Still waiting for full Azure AD Premium P1 in Microsoft 365 Business…and other Christmas wish list items.Alex Fields
Update March 2020: Spotted today in the message center:
I had written on this topic a while ago, and many of the components that we were looking to get from Azure AD Premium P1 have in fact arrived since that time (such as password write-back and Conditional Access). But honestly, why doesn’t the Microsoft 365 Business SKU just include Azure AD Premium P1? That’s how it should have been from Day 1.
We’ve seen most of this opened up over the last few months, but as of today I still need to add the P1 license to an M365B tenant to fill out the capabilities that we need to have. I will pick on a couple of them now.
Sign-ins activity log
Don’t get me started here. I think this should be available in ALL 365 subscriptions, but it absolutely needs to be in Microsoft 365 Business–this is supposed to be the flagship product for SMB, not to mention the fact that all the marketing pushing this thing forward is focused around security.
So, is it just me? Am I missing something? Wouldn’t we expect to be able to review the sign-in log without purchasing another security-related add-on?? I also view this as “my data” already, and something I should just have access to without paying an extra toll. Ludicrous.
Some key features around groups are missing. For example, the Groups Expiration policy is not included.
As well, we cannot target security groups when assigning applications to users in Azure AD.
Both of those issues are cleared up as soon as you add even a single Azure AD Premium P1 license to the tenant.
According to the service description, Dynamic groups are not supported either (e.g. creating a group membership based on some kind of property like devices that are iOS or users that belong to the Marketing department). Interesting enough we are not prevented from actually creating these, however their use in stuff like Intune policies or app assignments is not officially supported without the proper license.
Conditional access doesn’t all the way work…
You can, from the Azure AD admin center, create CA policies with Microsoft 365 Business. Which is great. But there are a couple of other places stuff does not work. One of them is the Graph–I can GET (read) but not POST (write) Conditional access policies using the Graph. Granted, this is still in beta–I am assuming it is a bug in the current build that will be worked out in time.
Also, when you go to the SharePoint admin center and attempt to use the access controls for unmanaged devices (which just auto-deploys Conditional access policies depending on the selection you make)–this also is broken. I guess SharePoint admin center didn’t get the memo about the licensing change when Conditional access went live in M365B.
Again, adding a P1 license to the tenant, or even just a trial license, will fix this in a split second. I am sure the fact that it doesn’t work is just an oversight, and it’s silly that we have to jump through an extra hoop to get access to a feature we’re already supposed to have.
The SKU is too complex right now
Even Microsoft can’t keep up with the nuances of this product, as evidenced by the fact that not everything that is supposed to work does just yet. As well, I have had to explain to MS support on numerous occaisions that a particular feature is indeed supported with this SKU, and show them the article as proof before they would continue to work with me. Insane.
Not to mention, having to explain what is and is not included from AAD Premium P1 just muddies the waters when customers are shopping around. If Microsoft wants this product to be a slam dunk then this mess needs to be cleared up.
Microsoft 365 =
- Office 365
- Enterprise Mobility + Security
- Windows 10
But what we have in the Business edition is a complicated amalgam of features from Enterprise mashed up in one Bastard SKU–with a neutered version of EM+S that is difficult to understand for the average customer (and even partner) unless you are really dialed into the happenings within this product. I probably have done better with this than anybody, Microsoft included (as mentioned, I take them to school often).
Now what I would really love to be able to say is that M365B is essentially the same thing as M365E3, but with a small & mid-sized business focus (e.g. 300 user limit), and by the way Mr./Mrs. Customer, ATP P1 is included also (normally only found in E5)! I think that would make the product much more appealing, easier to sell, and less confusion for all parties involved.
Aaaannnd…. the post-breach stuff
Now that’s just to take care of the easy, low-hanging fruit: get Azure AD Premium P1 added, and make life simpler for us.
The other issue that we have with this SKU, which I have written about before, is that we lack any post-breach detection and response software such as MCAS and MDATP. The result is I still have to add other products, or go to third-parties to round out my offering as a partner with managed security services attached.
One potential solution to this second problem is to have a B3 and B5 that essentially mirrors the E3 and E5 offerings (with that 300 user limit of course). However, another solution may be possible…
If the Microsoft 365 Business SKU were brought up to par with the E3 offering (to include Azure AD Premium P1) then in theory it would open up the option to add-on Microsoft 365 E5 Security, which includes Azure AD Premium P2, MDATP, MCAS and so on–all the security goodness from Microsoft 365 E5, just segmented out into its own SKU (priced at USD 12.00/user/month).
Unfortunately, at the time of this writing, we cannot add Microsoft 365 E5 Security to Microsoft 365 Business–because certain components are not officially supported on Business (I’m looking at you, MDATP). Not to mention: we need Azure AD Premium P1 as a pre-req to use this add-on.
However, if we could get it to a point where MDATP is fully supported and compatible with the Business edition, and AAD Premium P1 is just included with M365B out of the gate, then we’re off to the races. An MSP or MSSP could construct two offerings:
- “Standard” protection = Microsoft 365 Business–good baseline for most SMB’s looking to better protect their organization and improve security posture
- “Advanced” protection = add on Microsoft 365 E5 Security–this of course is required to move into detection and response territory (post-breach stuff)
Combining both of these SKU’s would still work out to USD 32.00/user/month–a fantastic price (the same as M365E3 in fact). As of today, if I want to sell an “advanced” security service, I essentially have to sell products from third party vendors to cover items like EDR, SIEM, advanced detection and alerting, etc.
I would LOVE to get this all from Microsoft, as I could reduce the number of agents and complexity of deployment (plus they are doing a great job with their security offerings), but we’re just not quite there yet for the SMB.
Final ask: Multi-tenant
The last piece that would bring everything home for partners is of course the multi-tenant view across services. I know Microsoft has started working on this, which is great news.
Now Day 1, this service should provide visibility (which we don’t have today) into both the tenant licensing AND service configurations. For instance, I want to know whether Office 365 ATP is present, enabled and configured properly with the baseline that I put in place. Or, to know (and not guess) that the unified audit log is enabled.
I can put down some baseline configs today but how do we know they are still in place tomorrow? Or the next day? Or the day after that? If I were an attacker or rogue admin the first thing I’d do is disable the audit log so that nobody can see what it is that I’m about to do. Aside from that concern, just managing configuration drift and configuration versioning is very tedious right now.
Later down the road the “nice to have” features would be the ability to create scripts, policies or standard configs and push them across all tenants centrally (without having to run a script against each tenant separately). But Day 1 just having visibility is the key.
All that having been said, Microsoft 365 Business is still, dollar for dollar, the best value out there. I am critical only because I love this product, and when you love something you tend to hold it to a higher standard. Or at least I do. We are still waiting for this to get REALLY good, MSFT. Let’s make it happen.
Hey Alex, this post couldn’t have come at a better time. I’m just in the process of my post-Ignite presentation writeup and my recommendation to move to M365 Business (from O365 Business Premium + AzureP1+ O365ATP) has been quite difficult because making sure M365B came with everything we currently have is almost impossible. Sure it’s great if you want to compare high level features of O365 and M365 but digging into the nitty gritty on WHAT features of Azure or EM+S you actually get or the fact that E3 doesn’t come with Office ATP (wtf?) and whatever else I might be missing is pretty futile. I have a spreadsheet with about 10 tabs of various product and bundle offerings trying to match up what goes where. The way I see it is very similar to how you see it. Office 365 Business = Office products. M365 Business (oh hey same name), add on EMS and Windows 10. Oh but wait it’s not 10 Enterprise, it’s 10 Business… wtf is 10 Business? It’s like Pro… only wearing a suit and tie…
I think I’ve finally settled on M365 + Azure P1 to keep things the same and add on Endpoint management and Windows 10. Going to E3 (and adding on features to bring it to par) is way too much for our 120 user shop.
Rumor has it that AAD Premium P1 is on the horizon here for M365B–but I don’t necessarily believe it till I see it. I want to keep nudging MSFT in the right direction. So hopefully, once that happens, you’d be able to cancel an extra subscription.
I’m in a similar situation. It’s crazy out just adding one license gives all users the missing features. I added a custom SAML app and after a lot of searching, I believe Azure AD P1 is needed to support it. Anyway, I think I’ll be going with M365B and AD P1 as well.
One other thing not mentioned is how they advertise Phone System requiring E3 or E5 which means M365B users can’t use Phone System. In my experience, it works anyway, even on O365 Business Premium plan. However, it looks like there is a new product coming for small business plans including M365 business and it’s called business voice. I wonder what features it’ll be missing…
With regard to voice, it shouldn’t be missing anything–as you mentioned it “works” but what the business product is going to include is more “SMB-friendly” / wizard-driven set up experiences to simplify management and deployment. That is my understanding. Hopefully they get those right, unlike the setup wizards we have today for stuff like Device and app management.
I can see that we’re all on the same line/wishes.
Some “custom” products from MS that aren’t really easy to explain to a customer.. The price change but the features aren’t clearly defined what can/can’t you do with M365B vs M365B + ADP1 as some features are partially locked.
I’ve done my research and I’ve learned that Microsoft 365 Business(8e317199-8161-441b-9f1e-168a3a78ed16) includes the 4th type of Azure AD (AAD_SMB) This type of azure ad includes SSPR with writeback and some other features.
Previously there were only AAD_BASIC, AAD_PREMIUM, AAD_PREMIUM_P2
. Even MS support were not very well documented on this.
Correct there are many features included from P1, but we really need the whole thing.
What do you think of a combination of O365 Business Premium and Enterprise Mobility + Security E3
without the benefits of Windows 10 Business and Azure ATP.
I think is a good option for businesses that need’s office 365 with EM+S.
I still think M365B is better deal, honestly. And not because of the Win 10 stuff. There are certain features being added from the enterprise track to make it essentially the same as E3, plus ATP. And it’s less money. So shared computer activation, legal hold / EOA, retention polices, etc. The value cannot be beat by any other combination of licensing. I’ve tried.
In Message Center now!
“We’re thrilled to announce the availability of Azure Active Directory Premium P1 for Microsoft 365 Business subscribers.
We’ll be gradually rolling this out in early April and expect to complete the roll-out by the end of June.
How does this impact me?
Once this update is complete, you will see a new service plan called “Azure Active Directory Premium P1” in the list of plans included with your subscription.”
The Business Voice SKU is now available in the United States:
Microsoft 365 Business Voice – Cloud-based VOIP phone system
Yeah–I know that I should probably take a weekend and go through all these old articles updating them… but so many other things to do.