Oct 03 2018 08:34 AM
M365 Business does not include the ability to create conditional access rules. We are wondering if there were any specific reasons it was not included, such as cost, complexity, or MS feeling that for SMBs the risk was not the same. The price point of this product, $20/seat, is perfect, so I would not want to see it go up, but having 2-3 basic conditional access rules available would be ideal. These might be: allow only authenticated devices, allow only from within North America, and allow only from listed IP address ranges.
Mark Benton
Oct 07 2018 09:05 PM
Conditional access is a full Premium Azure AD feature because of the ongoing compute time needed to process and apply these rules, every time an access event is triggered. You could add Azure AD P1 licenses to only the users you want to protect with conditional access, if your use case justifies identifying a subset of users for this extra level of protection.
Oct 08 2018 08:08 AM
Hi Sonia,
Since M365B is the premium product offer for SMB, it already includes several Azure AD P1 features. I think it is for this reason that customers and partners expect basic conditional access rules such as restricting access to enrolled devices.
If an Office 365 BP customer purchases Azure AD P1; they get expected incremental security value.
If an M365B customer purchases Azure AD P1, they get less than expected incremental value because several P1 features are included in the M365B subscription. Essentially, having customers purchase AAD P1 on top of M365B results in redundant feature acquisitions. I think if this is the approach going forward, we need a subscription that up-levels M365B to include full AAD P1.
I think the most important reason to bundle or add CA to M365B is to prevent credential theft. I think SMB customers are particularly vulnerable to this type of cyber risk. Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app. CA is necessary to prevent this security loophole.
David
Oct 08 2018 06:08 PM
David,
Remember that there's also a price difference between O365 BP & M365B, so you are already paying extra for those AAD P1 features you're getting with M365. So the total price between your two scenarios is different.
I agree that conditional access addresses a big need in SMBs, who are more likely to be at risk than Enterprise, for various reasons. Your feedback is valuable (and I don't just roll that out as a flippant term) for us to pass on to the product team.
I'm going to throw in a controversial question here: would you accept a price increase in the M365 Business licenses if it also included conditional access and other P1 features? Note: I am not foretelling anything here, I'm just curious. I don't work for that product team and I don't get to make those kinds of decisions :)
-Sonia
Oct 09 2018 08:20 AM
I think my users would be open to a "plus CA" additional cost, but it depends on what that cost is. $1? $2? Would every user need the add-on?
Oct 09 2018 11:04 AM
Hi Sonia,
Putting my former business owner hat on...I've owned a couple SMBs in the past. For my last company, we used O365 E5 for every employee (all 6 of us) and I didn't have a problem with the price. My business partner would grumble a bit because he was always looking to minimize recurring spending...but it was easy for me to demonstrate the value because we were using the primary workloads extensively.
I agree O365 BP & M365B are different. The real issue at hand is that Microsoft is telling customers that M365B is the only SKU needed for SMB productivity and security. That's almost true because most of EMS E3 is packaged in there....except for a few AAD P1 features. But the security benefits are diminished substantially because CA is excluded from M365B. So, it's not just about missing CA as a single feature. Parts of MFA and Intune are not going to work as designed without the ability to create some key CA policies and I worry more about credential theft, ransomware, etc without CA. Ideally, these policies would be created automatically for M365B customers so they don't need to engage with an identity expert to get an appropriate baseline policy in place for the SKU they bought (Similarly to how the device policies are created in the configuration wizard...that's really nice)
I'm not concerned so much about the price as long as the product I'm buying meets my business requirements. If a product or service I'm evaluating is overpriced, and a competitor has a better offer...then I'm going to shop around. In this case, I think M365B has excellent value and I wouldn't be averse to a reasonable price change. I'm not sure CA alone justifies it...but I'm not close enough to the product to really make an informed decision. If I were still a business owner and I was facing a modest increase, I don't think I'd balk at it.
What I'm really advocating for here is clarity. I believe Microsoft intends M365B to be the premium SKU for customers with fewer than 300 seats and does not intend to push or require mainstream customers to buy add-ons for productivity and security. If that is the case, CA needs to be included regardless of whether it increases the price or not. If I'm wrong and the recommended approach is to require customers who want full productivity and security to buy M365B + AAD P1, then please update the marketing accordingly so partners can get ahead of this and position the two SKUs correctly.
Oct 11 2018 04:21 PM
@David Bjurman-Birr Can you please talk with every other SMB owner? :)
Appreciate your great feedback - this has some Microsoft eyes on it.
-Sonia
Oct 17 2018 11:28 AM
Hi All,
As one of the Product Architects of Microsoft 365 Business, I want to chime in and assure everyone that we are actively reviewing all feedback. So please continue to give us feedback, especially focusing on what scenarios you would need Conditional Access for from an SMB perspective. Customer examples will help greatly in building the case.
Thanks!
Ashanka
Oct 22 2018 05:13 PM
Hey Mark, what basic conditional access rules are you looking to set? Could you give me your list?
Jan 21 2019 06:46 AM
Agree with many of the points. My thoughts:
For SMBs, we need to focus on simplicity. So we have:
1. Business Premium as a Premium Productivity Offering
2. M365 Business as a Premium Productivity plus Security Offering
As a Security Offering, it should be a No Compromise SKU. So it should have everything which an SMB would essentially need to address Security needs. I would look at a complete EMS E3 bundle to be included. It makes sense to tell the Customer that he will get:
O365 Business Premium plus Complete EMS E3 plus Windows 10 Upgrade
Jan 29 2019 09:09 PM
The other CA piece that is becoming more important is the browser condition option in client apps. A large portion of non-MS SaaS apps customers are using are browser only on PC so being able to control the non-app apps the same way that we can control other conditions would be welcome.
Feb 05 2019 08:48 AM - edited Feb 05 2019 08:50 AM
David, you can do this by purchasing Business Premium and then adding an EMS E3 license to the user; it comes out to around $1 more.
Feb 26 2019 09:53 AM
Mar 14 2019 01:12 PM
Adding my thoughts on this. I agree that for SMB it needs to be simple and easy. What my customers ask for is not that complicated really. They need a user baseline policy (like we have for admins) that allows them to do the basics.
1. A policy to BLOCK basic auth. That SMBs are not able to block basic auth today is a big risk
2. A policy to require Managed Device or Managed App or MFA
If we could have these 2 policies, that would cover more than 99% of the requests I get.
Note: I do know that SMBs can use authentication policies in ExO to block basic auth, and that they can block basic auth on SharePoint/OneDrive. But that is by a method that is too complex for an SMB customer.
@Sonia Cuff @Ashanka Iddya
Mar 25 2019 03:02 PM - edited Mar 26 2019 01:32 PM
As @David Bjurman-Birr explains crystal clearly:
"Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app. CA is necessary to prevent this security loophole."
Application protection policies will be useless. Am I wrong?
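The two baseline policies requested a few posts up (block basic auth; require managed device, managed app, or MFA) and the native-app bypass quoted just above can both be shown concretely. The block below is an added illustration, not Microsoft's code and not something the thread's authors posted. The two policy bodies follow the Microsoft Graph conditionalAccessPolicy schema (the `clientAppTypes` and `builtInControls` values are the real enum names); the `evaluate` function is a deliberately simplified model of how Conditional Access decides a sign-in, written only to show which of a few constructed sample sign-ins the baseline stops, and the sample sign-ins are made up for the example.

```python
"""Two Graph-schema Conditional Access policy bodies for the SMB baseline
discussed in the thread, plus a simplified evaluator that shows which
sign-ins they block. Added illustration; the evaluator is a reduced model
of Conditional Access semantics, not Microsoft's implementation."""

# Policy 1: block legacy (basic) authentication.
# In the Graph schema, clientAppTypes "other" covers legacy clients that
# cannot do modern auth (IMAP/POP/SMTP basic auth, older Office clients),
# and "exchangeActiveSync" covers basic-auth EAS.
BLOCK_LEGACY_AUTH = {
    "displayName": "Baseline: block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Policy 2: require a compliant (managed) device OR an approved app OR MFA.
# "all" client app types includes browser sessions, so SaaS access from a
# browser on a PC is covered as well as native apps.
REQUIRE_MANAGED_OR_MFA = {
    "displayName": "Baseline: require managed device, approved app, or MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["compliantDevice", "approvedApplication", "mfa"],
    },
}

BASELINE = [BLOCK_LEGACY_AUTH, REQUIRE_MANAGED_OR_MFA]


def _control_satisfied(control, signin):
    """Map a built-in grant control to a fact about the sign-in (simplified)."""
    return {
        "mfa": signin.get("mfa", False),
        "compliantDevice": signin.get("device_compliant", False),
        "approvedApplication": signin.get("approved_app", False),
    }.get(control, False)


def evaluate(policies, signin):
    """Return ("allow" | "block", [names of policies that caused a block]).

    Simplified model: a policy applies when the sign-in's client app type is
    listed in its clientAppTypes (or the list is ["all"]). A 'block' control
    always denies; otherwise operator OR needs one control met, AND needs all.
    Any applicable policy that is not satisfied blocks the sign-in."""
    blockers = []
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        types = policy["conditions"]["clientAppTypes"]
        if "all" not in types and signin["client_app_type"] not in types:
            continue
        grant = policy["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            blockers.append(policy["displayName"])
            continue
        met = [_control_satisfied(c, signin) for c in controls]
        satisfied = any(met) if grant["operator"] == "OR" else all(met)
        if not satisfied:
            blockers.append(policy["displayName"])
    return ("block" if blockers else "allow", blockers)


# Constructed sample sign-ins (not real sign-in log data).
SAMPLE_SIGNINS = {
    # IMAP client with a stolen password: legacy auth, no MFA possible.
    "imap_basic_auth": {"client_app_type": "other"},
    # Native mail app on an unenrolled phone: the bypass the thread describes.
    "native_app_unmanaged": {"client_app_type": "mobileAppsAndDesktopClients"},
    # Browser session that completed MFA.
    "browser_with_mfa": {"client_app_type": "browser", "mfa": True},
    # Outlook mobile under an Intune app protection policy.
    "outlook_mobile_app_protected": {
        "client_app_type": "mobileAppsAndDesktopClients", "approved_app": True},
    # Intune-compliant PC, no MFA prompt needed under the OR grant.
    "compliant_pc_no_mfa": {
        "client_app_type": "mobileAppsAndDesktopClients", "device_compliant": True},
}


def baseline_results():
    """Outcome of the two-policy baseline for each constructed sign-in."""
    return {name: evaluate(BASELINE, s)[0] for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, outcome in baseline_results().items():
        print(f"{name:30s} -> {outcome}")
```

The unmanaged native-app sign-in is the interesting row: without policy 2, nothing forces that client through a managed device or an app protection policy, which is exactly why the Intune protections can be sidestepped. The policy bodies can be submitted as-is to the Graph `identity/conditionalAccess/policies` endpoint with a P1-licensed tenant; starting them in `"enabledForReportingButNotEnforced"` state instead of `"enabled"` is the usual way to check the sign-in log impact before enforcing.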