Microsoft · cloud

Microsoft 365 Fundamentals MS-900

Master Microsoft 365 Fundamentals for the MS-900 exam: cloud concepts (IaaS/PaaS/SaaS), Microsoft 365 services (Exchange Online, SharePoint, OneDrive, Teams, Microsoft Viva, Copilot for M365), device management with Intune and Windows 365, identity with Microsoft Entra ID and Conditional Access, security with Defender XDR and Microsoft Purview, Zero Trust model, and Microsoft 365 licensing (E1/E3/E5, Business Premium, F3). 60 scenario-based practice questions.

6Modules
20 hoursDuration
beginnerLevel
⚡ Practice the exam 🗺️ Open Cert Quest path ← All courses
Field Details
Exam CodeMS-900
Questions40–60 multiple-choice, drag-drop, case study
Duration45 minutes
Passing Score700 / 1000
Price$99 USD
RecertificationNone (fundamentals certs don't expire)
Recommended ExperienceGeneral IT knowledge, cloud basics
PrerequisitesNone

Exam Domain Weights

Domain 1 — Describe Cloud Concepts ~10-15%
Domain 2 — Describe Microsoft 365 Apps and Services ~30-35%
Domain 3 — Describe Security, Compliance, Privacy, and Trust ~25-30%
Domain 4 — Describe Microsoft 365 Pricing, Licensing, and Support ~25-30%

Course Modules

Six in-depth modules mapped to the four MS-900 exam domains. Each opens to three lessons — intro, key concepts, study notes, takeaways, and a linked mini-quiz drawn from the MS-900 question bank.

01
Cloud Concepts & Microsoft 365 Overview
3 lessons · ~3h
MS-900 opens with cloud vocabulary. Before any Microsoft 365 app appears, the exam checks that you can place Microsoft 365 as SaaS, tell the deployment models (public, private, hybrid) apart from the service models (IaaS, PaaS, SaaS), name the benefits of cloud computing, and explain the shared responsibility model. Domain 1 is small (10–15%) but its ideas underpin every later module.
Lesson 1.1 — Cloud Deployment & Service Models

Key Concepts

  • Deployment models — where the cloud runs: Public cloud shares provider infrastructure across many customers (Microsoft 365, Azure). Private cloud is dedicated to one organisation. Hybrid cloud connects public and private/on-premises so workloads can span both.
  • Service models — how much you manage: IaaS gives you virtual machines and networks; you manage the OS and up. PaaS gives you a managed platform to build apps; the provider handles the OS and runtime. SaaS gives you finished software you just sign in to.
  • Microsoft 365 is SaaS: You consume Exchange, SharePoint, and Teams as a subscription — Microsoft runs every layer. This is the single most-tested classification on the exam.
  • Subscription model: Microsoft 365 is licensed per user per month — no servers to buy, capacity scales with the number of licences.
If a question describes managing Windows devices, building a custom app, or signing in to ready-made software, map it: managing VMs = IaaS, building on a managed platform = PaaS, using finished software = SaaS. Microsoft 365 is always SaaS.
Lesson 1.2 — Benefits of Cloud Computing

Key Concepts

  • Scalability: Add or remove capacity to match demand. Vertical scaling resizes a resource; horizontal scaling adds more instances.
  • Elasticity: Capacity adjusts automatically as load rises and falls — you pay for what you use, when you use it.
  • Agility: Resources and services can be provisioned in minutes, so the business responds to change quickly instead of waiting on hardware.
  • Reliability & availability: Redundant, geographically distributed infrastructure keeps services running and recoverable; Microsoft publishes Service Level Agreements (SLAs) for uptime.
  • OpEx vs CapEx: On-premises hardware is a capital expense (CapEx) paid up front. Cloud subscriptions are an operating expense (OpEx) — predictable, ongoing, and tied to actual usage.
Real-world frame: a retailer moving to Microsoft 365 stops buying email servers (CapEx) and pays a per-user monthly fee (OpEx). When seasonal staff join for the holidays, they add licences in minutes (agility, elasticity) and remove them in January.
Lesson 1.3 — The Shared Responsibility Model

Key Concepts

  • Shared responsibility: Security duties are split between Microsoft and the customer. The split shifts with the service model.
  • Always Microsoft: The physical datacentre, hosts, and network — regardless of IaaS, PaaS, or SaaS.
  • Always the customer: Their data, accounts, identities, and access management — even in SaaS like Microsoft 365.
  • The shifting middle: Operating system and application responsibility move toward Microsoft as you go IaaS → PaaS → SaaS.
  • Why it matters for M365: Microsoft keeps the service running, but the customer must still manage who has access, configure security features, and protect their own data.
Two constants to memorise: the customer is always responsible for data and identities; Microsoft is always responsible for the physical infrastructure. Adopting SaaS does not outsource responsibility for your accounts.

💻 Scenario — deciding between Microsoft 365 plans

Situation: A 150-person professional services firm currently pays for separate email hosting, a file server, and desktop Office licenses. The CEO asks IT: "Can Microsoft 365 consolidate all of this and how does pricing work?"

Answer: Microsoft 365 Business Premium includes Exchange Online (email), SharePoint/OneDrive (file storage), Teams (collaboration), and Office apps — all in one per-user subscription. The firm shifts from CapEx (server hardware, perpetual licenses) to OpEx (per-user/month billing). If they grow from 150 to 200 users, they just add licenses — no hardware planning required.

Which plan? Business Premium (up to 300 users) covers their entire stack including Intune device management and Defender for Business. Enterprise E3 or E5 is the path if they ever exceed 300 users or need advanced compliance features (E5 adds Defender for Endpoint P2, Purview eDiscovery, and Sentinel licensing).

Key takeaways
  • Deployment models say where the cloud runs (public / private / hybrid); service models say how much you manage (IaaS / PaaS / SaaS). Microsoft 365 is SaaS.
  • Cloud benefits cluster around scalability, elasticity, agility, reliability, and the shift from up-front CapEx to pay-as-you-go OpEx.
  • In shared responsibility the customer always owns data and identities; Microsoft always owns the physical layer — the OS/app middle shifts with the service model.
⚡ Mini-quiz — Drill deployment vs service models, cloud benefits, and the shared responsibility split.
Quick quiz →
02
Collaboration Services — Exchange, SharePoint, OneDrive, Teams
3 lessons · ~4h
Domain 2 (30–35%) is the largest, and these four services are its core. This module tours the productivity pillars of Microsoft 365 — Exchange Online for mail, SharePoint and OneDrive for files, and Microsoft Teams as the collaboration hub — and shows how they interconnect.
Lesson 2.1 — Exchange Online

Key Concepts

  • Exchange Online: The cloud-hosted enterprise email, calendar, and contacts service — the mailbox behind Outlook on the web, desktop, and mobile.
  • Mailbox types: User mailboxes for people, shared mailboxes for teams (e.g. support@), and resource mailboxes for rooms and equipment that can be booked.
  • Distribution groups vs Microsoft 365 groups: A distribution group fans an email out to members; a Microsoft 365 group provides a shared mailbox, calendar, and SharePoint site, and underpins Teams.
  • Protection & compliance: Exchange Online Protection (EOP) filters spam and malware on every message; mail flow rules and retention can be applied centrally.
  • Outlook is the client; Exchange is the service: A common exam distinction — the app you open vs the service that hosts the mailbox.
When a scenario needs an address several people monitor without extra licences, the answer is a shared mailbox. When it needs to book a conference room, the answer is a resource mailbox.
Lesson 2.2 — SharePoint Online & OneDrive for Business

Key Concepts

  • SharePoint Online: Cloud document management and intranet — team sites, communication sites, document libraries, lists, and news.
  • OneDrive for Business: Each user's personal cloud storage, with file sync across devices and easy sharing. Best for individual or in-progress work.
  • SharePoint vs OneDrive: Put shared, team-owned content in SharePoint; keep personal or draft content in OneDrive. Files shared in a Teams channel actually live in the team's SharePoint site.
  • Co-authoring & versioning: Both let multiple people edit a file at once and keep version history so changes can be rolled back.
  • Sharing controls: Links can be scoped to specific people, the organisation, or anyone — administrators set the allowed boundaries.
Mental model: OneDrive is "my files", SharePoint is "our files". A document a whole department relies on belongs in a SharePoint library, not one person's OneDrive.
Lesson 2.3 — Microsoft Teams

Key Concepts

  • Microsoft Teams: The unified hub for chat, channels, meetings, and calls — the front door to collaboration in Microsoft 365.
  • Teams and channels: A team is a group of people; channels organise its conversations and files by topic. Each team is backed by a Microsoft 365 group and a SharePoint site.
  • Chat vs channels: Chat is ad-hoc and private to participants; channel posts are visible to the whole team and persist as a record.
  • Meetings & Teams Phone: Teams hosts online meetings with video, screen share, and recording; Teams Phone adds full PSTN calling so Teams becomes the business phone system.
  • Apps & integration: Teams surfaces other Microsoft 365 services and third-party apps as tabs and bots, keeping work in one place.
Teams ties the module together: behind every team sits a Microsoft 365 group (Module 2.1) and a SharePoint site (Module 2.2). Files posted in a channel are stored in that SharePoint site, not in OneDrive.

💻 Scenario — migrating on-premises file shares to SharePoint + OneDrive

Situation: The firm has 8 TB of files on a Windows file server. Different departments need shared team folders; individual staff need personal storage; all files must be accessible from home without VPN.

Walk: Departmental shared files → SharePoint team sites (one per department, with Teams integration for real-time collaboration). Personal files → OneDrive for Business (1 TB per user, auto-sync to desktop). Result: file server can be decommissioned. Staff access files via browser, Teams, or the sync client. Co-authoring in Word/Excel works without emailing attachments.

Exam note: MS-900 tests the distinction: SharePoint = team/departmental shared content; OneDrive = personal content. Teams channels store their files in SharePoint behind the scenes.

Key takeaways
  • Exchange Online hosts mail and calendars; Outlook is just the client. Shared and resource mailboxes cover team addresses and bookable rooms.
  • OneDrive = "my files" (personal/draft); SharePoint = "our files" (team-owned). Teams channel files live in SharePoint.
  • Teams is the collaboration hub — chat, channels, meetings, and Teams Phone — and every team is backed by a Microsoft 365 group plus a SharePoint site.
⚡ Mini-quiz — Drill mailbox types, SharePoint vs OneDrive, and how Teams ties the services together.
Quick quiz →
03
Microsoft Viva, Power Platform & Copilot
3 lessons · ~3h
Beyond mail and files, Microsoft 365 includes a modern productivity layer the exam expects you to recognise: the Viva employee-experience suite, the Power Platform low-code stack, Microsoft 365 Copilot, and Microsoft Loop. You need to match each tool to its purpose, not configure it.
Lesson 3.1 — Microsoft Viva

Key Concepts

  • Microsoft Viva: An employee-experience platform that lives inside Teams, built from several modules.
  • Viva Connections: An intranet dashboard in Teams surfacing SharePoint news, resources, and dashboard cards.
  • Viva Engage: The social and community network (formerly Yammer) — communities, storylines, and leadership conversations.
  • Viva Insights: Personal and manager wellbeing and productivity analytics — focus time, meeting habits, work-life balance.
  • Viva Learning & Viva Topics: Learning aggregates training content into Teams; Topics uses AI to mine and surface organisational knowledge.
The exam tests Engage vs Connections directly: Engage is social (communities, discussions); Connections is the intranet dashboard. Insights = wellbeing, Learning = an LMS, Topics = knowledge mining.
Lesson 3.2 — Power Platform

Key Concepts

  • Power Platform: A low-code / no-code suite that lets non-developers build solutions on top of Microsoft 365 data.
  • Power BI: Business analytics — interactive reports and dashboards from many data sources.
  • Power Automate: Workflow automation — triggers and actions that connect apps (e.g. "save email attachments to SharePoint").
  • Power Apps: Custom business apps built visually, without traditional coding.
  • Power Pages & Copilot Studio: Power Pages builds external-facing websites; Copilot Studio builds custom conversational agents.
Match the verb in the question: "analyse / dashboard" → Power BI; "automate / workflow" → Power Automate; "build an app" → Power Apps; "build a website" → Power Pages.
Lesson 3.3 — Microsoft 365 Copilot & Loop

Key Concepts

  • Microsoft 365 Copilot: An AI assistant embedded across Word, Excel, PowerPoint, Outlook, and Teams — it drafts content, summarises, and answers questions grounded in your organisation's data.
  • Grounding with Microsoft Graph: Copilot uses the Microsoft Graph to base responses on your emails, files, and chats — and it respects existing permissions, so it only surfaces content the user can already access.
  • Copilot is a paid add-on: Microsoft 365 Copilot is licensed separately on top of an eligible base subscription — it is not included in standard plans.
  • Microsoft Loop: A collaborative app of flexible components — portable pieces of content that stay in sync wherever they are pasted (Teams chat, Outlook, a Loop workspace).
  • Where they fit: Copilot accelerates individual work; Loop keeps shared content live and consistent across apps.
Exam-relevant nuance: Copilot honours permissions — it cannot surface a file a user has no access to. And it is a separate paid licence, a frequent licensing-domain question.

💻 Scenario — automating a manual approval workflow with Power Automate

Situation: The finance team manually emails managers every time an invoice over $5,000 is submitted. The manager emails back "approved" or "rejected". This process takes 2–3 days and has no audit trail.

With Power Automate: A no-code flow is built in 30 minutes: Trigger = new item added to a SharePoint "Invoices" list with amount > $5,000. Action 1 = send an approval request to the manager via Teams adaptive card. Action 2 = if approved, update the SharePoint item status to "Approved" and notify accounts payable. Action 3 = if rejected, notify the submitter with the reason. All decisions are logged in the SharePoint list for audit.

MS-900 pattern: "Automate repetitive tasks without code" = Power Automate. "Build a simple business app without code" = Power Apps. "Analyse data visually" = Power BI.

Key takeaways
  • Viva modules each have one job: Connections = intranet, Engage = social, Insights = wellbeing, Learning = LMS, Topics = knowledge mining.
  • Power Platform is low-code: Power BI analyses, Power Automate automates, Power Apps builds apps, Power Pages builds sites.
  • Microsoft 365 Copilot is a paid add-on that grounds AI in Graph data and respects permissions; Loop keeps content synced across apps.
⚡ Mini-quiz — Drill the Viva modules, Power Platform tools, and what Copilot and Loop do.
Quick quiz →
🎧

Halfway through MS-900? The CertQuests podcast covers Microsoft 365 service comparisons and the E3-vs-E5 licensing maze — great for cementing these concepts away from the screen.

▶ Open Spotify
04
Device Management — Intune, Autopilot, Windows 365 & AVD
3 lessons · ~3h
Microsoft 365 manages and secures the modern endpoint. This module covers Microsoft Intune for device and app management, Windows Autopilot for zero-touch provisioning, and the difference between Windows 365 and Azure Virtual Desktop — a comparison the exam tests directly.
Lesson 4.1 — Microsoft Intune

Key Concepts

  • Microsoft Intune: The cloud endpoint-management service, part of Microsoft Intune Suite, for managing Windows, macOS, iOS, and Android devices.
  • Mobile Device Management (MDM): Enrols and manages a whole device — enforcing compliance policies, configuration profiles, and the ability to wipe a lost device.
  • Mobile Application Management (MAM): Manages and protects only the corporate apps and data on a device, leaving the rest untouched — ideal for personal (BYOD) devices.
  • App protection policies: Control corporate data within apps — block copy-paste to personal apps, require a PIN, selectively wipe company data without touching personal content.
  • Compliance & Conditional Access: Intune reports device compliance to Entra ID, so Conditional Access can require a compliant device before granting access.
Choose by ownership: a corporate-owned laptop calls for full MDM; an employee's personal phone calls for MAM / app protection policies so the company protects its data without controlling the whole device.
Lesson 4.2 — Windows Autopilot

Key Concepts

  • Windows Autopilot: A zero-touch deployment service — a new device ships straight from the vendor to the user and configures itself on first sign-in.
  • How it works: The device hardware ID is registered with the organisation; when the user signs in with their work account, Autopilot joins it to Entra ID and applies Intune policies and apps automatically.
  • No imaging: Autopilot removes the traditional IT step of building and applying a custom OS image to each machine.
  • Self-service provisioning: A remote employee can unbox a laptop and have a fully managed, policy-compliant device with no IT visit.
  • Works with Intune: Autopilot handles enrolment; Intune delivers the configuration, security policies, and apps.
Scenario cue: "New hires must receive ready-to-use laptops shipped directly to their homes, with no IT imaging." That is Windows Autopilot — registration plus first-sign-in provisioning.
Lesson 4.3 — Windows 365 vs Azure Virtual Desktop

Key Concepts

  • Cloud PC / virtual desktop: Both services stream a Windows desktop from the cloud to any device, so the desktop and its data never live on the local endpoint.
  • Windows 365: A per-user Cloud PC with fixed, predictable per-month pricing. It is delivered as SaaS — simple to buy, fast to provision, and easy to manage.
  • Azure Virtual Desktop (AVD): Runs on Azure infrastructure with consumption-based pricing. It supports multi-session Windows (several users on one VM) and offers far more flexibility and control.
  • Choosing between them: Pick Windows 365 for simplicity and predictable cost (one dedicated PC per user); pick AVD for cost optimisation at scale, multi-session, and deep customisation.
  • Common ground: Both improve security — data stays in the cloud — and both let users work from any device.
Decision shortcut: simple, predictable, one-PC-per-user → Windows 365. Flexible, consumption-priced, multi-session shared desktops → Azure Virtual Desktop.

💻 Scenario — zero-touch laptop deployment with Autopilot + Intune

Situation: IT needs to ship 50 laptops directly from a supplier to home-based employees without IT ever touching them. On first boot, each laptop should enrol into Microsoft 365, install required apps, and enforce security policies automatically.

Walk: 1) Supplier uploads hardware IDs to Windows Autopilot (via CSV or OEM programme). 2) IT configures an Autopilot deployment profile in Intune: OOBE skipped, domain joined, assigned to the employee's account. 3) Employee receives the laptop, powers it on, signs in with their Microsoft 365 account. 4) Autopilot registers the device with Intune automatically. 5) Intune pushes the required apps (Microsoft 365 Apps, company VPN, Defender for Endpoint) and compliance policies (BitLocker required, PIN lock enabled). Employee is productive within 45 minutes — IT never touched the device.

Exam note: Autopilot = zero-touch provisioning. Intune = ongoing device management (compliance + app deployment). Windows 365 = full Windows PC streamed from the cloud (Cloud PC).

Key takeaways
  • Intune manages endpoints: MDM for whole (corporate) devices, MAM / app protection for corporate data on personal (BYOD) devices.
  • Windows Autopilot is zero-touch provisioning — devices ship direct to users and configure themselves on first sign-in, no imaging.
  • Windows 365 = simple, fixed-price per-user Cloud PC; AVD = flexible, consumption-priced, multi-session virtual desktops.
⚡ Mini-quiz — Drill MDM vs MAM, Windows Autopilot, and Windows 365 vs Azure Virtual Desktop.
Quick quiz →
05
Identity & Security — Entra ID, Zero Trust, Defender XDR, Purview
3 lessons · ~5h
Domain 3 (25–30%) covers how Microsoft 365 keeps identities, devices, and data safe. This module covers Microsoft Entra ID and the Zero Trust model, the Defender XDR threat-protection family, and Microsoft Purview for compliance — the security spine of the platform.
Lesson 5.1 — Microsoft Entra ID & Zero Trust

Key Concepts

  • Microsoft Entra ID: The cloud identity and access service behind Microsoft 365 — formerly Azure Active Directory. The names are interchangeable; it is the same product.
  • Authentication & MFA: Entra ID verifies who users are. Multi-factor authentication adds a second factor (phone, app, key) and is the strongest defence against stolen passwords.
  • Single Sign-On (SSO): One sign-in grants access to many apps, reducing password fatigue and risk.
  • Conditional Access: An if-then policy engine — if signals like location, device, or risk meet a condition, then require MFA, require a compliant device, or block access.
  • Zero Trust: A security model with three principles — verify explicitly, use least-privilege access, and assume breach. It replaces "trust the internal network" with "never trust, always verify".
Do not be thrown by names: "Azure AD" and "Microsoft Entra ID" are the same identity service. The exam uses both — same features, same P1/P2 SKUs.
Lesson 5.2 — Microsoft Defender XDR

Key Concepts

  • Defender XDR: Microsoft's Extended Detection & Response suite — it correlates threat signals across identity, endpoints, email, and cloud apps into a unified portal.
  • Defender for Endpoint: Endpoint detection and response (EDR) protecting devices — Windows, macOS, Linux, mobile.
  • Defender for Office 365: Protects email and collaboration — Safe Links and Safe Attachments against phishing and malicious files.
  • Defender for Identity: Detects attacks against on-premises Active Directory using domain-controller signals.
  • Defender for Cloud Apps: A Cloud Access Security Broker (CASB) — discovers shadow IT and gives visibility and control over SaaS usage.
Match the noun to the product: "devices" → Defender for Endpoint, "email/phishing" → Defender for Office 365, "on-prem AD" → Defender for Identity, "shadow IT / SaaS" → Defender for Cloud Apps. The advanced (Plan 2) tiers are E5-only.
Lesson 5.3 — Microsoft Purview

Key Concepts

  • Microsoft Purview: The compliance and data-governance umbrella for Microsoft 365.
  • Sensitivity labels: Classify and protect documents and emails — applying encryption and visual markings that travel with the file.
  • Data Loss Prevention (DLP): Policies that detect and block the sharing of sensitive data — credit card numbers, IDs — across Microsoft 365.
  • Retention & records management: Govern how long content is kept and when it is deleted, satisfying regulatory requirements.
  • eDiscovery, Audit & Compliance Manager: eDiscovery finds and preserves content for legal cases; Audit is the immutable activity log; Compliance Manager scores your posture against regulations.
Advanced Purview features — Insider Risk Management, Communication Compliance, advanced eDiscovery, Records Management, Customer Lockbox — are E5-tier. If a scenario names one of these, the licence answer is E5.

💻 Scenario — enabling Zero Trust for a hybrid workforce

Situation: Employees work from corporate offices, home, and client sites using personal and company devices. IT wants to enforce Zero Trust: every access request must be verified regardless of location or device.

Walk: 1) Identity — enable MFA for all users in Entra ID. 2) Conditional Access — require compliant device (Intune-enrolled, BitLocker on) AND MFA for access to sensitive apps. Block access from untrusted countries. 3) Least privilege — assign Microsoft 365 roles by need only; use PIM for admin activations. 4) Device health — Intune compliance policy marks a device non-compliant if Defender real-time protection is off; Conditional Access blocks non-compliant devices. 5) Threat detection — Microsoft Defender XDR correlates identity (Defender for Identity), endpoint (Defender for Endpoint), and email (Defender for Office 365) signals into a unified incident view.

Result: An employee on a personal, unmanaged device from an unknown IP gets blocked. Same employee on their Intune-managed laptop passes all checks and gets access. Zero Trust in practice.

Key takeaways
  • Entra ID (formerly Azure AD) handles identity; MFA, SSO, and Conditional Access enforce Zero Trust — verify explicitly, least privilege, assume breach.
  • Defender XDR correlates threats — Endpoint (devices), Office 365 (email), Identity (on-prem AD), Cloud Apps (SaaS).
  • Microsoft Purview covers compliance — sensitivity labels, DLP, retention, eDiscovery, Audit, and Compliance Manager; advanced features are E5-only.
⚡ Mini-quiz — Drill Entra ID, Zero Trust, the Defender XDR family, and Purview compliance tools.
Quick quiz →
06
Licensing, Pricing & Support
3 lessons · ~2h
Domain 4 (25–30%) decodes the Microsoft 365 plan jungle. This module separates Microsoft 365 from Office 365, walks the plan families and the E1/E3/E5 ladder, and covers how customers buy and get support — including FastTrack and Microsoft Unified.
Lesson 6.1 — Microsoft 365 vs Office 365 & Plan Families

Key Concepts

  • Microsoft 365 vs Office 365: Office 365 is just the productivity apps and cloud services. Microsoft 365 bundles Office 365 + Windows Enterprise + Enterprise Mobility & Security (which includes Intune). If a scenario involves managing Windows devices or Intune, it is Microsoft 365.
  • Business plans: For small and medium businesses up to 300 seats — Business Basic, Business Standard, Business Premium.
  • Enterprise plans: For organisations of any size with no seat cap — E1, E3, E5.
  • Education plans: A1, A3, A5 for schools and universities.
  • Frontline plans: F1 and F3 — discounted plans for shift and frontline workers who mainly need communication and lightweight apps.
The 300-seat ceiling is the giveaway: Business plans cap at 300 users, Enterprise plans (E1/E3/E5) do not. A growing company that crosses 300 seats must move to Enterprise.
Lesson 6.2 — The E1 / E3 / E5 Decoder

Key Concepts

  • E1: Cloud services only — Exchange, SharePoint, Teams via the web and mobile. No installable desktop Office apps.
  • E3: Everything in E1 plus installed desktop Office apps, core security and compliance, and Intune device management.
  • E5: Everything in E3 plus advanced security (full Defender XDR Plan 2), advanced compliance (Insider Risk, Communication Compliance, advanced eDiscovery), Power BI Pro, and Teams Phone.
  • Pick by feature: If a scenario needs Power BI Pro, Teams Phone, or advanced threat protection, the answer is almost always E5.
  • Business Premium: The SMB equivalent of "E3-plus-advanced-security" — full Office apps, Intune, and Defender, capped at 300 seats.
Memorise the ladder: E1 = web only; E3 = + desktop apps + Intune; E5 = + advanced security/compliance + Power BI Pro + Teams Phone. The exam's licensing questions almost always hinge on an E5-exclusive feature.
Lesson 6.3 — Buying, Billing & Support

Key Concepts

  • Billing options: Microsoft 365 is sold per user, billed monthly or annually; an annual commitment is cheaper per month than month-to-month.
  • Purchase channels: Customers buy directly from Microsoft or through a Cloud Solution Provider (CSP) partner that bundles management and support.
  • Add-ons: Capabilities like Microsoft 365 Copilot and Teams Phone are licensed as separate add-ons on top of a base plan.
  • FastTrack: A free onboarding and deployment-guidance benefit for eligible subscriptions of 150+ licences — it helps migrate and roll out services. It is not break-fix support.
  • Microsoft Unified support: A paid support offering (the successor to Premier Support) with proactive services and an account team — distinct from FastTrack.
A favourite exam trap: FastTrack vs support. FastTrack is free deployment guidance; Microsoft Unified is paid, reactive-plus-proactive support. They solve different problems.

💻 Scenario — choosing the right Microsoft support plan

Situation: The firm's Microsoft 365 environment went down for 4 hours on a Tuesday morning. They had no Microsoft support contract — just the default self-service portal. The CEO asks: "What support plan do we need so this never takes 4 hours to resolve again?"

Support tiers: Basic (included) = online self-service + billing support only; no technical cases. Developer = for dev environments, limited hours. Standard = business hours support, no SLA on response. Professional Direct = <1 hour response for critical issues, designated support manager, proactive services. Unified (enterprise) = 24/7, assigned Technical Account Manager, on-site support.

Answer for this firm: Professional Direct — critical issues get a sub-1-hour response, and the proactive monitoring catch problems before they become 4-hour outages. MS-900 expects you to recognise the tier names and their primary differentiators (response time, proactivity, TAM).

Key takeaways
  • Microsoft 365 = Office 365 + Windows Enterprise + EMS/Intune; Office 365 is just the apps and services. Business plans cap at 300 seats; Enterprise plans do not.
  • The ladder: E1 web-only → E3 adds desktop apps + Intune → E5 adds advanced security/compliance + Power BI Pro + Teams Phone.
  • FastTrack is free deployment guidance (150+ seats); Microsoft Unified is paid support — never confuse the two.
⚡ Mini-quiz — Drill M365 vs O365, the E1/E3/E5 ladder, and FastTrack vs Unified support.
Quick quiz →
Test your knowledge as you study 60 scenario-based questions covering all 4 MS-900 domains. Instant explanations for every answer.
Take the Quiz Podcast

Key Concepts to Master

Concept 1

Microsoft 365 vs Office 365

This trips up nearly everyone. Microsoft 365 bundles Windows 11 Enterprise + Enterprise Mobility & Security (EMS) + Office 365. So Microsoft 365 E3 = Office 365 E3 + Windows 11 Enterprise E3 + EMS E3. Office 365 alone is just the productivity apps and cloud services (Exchange, SharePoint, Teams) — no Windows license, no Intune. If a question mentions managing Windows devices or includes Intune, it's M365, not O365.

Concept 2

Microsoft 365 Plan Decoder

E1 = cloud services only, no installable Office apps (web/mobile only). E3 = E1 + installed Office apps + basic security/compliance + Intune. E5 = E3 + advanced security (full Defender XDR) + Power BI Pro + Teams Phone + advanced compliance (Insider Risk, Communication Compliance, Records Management). When a scenario needs Power BI Pro, Teams Phone, or advanced threat protection, the answer is almost always E5.

Concept 3

FastTrack is NOT Premier Support

FastTrack is a free migration and deployment guidance benefit included with eligible subscriptions of 150+ licenses — it helps you onboard, migrate mailboxes, and roll out services. It is not reactive break-fix support. Premier Support (now Microsoft Unified) is a paid plan with a Technical Account Manager (TAM) and 24/7 incident response. The exam loves to mix these up — read the question carefully.

4-Week Study Plan

Week 1
Cloud Concepts & Collaboration Services Complete Modules 1 and 2. Make sure you can articulate IaaS vs PaaS vs SaaS with examples (M365 = SaaS), the public/private/hybrid models, and the shared responsibility split. Then walk through Exchange, SharePoint, OneDrive, and Teams. Take the first 20 practice questions.
Week 2
Viva, Power Platform, Copilot & Devices Complete Modules 3 and 4. Memorize each Viva module's purpose (Connections = intranet, Engage = social, Insights = wellbeing, Learning = LMS, Topics = knowledge mining). Compare Windows 365 vs Azure Virtual Desktop side-by-side. Take 20 more practice questions.
Week 3
Identity & Security Deep Dive Complete Module 5 — the largest single domain. Learn Entra ID basics (formerly Azure AD), MFA, Conditional Access, Zero Trust principles, and the four Defender XDR pillars (Endpoint, Office 365, Identity, Cloud Apps). Review the Microsoft Learn MS-900 learning path for any gaps.
Week 4
Licensing, Support & Full Practice Complete Module 6. Memorize the E1/E3/E5 feature matrix (especially what is E5-exclusive: Defender XDR advanced, Power BI Pro, Teams Phone). Take the full 60-question practice test, review every wrong answer, and re-test until you score >85% consistently.

Top 4 Mistakes on the MS-900 Exam

Mixing up E3 vs E5 features E5 adds Defender XDR advanced capabilities (Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity), Power BI Pro, Teams Phone, and advanced compliance (Insider Risk Management, Communication Compliance, Records Management, Customer Lockbox). If the question mentions any of these, the answer is E5.
Confusing Windows 365 with Azure Virtual Desktop Windows 365 is a per-user Cloud PC with flat predictable pricing (SaaS) — fastest to provision, simplest to manage. Azure Virtual Desktop (AVD) uses Azure infrastructure pricing, supports multi-session Windows 10/11 Enterprise (multiple users on one VM), is more complex but far more flexible. SMB or simple? Windows 365. Cost-optimized, multi-user shared desktops? AVD.
Thinking Microsoft Entra ID is separate from Azure AD They are the same product. "Microsoft Entra ID" is the 2023 rebrand of "Azure Active Directory." The exam will use both names interchangeably — don't second-guess yourself when you see "Azure AD" in one question and "Entra ID" in the next. Same identity service, same features, same SKUs (P1, P2).
Confusing Viva Engage with Viva Connections Viva Engage is the social/community network (formerly Yammer) — discussion communities, storylines, leadership posts. Viva Connections is the intranet dashboard inside Microsoft Teams that surfaces SharePoint news, resources, and dashboard cards. One is social, one is intranet. The exam tests this distinction directly.

MS-900 vs AZ-900 — What's the Difference?

Many IT pros take both as complementary credentials. MS-900 is easier and more business-focused; AZ-900 is slightly more technical. There is no required order — pick whichever maps to your day job first.

MS-900 — M365 Fundamentals

  • Exchange Online, SharePoint, Teams
  • OneDrive for Business, Microsoft Loop
  • Intune MDM/MAM & Windows Autopilot
  • Microsoft Viva & Power Platform
  • Microsoft 365 Copilot
  • Defender XDR & Microsoft Purview
  • E1/E3/E5, Business Premium, F3 licensing
  • Focus: business productivity layer

AZ-900 — Azure Fundamentals

  • Azure Compute (VMs, Containers, Functions)
  • Azure Storage (Blob, Files, Queues)
  • Azure Networking (VNets, Load Balancer)
  • Azure AD / Entra ID identity
  • Azure Monitor & Cost Management
  • Azure Policy & Resource Manager
  • Azure pricing calculator & SLAs
  • Focus: cloud infrastructure layer

Related Certifications

AZ-900
Azure Fundamentals
Beginner · Microsoft
SC-900
Security & Compliance
Beginner · Microsoft
AZ-104
Azure Administrator
Intermediate · Microsoft
AZ-500
Azure Security Engineer
Advanced · Microsoft
Start practicing →