MS-900: Microsoft 365 Fundamentals
Critical parts of planning an enterprise deployment
(1) assessing your environment and network, and (2) making sure your existing hardware and applications will work with the new software.
Authorization
After authentication, the user is permitted access to the resources you've previously granted them permissions to.
Azure AD Premium
Azure AD Premium is the central identity store used for all the applications in EMS and Microsoft 365. The P1 and P2 versions of Azure AD Premium include features that are important for unified endpoint management. Some of the additional features included with the P1 and P2 plans are:
- Self-service password reset
- Write-back from Azure AD to on-premises Active Directory Domain Services (meaning your cloud and on-premises data is linked)
- Microsoft Azure Multi-Factor Authentication (MFA) for cloud and on-premises apps
- Conditional access based on group, location, and device state
- Conditional access based on sign-in or user risk (P2 plan only)
Hybrid Azure AD
Azure Active Directory (Azure AD) allows you to link your users, devices, and applications across both cloud and on-premises environments. Registering your devices to Azure AD helps you improve productivity for your users and improve security for your resources. Having devices in Azure AD is the foundation for both co-management and device-based conditional access. It also includes:
- Single sign-on to cloud resources
- Windows Hello for Business
- Device-based conditional access
- Automatic device licensing
- Self Service functionality
- Enterprise state roaming
Azure Advanced Threat Protection
Azure Advanced Threat Protection (ATP) is a cloud-based solution to identify, detect, and investigate threats, compromises, and malicious actions. ATP helps you:
- Detect and investigate advanced attacks on-premises and in the cloud.
- Identify suspicious user and device activity with both known-technique detection and behavioral analytics.
- Analyze threat intelligence from the cloud and on-premises.
- Protect user identities and credentials stored in Active Directory.
- View clear attack information on a simple timeline for fast triage.
- Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection.
Azure Information Protection
Azure Information Protection encrypts documents and enforces policies on how they can be used. Only authorized users can access the contents.
Peer-to-peer update download solutions
Branch cache, peer cache, delivery optimization.
BranchCache
BranchCache can help you download source files in distributed environments without saturating the network. BranchCache fetches content from your main office or hosted cloud content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally.
Client Health
Client Health. Configuration Manager monitors client device health while it's connected to your network. On a co-managed device, Intune communicates with and monitors the health of the device - even when it's not connected to your network. With co-management, Intune can report on the health of the client. It provides timestamp information for the validity of the data, which tells you if your devices are healthy, able to connect, able to install apps, or able to update to the required OS builds. With this feature, you have an external data source with Intune. It allows you to determine what the next steps should be when troubleshooting client issues. You don't need to create additional reports or use other tools to get client data, which saves you time and effort.
Cloud App Security
Cloud App Security uses data collected from your firewalls and proxy servers to identify cloud application usage. This can help identify unauthorized applications that might be a threat to your data. Additionally, it can identify unusual usage patterns that might indicate a problem.
Conditional access
Conditional access evaluates each access request against a number of different criteria and then, using policies you define, decides whether it should be allowed, whether stricter controls are needed, or whether the access attempt should be blocked altogether.
Conditional access
Conditional access. Conditional access makes sure that only trusted users can access your organizational resources on trusted devices using trusted apps. With co-management, Intune evaluates every device in your network to determine how trustworthy it is. Intune makes sure devices and apps are managed and securely configured, and detects active security incidents on a device.
Configuration Manager (deployment tool for O365 Pro Plus)
Configuration Manager. For enterprises that already use Configuration Manager to deploy and manage software, we recommend using it for Office deployment as well. Configuration Manager scales for large environments and enables extensive control over installation, updates, and settings. It also has built-in features for deploying and managing Office and Windows.
Deployment options for Office 365 ProPlus
Configuration Manager, Office Deployment Tool, Microsoft Intune, install directly from the Office 365 portal.
Delivery Optimization
Delivery Optimization allows clients to download source files from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Configuration Manager.
Long-term Servicing Channel (update channel)
Designed to be used only with specialized devices that can't be regularly updated or that don't need to be updated (like ATMs or a PC that runs medical equipment). The long-term servicing channel is released every two to three years. (Note that this channel is updated with security fixes as needed - your devices will still be secure.) Office 365 ProPlus isn't supported on this channel.
Enterprise Mobility + Security (EMS)
Designed to help manage and protect users, devices, apps, and data in a mobile-first, cloud-first world. Includes Microsoft Intune, Azure AD Premium, and Azure Rights Management.
Dynamic provisioning
Dynamic provisioning. Create a provisioning package to quickly configure one or more devices, even those without network connectivity. You create provisioning packages with the Windows Configuration Designer and can install them over a network, from removable media (like a USB drive), or in near field communication (NFC) tags or barcodes.
E5
E5 has all the features of E3, plus the following additional features.
FastTrack
FastTrack for Microsoft 365 helps organizations accelerate deployment and gain end-user adoption of Office 365, Windows 10, and Enterprise Mobility + Security.
Types of Windows Updates
Feature updates and quality updates. Feature updates. These updates provide new functionality and are usually released twice a year. You should deploy these updates using your existing tools. Because these new features come out more often, the individual updates themselves are smaller, making it easier to deploy across your organization. It also introduces less change per update - less for your users to get used to with each update. Quality updates. These updates provide security updates and fixes and are usually released once a month. On the second Tuesday of the month ("patch Tuesday"), Microsoft releases a cumulative update that includes all the past quality updates. This helps make sure your devices are up to date and, to make our own testing more effective, more closely aligned to the devices we use for testing at Microsoft.
Modern Desktop and feature updates
For both Windows 10 and Office 365 ProPlus, feature updates are released more frequently, which means your users will get security and productivity capabilities multiple times a year, instead of once every three years.
Windows Insider Program (update channel)
Get early access to pre-release Windows 10 builds, which update frequently (sometimes weekly). Use Insider builds to explore and test new and modified features before you deploy them. You can also provide direct feedback to Microsoft on these updates, helping improve the experience for others.
Security pillars
Identity and access management, threat protection, information protection, security management.
Windows Hello
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices - a new type of user credential that's tied to a device and uses a biometric or PIN. Windows Hello for Business lets users authenticate to an Active Directory or Azure Active Directory account.
Cloud Service Provider (CSP)
In general, CSPs provide one version of an app for all customers and license it through a monthly or annual subscription.
Inner Loop (Teams)
In regards to teamwork in Microsoft 365, the inner loop refers to the people you work with regularly on core projects. For the inner loop, Microsoft Teams is the best solution for collaboration tools.
Outer Loop (Teams)
In regards to teamwork in Microsoft 365, the outer loop refers to the people you connect with openly across the organization. For the outer loop, Yammer is the best solution for collaboration tools.
In-place upgrade
In-place upgrade. Upgrade a device's operating system without reinstalling. You can migrate apps, user data, and settings from one version of Windows to another (like going from Windows 8.1 to Windows 10). You can also update from one release of Windows 10 to the next (like going from Windows 10, version 1803, to Windows 10, version 1809).
Office 365 Enterprise (Product)
Includes Office 365 ProPlus, the latest Office apps for your PC and Mac (like Word, Excel, PowerPoint, and Outlook), and a full suite of online services for email, file storage and collaboration, meetings, and more.
Install directly from the Office 365 portal (deployment tool for O365 Pro Plus)
Install directly from the Office 365 portal. The simplest approach is to have your users install Office on their client devices directly from the Office 365 portal. This method requires the least amount of administrative setup but gives you less control over the deployment. You can, however, still define how frequently your users receive feature updates. This option requires that your users have local administrative rights on their client devices.
Intune
Intune is a cloud-based enterprise mobility management (EMM) service that enables user productivity while keeping your corporate data protected. Intune integrates with Azure Active Directory for identity and access control, and Azure Information Protection for data protection. Intune can enforce security policies, wipe devices remotely, and deploy apps.
Microsoft 365 Subscription Plans
M365 Enterprise, M365 Business, M365 Education, M365 Firstline Worker
Microsoft 365 Business
Microsoft 365 Business is designed for small- and medium-sized organizations. Like Microsoft 365 Enterprise, Microsoft 365 Business offers the full set of Office 365 productivity tools and includes security and device management features. It doesn't include some of the more advanced information protection, compliance, or analytics tools available to enterprise subscribers. It's designed for organizations that need up to 300 licenses; if your organization is larger than that, you'll have to subscribe to a Microsoft 365 Enterprise plan instead.
Microsoft 365 Education
Microsoft 365 Education is available for educational organizations. Academic licenses can be tailored to fit any institution's needs, including productivity and security solutions for faculty, staff, and students.
Microsoft 365 Enterprise
Microsoft 365 Enterprise provides enterprise-class services to organizations that want a productivity solution that includes robust threat protection, security, compliance, and analytics features. There are two available plans for Microsoft 365 Enterprise, letting you further refine what's included in your implementation - E3 and E5. E5 includes all of the same features as E3 plus the latest advanced threat protection, security, and collaboration tools.
Microsoft 365 for firstline workers
Microsoft 365 F1 connects your firstline workers - such as customer service representatives, support and repair technicians, and service professionals - through purpose-built tools and resources that allow them to do their best work. These people are commonly the first point of contact for customers, and they need the right productivity and collaboration tools to do their jobs. Microsoft 365 F1 has many of the same features and services as Microsoft 365 Enterprise but has been modified to better fit the needs of firstline workers. For example, firstline workers don't generally need to create virtual environments in their day-to-day work, so Microsoft 365 F1 includes Windows 10 E3, without virtualization rights.
Microsoft Advanced Threat Analytics
Microsoft Advanced Threat Analytics can:
- Detect suspicious activities and malicious attacks.
- Adapt to the changing nature of cyber-security threats.
- Provide focus and clarity around what is important with a simple attack timeline.
- Reduce false positives.
Microsoft Graph
Microsoft Graph provides a connection between people and relevant content.
Microsoft Identity Manager 2016
Microsoft Identity Manager 2016 binds Microsoft's identity and access management solutions together by seamlessly bridging multiple on-premises authentication stores like Active Directory, LDAP, Oracle, and other applications with Azure Active Directory. This provides consistent identity experiences for both on-premises business applications and SaaS solutions.
Microsoft Intune (deployment tool for O365 Pro Plus)
Microsoft Intune. For organizations that want to deploy and manage Office from the cloud, Intune provides a cloud-based service that manages mobile devices and PCs, along with the applications on those devices (like Office 365 ProPlus). Intune can also be used to manage Windows 10 on your PCs.
Microsoft Search in Office.com
Microsoft Search in Office.com surfaces the same search scope across Microsoft 365, allowing you to find what you need and get back to your work faster. Find recent and recommended documents, as well as content flagged by colleagues for your review, and keep up-to-date with what has been worked on since you last looked at it.
Microsoft Search (Sharing/Collecting Knowledge)
Microsoft Search provides a rich, familiar, and consistent search experience across the web and the apps used in your organization. Regardless of the interface used, you get the same experience, personalized and contextualized for that specific interaction point.
Microsoft Stream (Sharing/Collecting Knowledge)
Microsoft Stream enables everyone in the organization to securely create, discover, and share videos, and it integrates into the teamwork apps employees use most, including Teams, OneNote, SharePoint, and Yammer.
Microsoft Teams
Microsoft Teams is the digital hub for teamwork in Microsoft 365. It brings together team conversations and content so your users can stay up-to-date on critical projects. It includes everything teams need to stay connected—chat, phone calls, content, and meetings—and can be customized with applications and bots that support a given project. With guest access in Teams, you can invite people from both inside and outside your organization to work on projects.
Management challenges of devices
Mobile devices that connect to unsecured networks, mobile devices that intermittently connect to organizational networks, backing up data, lost or stolen devices, compromised devices that connect to the internal network, user-owned mobile devices.
Modern Desktop
Modern desktop describes a Windows 10 device that runs Office 365 ProPlus apps and is managed by Microsoft Enterprise Mobility + Security. The modern desktop is always up-to-date and uses insights and security powered by the cloud. Shifting to a modern desktop improves productivity and security for users and streamlines work for IT professionals. Right now, the top reason organizations are switching to the modern desktop is to address security concerns.
Types of updates for Office 365 ProPlus
Monthly channel, semi-annual channel (targeted), semi-annual channel. Monthly Channel, which receives feature updates approximately every month. Semi-Annual Channel (Targeted), which receives feature updates in March and September. This is typically used for pilot users and application compatibility testers. Semi-Annual Channel, which receives feature updates every six months, in January and July.
Office 365 Groups
Office 365 Groups enable a single team identity across apps and services, and centralized policy management enhances security and compliance.
Office Deployment Tool (deployment tool for O365 Pro Plus)
Office Deployment Tool. For organizations that don't have Configuration Manager but still want to manage their deployment, you can use the Office Deployment Tool, which provides control over installation, updates, and settings. You can use this as a standalone tool or in conjunction with third-party software deployment tools.
Meetings & Projects with Teams
Outlook provides calendar and file integration to ensure meeting tools can be accessed seamlessly. Team members can access shared Outlook calendars and link to shared files in SharePoint and OneNote. Microsoft Teams lets employees form teams around important projects by organizing conversations, files, meetings, and tools into a single hub for teamwork complete with rich audio and video capabilities. Collaboration begins the moment the meeting is scheduled. Attendees can immediately connect on group chat to prepare for the meeting and share relevant documents ahead of time. Learn about meeting participants by hovering over Teams profiles to see organizational and LinkedIn background.
Peer cache
Peer cache is a solution in Configuration Manager that enables clients to share source files with other clients directly from their local cache. You can use peer cache to help manage deployment of source files to clients in remote locations. BranchCache and peer cache are complementary and can work together in the same environment.
Remote actions
Remote actions. You can manage every registered device every time it connects, no matter where it is. Remote device actions give you management controls on the device without interfering with personal data of your users. These remote device actions allow you to:
- Delete company data on lost or stolen devices
- Rename a device
- Restart a device
- Review device inventory
- Remotely control a device
- Wipe out pre-installed OEM apps with a Fresh Start reboot
- Do a factory reset on any Windows 10 device
Software as a Service (SaaS)
SaaS is software that's centrally hosted and managed by a cloud service provider (CSP) for customers. Office 365 and Intune are examples of SaaS.
Microsoft Search in Bing.com
Searching in Bing returns both your organizational results and web results, making it an easy choice for broad searches. Recently added capabilities allow you to search across conversations in both Teams and Yammer simultaneously.
System Center Configuration Manager
System Center Configuration Manager is an on-premises product used to manage Windows, macOS PCs, and servers. Configuration Manager has a rich set of capabilities that allow you to highly customize the following areas:
- Application management
- OS deployment
- Software update management
- Device compliance
Desktop App Assure
The FastTrack Center Benefit for Windows 10 provides access to Desktop App Assure, a new service designed to address issues with Windows 10 and Office 365 ProPlus application compatibility. For customers with an eligible subscription, a Microsoft engineer works with you to address valid application issues.
Microsoft Authenticator
The Microsoft Authenticator app helps you keep your accounts more secure, especially while viewing sensitive information. You can use this app in two ways: 2FA, Phone sign-in.
Microsoft Search in the Outlook mobile app
The Outlook mobile app, available for iOS and Android, prioritizes the search experience by providing easy access to commands, content, and people. By placing your cursor in the search box, you can use "zero query search" to see recommendations powered by AI and Microsoft Graph.
Microsoft Search in the SharePoint mobile app
The SharePoint mobile app includes search as the default experience when you enter the app. The search interface shows common questions, personalized results, and frequent searches that you can curate for your organization.
Windows 10 Enterprise (Product)
The most productive and secure version of Windows with comprehensive deployment, device, and app management.
Windows Analytics Upgrade Readiness
The recommended tool for assessing desktop device and application readiness. It provides application and driver compatibility information to give you a detailed assessment of issues that might block your upgrade. It's supported with links to suggested fixes known to Microsoft.
The Readiness Toolkit for Office add-ins and VBA
This tool can help you identify compatibility issues with your Microsoft VBA macros and add-ins that you use with Office. The toolkit can scan for VBA macros in Word, Excel, PowerPoint, Outlook, Access, Project, Visio, and Publisher files for Office versions as far back as Office 2003. It can also scan for certain types of add-ins used with Office.
Deploying the Modern Desktop
To deploy, you can use cloud-based services, including Microsoft Intune, or existing software management solutions such as System Center Configuration Manager.
Unified endpoint management
Unified endpoint management is a concept that describes a platform that includes device and app management. Microsoft Intune and System Center Configuration Manager (Configuration Manager), part of Enterprise Mobility + Security (EMS) in your Microsoft 365 subscription, help simplify modern workplace management. Use them to create a productive Microsoft 365 environment where your users can work on the devices and apps they choose, while still protecting your org's data.
Benefits of Microsoft 365 services
Unlocks creativity, built for teamwork, integrated for simplicity, intelligent holistic
Semi-Annual Channel (update channel)
Updated twice a year with new features. Devices in the semi-annual channel get updates as soon as Microsoft releases them. You can further control the timing of when specific devices get updated by using the deferral feature (available with Windows Update for Business, Configuration Manager, or Windows Server Update Services) to delay installation until it's convenient for your organization.
Subscription activation
Use a subscription to switch from one edition of Windows 10 to another. For example, you can switch from Windows 10 Pro to Windows 10 Enterprise. When a licensed user signs into a device (and they have credentials associated with a Windows 10 E3 or E5 license), the OS changes from Windows 10 Pro to Windows 10 Enterprise, and all the appropriate Windows 10 Enterprise features are unlocked. If the subscription expires (or is transferred to another user), the device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days.
Authentication
When a user's identity is established.
Co-authoring
When users work on a document in real time. You can co-author a document when it is stored in OneDrive for Business or SharePoint. OneDrive for Business and SharePoint in Microsoft 365 provide shared storage, document version controls, and permission settings to enable multiple users to seamlessly edit the same document.
Windows 10 Autopilot
When you use co-management and Autopilot together, new devices entering your network get configured the same way as existing devices. In this setup, devices are enrolled in Intune and have a Configuration Manager client. It allows you to use the Windows 10 provisioning model and helps you eliminate the need to create, maintain, and update custom operating system images. It can also reduce time, costs, and complexity, and lets you use Autopilot and Configuration Manager to migrate existing Windows 7 devices to Windows 10.
Workplace Analytics
While MyAnalytics provides insight at the individual level, Workplace Analytics focuses on the organization. Use Workplace Analytics to identify collaboration patterns that impact productivity, workforce effectiveness, and employee engagement. It helps you understand how your organization spends its time and how groups work together. When you understand how your org works, you can look for efficiencies and best practices.
Tools to assess whether your applications and hardware are compatible
Windows Analytics Upgrade Readiness, The Readiness Toolkit for Office add-ins and VBA, Desktop App Assure.
Deployment options for Windows 10
Windows Autopilot, in-place upgrade, dynamic provisioning, subscription activation.
Windows Autopilot
Windows Autopilot. Customize the out-of-box experience (OOBE) to deploy apps and settings that are pre-configured for your organization. Include just the apps your users need. Autopilot is the easiest way to deploy a new PC running Windows 10. You can also use it with Configuration Manager to upgrade Windows 7 or Windows 8.1 to Windows 10.
Update channels in Windows 10
Windows Insider Program, Semi-annual channel, long-term servicing channel.
Outlook (Teams/Collaboration Tool)
With the familiar Outlook email-based experience you can stay in touch with colleagues, and share calendars, files, and tasks, to make sure important deliverables get attention.
Yammer
Yammer is a community conversation tool designed to help encourage open dialogue, idea generation, and connections across the company. Yammer lets you create communities of interest and forums that bring people together, improve transparency, and give everyone a voice. You can even grant external access to partners and customers as needed.
Yammer (Sharing/Collecting Knowledge)
Yammer is designed to help you encourage open dialogue, idea generation, and connections across your company. With Yammer you can modernize organization-wide communication, with two-way executive forums or live company-wide meetings, giving everyone a voice. Create communities of interest, executive forums and even facilitate live town hall meetings to improve transparency. Yammer even grants external access to partners and customers where necessary.
Protect identities in M365
You can protect identities in Microsoft 365 with: Azure AD Identity Protection, Microsoft Cloud app security, Azure Advanced Threat Protection, Windows 10.
OneDrive for Business / SharePoint (Teams/Collaboration Tool)
You can store your content in the cloud with SharePoint and OneDrive for Business. This lets you access your files on any device and share them with others inside and outside your organization. Because the files are in the cloud, team members can collaborate on them in real time using familiar Office applications like Word, Excel, and PowerPoint.
MyAnalytics
MyAnalytics lets you see how you spend your time at work and then suggests ways to work smarter - from cutting unproductive meeting time to getting better work/life balance. MyAnalytics does this by looking at data about emails, meetings, and Teams calls and chats, as well as how you use Office 365. MyAnalytics is included in the Microsoft 365 E5 subscriptions.