M365 Business and Conditional Access

M365 Business does not include the ability to create conditional access rules.  We are wondering if there was any specific reasons it was not included such as cost, complexity or MS felt for SMBs the risk was not the same.  The price point of this product, $20/seat, is perfect so I would not want to see it go up but having 2-3 basic conditional access rules available would be ideal. These might be allow only authenticated devices, allow only from within North America and allow only from listed IP address ranges.

Mark Benton

Conditional access is a full Premium Azure AD feature because of the ongoing compute time needed to process and apply these rules, every time an access event is triggered. You could add Azure AD P1 licenses to only the users you want to protect with conditional access, if your use case justifies identifying a subset of users for this extra level of protection.

Hi Mark - looping in @Ashanka Iddya to make sure she sees the questions/comments on AAD P1 features, it was one of the top areas of questions after the Ignite sessions.

Hi Sonia,

Since M365B is the premium product offer for SMB, it already includes several Azure AD P1 features.  I think it is for this reason that customers and partners expect basic conditional access rules such as restricting access to enrolled devices.

If an Office 365 BP customer purchases Azure AD P1; they get expected incremental security value.

If an M365B customer purchases Azure AD P1, they get less than expected incremental value because several P1 features are included in the M365B subscription.  Essentially, having customers purchase AAD P1 on top of M365B results in redundant feature acquisitions.  I think if this is the approach going forward, we need a subscription that up-levels M365B to include full AAD P1.

I think the most important reason to bundle or add CA to M365B is to prevent credential theft.  I think SMB customers are particularly vulnerable to this type of cyber risk.  Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app.  CA is necessary to prevent this security loophole.

David

David, 

Remember that there's also a price difference between O365 BP & M365B, so you are already paying extra for those AAD P1 features you're getting with M365. So the total price between your two scenarios is different.

I agree that conditional access addresses a big need in SMBs, who are more likely to be at risk than Enterprise, for various reasons. Your feedback is valuable (and I don't just roll that out as a flippant term) for us to pass on to the product team.

I'm going to throw in a controversial question here: would you accept a price increase in the M365 Business licenses if it also included conditional access and other P1 features? Note: I am not foretelling anything here, I'm just curious. I don't work for that product team and I don't get to make those kinds of decisions :)

-Sonia

I think my users would be open to a "plus CA" additional cost, but it depends on what that cost is.  $1/$2?  Would every user need the add-on?

Hi Sonia,

Putting my former business owner hat on...I've owned a couple SMBs in the past.  For my last company, we used O365 E5 for every employee (all 6 of us) and I didn't have a problem with the price.  My business partner would grumble a bit because he was always looking to minimize recurring spending...but it was easy for me to demonstrate the value because we were using the primary workloads extensively.

I agree O365 BP & M365B are different.  The real issue at hand is that Microsoft is telling customers that M365B is the only SKU needed for SMB productivity and security.  That's almost true because most of EMS E3 is packaged in there...except for a few AAD P1 features.  But the security benefits are diminished substantially because CA is excluded from M365B.  So, it's not just about missing CA as a single feature.  Parts of MFA and Intune are not going to work as designed without the ability to create some key CA policies, and I worry more about credential theft, ransomware, etc. without CA.  Ideally, these policies would be created automatically for M365B customers so they don't need to engage with an identity expert to get an appropriate baseline policy in place for the SKU they bought (similar to how the device policies are created in the configuration wizard...that's really nice).

I'm not concerned so much about the price as long as the product I'm buying meets my business requirements.  If a product or service I'm evaluating is overpriced, and a competitor has a better offer...then I'm going to shop around.  In this case, I think M365B has excellent value and I wouldn't be averse to a reasonable price change.  I'm not sure CA alone justifies it...but I'm not close enough to the product to really make an informed decision.  If I were still a business owner and I was facing a modest increase, I don't think I'd balk at it.

What I'm really advocating for here is clarity.  I believe Microsoft intends M365B to be the premium SKU for customers with less than 300 seats and does not intend to push or require mainstream customers to buy add-ons for productivity and security.  If that is the case, CA needs to be included regardless of whether it increases the price or not.  If I'm wrong and the recommended approach is to require customers who want full productivity and security to buy M365B + AAD P1, then please update the marketing accordingly so partners can get ahead of this and position the two SKUs correctly.

@David Bjurman-Birr Can you please talk with every other SMB owner? :)

Appreciate your great feedback - this has some Microsoft eyes on it.

-Sonia

Hi All,

As one of the Product Architects of Microsoft 365 Business, I want to chime in and assure everyone that we are actively reviewing all feedback. So please continue to give us feedback, especially focusing on what scenarios you would need Conditional Access for from an SMB perspective. Customer examples will help greatly in building the case.

Thanks!

Ashanka

Hey Mark, what basic conditional access rules are you looking to set? Could you give me your list?

I'd really like to see conditional access included with the M365 Business. It's a deal breaker with a lot of my clients because they have compliance requirements that can't be met without it. They are still small business (as little as 10 users) so M365 E3/5 is not something they would consider. So they continue on with on prem networks.
I really wish Microsoft would get rid of the notion that SMB doesn't need a similar level of security as enterprise. They need it just as much if not more. I'd like to see M365 E5 at all my clients regardless of size but the price is just too high. Why do you need to be enterprise to enjoy the benefits of Defender ATP? Everyone should have that because that's what it takes to adequately secure a Windows computer. SMB might not use every feature they get in that sku but that's OK. It just means less cost to Microsoft to provide it.
Microsoft needs to eliminate the barriers to the high quality products available in the enterprise SKUs and make them available to everybody.
As it stands right now I can't sell M365 Business to anybody because it's too crippled. It's close but just doesn't strike the right balance. Maybe have a M365 Business Plus that is just M365 E5 with a 300 seat limit. Throw PowerApps P1 in with it and you'd have the perfect complete product for SMB.

Agree with many of the points. My thoughts:

For SMBs, we need to focus on simplicity. So we have:

1.  Business Premium as a Premium Productivity Offering

2.  M365 Business as a Premium Productivity plus Security Offering

As a Security Offering, it should be a No Compromise SKU. So it should have everything which an SMB would essentially need to address security needs.  I would look at a complete EMS E3 bundle to be included.  It makes sense to tell the customer that he will get:

O365 Business Premium plus complete EMS E3 plus Windows 10 Upgrade

The other CA piece that is becoming more important is the browser condition option in client apps. A large portion of non-MS SaaS apps customers are using are browser only on PC so being able to control the non-app apps the same way that we can control other conditions would be welcome.

David, you can do this by purchasing Business Premium and then adding an EMS E3 license to the user; it comes out to around $1 more.

I would like to allow ActiveSync on only MDM devices (corp) and block on all MAM ones (BYOD).

Adding my thoughts on this. I agree that for SMB it needs to be simple and easy. What my customers ask for is not that complicated really. They need a user baseline policy (like we have for admins) that allows them to do the basics.

1. A policy to BLOCK basic auth. That SMBs are not able to block basic auth today is a big risk.

2. A policy to require a managed device, managed app or MFA.

If we could have these 2 policies, that would cover more than 99% of the requests I get.

Note: I do know that SMBs can use authentication policies in ExO to block basic auth, and that they can block basic auth on SharePoint/OneDrive. But that is by a method that is too complex for an SMB customer.
@Sonia Cuff @Ashanka Iddya 
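For readers with an AAD P1 license in the tenant (or M365B plus the add-on discussed above), here is what the two baseline policies requested in the post above, plus the "allow only from North America / from listed IP ranges" rules from the opening post, look like when created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; the break-glass account name, the 203.0.113.0/24 office range and the country list are constructed placeholders, and every policy is created in report-only state so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: baseline Conditional Access policies via the Microsoft.Graph PowerShell SDK.
# Assumptions: Azure AD P1 is licensed, the Microsoft.Graph module is installed, and the
# account running this can consent to the scopes below. Values are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Emergency-access account (placeholder UPN). Exclude it from every policy so a bad policy
# can never lock every admin out of the tenant.
$breakGlass   = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
$breakGlassId = $breakGlass.Id

# Named locations. The IP range is a constructed example (TEST-NET-3), not a real office.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress (example range)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}
$northAmerica = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "North America"
    countriesAndRegions               = @("US", "CA", "MX")
    includeUnknownCountriesAndRegions = $false   # unknown geo = not North America = blocked
}

# Report-only: evaluated and logged, never enforced, until you flip it to "enabled".
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Block legacy (basic) authentication. "exchangeActiveSync" and "other" are the client
#    app types that cannot satisfy MFA; blocking them removes the basic-auth bypass.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Baseline 1: block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. For modern-auth clients, require an Intune-compliant device OR an app covered by an
#    app protection policy OR MFA. This is what stops a native mail app on an unmanaged
#    phone from side-stepping the Intune controls mentioned earlier in the thread.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Baseline 2: require managed device, protected app or MFA"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication", "mfa")
    }
}

# 3. Block sign-ins from everywhere except North America and the trusted office range.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Baseline 3: block access from outside North America"
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($northAmerica.Id, $office.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

The "ActiveSync only on MDM devices" request earlier in the thread is policy 1 with `clientAppTypes = @("exchangeActiveSync")` alone and `builtInControls = @("compliantDevice")` instead of `block`; note that if you keep both policies, the block in policy 1 wins, so choose one of the two. Leave the policies in report-only state for at least a few days and review the sign-in logs for service accounts and scanners that still use basic auth before switching `state` to `"enabled"`.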

@Ashanka Iddya 

As @David Bjurman-Birr explains crystal clearly:

"Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app. CA is necessary to prevent this security loophole."

Application protection policies will be useless. Am I wrong?

You can block Basic Auth on the service level and only allow Modern Auth on ExO. That will help a bit.
But iOS supports Modern Auth. And Nine for Android does. So it is not good enough.

@Jan Ketil Skanke 

And the winner issss:

Am I wrong or not?

Policies will still apply to the Office mobile apps like OneDrive, Teams, Word and so on. So I would not say useless. But I would also not call it a security feature at that stage.