Still waiting for full Azure AD Premium P1 in Microsoft 365 Business…and other Christmas wish list items.
By Alex Fields
Update March 2020: Spotted today in the message center:
I had written on this topic a while ago, and many of the components that we were looking to get from Azure AD Premium P1 have in fact arrived since that time (such as password write-back and Conditional Access). But honestly, why doesn’t the Microsoft 365 Business SKU just include Azure AD Premium P1? That’s how it should have been from Day 1.
We’ve seen most of this opened up over the last few months, but as of today I still need to add the P1 license to an M365B tenant to fill out the capabilities that we need to have. I will pick on a couple of them now.
Sign-in activity log
Don’t get me started here. I think this should be available in ALL 365 subscriptions, but it absolutely needs to be in Microsoft 365 Business–this is supposed to be the flagship product for SMB, not to mention the fact that all the marketing pushing this thing forward is focused around security.
So, is it just me? Am I missing something? Wouldn’t we expect to be able to review the sign-in log without purchasing another security-related add-on?? I also view this as “my data” already, and something I should just have access to without paying an extra toll. Ludicrous.
Some key features around groups are missing. For example, the Groups Expiration policy is not included.
As well, we cannot target security groups when assigning applications to users in Azure AD.
Both of those issues are cleared up as soon as you add even a single Azure AD Premium P1 license to the tenant.
According to the service description, Dynamic groups are not supported either (e.g. creating a group membership based on some kind of property, like devices that are iOS or users that belong to the Marketing department). Interestingly enough, we are not prevented from actually creating these; however, their use in things like Intune policies or app assignments is not officially supported without the proper license.
Conditional access doesn’t all the way work…
You can, from the Azure AD admin center, create CA policies with Microsoft 365 Business. Which is great. But there are a couple of other places stuff does not work. One of them is the Graph–I can GET (read) but not POST (write) Conditional access policies using the Graph. Granted, this is still in beta–I am assuming it is a bug in the current build that will be worked out in time.
Also, when you go to the SharePoint admin center and attempt to use the access controls for unmanaged devices (which just auto-deploys Conditional access policies depending on the selection you make)–this also is broken. I guess SharePoint admin center didn’t get the memo about the licensing change when Conditional access went live in M365B.
Again, adding a P1 license to the tenant, or even just a trial license, will fix this in a split second. I am sure the fact that it doesn’t work is just an oversight, and it’s silly that we have to jump through an extra hoop to get access to a feature we’re already supposed to have.
The SKU is too complex right now
Even Microsoft can’t keep up with the nuances of this product, as evidenced by the fact that not everything that is supposed to work does just yet. As well, I have had to explain to MS support on numerous occasions that a particular feature is indeed supported with this SKU, and show them the article as proof before they would continue to work with me. Insane.
Not to mention, having to explain what is and is not included from AAD Premium P1 just muddies the waters when customers are shopping around. If Microsoft wants this product to be a slam dunk then this mess needs to be cleared up.
Microsoft 365 =
- Office 365
- Enterprise Mobility + Security
- Windows 10
But what we have in the Business edition is a complicated amalgam of features from Enterprise mashed up in one Bastard SKU–with a neutered version of EM+S that is difficult to understand for the average customer (and even partner) unless you are really dialed into the happenings within this product. I probably have done better with this than anybody, Microsoft included (as mentioned, I take them to school often).
Now what I would really love to be able to say is that M365B is essentially the same thing as M365E3, but with a small & mid-sized business focus (e.g. 300 user limit), and by the way Mr./Mrs. Customer, ATP P1 is included also (normally only found in E5)! I think that would make the product much more appealing, easier to sell, and less confusing for all parties involved.
Aaaannnd…. the post-breach stuff
Now that’s just to take care of the easy, low-hanging fruit: get Azure AD Premium P1 added, and make life simpler for us.
The other issue that we have with this SKU, which I have written about before, is that we lack any post-breach detection and response software such as MCAS and MDATP. The result is I still have to add other products, or go to third-parties to round out my offering as a partner with managed security services attached.
One potential solution to this second problem is to have a B3 and B5 that essentially mirrors the E3 and E5 offerings (with that 300 user limit of course). However, another solution may be possible…
If the Microsoft 365 Business SKU were brought up to par with the E3 offering (to include Azure AD Premium P1) then in theory it would open up the option to add-on Microsoft 365 E5 Security, which includes Azure AD Premium P2, MDATP, MCAS and so on–all the security goodness from Microsoft 365 E5, just segmented out into its own SKU (priced at USD 12.00/user/month).
Unfortunately, at the time of this writing, we cannot add Microsoft 365 E5 Security to Microsoft 365 Business–because certain components are not officially supported on Business (I’m looking at you, MDATP). Not to mention: we need Azure AD Premium P1 as a pre-req to use this add-on.
However, if we could get it to a point where MDATP is fully supported and compatible with the Business edition, and AAD Premium P1 is just included with M365B out of the gate, then we’re off to the races. An MSP or MSSP could construct two offerings:
- “Standard” protection = Microsoft 365 Business–good baseline for most SMBs looking to better protect their organization and improve security posture
- “Advanced” protection = add on Microsoft 365 E5 Security–this of course is required to move into detection and response territory (post-breach stuff)
Combining both of these SKUs would still work out to USD 32.00/user/month–a fantastic price (the same as M365E3 in fact). As of today, if I want to sell an “advanced” security service, I essentially have to sell products from third-party vendors to cover items like EDR, SIEM, advanced detection and alerting, etc.
I would LOVE to get this all from Microsoft, as I could reduce the number of agents and complexity of deployment (plus they are doing a great job with their security offerings), but we’re just not quite there yet for the SMB.
Final ask: Multi-tenant
The last piece that would bring everything home for partners is of course the multi-tenant view across services. I know Microsoft has started working on this, which is great news.
Now, on Day 1, this service should provide visibility (which we don’t have today) into both the tenant licensing AND service configurations. For instance, I want to know whether Office 365 ATP is present, enabled and configured properly with the baseline that I put in place. Or, to know (and not guess) that the unified audit log is enabled.
I can put down some baseline configs today but how do we know they are still in place tomorrow? Or the next day? Or the day after that? If I were an attacker or rogue admin the first thing I’d do is disable the audit log so that nobody can see what it is that I’m about to do. Aside from that concern, just managing configuration drift and configuration versioning is very tedious right now.
Later down the road the “nice to have” features would be the ability to create scripts, policies or standard configs and push them across all tenants centrally (without having to run a script against each tenant separately). But Day 1 just having visibility is the key.
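Until a multi-tenant view exists, the “is the audit log still on tomorrow?” question above can be answered with a scheduled drift check. The script below is an added example, not from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, a partner account with delegated admin access to each customer tenant, and the tenant names are constructed placeholders.

```powershell
# Added example: compare each tenant's current settings against a baseline
# and report anything that has drifted. Assumes ExchangeOnlineManagement is
# installed and the account has delegated (partner) access to every tenant.

# Constructed placeholder tenant names; replace with the real onmicrosoft.com names.
$Tenants = @('contoso.onmicrosoft.com', 'fabrikam.onmicrosoft.com')

# Baseline: properties of Get-AdminAuditLogConfig and the value we expect.
# UnifiedAuditLogIngestionEnabled is the switch an attacker or rogue admin
# would flip to hide what they are about to do.
$Baseline = @{
    UnifiedAuditLogIngestionEnabled = $true
}

function Get-TenantConfigDrift {
    param(
        [Parameter(Mandatory)] [string]    $PartnerUpn,   # partner admin signing in
        [Parameter(Mandatory)] [string[]]  $TenantList,
        [Parameter(Mandatory)] [hashtable] $Expected
    )

    foreach ($Tenant in $TenantList) {
        try {
            # -DelegatedOrganization connects the partner account to a customer tenant
            Connect-ExchangeOnline -UserPrincipalName $PartnerUpn `
                -DelegatedOrganization $Tenant -ShowBanner:$false -ErrorAction Stop

            $Config = Get-AdminAuditLogConfig

            foreach ($Key in $Expected.Keys) {
                [pscustomobject]@{
                    Tenant   = $Tenant
                    Setting  = $Key
                    Expected = $Expected[$Key]
                    Actual   = $Config.$Key
                    Drift    = ($Config.$Key -ne $Expected[$Key])
                }
            }
        }
        catch {
            # A tenant we cannot read is itself a finding, not something to skip silently.
            [pscustomobject]@{ Tenant = $Tenant; Setting = 'connection'; Expected = 'ok'
                               Actual = $_.Exception.Message; Drift = $true }
        }
        finally {
            Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
        }
    }
}

$Results = Get-TenantConfigDrift -PartnerUpn 'admin@partner.example' -TenantList $Tenants -Expected $Baseline
$Results | Where-Object Drift | Format-Table -AutoSize      # only the tenants that moved off baseline
$Results | Export-Csv -Path ".\drift-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Any other property returned by Get-AdminAuditLogConfig can be added to the `$Baseline` table, and the dated CSV gives you the configuration versioning trail the paragraph above is asking for.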
All that having been said, Microsoft 365 Business is still, dollar for dollar, the best value out there. I am critical only because I love this product, and when you love something you tend to hold it to a higher standard. Or at least I do. We are still waiting for this to get REALLY good, MSFT. Let’s make it happen.