Products and Capabilities

Services and scenarios supported by FastTrack

This topic includes details on the workload scenarios supported by FastTrack and the source environment expectations necessary before we can begin. Based on your current setup, we work with you to create a remediation plan that brings your source environment up to the minimum requirements for successful onboarding.

FastTrack provides guidance to help you first with core capabilities (common for all Microsoft Online Services) and then with onboarding each eligible service:

Note

For information on source environment expectations for Office 365 US Government, see Source Environment Expectations for Office 365 US Government.

General

Service | FastTrack guidance details | Source environment expectations

Core onboarding

We provide remote guidance on core onboarding, which involves service provisioning, tenant, and identity integration. It also includes steps for providing a foundation for onboarding services like Exchange Online, SharePoint Online, and Microsoft Teams, including a discussion on security, network connectivity, and compliance.

Onboarding for one or more eligible services can begin once core onboarding is finished.

Identity Integration

We provide remote guidance for:

  • Preparing on-premises Active Directory Identities for synchronization to Azure Active Directory (Azure AD) including installing and configuring Azure AD Connect (single- or multi-forest) and licensing (including group-based licensing).
  • Creating cloud identities, including bulk import and licensing (including group-based licensing).
  • Choosing and enabling the correct authentication method for your cloud journey: Password Hash Sync, Pass-through Authentication, or Active Directory Federation Services (AD FS).
  • Choosing and enabling a more convenient authentication experience for your users with passwordless authentication (Fast Identity Online 2 (FIDO2) or the Microsoft Authenticator app).
  • Enabling AD FS for customers with a single Active Directory forest and identities synchronized with the Azure AD Connect tool. This requires Windows Server 2012 R2 Active Directory Federation Services 2.0 or greater.
  • Migrating authentication from AD FS to Azure AD using Password Hash Sync or Pass-through Authentication.
  • Migrating pre-integrated apps (like Azure AD gallery software-as-a-service (SaaS) apps) from AD FS to Azure AD for single sign-on (SSO).
  • Enabling SaaS app integrations with SSO from the Azure AD gallery.
  • Enabling automatic user provisioning for pre-integrated SaaS apps as listed in the App integration tutorial list (limited to Azure AD gallery SaaS apps and outbound provisioning only).

Network enablement

As part of the FastTrack benefit, we advise you as to best practices for connecting to cloud services to ensure the highest levels of performance of Microsoft 365.

Source environment expectations

Active Directory forests

These have the functional forest level set to Windows Server 2003 onward, with the following forest configuration:
  • A single Active Directory forest.
  • A single Active Directory account forest and resource forest (Exchange and/or Lync 2010, Lync 2013, or Skype for Business) topologies.
  • Multiple Active Directory account forests and resource forest (Exchange and/or Lync 2010, Lync 2013, or Skype for Business) topologies.
  • Multiple Active Directory account forests with one of the forests being a centralized Active Directory account forest that includes Exchange and/or Lync 2010, Lync 2013, or Skype for Business.
  • Multiple Active Directory account forests, each with its own Exchange organization.
  • Tasks required for tenant configuration and integration with Azure Active Directory, if needed. 
Important
  • For multi-forest Active Directory scenarios, if Lync 2010, Lync 2013, or Skype for Business is deployed, it must be deployed in the same Active Directory forest as Exchange.
  • When implementing multiple Active Directory forests with multiple Exchange organizations in an Exchange multi-hybrid configuration, shared user principal name (UPN) namespaces between source forests aren't supported. Primary SMTP namespaces between Exchange organizations should also be separated. For more information, see Hybrid deployments with multiple Active Directory forests.
  • For all multi-forest configurations, Active Directory Federation Services (AD FS) deployment is out of scope. Contact a Microsoft Partner for assistance with this.

Microsoft 365 Apps

We provide remote deployment guidance for:
  • Addressing deployment issues.
  • Assigning end-user and device-based licenses using the Microsoft 365 admin center and Windows PowerShell.
  • Installing Microsoft 365 Apps from the Office 365 portal using Click-to-Run.
  • Installing Office Mobile apps (like Outlook Mobile, Word Mobile, Excel Mobile, and PowerPoint Mobile) on your iOS or Android devices.
  • Configuring update settings using the Office 365 Deployment Tool.
  • Selection and setup of a local or cloud installation.
  • Creation of the Office Deployment Tool configuration XML with the Office Customization Tool or native XML to configure the deployment package.
  • Deployment using Microsoft Endpoint Configuration Manager, including assistance with the creation of Microsoft Endpoint Configuration Manager packaging.

Additionally, if you have a macro or add-in that worked with prior versions of Office and you experience compatibility issues, we provide guidance to remediate the compatibility issue at no additional cost through the App Assure program. See the App Assure portion of Windows 10 for more details.

Network health

We provide remote guidance with obtaining and interpreting key network connectivity data from your environment showing how aligned your organization’s sites are to Microsoft’s principles of network connectivity. This highlights your network score, which directly impacts migration velocity, user experience, service performance, and reliability. We also guide you through any remediation steps highlighted by this data to help you improve your network score.

Security and Compliance

Service | FastTrack guidance details | Source environment expectations

Azure Active Directory (Azure AD) and Azure AD Premium

We provide remote guidance for securing your cloud identities for the following scenarios.

Secure foundation infrastructure

  • Configuring and enabling strong authentication for your identities, including protecting with Azure Multi-Factor Authentication (MFA) (cloud only), the Microsoft Authenticator app, and combined registration for Azure MFA and self-service password reset (SSPR).
  • Deploying FIDO2 or Microsoft Authenticator App.
  • For non-Azure AD Premium customers, guidance is provided to secure your identities using security defaults.
  • For Azure AD premium customers, guidance is provided to secure your identities with Conditional Access.
  • Detecting and blocking the use of weak passwords with Azure AD Password Protection.
  • Securing remote access to on-premises web apps with Azure AD Application Proxy.
  • Enabling risk-based detection and remediation with Azure Identity Protection.
  • Enabling a customized sign-in screen, including logo, text, and images with custom branding.
  • Securely sharing apps and services with guest users using Azure AD B2B.
  • Managing access for your Office 365 admins using role-based access control (RBAC) built-in administrative roles, and reducing the number of privileged admin accounts.
  • Configuring hybrid Azure AD join.
  • Configuring Azure AD join.
Monitor and reporting
  • Enabling remote monitoring for AD FS, Azure AD Connect, and domain controllers with Azure AD Connect Health.
Governance
  • Managing your Azure AD identity and access lifecycle at scale with Azure AD entitlement management.
  • Managing Azure AD group memberships, enterprise app access, and role assignments with Azure AD access reviews.
  • Reviewing Azure AD Terms of Use.
  • Managing and controlling access to privileged admin accounts with Azure AD Privileged Identity Management.
Automation and efficiencies
  • Enabling Azure AD SSPR.
  • Allowing users to create and manage their own cloud security or Office 365 groups with Azure AD self-service group management.
  • Managing delegated access to enterprise apps with Azure AD delegated group management.
  • Enabling Azure AD dynamic groups.
  • Organizing apps in the My Apps portal using collections.
The on-premises Active Directory and its environment have been prepared for Azure AD Premium, including remediation of identified issues that prevent integration with Azure AD and Azure AD Premium features.

Azure Information Protection

For more information on Azure Information Protection, see Microsoft Information Protection further in this table.

Discover & Respond

Advanced eDiscovery

We provide remote guidance for:

  • Creating a new case.
  • Putting custodians on hold.
  • Performing searches.
  • Adding search results to a review set.
  • Running analytics on a review set.
  • Reviewing and tagging documents.
  • Exporting data from the review set.
  • Importing non-Office 365 data.

Advanced Audit (only supported in E5)

We provide remote guidance for:

  • Enabling advanced auditing.
  • Performing audit log searches using the UI and basic audit PowerShell commands.

Compliance Manager

We provide remote guidance for:

  • Reviewing role types.
  • Adding and configuring assessments.
  • Assessing compliance by implementing improvement actions and determining how this impacts your compliance score.
  • Reviewing built-in control mapping and assessing controls.
  • Generating a report within an assessment.

The following is out of scope

  • Custom scripting or coding.
  • eDiscovery API.
  • Data connectors.
  • Compliance boundaries and security filters.
  • Data investigations.
  • Data subject requests.
  • Design, architecture, and third-party document review.
  • Compliance with industry and regional regulations and requirements.
  • Hands-on implementation of recommended improvement actions for assessments in Compliance Manager.
Aside from the Core onboarding portion in General, there are no minimum system requirements.

Insider Risk Management

We provide remote guidance for:

  • Creating policies and reviewing settings.
  • Accessing reports and alerts.
  • Creating cases.
  • Creating notice templates.
  • Guidance on creating the human resources (HR) connector.

Communication Compliance

We provide remote guidance for:

  • Creating policies and reviewing settings.
  • Accessing reports and alerts.
  • Creating notice templates.

Compliance Manager

We provide remote guidance for:

  • Reviewing role types.
  • Adding and configuring assessments.
  • Assessing compliance by implementing improvement actions and determining how this impacts your compliance score.
  • Reviewing built-in control mapping and assessing controls.
  • Generating a report within an assessment.

The following is out of scope

  • Creating and managing Power Automate flows.
  • Data connectors (beyond the HR connector).
  • Custom regular expression (RegEx) configurations.
  • Design, architecture, and third-party document review.
  • Information barriers.
  • Privileged access management.
  • Compliance with industry and regional regulations and requirements.
  • Hands-on implementation of recommended improvement actions for assessments in Compliance Manager.
Aside from the Core onboarding portion in General, there are no minimum system requirements.
Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against sophisticated attacks. We provide remote guidance for:

  • Providing an overview of the Microsoft 365 security center.
  • Reviewing cross-product incidents, including focusing on what's critical by ensuring the full attack scope, impacted assets, and automated remediation actions are grouped together.
  • Demonstrating how Microsoft 365 Defender can orchestrate the investigation of assets, users, devices, and mailboxes that might have been compromised through automated self-healing.
  • Explaining and providing examples of how customers can proactively hunt for intrusion attempts and breach activity affecting your email, data, devices, and accounts across multiple data sets.
  • Showing customers how they can review and improve their security posture holistically using Microsoft Secure Score.

The following is out of scope

  • Project management of the customer's remediation activities.
  • Ongoing management, threat response, and remediation.
  • Deployment guidance or education on:
    • How to remediate or interpret the various alert types and monitored activities.
    • How to investigate a user, computer, lateral movement path, or entity.
    • Custom threat hunting.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Security information and event management (SIEM) or API integration.

Microsoft Cloud App Security

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft and third-party cloud services. We provide remote guidance for:

  • Configuring the portal, including:
    • Importing user groups.
    • Managing admin access and settings.
    • Scoping your deployment to select certain user groups to monitor or exclude from monitoring.
    • How to set up IP ranges and tags.
    • Personalizing the end-user experience with your logo and custom messaging.
  • Integrating first-party services including:
    • Microsoft Defender for Endpoint.
    • Microsoft Defender for Identity.
    • Azure AD Identity Protection.
    • Azure Information Protection.
  • Setting up cloud discovery using:
    • Microsoft Defender for Endpoint.
    • Zscaler.
    • iboss.
  • Creating app tags and categories.
  • Customizing app risk scores based on your organization’s priorities.
  • Sanctioning and unsanctioning apps.
  • Reviewing the Cloud App Security and Cloud Discovery dashboards.
  • Connecting featured apps using app connectors.
  • Protecting apps with Conditional Access App Control in Conditional Access within the Azure AD and Cloud App Security portals.
  • Deploying Conditional Access App Control for featured apps.
  • Using the activity and file logs.
  • Managing OAuth apps.
  • Reviewing and configuring policy templates.
  • Providing configuration assistance with the top 20 use cases for CASBs (including the creation or updating of up to six (6) policies) except:
    • Auditing the configuration of your infrastructure as a service (IaaS) environments (#18).
    • Monitoring user activities to protect against threats in your IaaS environments (#19).
  • Understanding incident correlation in the Microsoft 365 Defender portal.

The following is out of scope

  • Project management of the customer's remediation activities.
  • Ongoing management, threat response, and remediation.
  • Discussions comparing Cloud App Security to other CASB offerings.
  • Configuring Cloud App Security to meet specific compliance or regulatory requirements.
  • Deploying the service to a non-test production environment.
  • Deploying Cloud App Discovery as a proof of concept.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Setting up the infrastructure, installation, or deployment of automatic log uploads for continuous reports using Docker or a log collector.
  • Creating a Cloud Discovery snapshot report.
  • Blocking app usage using block scripts.
  • Connecting custom apps.
  • Onboarding and deploying Conditional Access App Control for non-featured apps.
  • Integrating with third-party identity providers (IdPs) and data loss prevention (DLP) providers.
  • Training or guidance covering advanced hunting.
  • Automated investigation and remediation including Microsoft Power Automate playbooks.
  • Security information and event management (SIEM) or API integration (including Azure Sentinel).

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. We provide remote guidance for:

  • Deploying the technologies to secure your endpoints.
  • Configuring endpoint protection and device restriction profiles.
  • Assessing the OS version and device management (including Intune, Microsoft Endpoint Configuration Manager, Group Policy Objects (GPOs), and third-party configurations) as well as the status of your Windows Defender AV services or other endpoint security software.
  • Assessing the status of your Windows AV services or other endpoint security software.
  • Assessing proxies and firewalls restricting network traffic.
  • Enabling the Microsoft Defender for Endpoint service by explaining how to deploy a Defender for Endpoint endpoint detection and response (EDR) agent profile using one of the supported management methods.
  • Deployment guidance, configuration assistance, and education on:
    • Threat and vulnerability management.
    • Attack surface reduction.
    • Next-generation protection.
    • EDR.
    • Automated investigation and remediation.
    • Secure score for devices.
    • Microsoft Defender SmartScreen configuration using Microsoft Endpoint Manager.
    • Device discovery.
  • Reviewing simulations and tutorials (like practice scenarios, fake malware, and automated investigations).
  • Overview of reporting and threat analytics features.
  • Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoint.
  • Conducting walkthroughs of the Microsoft Defender Security Center portal.
  • Onboarding and configuration of the following operating systems:
    • Windows 10.
    • Windows Server 2016.
    • Windows Server 2019.
    • Windows Server 2019 Core Edition.
    • Windows Server Semi-Annual Channel (SAC) version 1803.
    • Supported macOS versions (see System requirements for more details).
Note: All Windows Server versions must be managed by the latest version of System Center Configuration Manager 2012 (versions 1012 R2, 1511, or 1602) or Microsoft Endpoint Configuration Manager (version 2002 or greater).

The following is out of scope

  • Project management of the customer's remediation activities.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • On-site support.
  • Ongoing management and threat response.
  • Onboarding or configuration for the following Microsoft Defender for Endpoint agents:
    • Windows Server 2008.
    • Windows Server 2012.
    • Linux.
    • Mobile devices (Android and iOS).
    • Virtual Desktop Infrastructure (VDI) (persistent or non-persistent).
  • Server onboarding and configuration:
    • Configuring a proxy server for offline communications.
    • Configuring Configuration Manager deployment packages on down-level Configuration Manager instances and versions.
    • Onboarding servers to Azure Security Center.
    • Servers not managed by Configuration Manager.
  • macOS onboarding and configuration:
    • Manual Intune-based deployment.
    • JAMF-based deployment.
    • Other mobile device management (MDM) product-based deployment.
    • Manual deployment.
  • Configuration of the following attack surface reduction capabilities:
    • Hardware-based isolation.
    • App control.
    • Device control.
    • Exploit protection.
    • Network firewall.
  • Configuration or management of account protection features like:
    • Windows Hello
    • Credential Guard
  • Configuration or management of BitLocker.
  • Configuration or management of network device discovery.
  • Configuration or management of the following device discovery capabilities:
    • Onboarding of unmanaged devices not in scope for FastTrack (like Linux).
    • Integration with third-party tooling.
    • Exclusions for device discovery.
    • Preliminary networking assistance.
    • Troubleshooting network issues.
  • Enrollment or configuration of Microsoft Threat Experts.
  • Configuration or training reviewing API or security information and event management (SIEM) connections.
  • Enrollment or configuration of Microsoft 365 Defender.
  • Training or guidance covering advanced hunting.
  • Training or guidance covering the use of or creation of Kusto queries.
  • Training or guidance covering Defender SmartScreen configuration using Group Policy Objects (GPOs), Windows Security, or Microsoft Edge.
Contact a Microsoft Partner for assistance with these services.

Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. We provide remote guidance for:

  • Running the sizing tool for resource capacity planning.
  • Creating your instance of Defender for Identity.
  • Connecting Defender for Identity to Active Directory.
  • Deploying the sensor to capture and parse network traffic and Windows events directly from your domain controllers, including:
    • Downloading the sensor package.
    • Configuring the sensor.
    • Installing the sensor on your domain controller silently.
    • Deploying the sensor to your multi-forest environment.
    • Configuring the Windows Event Collector.
  • Configuring the portal, including:
    • Integrating Defender for Identity with Microsoft Cloud App Security (Cloud App Security licensing isn't required).
    • Configuring entity tags.
    • Tagging sensitive accounts.
    • Receiving email notifications for health issues and security alerts.
    • Configuring alert exclusions.
  • Providing deployment guidance, configuration assistance, and education on:
    • Understanding the Identity Security Posture Assessment report.
    • Understanding the User Investigation Priority Score and User Investigation ranking report.
    • Understanding the inactive user report.
    • Explanation of the remediation options on a compromised account.
  • Facilitating the migration from Advanced Threat Analytics (ATA) to Defender for Identity.

The following is out of scope

  • Project management of the customer's remediation activities.
  • Ongoing management, threat response, and remediation.
  • Deploying Defender for Identity as a proof of concept.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Deploying or performing the following Defender for Identity sensor activities:
    • Manual capacity planning.
    • Running the Auditing tool.
    • Deploying the standalone sensor.
    • Deploying to Active Directory Federation Services (AD FS) servers.
    • Deploying the sensor using a Network Interface Card (NIC) Teaming adaptor.
    • Deploying the sensor through a third-party tool.
    • Connecting to the Defender for Identity cloud service through a web proxy connection.
  • Configuring the Microsoft account (MSA) in Active Directory.
  • Creation and management of honeytokens.
  • Enabling Network Name Resolution (NNR).
  • Configuration of Deleted Objects container.
  • Deployment guidance or education on:
    • Remediating or interpreting various alert types and monitored activities.
    • Investigating a user, computer, lateral movement path, or entity.
    • Threat or advanced hunting.
    • Incident response.
  • Providing a security alert lab tutorial for Defender for Identity.
  • Providing notification when Defender for Identity detects suspicious activities by sending security alerts to your syslog server through a nominated sensor.
  • Configuring Defender for Identity to perform queries using security account manager remote (SAMR) protocol to identify local admins on specific machines.
  • Configuring VPN solutions to add information from the VPN connection to a user’s profile page.
  • Security information and event management (SIEM) or API integration (including Azure Sentinel).

Source environment expectations

  • Aligned with Microsoft Defender for Identity prerequisites.
  • Active Directory deployed.
  • The domain controllers you intend to install Defender for Identity sensors on have internet connectivity to the Defender for Identity cloud service.
    • Your firewall and proxy must be open to communicate with the Defender for Identity cloud service (*.atp.azure.com port 443 must be open).
  • Domain controllers running on one of the following:
    • Windows Server 2008 R2 SP1.
    • Windows Server 2012.
    • Windows Server 2012 R2.
    • Windows Server 2016.
    • Windows Server 2019 with KB4487044 (OS Build 17763.316 or later).
  • Microsoft .NET Framework 4.7 or later.
  • A minimum of five (5) GB of disk space is required and 10 GB is recommended.
  • Two (2) cores and six (6) GB of RAM installed on the domain controller.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

We provide remote guidance for:

  • Enabling Safe Links, Safe Attachments, and anti-phishing.
  • Configuring automation, investigation, and response.
  • Using Attack Simulator.
  • Reporting and threat analytics.
  • Understanding incident correlation in the Microsoft 365 Defender portal.

The following is out of scope

  • Project management of the customer's remediation activities.
  • Ongoing management, threat response, and remediation.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Discussions comparing Defender for Office 365 to other security offerings.
  • Deploying Defender for Office 365 as a proof of concept.
  • Connecting custom apps.
  • Training or guidance covering advanced hunting.
  • Automated investigation and remediation including Microsoft Power Automate playbooks.
  • Security information and event management (SIEM) or API integration (including Azure Sentinel).
Aside from the Core onboarding portion in General, there are no minimum system requirements.

Microsoft Information Governance

We provide remote guidance for:

  • Creating and publishing retention labels and policies (only supported in E5).
  • Records management (only supported in E5).
    • Reviewing file plan creation.
    • Creating and managing records (including event-based records).
    • Reviewing disposition.

Compliance Manager

We provide remote guidance for:

  • Reviewing role types.
  • Adding and configuring assessments.
  • Assessing compliance by implementing improvement actions and determining how this impacts your compliance score.
  • Reviewing built-in control mapping and assessing controls.
  • Generating a report within an assessment.

The following is out of scope

  • Development of a records management file plan.
  • Data connectors.
  • Development of information architecture in SharePoint.
  • Custom scripting and coding.
  • Design, architecture, and third-party document review.
  • Support for E3.
  • Compliance with industry and regional regulations and requirements.
  • Hands-on implementation of recommended improvement actions for assessments in Compliance Manager.
Aside from the Core onboarding portion in General, there are no minimum system requirements.

Microsoft Information Protection

We provide remote guidance for:

  • Data classification (supported in E3 and E5).
  • Sensitive information types (supported in E3 and E5).
  • Creating sensitivity labels (supported in E3 and E5).
  • Applying sensitivity labels (supported in E3 and E5).
  • Trainable classifiers (supported in E5).
  • Knowing your data with content explorer and activity explorer (supported in E5).
  • Publishing labels using policies (manual and automatic) (supported in E5).
  • Creating Endpoint data loss prevention (DLP) policies for Windows 10 devices (supported in E5).
  • Creating DLP policies for Microsoft Teams chats and channels.

Compliance Manager

We provide remote guidance for:

  • Reviewing role types.
  • Adding and configuring assessments.
  • Assessing compliance by implementing improvement actions and determining how this impacts your compliance score.
  • Reviewing built-in control mapping and assessing controls.
  • Generating a report within an assessment.

Azure Information Protection

We provide remote guidance for:

  • Activating and configuring your tenant.
  • Creating and setting up labels and policies (supported in P1 and P2).
  • Applying information protection to documents (supported in P1 and P2).
  • Automatically classifying and labeling information in Office apps (like Word, PowerPoint, Excel, and Outlook) running on Windows and using the Azure Information Protection client (supported in P2).
  • Discovering and labeling files at rest using the Azure Information Protection scanner (supported in P1 and P2).
  • Monitoring emails in transit using Exchange Online mail flow rules.

We also provide guidance if you want to apply protection using Microsoft Azure Rights Management Services (Azure RMS), Office 365 Message Encryption (OME), and data loss prevention (DLP).

The following is out of scope

  • Customer key.
  • Custom regular expressions (RegEx) development for sensitive information types.
  • Creation or modification of keyword dictionaries.
  • Custom scripting and coding.
  • Azure Purview.
  • Design, architecture, and third-party document review.
  • Compliance with industry and regional regulations and requirements.
  • Hands-on implementation of recommended improvement actions for assessments in Compliance Manager.
Aside from the Core onboarding portion in General, there are no minimum system requirements with the exception of Azure Information Protection.

Azure Information Protection

Customer prerequisite responsibilities include:

Microsoft Intune

We provide remote guidance on getting ready to use Intune as the cloud-based mobile device management (MDM) and mobile app management (MAM) provider for your apps and devices. The exact steps depend on your source environment and are based on your mobile device and mobile app management needs. The steps can include:

  • Licensing your end users.
  • Configuring identities to be used by Intune by leveraging either your on-premises Active Directory or cloud identities (Azure AD).
  • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.
  • Configuring your MDM authority, based on your management needs, including:
    • Setting Intune as your MDM authority when Intune is your only MDM solution.
  • Providing MDM guidance for:
    • Configuring test groups to be used to validate MDM management policies.
    • Configuring MDM management policies and services like:
      • App deployment for each supported platform through web links or deep links.
      • Conditional Access policies.
      • Deployment of email, wireless networks, and VPN profiles if you have an existing certificate authority, wireless network, or VPN infrastructure in your organization.
      • Connecting to the Intune Data Warehouse.
      • Integrating Intune with:
        • TeamViewer for remote assistance (a TeamViewer subscription is required).
        • Mobile Threat Defense (MTD) partner solutions (an MTD subscription is required).
        • A telecom expense management solution (a telecom expense management solution subscription is required).
      • Enrolling devices of each supported platform to Intune.
  • Providing app protection guidance on:
    • Configuring app protection policies for each supported platform.
    • Configuring Conditional Access policies for managed apps.
    • Targeting the appropriate user groups with the previously mentioned MAM policies.
    • Using managed-apps usage reports.
  • Providing migration guidance from legacy PC management to Intune MDM.
Cloud-attach

We guide you through getting ready to cloud-attach existing Configuration Manager environments with Intune. The exact steps depend on your source environment. These steps can include:

  • Licensing your end users.
  • Configuring identities to be used by Intune by leveraging your on-premises Active Directory and cloud identities.
  • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.
  • Providing guidance on setting up hybrid Azure AD join.
  • Providing guidance on setting up Azure AD for MDM auto-enrollment.
  • Providing guidance on how to set up cloud management gateway when used as a solution for co-management of remote internet-based device management.
  • Configuring supported workloads that you want to switch to Intune.
  • Installing the Configuration Manager client on Intune-enrolled devices.

Deploy Outlook mobile for iOS and Android securely
We can provide guidance to help you deploy Outlook mobile for iOS and Android securely in your organization to ensure your users have all the required apps installed.
The steps to securely deploy Outlook mobile for iOS and Android with Intune depend on your source environment. They can include:

  • Downloading the Outlook for iOS and Android, Microsoft Authenticator, and Intune Company Portal apps through the Apple App Store or Google Play Store.
  • Providing guidance on setting up:
    • The Outlook for iOS and Android, Microsoft Authenticator, and Intune Company Portal apps deployment with Intune.
    • App protection policies.
    • Conditional Access policies.
    • App configuration policies.
IT admins need to have existing Certificate Authority, wireless network, and VPN infrastructures already working in their production environments when planning on deploying wireless network and VPN profiles with Intune.
Note: The FastTrack service benefit doesn't include assistance for setting up or configuring Certificate Authorities, wireless networks, VPN infrastructures, or Apple MDM push certificates for Intune.
Note: The FastTrack service benefit doesn't include assistance for setting up or upgrading either the Configuration Manager site server or Configuration Manager client to the minimum requirements needed to support cloud-attach. Contact a Microsoft Partner for assistance with this.

Intune integrated with Microsoft Defender for Endpoint

Note: We provide assistance on integrating Intune with Microsoft Defender for Endpoint and creating device compliance policies based on its Windows 10 risk level assessment. We don't provide assistance on purchasing, licensing, or activation. Contact a Microsoft Partner for assistance with this.

Windows Autopilot

IT admins are responsible for registering their devices to their organization by either having the hardware vendor upload their hardware IDs on their behalf or by uploading them themselves into the Windows Autopilot service.

Office 365

Service FastTrack guidance details Source environment expectations
Exchange Online For Exchange Online, we guide you through the process to get your organization ready to use email. The exact steps depend on your source environment and your email migration plans. We provide remote guidance for:
  • Setting up Exchange Online Protection (EOP) features for all mail-enabled domains validated in Office 365.
  • Pointing your mail exchange (MX) records to Office 365.
  • Setting up the Microsoft Defender for Office 365 feature if it’s a part of your subscription service. For more information, see the Microsoft Defender for Office 365 portion of this table.
  • Setting up the data loss prevention (DLP) feature for all mail-enabled domains validated in Office 365 as part of your subscription service. This is done once your MX records point to Office 365.
  • Setting up Office 365 Message Encryption (OME) for all mail-enabled domains validated in Office 365 as part of your subscription service. This is done once your MX records point to Office 365.
Note: The Mailbox Replication service (MRS) attempts to migrate Information Rights Managed (IRM) emails from your on-premises mailbox to the corresponding Exchange Online mailbox. Ability to read the protected content post-migration depends on the customer mapping and copying Active Directory Rights Managed Services (AD RMS) templates to the Azure Rights Management Service (Azure RMS).
  • Configuring firewall ports.
  • Setting up DNS, including the required Autodiscover, sender policy framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) and MX records (as needed).
  • Setting up email flow between your source messaging environment and Exchange Online (as needed).
  • Undertaking mail migration from your source messaging environment to Office 365.
  • Configuring mailbox clients (Outlook for Windows, Outlook on the web, and Outlook for iOS and Android).
Data migration
For information on using the FastTrack benefit for data migration to Office 365, see Data Migration.
Your source environment must have one of the following minimum levels:
  • Single or multiple Exchange organizations with Exchange Server 2003 onward.
  • A single Internet Message Access Protocol (IMAP)-capable email environment.
  • A single G Suite environment (Gmail, Contacts, and Calendar only).
  • For information on Multi-Geo Capabilities, see Multi-Geo Capabilities in Exchange Online.
Online client software like Project for Office 365, Outlook for Windows, Outlook for iOS and Android, OneDrive for Business sync client, Power BI Desktop, and Skype for Business must be at a minimum level as defined in System requirements for Microsoft 365 Office.
Microsoft Defender for Office 365 For more information, see Microsoft Defender for Office 365 in Security and Compliance.
Microsoft Information Governance For more information, see Microsoft Information Governance in Security and Compliance.
Microsoft Information Protection For more information, see Microsoft Information Protection in Security and Compliance.
Microsoft Teams We provide remote guidance for:
  • Confirming minimum requirements in Exchange Online, SharePoint Online, Office 365 Groups, and Azure AD to support Teams.
  • Configuring firewall ports.
  • Setting up DNS.
  • Confirming Teams is enabled on your Office 365 tenant.
  • Enabling or disabling user licenses.
  • Network assessment for Teams:
    • Port and endpoint checks.
    • Connection quality checks.
    • Bandwidth estimates.
    • Configuring Teams app policy (Teams web app, Teams Desktop app, and Teams for iOS and Android app).
    If applicable, we also provide guidance for:
    • Microsoft Teams Room Devices:
      • Creation of online accounts needed for supported telephony and conference room devices listed in the Teams devices catalog.
      • Remote assistance with service-side configuration of certified Microsoft Teams Rooms devices.
      • Enabling Audio Conferencing:
        • Organization setup for conference bridge default settings.
        • Assignment of conference bridge to licensed users.
      • Phone System:
        • Organization setup for Cloud Voice default settings.
        • Calling Plans guidance (available markets):
          • Assignment of numbers to licensed users.
          • Local number porting guidance through user interface (UI) up to 999.
          • Local number porting service request (SR) support over 999.
        • Direct Routing guidance:
          • Organization setup guidance for Direct Routing design of partner-hosted scenarios, or customer-deployed scenarios for up to 10 sites.
          • Session Border Controller (SBC) configuration review.
          • Remote assistance with dial plan configuration.
          • Voice route configuration.
          • Media bypass and local media optimization.
      • Enabling Teams live events.
      • Organization setup and integration into Microsoft Stream.
      • Guidance for Skype for Business to Teams transition.
  • Identities enabled in Azure AD for Office 365.
  • Users enabled for SharePoint Online.
  • Exchange mailboxes are present (online and on-premises in an Exchange hybrid configuration).
  • Enabled for Office 365 Groups.
Note: If users aren't assigned and enabled with SharePoint Online licenses, they won't have OneDrive for Business storage in Office 365. File sharing continues to work in Channels, but users can't share files in Chats without OneDrive for Business storage in Office 365. Teams doesn't support SharePoint on-premises.
Note: The ideal state is for all users to have their mailboxes homed on Exchange Online. Users with mailboxes homed on-premises must have their identities synchronized to the Office 365 directory through Azure AD Connect. For these Exchange hybrid customers, if the user's mailbox is on-premises, the user cannot add or configure Connectors.
The installers for the Microsoft Teams Windows and Mac desktop clients can be downloaded from https://go.microsoft.com/fwlink/?linkid=839411.
Outlook for iOS and Android We provide remote guidance for:
  • Identities enabled in Azure AD for Office 365.
  • Exchange Online configured and licenses assigned.
Power BI We provide remote guidance for:
  • Assigning Power BI licenses.
  • Deploying the Power BI Desktop app.
Online client software like Power BI Desktop must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
Project Online We provide remote guidance for:
  • Verifying basic SharePoint functionality that Project Online relies on.
  • Adding the Project Online service to your tenant (including adding subscriptions to users).
  • Setting up the Enterprise Resource Pool (ERP).
  • Creating your first project.
Online client software like Project for Office 365 must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
Project Online Professional and Premium We provide remote guidance for:
  • Addressing deployment issues.
  • Assigning end-user licenses using the Microsoft 365 admin center and Windows PowerShell.
  • Installing Project Online Desktop Client from the Office 365 portal using Click-to-Run.
  • Configuring update settings using the Office 365 Deployment Tool.
  • Setting up a single on-site distribution server for Project Online Desktop Client, including assistance with the creation of a configuration.xml file for use with the Office 365 Deployment Tool.
  • Connecting Project Online Desktop Client to Project Online Professional or Project Online Premium.
Online client software like Project for Office 365 must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
SharePoint Online and OneDrive for Business We provide remote guidance for:
  • Setting up DNS.
  • Configuring firewall ports.
  • Provisioning users and licenses.
  • Enabling site creation for your SharePoint Online admin.
  • Planning site collections.
  • Securing content and managing permissions.
  • Configuring SharePoint Online features.
  • Configuring SharePoint hybrid features, like hybrid search, hybrid sites, hybrid taxonomy, content types, hybrid self-service site creation (SharePoint Server 2013 only), extended app launcher, hybrid OneDrive for Business, and extranet sites.
  • Your migration approach.
Additional guidance is provided for OneDrive for Business depending on your SharePoint version, like:
  • Identifying integration options and reviewing on-premises and online network infrastructure and bandwidth.
  • Installing SharePoint Online 2013 SP1 (if applicable), planning and implementing sync and identity requirements, and identifying your OneDrive for Business sync client.
  • Planning and implementing a single rollout for all users (or a phased rollout).
  • Assigning licenses, redirecting My Sites and personal document libraries to Office 365 (applicable to SharePoint Online 2013), setting up audiences to control access to OneDrive (applicable to SharePoint Online 2013).
  • Redirecting or moving known folders to OneDrive.
  • Deploying the OneDrive for Business client sync.
Data migration
For information on using the FastTrack benefit for data migration to Office 365, see Data Migration.

For SharePoint hybrid:
  • SharePoint hybrid configuration includes configuring hybrid search, sites, taxonomy, content types, OneDrive for Business, an extended app launcher, extranet sites, and self-service site creation connected from on-premises to a single target SharePoint Online environment.
Note: Self-service site creation is not in scope with on-premises servers running SharePoint 2013.
  • To enable SharePoint hybrid, you must have one of the following on-premises SharePoint Server environments: 2013, 2016, or 2019.
Note: Upgrade of on-premises SharePoint environments to SharePoint Server is not in scope. Contact a Microsoft Partner for assistance. For more information, see Minimum public update levels for SharePoint hybrid features.
Note: For information on Multi-Geo Capabilities, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365.
Yammer Enterprise We provide remote guidance for enabling the Yammer Enterprise service. Online client software must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.

Enterprise Mobility + Security

Service FastTrack guidance details Source environment expectations
Azure Active Directory (Azure AD) and Azure AD Premium For more information, see Azure Active Directory (Azure AD) and Azure AD Premium in Security and Compliance.
Azure Information Protection For more information on Azure Information Protection, see Microsoft Information Protection in Security and Compliance.
Microsoft Intune For more information, see Microsoft Intune in Security and Compliance.

Windows 10

Service FastTrack guidance details Source environment expectations
Windows 10 We provide guidance for upgrading from Windows 7 Professional and Windows 8.1 Professional to Windows 10 Enterprise. We provide remote guidance for:
  • Understanding your Windows 10 intention.
  • Assessing your source environment and the requirements (ensure that Microsoft Endpoint Configuration Manager is upgraded to the required level to support the Windows 10 deployment).
  • Deploying Windows 10 Enterprise and Microsoft 365 Apps using Microsoft Endpoint Configuration Manager or Microsoft 365.
  • Recommending options for you to assess your Windows 10 apps.
  • Enabling use of Desktop Analytics and guidance through creation of a Desktop Analytics deployment plan.
  • Microsoft 365 Apps compatibility assessment by leveraging the Office 365 readiness dashboard in Configuration Manager or with the stand-alone Readiness Toolkit for Office plus assistance deploying Microsoft 365 Apps.
  • Creating a remediation checklist on what you need to do to bring your source environment up to the minimum requirements for a successful deployment.
  • Providing upgrade guidance for your existing devices to Windows 10 Enterprise if they meet the needed device hardware requirements.
  • Providing upgrade guidance to support your existing deployment motion. FastTrack recommends and provides guidance for an in-place upgrade to Windows 10. Guidance is also available for Windows clean image installation and Windows Autopilot deployment scenarios.
  • Deploying Microsoft 365 Apps using Configuration Manager as part of the Windows 10 deployment.
  • Providing guidance to help your organization stay up to date with Windows 10 Enterprise and Microsoft 365 Apps using your existing Configuration Manager environment or Microsoft 365.
The following is out of scope
  • Upgrading Configuration Manager to Current Branch.
  • Creating custom images for Windows 10 deployment.
  • Creating and supporting deployment scripts for Windows 10 deployment.
  • Converting a Windows 10 system from BIOS to Unified Extensible Firmware Interface (UEFI).
  • Enabling Windows 10 security features.
  • Configuring Windows Deployment Services (WDS) for Preboot Execution Environment (PXE) booting.
  • Using the Microsoft Deployment Toolkit (MDT) to capture and deploy Windows 10 images.
  • Using the User State Migration Tool (USMT).
Contact a Microsoft Partner for assistance with these services.
For PC upgrade, you must meet these requirements:
  • Source OS: Windows 7 Enterprise or Professional, Windows 8.1 Enterprise or Professional.
  • Devices: Desktop, notebook, or tablet form factor.
  • Target OS: Windows 10 Enterprise.
For infrastructure upgrade, you must meet these requirements:
  • Microsoft Endpoint Configuration Manager.
  • The Configuration Manager version must be supported by the Windows 10 target version. For more information, see the Configuration Manager support table at Support for Windows 10 in Configuration Manager.
Microsoft Defender for Endpoint For more information, see Microsoft Defender for Endpoint in Security and Compliance.

Windows Virtual Desktop

Service FastTrack guidance details Source environment expectations
Windows Virtual Desktop

We provide deployment guidance for onboarding to Windows Virtual Desktop (a desktop and app virtualization service). Windows Virtual Desktop takes advantage of Windows 10 multi-session experience and is optimized for Microsoft 365 Apps for Enterprise with integrated security and management for Microsoft 365.

We provide remote guidance for:

  • Deploying Windows 10 Enterprise multi-session and Microsoft 365 Apps for Enterprise using the following:
    • Azure Marketplace Image.
    • Shared image.
    • Office Deployment Toolkit (ODT).
  • Configuring Microsoft 365 Apps for FSLogix in a native Windows Virtual Desktop. For FSLogix:
    • Deploying the Agent.
    • Configuring Profile and Office containers.
    • Configuring content exclusions and folder redirections for Microsoft 365 Apps.
  • Deploying Microsoft Edge.
  • Deploying Microsoft Teams with optimization.

The following is out of scope

  • Project management of the customer's Windows Virtual Desktop infrastructure deployment.
  • Third-party app virtualization and deployment.
  • Creation of custom images for Windows Virtual Desktop.
  • Migrations and scenarios involving VMware and Citrix.
  • Linux scenarios.
  • Conversion or migrations of user profiles.
  • Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager configuration for Windows Virtual Desktop (including patching and management).
  • Microsoft 365 Defender with Windows 10 multi-session.
Contact a Microsoft Partner for assistance with these services.
You should already have the following:
  • Azure AD general setup:
    • Identity strategy (you can use only one of the following three options):
      • Active Directory with Azure AD Connect in Azure.
      • Active Directory with Azure AD Connect on-premises over VPN or ExpressRoute.
      • Active Directory Domain Services (AD DS).

App Assure

Service FastTrack guidance details Source environment expectations
App Assure App Assure is a service designed to address issues with Windows and Microsoft 365 Apps app compatibility. When you request the App Assure service, we work with you to address valid app issues at no additional cost to you with an eligible subscription. We also provide guidance to customers who face compatibility issues when deploying Windows 365 Cloud PC, Windows Virtual Desktop, and Microsoft Edge and make every reasonable effort to resolve compatibility issues. We provide remediation assistance for apps deployed on the following Microsoft products:

The following is out of scope

  • App inventory and testing to determine what does and doesn't work on Windows and Microsoft 365 Apps. For more guidance on this process, visit the Desktop Deployment Center. If you're interested in an in-depth upgrade readiness assessment, complete the Customer Request for Modern Desktop Assessment form.
  • Researching third-party ISV apps for Windows compatibility and support statements. For more information, see Desktop Analytics.
  • App packaging-only services. However, the App Assure team packages apps that we have remediated for Windows to ensure they can be deployed in the customer's environment.

Customer responsibilities include

  • Creating an app inventory.
  • Validating those apps on Windows and Microsoft 365 Apps.
Note: Microsoft can't make changes to your source code. However, the App Assure team can provide guidance to app developers if the source code is available for your apps.

Contact a Microsoft Partner for assistance with these services.

Windows and Microsoft 365 Apps
  • Apps that worked on Windows 7, Windows 8.1, and Windows 10 also work on Windows 10 and Windows 11.
  • Apps that worked on Office 2010, Office 2013, Office 2016, and Office 2019 also work on Microsoft 365 Apps.
Windows 365 Cloud PC
  • Apps that worked on Windows 7, Windows 8.1, and Windows 10 also work on Windows 365 Cloud PC.
Windows on ARM
  • Apps that worked on Windows 7, Windows 8.1, and Windows 10 also work on Windows 10 and Windows 11 on ARM64 devices.
Note:
  • x64 (64-bit) emulation is available in preview for customers participating in the Windows Insider Program.
  • For non-Windows Insider customers on Windows 10 version 2004 (or later), ARM64 Photoshop is supported using the OpenCL and OpenGL Compatibility Pack.
  • Customers in the Windows Insider Program can download an Insider version of the OpenCL and OpenGL Compatibility Pack for use with additional apps.
Microsoft Edge
  • If your web apps or sites work on Internet Explorer 11, supported versions of Google Chrome, or any version of Microsoft Edge, they'll also work with Microsoft Edge.
  • As the web is constantly evolving, be sure to review this published list of known site compatibility-impacting changes for Microsoft Edge.
Windows Virtual Desktop
  • Apps running on Windows 7, Windows 8.1, Windows 10, or Windows Server (as virtualized apps) also run on:
    • Windows 10 Enterprise and Windows 11 Enterprise.
    • Windows 10 Enterprise and Windows 11 Enterprise multi-session.
Note: Windows Enterprise multi-session compatibility exclusions and limitations include:
  • Limited redirection of hardware.
  • A/V-intensive apps may perform in a diminished capacity.
  • 16-bit apps aren't supported for 64-bit Windows Virtual Desktop.

Microsoft Edge

Service FastTrack guidance details Source environment expectations
Microsoft Edge We provide remote deployment and adoption guidance and compatibility assistance for:
  • Deploying Microsoft Edge on Windows 10 with Microsoft Endpoint Manager (Microsoft Endpoint Configuration Manager or Intune).
  • Configuring Microsoft Edge (using group policies or Intune app configuration and app policies).
  • Inventorying the list of sites that may require use in Internet Explorer mode.
  • Enabling Internet Explorer mode with the existing Enterprise Site List. (For more information, see Engaging FastTrack.) Additionally, if you have a web app or site that works with Internet Explorer or Google Chrome and you experience compatibility issues, we provide guidance to resolve the issue at no additional cost. To request compatibility support for App Assure, sign in to the FastTrack portal to start an engagement.
  • Planning guidance for Edge adoption and configuration guidance for Microsoft Search bookmarks.

The following is out of scope

  • Project management of the customer's Microsoft Edge deployment.
  • On-site support.