AGREEMENT INFORMATION
AGREEMENT NUMBER 25984
NAME/TYPE OF AGREEMENT MICROSOFT
DESCRIPTION MASTER SERVICES AGREEMENT/UNIFIED SUPPORT SERVICES/MATTER ID: 26-53
EFFECTIVE DATE
ATTESTED BY TODD B. HANNON
ATTESTED DATE 2/20/2026
DATE RECEIVED FROM ISSUING DEPT. 2/24/2026
NOTE
DOCUSIGN AGREEMENT BY EMAIL
CITY OF MIAMI
DOCUMENT ROUTING FORM
ORIGINATING DEPARTMENT: Department of Innovation & Technology (DoIT)
DEPT. CONTACT PERSON: Arturo Duque EXT. 1018/MS Teams
NAME OF CONTRACTUAL PARTY/ENTITY: _____________________________________________
IS THIS AGREEMENT TO BE EXPEDITED/RUSH YES NO
TOTAL CONTRACT AMOUNT: $498,726.84 FUNDING INVOLVED? YES NO
TYPE OF AGREEMENT:
MANAGEMENT AGREEMENT
PUBLIC WORKS AGREEMENT
PROFESSIONAL SERVICES AGREEMENT
MAINTENANCE AGREEMENT
GRANT AGREEMENT
INTER-LOCAL AGREEMENT
EXPERT CONSULTANT AGREEMENT
LEASE AGREEMENT
LICENSE AGREEMENT
PURCHASE OR SALE AGREEMENT
OTHER: (PLEASE SPECIFY: _____________________________________________________________________
PURPOSE OF ITEM (DETAILED SUMMARY/ADD ADDITIONAL PAGES IF NECESSARY): To review the FY25-2026 Microsoft Unified Support Services Agreement. This is submitted every year for approval. LSR#03548[26-53].
03548[26-53]
COMMISSION APPROVAL DATE: ____/_____/____ FILE ID: ___________ ENACTMENT NO: _______
IF THIS DOES NOT REQUIRE COMMISSION APPROVAL, PLEASE EXPLAIN: _______________________
ROUTING INFORMATION / Date / PLEASE PRINT AND SIGN
APPROVAL BY DEPARTMENTAL DIRECTOR
PRINT: ARTURO DUQUE
SIGNATURE:
SUBMITTED TO RISK MANAGEMENT
PRINT: DAVID RUIZ
SIGNATURE:
SUBMITTED TO CITY ATTORNEY
PRINT: GEORGE K. WYSONG III
SIGNATURE:
APPROVAL BY ASSISTANT CITY MANAGER
PRINT: BARBARA HERNANDEZ
SIGNATURE:
APPROVAL BY DEPUTY CITY MANAGER
PRINT: NATASHA COLEBROOK-WILLIAMS
SIGNATURE:
RECEIVED BY CITY MANAGER
PRINT: JAMES REYES
SIGNATURE:
SUBMITTED TO THE CITY CLERK
PRINT: TODD B. HANNON
SIGNATURE:
PLEASE ATTACH THIS ROUTING FORM TO ALL DOCUMENTS THAT REQUIRE
EXECUTION BY THE CITY MANAGER
Microsoft Enterprise Services Work Order
Work Order Number
GVS02601-1035145-1035145
(Microsoft Affiliate to complete)
This Work Order consists of the terms and conditions below, and the provisions of the Microsoft
Master Services Agreement reference U5222173, effective as of 1/13/2017 (the "Agreement"),
the provisions of the Description of Services applicable to the Professional Services identified in
this Work Order, and any attachments or exhibits referenced in this Work Order, all of which are
incorporated herein by this reference. In this Work Order or means the
undersigned customer or its affiliate and "Microsoft", the undersigned
Microsoft affiliate.
By signing below the parties acknowledge and agree to be bound to the terms of this Work Order,
the Agreement and all other provisions incorporated in them. This Work Order is effective as of
the date that Microsoft signs this Work Order. Regardless of any terms and conditions contained
in a purchase order, if any, the terms of this Work Order apply.
THE CITY OF MIAMI, A MUNICIPAL CORPORATION OF THE STATE OF FLORIDA
BY:_____________________________________
James Reyes
City Manager
ATTEST:
BY:_____________________________________
Todd B. Hannon
City Clerk
APPROVED AS TO LEGAL FORM AND CORRECTNESS:
BY:_____________________________________
George K. Wysong III
City Attorney
APPROVED AS TO INSURANCE REQUIREMENTS:
BY:_____________________________________
David Ruiz
Interim Director of Risk Management
EnterpriseServicesWorkOrderv9.0(WW)(ENG)(Jul2022)Page1of12
Customer
Name of Customer (please print)
City of Miami, Florida
Signature
Name of person signing (please print)
Title of person signing (please print)
Signature date
Name of Customer or its Affiliate that executed the Agreement (if different from
Customer above)
Microsoft Affiliate
Name
Microsoft Corporation
Signature
Name of person signing (please print)
Title of person signing (please print)
Signature date (effective date)
Does Customer issue or require a Customer purchase order for the payment of Microsoft
Services? [X] Yes or No
If is selected above, Customer represents and warrants that it does not require purchase
order(s) be submitted to Microsoft for payment of the Microsoft Services Fees listed herein.
Customer will not withhold payment of invoice due to the absence of a purchase
order reference.
If no purchase order is required, Customer must complete "Customer invoice information"
below and ensure it is accurate or revised in a timely manner. Further, the below
invoice must be completed prior to: (a) Customer signing this Work Order; and (b)
Microsoft invoicing Customer.
Customer invoice information
Name of Customer: City of Miami - Finance - General Accounting
Contact Name (Receives invoices under this Work Order): Arturo Duque
Street Address: 444 SW 2nd Ave 6th Floor
Contact E-Mail Address: aduque@miamigov.com, payables@miamigov.com
City: MIAMI
State/Province: Florida
Phone:
Country: United States
Postal Code: 33130-1910
Fax:
Support Services and Fees
Term.
Description of Services.
incorporated by reference and is published by Microsoft from time to time at
www.microsoft.com/unified-support-services-description. Microsoft may update the support
services you purchase under this agreement from time to time, provided that the level of support
services you purchase will not materially decrease during the current Term.
Services by Support Location:
Unified Enterprise Support - 2026-27 USA - SLG - Enterprise East 1/13/2026 - 1/12/2027
Quantity | Service | Service Type
Included | Enterprise Advisory Support Hours As-needed | Advisory Services
Included | Enterprise Azure Problem Resolution Hours As-needed | Problem Resolution Support
Included | Enterprise On-demand Assessment | On-Demand Assessment
Included | Enterprise On-Demand Education | On-Demand Education
Included | Enterprise Online Support Portal | Administrative
Included | Enterprise Problem Resolution Hours As-needed | Problem Resolution Support
Included | Enterprise Reactive Support Management | Service Delivery Management
Included | Enterprise Service Delivery Management | Service Delivery Management
Included | Enterprise Webcasts As-Needed | Webcast
Included | Reactive Enabled Contacts | Problem Resolution Support
1 ea | On-Demand Assessment - Setup and Config Service As-needed Remote | On-Demand Assessment
Enhanced Designated Engineering | Security EDE - 2026-27 USA - SLG - Enterprise East 1/13/2026 - 1/12/2027
Quantity | Service | Service Type
200 hr | Enhanced Designated Engineering Security Zero Trust | Designated Support Engineering
Included | Service Delivery Management Extended | Service Delivery Management
Enhanced Security | Cybersecurity Incident Response - 2026-27 USA - SLG - Enterprise East 1/13/2026 - 1/12/2027
Quantity | Service | Service Type
Included | Service Delivery Management Extended | Service Delivery Management
150 hr | Cybersecurity Incident Response Service | Security Services
Enhanced Designated Engineering | Copilot for Microsoft 365 - 2026-27 USA - SLG - Enterprise East 1/13/2026 - 1/12/2027
Quantity | Service | Service Type
200 hr | Enhanced Designated Engineering Copilot for Microsoft 365 | Designated Support Engineering
Included | Service Delivery Management Extended | Service Delivery Management
Proactive Credit Add-On - 2026-27 USA - SLG - Enterprise East 1/13/2026 - 1/12/2027
Quantity | Service | Service Type
400 ea | Proactive Credits | Proactive Credits
Enhanced Designated Engineering | Azure IaaS - 2026-27 USA - SLG - Enterprise East 1/13/2026 - 1/12/2027
Quantity | Service | Service Type
Included | Service Delivery Management Extended | Service Delivery Management
200 hr | Enhanced Designated Engineering Azure IaaS | Designated Support Engineering
Support Services Fees.
The items listed in the table above represent the services that Customer has pre-purchased for
use during the term of this Work Order, and applicable fees are shown in the table below.
Microsoft Support Services are a non-refundable, prepaid service.
Before Microsoft commences or continues provision of Microsoft Support Services, Microsoft
applicable, completed Customer invoice information above. Microsoft will invoice Customer, and
Customer agrees to pay Microsoft within 45 calendar days of the date of Microsoft invoice.
Microsoft reserves the right to adjust Microsoft fees prior to entering into any changes to the
Microsoft Support Services ordered herein.
Services Summary | Billing Date (M/d/yyyy) | Fee USD
Unified Enterprise Support - 2026-27 | 1/13/2026 | 280,806.86
Enhanced Designated Engineering | Security EDE - 2026-27 | 1/13/2026 | 77,020.00
Enhanced Security | Cybersecurity Incident Response - 2026-27 | 1/13/2026 | 94,515.00
Enhanced Designated Engineering | Copilot for Microsoft 365 - 2026-27 | 1/13/2026 | 77,020.00
Proactive Credit Add-On - 2026-27 | 1/13/2026 | 40,000.00
Enhanced Designated Engineering | Azure IaaS - 2026-27 | 1/13/2026 | 77,020.00
Subtotal | | 646,381.86
Other Adjustments | | (91,493.65)
Flex Allowance | | (56,161.37)
Total Fees (excluding taxes) | | $498,726.84
Billing Schedule | Billing Date (M/d/yyyy) | Fee USD
Payment | 1/13/2026 | 498,726.84
Total Fees (excluding taxes) | | $498,726.84
Cybersecurity Incident Response Services Fees.
The Cybersecurity Incident Response Services hours listed in the table below are the services that
Customer agrees to pay up front for use during the term of the Cybersecurity Incident Response
Services. Accordingly, Customer agrees to pay up front in full the Total Estimated Fees shown in
the table below for the Cybersecurity Incident Response Services. All fees paid up front are non-
refundable. Any Cybersecurity Incident Response Services hours not consumed prior to the
Cybersecurity Incident Response Services Expiration Date will be forfeited. The Total Estimated
Fees do not include fees for Products. Customer will pay Microsoft within 45 calendar days of the
date of Microsoft invoice.
Services Summary | Hours | Billing Date | Fee USD
Service Delivery Management Hours | 15 hr | 1/13/2026 | $4,515.00
Cybersecurity Incident Response Service | 150 hr | 1/13/2026 | $90,000.00
Total Fees (excluding taxes) | | | $94,515.00
Cybersecurity Incident Response Services Fees will not exceed the Total Estimated Fees indicated
in the table above without prior approval from Customer and a mutually acceptable amendment
to this Work Order. In the event that such approval must be sought, but is not provided,
notwithstanding anything to the contrary, Customer acknowledges and agrees that Microsoft has
no further obligation to continue providing Cybersecurity Incident Response Services.
Support for Microsoft Products
available Microsoft products, and cloud services subscriptions purchased by Customer or
Affiliate: i) under the licensing enrollments and agreements, as indicated in Appendix
A; and ii) during the Term of this Work Order. Such products and subscriptions exclude those
Customer Named Contact(s).
Any changes to the named contacts should be submitted to Microsoft Contact.
Name of Customer Support Service Administrator: Arturo Duque
Street Address: 444 SW 2nd Ave
Contact E-Mail Address: aduque@miamigov.com
City: MIAMI
State/Province: FL
Phone: 305 416-1701
Country: United States
Postal Code: 33130
Fax:
Unforeseen Circumstances. In the event of unforeseen circumstances resulting from causes
beyond commercially reasonable control, Microsoft will not be responsible for any
delay or inability to perform Cybersecurity Incident Response Services.
Public Statements. Customer is not permitted to make any public statements identifying or
regarding Microsoft, its Affiliates, or its contractors/subcontractors in relation to the Event or the
services, findings, Services Deliverables, or other information provided under this Work Order
without its express prior written consent.
Use, ownership, restrictions and rights.
Products.
means all products identified in the Product Terms, such as all Software, Online Services
and other web-based services, including pre-release or beta versions. Product availability may
vary by region. means the information about Microsoft Products and Professional
Services available through volume licensing. The Product Terms are published on the Volume
http://www.microsoft.com/licensing/contracts or a successor site.
All products and related solutions provided under this Work Order will be licensed according to
the terms of the license agreement packaged with or otherwise applicable to such product.
Customer is responsible for paying any licensing fees associated with Products.
Fixes.
either releases generally (such as service packs), or that Microsoft provides to Customer when
performing Professional Services (all support, planning, consulting and other professional services
or advice, including any resulting deliverables provided to Customer under this Work Order, to
Fixes are licensed according to the license terms applicable to the Product to which those Fixes
relate. If the Fixes are not provided for a specific Product, any other use terms Microsoft provides
with the Fixes will apply.
Pre-existing Work.
"Pre-existing Work" means any computer code or other written materials developed or otherwise
obtained independent of this Work Order.
All rights in Pre-existing Work shall remain the sole property of the party providing the Pre-
existing Work. Each party may use, reproduce and modify the other party's Pre-existing Work only
as needed to perform obligations related to Professional Services.
Services Deliverables.
Services. Upon payment in full for the Professional Services, Microsoft grants Customer a non-
exclusive, non-transferable perpetual, fully paid-up license to reproduce, use and modify the
business purposes, subject to the terms and conditions of this Work Order.
Non-Microsoft software and technology.
Customer is solely responsible for any non-Microsoft software or technology that it installs or uses
with the Products, Fixes, or Services Deliverables.
rights
controlled by, or that is under common control
entity or the power to direct the management and policies of an entity.
Customer may sublicense the rights contained in this section relating to Services Deliverables to
its Affiliates, but Customer's Affiliates may not sublicense these rights and Customer's Affiliates'
use must be consistent with the license terms contained in this Work Order.
Restrictions on use.
Customer must not (and is not licensed to) (1) reverse engineer, decompile or disassemble any
Product, Fix, or Services Deliverable; (2) install or use non-Microsoft software or technology in any
way that would subject Microsoft's intellectual property or technology to any other license terms;
or (3) work around any technical limitations in a Product, Fix or Services Deliverable or restrictions
in Product documentation. Except as expressly permitted in this Work Order or Product
documentation, Customer must not (and is not licensed to) (1) separate and run parts of a Product
or Fix on more than one device, upgrade or downgrade parts of a Product or Fix at different times,
or transfer parts of a Product or Fix separately; or (2) distribute, sublicense, rent, lease, lend any
Products, Fixes, or Services Deliverables, in whole or in part, or use them to offer hosting services
to a third party.
Reservation of rights.
Products, Fixes, and Services Deliverables are protected by copyright and other intellectual
property rights laws and international treaties. Microsoft reserves all rights not expressly granted
in this agreement. No rights will be granted or implied by waiver or estoppel. Rights to access or
use Software on a device do not give Customer any right to implement Microsoft patents or other
Microsoft intellectual property in the device itself or in any other software or devices.
Microsoft Professional Services Data Protection Addendum and
Confidentiality.
software, that are provided to Microsoft by, or on behalf of, Customer (or that Customer
authorizes Microsoft to obtain from an Online Service) or otherwise obtained or processed by or
on behalf of Microsoft through an engagement with Microsoft to obtain Professional Services.
The data protection terms applying to Professional Services in effect on the effective date of this
Work Order and available at https://aka.ms/eswodpa are incorporated herein by this reference.
For liability arising out of either confidentiality obligations relating to Professional Services
limited to direct damages finally awarded in an amount not to exceed the amounts Customer paid
for the applicable Professional Services under this Work Order.
Confidentiality and Privacy.
The Parties recognize that this Agreement is a binding agreement and a public contract, subject
to all applicable State of Florida public records laws, to include but not limited to Chapter 119,
Florida Statutes; provided, however, should Microsoft believe that a specific exemption applies
to any information provided by Microsoft to the City of Miami as Customer, then Microsoft at
its option and at no costs to the City, may proceed to court in the U.S. District Court for the
Southern District of Florida, Miami Division, to obtain declaratory judgment regarding the
applicability of said specific exemption from public records laws. All Parties to this Agreement
will agree to protect clearly marked Confidential Information of one another in a reasonable
and appropriate manner, and will use clearly marked Confidential Information only to perform
its obligations under this Agreement and for no other purpose. This will not apply to
information which is publicly known, already known to the recipient, lawfully disclosed by a
third party, independently developed, disclosed pursuant to legal requirement or order, or
items that are subject to public records access laws.
IF MICROSOFT HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER 119,
FLORIDA STATUTES, TO ANY DUTY TO PROVIDE PUBLIC RECORDS RELATING TO THIS
PUBLIC RECORDS AT TELEPHONE NUMBER 305-416-1800, EMAIL:
PUBLICRECORDS@MIAMIGOV.COM, AND MAILING ADDRESS: PUBLIC RECORDS C/O
OFFICE OF THE CITY ATTORNEY, 9TH FLOOR, MIAMI RIVERSIDE CENTER, 444 S.W. 2ND
CUSTODIAN OF RECORDS FOR THIS AGREEMENT AT TELEPHONE NUMBER 305-416-
1701, EMAIL GCHOW@MIAMIGOV.COM AND MAILING ADDRESS MIAMI RIVERSIDE
CENTER, 444 S.W. 2ND AVENUE, 5TH FLOOR, MIAMI, FLORIDA 33130.
Counterparts; Electronic Signatures.
This Agreement and any amendments hereto may be executed in several counterparts, and all
or any of such counterparts taken together shall be deemed to constitute one and the same
instrument. An executed facsimile or electronic scanned copy of this Agreement shall have the
same force and effect as an original. The Parties shall be entitled to sign and transmit an
electronic signature on this Agreement (whether by facsimile, PDF, or other email transmission),
which signature shall be binding on the Party whose name is contained therein. Any Party
providing an electronic signature agrees to promptly execute and deliver to the other Party an
original signed Agreement upon written request.
Attachments.
The following documents are attached at the execution of this Work Order:
Exhibit: UnifiedCybersecurityIncidentResponseExhibitv2.1(WW)(English)(Sep2025).docx
Microsoft Contact
Customer contact for questions and notices about this Work Order.
Microsoft Contact Name
David Karalekas
Phone Contact E-Mail Address
David.Karalekas@microsoft.com
Appendix A
As of the Support Commencement Date, below is a list of your declared licensing enrollments
and agreements for which Microsoft will provide support services as defined within this Work
Order.
Customer Name | Licensing Program | Licensing Enrollment/Agreement Number/Billing Account ID
CITY OF MIAMI POLICE | Enterprise 6 | 57150184
CITY OF MIAMI POLICE-57150184-COM POLICE AZURE MAC | Enterprise 6 | 6832951
CITY OF MIAMI, FL-58306110-CITY OF MIAMI POLICE | Enterprise 6 | 6959310
CITY OF MIAMI, FL | Enterprise 6 | 58306110
Microsoft Support Services Exhibit
Cybersecurity Incident Response Services
Enterprise Services Work Order GVS02601-1035145-1035145
This Exhibit is made pursuant to the Microsoft Enterprise Services Work Order identified above
are incorporated herein by this reference. Any terms not otherwise defined herein will assume the
meanings set forth in the USSD and Work Order.
The term of the Cybersecurity Incident Response Services will commence on 1/13/2026
1/12/2027
1 Overview and scope of coverage
Customer is entitled to the below specialized cybersecurity-related assistance with the purchase
of Microsoft Cybersecurity Incident Response
1.1 Onboarding
MSCIR services will be provided by a team of Microsoft support resources that may include:
Microsoft support engineers with security expertise.
Microsoft engineers from the Microsoft Incident Response team with deep
knowledge of cybersecurity incident response.
Microsoft Security Cloud Solution Architects with specialized skills to augment the
MSIR team.
Additional Microsoft security experts, at the discretion of the MSIR team.
How to Engage for a Cyber-attack incident:
Open a reactive support case, as outlined in the USSD, noting a potential
security incident. Initial investigation will be performed, and the MSIR team will be
engaged when deeper investigation and/or containment measures are warranted.
Standard expected response times apply for all reactive support cases.
How to Engage for pre-incident MSCIR services:
Contact the CSAM to scope and schedule pre-incident MSCIR services.
1.2 Incident Response Services
Services Within Scope
UnifiedCybersecurityIncidentResponseExhibitv2.1(WW)(English)(Sep2025) Page 1 of 7
Pre-Incident Services
Areas within scope | Description
Threat Briefing | Highly specialized Microsoft Security researchers provide tailored threat intelligence advisory services, enhancing defense strategy with customized threat intelligence informed by industry-specific threats.
Tabletop Enhanced (Premium) | Helps identify potential gaps in incident response plan and improves collective decision-making during incidents. team will walk through security events, providing evidence to Microsoft engineers who will guide and help evaluate ability to identify and respond to each scenario. Includes collaborative exercise guiding participants through simulated incident scenarios.
Proactive Identity Assessment | Helps to protect from targeted attacks by sophisticated adversaries and criminal organizations, offering a thorough evaluation of Control Plane, pinpointing critical security risks and providing actionable recommendations.
Proactive Identity Hardening | Utilizes automation to deploy Secure Keyboard, including Conditional Access Policies, required Groups, Break Glass Accounts, Intune Policies and AutoPilot. Includes the continued deployment of the tiering model, onboarding one workload to Tier 1. Optional security assessment of Entra ID, discussions on recommended practices for MDE, MDI and MDC. Also initiates Laps implementation.
Compromise Assessment | Highly specialized Microsoft resources providing remote analysis, effectively serving as an incident response prior to an actual emergency. Assessment will provide the findings that identify systems that may be compromised or vulnerable, along with recommendations to guide Customer on taking proactive measures to improve security posture.
On-Premises System Investigation
Areas within scope:
Investigation of Windows environments, including:
o Workstations
o Member servers
o Domain controllers
Investigation of Linux environments within the supported distributions/versions.
Linux endpoints may be in scope for cybersecurity Incident Response engagements, but in a limited format. In-scope, non-Windows operating systems may include, but are not limited to:
o Red Hat - Red Hat Enterprise Linux (RHEL), Fedora, CentOS, AlmaLinux, and Oracle Linux.
o Debian - Debian, Ubuntu, Mint OS, and Kali.
o SUSE - openSUSE, SUSE Linux Enterprise Desktop (SLED), and SUSE Linux Enterprise Server (SLES).
Investigation of MacOS systems, where Defender for Endpoint (MDE) can be deployed
Note that compatibility with Microsoft security technologies may be dependent on kernel version. Previous kernel versions may be supported on a commercially reasonable effort basis.
Out-of-scope operating systems include (but are not limited to):
o Custom Linux kernels
o BSD
Description:
The assessment provides:
o Threat hunt and forensic analysis of machines of interest.
o Reverse engineering of suspicious files.
o Security configuration assessment of Active Directory/Microsoft Entra ID.
o Analysis /remediation of supported endpoints
Microsoft Entra ID & O365 Investigation:
o Microsoft will assist with assessment of Microsoft Entra ID/Office 365 environments, including:
O365 tenant(s)
Microsoft Entra ID (AAD)
Assessment provides:
o Investigation of suspected identities and potentially compromised accounts
o Investigation of key data points across O365 services
o Security components assessment of O365 Architecture
o Risk management recommendations to protect O365 services
o Custom threat profile of high-risk users
Tactical Recovery & Containment:
o Assistance in containing and recovering from a security incident.
Includes support for:
o Restoration and hardening of critical Tier 0 assets, such as Microsoft Entra ID, HyperV, Windows Server Update Services (WSUS), Active Directory Federation Services (AD FS), and Active Directory Certificate Services (AD CS).
o Hardening of key cloud services related to the protection of attack paths frequently used by Threat Actors in products such as Exchange Online Protection (EOP), Defender for Office 365 (MDO), Microsoft Entra ID and its associated sub-services.
o
Microsoft identity by disrupting the
achieved through a combination of actions including: close the Command-and-Control (C2) channels, harden identity, endpoints, and servers, isolate and rebuild planning and support or guidance of compromised systems.
1.3 Services Out of Scope Incident Response
Anything not explicitly listed in Within is out of scope for this service,
including but not limited to the following:
Analysis of Networking equipment
Comprehensive analysis of endpoints running legacy (unsupported) operating systems
Data migration activities
Provision of formal training
Decryption support for encrypted files or hosts
Investigation, validation, or remediation of individual security alerts or indicators of
compromise outside of active incident response engagement
Constant, or continuous, security monitoring after the engagement has concluded
and/or monitoring outside of standard business hours
Providing decryptors for encrypted systems
Ransomware negotiation
Any work that is required to meet evidentiary standards for legal admissibility in a court
of law
Preparation of systems run books, playbooks, or operational manuals
Project management of individual projects
Asset discovery and inventory
Denial of Service (DoS) attack
2 Assumptions
MSCIR services delivered under this Exhibit are based on the following prerequisites and
assumptions:
This Exhibit is considered the baseline scope
document outlining responsibilities for assistance.
This Exhibit is generated based upon currently known information deemed to be accurate
and correct.
All MSCIR service resources will have the appropriate level of security access and access
to relevant data required to complete project-related efforts.
All work is delivered during normal business hours unless otherwise mutually agreed.
MSCIR is typically staffed by a shared cybersecurity incident responder resource pool.
Only currently supported Microsoft operating systems are guaranteed to be in-scope.
Non-supported Microsoft operating systems may be deprecated from analysis at any time.
Written deliverables are available in English language only.
Services may be delivered remotely or onsite at customer location based on the
agreement of the parties.
Notwithstanding the USSD, a previously scheduled paid additional service may not be
canceled or rescheduled and is non-refundable unless both the Customer and Microsoft
mutually agree otherwise in writing.
3 responsibilities
Provide accurate and complete information, as needed, including identification of
systems of interest, overviews of IT infrastructure/topology, and findings from relevant
investigation(s).
Provide subject matter specialists and systems administrators, as necessary, so that
proper access to system(s) may be obtained.
Provide timely decisions and approvals by management, as needed.
Grant full empowerment for MSCIR responders to fully perform the forensic investigative
processes and procedures it employs as part of its standard protocols, free of
encumbrances created by third parties, such as other incident response vendors. Any
failure by Customer, or its representatives or agents, to fully empower Microsoft to
perform its work may result in delays of service or inadequate outcomes.
4 Customer system requirements
An operational solution to remotely deploy the required tools for the MSCIR
engagement (e.g., SCCM, Active Directory GPO, or other).
Provide Microsoft Entra ID accounts with Global Administrator permissions, as needed.
Deployment of specialized analytics tools indicated and provided by the MSCIR delivery
team. Tools required for analysis may include the following, among a range of
potentially required analytics tools:
o Fennec: Fennec is a Microsoft proprietary tool, which will be provided by Microsoft
-time
scanning tool that provides an investigative snapshot of scanned machines.
o LIFE is a proprietary tool, which will be
provided by Microsoft directly to the Customer when ready to deploy. LIFE gathers a
snapshot of information about files, programs, processes, and users on Linux
machines throughout their organization to augment the Incident Response
investigation.
o FoX: FoX is a proprietary forensics tool deployed to machines of particular interest or
where deeper additional information is required.
o Arctic: Arctic is a tactical identity forensics tool that enumerates aspects of Active
Directory Domain Services to allow for identification of adversary persistence.
o Cosmic: COSMIC is an Azure cloud forensics tool that enumerates aspects of Entra
ID to allow for identification of adversary persistence.
o Microsoft Defender for Endpoint:
endpoint detection and response (EDR)
solution provides continuous monitoring for additional adversary activity. An agent
is required for in-scope, non-Windows 10/11 machines.
o Microsoft Defender for Identity: Defender for Identity analyzes authentication traffic
identity-
based attacks. Solution requires an agent to be deployed to each Domain
Controller, Active Directory Certificate Services (ADCS) and Active Directory
Federation Services (ADFS) where applicable.
5 Access required for analysis
Global Administrator access in Microsoft Entra ID is required for successful completion of
the engagement.
Microsoft may leverage access into your Azure and Office 365 environment to perform
analysis and investigation.
Note: Microsoft will notify Customer if additional tools are required based on initial findings and
understanding of the specific scenario.
6 Deliverables
Deliverables for MSCIR engagements may include:
Deliverable | Description
Outbrief Report | team, summarizing key investigative findings, which may include assessment of risk and/or recommendations for remediation
Outbrief Presentation | An outbrief presentation to Customer verbally to communicate the findings described in the outbrief document
Timeline Report | If technically feasible and supporting data exists, a timeline document in Microsoft Excel identifying and documenting the location of relevant supporting data and files analyzed during the course of the engagement
Power BI Dashboard | A Microsoft Power BI Dashboard showing technical information concerning the findings from the Fennec scanner, except in rare circumstances when it cannot be generated for technical reasons
Deliverables (as defined above) will be delivered within the ten (10) calendar days following the
conclusion of the MSCIR engagement, unless Customer chooses not to receive the Deliverables.
circumstances, and any obligation of Microsoft to deliver said Deliverable(s) expires ten (10)
calendar days after the final day of the engagement, unless otherwise mutually agreed by
Microsoft and Customer.
MSCIR deliverables may provide the following:
Identity of systems that may be compromised
Identity of systems that may be vulnerable (e.g., machines missing critical patches and/or
antivirus definitions and identification of commonly exploited applications)
Results of forensic analysis of hosts of interest
Results of reverse engineering of suspicious files
Guidance for a customer to take proactive steps to improve their security posture
MSCIR deliverables do not provide the following:
Attribution of attacker including the identity, motives or origin
Chain of custody of evidence (e.g., IOCs)
Compliance assessment with any standard or framework, e.g., security or privacy standards
Remediation efforts
Source code review
Organizational change management
Technical and/or architectural IT systems design
Detailed analysis or risk assessments of existing security controls and
how they are implemented
Customers who seek findings pertaining to compliance and regulations should have that work conducted
separately by professional services firms that specialize in audit and assurance. Customers
should independently validate whether a cyber-attack incident is covered by their insurance
policy, if applicable.
7 Fees
Fees associated with this Exhibit will be detailed in the Work Order.
Olivera, Rosemary
From: Britos, Nina
Sent: Tuesday, February 24, 2026 11:23 AM
To: Olivera, Rosemary
Cc: Duque, Arturo; Pico, Hector; Trogner, Kaira
Subject: RE: FY 2026 Microsoft Unified Support Services Agreement- Innovation and Technology Dept.
Attachments: For_Signature_FY_2026_Microsoft_Unified_Supp.pdf
Good morning Rosemary,
Certainly, please find attached as one single document.
Thank you,
Nina Britos, MBA
Assistant to the Director
Department of Innovation and Technology
444 SW 2nd Avenue, 5th Floor, Miami, FL 33130
Tel: (305) 416-1659
Email: NBritos@miamigov.com
From: Olivera, Rosemary <ROlivera@miamigov.com>
Sent: Monday, February 23, 2026 5:42 PM
To: Britos, Nina <NBritos@miamigov.com>
Cc: Duque, Arturo <ADuque@miamigov.com>; Pico, Hector <hpico@miamigov.com>; Trogner, Kaira
<Ktrogner@miamigov.com>
Subject: RE: FY 2026 Microsoft Unified Support Services Agreement- Innovation and Technology Dept.
Importance: High
Good afternoon Nina,
Please resend the document as one single document for our records. Thank you.
From: Britos, Nina <NBritos@miamigov.com>
Sent: Monday, February 23, 2026 2:50 PM
To: Olivera, Rosemary <ROlivera@miamigov.com>
Cc: Duque, Arturo <ADuque@miamigov.com>; Pico, Hector <hpico@miamigov.com>; Trogner, Kaira
<Ktrogner@miamigov.com>
Subject: FY 2026 Microsoft Unified Support Services Agreement- Innovation and Technology Dept.
Good afternoon Rosemary,
For your records, please find attached a signed agreement, “FY 2026 Microsoft Unified Support Services
Agreement” for the Department of Innovation and Technology.
Please let us know if there is anything else needed.
Thank you kindly,
Nina Britos, MBA
Assistant to the Director
Department of Innovation and Technology
444 SW 2nd Avenue, 5th Floor, Miami, FL 33130
Tel: (305) 416-1659
Email: NBritos@miamigov.com