Why Microsoft 365 Business should include Azure AD PremiumAlex Fields
I have written at length about this product; for the most part, I really love it for the SMB. But there is one thing that I wish Microsoft would have included in this bundle, even if it meant increasing the price point a little bit. And that one thing is: Azure AD Premium.
First of all: the whole concept behind Microsoft 365 is to combine the Office 365 and EMS sku’s under a single umbrella, along with Windows 10, creating an end-to-end productivity and operating platform in one, with security and device management built right in. Productivity. Security. Operating System. Brilliant! But in the Business edition of this product, they mysteriously neuter the Security category, leaving out their premium identity management product. Why?!!
Conditional Access is critical
The fact that Intune is included but Azure AD Premium is not, is completely maddening. For example, the Microsoft 365 admin center has those easy-to-deploy Mobile Application Management (MAM) policies. Awesome. But guess what? Without Azure AD Premium, you cannot compel users into the Intune-managed applications–that requires Conditional Access. So these protections only apply if the user happens to opt themselves out of third-party apps such as native mail for iOS and Android. Any guess on the percentage of general users likely to do so? I will ruin the surprise for you: The percentage is low. It is very low.
Another major function of Conditional Access is requiring devices to register themselves with Azure AD & Intune. Just look at any major security framework. Look at CIS, look at NIST. What do they all have in common? Building and maintaining an accurate and complete inventory of devices is crucial. It is the footing upon which all other security controls are built. How can you protect devices when you don’t even know what you have?
Conditional access solves an important piece of this puzzle in two ways:
- Forcing the device into your inventory, giving you instant visibility and granting you some level of control over it
- Requiring certain basic conditions to be met by the device before access is granted
Microsoft: How could you neglect to include this feature? HOW?!!
Incomplete hybrid support
Next up, we address the April 2018 updates. Don’t get me wrong, the changes that came to the subscription this year were AWESOME. Previously, the subscription was very clearly delineated for “cloud-first” / “cloud-only” businesses, with no official support for Azure AD Connect, or Hybrid Azure AD Joined devices. That changed in April, along with some other cool additions such as ATP, etc.
Now the product has a way better value proposition, with a much wider audience and potential customer base, since hybrid organizations are now included and even expected to hop on this bandwagon. And that makes a lot of sense, since most organizations that are coming from a traditional premises-based server environment cannot go “all cloud” overnight, at least, not usually.
Some organizations will even be maintaining a hybrid environment for quite a while, especially if they have reliance on line of business apps that have no satisfactory SaaS alternative.
Customers with the full EMS SKU can enjoy many more hybrid benefits such as Password Write-Back with Self Service Password Reset (SSPR). Too bad, so sad for Microsoft 365 Business seats, however. Sure, you may be able to turn on Azure AD Connect with password hash synchronization, but you cannot self-service reset passwords without that sweet, sweet Azure AD Premium subscription.
Update: Microsoft 365 Business now supports SSPR and password write-back
Multifactor for every app, everywhere
Multifactor authentication (MFA) is available in the Microsoft 365 Business subscription, but only for the Office 365 applications. If you want the full version of Azure MFA, including support for third party and premises-based applications–things like VPN, RDS, and so forth, then you will require, again, Azure AD Premium.
This is crucial too, when we look toward non-premises based applications. Many small businesses will want to tie other SaaS products into Azure AD for authentication. And Azure AD Premium will give you the best and widest support for applications and features, including SAML and MFA.
Especially for small businesses that have apps which do not appear in the Azure AD gallery, it is non-negotiable: they need Azure AD Premium to get “custom” app support. If you implement this solution often, you will soon run into customers who must add this subscription to their tenant just to support a single custom application.
I think I’ve made a pretty good case for this. I mean, it is a glaring omission. Intune AND Azure Information Protection are the other major pillars from the original EMS subscription, and they both show up in this subscription. I don’t even mind the ATA piece being left out here–but Azure AD Premium is a huge deal, in my opinion.
Maybe the $20.00 price point was just too low for them to stomach including both Intune and Azure Premium P1, but I wouldn’t even mind if this price were just a little bit higher. I would rather pay just a bit more and have a single SKU, than pay more anyway, and manage two SKU’s. Customers, especially in the SMB, are really attracted to that one single SKU that does it all–except that this one doesn’t (but it comes awfully close).