Ntiva Live: Cybersecurity for the Rest of Us

Microsoft 365 Licensing and Your Business Cybersecurity Environment

Episode Overview: Microsoft 365 Licensing and Cybersecurity

In today's episode, Frank and Ted Brown, Ntiva's Director of Product Management, discuss Microsoft 365 licensing and how the various levels (Business, E1, etc.) affect your business's cybersecurity vulnerability levels.


Microsoft 365 Licensing and Cybersecurity: Episode Transcript

As the last few people are coming through the gateway, we'll go ahead and get started. Thanks for taking time out from your lunch hour or late breakfast snack, depending on which time zone you might be in. This'll be our second time that we're in fact doing the Cybersecurity for the Rest of Us. This is very informal. Feel free to drop your questions into the Q&A if you have any as we go.

Frank Smith:

Today, we are going to talk about Microsoft 365 licensing and how that affects your security choices. And then also really what it does to you downstream if you have an incident and need to pull some data out of it. This is neither intended to be an attack on Microsoft saying, look how complicated this is. This is just too hard.

Why are we doing this? Or to in fact tell you, you should go spend a lot of money as a sales pitch from us, because it's neither of those things, but I think both of those will probably come out, and you'll just have to make some decisions as you go and say, is it important enough for me to try to do that? Can I live with the lower level licenses? Do I need to do these extra things?

This will not be death by PowerPoint, but I will show you one thing before we actually get started. I mentioned briefly the choice of plan has a huge difference in what your security choices are. Obviously it affects your costs. This is the latest version of Microsoft's work plan comparison chart. I apologize ahead of time, but this isn't my chart, this is Microsoft's. 

Now this is five pages, and I'll just scroll through this very briefly. You've got the various options. The optional plans like EMS. See all these little dots, this says what's included, what's not included. I didn't go through and count it. Probably half of those things in there are in fact some type of security related things. I'm going to be joined today by Ted Brown. Let's see if we can promote him. There you go. Ted, that should do the trick.

 

Ted Brown:

Good afternoon everyone.

 

Frank Smith:

Hey Ted, thanks for jumping in. I just showed the plan comparison, not in any detail, but just to in fact show all those different dots that are up there. I guess the takeaway, what's included in every plan is complex, to say the least. It's not just an issue about, do I get a 50 gig mailbox versus 100 gig mailbox?

And Ted is infinitely more familiar with all the licensing and the options. He certifies weekly in it. I probably try monthly. We say that kind of tongue in cheek. And then on top of all of that, and Ted feel free to chime in on this too. Most everybody probably is out that you've got commercial licenses. It's what typically everybody has. But Microsoft has educational licensing, nonprofit licensing, government licensing. They kind of follow the same things.

I've noticed what I call a risk element on the nonprofit side, because the cost on some of those licenses is zero. And what I've noticed when I worked with clients that have licenses that don't cost them any money, they don't do a very good job of cleaning up after themselves.

 

Ted Brown:

Yeah. They come with the E1 license, I think, is what the nonprofit one starts with for free. And then to get to the paid one, you go to the E3 for nonprofit. Those cost X couple of dollars but do add in a little bit more security to the mailbox. Basically, we're talking licensing here. You can go from free all the way up to ... And I think the going rate for a commercial E5 right now is like $57?

Ted Brown:

Correct. Especially on the M365 over the O365 licensing which throws another ... Taken all the communications out there of understanding, what's the difference between the M and the O?

 

Frank Smith:

Same basic security settings though, right? They didn't...

 

Ted Brown:

Yeah. The M365 does a job of actually throwing in the Microsoft Windows licensing SKUs in there. The ability to put in the Microsoft Windows licensing SKUs in there, so you had the ability to license your operating system on your computer. And it's also great when you look at potentially virtualizing your instances and going to like a WVD model or AVD, or the M365 will include the Windows operating system as well as RDP licensing.

Frank Smith:

Got it. So in the middle of all those dots that are on that chart, there's a couple of things that I want to draw attention to. There's a license type, and this has nothing to do with E3 or E5, but it's called EMS E3 and EMS E5, and those are enterprise mobile security. Now, that layers in a bunch of security options.

You can pair those with any other license I believe. It doesn't make sense sometimes to add it to any other licenses, but it is an add on to your basic office licensing. There's also Microsoft Azure Plan One and Azure Plan Two, and that's included in some of the other licenses as well. I know a lot of companies use the Business Standard license as an option to the Business Premium. But, Ted, I believe Business Premium includes Azure P1.

 

Ted Brown:

It does. I mean, the M365 Business Premium is actually a really good SKU, especially if you are underneath 300 users, because it does do the Azure AD Plan One. It does the Intune as well in there. And it used to be called Advanced Threat Protection Plan One, now it's the Defender.

Frank Smith:

O365 Defender.

Ted Brown:

So it adds those extra three layers at the same price you typically get the O365 E3. So you really don't lose much going to the M365 Business Premium if you're underneath 300 users and adds the extra three other available security features in there. The gotcha though, which I find people sometimes forget, if you go to the M365 E3, it includes the Intune but it does not include the Defender for your anti-spam. You actually have to add that in there. I don't know why that one was left out.

 

Frank Smith:

Interesting. So, if you were able to follow that and pick up all the acronyms and things that we threw around in there, what used to be ATP, advanced threat protection, is now called O365 Defender. Now, your basic O365 environment includes some minimal filtering and spam protection and stuff like that, but it's the basic. It's looking for all the obvious stuff and Microsoft will filter that out.

ATP gives you a lot more capability and it gives you some additional preventions against business email compromise. These options and these extra little policies that are built in there do have to be set up and configured. It's not like they're going to work for you exactly out of the box. We're recommending, and Ted, you can throw your two cents on this too, this is what I say is typical Microsoft, a year ago, ATP was, "Eh, it's okay." Is it worth a few extra bucks a month? Maybe. But I don't know, right now it seems like it's a pretty good package.

 

Ted Brown:

Yeah, I think so. I mean, it's up there with the big guys out there for the anti-spam solutions. It does a great job of it doing a Casper protection, link protection, and it also has the extra capabilities. Because it's built inside of Microsoft, so if we investigate your OneDrive and your SharePoint and your Teams, it goes throughout all the options within Microsoft 365. Not just your Exchange solution.

Frank Smith:

Okay. And then this is a great segue into some of the other options, and Ted already mentioned Intune, a lot of companies, and especially since COVID, we're seeing this all the time, companies that had been in a hybrid or had an on-premise active directory really as part of their overall cloud migration strategy, and in some cases it's because we're giving up the office, there won't be a return to the office because we figured out we don't need a physical space.

Azure AD and Intune is a great option for identity and access management if you want to move away from on-premise active directory if you already are in the cloud but don't have some centralized identity and access management, and that means a centralized place for users above and beyond just creating their mail account.

 

Frank Smith:

This is a little bit more level of complexity. You want people to log into their computers. You want the computer to belong to an Azure domain, Azure AD and Intune is a great way to go ahead and implement that. Now, again, you're not going to turn it on and it's going to work out of the box. It's got to be set up and configured. The extended Azure AD is included now with all the extended licenses, all the upper licenses, the Intune with a lot of them. But I think you can add that option, I think, to any license, right?

 

Ted Brown:

To add the Intune license into them?

 

Frank Smith:

Yeah.

 

Ted Brown:

Yeah. Intune is a separate package that can be added if it's not included. And one of the other pieces of Intune that is actually really nice, and unfortunately, like Frank said, you have to configure it, it doesn't all work out of the box. But one of the pieces that's actually exciting for me is with the Autopilot. We can actually start working with it.

You can set up policies for when new computers are actually provisioned when you're buying from Dell. They can be added right into the Autopilot so it will be set up for the user immediately. A white-gloved hand-off. We can actually have the device shipped straight to the end user, they type in their credentials, and the credentials will actually provision the actual computer exactly how it was meant to be set up. So it actually doesn't have to be handed off to a tech to get it configured. So it's pretty powerful.

Frank Smith:

Yeah. So number one, that's a good idea. You have a baseline setup on a computer. It's centrally set up. Here's the applications that you're allowed to put on it. Here's your default install. Typical users do not get local administrative rights as a result of that. That's a good idea just out of the get-go. So everybody should do that.

 

Ted Brown:

Well, even the simplicity of just being able to hand the device to somebody else. So, say, employee X leaves, you need to reprovision the device for someone else, you can just hit the Reprovision button. It puts it actually right back to the default settings. You hand it off to the next user. They sign in with their credentials and it sets it back up just to them so you don't have to worry about this whole erase the computer, bring it back to your tech, it's handed out. It can just be a flawless couple of clicks of a button and go.

Frank Smith:

Ah man, that almost sounds too good to be true.

 

Ted Brown:

But the thing is, again, just like you said, it all comes down to how you want to configure it, how you want it set up. It's just basically almost like how SharePoint is. SharePoint is this wonderful application you can use, but you have to configure it what makes sense for you and the customer. And so that's just the point of actually just going through the steps of getting it where it works for you, and each person is different and each company is different in making sure the applications are correct.

 

Frank Smith:

So if you don't accept the fact that it's a good idea to do that, if you have any type of compliance standards, so you're trying to meet a HITRUST or a NIST or a CMMC, anything that has a basic framework that says you have to comply with, within those frameworks, ISO 27001, that's not even a mandatory one, but I know a lot of companies comply with it, the most basic types of things that you need to do include baselining configurations, monitoring the configurations, using the concept of least privilege, which means typically if somebody doesn't absolutely need some type of administrative access, you don't give it to them.

Frank Smith:

We need some type of administrative access. You don't give it to them. And that's also, by the way, a way of helping prevent malware, ransomware, and things like that from spreading. But the autopilot is an outstanding way to help you meet those compliance requirements. You do that with Intune, because you're going to have some type of an identity and access management piece. You've got these baseline configurations you need to do.

Great solution out of the box. Not going to tell you, you have to have an E5 license to get any of that done. You've got to look at the licensing that makes sense for your company. Get the one that you think is the best deal. You've got to have a licensing expert probably sit down with you and say, "Okay, what are we trying to accomplish?"

 

Ted Brown:

Yes. And the key part to that is also what license works for one user might not be the best for the next user. So you can use the mix and matches. For the most part, if all clients meet a certain category, you can get away with doing the M365 business premium.

But say you have a couple of high level executives that need to have a larger mailbox, then maybe it makes sense to have those go up to the E3 license. So you can do this mix and match, because it's really nice how they set up that they have Microsoft licenses called the bucket fashion, or as long as they have a license that meets the particular aspect you're trying to use in that bucket, it works so you don't have to have everyone be on the same platform.

 

Frank Smith:

So that is a great segue into a point that I'm going to make that is not intentionally disagreeing with you that says get the license that makes sense. I'm going to put a caveat on that that says, try to minimize the number of license types you have in your organization. And there's a couple reasons for that.

So many of you are probably already customers of Ntiva. You send us a ticket via email and say, "I have a new user starting Monday, please set up his account." If you have seven different types of licensing within your environment, you've got to then say, "Specify which licenses get added to which users." Then we have to say, "Okay, well, we're going to have to add licensing for this license type," and you might have extra licenses of something else, depending on how you got them and everything else.

 

Frank Smith:

The KISS model applies here. The other reason for that is that, when you start getting into these licensed add-ons, and I'm not talking about somebody that needs Project or Visio or anything like that, but if you've got groups and say you've got EMS E3s and some EMS E5s, it gets really complicated when you try to figure out, "I want this group of users to have E3s plus EMS E5, but these users should have EMS E5 on top of their E5s, and these guys are Exchange only," it just gets complex to try and keep track of it. It also opens up the environment for errors. "I meant for this person to have that and I forgot to say, 'Apply that license'."

Ted Brown:

Yeah, I agree with that. And just in case there's a need to go down that path, you can start taking a look at potentially using groups for licensing. So you can actually say, "I want this specific subset of users to always have this set of licensing," so you can license per role function and say, "I want to make sure that the role function for accounting," always gets this subset of licensing, and boom, anyone added to that group gets that.

So, there's ways to make sure if you get to a large scale deployment that you can try to minimize the actual burden of making sure to remember exactly which license to add instead the correct one as a template and you can go from there.

 

Frank Smith:

So I'm going to steer us over to Multi-Factor Authentication, and I'll apologize in advance because I'll get preachy and say, "Please have MFA enabled on all your Microsoft accounts, period." I just can't even tell you the number of times I see some type of a compromise, somebody got into an O365 tenant and MFA was not enabled. MFA is not 100%. No solution is. 

A concerted actor, mainly the nation state actors that you've been reading about in the newspaper and stuff, they are able to find ways to circumvent MFA. But for your typical environment where somebody is trying to come in and they're going to try to do some fake invoices, fake ACH information, stuff like that, they come in, they've picked up compromised credentials or they get you on a password spray attack, they get into your tenant, if they get prompted for MFA, they're going to move on to the next tenant. They're not going to waste the time to do it. Please enable it. It's free with every single account.

 

Frank Smith:

Now there are degrees of MFA and it changes a little bit, and we're not going to get into that today. But if you've got any of these other licenses, you've got the Business Premium, you've got the Azure MFA, extra capabilities, things that are built into it, please enable that. I just can't stress that enough. If you have the right licensing, and this is where it gets a little dicey again, Azure P1 gives you the ability to have conditional access policies. Conditional access policies are superior to enabling MFA on a per user basis.

We won't get into it, make a note, talk to your account manager and say, "Do I have conditional access policies available to me? And what will it take to get that turned on?" That is a superior way to enforce multi-factor authentication. You can do some other things with it too. I mean, you can do some geographical restrictions. There's all kinds of things you can do there. But at a bare minimum, use conditional access policies to enforce multi-factor authentication. Ted, do you want to chime in on just what all that is?

 

Ted Brown:

Yeah. The conditional access piece, it's definitely the way to go if you have the capability of getting there, and really, we mentioned these to you a couple of times. In 365, Business Premium includes it. One of the misnomers I see out there in the industry is, once you add one Azure AD P1 to a tenant, it allows you to use conditional access.

What I've seen some companies do is they'll just add one in there but they have an actual 50 users and try to get away with just having that one be the one applied to all. That's a big no-no with Microsoft and when they come to audit you, which will happen eventually, it will be a fine and, of course, pay the 15% to 20% over what you would have paid for it for the lifecycle. So I've seen that a couple of times out in their blogs suggesting a way to get around that extra fee. Please don't go down that route.

Ted Brown:

It's best to just get the right SKU with what you're able to do with it. And the conditional access does a great job of making sure it forces the entire company to be set up for 365. New user, it's provisioned. You don't have to worry about, hey, was it actually added to it or not? Because the enforcement level of conditional access will force them through the process and potentially even help them get through and set up the enrollment of the device.

I always hear the back and forth, "Well, I don't want to take the extra time to go do the multi-factor authentication." At the end of the day, it's so easy now on devices. It's really just, if you have a device that has biometrics, I just touch my finger on it and it lets me right on through. It really doesn't slow down the process at all.

Ted Brown:

I mean, I've seen customers come to us because they have cyber insurance needs. They're requiring MFA across the board. So if you have any needs to have cyber insurance, which most customers are going to have, you have to have MFA enforced. It's required now to actually get those policies.

Frank Smith:

Yeah. I helped the client about two weeks ago with a cyber application. And they had actually created, the insurance company that is, had created a rider, a three page addendum questionnaire, which was, do you use this and do you have MFA? Do you use this and do you have MFA? And if you answered no to any of the questions they considered you uninsurable.

 

Ted Brown:

Yeah.

 

Frank Smith:

Just flat out, they were just not going to insure you. Ted, in our final five minutes, let's talk just real briefly. If I have an incident, the different licensing and what does it help me do? What I've seen in the last year is that people find things out, a tenant was compromised, there was an email hack, whatever it was, somebody says, "Oh, employee X left and I need some data about what maybe they accessed on the SharePoint in their last month." There is some differences in logging. You spend more money on a licensing and it gives you more logs. What can you share there?

 

Ted Brown:

Yeah, I feel unfortunate. I feel it's actually a miss on Microsoft's side. I really think the logging should be a year, regardless of what license you have, just because of everything that's happening out there in the wild. The E5 licensing, M365 E5, the O365 E5, they give you the one year and above retention policy.

Really, if you have an E1, E3, Business Premium, you have capability to go up to 90 days. There is a trick to actually get to go to a year, but it's not necessarily an easy path to go down to actually get there. There's some blogs out there to actually see how you can do it, but really it's the 90 days. Then anything else below that is about a month long. If you have just Exchange Plan One, if you have any other type of [inaudible 00:28:31] Microsoft 365 Business Standard or Essential, it doesn't quite get the same level of logging.

Ted Brown:

Now, you could go to the other side of it and say, "Hey, maybe I want to have a SIEM in there, another log system that's outside of 365 to pull in and ingest that information, that way you don't have to worry about the retention on 365," which is probably a good way to go. It's, again, an extra fee, that's not included with your licensing. It's always best to try to take advantage as much as you can of what license you have and just to [inaudible 00:29:03] back on something else just before we get [inaudible 00:29:05] of the logging.

That's just another thing I recommend is just saying, "Hey, just because you're using a 365 license doesn't mean you're getting the most out of it." It's always best to take a look, to see what else can you combine? Like email encryption. I see people not using email encryption where it's included in your E3 licensing, Microsoft 365 Business Premium, where you're able to send encrypted emails back and forth to each other, which contain PII or something, and it's already at your fingertips to use, it just might not be enabled.

Frank Smith:

Okay. In our final couple of minutes, I'll say one other thing that you get, and I think it requires an E5. Microsoft has done great things with the security and compliance center in the last year. Some of it is some things moving around, but there's been a lot of capability added to it.

One of the things that I get questions on all the time is on assessment templates, where a client says, "Can somebody give me an assessment of what the configuration of my O365, my M365 is?" There's, I don't even know how many templates, but there's a ton of them. Unfortunately, to access some of the templates requires E5 licensing. For those of you out there that are GovCon, that have NIST 800, that have CMMC, those are the ones I get asked the most about. The templates for those are considered premium templates, and they do require E5 licensing.

Frank Smith:

Take a look. I'd say, certainly ask periodically. Check with your account manager, check with your Microsoft reps, depending on how you're licensed. Ask us. We're happy to chime in and throw some thoughts out there, but as Ted said, definitely take advantage of what you're already paying for.

Before you start paying some for something else, look at what you've got to make sure that it's being implemented correctly and completely, and that you're taking advantage of all the things in there. We're happy to help you take a look at those licenses. It's a non-trivial thing, and I'll be the first to admit that I can't keep up with it. I think even Ted, you probably feel overwhelmed sometimes trying to keep up with it.

 

Ted Brown:

It's too fluid. They change it all the time. Keep you on your toes. I guess maybe it keeps you learning, so it's definitely good. What's there today might change tomorrow, even with the templates, but it's always best [inaudible 00:31:47] just like you said because I really feel at some point, this is going to go down the chain and come down to the lower level of subscriptions just because the need out there.

 

Frank Smith:

Back after the SolarWinds problem in December when the heads of Microsoft, FireEye and SolarWinds were testifying on the Hill, I believe it was the chairman of the committee that was doing the questioning, said, "Why is security a profit center at Microsoft?" The president of Microsoft said, "Well, Microsoft is in the business of making a profit," but we're hoping that some of these things will in fact find their way down into the other licensing schemes. From your standpoint, take a look at it.

If it means upgrading licenses, some of that is going to be cost of doing business and other businesses are going to be doing the same thing. It's not necessarily going to place you at a competitive disadvantage. Losing a couple of hundred thousand dollars in an email attack with some bad ACH information, that's going to affect you more than any license changes are. Ted, that takes us right up to 12:30. Thank you for giving up your lunch half hour. I don't see any questions in the queue, so we will wrap it up for this time. If you need anything, please reach out to us and thanks for joining us today.

 

Ted Brown:

Pleasure joining you. Enjoy your day.

About the Ntiva Cybersecurity for the Rest of Us Livestream

Ntiva’s Frank Smith hosts the Cybersecurity for the Rest of Us livestream every other Thursday from 12:00 to 12:30pm ET. These live events, presented by the Ntiva team of cybersecurity experts, are sharply focused, easily digestible, and cover topics surrounding cyber security in today's modern workplace. We take questions from the audience and share what's working for us and others in the industry.
