Microsoft Learn

Microsoft 365 is a cloud-based productivity platform that enhances collaboration, communication, and security across devices, integrating tools like Microsoft Graph and Microsoft 365 Copilot. It evolved from Office 365 to include advanced security and device management, catering to various user needs through different subscription plans. The platform supports hybrid work environments, empowering both information and frontline workers with tools for productivity, security, and management, while also leveraging AI to enhance user experience and efficiency.
Unit 1

What is Microsoft 365?

Microsoft 365 is a cloud-powered productivity platform. The tools of Microsoft 365 help drive productivity, collaboration, and communication securely across many devices, whether you are at home, in the office, out in the field, or on the go.

Microsoft Graph is the gateway to rich, people-centered data and intelligence in Microsoft 365.

Microsoft Graph plays a vital role in Microsoft 365 Copilot, an AI-powered productivity tool in Microsoft 365. Microsoft 365 Copilot is powered by large language models (LLMs), uses your data from the Microsoft Graph, and integrates with Microsoft 365 apps and services.

What is Microsoft 365 Fundamentals?

Microsoft 365 Fundamentals consists of three learning paths:

 Describe Microsoft 365 apps and services. Learn about how the
productivity, collaboration, and endpoint management solutions
through Microsoft 365 empower people and organizations to achieve
more.
 Describe Microsoft 365 security and compliance
capabilities. Learn about how the security, compliance, and identity
solutions through Microsoft help people and organizations secure their
entire digital estate, simplify compliance and reduce risk.
 Describe Microsoft 365 pricing, licensing and support. Learn
about how people and organizations can get the most out of their
Microsoft 365 investments through pricing models, continuous support,
and licensing options that are designed to meet their needs.

The evolution of Office 365 to Microsoft 365

Over 10 years ago Microsoft introduced Office 365. Evolving from Microsoft’s Business Productivity Online Suite (BPOS), Office 365 was designed to bring together its existing online products into an always up-to-date cloud service. It combined the core productivity apps such as Word, Excel, PowerPoint, OneNote, Outlook, etc., with the collaboration and communication services such as Microsoft Exchange, SharePoint, and Skype for Business.
Over the last several years, Microsoft’s cloud productivity apps and services
have grown well beyond what people traditionally think of as ‘Office’, which
has led to Microsoft 365. Microsoft 365 brings together the best-in-class
productivity apps from Office 365 with advanced device management,
intelligent security, and innovative online services.

The differences between Office 365 and Microsoft 365

Office 365 is a cloud-based service that includes apps such as Word, Excel, PowerPoint, and Outlook along with services such as Microsoft Exchange, SharePoint, Teams, and OneDrive. Microsoft 365 is a cloud-based service that includes the same Office apps and services, plus Windows and Enterprise Mobility + Security.

Enterprise Mobility + Security (EMS) is a mobility management and security platform that helps protect and secure your organization and empower your employees. The platform includes services such as Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) and Microsoft Intune. Microsoft Entra ID provides a complete identity and access management solution with integrated security to manage and protect access for employees, customers, and partners as they connect to their apps, devices, and data. Microsoft Intune is a cloud-based endpoint management and security solution for managing users, devices, and apps across platforms such as iOS, Android, Windows, and macOS. These topics are discussed in later learning paths and modules.

There are Microsoft 365 subscription plans for personal use, small businesses, large enterprises, schools, and more. Depending on your subscription, Office 365 home and business plans automatically became Microsoft 365 subscriptions, so no action is needed on your end. Enterprise-sized organizations have the option to get the best-in-class productivity apps through an Office 365 subscription, or to integrate them with enterprise-grade management and advanced security through a Microsoft 365 subscription.

Describe how Microsoft 365 empowers workers in this hybrid world of work

Hybrid work is a combination of traditional, in-person office work and remote, offsite work. This mix of work locations allows employees to enjoy greater flexibility in their lives. Flexible work is a hybrid work model that allows you to combine remote and in-person days however works best for you. This model gives employees the most freedom, as they can set their own schedules with a combination of the two.

Hybrid and flexible work affect everyone, so organizations are looking to adopt tools that empower their entire workforce, from information workers to frontline workers, and help them adjust to the day-to-day realities of hybrid and flexible work.
Just like information workers, frontline workers need to be able to connect
and collaborate across the entire organization. Frontline workers are
employees whose primary function is to work directly with customers or the
general public providing services, support, and selling products, or
employees directly involved in the manufacturing and distribution of
products or services. A few examples of frontline workers are retail, rescue,
and healthcare workers. Empowering frontline workers with the right
technology not only makes their jobs easier but it enables secure
communication between customers, each other, and corporate.

Microsoft 365 has the capabilities to empower your organization to meet the
diverse needs of all your workers, giving them the ability to work either
onsite or remotely.

Connected

Staying connected from anywhere in the world and at any time, your workers can access:

 Cloud-based services and data in your Microsoft 365 subscription.
 Organization resources, such as those offered by on-premises application datacenters.

Secure

Sign-ins are secured with multifactor authentication (MFA), and the built-in security features of Microsoft 365 and Windows 10 or 11 protect against malware, malicious attacks, and data loss.

MFA is a process in which users are prompted during the sign-in process for
an additional form of identification, such as a code on their cellphone or a
fingerprint scan.

Managed

Your workers' devices can be managed from the cloud: security settings and allowed apps can be applied, and devices can be required to comply with system health requirements.

Productive and collaborative

Your workers can be as productive as on-premises in a highly collaborative way with:
 Online meetings, chat sessions, and push-to-talk communication with Microsoft Teams.
 Shared workspaces for cloud-based file storage with global accessibility and real-time collaboration with SharePoint and OneDrive.
 Shared tasks to divide up the work and automated business processes to increase operational efficiency.

Employee experiences

Foster an inclusive company culture and increase employee wellbeing while making sure all of your workers have the resources they need to succeed with Microsoft Viva or Yammer.

Describe how Microsoft 365 Copilot unlocks a new way of working

Microsoft is bringing the power of artificial intelligence (AI) to work. Introducing Microsoft 365 Copilot, your copilot for work. It combines the power of large language models (LLMs) with your data in the Microsoft Graph and the Microsoft 365 apps to turn your words into the most powerful productivity tool on the planet. And it does so within Microsoft's existing commitments to data security and privacy in the enterprise.

Microsoft 365 Copilot works alongside you in two ways: integrated in the Microsoft 365 apps you use every day, such as Word, Excel, PowerPoint, Outlook, Teams, and more, and through Microsoft 365 Copilot itself, to unleash creativity, unlock productivity, and develop skills. Similar to AI chat apps, Microsoft 365 Copilot can search the web, with the added advantage of using your work content, such as chats, emails, and files, to help you create content, keep up with what you might have missed, and find answers to specific work questions. With Copilot for Microsoft 365, you’re always in control and you decide what to keep, modify, or discard.
Microsoft 365 Copilot unleashes creativity in Microsoft 365 apps by
generating first drafts, beautiful presentations, and data visuals to iterate on.
It helps save time and move unique ideas forward while keeping you in
control. Microsoft 365 Copilot unlocks productivity by surfacing the
information you need across Microsoft 365 apps, summarizing emails and
meetings, taking notes, identifying action items, and enabling anyone to
build apps and bots faster.
Copilot has foundational skills for productivity and collaboration. Copilot
knows how to command apps and work across them, and is designed to
continuously learn new domain skills, eventually taking on more advanced
tasks.

Explore a Microsoft 365 tenant

The Microsoft 365 Developer Program includes a Microsoft 365 E5 developer subscription that you can use to create your own sandbox and develop solutions. This program is independent of your production environment. The program includes 25 user licenses and lasts for 90 days. You can build Microsoft Teams apps, Office add-ins for Word, Excel, PowerPoint, or Outlook, or SharePoint add-ins, using Microsoft Graph, the SharePoint Framework, Power Apps, and more.

A Microsoft 365 tenant is a dedicated instance of the Microsoft 365 services and your organization's data, stored in a specific default location.

Unit 2

Describe productivity solutions of Microsoft 365

People and organizations need productivity solutions that will make it easier
to stay organized, plan and prioritize tasks, create content, schedule time
more effectively, and remember things better. Microsoft 365 delivers
industry-leading productivity solutions, powered by artificial intelligence (AI),
that can help you to unleash your creativity and strengthen your day-to-day.
Microsoft 365 brings together the best productivity solutions for you to stay connected, produce your best work, and optimize performance, wherever you are. Whether you’re using a laptop or your mobile device, you can easily create impressive content, access important files, stay up to date and organized, and collaborate with anyone from anywhere, anytime.
 Unleash your creativity and perform tasks faster
 Create professional-looking content in real-time
 Organize and access files and photos wherever you are
 Work and communicate with your team from anywhere
 Always stay connected and organized
 Stay up-to-date through business-class email and calendaring
 Optimize and simplify operations
 Streamline everyday processes

Describe Microsoft 365 Apps

Microsoft 365 Apps is an always up-to-date desktop, mobile, and web version of the core Office apps. Microsoft 365 Apps is available in both Microsoft 365 Apps for business and Microsoft 365 Apps for enterprise subscriptions. Depending on the subscription, the apps that might be included are Access (PC only), Excel, Microsoft Teams, OneDrive, OneNote, Outlook, PowerPoint, Publisher (PC only), and Word. You can use these applications to connect with services such as Microsoft Exchange Online and SharePoint Online.

Microsoft 365 Apps has the benefits of the cloud, giving you the flexibility to work anytime, anywhere, on any device, helping you be more productive.

 Work across multiple devices. Get the fully installed Office apps on
multiple PCs, Macs, tablets, and mobile devices (including Windows, iOS,
and Android). View and edit files at home, in the office or on the go.
 Work with apps that are always up-to-date. You don't need to
spend time installing updates or worrying about when features will be
released because it's all done for you. Microsoft 365 Apps is updated
regularly, as often as monthly. You'll always be working with the most
current features.
 Work intelligently through connected experiences. Microsoft 365
Apps include intelligent features, also called connected experiences, to
help you get work done faster and create amazing content.
 Work in an entirely new way. Microsoft 365 Copilot works
alongside you, seamlessly embedded into the Microsoft 365 Apps you
use daily. Microsoft 365 Copilot helps you stay in the flow of work and
frees you to focus more on the task at hand and less on the busy work.

The following list describes the applications and services that might be
included in Microsoft 365 Apps:
 Microsoft Teams can help you bring everyone together in one place
to meet, chat, call, and collaborate. Microsoft 365 Copilot in
Teams makes meetings more productive with real-time summaries
and action items directly in the context of the conversation.
 Word
 Excel
 PowerPoint
 Outlook can help you manage your email, calendar, tasks, and
contacts together in one place. Microsoft 365 Copilot in
Outlook helps you draft emails or write better emails, and catch up on
important conversations.
 OneNote can help you with your note taking needs by organizing your
notes into tabs and subsections creating a single digital
notebook. Microsoft 365 Copilot in OneNote supercharges your
note taking and helps you understand, create, and recall information at
the click of a button.
 OneDrive can help you save, access, edit and share files and photos
wherever you are. Microsoft 365 Copilot in OneDrive helps
enhance file organization, categorization and retrieval through natural
language searches.
 Access (PC only) can help you create your own database apps easily
without being a developer.
 Publisher (PC only) can help you create polished, professional
content from greeting cards, labels to newsletters and marketing
materials.

Describe work management tools in Microsoft 365

The work management solutions through Microsoft 365 allow your teams
to work the way they want, giving organizations the results they need. The
work management tools available include Microsoft Project,
Planner, Bookings, To Do, Forms, and Lists.

Microsoft Project

Project is a robust project management tool designed for complex work efforts with many tasks, resources, and dependencies. Project provides advanced project management capabilities to meet most needs of business professionals, such as project managers. Project managers and team members can use Project to plan and track work that might require dynamic scheduling, budgeting, subtasks, and/or dependent tasks, regardless of team size.
 Quickly kick off a project and assign tasks and schedules keeping team
members and managers on the same page.
 Automatically update the timeline through the powerful scheduling engine, helping you reduce your time and effort.
 Utilize the easy-to-use views such as grid views, Kanban-style task
boards, and timeline Gantt charts.
 Integrate with Microsoft Teams to enrich collaboration across the
project.
 Create stunning interactive dashboards in Power BI so you can visualize
every aspect of the project at a glance.
 Extensible with other platform apps and data because Project is built on
the Power Platform.

Microsoft Planner

Planner is an intuitive, collaborative, light-weight task management tool that enables people to plan, manage, and complete task-based initiatives. Planner provides a simple and visual way for teams to organize their work. As a web-based tool, Planner is accessible from anywhere and available as a mobile app for both iOS and Android.
 Add structure to task-based teamwork and organize the activities in
your project by creating a plan.
 Assign and manage tasks on a Kanban board using task cards and add
those tasks to buckets.
 Task cards populate with various information, such as due dates, status,
priority, checklists, labels, and file attachments.
 Receive notifications to stay on top of deadlines.
 Monitor your team’s progress with colorful visual cues and built-in status
reporting.
 Utilize the visuals such as the task board, charts page, and a schedule
view to summarize the status of your entire plan and individual tasks.
 Integrate with Teams by adding a "Tasks by Planner" tab,
use @mentions in Word, Excel, and PowerPoint to assign tasks, and add
your tasks to your calendar in Outlook or Microsoft To Do.

Microsoft Bookings

Bookings is an appointment scheduling and management system. Bookings simplifies the process of scheduling and managing appointments. It includes a web-based booking calendar and integrates with Outlook to optimize your staff’s calendar and give your customers the flexibility to book a time that works best for them.
 Manage staff schedules, set business hours, services, and pricing.
 Define appointment types and details, and customize how appointments
are scheduled through a web-based business-facing page.
 Add buffer time between appointments for any required pre- or post-appointment activities.
 Create a booking page where your customers and clients can schedule
and reschedule appointments on their own.
 Share the booking page via a direct link, your Facebook page, and link
embedding within your website.
 Ensure customers receive proper confirmations and reminders with
automatic appointment notifications through email and SMS.
 Utilize the business-facing mobile app to view your appointments,
access customer lists, and contact information, and make manual
bookings on the go.
 Integrate with Microsoft Teams or Skype for Business to support virtual
appointments and Bookings calendar management through the
Bookings app in Teams.

Microsoft To Do

To Do is an intelligent task management app that makes it easy to plan and manage your day. Access To Do across devices including iOS, Android, Windows, and the web. Whether you need to complete a task for work, school, or home, To Do empowers you to complete the most important things you need to get done, every day.
 Focus and achieve your most important tasks with a daily to-do list
called "My Day."
 Utilize smart suggestions to add tasks, upcoming or overdue tasks.
 Share lists and assign tasks with colleagues, friends, and family.
 Break down more complex tasks into subtasks.
 Schedule reminders and repeatable tasks.
 Sync your tasks across Outlook, Teams, and Planner, and generate tasks from flagged Outlook emails.

Microsoft Forms

Forms is a simple, lightweight app that allows you to quickly and easily capture the information you need. Create surveys, quizzes, polls, questionnaires, registrations, and more. Forms works from any web browser, on any device.

 Insert quizzes, surveys, polls, and other types of forms into other Office
products.
 Enhance your form by adding a logo, displaying pictures or videos next
to questions.
 Share your quiz or form and collaborate with others or share it as a
template.
 Invite others to respond to your form using any web browser or mobile
device.
 View real-time results as they're submitted.
 Use built-in analytics to evaluate responses.
 Export results to Excel for more analysis or grading.

Microsoft Lists

Lists is a smart information tracking app that gives you and your team a
flexible way to organize information and work.

 Quickly create a list from scratch or use a ready-made template.
 Create a list in a SharePoint site or in Microsoft Teams.
 Create a list with various columns, include links, pictures and attach
files.
 Sort, group, format and filter lists to highlight the most important
information.
 Automate a list to streamline work and save time.
 Track history of a list item over time with versions.

Describe additional Microsoft 365 productivity apps

Microsoft 365 has more apps that can help you and your organization boost
productivity.
 Clipchamp is an in-browser video creation and editing experience.
 Delve helps manage your Microsoft 365 profile.
 Dynamics 365 is a set of intelligent business applications that helps
you run your entire business and deliver greater results through
predictive, artificial intelligence (AI) driven insights.
 Loop is a co-creation experience that brings together teams, content
and tasks across your tools and devices.
 Power BI is a cloud-based suite of business analytics tools that lets
anyone connect to, visualize, and analyze data.
 Sway helps you express ideas using an interactive, web-based canvas.
 Whiteboard is a freeform, digital canvas. It functions like a traditional
whiteboard, but hosted virtually.

Unit 3
Describe collaboration solutions of Microsoft 365

Microsoft 365 offers collaboration solutions such as Microsoft Teams, Microsoft 365 Copilot, Microsoft Viva, SharePoint, Exchange, Yammer, and more. Microsoft 365 brings all of these collaboration solutions together in an interconnected platform that helps bring people and organizations together and empowers them to get more done.

Describe the collaboration capabilities and benefits of Microsoft 365

Microsoft 365 brings together the best collaboration solutions for you to
work together with others to get things done. Whether you’re using a laptop
or your mobile device, you can easily attend meetings online, reply to a chat,
share files or information, co-author in real time, network, and collaborate
with anyone from anywhere.
Microsoft 365 Copilot in Teams helps you get the most out of your team chats and meetings through meeting recaps, identifying follow-up tasks, summarizing key takeaways, and more.

Share news and content with people inside and outside your
organization

Employees can get company news and information as well as share and
manage content, through SharePoint, an intelligent intranet. Seamlessly
collaborate and communicate inside and outside your organization through
the creation of SharePoint sites. Store and share files, and co-author on
documents through team sites. Share company news, announcements, and
events through communication sites. Microsoft 365 Copilot in
SharePoint helps turn your words into powerful tools for creating and
editing SharePoint sites and pages.

Collaborate on files in real-time

Access, share, and collaborate on files from anywhere with OneDrive, a cloud-based storage service. It's the underlying technology that powers the collaborative files experience across Microsoft 365. Access your files and photos from all your devices and coauthor in real time with Office integration across web, mobile, and desktop. Stay up to date with @mentions, comments, and notifications. Securely share files, folders, and photos, and manage access for people inside or outside your organization by sending a link via email or text. Microsoft 365 Copilot in OneDrive helps enhance file organization, categorization, and retrieval through natural language searches.

Network and engage with people across your organization

Have open and dynamic communication with leaders, employees, and partners through Yammer, a social network for organizations. Share knowledge, news, events, blogs, and polls. Deliver live and on-demand events and training. Discuss ideas, give feedback, and network with others through communities.

Distribute videos across your team or organization

Create, share, and manage live and on-demand videos within a small team, or across an organization, with Microsoft Stream (on SharePoint), an intelligent enterprise video experience. Enhance collaboration by using video in applications you rely on every day, like Microsoft Teams, Yammer, and SharePoint. Use intelligent features like in-video face detection and speech-to-text transcription. Microsoft 365 Copilot in Stream lets you catch up on videos by quickly summarizing the video or answering your questions about the content in the video.

Collaborate through business-class email and calendaring

Sync your emails, calendars, and contact information across your devices, keeping you up to date wherever you are with Microsoft Exchange, a hosted messaging solution. Exchange delivers the capabilities of Microsoft Exchange Server as a cloud-based service. Share your calendar to coordinate schedules with people in different organizations so you can work together on projects or plan social events. Create a public folder for shared access to information, or create a shared mailbox so that several people can read and send email from it.

Stay connected and share your availability

Have your emails, calendar appointments, and contacts all in one place, so
you can stay connected and organized wherever you go with Outlook, an
email messaging app. Send emails and use @mentions to get a person's
attention. Share files through email to collaborate on attachments. Simplify
scheduling by sharing your availability with coworkers, friends or family and
set up online meetings using Microsoft Teams. Create a group to send
messages, share files, and schedule events on a group calendar. Microsoft
365 Copilot in Outlook helps you draft emails, summarize long threads,
and catch up on important conversations.

Empower people and teams to be their best

Bring together communications, knowledge, learning, resources, and insights into the flow of work with Microsoft Viva, an employee experience platform. People can hone their skills and discover new ones through online courses. Viva binds each employee to their company mission and its culture to focus on goal setting and alignment, so everyone sees how their work impacts the bigger picture. Managers can gain data-driven insights that help them make better decisions and help improve employee wellbeing. Leaders listen, using continuous feedback to improve engagement and culture, and can amplify workplace communications to energize employees. Microsoft 365 Copilot in Viva helps boost engagement, productivity, and business success by providing leaders new ways to access insights and interact with the workforce through intelligent experiences.

Describe how Microsoft Teams promotes collaboration and enhances teamwork

Microsoft Teams is a collaboration app, a place for teamwork. It’s an app for people and teams to come together, stay connected, and get things done across work, home, school, and on the go. Teams helps you pull together a team and connect with colleagues through real-time messaging and engaging, inclusive meetings. You can use channels to share files and data, manage tasks, and collaborate on documents with people inside and outside your organization, all while staying secure and compliant. Make Teams your own by adding notes and websites, and by integrating your business processes and workflows with other apps, third-party and line-of-business (LOB) applications.

Microsoft 365 Copilot and Microsoft 365 Copilot in Teams are AI tools that help you find information faster and get the most out of your Teams chats and meetings. Have more effective meetings by getting a summary of key discussion points and suggested action items, all in real time during a meeting. Catch up on chats by quickly reviewing the main points, action items, and decisions. Bring everything together in Teams with Microsoft 365 Chat, which can find and use information that's buried in documents, presentations, emails, calendar invites, notes, and contacts to help you get your work done.

Teams and channels

Organize and collaborate across projects and workloads. Get started by creating a team and/or channel.

 A team is a collection of people, content, and tools surrounding different projects, interests, or outcomes. It’s designed to bring together a group of people to get things done. Conversations and resources shared in standard channels are visible to all of the team's members.
o Teams can be created as private, open only to invited users.
o Teams can also be public and open to anyone within the organization.
o A team has a limit of up to 10,000 members.

 Channels are dedicated sections within a team that keep conversations and content organized by specific topics, projects, disciplines, or whatever works for your team. Channels are where discussions happen and where the work actually gets done. For instance, users in a team could have a channel with a tab for a specific report that they're all contributing to. Files that you share in a channel (on the Files tab) are stored in SharePoint.
o Standard channels are open to all team members.
o Private channels are for selected team members.
o Shared channels are for people both inside and outside the team. You can invite anyone to a shared channel, even if they are not part of the team the channel belongs to.
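The team and channel rules listed above (private versus public teams, the 10,000-member limit, and standard, private, and shared channel visibility), encoded as a small access model so the differences can be checked against concrete cases. This is an added example, not Microsoft's code; the team, user, and organization names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

TEAM_MEMBER_LIMIT = 10_000  # upper bound on team membership stated in the text


class ChannelType(Enum):
    STANDARD = "standard"  # open to all team members
    PRIVATE = "private"    # selected team members only
    SHARED = "shared"      # invited people inside or outside the team


@dataclass
class Channel:
    name: str
    kind: ChannelType
    # An explicit member list only matters for private and shared channels.
    members: set = field(default_factory=set)


@dataclass
class Team:
    name: str
    org: str                 # organization (tenant) that owns the team
    is_private: bool         # private: invitation only; public: anyone in the org
    members: set = field(default_factory=set)
    channels: dict = field(default_factory=dict)

    def can_join(self, user: str, user_org: str, invited: bool) -> bool:
        """Team-level rules: existing members stay, then size limit, then privacy."""
        if user in self.members:
            return True
        if len(self.members) >= TEAM_MEMBER_LIMIT:
            return False
        if self.is_private:
            return invited
        return user_org == self.org

    def add_member(self, user: str, user_org: str, invited: bool = False) -> None:
        if not self.can_join(user, user_org, invited):
            raise PermissionError(f"{user} cannot join team {self.name}")
        self.members.add(user)

    def add_channel(self, name: str, kind: ChannelType) -> Channel:
        channel = Channel(name, kind)
        self.channels[name] = channel
        return channel

    def add_to_channel(self, channel_name: str, user: str) -> None:
        """Channel membership: private channels draw only from team members,
        shared channels accept invitees from outside the team."""
        channel = self.channels[channel_name]
        if channel.kind is ChannelType.STANDARD:
            raise ValueError("standard channels have no separate member list")
        if channel.kind is ChannelType.PRIVATE and user not in self.members:
            raise PermissionError("private channel members must be team members")
        channel.members.add(user)

    def can_see_channel(self, user: str, channel_name: str) -> bool:
        """Channel-level visibility as described in the text."""
        channel = self.channels[channel_name]
        if channel.kind is ChannelType.STANDARD:
            return user in self.members
        if channel.kind is ChannelType.PRIVATE:
            return user in self.members and user in channel.members
        return user in channel.members  # shared: invitees, inside or outside


def build_sample_team() -> Team:
    """Constructed sample: a private Contoso team with one channel of each type."""
    team = Team("Project Falcon", org="contoso", is_private=True)
    for user in ("alice", "bob", "carol"):
        team.add_member(user, "contoso", invited=True)
    team.add_channel("General", ChannelType.STANDARD)
    team.add_channel("Finance", ChannelType.PRIVATE)
    team.add_channel("Partners", ChannelType.SHARED)
    team.add_to_channel("Finance", "alice")
    team.add_to_channel("Partners", "alice")
    team.add_to_channel("Partners", "dana")  # dana is not a member of the team
    return team


if __name__ == "__main__":
    team = build_sample_team()
    for user in ("alice", "bob", "dana"):
        visible = [c for c in team.channels if team.can_see_channel(user, c)]
        print(f"{user}: {visible}")
```

Running it lists, per user, which channels are visible; the external invitee sees only the shared channel, and the uninvited team member sees everything except the private and shared channels.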

Chat and instant messaging

Chat and instant messaging let you work together while keeping your email clear for important messages. Instant messaging is ideal if you need to check something with a colleague or ask a quick question. You can also have a group discussion to encourage open conversation and promote thoughtful debate. The following list describes some of the benefits of Teams chat and instant messaging:

 Instantly connect. Message a team member one on one or the entire team in a group chat. Hop on a call or share your screen for immediate feedback.
 Take conversations anywhere.
 Keep the team focused. Organize your conversations, files, and apps in one place to keep the team in sync.
 Reduce email clutter. Move email threads into quick chats. Share photos and documents with one person or the team.

Microsoft 365 Copilot in Teams chats empowers you to ask questions about your chat conversations in Teams. You can use Microsoft 365 Copilot to quickly review the main points, action items, and decisions from your chats, without having to scroll through long threads. You can also choose to view highlights from the past 1, 7, or 30 days of conversation. Microsoft 365 Copilot can't reference images, Loop components, or files shared in the chat thread.

In Microsoft teams, a “team” is a workspace where a group of people can


collaborate on work, projects, or common interests. Sometimes it’s your
whole organization.

We can see the different teams that user belongs to. Each team Is made up
of “channels”. The default channel for team-wide discussions is the General
channel, but you can create other channels dedicated to specific topics,
departments, or projects.
Channels are where the work actually gets done – where files are shared,
where apps are added, and where conversations happen.
By default, channels contain three tabs: Posts, Files Wiki. But you can add
other custom tabs, such as the ones shown for this channel.
Files shared within a channel are stored in the team’s SharePoint folder.
Team members can also view and edit documents right from there.

We can create a team from scratch, from an existing group or team, or use a
template as a starting point.
In the left-side navigation bar:
 Activity displays a feed of all your recent activity – such as unread
messages, @mentions, replies, and more.
 Chat is where you can have private conversations with one or more
people on your team.
 Teams displays all your teams and channels.
 Calendar shows you a schedule of all your upcoming meetings and
appointments for the week. It includes everything that was scheduled
in Teams, Exchange, and Outlook. You can also schedule Teams
meetings from here.
 Calls is where you can make and receive calls, find your contacts,
listen to your voicemail, and check your call history.
 Files displays a list of all the files ever shared across your teams.

Online meetings

Meetings help teams share status updates, brainstorm ideas, and solve
issues together. Microsoft Teams is designed to help you have more
productive meetings whether that’s collaborating through online meetings,
webinars, live events, or audio and video conferencing. Microsoft Teams
comes with many different features that can help your team quickly engage
and improve how they work together through meetings.
 Manage all meeting activities in one place. A user's calendar in
Teams is connected to their Exchange calendar so when users
schedule a meeting in Outlook, their meeting is automatically visible
and accessible from Teams and vice versa.
 Conduct different types of meetings. Meetings, webinars, and live
events are all types of meetings, but webinars and live events provide
extra control for the organizer over the conversation and participants.
Teams can detect what's said in a meeting and present real-time
captions with speaker attribution. You can blur or use custom
backgrounds during video meetings and share your screen or content.
o Meetings in Teams include audio, video, and screen sharing for
up to 1,000 people. View-only capabilities are for participants
over 1,000 up to 20,000. Participants don't need to be a member
of an organization (or have a Teams account) to join a Teams
meeting. They can join directly from the calendar invitation via
the "Join meeting" link or call in via audio if available.
o Webinars are structured meetings where presenters and
participants have clear roles, often used for training purposes or
sales and marketing lead generation scenarios. Webinars provide
two-way interaction. Participants up to 1,000 have fully
interactive capabilities.
o Live events are structured meetings that enable your
organization to schedule and produce events that stream to
large online audiences, up to 20,000 participants.

Extend Teams by using collaborative apps

A collaborative app is a solution integrated or built into Teams that
enables employees to work better together, using the tools they already
know. Microsoft Teams is an extensible platform that you can create custom
applications on. Apps for Teams can be as simple or as complex, as you
need, from sending notifications to channels or users, to complex multi-
surface apps incorporating conversational bots, natural language processing,
and embedded web experiences. You can build apps for an individual, your
team, your organization, or for all Microsoft Teams users everywhere.

Some of the ways that you can extend Teams using collaborative apps are:

 Power BI in Teams can empower your organization to collaborate with
data to deliver improved outcomes.
 Power Apps can help you build apps to add directly into Teams by
creating a tab.
 Power Automate can help you automate tasks and processes all within
Teams.
 Dynamics 365 and Teams integration can provide high-level details of
your customers to ensure you have helpful context and can be prepared
in customer meetings.
 Power Virtual Agents allows you to create chatbots that can be
integrated into Teams.
 Integrate with third-party partners and services for more
capabilities within Teams, like ServiceNow or Salesforce. Integration
with third-parties can be done through incoming and outgoing webhooks
and connectors.

Describe the Microsoft Viva apps

Microsoft Viva is an integrated employee experience platform
(EXP) that empowers people and teams to be their best. An employee
experience platform is a digital platform that helps organizations create a
thriving culture with engaged employees and inspiring leaders. Microsoft
Viva is powered by Microsoft 365 and designed for everyone to connect,
learn, and grow. It's built right into Microsoft Teams and experienced through
Microsoft 365, so employees can find what they need when they need it.
Viva is easily customizable and extensible, accessible from anywhere, and
integrates with the tools that organizations already use. Microsoft 365
Copilot in Microsoft Viva helps boost engagement, productivity, and
business success by providing leaders new ways to access insights and
interact with the workforce through intelligent experiences.

Microsoft Viva brings together all the tools employees need to be successful
in today’s world of work into one unified solution across four unique
experience areas:

 Connection. To keep everyone informed, included, and inspired.
 Insight. To improve productivity and wellbeing with actionable insights.
 Purpose. To align people's work to team and organizational goals.
 Growth. To help employees learn, grow, and succeed.

Role-based

 Viva Sales is a seller experience application that uses Microsoft 365
and Microsoft Teams to automatically capture, access, and register data
into any customer relationship management (CRM) system. It's
designed to help sellers boost productivity, lighten workloads, save
time, and help salespeople sell more.

Describe how Yammer helps communities connect and grow


Yammer is a secure enterprise social network designed for connecting and
engaging people across your organization. Yammer helps facilitate
community collaboration and idea-sharing among leaders, coworkers and
partners from anywhere.

Yammer offers two types of networks to help users communicate and
collaborate in the most convenient and effective ways possible:

 Internal network, also known as a home network, is restricted to users
inside the organization. Only employees with a valid corporate email
address can join the internal network and access its content and users.
 External network, includes invited users from outside your
organization. It's a space for you to engage with outside partners, like
customers, suppliers, or investors.

Leader engagement

 Align people toward a shared vision and objectives to drive
organizational change.
 Foster two-way dialogue between employees and leaders with a
leadership community.
 Broadcast company meetings with live events and real-time Q&A.
 Communicate at scale with a site for leaders to share news, events,
blogs, and polls.

Modernize employee communication

 Keep everyone informed and engaged, across web and mobile.
 Share news and announcements that reach users as interactive
discussions in Microsoft Teams and Outlook.
 Target specific communities or reach your entire organization using the
All Company community.
 Pin and feature important conversations and send essential
announcements to ensure delivery of critical information.
 Create compelling communications with rich text, GIFs, photos, and
videos.

Knowledge sharing

 Share knowledge, best practices, ideas, and feedback across the
organization.
 Use questions and answers to gain solutions, highlight the best answers,
and upvote replies.
 Call in experts with @mentions.
 Extend the power of experts with FAQ bots that can auto-respond to
common questions.
 Follow topics across conversations and communities with tags.

Engage your employees

 Ensure that every voice within the organization is heard.
 Provide communities for employees to connect, share, and build
relationships.
 Find and join recommended communities around common interests.
 Designate official communities where employees can find what they
need and join the discussion.
 Empower employees to express and represent themselves with inclusive
reactions.

Powering communities in Microsoft 365

 Engage in fully interactive discussions without leaving your Outlook
inbox.
 Bring the power of communities to SharePoint with the Yammer
conversations web part.
 Embed a Yammer community on any HTML page.
 Collaborate on Office files and Excel documents within Yammer.
 In-line video playing and auto-transcription with Microsoft Stream.
 Instantly translate messages in 60+ languages.

Unit 4
What is Microsoft Search?

Microsoft Search is a secure, easily managed enterprise search experience.
It's integrated across Microsoft 365 applications, your desktop, and browser
to deliver more relevant internal results and increase productivity.
Using the power of AI and Microsoft Graph, Microsoft Search provides a
familiar search experience to help people in your organization find
information—like files, sites, people, answers, and more. Best of all, there's
no initial admin setup and it’s included at no extra cost with your Microsoft
365 subscription. As an owner, decision maker, or admin for your company,
school, or nonprofit, use the info in this module to evaluate the experience
and potential cost savings of this solution.
Microsoft Search is available as part of your Microsoft 365 or Office 365
subscription. While no setup is required, you can improve the overall
experience with some basic administration or editing tasks.
The Search & intelligence settings is where you’ll spend most of your time
administering and creating custom content. It’s important to remember that
only Search admins or Search editors can access these tools and settings.

Here’s how to get to them:

1. In your browser, go to admin.microsoft.com.
2. If the left navigation menu is collapsed, select Show all.
3. Select Settings, then Search & intelligence.

Unit 5
Assign admin and editor roles
Administrators in the following three roles manage the Search & intelligence
settings and content experience for Microsoft Search:
Global admin: Has complete control over and access to Search &
intelligence features and all other enterprise apps and services that
contribute to the Microsoft Search experience. This includes settings for
branding, news feed, and the Bing homepage. Only a Global admin can
assign the roles of Search admins or Search editors.
Search admin: Can create and manage answer content and settings, add
connectors to make more data accessible, and make other configurations
and customizations. They can perform all of the content-management tasks
a Search editor can.
Search editor: Typically tasked with the management of answer content
such as bookmarks, acronyms, and Q&As.

Search data is available for:

 Office.com
 Microsoft Search in Bing work tab (page URLs that begin with
bing.com/work)
 SharePoint Home (the site with URL ending in /SharePoint.aspx)

Unit 6
Introduction to Microsoft 365 Copilot
Microsoft 365 Copilot is a powerful Artificial Intelligence (AI) tool designed to
enhance your productivity and streamline your daily tasks. Copilot is an
intelligent assistant integrated into Microsoft 365 applications, providing you
with real-time support and insights. Whether you're drafting emails, creating
documents, or managing your calendar, Copilot can help you work smarter
and more efficiently. One of the key benefits of Copilot is its ability to
understand and respond to natural language queries. You can ask Copilot to
perform tasks, find information, or provide recommendations just by typing
or speaking your request.
Additionally, Copilot leverages the power of artificial intelligence to provide
personalized assistance tailored to your needs. It learns from your
interactions and adapts to your preferences, ensuring that the support you
receive is always relevant and helpful. With Copilot, you can collaborate
more effectively with your team, stay organized, and make informed
decisions with ease.

Microsoft 365 Copilot transforms work in three meaningful ways:

 Unleash creativity. Copilot helps you create content faster and more
efficiently.
 Unlock productivity. Copilot helps you focus on what matters most.
 Improve skills. Copilot makes you better at what you’re good at and
helps you quickly master what you have yet to learn.

What is Microsoft 365 Copilot?


Microsoft 365 Copilot represents a new paradigm in work, where employees
collaborate with AI for increased productivity. Copilot addresses the modern
challenge where the pace of work is overtaking our ability to keep up.
Microsoft 365 Copilot is designed to transform how we work in the digital
age. Powered by Large Language Models (LLMs) and utilizing your business
data from Microsoft Graph, Copilot aims to spark creativity, boost
productivity, and foster new skills. This innovative tool integrates seamlessly
with the Microsoft 365 suite, including popular applications like Teams, Word,
Outlook, PowerPoint, Excel, and more to elevate productivity and creativity in
the workplace.

Examples of Microsoft 365 Copilot in action may include:

 Outlook. Summarize the content of a large email thread.


 PowerPoint. Create a PowerPoint slide presentation based on a report.
 Word. Rewrite a paragraph in a different tone or style.
 Teams. Summarize meetings and chat threads.
Before you can access Microsoft 365 Copilot, you must meet the following
requirements:
 Microsoft Entra ID. Users must have Microsoft Entra ID accounts. You
can add or sync users using the onboarding wizard in the Microsoft 365
admin center.
 Microsoft 365 Copilot licensing.
 Microsoft 365 Apps.
 OneDrive Account.
 Outlook for Windows.
 Microsoft Teams.
 Microsoft Loop.
 Microsoft Whiteboard.
 Office Feature Updates task. The Office Feature Updates task is
required for ensuring the proper installation and functionality of core
Copilot experiences in apps such as Word, PowerPoint, Excel, and
OneNote. This task should be allowed to run on its regular schedule and
allowed to access the required network resources.

Explore how Microsoft 365 Copilot works

At its core, Microsoft 365 Copilot isn't just another feature—it's an intelligent
partner that accompanies you throughout your day-to-day Microsoft 365
interactions. Be it in Outlook, PowerPoint, Word, Excel, Teams, or other
applications, Copilot's goal is to save you time by generating new content,
offering relevant suggestions, and making you more productive.

How Copilot understands context and user needs

 Analyzing content. Whether it's the document you're drafting, the
email you're composing, or the meeting you're in, Copilot scrutinizes the
subject matter, tone, structure, and semantics to determine your intent
and meaning.
 Getting context from your work data in Microsoft 365. Your
communications, activity history, and content help Copilot to get
additional context in real-time as it responds to your prompts.

Transform how you work

With a deep understanding of your context, Microsoft 365 Copilot doesn't
stop at just observations. It takes action:

 Search and retrieval. Copilot uses powerful search capabilities that
identify useful data and content sources that can assist you.
 Natural phrasing with large language models. Large language
models (LLMs) provide the engine that powers Copilot. These models
enable Copilot to craft naturally phrased recommendations, ensuring
that any content it generates aligns with your unique situation.
 Refining recommendations. It's not about quantity, but quality.
Copilot evaluates potential suggestions, refining them to ensure what
you get is contextually relevant and specific.

Logical architecture
Microsoft 365 Copilot uses your organization's data that you as an individual
user have access to. For example, calendar events, emails, chats,
documents, and meetings from the Microsoft Graph. It maps this data and
relationships, providing personalized, relevant, and actionable information.
Your data remains secure within the Microsoft 365 service boundary,
adhering to the latest security, compliance, and privacy policies.
Furthermore, communication between your tenant and Copilot components
is encrypted.

1. Copilot receives an input prompt from a user in an app, such as Word or
PowerPoint.
2. Copilot then preprocesses the input prompt through an approach called
grounding. Grounding improves the specificity of the prompt, to help
you get answers that are relevant and actionable to your specific task.
The prompt can include text from input files or other content discovered
by Copilot, and Copilot sends this prompt to the LLM for processing.
Copilot only accesses data that an individual user has existing access to,
based on, for example, existing Microsoft 365 role-based access
controls.
3. Copilot takes the response from the LLM and post-processes it. This
post-processing includes other grounding calls to Microsoft Graph,
responsible AI checks, security, compliance and privacy reviews, and
command generation.
4. Copilot returns the response to the app, where the user can review and
assess the response.
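
The four steps above, modelled as a small Python simulation. This is an added
teaching example, not Microsoft's implementation: the document store, its
access-control lists, the keyword search and the "LLM" are all constructed
stand-ins. What it demonstrates is the security property the text states:
grounding only pulls in content the requesting user already has access to,
and post-processing refuses an answer that references anything trimmed.

```python
"""Illustrative model of the Copilot grounding flow (added example, not
Microsoft's code). Corpus, ACLs and the model are constructed stand-ins."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    body: str
    allowed_users: frozenset  # constructed ACL, stands in for Graph permissions


@dataclass
class GroundingResult:
    prompt: str
    sources: list = field(default_factory=list)  # doc ids sent to the model
    denied: list = field(default_factory=list)   # doc ids trimmed by ACL


# Constructed sample corpus standing in for Microsoft Graph content.
CORPUS = [
    Document("d1", "Q3 roadmap", "Ship feature X in October.",
             frozenset({"alice", "bob"})),
    Document("d2", "Payroll review", "Bob's salary is under review.",
             frozenset({"hr-admin"})),
    Document("d3", "Team lunch", "Lunch is Friday at noon.",
             frozenset({"alice", "bob", "carol"})),
]


def search(query: str, corpus=CORPUS):
    """Step 2a: naive keyword search over the whole corpus (no ACL yet).
    Words of three letters or fewer are ignored as stop words."""
    terms = {t.lower().strip("?.,") for t in query.split()}
    terms = {t for t in terms if len(t) > 3}
    hits = []
    for d in corpus:
        words = set(d.body.lower().replace(".", "").split())
        words |= set(d.title.lower().split())
        if terms & words:
            hits.append(d)
    return hits


def permission_trim(user: str, docs):
    """Step 2b: keep only documents the user already has access to."""
    allowed = [d for d in docs if user in d.allowed_users]
    denied = [d for d in docs if user not in d.allowed_users]
    return allowed, denied


def ground(user: str, user_prompt: str, corpus=CORPUS) -> GroundingResult:
    """Step 2: build the grounded prompt that is sent to the LLM."""
    allowed, denied = permission_trim(user, search(user_prompt, corpus))
    context = "\n".join(f"[{d.doc_id}] {d.title}: {d.body}" for d in allowed)
    prompt = ("Answer using only the context below.\n"
              f"Context:\n{context or '(no accessible documents)'}\n"
              f"Question: {user_prompt}")
    return GroundingResult(prompt, [d.doc_id for d in allowed],
                           [d.doc_id for d in denied])


def fake_llm(prompt: str) -> str:
    """Stand-in for the model: echoes the context lines it was given."""
    ctx = prompt.split("Context:\n", 1)[1].split("\nQuestion:", 1)[0]
    return f"Based on: {ctx}"


def post_process(response: str, result: GroundingResult) -> str:
    """Step 3 (defence in depth): refuse if the answer cites a trimmed doc."""
    for doc_id in result.denied:
        if f"[{doc_id}]" in response:
            raise PermissionError(f"response referenced trimmed doc {doc_id}")
    return response


def copilot_turn(user: str, user_prompt: str) -> dict:
    """Steps 1-4 end to end: returns the answer plus audit data for the app."""
    result = ground(user, user_prompt)
    answer = post_process(fake_llm(result.prompt), result)
    return {"answer": answer, "sources": result.sources,
            "trimmed": result.denied}


if __name__ == "__main__":
    print(copilot_turn("bob", "What is the salary review about?"))
    print(copilot_turn("alice", "When is the team lunch?"))
```

Bob's question matches the payroll document, but since his account is not on
its ACL the model is handed no context at all; the `trimmed` list is what an
auditor would want logged.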

Explore the core components of Microsoft 365 Copilot

Large language models

Large language models (LLMs) represent a class of artificial intelligence
models that specialize in understanding and generating human-like text. The
"large" in LLM signifies both the size of the models in terms of the number of
parameters they encompass, and the vast volume of data on which they're
trained. LLMs, including models like ChatGPT, are a type of generative AI.
Instead of merely predicting or classifying, generative AI, like LLMs, can
produce entirely new content. When applied to text, LLMs can generate
contextually relevant and syntactically correct responses based on the
provided prompts.

In the context of Microsoft 365 Copilot, LLMs are the engine that drives
Microsoft 365 Copilot's capabilities. Microsoft's Azure OpenAI Service
privately hosts these models, which Microsoft 365 Copilot uses to understand
user inputs and generate relevant responses. Through the careful application
of these models, Microsoft 365 Copilot helps you navigate your work more
effectively, while ensuring privacy and data integrity.

Microsoft 365 keeps your data logically isolated by tenant. This design,
together with encryption, ensures privacy while processing and at rest.

Natural language processing

Natural language processing (NLP) is a pivotal AI technology that helps
machines understand, interpret, and respond to human language in a way
that's meaningful. In essence, NLP is the technology behind Copilot's ability
to read, comprehend, and generate text similar to how humans would. Some
of the components involved are:
 Tokenization. Simplifies complex paragraphs by breaking down text
into smaller chunks, like words or phrases.
 Semantic Analysis. Helps Copilot understand the underlying meaning
or context.
 Sentiment Analysis. Assesses the mood or emotion behind a text so that
Copilot can understand user intent more accurately.
 Language Translation. Aids in multilingual tasks, allowing Copilot to
assist users across different languages.

NLP is integral to Microsoft 365 Copilot. It bridges the gap between human
language and machine understanding. This technology ensures that when
you ask Copilot something, it understands and responds effectively.

Microsoft Graph

Microsoft Graph serves as the connective tissue that integrates all your
Microsoft 365 services and data. Microsoft 365 Copilot applies Microsoft
Graph to synthesize and search content from multiple sources within your
tenant. The Microsoft Graph API brings more context from user signals into
the prompt, such as information from emails, chats, documents, and
meetings. This information includes data from services like Outlook,
OneDrive, SharePoint, Teams, and more.
Microsoft Graph brings this information together so that users don't need to
navigate away or switch apps. It enables Microsoft 365 Copilot to bring the
relevant information to you. When doing so, Microsoft 365 Copilot takes into
account Microsoft 365 user permissions, data security, and compliance
policies. It only generates responses based on the information the user has
permission to access. Prompts, responses, and data accessed through Microsoft
Graph aren't used to train foundation LLMs, including those used by Microsoft
365 Copilot.

Microsoft 365 apps

Apps such as Word, Excel, PowerPoint, Outlook, Teams, Loop, and any newly
integrated apps operate with Copilot to support users in the context of their
work. For example, Copilot in Word specifically assists users in the process of
creating, comprehending, and editing documents. In a similar way, Copilot in
the other apps helps users in the context of their work within those apps.

Microsoft 365 Copilot Chat

Copilot Chat is the shared chat experience in Microsoft 365 Copilot, enabling
users to leverage cross-app intelligence. The conversational chat interface
allows Microsoft 365 Copilot to understand user intent and provide ongoing
dialogue, with the latest enhancements ensuring even greater flexibility and
integration. The chat format enhances the context, providing users with a
simpler way to work with multiple apps.
Users access Copilot Chat in the same way they would interact using open
prompts with ChatGPT or using Microsoft Copilot on the web. Those prompts
are grounded in the LLM and contextualized with the users' business data
and apps. By doing so, Copilot Chat surfaces the information and insights
into the chat experience that users need from their organization's data.
Prompts work with Copilot Chat across a range of experiences, including
Teams (chat), Bing, Microsoft Edge, and the Microsoft 365 app.

Here are a few things you can do with the Copilot Chat:

 Catch up on things. Copilot Chat can synthesize and summarize large
amounts of data into simple, easy-to-digest summaries.
 Create content and brainstorm. Copilot Chat can help you
brainstorm ideas and draft new content based on anything from a
storyboard or a script to an agenda or an executive summary.
 Get quick answers. Copilot Chat enables you to act as your own
personal search engine. Ask questions about specific files and
messages, or find information you know is out there, but you can't
remember where it's stored.

It's important to note that Copilot Chat differs from other Copilots available
in Microsoft 365 Apps. Copilot Chat works across multiple apps and
content, giving you the power of AI together with your secure work data.

Examine how Microsoft is committed to responsible AI

Microsoft integrates AI into its operations with a strong emphasis on ethics
and responsibility. The guiding principles of this approach are:

 Fairness. Microsoft aims to eliminate biases, ensuring equal treatment
for all users.
 Reliability & Safety. Rigorous testing ensures Microsoft's AI performs
consistently and safely.
 Privacy & Security. Your data is protected. Both in training and post-
deployment phases, Microsoft places a premium on safeguarding user
details.
 Inclusiveness. AI tools are crafted to be accessible and beneficial for
everyone, regardless of physical ability, gender, or ethnicity.
 Transparency. Microsoft believes in keeping users informed about how
its AI systems work and their intended purposes.
 Accountability. Ethical and legal standards are at the forefront, with AI
developers and designers held accountable for their creations.

Microsoft's Strategy for Responsible AI

Microsoft is a global leader in developing and deploying AI solutions that are
ethical, trustworthy, and secure. To achieve this vision, Microsoft has
invested in various teams, processes, resources, and initiatives that work
collaboratively to ensure that AI is designed and used responsibly and
transparently. On this note, Brad Smith released a blueprint for AI
governance, which presents Microsoft's proposals to governments and other
stakeholders for creating extensible, interoperable, and appropriate
regulatory frameworks for AI.

Microsoft harnesses a blend of:

 Ethical AI principles
 Compliance standards for responsible AI
 Comprehensive AI research, including privacy-centric machine learning
and ongoing updates to ensure alignment with the latest ethical
guidelines

An interdisciplinary team of researchers, engineers, and policy specialists
continually refines Microsoft's AI systems. They work on enhancing training
data, filtering out harmful content, and addressing biases.

Exam Certification
Unit 7
Microsoft, as both a cloud provider and operating system (OS) provider, has
built comprehensive cloud computer management solutions. These solutions
provide IT departments with remote computer configurations and simplified
endpoint management tools.
Describe the endpoint management capabilities of Microsoft 365

Microsoft provides the tools and services to enable you to simplify the
management of all devices through their endpoint management
solutions.

Microsoft Intune is a family of products and services that offer a cloud-
based unified endpoint management solution. The Intune family
includes Microsoft Intune service, Configuration Manager, co-
management, Endpoint Analytics, Windows Autopilot and Intune
admin center. These solutions can help manage, protect and monitor all
your organization's endpoints.

Endpoints are physical devices, such as mobile devices, desktop
computers, virtual machines, embedded devices, and servers that connect to
and exchange information with a computer network.

These solutions support data protection on both company-owned and
personal devices using non-intrusive app management. They champion a Zero
Trust security model through data protection and endpoint compliance
while enhancing IT efficiency and improving both admin and end user
experiences in hybrid work settings.

Zero Trust is a security model consisting of three guiding principles: Verify
explicitly, use least privilege access, and assume breach.

Microsoft Intune

Microsoft Intune is a cloud-based endpoint management solution that
manages user access to organizational resources and simplifies app and
device management across your many devices, including mobile devices,
desktop computers, and virtual endpoints. Some of the key features and
benefits of Intune include:

 Allows management of users and devices (both organizational and
personal) across platforms like Android, AOSP, iOS/iPadOS, macOS, and
Windows, enabling secure access to organization resources through
user-defined policies.
 Intune streamlines app management, offering in-built deployment,
updates, and removal capabilities, integration with private app stores,
Microsoft 365 app support, Win32 app deployment, and tools for app
protection policies and data access control.
 Intune automates policy deployment for apps, security, device
configuration, compliance, conditional access and more.
 The Company Portal app provides self-service features for employees
and students, such as PIN/password resets, app installations, and more.
 Intune partners with mobile threat defense tools, including Microsoft
Defender for Endpoint and third-party services, to emphasize endpoint
security, enabling policies for real-time threat response and automated
remediation.
 Intune's web-based admin center emphasizes endpoint management
and data-driven reporting, allowing admins to sign in from any device
with internet access.

Configuration Manager

Configuration Manager is an on-premises management solution to
manage desktops, Windows servers, and laptops that are on your network or
internet-based. Configuration Manager boosts IT productivity by reducing
manual tasks and letting you focus on high-value projects. Configuration
Manager enhances IT services by securely deploying applications and
updates at scale, facilitating real-time actions on devices, offering cloud-
driven analytics for both on-site and online devices, managing compliance
settings, and providing thorough oversight of servers and computers.
Configuration Manager collaborates with numerous Microsoft technologies.
You can cloud-attach your Configuration Manager environment allowing
you to modernize and streamline your management solution.

If you need to manage a combination of both cloud and on-premises
endpoints, you can use cloud attach to use both Intune and Configuration
Manager. Cloud attach allows you to
connect your on-premises Configuration Manager to the cloud without having
to worry about disruption or risk. A Configuration Manager environment is
considered cloud attached when it uses at least one of the three primary
cloud attach features which consists of co-management, tenant
attach, and Endpoint analytics. You can enable these three features in
any order you wish, or all at once.

Co-management

Co-management is one of the primary ways to attach your existing
Configuration Manager deployment to the Microsoft 365 cloud, enhancing
capabilities like conditional access. It allows simultaneous management of
Windows 10 or later devices through both Configuration Manager and
Microsoft Intune, enhancing your Configuration Manager's functions.

Conditional access allows organizations to implement policies that control
and restrict access to their resources based on certain conditions and
criteria.

Tenant-attach

Tenant attach allows your device records to be in the cloud, enabling you
to act on these devices from a cloud console. It provides real-time data from
Configuration Manager clients, including those online. It also lets you
manage endpoint security for both Windows Servers and Client devices from
the Intune admin center, including antivirus status and malware reports.

Endpoint Analytics

Endpoint Analytics is a cloud-native service that provides metrics and
recommendations on the health and performance of your Windows client
devices. Endpoint Analytics is part of the Microsoft Adoption Score. These
analytics give you insights for measuring how your organization is working
and the quality of the experience you're delivering to your users. Endpoint
analytics can help identify policies or hardware issues that might be slowing
down devices and help you proactively make improvements before end-
users generate a help desk ticket. You can use Endpoint Analytics on devices
that are managed with Intune or Configuration Manager connected to the
cloud.

Windows Autopilot

Windows Autopilot is a cloud-native service that sets up and pre-
configures new devices, getting them ready for use. You can also use
Windows Autopilot to reset, repurpose, and recover devices. It's designed to
simplify the lifecycle of Windows devices, for both IT and end-users, from
initial deployment through end of life. You can use Autopilot to preconfigure
devices, automatically join devices to Microsoft Entra ID (formerly known
as Azure Active Directory or Azure AD) or enroll devices in Intune, customize
out of box experience and more. You can also integrate Autopilot with
Configuration Manager and co-management for more device configurations.

Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD)
is a cloud-native service that is used by Intune to manage the identities of
users, devices, and groups. The Intune policies you create are assigned to
these users, devices, and groups. When devices are enrolled in Intune, your
users sign into their devices with their Microsoft Entra ID accounts.

Intune admin center

The Intune admin center is a one-stop web site to add users and groups,
create and manage policies, and monitor your policies using report data. If
you use Configuration Manager tenant-attach or co-management, you can
see your on-premises devices and run some actions on these devices.

Manage devices through the Intune admin center

Microsoft Endpoint Manager

• Manage enrolled devices
• Enforce compliance
• Protect data

Endpoint Manager is a single, integrated endpoint management platform for
keeping data secure on all your devices, and it is where you’ll find Microsoft
Intune.

As an IT admin, you can use Microsoft Intune for mobile device management
(MDM) of the devices that your organization’s workforce uses.

The device overview shows a visual snapshot of the enrolled devices, the
platforms they are using, and more.

To use Intune mobile device management, the device must first be enrolled
in the Intune service. Enrolled devices are issued an MDM certificate that is
used to communicate with the Intune service.

Intune integrates with other services, including Microsoft 365 and Azure
Active Directory (Azure AD), to control who has access and what they have
access to, and with Azure Information Protection for data protection.

In the Hardware section we can see details about the device hardware, starting
with system identifiers, the operating system and version, storage space,
and more.
If Intune finds apps installed on the device, the name and version of each
app will be displayed here.

For personal devices, Intune never collects information on unmanaged apps.
For corporate devices, Intune collects information on all apps, whether or not
they are managed.

In Intune, compliance policies help protect organizational data by requiring
users and devices to meet specific requirements.
In the Device compliance section we can see a list of all compliance policies
assigned to the device, and whether the device is compliant with each
policy.

In the Device configuration section we can see a list of all the device
configuration policies assigned to the device, and whether each policy
succeeded or failed.

In the App configuration section we can see a list of all the app configuration
policies assigned to the device, and whether each policy succeeded or failed.

In the Endpoint security configuration section we can see the endpoint
security configurations applied to the device.

Any available BitLocker keys found for the device will show up in the
Recovery keys section.

In the Managed Apps section we can see a list of the managed apps that
Intune has configured and deployed to the device.

To view the specific devices, select the platform (Windows, iOS, macOS,
Android).

In the Windows platform:

• Windows Devices section shows all the enrolled Windows devices you
  manage.
• Windows enrollment: there are seven different ways a Windows 10 PC
  can be enrolled into Intune by users or admins.
  1. Automatic Enrollment: It enables a single-step process for users.
     Here we can configure Windows devices to enroll automatically when
     users add their work account to their personally owned devices or
     join corporate-owned devices to Azure Active Directory.

In the iOS platform: the Enrollment section shows the enrollment types
available for iOS, which differ from the enrollment methods above.
iOS policies: under Compliance policies we can see the policies; we can
review and edit the properties for a policy in its Manage: Properties
section.

Configuration Profiles: With configuration profiles we can create and
customize device restriction settings based on the organization’s needs.
After creating a profile, we can push or deploy it to devices in the
organization.

In the Android platform: in the Android Enrollment section we can set up
devices with one of the Android Enterprise solutions. Android Enterprise
supports the most up-to-date and secure management features for personal
and company-owned devices. To enable these features in the organization, we
must link our managed Google Play account to Intune.

Enrollment restrictions: We can create and manage enrollment restrictions
that define what devices can enroll into management with Intune. There are
two types of restrictions:
• Device type restrictions define which platforms, versions, and
  management types can enroll. By default, all platforms are allowed.
• Device limit restrictions define how many devices each user can enroll.
  By default, the limit is 15 devices.

Configuration profiles: As part of the mobile device management solution, we
can use configuration profiles to complete different tasks, such as allowing or
preventing access to Bluetooth, managing software updates, and more.
We can create profiles for different devices and platforms and then use
Intune to apply the profile to devices.

The Windows settings in Intune correlate to the on-premises group policy
path you see in Local Group Policy Editor (gpedit).

• Gatekeeper lets us configure the locations users can download apps from.

We can create compliance policies to block users and devices that don’t meet
requirements or to monitor the compliance status of devices in your
organization.

• Intune follows the device check-in schedule for all compliance
  evaluations on the device.

Conditional access gives us granular control over which devices and apps
can connect to your email and company resources, without compromising a
great user experience. Conditional Access in Intune is powered by Azure
Active Directory to add device compliance and mobile app management
capabilities.

• Conditional access is included with the Azure Active Directory Premium
  license.

Intune provides a rich set of capabilities that enable you to monitor the
status and compliance of devices your organization manages.
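The following is an added example, not code from the Microsoft Learn page and not Intune's own implementation or API. It models how the three controls described above fit together: enrollment restrictions decide whether a device may enroll at all, compliance policies evaluate an enrolled device against its requirements, and conditional access grants or blocks based on the result. The policy names, the 30-day validity window for a compliance result, and the device records are constructed for illustration; the 15-device limit is the default stated above.

```python
"""Added example: a simplified model of Intune-style enrollment restrictions,
compliance policies and conditional access. Not Intune's own code or API;
policy names, thresholds and device records are constructed."""

from dataclasses import dataclass

DEVICE_LIMIT_PER_USER = 15           # the default device limit restriction stated above
COMPLIANCE_VALIDITY_HOURS = 24 * 30  # assumption: a result older than this is treated as stale


@dataclass
class Device:
    name: str
    owner: str
    platform: str            # "Windows", "iOS", "macOS" or "Android"
    os_version: tuple        # e.g. (10, 0, 19045); tuples compare element by element
    encrypted: bool          # disk encryption present
    hours_since_checkin: float


@dataclass
class CompliancePolicy:
    name: str
    platform: str            # the platform the policy is assigned to
    min_os_version: tuple
    require_encryption: bool = True


def enrollment_allowed(device, allowed_platforms, devices_already_enrolled):
    """Device type restriction (platform allow-list) and device limit restriction."""
    if device.platform not in allowed_platforms:
        return False, f"{device.platform} is blocked by the device type restriction"
    if devices_already_enrolled >= DEVICE_LIMIT_PER_USER:
        return False, f"{device.owner} already has {devices_already_enrolled} devices enrolled"
    return True, "enrollment allowed"


def evaluate_compliance(device, policies):
    """Map each policy assigned to the device's platform to its list of failed
    settings; an empty list means the device is compliant with that policy."""
    results = {}
    for policy in policies:
        if policy.platform != device.platform:
            continue  # policy is not assigned to this platform
        failures = []
        if device.os_version < policy.min_os_version:
            failures.append(f"OS {device.os_version} is below {policy.min_os_version}")
        if policy.require_encryption and not device.encrypted:
            failures.append("disk encryption required")
        results[policy.name] = failures
    return results


def conditional_access_decision(device, policies):
    """Grant access only when the device has checked in recently and passes
    every compliance policy assigned to it; otherwise block and say why."""
    if device.hours_since_checkin > COMPLIANCE_VALIDITY_HOURS:
        return "block: no recent check-in, compliance state unknown"
    failed = [name for name, failures in evaluate_compliance(device, policies).items() if failures]
    if failed:
        return "block: non-compliant with " + ", ".join(failed)
    return "grant"


# Constructed sample policies and devices.
POLICIES = [
    CompliancePolicy("Windows baseline", "Windows", min_os_version=(10, 0, 19045)),
    CompliancePolicy("iOS baseline", "iOS", min_os_version=(16, 0)),
]

SAMPLE_DEVICES = [
    Device("LAPTOP-01", "alice", "Windows", (10, 0, 19045), encrypted=True, hours_since_checkin=2),
    Device("LAPTOP-02", "bob", "Windows", (10, 0, 18363), encrypted=False, hours_since_checkin=5),
    Device("IPHONE-01", "carol", "iOS", (17, 1), encrypted=True, hours_since_checkin=800),
]


def run_demo():
    """Return the access decision for every sample device."""
    return {d.name: conditional_access_decision(d, POLICIES) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

Note how the stale device is blocked even though its last known state was compliant: because Intune only re-evaluates compliance on the device check-in schedule, a device that has stopped checking in has an unknown state, and a conditional access design should treat unknown as non-compliant rather than assume the last result still holds.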

Compare the differences of Windows 365 and Azure Virtual Desktop

As organizations move towards remote work, cloud-based solutions such
as Windows 365 and Azure Virtual Desktop (AVD) have become
powerful tools for improving productivity and granting remote access to
applications and data. Windows 365 and AVD services are both virtual
desktop solutions, also known as Desktop-as-a-Service. Both these
solutions allow you to experience Microsoft’s client operating system
(OS), Windows.

Windows 11 is the current version and is built on the same foundation
as Windows 10 but offers further enhancements such as universal search,
accessibility features, desktop personalization, PC and phone syncing and
much more.

Windows 365 and AVD allow your end users to experience all these features
of Windows from anywhere with an internet connection and a compatible
device. While these solutions offer similar functionality, there are some
differences.

Windows 365

Windows 365 is a cloud-based service that automatically creates a new
type of Windows virtual machine (VM), known as Cloud PCs, for your end
users. Windows 365 introduces a new way for organizations of all sizes to
experience the Windows client. Securely stream the full Windows experience,
including apps, data, and settings, from the Microsoft cloud to any personal
or corporate device.

A virtual machine (VM) is a virtual computer, or software-defined computer,
within a physical server, existing only as code.

• Stream your apps, data, content, and settings from the Microsoft cloud
  to any device and pick up where you left off.
• Personalized Windows 365 Cloud PCs available across devices.
• Dedicated to a single user.
• Simple to deploy and manage from a single console.
• Easily set up and scale Cloud PCs to fit your needs and securely support
  changing workforce needs and new business scenarios.
• Assign a license to a user and Windows 365 is automatically provisioned
  for that user.
• Azure computing and storage are managed by Microsoft with a fixed
  cost.

Windows 365 is available in two editions: Windows 365 Business and
Windows 365 Enterprise.

Azure Virtual Desktop

Azure Virtual Desktop (AVD) is a modern and secure desktop and app
virtualization solution that runs on the cloud. AVD allows users to connect to
a Windows desktop running in the cloud. It's the only solution that delivers
multi-session on Windows. AVD gives you the ability to access your desktop
and applications from virtually anywhere.

• Set up a multi-session Windows Client deployment that delivers a full
  Windows experience with scalability.
• Dedicated to a single user or used by multiple users, using FSLogix
  technology.
• Present Microsoft 365 Apps for Enterprise and optimize it to run in
  multi-user virtual scenarios.
• Bring your existing Remote Desktop Services (RDS) and Windows Server
  desktops and apps to any computer.
• Virtualize both desktops and apps.
• Manage desktops and apps from different Windows and Windows Server
  operating systems with a unified management experience.
• Azure computing and storage are customer managed with
  consumption-based costs.

Azure Virtual Desktop on Surface lets you run Virtual Desktop
Infrastructure (VDI) on a Surface device. AVD on Surface blurs the lines
between the local desktop experience and the virtual desktop, where touch,
pen, ink, and biometric authentication span both physical and virtual
environments.

Describe the deployment and release models for Windows-as-a-Service (WaaS)

Windows Client is a comprehensive desktop operating system that allows
you to work efficiently and securely. It's important to keep the desktop
operating system up to date because it helps devices run efficiently and stay
protected. Windows-as-a-Service (WaaS) is a new way to work with the
Windows desktop. The WaaS model is designed to make life easier for both
users and IT professionals by simplifying the deployment and servicing of
Windows client computers. WaaS maintains a consistent and current
Windows experience for users.

Servicing
Release types

With Windows client, there are two release types:

• Feature updates add new functionality and are released twice a year.
  Because these updates are more frequent, they're smaller. There are
  many benefits:
  o There's less disruption and effort to apply new features.
  o Users are more productive with earlier access to new Windows
    features.
  o Users take less time to adapt to smaller changes.
  o The workload and cost impact of updating Windows is reduced.

• Quality updates provide security and reliability fixes. These updates
  are issued once a month as non-security releases or combined
  security + non-security releases. Non-security releases allow IT
  admins to do an early validation of content. In addition, a cumulative
  update is released which includes all previous updates. There are a
  couple of benefits:
  o Identified security issues are fixed and deployed quickly, helping to
    keep devices secure.
  o Everyone receives security fixes regularly, keeping all devices
    aligned.

Servicing channels

Servicing channels are the first way to separate users into deployment
groups for feature and quality updates. There are three servicing channels.
Each channel provides different levels of flexibility for when these
updates are delivered to client computers.

• Windows Insider Program provides organizations with the
  opportunity to test and provide feedback on features that will be
  shipped in the next feature update. New features are delivered to the
  Windows Insider community during the development cycle through a
  process called flighting. This process will allow organizations to see
  exactly what Microsoft is developing and start their testing as soon as
  possible. Microsoft recommends that all organizations have at least a
  few devices enrolled in this program.
• General Availability Channel receives new functionality with feature
  update releases annually. This model is ideal for pilot deployments and
  testing of feature updates. It's also ideal for users such as developers
  who need to work with the latest features. Organizations can choose
  when to deploy updates once the latest release has gone through pilot
  deployment and testing.
• Long-term servicing channel is designed for specialist systems and
  devices that don't run Office apps, such as medical equipment or ATMs.
  These devices typically perform a single task and don't need frequent
  updates compared to other devices in the organization. This channel
  receives new features every two or three years.

Deployment

Deployment rings
Deployment rings are a deployment method used to separate devices into
a deployment timeline. Each “ring” comprises a group of users or devices
that receive a particular update together. IT administrators set criteria that
should be met to control delay time or completion before deployment to the
next broader ring of devices and users can occur.

A common ring structure uses three deployment groups:

• Preview is for planning and development.
  o The purpose of the preview ring is to evaluate the new features of the
    update.
• Limited is for pilot and validation.
  o The purpose of the limited ring is to validate the update on
    representative devices across the network.
• Broad is for wide deployment.
  o Once the devices in the limited ring have had a sufficient stabilization
    period, it’s time for broad deployment across the network.
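As an added example (not from the page, and not how Windows Update for Business or Intune implement rings), the gating logic below shows what the "criteria that should be met" in the ring model look like in practice: each ring has a minimum stabilization period, a required install success rate and an open-incident limit, and the update is held in the first ring whose exit criteria are not yet met. The ring names follow the page; the thresholds and the telemetry figures are constructed.

```python
"""Added example: promotion gating for a Preview / Limited / Broad ring
rollout. Not Windows Update for Business or Intune code; stabilization
periods, success thresholds and telemetry are constructed values."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Ring:
    name: str
    min_days_in_ring: int     # stabilization period before the next ring may start
    min_success_rate: float   # fraction of devices that must have installed the update
    max_open_incidents: int   # blocking issues tolerated before promotion


# Exit criteria per ring (assumed values). Broad is the last ring and has none.
RINGS = [
    Ring("Preview", min_days_in_ring=7, min_success_rate=0.90, max_open_incidents=0),
    Ring("Limited", min_days_in_ring=14, min_success_rate=0.97, max_open_incidents=0),
    Ring("Broad", min_days_in_ring=0, min_success_rate=0.0, max_open_incidents=0),
]


@dataclass
class RingStatus:
    days_in_ring: int
    devices: int
    succeeded: int
    open_incidents: int


def promotion_blockers(ring, status):
    """Reasons the update may not yet leave this ring (empty list = ready)."""
    blockers = []
    if status.days_in_ring < ring.min_days_in_ring:
        blockers.append(f"{ring.name}: {status.days_in_ring}/{ring.min_days_in_ring} stabilization days elapsed")
    rate = status.succeeded / status.devices if status.devices else 0.0
    if rate < ring.min_success_rate:
        blockers.append(f"{ring.name}: success rate {rate:.1%} below {ring.min_success_rate:.0%}")
    if status.open_incidents > ring.max_open_incidents:
        blockers.append(f"{ring.name}: {status.open_incidents} open incident(s)")
    return blockers


def current_ring(statuses):
    """Walk the rings in order. The update sits in the first ring whose exit
    criteria are unmet (or that has not started); if every earlier ring has
    passed, it is ready for Broad. `statuses` maps ring name -> RingStatus."""
    for ring in RINGS[:-1]:
        status = statuses.get(ring.name)
        if status is None:
            return ring.name, [f"{ring.name}: deployment not started"]
        blockers = promotion_blockers(ring, status)
        if blockers:
            return ring.name, blockers
    return RINGS[-1].name, []


# Constructed telemetry: Preview has stabilized cleanly; Limited is only five
# days in and has one open incident, so Broad must wait.
SAMPLE_STATUS = {
    "Preview": RingStatus(days_in_ring=10, devices=20, succeeded=19, open_incidents=0),
    "Limited": RingStatus(days_in_ring=5, devices=200, succeeded=198, open_incidents=1),
}


if __name__ == "__main__":
    ring, blockers = current_ring(SAMPLE_STATUS)
    print(f"update is held in ring: {ring}")
    for blocker in blockers:
        print("  -", blocker)
```

The point of returning the blockers rather than a bare yes/no is operational: an administrator reviewing a stalled rollout needs to know whether it is waiting on time, on install telemetry, or on an unresolved incident, because each calls for a different response.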

Deployment methods
To successfully deploy Windows in your organization, it's important to
understand the different ways that it can be deployed. There are three types
of deployment methods:

• Modern deployment methods combine both traditional on-premises and
  cloud services to deliver a streamlined, cost-effective deployment
  experience.
  o Windows Autopilot allows IT professionals to customize the out-of-box
    experience (OOBE) for Windows PCs and provide end users with a
    fully configured new Windows device. Users can go through the
    deployment process independently, without the need to consult their
    IT administrator.
  o In-place upgrade provides a simple, automated process that uses
    the Windows installation program to upgrade from an earlier version
    of Windows. This process automatically preserves all data, settings,
    drivers, and applications from the existing operating system version.
    In-place upgrade requires the least IT effort, because there's no need
    for any complex deployment infrastructure.
• Dynamic deployment methods enable you to configure applications
  and settings for specific use cases without having to deploy a new
  custom organization image to the device.
  o Subscription activation uses a subscription to switch from one
    edition of Windows to another when a licensed user signs into a
    device. For example, you can switch from Windows 10 Pro to
    Windows 10 Enterprise.
  o Azure Active Directory (Azure AD) joined with automatic mobile device
    management (MDM) enrollment automatically joins the device to Azure
    AD, and the device is then configured by MDM. The organization member
    just needs to provide their work or school user ID and password.
  o Provisioning package configuration uses the Windows Imaging and
    Configuration Designer (ICD) tool. This tool is used to create
    provisioning packages that contain all the configuration, settings,
    and apps that can be applied to devices.
• Traditional deployment methods use existing tools to deploy
  operating system images.
  o New computer, also called bare metal, is when you deploy a
    new device or wipe an existing device and deploy with a fresh
    image.
  o Computer refresh, also called wipe-and-load, is when you
    redeploy a device by saving the user state, wiping the disk, then
    restoring the user state.
  o Computer replace is when you replace an existing device with
    a new one. You save the user state on the old device and then
    restore it to the new device.

Identify deployment methods and update channels for Microsoft 365 Apps

Deployment methods

Microsoft 365 Apps can be installed individually by users on their devices.
But it's often beneficial to manage updates and deploy a customized
selection of apps to users’ devices to ensure that all users have the apps
they need. The following list explains the different methods you can use to
deploy Microsoft 365 Apps:
• Deploy from a local source with Configuration Manager. Manage
  your deployment with Configuration Manager, and download and deploy
  Office from distribution points on your network.
• Deploy from the cloud with the Office Deployment Tool
  (ODT). Manage your deployment with the ODT and install Office on
  client devices directly from the Office Content Delivery Network (CDN).
  The deployment tool is run from the command line and uses a
  configuration file to determine what settings to apply when deploying
  Office. Microsoft recommends using the Office Customization Tool to
  create a configuration file.
• Deploy from a local source with the Office Deployment Tool
  (ODT). Manage your deployment with the ODT, and download and
  deploy Office from a local source on your network.
• Self-install from the cloud. Manage your deployment from the Office
  portal and have your users install Office on their client devices directly
  from the portal.

Deploy Microsoft 365 interactive guide

Office Customization Tool: we can use it to create the configuration files that
define which applications and languages are installed, how those applications
should be updated, and application preferences.

Update channel determines how frequently your client devices are updated
with new features.

The ODT is a command-line tool that you can use to download and deploy Office
365 ProPlus to your client computers. It gives you more control over an
Office installation: you can define which products and languages are
installed, how those products should be updated, and whether to display the
install experience to your users.

After downloading ContosoBaseInstall, in the command prompt:

    C:\Users\admin> CD C:\FolderName
    C:\FolderName> DIR
    C:\FolderName> setup.exe /download ContosoBaseInstall.xml
    C:\FolderName> DIR

    C:\Users\admin> DIR \\DC\FolderName
    C:\Users\admin> \\DC\FolderName\setup.exe /configure \\DC\FolderName\ContosoBaseInstall.xml
    C:\Users\admin>

Second Office deployment method: using System Center Configuration
Manager.
Navigate to Software Library in Configuration Manager.
Select Office 365 Client Management: + Office 365 Installer.

Third method for deploying Office: using Microsoft Intune.
Intune lets you assign and install Office 365 apps to your Windows 10 clients.
Navigate to Client apps: Apps: + Add.
Select Office 365 Suite: Windows 10.

After we’ve added an app to Intune, we can assign the app to users and
devices, including those devices not managed by Intune.

Update channels

One of the benefits of Microsoft 365 Apps is that Microsoft provides new
and updated features for Office apps regularly.

As needed, Microsoft also provides each update channel with two other types
of updates that are released every month:

• Security updates are updates that help keep Office protected from
  potential malicious attacks.
• Non-security updates (quality updates) are updates that provide
  stability or performance improvements for Office.

Here are the three primary update channels for Microsoft 365 Apps:

• Current Channel receives feature updates as soon as they're ready,
  but there's no set schedule. This channel also receives security and
  non-security updates around two or three times a month. Microsoft
  recommends this channel because it provides users with the newest
  Office features as soon as they’re ready.
• Monthly Enterprise Channel receives feature updates once a month,
  on the second Tuesday of the month. This monthly update can include
  feature, security, and non-security updates. Microsoft recommends this
  channel if you want to provide your users with new Office features once
  a month on a predictable release schedule.
• Semi-Annual Enterprise Channel receives feature updates every six
  months, in January and July on the second Tuesday of the month. This
  update can include feature, security, and non-security updates.
  Microsoft recommends this channel only for those select devices in your
  organization where extensive testing is needed before rolling out new
  Office features.
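The ODT command sequence shown earlier (setup.exe /download, then setup.exe /configure) and the three update channels listed here meet in the ODT configuration file. The following is an added example, not code from the page and not Microsoft's own tooling: it builds such a configuration file, reads its key settings back for review, and emits the matching commands. The element and attribute names (Configuration, Add, Product, Language, Updates, Display, OfficeClientEdition, Channel, SourcePath) follow the ODT configuration schema; the share path, the languages and the file names are constructed sample values, and the mapping from the channel names used above to the Channel attribute values is stated as an assumption in the code.

```python
"""Added example: build and review an Office Deployment Tool (ODT)
configuration file and emit the matching setup.exe commands. Not Microsoft's
own tooling. Element/attribute names follow the ODT configuration schema;
the share path, languages and file names are constructed sample values."""

import xml.etree.ElementTree as ET

# Channel names as used in the text -> the Channel attribute value the ODT expects
# (assumed mapping).
CHANNELS = {
    "Current Channel": "Current",
    "Monthly Enterprise Channel": "MonthlyEnterprise",
    "Semi-Annual Enterprise Channel": "SemiAnnual",
}


def build_odt_config(channel, languages=("en-us",), product_id="O365ProPlusRetail",
                     edition="64", source_path=None, silent=True):
    """Return the configuration XML as a string. Give source_path (a file
    share) to deploy from a local source; omit it to install from the Office CDN."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}; expected one of {sorted(CHANNELS)}")
    odt_channel = CHANNELS[channel]
    root = ET.Element("Configuration")
    add = ET.SubElement(root, "Add", OfficeClientEdition=edition, Channel=odt_channel)
    if source_path:
        add.set("SourcePath", source_path)
    product = ET.SubElement(add, "Product", ID=product_id)
    for lang in languages:
        ET.SubElement(product, "Language", ID=lang)
    # Keep the installed apps on the same channel so they keep receiving updates.
    ET.SubElement(root, "Updates", Enabled="TRUE", Channel=odt_channel)
    if silent:
        # No UI during install; the EULA must then be accepted in the config.
        ET.SubElement(root, "Display", Level="None", AcceptEULA="TRUE")
    return ET.tostring(root, encoding="unicode")


def config_summary(xml_text):
    """Read back the settings that matter when reviewing a config before deploying it."""
    root = ET.fromstring(xml_text)
    add = root.find("Add")
    updates = root.find("Updates")
    display = root.find("Display")
    return {
        "channel": add.get("Channel"),
        "edition": add.get("OfficeClientEdition"),
        "source_path": add.get("SourcePath"),
        "products": [p.get("ID") for p in add.findall("Product")],
        "languages": [lang.get("ID") for lang in add.findall("Product/Language")],
        "updates_enabled": updates is not None and updates.get("Enabled") == "TRUE",
        "silent": display is not None and display.get("Level") == "None",
    }


def odt_commands(config_file, from_local_source):
    """The two ODT phases: /download stages the installation files on the local
    source (only needed for local-source deployments), /configure installs."""
    commands = []
    if from_local_source:
        commands.append(f"setup.exe /download {config_file}")
    commands.append(f"setup.exe /configure {config_file}")
    return commands


if __name__ == "__main__":
    xml_text = build_odt_config("Monthly Enterprise Channel", languages=("en-us", "de-de"),
                                source_path=r"\\DC\FolderName")
    print(xml_text)
    print(config_summary(xml_text))
    for cmd in odt_commands("ContosoBaseInstall.xml", from_local_source=True):
        print(cmd)
```

The read-back step is deliberate: a deployment configuration is security-relevant (it decides which channel, and therefore how promptly security updates arrive, and whether updates are enabled at all), so reviewing the parsed values before handing the file to setup.exe is cheaper than discovering a mistake after a fleet-wide install.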

The update channel of Microsoft 365 Apps you deploy to the users in your
organization can depend on several factors, such as application compatibility
testing and user readiness. Not all users in your organization need to be on
the same update channel.

How updates are installed for Microsoft 365 Apps

Microsoft 365 Apps checks for updates regularly, and they're downloaded
and installed automatically. There aren’t separate downloads for feature,
security, or non-security updates. The updates are cumulative, so the most
current update includes all the updates that have been previously released
for that update channel. While updates are being downloaded, your users
can continue to use Office apps. After they're downloaded, all the available
updates for that update channel will install at the same time. If any Office
apps are open, your users will be prompted to save their work and close the
apps, so that the updates can finish installing.

Unit 8
Explore pricing models for Microsoft cloud services

Cloud Solution Provider

The Cloud Solution Provider (CSP) model is a Microsoft partner program
that provides the expertise and services you need through an expert CSP
partner.

Your Microsoft 365 subscription is provided through a CSP partner who can
manage your entire subscription, provide billing and technical support. The
CSP partner will have admin privileges that will allow them to access your
tenant. They'll have the ability to directly support, configure and manage
licenses and settings. The CSP partner can provide extra consultancy and
advice to ensure security and productivity targets are met. Furthermore,
other Microsoft cloud-based products and services can be added to your
subscription such as Microsoft Entra services and Dynamics 365.

The Cloud Solution Provider (CSP) program provides a pay-as-you-go
subscription model with per-user, per-month pricing that enables your
business to scale up or down from month to month as your needs change.

Enterprise Agreement

The Microsoft Enterprise Agreement (EA) is designed for organizations
that want to license software and cloud services for a minimum three-year
period. The Enterprise Agreement offers the best value to organizations with
500 or more users or devices. One of the benefits of the Enterprise
Agreement is that it's manageable, giving you the flexibility to buy cloud
services and software licenses under a single organization-wide agreement.
Additionally, through Software Assurance, your organization can receive
24x7 technical support, planning services, end-user and technical training.

Direct Billing

Buy and pay for your Microsoft 365 subscription with a credit or debit card,
or a bank account. The payment method you use to pay will continue to be
charged until the subscription expires or is canceled. Payment methods can
be managed through the Microsoft 365 admin center.

Trial

Sign up for a free trial subscription for Microsoft 365 Business Standard,
Microsoft 365 Business Premium, or Microsoft 365 Apps for business and try
it out for 30 days.

Explore the billing and bill management options

Billing account options

• Microsoft Online Services Program: This billing account is created
  when you sign up for a Microsoft 365 subscription directly.
• Microsoft Products & Services Agreement (MPSA) Program: This
  billing account is created when your organization signs an MPSA Volume
  Licensing agreement to purchase software and online services.
• Microsoft Customer Agreement: This billing account is created when
  your organization works with a Microsoft representative, an authorized
  partner, or purchases independently.

Consumption and fixed cost models

• Consumption-based price: You're charged for only what you use. This
  model is also known as Pay-As-You-Go.
• Fixed-price: You provision resources and are charged for those
  instances whether or not they're used.

Bill management

Microsoft 365 billing is managed from the Microsoft 365 admin
center. The admin center allows you to manage subscriptions, view billing
statements, update payment methods, change your billing frequency, and
more. The following list describes in further detail what can be reviewed and
modified in the Microsoft 365 admin center:

• Upgrade, renew, reactivate or cancel subscriptions.
• Buy, remove, and view the number of subscription licenses and
  how many of those licenses are assigned to individual users for each
  service.
• Assign and unassign licenses from users.
• View a bill, invoice, and past billing statements.
• Modify payment methods like updating, deleting, replacing, and
  adding other types of payment. Payment options can include credit
  card, debit card, or pay by invoice using a check or electronic funds
  transfer (EFT).
• Modify your billing frequency to monthly or annual billing.
• Buy and manage other services or features. For example,
  depending on your Microsoft 365 subscription, you can add on
  eDiscovery (Premium), Microsoft Defender XDR, Microsoft Teams Calling
  Plan, and more.
• Manage your billing notification emails and invoice
  attachments, such as the list of email accounts of who should receive
  automated billing notifications, and renewal reminders for the
  subscription.

Explore the available licensing and management options

Every organization and person has unique requirements, so Microsoft offers
various subscription plans and a range of licensing options to meet the needs
of people and organizations.

Subscription plans

The pricing associated with your account depends on the subscription and
the number of licensed users. Each service has a specified price that's
typically rated on a per-user, per-month basis.

Microsoft 365 for home

Microsoft 365 for home exists to bring the same great productivity
benefits into your personal and family life. Microsoft 365 Home comes in two
plans, Microsoft 365 Personal and Microsoft 365 Family. Personal is for
a single person with multiple devices and Family is for up to six people.

Microsoft 365 Education

Microsoft 365 Education is available for educational institutions to help
empower educators to unlock creativity and promote teamwork while
providing a safe experience in a single, affordable solution. Academic
licenses can be tailored to fit any institution’s needs, including productivity
and security solutions for faculty, staff, and students. Microsoft 365
Education has three subscription plans for faculty and students that include
different features: A1, A3, and A5.

Microsoft 365 Government

Microsoft 365 Government is available for government institutions to help
empower US public sector employees to work together in a secure way.
Microsoft 365 Government has two subscription plans that include different
features: G3 and G5. Your organization can also choose from two Office
365 subscription tiers: Office 365 Government G3 and Office 365
Government G5.

Microsoft 365 for business

Microsoft 365 for business is designed for small to medium-sized
organizations that have up to 300 employees. It offers the full set of Office
365 productivity tools and includes security and device management
features. There are four subscription tiers that include different
features: Microsoft 365 Business Basic, Microsoft 365 Business
Standard, Microsoft 365 Business Premium, and Microsoft 365 Apps
for business.

Microsoft 365 Enterprise

Microsoft 365 Enterprise is designed for enterprise-sized organizations. It
provides enterprise-class services to organizations that want a productivity
solution that includes robust threat protection, security, compliance, and
analytics features. Microsoft 365 Enterprise has three subscription tiers that
include different features: Microsoft 365 E3, Microsoft 365 E5,
and Microsoft 365 F3. Your organization can also choose from four Office
365 subscription tiers: Microsoft 365 Apps for enterprise, Office 365
E1, Office 365 E3, and Office 365 E5.

Licenses

A license, or base license allows users to use the features and services
included in the subscription plan. When you buy a subscription, you specify
the number of licenses you need, based on the number of people you have in
your organization. After you buy a subscription, you create accounts for
people in your organization, and then assign a license to each person. As
your organizational needs change, you can buy more licenses to
accommodate new people, or reassign licenses to other users when
someone leaves your organization.
Microsoft 365 products and services are available as user subscription
licenses (USLs) and are licensed on a per-user basis. Each user accessing
Microsoft 365 products and services is required to be assigned a USL.
Administrators manage licenses in the Microsoft 365 admin center. They
can assign the licenses to individual user or guest accounts. The following list
describes the options available:

• Full USLs are for new customers who haven't previously purchased
  Microsoft products and services.
• Add-on USLs are for on-premises software customers who want to add
  Microsoft 365 cloud products and services.
• From SA USLs are for on-premises Software Assurance customers that
  want to transition to the cloud.
• Step Up USLs are for customers who want to upgrade the level of their
  service.

Types of add-ons

Microsoft 365 business plans have add-ons that you can purchase for
your subscriptions. Add-ons provide more capabilities to enhance your
subscription. There are two types of add-ons:
• Traditional add-ons are linked to a specific subscription. If you cancel
  the subscription, the linked add-on is also canceled.
• Standalone add-ons appear as a separate subscription on the "Your
  products" page within the Microsoft 365 admin center. They have their
  own expiration date and are managed the same way you would any
  other subscription.

Explore support options for Microsoft 365 services

Your organization can get access to support in the following ways:

Support type Description


Community- Your organization can take advantage of community-based support through the Microsoft
based support 365 community or Microsoft Support Community. You can collaborate with others, ask
questions and solve problems and issues with members of Microsoft and the community.

Self-help: Your organization can receive help via the Microsoft 365 admin center by using
the "Help & support" button, or by navigating to Contact Microsoft Support. Ask a question
and view the results. If the recommended instructions or articles don't answer your
question, you can contact technical support.

Web chat, email, and phone support: Your organization can submit issues to Microsoft
support for technical, billing, and subscription support via email, online web chat, or
phone. To contact support, see Contact Us - Microsoft Support.

Q&A forums and online help: Find accurate answers to questions about Microsoft
technologies through Microsoft Q&A. You can also find information and answers to
questions through online help such as Microsoft 365 help & learning or Microsoft Learn.

Pre-sales support: Your organization is provided with assistance on subscription features,
benefits, and your purchasing decision for Microsoft 365 services.

FastTrack: FastTrack is a service provided by Microsoft that helps customers onboard
Microsoft Cloud solutions and drive user adoption. Customers with eligible subscriptions
to Microsoft 365, Azure, or Dynamics 365 can use FastTrack at no extra cost for the life
of their subscription.

Microsoft Unified support: Microsoft Unified support is a service that provides
comprehensive support across your entire organization through 24/7 as-needed technical
support, an assigned Customer Success Account Manager, advisory support, cloud
assistance, technical training, and more.

Support through a Microsoft Partner: Your organization can get support directly through a
certified Microsoft 365 partner. For example, if your organization purchased its
Microsoft 365 subscription through a cloud services provider (CSP), it receives direct
support from the CSP. The CSP acts as the first line of support for all issues and
escalates issues to Microsoft if it's unable to resolve them.

Other support options: Your organization can install the Microsoft Support and Recovery
Assistant to help identify problems by running tests and offer the best solution for those
problems. It can currently fix Office, Microsoft 365, or Outlook problems. Business Assist
for Microsoft 365 is available for small businesses to give you and your employees
around-the-clock support and access to small business specialists as you grow your
business, from onboarding to everyday use.

Administrators and users in your organization might find it difficult to resolve
issues on their own. It’s helpful to know they can receive assistance for
Microsoft 365 services whenever they need it through various support
options.

The support option chosen to deal with a particular issue depends on:

 The tool or service where the issue has arisen.
 The type of subscription your organization uses.
 The kind of support your organization needs.

Create a support request

If you need help with Microsoft 365, create a support request through the Microsoft
365 admin center. You can also view existing support requests. The following steps
describe how to create a support request as an administrator:

1. Sign into the Microsoft 365 admin center with your Microsoft 365 admin
account.
2. In the left navigation menu, select Show all to expand more options.
3. Select Support to expand the support options.
4. Select Help & support.
5. On the right, a support window will open where you can enter your support
problem and view the results.
6. If the recommended instructions or articles don’t answer your questions, select
the headset icon at the top of the support window, or select the
blue Contact support button at the bottom to contact technical support.
7. Fill in the required information like Title, Description, Preferred contact
method, etc.
8. Select Contact me and a support agent will contact you.

In the Microsoft 365 admin center, you can discover support options, manage
licenses, monitor the health of your services, and more.

 Customer Lockbox Requests are requests that require a Microsoft support
engineer to access your environment to assist in resolving an issue.

Support issues can vary in nature and complexity, which is why there are several
options to choose from – ranging from self-help tools to being contacted directly by
a support agent.

Explain service level agreement (SLAs) concepts

It’s vital that organizations know that the products and services they’re using
are reliable and secure. Microsoft 365 services guarantee a level of service for
your organization. The level of service is detailed in a legal agreement referred
to as a Service Level Agreement (SLA). The SLA describes Microsoft's
commitments for uptime and connectivity for Microsoft Online Services.

In addition to the Microsoft Online Service Level Agreement, your
organization can also take advantage of the Service Level Agreement with
your Cloud Service Provider. The guarantees of service provided for Microsoft
365 services will vary between Cloud Service Providers.

Microsoft’s Online Service Level Agreement introduces several concepts:

Service level: The performance metric(s) set forth in the SLA that Microsoft agrees to
meet in the delivery of the Services.

Incident: A set of events or a single event that results in downtime.

Uptime: The total time your services are functional.

Downtime: The total time your services aren't functional. What is considered downtime
depends on the relevant service and is defined in the SLA. For example, for Microsoft
Teams, any period of time when end users are unable to see presence status, conduct
instant messaging conversations, or initiate online meetings is considered downtime.

Scheduled downtime: Periods of downtime related to network, hardware, or service
maintenance or upgrades.

Claim: A claim raises information about an incident. Your organization is responsible
for submitting a claim on an incident. The organization should provide the details about
the experienced downtime, the affected users, and how it attempted to resolve the
incident. Microsoft is responsible for processing the claim.

Applicable monthly service fees: The total fees paid by you for a Service that are
applied to the month in which a service credit is owed.

Service credit: The percentage of the applicable monthly service fees credited to you
following Microsoft’s claim approval. Service credits are requested by your
organization’s admin through a claim. If the claim is approved by Microsoft, your
organization receives service credits. Service credits apply only to fees paid for the
particular service, service resource, or service tier for which a service level hasn't
been met.

Uptime agreement: The uptime agreement is defined by the monthly uptime percentage.
This percentage is for a given active tenant in a calendar month, and the calculation
varies depending on the product or service. For example, the calculation could be as
follows: ((User Minutes - Downtime) / User Minutes) x 100.

Microsoft is confident in its commitment to service levels. The percentage of
service credit your organization can receive is linked to your monthly uptime
percentage.

Monthly uptime percentage    Service credit
< 99.9%                      25%
< 99%                        50%
< 95%                        100%
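The uptime formula and the credit tiers above can be worked through end to end. The following is an added example written for this page, not Microsoft's own code or the text of any SLA: it computes "User Minutes", subtracts downtime, applies the formula, and maps the result to the credit tier from the table. The sample tenant figures and incidents are constructed, and the choice to leave scheduled maintenance windows out of the downtime figure is an assumption made here for illustration; what actually counts as downtime is defined per service in the SLA.

```python
"""Worked SLA uptime and service-credit calculation (added illustration).

Not Microsoft's code or SLA text. Credit tiers come from the table above;
excluding scheduled downtime from the downtime figure is an assumption
made for this example, since each service's SLA defines its own downtime.
"""
from dataclasses import dataclass, field


@dataclass
class Incident:
    affected_users: int
    duration_minutes: int
    scheduled: bool = False   # maintenance window rather than an outage


@dataclass
class MonthlyUsage:
    """Tenant activity for one calendar month."""
    active_users: int
    minutes_in_month: int     # e.g. 30 * 24 * 60 for a 30-day month
    incidents: list = field(default_factory=list)

    @property
    def user_minutes(self) -> int:
        # "User Minutes" in the formula: every active user for every minute.
        return self.active_users * self.minutes_in_month

    @property
    def downtime(self) -> int:
        # Downtime in user-minutes; scheduled windows excluded (assumption).
        return sum(i.affected_users * i.duration_minutes
                   for i in self.incidents if not i.scheduled)


def monthly_uptime_percentage(usage: MonthlyUsage) -> float:
    """((User Minutes - Downtime) / User Minutes) x 100, rounded to 2 places."""
    if usage.user_minutes <= 0:
        raise ValueError("no user minutes recorded for the month")
    return round((usage.user_minutes - usage.downtime)
                 / usage.user_minutes * 100, 2)


# Tiers from the table above: (exclusive upper bound, credit percent).
# Checked lowest first so the worst band wins; exactly 99.9% earns nothing.
CREDIT_TIERS = ((95.0, 100), (99.0, 50), (99.9, 25))


def service_credit_percent(uptime_pct: float) -> int:
    """Map a monthly uptime percentage to the service credit percentage owed."""
    for bound, credit in CREDIT_TIERS:
        if uptime_pct < bound:
            return credit
    return 0


def service_credit_amount(usage: MonthlyUsage, applicable_monthly_fees: float) -> float:
    """Credit in currency units: tier percentage of the applicable monthly fees."""
    pct = service_credit_percent(monthly_uptime_percentage(usage))
    return round(applicable_monthly_fees * pct / 100, 2)


# Constructed sample: 1,000 active users in a 30-day month with two outages
# and one scheduled maintenance window (the latter does not count).
SAMPLE = MonthlyUsage(
    active_users=1000,
    minutes_in_month=30 * 24 * 60,
    incidents=[
        Incident(affected_users=1000, duration_minutes=60),
        Incident(affected_users=200, duration_minutes=120),
        Incident(affected_users=1000, duration_minutes=240, scheduled=True),
    ],
)

if __name__ == "__main__":
    up = monthly_uptime_percentage(SAMPLE)
    print(f"user minutes: {SAMPLE.user_minutes}, downtime: {SAMPLE.downtime}")
    print(f"monthly uptime: {up}% -> credit {service_credit_percent(up)}%")
    print(f"credit on 10,000 in fees: {service_credit_amount(SAMPLE, 10_000)}")
```

For the constructed month this gives 43,200,000 user minutes, 84,000 user-minutes of downtime and a monthly uptime of 99.81%, which falls in the "< 99.9%" band and so earns a 25% credit. Note the boundaries are strict: a month at exactly 99.9% earns no credit, which is the kind of detail worth confirming when reviewing an SLA.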

Your organization should always review all Service Level Agreements and ask
questions, including the following list:

 If you're using a Cloud Service Provider, how do they determine service
levels and whether they're achieved or not?
 Who is responsible for reports? How can your organization access
reports?
 Are there any exceptions in the agreement?
 What does the agreement say about both unexpected and scheduled
maintenance?
 What does the agreement say about what happens if your infrastructure
goes down because of an attack? What about natural disasters and
other situations outside of your control?
 Does the agreement cover non-Microsoft service or system failures?
 What are the limits to the Cloud Service Provider’s liability in the
agreement?

Identify how to track the service health status

It's crucial for an organization to know the health status of the Microsoft 365
services they're using. Your organization’s administrators can use
the Microsoft 365 admin center to view the current health status for
each of your Microsoft 365 services and tenant. They can also view the
history of services that have been affected in the last 30 days, and
information about current outages or disruptions to services. Viewing the
health status tells you whether you're dealing with a known issue that
already has a solution in progress, so you don't spend time troubleshooting
it, or whether you should contact support.

How to check service health in the Microsoft 365 admin center

1. Sign into the Microsoft 365 admin center with your admin account.
2. On the left navigation menu, select Show all to expand more options.
3. Select Health to expand health options.
4. Select Dashboard to view the current health status of your apps and
services and recommended actions to keep your services updated and
secure.
5. On the left navigation menu, select Service health to view active
issues, the current health status of your Microsoft services, issue history
and reported issues.
6. Under Service health, select Reported issues then Report an issue in
the toolbar if your organization is experiencing a service issue.
7. On the navigation menu, select Message center to view upcoming
changes, new and changed features, planned maintenance, or other
important announcements.
8. On the navigation menu, under Admin centers, select All admin
centers to expand more options. Select Microsoft Entra to view the
health status of your Microsoft Entra ID Domain Services managed
domain. You can also navigate directly to the Microsoft Entra admin
center and sign in with your admin account.

Other ways to check the status of services

 Sign up for email notifications of new incidents that affect your tenant
and status changes for an active incident. You can also subscribe to
email notifications for individual events instead of every event for a
service.
 Use the Microsoft 365 Admin app on your mobile device to view Service
health and stay up-to-date with push notifications.
 Use the Microsoft 365 Service health status (office365.com) page to
check for known issues.
 Sign up to follow Microsoft 365 at @MSFT365status on Twitter to see
information on certain events or issues.

Explore how organizations can share feedback on Microsoft
365 services

Microsoft always strives to better serve its customers and partners. You can
directly influence change at Microsoft by providing feedback. Your
organization’s administrators and users often have great insight into how
specific elements of products and services can be improved based on their
daily experiences. Microsoft values your feedback and encourages idea
sharing to improve products and services for everybody. You can make the
greatest impact on the products and features you'd like to see or improve by
providing clear feedback.

Microsoft has a few ways for you to submit feedback on Microsoft 365
products and services. For example, if you're using Feedback, the
community feedback web portal, you can submit new feedback directly
within the web portal. Community feedback is publicly displayed within
different forums. You can participate in existing feedback by voting or
commenting on existing topics. Review feedback you've submitted, its
impact, and status, by viewing official responses from the Microsoft product
teams.

The following list describes the ways you can provide feedback to Microsoft:

 Send feedback from within an application, for example, in Microsoft
Word under Help select Feedback to provide your input.
 Send feedback directly within the community feedback web
portal, Feedback.
 Send feedback from the Windows Feedback Hub, located directly on
your Windows device.

Unit 9
Introduction to Microsoft Azure Fundamentals

Microsoft Azure is a cloud computing platform with an ever-expanding set of
services to help you build solutions to meet your business goals. Azure
services support everything from simple to complex. Azure has simple web
services for hosting your business presence in the cloud. Azure also supports
running fully virtualized computers managing your custom software
solutions. Azure provides a wealth of cloud-based services like remote
storage, database hosting, and centralized account management. Azure also
offers new capabilities like artificial intelligence (AI) and Internet of Things
(IoT) focused services.

What is Azure Fundamentals?

Azure Fundamentals is a series of three learning paths that familiarize you
with Azure and its many services and features.

Whether you're interested in compute, networking, or storage services;
learning about cloud security best practices; or exploring governance and
management options, think of Azure Fundamentals as your curated guide to
Azure.

Azure Fundamentals includes interactive exercises that give you hands-on
experience with Azure. Many exercises provide a temporary Azure portal
environment called the sandbox, which allows you to practice creating cloud
resources for free at your own pace.

Introduction to cloud computing

Cloud computing is the delivery of computing services over the internet.
Computing services include common IT infrastructure such as virtual
machines, storage, databases, and networking. Cloud services also expand
the traditional IT offerings to include things like Internet of Things (IoT),
machine learning (ML), and artificial intelligence (AI).

Because cloud computing uses the internet to deliver these services, it
doesn’t have to be constrained by physical infrastructure the same way that
a traditional datacenter is. That means if you need to increase your IT
infrastructure rapidly, you don’t have to wait to build a new datacenter—you
can use the cloud to rapidly expand your IT footprint.

Cloud computing lets you choose the power and features that you need to run your
software. The difference is, with cloud computing, the PC is in a cloud provider’s
data center instead of physically with you. This lets you pay for only the services
you use, plus someone else gets to manage the upkeep of the computer.

Each cloud provider will have their own selection of services to choose from, but the
basic services provided by all cloud providers are compute power and storage.
Compute power is how much processing your computer can do. Storage is the volume
of data you can store on your computer.

Describe the shared responsibility model

Start with a traditional corporate datacenter. The company is responsible for
maintaining the physical space, ensuring security, and maintaining or
replacing the servers if anything happens. The IT department is responsible
for maintaining all the infrastructure and software needed to keep the
datacenter up and running. They’re also likely to be responsible for keeping
all systems patched and on the correct version.

With the shared responsibility model, these responsibilities get shared
between the cloud provider and the consumer. Physical security, power,
cooling, and network connectivity are the responsibility of the cloud provider.
The consumer isn’t collocated with the datacenter, so it wouldn’t make sense
for the consumer to have any of those responsibilities.

At the same time, the consumer is responsible for the data and information
stored in the cloud. The consumer is also responsible for access security,
meaning you only give access to those who need it.

Then, for some things, the responsibility depends on the situation. If you’re
using a cloud SQL database, the cloud provider would be responsible for
maintaining the actual database. However, you’re still responsible for the
data that gets ingested into the database. If you deployed a virtual machine
and installed an SQL database on it, you’d be responsible for database
patches and updates, as well as maintaining the data and information stored
in the database.

With an on-premises datacenter, you’re responsible for everything. With
cloud computing, those responsibilities shift. The shared responsibility
model is heavily tied into the cloud service types (covered later in this
learning path): infrastructure as a service (IaaS), platform as a service
(PaaS), and software as a service (SaaS). IaaS places the most
responsibility on the consumer, with the cloud provider being responsible
for the basics of physical security, power, and connectivity. On the other
end of the spectrum, SaaS places most of the responsibility with the cloud
provider. PaaS, being a middle ground between IaaS and SaaS, rests
somewhere in the middle and evenly distributes responsibility between
the cloud provider and the consumer.

The following diagram highlights how the Shared Responsibility Model
informs who is responsible for what, depending on the cloud service type.

When using a cloud provider, you’ll always be responsible for:

 The information and data stored in the cloud
 Devices that are allowed to connect to your cloud (cell phones,
computers, and so on)
 The accounts and identities of the people, services, and devices within
your organization

The cloud provider is always responsible for:

 The physical datacenter
 The physical network
 The physical hosts

Your service model will determine responsibility for things like:

 Operating systems
 Network controls
 Applications
 Identity and infrastructure

Define cloud models

What are cloud models? The cloud models define the deployment type of
cloud resources. The three main cloud models are: private, public, and
hybrid.

Private cloud

Let’s start with a private cloud. A private cloud is, in some ways, the natural
evolution from a corporate datacenter. It’s a cloud (delivering IT services
over the internet) that’s used by a single entity. Private cloud provides much
greater control for the company and its IT department. However, it also
comes with greater cost and fewer of the benefits of a public cloud
deployment. Finally, a private cloud may be hosted from your on-site
datacenter. It may also be hosted in a dedicated datacenter offsite,
potentially even by a third party that has dedicated that datacenter to your
company.

Public cloud

A public cloud is built, controlled, and maintained by a third-party cloud
provider. With a public cloud, anyone that wants to purchase cloud services
can access and use resources. The general public availability is a key
difference between public and private clouds.

Hybrid cloud

A hybrid cloud is a computing environment that uses both public and private
clouds in an inter-connected environment. A hybrid cloud environment can
be used to allow a private cloud to surge for increased, temporary demand
by deploying public cloud resources. Hybrid cloud can be used to provide an
extra layer of security. For example, users can flexibly choose which services
to keep in public cloud and which to deploy to their private cloud
infrastructure.
The following table highlights a few key comparative aspects between the
cloud models.

Public cloud
 No capital expenditures to scale up
 Applications can be quickly provisioned and deprovisioned
 Organizations pay only for what they use
 Organizations don’t have complete control over resources and security

Private cloud
 Organizations have complete control over resources and security
 Data is not collocated with other organizations’ data
 Hardware must be purchased for startup and maintenance
 Organizations are responsible for hardware maintenance and updates

Hybrid cloud
 Provides the most flexibility
 Organizations determine where to run their applications
 Organizations control security, compliance, or legal requirements

Multi-cloud

A fourth, and increasingly likely scenario is a multi-cloud scenario. In a multi-
cloud scenario, you use multiple public cloud providers. Maybe you use
different features from different cloud providers. Or maybe you started your
cloud journey with one provider and are in the process of migrating to a
different provider. Regardless, in a multi-cloud environment you deal with
two (or more) public cloud providers and manage resources and security in
both environments.

Azure Arc

Azure Arc is a set of technologies that helps manage your cloud
environment. Azure Arc can help manage your cloud environment, whether
it's a public cloud solely on Azure, a private cloud in your datacenter, a
hybrid configuration, or even a multi-cloud environment running on multiple
cloud providers at once.

Azure VMware Solution

What if you’re already established with VMware in a private cloud
environment but want to migrate to a public or hybrid cloud? Azure VMware
Solution lets you run your VMware workloads in Azure with seamless
integration and scalability.

Describe the consumption-based model

When comparing IT infrastructure models, there are two types of expenses
to consider: capital expenditure (CapEx) and operational expenditure
(OpEx).

CapEx is typically a one-time, up-front expenditure to purchase or secure
tangible resources. A new building, repaving the parking lot, building a
datacenter, or buying a company vehicle are examples of CapEx.

In contrast, OpEx is spending money on services or products over time.
Renting a convention center, leasing a company vehicle, or signing up for
cloud services are all examples of OpEx.

Cloud computing falls under OpEx because cloud computing operates on a
consumption-based model. With cloud computing, you don’t pay for the
physical infrastructure, the electricity, the security, or anything else
associated with maintaining a datacenter. Instead, you pay for the IT
resources you use. If you don’t use any IT resources this month, you don’t
pay for any IT resources.

This consumption-based model has many benefits, including:

 No upfront costs.
 No need to purchase and manage costly infrastructure that users might
not use to its fullest potential.
 The ability to pay for more resources when they're needed.
 The ability to stop paying for resources that are no longer needed.

In a cloud-based model, you don’t have to worry about getting the resource
needs just right. If you find that you need more virtual machines, you add
more. If the demand drops and you don’t need as many virtual machines,
you remove machines as needed. Either way, you’re only paying for the
virtual machines that you use, not the “extra capacity” that the cloud
provider has on hand.

Compare cloud pricing models

Cloud computing is the delivery of computing services over the internet by
using a pay-as-you-go pricing model. You typically pay only for the cloud
services you use, which helps you:

 Plan and manage your operating costs.
 Run your infrastructure more efficiently.
 Scale as your business needs change.

To put it another way, cloud computing is a way to rent compute power and
storage from someone else’s datacenter. You can treat cloud resources like
you would resources in your own datacenter. However, unlike in your own
datacenter, when you're done using cloud resources, you give them back.
You’re billed only for what you use.

Instead of maintaining CPUs and storage in your datacenter, you rent them
for the time that you need them. The cloud provider takes care of
maintaining the underlying infrastructure for you. The cloud enables you to
quickly solve your toughest business challenges and bring cutting-edge
solutions to your users.

Describe the benefits of high availability and scalability in
the cloud

When building or deploying a cloud application, two of the biggest
considerations are uptime (or availability) and the ability to handle demand
(or scale).

High availability

When you’re deploying an application, a service, or any IT resources, it’s
important the resources are available when needed. High availability focuses
on ensuring maximum availability, regardless of disruptions or events that
may occur.

When you’re architecting your solution, you’ll need to account for service
availability guarantees. Azure is a highly available cloud environment with
uptime guarantees depending on the service. These guarantees are part of
the service-level agreements (SLAs).

Scalability

Another major benefit of cloud computing is the scalability of cloud
resources. Scalability refers to the ability to adjust resources to meet
demand. If you suddenly experience peak traffic and your systems are
overwhelmed, the ability to scale means you can add more resources to
better handle the increased demand.

The other benefit of scalability is that you aren't overpaying for services.
Because the cloud is a consumption-based model, you only pay for what you
use. If demand drops off, you can reduce your resources and thereby reduce
your costs.

Scaling generally comes in two varieties: vertical and horizontal. Vertical
scaling is focused on increasing or decreasing the capabilities of resources.
Horizontal scaling is adding or subtracting the number of resources.

Vertical scaling

With vertical scaling, if you were developing an app and you needed more
processing power, you could vertically scale up to add more CPUs or RAM to
the virtual machine. Conversely, if you realized you had over-specified the
needs, you could vertically scale down by lowering the CPU or RAM
specifications.

Horizontal scaling

With horizontal scaling, if you suddenly experienced a steep jump in
demand, your deployed resources could be scaled out (either automatically
or manually). For example, you could add additional virtual machines or
containers, scaling out. In the same manner, if there was a significant drop in
demand, deployed resources could be scaled in (either automatically or
manually), scaling in.

Describe the benefits of reliability and predictability in the
cloud

Reliability and predictability are two crucial cloud benefits that help you
develop solutions with confidence.

Reliability

Reliability is the ability of a system to recover from failures and continue to
function. It's also one of the pillars of the Microsoft Azure Well-Architected
Framework.

Predictability

Predictability in the cloud lets you move forward with confidence.
Predictability can be focused on performance predictability or cost
predictability. Both performance and cost predictability are heavily
influenced by the Microsoft Azure Well-Architected Framework. Deploy a
solution built around this framework and you have a solution whose cost and
performance are predictable.

Performance

Performance predictability focuses on predicting the resources needed to
deliver a positive experience for your customers. Autoscaling, load
balancing, and high availability are just some of the cloud concepts that
support performance predictability. If you suddenly need more resources,
autoscaling can deploy additional resources to meet the demand, and then
scale back when the demand drops. Or if the traffic is heavily focused on one
area, load balancing will help redirect some of the overload to less stressed
areas.

Cost

Cost predictability is focused on predicting or forecasting the cost of the
cloud spend. With the cloud, you can track your resource use in real time,
monitor resources to ensure that you’re using them in the most efficient
way, and apply data analytics to find patterns and trends that help better
plan resource deployments. By operating in the cloud and using cloud
analytics and information, you can predict future costs and adjust your
resources as needed. You can even use tools like the Total Cost of Ownership
(TCO) or Pricing Calculator to get an estimate of potential cloud spend.

Describe the benefits of manageability in the cloud

A major benefit of cloud computing is the manageability options. There are
two types of manageability for cloud computing that you’ll learn about in this
series, and both are excellent benefits.

Management of the cloud

Management of the cloud speaks to managing your cloud resources. In the
cloud, you can:

 Automatically scale resource deployment based on need.
 Deploy resources based on a preconfigured template, removing the
need for manual configuration.
 Monitor the health of resources and automatically replace failing
resources.
 Receive automatic alerts based on configured metrics, so you’re aware
of performance in real time.

Management in the cloud

Management in the cloud speaks to how you’re able to manage your cloud
environment and resources. You can manage these:

 Through a web portal.
 Using a command line interface.
 Using APIs.
 Using PowerShell.

Unit 10
Describe analytics capabilities of Microsoft 365

As organizations are adapting to hybrid work environments, they're focused
on encouraging their employees to build better work habits. They want their
employees and teams to achieve a balance between productivity and
wellbeing while fostering a positive team culture. Organizations need
insights into how their employees are balancing their time and using the
apps and services in their daily work. The analytics capabilities of Microsoft
365 unlock the data your organization needs to empower their employees to
reflect on their work habits and find ways to balance productivity and
wellbeing. It also gives leaders guidance on strategic decision-making based
on people and technology experience patterns and trends.

Describe the capabilities of Viva Insights

Microsoft Viva Insights is part of Microsoft Viva. Viva Insights provides
privacy-protected insights and actionable recommendations that help
everyone in the organization work smarter and achieve balance. Employees
can get personal insights that only they can see to help identify
opportunities to help build better work
habits. Team and organization insights can empower managers and
business leaders to identify opportunities to improve effectiveness and bring
balance to productivity and wellbeing. Through advanced insights,
understand the impact of hybrid work on your people and your business and
address the challenges important to your organization.

Personal Insights

Employees can gain valuable insights to improve work patterns through
actionable recommendations created just for them.

Viva Insights in Microsoft Teams and on the web

 The Home tab helps you discover insights and actions to improve
wellbeing, productivity, and teamwork.

o The Recommended for you section provides personalized
suggestions for praise, meeting norms, focus time, email
management, quiet time, virtual commuting, meditation, and
reflection.
o The Your progress section tracks metrics related to meetings,
quiet time, focus time booking, and more.
o The Inspiration library provides curated wellbeing and
productivity content from experts.

 The Wellbeing tab helps you understand and improve your work
habits, manage time, and promote work-life balance.
o The Take action section provides wellbeing recommendations
like focus time planning, scheduling emails/messages, setting
quiet time, taking breaks, disconnecting after work, and more.
o The Track your progress section monitors metrics like focus
time stats and booked focus time to show how the wellbeing
actions are going.
o The Act with intention section offers content for focus,
meditation, and wellbeing articles to help you be intentional.
o The Reflect on your emotions section allows you to check in
on your feelings and reflection trends.

 The Productivity tab provides insights and tools related to
meetings, time management, and tasks to help you improve
meeting effectiveness, productivity, and collaboration.

o The Meeting habits section shows insights into your habits or
practices in the meetings you organize and accept.
o The Meeting category insights section shows how you’re
allocating time across your Outlook meeting categories.
o The Meeting effectiveness surveys section provides
aggregated feedback from attendees on the meetings you
organized to help you understand what's going well and what
you could improve in future meetings.
o The Shared meeting plans section helps you promote healthy
meeting habits with colleagues by automating settings like
meeting duration, Teams link and feedback.
o The Suggested tasks section helps you stay productive and
connected with collaborators by identifying important contacts,
tracking commitments, catching up on shared docs,
getting @mentions, and RSVPing to meetings.

 The Teamwork tab helps you build and strengthen connections
within your team by giving you a better understanding of who your
top collaborators are and how much time you spend collaborating
with them.

If you're a leader or manager, you'll see an additional section at the top of
your Teamwork tab which is discussed in the Teams and Organizational
insights sections.

Viva Insights through email

 Viva Insights in Outlook add-in. The Viva Insights add-in shows you
insights within Microsoft Outlook on how to prepare for upcoming
meetings, gain focus time, maintain work relationships, and plan time
away from work.
 Briefing emails in Outlook. The daily briefing email from Viva
automatically appears in your inbox near the start of the day. It provides
recommendations of documents for you to review prior to the day’s
meetings, outstanding commitments, requests, follow-ups and
suggested focus time.
 Digests in Outlook. Gives you key highlights about your work patterns
in a digest email in your Outlook inbox.
 Inline suggestions in Outlook. These brief, data- and AI-driven
notifications appear in Outlook while you are either reading or
composing an email or a meeting invitation.

Team Insights

Viva Insights provides managers with team insights within the Viva Insights
app in Teams and on the web. Team insights can help managers foster
productivity and wellbeing for teams large or small. Gain insights into your
habits as a manager as well as team meeting habits and how they impact your
team, while getting suggestions on how to improve team collaboration habits.
Shared plans within Viva Insights give managers a way to set positive team
norms for meetings, focus, and wellbeing. These insights empower you as a
manager to lead by example and to create a positive team culture.

Organization Insights

Viva Insights provides business leaders and managers with organization
insights within the Viva Insights app in Teams and on the web. Organization
insights help managers and leaders understand how their organizations are
succeeding at work and current team or company-wide norms. Leaders and
managers can see key indicators of their organization’s wellbeing,
productivity, and team culture. These insights allow them to understand how
their organizations are performing, help identify opportunities to make
changes that can improve business outcomes and find features and tools to
help support their teams. Organization insights empower leaders and
managers to create positive change within their team and organization.

Advanced Insights

Like organization insights, advanced insights can provide business leaders
with a greater understanding of how work shapes their people and their
business. These insights can help leaders address critical questions about
organizational resiliency and work culture. Leaders can see opportunities
where a change in process could improve business outcomes and take steps
to protect employee wellbeing.

Describe the capabilities of the Microsoft 365 admin center and Microsoft 365 user portal

Microsoft 365 admin center

The Microsoft 365 admin center is where you can manage your Microsoft
365 subscription (you must have the right admin permissions to access). To
access the admin center, go to admin.microsoft.com and sign in with your
account information.

The Microsoft 365 admin center has two views: simplified view and
dashboard view. You can switch between the two views. Simplified view
helps smaller organizations manage their most common tasks such as
managing users, subscriptions, and Teams. The dashboard view includes
more complex settings and tasks. You can also customize your dashboard by
adding tile cards for tasks that you perform frequently.

The following list describes some of the common tasks that you can do in the
admin center:

 Manage users by adding, deleting, restoring users or resetting a user's
password.
 Manage licenses by adding and removing licenses.
 Manage a Microsoft 365 group by creating a group, deleting a group,
and editing the name or description.
 Manage billing like viewing, purchasing or canceling subscriptions.
 View or create service requests.
 Manage global settings for apps.
 View activity reports to see how your organization is using Microsoft
365.
 View the health of your Microsoft services.

Microsoft 365 user portal

The Microsoft 365 user portal gives you access to your email, calendar,
and documents through Microsoft 365 apps like Office, Teams, Outlook, and
more, on the web. You can access your data from anywhere with a device
and internet access.

Describe the reports available in the Microsoft 365 admin center and other admin centers

Reports in the Microsoft 365 admin center

Get insights on how employees are using Microsoft 365 apps and services
through the available reports in the Microsoft 365 admin center. Reports
are available for the last 7 days, 30 days, 90 days, and 180 days. You need
to have the right admin permissions to be able to view these reports.

The following list describes the two types of reports available in the admin
center:

 Adoption score. Adoption score provides insights into your
organization's digital transformation journey through its use of Microsoft
365 and the technology experiences that support it. Your organization's
score reflects people and technology experience measurements and can
be compared to benchmarks from organizations similar to yours.
Adoption score provides metrics, insights and recommendations in two
areas: people experiences and technology experiences.

o People experiences. Quantifies how the organization works using
Microsoft 365 categories like content collaboration, mobility,
communication, meetings and teamwork.
o Technology experiences. Quantifies how reliable and well-
performing the technology is and the efficient use of Microsoft 365.
These insights can be viewed through Endpoint analytics and network
connectivity.

 Usage. Usage reports help you see how users are using Microsoft 365
apps and services across your organization. These reports can help you
make changes or steer user behavior to maximize the benefits you get
with Microsoft 365. You can drill down into each product report to get
more detailed insights about the activities within each product. For
example, you can understand the activity of each user licensed to use
Microsoft 365 Apps by looking at their activity across the apps and how
they're utilized across platforms.
You can use Microsoft 365 usage analytics within Power BI to get more
insights on how your organization is adopting the various apps and services
within Microsoft 365. You can visualize and analyze Microsoft 365 usage
data, create custom reports and share the insights within your organization.
You can also gain insights into how specific regions or departments are using
Microsoft 365.

Reports in other admin centers

The Microsoft 365 admin center also gives you access to other admin
centers for specific products and services, such as Exchange, Teams, and
more. To access the other admin centers, go to admin.microsoft.com and
sign in with your account information (you must have the right admin
permissions to access). Once you're logged in, select Show all in the left
navigation menu to find the other admin centers.

Each specialist admin center gives you more options for that specific area
including reports. The following list describes some of the other admin
centers and some of the reports available:

 Security - Microsoft 365 Defender. View information about security
trends and track the protection status of your identities, data, devices,
apps, and infrastructure.
 Compliance - Microsoft Purview. View status and trends for the
compliance of your Microsoft 365 devices, data, identities, apps, and
infrastructure.
 Endpoint Manager. View reports through Microsoft Intune on endpoint
compliance, health, and trends in your organization.
 Microsoft Entra ID (formerly known as Azure Active Directory or
Azure AD). View activity reports, which include registration and usage.
These reports help you understand the behavior of users in your
organization like registrations and sign-ins.
 Exchange. View reports of email flow within your organization and
mailbox migration batches created for your organization.
 SharePoint. View reports on the security and compliance of your data
in SharePoint. These reports include sharing links to identify potential
oversharing and sensitivity labels applied to files to monitor sensitive
content.
 Teams. View usage reports to gain insights and information on Teams
usage. Your organization can use these reports to better understand
usage patterns like how users are using Teams, and what devices they
use to connect to Teams.

MS-900 Microsoft 365 Fundamentals: Describe Microsoft 365
security and compliance capabilities

When it comes to security, your organization can no longer rely on its
network boundary. To allow employees, partners, and customers to
collaborate securely, organizations need to shift to an approach whereby
identity becomes the new security perimeter. Using an identity provider
helps organizations manage that shift and all the aspects of identity security.

Describe Microsoft Entra ID

Microsoft Entra ID, formerly Azure Active Directory, is Microsoft’s cloud-
based identity and access management service. Organizations use Microsoft
Entra ID to enable their employees, guests, and others to sign in and access
the resources they need, including:

 Internal resources, such as apps on your corporate network and
intranet, and cloud apps developed by your own organization.
 External services, such as Microsoft Office 365, the Azure portal, and
any SaaS applications used by your organization.

Microsoft Entra ID simplifies the way organizations manage authorization and
access by providing a single identity system for their cloud and on-premises
applications. Microsoft Entra ID can be synchronized with your existing on-
premises Active Directory, synchronized with other directory services, or
used as a standalone service.

Microsoft Entra ID also allows organizations to securely enable the use of
personal devices, such as mobiles and tablets, and enable collaboration with
business partners and customers.

Identity Secure Score

Microsoft Entra ID includes an identity secure score, which is a percentage
that functions as an indicator for how aligned you are with Microsoft's best
practice recommendations for security. Each improvement action in identity
secure score is tailored to your specific configuration.

Identity secure score, which is available in all editions of Microsoft Entra ID,
helps you to objectively measure your identity security posture, plan identity
security improvements, and review the success of your improvements.

Basic terminology

When talking about Microsoft Entra ID, there's some basic terminology that is
important to understand.

 Tenant - A Microsoft Entra tenant is an instance of Microsoft Entra ID in
which information about a single organization resides including
organizational objects such as users, groups, devices, and application
registrations. A tenant also contains access and compliance policies for
resources, such as applications registered in the directory. Each
Microsoft Entra tenant has a unique ID (tenant ID) and a domain name
(for example, contoso.onmicrosoft.com) and serves as a security and
administrative boundary, allowing the organization to manage and
control access to resources, applications, devices, and services.
 Directory - The terms Microsoft Entra directory and Microsoft Entra
tenant are often used interchangeably. The directory is a logical
container within a Microsoft Entra tenant that holds and organizes the
various resources and objects related to identity and access
management including users, groups, applications, devices, and other
directory objects. Basically, the directory is like a database or catalog of
identities and resources associated with an organization's tenant. A
Microsoft Entra tenant consists of only one directory.
 Multi-tenant - A multi-tenant organization is an organization that has
more than one instance of Microsoft Entra ID. Reasons why an
organization might have multiple tenants include organizations with
multiple subsidiaries or business units that operate independently,
organizations that merge or acquire companies, multiple geographical
boundaries with various residency regulations, and more.

Who uses Microsoft Entra ID?

Microsoft Entra ID is used by IT admins to control access to corporate apps
and resources, based on business requirements. For example, Microsoft
Entra ID can be set up to require multi-factor authentication when
accessing important organizational resources. It provides powerful tools to
automatically help protect user identities and credentials and to meet an
organization’s access governance requirements.

Developers use Microsoft Entra ID as a standards-based approach for adding
single sign-on (SSO) to their apps, so that users can sign in with their
pre-existing credentials. Microsoft Entra ID also provides application
programming interfaces (APIs) that allow developers to build personalized
app experiences using existing organizational data.

Subscribers to Azure services, Microsoft 365, or Dynamics 365 automatically
have access to Microsoft Entra ID. Users of these services can take
advantage of included services and can also enhance their Microsoft Entra
implementation by upgrading to premium licenses.

Describe types of identities

In Microsoft Entra ID, there are different types of identities that are
supported. The terms you'll hear and are introduced in this unit are user
identities, workload identities, device identities, external identities, and
hybrid identities. Each of these terms is described in more detail in the
sections that follow.

When you ask the question, to what can I assign an identity in Microsoft
Entra ID, there are three categories.

 You can assign identities to people (humans). Examples of identities
assigned to people are employees of an organization that are typically
configured as internal users, and external users that include customers,
consultants, vendors, and partners. For our purposes, we'll refer to
these as user identities.
 You can assign identities to physical devices, such as mobile phones,
desktop computers, and IoT devices.
 Lastly, you can assign identities to software-based objects, such as
applications, virtual machines, services, and containers. These identities
are referred to as workload identities.

User

User identities represent people such as employees and external users
(customers, consultants, vendors, and partners). In Microsoft Entra ID, user
identities are characterized by how they authenticate and the user type
property.

How the user authenticates is asked relative to the host organization’s
Microsoft Entra tenant and can be internal or external. Internal
authentication means the user has an account on the host organization’s
Microsoft Entra ID and uses that account to authenticate to Microsoft Entra
ID. External authentication means the user authenticates using an external
Microsoft Entra account that belongs to another organization, a social
network identity, or other external identity provider.

The user type property describes the user’s relationship to the organization
or more specifically, the host organization’s tenancy. The user can be a
guest or a member of the organization’s Microsoft Entra tenant. By default,
guests of the organization have limited privileges in the organization’s
directory, relative to members of the organization.

 Internal member: These users are typically considered employees of
your organization. The user authenticates internally via their
organization’s Microsoft Entra ID, and the user object created in the
resource Microsoft Entra directory has a UserType of Member.
 External guest: External users or guests, including consultants, vendors,
and partners, typically fall into this category. The user authenticates
using an external Microsoft Entra account or an external identity
provider (such as a social identity). The user object created in the
resource Microsoft Entra directory has a UserType of Guest, giving them
limited, guest-level permissions.
 External member: This scenario is common in organizations consisting
of multiple tenants. Consider the scenario where the Contoso Microsoft
Entra tenant and the Fabrikam Microsoft Entra tenant are tenants within
one large organization. Users from the Contoso tenant need member
level access to resources in Fabrikam. In this scenario, Contoso users
are configured in the Fabrikam Microsoft Entra directory such that they
authenticate with their Contoso account, which is external to Fabrikam,
but have a UserType of Member to enable member-level access to
Fabrikam’s organizational resources.
 Internal guest: This scenario exists when organizations who collaborate
with distributors, suppliers, and vendors set up internal Microsoft Entra
accounts for these users but designate them as guests by setting the
user object UserType to Guest. As a guest, they have reduced
permissions in the directory. This is considered a legacy scenario as it is
now more common to use B2B collaboration. With B2B collaboration
users can use their own credentials, allowing their external identity
provider to manage authentication and their account lifecycle.

External guests and external members are business-to-business (B2B)
collaboration users that fall under the category of external identities in
Microsoft Entra ID and are described in more detail in the subsequent unit.

Workload identities

A workload identity is an identity you assign to a software workload. This
enables the software workload to authenticate to and access other services
and resources. This helps secure your workload.

Securing your workload identities is important because unlike a human user,
a software workload may deal with multiple credentials to access different
resources and those credentials need to be stored securely. It’s also hard to
track when a workload identity is created or when it should be revoked.
Enterprises risk their applications or services being exploited or breached
because of difficulties in securing workload identities.

Microsoft Entra Workload ID helps resolve these issues when securing
workload identities. In Microsoft Entra, workload identities are applications,
service principals, and managed identities.

Applications and service principals

A service principal is, essentially, an identity for an application. For an application to
delegate its identity and access functions to Microsoft Entra ID, the application must
first be registered with Microsoft Entra ID to enable its integration. Once an
application is registered, a service principal is created in each Microsoft Entra
tenant where the application is used. The service principal enables core features
such as authentication and authorization of the application to resources that are
secured by the Microsoft Entra tenant.

For the service principals to be able to access resources secured by the Microsoft
Entra tenant, application developers must manage and protect the credentials. If
not done correctly, this can introduce security vulnerabilities. Managed identities
help off-load that responsibility from the developer.

Managed identities

Managed identities are a type of service principal that are automatically
managed in Microsoft Entra ID and eliminate the need for developers to
manage credentials. Managed identities provide an identity for applications
to use when connecting to Azure resources that support Microsoft Entra
authentication and can be used without any extra cost.

For a list of Azure Services that support managed identities, refer to the
Learn more section of the Summary and resources unit.

There are two types of managed identities: system-assigned and user-assigned.

 System-assigned. Some Azure resources, such as virtual machines,
allow you to enable a managed identity directly on the resource. When
you enable a system-assigned managed identity an identity is created in
Microsoft Entra that's tied to the lifecycle of that Azure resource.
Because the identity is tied to the lifecycle of that Azure resource when
the resource is deleted, Azure automatically deletes the identity for you.
An example where you may find a system-assigned identity is when a
workload is contained within a single Azure resource, such as an
application that runs on a single virtual machine.
 User-assigned. You may also create a managed identity as a
standalone Azure resource. Once you create a user-assigned managed
identity, you can assign it to one or more instances of an Azure service.
For example, a user-assigned managed identity can be assigned to
multiple VMs. With user-assigned managed identities, the identity is
managed separately from the resources that use it. Deleting the
resources that use the user-assigned managed identity doesn't delete
the identity. The user-assigned managed identity must be explicitly
deleted. This is useful in a scenario where you may have multiple VMs
that all have the same set of permissions but may get recycled
frequently. Deleting any of the VMs doesn’t impact the user-assigned
managed identity. Similarly, you can create a new VM and assign it the
existing user-assigned managed identity.

Device

A device is a piece of hardware, such as mobile devices, laptops, servers, or
printers. A device identity gives administrators information they can use
when making access or configuration decisions. Device identities can be set
up in different ways in Microsoft Entra ID.

 Microsoft Entra registered devices. The goal of Microsoft Entra
registered devices is to provide users with support for bring your own
device (BYOD) or mobile device scenarios. In these scenarios, a user can
access your organization’s resources using a personal device. Microsoft
Entra registered devices register to Microsoft Entra ID without requiring
an organizational account to sign in to the device.
 Microsoft Entra joined. A Microsoft Entra joined device is a device
joined to Microsoft Entra ID through an organizational account, which is
then used to sign in to the device. Microsoft Entra joined devices are
generally owned by the organization.
 Microsoft Entra hybrid joined devices. Organizations with existing
on-premises Active Directory implementations can benefit from the
functionality provided by Microsoft Entra ID by implementing Microsoft
Entra hybrid joined devices. These devices are joined to your on-
premises Active Directory and Microsoft Entra ID, requiring an
organizational account to sign in to the device.

Registering and joining devices to Microsoft Entra ID gives users Single Sign-
on (SSO) to cloud-based resources. Additionally, devices that are Microsoft
Entra joined benefit from the SSO experience to resources and applications
that rely on on-premises Active Directory.

Groups

In Microsoft Entra ID, if you have several identities with the same access
needs, you can create a group. You use groups to give access permissions to
all members of the group, instead of having to assign access rights
individually. Limiting access to Microsoft Entra resources to only those
identities who need access is one of the core security principles of Zero
Trust.

There are two group types:

 Security: A security group is the most common type of group and it's
used to manage user and device access to shared resources. For
example, you may create a security group for a specific security policy
such as Self-service password reset or for use with a conditional access
policy to require MFA. Members of a security group can include users
(including external users), devices, other groups, and service principals.
Creating security groups requires a Microsoft Entra administrator role.
 Microsoft 365: A Microsoft 365 group, which is also often referred to as a
distribution group, is used for grouping users according to collaboration
needs. For example, you can give members of the group access to a
shared mailbox, calendar, files, SharePoint sites, and more. Members of
a Microsoft 365 group can only include users, including users outside of
your organization. Because Microsoft 365 groups are intended for
collaboration, the default is to allow users to create Microsoft 365
groups, so you don’t need an administrator role.

Groups can be configured to allow members to be assigned, that is manually
selected, or they can be configured for dynamic membership. Dynamic
membership uses rules to automatically add and remove identities.

Describe hybrid identity

While there's no denying the rapid pace at which organizations are moving
their workloads to the cloud, many businesses and corporations are still a
mixture of on-premises and cloud applications. Regardless of where an
application is hosted, users expect and require easy access. As such, there's a
need to have a single identity across these various applications.

Microsoft’s identity solutions span on-premises and cloud-based capabilities.
These solutions create a common identity for authentication and
authorization to all resources, regardless of location. We call this hybrid
identity.

Hybrid identity is accomplished through provisioning and synchronization.

 Inter-directory provisioning is provisioning an identity between two
different directory services systems. For a hybrid environment, the most
common scenario for inter-directory provisioning is when a user already
in Active Directory is provisioned into Microsoft Entra ID.
 Synchronization is responsible for making sure identity information for
your on-premises users and groups is matching the cloud.

One of the available methods for accomplishing inter-directory provisioning
and synchronization is through Microsoft Entra Cloud Sync. Microsoft Entra
Cloud Sync is designed to meet and accomplish your hybrid identity goals for
the provisioning and synchronization of users, groups, and contacts to
Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud
provisioning agent. The agent provides a lightweight inter-directory
provisioning experience that acts as a bridge between Microsoft Entra ID and
Active Directory. An organization only needs to deploy the agent in their on-
premises or IaaS-hosted environment. The provisioning configuration is
stored in Microsoft Entra ID and managed as part of the service.

The Microsoft Entra Cloud Sync provisioning agent uses the System for
Cross-domain Identity Management (SCIM) specification with Microsoft Entra
ID to provision and deprovision users and groups. The SCIM specification is a
standard that is used to automate the exchanging of user or group identity
information between identity domains such as Microsoft Entra ID and is
becoming the de facto standard for provisioning.
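To make the provisioning and synchronization steps concrete, here is an added example (not the Microsoft Entra cloud provisioning agent, and not code from this page) that diffs a constructed on-premises Active Directory snapshot against a constructed cloud directory state and expresses the result as SCIM 2.0 requests using the resource and PatchOp shapes from RFC 7643 and RFC 7644. All account names, GUIDs and cloud ids are constructed placeholders.

```python
"""Constructed example of the provisioning and synchronization step behind
hybrid identity: diff a snapshot of on-premises Active Directory accounts
against what the cloud directory already holds, and express the result as
SCIM 2.0 requests (resource and PatchOp shapes from RFC 7643 / RFC 7644).
Added illustration only; it is not the Microsoft Entra cloud provisioning
agent, and all users below are constructed."""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SYNCED_ATTRS = ("userName", "displayName", "active")


def to_scim_user(ad_user):
    """Map an on-premises account to a SCIM User. The objectGUID becomes the
    SCIM externalId, the immutable anchor that matches the same identity in
    both directories even when the user is renamed."""
    return {
        "schemas": [SCIM_USER],
        "externalId": ad_user["objectGUID"],
        "userName": ad_user["userPrincipalName"],
        "displayName": ad_user["displayName"],
        "active": ad_user["enabled"],
    }


def patch(user_id, operations):
    """Build a SCIM PatchOp request against an existing cloud user."""
    return ("PATCH", f"/Users/{user_id}",
            {"schemas": [SCIM_PATCH], "Operations": operations})


def plan_sync(ad_users, cloud_users):
    """Return the ordered list of (method, path, body) requests that make the
    cloud directory match on-premises. cloud_users maps externalId to the
    SCIM resource already provisioned (including its cloud-side 'id')."""
    requests, seen = [], set()
    for ad_user in ad_users:
        desired = to_scim_user(ad_user)
        anchor = desired["externalId"]
        seen.add(anchor)
        current = cloud_users.get(anchor)
        if current is None:
            requests.append(("POST", "/Users", desired))      # provision
            continue
        changes = [{"op": "replace", "path": attr, "value": desired[attr]}
                   for attr in SYNCED_ATTRS if current.get(attr) != desired[attr]]
        if changes:
            requests.append(patch(current["id"], changes))   # synchronize drift
    # Accounts that disappeared on-premises are deprovisioned by disabling,
    # not deleting, so the cloud object and its audit trail are retained.
    for anchor, current in cloud_users.items():
        if anchor not in seen and current.get("active", True):
            requests.append(patch(current["id"],
                                  [{"op": "replace", "path": "active", "value": False}]))
    return requests


# Constructed on-premises snapshot: one new hire, one renamed, one unchanged.
AD_SNAPSHOT = [
    {"objectGUID": "guid-0001", "userPrincipalName": "dana@contoso.example",
     "displayName": "Dana Ortiz", "enabled": True},
    {"objectGUID": "guid-0002", "userPrincipalName": "lee.park@contoso.example",
     "displayName": "Lee Park", "enabled": True},
    {"objectGUID": "guid-0003", "userPrincipalName": "sam@contoso.example",
     "displayName": "Sam Reyes", "enabled": True},
]

# Constructed cloud state: guid-0002 still carries the old UPN, guid-0003 is
# current, guid-0004 was deleted on-premises and must be deprovisioned.
CLOUD_STATE = {
    "guid-0002": {"id": "c-22", "externalId": "guid-0002",
                  "userName": "lpark@contoso.example",
                  "displayName": "Lee Park", "active": True},
    "guid-0003": {"id": "c-33", "externalId": "guid-0003",
                  "userName": "sam@contoso.example",
                  "displayName": "Sam Reyes", "active": True},
    "guid-0004": {"id": "c-44", "externalId": "guid-0004",
                  "userName": "old@contoso.example",
                  "displayName": "Former Staff", "active": True},
}


def demo():
    """One sync cycle over the constructed data: create, rename, deprovision."""
    return plan_sync(AD_SNAPSHOT, CLOUD_STATE)


if __name__ == "__main__":
    for method, path, body in demo():
        print(method, path, json.dumps(body))
```

Running the same plan a second time against a cloud state that already matches produces no requests, which is the property a scheduled synchronization agent relies on.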

Describe external identities

Today’s world is about collaboration, working with people both inside and
outside of your organization. That means you'll sometimes need to provide
access to your organization’s applications or data to external users.

Microsoft Entra External ID combines powerful solutions for working with
people outside of your organization. With External ID capabilities, you can
allow external identities to securely access your apps and resources.
Whether you’re working with external partners, consumers, or business
customers, users can bring their own identities. These identities can range
from corporate or government-issued accounts to social identity providers
like Google or Facebook.

Microsoft Entra External ID addresses the scenarios that are encountered
when it comes to working with external users.

 Collaborate with business guests
 Secure your apps for consumers and business customers

Also, each of these scenarios suggests a different approach for how an
organization configures their Microsoft Entra ID tenant.

There are two ways to configure a tenant, depending on how the
organization intends to use the tenant and the resources they want to
manage:

 A workforce tenant configuration is for your employees, internal
business apps, and other organizational resources. You can invite
external business partners and guests to your workforce tenant.
 An external tenant configuration is used exclusively for External ID
scenarios where you want to publish apps to consumers or business
customers.

Collaborate with business guests

If you want to enable your employees to collaborate with business partners
and guests, use External ID for B2B collaboration.

External ID B2B collaboration allows your workforce to collaborate with
external business partners.

Using your workforce tenant, you can use B2B collaboration to share your
company's applications and services with guests, while maintaining control
over your own corporate data. You can invite anyone to sign in to your
Microsoft Entra organization using their own credentials so they can access
the apps and resources you want to share with them.

Use B2B collaboration when you need to let business guests access your
Office 365 apps, software-as-a-service (SaaS) apps, and line-of-business
applications. There are no credentials associated with business guests.
Instead, they authenticate with their home organization or identity provider,
and then your organization checks the user’s eligibility for guest
collaboration.

Secure your apps for consumers and business customers

If you’re an organization or a developer creating consumer apps, use
External ID to quickly add authentication and customer identity and access
management (CIAM) to your application.

Microsoft Entra External ID includes Microsoft's customer identity and access
management (CIAM) solution that includes features like self-service
registration, personalized sign-in experiences including single sign-on (SSO)
with social and enterprise identities, and customer account management.
Because these CIAM capabilities are built into Microsoft Entra ID, you also
benefit from platform features like enhanced security, compliance, and
scalability.

Describe access management capabilities of Microsoft Entra

Describe Conditional Access

Conditional Access is a feature of Microsoft Entra ID that provides an extra
layer of security before allowing authenticated users to access data or other
assets. Conditional Access is implemented through policies that are created
and managed in Microsoft Entra ID. A Conditional Access policy analyses
signals including user, location, device, application, and risk to automate
decisions for authorizing access to resources (apps and data).

Conditional Access policies at their simplest are if-then statements. For
example, a Conditional Access policy might state that if a user belongs to a
certain group, then they're required to provide multifactor authentication to
sign in to an application.

Conditional Access policies are enforced after first-factor authentication is
completed. Conditional Access isn't intended to be an organization's first line
of defense for scenarios like denial-of-service (DoS) attacks, but it can use
signals from these events to determine access.

Conditional access policy components

A conditional access policy in Microsoft Entra ID consists of two
components, assignments and access controls.

Assignments

When creating a conditional access policy, admins can determine which
signals to use through assignments. The assignments portion of the policy
controls the who, what, where, and when of the Conditional Access policy. All
assignments are logically ANDed. If you have more than one assignment
configured, all assignments must be satisfied to trigger a policy. Some of the
assignments include:

 Users assign who the policy will include or exclude. This assignment
can include all users in the directory, specific users and groups,
directory roles, external guests, and workload identities.
 Target resources include applications or services, user actions, Global
Secure Access (preview), or authentication context.
o Cloud apps - Administrators can choose from the list of applications or
services that include built-in Microsoft applications, including
Microsoft Cloud applications, Office 365, the Windows Azure Service
Management API, Microsoft Admin portals, and any Microsoft Entra
registered applications.
o User actions - Administrators can choose to define policy not based
on a cloud application but on a user action like Register security
information or Register or join devices, allowing Conditional Access to
enforce controls around those actions.
o Global Secure Access (preview) - Administrators can use conditional
Access policies to secure the traffic that passes through the Global
Secure Access service. This is done by defining traffic profiles in
Global Secure Access. Conditional Access policies can then be
assigned to the Global Secure Access traffic profile.
o Authentication context - Authentication context can be used to
further secure data and actions in applications. For example, users
that have access to specific content in a SharePoint site may be
required to access that content via a managed device or agree to
specific terms of use.
 Network allows you to control user access based on the user's network
or physical location. You can include any network or location, locations
marked as trusted networks or trusted IP address ranges, or named
locations. You can also identify compliant networks that are made up of
users and devices that comply with your organization's security policies.
 Conditions define where and when the policy will apply. Multiple
conditions can be combined to create fine-grained and specific
Conditional Access policies. Some of the conditions include:
o Sign-in risk and user risk. Integration with Microsoft Entra ID
Protection allows Conditional Access policies to identify suspicious
actions related to user accounts in the directory and trigger a policy.
Sign-in risk is the probability that a given sign-in, or authentication
request, isn't authorized by the identity owner. User risk is the
probability that a given identity or account is compromised.
o Insider risk. Administrators with access to Microsoft Purview
adaptive protection can incorporate risk signals from Microsoft
Purview into Conditional Access policy decisions. Insider risk takes
into account your data governance, data security, and risk and
compliance configurations from Microsoft Purview.
o Device platform. Device platform, which is characterized by the
operating system that runs on a device, can be used when enforcing
Conditional Access policies.
o Client apps. Client apps, the software the user is employing to
access the cloud app, including browsers, mobile apps, and desktop
clients, can also be used in access policy decisions.
o Filters for devices. Organizations can enforce policies based on
device properties, by using the filters for devices option. As an
example, this option may be used to target policies to specific
devices like privileged access workstations.

In essence, the assignments portion controls the who, what, and where of
the Conditional Access policy.

Access controls

When the Conditional Access policy has been applied, an informed decision
is reached on whether to block access, grant access, grant access with extra
verification, or apply a session control to enable a limited experience. The
decision is referred to as the access controls portion of the Conditional
Access policy and defines how a policy is enforced. Common decisions are:
 Block access
 Grant access. Administrators can grant access without any additional
control, or they can choose to enforce one or more controls when
granting access. Examples of controls used to grant access include
requiring users to perform multifactor authentication, requiring specific
authentication methods to access a resource, requiring devices to meet
specific compliance policy requirements, require a password change,
and more. For a complete list, refer to Grant controls in Conditional
Access policy.
 Session. Within a Conditional Access policy, an administrator can make
use of session controls to enable limited experiences within specific
cloud applications. As an example, Conditional Access App Control uses
signals from Microsoft Defender for Cloud Apps to block the download,
cut, copy, and print capabilities for sensitive documents, or to require
labeling of sensitive files. Other session controls include sign-in
frequency and application enforced restrictions that, for selected
applications, use the device information to provide users with a limited
or full experience, depending on the device state. For a complete list,
refer to Session controls in Conditional Access policy.
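The two components just described, as an added worked example (constructed model, not Microsoft's evaluation engine and not code from this page): each configured assignment must match for a policy to apply, a block from any applying policy wins, and otherwise the grant and session controls of every applying policy accumulate. Policy names, users, groups, locations and control labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed model of the evaluation rules: assignments are ANDed to decide
# whether a policy applies; access controls say what happens when it does.

@dataclass
class SignIn:
    """Signals available for one authentication request (constructed sample)."""
    user: str
    groups: Set[str]
    app: str
    platform: str          # device platform, e.g. "windows" or "ios"
    location: str          # named location, e.g. "HQ"; "unknown" when unmatched
    sign_in_risk: str      # "none", "low", "medium" or "high"

@dataclass
class Assignments:
    """Who / what / where. A field left as None is 'not configured' and matches all."""
    include_users: Set[str]                   # users or groups; "All" matches everyone
    exclude_users: Set[str] = field(default_factory=set)
    include_apps: Set[str] = field(default_factory=lambda: {"All"})
    platforms: Optional[Set[str]] = None
    locations: Optional[Set[str]] = None
    exclude_locations: Set[str] = field(default_factory=set)
    sign_in_risk: Optional[Set[str]] = None

@dataclass
class AccessControls:
    """How the policy is enforced: block, or grant subject to controls."""
    block: bool = False
    grant: Set[str] = field(default_factory=set)     # e.g. {"mfa", "compliantDevice"}
    session: Set[str] = field(default_factory=set)   # e.g. {"signInFrequency"}

@dataclass
class Policy:
    name: str
    assignments: Assignments
    controls: AccessControls

def policy_applies(policy: Policy, s: SignIn) -> bool:
    """Every configured assignment must be satisfied (logical AND)."""
    a = policy.assignments
    principals = {s.user} | s.groups
    if principals & a.exclude_users:          # exclusions always win
        return False
    checks = [
        "All" in a.include_users or bool(principals & a.include_users),
        "All" in a.include_apps or s.app in a.include_apps,
        a.platforms is None or s.platform in a.platforms,
        a.locations is None or s.location in a.locations,
        s.location not in a.exclude_locations,
        a.sign_in_risk is None or s.sign_in_risk in a.sign_in_risk,
    ]
    return all(checks)

def evaluate(policies, s: SignIn):
    """Combine all applying policies: any block wins; otherwise the grant and
    session controls of every applying policy accumulate and must all be met."""
    grant, session = set(), set()
    for p in policies:
        if not policy_applies(p, s):
            continue
        if p.controls.block:
            return {"decision": "block", "policy": p.name}
        grant |= p.controls.grant
        session |= p.controls.session
    return {"decision": "grant", "grant": grant, "session": session}

# Constructed sample policies, modelled on the controls named in the text.
POLICIES = [
    Policy("Block high sign-in risk",
           Assignments(include_users={"All"}, sign_in_risk={"high"}),
           AccessControls(block=True)),
    Policy("Require MFA off-network",
           Assignments(include_users={"All"}, exclude_users={"breakglass"},
                       exclude_locations={"HQ"}),
           AccessControls(grant={"mfa"})),
    Policy("Admin portals need compliant device",
           Assignments(include_users={"Admins"},
                       include_apps={"Microsoft Admin Portals"}),
           AccessControls(grant={"mfa", "compliantDevice"},
                          session={"signInFrequency"})),
]

def decide(user, groups, app, platform, location, risk="none"):
    """Evaluate the sample policy set for one sign-in."""
    return evaluate(POLICIES, SignIn(user, set(groups), app, platform, location, risk))

if __name__ == "__main__":
    print(decide("alice", ["Finance"], "Office 365", "windows", "HQ"))
    print(decide("bob", ["Admins"], "Microsoft Admin Portals", "windows", "unknown", "high"))
```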

Describe Global Secure Access in Microsoft Entra

Microsoft Entra now provides a new set of products under the heading of
Microsoft Global Secure Access. Global Secure Access is the unifying term
used for both Microsoft Entra Internet Access and Microsoft Entra Private
Access.

Microsoft Entra Internet Access secures access to Software as a Service
(SaaS) applications, including Microsoft Services, and public internet apps
while protecting users, devices, and data against internet threats.

Microsoft Entra Private Access provides your users, whether in an office or
working remotely, secure access to your private, corporate resources.

Microsoft Entra Internet Access and Microsoft Entra Private Access come
together as a solution that converges Zero Trust network, identity, and
endpoint access controls so that you can secure access to any app or
resource, from any location, device, or identity. This type of solution
represents a new network security category called Security Service Edge
(SSE).

SSE helps address security challenges such as:

 The need to reduce the risk of lateral movement through a
compromised VPN tunnel.
 The need to put a perimeter around internet-based assets.
 The need to improve service in remote office locations, such as branch
offices.

Microsoft Entra Private Access

VPN solutions are often used as a primary method to control corporate
network access. Once private network connectivity is established, the front
door to your network is unlocked and on top of that, it's common for users
and devices to be over-permissioned. This significantly increases your
organization's attack surface.

Microsoft Entra Private Access can be deployed to block lateral attack
movement, reduce excessive access, and replace legacy VPNs. The service
provides your users - whether in an office or working remotely - secured
access to your private, corporate resources.

Conceptually, the way Private Access works is that for a given set of private
resources you want to secure, you set up a new enterprise application that
serves as a container for those private resources. The new application has a
network connector that serves as a broker between the Private Access
service and the resource a user wants to access. Now clearly, enterprises
have different requirements for accessing different private resources, so
Microsoft Entra Private Access provides two ways in which you can set up the
private resources you want to have accessed through the service.

 Quick Access - As previously described, Private Access works by creating
a new enterprise application that serves as a container for the private
resources you want to secure. With Quick Access, you determine which
private resources to add to the "container" or enterprise application,
which we'll call the Quick Access application. The private resources you
add to the Quick Access application are defined by the FQDN, IP
address, IP address range, and ports used to access the resource.
This information is referred to as a Quick Access application segment.
You can add many application segments to the Quick Access
application. You can then link conditional access policies to the Quick
Access application.

 Global Secure Access app - Global Secure Access app, also referred to as
Per-app Access, provides a more granular approach. With Global Secure
Access app, you can create multiple "containers" or enterprise
applications. For each of these new enterprise apps, you define the
properties of the private resource, assign users and groups, and
assign specific conditional access policies. For example, you may have a
group of private resources you need to secure, but for which you want to
set different access policies based on how users are accessing the
resource or for a specific time frame.
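An added illustration of the application-segment concept from the two bullets above (a constructed model, not the Private Access service's own code): each container application holds segments defined by FQDN, IP address, IP range and ports, and the first container whose segment covers a destination determines which linked Conditional Access policies apply. The matching rules (exact FQDN match, first-match ordering) and all hostnames, addresses and policy names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how Private Access application segments claim traffic.
# Field names follow the text above; the matching rules are an assumption.

@dataclass(frozen=True)
class AppSegment:
    destination: str        # FQDN, single IP, CIDR ("10.10.0.0/16") or range ("a-b")
    ports: tuple            # port specs such as ("443", "3389-3390")
    protocol: str = "tcp"

@dataclass
class PrivateApp:
    """Enterprise application acting as a container for private resources."""
    name: str
    segments: list
    ca_policies: tuple = ()   # Conditional Access policies linked to this app

def port_allowed(port: int, specs) -> bool:
    """True when port falls inside any single port or 'lo-hi' range in specs."""
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def destination_matches(destination: str, target: str) -> bool:
    """target is the host (FQDN or IP literal) the client is connecting to."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # FQDN target: case-insensitive exact match (no wildcards assumed here)
        return destination.lower() == target.lower()
    if "/" in destination:
        return ip in ipaddress.ip_network(destination, strict=False)
    if "-" in destination:
        low, high = (ipaddress.ip_address(x) for x in destination.split("-", 1))
        return low <= ip <= high
    try:
        return ip == ipaddress.ip_address(destination)
    except ValueError:
        return False    # an FQDN segment cannot match a raw IP target

def resolve(apps, target: str, port: int, protocol="tcp"):
    """Return (app name, linked CA policies) for the first app whose segment
    covers target:port, or None when no app claims the traffic."""
    for app in apps:
        for seg in app.segments:
            if (seg.protocol == protocol
                    and destination_matches(seg.destination, target)
                    and port_allowed(port, seg.ports)):
                return app.name, app.ca_policies
    return None

# Constructed sample: a per-app container for payroll listed first (most
# specific), then a Quick Access container for general corporate resources.
APPS = [
    PrivateApp("Payroll (per-app)",
               [AppSegment("10.20.5.10", ("443",))],
               ca_policies=("Require compliant device", "Require MFA")),
    PrivateApp("Quick Access",
               [AppSegment("fileserver.corp.example", ("445",)),
                AppSegment("10.10.0.0/16", ("22", "3389-3390")),
                AppSegment("10.20.5.1-10.20.5.9", ("443",))],
               ca_policies=("Require MFA",)),
]

if __name__ == "__main__":
    print(resolve(APPS, "10.20.5.10", 443))
    print(resolve(APPS, "fileserver.corp.example", 445))
    print(resolve(APPS, "www.example.com", 443))
```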

Microsoft Entra Internet Access

A Secure Web Gateway (SWG) is a cybersecurity solution that protects users
from web-based threats by filtering internet traffic and enforcing security
policies.

Microsoft Entra Internet Access provides an identity-centric Secure Web
Gateway (SWG) solution for Software as a Service (SaaS) applications,
including Microsoft Services, and other Internet traffic. It protects users,
devices, and data from the Internet's wide threat landscape with best-in-
class security controls and visibility through Traffic Logs.

Some of the key features include:

 Protection against user identity or token theft by using Conditional
Access policies to perform a compliant network check for access to
resources.
o Compliant network enforcement happens at the authentication plane
and at the data plane. Authentication plane enforcement is performed
by Microsoft Entra ID at the time of user authentication. Data plane
enforcement works with services that support Continuous Access
Evaluation (CAE).
o Continuous Access Evaluation (CAE) is a security feature where apps
and Microsoft Entra constantly communicate to ensure user access is
up-to-date and secure. If something changes, like a user's location, or
a security concern arises, the system can quickly adjust or block
access in near real-time, ensuring policies are always enforced.
 Tenant restrictions to prevent data exfiltration to other tenants or
personal accounts including anonymous access.
 Internet Access traffic forwarding profile policies to control which
internet sites can be accessed to ensure remote workers connect to the
internet in a controlled and secure way.
 Web content filtering to regulate access to websites based on their
content categories and domain names.
 and many more...

Global Secure Access Dashboard

Global Secure Access includes a dashboard that provides you with
visualizations of the network traffic acquired by the Microsoft Entra Private
and Microsoft Entra Internet Access services. The dashboard compiles the
data from your network configurations, including devices, users, and tenants
into several widgets. Those widgets, in turn, provide you with information
you can use to monitor and improve your network configurations. Some of
the available widgets include:

 Global Secure Access snapshot
 Alerts and notifications (preview)
 Usage profiling (preview)
 Cross-tenant access
 Web category filtering
 Device status

Global Secure Access snapshot

The Global Secure Access snapshot widget provides a summary of how many
users and devices are using the service and how many applications were
secured through the service. The widget defaults to showing all types of
traffic, but you can change the filter to show Internet Access, Private Access,
or Microsoft traffic.

Usage profiling (preview)

The Usage profiling widget displays usage patterns for Internet Access,
Private Access, or Microsoft 365 over a selected period of time and by
category.

Alerts and notifications (preview)

The Alerts and notifications widget shows what is happening in the network
and helps identify suspicious activities or trends identified by the network
data.

This widget provides the following alerts:

 Unhealthy remote network: An unhealthy remote network has one or
more device links disconnected.
 Increased external tenants activity: The number of users accessing
external tenants has increased.
 Token and device inconsistency: The original token is used on a different
device.
 Web content blocked: Access to the website has been blocked.

Cross-tenant access

Global Secure Access provides visibility into the number of users and
devices that are accessing other tenants. This widget displays the following
information:

 Sign-ins: The number of sign-ins through Microsoft Entra ID to Microsoft
services in the last 24 hours. This widget provides you with information
about the activity in your tenant.
 Total distinct tenants: The number of distinct tenant IDs seen in the last
24 hours.
 Unseen tenants: The number of distinct tenant IDs that were seen in the
last 24 hours, but not in the previous seven days.
 Users: The number of distinct user sign-ins to other tenants in the last
24 hours.
 Devices: The number of distinct devices that signed in to other tenants
in the last 24 hours.
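The five widget numbers above, computed from constructed sign-in records as an added example (not the dashboard's own code): the interesting one is "unseen tenants", which needs two windows, the last 24 hours and the seven days before it. Tenant labels, user and device names, and the reference time are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of sign-in records as the Cross-tenant access widget
# would aggregate them. Tenant labels, users and devices are placeholders,
# not real tenant IDs.
NOW = datetime(2024, 6, 8, 12, 0, tzinfo=timezone.utc)
HOME_TENANT = "tenant-home"

def _rec(hours_ago, user, device, tenant):
    return {"time": NOW - timedelta(hours=hours_ago), "user": user,
            "device": device, "tenant": tenant}

SIGN_INS = [
    _rec(1, "alice", "dev-1", HOME_TENANT),       # own tenant, not cross-tenant
    _rec(1, "alice", "dev-1", "tenant-A"),
    _rec(2, "alice", "dev-1", "tenant-B"),
    _rec(5, "bob", "dev-2", "tenant-B"),
    _rec(20, "carol", "dev-3", "tenant-C"),       # first time C appears in 7 days
    _rec(30, "dave", "dev-4", "tenant-D"),        # in the 7-day baseline only
    _rec(3 * 24, "alice", "dev-1", "tenant-A"),
    _rec(6 * 24, "bob", "dev-2", "tenant-B"),
    _rec(10 * 24, "carol", "dev-3", "tenant-C"),  # older than the baseline window
]

def cross_tenant_summary(records, now=NOW, home_tenant=HOME_TENANT):
    """Compute the widget's numbers. 'Unseen tenants' are tenant IDs seen in the
    last 24 hours but not in the seven days before that window."""
    day = timedelta(hours=24)
    recent = [r for r in records if now - day <= r["time"] <= now]
    baseline = [r for r in records if now - 8 * day <= r["time"] < now - day]
    external = [r for r in recent if r["tenant"] != home_tenant]
    recent_tenants = {r["tenant"] for r in external}
    baseline_tenants = {r["tenant"] for r in baseline if r["tenant"] != home_tenant}
    unseen = recent_tenants - baseline_tenants
    return {
        "sign_ins": len(recent),                       # all sign-ins, last 24 hours
        "total_distinct_tenants": len(recent_tenants),
        "unseen_tenants": len(unseen),
        "unseen_tenant_ids": sorted(unseen),          # what a reviewer would triage
        "users": len({r["user"] for r in external}),
        "devices": len({r["device"] for r in external}),
    }

if __name__ == "__main__":
    for key, value in cross_tenant_summary(SIGN_INS).items():
        print(f"{key}: {value}")
```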

Web category filtering

The Web category filtering widget displays the top categories of web content
that were blocked or allowed by the service. These categories can be used to
determine what sites or categories of sites you might want to block.

Device status

The Device status widgets display the active and inactive devices that you
have deployed.

Describe Microsoft Entra roles and role-based access control (RBAC)

Microsoft Entra roles control permissions to manage Microsoft Entra
resources. For example, allowing user accounts to be created, or billing
information to be viewed. Microsoft Entra ID supports built-in and custom
roles.

Managing access using roles is known as role-based access control
(RBAC). Microsoft Entra built-in and custom roles are a form of RBAC in that
Microsoft Entra roles control access to Microsoft Entra resources. This is
referred to as Microsoft Entra RBAC.

Built-in roles

Microsoft Entra ID includes many built-in roles, which are roles with a fixed
set of permissions. A few of the most common built-in roles are:

 Global administrator: users with this role have access to all
administrative features in Microsoft Entra. The person who signs up for
the Microsoft Entra tenant automatically becomes a global
administrator.
 User administrator: users with this role can create and manage all
aspects of users and groups. This role also includes the ability to
manage support tickets and monitor service health.
 Billing administrator: users with this role make purchases, manage
subscriptions and support tickets, and monitor service health.

All built-in roles are preconfigured bundles of permissions designed for
specific tasks. The fixed set of permissions included in the built-in roles can't
be modified.

Custom roles

Although there are many built-in admin roles in Microsoft Entra, custom roles
give flexibility when granting access. A custom role definition is a collection
of permissions that you choose from a preset list. The list of permissions to
choose from are the same permissions used by the built-in roles. The
difference is that you get to choose which permissions you want to include in
a custom role.

Granting permission using custom Microsoft Entra roles is a two-step
process. The first step involves creating a custom role definition, consisting
of a collection of permissions that you add from a preset list. Once you've
created your custom role definition, the second step is to assign that role to
users or groups by creating a role assignment.

A role assignment grants the user the permissions in a role definition, at a
specified scope. A scope defines the set of Microsoft Entra resources the role
member has access to. A custom role can be assigned at organization-wide
scope, meaning the role member has the role permissions over all resources.
A custom role can also be assigned at an object scope. An example of an
object scope would be a single application. The same role can be assigned to
one user over all applications in the organization and then to another user
with a scope of only the Contoso Expense Reports app.

Custom roles require a Microsoft Entra ID P1 or P2 license.

Only grant the access users need

It's best practice, and more secure, to grant users the least privilege to get
their work done. It means that if someone mostly manages users, you should
assign the user administrator role, and not global administrator. By assigning
least privileges, you limit the damage that could be done with a
compromised account.
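The two-step custom role process (definition, then assignment at a scope) and the least-privilege rule from the two sections above, as an added worked model (constructed, not Microsoft Entra's own implementation): organization-wide versus object scope decides where a role applies, and a small helper picks the narrowest built-in or custom role that covers a needed set of permissions. The permission strings follow the Entra naming style but are used here only as illustrative values; the application id in the object scope is a placeholder.

```python
from dataclasses import dataclass

# Constructed model of Microsoft Entra RBAC as described above: a role
# definition is a set of permissions; a role assignment binds a principal to a
# role at a scope. Permission strings are illustrative, not a complete list.

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    permissions: frozenset
    built_in: bool = True

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str = "/"     # "/" is organization-wide; "/applications/<id>" is an object scope

ROLES = {
    "Global Administrator": RoleDefinition("Global Administrator", frozenset({
        "microsoft.directory/users/create", "microsoft.directory/users/delete",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/organization/basic/update"})),
    "User Administrator": RoleDefinition("User Administrator", frozenset({
        "microsoft.directory/users/create", "microsoft.directory/users/delete"})),
    # Step 1 of the two-step process: a custom role built from the preset list.
    "App Credential Manager": RoleDefinition("App Credential Manager", frozenset({
        "microsoft.directory/applications/credentials/update"}), built_in=False),
}

# Step 2: role assignments. bob holds the custom role only over one app
# (object scope, placeholder id); alice holds it organization-wide.
ASSIGNMENTS = [
    RoleAssignment("alice", "App Credential Manager"),
    RoleAssignment("bob", "App Credential Manager", "/applications/contoso-expense-reports"),
    RoleAssignment("carol", "User Administrator"),
]

def scope_covers(scope: str, resource: str) -> bool:
    """Org-wide scope covers everything; an object scope covers that object
    and anything beneath it."""
    return scope == "/" or resource == scope or resource.startswith(scope.rstrip("/") + "/")

def is_authorized(principal, permission, resource, assignments=ASSIGNMENTS, roles=ROLES):
    """True when some assignment gives principal a role holding permission at a
    scope that covers resource."""
    return any(
        a.principal == principal
        and permission in roles[a.role].permissions
        and scope_covers(a.scope, resource)
        for a in assignments
    )

def least_privileged_role(needed, roles=ROLES):
    """Return the role with the fewest permissions that still covers everything
    in needed, or None: the 'user administrator, not global administrator' rule."""
    candidates = [r for r in roles.values() if set(needed) <= r.permissions]
    return min(candidates, key=lambda r: len(r.permissions)).name if candidates else None

if __name__ == "__main__":
    print(is_authorized("bob", "microsoft.directory/applications/credentials/update",
                        "/applications/contoso-expense-reports"))
    print(least_privileged_role({"microsoft.directory/users/create"}))
```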

Categories of Microsoft Entra roles

Microsoft Entra ID is an available service if you subscribe to any Microsoft
Online business offer, such as Microsoft 365 and Azure.

Available Microsoft 365 services include Microsoft Entra ID, Exchange,
SharePoint, Microsoft Defender, Teams, Intune, and many more.

Over time, some Microsoft 365 services, such as Exchange and Intune, have
developed their own role-based access control systems (RBAC), just like the
Microsoft Entra service has Microsoft Entra roles to control access to
Microsoft Entra resources. Other services such as Teams and SharePoint
don’t have separate role-based access control systems, they use Microsoft
Entra roles for their administrative access.

To make it convenient to manage identity across Microsoft 365 services,
Microsoft Entra ID has added some service-specific, built-in roles, each of
which grants administrative access to a Microsoft 365 service. This means
that Microsoft Entra built-in roles differ in where they can be used. There are
three broad categories.

 Microsoft Entra specific roles: These roles grant permissions to manage
resources within Microsoft Entra only. For example, User Administrator,
Application Administrator, and Groups Administrator all grant permissions to
manage resources that live in Microsoft Entra ID.
 Service-specific roles: For major Microsoft 365 services, Microsoft Entra
ID includes built-in, service-specific roles that grant permissions to
manage features within the service. For example, Microsoft Entra ID
includes built-in roles for Exchange Administrator, Intune Administrator,
SharePoint Administrator, and Teams Administrator roles that can
manage features within their respective services.
 Cross-service roles: There are some roles within Microsoft Entra ID that
span services. For example, Microsoft Entra ID has security-related
roles, like Security Administrator, that grant access across multiple
security services within Microsoft 365. Similarly, the Compliance
Administrator role grants access to manage Compliance-related settings
in Microsoft 365 Compliance Center, Exchange, and so on.

Difference between Microsoft Entra RBAC and Azure RBAC

As described above, Microsoft Entra built-in and custom roles are a form of
RBAC in that they control access to Microsoft Entra resources. This is
referred to as Microsoft Entra RBAC. In the same way that Microsoft Entra
roles can control access to Microsoft Entra resources, so too can Azure roles
control access to Azure resources. This is referred to as Azure RBAC.
Although the concept of RBAC applies to both Microsoft Entra RBAC and
Azure RBAC, what they control are different.

 Microsoft Entra RBAC - Microsoft Entra roles control access to Microsoft
Entra resources such as users, groups, and applications.
 Azure RBAC - Azure roles control access to Azure resources such as
virtual machines or storage using Azure Resource Management.

Unit 11

Describe Microsoft's Service Trust portal and privacy capabilities

Microsoft Cloud services are built on a foundation of trust, security, and
compliance. The Microsoft Service Trust Portal provides a variety of content,
tools, and other resources about Microsoft security, privacy, and compliance
practices.
Microsoft also helps organizations meet their privacy requirements, with
Microsoft Priva. Priva helps organizations safeguard personal data and build
a privacy-resilient workplace.

Describe the offerings of the Service Trust portal

The Microsoft Service Trust Portal provides a variety of content, tools, and
other resources about how Microsoft cloud services protect your data, and
how you can manage cloud data security and compliance for your
organization.

The Service Trust Portal (STP) is Microsoft's public site for publishing audit
reports and other compliance-related information associated with Microsoft’s
cloud services. STP users can download audit reports produced by external
auditors and gain insight from Microsoft-authored whitepapers that provide
details on how Microsoft cloud services protect your data, and how you can
manage cloud data security and compliance for your organization.

Accessing the Service Trust Portal

To access some of the resources on the Service Trust Portal, you must log in
as an authenticated user with your Microsoft cloud services account
(Microsoft Entra organization account) and review and accept the Microsoft
non-disclosure agreement for Compliance Materials.

Service Trust Portal Content Categories

The Service Trust Portal landing page includes content that is organized into
the following categories:

 Certifications, Regulations, and Standards
 Reports, Whitepapers, and Artifacts
 Industry and Regional Resources
 Resources for your Organization

Certifications, Regulations and Standards

The certifications, regulations, and standards section of the STP provides a
wealth of security implementation and design information with the goal of
making it easier for you to meet regulatory compliance objectives by
understanding how Microsoft Cloud services keep your data secure.

Selecting a tile will provide a list of available documents, including a
description and when it was last updated. The screenshot that follows shows
some of the documents available by selecting the ISO/IEC tile.

Reports, Whitepapers, and Artifacts

This section includes general documents relating to the following categories:

 BCP and DR - Business Continuity and Disaster Recovery
 Pen Test and Security Assessments - Attestation of Penetration tests
and security assessments conducted by third parties
 Privacy and Data Protection - Privacy and Data Protection Resources
 FAQ and Whitepapers - Whitepapers and answers to frequently asked
questions

Industry and Regional Resources

This section includes documents that apply to the following industries and
regions:

 Financial Services - Resources elaborating regulatory compliance
guidance for FSI (by country/region)
 Healthcare and Life Sciences - Capabilities offered by Microsoft for the
Healthcare Industry
 Media and Entertainment - Media and Entertainment Industry Resources
 United States Government - Resources exclusively for US Government
customers
 Regional Resources - Documents describing compliance of Microsoft's
online services with various regional policies and regulations

Resources for your Organization

This section lists documents applying to your organization (restricted by
tenant) based on your organization's subscription and permissions.

My Library
Use the My Library feature to add documents and resources on the Service
Trust Portal to your My Library page. This lets you access documents that are
relevant to you in a single place. To add a document to your My Library,
select the ellipsis (...) menu to the right of a document and then select Save
to library.

Additionally, the notifications feature lets you configure your My Library so
that an email message is sent to you whenever Microsoft updates a
document that you've added to your My Library. To set up notifications, go to
your My Library and select Notification Settings. You can choose the
frequency of notifications and specify an email address in your organization
to send notifications to. Email notifications include links to the documents
that have been updated and a brief description of the update.

If a document is part of a series, you'll be subscribed to the series, and will
receive notifications when there's an update to that series.

Describe Microsoft's privacy principles

Microsoft's approach to privacy is built on the following six principles:

 Control: Putting you, the customer, in control of your data and your
privacy with easy-to-use tools and clear choices. Your data is your
business, and you can access, modify, or delete it at any time. Microsoft
will not use your data without your agreement, and when we have your
agreement, we use your data to provide only the services you have
chosen. Your control over your data is reinforced by Microsoft
compliance with broadly applicable privacy laws and privacy standards.
 Transparency: Being transparent about data collection and use so that
everyone can make informed decisions. We only process your data
based on your agreement and in accordance with the strict policies and
procedures that we've contractually agreed to. When we deploy
subcontractors or subprocessors to perform work that requires access to
your data, they can perform only the functions that Microsoft has hired
them to provide, and they're bound by the same contractual privacy
commitments that Microsoft makes to you. The Microsoft Online
Services Subprocessor List identifies authorized subprocessors, who
have been audited against a stringent set of security and privacy
requirements in advance. This document is available as one of the data
protection resources in the Service Trust Portal.
 Security: Protecting the data that's entrusted to Microsoft by using
strong security and encryption. With state-of-the-art encryption,
Microsoft protects your data both at rest and in transit. Our encryption
protocols erect barriers against unauthorized access to the data,
including two or more independent encryption layers to protect against
compromises of any one layer. All Microsoft-managed encryption keys
are properly secured and offer the use of technologies such as Azure
Key Vault to help you control access to passwords, encryption keys, and
other secrets.
 Strong legal protections: Respecting local privacy laws and fighting
for legal protection of privacy as a fundamental human right. Microsoft
defends your data through clearly defined and well-established
response policies and processes, strong contractual commitments, and
if necessary, the courts. We believe all government requests for your
data should be directed to you. We don’t give any government direct or
unfettered access to customer data. We will not disclose data to a
government or law enforcement agency, except as you direct or where
required by law. Microsoft scrutinizes all government demands to
ensure they're legally valid and appropriate. If Microsoft receives a
request for your data, we'll promptly notify you and provide a copy of
the request unless legally prohibited from doing so. Moreover, we'll
direct the requesting party to seek the data directly from you. Our
contractual commitments to our enterprise and public sector customers
include defending your data, which builds on our existing protections.
We'll challenge every government request for commercial and public
sector customer data where we can lawfully do so.
 No content-based targeting: Not using email, chat, files, or other
personal content to target advertising. We do not share your data with
advertiser-supported services, nor do we mine it for any purposes like
marketing research or advertising.
 Benefits to you: When Microsoft does collect data, it's used to benefit
you, the customer, and to make your experiences better. For example:
o Troubleshooting: Troubleshooting for preventing, detecting, and
repairing problems affecting operations of services.
o Feature improvement: Ongoing improvement of features including
increasing reliability and protection of services and data.
o Personalized customer experience: Data is used to provide
personalized improvements and better customer experiences.

These principles form Microsoft’s privacy foundation, and they shape the way
that products and services are designed.

Describe Microsoft Priva

Privacy is top of mind for organizations and consumers today, and concerns
about how private data is handled are steadily increasing. Regulations and
laws impact people around the world, setting rules for how organizations
store personal data and giving people rights to manage personal data
collected by an organization.

To meet regulatory requirements and build customer trust, organizations
need to take a "privacy by default" stance. Rather than manual processes
and a patchwork of tools, organizations need a comprehensive solution.

Microsoft Priva is a comprehensive set of privacy solutions that supports
privacy operations across your organization's entire digital estate and
enables your organization to consolidate privacy protection across your data
landscape, streamline compliance with regulations, and mitigate privacy risk.

The Priva suite of solutions has expanded to include the following solutions:

 Subject Rights Requests
 Privacy Risk Management
 Consent Management (preview)
 Privacy Assessments (preview)
 Tracker Scanning (preview)

These solutions can be found in the new Microsoft Priva portal (preview).

Priva Privacy Risk Management

Microsoft Priva Privacy Risk Management gives you the capability to set up
policies that identify privacy risks in your Microsoft 365 environment and
enable easy remediation. Policy options in Privacy Risk Management can
help you find issues in the following areas of privacy concern and guide your
users through recommended steps for remediation.

 Limit data overexposure. Data overexposure policies, which can be
set up to cover both Microsoft 365 and multicloud (preview) locations,
can help you detect and handle situations in which data that your
organization has stored is insufficiently secure. For example, Privacy
Risk Management can alert you if access to an internal site is open to
too many people or your permissions settings haven't been maintained.
Privacy Risk Management also offers remediation options that help your
users resolve any issues that are found. For data overexposure, these
include making content items private, notifying content owners, or
tagging items for further review.
 Find and mitigate data transfers. Data transfer policies allow you to
monitor for transfers between different world regions or between
departments in your organization, and transfers outside of your
organization. When a policy match is detected, you can send users
email notifications that allow them to take corrective action right in the
email, such as making content items private, notifying content owners,
or tagging items for further review.
 Minimize stored data. Data minimization policies allow you to look for
data that your organization has been storing for at least a certain length
of time. This can help you manage your ongoing storage practices.
When policy matches are found, remediation options include marking
items for deletion, notifying content owners, or tagging items for further
review.

The summary and resources unit of this module includes a link to learn more
about Privacy Risk Management policies, which provides more details on policy
settings, including the data sources supported and the data types to monitor.

Priva Subject Rights Requests

In accordance with certain privacy regulations around the world, individuals
(or data subjects) may make requests to review or manage the personal data
about themselves that companies have collected. These requests are
sometimes also referred to as data subject requests (DSRs), data subject
access requests (DSARs), or consumer rights requests. For companies that
store large amounts of information, finding the relevant data can be a
formidable task.

Microsoft Priva can help you handle these inquiries through the Subject
Rights Requests solution, which can address subject rights requests for data
within your organization's Microsoft 365 environment or subject rights
requests for data beyond Microsoft 365, currently in preview. The
solution provides automation, insights, and workflows to help organizations
fulfill requests more confidently and efficiently.

Consent Management (preview)

Nearly all interactions with companies, service providers, websites,
programs, and apps are conducted digitally, which has resulted in an
explosion of data belonging to individuals. It's never been more important for
organizations to meet the requirements of data privacy regulations to
provide the right type of consent and notice around the collection and use of
personal data.

Consent models refer to the approaches used by organizations to obtain,
manage, and record user consent for the collection, processing, and sharing
of personal data. These models are crucial for ensuring that organizations
comply with privacy regulations.

Priva Consent Management is a regulatory-independent solution for
streamlining the management of consented personal data. Consent
management empowers organizations to effectively track consumer consent
across their entire data estate.

Consent management provides customizable consent models that allow you
to add branding and style elements specific to your organization. Consent
models also support adding, importing, or machine-generating language
translations to support visitors in multiple regions who have different
language requirements. The consent models you create don't need to be
created for specific websites, meaning you can use the same model across
your public domains.

When you’re ready to publish your consent models, a centralized process
allows you to publish consent models at scale to multiple regions.

Privacy Assessments (preview)

Organizations today face significant challenges in maintaining current,
justified documentation of data usage across their data estates. The
assessment of personal data use often involves manual and time-consuming
tasks like generating and updating custom questionnaires as well as
monitoring data use across the business. As a result, privacy impact
assessments are performed after the fact or quickly become stale, failing to
accurately reflect the current state of data use within the organization.

Priva Privacy Assessments automates the discovery, documentation, and
evaluation of personal data use across your entire data estate. Using this
regulatory-independent solution, you can automate privacy assessments and
build a complete compliance record for the responsible use of personal data.

Tracker Scanning (preview)

Web tracker compliance refers to the adherence of websites to legal and
regulatory requirements regarding the use of web tracking technologies.
These technologies, such as cookies and other tracking mechanisms, are
used to monitor and collect data about users' activities on a website.

Many organizations find it challenging to effectively manage and monitor
web tracker compliance. Navigating the intricate realm of tracker compliance
is a complex and often burdensome task due to the swift evolution of
technology, the proliferation of websites, and the evolving landscape of
privacy regulations.

Priva Tracker Scanning empowers organizations to automate the
identification of tracking technologies across multiple web properties, driving
the efficient management of website privacy compliance. With Tracker
Scanning you can automate scans for trackers, evaluate and manage web
trackers, and streamline compliance reporting.

Priva portal (preview)

The new Priva portal (preview) has a unified experience that streamlines
navigation for all Priva solutions and provides a single-entry point for
settings, search, and roles and permissions management.

The classic Microsoft Purview compliance portal doesn't support the newest
solutions currently in preview: Consent Management, Privacy Assessments,
Tracker scanning, and Subject Rights Request beyond Microsoft 365.

Describe the data compliance solutions of Microsoft Purview

Microsoft Purview is a comprehensive set of solutions, accessed through the
Microsoft Purview portal, that helps organizations govern, protect, and
manage data, wherever it lives across their entire data estate.

Describe audit in Microsoft Purview

Auditing solutions in Microsoft Purview help organizations effectively respond
to security events, forensic investigations, internal investigations, and
compliance obligations. Thousands of user and admin operations performed
in dozens of Microsoft 365 services and solutions, and also Security Copilot
(if enabled) are captured, recorded, and retained in your organization's
unified audit log. Audit records for these events are searchable by security
ops, IT admins, insider risk teams, and compliance and legal investigators in
your organization. This capability provides visibility into the activities
performed across your Microsoft 365 organization.

Microsoft Purview provides two auditing solutions:

- Audit (Standard)
- Audit (Premium)

Audit (Standard)

Audit (Standard) is turned on by default for all organizations with the
appropriate subscription and available to users with the appropriate
permissions. When an audited activity is performed by a user or admin, an
audit record is generated and stored in the audit log for your organization. In
Audit (Standard), records are retained for 180 days. You can retrieve audit
logs that occur in most of the Microsoft 365 services in your organization by
using the following methods:

- The audit log search tool in the Microsoft Purview portal
- The Office 365 Management Activity API
- The Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell

After you search the audit log, you can export the audit records returned by
the search to a CSV file, enabling further analysis using Microsoft Excel or
Excel Power Query.

Audit (Premium)

Audit (Premium) builds on the capabilities of Audit (Standard) by providing
audit log retention policies, longer retention of audit records, high-value
intelligent insights, and higher bandwidth access to the Office 365
Management Activity API.

- Audit log retention policies. You can create customized audit log
  retention policies to retain audit records for longer periods of time, up to
  one year (and up to 10 years for users with the required add-on license).
- Longer retention of audit records. Microsoft Entra ID, Exchange,
  OneDrive, and SharePoint audit records are retained for one year by
  default. Audit records for all other activities are retained for 180 days by
  default, or you can use audit log retention policies to configure longer
  retention periods.
- Audit (Premium) intelligent insights. Audit records for intelligent insights
  can help your organization conduct forensic and compliance
  investigations by providing visibility into events such as when mail items
  were accessed, when mail items were replied to and forwarded, or
  when and what a user searched for in Exchange Online and SharePoint
  Online. These intelligent insights can help you investigate possible
  breaches and determine the scope of compromise.
- Higher bandwidth to the Office 365 Management Activity API. Audit
  (Premium) provides organizations with more bandwidth to access
  auditing logs through the Office 365 Management Activity API.

Licensing

Licensing for Audit (Standard) or Audit (Premium) requires the appropriate
organization-level subscription and corresponding per-user licensing. For
additional information on licensing requirements, visit the Learn more
section in the Summary and resources unit.

Describe eDiscovery
Electronic discovery, or eDiscovery, is the process of identifying and
delivering electronic information that can be used as evidence in legal cases.

eDiscovery is one of the solutions available through the Microsoft Purview
portal, under the Risk & Compliance set of solutions.

The Microsoft Purview portal presents a unified UI experience for eDiscovery.
If you previously worked with eDiscovery through the Microsoft Purview
compliance portal, a key difference is that you'll no longer experience a
different UI for eDiscovery (Standard) and eDiscovery (Premium). Instead,
you have one consistent UI and, depending on the licensing and subscriptions
for your organization, you can further manage cases and analyze content
using premium eDiscovery features.

To access any of the eDiscovery-related tools, a user must be assigned the
appropriate permissions.

eDiscovery can be accessed through the Microsoft Purview compliance
portal, but the Microsoft Purview compliance portal is scheduled for
retirement by the end of 2024. Unless otherwise stated, information in this
unit refers to eDiscovery functionality available through the Microsoft
Purview portal.

You can use Microsoft Purview eDiscovery to identify, review, and manage
content in Microsoft 365 services to support your investigations. Supported
Microsoft 365 services include:

- Exchange Online
- Microsoft Teams
- Microsoft 365 Groups
- OneDrive
- SharePoint
- Viva Engage

eDiscovery workflow

The eDiscovery workflow helps you more quickly identify, investigate, and
take action on electronically stored information (ESI) in your organization.
Identifying and taking action on ESI items with eDiscovery (preview) uses the
following workflow:

Step 1: Escalate from trigger event: Trigger events are activities that are
escalated in your organization and prompt the creation of a new case in
eDiscovery (preview).

Step 2: Create and manage case: A case in eDiscovery (preview) contains
all searches, holds, and review sets related to a specific investigation.

Step 3: Search, evaluate results, and refine: After you create a case,
use the built-in search tools in eDiscovery (preview) to search the content
locations in your organization.

Step 4a: Actions include:

- Export search results
- Create review sets from the search results: A review set is a secure,
  Microsoft-provided Azure Storage location in the Microsoft cloud. When
  you add data to a review set, the collected items are copied from their
  original content location to the review set. Review sets provide a static,
  known set of content that you can search, filter, tag, and analyze.
- Create holds: You can create holds to preserve content that might be
  relevant to an eDiscovery case.

Step 5: Review and take action from review sets: There are many
different actions you can take. Some of the actions include:

- Run analytics: eDiscovery provides an integrated analytics tool that helps
  you further cull data from the review set that you determine isn't
  relevant to the investigation.
- Tag items: When experts, attorneys, or other users review content in a
  review set, their opinions related to the content can be captured by
  using tags.
- Export items: After you search for and find data that's relevant to your
  investigation, you can export it out of your Microsoft 365 organization
  for review by people outside of the investigation team.

eDiscovery features and capabilities

The list that follows is a small subset of the capabilities available with
eDiscovery. For a complete listing, refer to the features and capabilities
section of the article titled, "Learn about eDiscovery (preview)" linked in the
summary and resources unit of this module.

- Search for content: Search for content that's stored in Exchange
  mailboxes, OneDrive accounts, SharePoint sites, Microsoft Teams,
  Microsoft 365 Groups, and Viva Engage Teams.
- Export search results: Export search results to a local computer in
  your organization. When you export search results, items are copied
  from their original content location and packaged. Then you can
  download those items in the export package to a local computer.
- Place content locations on hold: Preserve content relevant to your
  investigation by placing a hold on the content locations in a case. Holds
  let you secure electronically stored information from inadvertent (or
  intentional) deletion during your investigation.
- Review sets (premium feature): A review set is a secure, Microsoft-
  provided Azure Storage location in the Microsoft cloud. When you add
  data to a review set, the collected items are copied from their original
  content location to the review set. Review sets provide a static, known
  set of content that you can search, filter, tag, analyze, and predict
  relevancy for using predictive coding models.
- Optical character recognition (OCR) (premium feature): When
  content is added to a review set, OCR functionality extracts text from
  images, and includes the image text with the content that's added to a
  review set. This lets you search for image text when you query the
  content in the review set.
- Conversation threading (premium feature): When chat messages
  from Teams and Viva Engage conversations are added to a review set,
  you can collect the entire conversation thread. This lets you review chat
  items in the context of the back-and-forth conversation.

Integration with Microsoft Security Copilot

Microsoft Purview eDiscovery supports integration with Microsoft Security
Copilot, through the embedded experience. Users whose organization has
been onboarded to Copilot, has enabled Copilot to access data from
Microsoft 365 services, and who have the appropriate role permissions can
experience Copilot integration through the following supported capabilities:

- Gain a contextual summary of evidence collected in eDiscovery review
  sets (Preview).
- Natural language to keyword query language (KeyQL) queries.

Gain contextual summary of evidence collected in eDiscovery review sets (Preview)

eDiscovery admins or managers spend a significant amount of time
reviewing evidence collected in review sets. You can use Security Copilot in
Microsoft Purview to provide a contextual summary of most items in a review
set.

The summary provided is in the context of text included in a selected item.
This summary can save time for reviewers by quickly identifying information
helpful when tagging or exporting items.

Security Copilot summarizes the entire item, including documents, meeting
transcripts, or attachments. You can also ask follow-up contextual questions
about the summary.

Natural language to KeyQL queries

With Copilot integration in eDiscovery, eDiscovery managers can use natural
language prompts to generate KeyQL queries. With the query generated, you
can save it or run the query. Copilot also provides prompt suggestions that
can be generated into a query.

Describe Compliance Manager

Microsoft Purview Compliance Manager is one of the solutions available
through the Microsoft Purview portal, under the Risk & Compliance set of
solutions.

Microsoft Purview Compliance Manager is a solution that helps you
automatically assess and manage compliance across your multicloud
environment. Compliance Manager can help you throughout your compliance
journey, from taking inventory of your data protection risks to managing the
complexities of implementing controls, staying current with regulations and
certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

- Prebuilt assessments based on common regional and industry
  regulations and standards. Admins can also use custom assessments to
  help with compliance needs unique to the organization.
- Workflow capabilities that enable admins to efficiently complete risk
  assessments for the organization.
- Step-by-step improvement actions that admins can take to help meet
  regulations and standards relevant to the organization. Some actions
  are managed for the organization by Microsoft. Admins get
  implementation details and audit results for those actions.
- Compliance score, which is a calculation that helps an organization
  understand its overall compliance posture by measuring how it's
  progressing with improvement actions.

The Compliance Manager dashboard shows the current compliance score,
helps admins to see what needs attention, and guides them to key
improvement actions.

Compliance Manager uses several data elements to help manage compliance
activities. As admins use Compliance Manager to assign, test, and monitor
compliance activities, it’s helpful to have a basic understanding of the key
elements: controls, assessments, regulations, and improvement actions.

Controls

A control is a requirement of a regulation, standard, or policy. It defines how
to assess and manage system configuration, organizational process, and
people responsible for meeting a specific requirement of a regulation,
standard, or policy.

Compliance Manager tracks the following types of controls:

- Microsoft-managed controls: controls for Microsoft cloud services,
  which Microsoft is responsible for implementing.
- Your controls: sometimes referred to as customer-managed controls,
  these are implemented and managed by the organization.
- Shared controls: responsibility for implementing these controls is
  shared by the organization and Microsoft.

Compliance Manager continuously assesses controls by scanning through
your Microsoft 365 environment and detecting your system settings,
continuously and automatically updating your technical action status.

Assessments

An assessment is a grouping of controls from a specific regulation, standard,
or policy. Completing the actions within an assessment helps to meet the
requirements of a standard, regulation, or law. For example, an organization
may have an assessment that, when completed, helps to bring the
organization’s Microsoft 365 settings in line with ISO 27001 requirements.

An assessment consists of several components including the services that
are in scope, the Microsoft-managed controls, your controls, shared controls,
and an assessment score that shows progress towards completing the
actions needed for compliance.

Compliance Manager provides templates to help admins to quickly create
assessments. They can modify these templates to create an assessment
optimized for their needs. All of your assessments are listed on the
Assessments page of Compliance Manager.

Regulations

The Regulations page in Compliance Manager displays the list of regulations
and certifications for which Compliance Manager provides control-mapping
templates. Compliance Manager provides over 360 regulatory templates
from which you can quickly create assessments.

Improvement actions

Improvement actions help centralize compliance activities. Each
improvement action provides recommended guidance that's intended to help
organizations to align with data protection regulations and standards.
Improvement actions can be assigned to users in the organization to do
implementation and testing work. Admins can also store documentation,
notes, and record status updates within the improvement action.

Benefits of Compliance Manager

Compliance Manager provides many benefits, including:

- Translating complicated regulations, standards, company policies, or
  other control frameworks into a simple language.
- Providing access to a large variety of out-of-the-box assessments and
  custom assessments to help organizations with their unique compliance
  needs.
- Mapping regulatory controls against recommended improvement
  actions.
- Providing step-by-step guidance on how to implement the solutions to
  meet regulatory requirements.
- Helping admins and users to prioritize actions that have the highest
  impact on their organizational compliance by associating a score with
  each action.

In summary, Compliance Manager helps organizations measure progress in
completing actions that help reduce risks around data protection and
regulatory standards.

Describe Communication Compliance

Microsoft Purview Communication Compliance is an insider risk solution that
helps you detect, capture, and act on inappropriate messages that can lead
to potential data security or compliance incidents within your organization.
Communication compliance evaluates text and image-based messages in
Microsoft and third-party apps (Teams, Viva Engage, Outlook, WhatsApp,
etc.) for potential business policy violations, including inappropriate sharing
of sensitive information, threatening or harassing language, and potential
regulatory violations.

Communication Compliance has predefined and custom policies that allow
you to check internal and external communications for policy matches so
that designated reviewers can examine them. Reviewers can investigate
email, Microsoft Teams, Microsoft Copilot for Microsoft 365, Viva Engage, or
third-party communications in your organization and take appropriate
actions to make sure they're compliant with your organization's message
standards.

With role-based access controls, Communication compliance supports the
separation of duties between your IT admins and your compliance
management team. For example, the IT group for your organization might be
responsible for setting up communication compliance role permissions,
groups, and policies, while investigators and reviewers might be responsible
for message triage, review, and mitigation actions.

Identifying and resolving compliance issues with communication compliance
in Microsoft Purview uses the following workflow:

- Configure: in this step, admins identify compliance requirements and
  configure applicable communication compliance policies.
- Investigate: admins look deeper into the issues detected when
  matching your communication compliance policies. Tools and steps that
  help include alerts, issue management to help remediation, document
  reviews, reviewing user history, and filters.
- Remediate: remediate communication compliance issues. Options
  include: resolving an alert, tagging a message, notifying the user,
  escalating to another reviewer, marking an alert as a false positive,
  removing a message in Teams, and escalating for investigation.
- Monitor: keeping track of and managing compliance issues identified by
  communication compliance policies spans the entire workflow process.
  Communication compliance dashboard widgets, export logs, and events
  recorded in the unified audit logs can be used to continually evaluate
  and improve your compliance posture.

Some important compliance areas where communication compliance policies
can assist with reviewing messages include:

- Corporate policies: Users have to follow corporate policies like usage
  and ethical standards in their day-to-day business communications.
  With communication compliance, admins can scan user communications
  across the organization for potential concerns of offensive language or
  harassment.
- Risk management: Communication compliance can help admins scan
  for unauthorized communication about projects that are considered to
  be confidential, such as acquisitions, earnings disclosures, and more.
- Regulatory compliance: Most organizations are expected to follow
  some regulatory compliance standards during their day-to-day
  operations. For example, a regulation might require organizations to
  review communications of its brokers to safeguard against potential
  insider trading, money laundering, or bribery. Communication
  compliance enables the organization to scan and report on these types
  of communications in a way that meets their requirements.

Communication compliance is a powerful tool that can help maintain and
safeguard your staff, your data, and your organization.

Integration with Microsoft Security Copilot

Microsoft Purview Communication Compliance supports integration with
Microsoft Security Copilot, through the embedded experience. Users whose
organization is onboarded to Copilot, has enabled Copilot to access data from
Microsoft 365 services, and who have the appropriate role permissions can
experience Copilot integration through the following supported capabilities:

- Get a contextual summary of a message and its attachments in the
  context of classifier conditions that flagged the message.
- Ask follow-up contextual questions about the message and its
  attachments.

Contextual summarization currently supports trainable classifiers as context,
and contextual summaries are only eligible for messages and attachments
with a combined length of 100 words or more.

To access Copilot from within Microsoft Purview Communication Compliance:

1. Navigate to the Communication Compliance solution from the Microsoft
   Purview compliance portal, or the new Microsoft Purview portal currently
   in preview, then navigate to the Policies tab in Communication
   Compliance.
2. Navigate to a policy that uses trainable classifiers as part of the policy’s
   configuration and view message content by selecting a policy match.
3. A Copilot action button appears in the upper left command bar or a
   Summarize action button in the lower right command bar. Select either
   action to generate a contextual summary of the message and supported
   attachments.
4. To learn more about the message, explore other default prompts or
   type your own follow-up question into the text prompt in the Security
   Copilot side panel.

Describe Data Lifecycle Management

Microsoft Purview Data Lifecycle Management provides you with tools and
capabilities to retain the content that you need to keep, and delete the
content that you don't. Retaining and deleting emails, documents, and
messages are often needed for compliance and regulatory requirements.
However, deleting content that no longer has business value also reduces
your attack surface.

Retention policies and retention labels

Retention policies and retention labels are important tools for data lifecycle
management. They help organizations to manage and govern information by
ensuring content is kept only for a required time, and then permanently
deleted. Applying retention labels and assigning retention policies helps
organizations:

- Comply proactively with industry regulations and internal
  policies that require content to be kept for a minimum time.
- Reduce risk when there's litigation or a security breach by
  permanently deleting old content that the organization is no longer
  required to keep.
- Ensure users work only with content that's current and relevant
  to them. Content that is no longer relevant should be deleted.

Managing content commonly requires two actions: retaining content and
deleting content.

- Retaining content prevents permanent deletion and ensures content
  remains available for eDiscovery.
- Deleting content permanently deletes content from your organization.

With these two retention actions, you can configure retention settings for the
following outcomes:

- Retain-only: Retain content forever or for a specified period of time.
- Delete-only: Permanently delete content after a specified period of time.
- Retain and then delete: Retain content for a specified period of time and
  then permanently delete it.

When content has retention settings assigned to it, that content remains in
its original location. People can continue to work with their documents or
mail as if nothing changed. But if they edit or delete content included in the
retention policy, a copy of the content is automatically kept in a secure
location. The secure locations and the content aren't visible to most people.
In most cases, people don't even need to know that their content is subject
to retention settings.

Retention settings work with the following different workloads:

- SharePoint
- OneDrive
- Microsoft Teams
- Viva Engage
- Exchange

To assign your retention settings to content, use retention policies and
retention labels with label policies. You can use just one of these methods, or
combine them.

When using retention policies and retention labels to assign retention
settings to content, there are some points to understand about each. Listed
below are just a few of the key points. For more information, see the article,
"Learn about retention policies and retention labels" linked in the Summary
and resources unit of this module.

Retention policies

- Retention policies are used to assign the same retention settings to
  content at a site level or mailbox level.
- A single policy can be applied to multiple locations, or to specific
  locations or users.
- Items inherit the retention settings from their container specified in the
  retention policy. If a policy is configured to keep content, and an item is
  then moved outside that container, a copy of the item is kept in the
  workload's secured location. However, the retention settings don't travel
  with the content in its new location.

Retention labels

- Retention labels are used to assign retention settings at an item level,
  such as a folder, document, or email.
- An email or document can have only a single retention label assigned to
  it at a time.
- Retention settings from retention labels travel with the content if it’s
  moved to a different location within your Microsoft 365 tenant, but don't
  persist if the content is moved outside of your Microsoft 365 tenant.
- Admins can enable users in the organization to apply a retention label
  manually.
- A retention label can be applied automatically if it matches defined
  conditions.
- A default label can be applied for SharePoint documents.
- Retention labels support disposition review to review the content before
  it's permanently deleted.

Describe Records Management

Organizations of all types require a management solution to manage
regulatory, legal, and business-critical records across their corporate data.
Microsoft Purview Records Management helps an organization look after their
legal obligations. It also helps to demonstrate compliance with regulations,
and increases efficiency with regular disposition of items that are no longer
required to be kept, no longer of value, or no longer required for business
purposes. Microsoft Purview Records Management includes many features,
including:

- Labeling content as a record.
- Establishing retention and deletion policies within the record label.
- Triggering event-based retention.
- Reviewing and validating disposition.
- Proof of records deletion.
- Exporting information about disposed items.

When content is labeled as a record, by using a retention label, the following
happens:

- Restrictions are put in place to block certain activities.
- Activities are logged.
- Proof of disposition is kept at the end of the retention period.

To enable items to be marked as records, an administrator sets up retention
labels.

Items such as documents and emails can then be marked as records based
on those retention labels. Items might be marked as records, but they can
also be shown as regulatory records. Regulatory records provide other
controls and restrictions such as:

- A regulatory label can’t be removed when an item has been marked as
  a regulatory record.
- The retention periods can’t be made shorter after the label has been
  applied.

For more information on comparing restrictions between records and
regulatory records, see the section "Compare restrictions for what actions
are allowed or blocked" in the article "Learn about records
management," linked in the summary and resources unit of this module.

The most important difference is that if content has been marked as a
regulatory record, nobody, not even a global administrator, can remove the
label. Marking an item as a regulatory record can have irreversible
consequences, and should only be used when necessary. As a result, this
option isn’t available by default, and has to be enabled by the administrator
using PowerShell.
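
The following Security & Compliance PowerShell session is an added example, not code from this module: it turns on the regulatory-record option that the portal hides by default, creates a retention label that implements the "retain and then delete" outcome described under Data Lifecycle Management (keep for seven years from creation, then delete), declares the label a record, and publishes it to SharePoint and Exchange. The admin UPN, the label and policy names, and the seven-year period are assumptions.

```powershell
# Added example, not from the module. Requires the ExchangeOnlineManagement module
# and a compliance role (for example Compliance Administrator) in the tenant.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

# The regulatory-record option is hidden in the portal by default because marking an
# item as a regulatory record is irreversible; this one-time switch exposes it to label
# authors. Run it only once the records team has agreed on when it may be used.
Set-RegulatoryComplianceUI -Enabled $true

# "Retain and then delete": keep for 7 years (2555 days) from creation, then delete.
# -IsRecordLabel $true makes labeled items records (certain edits blocked, activity
# logged, proof of disposition kept). This is a plain record, not a regulatory one;
# add -Regulatory $true only if nobody must ever be able to remove the label.
$label = New-ComplianceTag -Name "Finance Record 7y" `
    -Comment "Hypothetical label: finance records kept 7 years, then deleted" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2555 `
    -IsRecordLabel $true

# A label policy publishes the label so users (and auto-apply rules) can use it in
# the chosen workloads; until published, the label exists but is not available.
New-RetentionCompliancePolicy -Name "Finance Record Labels" `
    -SharePointLocation All -ExchangeLocation All
New-RetentionComplianceRule -Policy "Finance Record Labels" `
    -PublishComplianceTag $label.Name

# Verify the settings that were actually stored before telling users to apply it
Get-ComplianceTag -Identity "Finance Record 7y" |
    Format-List Name, RetentionAction, RetentionType, RetentionDuration,
                IsRecordLabel, Regulatory
```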

Common use cases for Microsoft Purview Records Management

There are different ways in which Microsoft Purview Records Management
can be used across an organization, including:

- Enabling administrators and users to manually apply retention and
  deletion actions for documents and emails.
- Automatically applying retention and deletion actions to documents and
  emails.
- Enabling site admins to set default retain and delete actions for all
  content in a SharePoint library, folder, or document set.
- Enabling users to automatically apply retain and delete actions to
  emails by using Outlook rules.

To ensure Microsoft Purview Records Management is used correctly across
the organization, administrators can work with content creators to put
together training materials. Documentation should explain how to apply
labels to drive usage, and ensure a consistent understanding.

Unit 12

Describe threat protection with Microsoft Defender XDR

Extended Detection and Response (XDR) solutions are designed to deliver a
holistic, simplified, and efficient approach to protect organizations against
advanced attacks.

Microsoft Defender XDR is an XDR solution not just in name but also in
practice. Microsoft Defender XDR delivers a unified pre- and post-breach
enterprise defense suite that natively coordinates detection, prevention,
investigation, and response across endpoints, identities, email, and
applications to provide integrated protection against sophisticated attacks.

Describe Microsoft Defender XDR services

Microsoft Defender XDR is an enterprise defense suite of solutions that
protects against sophisticated cyberattacks. Microsoft Defender XDR allows
admins to assess threat signals from endpoints, applications, email, and
identities to determine an attack's scope and impact. It gives greater insight
into how the threat occurred, and what systems have been affected.
Microsoft Defender XDR can then take automated action to prevent or stop
the attack.

The Microsoft Defender XDR suite includes:

 Microsoft Defender for Endpoint - Microsoft Defender for Endpoint is
a unified endpoint platform for preventative protection, post-breach
detection, automated investigation, and response.
 Defender Vulnerability Management - Microsoft Defender
Vulnerability Management delivers continuous asset visibility, intelligent
risk-based assessments, and built-in remediation tools to help your
security and IT teams prioritize and address critical vulnerabilities and
misconfigurations across your organization.
 Microsoft Defender for Office 365 - Defender for Office 365
safeguards your organization against malicious threats posed by email
messages, links (URLs), and collaboration tools.
 Microsoft Defender for Identity - Microsoft Defender for Identity uses
Active Directory signals to identify, detect, and investigate advanced
threats, compromised identities, and malicious insider actions directed
at your organization.
 Microsoft Defender for Cloud Apps - Microsoft Defender for Cloud
Apps delivers full protection for software as a service (SaaS)
applications. Defender for Cloud Apps is a cloud access security broker
that brings deep visibility, strong data controls, and enhanced threat
protection to your cloud apps.

Microsoft Defender XDR now also integrates with Microsoft Security
Copilot. Integration with Security Copilot can be experienced through the
standalone and embedded experiences.

The information and insights surfaced by the Microsoft Defender XDR suite of
solutions are centralized in the Microsoft Defender portal, which delivers
a unified security operations platform. As a unified security operations
platform, the Microsoft Defender portal now includes information and
insights from other Microsoft security products, including Microsoft Sentinel
and Microsoft Defender for Cloud.

Users also access the Microsoft Defender Threat Intelligence solution from the
Microsoft Defender XDR portal. Microsoft Defender TI aggregates and
enriches critical threat information to support security analyst triage, incident
response, threat hunting, and vulnerability management workflows.

Throughout the rest of this module, you'll learn more about the solutions that
are part of Microsoft Defender XDR, the Microsoft Defender portal, the
integration of Microsoft Defender XDR with Microsoft Security Copilot, and
Microsoft Defender Threat Intelligence.

Describe Microsoft Defender for Office 365
Microsoft Defender for Office 365 is a seamless integration into your Office
365 subscription that provides protection against threats, like phishing and
malware that arrive in email links (URLs), attachments, or collaboration tools
like SharePoint, Teams, and Outlook. Defender for Office 365 provides real-
time views of threats. It also provides investigation, hunting, and
remediation capabilities to help security teams identify, prioritize,
investigate, and respond to threats.

Microsoft Defender for Office 365, which is available in two plans, Microsoft
Defender for Office 365 Plan 1 and Plan 2, safeguards organizations against
malicious threats by providing admins and security operations (sec ops)
teams a wide range of capabilities.

These capabilities can be categorized into the following security emphases:

 Preventing and detecting threats
 Investigating threats
 Responding to threats

Prevent and detect

Some of the features of Microsoft Defender for Office 365 that help
organizations prevent and detect email- and collaboration-based threats
include:

 Anti-malware protection that protects against major categories of
malware, including viruses, spyware, and ransomware.
 Anti-spam protection that uses content filtering technologies to identify
and separate junk email from legitimate email.
 Anti-phishing (spoofing) protection to protect against phishing (spoofed)
email attacks that try to steal sensitive information in messages that
appear to be from legitimate or trusted senders.
 Outbound spam filtering
 Connection filtering to help identify good or bad source email servers by
IP addresses.
 Quarantine policies to define the user experience for quarantined
messages
 The Submissions page in the Microsoft Defender portal to submit
messages, URLs, and attachments to Microsoft for analysis.
 Safe attachments that provide an additional layer of protection against
malware. After files are scanned by the common virus detection engine
in Microsoft 365, Safe Attachments opens files in a virtual environment
to see what happens (a process known as detonation).
 Safe Links scanning that protects your organization from malicious links
that are used in phishing and other attacks.
 Email and collaboration alerts
 Attack simulation training, which allows admins to run realistic attack
scenarios in your organization. These simulated attacks help identify
and train vulnerable users before a real attack impacts your bottom line.
 Security information and event management (SIEM) integration for
alerts.

Investigate

Some of the features of Microsoft Defender for Office 365 that help
organizations investigate email- and collaboration-based threats include:

 Audit log search by users with appropriate permissions, such as admins,
insider risk teams, and compliance and legal investigators, to provide
visibility into the activities of the organization.
 Message trace capabilities. Message trace follows email messages as
they travel through your Microsoft 365 organization. You can determine
if a message was received, rejected, deferred, or delivered by the
service. It also shows what actions were taken on the message before it
reached its final status.
 Reports to help you see how email security features are protecting your
organization.
 Explorer (also known as Threat Explorer) or Real-time detections that
are near real-time tools to help Security Operations (SecOps) teams
investigate and respond to threats. Explorer allows admins to see
malware detected by Microsoft 365 security features, start an
automated investigation and response process, investigate malicious
email, and more.
 Security information and event management (SIEM) integration for
detections.
 URL trace that allows admins to investigate a domain to see if the
devices and servers in your enterprise network have been
communicating with a known malicious domain.
 Threat trackers that are queries that you create and save to
automatically or manually discover cybersecurity threats in your
organization.
 The campaigns feature that identifies and categorizes coordinated
phishing and malware email attacks. The campaigns feature lets you
see the overall picture of an email attack faster and more completely
than any human.
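A worked example of the message trace capability described above, added here and not part of the Microsoft Learn module: it follows all mail from a suspected sender over the last 48 hours, groups the messages by final status, and lists the per-message actions for those that reached a mailbox. It assumes an Exchange Online PowerShell session (ExchangeOnlineManagement module) and uses a constructed placeholder sender address.

```powershell
# Added example (not part of the module): triage a suspected phishing sender
# with message trace from Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that permits message trace.

Connect-ExchangeOnline   # interactive sign-in; omit if a session already exists

$suspectSender = 'invoice@example-lookalike.test'   # constructed placeholder
$start = (Get-Date).AddDays(-2)
$end   = Get-Date

# Follow every message from the sender as it travelled through the organization.
$trace = Get-MessageTrace -SenderAddress $suspectSender `
                          -StartDate $start -EndDate $end -PageSize 5000

if (-not $trace) {
    Write-Host "No messages from $suspectSender in the last 48 hours."
    return
}

# Final status per message (for example Delivered, FilteredAsSpam, Quarantined,
# Failed, Pending). Rejected or quarantined mail never reached a user.
$trace | Group-Object Status | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Messages that reached a mailbox are the ones to review; zero-hour auto purge
# may still act on them later, but until then a user can open them.
$delivered = $trace | Where-Object Status -eq 'Delivered'

foreach ($msg in $delivered) {
    Write-Host "`nDelivered to $($msg.RecipientAddress) at $($msg.Received): $($msg.Subject)"
    # Per-message events show which actions the service took (receive, spam and
    # malware verdicts, transport rules, delivery) before the final status.
    Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
                           -RecipientAddress $msg.RecipientAddress |
        Sort-Object Date |
        Select-Object Date, Event, Action, Detail | Format-Table -AutoSize
}

# Keep the delivered set for follow-up, for example an Explorer search on the
# same sender or a report through the Submissions page.
$delivered | Select-Object Received, RecipientAddress, Subject, MessageId |
    Export-Csv -Path '.\suspect-sender-delivered.csv' -NoTypeInformation
```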

Respond

Some of the features of Microsoft Defender for Office 365 that help
organizations respond to email- and collaboration-based threats include:

 Zero-hour auto purge (ZAP) that retroactively detects and neutralizes
malicious phishing, spam, or malware messages that have already been
delivered to Exchange Online mailboxes.
 Automated investigation and response (AIR) capabilities that include
automated investigation processes in response to well-known threats
that exist today.
 Security information and event management (SIEM) integration for
automated responses.

For a complete listing of the features in each plan, see the Microsoft
Defender for Office 365 security product overview document that is linked in
the summary and resources unit of this module.

Microsoft Defender for Office 365 in the Microsoft Defender portal

Microsoft Defender for Office 365 is experienced through the Microsoft
Defender portal. The Defender portal is the home for monitoring and
managing security across your Microsoft identities, data, devices, apps, and
infrastructure, allowing security admins to perform their security tasks in
one location.

Microsoft Defender for Office 365 functionality can be found under the Email
& collaboration node on the left navigation panel of the Microsoft Defender
portal.

 Investigations - View, manage, and remediate threats using automated
investigation and response.
 Explorer - Investigate, hunt for, and remediate threats in emails and
documents.
 Review - Manage quarantined items and restricted senders.
 Campaigns - Analyze coordinated attacks against your environment.
 Threat tracker - Monitor threat trends using widgets and custom
searches.
 Exchange message trace - Analyze message flow in the Exchange admin
center.
 Attack simulation training - Assess and build user resilience using
simulated attacks and training.
 Policies & rules - Configure security policies for email and other
Microsoft 365 workspaces.

Describe Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a platform designed to help enterprise
networks protect endpoints including laptops, phones, tablets, PCs, access
points, routers, and firewalls. It does so by preventing, detecting,
investigating, and responding to advanced threats. Microsoft Defender for
Endpoint embeds technology built into Windows 10 and beyond, and
Microsoft cloud services. This technology includes:

 Endpoint behavioral sensors that are embedded in Windows 10 and
beyond that collect and process signals from the operating system.
 Cloud security analytics that translate behavioral signals into insights,
detections, and recommended responses to advanced threats.
 Threat intelligence that enables Defender for Endpoint to identify
attacker tools, techniques, and procedures, and generate alerts when
they're observed in collected sensor data.

Microsoft Defender for Endpoint includes:

 Core Defender Vulnerability Management: Built-in core
vulnerability management capabilities use a risk-based approach to the
discovery, assessment, prioritization, and remediation of endpoint
vulnerabilities and misconfigurations.
 Attack surface reduction: The attack surface reduction set of
capabilities provides the first layer of defense in the stack. By ensuring
configuration settings are properly set and exploit mitigation techniques
are applied, the capabilities resist attacks and exploitation. This set of
capabilities also includes network protection and web protection, which
regulate access to malicious IP addresses, domains, and URLs.
 Next generation protection: Next-generation protection was
designed to catch all types of emerging threats. In addition to Microsoft
Defender Antivirus, your next-generation protection services include the
following capabilities:
o Behavior-based, heuristic, and real-time antivirus protection.
o Cloud-delivered protection, which includes near-instant detection and
blocking of new and emerging threats.
o Dedicated protection and product updates, which include updates
related to keeping Microsoft Defender Antivirus up to date.
 Endpoint detection and response: Provides advanced attack
detections that are near real time and actionable. Security analysts can
prioritize alerts, see the full scope of a breach, and take response
actions to remediate threats.
 Automated investigation and remediation (AIR): The technology in
automated investigation uses various inspection algorithms and is
based on processes that are used by security analysts. AIR capabilities
are designed to examine alerts and take immediate action to resolve
breaches. AIR capabilities significantly reduce alert volume, allowing
security operations to focus on more sophisticated threats and other
high-value initiatives.
 Microsoft Secure Score for Devices: Microsoft Secure Score for
Devices helps you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take
recommended actions to improve the overall security of your
organization.
 Microsoft Threat Experts: Microsoft Threat Experts is a managed
threat hunting service that provides proactive hunting, prioritization,
and additional context and insights that further empower Security
operation centers (SOCs) to identify and respond to threats quickly and
accurately.
 Management and APIs: Defender for Endpoint offers an API model
designed to expose entities and capabilities through a standard
Microsoft Entra ID-based authentication and authorization model.

Microsoft Defender for Endpoint also integrates with various components in
the Microsoft Defender suite, and with other Microsoft solutions including
Intune and Microsoft Defender for Cloud.

Microsoft Defender for Endpoint is available in two plans, Defender for
Endpoint Plan 1 and Plan 2. Information on what's included in each plan is
detailed in the Compare Microsoft Defender for Endpoint plans document
linked in the summary and resources unit.

Microsoft Defender for Endpoint in the Microsoft Defender portal

Microsoft Defender for Endpoint is experienced through the Microsoft
Defender portal. The Defender portal is the home for monitoring and
managing security across your Microsoft identities, data, devices, apps, and
infrastructure, allowing security admins to perform their security tasks in
one location.

The Endpoints node on the left navigation panel of the Microsoft Defender
portal includes the following:

 Vulnerability management - Manage vulnerabilities and other risk
sources on devices. From here you can access the vulnerability
management dashboard, recommendations, remediation, weaknesses,
and more. More details on Microsoft Defender Vulnerability Management
are in a subsequent unit of this module.
 Partners and APIs - From here you can select Connected applications
and API explorer.
o Connected applications - The Connected applications page provides
information about the Microsoft Entra applications (SaaS applications
that are preintegrated with Microsoft Entra ID) connected to Microsoft
Defender for Endpoint in your organization.
o API Explorer - Defender for Endpoint exposes much of its data and
actions through a set of programmatic APIs. Those APIs enable you to
automate workflows and innovate based on Defender for Endpoint
capabilities. The Microsoft Defender for Endpoint API Explorer is a tool
that helps you explore various Defender for Endpoint APIs
interactively. You can use the API explorer to test Microsoft Defender
for Endpoint capabilities by running sample queries or creating and
testing your own API query.
 Configuration management - Define endpoint policies and track
deployment.

Describe Microsoft Defender for Cloud Apps
Software as a service (SaaS) apps are ubiquitous across hybrid work
environments. Protecting SaaS apps and the important data they store is a
significant challenge for organizations. The rise in app usage, combined with
employees accessing company resources outside of the corporate perimeter
has also introduced new attack vectors. To combat these attacks effectively,
security teams need an approach that protects their data within cloud apps
beyond the traditional scope of cloud access security brokers (CASBs).

Microsoft Defender for Cloud Apps delivers full protection for SaaS
applications, helping you monitor and protect your cloud app data across the
following feature areas:

 Fundamental cloud access security broker (CASB) functionality. A CASB
acts as a gatekeeper to broker real-time access between your enterprise
users and the cloud resources they use. CASBs help organizations
protect their environment by providing a wide range of capabilities
across key functional areas including: discovery into cloud app usage
and shadow IT, protection against app-based threats from anywhere in
the cloud, information protection, and compliance.
 SaaS Security Posture Management (SSPM) features, enabling security
teams to improve the organization's security posture.
 Advanced threat protection, as part of Microsoft's extended detection
and response (XDR) solution, enabling powerful correlation of signal and
visibility across the full kill chain of advanced attacks.
 App-to-app protection, extending the core threat scenarios to OAuth-
enabled apps that have permissions and privileges to critical data and
resources.

Discover SaaS applications

Defender for Cloud Apps shows the full picture of risks to your environment
from SaaS app usage and resources, and gives you control of what’s being
used and when.

 Identify: Defender for Cloud Apps uses data based on an assessment of
network traffic and an extensive app catalog to identify apps accessed
by users across your organization.
 Assess: Evaluate discovered apps for more than 90 risk indicators,
allowing you to sort through the discovered apps and assess your
organization's security and compliance posture.
 Manage: Set policies that monitor apps around the clock. For example, if
anomalous behavior happens, like unusual spikes in usage, you're
automatically alerted and guided to action.

Information protection

Defender for Cloud Apps connects to SaaS apps to scan for files containing
sensitive data, uncovering which data is stored where and who is accessing
it. To protect this data, organizations can implement controls such as:

 Apply a sensitivity label
 Block downloads to an unmanaged device
 Remove external collaborators on confidential files

The Defender for Cloud Apps integration with Microsoft Purview also enables
security teams to leverage out-of-the-box data classification types in their
information protection policies and control sensitive information with data
loss protection (DLP) features.

SaaS Security Posture Management (SSPM)

Optimizing an organization's security posture is important, but security
teams are challenged by needing to research best practices for each app
individually. Defender for Cloud Apps helps by surfacing misconfigurations
and recommending specific actions to strengthen the security posture for
each connected app. Recommendations are based on industry standards like
the Center for Internet Security and follow best practices set by the specific
app provider.

Defender for Cloud Apps automatically provides SSPM data in Microsoft
Secure Score, for any supported and connected app.

Advanced threat protection

Cloud apps continue to be a target for adversaries trying to exfiltrate
corporate data. Sophisticated attacks often cross modalities. Attacks often
start from email as the most common entry point, then move laterally to
compromise endpoints and identities, before ultimately gaining access to in-
app data.

Defender for Cloud Apps offers built-in adaptive access control (AAC),
provides user and entity behavior analysis (UEBA), and helps you mitigate
these types of attacks.

Defender for Cloud Apps is also integrated directly into Microsoft Defender
XDR, correlating extended detection and response (XDR) signals from the
Microsoft Defender suite and providing incident-level detection,
investigation, and powerful response capabilities. Integrating SaaS security
into Microsoft's XDR experience gives SOC teams full kill chain visibility and
improves operational efficiency and effectiveness.

App to app protection with app governance

OAuth, an open standard for token-based authentication and authorization,
enables a user's account information to be used by third-party services,
without exposing the user's password. Apps that use OAuth often have
extensive permissions to access data in other apps on behalf of a user,
making OAuth apps susceptible to a compromise.

Defender for Cloud Apps closes the gap on OAuth app security, helping you
protect inter-app data exchange with application governance. With Defender
for Cloud Apps, you can watch for unused apps and monitor both current and
expired credentials to govern the apps used in your organization and
maintain app hygiene.

Microsoft Defender for Cloud Apps in the Microsoft Defender portal

Microsoft Defender for Cloud Apps is experienced through the Microsoft
Defender portal. The Defender portal is the home for monitoring and
managing security across your Microsoft identities, data, devices, apps, and
infrastructure, allowing security admins to perform their security tasks in
one location.

Microsoft Defender for Cloud Apps functionality can be found under the Cloud
apps node on the left navigation panel of the Microsoft Defender portal. The
list that follows is a subset of the functionality supported.

 Cloud discovery - Identify cloud app usage in your environment.
 Cloud app catalog - Reference information about known cloud apps.
 App governance - Get in-depth visibility and control over OAuth apps
integrated with Microsoft Entra ID, Google, and Salesforce.
 Activity log - View all activities involving connected apps.
 Governance log - Review actions taken to secure cloud apps.
 Policies - Configure security policies for cloud apps.

Describe Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that uses
signals from your on-premises identity infrastructure servers to detect
threats, like privilege escalation or high-risk lateral movement, and reports
on easily exploited identity issues.

At a high level, the way Microsoft Defender for Identity works is as follows:

 Microsoft Defender for Identity uses software-based sensors installed on
your on-premises identity infrastructure servers (domain controllers and
servers running Active Directory Federation Services and Active
Directory Certificate Services).

 The Defender for Identity sensor accesses the event logs it requires
directly from the servers. After the logs and network traffic are parsed
by the sensor, Defender for Identity sends only the parsed information
to the Defender for Identity cloud service. The Defender for Identity
cloud service uses the data and signals obtained to deliver an identity threat
detection and response (ITDR) solution. Microsoft Defender for Identity
gives security professionals managing a hybrid environment the
functionality to:

o Prevent breaches, by proactively assessing your identity posture.
o Detect threats, using real-time analytics and data intelligence.
o Investigate suspicious activities, using clear, actionable incident
information.
o Respond to attacks, using automatic response to compromised
identities.

 The configuration of the service and the signals and insights generated
by the Microsoft Defender for Identity service are exposed through the
Microsoft Defender portal that provides security teams a unified
experience for investigating and responding to attacks.

Proactively assess your identity posture

Defender for Identity provides you with a clear view of your identity security
posture, helping you to identify and resolve security issues before they can
be exploited by attackers. For example, Microsoft Defender for Identity
continuously monitors your environment to identify sensitive accounts with
the riskiest lateral movement paths that expose a security risk, and reports
on these accounts to assist you in managing your environment. Defender for
Identity security assessments, available from Microsoft Secure Score, provide
extra insights to improve your organizational security posture and policies.

Detect threats, using real-time analytics and data intelligence

Defender for Identity monitors and analyzes user activities and information
across your network, including permissions and group membership, creating
a behavioral baseline for each user. Defender for Identity then identifies
anomalies with adaptive built-in intelligence. It gives insights into suspicious
activities and events, revealing the advanced threats, compromised users,
and insider threats facing your organization. Defender for Identity identifies
these advanced threats at the source throughout the entire cyberattack kill-
chain:

 Reconnaissance - Identify rogue users and attackers' attempts to gain
information.
 Compromised credentials - Identify attempts to compromise user
credentials using brute force attacks, failed authentications, user group
membership changes, and other methods.
 Lateral movements - Detect attempts to move laterally inside the
network to gain further control of sensitive users.
 Domain dominance - View attacker behavior if threat actors gain control
over Active Directory, referred to as domain dominance, through remote
code execution on the domain controller or other methods.

Investigate alerts and user activities

Defender for Identity is designed to reduce general alert noise, providing
only relevant, important security alerts in a simple, real-time organizational
attack timeline.

Use the Defender for Identity attack timeline view and the intelligence of
smart analytics to stay focused on what matters. Also, you can use Defender
for Identity to quickly investigate threats, and gain insights across the
organization for users, devices, and network resources.

Microsoft Defender for Identity protects your organization from compromised
identities, advanced threats, and malicious insider actions.

Remediation actions

Microsoft Defender for Identity supports remediation actions to be performed
directly on your on-premises identities. Examples include:

 Disable user in Active Directory: This will temporarily prevent a user
from signing in to the on-premises network. This can help prevent
compromised users from moving laterally and attempting to exfiltrate
data or further compromise the network.

 Reset user password – This will prompt the user to change their
password on the next sign-in, ensuring that this account can't be used
for further impersonation attempts.

Depending on your Microsoft Entra ID roles, you may see additional Microsoft
Entra ID actions, such as requiring users to sign in again and confirming a
user as compromised.

Microsoft Defender for Identity in the Microsoft Defender portal

Microsoft Defender for Identity is experienced through the Microsoft
Defender portal. The Defender portal is the home for monitoring and
managing security across your Microsoft identities, data, devices, apps, and
infrastructure, allowing security admins to perform their security tasks in
one location.

The Identities node on the left navigation panel of the Microsoft Defender
portal includes the following:

 The Microsoft Defender for Identity Dashboard provides critical insights
and real-time data about identity threat detection and response (ITDR).

 The Health issues page lists any current health issues for your Defender
for Identity deployment and sensors, alerting you to any problems in
your Defender for Identity deployment.

 The Tools page lists additional information to help manage your
Microsoft Defender for Identity environment. Examples include a
readiness script that you can run to determine if all the Microsoft
Defender for Identity prerequisites are in place, a PowerShell module
with a collection of functions designed to help you configure and
validate your environment for working with Microsoft Defender for Identity,
and more.

Describe Microsoft Defender Vulnerability Management
Defender Vulnerability Management delivers asset visibility, intelligent
assessments, and built-in remediation tools for Windows, macOS, Linux,
Android, iOS, and network devices.

Using Microsoft threat intelligence, breach likelihood predictions, business
contexts, and device assessments, Defender Vulnerability Management
rapidly and continuously prioritizes the biggest vulnerabilities on your most
critical assets and provides security recommendations to mitigate risk.

Continuous asset discovery and monitoring

Defender Vulnerability Management built-in and agentless scanners
continuously monitor and detect risk in your organization even when devices
aren't connected to the corporate network.

Consolidated inventories provide a real-time view of your organization's
software applications, digital certificates, hardware and firmware, and
browser extensions to help you monitor and assess all your organization's
assets. Examples include:

 Visibility into software and vulnerabilities - Get a view of the
organization's software inventory, and software changes like
installations, uninstalls, and patches.
 Network share assessment - Assess vulnerable internal network shares
configuration with actionable security recommendations.
 Browser extensions assessment - View a list of the browser extensions
installed across different browsers in your organization. View
information on an extension's permissions and associated risk levels.
 Digital certificates assessment - View a list of certificates installed
across your organization in a single central certificate inventory page.
Identify certificates before they expire and detect potential
vulnerabilities due to weak signature algorithms.
 And more...

Risk-based intelligent prioritization

Defender Vulnerability Management uses Microsoft's threat intelligence,
breach likelihood predictions, business contexts, and device assessments to
quickly prioritize the biggest vulnerabilities in your organization.

Risk-based intelligent prioritization focuses on emerging threats to align the
prioritization of security recommendations with vulnerabilities currently
being exploited in the wild and emerging threats that pose the highest risk.
Risk-based intelligent prioritization also pinpoints active breaches and
protects high value assets.

A single view of prioritized recommendations from multiple security feeds,
along with critical details including related Common Vulnerabilities and
Exposures (CVEs) and exposed devices, helps you quickly remediate the
biggest vulnerabilities on your most critical assets.

Remediation and tracking

Remediation and tracking enable security administrators and IT
administrators to collaborate and seamlessly remediate issues with built-in
workflows.

 Remediation requests sent to IT - Create a remediation task in Microsoft
Intune from a specific security recommendation.
 Block vulnerable applications - Mitigate risk with the ability to block
vulnerable applications for specific device groups.
 Alternate mitigations - Gain insights on other mitigations, such as
configuration changes that can reduce risk associated with software
vulnerabilities.
 Real-time remediation status - Real-time monitoring of the status and
progress of remediation activities across the organization.

Microsoft Defender Vulnerability Management in the Microsoft Defender portal

Microsoft Defender Vulnerability Management is experienced through the
Microsoft Defender portal. The Defender portal is the home for monitoring
and managing security across your Microsoft identities, data, devices, apps,
and infrastructure, allowing security admins to perform their security tasks
in one location.

The Vulnerability management node is listed under Endpoints on the left
navigation panel of the Microsoft Defender portal. From this section, you can
access Microsoft Defender Vulnerability Management functionality.

 Dashboard - You can use the Defender Vulnerability Management
dashboard in the Microsoft Defender portal to view your exposure score
and Microsoft Secure Score for Devices, along with top security
recommendations, software vulnerabilities, remediation activities,
exposed devices, and more.
 Recommendations - From the recommendations page, you can view
recommendations, the number of weaknesses found, related
components, threat insights, number of exposed devices, and much
more.
 Remediation - When you submit a remediation request from the Security
recommendations page, it kicks off a remediation activity. A security
task is created that can be tracked on a Remediation page. From the
Remediation page, you can follow the remediation steps, track progress,
view the related recommendation, export to CSV, or mark as complete.
 Inventories - The Software inventory page opens with a list of software
installed in your network, including the vendor name, weaknesses
found, threats associated with them, exposed devices, impact to
exposure score, and tags. Software that isn't currently supported by
vulnerability management may be present in the software inventory
page, but because it isn't supported, only limited data will be available.
 Weaknesses - The Weaknesses page opens with a list of the CVEs your
devices are exposed to. You can view the severity, Common
Vulnerability Scoring System (CVSS) rating, corresponding breach and
threat insights, and more.
 Event timeline - The Event timeline helps you interpret how risk is
introduced into the organization through new vulnerabilities or exploits.
You can view events that may impact your organization's risk, along with
all the necessary information related to an event.
 Baseline assessments - A security baseline profile is a customized profile
that you create to assess and monitor endpoints in your organization
against industry security benchmarks. On the security baselines
assessment overview page you can view device compliance, profile
compliance, top failing devices, and top misconfigured devices for the
available baselines.

Describe Microsoft Defender Threat Intelligence

Threat intelligence analysts struggle with balancing a breadth of threat
intelligence ingestion with the analysis of which threat intelligence poses the
biggest threats to their organization and/or industry. Similarly, vulnerability
intelligence analysts battle correlating their asset inventory with Common
Vulnerabilities and Exposures (CVE) information to prioritize the investigation
and remediation of the most critical vulnerabilities associated with their
organization.

Microsoft Defender Threat Intelligence addresses these challenges by
aggregating and enriching critical data sources and displaying them in an
innovative, easy-to-use interface. Analysts can then correlate indicators of
compromise (IOCs) with related articles, actor profiles, and vulnerabilities.
Defender TI also lets analysts collaborate with fellow Defender TI-licensed
users within their tenant on investigations.

Microsoft Defender Threat Intelligence functionality includes:

 Threat analytics
 Intel Profiles
 Intel Explorer
 Projects

Threat analytics

Threat analytics helps you, as an analyst, understand how emerging threats
impact your organization's environment.

Threat analytics reports provide an analysis of a tracked threat and
extensive guidance on how to defend against that threat. Each report also
incorporates data from your network, indicating whether the threat is active
and whether you have applicable protections in place. You can filter and
search on reports, and Defender TI also provides a dashboard.

The threat analytics dashboard highlights the reports that are most relevant
to your organization. It summarizes the threats into three categories:

 Latest threats - Lists the most recently published or updated threat
reports, along with the number of active and resolved alerts.
 High-impact threats - Lists the threats that have the highest impact to
your organization. This section lists threats with the highest number of
active and resolved alerts first.
 Highest exposure - Lists threats to which your org has the highest
exposure. Your exposure level to a threat is calculated using two pieces
of information: how severe the vulnerabilities associated with the threat
are, and how many devices in your organization could be exploited by
those vulnerabilities.

Each report provides an overview, an analyst report, related incidents,
impacted assets, endpoints exposure, and recommended actions.

Intel profiles

Intel profiles are a definitive source of Microsoft's shareable knowledge on
tracked threat actors, malicious tools, and vulnerabilities. This content is
curated and continuously updated by Microsoft's Threat Intelligence experts
to provide relevant and actionable threat context.

Intel explorer

The intel explorer is where analysts can quickly scan new featured articles
and perform a keyword, indicator, or CVE ID search to begin their intelligence
gathering, triage, incident response, and hunting efforts.

Microsoft Defender Threat Intelligence articles are narratives that provide
insight into threat actors, tooling, attacks, and vulnerabilities. The articles
summarize different threats and also link to actionable content and key IOCs
to help users take action.

Defender TI offers CVE-ID searches to help users identify critical information
about the CVE. CVE-ID searches result in Vulnerability Articles.

Intel Projects

Microsoft Defender Threat Intelligence (Defender TI) lets you create projects
to organize indicators of interest and indicators of compromise (IOCs) from
an investigation. Projects contain a listing of all associated artifacts and a
detailed history that retains the names, descriptions, collaborators, and
monitoring profiles.

Microsoft Defender Threat Intelligence in the Microsoft Defender portal

Microsoft Defender TI is experienced through the Microsoft Defender portal.

The Threat intelligence node on the navigation panel of the Microsoft
Defender portal is where you can find the Microsoft Defender Threat
Intelligence functionality.

To view a screen capture from each of the categories, select the tab from the
image that follows. In each case, there's a side panel that shows the
embedded Microsoft Security Copilot capability.

Microsoft Security Copilot integration with Microsoft Threat Intelligence

Security Copilot integrates with Microsoft Defender TI. With the Defender TI
plugin enabled, Copilot delivers information about threat activity groups,
indicators of compromise (IOCs), tools, and contextual threat intelligence.
You can use the prompts and promptbooks to investigate incidents, enrich
your hunting flows with threat intelligence information, or gain more
knowledge about your organization's or the global threat landscape.

Microsoft Defender Threat Intelligence capabilities in Copilot are built-in
prompts that you can use, but you can also enter your own prompts based on
the capabilities supported. The image that follows shows only a subset of
the capabilities supported. Copilot also includes a built-in promptbook that
delivers information from Defender TI, including:

 Vulnerability impact assessment - Generates a report summarizing the
intelligence for a known vulnerability, including steps on how to address
it.
 Threat actor profile - Generates a report profiling a known activity
group, including suggestions to defend against their common tools and
tactics.

Copilot integration with Defender TI can also be experienced through the
embedded experience. You can experience Security Copilot's capability to
look up threat intelligence in the following pages of the Microsoft Defender
portal:

 Threat analytics
 Intel profiles
 Intel explorer
 Intel projects

For each of these pages, you can use one of the available prompts or you
can enter your own prompt.

Describe the Microsoft Defender portal

A unified security operations platform is a fully integrated toolset for security
teams to prevent, detect, investigate, and respond to threats across their
entire environment. For Microsoft, this means delivering the best of SIEM,
XDR, posture management, and threat intelligence with advanced generative
AI as a single platform.

Through the Microsoft Defender portal, Microsoft delivers on the promise of a
unified security operations platform so you can view the security health of
your organization. The Microsoft Defender portal combines protection,
detection, investigation, and response to threats across your entire
organization and all its components, in a central place.

To access the Microsoft Defender portal, you must be assigned an appropriate
role in Microsoft Entra ID, such as Global Reader or Administrator, Security
Reader or Administrator, or Security Operator.

The Defender portal emphasizes quick access to information, simpler
layouts, and bringing related information together for easier use.

The Microsoft Defender portal home page shows many of the common cards
that security teams need. The composition of cards and data depends on the
user role. Because the Microsoft Defender portal uses role-based access
control, different roles see cards that are more meaningful to their day-to-
day jobs.

The Microsoft Defender portal allows you to tailor the navigation pane to
meet daily operational needs. You can customize the navigation pane to
show or hide functions and services based on your specific preferences.
Customization is specific to you, so other admins won’t see these changes.

The left navigation pane provides easy access to the suite of Microsoft
Defender XDR services. You also get access to Microsoft Sentinel and many
other capabilities. The sections that follow provide a brief description of the
capabilities accessible from the left navigation bar in the Microsoft Defender
portal.

Exposure management

Microsoft Security Exposure Management is a security solution that provides
a unified view of security posture across company assets and workloads.
Security Exposure Management enriches asset information with security
context that helps you to proactively manage attack surfaces, protect critical
assets, and explore and mitigate exposure risk.

With Security Exposure Management you can discover and monitor assets,
get rich security insights, investigate specific risk areas with security
initiatives, and track metrics across the organization to improve security
posture.

Attack surface

Security Exposure Management automatically generates attack paths based
on the data collected across assets and workloads. It simulates attack
scenarios, and identifies vulnerabilities and weaknesses that an attacker
could exploit.

Security insights

Exposure insights in Microsoft Security Exposure Management continuously
aggregate security posture data and insights across workloads and
resources into a single pipeline.

 Initiatives provide a simple way to assess security readiness for a
specific security area or workload, and to constantly track and measure
exposure risk for that area or workload over time.
 Metrics in Microsoft Security Exposure Management measure security
exposure for a specific scope of assets or resources within a security
initiative.
 Recommendations help you to understand the compliance state for a
specific security initiative.
 Events help you to monitor initiative changes.

Secure score

Microsoft Secure Score, one of the tools in the Microsoft Defender portal, is a
representation of a company's security posture. The higher the score, the
better your protection. From a centralized dashboard in the Microsoft
Defender portal, organizations can monitor and work on the security of their
Microsoft 365 identities, apps, and devices.

Secure Score provides a breakdown of the score, the improvement actions
that can boost the organization's score, and how well the organization's
Secure Score compares to other similar organizations.

Data connectors

Using data connectors you can connect data sources for a richer, more
centralized exposure management experience.

Investigation & response

The investigation and response tab includes access to incidents and alerts,
hunting, actions & submissions, and a partner catalog.

Incidents and alerts

An incident in the Microsoft Defender portal is a collection of related alerts,
assets, investigations, and evidence to give you a comprehensive look into
the entire breadth of an attack. It serves as a case file that your SOC can use
to investigate that attack and manage, implement, and document the
response to it. Because the Microsoft Defender portal is built upon a unified
security operations platform, you get a view of all incidents including
incidents generated from the suite of Microsoft Defender XDR solutions,
Microsoft Sentinel, and other solutions.

Within an incident, you analyze the alerts that affect your network,
understand what they mean, and collate the evidence so that you can devise
an effective remediation plan. The information provided for an incident
includes:

 The full story of the attack, including all the alerts, assets, and
remediation actions taken.
 All the alerts related to the incident.
 All the assets (devices, users, mailboxes, and apps) that have been
identified to be part of or related to the incident.
 All the automated investigations triggered by the alerts in the incident.
 All the supported evidence and response.

If your organization is onboarded to Microsoft Security Copilot, you can also
view an incident summary, guided responses, and more.

Hunting

Advanced hunting is a query-based threat hunting tool that lets you explore
up to 30 days of raw data from Microsoft Defender XDR and Microsoft
Sentinel. You can proactively inspect events in your network to locate threat
indicators and entities through hunting queries. Hunting queries can be
created in the query editor if you're familiar with Kusto Query Language
(KQL), with a query builder, or through Security Copilot. For users
onboarded to Microsoft Security Copilot, you can make a request or ask a
question in natural language and Security Copilot generates a KQL query
that corresponds to the request.

You can use the same threat hunting queries to build custom detection rules.
These rules run automatically to check for and then respond to suspected
breach activity, misconfigured machines, and other findings.

Actions and submissions

The unified Action center brings together remediation actions across
Microsoft Defender for Endpoint and Microsoft Defender for Office 365. It lists
pending and completed remediation actions for your devices, email &
collaboration content, and identities in one location.

In Microsoft 365 organizations with Exchange Online mailboxes, admins can
use the Submissions page in the Microsoft Defender portal to submit
messages, URLs, and attachments to Microsoft for analysis.

Partner catalog

The partner catalog lists supported technology partners and professional
services that can help your organization enhance the detection,
investigation, and threat intelligence capabilities of the platform.

Threat intelligence

From the Threat Intelligence tab, users access Microsoft Defender Threat
Intelligence. For more information, see the unit "Describe Microsoft Defender
Threat Intelligence."

Assets

The Assets tab allows you to view and manage your organization's inventory
of protected and discovered assets (devices and identities).

The Device inventory shows a list of the devices in your network where alerts
were generated. By default, the queue displays devices seen in the last 30
days. At a glance, you see information such as domain, risk level, OS
platform, and other details for easy identification of devices most at risk.

The identity inventory provides a comprehensive view of all corporate
identities, both cloud and on-premises.

Microsoft Sentinel

Some Microsoft Sentinel capabilities, like the unified incident queue, are
accessed through the incidents and alerts page of the Defender portal, along
with incidents from other Microsoft Defender services. Many other Microsoft
Sentinel capabilities are available in the Microsoft Sentinel section of the
Defender portal.
For more information, see the module "Describe the capabilities in Microsoft
Sentinel," whose link is included in the summary and resources unit.

Identities

The Identities node on the left navigation panel of the Microsoft Defender
portal maps to functionality associated with Microsoft Defender for Identity.
For more information, see the unit "Describe Microsoft Defender for Identity."

Endpoints

The Endpoints node on the left navigation panel of the Microsoft Defender
portal maps to functionality associated with Microsoft Defender for
Endpoints. For more information, see the unit "Describe Microsoft
Defender for Endpoints."

Email and collaboration

The email and collaboration node on the left navigational panel is where you
find Microsoft Defender for Office 365 functionality that allows you to track
and investigate threats to your users' email, track campaigns, and more. For
more information, see the unit "Describe Microsoft Defender for Office 365."

Cloud apps

The Cloud apps node on the left navigational panel is where you find
Microsoft Defender for Cloud Apps functionality. For more information, see
the unit "Describe Microsoft Defender for Cloud Apps."

SOC Optimization

Security operations center (SOC) teams actively look for opportunities to
optimize both processes and outcomes.

SOC optimization surfaces ways you can optimize your security controls,
gaining more value from Microsoft security services as time goes on.

Reports

Reports are unified in the Microsoft Defender portal. Admins can start with a
general security report, and branch into specific reports about endpoints,
email & collaboration, cloud apps, infrastructure, and identities. The links
here are dynamically generated based upon workload configuration.

Learning hub

The learning hub links you to Microsoft Learn, where you can get access to
training courses, tutorials, documentation, and other relevant material.

System

The system option in the Defender portal includes selections to configure
permissions, view service health, and general settings.

Describe Copilot integration with Microsoft Defender XDR

Microsoft Defender XDR integrates with Microsoft Security Copilot.
Integration with Security Copilot can be experienced through the standalone
and embedded experiences.

The standalone experience

For businesses that are onboarded to Microsoft Security Copilot, the
integration is enabled through plugins accessed through the Copilot portal
(the standalone experience). There are two separate plugins that support
integration with Microsoft Defender XDR:

 Microsoft Defender XDR
 Natural language to KQL for Microsoft Defender XDR

Microsoft Defender XDR plugin

The Microsoft Defender XDR plugin includes capabilities that enable users to:

 Analyze files
 Generate an incident report
 Generate a guided response
 List incidents and related alerts
 Summarize the security state of the device
 more...

Microsoft Defender XDR capabilities in Copilot are built-in prompts that you
can use, but you can also enter your own prompts based on the capabilities
supported.

Copilot also includes a built-in promptbook for Microsoft Defender XDR
incident investigation you can use to get a report about a specific incident,
with related alerts, reputation scores, users, and devices.

Natural language to KQL for Microsoft Defender plugin

The Natural language to KQL for Microsoft Defender plugin enables query
assistant functionality that converts any natural-language question in the
context of threat hunting, into a ready-to-run Kusto Query Language (KQL)
query. The query assistant saves security teams time by generating a KQL
query that can then be automatically run or further tweaked according to the
analyst’s needs.

The embedded experience

With the plugin enabled, Copilot integration with Defender XDR can also be
experienced through the embedded experience, which is referred to as
Copilot in Microsoft Defender XDR.

Copilot in Microsoft Defender XDR enables security teams to quickly and
efficiently investigate and respond to incidents, through the Microsoft
Defender XDR portal. Copilot in Microsoft Defender XDR supports the
following features.

 Summarize incidents
 Guided responses
 Script analysis
 Natural language to KQL queries
 Incident reports
 Analyze files
 Device and identity summaries

Users can also seamlessly pivot from the embedded experience to the
standalone experience.

Summarize incidents

To immediately understand an incident, you can use Copilot in Microsoft
Defender XDR to summarize an incident for you. Copilot creates an overview
of the attack containing essential information for you to understand what
transpired in the attack, what assets are involved, the timeline of the attack,
and more. Copilot automatically creates a summary when you navigate to an
incident's page. Incidents containing up to 100 alerts can be summarized
into one incident summary.

Guided responses

Copilot in Microsoft Defender XDR uses AI and machine learning capabilities
to contextualize an incident and learn from previous investigations to
generate appropriate response actions, which are shown as guided
responses. The guided response capability of Copilot allows incident
response teams at all levels to confidently and quickly apply response
actions to resolve incidents with ease.

Guided responses recommend actions in the following categories:

 Triage - includes a recommendation to classify incidents as
informational, true positive, or false positive
 Containment - includes recommended actions to contain an incident
 Investigation - includes recommended actions for further investigation
 Remediation - includes recommended response actions to apply to
specific entities involved in an incident

Each card contains information about the recommended action, including
why the action is recommended, similar incidents, and more. For example,
the View similar incidents action becomes available when there are other
incidents within the organization that are similar to the current incident.
Incident response teams can also view user information for remediation
actions such as resetting passwords.

Not all incidents/alerts provide guided responses. Guided responses are
available for incident types such as phishing, business email compromise,
and ransomware.

Analyze scripts and code

The script analysis capability of Copilot in Microsoft Defender XDR provides
security teams added capacity to inspect scripts and code without using
external tools. This capability also reduces complexity of analysis, minimizing
challenges and allowing security teams to quickly assess and identify a script
as malicious or benign.

There are several ways you can access the script analysis capability. The
image that follows shows the process tree for an alert that includes
execution of a PowerShell script. Selecting the analyze button generates the
Copilot script analysis.

Generate KQL queries

Copilot in Microsoft Defender XDR comes with a query assistant capability in
advanced hunting.

To access the natural language to KQL query assistant, users with access to
Copilot select advanced hunting from the left navigation pane of the
Defender XDR portal.

Copilot provides prompts you can use to start hunting for threats with
Copilot, or you can write your own natural language question in the prompt
bar to generate a KQL query. For example, "Give me all the devices that
signed in within the last 10 minutes." Copilot then generates a KQL query
that corresponds to the request using the advanced hunting data schema.

The user can then choose to run the query by selecting Add and run. The
generated query then appears as the last query in the query editor. To make
further tweaks, select Add to editor.
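The natural-language request above ("Give me all the devices that signed in within the last 10 minutes"), written out as the kind of advanced hunting KQL query the assistant produces, followed by the same logic shaped for a custom detection rule as described in the Hunting section. This is an added example, not output from Copilot or code from the module; it assumes the standard DeviceLogonEvents table of the advanced hunting schema and that custom detection rules require the query to return Timestamp, ReportId, and DeviceId.

```kql
// Added example (not from the module). Query 1: devices with a successful
// sign-in in the last 10 minutes, one row per device, from the advanced
// hunting DeviceLogonEvents table. Timestamp values are UTC.
DeviceLogonEvents
| where Timestamp > ago(10m)
| where ActionType == "LogonSuccess"
| summarize
    FirstLogon = min(Timestamp),
    LastLogon  = max(Timestamp),
    LogonCount = count(),
    Accounts   = make_set(AccountName, 20),   // cap the set at 20 names
    LogonTypes = make_set(LogonType, 10)
    by DeviceId, DeviceName
| sort by LastLogon desc

// Query 2: the same data kept per event so it can back a custom detection
// rule. A rule's query must return Timestamp, ReportId, and DeviceId (the
// columns the rule uses to identify the event and the impacted device), so
// no summarize step is used here. As a defender-side illustration, the rule
// flags interactive and RDP-style sign-ins outside 06:00-22:00 UTC, a
// finding an analyst would then triage in the incident queue.
DeviceLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonSuccess"
| where LogonType in ("Interactive", "RemoteInteractive")
| where hourofday(Timestamp) < 6 or hourofday(Timestamp) >= 22
| project Timestamp, ReportId, DeviceId, DeviceName,
          AccountDomain, AccountName, LogonType, RemoteIP
```

The first query is what you would run interactively from the prompt bar; the second is the shape to save through "Create detection rule", adjusting the business-hours window to your organization's time zone.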

Create incident reports

A comprehensive and clear incident report is an essential reference for
security teams and security operations management. However, writing a
comprehensive report with the important details present can be a time-
consuming task for security operations teams as it involves collecting,
organizing, and summarizing incident information from multiple sources.
Security teams can now instantly create an extensive incident report within
the portal.

While an incident summary provides an overview of an incident and how it
happened, an incident report consolidates incident information from various
data sources available in Microsoft Sentinel and Microsoft Defender XDR. The
incident report also includes all analyst-driven steps and automated actions,
the analysts involved in the response, the comments from the analysts, and
more.

To create an incident report, the user selects Generate incident report on the
top right corner of the incident page or the icon in the Copilot pane. Once the
incident report is generated, selecting the ellipses on the incident report
presents the user with the option to copy the report to the clipboard, post to
an activity log, regenerate the report, or opt to open in the Copilot
standalone experience.

Analyze files

Sophisticated attacks often use files that mimic legitimate or system files to
avoid detection. Copilot in Microsoft Defender XDR enables security teams to
quickly identify malicious and suspicious files through AI-powered file
analysis capabilities.

There are many ways to access the detailed profile page of a specific file. In
this example, you navigate to files through the incident graph of an incident
with impacted files. The incident graph shows the full scope of the attack,
how the attack spread through your network over time, where it started, and
how far the attacker went.

From the incident graph, selecting files displays the option to view files.
Selecting view files opens a panel on the right side of the screen listing
impacted files. Selecting any file displays an overview of the file details and
the option to analyze the file. Selecting Analyze opens the Copilot file
analysis.

Summarize devices and identities

The device summary capability of Copilot in Defender enables security teams
to get a device’s security posture, vulnerable software information, and any
unusual behaviors. Security analysts can use a device’s summary to speed
up their investigation of incidents and alerts.

There are many ways to access a device summary. In this example, you
navigate to the device summary through the incident assets page. Selecting
the assets tab for an incident displays all the assets. From the left navigation
panel, select Devices, then select a specific device name. The overview
page that opens on the right includes the option to select Copilot.

Similarly, Copilot in Microsoft Defender XDR can summarize identities.
