-*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.

-*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.

-*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.

-*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only.

-To note, Active users of Word, Excel, and PowerPoint is incomplete prior to Jan 25, 2024. Active users of Outlook might be lower than expected if there are people in your organization using the Coach feature on Outlook Win32 over the selected time period. We are currently working on integrating this data into our reports and will notify you as soon as it becomes available.

-Note that automated prompts are not included in this feature.

- - PowerShell

- - Ent_Office_Other

- - has-azure-ad-ps-ref

-description: "Learn how to assign licenses to user accounts and disable specific service plans at the same time using PowerShell for Microsoft 365."

-# Disable access to Microsoft 365 services while assigning user licenses

-*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.*

-Microsoft 365 subscriptions come with service plans for individual services. Microsoft 365 administrators often need to disable certain plans when assigning licenses to users. With the instructions in this article, you can assign a Microsoft 365 license while disabling specific service plans using PowerShell for an individual user account or multiple user accounts.

-## Use the Azure Active Directory PowerShell for Graph module

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

-Next, list the license plans for your tenant with this command.

-```powershell

-Get-AzureADSubscribedSku | Select SkuPartNumber

-```

-Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN).

-Next, compile a list of services to enable. For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference).

-For the command block below, fill in the user principal name of the user account, the SKU part number, and the list of service plans to enable and remove the explanatory text and the \< and > characters. Then, run the resulting commands at the PowerShell command prompt.

-```powershell

-$userUPN="<user account UPN>"

-$skuPart="<SKU part number>"

-$serviceList=<double-quoted enclosed, comma-separated list of enabled services>

-$user = Get-AzureADUser -ObjectID $userUPN

-$skuID= (Get-AzureADSubscribedSku | Where {$_.SkuPartNumber -eq $skuPart}).SkuID

-$SkuFeaturesToEnable = @($serviceList)

-$StandardLicense = Get-AzureADSubscribedSku | Where {$_.SkuId -eq $skuID}

-$SkuFeaturesToDisable = $StandardLicense.ServicePlans | ForEach-Object { $_ | Where {$_.ServicePlanName -notin $SkuFeaturesToEnable }}

-$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

-$License.SkuId = $StandardLicense.SkuId

-$License.DisabledPlans = $SkuFeaturesToDisable.ServicePlanId

-$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

-$LicensesToAssign.AddLicenses = $License

-Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $LicensesToAssign

-```

-## Use the Microsoft Azure Active Directory module for Windows PowerShell

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

-Next, run this command to see your current subscriptions:

-```powershell

-Get-MsolAccountSku

-```

->[!Note]

->PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

->

-In the display of the `Get-MsolAccountSku` command:

-Note the AccountSkuId for your Microsoft 365 subscription that contains the users you want to license. Also, ensure that there are enough licenses to assign (subtract **ConsumedUnits** from **ActiveUnits**).

-Next, run this command to see the details about the Microsoft 365 service plans that are available in all your subscriptions:

-```powershell

-Get-MsolAccountSku | Select -ExpandProperty ServiceStatus

-```

-From the display of this command, determine which service plans you would like to disable when you assign licenses to users.

-Here's a partial list of service plans and their corresponding Microsoft 365 services.

-The following table shows the Microsoft 365 service plans and their friendly names for the most common services. Your list of service plans might be different.

-|**Service plan**|**Description**|

-|:--|:--|

-| `SWAY` <br/> |Sway <br/> |

-| `TEAMS1` <br/> |Microsoft Teams <br/> |

-| `YAMMER_ENTERPRISE` <br/> |Viva Engage <br/> |

-| `RMS_S_ENTERPRISE` <br/> |Azure Rights Management (RMS) <br/> |

-| `OFFICESUBSCRIPTION` <br/> |Microsoft 365 Apps for enterprise *(previously named Office 365 ProPlus)* <br/> |

-| `MCOSTANDARD` <br/> |Skype for Business Online <br/> |

-| `SHAREPOINTWAC` <br/> |Office <br/> |

-| `SHAREPOINTENTERPRISE` <br/> |SharePoint Online <br/> |

-| `EXCHANGE_S_ENTERPRISE` <br/> |Exchange Online Plan 2 <br/> |

-For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference).

-Now that you have the AccountSkuId and the service plans to disable, you can assign licenses for an individual user or for multiple users.

-### For a single user

-For a single user, fill in the user principal name of the user account, the AccountSkuId, and the list of service plans to disable and remove the explanatory text and the \< and > characters. Then, run the resulting commands at the PowerShell command prompt.

-```powershell

-$userUPN="<the user's account name in email format>"

-$accountSkuId="<the AccountSkuId from the Get-MsolAccountSku command>"

-$planList=@( <comma-separated, double-quote enclosed list of the service plans to disable> )

-$licenseOptions=New-MsolLicenseOptions -AccountSkuId $accountSkuId -DisabledPlans $planList

-Set-MsolUserLicense -UserPrincipalName $userUpn -AddLicenses $accountSkuId -ErrorAction SilentlyContinue

-Sleep -Seconds 5

-Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue

-```

-Here's an example command block for the account named belindan@contoso.com, for the contoso:ENTERPRISEPACK license, and the service plans to disable are RMS_S_ENTERPRISE, SWAY, INTUNE_O365, and YAMMER_ENTERPRISE:

-```powershell

-$userUPN="belindan@contoso.com"

-$accountSkuId="contoso:ENTERPRISEPACK"

-$planList=@( "RMS_S_ENTERPRISE","SWAY","INTUNE_O365","YAMMER_ENTERPRISE" )

-$licenseOptions=New-MsolLicenseOptions -AccountSkuId $accountSkuId -DisabledPlans $planList

-Set-MsolUserLicense -UserPrincipalName $userUpn -AddLicenses $accountSkuId -ErrorAction SilentlyContinue

-Sleep -Seconds 5

-Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue

-```

-### For multiple users

-To perform this administration task for multiple users, create a comma-separated value (CSV) text file that contains the UserPrincipalName and UsageLocation fields. Here's an example:

-```powershell

-UserPrincipalName,UsageLocation

-ClaudeL@contoso.onmicrosoft.com,FR

-LynneB@contoso.onmicrosoft.com,US

-ShawnM@contoso.onmicrosoft.com,US

-```

-Next, fill in the location of the input and output CSV files, the account SKU ID, and the list of service plans to disable, and then run the resulting commands at the PowerShell command prompt.

-```powershell

-$inFileName="<path and file name of the input CSV file that contains the users, example: C:\admin\Users2License.CSV>"

-$outFileName="<path and file name of the output CSV file that records the results, example: C:\admin\Users2License-Done.CSV>"

-$accountSkuId="<the AccountSkuId from the Get-MsolAccountSku command>"

-$planList=@( <comma-separated, double-quote enclosed list of the plans to disable> )

-$users=Import-Csv $inFileName

-$licenseOptions=New-MsolLicenseOptions -AccountSkuId $accountSkuId -DisabledPlans $planList

-ForEach ($user in $users)

-{

-$user.Userprincipalname

-$upn=$user.UserPrincipalName

-Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $accountSkuId -ErrorAction SilentlyContinue

-sleep -Seconds 5

-Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue

-$users | Get-MsolUser | Select UserPrincipalName, Islicensed,Usagelocation | Export-Csv $outFileName

-}

-```

-This PowerShell command block:

-## See also

-[Disable access to Microsoft 365 services with PowerShell](disable-access-to-services-with-microsoft-365-powershell.md)

-[Disable access to Sway with PowerShell](disable-access-to-sway-with-microsoft-365-powershell.md)

-[Manage Microsoft 365 user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md)

-[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)

-description: Find information about moving a OneDrive site to a different geo location, including how to schedule site moves and communicating expectations to users.

-# Move a OneDrive site to a different geo location

-With OneDrive geo move, you can move a user's OneDrive to a different geo location. OneDrive geo move is performed by the SharePoint administrator or the Microsoft 365 global administrator. Before you start a OneDrive geo move, be sure to notify the user whose OneDrive is being moved and recommend they close all files during the move. (If the user has a document open using the Office client during the move, then upon move completion the document needs to be saved to the new location.) The move can be scheduled for a future time, if desired.

-The OneDrive service uses Azure Blob Storage to store content. The Storage blob associated with the user's OneDrive will be moved from the source to destination geo location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive will be restored as soon as the destination OneDrive is available.

-During the OneDrive geo move window (about 2-6 hours), the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint. After OneDrive geo move is complete, the user will be automatically connected to their OneDrive at the destination geo location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app will automatically begin syncing from the new location.

-The procedures in this article require the [Microsoft SharePoint Online PowerShell Module](https://www.microsoft.com/download/details.aspx?id=35588).

-## Communicating to your users

-When moving OneDrive sites between geo locations, it's important to communicate to your users what to expect. This can help reduce user confusion and calls to your help desk. Email your users before the move and let them know the following information:

-Be sure to send your users an email when the move has successfully completed informing them that they can resume working in OneDrive.

-## Scheduling OneDrive site moves

-You can schedule OneDrive site moves in advance (described later in this article). We recommend that you start with a small number of users to validate your workflows and communication strategies. Once you're comfortable with the process, you can schedule moves as follows:

-## Moving a OneDrive site

-To perform a OneDrive geo move, the tenant administrator must first set the user's Preferred Data Location (PDL) to the appropriate geo location. Once the PDL is set, wait for at least 24 hours for the PDL update to sync across the geo locations before starting the OneDrive geo move.

-When using the geo move cmdlets, connect to the SharePoint Service at the user's current OneDrive geo location, using the following syntax:

-```powershell

-Connect-SPOService -url https://<tenantName>-admin.sharepoint.com

-```

-For example: To move OneDrive of user 'Matt@contosoenergy.onmicrosoft.com', connect to EUR SharePoint Admin center as the user's OneDrive is in EUR geo location:

-```powershell

-Connect-SPOService -url https://contosoenergyeur-admin.sharepoint.com

-```

-

-## Validating the environment

-Before you start a OneDrive geo move, we recommend that you validate the environment.

-To ensure that all geo locations are compatible, run:

-```powershell

-Get-SPOGeoMoveCrossCompatibilityStatus

-```

-This displays all your geo locations and whether the environment is compatible with the destination geo location. If a geo location is incompatible, that means an update is in progress in that location. Try again in a few days.

-If a OneDrive contains a subsite, for example, it can't be moved. You can use the Start-SPOUserAndContentMove cmdlet with the -ValidationOnly parameter to validate if the OneDrive is able to be moved:

-```powershell

-Start-SPOUserAndContentMove -UserPrincipalName <UPN> -DestinationDataLocation <DestinationDataLocation> -ValidationOnly

-```

-This returns **Success** if the OneDrive is ready to be moved or **Fail** if there's a legal hold or subsite that would prevent the move. Once you validate that the OneDrive is ready to move, you can start the move.

-## Start a OneDrive geo move

-To start the move, run:

-```powershell

-Start-SPOUserAndContentMove -UserPrincipalName <UserPrincipalName> -DestinationDataLocation <DestinationDataLocation>

-```

-Using these parameters:

-For example, to move the OneDrive of matt@contosoenergy.onmicrosoft.com from EUR to AUS, run:

-```powershell

-Start-SPOUserAndContentMove -UserPrincipalName matt@contosoenergy.onmicrosoft.com -DestinationDataLocation AUS

-```

-

-To schedule a geo move for a later time, use one of the following parameters:

-## Cancel a OneDrive geo move

-You can stop the geo move of a user's OneDrive, provided the move isn't in progress or completed by using the cmdlet:

-```powershell

-Stop-SPOUserAndContentMove ΓÇô UserPrincipalName <UserPrincipalName>

-```

-Where _UserPrincipalName_ is the UPN of the user whose OneDrive move you want to stop.

-## Determining current status

-You can check the status of a OneDrive geo move in or out of the geo that you're connected to by using the ```Get-SPOUserAndContentMoveState``` cmdlet.

-The move statuses are described in the following table.

-|Status|Description|

-|||

-|NotStarted|The move hasn't started|

-|InProgress (*n*/4)|The move is in progress in one of the following states: <ul><li>Validation (1/4)</li><li>Backup (2/4)</li><li>Restore (3/4)</li><li>Cleanup (4/4)</li></ul>|

-|Success|The move has completed successfully.|

-|Failed|The move failed.|

-To find the status of a specific user's move, use the *UserPrincipalName* parameter:

-```powershell

-Get-SPOUserAndContentMoveState -UserPrincipalName <UPN>

-```

-To find the status of all of the moves in or out of the geo location that you're connected to, use the *MoveState* parameter with one of the following values: NotStarted, InProgress, Success, Failed, All.

-```powershell

-Get-SPOUserAndContentMoveState -MoveState <value>

-```

-You can also add the *Verbose* parameter for more verbose descriptions of the move state.

-## User Experience

-Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different geo location. Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed.

-### User's OneDrive

-While the move is in progress the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new geo location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser.

-### Permissions on OneDrive content

-Users with permissions to OneDrive content will continue to have access to the content during the move and after it's complete.

-### OneDrive sync app

-The OneDrive sync app will automatically detect and seamlessly transfer syncing to the new OneDrive location once the OneDrive geo move is complete. The user doesn't need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)

-If a user updates a file while the OneDrive geo move is in progress, the sync app notifies them that file uploads are pending while the move is underway.

-### Sharing links

-Upon OneDrive geo move completion, the existing shared links for the files that were moved will automatically redirect to the new geo location.

-### OneNote Experience

-OneNote Win32 client and UWP (Universal) App will automatically detect and seamlessly sync notebooks to the new OneDrive location once OneDrive geo move is complete. The user doesn't need to sign-in again or take any other action. The only visible indicator to the user is notebook sync would fail when OneDrive geo move is in progress. This experience is available on the following OneNote client versions:

-### Teams app

-Upon OneDrive geo move completion, users have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive prior to geo move will continue to work after move is complete.

-### OneDrive Mobile App (iOS)

-Upon OneDrive geo move completion, the user would need to sign out and sign in again on the iOS Mobile App to sync to the new OneDrive location.

-### Existing followed groups and sites

-Followed sites and groups show up in the user's OneDrive regardless of their geo location. Sites and groups hosted in another geo location will open in a separate tab.

-### Delve Geo URL updates

-Users will be sent to the Delve geo corresponding to their PDL only after their OneDrive has been moved to the new geo.

-1. First, install the required software and connect to your Microsoft 365 subscription. For instructions, see [Connect with the Microsoft Azure Active Directory module for Windows PowerShell](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

-2. Use **Set-MsolDirSyncEnabled** to disable directory synchronization:

- Set-MsolDirSyncEnabled -EnableDirSync $false

-Visit [Set-MsolDirSyncEnabled](/powershell/module/msonline/set-msoldirsyncenabled) for more detailed information on cmdlet usage and switches.

-##### Apply the Microsoft Defender for Endpoint installation and onboarding packages using Group policy

-The Defender Experts for XDR service typically sends automated emails whenever a managed response with completed or pending actions is published in the Microsoft XDR portal, or when it needs to remind you about incidents awaiting your action.

-While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. [Learn more](onboarding-defender-experts-for-hunting.md#collaborate-with-experts-on-demand)

-description: Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints

-## Collaborate with experts on demand

-> [!NOTE]

-> Ask Defender Experts is included in your Defender Experts for Hunting subscription with [monthly allocations](/microsoft-365/security/defender/before-you-begin-defender-experts#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

-Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Ask Defender Experts can help:

-### Required permissions for submitting inquiries in the Ask Defender Experts panel

-You need to select one of the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions).

-|**Product name**|**Product RBAC permission**|

-||||

-| Microsoft Defender for Endpoint RBAC | Manage security settings in the Security Center|

-| Microsoft Defender XDR Unified RBAC | Authorization and settings \ Security settings \ Core security settings (manage)</br>Authorization and settings \ Security settings \ Detection tuning (manage) |

-### Where to find Ask Defender Experts

-The option to **Ask Defender Experts** is available in several places throughout the portal:

- 

- 

- 

- 

-### Sample questions you can ask from Defender Experts

-**Alert information**

-**Possible device compromise**

-**Threat intelligence details**

-**Microsoft Defender Experts for Hunting alert communications**

- - A security analyst [starts an automated investigation](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Explorer](threat-explorer-real-time-detections-about.md).

-> For a more detailed overview, see [How AIR works](air-about-office.md).

-|Email|Missed phish email [reported](submissions-users-report-message-add-in-configure.md) by a user|[Automated investigation triggered by the user's report](air-about-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook)|

-If [automated investigation and response (AIR) capabilities in Office 365](air-about-office.md) missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include:

-|**Terminated By Throttling**|If an investigation is held in the queue too long, it stops. <p> **TIP**: You can [start an investigation from Threat Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).|

-|Investigate and remove bad email in Threat Explorer at <https://security.microsoft.com/threatexplorer> based on user requests.|Ad-hoc|Use the **Trigger investigation** action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including: <ul><li>A root investigation.</li><li>Steps to identify and correlate threats.</li><li>Recommended actions to mitigate those threats.</li></ul> <br/> For more information, see [Example: A user-reported phish message launches an investigation playbook](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) <br/><br/> Or, you can use Threat Explorer to [manually investigate email](threat-explorer-investigate-delivered-malicious-email.md) with powerful search and filtering capabilities and [take manual response action](remediate-malicious-email-delivered-office-365.md) directly from the same place. Available manual actions: <ul><li>Move to Inbox</li><li>Move to Junk</li><li>Move to Deleted items</li><li>Soft delete</li><li>Hard delete.</li></ul>|Security Operations Team|

-When a user reported message arrives in the reporting mailbox, Defender for Office 365 automatically generates the alert named **Email reported by user as malware or phish**. This alert launches an [AIR playbook](air-about-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook). The playbook performs a series of automated investigations steps:

-Enhanced Filtering for Connectors is required by Defender for Office 365 to see where internet messages actually came from. Enhanced Filtering for Connectors greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), and post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md).

-Use automated investigation and response (AIR) capabilities to save time and effort correlating content, devices, and people at risk from threats in your organization. AIR processes can begin whenever certain alerts are triggered, or when started by your security operations team. To learn more, see [automated investigation and response in Office 365](air-about-office.md).

-[Automated investigation and response (AIR) in Office 365](air-about-office.md)

-[How automated investigation and response works in Microsoft Defender for Office 365](../air-about-office.md).

-For more information, see [Trigger an investigation](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).

-[Automated investigation and response (AIR)](air-about-office.md) in Defender for Office 365 Plan 2 can save time and effort as you investigate and mitigate cyberattacks. You can configure alerts that trigger a security playbook, and you can start AIR in Threat Explorer. For details, see [Example: A security administrator triggers an investigation from Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).

- When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md).

-|[</li></ul>|

-### Common attacks and Microsoft capabilities that protect your organization

-Learn about the most common cyber attacks and how Microsoft can help your organization at every stage of an attack.

-|[</li></ul>|

-|[](https://download.microsoft.com/download/3/6/a/36a7c1ba-fe48-414f-92c9-9c9ddba323cd/5594928a.pdf) <br/> [PDF](https://download.microsoft.com/download/3/6/a/36a7c1ba-fe48-414f-92c9-9c9ddba323cd/5594928a.pdf) <br/> Updated November 2021 | This model contains: <ul> <li> Introduction to identity with Microsoft's cloud </li><li> Microsoft Entra IDaaS capabilities </li><li>Zero Trust identity and device access policies</li><li> Integrating on-premises Active Directory Domain Services (AD DS) accounts with Microsoft Entra ID </li><li> Putting directory components in Azure IaaS </li><li> AD DS options for workloads in Azure IaaS </li></ul><br/> <br/>|

-|[](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) <br/> [View as a PDF](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) \| [Download as a PDF](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) \| [Download as a Visio](https://download.microsoft.com/download/d/4/0/d405b909-ee8f-4d08-a5e3-ed0f04ec1b47/MSFT_cloud_architecture_networking.vsdx) <br/>Updated August 2020 | This model contains: <ul><li> Evolving your network for cloud connectivity </li><li> Common elements of Microsoft cloud connectivity </li><li> ExpressRoute for Microsoft cloud connectivity </li><li> Designing networking for Microsoft SaaS, Azure PaaS, and Azure IaaS </li></ul><br/> <br/>|

-|[](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) <br/> [View as a PDF](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_hybrid.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_hybrid.vsdx) <br>Updated August 2020 | This model contains: <ul><li> Microsoft's cloud offerings (SaaS, Azure PaaS, and Azure IaaS) and their common elements </li><li> Hybrid cloud architecture for Microsoft's cloud offerings </li><li> Hybrid cloud scenarios for Microsoft SaaS (Office 365), Azure PaaS, and Azure IaaS </li></ul><br/>|

-|[](https://download.microsoft.com/download/8/c/2/8c2d4d29-a6dd-4d98-92e9-be496f1681df/msft-m365-teams-logical-architecture.pdf) <br/> [PDF](https://download.microsoft.com/download/8/c/2/8c2d4d29-a6dd-4d98-92e9-be496f1681df/msft-m365-teams-logical-architecture.pdf) \| [Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-teams-logical-architecture.vsdx) <br>Updated April 2019 |Microsoft provides a suite of productivity services that work together to provide collaboration experiences with data governance, security, and compliance capabilities. <br/> <br/>This series of illustrations provides a view into the logical architecture of productivity services for enterprise architects, leading with Microsoft Teams.|

-|[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-security-info-protect-multi-region.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-security-info-protect-multi-region.pdf) \| [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-security-info-protect-multi-region.vsdx)<br>Updated March 2020 |Using a single Microsoft 365 tenant for your global organization is the best choice and experience for many reasons. However, many architects wrestle with how to meet security and information protection objectives across different regions. This set of topics provides recommendations. |

-<!--

-<a name="BKMK_O365IDP"></a>

-## Zero Trust identity and device protection for Microsoft 365

-Recommended Zero Trust capabilities for protecting identities and devices that access Microsoft 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

-| Item | Description |

-|:--|:--|

-|[](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx) <br/> Updated November 2021|It's important to use consistent levels of protection across your data, identities, and devices. This model shows you which Zero Trust capabilities are comparable with more information on capabilities to protect identities and devices. <br/> |

-[See a larger version of this image](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/tenant-management-overview/tenant-management-tenant-build-step2.png)