Demonstrate fundamental knowledge of Microsoft 365 security and compliance capabilities

When a product or service is GA, it's the release version and is fully supported. GA products and services have been through a full development and test lifecycle to ensure stability and reliability. With Microsoft 365, new features are added to the products and services periodically. It's useful for IT developers, and administrators, to be aware of preview features before they have their GA release. Organizations can then educate users about these new features and ensure products are used optimally.

Microsoft 365 is covered by the Modern Lifecycle Policy.

Products and services governed by the Modern Lifecycle Policy are supported as long as customers stay current as per the servicing and licensing requirements published for the product or service and have the rights to use the product or service. Microsoft gives a minimum of 12 months' prior notification before ending support for products governed by the Modern Lifecycle Policy. These notifications don't include any free services, or preview releases.

Stay current means that customers accept and apply all servicing updates for their products and services.

For Microsoft 365, customers have the right to use the products or services as long as they have an active subscription.

Hybrid is a combination of cloud services with on-premises services to support your IT needs

A hybrid cloud migration lets you keep critical resources on-premises while also working with cloud services. It connects on-premises resources to the cloud, effectively making the new cloud services an extension of your on-premises infrastructure. The hybrid cloud model lets you extend capabilities or features that aren't available in your existing on-premises systems (like mobility and productivity) to your infrastructure.

Reasons to upgrade to Microsoft 365 licenses:

- After April 2023, accessing Office 365 services (like Exchange Online, SharePoint) won't be supported if you're using Office 2013.

- Office 2010 is only supported until 2020 and Office 2007 isn’t supported at all.

Reasons to upgrade to Office 365 services:

- Office Server 2013 and Office Server 2016 products (like Exchange Server and SharePoint Server) don’t take advantage of the cloud-based services and enhancements.

- Some Office Server 2010 products have a specified end-of-support date.

- Office Server 2007 products are no longer supported. To help with migration from this version, hire a Microsoft partner. You can then roll out the new functionality and work processes to your users and decommission the on-premises servers running Office 2007 server products when you no longer need them.

Perform an in-place upgrade to Windows 10 Enterprise.

Deploy Microsoft 365 Apps using Click-to-Run

Administrators can use the Office 365 Client Configuration Service to create a configuration file in the cloud that specifies the Microsoft 365 apps that are installed. The configuration file also specifies settings such as the update channel, the End User License Agreement (EULA), and whether to automatically apply updates.

Users install Office through Click-to-Run and the configuration is automatically applied to their installation.

Deploy Microsoft 365 Apps from a local source

You can deploy Microsoft 365 Apps from a local source using the same steps as deploying Microsoft 365 Apps using Click-to-Run. With this approach, you download the files to a local server which has the benefit that many users are not downloading the same files from the Internet and consuming bandwidth. Furthermore, you can use this approach if users do not have a reliable Internet connection.

Deploy Microsoft 365 Apps with Microsoft Endpoint Configuration Manager (current branch)

If your organization already uses Configuration Manager, we recommend upgrading to the current branch and using it to deploy Microsoft 365 Apps. You can deploy Office as an application using the Office Client Management dashboard and Office 365 Installer wizard in Configuration Manager. For more information, see Deployment guide for Microsoft 365 Apps.

Deploy Microsoft 365 interactive guide

In this interactive guide, you will explore three methods for deploying Office 365 to your organization. The techniques remain the same for Microsoft 365 Apps:

When Microsoft 365 Apps is updated, all the available updates for that update channel are installed at the same time. There aren’t separate downloads for feature, security, or quality updates. Also, updates are cumulative, so the most current update includes all the feature, security, and quality updates that have been previously released for that update channel.

Microsoft 365 Apps checks for updates on a regular basis, and they're downloaded and installed automatically. While updates are being downloaded, your users can continue to use Office apps. After they're downloaded, the updates are installed. If any Office apps are open, your users will be prompted to save their work and close the apps, so that the updates can finish being installed.

• The Office Content Delivery Network (CDN) on the internet
• A shared folder on your local network
• An enterprise software deployment tool, such as Configuration Manager

If network connectivity or other considerations based on your organization’s requirements aren’t an issue, Microsoft recommends updating Microsoft 365 Apps from the Office CDN, because it requires the least amount of administrative effort.

If you have network bandwidth concerns or want more administrative control, you can download the latest version of Microsoft 365 Apps to a shared folder on your local network. Then you can configure devices to use that shared folder location to update Microsoft 365 Apps. If you’re using a shared folder to distribute updates, you'll need to do a manual download each time an updated version of Microsoft 365 Apps is released. Additionally, if your organization is using multiple update channels, you'll need to do separate downloads for each update channel.

If you already use an enterprise software deployment tool to deploy and update software, you can use it to manage updates to Microsoft 365 Apps. Configuration Manager, for example, has built-in capabilities that simplify the administrative effort to download and distribute updates for Microsoft 365 Apps.

Not all users in your organization need to get updates from the same location. For example, administrative staff at the corporate headquarters would get updates from Configuration Manager. But, sales associates that travel frequently and are rarely in the office would get their updates directly from the Office CDN on the Internet.

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Following the Security Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure.

Secure Score helps organizations:

• Report on the current state of the organization's security posture.
• Improve their security posture by providing discoverability, visibility, guidance, and control.
• Compare with benchmarks and establish key performance indicators (KPIs).
•  

• Control: Putting you, the customer, in control of your privacy with easy-to-use tools and clear choices.
• Transparency: Being transparent about data collection and use so that everyone can make informed decisions.
• Security: Protecting the data that's entrusted to Microsoft by using strong security and encryption.
• Strong legal protections: Respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right.
• No content-based targeting: Not using email, chat, files, or other personal content to target advertising.
• Benefits to you: When Microsoft does collect data, it's used to benefit you, the customer, and to make your experiences better.

User or group membership
Policies can be targeted to specific users and groups, giving administrators fine-grained control over access.

IP Location information
Organizations can create trusted IP address ranges that can be used when making policy decisions. Also, Administrators can opt to block or allow traffic from an entire countries IP range.

Device
When enforcing Conditional Access policies, users with devices of specific platforms or marked with a specific state can be used

Application
Users attempting to access specific applications can trigger different Conditional Access policies.

Real-time and calculated risk detection
Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level or be blocked from access until an administrator takes manual action.

Microsoft Cloud App Security (MCAS)
Enables user application access and sessions to be monitored and controlled in real-time, increasing visibility and control over access to and activities performed within your cloud environment.

Azure AD supports Fast Identity Online 2 (FIDO2). FIDO2 is an open standard for passwordless authentication. FIDO2 allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.

Users can access a device based on organization controls and authenticate based on a PIN or biometric and using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables. Passwordless authentication with Azure AD is applicable for shared PCs and where a mobile phone is not a viable option (such as for help desk personnel, public kiosk, or hospital team).

• A Microsoft, Active Directory, or Microsoft Azure Active Directory (Azure AD) account.
• An Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication

After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.

Microsoft 365 Defender solutions integrate with Azure Sentinel. Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing alert detection, threat visibility, proactive hunting, and threat response.

• Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
• Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
• Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
• Respond to incidents rapidly with built-in orchestration and automation of common tasks

Servicing channels are a method of controlling the frequency at which organizations deploy Windows 10 features. Servicing channels allow you to control how and when updates are applies. Windows-as-a-Service offers three servicing channels, each receiving feature updates at different frequencies:

• Insider preview. This channel receives Windows features before general release, often during development. This allows organizations to test and evaluate new features and provide feedback to Microsoft.
• Semi-annual channel. Feature updates are released to the semi-annual channel twice a year.
• Long-term servicing channel. Designed for specialist devices that do not run Office apps such as medical equipment or ATMs. These receive new features every two or three years.

Deployment rings are groups of devices that are used to pilot new features, before they are deployed to the rest of the organization.

In Configuration Manager, you can view the state of Windows-as-a-Service (WaaS) in your environment. You can create servicing plans to form deployment rings and ensure that Windows 10 systems are kept up to date when new builds are released. You can also view alerts when Windows 10 clients are near end of support for their Semi-Annual Channel build.

• Windows Autopilot. Customize the out-of-box experience (OOBE) to deploy apps and settings that are pre-configured for your organization. Include just the apps your users need. Autopilot is the easiest way to deploy a new PC running Windows 10. You can also use it with Configuration Manager to upgrade Windows 7 or Windows 8.1 to Windows 10.
• In-place upgrade. Upgrade a device’s operating system without reinstalling. You can migrate apps, user data, and settings from one version of Windows to another (like going from Windows 8.1 to Windows 10). You can also update from one release of Windows 10 to the next (like going from Windows 10, version 1803, to Windows 10, version 1809).
• Dynamic provisioning. Create a provisioning package to quickly configure one or more devices, even those without network connectivity. You create provisioning packages with the Windows Configuration Designer and can install them over a network, from removable media (like a USB drive), or in near field communication (NFC) tags or barcodes.
• Subscription activation. Use a subscription to switch from one edition of Windows 10 to another. For example, you can switch from Windows 10 Pro to Windows 10 Enterprise. When a licensed user signs into a device (and they have credentials associated with a Windows 10 E3 or E5 license), the OS changes from Windows 10 Pro to Windows 10 Enterprise, and all the appropriate Windows 10 Enterprise features are unlocked. If the subscription expires (or is transferred to another user), the device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days.

Customize the out-of-box experience (OOBE) to deploy apps and settings that are pre-configured for your organization. Include just the apps your users need. Autopilot is the easiest way to deploy a new PC running Windows 10. You can also use it with Configuration Manager to upgrade Windows 7 or Windows 8.1 to Windows 10.

Upgrade a device’s operating system without reinstalling. You can migrate apps, user data, and settings from one version of Windows to another (like going from Windows 8.1 to Windows 10). You can also update from one release of Windows 10 to the next (like going from Windows 10, version 1803, to Windows 10, version 1809).

Create a provisioning package to quickly configure one or more devices, even those without network connectivity. You create provisioning packages with the Windows Configuration Designer and can install them over a network, from removable media (like a USB drive), or in near field communication (NFC) tags or barcodes.

Use a subscription to switch from one edition of Windows 10 to another. For example, you can switch from Windows 10 Pro to Windows 10 Enterprise. When a licensed user signs into a device (and they have credentials associated with a Windows 10 E3 or E5 license), the OS changes from Windows 10 Pro to Windows 10 Enterprise, and all the appropriate Windows 10 Enterprise features are unlocked. If the subscription expires (or is transferred to another user), the device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days.

To reduce bandwidth consumption, you can enable peer-to-peer content sharing. There are two peer-to-peer options for content distribution: Delivery Optimization and BranchCache.

Delivery Optimization allows Windows 10 clients to source content from other devices on their local network that have already downloaded the updates, or from peers over the internet. BranchCache is a bandwidth optimization technology included in some editions of Windows Server 2016, Windows 10 operating system, and some other operating systems. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed.

Or, if your organization uses Windows Intune, Windows updates can be deployed using Intune.

• Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability.
• Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios.
• Provide Windows 7 virtual desktops with free Extended Security Updates.
• Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer.
• Virtualize both desktops and apps.
• Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience.

Azure Virtual Desktop is a service that allows users to connect to a Windows desktop running in the cloud. They enjoy all the benefits of Windows desktop and Microsoft 365 apps, without the overhead of installing software on the local device.

• Week in the life gives a summary of day-to-day collaboration in the organization.
• Meetings overview gives a summary of meeting norms within your organization.
• Management and coaching gives a summary of collaboration between leaders, managers, and employees.
• Internal networks shows network connections between different people within a company exclusively, for example, between the sales department and the human resources department.
• External collaboration gives a summary of employees' network patterns with people outside the company.
• Teams collaboration shows insights and communication trends about how your organization's employees use Teams for communication and collaboration.

MyAnalytics provides insights into two of the key factors in personal productivity: how people spend their time and who they spend it with. You and your team can get these benefits after an administrator sets up MyAnalytics within your organization. MyAnalytics is delivered as an email every week. Alternatively, go to https://myanalytics.microsoft.com to access your personal dashboard. Metrics include:

• Focus and wellbeing. Shows whether you have enough time for uninterrupted work, with tips on how to protect your calendar and manage distractions.
• Network and collaboration. Shows information about your relationships with the people in your network, based on your work activities over the past year.
• Productivity insights. Shows insights into your work patterns around focus, network, wellbeing, and collaboration over the past four weeks. These insights show observations and trends of your most recent work habits based on your Office 365 data.