Forum Discussion
Licensing Cloud App Security
Like some features in Office 365, and many features in Azure Active Directory or the Enterprise Mobility+Security suite of services, you need to license every user that will benefit from the use of the services. It's a common misconception that you only need to license administrators for Office 365 E5 to cover the use of this functionality, but that is not the case.
There are, unfortunately, no technical gates in the product to assist you with license compliance or to prevent non-compliance.
"Microsoft Cloud App Security is licensed per user per month. All the users who are protected and covered with the Cloud App Security service, need to be licensed for full compliance."
From the comments by a Microsft employee - https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
By the way, make sure to check out - https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365
Just to confuse matters, Office 365 Cloud App Security is part of Office 365 Enterprise E5 or an add-on, while the full-featured version, Microsoft Cloud App Security is part of Enterprise Mobility + Security E5 or as an add-on.
If I have a some administrators with Enterprise Mobility + Security E5, but the majority of users are Enterprise Mobility + Security E3, as I have now enabled MCAS rather then just using OCAS. Would all users need to be Enterprise Mobility + Security E5 to be correctly licensed, or do the E3 users just used to OCAS functionlity.
As it exists today, you would need all of those E3 users to either be upgraded to EMS E5, or purchase a standalone MCAS add-on license, assuming they're all licensed for EMS E3 (Office 365 user SL doesn't matter - different suite).
It's a fair amount of work - but you might also be able to use scoped deployment now to isolate the use of MCAS just to your administrators and users that you want covered.
https://docs.microsoft.com/en-us/cloud-app-security/scoped-deployment
- Thanks Wes, this is a great help. Is there a Microsoft document that explains this requirement, when you have a mixed E5 E3 licensing situation. It's something I've not been able to find.
- Intermingling Office editions like that is, unfortunately, not well documented, and not something Microsoft does much to point out. At my employer, (Directions on Microsoft), we’ve written extensively on the topic of intermingling EMS and Office editions like this, and have had several reviews by and conversations with, Microsoft. In the case of AAD, it’s easy. They say “anyone who benefits from...”, which basically means if you turn on tenancy-wide features, everyone benefits, and you owe licensing for everyone. Office isn’t as straightforward, but all we’ve been able to extract says it works the same - and effectively all of the security features in Office 365 E5 are tenancy-wide - so if they’re on, licensing is required for everyone.