-->

1. M365 E3 License
2. M365 E3 Windows 10 Enterprise
3. M365 E3 Features

Follow the steps in this article to deploy Microsoft 365 Apps to client computers from a shared folder on your network by using the Office Deployment Tool (ODT).

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. Microsoft 365 for enterprise is designed for large organizations, but it can also be used for medium-sized and small businesses that need. Protection across the attack kill chain. This slide shows the real value of Microsoft 365 E5.

Before you begin

1. Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. Microsoft 365 for enterprise is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.
2. Office 365 E1 vs E3. Do you want to know when Office 365 E1 is sufficient and what the differences are with Office 365 E3? Check out this article where we go into the differences between the two. Microsoft 365 Business Premium vs Office E3. They look almost the same, but there is a huge price difference between these two plans.

Make sure your users have local admin privileges on their client devices. If that is not the case, then you should use your organization's standard deployment tools and processes to install Office.

If you haven't already, complete the assessment and planning phases for your Office deployment.

This article is intended for administrators in enterprise environments working with hundreds or thousands of computers. Ite. If you want to install Office on a single device or small number of devices, we recommend reviewing Download and install or reinstall Microsoft 365 or Office 2019 on a PC or Mac or Use the Office offline installer.

Best practices

The steps in this article are based on the following best practices, if you've chosen to deploy Semi-Annual Enterprise Channel:

• Manage updates to Office automatically, without any administrative overhead. For more details, see Choose how to manage updates. (If you want to manage updates from a local source, you need to change the configuration files. For more details, see configuring updates).
• Build two Office installation packages: One package uses Semi-Annual Enterprise Channel for 64-bit and the other uses Semi-Annual Enterprise Channel (Preview) for 64-bit. Each installation package includes all the core Office apps. If you want to deploy the 32-bit version of Office instead, you can select that option when creating the installation package. To deploy both versions, you create additional installation packages. For more details, see Define your source files.
• Deploy to two deployment groups: a pilot group that receives Semi-Annual Enterprise Channel (Preview) and a broad group that receives Semi-Annual Enterprise Channel. For more details, see Choose your update channels.

You can customize these options to match the requirements for your organization, including deploying to more than two groups, changing update channels, and deploying Visio and Project. For more details, see Customize your deployment.

Step 1: Create shared folders for Office installation files

Because you're deploying Microsoft 365 Apps from a local source, you have to create folders to store the Office installation files. You'll create one parent folder and two child folders, one for the pilot group, with the version of Office from Semi-Annual Enterprise Channel (Preview), and one for the broad group, with version of Office from Semi-Annual Enterprise Channel. This structure is similar to the one that the Office Content Delivery Network (CDN) uses.

1. Create the following folders:

   • ServerShareM365: Stores the ODT and the configuration files that define how to download and deploy Office.
   • ServerShareM365SECP: Stores the Microsoft 365 Apps installation files from Semi-Annual Enterprise Channel (Preview).
   • ServerShareM365SEC: Stores the Microsoft 365 Apps installation files from Semi-Annual Enterprise Channel.

These folders will include all the Office installation files you need to deploy.

M365 E3 License

2. Assign Read permissions for your users. Installing Office from a shared folder requires only that the user have Read permission for that folder, so you should assign Read permission to everyone. For details about how to create shared folders and assign permissions, see Shared Folders

Note

In this article, we have just one shared folder on the network, but many organizations make the Office installation files available from multiple locations. Using multiple locations can help improve availability and minimize the effect on network bandwidth. For example, if some of your users are located in a branch office, you can create a shared folder in the branch office. Those users can then install Office from the local network. You can use the Distributed File System (DFS) role service in Windows Server to create a network share that is replicated to multiple locations. For more information, see DFS Management.

Step 2: Download the Office Deployment Tool

Download the ODT from the Microsoft Download Center to ServerShareM365. If you've already downloaded the ODT, make sure you have the latest version.

After downloading the file, run the self-extracting executable file, which contains the ODT executable (setup.exe) and a sample configuration file (configuration.xml).

Step 3: Create a configuration file for the pilot group

To download and deploy Microsoft 365 Apps to the pilot group, you use a configuration file with the ODT. To create the configuration file, we recommend using the Office Customization Tool.

1. Go to Office Customization Tool and configure the desired settings for your Microsoft 365 Apps installation. We recommend the following options:

• Products: Microsoft 365 Apps. You can also include Visio and Project if you plan to deploy those apps.
• Update channel: Choose Semi-Annual Enterprise Channel (Preview) for the installation package for the pilot group
• Language: Include all the language packs you plan to deploy. We recommend selecting Match operating system to automatically install the same languages that are in use by the operating system and any user on the client device. We also recommend selecting Fallback to the CDN to use the Office CDN as a backup source for language packs.
• Installation: Select Local source, and type 'ServerShareM365SECP' for the source path. Office will be downloaded to and then installed from servershareM365SECP on your network
• Updates: To update your client devices automatically, choose CDN and Automatically check for updates.
• Upgrades: Choose to automatically remove all previous MSI versions of Office. You can also choose to install the same language as any removed MSI versions of Office, but make sure to include those languages in your installation package.
• Additional properties: To silently install Office for your users, choose Off for the Display level and On for the Automatically accept the EULA.
• Application preferences: Define any Office settings you want to enable, including VBA macro notifications, default file locations, and default file formats

2. When you complete the configuration, click Export in the upper right of the page, and then save the file as config-pilot-SECP.xml in the ServerShareM365 folder.

For more details on how to use the Office Customization Tool, see Overview of the Office Customization Tool. For more information about the configuration options, see Configuration options for the Office Deployment Tool.

Note that the Office installation files and Office updates will come from Semi-Annual Enterprise Channel (Preview). For more details on the most recent version of Office based on the different update channels, see Release information for updates to Microsoft 365 Apps.

Step 4: Create a configuration file for the broad group

Using the Office Customization Tool, create the configuration file for the broad group.

1. Go to Office Customization Tool and configure the desired settings for your Microsoft 365 Apps installation. We recommend matching the same options as the pilot group in Step 3, except for the following changes:

• Update channel: Choose Semi-Annual Enterprise Channel for the installation package for the pilot group
• Installation: Select Local source, and type 'ServerShareM365SEC' for the source path. Office will be downloaded to and then installed from servershareM365SEC on your network

2. When you complete the configuration, click Export in the upper right of the page, and then save the file as config-broad-SEC.xml in the ServerShareM365 folder.

This configuration file is used to download Office installation files and then deploy them to the broad group. The settings are exactly the same as the first configuration file, except the source path points to a different folder (SAC), and the update channel is set to Semi-Annual Enterprise Channel.

Step 5: Download the Office installation package for the pilot group

From a command prompt, run the ODT executable in download mode and with a reference to the configuration file for the pilot group:

servershareM365setup.exe /download servershareM365config-pilot-SECP.xml

The files should begin downloading immediately. After running the command, go to servershareM365SECP and look for an Office folder with the appropriate files in it.

Note that when you download Office to a folder that already contains that version of Office, the ODT will conserve your network bandwidth by downloading only the missing files. For example, if you use the ODT to download Office in English and German to a folder that already contains Office in English, only the German language pack will be downloaded.

If you run into problems, make sure you have the newest version of the ODT and make sure your configuration file and command reference the correct location. You can also troubleshoot issues by reviewing the log file in the %temp% folder.

Step 6: Download the Office installation package for the broad group

From a command prompt, run the ODT executable in download mode and with a reference to the configuration file for the broad group:

servershareM365setup.exe /download servershareM365config-broad-SEC.xml

The files should begin downloading immediately. After running the command, go to servershareM365SEC and look for an Office folder with the appropriate files in it.

Step 7: Deploy Office to the pilot group

To deploy Office, we'll provide commands that users can run from their client computers. The commands run the ODT in configure mode and with a reference to the appropriate configuration file, which defines which version of Office to install on the client computer. Users who run these commands must have local admin privileges on their computer and must have read permissions to the share (servershareM365).

From the client computers for the pilot group, run the following command from a command prompt with admin privileges:

ServerShareM365setup.exe /configure ServerShareM365config-pilot-SECP.xml

Note

Most organizations will use this command as part of a batch file, script, or other process that automates the deployment. In those cases, you can run the script under elevated permissions, so the users will not need to have admin privileges on their computers.

Download natalie dylan update free. After running the command, the Office installation should start immediately. If you run into problems, make sure you have the newest version of the ODT and make sure your configuration file and command reference the correct location. You can also troubleshoot issues by reviewing the log file in the %temp% folder.

After Office has deployed to the pilot group, test Office in your environment, particularly with your hardware and device drivers. For more details, see Choose your update channels.

Step 8: Deploy Office to the broad group

After you've finished testing Office with the pilot group, you can deploy it to the broad group. To do so, run the following command from a command prompt with admin privileges:

ServerShareM365setup.exe /configure ServerShareM365config-broad-SEC.xml

This command is the same as the pilot group, except that it references the configuration file for the broad group.

After running the command, the Office installation should start immediately.

Customize your deployment

The steps in this article cover the standard best practice recommendations from Microsoft, if you've chosen to deploy Semi-Annual Enterprise Channel. This section covers the most common customizations to these best practices.

Build and deploy multiple packages to multiple deployment groups

If you want to deploy both the 32-bit and the 64-bit version of Office, you can create additional installation packages. (Two different architectures cannot be included in the same package.) For more details, see Define your source files.

Use different update channels for Office

With Microsoft 365 Apps, you can control how frequently your users receive feature updates to their Office applications. To do so, you choose an update channel for your users. For more information, see Overview of update channels for Microsoft 365 Apps.

In this article, we're using Semi-Annual Enterprise Channel (Preview) for your pilot group and Semi-Annual Enterprise Channel for the rest of your organization. You can, however, choose to deploy Current Channel, which provides users with the newest features of Office as soon as they're ready. In that scenario, you'd deploy Current Channel (Preview) to your pilot group.

A single Office installation package can only include one type of update channel, so each new update channel requires an additional package.

Deploy Visio and Project alongside the core Office apps

To deploy Visio and Project with Microsoft 365 Apps, you can include them as part of the Office application when building it in Configuration Manager. For more details on licensing and system requirements, see Deployment guide for Visio and Deployment guide for Project.

M365 E3 Windows 10 Enterprise

Related topics

-->

To protect user accounts in your organization, multi-factor authentication should be used. This feature is especially important for accounts that have privileged access to resources. Basic multi-factor authentication features are available to Microsoft 365 and Azure Active Directory (Azure AD) administrators for no extra cost. If you want to upgrade the features for your admins or extend multi-factor authentication to the rest of your users, you can purchase Azure AD Multi-Factor Authentication in several ways.

Important

This article details the different ways that Azure AD Multi-Factor Authentication can be licensed and used. For specific details about pricing and billing, see the Azure AD Multi-Factor Authentication pricing page.

Available versions of Azure AD Multi-Factor Authentication

Azure AD Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your organization's needs. You may already be entitled to use Azure AD Multi-Factor Authentication depending on the Azure AD, EMS, or Microsoft 365 license you currently have. The following table details the different ways to get Azure AD Multi-Factor Authentication and some of the features and use cases for each.

M365 E3 Features

If you're a user of	Capabilities and use cases
Microsoft 365 Business Premium and EMS or Microsoft 365 E3 and E5	EMS E3, Microsoft 365 E3, and Microsoft 365 Business Premium includes Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users.
Azure AD Premium P1	You can use Azure AD Conditional Access to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements.
Azure AD Premium P2	Provides the strongest security position and improved user experience. Adds risk-based Conditional Access to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts.
All Microsoft 365 plans	Azure AD Multi-Factor Authentication can be enabled on a per-user basis, or enabled or disabled for all users using security defaults. Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see secure Microsoft 365 resources with multi-factor authentication.
Azure AD free	You can use security defaults to enable multi-factor authentication for all users. You don't have granular control of enabled users or scenarios, but it does provide that additional security step. Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the Azure AD Global Administrator role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication.

Feature comparison of versions

The following table provides a list of the features that are available in the various versions of Azure AD Multi-Factor Authentication. Plan out your needs for securing user authentication, then determine which approach meets those requirements. For example, although Azure AD Free provides security defaults that provide Azure AD Multi-Factor Authentication, only the mobile authenticator app can be used for the authentication prompt, not a phone call or SMS. This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device.

Feature	Azure AD Free - Security defaults	Azure AD Free - Azure AD Global Administrators	Microsoft 365 apps	Azure AD Premium P1 or P2
Protect Azure AD tenant admin accounts with MFA	●	● (Azure AD Global Administrator accounts only)	●	●
Mobile app as a second factor	●	●	●	●
Phone call as a second factor	●	●	●
SMS as a second factor	●	●	●
Admin control over verification methods	●	●	●
Fraud alert	●
MFA Reports	●
Custom greetings for phone calls	●
Custom caller ID for phone calls	●
Trusted IPs	●
Remember MFA for trusted devices	●	●	●
MFA for on-premises applications	●

Purchase and enable Azure AD Multi-Factor Authentication

To use Azure AD Multi-Factor Authentication, register for or purchase an eligible Azure AD tier. Azure AD comes in four editions — Free, Microsoft 365 apps, Premium P1, and Premium P2.

The Free edition is included with an Azure subscription. See the section below for information on how to use security defaults or protect accounts with the Azure AD Global Administrator role.

The Azure AD Premium editions are available through your Microsoft representative, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Microsoft 365 subscribers can also buy Azure Active Directory Premium P1 and P2 online. Sign in to purchase.

After you have purchased the required Azure AD tier, plan and deploy Azure AD Multi-Factor Authentication.

Azure AD Free tier

All users in an Azure AD Free tenant can use Azure AD Multi-Factor Authentication through the use of security defaults. The mobile authentication app is the only method that can be used for Azure AD Multi-Factor Authentication when using Azure AD Free security defaults.

If you don't want to enable Azure AD Multi-Factor Authentication for all users, you can instead choose to only protect user accounts with the Azure AD Global Administrator role. This approach provides additional authentication prompts for critical administrator accounts. You enable Azure AD Multi-Factor Authentication in one of the following ways, depending on the type of account you use:

• If you use a Microsoft Account, register for multi-factor authentication.
• If you aren't using a Microsoft Account, turn on multi-factor authentication for a user or group in Azure AD.

Next steps

• For more information on costs, see Azure AD Multi-Factor Authentication pricing.