Chapter 4. Understand Microsoft 365 pricing and support
Microsoft 365 is designed to be a complete solution for organizations of various sizes that provides the operating system, productivity applications, and cloud-based services that most users need. For many businesses, Microsoft 365 can be a complete solution; other might have to install additional applications as well.
Candidates preparing for the MS-900 examination must understand the components included in the Microsoft 365 packages and the features and benefits they provide, as discussed in the preceding chapters. However, they must also be aware of the various licensing options available for Microsoft 365 subscribers, how they are priced, what support options are available, and what the expected lifecycle of the Microsoft 365 product is expected to be. This information is necessary for IT professionals to make an informed purchasing decision for their organizations.
Skills in this chapter:
Skill 4.1: Understand licensing options available in Microsoft 365
Microsoft 365 is not a “one-size-fits-all” product. It is intended to support a range of organization sizes and also organizations with different security and feature requirements. To do this, there are various editions of the product that have different feature sets and, of course, different prices. As with Office 365, Microsoft 365 is available only by subscription, but unlike Office 365, there is no need for subscribers to purchase an operating system.
All Microsoft 365 editions include the following three basic components:
Windows 10 Enterprise
Office 365 Pro Plus
Enterprise Mobility + Security
However, all these components are available in their own plans, and the Microsoft 365 editions include them in various combinations.
Microsoft 365 subscriptions
Most organizations interested in Microsoft 365 as an introduction to cloud-based networking, either as a new deployment or an addition to a traditional on-premises network, will opt for Microsoft 365 Business or one of the Microsoft 365 Enterprise subscription options described in the following sections. In addition, there are specialized versions of Microsoft 365 designed for educational and governmental environments.
Microsoft 365 Business
Intended for small and medium-sized businesses with up to 300 users, the Microsoft 365 Business subscription includes Windows 10 Pro, Office 365 Pro Plus, and most (but not all) of the features included in Enterprise Mobility + Security E3. The intention behind the product is to create a comprehensive package for organizations that do not maintain a full-time IT staff, which is the case with many small businesses. The process of deploying Microsoft 365 workstations is largely automated, and the package includes the Microsoft 365 Admin Center, which provides a unified interface for the setup and management of identities and devices.
Microsoft 365 Business includes Windows Autopilot, which streamlines the process of deploying new Windows workstations or upgrading existing ones. For computers that already have Windows 7, Windows 8, or Windows 8.1 installed, Microsoft 365 provides an upgrade to Windows 10 Pro. In addition to Autopilot, Microsoft 365 includes device management settings in Azure Active Directory that can automatically apply policies to newly deployed workstations, including those for functions like the following:
Activation of the Microsoft 365 subscription
Windows 10 and Office 365 updates
Automated installation of Office 365 applications on Windows 10
Control of the device’s screen when the system is idle
Access control to Microsoft Store apps
Access control to Cortana
Access control to Windows tips and advertisements from Microsoft
Another priority of Microsoft 365 is to provide security in areas where small businesses often fall short, as shown in Figure 4-1. The suite of security functions and services included in the product provides protection for all the primary areas of a business network: identities, with multifactor authentication; devices, with management capabilities for on-premises and mobile devices; applications, with usage restrictions; email, with threat detection and data loss prevention; and documents, with classification, encryption, and access control.
FIGURE 4-1 Security functions in Microsoft 365 Business
Microsoft 365 Business allows up to 300 user subscriptions in one tenancy, but this does not mean than an organization’s network is limited to 300 users. It is not required that every user on the network have a Microsoft 365 Business license, although only the license-holders can utilize the cloud services included with the product. It is also possible to combine license types in a single tenancy. This means that if an organization running Microsoft 365 Business expands to the point at which there are more than 300 users, it is possible to add more users with Microsoft 365 Enterprise licenses without having to upgrade the original 300 Business users.
Microsoft 365 Enterprise
For organizations with more than 300 users, there are two subscription options, called Microsoft 365 Enterprise E3 and Microsoft 365 Enterprise E5. Both include Windows 10 Enterprise and Office 365 Pro Plus, as well as Enterprise Mobility + Security, and both support an unlimited number of users. The feature lists for the E3 and E5 subscriptions are largely identical, with Microsoft 365 Enterprise E5 including all the features of E3 plus more advanced security, threat protection, and analytics tools.
Exam Tip
Candidates for the MS-900 exam should understand that while Microsoft 365 Enterprise is targeted at larger organizations, more than 300 users are not required. Small- or medium-sized businesses that require the additional security and analytical capabilities in the Enterprise E3 or E5 product can use it as well.
Several of the elements included in Microsoft 365 are also available as individual subscriptions and are available in two plans—referred to as Plan 1 (P1) and Plan 2 (P2)—and include the following:
Azure Active Directory Premium
Office 365 Advanced Threat Protection
Azure Information Protection
In each case, Plan 2 includes all the features of Plan 1, plus some additional capabilities. Microsoft 365 Enterprise E5 includes Plan 2 for all three features, while Plan 1 is included in one or more of the other subscriptions, as shown later in Table 4-1.
TABLE 4-1 Features and benefits in Microsoft 365 subscriptions
FEATURES INCLUDED |
MICROSOFT 365 BUSINESS |
MICROSOFT 365 ENTERPRISE E3 |
MICROSOFT 365 ENTERPRISE E5 |
MICROSOFT 365 F1 |
Windows 10 |
Pro |
Enterprise |
Enterprise |
Enterprise |
Office 365 |
Office 365 Pro Plus |
Office 365 Pro Plus |
Office 365 Pro Plus |
Office 365 F1 (Office for Mobile apps and Office for the Web) |
Exchange Online |
Yes, with 50 GB mailbox |
Yes, with 50 GB mailbox |
Yes, with 50 GB mailbox |
Yes, with 2 GB mailbox |
SharePoint Online |
Yes |
Yes |
Yes |
Yes (without personal site, site mailbox, or form creation) |
Microsoft Teams |
Yes |
Yes |
Yes |
Yes (one-to-one calls only, meetings join only) |
OneDrive |
1 TB |
5 TB (five or more users) 1 TB (less than five users) |
5 TB (five or more users) 1 TB (less than five users) |
2 GB (without desktop synchronization) |
OneDrive for Business |
No |
Unlimited |
Unlimited |
No |
Microsoft Stream |
Yes |
Yes |
Yes |
Yes (consume only) |
Audio conferencing/Phone System |
No |
No |
Yes |
No |
Yammer |
Yes |
Yes |
Yes |
Yes |
Planner |
Yes |
Yes |
Yes |
Yes |
Flow |
Yes |
Yes |
Yes |
Yes (consume only, 750 runs per user per month) |
Sway |
Yes |
Yes |
Yes |
Yes |
Windows Hello |
Yes |
Yes |
Yes |
Yes |
Azure Active Directory Premium |
Plan 1 |
Plan 1 |
Plan 2 |
Plan 1 |
Azure Active Directory Privileged Identity Management |
No |
No |
Yes |
No |
Microsoft 365 Admin Center |
Yes |
Yes |
Yes |
Yes |
Microsoft Intune |
Yes |
Yes |
Yes |
Yes |
System Center Configuration Manager |
No |
Yes |
Yes |
Yes |
Windows Autopilot |
Yes |
Yes |
Yes |
Yes |
Microsoft Advanced Threat Analytics |
No |
Yes |
Yes |
Yes |
Microsoft Defender Advanced Threat Protection |
No |
No |
Yes |
No |
Office 365 Advanced Threat Protection |
Plan 1 |
No |
Plan 2 |
No |
Office 365 Threat Intelligence |
No |
No |
Yes |
No |
Azure Advanced Threat Protection |
No |
No |
Yes |
No |
Office 365 Data Loss Prevention |
Yes |
Yes |
Yes |
No |
Azure Information Protection |
Plan 1 |
Plan 1 |
Plan 2 |
Plan 1 |
Windows Information Protection |
Yes |
Yes |
Yes |
Yes |
Office 365 Privileged Access Management |
No |
No |
Yes |
No |
MyAnalytics |
No |
Yes |
Yes |
Yes |
Power BI Pro |
No |
No |
Yes |
No |
Cloud App Security |
No |
No |
Yes |
No |
Microsoft Security and Compliance Center |
Yes |
Yes |
Yes |
Yes |
For organizations subscribing to Microsoft 365 Enterprise E3, it is also possible to add certain advanced E5 features in two additional subscription packages, as follows:
Identity & Threat Protection Includes Azure Advanced Threat Protection (ATP), Windows Defender Advanced Threat Protection, and Office 365 Advanced Threat Protection, as well as Microsoft Cloud App Security and Azure Active Directory Premium P2
Information Protection & Compliance Includes Office 365 Advanced Compliance and Azure Information Protection P2
Microsoft 365 F1
Microsoft envisions the Microsoft 365 product as a crucial step in an organization’s transition from traditional on-premises computing to cloud-based services. For that transition to be complete, they consider it essential for workers at all levels of the business to participate. Microsoft 365 F1 is intended for first-line workers—that is, the segment of an organization’s work force that provides that provides the first point of contact between the organization and the outside world. This refers specifically to workers in the field, in call centers, on shop floors, and in customer service roles.
The Microsoft 365 F1 subscription provides a streamlined version of the same basic functionality as the other Microsoft 365 subscriptions, including similar productivity, collaboration, and security tools but at a lower price and with limitations that are suitable to first-line workers’ typical needs. The components in the Microsoft 365 F1 subscription are as follows:
Windows 10 Enterprise
Office 365 F1 (formally Office 365 Enterprise K1)
Enterprise Mobility + Security
The primary difference in the F1 subscription, compared to the Enterprise and Business subscriptions, is that users receive access to the Office 365 productivity applications in their web and mobile versions only; the installable applications are not included. The product includes access to the Office 365 cloud-based services, including Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Microsoft Intune, Stream, Yammer, Sway, and Planner but with limitations that suit the tasks they typically perform and the devices that these workers employ, including the following:
Exchange Online mailboxes are limited to 2 GB.
SharePoint Online access is included, without personal sites, site mailboxes, or the ability to create forms.
OneDrive is limited to 2 GB of cloud storage, without desktop synchronization.
Microsoft Teams is limited to one-to-one calls only; users can join but not create meetings.
Stream is limited to consumption only; users cannot create or upload video streams.
Flow is limited to consumption only, with a limit of 750 flow runs per user per month.
Microsoft 365 F1 also includes many of the same threat protection and device management services as the Microsoft 365 Business and Enterprise E3 subscriptions. The end result is a package that enables first-line workers to fully participate in the culture and community of the organization, with access to the same productivity, collaboration, and security tools as users with Microsoft 365 Enterprise or Business subscriptions. At the same time, first-line workers can gain skills and experience with tools that can enable them to grow and develop within the work force.
Microsoft 365 Business and Enterprise feature comparison
The components and features included in the main Microsoft 365 subscriptions are shown in Table 4-1.
Note: Microsoft 365 International Users
The exact features included in the Microsoft 365 subscriptions, as well as their pricing and licensing requirements, can vary depending on the country or geographical region in which the subscription is purchased.
Microsoft 365 Government
In addition to the core Microsoft 365 subscriptions mentioned earlier, Microsoft has also created specialized packages for governmental and educational organizations that are designed to suit their specific needs. The Microsoft 365 Government G3 and G5 subscriptions contain the same tools and services found in their Enterprise E3 and E5 equivalents, but the packages are designed to adhere to the additional compliance regulations and requirements to which United States government entities are often subject.
For all the Microsoft 365 Government products, data is stored under special conditions, including the following:
All Microsoft 365 Government user content, including Exchange Online mailboxes, SharePoint Online site content, Skype for Business conversations, and Microsoft Teams chat transcripts, is stored in data centers located within the United States.
The user content generated by Microsoft 365 Government subscribers is logically segregated from commercial Microsoft 365 user content within the Microsoft data centers.
Access to Microsoft 365 Government user content within the Microsoft data centers is restricted to employees who have undergone additional security screening.
Access to the Microsoft 365 Government products is restricted to United States federal, state, local, tribal, or territorial government entities, as well as to other entities that are required to handle government data in compliance with the same regulations and requirements as a government entity. Eligibility to purchase these products is subject to verification by Microsoft using various government resources, including those of law enforcement agencies and the Department of State, as well as government standards, such as the International Traffic in Arms Regulations (ITAR) and the FBI’s Criminal Justice Information Services (CJIS) Policy.
In addition to the Microsoft 365 Government G3 and G5 subscriptions, which define the products’ feature sets, there are versions of Microsoft 365 Government that define various levels of security and compliance, including the following:
Microsoft 365 U.S. Government Community (GCC) Intended for Federal Risk and Authorization Management Program (FedRAMP) moderate risk impact situations; also complies with the Internal Revenue Service Publication 1075 standard, the U.S. Criminal Justice Information Services (CJIS) Security Policy, and the U.S. Department of Defense (DoD) Defense Information Systems Agency (DISA) Level 2 requirement for noncontrolled unclassified information.
Microsoft 365 U.S. Government Community (GCC) High Intended for FedRAMP high-impact situations; complies with the International Traffic in Arms Regulations (ITAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
Microsoft 365 DoD Restricted to the exclusive use by U.S. Department of Defense agencies; complies with the U.S. DoD Defense Information Systems Agency (DISA) Level 5 requirement for controlled unclassified information and unclassified national security systems.
In addition to the Microsoft 365 Government subscriptions, Microsoft also maintains an alternative means of accessing Office 365 cloud services, called Azure Government ExpressRoute, which is a private, dedicated network connection to the Microsoft cloud services for eligible subscribers that have regulatory requirements that prevent them from using the public Internet.
Microsoft 365 Education
Microsoft 365 Education is another specialized version of Microsoft 365 that includes additional tools and services that are specifically targeted at teachers and students. There are two subscription levels, called Microsoft 365 Education A3 and Microsoft Education A5, which correspond to the Enterprise E3 and E5 subscriptions in most of their features and services. The subscriptions include specialized versions of the three major components, as follows:
Windows 10 Education
Office 365 Education
Management & Security
Some of the tools included in the Education subscriptions are specially modified for classroom use, and there are additional educational tools included as well.
Note: Microsoft 365 Education A1
In addition to Microsoft Education A3 and A5, there is also a Microsoft Education A1 product, which is a one-time, per-device license that includes the Office 365 for the web applications and cloud-based email, Teams, video conferencing, and compliance and information-protection tools; it does not include the installable Office 365 applications and also omits some of the educational, security, and analytics tools found in the A3 and A5 subscriptions.
The education-specific modifications in the Microsoft 365 Education A3 and A5 subscriptions include the following:
OneNote Class Notebook A shared OneNote implementation that includes a collaboration space for class work, a content library for handout documents, and a personal notebook space for each student.
Yammer Academic An implementation of the Yammer private social networking service that includes school branding capability, administration capabilities that provide content management and access control.
Minecraft Education Edition with Code Builder An educational adaptation of the Minecraft game that enables students to learn how to code software by dragging and dropping visual code blocks.
Take a Test app An application that enables teachers to deploy high-stakes or low-stakes tests to students in a distraction-free environment, as shown in Figure 4-2. Once students have begun taking a test, they are not able to browse the web, print or share the screen, open other applications, use the Windows clipboard, or change system settings.
FIGURE 4-2 A test question in the Take a Test application
Set Up School PCs app An application that enables administrators or teachers to easily set up computers running Windows 10 by joining them to an Azure Active Directory tenant, installing approved applications (as shown in Figure 4-3), removing unapproved applications, configuring Windows Update to install updates outside of class time, and locking down the system to prevent its use for anything other than educational purposes.
School Data Sync (SDS) A service that uses data synchronized from a school’s Student Information System (SIS) to create Office 365 groups for Exchange Online and SharePoint Online, Microsoft Intune groups, class teams for Microsoft Teams, and class notebooks for OneNote, as shown in Figure 4-4. Also, SDS can populate many other third-party applications with student information.
FIGURE 4-3 Adding applications in the Set Up School PCs application
FIGURE 4-4 School Information System data synchronization
Office Lens A tool that uses the camera of a smartphone or tablet to take pictures of printed pages or whiteboards. This tool crops, straightens, and sharpens them, and it converts them to PDF, Word, or PowerPoint files and then saves them to a OneNote notebook, a OneDrive folder, or a local drive.
Intune for Education A streamlined version of Microsoft Intune that provides device management and application-deployment services for teacher and student devices through a web-based portal, as shown in Figure 4-5.
FIGURE 4-5 Intune for Education application deployment
Quick check
Which of the following is one of the features included in Microsoft 365 F1?
Install Office 365 on up to five devices
50 GB Exchange Online mailboxes
2 GB of OneDrive cloud storage
SharePoint Online personal sites
Quick check answer
C. Microsoft 365 F1 does not include the installable versions of the Office 365 applications, includes only 2 GB Exchange Online mailboxes, and does not include SharePoint Online personal sites.
Selling Microsoft 365
As noted elsewhere in this book, there are many IT professionals who are hesitant to buy into the idea of cloud-based services, and the cloud is the first and biggest buzzword for the Microsoft 365 product. As a result, Microsoft has devoted a great deal of time, effort, and expense to developing a product and a campaign that can convince people like these to adopt—or at least consider—Microsoft 365 as a viable route for the development of their enterprise infrastructures. The following sections discuss the key selling points for Microsoft 365 in four major areas.
Need More Review?: Microsoft 365 Key Selling Points
For additional information on Microsoft 365’s key selling points, see the “Cloud adoption showstoppers” section in Chapter 3, “Understand security, compliance, privacy, and trust in Microsoft 365.”
Productivity
Few IT professionals must be sold on the Microsoft Office productivity applications, such as Word, Excel, and PowerPoint; they are industry standards that are virtually without competition. However, there are those who do need to be sold on a cloud-based, subscription-based implementation such as Office 365 ProPlus, as opposed to on-premises versions like Office Professional Plus 2019. The selling points that make an effective case for Office 365 include the following:
Applications Some people might think that with Office 365, the productivity applications are accessible only from the cloud and that an Internet connection is required to run them. While the productivity applications are indeed accessible from the cloud with an Office 365 ProPlus subscription, such as that included in Microsoft 365, the product also includes fully installable versions of the productivity applications, just like those in Office 2019.
Devices An Office 2019 Professional Plus license enables a user to install the productivity applications on a single computer; however, with an Office 365 ProPlus subscription, a user can install the applications on up to five PC, Mac, or mobile devices and sign in to any or all them at the same time. This means that users can run the Office 365 applications on an office computer, a home computer, and a smartphone, plus two other devices, with a single license, while an Office 2019 user would need a separate license for each device.
Installation An Office 365 ProPlus license includes access to a cloud-based portal, with which users can install the productivity applications themselves on any computer. Office 2019 and other on-premises versions include no self-service portal access and require administrators to install the applications on each device.
Activation When users install the Office 365 productivity applications from the self-service portal, they are automatically activated. They remain activated as long as the computers connect to the Office Licensing Service in the cloud at least once every 30 days. If a device exceeds the 30-day requirement, Office 365 goes into reduced functionality mode, which limits the user to viewing and printing existing documents. Office 2019 and other on-premises versions in an enterprise environment require administrators to keep track of the product key for each individual license or utilize a network-based activation method, such as Key Management Service (KMS) or Multiple Activation Key (MAK). Once activated, Office 2019 installations do not require periodic reactivation.
Updates Office 365 installations are automatically updated either monthly or semi-annually with the latest security, quality, and feature updates. Office 2019 and other on-premises versions receive security updates but no feature updates. There is also no upgrade path to the next major on-premises version of Office. For example, Office 2016 users must pay full price for a new license to install Office 2019.
Support Office 2019 and other on-premises versions include free technical support for the installation process only. Office 365 subscriptions include free technical support for the life of the subscription.
Storage An Office 365 ProPlus subscription includes 1 TB of OneDrive cloud storage. Office 2019 and other on-premises versions do not include cloud storage.
Mobile apps Access to the Office mobile apps on devices with screens smaller than 10.1 inches with core editing functionality is free to everyone. Office 365 subscribers receive extra features on all the mobile apps. Users of Office 2019 or other on-premises versions do not receive the extra features.
Collaboration
The nature of collaboration in the workplace has changed, so the tools that facilitate collaboration must change with it. One of the primary advantages of cloud-based computing is that it provides users with the ability to access enterprise resources from any location. Microsoft 365 takes advantage of that benefit by making it possible to access the cloud using nearly any device with an Internet connection. Azure Active Directory and Microsoft Intune are services, based in the cloud, which provide identity and device management functions that these user connections to the cloud secure. These components, along with the increased capabilities and emphasis on smartphones and other mobile devices in the business world, have made Microsoft 365 an unprecedented platform for collaboration.
With an infrastructure in place that can provide users with all but universal access to enterprise resources, the next step toward a collaboration platform is the applications and services that enable users to communicate and share data. Microsoft 365 includes four primary collaboration services—shown in Figure 4-6—that provide different types of communication for different situations. There are also additional services that provide more specific functions for the other services.
FIGURE 4-6 Microsoft 365 collaboration services
The services that contribute to the collaboration capabilities in Microsoft 365 are as follows:
SharePoint Online Provides content storage and publishing services for group and personal intranet websites and for all the other Microsoft 365 collaboration tools. A SharePoint site can be a collaboration platform of its own, or its elements can be embedded in other service publications.
Exchange Online/Outlook Provides standard email communication, as well as calendar and scheduling functions. Email is asynchronous communication that can be one-to-one, or with the aid of distribution lists, one-to-many. Scheduling functions can be embedded in other services.
Microsoft Teams Provides synchronous chat- and call-based communication among team members that must communicate quickly and frequently. By incorporating elements from other services, such as Exchange Online scheduling, SharePoint Online content, and Stream video, Teams can function as a comprehensive collaboration platform.
Yammer Provides a group-based or company-wide private social media service that is designed to accommodate larger groups than Teams or to foster a sense of community within the enterprise. Yammer also provides a platform for the functions provided by other services, such as content from SharePoint Online sites or scheduling with Exchange Online.
Stream Provides video storage and distribution services, both directly to users in web browsers or embedded in other Microsoft 365 collaboration services, including Exchange Online, SharePoint Online, Teams, and Yammer.
Planner Provides project management services that enable users to create schedules containing tasks, files, events, and other content from Microsoft 365 services.
OneDrive for Business Provides file storage for individual users that is private unless the user explicitly shares specific documents.
Need More Review?: Microsoft 365 Collaboration Tools
For more information about the collaboration capabilities of the Microsoft 365 services, see the “Understand collaboration and mobility with Microsoft 365” section in Chapter 2, “Understand core Microsoft 365 services and concepts.”
Azure Active Directory and Office 365 Groups provide the identity-management infrastructure for all the Microsoft 365 collaborative services. This enables users and administrators to set up and use these services any way they want. However, the content from the various services is combined, there is only one set of user accounts and group memberships that applies to all of them. This turns the collection of Microsoft 365 collaboration services into a flexible and interoperable toolkit.
Microsoft has illustrated one possible scenario, shown in Figure 4-7, illustrating how workers and teams can use the Microsoft 365 collaboration services to work together by creating a digital daily plan containing specific tasks and the circumstances in which they might be performed.
FIGURE 4-7 A sample Microsoft 365 collaboration task schedule
Security
For many IT professionals who are hesitant to move their operations to the cloud, security is the biggest issue that concerns them. The idea of storing sensitive company data on Internet servers, over which they have no direct control and of which they do not even know the exact location, can be frightening. However, Microsoft has invested an enormous amount of time, effort, and expense into securing its data centers, and Microsoft 365 includes an array of security tools that subscribers can utilize to provide defense in depth against outside intrusions.
Every security situation is a matter of judgment. Administrators must evaluate the organization’s data and decide how much security it requires. In cases of highly sensitive data, the prospect of storing it in the cloud should rightly be frightening. In such cases, it might be necessary for an organization to maintain local storage and split the enterprise functionality between cloud-based and on-premises systems.
As noted elsewhere in this book, Microsoft maintains dozens of data centers around the world. The very fact that Microsoft’s cloud services are storing data for thousands of organizations means that they have the incentive and the capital to build data centers with equipment and physical security that only the largest corporations could conceivably duplicate. For most prospective Microsoft 365 subscribers, the cloud will provide greater physical security, higher availability, and more fault tolerance than they could provide themselves.
Therefore, if the Microsoft data centers can be considered safe against physical theft and most natural disasters, the remaining security concerns are centered around the protection of identities, devices, and documents. These are concerns that are a threat to any enterprise network, whether on-premises or in the cloud. Unauthorized users can conceivably gain access to sensitive data wherever it is stored, and IT professionals might try to prevent that from happening.
Security is a continuously developing challenge, with threats growing as quickly as the means to protect against them. For administrators who want to use Microsoft products to keep up with the latest developing threats, there is no question that the latest and best security tools that Microsoft makes are to be found in cloud-based platforms, such as Microsoft 365. On-premises products, such as Exchange Server and Office 2019, are being left behind in their security capabilities in favor of Software as a Service (SaaS) products like Office 365, Exchange Online, and SharePoint Online, all of which are part of the Microsoft 365 product.
The Microsoft 365 security components include the following:
Microsoft Intune Provides device and application management services that enable mobile devices to join the network if they comply with security policies that ensure they are appropriately equipped and configured
Azure Information Protection Enables users and administrators to apply classification labels to documents and implement various types of protection based on the labels, such as access restrictions and data encryption
Data Loss Prevention Enables the automated discovery of documents that contain common data patterns, such as those of credit cards and Social Security numbers, using preconfigured sensitive information types
Cloud App Security Analyzes traffic logs and proxy scripts to identify the apps that users are accessing and enables administrators to analyze app security and sanction or unsanction individual apps
Azure Active Directory Identity Protection Evaluates the sign-in activities of individual user accounts and assigns them risk levels that increment when multiple negative events occur
Azure Advanced Threat Protection Uses machine intelligence to prevent, detect, and remediate security threats unique to the Azure environment by analyzing user behavior and comparing it to known attack patterns
Microsoft Advanced Threat Analytics Captures network traffic and log information and analyzes it to identify suspicious behaviors related to known phases of typical attack processes
Another aspect of Microsoft 365 that might help to convince traditionalists that a cloud platform can be secure is its use of intelligent analysis to identify behavior indicative of an attack. Tools like Windows Defender Threat Protection gather information from Microsoft 365 devices, applications and services and use endpoint behavioral sensors, cloud security analytics, and threat intelligence to prevent, discover, investigate, and remediate potential and actual threats.
Compliance
As the proliferation and value of data increases over time, businesses, agencies, and individuals are becoming increasingly concerned with the privacy and protection of their data. To quantify the nature of this data protection, there are hundreds of regulatory bodies—both private and governmental—that publish standards for data storage and handling.
Some of the most common data privacy standards in use today are as follows:
Federal Information Security Modernization Act (FISMA) Specifies how U.S. federal agencies must protect information
Health Insurance Portability and Accountability Act (HIPAA) Regulates the privacy of personal health information
Family Educational Rights and Privacy Act (FERPA) Regulates the disclosure of student education records
Personal Information Protection and Electronic Documents Act (PIPEDA) Specifies how commercial business organizations can gather, retain, and share personal information
Gramm{{#}}8211;Leach{{#}}8211;Bliley Act (GLBA) Specifies how financial institutions must protect and share the personal information of their customers
General Data Protection Regulation (GDPR) Specifies data protection and privacy regulations for citizens of the European Union
These standards can define elements such as the following:
The controls that organizations must exercise to protect the privacy of personal data
The ways in which organizations can and cannot use personal data
The rights of government and other official agencies to access personal data held by an organization
The lengths of time an organization can and must retain individuals’ personal data
The rights of individuals to access their personal data held by organizations and correct it
Whether their adoption of certain standards is mandatory or voluntary, many organizations are concerned with whether the tools and procedures they use for storing and handling data are compliant with these standards.
Every organization must be responsible for assessing its own data resources and determining what standards should apply to them. The nature of the business in which the organization is engaged can often dictate compliance with particular standards. For example, companies in the health care industry or those with government contracts might be required by law to store, handle, and protect their data in specific ways. Indeed, there are regulatory standards to which the Microsoft 365 products on their own cannot possibly comply, such as those which require data to be stored on devices and in locations wholly owned and controlled by the organization, which preclude the use of cloud storage entirely.
However, many of the hundreds of privacy standards in use do allow the possibility of compliance when data is stored in the cloud, and Microsoft is well aware of the importance of adherence to these standards for many organizations considering a migration to the cloud. For IT professionals who are hesitant to become Microsoft 365 adopters because they fear that changing the location and the conditions of their data storage will negatively affect their compliance with standards like these, Microsoft has had their products’ compliance with many different standards tested and has published documents certifying the results.
Microsoft divides the compliance effort into three phases, as shown in Figure 4-8. The phases are described as follows:
FIGURE 4-8 Microsoft compliance phases
Assess The organization gathers the information needed to assess their current compliance status and produce a plan to achieve or maintain compliance with specific standards. Microsoft’s Service Trust Portal website contains a vast library of documents specifying information about the testing processes and the third parties involved in compliance testing. In addition, the site provides access to Compliance Manager, a risk assessment tool that organizations can use to record the actions they take to achieve compliance with specific standards.
Protect The organization implements a protection plan for their data, based on its sensitivity, using the tools provided in the Microsoft 365 services, including access control permissions, file encryption, Information Protection, and Data Loss Prevention.
Respond The organization develops protocols for responding to regulatory requests using artificial intelligence tools such as Office 365 eDiscovery to perform complex searches of Exchange Online mailboxes, Office 365 Groups, SharePoint Online and OneDrive for Business sites, and Microsoft Teams conversations.
Licensing Microsoft 365
To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL). An administrator for an organization deploying Microsoft 365 typically creates a tenancy in Azure Active Directory, purchases a specific number of USLs and then assigns them to users in the Microsoft 365 Admin Center console by selecting Licenses in the Billing menu, as shown in Figure 4-9.
FIGURE 4-9 The Licenses page in Microsoft 365 Admin Center
Global administrators or user management administrators can assign licenses to up to 20 users at once from this interface. It is also possible to assign licenses to hybrid user accounts created through Active Directory synchronization or federation, or while creating new user accounts in the Microsoft 365 Admin Center.
Assigning a Microsoft 365 license to a user causes the following events to occur:
Exchange Online creates a mailbox for the user
SharePoint Online grants the user edit permissions for the default team site
Office 365 ProPlus enables the user to download and install the Office 365 productivity applications on up to five devices
From the Purchase Services page in the Admin Center, administrators can also purchase additional Microsoft 365 USLs or licenses for add-on products, as shown in Figure 4-10.
FIGURE 4-10 The Purchase Services page in Microsoft 365 Admin Center
Microsoft offers four different USL types for each of the Microsoft 365 products, depending on the purchaser’s existing relationship with the company, as follows:
Full USL A complete Microsoft 365 license for new purchasers that do not have existing Microsoft product licenses or for owners of on-premises Microsoft product licenses that do not include Software Assurance, Microsoft’s software maintenance agreement.
Add-on USL A license for purchasers with existing on-premises Microsoft product licenses that include Software Assurance and who want to maintain their on-premises infrastructure while adding Microsoft 365 cloud services in a pilot or hybrid deployment.
From SA USL A license for purchasers with existing on-premises Microsoft product licenses that include Software Assurance and who want to transition to a cloud-based infrastructure with continued Software Assurance for the Microsoft 365 product. Qualifying purchasers can only obtain From SA USLs at their contract renewal time, and they must maintain their existing Software Assurance agreement. A Microsoft 365 Software Assurance agreement includes cloud-oriented benefits, such as Deployment Planning Services, Home Use Program, online user training courses, and additional support incidents.
Step-up USL A license for current Microsoft customers who want to upgrade their subscriptions during an existing enrollment or agreement period, such as from Office 365 to Microsoft 365 or from Microsoft 365 Business to Microsoft 365 Enterprise E3.
Because the Add-on USLs, From SA USLs, and Step-up USLs are intended for existing Microsoft customers, their prices reflect significant discounts from the Full USL price.
Need More Review: Microsoft 365 Payment Models
For a discussion of Microsoft billing and payment practices, see the “Plan, predict, and compare pricing” section, later in this chapter.
Implementing best practices
As mentioned throughout this book, the Microsoft 365 product is a bundle consisting of Windows, Office 365, and Enterprise Mobility + Security, all of which continue to be available as separate subscriptions. In addition, there are subscriptions available for combinations of individual features within these products, such as the Identity & Threat Protection and Information Protection & Compliance packages.
Finally, to complicate the picture even further, it is possible to combine different licenses in a single Azure Active Directory tenancy. With all these options available, organizations that are contemplating a migration to a cloud-based infrastructure, or that are thinking of adding cloud services to an on-premises infrastructure, should undertake to design a licensing strategy that will fulfill all the following requirements:
Provide the organization’s users with the services they need
Avoid providing users with unnecessary services that complicate the maintenance and support processes
Minimize subscription costs
Generally speaking, a Microsoft 365 subscription will likely be significantly less expensive than purchasing subscriptions for each of its components separately. This might be true even if there are some users who do not need all the Microsoft 365 components.
Obviously, the simplest solution is to choose one Microsoft 365 product and purchase the same subscription for all the organization’s users. This can easily fulfill the first of the requirements but might not be a solution for the other two.
Depending on the nature of the business the organization is engaged in, an Enterprise E5 subscription might be suitable for some users, but there might also be many workers who do not need all the applications and services included in Enterprise E5. Depending on the number of users in each group, the expense of purchasing E5 subscriptions for everyone could be extremely wasteful and require additional administrative effort to provide customized environments for the different user groups. This is one of the primary reasons why Microsoft offers the Microsoft 365 F1 subscription for first-line workers.
Note: Microsoft 365 F1
For more information on the Microsoft 365 F1 package, see the “Microsoft 365 F1” section, earlier in this chapter.
Quick check
Which of the following is not one of the three phases of the Microsoft compliance effort?
Simplify
Assess
Protect
Respond
Quick check answer
A. The three phases of the Microsoft compliance effort are Assess, Protect, and Respond. Simplify is not one of the three phases.
Therefore, the best practice is to compare the features included in each of the Microsoft 365 licenses with the requirements of the various types of users in the organization. In a large enterprise, this can be a complicated process, but in the case of a major migration like this, prior planning is crucial and can save a great deal of expense and effort.
Skill 4.2: Plan, predict, and compare pricing
Cost is always a factor when considering the introduction of a new technology into a business network, and the question of whether Microsoft 365 is an economically sound choice when compared to a traditional on-premises network infrastructure is a complicated one. Every organization contemplating an entry into cloud-based computing must factor the results of a cost-benefit analysis (CBA) into its decision. However, in a comparison of Microsoft 365 to on-premises server products, it is not just a matter of how much the technologies cost but also when the costs are incurred.
Cost-benefit analysis for cloud vs. on-premises networks
Evaluating the total cost of ownership (TCO) for a Microsoft 365 implementation is the relatively simple part of a cost-benefit analysis. There is a monthly or annual fee for each Microsoft 365 user subscription and those subscriber fees are predictable and ongoing. Contracts might be renewed with different prices at intervals, but those costs still remain predictable. It is possible that costs could rise precipitously in the future when the contracts are renewed, and the subscriber might feel locked in to one provider, but that is a risk with any software product.
Predicting the cost of an on-premises network is more difficult. It is common for businesses to categorize their expenses by distinguishing between two types of expenditures, as follows:
Capital expenditures (CapEx) is money spent on fixed assets, such as buildings, servers and other hardware, deployment expenses, and purchased software.
Operational expenditures (OpEx) is ongoing expenses, such as rent, utilities, staff, and maintenance.
The basic differences between CapEx and OpEx expenditures are shown in Table 4-2.
TABLE 4-2 Capital expenditures versus operational expenditures
|
CAPITAL EXPENDITURES (CAPEX) |
OPERATIONAL EXPENDITURES (OPEX) |
PURPOSE |
Hardware and software assets with at least one year of usefulness |
Ongoing business costs |
PAYMENT |
Initial lump sum |
Recurring monthly or annual |
ACCOUNTING |
Three or more years of asset depreciation |
Current month or year |
DESCRIPTION |
Property, equipment, software |
Operating costs |
TAXES |
Multiple years of deduction based on depreciation |
Current year deduction |
For a Microsoft 365 shop, nearly all the expenses are OpEx, including the subscription fees. There are virtually no CapEx expenses involved, except perhaps for things like initial cloud training for administrators. Businesses like working with OpEx expenses because they enable them to create accurate budgets and forecasts.
For an on-premises network, the CapEx outlay required to set up the infrastructure can be enormous, including the cost of building and equipping data centers and purchasing server software products. Depending on the nature of the business and the sensitivity of the data involved, these expenses can by multiplied by the need for redundant data centers and equipment. These are big expenses that must be paid before the network can even go live. These CapEx costs can be amortized or depreciated in the company’s accounts over a period of years, but the initial investment is substantial compared to that of a cloud-based network, which requires almost none.
An on-premises network has OpEx expenses as well, including rent, power and other utilities data centers require, and the salaries of the staff needed to operate and maintain the data center equipment. There are also expensive software upgrades to consider every two to three years. The main cost benefit of an on-premises network is that hardware and software are purchased outright and do not require monthly subscription fees.
There are other factors to consider as well. When designing an on-premises network, the organization must consider the possibility of future growth, as well as seasonal business fluctuations. Therefore, the already substantial CapEx outlay can be increased by the cost of the additional data center space and equipment needed to support the busiest times of the year, as well as several years of predicted growth.
A cloud-based infrastructure like that of Microsoft 365 uses a pay-as-you-go model, which can accommodate virtually unlimited growth and occasional business fluctuations with no extra expenses other than the increased subscription fees for the extra services. The organization is never paying for hardware and software that isn’t being used. In addition, the growth and fluctuations can be accommodated almost immediately and downsized when necessary, while on-premises resources can require months to approve, obtain, and install.
The entire cost-benefit analysis can be complicated further if the organization has already made a substantial investment in on-premises infrastructure. For example, if the company that is expanding already has sufficient space in its data centers and sufficient IT staff, the CapEx needed for a network expansion can be much less than it would be for an entirely new network installation. The question then becomes whether it is more economical to add to the existing on-premises infrastructure or expand into the cloud, creating a hybrid network that might require additional planning and training to bring personnel up to speed in cloud technologies.
Therefore, the end result can only be that every organization must consider its own economic, personnel, and business situations and calculate the TCO of its network options for itself. In a new deployment, a subscription-based, cloud-based option, such as Microsoft 365, can be faster and less expensive to implement, but there are many situations in which organizations might be compelled to consider an on-premises network instead.
Exam Tip
Candidates for the MS-900 exam seeking greater familiarity with the characteristics of cloud-based services versus on-premises services should also consult the “Compare core services in Microsoft 365 with corresponding on-premises services” section in Chapter 2.
Volume licensing
It is possible for organizations to purchase Microsoft 365 subscriptions directly from Microsoft individually or by using a variety of volume licensing agreements, including the following:
Enterprise Agreement (EA) A volume licensing agreement for organizations with at least 500 users or devices seeking to license software for a period of at least three years, which provides discounts of 15 to 45 percent based on the number of users. Available with up-front or subscription payment terms, the agreement includes Software Assurance and the ability to add users and services during the life of the agreement.
Microsoft Products and Services Agreement (MPSA) An ongoing, partner-based, transactional license agreement for organizations with 250 to 499 users or devices that optionally includes Software Assurance and requires no organization-wide commitment.
Cloud Solution Provider (CSP) A partner-based licensing channel that enables organizations of all sizes to obtain Microsoft 365 products through an ongoing relationship with a selected partner.
Software assurance
For Enterprise Agreement and, optionally, for Microsoft Products and Services Agreement customers, Software Assurance provides a variety of additional services, including the following, which can benefit Microsoft 365 licensees:
Planning Services Provides a number of partner service days, based on the number of users/devices licensed, for the purpose of deploying Microsoft operating systems, applications, and services.
Microsoft Desktop Optimization Pack (MDOP) Provides a suite of virtualization, management, and restoration utilities, including Microsoft Application Virtualization (App-V), Microsoft User Experience Virtualization (UE-V), Microsoft BitLocker Administration and Monitoring (MBAM), and Microsoft Diagnostics and Recovery Toolset (DaRT).
Windows Virtual Desktop Access Rights (VDA) Provides users with the rights needed to access virtualized Windows instances.
Windows to Go Use Rights Enables administrators to create and furnish users with USB storage devices containing bootable Windows images that include line-of-business applications and corporate data.
Windows Thin PC Enables administrators to repurpose older computers as Windows Virtual Desktop Interface (VDI) terminals.
Enterprise Source Licensing Program Provides organizations with at least 10,000 users or devices with access to the Windows source code for their own software development projects.
Training Vouchers Provides a number of training days based on the number of users/devices licensed for the technical training of IT professionals and software developers.
24x7 Problem Resolution Support Provides 24x7 telephone support for business-critical issues and business hours or email support for noncritical issues. The number of incidents allowed is based on the type of volume licensing agreement and the products licensed.
Step-up License Availability Provides licensees with the ability to migrate their licensed software products to a high-level edition.
Spread Payments Enables organizations to pay for three-year license agreements in three equal, annual payments.
Note: Additional Software Assurance Benefits
There are additional Software Assurance benefits included that are intended for on-premises server software licensees, such as New Version Rights, which provides the latest versions of the licensed software released during the term of the agreement, and Server Disaster Recovery Rights and Fail-Over Rights, which provide licensees the right to maintain passive redundant servers for fault-tolerance purposes.
Cloud solution providers
The Cloud Solution Provider (CSP) program enables partners to establish ongoing relationships with end-user organizations of all sizes and provide them with sales and support for Windows 10 and all the Microsoft 365 Enterprise, Business, and Education products. Members of the Microsoft Partner Network can become CSPs and play a more prominent part of their customers cloud solutions.
Rather than simply reselling products, such as Windows 10 and Microsoft 365, a CSP can be a customer’s single contact for everything from providing solutions, to billing, to providing technical support. CSP partners can enhance their relationships with their customers by adding value to the Microsoft products, such as by bundling industry-specific software products with Microsoft 365 or by offering managed services, such as data migrations and internal help desk support. CSP partners can also offer Microsoft products that were previously unavailable to smaller companies. For example, at one time, Windows 10 Enterprise was available only to customers with a Microsoft Volume Licensing Agreement; CSP partners can now offer the Enterprise edition of the operating system to small- and medium-sized companies.
Depending on the capabilities of the Microsoft partner, the CSP program operates in two ways—direct (Tier 1) and indirect (Tier 2)—as shown in Figure 4-11.
FIGURE 4-11 The Microsoft Cloud Solution Provider partner options
The CSP direct model enables the partners to work directly with Microsoft and function as their customers’ sole point of contact. The CSP direct partner is the only conduit between Microsoft’s products and services and the customer. For a partner to participate in the CSP direct model, the partner’s company must have existing billing and technical support infrastructures. The customer’s entire relationship is with the partner; they have no direct contact with Microsoft at all. The CSP partner’s relationship with Microsoft and with their customers proceeds as follows:
The CSP partner cultivates customers, sells them on Microsoft 365 and/or other Microsoft cloud-based subscription products, and sets them a price based on both the cost of the subscriptions and the added value the CSP partner provides.
The CSP partner sets up the customer’s tenancy in Azure Active Directory and provides them with the necessary software, such as Windows 10 and any other products they might include in the customer’s negotiated package.
The customer uses the supplied Microsoft products and contacts the CSP partner for any support issues they might have.
Each month, Microsoft uses the Partner Center portal to bill the CSP partner for all the user subscriptions they have sold to their customers.
The CSP partner bills the customers at their negotiated rate for the Microsoft subscriptions, technical support, and other services.
The upside of this model is that the relationship with the customers is wholly in the hands of the CSP partners. They are responsible for building and maintaining relationships with their customers, and they can establish whatever prices they feel are appropriate for their services. However, this responsibility also means that a CSP partner must have a company infrastructure that can fulfill all the customers’ needs without any help from Microsoft.
For partners that do not have the infrastructure to handle all the billing and support issues that their customers might require, there is the CSP indirect model, which defines two levels of partners, as follows:
Indirect provider Typically, this is a larger company engaged by indirect resellers to take on the responsibility for supplying products, customer service, billing, and technical support services to customers. Some indirect providers are also willing to provide indirect resellers with other types of assistance, such as technical training and marketing; some also provide financing and credit terms.
Indirect reseller Typically, these are smaller companies or individuals who concentrate on locating, cultivating, and signing customers for Windows 10, Microsoft 365, and other cloud-based products and services. To become an indirect reseller, an individual or firm must do the following:
Join the Microsoft Partner Network (MPN) and obtain an ID
Enroll in the CSP program as an indirect reseller by supplying an MPN ID, business address, banking information, and a contact email address
Establish a relationship with an indirect provider, to obtain product, billing, and support services
The CSP indirect partner model enables individual consultants or small consulting companies to sign up as indirect resellers and concentrate on locating customers and developing relationships with them, rather than concentrating on back-end services, such as billing and support.
Quick check
What is the difference between a Cloud Solution Provider that is an indirect reseller and one that is an indirect provider?
Quick check answer
Typically, an indirect reseller is a smaller company that concentrates on locating, cultivating, and signing customers for Microsoft cloud-based products and services. An indirect provider is a larger company engaged by indirect resellers to take on the responsibility for supplying products, customer service, billing, and technical support services to customers.
Billing and bill management
Subscription-based products like Microsoft 365 require regular attention to billing to keep them current. If subscriptions are allowed to lapse, they become unusable. For example, if an Office 365 subscription is allowed to lapse, or if the computer does not connect to the cloud at least every 30 days, it deactivates and goes into reduced functionality mode. In this mode, users can view or print their existing documents, but they cannot create or edit new ones.
The Billing menu in the Microsoft 365 Admin Center is where administrators can manage all aspects of the billing process. The menu contains the following items:
Purchase Services Contains tiles with cloud-based subscription products that administrators can add to their tenancies
Products & Services Lists the subscriptions that are currently active and specifies how many licenses have been assigned and any balance that is due, as shown in Figure 4-12
FIGURE 4-12 The Products & services page in the Microsoft 365 Admin Center
Licenses Contains a list of the subscriptions the tenancy currently possesses and specifies how many licenses are assigned. Selecting a subscription displays a list of the users to which licenses have been assigned and enables administrators to create new assignments.
Bills & Payments Displays a history of the invoices for the current subscriptions, the payment methods configured by the administrator, and the payment frequency (monthly or annual).
Billing Accounts Displays the account profile of the legal entity in the subscriber’s organization responsible for signing software agreements and making purchases, as well as a list of the subscriber’s partnerships.
Payment Methods Displays a list of the subscriber’s current payment methods and enables the addition of new ones.
Billing Notifications Displays a list of the users who will receive billing notifications and renewal reminders from Microsoft, as shown in Figure 4-13.
FIGURE 4-13 The Billing Notifications page in the Microsoft 365 Admin Center
For Microsoft partners, there is a Billing menu in the Partner Center console that displays the invoices from Microsoft for the products that the partners have resold to customers. Microsoft bills partners for the license and usage fees of their customers 60 days in arrears, so that the partners have time to collect. This Billing menu only handles the charges that partners remit to Microsoft. There are no conditions or requirements in the partnership agreement about how or when the partners invoice their customers and collect their payments.
Skill 4.3: Describe support offerings for Microsoft 365 services
For many IT professionals, there are important concerns about what happens after their organization commits itself to the use of cloud-based applications and services. These issues include concerns about downtime, monitoring the continuity of the Microsoft services, and the product support provided by Microsoft and its partners.
Service level agreements
When an enterprise uses on-premises servers, they know issues they experience that prevent the servers from functioning are their problem, and they must have the resources to resolve them. This is why organizations often use redundant components, servers, or even data centers to keep business-critical services available. Many IT professionals prefer this self-reliance; by planning and implementing their services correctly, they can be confident of their continued functionality. An enterprise that uses cloud-based services, however, must rely on others to keep its services running.
For IT professionals, service outages are one of the potential showstopper issues for the adoption of Microsoft 365 and other cloud-based services. If the services suffer downtime, business stops. While it might not be the IT professionals’ fault, it is their responsibility. What is worse, there is nothing they can do about it except call the provider and shout at them. Depending on the nature of the organization’s business, service downtime can result in lost productivity, lost income, and in extreme cases, even lost lives.
To address this issue, contracts with cloud service providers typically include a service level agreement (SLA). The SLA guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met. It is important to remember that an organization usually has more than one service provider that is needed to access the cloud. For example, an organization can contract with Microsoft for a certain number of Microsoft 365 subscriptions, but the reliability specified in Microsoft’s SLA means nothing if the organization’s Internet service provider (ISP) fails to provide them with access to the cloud. Therefore, an organization should have a contract with every cloud service provider they use that includes SLA terminology.
When negotiating an SLA with any cloud service provider or Internet service provider, there should be language included to address questions like the following:
What formula is used to calculate the service levels that are actually achieved?
Who is responsible for maintaining records of service levels?
How and when is the subscriber provided with written reports of the service levels achieved?
Are the exceptional circumstances specified in the SLA under which service outages are not classified as downtime?
How much downtime is expected or allowable for the provider’s maintenance, both scheduled and emergency?
What are the terms of the agreement regarding service interruptions that are the result of acts of war, extreme weather, or natural disasters?
What are the terms of the agreement regarding service interruptions that are caused by third-party services, such as power outages?
What are the terms of the agreement regarding service interruptions that are the result of malicious cyberattacks against the provider?
What are the terms of the agreement regarding service interruptions that are the result of malicious cyberattacks against the subscriber?
What remedy or penalty does the provider supply when they fail to meet the agreed upon service levels?
What is the liability to which the provider is subject when service interruptions cause a loss of business or productivity?
These questions are designed to quantify the nature of the SLA and how it can legally affect the relationship between the provider and the subscriber. For example, a provider can guarantee a 99 percent uptime rate. However, without specific language addressing the point, there is no way to determine exactly what constitutes uptime or downtime. What if a service is only partially operational, with some tasks functional and others not? Does that constitute downtime? There is also the question of what happens when downtime in excess of the guaranteed amount does occur. Is it the responsibility of the subscriber to make a claim? If excessive downtime does occur, is the provider responsible for the subscriber’s lost business during that downtime or just for a prorated amount of the subscription fee? If issues like these are not discussed with specific language in the SLA, then they are potential arguments that the provider can use to avoid supporting their uptime guarantee.
SLA Limitations
As an example of the terms that might appear in an SLA to limit the responsibility of the cloud service provider, consider the following excerpt from Microsoft’s SLA for Azure Active Directory:
This SLA and any applicable Service Levels do not apply to any performance or availability issues:
Due to factors outside our reasonable control (for example, natural disaster, war, acts of terrorism, riots, government action, or a network or device failure external to our data centers, including at your site or between your site and our data center);
That result from the use of services, hardware, or software not provided by us, including, but not limited to, issues resulting from inadequate bandwidth or related to third-party software or services;
That results from failures in a single Microsoft Datacenter location, when your network connectivity is explicitly dependent on that location in a non-geo-resilient manner;
Caused by your use of a Service after we advised you to modify your use of the Service, if you did not modify your use as advised;
During or with respect to preview, pre-release, beta or trial versions of a Service, feature or software (as determined by us) or to purchases made using Microsoft subscription credits;
That result from your unauthorized action or lack of action when required, or from your employees, agents, contractors, or vendors, or anyone gaining access to our network by means of your passwords or equipment, or otherwise resulting from your failure to follow appropriate security practices;
That result from your failure to adhere to any required configurations, use supported platforms, follow any policies for acceptable use, or your use of the Service in a manner inconsistent with the features and functionality of the Service (for example, attempts to perform operations that are not supported) or inconsistent with our published guidance;
That result from faulty input, instructions, or arguments (for example, requests to access files that do not exist);
That result from your attempts to perform operations that exceed prescribed quotas or that resulted from our throttling of suspected abusive behavior;
Due to your use of Service features that are outside of associated Support Windows; or
For licenses reserved, but not paid for, at the time of the Incident.
These limitations are not standard for all SLAs, but they are typical.
As with any contract, an SLA is a contract, and the language should be negotiable; both parties must agree to all the final terms. If a provider refuses to negotiate the terms of the SLA or modify any of its language, this should set off alarms for the potential subscriber. The alternatives in this instance are to either find a different service provider or purchase insurance to cover the organization for any losses they might incur as a result of service interruptions that are not covered by the SLA.
In the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services document, dated August 1, 2019, the terms for each of the individual cloud services are listed with the following information:
Downtime Specifies exactly what type or types of service interruption legally constitute downtime in the terms of the agreement. Some of the definitions of downtime for cloud services included in Microsoft 365 are shown in Table 4-3.
Monthly Uptime Percentage Specifies the formula by which the percentage of uptime is calculated for each month, taking into account the number of minutes the service was considered to be down, and the number of user licenses affected by the outage. For example, the following formula subtracts the total number of downtime minutes for all the users from the total user minutes and calculates a percentage from that:
Service Credit Specifies the percentage of the monthly subscription fee that will be credited to the subscriber’s account, based on the calculated monthly uptime percentage. Microsoft’s SLA guarantees 99.9 percent uptime, so the service credit for months that do not meet that percentage are calculated as shown in Table 4-4.
Additional Terms Identifies other parts of the document that might define other conditions constituting a refundable service outage. For example, a failure of Exchange Online to detect viruses or filter spam as agreed in the SLA can qualify for a service credit, even if no downtime occurs.
TABLE 4-3 Definitions of downtime in the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services
CLOUD SERVICE |
DEFINITION OF DOWNTIME |
Azure Active Directory Premium |
Any period of time when users are not able to log in to the service, log in to the Access Panel, access applications on the Access Panel and reset passwords or any period of time IT administrators are not able to create, read, write and delete entries in the directory and/or provision/deprovision users to applications in the directory. |
Exchange Online |
Any period of time when users are unable to send or receive email with Outlook Web Access. |
Microsoft Teams |
Any period of time when users are unable to see presence status, conduct instant messaging conversations, or initiate online meetings. |
Office 365 ProPlus |
Any period of time when Office applications are put into reduced functionality mode due to an issue with Office 365 activation. |
Office Online |
Any period of time when users are unable to use the web applications to view and edit any Office document stored on a SharePoint Online site for which they have appropriate permissions. |
OneDrive for Business |
Any period of time when users are unable to view or edit files stored on their personal OneDrive for Business storage. |
SharePoint Online |
Any period of time when users are unable to read or write any portion of a SharePoint Online site collection for which they have appropriate permissions. |
Yammer Enterprise |
Any period of time greater than 10 minutes when more than 5 percent of users are unable to post or read messages on any portion of the Yammer network for which they have appropriate permissions. |
Microsoft Intune |
Any period of time when the customer’s IT administrator or users authorized by customer are unable to log in with proper credentials. Scheduled downtime will not exceed 10 hours per calendar year. |
Microsoft Defender Advanced Threat Protection |
The total accumulated minutes that are part of the maximum available minutes in which the customer is unable to access any portion of a Microsoft Defender Advanced Threat Protection portal site collections for which they have appropriate permissions and customer has a valid, active license. |
TABLE 4-4 Service credit for monthly uptime percentages in the Microsoft Volume Licensing Service Level Agreement for Microsoft Online Services
MONTHLY UPTIME PERCENTAGE |
SERVICE CREDIT |
Greater than or equal to 99.9 percent |
0 percent |
Less than 99.9 percent |
25 percent |
Less than 99 percent |
50 percent |
Less than 95 percent |
100 percent |
Microsoft requires subscribers to file a claim for service credits, containing evidence of the outages, as described in the following SLA excerpt:
In order for Microsoft to consider a claim, you must submit the claim to customer support at Microsoft Corporation including all information necessary for Microsoft to validate the claim, including but not limited to: (i) a detailed description of the Incident; (ii) information regarding the time and duration of the Downtime; (iii) the number and location(s) of affected users (if applicable); and (iv) descriptions of your attempts to resolve the Incident at the time of occurrence.
Generally speaking, it appears as though the SLA for Microsoft’s online services is rarely even needed. Table 4-5 lists the worldwide quarterly uptime percentages for the Office 365 cloud services since 2017, and none of the figures even comes close to dropping below the guaranteed 99.9 percent. This is not to say that there weren’t a few isolated outages resulting in service credits, but the overall record for the Office 365 products is an impressive one.
TABLE 4-5 Quarterly Uptime Percentages for Office 365, 2017 to 2019
YEAR |
QUARTER 1 |
QUARTER 2 |
QUARTER 3 |
QUARTER 4 |
2017 |
99.99 percent |
99.97 percent |
99.98 percent |
99.99 percent |
2018 |
99.99 percent |
99.98 percent |
99.97 percent |
99.98 percent |
2019 |
99.97 percent |
99.97 percent |
|
|
Creating support requests
The support that subscribers receive for Microsoft 365 depends on their subscription level and how they obtained it. Nearly every page in the Microsoft 365 Admin Center console has a Need help? button in the bottom-right corner, and there is a Support menu that enables administrators to search for help with specific problems and create a support request when a solution is not available in the existing help information. Telephone and email support are also available.
To prevent excessive use and abuse of its support services, Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites. Table 4-6 lists some of the responsibilities for each of these entities.
TABLE 4-6 Responsibilities of Microsoft 365 administrators and Microsoft Support
MICROSOFT 365 ADMINISTRATOR RESPONSIBILITIES |
MICROSOFT SUPPORT RESPONSIBILITIES |
Service setup, configuration, and maintenance |
Respond to support issues submitted by subscribers |
User account creation, configuration, and maintenance |
Gather information about technical support issues from subscribers |
Primary support contact for enterprise users |
Provide subscribers with technical guidance for submitted issues |
Gather information from users about technical support issues |
Troubleshoot subscriber issues and relay pertinent solution information |
Address user software installation and configuration issues |
Maintain communication with subscribers regarding ongoing service issues |
Troubleshoot service availability issues within the bounds of the organization |
Provide guidance for presales and trial-edition evaluators |
Utilize Microsoft online resources to resolve support issues |
Provide licensing, subscription, and billing support |
Authorization and submission of support issues to Microsoft |
Gather customer feedback for service improvement purposes |
Microsoft 365 administrators are expected to do what they can to address a support issue before submitting a support request to Microsoft. There are considerable Microsoft online support, training, blog, and forum resources available for this purpose, including the following:
Microsoft Support (support.microsoft.com)
Office Help & Training (support.office.com)
Microsoft Community (answers.microsoft.com)
Microsoft 365 Tech Community (techcommunity.microsoft.com/t5/Microsoft-365/ct-p/microsoft365)
When an administrator clicks the Need Help? button in the Microsoft 365 Admin Center console or opens the Support menu and selects New Service Request, a Need Help? pane appears, prompting you for a description of the issue. Based on the furnished description, relevant material appears, such as step-by-step procedures and links to product documentation that might be helpful, as shown in Figure 4-14.
FIGURE 4-14 The Need Help? pane from the Microsoft 365 Admin Center
At the bottom of the Need Help? pane is a Contact Support link that opens the pane shown in Figure 4-15. In this pane, the administrator can provide a more detailed description of the issue, add contact information, specify time zone and language references, and attach documents pertinent to the issue.
FIGURE 4-15 The Contact support pane from the Microsoft 365 Admin Center
The support that Microsoft provides with the Microsoft 365 product is intended primarily to provide help with service installation and configuration issues, such as the following:
Azure Active Directory Domain setup, synchronization with on-premises Active Directory Domain Services, and single sign-on configuration
Microsoft 365 Service configuration issues
Exchange Online Mailbox migration and configuration, autodiscover configuration, setting mailbox permissions, sharing mailboxes, and creating mail forwarding rules
SharePoint Online Creation of user groups, assigning site permissions, and external user configuration
Office 365 ProPlus Office application installation on various device platforms
Microsoft Teams Setup of a Teams environment and creating contacts
Microsoft Intune Mobile device and application management setup
When subscribers submit support requests to Microsoft, they go through a triage process and are assigned a severity level, using the values shown in Table 4-7.
TABLE 4-7 Microsoft Support severity levels
SEVERITY LEVEL |
DESCRIPTION |
EXAMPLES |
Critical (Sev A) |
|
|
High (Sev B) |
|
|
Non-critical (Sev C) |
|
|
After submitting support requests, administrators can monitor their progress in the Microsoft 365 Admin Center by selecting View Service Requests from the Support menu to display a list of all the support tickets associated with the account.
All Microsoft 365 subscriptions include access to basic support services, but for some types of subscribers or subscribers with special needs, there are alternative methods for obtaining support, such as the following:
FastTrack Microsoft’s FastTrack program uses a specialized team of engineers and selected partners to provide subscribers transitioning to the cloud with assistance in the envisioning, onboarding, and ongoing administration processes. Subscribers participating in this program are provided with a contact to which they can turn for support issues during the FastTrack transition.
Volume Licensing Subscribers with an Enterprise Agreement or a Microsoft Products and Services Agreement that includes Software Assurance receive a specified number of support incidents as part of their agreement. The Software Assurance program includes 24x7 telephone support for business-critical issues and business hours or email support for noncritical issues.
Cloud Solution Providers For subscribers that obtain Microsoft 365 through a Cloud Solution Provider (CSP), the CSP should be their first point of contact for all service and support issues during the life of the subscription. The reseller agreement between CSPs and Microsoft calls for the CSP to take on full responsibility for supporting their customers, although the CSP can still escalate issues to Microsoft when they cannot resolve them on their own.
Microsoft Professional Support Subscribers with support issues that go beyond the standard service provided with Microsoft 365 can use Microsoft Professional Support to open support requests on a pay-per-incident basis, as shown in Figure 4-16. Individual incidents are available, as are five-packs of incidents.
FIGURE 4-16 The New Support Request screen in Microsoft Professional Support
Microsoft Unified Support Subscribers can purchase a Microsoft Unified Support plan in addition to their Microsoft 365 subscriptions. Microsoft Unified Support is available at three levels: Core Support, Advanced Support, and Performance Support; each level provides increasing levels of included support hours, incident response times, and access to a technical account manager (TAM), along with increasing prices. Customers also receive access to the Microsoft Services Hub, a support portal that provides forms for submitting support requests (as shown in Figure 4-17), access to ongoing Microsoft support incidents, tools for assessing enterprise workloads, and on-demand education and training materials.
FIGURE 4-17 The Create A New Support request screen from the Microsoft Services Hub
Determining service health
Monitoring the continuous operation of the Microsoft 365 services is a critical part of the administration process, and the Microsoft 365 Admin Center includes a Health menu that provides a real-time display of the status of the individual services when administrators select the Service Health option, as shown in Figure 4-18.
FIGURE 4-18 The Service Health page in the Microsoft 365 Admin Center
In addition to displaying the services that are healthy, the Service Health screen also lists other service status conditions, as follows:
Advisories Indicates that the service is still available but that there is a known condition inhibiting its performance. The condition might cause intermittent interruptions, affect only some users, or be limited in scope. In some cases, a workaround might be available.
Incidents Indicates that a critical issue has been discovered that is rendering all or a significant part of the service unavailable or unusable. Typically, incidents are updated on their detail pages with information about the investigation, mitigation, and resolution of the issue.
Selecting the Advisories tab on the Service Health page displays details about the current advisories, as shown in Figure 4-19, including the service affected, its current status, and the time the advisory was posted. The Incidents page displays the same information about more serious occurrences. The History page lists all the incidents and advisories that have occurred during the last 7 or 30 days.
FIGURE 4-19 The Advisories tab of the Service Health page in the Microsoft 365 Admin Center
The Status indicators on the Service Health pages can have values such as the following:
Investigating Indicates that Microsoft is aware of the issue and is currently gathering information prior to taking action
Service Degradation Indicates that the service is experiencing intermittent interruptions, performance slowdowns, or failure of specific features
Service Interruption Indicates that a significant, repeatable issue is occurring, which is preventing users from accessing the service
Restoring Service Indicates that the cause of the issue has been determined and remediation is underway, which will result in service restoration
Extended Recovery Indicates that remediation of the issue is in progress, but restoring service for all users may take some time or that an interim fix is in place that restores service until a permanent solution is applied
Investigation Suspended Indicates that Microsoft is awaiting information from subscribers or other parties before the issue can be diagnosed or further action can be taken
Service Restored Indicates that Microsoft has taken corrective action to address the issue and has successfully brought the service back to a healthy state
Post-Incident Report Published Indicates that documentation on the issue has been published containing an explanation of the root cause and steps to prevent a reoccurrence
Each advisory or incident includes a detail page containing more information, as shown in Figure 4-20. This information may include a greater elaboration on the user impact of the advisory or incident and a log of its status as it proceeds through the process of being addressed, documented, and resolved.
FIGURE 4-20 An advisory detail page in the Microsoft 365 Admin Center
When an incident that prevents administrators from signing in to the Microsoft 365 Admin Center console, there is a separate Microsoft 365 Service Health Status page available at status.office365.com that indicates the health of the Microsoft 365 service itself, as shown in Figure 4-21.
FIGURE 4-21 The Microsoft 365 Service Health Status page
The Service Health pages in the Microsoft 365 Admin Center do not contain planned maintenance events that might cause interruptions in service. For information about these interruptions, see the Message Center page, accessible from the Health menu, as shown in Figure 4-22.
FIGURE 4-22 The Message Center page in the Microsoft 365 Admin Center
Skill 4.4: Understand the service lifecycle in Microsoft 365
With the introduction of their subscription-based software products, such as Microsoft 365, Microsoft has had to redefine its service lifecycle policies. The service lifecycle defines how long a particular product continues to be supported by Microsoft through the release of software updates, the acceptance of feature design requests, and the availability of product support. Microsoft now has two lifecycle policies, as follows:
Fixed Lifecycle Policy Applies to permanently licensed products available through retail purchase or volume licensing channels and defines a 10-year period of support; the license remains valid after this time, but support is discontinued.
Modern Lifecycle Policy Applies to subscription-based products and services that are licensed continuously and for which the support is ongoing, as long as the customer stays current by applying all servicing updates within a specified time period.
In the Fixed Lifecycle policy, the 10-year support period is split into two phases: Mainstream Support and Extended Support.
Mainstream Support During the five-year Mainstream Support phase, the product receives both security and feature updates, incident support is available, and feature enhancement requests are accepted.
Extended Support After the Mainstream Support period expires, the product enters a five-year Extended Support phase in which only security updates are released, and support is only available on a paid basis. At the end of the Extended Support phase, the product enters the Beyond End of Support phase, in which no updates are released, and only paid support is available.
The Modern Lifecycle Policy is intended for products for which development and support is ongoing, such as Microsoft 365. There is no set end to the lifecycle, so subscribers continue to receive both security and nonsecurity updates, feature updates, and new product builds. Telephone and online support is ongoing. When Microsoft decides to end support for a product governed by the Modern Lifecycle Policy without providing a replacement or successor product, they provide a minimum of 12 months’ notice of the end of the lifecycle.
The only customer requirements for a modern lifecycle product are as follows:
The customer must maintain a license for the product by paying the required subscription fees.
The customer must stay current by accepting all service updates for the product before a specified time frame has expired.
Because subscription-based modern lifecycle products like Microsoft 365 do not have major version upgrades, new and enhanced features are released as they become available. Because Microsoft 365 is a bundled product consisting of many applications and services, new features for individual components are developed and released separately.
In some cases, features and feature updates undergo a preview release cycle, so that customers can evaluate the technology and provide feedback to the developers at Microsoft. Depending on the product and the feature, the release cycle might include the following phases:
Private preview An invitation-only preview distributed to a small number of selected customers for evaluation purposes by the product or feature’s development team.
Public preview A prerelease version of a product or feature released to all users by the development team that the customer can activate or deactivate as needed. For example, the Microsoft 365 Admin Center includes a Try The New Admin Center switch in the upper-right corner of most of its screens enabling administrators to switch between the original and the new Admin Center interface, as shown in Figure 4-23.
FIGURE 4-23 The Try The New Admin Center switch in the Microsoft 365 Admin Center
General Availability (GA) Based on testing and customer feedback, preview releases might be withdrawn and returned for further development and additional previews. However, when the preview phases are completed successfully, the product or feature might be released to General Availability, meaning that it is provided to all customers as an official component of the product.
The terms and conditions of preview releases are specific to the product being tested. In nearly all cases, they are free, and they might or might not be covered by the customer support terms specified in the product license. However, in most cases, there is a mechanism to provide feedback to the developers regarding the performance or usability of the preview release.
To provide information to customers about the status of the update releases for specific products, Microsoft maintains roadmap sites that lists the updates in various phases of completion. The updates are listed as being in one of the following categories:
In Development Updates that have not yet been released because they are currently in the process of being developed or tested
Rolling Out Updates that have entered the release process, but which might not yet be available to all customers
Launched Updates that have completed the development and any preview phases and have now entered the General Availability phase, which makes them available to all customers
The Microsoft 365 Roadmap site, shown in Figure 4-24, contains a total of 644 updates at the time of this writing. The Filters on the left side of the screen enable the user to narrow down the list of updates displayed, based on products, platforms, cloud instances, and feature date.
FIGURE 4-24 The Microsoft 365 Roadmap site
Each update in the list contains a description, a status indicator, tags or keywords that pertain to the release, and an anticipated release date. When a user selects one of the updates, it expands to display additional information about its function and pertinent dates, as shown in Figure 4-25. In some cases, the expanded description includes a More Info link to additional Microsoft documentation of the feature and a Mail to link to forward the information to another user.
FIGURE 4-25 Update detail from the Microsoft 365 Roadmap site
Summary
All Microsoft 365 editions include Windows 10 Enterprise, Office 365 Pro Plus, and Enterprise Mobility + Security. However, all these components are available in their own plans, and the Microsoft 365 editions include them in various combinations.
The key selling points for Microsoft 365 are divided into four major areas: productivity, collaboration security, and compliance.
To install and run the Microsoft 365 components and access the Microsoft 365 cloud services, each user in an organization must have a Microsoft 365 user subscription license (USL).
Evaluating the total cost of ownership (TCO) for a Microsoft 365 implementation is relatively simple; there is a monthly or annual fee for each Microsoft 365 user subscription and those subscriber fees are predictable and ongoing. Predicting the cost of an on-premises network requires businesses to categorize their expenses by distinguishing between capital expenditures (CapEx) and operational expenditures (OpEx).
Organizations can purchase Microsoft 365 subscriptions directly from Microsoft individually or by using a variety of volume licensing agreements, including Enterprise Agreements (EA), Microsoft Products and Services Agreements (MPSA), or arrangements with Cloud Solution Providers (CSP).
Typically, contracts with cloud service providers include a service level agreement (SLA), which guarantees a certain percentage of uptime for the services and specifies the consequences if that guarantee is not met.
Microsoft carefully defines the division of responsibilities between the Microsoft support team and the administrators at Microsoft 365 subscription sites.
The Service health page in the Microsoft 365 Admin Center, displaying a list of the Microsoft 365 services with a status indicator for each one.
Microsoft has two lifecycle policies: Fixed Lifecycle Policy and Modern Lifecycle Policy.
Thought experiment
In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answer to this thought experiment in the next section.
Ralph is responsible for planning the IT deployment for his company’s new branch office, which will have 50 users. He is currently trying to determine which is the more economically viable choice: a cloud-based solution or on-premises servers. For the cloud-based solution, Ralph is considering Microsoft 365 Business, which has a price of $20.00 per user, per month. For an on-premises alternative providing the services his users need most, Ralph has searched through several online sources and found the software licensing prices shown in Table 4-8.
TABLE 4-8 Sample software licensing prices
QUANTITY NEEDED |
PRODUCT |
PRICE EACH |
2 |
Microsoft Windows Server 2019 Standard (16 core) |
$976.00 |
1 |
Microsoft Windows Server 2019 Client Access Licenses (Pack of 50) |
$1,869.99 |
50 |
Microsoft Office Home & Business 2019 |
$249.99 |
1 |
Microsoft Exchange Server 2019 Standard |
$726.99 |
50 |
Microsoft Exchange Server 2019 Standard CAL |
$75.99 |
1 |
Microsoft SharePoint Server |
$5,523.99 |
50 |
Microsoft SharePoint Client Access License |
$55.99 |
It is obvious to Ralph that the on-premises solution will require a much larger capital expenditure, but he is wondering whether it might be the more economical solution in the long term. Based on these prices and disregarding all other expenses (including hardware, facilities, and personnel) how long would it be before the ongoing Microsoft 365 Business subscription fees for 50 users become more expensive than the on-premises software licensing costs?
Thought experiment answer
Ralph has calculated the total software licensing costs for his proposed on-premises solution and has arrived at a total expenditure of $29,171.47, as shown in Table 4-9.
TABLE 4-9 Sample software licensing prices (with totals)
QUANTITY NEEDED |
PRODUCT |
PRICE EACH |
TOTAL |
2 |
Microsoft Windows Server 2019 Standard (16 core) |
$976.00 |
$1,952.00 |
1 |
Microsoft Windows Server 2019 Client Access Licenses (Pack of 50) |
$1,869.99 |
$1,869.99 |
50 |
Microsoft Office Home & Business 2019 |
$249.99 |
$12,499.50 |
1 |
Microsoft Exchange Server 2019 Standard |
$726.99 |
$726.99 |
50 |
Microsoft Exchange Server 2019 Standard CAL |
$75.99 |
$3,799.50 |
1 |
Microsoft SharePoint Server |
$5,523.99 |
$5,523.99 |
50 |
Microsoft SharePoint Client Access License |
$55.99 |
$2,799.50 |
|
Grand Total |
|
$29,171.47 |
The Microsoft 365 Business subscription fees for 50 users amount to $1,000.00 per month. Therefore, Ralph has concluded that after 30 months, the ongoing cost for the subscriptions will exceed the one-time cost for the on-premises server licensing fees.