 for DOD and above, whether paid or trial
Required Number of Licenses
You must have a license for each unique member of every group to
which a license has been assigned. You do not have to assign a license
to each group member directly, but you need enough licenses to cover
everyone. For instance, if your tenant has 1,000 unique members
across licensed groups, you must have at least 1,000 licenses to comply
with the licensing agreement.
Features
The key characteristics of group-based licensing are as follows:
In Azure AD, licenses can be allocated to any security group.
Using Azure AD Connect, security groups from on-premises
may be synchronized. Additionally, you can automatically
build security groups using the Azure AD dynamic group
functionality or directly in Azure AD (also known as cloud-
only groups).
The administrator can disable one or more of the product's
service plans when a product license is given to a group.
This task is typically performed when the company is not
yet prepared to begin employing a service that is a part of a
product. For instance, the administrator might provide a
department access to Microsoft 365 while momentarily
turning off the Yammer service.
Support is provided for all Microsoft cloud services that
demand user-level licensing. All Microsoft 365 products,
Enterprise Mobility + Security, and Dynamics 365 are all
supported by this service.
Only the Azure portal presently offers group-based
licensing. You may continue to manage users and groups
using other administration portals, such as the Microsoft
365 admin center. However, if you want to manage licenses
at the group level, use the Azure portal.
Changes in group membership that result in license
revisions are automatically managed by Azure AD. Usually,
licensing changes take effect right away after a membership
change.
A user may belong to several groups with different license
policies. A user may also possess some licenses that were
given to them directly, independently of any groups. All
allocated product and service licenses combine to form the
user state that is the end outcome. The same license will
only be used once if a user is given it from several sources.
Licenses occasionally cannot be given to a user. For instance,
there might not be enough licenses available in the tenant,
or potentially conflicting services may have been assigned
concurrently. Information about users for whom Azure AD
was unable to fully process group licenses is available to
administrators. Based on that knowledge, they can then
take appropriate action.
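The following Microsoft Graph PowerShell script is an added example, not code from this book or from Microsoft's documentation. It walks through the group-based licensing flow described above: check that enough licenses exist for every unique group member, assign a product license to a security group while disabling one service plan (the Yammer case mentioned above), and then list members whose license Azure AD could not apply. The group name Lic-M365-E5, the SKU part number SPE_E5 (Microsoft 365 E5) and the plan name YAMMER_ENTERPRISE are assumed tenant values; the hasMembersWithLicenseErrors filter and the Get-MgGroupMemberWithLicenseError cmdlet are assumed to be available in the installed Microsoft.Graph module version.

```powershell
# Added example: group-based licensing with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin holds a role
# that can manage licenses and groups. Group/SKU/plan names below are assumed values.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.ReadWrite.All", "Organization.Read.All"

$sku    = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "SPE_E5"          # assumed SKU
$yammer = ($sku.ServicePlans | Where-Object ServicePlanName -eq "YAMMER_ENTERPRISE").ServicePlanId
$group  = Get-MgGroup -Filter "displayName eq 'Lic-M365-E5'"                          # assumed group

# 1. Capacity check: every unique member of a licensed group must be covered by a purchased unit.
$members   = Get-MgGroupMember -GroupId $group.Id -All
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($members.Count -gt $available) {
    Write-Warning ("Group has {0} members but only {1} unassigned {2} licenses remain" -f
        $members.Count, $available, $sku.SkuPartNumber)
}

# 2. Assign the SKU to the group with the Yammer plan disabled. Azure AD now licenses current
#    members and every future member, and removes the license when a user leaves the group.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @($yammer) }) `
    -RemoveLicenses @()

# 3. Surface members Azure AD could not license (not enough units, conflicting service plans).
#    Assumption: the installed module supports this filter and cmdlet.
Get-MgGroup -All -Filter "hasMembersWithLicenseErrors eq true" | ForEach-Object {
    $g = $_
    Get-MgGroupMemberWithLicenseError -GroupId $g.Id | ForEach-Object {
        $u = Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, LicenseAssignmentStates
        $u.LicenseAssignmentStates |
            Where-Object { $_.State -eq "Error" -and $_.AssignedByGroup -eq $g.Id } |
            ForEach-Object {
                "{0}: SKU {1} via group '{2}' failed: {3}" -f $u.UserPrincipalName, $_.SkuId, $g.DisplayName, $_.Error
            }
    }
}
```

Step 3 is the part worth keeping as a scheduled check: a user who silently fails group licensing loses access without anyone being alerted, and the LicenseAssignmentStates error string (for example a count or mutual-exclusion violation) tells you whether to buy more units or fix a conflicting direct assignment.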

Mind Map
Figure 10-02: Mind Map

Practice Questions
1. With the Cloud Solution Provider (CSP) model, who provides your
subscription?
A. A CSP partner provides it
B. It is provided directly from Microsoft
C. A retail store provides it
D. All of the above

2. Which of the following portals allows modifying the
payment method and frequency of a Microsoft 365 subscription?
A. Microsoft 365 Subscription Center
B. Microsoft 365 Security Center
C. Microsoft 365 Admin Center
D. All of the above

3. Which of the following Microsoft 365 subscription plans is
appropriate for companies with under 300 employees?
A. Microsoft 365 Enterprise
B. Microsoft 365 Business
C. Microsoft 365 Education
D. All of the above

4. The Enterprise Agreement offers the best value to organizations
with _______ or more users or devices.
A. 200
B. 300
C. 400
D. 500

5. There are ______ types of add-ons.
A. One
B. Two
C. Three
D. Four
Chapter 11: Describe Support Offerings for Microsoft 365 Services

Introduction
Support plays an important role in the cloud environment. As we have
learned, at least some portion of infrastructure management moves to
the cloud provider when you move to the cloud. When something goes
wrong, you must be able to get the help you need to keep your
applications available. It is also important to understand what level of
support is provided for specific services, particularly services that
are in preview and not yet generally available.
Microsoft is committed to helping you get the best out of your
Microsoft 365 services. You can rely on easy-to-access support options
with Microsoft 365 to help your organization remain productive and
efficient. Microsoft 365 services guarantee your organization's service
level through Service Level Agreements. When you need help using
Microsoft 365, create or view an existing support request through the
Microsoft 365 admin center. Your organization also benefits from
transparent service health status updates on your Microsoft 365
products and services. Lastly, your organization can use open feedback
sharing to help improve products and services based on user
experience.

Explore Support Options for Microsoft 365 Services


Administrators and users in your organization might find it
challenging to resolve issues independently. Knowing they can receive
assistance for Microsoft 365 services whenever they need it through
various support options is helpful.
The support option chosen to deal with a particular issue depends on:
The tool or service where the issue has arisen
The type of subscription your organization uses
The kind of support your organization needs
Your organization can get access to support in the following ways:
Table 11-01: Support Options
Explain Service Level Agreement (SLA) Concepts
Organizations need to know that the products and services they use
are reliable and secure. Microsoft 365 services guarantee the level of
service for your organization. The level of service is detailed in a legal
agreement referred to as a Service Level Agreement. Microsoft details
its commitment to provide and maintain agreed service levels for
Microsoft 365 services through its Service Level Agreement for
Microsoft Online Services.
In addition to the Microsoft Online Services SLA, your organization
can also take advantage of the Service Level Agreement with your
Cloud Solution Provider (CSP). The service guarantees provided for
Microsoft 365 services vary between CSPs.
The Microsoft Online Services SLA introduces several concepts:
Table 11-02: Service Level Agreement
Microsoft is confident in its commitment to service levels. The
percentage of service credit your organization can receive is linked to
your monthly uptime percentage. For example, if downtime has
resulted in a monthly uptime percentage lower than 95 percent, your
organization could receive a 100% service credit. The table describes
the monthly uptime percentage and corresponding service credit:
Monthly Uptime Percentage | Service Credit

Table 11-03: Uptime Percentage Service Credit


Your organization should always review all Service Level Agreements
and ask questions, including the following list:
If you are using a CSP, how does it determine service levels
and whether they are achieved or not?
Who is responsible for reports? How can your organization
access reports?
Are there any exceptions in the agreement?
What does the agreement say about both unexpected and
scheduled maintenance?
What does the agreement say about what happens if your
infrastructure goes down because of an attack? What about
natural disasters and other situations outside of your
control?
Does the agreement cover non-Microsoft service or system
failures?
What are the limits to the cloud service provider's liability in
agreement?

Office 365 Support
Microsoft offers a range of plans to help you get the assisted support
you need, including pay-per-incident options and premium support
that is available around the clock.
Your Microsoft Office 365 subscription includes basic technical support,
which you can request through the Microsoft Office 365 online portal.
For extra services and quicker response times, you can buy Microsoft
Office 365 support plans directly from Microsoft or through volume
licensing programs.

Microsoft 365 Technical Support


Technical support is included with Microsoft 365. However, when
purchased alone or as part of a Microsoft 365 service plan, the
following restrictions apply to Microsoft 365 subscription support for
Microsoft 365 Apps for enterprise or Microsoft 365 Apps for business.
Professional assistance covers most break-fix issues or technical issues
you encounter while using Microsoft 365 Apps. A term used in the
industry, "break-fix," describes the "effort involved in supporting a
technology when it fails in the normal course of its function and needs
the assistance of a support organization to be returned to working
order."
The following problems are not covered by professional support:
Customer suggestions regarding product attributes
Onsite support
Root cause investigation (investigation of the cause of the
issue)
Ensuring that third-party gear or products integrate properly
with Microsoft 365 Apps.
Data Recovery
Developer support for Office Add-ins, Visual Basic for
Applications, Microsoft Access, or Publisher, including writing,
reviewing, and debugging user-generated code
Extensive investigation of performance problems
Extensive troubleshooting when a product freezes or crashes

Identify How to Track the Service Health Status


View Health Status of Microsoft 365 Services
An organization must know the health status of the Microsoft 365
services. Your organization's administrators can use the Microsoft 365
admin center to view the current health status of each of your
Microsoft 365 services and tenant. They can also view the history of
services that have been affected in the last 30 days and information
about current outages or disruptions to services. Checking the service
health first tells you whether you are dealing with a known issue that
Microsoft is already working on, so you do not have to spend time
troubleshooting or calling support.
To view service health, go to the Microsoft 365 admin center.
Select health under the left navigation pane, then Service health. You
can also select the service health card on the home dashboard.
Figure 11-01: Health Status
If your organization is experiencing a service issue, your administrators
can report it by going to Reported Issues, selecting Report an issue,
and completing a short form. Administrators can also view specific
details about other service issues, like what kind of impact an issue
may have on the service, by selecting Incidents or Advisories.
Figure 11-02: Service Health
Keep track of incidents
Your organization can set up notifications for any new incidents or
updates to any active incidents that might affect your organization.
Microsoft will provide two different types of notifications:
Unplanned downtime - Where an incident has caused a
service to become unresponsive or unavailable
Planned maintenance - Where Microsoft regularly carries
out service updates to the software and infrastructure that
run services
Microsoft also analyzes unplanned service incidents for you
through Post-Incident Reviews. Through these reviews, you will
receive a preliminary review within the first two days of incident
resolution and a final review within five business days. Final Post-
Incident Reviews will detail the following information:
How you might have been impacted, and how the user
experience was impacted
A date and time breakdown detailing when an incident
started and when it was resolved
An analysis of the root cause and what actions are to be
carried out to prevent the incident in the future
Your organization can keep track of the health status of services in
different ways:

Table 11-04: Track Services
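The admin center view described above is also exposed through the Microsoft Graph service communications API, which is what you would use to feed service health into your own monitoring or ticketing tools. The following is an added example, not code from the book or from Microsoft: it parses a constructed response shaped like the Graph `GET /admin/serviceAnnouncement/issues` result and reproduces the triage questions the text raises (what is an active incident versus an advisory, what happened in the last 30 days, and whether there is already a known issue before you open a ticket). The field names (`classification`, `status`, `isResolved`, `startDateTime`, `service`) are assumed from the Graph `serviceHealthIssue` resource; the IDs, dates, and titles are constructed, and no network call is made.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the Graph serviceAnnouncement/issues
# response. IDs, dates and titles are made up; field names are ASSUMED
# from the Graph serviceHealthIssue resource.
SAMPLE_ISSUES_JSON = """
{"value": [
  {"id": "EX-CONSTRUCTED-001", "service": "Exchange Online", "classification": "incident",
   "status": "serviceInterruption", "isResolved": false,
   "startDateTime": "2023-04-14T08:00:00Z", "endDateTime": null,
   "title": "Users can't access mailboxes"},
  {"id": "TM-CONSTRUCTED-002", "service": "Microsoft Teams", "classification": "incident",
   "status": "postIncidentReviewPublished", "isResolved": true,
   "startDateTime": "2023-04-01T13:00:00Z", "endDateTime": "2023-04-01T16:30:00Z",
   "title": "Meeting join delays"},
  {"id": "SP-CONSTRUCTED-003", "service": "SharePoint Online", "classification": "advisory",
   "status": "serviceDegradation", "isResolved": false,
   "startDateTime": "2023-03-01T09:00:00Z", "endDateTime": null,
   "title": "Search results may be delayed"},
  {"id": "OD-CONSTRUCTED-004", "service": "OneDrive for Business", "classification": "incident",
   "status": "serviceRestored", "isResolved": true,
   "startDateTime": "2023-02-01T02:00:00Z", "endDateTime": "2023-02-01T05:00:00Z",
   "title": "Sync failures"}
]}
"""

# Fixed "now" so the 30-day window in this example is reproducible.
SAMPLE_NOW = datetime(2023, 4, 15, 12, 0, tzinfo=timezone.utc)


def parse_time(value):
    """Graph returns ISO-8601 with a trailing Z; fromisoformat wants +00:00."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_issues(raw_json):
    return json.loads(raw_json)["value"]


def active_issues(issues, classification=None):
    """Open issues, optionally limited to 'incident' or 'advisory'."""
    return [
        i for i in issues
        if not i["isResolved"] and (classification is None or i["classification"] == classification)
    ]


def recent_history(issues, now, days=30):
    """Issues that started within the last `days` days (the admin center shows 30)."""
    cutoff = now - timedelta(days=days)
    return [i for i in issues if parse_time(i["startDateTime"]) >= cutoff]


def summarize_by_service(issues):
    """Count open incidents and advisories per service for a quick triage view."""
    summary = {}
    for i in issues:
        if i["isResolved"]:
            continue
        counts = summary.setdefault(i["service"], {"incident": 0, "advisory": 0})
        counts[i["classification"]] += 1
    return summary


def known_issue_for(issues, service):
    """Before opening a ticket: IDs of open issues already reported for this service."""
    return [i["id"] for i in active_issues(issues) if i["service"] == service]


if __name__ == "__main__":
    issues = load_issues(SAMPLE_ISSUES_JSON)
    for svc, counts in summarize_by_service(issues).items():
        print(f"{svc}: {counts['incident']} incident(s), {counts['advisory']} advisory(ies)")
    print("Known Exchange issues:", known_issue_for(issues, "Exchange Online"))
```

Reading this data requires an app or user with the `ServiceHealth.Read.All` Graph permission; that is the least-privilege scope for a health dashboard, so avoid granting broader directory permissions to a monitoring integration just to read service health.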


For example, to protect and keep your organization's data available,
Microsoft does the following:
Data storage redundancy - Microsoft stores your data
through multiple levels of redundancy using data replication
and secure data protection capabilities. These capabilities
make it possible to ensure rapid availability and recovery of
your data
Monitoring data - Your databases are monitored for you,
and your data is monitored for packet loss, latencies in
queries, and more
Preventative measures - Microsoft regularly carries out
checks for database consistency, reviews of error logs, and
more

Explore How Organizations Share Feedback on Microsoft 365 Services

There is always room for modification, and Microsoft is committed to
improving its services. Your organization's administrators and users
often have great insight into how specific elements of products and
services can be improved based on their daily experiences. Microsoft
encourages idea sharing to improve products and services for
everybody.
Microsoft has various channels for you to submit feedback about
Microsoft 365 products and services. For example, if you are
using feedback from the community feedback web portal, you can
submit new feedback directly within the web portal. Community
feedback is publicly displayed within different forums. You can
participate in existing feedback by voting or commenting on existing
topics. Review your submitted feedback, impact, and status by viewing
official responses from the Microsoft product teams.
The following list defines the ways you can communicate directly with
Microsoft:
Feedback
In-product experiences
Windows Feedback Hub
Microsoft Tech Community
Microsoft Store
UserVoice forums
Take advantage of these sites to share your thoughts and help improve
Microsoft products and services for your organization and other users
worldwide.

Mind Map

Figure 11-03: Mind Map

Practice Questions

1. How can your organization receive on-site support from Microsoft?


A. Community-Based Support
B. Proactive Support
C. Premier Support
D. All of the above

2. Who is responsible for submitting a claim for service credit?


A. The cloud service provider
B. Your organization
C. Microsoft
D. All of the above

3. Which portals below can you use to view the current health status
of your Microsoft 365 services and tenant?
A. Microsoft 365 Security Center
B. Microsoft 365 Compliance Center
C. Microsoft 365 Admin Center
D. All of the above

4. What is the best place to share ideas about improving a feature for
Microsoft 365 products and services?
A. Comment on Microsoft's social media posts
B. Create a support ticket through the Microsoft 365 admin center
C. Create a post in the feedback web portal
D. All of the above

5. Microsoft will provide _____ different types of notifications.


A. One
B. Two
C. Three
D. Four
Chapter 12: Describe the Service Life Cycle in Microsoft 365

Introduction
Every product or service has a lifecycle, including those in Microsoft
365. Microsoft envisions, designs, develops and tests everything
internally. Once these features, products, and services are mature
enough, they are made available to evaluate and test by users in a
preview release. After the tests succeed, the feature, product, or service
is released and generally available. Over time, as more product releases
occur, older products and services can no longer be supported, and
they will reach the end of support. Your organization can stay current
on the feature, product, and service updates and releases by using the
Microsoft 365 Roadmap.
Service Life Cycle
Microsoft 365 is an evergreen product that is always being improved.
Development, testing, and release of new features occur often. In
comparison to conventional software, Microsoft 365 has a different life
cycle.
Microsoft Lifecycle offers uniform and predictable principles for
support throughout a product's life, assisting clients in managing their
IT investments and environments while making long-term plans.

Describe Private, Public Preview, and General Availability Releases

A product or service lifecycle typically has three phases:
1. Private Preview
2. Public Preview
3. General Availability (GA)
When a product or service retires, it reaches the end-of-support
phase.
Private preview
In this phase, Microsoft might release a product or service to a limited
number of users to test and evaluate new features or functionality. This
phase does not include legal support. Typically, users can sign up to be
members of a private preview, but the preview release is not made
available to the public.
Public preview
In this phase, Microsoft typically releases public previews of products
and services before their GA release to receive suggestions from a wide
range of users. They are marked as previews and include beta or pre-
release features and services. Doing this allows users to explore and
test upcoming functionality. Users may also receive some limited
support depending on the product or service.
General Availability (GA)
After the public preview is completed, Microsoft releases the product
or service. The product or service becomes available to all customers
with proper support, known as the release version. The products and
services in this phase have been through complete development and
test lifecycle to ensure stability and reliability. With Microsoft 365, new
features are periodically added to the products and services. It is
helpful for IT developers and administrators to be aware of preview
features before they have their general availability released.
Organizations can then educate users about these new features, ensure
products are used optimally and be aware of the change in existing
functionality.
End of support
Eventually, older products or retired services can no longer be
supported, and they will reach the end of support. Once that happens,
the product or service will no longer receive updates or assisted
support. Customers are encouraged to shift to the latest version.

Describe the Modern Lifecycle Policy


Microsoft 365 is covered by the Modern Lifecycle Policy. The policy
includes products and services that are serviced and supported
continuously. Products and services managed by the Modern Lifecycle
Policy are supported as long as the following criteria are met:
Customers stay current as per the servicing and system
requirements published for the product or service. Staying
current means that customers accept and apply all servicing
updates for their products and services
Customers must be licensed to use the product or service
Microsoft must currently offer support for the product or
service
Under the Modern Lifecycle Policy, Microsoft gives a minimum of 12
months' notice before ending support for products. These notifications
do not include any free services or preview releases.

Utilize the Microsoft 365 Roadmap Portal to Learn About Upcoming Features

Your organization can plan for the future with the Microsoft 365
Roadmap. Microsoft regularly includes updates for its products and
services in the Microsoft 365 roadmap. The roadmap is the central
location for business decision-makers, IT professionals, and anyone
interested in seeing what is coming. It was formed to help you plan,
communicate changes, and fully utilize your Microsoft 365
subscription.
The roadmap displays feature cards that include the title, status,
release dates, product category, platform, and cloud instance. The
roadmap also groups the features into three update phases:
1. In development
2. Rolling out
3. Launched

Figure 12-01: Microsoft 365 Roadmap


The following list describes what the Microsoft 365 Roadmap allows
you to do:
Search by product, keyword, or feature ID
Filter by product, release phase, cloud instance, platform, or
new or updated
Sort by general availability date or newest to oldest
Download the current features in development as a CSV file
View additional information about each update
Use the RSS feed to be notified of feature updates in real-
time
Share an entire roadmap page or email a single feature

Mind Map

Figure 12-02: Mind Map

Practice Questions
1. Which phase of a product is the release version?
A. Private Preview
B. Public Preview
C. General Availability (GA)
D. All of the above
2. What is the minimum amount of months Microsoft will give
notice before ending support for products under the Modern
Lifecycle Policy?
A. 6 months
B. 12 months
C. 24 months
D. None of the above

3. What three phases does a feature have in the Microsoft 365
Roadmap?
A. In Development, Launched, Retired
B. In Development, Rolling Out, Launched
C. In Development, Testing, Launched
D. All of the above

4. The roadmap groups the features into _______ update phases.


A. One
B. Two
C. Three
D. Four

5. A product or service lifecycle typically has __________ phases.


A. One
B. Two
C. Three
D. Four
Chapter 13: Mobile Device Management

Introduction
This chapter focuses on implementing Mobile Device Management
(MDM) in Microsoft 365. Before the introduction of MDM solutions,
companies traditionally joined desktop devices to on-premises AD DS
and managed them through Group Policies and Configuration
Manager. But in today's world, users employ desktops and various
devices. Most devices are mobile, and they are used from anywhere.
They are often not connected to the company network, and some run
non-Windows operating systems. In many cases, joining such devices
to an on-premises AD DS is unsuitable or not even possible.
In this chapter, you will learn that Mobile Device Management
manages all popular mobile devices without joining them to an on-
premises AD DS. To manage a device with MDM, enroll it in your
MDM solution; with Microsoft's solutions, that means enrolling it in
Intune or Basic Mobility and Security. After the device is enrolled in
MDM, you can still manage
it through group policies and profiles if you want. However, MDM
provides more device management features not available in on-
premises AD DS, such as device compliance and Conditional Access.
An organization should first plan its MDM solution before deploying
MDM, enrolling devices in it, and managing device compliance. This
chapter will examine the features of effective MDM planning, including
the built-in capabilities of mobile device management for Microsoft
365, a comparison of Microsoft's two MDM solutions, policy settings
for mobile devices, and controlling email and document access.
This following section will examine the two MDM authority solutions
included in Microsoft 365 - Microsoft Intune and Basic Mobility and
Security. It will also compare the essential features of Microsoft Intune
and Basic Mobility and Security. You will learn about the policy settings
for mobile devices in each solution.

Device Management Overview


Protecting and securing the data and resources of an organization on
devices within that organization is a crucial responsibility of any
Administrator. Device management is the task at hand. Users use
personal accounts to send and receive email, access websites when
dining out and at home, and download apps and games. Students and
employees are also among these users. They desire easy access to work
and school resources on their devices, such as email and OneNote. In
addition to keeping users' access to these resources simple across all of
their various devices, it is your responsibility as an administrator to
keep them safe.
Organizations may use device management to safeguard their data and
resources from various devices.
A business can ensure that only authorized individuals and devices
have access to confidential information by using a device management
provider. Likewise, users who know their smartphone meets their
organization's security criteria can access work data from their
phone with confidence. As an organization, you might ask, "What
should we use to secure our resources?"
Microsoft Intune is the answer. Intune provides both mobile device
management (MDM) and mobile application management (MAM).
Some essential duties of any MDM or MAM solution
include:
Support a variety of mobile environments and safely manage
Windows, macOS, Android, iOS, and iPadOS devices.
Check that devices and apps adhere to the security standards
set by your company.
Make policies to protect your company's data on both
company-owned and personal devices.
Use a single, integrated mobile solution to manage users,
groups, devices, apps, and enforcement of these policies.
Control how your staff accesses and shares data to protect
the information that belongs to your business.
Intune integrates with Microsoft Azure, Microsoft 365, and Azure
Active Directory (Azure AD). Azure AD makes it easier to control who
has access and what they can access.
Microsoft Intune
Microsoft is just one of many companies that utilize Intune to protect
confidential information that users access from both company-owned
and personal devices. Software update guidelines, installation statuses,
and device and app configuration standards are all part of Intune
(charts, tables, and reports). These tools support you in securing and
managing data access.
People frequently own several devices that run on several platforms.
For instance, a worker might use a Surface Pro for work and an Android
smartphone or tablet for personal use. People frequently use these
various devices to access corporate resources like Microsoft Outlook
and SharePoint.
You may manage many devices per person with Intune and the various
operating systems that each device runs, including iOS/iPadOS,
macOS, Android, and Windows. By device platform, Intune divides
policies and settings. Therefore, managing and viewing devices for a
certain platform is simple.
Microsoft's documented common scenarios are a useful resource for
seeing how Intune addresses typical issues when working with mobile
devices. There are scenarios related to:
Email security using on-premises Exchange
Safe and secure Microsoft 365 access
Accessing organizational resources through personal devices

Explore Mobile Device Management


This section examines how to implement Mobile Device Management
(MDM) in Microsoft 365. Before the introduction of MDM solutions,
companies traditionally joined desktop devices to on-premises AD DS
and managed them through Group Policies and Configuration
Manager. But in today's world, users are employing not only desktops
but a wide assortment of devices. Most devices are mobile, and they are
used from anywhere. They are often not connected to the company
network, and some run non-Windows operating systems. In many
cases, joining such devices to an on-premises AD DS is unsuitable or
not even possible.
Mobile Device Management manages all popular mobile devices
without joining them to an on-premises AD DS. To manage a device
with MDM, you just need to enroll it in your MDM solution; with
Microsoft's solutions, that means enrolling it in Intune or Basic
Mobility and Security. After
the device is enrolled in MDM, you can still manage it through group
policies and profiles if you want. However, MDM provides more device
management features not available in on-premises AD DS, such as
device compliance and Conditional Access.
An organization should first plan its MDM solution before deploying
MDM, enrolling devices in it, and managing device compliance. This
section examines the features of effective MDM planning, including the
built-in capabilities of mobile device management for Microsoft 365, a
comparison of Microsoft's two MDM solutions, policy settings for
mobile devices, and controlling email and document access.
Explore Mobile Device Management in Microsoft 365
Mobile device management (MDM) is an industry-standard for
managing mobile devices, such as smartphones, tablets, laptops, and
desktop computers. Before using Microsoft 365 services with your
device, you first need to enroll it in MDM.
MDM is implemented by using an MDM authority and MDM clients.
Microsoft offers two MDM authority solutions:
Basic Mobility and Security
Microsoft Intune
MDM client functionality is built into the Windows 10
operating system. MDM authority can manage several devices that
contain MDM client functionality, such as Android, iOS, and Windows
10. Some device settings can be controlled on all MDM enrolled
devices, while other settings are device-specific and can only be
configured using device-specific MDM policies.
MDM functionality includes the distribution of applications, data, and
configuration settings to devices enrolled in MDM. Windows 10 devices
can be enrolled in MDM using any of the following methods:
Manually
By using the Settings app
By submitting a package
By using Group Policy
By enrolling into Azure AD, if integration between Azure AD
and MDM is configured
MDM authority, such as Intune, offers the following responsibilities:
Device Enrollment - MDM can manage only supported
devices that are enrolled in MDM. For MDM to manage a
device, the device must either include MDM client
functionality (for example, Windows 10) or have the Company
Portal app installed (for example, on Android or iOS devices)
Configuring Devices - Organizations can use profiles and
policies to configure devices, control user access, and set
device settings to follow company policy. You can also deploy
settings that enable devices to access company resources,
such as WiFi and VPN profiles
Monitoring and Reporting – In the MDM management
tool, you can get notifications about devices that have issues
or when an MDM policy is unsuccessful, such as when
devices do not follow company requirements. You can also
add devices to groups and display a list of enrolled devices.
By using Intune, organizations can also configure Windows
Autopilot device deployment
Application Management - By using MDM and MAM, an
organization can deploy applications, manage their settings,
and separate data created by personal and business apps
Selective Delete Data - If a device is misplaced or stolen, or
the user is no longer a company employee, you can remove
company data stored on the device. You can either wipe all
device data or do a selective wipe, which leaves personal user
data on the device intact
Devices can be managed by MDM even if they are not members of a
domain.
Organizations can manage all important aspects of Windows 10 by
using MDM. Each new Windows 10 version includes support for more
MDM settings, and since version 1703, you can apply many ADMX-
backed policies through MDM.
By using MDM, organizations can manage configurations for the
following Windows 10 configuration areas:
Enrollment
Inventory
Device configuration and security
Application management
Remote assistance
Unenrollment
The following diagram summarizes all the benefits of using MDM to
manage Windows 10 devices.
Figure 13-01: Mobile Device Management
The following diagram displays what happens when a user with a new
device signs in to an application that offers access control with Basic
Mobility and Security.
Figure 13-02: Basic Mobility and Security
Explore the Mobile Device Management Services in
Microsoft 365
Microsoft 365 includes two Mobile Device Management (MDM)
services: Basic Mobility and Security and Microsoft Intune. This section
provides a detailed examination of each offer.
Introduction to Basic Mobility and Security
The Basic Mobility and Security service provides a built-in MDM
solution within Microsoft 365. This service provides the core device
management features available in Microsoft 365. It is hosted by the
Intune service and includes a subset of Intune services. Even though it
includes some Intune features, it is not an "Intune-lite" solution. The
Basic Mobility and Security service provides core MDM functionality
within Microsoft 365 for managing devices in your organization.
After Basic Mobility and Security is set up and your users have
enrolled, you can manage the devices, block access, or even wipe a
device if needed.
Introduction to Microsoft Intune
Microsoft Intune provides the core features within Basic Mobility and
Security, plus more advanced device management features. Intune is
Microsoft's gold-level standard for MDM solutions. It is not only a
cloud-based service; its focus extends beyond Mobile Device
Management (MDM) and includes Mobile Application Management
(MAM).
Device Management - Intune enables an organization to
control how its devices are used, including mobile phones,
tablets, and laptops. It also enables people in your
organization to use their devices for school or work. Intune
helps ensure that organization data stays protected on
personal devices and can isolate organizational data from
personal data
Application Management
Many organizations, such as Microsoft, use Intune to secure
proprietary data users access from their company-owned and
personal mobile devices. Intune helps organizations secure and
monitor data access by including:
Device and app configuration policies
Software update policies
Installation statuses (charts, tables, and reports)
It is common for people to have devices that use different platforms.
For example, an employee may use Surface Pro for work and an
Android mobile device in their personal life. People can also easily
access organizational resources, such as Microsoft Outlook and
SharePoint, from each of their devices.
MDM within Microsoft 365 Plans
Basic Mobility & Security is part of the Microsoft 365 plans, while
Microsoft Intune is a standalone product with specific Microsoft 365
plans.
Differences in capabilities
While Microsoft Intune and built-in Basic Mobility & Security allow
you to manage mobile devices in your organization, there are key
differences in capabilities between the two solutions.
The Basic Mobility and Security service provides core MDM
functionality, a subset of the functionality provided by Intune. For
organizations requiring a more advanced MDM solution, Microsoft
Intune provides this same core functionality as Basic Mobility and
Security, plus advanced MDM features and MAM.
Examine MDM Policy Settings in Microsoft 365
MDM policies and profiles are groups of settings that control features
on mobile devices. Whether related to encryption, passwords, security,
email management, or another fundamental issue, policies are the
cornerstone of MDM in an organization.
When organizations create policies or profiles, they can only deploy
them by assigning them to groups of users, and they cannot assign
them directly to individual devices or users. When policies are assigned
to groups, the users in those groups get an enrollment message on
their devices. When they have completed device enrollment, their
devices are restricted by the policies you have set up. You can then
monitor policy deployment in the MDM management tool.
Microsoft offers two solutions for managing devices with MDM: Basic
Mobility and Security and Microsoft Intune. Both solutions can
manage enrolled devices, but they offer different capabilities. Both
solutions use Microsoft 365 Endpoint Manager for administering their
MDM solutions.
MDM Policy Settings in Basic Mobility and Security
The Basic Mobility and Security service enables organizations to create
device policies that help protect their company information in
Microsoft 365 from unauthorized access. An organization can apply
policies to any mobile device in the company where the user has an
applicable Microsoft 365 license and enrolled the device in Basic
Mobility and Security. In Basic Mobility and Security, organizations can
manage the following mobile devices settings:
Organization-wide device access settings - Using these
settings, an organization can specify whether it wants to
allow or block access to Exchange mail for devices not
supported by Basic Mobility and Security and which security
groups should be excluded from access control.
Device security policies - Organizations can use device
security policies to protect their devices from unauthorized
access. Device security policies include password settings,
encryption settings, managing email profile settings, and
other settings that control device features, such as video
conferencing and Bluetooth connectivity.
Organizations can create device security policies and apply them to
users in Microsoft 365 Endpoint Manager groups. The policies apply to
the users; they require users to enroll their devices in Basic Mobility
and Security before the device can be used to access Microsoft 365
data. The policies that an organization sets up determine settings for
mobile devices, such as how often passwords must be reset or whether
data encryption is required.
MDM Policy Settings in Microsoft Intune
Organizations can manage the same settings in Microsoft Intune as in
Basic Mobility and Security, along with many other settings. These
different device settings that Intune can manage include:
Device enrollment and restrictions
Device compliance policies
Device configuration policies
Conditional Access
Software updates, including Windows 10 update rings and
update policies for iOS
Apps deployment, app configuration policies, and app
protection policies
Policy and Security Configuration
Microsoft 365 includes default MDM policies based on Microsoft's
digital security requirements. These policies help ensure that corporate
security is maintained while also providing a good user experience.
Users' data on their work devices is more secure when the other
users and devices in the same environment are also governed by
these policies. The following list
provides examples of how these policies affect the entire Microsoft 365
experience:
Security. The default policies enforce Microsoft corporate
compliance settings on mobile devices, such as password
policy and encryption settings
Messaging. The default policies for Exchange align policy
settings between Exchange ActiveSync (EAS) and MDM
Compliance. Microsoft took advantage of the default
compliance rules for mobile devices built into Configuration
Manager. Microsoft then created a configuration baseline for
those configuration items (CIs) and targeted the configuration
baseline to the collection of mobile devices
An essential benefit of using MDM for managing devices is that
organizations can allow access to email and documents only from
devices managed by MDM and follow company policy
Using MDM Policies in Microsoft 365
Organizations can define company policy using the Device Security
policy in Microsoft 365. They can control access to email, documents,
and other cloud apps by using Conditional Access policies. Compliance
with company policy is just one criterion that can be evaluated in a
Conditional Access policy. Organizations can also evaluate sign-in risk,
device type, location, and client apps.
Devices that are not enrolled in MDM cannot have their compliance
evaluated. However, organizations can still prevent access to mailboxes,
documents, and cloud apps from such devices. If a user tries to access
their mailbox from such a device, depending on how the policy is set
up, they may experience one of the following outcomes:
They are blocked from accessing Microsoft 365 resources
They are redirected to enroll the device in MDM
The user could have access, but Microsoft 365 would report a
policy violation
Figure 13-03: MDM Policies
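The three outcomes listed above (blocked, redirected to enrollment, or allowed with a reported violation) are easier to reason about as a decision procedure. The following is an added example, not code from the book or from Microsoft, and it does not call any Microsoft 365 API: it models a simplified Conditional Access evaluation over constructed sign-in attempts using the signals the text names (device enrollment and compliance, sign-in risk, location, and client app). The `AccessPolicy` and `SignIn` types and their field names are hypothetical, chosen to illustrate the evaluation order; the real policy engine has many more conditions and controls.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ALLOW = "access allowed"
    BLOCK = "blocked from Microsoft 365 resources"
    ENROLL = "redirected to enroll the device in MDM"
    REPORT_ONLY = "access allowed, policy violation reported"


RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """Signals available to the evaluation (hypothetical, simplified shape)."""
    user: str
    device_enrolled: bool      # enrolled in Intune or Basic Mobility and Security
    device_compliant: bool     # only meaningful when enrolled; see evaluate()
    sign_in_risk: str          # "none" | "low" | "medium" | "high"
    trusted_location: bool
    client_app: str            # "modern" or "legacy"


@dataclass(frozen=True)
class AccessPolicy:
    """A simplified Conditional Access policy; field names are hypothetical."""
    require_compliant_device: bool = True
    redirect_unenrolled_to_enrollment: bool = True
    block_risk_at_or_above: str = "high"
    block_legacy_clients: bool = True
    trusted_location_skips_compliance: bool = False
    enforce: bool = True       # False = report-only: allow, but record the violation


def evaluate(policy: AccessPolicy, signin: SignIn):
    """Return (outcome, list of violated conditions) for one sign-in attempt."""
    hard_blocks = []
    needs_enrollment = False

    if policy.block_legacy_clients and signin.client_app == "legacy":
        hard_blocks.append("legacy client app")
    if RISK_LEVELS[signin.sign_in_risk] >= RISK_LEVELS[policy.block_risk_at_or_above]:
        hard_blocks.append(f"sign-in risk is {signin.sign_in_risk}")

    compliance_required = policy.require_compliant_device and not (
        policy.trusted_location_skips_compliance and signin.trusted_location
    )
    if compliance_required:
        if not signin.device_enrolled:
            # An unenrolled device cannot have its compliance evaluated at all,
            # so the only sensible remediation is enrollment, not a compliance fix.
            needs_enrollment = True
        elif not signin.device_compliant:
            hard_blocks.append("enrolled device is not compliant")

    violations = hard_blocks + (["device not enrolled in MDM"] if needs_enrollment else [])
    if not violations:
        return Outcome.ALLOW, violations
    if not policy.enforce:
        return Outcome.REPORT_ONLY, violations
    if hard_blocks:                       # a hard block wins over an enrollment redirect
        return Outcome.BLOCK, violations
    if policy.redirect_unenrolled_to_enrollment:
        return Outcome.ENROLL, violations
    return Outcome.BLOCK, violations


# Constructed sign-in attempts (not real users) covering the outcomes in the text.
SAMPLE_SIGNINS = [
    SignIn("alice", True, True, "none", False, "modern"),    # allowed
    SignIn("bob", False, False, "none", False, "modern"),    # redirected to enroll
    SignIn("carol", True, False, "none", False, "modern"),   # blocked: non-compliant
    SignIn("dave", True, True, "high", False, "modern"),     # blocked: high risk
]

if __name__ == "__main__":
    policy = AccessPolicy()
    for s in SAMPLE_SIGNINS:
        outcome, why = evaluate(policy, s)
        print(f"{s.user}: {outcome.value}" + (f" ({', '.join(why)})" if why else ""))
```

Two design points are worth noting. A report-only mode is how you roll a policy out safely: run it, review the reported violations, then switch to enforce once you know which users and devices it would have blocked. And the unenrolled case is deliberately separated from the non-compliant case, because the text's key point is that compliance cannot be evaluated for a device that is not enrolled, so the correct response is enrollment rather than a compliance remediation.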

Mind Map

Figure 13-04: Mind Map

Deploy Mobile Device Management


This section examines how to deploy Mobile Device Management in
Microsoft 365. Before organizations can start managing devices in
Microsoft 365, they must first activate and configure MDM and then
enroll their devices. Organizations can activate Microsoft Intune by
choosing the MDM authority in Microsoft 365 Endpoint Manager. For
Basic Mobility and Security, they must open an activation link.
Activate the Mobile Device Management services in
Microsoft 365
While Microsoft has two solutions for MDM, Intune and Basic Mobility
and Security, they do not have the exact prerequisites. Preparing your
MDM environment will be slightly different depending on which
solution you want.
Basic Mobility and Security - Start by activating the
Mobile Device Management service. Once you activate the
MDM service, you must do several other steps to complete
the deployment
Intune - Choose the MDM authority before you can start
managing devices
Basic Mobility and Security
In Microsoft 365, you activate the Basic Mobility and Security MDM
service by opening the following link:
https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx#
It takes some time for the service to start, after which you will receive
an email that explains the next steps for setting up Basic Mobility and
Security. These steps include:
. Configure domains for Basic Mobility and Security. If
you do not have a domain associated with Microsoft 365 or
are not managing Windows devices, you can skip this step.
Otherwise, you will need to add DNS records for the domain
at your DNS host. This step is complete if you have already
added the records to set up your domain with Microsoft 365.
After you add the records, the Microsoft 365 users who sign in on their
Windows device with an email that uses your domain are redirected to
enroll in Basic Mobility and Security.
. Configure an Apple Push Notification Service (APNS)
certificate for iOS devices. To operate iOS devices like iPad
and iPhones, you must first create an APNS certificate.
. Set up multi-factor authentication. MFA helps secure
users sign in to Microsoft 365 for mobile device enrollment
by requiring a second form of authentication.
. Manage device security policies. Organizations should
create and deploy device security policies to help protect
their Microsoft 365 data.
. Make sure users enroll their devices. After you have
created and deployed an MDM policy, each licensed
Microsoft 365 user in your organization will receive an
enrollment message the next time they sign in to Microsoft
365 if the policy applies to their device.
Microsoft Intune
Organizations must configure the MDM authority to set up Microsoft Intune for device management. Device management in Intune is initially disabled, and the MDM authority is unknown. Before an organization can start enrolling and managing devices, it must configure the MDM authority by selecting one of three available options:
- Intune MDM Authority - This option sets the MDM authority solely to Microsoft Intune. Intune is a cloud-only MDM solution, and it is managed by using a web browser. Microsoft recommends that organizations select this deployment option when using Intune
- Configuration Manager MDM Authority - This option is referred to as Hybrid MDM because it assumes the organization uses Configuration Manager for managing on-premises devices. This scenario integrates Intune's MDM capabilities into Configuration Manager in the following manner:
  - It uses Configuration Manager's on-premises infrastructure to administer content and manage the devices
- None - This option indicates that no MDM authority has been chosen; Intune cannot manage devices until an MDM authority is selected
If organizations want to enroll and manage iOS devices, they must also add an APNS certificate to Intune. No certificate is needed for enrolling and managing Android and Windows 10 devices.
An organization can use the Configuration Manager console if it wants to change its MDM authority setting. In the past, you had to contact Microsoft Support to make this change, and you also had to unenroll and re-enroll your existing managed devices. Organizations can now make this change independently, and they no longer need to unenroll and re-enroll their managed devices.
To set up mobile device management with Intune, you must complete the following steps.
1. Supported configurations. Need-to-know information before you start, including supported configurations and networking requirements.
2. Sign in to Intune. Sign in to your trial subscription or create a new Intune subscription.
3. Configure a domain name. Set up DNS registration to link your company's domain name with Intune. This setting gives users a familiar domain when connecting to Intune and using resources.
4. Add users and groups. Add users and groups, or link Active Directory to sync with Intune. This step is required unless your devices are "userless," such as kiosk devices. Groups of users are used to assign apps, settings, and other resources.
5. Assign licenses. Each user or userless device needs an Intune license to connect to the service.
6. Set the MDM authority. Groups are used to assign apps, settings, and other resources.
7. Add apps. Apps can be assigned to groups of users and installed automatically or optionally.
8. Configure devices. Set up profiles that manage device settings. Device profiles can preconfigure settings for email, VPN, Wi-Fi, and device features. They can also restrict devices to help protect both devices and data.
9. Customize Company Portal. Customize the Intune Company Portal that users use to enroll devices and install apps. These settings appear in both the Company Portal app and the Intune Company Portal website.
10. Enable device enrollment. Enable Intune management of iOS/iPadOS, Windows, Android, and Mac devices by setting the MDM authority and enabling specific platforms.
11. Configure app policies. Supply specific settings based on app protection policies in Microsoft Intune.
Configure Domains for Mobile Device Management
An organization can enable its users to enroll their Windows 10 devices in Mobile Device Management (MDM) using the Autodiscover service. Windows devices (Windows Phone 8.1 and 10 and Windows PCs 8.1 and 10) have a UI built into the operating system to enroll a device for management. The user enters a corporate email address that matches the User Principal Name (UPN) set for the user's identity. The device tries to auto-discover the enrollment server and start the enrollment process. If the Autodiscover service is not configured, the device enrollment server will not be found. In this case, the device presents a screen for the user to enter the server address.
The Autodiscover service is configured when you create an alias (CNAME resource record type) in the domain's DNS zone that automatically redirects enrollment requests to Intune servers.
- Autodiscover will not be configured if you do not add this CNAME record. In this case, users can still enroll devices in MDM, but they will have to provide the address of the enrollment server manually
- Autodiscover will be configured if you add this CNAME record. With the Autodiscover service enabled, users only have to provide credentials when they want to enroll their devices in MDM
A company using Azure AD Premium can integrate Azure AD with Intune to configure automatic MDM enrollment. This allows Windows 10 devices joined to Azure AD to be automatically enrolled in Intune. In such a scenario, you do not have to add a CNAME record to the domain DNS zone to enable the Autodiscover service. But if your organization is not using Azure AD Premium, or if users manually enroll devices in MDM using the Settings app, you can still benefit from autodiscovery.
The Autodiscover service is simple to set up for your domain because it only requires that you create a CNAME resource record in your external (public) DNS. CNAME records let you hide the implementation details of your network from the clients that connect to it. Used internally in your network, CNAME records enable users to use the simpler URI mail.domain.com instead of host.examplemachinename.domain.com.
Creating a CNAME resource record in the domain DNS zone that automatically redirects enrollment requests to Intune servers is used in multiple scenarios. For example:
- If your company uses the contoso.com DNS domain, you will create a CNAME record that redirects contoso.com to enterpriseenrollment.manage.microsoft.com
- If your company uses multiple DNS domains or UPN suffixes, you must create one CNAME record for each domain name and point it to manage.microsoft.com
Many organizations also want to enable the Autodiscover service for registering devices in Azure AD. In such environments, you would also add an EnterpriseRegistration CNAME DNS record that points to EnterpriseRegistration.windows.net.
Android and iOS devices are enrolled in MDM using the Company Portal app. The Company Portal app includes information on locating enrollment servers and does not use auto-discover DNS records.
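The Autodiscover CNAME records described above are easy to get wrong when an organization has several UPN suffixes, and the symptom (users being prompted to type a server address during enrollment) only appears at enrollment time. The following Python script is an added example, not code from the study guide or from Microsoft: given one or more BIND-style zone fragments, it reports which enterpriseenrollment and EnterpriseRegistration CNAMEs are present, missing, or pointing at the wrong host. The record names follow the pattern enterpriseenrollment.<domain> and enterpriseregistration.<domain>; the target hosts are taken from the text above and should be confirmed against current Microsoft documentation, and the zone content is constructed for the example.

```python
"""Audit public DNS zones for the MDM Autodiscover CNAME records.
Added example, not taken from the study guide or from Microsoft: it parses
BIND-style zone fragments (constructed below) and reports, per domain or
UPN suffix, whether the enterpriseenrollment and enterpriseregistration
CNAMEs are present, missing or pointing at the wrong host.
"""
import re

# Target hosts as given in the text above. Confirm them against current
# Microsoft documentation before changing production DNS.
ENROLLMENT_TARGET = "enterpriseenrollment.manage.microsoft.com"
REGISTRATION_TARGET = "enterpriseregistration.windows.net"


def expected_records(domains, azure_ad_registration=True):
    """Return [(fqdn, target)] CNAMEs each domain / UPN suffix needs.

    One enterpriseenrollment CNAME per domain; the enterpriseregistration
    CNAME only when devices are also registered in Azure AD.
    """
    wanted = []
    for domain in domains:
        d = domain.lower().rstrip(".")
        wanted.append((f"enterpriseenrollment.{d}", ENROLLMENT_TARGET))
        if azure_ad_registration:
            wanted.append((f"enterpriseregistration.{d}", REGISTRATION_TARGET))
    return wanted


# name [ttl] [IN] TYPE target -- single-target records only; SOA, MX and
# other multi-field lines do not match and are skipped.
_ZONE_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(\S+)\s+(\S+)$", re.IGNORECASE)


def parse_zone(zone_text, origin):
    """Return {fqdn: (TYPE, target)} for the parsable lines of one zone."""
    origin = origin.lower().rstrip(".")
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line or line.startswith("$"):       # skip $ORIGIN / $TTL
            continue
        m = _ZONE_LINE.match(line)
        if not m:
            continue
        name, rtype, target = (s.lower() for s in m.groups())
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"              # relative -> absolute
        records[name.rstrip(".")] = (rtype.upper(), target.rstrip("."))
    return records


def audit_zones(zones, domains, azure_ad_registration=True):
    """Compare zones {origin: zone_text} with the expected CNAMEs.

    Returns {fqdn: 'ok' | 'missing' | 'wrong TYPE -> target'}.
    """
    have = {}
    for origin, text in zones.items():
        have.update(parse_zone(text, origin))
    report = {}
    for fqdn, target in expected_records(domains, azure_ad_registration):
        actual = have.get(fqdn)
        if actual is None:
            report[fqdn] = "missing"
        elif actual == ("CNAME", target):
            report[fqdn] = "ok"
        else:
            report[fqdn] = f"wrong {actual[0]} -> {actual[1]}"
    return report


def needs_attention(report):
    """Names whose users would still be asked for a server address."""
    return sorted(n for n, status in report.items() if status != "ok")


# Constructed sample: contoso.com has the enrollment record, but its
# registration record points at a mistyped host; the second UPN suffix
# fabrikam.com has no MDM records at all.
SAMPLE_ZONES = {
    "contoso.com": """\
$ORIGIN contoso.com.
@                      3600 IN SOA   ns1.contoso.com. hostmaster.contoso.com. 1 7200 3600 1209600 3600
@                      3600 IN MX    10 contoso-com.mail.protection.outlook.com.
enterpriseenrollment   3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
enterpriseregistration 3600 IN CNAME enterpriseregistration.windows.com.   ; wrong TLD
""",
    "fabrikam.com": "$ORIGIN fabrikam.com.\n",
}

if __name__ == "__main__":
    result = audit_zones(SAMPLE_ZONES, ["contoso.com", "fabrikam.com"])
    for fqdn, status in sorted(result.items()):
        print(f"{fqdn:40} {status}")
    print("needs attention:", needs_attention(result))
```

Run against an export of each public zone that carries a UPN suffix; anything other than "ok" means users on that suffix will hit the manual server-address screen described above (or, for the registration record, fail Azure AD device registration). Pass azure_ad_registration=False when the organization does not register devices in Azure AD, so the script does not flag the EnterpriseRegistration record as missing.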
Obtain an Apple Push Notification Service certificate for iOS Devices
Organizations do not need to add certificates to MDM to manage Windows or Android devices with either Intune or Basic Mobility and Security. However, if they want to manage Apple products such as iPad, iPhone, and Mac devices using MDM, they need an Apple Push Notification Service (APNS) certificate to communicate securely with those devices.
