Microsoft 365 Enterprise services and concepts

Microsoft 365 Enterprise is designed for large organizations and integrates Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security (EMS) to empower everyone to be creative and work together, securely. Microsoft 365 Enterprise includes an enterprise edition of Windows 10 and Office applications through Office 365 ProPlus.

Both Windows 10 and Office 365 ProPlus provide new feature releases to the enterprise in March and September via the Semi-Annual Channel. A feature release of Semi-Annual Channel is supported for 18 months. Both Microsoft Intune and System Center Configuration Manager provide capabilities to deploy and update Windows 10 and Office 365 ProPlus.

Here are the most current versions of Windows 10, Office 365 ProPlus, Microsoft Intune, and System Center Configuration Manager:

Semi-Annual Channel (Targeted) Semi-Annual Channel
Windows 10 Windows 10 Fall Creators Update (coming soon) Version 1703
Office 365 ProPlus Version 1803 Version 1708
Intune N/A Version 1708
System Center Configuration Manager Technical Preview Version 1708 Version 1706*

* Update 1706 for System Center Configuration Manager current branch is available as an in-console update for previously installed sites that run version 1606, 1610, or 1702.


Microsoft Azure services are also updated on a regular basis, but are not referenced by a version number. To review the latest updates, and what's coming, for Azure services, see the cloud platform roadmap.

For more information about the features available in these versions, see the following articles:

Services overview

This section provides an overview of the EMS and Office 365 services included with Microsoft 365 Enterprise and also introduces the core concepts necessary to understand how to best use it for your oganizational needs. These services provide capabilities that enable Microsoft cloud enterprise administrators to not just protect company employees’ identities and devices, but also control access to company data itself; both in transit and at rest.

Service Description
Microsoft Azure Active Directory Azure AD provides a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, role based access control, application usage monitoring, rich auditing and security monitoring and alerting.
Azure AD Identity Protection This service enables you to detect potential vulnerabilities affecting your organization’s identities and configure automated responses via conditional access policies to low, medium and high sign-in risk and user risk.
Azure AD Privileged Identity Management This service enables organizations to minimize the number of people who have persistent access to privileged operations; Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.
Azure Information Protection Azure Information Protection is a cloud-based solution, delivered as part of the EMS E5 offering, that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared.

Azure Information Protection policy settings are protected by Azure Rights Management. Similar to how the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location—inside or outside your organization, networks, file servers, and applications.
Microsoft Intune Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. Intune integrates closely with Azure AD for identity and access control and is used for device and application management. Intune’s device management capabilities are used to configure and protect your user’s devices, including Windows PCs.

Intune device management capabilities support both Bring Your Own Device (BYOD) enrollment which lets users enroll their personal phones, tablets, or PCs, and Corporate-owned Device (COD) enrollment that enable management scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirement configurations. For added security, you can even require MFA to enroll a device. Once enrolled into management, Intune can configure device features and settings to enable secure access to company resources.

Important concepts to understand

Core concepts and EMS capabilities that you should be familiar with are described in the table below.

Core Concept Description
Azure Multi-Factor Authentication (MFA) As Microsoft's two-step verification solution, Azure MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification methods, including phone call, text message, or mobile app verification.
Azure AD Conditional Access This capability of Azure AD enables you to enforce controls on the access to cloud apps in your environment based on specific conditions. With controls, you can either tie additional requirements to the access or you can block it. The implementation of conditional access is based on policies.
Exchange Online Data Loss Prevention (DLP) Exchange Online Data Loss Prevention (DLP) policies, available as a premium feature of Exchange Online Plan 2 and Office 365 subscriptions, enable organizations to identify, monitor, and automatically protect sensitive information across Office 365.

With Exchange Online DLP policies you can identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business. For example, these policies help you identify documents containing sensitive information or prevent the accidental sharing of sensitive information with people outside your organization.
Exchange Mail Flow/Transport Rules Exchange mail flow rules, also known as transport rules, look for specific conditions in messages that pass through your organization and act on them. Mail flow rules are like the Inbox rules that are available in many email clients. The main difference between mail flow rules and rules you would set up in a client application such as Outlook is that mail flow rules act on messages while they’re in transit as opposed to after the message is delivered. Mail flow rules also contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.
Intune Mobile Device Management Intune provides mobile device management (MDM) by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like enrolling devices into management so IT has an inventory of devices that are accessing corporate services, configuring devices to ensure they meet company security and health standards, providing certificates and Wi-Fi/VPN profiles to access corporate services, reporting on and measuring device compliance to corporate standards, and removing corporate data from managed devices.
Intune app protection policies Intune app protection policies can be used to protect your company’s data in mobile apps with or without enrolling devices into management. In fact, your users' mobile devices can even be managed by another non-Microsoft MDM solution while Intune helps protect Office 365 information. While making sure your employees can still be productive, you can also prevent data loss—intentional and unintentional. By implementing app-level policies, you can restrict access to company resources and keep data within the control of your IT department.
Azure AD Token Lifetime You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.
Microsoft Identity Brokers Microsoft provides applications for every mobile platform that allow for the bridging of credentials across applications from different vendors and allows for special enhanced features that require a single secure place from where to validate credentials. We call these brokers. On iOS and Android these brokers are provided through the Microsoft Authenticator and Intune Company Portal apps. In Windows 10, this functionality is provided by an account chooser built in to the operating system, known technically as the Web Authentication Broker.

Security best practices and recommendations

While there is no single best recommendation for all customer environments, the recommended security policies and configurations article introduces important security best practices concepts to understand. This article also describes general Microsoft recommendations about how to apply policy and configuration within the Microsoft cloud to ensure that your employees are both secure and productive.

General identity and device access policy recommendations describes the common recommended policies to help you secure Microsoft 365 Enterprise. Also discussed are the default platform client configurations we recommend to provide the best SSO experience to your users, as well as the technical pre-requisites for conditional access.

Exchange Online access policies

Policy recommendations to help secure email provides Microsoft recommendations to help you secure organizational email, and email clients that support Modern Authentication and Conditional Access. These recommendations are in addition to the common identity and access policy recommendations.

SharePoint Online access policies

Recommendations are provided to safeguard SharePoint Online file access in addition to the common identity and access policy recommendations and policy recommendations to help secure email. This article describes the new policies that must be created, and how existing policies should be amended, to protect both Exchange Online email and SharePoint online file access.

Deploy Windows 10 and Office 365 ProPlus

Learn how to deploy Windows 10 and Office 365 ProPlus and integrate into Microsoft Azure Active Directory (Azure AD) or on-premises Active Directory Domain Services (AD DS). Deploy Windows 10, Office 365 ProPlus, and your other line-of-business apps to new devices or upgrade existing devices to Windows 10 using Intune, System Center Configuration Manager, and Group Policy to manage devices.

For more information, see the following articles:

For deployment assistance with Microsoft 365, contact FastTrack.

Manage updates to Windows 10 and Office 365 ProPlus

The following links show you how to gain maximum control over quality and feature updates for Windows 10 and Office 365 ProPlus. Learn how to effectively control bandwidth usage and keep Windows and Office up-to-date with the newest features, capabilities, and security updates.

For more information, see the following articles:

* Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.

Next steps

Microsoft 365 Enterprise product page
Cloud platform roadmap