Why you should take a real hard look at upgrading from Office 365 to Microsoft 365 this year
Readers of this blog are probably already familiar with the differences between Office 365 and Microsoft 365 plans. But I still run into plenty of folks out there who think these are the same thing, or who believe this is for “cloud only” customers, and there are still others who do not yet grasp the importance of migrating to the more comprehensive “Microsoft” bundle.
I personally cannot recommend a standalone Office 365 subscription anymore. It doesn’t matter if you are still hybrid or heading toward cloud-only; the advice remains the same. Why?
Because we already live in the reality of a post-perimeter world, and that means you need a modern management platform that addresses the needs of a post-perimeter security model. The featured graphic for this post is a bit simplified, since there remain other vectors as well, such as social engineering, physical loss or theft, and so on. But it still illustrates a good point: most organizations do not have adequate coverage across the entire attack kill chain, and are woefully under-prepared for a breach event.
Now, if organizations do not start moving toward the new management stack that is included in the Microsoft 365 bundle, they are going to have to answer the same concerns some other way, i.e. with third-party tools.
Building a post-perimeter infrastructure
Beyond the perimeter, we have several considerations that we must take into account when we are erecting our new information systems (many of which are likely to be based in the cloud).
Protection from advanced and zero-day threats is built in with Office 365 Advanced Threat Protection, and covers web links, email attachments and anti-spoofing/anti-phishing detection. You would need third-party services to cover this if you didn’t get it natively through a Microsoft plan such as Microsoft 365 Business or E5.
Modern identity management with strong authentication including MFA and Conditional Access is baked into every Microsoft 365 plan. Ideally an alternative solution that you’re comparing with also allows you to connect all your apps via SAML for single sign-on (you don’t want to be managing umpteen different identities for each user).
Endpoint management, so that you can enforce device compliance and security policies, push applications and updates, and more, whether the device is in the office or not. Microsoft Endpoint Manager does the job nicely, but otherwise you’d have to find an alternative MDM.
Management for unmanaged / personal devices: Microsoft has somewhat of an unfair advantage in this space since they own the productivity apps, and this allows us to manage at the application layer, creating boundary lines between corporate and non-corporate data on unmanaged endpoints.
Information protection & rights management is provided by Azure Information Protection, and this enables Office 365 Message Encryption for Email as well as Sensitivity labels for messages and files. The idea here is that you can wrap your security boundary around individual pieces of data, rather than requiring that data to live in a protected “container.” Old world security was based on containers and perimeters, but in this paradigm we can label content and know that it is protected whether it lives on our cloud or on some other, whether on corporate or non-corporate devices.
Not to mention other governance must-haves like Data Loss Prevention and Retention; again, these are all included with Microsoft 365, and they integrate nicely into places like Microsoft Cloud App Security, a Cloud Access Security Broker (CASB) solution that can help you get more granular with your security and compliance policies, automate incident response, and bring the same level of security and compliance that you enjoy with Microsoft to other third-party cloud apps.
If you attempt to cover all these same bases with third parties, I think you will quickly end up with more complexity and more cost in your new architecture than if you just moved up from an Office 365 to a Microsoft 365 plan (especially since you still need your Office productivity suite at the end of the day, and a place to host your files and email besides).
For more details on the migration path from traditional infrastructures, such as Windows Server Active Directory, check out my recent migration guide.
Comments (8)
Perfect timing – we are just looking to add Intune and moving from Office 365 E3 to Microsoft 365 E3 should be perfect – especially since our non-profit pricing means the Microsoft E3 costs only a fraction more than the Office E3 :-) actually, $0.52 more to be exact.
But…
– Is there anything we lose by changing from Office E3 to Microsoft E3?
– Will our users notice anything – prompts, notifications in Windows 10, MacOS, iOS, Android – after we change the licence?
– and where does “Microsoft Defender Advanced Threat Protection” fit into this licencing?
See my licensing guide–Defender ATP is only an E5 feature, along with MCAS, Azure ATP, and Office 365 ATP; however you can get an add-on for E3 called Microsoft 365 E5 Security that contains all the nicer security goodies. Your users won’t notice anything if you move from Office E3 to Microsoft E3.
Thanks Alex! Is that Microsoft E5 or should Enterprise Mobility + Security E5 also include Defender ATP?
Microsoft Defender ATP is not included in EM+S, but rather it is a part of Windows 10 E5, which is part of Microsoft 365 E5. However, the “Microsoft 365 E5 Security” SKU pulls security features across Office, EM+S and Windows E5 plans into an add-on that you can staple on top of E3 (normal for-profit customers pay 12.00 USD/user for that–unsure for non-profit).
Hmm, that SKU might not be available yet in my market (Sweden). I was actually also interested in the Microsoft Defender Advanced Threat Protection for Mac, which has a prerequisite of “A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal” – neither of which I have been able to add or access yet :-) Our organization is about 25% OSX devices, so some endpoint control with security would be nice.
It might show up under its old name: Identity & Threat Protection. Now it is called Microsoft 365 E5 Security.
Great article Alex! For my customers that are on O365 Premium I have them on Malwarebytes Endpoint Protection. This protects them by blocking PUPs and PUAs as well as Web Protection for when they accidentally misspell typing a website address. Does Microsoft 365 provide these protections?
Yes. Microsoft 365 Business edition has a number of protections built-in such as Network protection, attack surface reduction (part of Exploit Guard), as well as Application Guard, Defender SmartScreen, and Potentially Unwanted Application (PUA) detection, built into Defender Antivirus capabilities. However, the big thing they are missing right now is twofold:
1. a management portal where we can review the threats and issues in the environment, and
2. just a minimum level of EDR capabilities (we don’t need everything that is included in Defender ATP–e.g. the SMB will never fully realize the benefit of advanced threat hunting, but some basic endpoint protection where we get alerted to the potentially threatening issues so we can have our designated admins respond would be nice)
That is my opinion of the “state of the state” with the Microsoft Defender capabilities. I will probably need to write a more detailed article on the same, and try to get some MSFT eyes on it… thanks for the comment!