Why Microsoft 365 Business should include Azure AD Premium
I have written at length about this product; for the most part, I really love it for the SMB. But there is one thing I wish Microsoft had included in this bundle, even if it meant increasing the price point a little. That one thing is Azure AD Premium.
First of all: the whole concept behind Microsoft 365 is to combine the Office 365 and EMS SKUs under a single umbrella, along with Windows 10, creating an end-to-end productivity and operating platform with security and device management built right in. Productivity. Security. Operating System. Brilliant! But in the Business edition of this product, they mysteriously neuter the Security category, leaving out their premium identity management product. Why?!!
Conditional Access is critical
The fact that Intune is included but Azure AD Premium is not is completely maddening. For example, the Microsoft 365 admin center has those easy-to-deploy Mobile Application Management (MAM) policies. Awesome. But guess what? Without Azure AD Premium, you cannot compel users into the Intune-managed applications; that requires Conditional Access. MAM policies only govern the managed Office apps they are assigned to, so the protection applies only if the user happens to stay out of third-party apps such as the native mail clients on iOS and Android. Any guess on the percentage of general users likely to do so? I will ruin the surprise for you: the percentage is low. It is very low.
Another major function of Conditional Access is requiring devices to register themselves with Azure AD and Intune before they are granted access. Just look at any major security framework, the CIS Controls or NIST. What do they all have in common? Building and maintaining an accurate and complete inventory of devices is crucial; it is the footing upon which all other security controls are built. How can you protect devices when you don't even know what you have?
Conditional access solves an important piece of this puzzle in two ways:
- Forcing the device into your inventory, giving you instant visibility and some level of control over it
- Requiring certain basic conditions (enrollment, Intune compliance) to be met by the device before access is granted
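To make the two mechanisms concrete, here is an added example (not from the original post) of what the Conditional Access half of the story looks like once the tenant does have Azure AD Premium P1. It uses the Microsoft Graph PowerShell SDK to create two policies in report-only mode: one that forces native mail clients (which speak Exchange ActiveSync and can never count as an "approved app") onto Intune-compliant devices, and one that lets the mobile Office apps in with either a compliant device or an Intune-managed approved app. The pilot group name and the break-glass account id are assumptions; the Exchange Online app id and the `Office365` app group are the well-known values Azure AD uses.

```powershell
# Added example, not part of the original post. Requires Azure AD Premium P1 and the
# Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph.Identity.SignIns).
# Assumptions: a pilot group named 'CA-Pilot' exists and $breakGlassId is replaced
# with the object id of your emergency-access account.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

$pilot = Get-MgGroup -Filter "displayName eq 'CA-Pilot'"
if (-not $pilot) { throw "Pilot group 'CA-Pilot' not found; create it before running this" }
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder, never leave it out of a policy

function New-CaPolicyBody {
    # Builds the request body for a Graph conditionalAccessPolicy object.
    param(
        [string]   $Name,
        [string[]] $Apps,
        [string[]] $ClientAppTypes,
        [string[]] $Controls,
        [string]   $Operator = 'OR',
        [string[]] $Platforms
    )
    $conditions = @{
        users          = @{ includeGroups = @($pilot.Id); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = $Apps }
        clientAppTypes = $ClientAppTypes
    }
    if ($Platforms) { $conditions.platforms = @{ includePlatforms = $Platforms } }
    @{
        displayName   = $Name
        # Report-only: the policy is evaluated and recorded in the sign-in logs,
        # but nobody is blocked until you flip state to 'enabled'.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = $Operator; builtInControls = $Controls }
    }
}

# 1) Native mail on phones uses Exchange ActiveSync. The only way through is a device that
#    is Intune-enrolled and compliant, which is exactly what puts it into your inventory.
$easParams = @{
    Name           = 'Pilot: EAS clients require a compliant device'
    Apps           = @('00000002-0000-0ff1-ce00-000000000000')   # Office 365 Exchange Online
    ClientAppTypes = @('exchangeActiveSync')
    Controls       = @('compliantDevice')
}
$eas = New-CaPolicyBody @easParams

# 2) Modern clients on iOS/Android: a compliant device OR an approved (Intune-managed) app.
#    Users who refuse enrollment are herded into Outlook/Office, where the MAM policies apply.
$modernParams = @{
    Name           = 'Pilot: mobile Office apps need compliant device or approved app'
    Apps           = @('Office365')                                 # the Office 365 app group
    ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    Platforms      = @('iOS', 'android')
    Controls       = @('compliantDevice', 'approvedApplication')
    Operator       = 'OR'
}
$modern = New-CaPolicyBody @modernParams

foreach ($body in @($eas, $modern)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host "Created '$($created.DisplayName)' [$($created.State)] id=$($created.Id)"
}
```

Leave both policies in report-only for a week or two and read the "Report-only" tab of the Azure AD sign-in logs: every sign-in that would have failed shows you a device that is not in your inventory yet. Only then change the state to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = 'enabled' }`), and keep the break-glass exclusion in place so a misconfigured policy cannot lock you out of your own tenant.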
Microsoft: How could you neglect to include this feature? HOW?!!
Incomplete hybrid support
Next up, we address the April 2018 updates. Don't get me wrong, the changes that came to the subscription this year were AWESOME. Previously, the subscription was very clearly delineated for "cloud-first" / "cloud-only" businesses, with no official support for Azure AD Connect or Hybrid Azure AD Joined devices. That changed in April, along with other welcome additions such as Advanced Threat Protection (ATP).
Now the product has a much better value proposition, with a much wider audience and potential customer base, since hybrid organizations are now included and even expected to hop on this bandwagon. That makes a lot of sense: most organizations coming from a traditional premises-based server environment cannot go "all cloud" overnight, or at least not usually.
Some organizations will even be maintaining a hybrid environment for quite a while, especially if they have reliance on line of business apps that have no satisfactory SaaS alternative.
Customers with the full EMS SKU enjoy many more hybrid benefits, such as Self Service Password Reset (SSPR) with password write-back to the on-premises directory. Too bad, so sad for Microsoft 365 Business seats, however. Sure, you can turn on Azure AD Connect with password hash synchronization, but your synchronized users cannot reset their own passwords, because password write-back requires that sweet, sweet Azure AD Premium subscription.
Update: Microsoft 365 Business now supports SSPR and password write-back
Multifactor for every app, everywhere
Multifactor authentication (MFA) is available in the Microsoft 365 Business subscription, but only for the Office 365 applications. If you want the full version of Azure MFA, including support for third-party and premises-based applications (VPN, RDS and so forth), then you will require, once again, Azure AD Premium.
This matters just as much for SaaS applications. Many small businesses will want to tie other SaaS products into Azure AD for authentication, and Azure AD Premium gives you the widest application and feature support, including SAML-based single sign-on and MFA in front of those apps.
For small businesses that have apps which do not appear in the Azure AD gallery, it is non-negotiable: they need Azure AD Premium to get "custom" (non-gallery) app support. If you implement this solution often, you will soon run into customers who must add this subscription to their tenant just to support a single custom application.
Q.E.D.
I think I've made a pretty good case for this. It is a glaring omission. Intune and Azure Information Protection are the other two major pillars of the original EMS subscription, and both show up in Microsoft 365 Business. I don't even mind Advanced Threat Analytics (ATA) being left out here, but Azure AD Premium is a huge deal, in my opinion.
Maybe the $20.00 price point was just too low for them to stomach including both Intune and Azure AD Premium P1, but I wouldn't mind if the price were a little higher. I would rather pay a bit more for a single SKU than pay more anyway and manage two SKUs. Customers, especially in the SMB, are really attracted to that one SKU that does it all, except that this one doesn't (but it comes awfully close).
Comments (13)
Completely agree! Would love to see MS include this in the 365 Business SKU!
Another great article Alex. Given most MSPs that are managing SMBs already have an endpoint RMM tool in place, I think a bundle that includes Azure AD Premium instead of Intune would have more success with MSPs.
I would go even further: In the current security environment, it is absolutely critical to include Conditional Access Policies in all versions of Azure AD. A few times over the past year we have had to go back to the trough or eat the license cost for Azure AD Premium in the midst of a breach remediation, for the good of the client.
There is good news on the horizon here, we think. Rumor has it that new baseline conditional access policies will be deployed to every subscription, which apply to user accounts and not only admins. Today there is the MFA policy for admins but the user one may even include risk based challenges and the requirement to register for MFA for all users. So the rumor goes…
Interesting, let’s hope the rumors are correct!
I agree, it’d be great to see.
I may be missing something, but O365 Business Premium & EM+S E3 gets you pretty much to M365 Business, but with AAD Premium included – at (roughly) the same price point.
Sure you miss out on the upgrade from Win7/8 to Win10, but does that really matter that much anymore?
Do you lose anything else?
Yes, you do lose some things. The full Microsoft 365 Business subscription adds DLP, Archiving, Advanced Threat Protection, etc. Also, the Windows 10 licensing is not just an upgrade but also “lights up” certain management features of Windows 10 from Device management. Granted on the Business subscription these are pretty small advantages–it doesn’t light up stuff like Credential Guard or Windows Defender ATP like you can find on the Enterprise side. But still, a non-subscription based Windows 10 just isn’t going to have the same bells and whistles long term, as are available whenever they decide to release features into the subscription versions.
Good points, DLP and archiving can be very valuable.
The problem is that they’ve put out an all encompassing SKU and it isn’t all encompassing, so there’s a need to mix and match stuff somewhere. If it was included, even at an adjusted price, I totally agree, it’d be a better overall proposition.
Thanks for the insights!
Truth!
Great article and saved me a lot of pain – Microsoft’s marketing is very poor at outlining exactly what is included.
We have a client who wants a directory based login, SSO to an existing Dropbox Business environment, and BitLocker management. They currently have Business Premium O365, my process took me from Azure AD P1 to EMS E3 – I almost went to M365 but reading your article saw it doesn’t include Azure AD P1 (or higher) which seems madness given the whole premise of M365 is a complete solution for the SMB!
Totally agree, this sounds like it would make a ton of sense.
Great article. I'm in the same position right now – for the price MS 365 Business works well for £15 pu/pm but I want that 'Sign In' data on the AD blade. I need it – probably more than I need archiving and DLP. If I get a pair of E3s it's going to cost me about £25 pu/pm – which is an extra £10 for the sign in data!!!! I could tack on a P1 for £4.72… MS – JUST INCREASE THE BUSINESS LICENSE and get me that audit trail back.
Agreed, this is a big miss. I still don’t understand why we don’t just have AAD P1 in its full glory as part of this SKU.