How to bundle even more security into your Office 365 subscription

In a previous post, I covered some of the most common SKU’s that are frequently purchased by small businesses, who are migrating to the Office 365 platform. In a nutshell, by FAR the most common of those are Office 365 Business Premium and Office 365 Enterprise E3–and the latter of these has a few security/compliance features that many enterprises (small and large alike) will benefit from–like Information Protection (e.g. includes message encryption for Email), Data Loss Prevention (DLP), and so on.

While every Office 365 SKU will allow you to do some basic Mobile Device Management (MDM) and Multifactor Authentication (MFA), some businesses need to up their security game even further, and for that, Microsoft’s cloud has a lot to offer. I want to cover quickly the basic features of the “Enterprise Mobility & Security” packages; a lot of people still find all of this stuff super confusing. Don’t feel bad–it IS confusing.

Why look at Enterprise Mobility & Security (EMS)?

One of the more important considerations here for many businesses, is that the “EMS” packages are designed to protect cloud AND traditional/premises-based assets.  For example, these licenses also include Windows Server CAL’s. This is an important distinction to make–all the security features which are baked into your other Office 365’s SKU’s will generally be aimed at protecting “365-hosted” content only.

Take for instance Multifactor Authentication: it is included with all of the Office 365 Business and Enterprise bundles, but you can only enable it for signing into Office 365 apps, specifically. Now, there is a separate Multifactor Authentication subscription available which allows you to do things like protect on-premises applications, sometimes requiring the Azure MFA Server to be installed on-prem (depending on what you need to protect). These more “advanced” MFA setups will usually require you to purchase additional licensing–and one way of getting this feature is through Azure AD Premium, which is bundled into the EMS suite of services.

However, that is not to say that an organization who is 100% cloud-based could not benefit from EMS, just because they have no need of protecting premises-based assets. For example, the MFA subscription that is included with Azure AD Premium also allows you to extend protection to third-party cloud apps (which means they must be setup for Single Sign-On or SSO). So there are some pretty great features even for entirely cloud-based businesses.

EMS E3 Summary

Each of the two EMS subscriptions enables a multi-layered security approach to protecting your assets, regardless of whether they live in-cloud or on-premises. Let’s start with describing E3 ($8.74 USD /user/mo at the time of this writing).

• Identity management & sign-in protections via Azure AD Premium P1
  • Advanced Multifactor authentication options (discussed above)
  • Enables password write-back and self-service password reset (SSPR) for on-premises based users who are “synced” via Azure AD Connect (Note: cloud-only users will already have the ability to reset their own passwords without an additional subscription).
  • Configure Single Sign-On (SSO) across on-prem AND cloud-based resources, including “Custom” apps (apps not found in the Azure AD app gallery–this requires SAML support by the third party vendor)–more people are starting to ask for this feature!
  • Conditional access based on things like geo-location or IP address, etc.
  • More detailed security reports
• Device management & endpoint protection features via Intune
  • Advanced MDM features like application management–push & update apps, restrict copy/paste of content between apps, etc.
  • Manage Windows PC’s too (Note: not a replacement for Group Policy or Managed Services agents), and get detailed hardware & software inventory reports
  • Conditional access based on the type of device being used
• Encryption of data and email messages using Azure Information Protection P1*
  • Encrypt email messages and attachments with Office Message Encryption (OME)
  • Encrypt and restrict content on Office documents
  • Track usage of shared documents and revoke access to ones previously shared
• Advanced Threat Analytics (ATA)
  • This is an on-premises solution designed to help detect possible breach events (I have yet to use this, but it is on my to-do list in the lab)

*Note: per requirements, this is usually paired with an Office 365 Pro Plus edition (and in fact Office 365 E3 already includes Azure Information Protection)

EMS E5 Summary

We also have an E5 variety these days, which of course includes all of the above, and adds further functionality to Azure Active Directory Premium and Azure Information Protection (the “P2” versions of these plans), as well as introduces some other services on top of that:

• Azure Active Directory Premium P2
  • Adds “Risk-based” conditional access, meaning that machine learning is leveraged to auto-magically block or challenge access when risk is detected
  • Azure Identity Protection flags suspicious logon events for admin investigation, and even allows you to configure risk-based policies to mitigate these types of incidents
• Intune: Same as above
• Azure Information Protection P2
  • Adds intelligent data classification and labeling, meaning that data can be automatically categorized and encrypted (you are doing this manually with P1)
• Advanced Threat Analytics: Same as above
• Cloud App Security
  • Adds the ability to detect cloud-based SaaS apps that are in use in your environment, and then to bring them under corporate visibility & control
  • Can be integrated with existing SIEM products
  • I have not personally used/implemented this before, but it looks pretty cool
• Azure Advanced Threat Protection
  • Detect and alert on suspicious user behavior across cloud AND on-premises resources/assets, in real time
  • It can produce a nice timeline of attacks, etc. so you can see how a breach event unfolded
  • Again, haven’t used this, but read some good things.

This graphic summarizes it nicely (image credit: ITProMentor.com):

I don’t usually find that many customers interested in E5, at least in the SMB market today (which is understandable when it retails at $14.80 USD /user/mo at the time of this writing). The most common features people in our market tend to go after are already included in EMS E3.  And interestingly, Office 365 E3 already includes Azure Information Protection, and covers most of what many small enterprises need (especially if the on-premises footprint is minimized). Therefore, many times customers simply settle on Office 365 E3 or Office 365 E3 plus Azure AD Premium (which is $6 USD /user/mo at the time of this writing). Very rarely are we looking beyond that to these EMS bundles–but your needs/requirements may justify stepping up your investment in these cloud-based protections. It is also worth noting that non-profits get EMS E3 for a ridiculously low price, so it is often worth it to just add-on anyway, even if you don’t need all the features right away.

In an upcoming post, I will also take a closer look at the Microsoft 365 SKUs which are available (not to be confused with Office 365)–and these SKUs are perhaps best described as a bundle of bundles. More on that later. Stay tuned.