HomeMy WebLinkAbout25984AGREEMENT INFORMATION
AGREEMENT NUMBER
25984
NAME/TYPE OF AGREEMENT
MICROSOFT
DESCRIPTION
MASTER SERVICES AGREEMENT/UNIFIED SUPPORT
SERVICES/MATTER ID: 26-53
EFFECTIVE DATE
ATTESTED BY
TODD B. HANNON
ATTESTED DATE
2/20/2026
DATE RECEIVED FROM ISSUING
DEPT.
2/24/2026
NOTE
DOCUSIGN AGREEMENT BY EMAIL
CITY OF MIAMI
DOCUMENT ROUTING FORM
ORIGINATING DEPARTMENT: Department of Innovation & Technology (DolT)
DEPT. CONTACT PERSON: Arturo Duque EXT. 1018 / MS Team
NAME OF CONTRACTUAL PARTY/ENTITY:
IS THIS AGREEMENT TO BE EXPEDITED/RUSH
TOTAL CONTRACT AMOUNT: $ 498,726.84 FUNDING INVOLVED? DYES ONO
TYPE OF AGREEMENT:
❑ MANAGEMENT AGREEMENT
❑ PROFESSIONAL SERVICES AGREEMENT
❑ GRANT AGREEMENT
❑ EXPERT CONSULTANT AGREEMENT
❑ LICENSE AGREEMENT
OTHER: (PLEASE SPECIFY:
❑■ YES NO
❑ PUBLIC WORKS AGREEMENT
❑ MAINTENANCE AGREEMENT
❑ INTER -LOCAL AGREEMENT
❑ LEASE AGREEMENT
❑ PURCHASE OR SALE AGREEMENT
PURPOSE OF ITEM (DETAILED SUMMARY/ADD ADDITIONAL PAGES IF NECESSARY)
To review the FY25-2026 Microsoft Unified Support Services Agreement. This is submitted every year for
approval. LSR # 03548 [26-53].
COMMISSION APPROVAL DATE: / /
FILE ID: 03548[26-5:. ENACTMENT NO:
IF THIS DOES NOT REQUIRE COMMISSION APPROVAL, PLEASE EXPLAIN:
ROUTING INFORMATION
Date
PLEASE PRINT AND SIGN
APPROVAL BY DEPARTMENTAL DIRECTOR
2/4/2026
PRINT: ARTURO DUQUE
moo s,g. ae„
SIGNATURE: Qv}uro Oulu-
.— EFL._
SUBMITTED TO RISK MANAGEMENT
2/4/26
PRINT: DAVID RUIZ
—oocs,9.ed by
SIGNATURE: zrwnl G81"1")
SUBMITTED TO CITY ATTORNEY
2/9/2026
PRINT: GEORGE K. WYSONG III
moo s9.aer
SIGNATURE: G,oroc, U9ot,.1 III
‘-8877eHFE88248B..
ID No.
03548 [26-53]
APPROVAL BY ASSISTANT CITY MANAGER
2/17/26
PRINT: BARBARA HERNANDEZ
SIGNATURE boufigo a (kwua d-v)
APPROVAL BY DEPUTY CITY MANAGER
02/19/26
PRINT: NATASHA COLEBROOK-WILLIAMS
moo s9. aer
SIGNATURE: Nei coe -Watt .,,.4
84870.75D EAn,8_.
RECEIVED BY CITY MANAGER
02/20/26
PRINT: JAMES REYES
W
Signed b
SIGNATURE:
SUBMITTED TO THE CITY CLERK
PRINT: TODD B. HANNON
SIGNATURE: r,L:_-____ _,
PLEASE ATTACH THIS ROUTING FORM TO ALL DOCUMENTS THAT REQUIRE
EXECUTION BY THE CITY MANAGER
Microsoft Enterprise Services Work Order
Work Order Number
(Microsoft Affiliate to complete)
11 Microsoft
GVS02601-1035145-1035145
This Work Order consists of the terms and conditions below, and the provisions of the Microsoft
Master Services Agreement reference U5222173 , effective as of 1/13/2017 (the "Agreement"),
the provisions of the Description of Services applicable to the Professional Services identified in
this Work Order, and any attachments or exhibits referenced in this Work Order, all of which are
incorporated herein by this reference. In this Work Order "Customer," "you," or "your" means the
undersigned customer or its affiliate and "Microsoft", "we," "us," or "our" means the undersigned
Microsoft affiliate.
By signing below the parties acknowledge and agree to be bound to the terms of this Work Order,
the Agreement and all other provisions incorporated in them. This Work Order is effective as of
the date that Microsoft signs this Work Order. Regardless of any terms and conditions contained
in a purchase order, if any, the terms of this Work Order apply.
ATTEST:
DocuSigned by:
BY: F46D7560FIC F1459
Todd B. Hannon
City Clerk
Signed by:
THE CITY OF MIAMI, A MUNICIPAL
CORPORATION OF THE STATE OF
FLORIDA
Signed by:
C
BY: AFRC:256F2C6A47R
James Reyes
City Manager
APPROVED AS TO LEGAL FORM AND APPROVED AS TO INSURANCE
CORRECTNESS:
DocuSigned by:
[l L sain.� I l l
BY: 8R776F9FFRR248P,
George K. Wysong III
City Attorney
REQUIREMENTS:
,-DocuSigned by:
BY: \--27395C6318214E7...
David Ruiz
Interim Director of Risk Management
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 1 of 12
11 Microsoft
Customer
Name of Customer (please print)
City of Miami, Florida
Signature
Signed by:
CA68C256F2C6A478...
Name of person signing (please print)
James Reyes
Title of person signing (please print)
City Manager
Signature date
February 20, 2026 1 14:55:07 EST
Name of Customer or its Affiliate that executed the Agreement (if different from
Customer above)
Microsoft Affiliate
Name
Microsoft Corporation
Signature
Signed by:
a,Vu j, 6/A1 t has
4D1 A38D248EC4FC..
Name of person signing (please print)
David Karalekas
Title of person signing (please print)
Account Executive
Signature date (effective date)
February 4, 2026 1 13:18:30 CST
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(Ju12022)
Page 2 of 12
NE Microsoft
Does Customer issue or require a Customer purchase order for the payment of Microsoft
Services? [X] Yes or ❑No
If "No" is selected above, Customer represents and warrants that it does not require purchase
order(s) be submitted to Microsoft for payment of the Microsoft Services Fees listed herein.
Customer will not withhold payment of Microsoft's invoice due to the absence of a purchase
order reference.
If no purchase order is required, Customer must complete "Customer invoice information"
below and ensure it is accurate or revised in a timely manner. Further, the below "Customer
invoice information" must be completed prior to: (a) Customer signing this Work Order; and (b)
Microsoft invoicing Customer.
Customer invoice information
Name of Customer
City of Miami - Finance - General
Accounting
Contact Name (Receives invoices under this Work Order)
Arturo Duque
Street Address
444 SW 2nd Ave 6th Floor
Contact E-Mail Address
aduque@miamigov.com
payables@miamigov.com
City
MIAMI
State/Province
Florida
Phone
Country
United States
Postal Code
33130-1910
Fax
Support Services and Fees
Term.
Microsoft Enterprise Support Services will commence on 1/13/2026 (the "Support
Commencement Date") and will expire on 1/12/2027 (the "Support Expiration Date").
Description of Services.
Please refer to the current Unified Support Services Description ("USSD") which will be
incorporated by reference and is published by Microsoft from time to time at
www.microsoft.com/unified-support-services-description. Microsoft may update the support
services you purchase under this agreement from time to time, provided that the level of support
services you purchase will not materially decrease during the current Term.
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(Jul2022) Page 3 of 12
L. Microsoft
services ay Support
Location:
Unified Enterprise
1 /12/2027
Quantity
Support - 2026-27 USA - SLG - Enterprise East
Service
1/13/2026 -
Service Type
Included
Enterprise Advisory Support Hours As -needed
Advisory Services
Included
Enterprise Azure Problem Resolution Hours As-
needed
Problem Resolution
Support
Included
Enterprise On -demand Assessment
On -Demand Assessment
Included
Enterprise On -Demand Education
On -Demand Education
Included
Enterprise Online Support Portal
Administrative
Included
Enterprise Problem Resolution Hours As -needed
Problem Resolution
Support
Included
Enterprise Reactive Support Management
Service Delivery
Management
Included
Enterprise Service Delivery Management
Service Delivery
Management
Included
Enterprise Webcasts As -Needed
Webcast
Included
Reactive Enabled Contacts
Problem Resolution
Support
1 ea
On -Demand Assessment - Setup and Config
Service As -needed
On -Demand Assessment
Remote
Enhanced Designated Engineering 1 Security EDE - 2026-27 USA - SLG - Enterprise
East 1/13/2026 - 1/12/2027
Quantity Service
Service Type
200 hr
Enhanced Designated Engineering Security Zero
Trust
Designated Support
Engineering
Included
Service Delivery Management Extended
Service Delivery
Management
Enhanced Security 1 Cybersecurity Incident Response - 2026-27 USA - SLG - Enterprise
East 1/13/2026 - 1/12/2027
Quantity Service
Service Type
Included
Service Delivery Management Extended
Service Delivery
Management
150 hr
Cybersecurity Incident Response Service
Security Services
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022)
Page 4 of 12
L. Microsoft
Enhanced Designated Engineering I Copilot for Microsoft 365 - 2026-27
Enterprise East 1/13/2026 - 1/12/2027
Quantity Service
USA -SLG-
Service Type
200 hr
Enhanced Designated Engineering Copilot for
Microsoft 365
Designated Support
Engineering
Included
Service Delivery Management Extended
Service Delivery
Management
Proactive Credit Add -On - 2026-27 USA - SLG - Enterprise East 1/13/2026 -
1 /12/2027
Quantity Service Service Type
400 ea I Proactive Credits
IProactive Credits
Enhanced Designated Engineering I Azure IaaS - 2026-27 USA - SLG - Enterprise
East 1/13/2026 - 1/12/2027
Quantity Service
Service Type
Included
Service Delivery Management Extended
Service Delivery
Management
200 hr
Enhanced Designated Engineering Azure IaaS
Designated Support
Engineering
Support Services Fees.
The items listed in the table above represent the services that Customer has pre -purchased for
use during the term of this Work Order, and applicable fees are shown in the table below.
Microsoft Support Services are a non-refundable, prepaid service.
Before Microsoft commences or continues provision of Microsoft Support Services, Microsoft
must receive a signed copy of this Work Order and Customer's payment, purchase order or, if
applicable, completed Customer invoice information above. Microsoft will invoice Customer, and
Customer agrees to pay Microsoft within 45 calendar days of the date of Microsoft invoice.
Microsoft reserves the right to adjust Microsoft fees prior to entering into any changes to the
Microsoft Support Services ordered herein.
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 5 of 12
L. Microsoft
Services Summary
Unified Enterprise Support - 2026-27
Billing Date
(M/d/yyyy)
1/13/2026
Fee USD
IL
280,806.86
Enhanced Designated Engineering I Security EDE -
2026-27
1/13/2026
77,020.00
Enhanced Security I Cybersecurity Incident
Response - 2026-27
1/13/2026
94,515.00
Enhanced Designated Engineering I Copilot for
Microsoft 365 - 2026-27
1/13/2026
77,020.00
Proactive Credit Add -On - 2026-27
1/13/2026
40,000.00
Enhanced Designated Engineering I Azure laaS -
2026-27
1/13/2026
77,020.00
Subtotal
646,381.86
Other Adjustments
(91,493.65)
Flex Allowance
(56,161.37)
Total Fees (excluding taxes)
$498,726.84
Bng Schedule
Billing Date Fee USD
(M/d/yyyy)
Payment
Total Fees (excluding taxes)
1/13/2026
498,726.84
$498,726.84
Cybersecurity Incident Response Services Fees.
The Cybersecurity Incident Response Services hours listed in the table below are the services that
Customer agrees to pay up front for use during the term of the Cybersecurity Incident Response
Services. Accordingly, Customer agrees to pay up front in full the Total Estimated Fees shown in
the table below for the Cybersecurity Incident Response Services. All fees paid up front are non-
refundable. Any Cybersecurity Incident Response Services hours not consumed prior to the
Cybersecurity Incident Response Services Expiration Date will be forfeited. The Total Estimated
Fees do not include fees for Products. Customer will pay Microsoft within 45 calendar days of the
date of Microsoft invoice.
Service Delivery Management Hours
Cybersecurity Incident Response Service
15 hr
150 hr
1/13/2026
1/13/2026
$4, 515.00
$90,000.00
Total Fees (excluding taxes)
$94,515.00
Cybersecurity Incident Response Services Fees will not exceed the Total Estimated Fees indicated
in the table above without prior approval from Customer and a mutually acceptable amendment
to this Work Order. In the event that such approval must be sought, but is not provided,
notwithstanding anything to the contrary, Customer acknowledges and agrees that Microsoft has
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 6 of 12
NE Microsoft
no further obligation to continue providing Cybersecurity Incident Response Services.
Support for Microsoft Products
Microsoft will provide support for Customer's licensed, commercially released, and generally
available Microsoft products, and cloud services subscriptions purchased by Customer or
Customer's Affiliate: i) under the licensing enrollments and agreements, as indicated in Appendix
A; and ii) during the Term of this Work Order. Such products and subscriptions exclude those
purchased by any party that is not Customer's Affiliate as of the Support Commencement Date.
Customer Named Contact(s).
Any changes to the named contacts should be submitted to Microsoft Contact.
Name of Customer Support Service Administrator
Arturo Duque
Street Address
Contact E-Mail Address
444 SW 2nd Ave
aduque@miamigov.com
City
State/Province
Phone
MIAMI
FL
305 416-1701
Country
Postal Code
Fax
United States
33130
Unforeseen Circumstances. In the event of unforeseen circumstances resulting from causes
beyond Microsoft's commercially reasonable control, Microsoft will not be responsible for any
delay or inability to perform Cybersecurity Incident Response Services.
Public Statements. Customer is not permitted to make any public statements identifying or
regarding Microsoft, its Affiliates, or its contractors/subcontractors in relation to the Event or the
services, findings, Services Deliverables, or other information provided under this Work Order
without its express prior written consent.
Use, ownership, restrictions and rights.
Products.
"Product" means all products identified in the Product Terms, such as all Software, Online Services
and other web -based services, including pre-release or beta versions. Product availability may
vary by region. "Product Terms" means the information about Microsoft Products and Professional
Services available through volume licensing. The Product Terms are published on the Volume
Licensing Site and is updated from time to time. "Volume Licensing Site" means
http://www.microsoft.com/licensing/contracts or a successor site.
All products and related solutions provided under this Work Order will be licensed according to
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(Jul2022) Page 7 of 12
EN Microsoft
the terms of the license agreement packaged with or otherwise applicable to such product.
Customer is responsible for paying any licensing fees associated with Products.
Fixes.
"Fixes" means Product fixes, modifications, enhancements, or their derivatives, that Microsoft
either releases generally (such as service packs), or that Microsoft provides to Customer when
performing Professional Services (all support, planning, consulting and other professional services
or advice, including any resulting deliverables provided to Customer under this Work Order, to
address a specific issue. "Professional Services" means Product support services and Microsoft
consulting services provided to Customer under this Work Order. "Professional Services" or
"services" does not include Online Services, unless specifically noted.
Fixes are licensed according to the license terms applicable to the Product to which those Fixes
relate. If the Fixes are not provided for a specific Product, any other use terms Microsoft provides
with the Fixes will apply.
Pre-existing Work.
"Pre-existing Work" means any computer code or other written materials developed or otherwise
obtained independent of this Work Order.
All rights in Pre-existing Work shall remain the sole property of the party providing the Pre-
existing Work. Each party may use, reproduce and modify the other party's Pre-existing Work only
as needed to perform obligations related to Professional Services.
Services Deliverables.
"Services Deliverables" means any computer code or materials, other than Products or Fixes that
Microsoft leaves with Customer at the conclusion of Microsoft's performance of Professional
Services. Upon payment in full for the Professional Services, Microsoft grants Customer a non-
exclusive, non -transferable perpetual, fully paid -up license to reproduce, use and modify the
Services Deliverable, solely in the form delivered to Customer and solely for Customer's internal
business purposes, subject to the terms and conditions of this Work Order.
Non -Microsoft software and technology.
Customer is solely responsible for any non -Microsoft software or technology that it installs or uses
with the Products, Fixes, or Services Deliverables.
Affiliates' rights
"Affiliate" means any legal entity that controls, is controlled by, or that is under common control
with a party. "Control" means ownership of more than a 50% interest of voting securities in an
entity or the power to direct the management and policies of an entity.
Customer may sublicense the rights contained in this section relating to Services Deliverables to
its Affiliates, but Customer's Affiliates may not sublicense these rights and Customer's Affiliates'
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 8 of 12
El Microsoft
use must be consistent with the license terms contained in this Work Order.
Restrictions on use.
Customer must not (and is not licensed to) (1) reverse engineer, decompile or disassemble any
Product, Fix, or Services Deliverable; (2) install or use non -Microsoft software or technology in any
way that would subject Microsoft's intellectual property or technology to any other license terms;
or (3) work around any technical limitations in a Product, Fix or Services Deliverable or restrictions
in Product documentation. Except as expressly permitted in this Work Order or Product
documentation, Customer must not (and is not licensed to) (1) separate and run parts of a Product
or Fix on more than one device, upgrade or downgrade parts of a Product or Fix at different times,
or transfer parts of a Product or Fix separately; or (2) distribute, sublicense, rent, lease, lend any
Products, Fixes, or Services Deliverables, in whole or in part, or use them to offer hosting services
to a third party.
Reservation of rights.
Products, Fixes, and Services Deliverables are protected by copyright and other intellectual
property rights laws and international treaties. Microsoft reserves all rights not expressly granted
in this agreement. No rights will be granted or implied by waiver or estoppel. Rights to access or
use Software on a device do not give Customer any right to implement Microsoft patents or other
Microsoft intellectual property in the device itself or in any other software or devices.
Microsoft Professional Services Data Protection Addendum and
Confidentiality.
"Professional Services Data" means all data, including all text, sound, video, image files, or
software, that are provided to Microsoft by, or on behalf of, Customer (or that Customer
authorizes Microsoft to obtain from an Online Service) or otherwise obtained or processed by or
on behalf of Microsoft through an engagement with Microsoft to obtain Professional Services.
The data protection terms applying to Professional Services in effect on the effective date of this
Work Order and available at https://aka.ms/eswodpa are incorporated herein by this reference.
For liability arising out of either party's confidentiality obligations relating to Professional Services
Data provided under this Work Order, each party's maximum, aggregate liability to the other is
limited to direct damages finally awarded in an amount not to exceed the amounts Customer paid
for the applicable Professional Services under this Work Order.
Confidentiality and Privacy.
The Parties recognize that this Agreement is a binding agreement and a public contract, subject
to all applicable State of Florida public records laws, to include but not limited to Chapter 119,
Florida Statutes; provided, however, should Microsoft believe that a specific exemption applies
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 9 of 12
LE Microsoft
to any information provided by Microsoft to the City of Miami as Customer, then Microsoft at
its option and at no costs to the City, may proceed to court in the U.S. District Court for the
Southern District of Florida, Miami Division, to obtain declaratory judgment regarding the
applicability of said specific exemption from public records laws. All Parties to this Agreement
will agree to protect clearly marked Confidential Information of one another in a reasonable
and appropriate manner, and will use clearly marked Confidential Information only to perform
its obligations under this Agreement and for no other purpose. This will not apply to
information which is publicly known, already known to the recipient, lawfully disclosed by a
third party, independently developed, disclosed pursuant to legal requirement or order, or
items that are subject to public records access laws.
IF MICROSOFT HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER 119,
FLORIDA STATUTES, TO ANY DUTY TO PROVIDE PUBLIC RECORDS RELATING TO THIS
AGREEMENT AS A PUBLIC CONTRACT, PLEASE CONTACT THE CITY'S CUSTODIAN OF
PUBLIC RECORDS AT TELEPHONE NUMBER 305-416-1800, EMAIL:
PUBLICRECORDS@MIAMIGOV.COM, AND MAILING ADDRESS: PUBLIC RECORDS C/O
OFFICE OF THE CITY ATTORNEY, 9TH FLOOR, MIAMI RIVERSIDE CENTER, 444 S.W. 2ND
AVENUE, MIAMI, FLORIDA 33130 OR THE CITY'S CONTACT REPRESENTATIVE AS
CUSTODIAN OF RECORDS FOR THIS AGREEMENT AT TELEPHONE NUMBER 305-416-
1701, EMAIL GCHOW@MIAMIGOV.COM AND MAILING ADDRESS MIAMI RIVERSIDE
CENTER, 444 S.W. 2ND AVENUE, 5TH FLOOR, MIAMI, FLORIDA 33130.
Counterparts; Electronic Signatures.
This Agreement and any amendments hereto may be executed in several counterparts, and all
or any of such counterparts taken together shall be deemed to constitute one and the same
instrument. An executed facsimile or electronic scanned copy of this Agreement shall have the
same force and effect as an original. The Parties shall be entitled to sign and transmit an
electronic signature on this Agreement (whether by facsimile, PDF, or other email transmission),
which signature shall be binding on the Party whose name is contained therein. Any Party
providing an electronic signature agrees to promptly execute and deliver to the other Party an
original signed Agreement upon written request.
Attachments.
The following documents are attached at the execution of this Work Order:
0 Exhibit: UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025).docx
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 10 of 12
Microsoft Contact
Customer contact for questions and notices about this Work Order.
Microsoft Contact Name
David Karalekas
Phone
Contact E-Mail Address
r Microsoft
David.Karalekas@microsoft.com
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(Jul2022) Page 11 of 12
mu Microsoft
Appendix A
As of the Support Commencement Date, below is a list of your declared licensing enrollments
and agreements for which Microsoft will provide support services as defined within this Work
Order.
Customer Name
Licensing Program
Licensing Enrollment/Agreement
Number/Billing Account ID
CITY OF MIAMI POLICE
Enterprise 6
57150184
CITY OF MIAMI POLICE-
57150184-COM POLICE
AZURE MAC
Enterprise 6
6832951
CITY OF MIAMI, FL-58306110-
CITY OF MIAMI POLICE
Enterprise 6
6959310
CITY OF MIAMI, FL
Enterprise 6
58306110
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(JuI2022) Page 12 of 12
Microsoft Support Services Exhibit
Cybersecurity Incident Response Services
Enterprise Services Work Order
GV502601-1035145-1035145
This Exhibit is made pursuant to the Microsoft Enterprise Services Work Order identified above
("Work Order"). The terms of the Unified Support Services Description ("USSD") and Work Order
are incorporated herein by this reference. Any terms not otherwise defined herein will assume the
meanings set forth in the USSD and Work Order.
The term of the Cybersecurity Incident Response Services will commence on 1/13/2026
("Cybersecurity Incident Response Services Start Date") and will expire on 1/12/2027
("Cybersecurity Incident Response Services Expiration Date")
1 Overview and scope of coverage
Customer is entitled to the below specialized cybersecurity-related assistance with the purchase
of Microsoft Cybersecurity Incident Response ("MSCIR").
1.1 Onboarding
MSCIR services will be provided by a team of Microsoft support resources that may include:
A Unified Support Customer Support Account Manager ("CSAM").
Microsoft support engineers with security expertise.
Microsoft engineers from the Microsoft Incident Response ("MSIR") team with deep
knowledge of cybersecurity incident response.
Microsoft Security Cloud Solution Architects ("CSA"s) with specialized skills to augment the
MSIR team.
Additional Microsoft security experts, at the discretion of the MSIR team.
How to Engage for a Cyber-attack incident:
• Open a reactive support case, as outlined in the USSD, noting a potential
security incident. Initial investigation will be performed, and the MSIR team will be
engaged when deeper investigation and/or containment measures are warranted.
• Standard expected response times apply for all reactive support cases.
How to Engage for pre -incident MSCIR services:
• Contact the CSAM to scope and schedule pre -incident MSCIR services.
1.2 Incident Response Services
Services Within Scope
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025) Page 1 of 7
Pre -Incident Services
Areas within scope
Description
• Threat Briefing
• Tabletop Enhanced (Premium)
• Proactive Identity Assessment
• Proactive Identity Hardening
• Compromise Assessment
Highly specialized Microsoft Security
researchers provide tailored threat intelligence
advisory services, enhancing defense strategy
with customized threat intelligence informed
by industry -specific threats.
Helps identify potential gaps in incident
response plan and improves collective
decision -making during incidents. Customer's
team will walk through security events,
providing evidence to Microsoft engineers
who will guide and help evaluate Customer's
ability to identify and respond to each
scenario. Includes collaborative exercise
guiding participants through simulated
incident scenarios.
Helps to protect from targeted attacks by
sophisticated adversaries and criminal
organizations, offering a thorough evaluation
of Control Plane, pinpointing critical security
risks and providing actionable
recommendations.
Utilizes automation to deploy Secure
Keyboard, including Conditional Access
Policies, required Groups, Break Glass
Accounts, Intune Policies and AutoPilot.
Includes the continued deployment of the
tiering model, onboarding one workload to
Tier 1. Optional security assessment of Entra
ID, discussions on recommended practices for
MDE, MDI and MDC. Also initiates Laps
implementation.
Highly specialized Microsoft resources
providing remote analysis, effectively serving
as an incident response prior to an actual
emergency. Assessment will provide the
findings that identify systems that may be
compromised or vulnerable, along with
recommendations to guide Customer on
taking proactive measures to improve security
posture.
On -Premises System Investigation
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025)
Page 2 of 7
Areas within scope
Description
• Investigation of Windows environments,
including:
o Workstations
o Member servers
o Domain controllers
• Investigation of Linux environments within the
supported distributions/versions.
• Microsoft Entra ID & 0365 Investigation:
o Microsoft will assist with assessment of
Microsoft Entra ID/Office 365 environments,
including:
■ 0365 tenant(s)
■ Microsoft Entra ID (AAD)
• The assessment provides:
o Threat hunt and forensic analysis of
machines of interest.
o Reverse engineering of suspicious files.
o Security configuration assessment of
Active Directory/Microsoft Entra ID.
o Analysis /remediation of supported
endpoints
• Linux endpoints may be in scope for
cybersecurity Incident Response
engagements, but in a limited format. In -
scope, non -Windows operating systems
may include, but are not limited to:
o Red Hat —Red Hat Enterprise Linux
(RHEL), Fedora, Cent0S, Alma Linux,
and Oracle Linux.
o Debian—Debian, Ubuntu, Mint OS,
and Kali.
o SUSE—openSUSE, SUSE Linux
enterprise desktop (SLED), and SUSE
Linux Enterprise Server (SLES).
Investigation of MacOS systems, where
Defender for Endpoint (MDE) can be
deployed
Note that compatibility with Microsoft security
technologies may be dependent on kernel
version. Previous kernel versions may be
supported on a commercially reasonable effort
basis.
• Out -of -scope operating systems include
(but are not limited to):
o Custom Linux kernels
o BSD
• Assessment provides:
o Investigation of suspected identities
and potentially compromised accounts
o Investigation of key data points across
0365 services
o Security components assessment of
0365 Architecture
o Risk management recommendations
to protect 0365 services
o Custom threat profile of high -risk
users
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025)
Page 3 of 7
• Tactical Recovery & Containment: • Includes support for.
o Assistance in containing and recovering o Restoration and hardening of critical
from a security incident. Tier 0 assets, such as Microsoft Entra
ID, HyperV, Windows Server Update
Services (WSUS), Active Directory
Federation Services (AD FS), and Active
Directory Certificate Services (AD CS).
o Hardening of key cloud services
related to the protection of attack
paths frequently used by Threat Actors
in products such as Exchange Online
Protection (EOP), Defender for Office
365 (MDO), Microsoft Entra ID and it's
associated sub -services.
o Regain control of the Customer's
Microsoft identity by disrupting the
attacker's activity. This may be
achieved through a combination of
actions including: close the Command -
and -Control (C2) channels, harden
identity, endpoints, and servers, isolate
and rebuild planning and support or
guidance of compromised systems.
1.3 Services Out of Scope — Incident Response
Anything not explicitly listed in "Areas Within Scope/Description" is out of scope for this service,
including but not limited to the following:
• Analysis of Networking equipment
• Comprehensive analysis of endpoints running legacy (unsupported) operating systems
• Data migration activities
• Provision of formal training
• Decryption support for encrypted files or hosts
• Investigation, validation, or remediation of individual security alerts or indicators of
compromise outside of active incident response engagement
• Constant, or continuous, security monitoring after the engagement has concluded
and/or monitoring outside of standard business hours
• Providing decryptors for encrypted systems
• Ransomware negotiation
• Any work that is required to meet evidentiary standards for legal admissibility in a court
of law
• Preparation of systems run books, playbooks, or operational manuals
• Project management of individual projects
• Asset discovery and inventory
• Denial of Service (DoS) attack
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025) Page 4 of 7
2 Assumptions
MSCIR services delivered under this Exhibit are based on the following prerequisites and
assumptions:
• This Exhibit is considered the baseline scope
document outlining Microsoft's responsibilities for assistance.
• This
Exhibit is generated based upon currently known information deemed to be accurate an
d correct.
• All MSCIR service resources will have the appropriate level of security access and access
to relevant data required to complete project -related efforts.
• All work is delivered during normal business hours unless otherwise mutually agreed.
• MSCIR is typically staffed by a shared cybersecurity incident responder resource pool.
• Only currently supported Microsoft operating systems are guaranteed to be in -scope.
Non -supported Microsoft
operating systems may be deprecated from analysis at any time.
• Written deliverables are available in English language only.
• Services may be delivered remotely or onsite at customer location based on the
agreement of the parties.
• Notwithstanding the USSD, a previously scheduled paid additional service may not be
canceled or rescheduled and is non-refundable unless both the Customer and Microsoft
mutually agree otherwise in writing.
3 Customer's responsibilities
• Provide accurate and complete information, as needed, including identification of
systems of interest, overviews of IT infrastructure/topology, and findings from relevant
investigation(s).
• Provide subject matter specialists and systems administrators, as necessary, so that
proper access to system(s) may be obtained.
• Provide timely decisions and approvals by management, as needed.
• Grant full empowerment for MSCIR responders to fully perform the forensic investigative
processes and procedures it employs as part of its standard protocols, free of
encumbrances created by third parties, such as other incident response vendors. Any
failure by Customer, or its representatives or agents, to fully empower Microsoft to
perform its work may result in delays of service or inadequate outcomes.
4 Customer system requirements
• An operational solution to remotely deploy the required tools for the MSCIR
engagement (e.g., SCCM, Active Directory GPO, or other).
• Provide Microsoft Entra ID accounts with Global Administrator permissions, as needed
• Deployment of specialized analytics tools indicated and provided by the MSCIR delivery
team. Tools required for analysis may include the following, among a range of
potentially required analytics tools:
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025) Page 5 of 7
o Fennec: Fennec is a Microsoft proprietary tool, which will be provided by Microsoft
directly to the Customer when ready to deploy. Fennec is an "agentless", one-time
scanning tool that provides an investigative snapshot of scanned machines.
o Linux Forensic Examination Tool ("LIFE"): LIFE is a proprietary tool, which will be
provided by Microsoft directly to the Customer when ready to deploy. LIFE gathers a
snapshot of information about files, programs, processes, and users on Linux
machines throughout their organization to augment the Incident Response
investigation.
o FoX: FoX is a proprietary forensics tool deployed to machines if particular interest or
where deeper additional information is required.
o Arctic : Arctic is a tactical identity forensics tool that enumerates aspects of Active
Directory Domain Services to allow for identification of adversary persistence
o Cosmic: COSMIC is an Azure cloud forensics tool that enumerates aspects of Entra
ID to allow for identification of adversary persistence.
o Microsoft Defender for Endpoint:
Microsoft's endpoint detection and response (EDR)
solution provides continuous monitoring for additional adversary activity. An agent
is required for in -scope, non -Windows 10/11 machines.
o Microsoft Defender for Identity: Defender for Identity analyzes authentication traffic
on Customer's Domain Controllers to identify suspicious activity and identity -
based attacks. Solution requires an agent to be deployed to each Domain
Controller, Active Directory Certificate Services (ADCS) and Active Directory
Federation services (ADFS) where applicable.
5 Access required for analysis
• Global Administrator access in Microsoft Entra ID is required for successful completion of
the engagement.
• Microsoft may leverage access into your Azure and Office 365 environment to perform
analysis and investigation.
Note: Microsoft will notify Customer if additional tools are required based on initial findings and
understanding of the specific scenario.
6 Deliverables
Deliverables for MSCIR engagements may include:
Deliverable
Description
Outbrief Report
An "outbrief" document in Microsoft PowerPoint format, prepared by the delivery
team, summarizing key investigative findings, which may include assessment of risk
and/or recommendations for remediation
Outbrief
Presentation
An outbrief presentation to Customer verbally to communicate the findings
described in the outbrief document
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025)
Page 6of7
Timeline Report
If technically feasible and supporting data exists, a timeline document in Microsoft
Excel identifying and documenting the location of relevant supporting data and files
analyzed during the course of the engagement
Power BI
Dashboard
A Microsoft Power BI Dashboard showing technical information concerning the
findings from the Fennec scanner, except in rare circumstances when it cannot be
generated for technical reasons
Deliverables (as defined above) will be delivered within the ten (10) calendar days following the
conclusion of the MSCIR engagement, unless Customer chooses not to receive the Deliverables.
The Customer's choice not to receive the Deliverables is no fault of Microsoft under any
circumstances, and any obligation of Microsoft to deliver said Deliverable(s) expires ten (10)
calendar days after the final day of the engagement, unless otherwise mutually agreed by
Microsoft and Customer.
MSCIR deliverables may provide the following:
• Identity of systems that may be compromised
• Identity of systems that may be vulnerable (e.g., machines missing critical patches and/or
antivirus definitions and identification of commonly exploited applications)
• Results of forensic analysis of hosts of interest
• Results of reverse engineering of suspicious files
• Guidance for a customer to take proactive steps to improve their security posture
MSCIR deliverables do not provide the following:
• Attribution of attacker including the identity, motives or origin
• Chain of custody of evidence (e.g., IOCs)
Compliance assessment with any standard or framework, e.g., security or privacy standards
• Remediation efforts
• Source code review
• Organizational change management
• Technical and/or architectural IT systems design
• Detailed analysis or risk assessments of existing security controls and
how they are implemented
Customers who seek findings pertaining to compliance and regulations should be conducted
separately by professional services firms that specialize in audit and assurance. Customers
should independently validate whether a cyber-attack incident is covered by their insurance
policy, if applicable.
7 Fees
Fees associated with this Exhibit will be detailed in the Work Order.
UnifiedCybersecuritylncidentResponseExhibitv2.1(WW)(English)(Sep2025) Page 7 of 7
Olivera, Rosemary
From: Britos, Nina
Sent: Tuesday, February 24, 2026 11:23 AM
To: Olivera, Rosemary
Cc: Duque, Arturo; Pico, Hector; Trogner, Kaira
Subject: RE: FY 2026 Microsoft Unified Support Services Agreement- Innovation and
Technology Dept.
Attachments: For_Signature_FY_2026_Microsoft_Unified_Supp.pdf
Good morning Rosemary,
Certainly, please find attached as one single document.
Thank you,
Nina Britos, MBA
Assistant to the Director
Department of Innovation and Technology
444 SW 2nd Avenue, 5th Floor, Miami, FL 33130
Tel: (305) 416-1659
Email: NBritos@miamigov.com
From: Olivera, Rosemary <ROlivera@miamigov.com>
Sent: Monday, February 23, 2026 5:42 PM
To: Britos, Nina <NBritos@miamigov.com>
Cc: Duque, Arturo <ADuque@miamigov.com>; Pico, Hector <hpico@miamigov.com>; Trogner, Kaira
<Ktrogner@miamigov.com>
Subject: RE: FY 2026 Microsoft Unified Support Services Agreement- Innovation and Technology Dept.
Importance: High
Good afternoon Nina,
Please resend the document as one single document for our records. Thank you.
From: Britos, Nina <NBritos@miamigov.com>
Sent: Monday, February 23, 2026 2:50 PM
To: Olivera, Rosemary <ROlivera@miamigov.com>
Cc: Duque, Arturo <ADuque@miamigov.com>; Pico, Hector <hpico@miamigov.com>; Trogner, Kaira
<Ktrogner@miamigov.com>
Subject: FY 2026 Microsoft Unified Support Services Agreement- Innovation and Technology Dept.
Good afternoon Rosemary,
For your records, please find attached a signed agreement, "FY 2026 Microsoft Unified Support Services
Agreement" for the Department of Innovation and Technology.
1
Please let us know if there is anything else needed.
Thank you kindly,
Nina Britos, MBA
Assistant to the Director
Department of Innovation and Technology
444 SW 2"d Avenue, 5th Floor, Miami, FL 33130
Tel: (305) 416-1659
Email: NBritos@miamigov.com
2