Noncompliance in O365 or M365 With Microsoft Is as Easy as Counting From One to Three
There is a common myth surrounding Microsoft licensing in the cloud that license compliance becomes an issue of the past. Unfortunately, it’s not that simple.
As organizations purchase or renew into O365, there can often be two or more user licensing profiles. Multiple profiles can optimize both cost and functionality for the organization. Organizations can choose from Firstline (F1, F3), O365 (E1, E3, E5), or M365 (F3/E3/E5). Add-on security products can also be cause for concern.
While some functionality can be easily managed and controlled on a per-user basis, other features, according to Microsoft, “are not currently capable of limiting benefits to specific users.” These are controlled on a tenant basis and, if enabled, could cause serious compliance concerns going forward. While Microsoft has not so far audited for cloud functionality, it could start to do so once we return to normal, post Covid-19. This would enable it to recoup the large amount of revenue that was left on the table due to additional discounts, promos, or free trial licenses for Teams.
If you are wondering how we have gotten to this point, Microsoft seems to have taken a page out of Oracle’s licensing book. Oracle has been known not to use license keys, as doing so would slow down an organization’s ability to deploy and use software. Similarly, Microsoft’s wording around functionality limitations now reads, “This will help avoid potential service disruption to your organization once targeting capabilities are available.”
Those looking to understand the level at which a particular product is provisioned/deployed can find further information here. For organizations looking to develop an action plan, Microsoft has a section for each product named “How can the service be applied only to users in the tenant who are licensed for the service?” Most solutions listed are to configure by groups, and others by policies or role-based access. There are still, however, a number that have no workaround and are provisioned/deployed at a tenant level. These are the ones to be the most careful with, as they will be the first Microsoft will look at in an audit.
The following 22 products are being provisioned/deployed at a tenant level and should be reviewed:
- Azure Active Directory Identity Protection
- Azure Advanced Threat Protection
- Office 365 Advanced Threat Protection
- Office 365 Cloud App Security
- Microsoft Cloud App Security
- Microsoft Defender ATP
- Information Protection
- Information Governance
- Records Management
- eDiscovery
- Office 365 Customer Key
- Office 365 Customer Lockbox
- Privileged access management in Office 365
- Office 365 data loss prevention for Exchange Online, SharePoint Online, and OneDrive for Business
- Communication Data Loss Prevention for Teams
- Information barriers
- Office 365 Message Encryption
- Office 365 Advanced Message Encryption
- Communication Compliance
- Insider Risk Management
- Conditional Access policies
- Advanced Audit
Our Take
- Examine your environment sooner rather than later for functionality that is currently being used at a tenant level and could pose a risk.
- Build an action plan for functionality that can be moved from the tenant level to control through policies, role-based access, or groups.
- Determine whether the organization will assume the risk on tenant level products that remain unchanged.
- If you are adding functionality or licensing to the environment at renewal time, be sure to check how the product is provisioned/deployed.