A “SHORT” GUIDE TO THE JUNGLE OF MICROSOFT 365 SECURITY AND COMPLIANCE LICENSING – PART 2
Who hasn’t already felt lost looking for information on Office 365 licensing? In this article, I will help you decipher the existing plans, as well as provide a few tips and reminders on recent announcements from the publisher.
In today’s modern workplace, it is essential for security and compliance teams to know the native capabilities of collaboration and communication platforms. This knowledge will enable them to define a coherent strategy that takes into account data protection needs as well as regulations, the urbanization of the information system and the unavoidable subject of user experience.
For companies using the highest licensing plan, Microsoft 365 E5, there is no problem: all functionalities are available. For others, the subject is much more complex.
This article is oriented for companies with more than 300 employees. For other organizations (education, associations, small and medium enterprises) the license plans are slightly different, but the information below is still applicable for most of them.
Part 1 of this article is available here.
2/ Appropriating the licensing logic
For those unfamiliar with Microsoft licensing, there are three principles governing the allocation of licenses according to the population concerned:
- An internal user of a service or benefiting indirectly from the product (e.g. dynamic group, classification of a SharePoint site, sharing of Power BI dashboards) must have the required license;
- Most administration roles require the license of the managed service to access the administration portal or associated PowerShell commands;
- External users or guest users do not need a specific license to collaborate on Office 365 content. This is made possible by the free capabilities of Azure AD. However, if a guest user is subject to Azure AD Premium features (P1 or P2), a sufficient number of licenses must be available (1 license purchased for 5 guest users).
Licenses are nominative and are per user and per month.
Please note that the same product may be available with more or less advanced functionalities depending on the level of licenses chosen. A recurrent example concerns the unified audit logs: these logs are kept for 90 days with Office E1 or E3 licenses, whereas with Office E5 licenses the duration is 365 days.
3/ Unlocking the mystery of licensing plans
As a reminder, the Microsoft licensing model consists of the following elements:
- Licensing plan: A plan that defines the services available to the publisher in the tenant. Most of the time, a license plan will be a collaborative bundle (Office 365), a security bundle (EMS) or a package (Microsoft 365);
- License: To be considered active, and thus be able to sign in to the tenant, a user must at least have a;
- Service: A service is a Microsoft 365 product, feature or capability that requires a license. This license can come from several different license plans: for example Office 365 E1 provides SharePoint Online Plan 1 while Office 365 E3 and E5 provide SharePoint Online Plan 2;
- SKU: In Microsoft language, this term from inventory management refers to the implementation of a license that can be assigned to a user.
Office 365 collaborative bundles: natively included data protection and compliance capabilities
Collaborative licensing plans, also known as Office 365 bundles, are the basis of Microsoft 365 licensing. These plans natively incorporate increasing compliance features. Security options, however, are quite limited and must be purchased independently.
The first plan is Office 365 E1. This plan integrates all office automation services in web mode only. The compliance and security products are the bare minimum of what can be expected from an enterprise SaaS service today: Security Defaults (basic MFA), Audit Logs, Content Search and Retention Tags.
Office 365 E3 adds the thick clients of the Office Suite (now called Microsoft 365 Apps), as well as data protection features (Information Protection for Office 365 and Office DLP), Core eDiscovery and default retention policies. This licensing plan is the preferred licensing plan for standard users in today’s enterprises.
Finally, Office 365 E5 is designed for specific office populations with telephony, Power BI Pro and usage analytics for the Office 365 suite. It also integrates automatic classification (without machine learning), compliance options for populations subject to regulations (Records Management, Customer Key, Customer Lockbox, Information Barriers, Communications Compliance) and advanced investigation options (Advanced eDiscovery and Data Investigations), as well as Office ATP and Office CAS.
Two important points to note:
- Office DLP and AIP P1 can be purchased as additional licenses for Office E1 users, in order to have data protection features similar to Office E3;
- The Multi-Geo option is an additional license, regardless of the license plan chosen.
Security bundles: additional security features
Introduced in 2014, the EMS security bundle (Enterprise Mobility Suite, then Enterprise Mobility + Security) integrates various security products. These products are designed to control identities, mobile devices and applications accessing Office 365 data.
- EMS E3: Intune, Azure AD P1, AIP P1, Advanced Threat Analytics;
- EMS E5: Azure AD P2, AIP P2, Azure ATP and Microsoft Cloud App Security.
Today, EMS E3 is a must-have for organizations that choose to go with a “Full Microsoft” strategy. Intune and Azure AD P1 provide a consistent strategy for managing access to the Office 365 platform. On the other hand, few organizations have chosen to generalize EMS E5, a bundle rather oriented for sensitive populations or administrators, due to a lack of consistency between the different security products included.
Microsoft 365 packages: a complete but expensive offer
Announced in 2017, Microsoft 365 is now the flagship product of the Redmond-based publisher. This licensing plan combines the functionalities of Office 365, the EMS suite and Windows 10:
- Microsoft 365 E3 = Office 365 E3 + EMS E3 + Windows 10 E3;
- Microsoft 365 E5 = Office 365 E5 + EMS E5 + Windows 10 E5.
Contrary to popular belief, and despite the various name changes introduced in 2020 (Office 365 Groups to Microsoft 365 Groups, Office Pro Plus to Microsoft 365 Apps), the Office 365 brand has not disappeared.
We should note that Microsoft 365 E5 is the only office automation subscription that includes Trainable Classifiers (classification via Machine Learning), Insider Risk Management or Safe Documents (extension of Windows Defender ATP to scan open documents in protected mode).
Microsoft 365 E5 Compliance and Security: A Turning Point in Security and Compliance License Management
Microsoft 365 E5 Compliance and Microsoft 365 E5 Security were introduced in early 2020 to simplify security and compliance licensing by grouping products under consistent licensing plans. This was good news, as the situation between EMS products and legacy compliance products (e.g. Advanced Data Governance and Advanced Data Compliance) had become increasingly complex.
Microsoft 365 E5 Compliance combines the full range of information protection, governance and investigation capabilities. Depending on requirements, three sub-bundles can be considered:
- Microsoft 365 E5 Information Protection & Governance: AIP P2, Microsoft Cloud App Security, Advanced Retention Policies, Records Management, Advanced Office DLP and Advanced OME, Customer Key and Trainable Classifiers;
- Microsoft 365 E5 Insider Risk Management: Insider Risk Management, Communications Compliance, Information Barriers, Customer Lockbox and PAM;
- Microsoft 365 E5 eDiscovery & Audit: Advanced eDiscovery, Advanced Auditing and Data Investigations.
Officially presented as extensions to Microsoft 365 E3, the documentation suggests that the licensing requirements would be lower. The Information Protection & Governance extension would “only” require AIP P1 and Plans 2 for Exchange Online and SharePoint Online (i.e. Office 365 E3).
Microsoft 365 E5 Security combines Azure AD P2, the Advanced Threat Protection suite (Azure ATP, Office ATP, Windows Defender ATP) and Cloud App Security. This bundle will be interesting for organizations that are not large enough to manage many security tools (MFA, EDR, AD Monitoring, Mail Gateway, CASB).
Firstline Workers focus
The Office 365 F3 and Microsoft 365 F1 and F3 licensing plans are intended for Firstline Workers:
- Microsoft 365 F1 is a licensing plan that includes EMS E3, Teams and SharePoint (content sharing and consumption only);
- Microsoft 365 F3 combines EMS E3, Windows 10 E3 and Office 365 F3;
- Office 365 F3 is a lighter version of Office 365 E1, with similar functionality (mainly Exchange, SharePoint, OneDrive, Teams and Power Platform) but much more limited storage for OneDrive and Exchange.
Microsoft defines this population as “users without a dedicated terminal, with occasional use.” Concretely, a dedicated terminal is a computer equipment with a screen of more than 10.1 inches, used by an employee for more than 60% of his working time. Examples can be medical populations, salespeople in a store, or workers in a factory.
Therefore, Fx licenses cannot be used to optimize licensing costs for populations with no advanced needs.
4/ Getting the right tools to find relevant information
There is no official roadmap that makes it easy to find one’s way between products and license levels (E1, E3, E5, F1, F3, etc.), and it seems that everything is done to steer companies towards the most expensive licenses. Therefore, it is not surprising to see companies specializing in the very specific Microsoft licensing segment (optimization consulting or management solution publishers).
How to find out what exists (official sources)
For licenses related to compliance and security products, the most comprehensive reference is the documentation “Microsoft 365 Compliance & Security Licensing Guidance”. Unfortunately, this official documentation is not exhaustive. For example, it is missing:
- Products in private or public preview. For example, the new Endpoint DLP requires a Microsoft 365 E5 Compliance or Microsoft 365 E5 Information Protection & Governance license;
- Details about some compliance products. For example, Office DLP is available with an additional license;
- Information related to Azure Active Directory Premium P1 or P2 features and information related to Intune.
Note that a fairly complete table, available in .pdf and .xlsx, provides a cross-reference of use cases and compliance licenses. Beware, this table can be scary!
There is not yet an equivalent official summary for security licenses. Product documentation (e.g. Intune) and licensing information pages (e.g. Azure Active Directory) remain the best sources of information.
Important point: most official sources specify that they do not constitute a sufficient contractual commitment. Only an exchange with the Microsoft TAM will confirm the availability of a specific license and the associated price.
How to find out what exists (unofficial sources)
Apart from the official documentation, I use two rather interesting sources when talking about Microsoft 365 licensing:
- Unofficial mapping of Microsoft 365 products, by Aaron Dinnage (Microsoft): this is the most complete document available on the subject;
- Details and public pricing (in dollars) of the various Microsoft 365 licensing plans, by Dan Chemistruck (Infused Innovation).
How to find out what’s available in the tenant
There are three possibilities to master the licenses (unit licenses, bundles, or packages) and products acquired in an Office 365 tenant.
The first and simplest is simply to use the information available in the Office 365 or Azure administration portals. However, these portals only offer basic functionalities: no actions for a large number of users, a global dashboard (licenses acquired, used and non-compliant) without granularity by country or entity, etc.
The second option is to acquire a license management or optimization tool (e.g., ManageEngine, QuadroTech, CoreView). This type of solution is more suited to SMBs than large corporations, which prefer the third option because of economies of scale.
The last option is to develop a licensing tool (based on PowerShell scripts and Microsoft Graph APIs) and a dashboard (usually on Power BI). This choice will make it possible not only to overcome the limitations of native tools, but also to delegate the control of licenses to the various IT localities in a decentralized context.
Focus on development: how to find your way among the names
The development itself is not particularly complex. On the other hand, a common problem appears very quickly – the names of the services obtained by PowerShell and Graph API are simply incomprehensible. These names often come from buyouts or internal Microsoft project names (e.g. ADALLOM for MCAS, RIGHTSMANAGEMENT for AIP P1 or SPE_E3 for Microsoft 365 E3).
From experience, it is therefore essential to keep an up-to-date list of correspondences between the SKU names obtained by scripting and the official names:
- The official Microsoft list is unfortunately far from exhaustive and is not regularly updated;
- Several unofficial lists are maintained and available on the Internet.
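As an added example (not code from the original article, and not Microsoft's own tooling), the following PowerShell script shows the core of such a licensing tool: a hand-maintained mapping table from raw SKU and service plan names to commercial names, applied to objects in the shape returned by the Microsoft Graph `subscribedSkus` endpoint, to produce a purchased/assigned/non-compliant report per SKU. The script uses a constructed sample instead of a live tenant so that it runs offline; the commented `Connect-MgGraph` / `Get-MgSubscribedSku` lines are the real Graph PowerShell SDK cmdlets you would use for live data. Only SPE_E3, ADALLOM and RIGHTSMANAGEMENT come from the article; the other part numbers and all figures are assumptions for the example.

```powershell
# Added example: map raw SKU / service plan names to readable names and flag
# over-consumed SKUs. Live data would come from the Graph PowerShell SDK:
#   Connect-MgGraph -Scopes "Organization.Read.All"
#   $skus = Get-MgSubscribedSku
# A constructed sample with the same property names is used below instead.

# Mapping tables to keep up to date (the official list is incomplete).
# Entries marked "assumed" are not taken from the article.
$SkuFriendlyNames = @{
    'SPE_E3'         = 'Microsoft 365 E3'      # from the article
    'ENTERPRISEPACK' = 'Office 365 E3'         # assumed for the example
    'EMS'            = 'EMS E3'                # assumed for the example
}
$ServicePlanFriendlyNames = @{
    'RIGHTSMANAGEMENT'    = 'Azure Information Protection Plan 1'  # from the article
    'ADALLOM_S_STANDALONE' = 'Microsoft Cloud App Security'         # "ADALLOM" prefix from the article, exact name assumed
    'AAD_PREMIUM'         = 'Azure AD Premium P1'                  # assumed for the example
}

# Constructed sample in the shape of Get-MgSubscribedSku output (figures are invented).
$SampleSkus = @(
    [pscustomobject]@{
        SkuPartNumber = 'SPE_E3'; ConsumedUnits = 1250
        PrepaidUnits  = [pscustomobject]@{ Enabled = 1200; Suspended = 0; Warning = 0 }
        ServicePlans  = @(
            [pscustomobject]@{ ServicePlanName = 'AAD_PREMIUM';      ProvisioningStatus = 'Success' },
            [pscustomobject]@{ ServicePlanName = 'RIGHTSMANAGEMENT'; ProvisioningStatus = 'Success' }
        )
    },
    [pscustomobject]@{
        SkuPartNumber = 'ENTERPRISEPACK'; ConsumedUnits = 300
        PrepaidUnits  = [pscustomobject]@{ Enabled = 800; Suspended = 0; Warning = 0 }
        ServicePlans  = @([pscustomobject]@{ ServicePlanName = 'RIGHTSMANAGEMENT'; ProvisioningStatus = 'Success' })
    },
    [pscustomobject]@{
        SkuPartNumber = 'ADALLOM_STANDALONE'; ConsumedUnits = 40   # not in the SKU table on purpose
        PrepaidUnits  = [pscustomobject]@{ Enabled = 50; Suspended = 0; Warning = 0 }
        ServicePlans  = @([pscustomobject]@{ ServicePlanName = 'ADALLOM_S_STANDALONE'; ProvisioningStatus = 'Success' })
    }
)

function Resolve-Name {
    # Returns the friendly name, or a marker telling the maintainer to extend the table.
    param([string] $RawName, [hashtable] $Table)
    if ($Table.ContainsKey($RawName)) { return $Table[$RawName] }
    return "UNMAPPED ($RawName)"
}

function Get-LicenseComplianceReport {
    # One row per SKU: purchased vs assigned units, status and the products it carries.
    param(
        [Parameter(Mandatory)] [object[]] $SubscribedSkus,
        [hashtable] $SkuTable = $SkuFriendlyNames,
        [hashtable] $PlanTable = $ServicePlanFriendlyNames
    )
    foreach ($sku in $SubscribedSkus) {
        $enabled  = [int]$sku.PrepaidUnits.Enabled
        $consumed = [int]$sku.ConsumedUnits
        # Over-consumption is what the admin portal reports as "non-compliant".
        $status = if ($consumed -gt $enabled) { 'NON-COMPLIANT' }
                  elseif ($enabled -gt 0 -and ($consumed / $enabled) -lt 0.5) { 'UNDER-USED' }
                  else { 'OK' }
        $products = ($sku.ServicePlans |
            Where-Object { $_.ProvisioningStatus -eq 'Success' } |
            ForEach-Object { Resolve-Name -RawName $_.ServicePlanName -Table $PlanTable }) -join ', '
        [pscustomobject]@{
            Sku       = $sku.SkuPartNumber
            Name      = Resolve-Name -RawName $sku.SkuPartNumber -Table $SkuTable
            Purchased = $enabled
            Assigned  = $consumed
            Available = $enabled - $consumed
            Status    = $status
            Products  = $products
        }
    }
}

# Usage: non-compliant SKUs first, then the full table (ready to export to CSV for Power BI).
$report = Get-LicenseComplianceReport -SubscribedSkus $SampleSkus
$report | Where-Object Status -eq 'NON-COMPLIANT' | Format-Table Sku, Name, Purchased, Assigned -AutoSize
$report | Format-Table -AutoSize
# $report | Export-Csv -Path .\license-report.csv -NoTypeInformation
```

Anything the mapping tables do not know shows up as `UNMAPPED (...)` rather than being silently dropped, which is the signal to update the correspondence list when Microsoft introduces or renames a SKU. Assigning the same function to the output of `Get-MgUserLicenseDetail` per user, with a country or entity attribute added to each row, gives the per-entity granularity the native dashboards lack.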
5/ Seven tips to define your security and compliance licensing strategy
- Identify your needs in terms of security (identity, threats, terminals, etc.) and compliance (data protection, regulatory compliance, etc.) for Office 365;
- Formalize an inventory of all the security and compliance tools related to the Digital Workplace available in the enterprise (including mail gateway, EDR, classification, DLP, etc.);
- Formalize a roadmap for security and compliance tools, consistent with the modern workplace (rationalization, native security without agents, zero trust);
- Define a licensing model with different user profiles, in conjunction with the architectural and workplace teams. It can be interesting to favor bundles by considering medium- and long-term needs. The acquisition of unit licenses (or add-on) without global negotiation would be expensive;
- Anticipate product targeting capabilities. Some products (such as the functionalities of Azure Active Directory or MCAS) are difficult to adapt to a complicated licensing model in an international multi-entity context;
- Activate what is available on opportunity in the acquired bundles, avoiding duplication with existing tools in order to not interfere with the signals;
- Keep watch. The functionalities associated with a license may evolve as a result of a development or the purchase of a third-party solution. In some instances, although very rare, Microsoft will embed premium features in basic plans. The message center of the administration portal and the Security and Compliance blogs are indispensable here.
To go further, find in this article the different subjects to be dealt with during the preparation of the Microsoft 365 adventure.