10-03-2018 08:34 AM
M365 Business does not include the ability to create conditional access rules. We are wondering if there were any specific reasons it was not included, such as cost, complexity, or MS felt that for SMBs the risk was not the same. The price point of this product, $20/seat, is perfect so I would not want to see it go up, but having 2-3 basic conditional access rules available would be ideal. These might be allow only authenticated devices, allow only from within North America and allow only from listed IP address ranges.
10-07-2018 09:05 PM
Conditional access is a full Premium Azure AD feature because of the ongoing compute time needed to process and apply these rules, every time an access event is triggered. You could add Azure AD P1 licenses to only the users you want to protect with conditional access, if your use case justifies identifying a subset of users for this extra level of protection.
10-08-2018 08:08 AM
Since M365B is the premium product offer for SMB, it already includes several Azure AD P1 features. I think it is for this reason that customers and partners expect basic conditional access rules such as restricting access to enrolled devices.
If an Office 365 BP customer purchases Azure AD P1, they get the expected incremental security value.
If an M365B customer purchases Azure AD P1, they get less than the expected incremental value because several P1 features are included in the M365B subscription. Essentially, having customers purchase AAD P1 on top of M365B results in redundant feature acquisitions. I think if this is the approach going forward, we need a subscription that up-levels M365B to include full AAD P1.
I think the most important reason to bundle or add CA to M365B is to prevent credential theft. I think SMB customers are particularly vulnerable to this type of cyber risk. Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app. CA is necessary to prevent this security loophole.
10-08-2018 06:08 PM
Remember that there's also a price difference between O365 BP & M365B, so you are already paying extra for those AAD P1 features you're getting with M365. So the total price between your two scenarios is different.
I agree that conditional access addresses a big need in SMBs, who are more likely to be at risk than Enterprise, for various reasons. Your feedback is valuable (and I don't just roll that out as a flippant term) for us to pass on to the product team.
I'm going to throw in a controversial question here: would you accept a price increase in the M365 Business licenses if it also included conditional access and other P1 features? Note: I am not foretelling anything here, I'm just curious. I don't work for that product team and I don't get to make those kinds of decisions :)
10-09-2018 08:20 AM
I think my users would be open to a "plus CA" additional cost but it depends what that cost is? $1/$2? Would every user need the add-on?
10-09-2018 11:04 AM
Putting my former business owner hat on...I've owned a couple SMBs in the past. For my last company, we used O365 E5 for every employee (all 6 of us) and I didn't have a problem with the price. My business partner would grumble a bit because he was always looking to minimize recurring spending...but it was easy for me to demonstrate the value because we were using the primary workloads extensively.
I agree O365 BP & M365B are different. The real issue at hand is that Microsoft is telling customers that M365B is the only SKU needed for SMB productivity and security. That's almost true because most of EMS E3 is packaged in there....except for a few AAD P1 features. But the security benefits are diminished substantially because CA is excluded from M365B. So, it's not just about missing CA as a single feature. Parts of MFA and Intune are not going to work as designed without the ability to create some key CA policies and I worry more about credential theft, ransomware, etc without CA. Ideally, these policies would be created automatically for M365B customers so they don't need to engage with an identity expert to get an appropriate baseline policy in place for the SKU they bought (Similarly to how the device policies are created in the configuration wizard...that's really nice)
I'm not concerned so much about the price as long as the product I'm buying meets my business requirements. If a product or service I'm evaluating is overpriced, and a competitor has a better offer...then I'm going to shop around. In this case, I think M365B has excellent value and I wouldn't be averse to a reasonable price change. I'm not sure CA alone justifies it...but I'm not close enough to the product to really make an informed decision. If I were still a business owner and I was facing a modest increase, I don't think I'd balk at it.
What I'm really advocating for here is clarity. I believe Microsoft intends M365B to be the premium SKU for customers with fewer than 300 seats and does not intend to push or require mainstream customers to buy add-ons for productivity and security. If that is the case, CA needs to be included regardless of whether it increases the price or not. If I'm wrong and the recommended approach is to require customers who want full productivity and security to buy M365B + AAD P1, then please update the marketing accordingly so partners can get ahead of this and position the two SKUs correctly.
10-17-2018 11:28 AM
As one of the Product Architects of Microsoft 365 Business, I want to chime in and assure everyone that we are actively reviewing all feedback. So please continue to give us feedback, especially focusing on what scenarios you would need Conditional Access for from an SMB perspective. Customer examples will help greatly in building the case.
01-18-2019 10:49 PM
01-21-2019 06:46 AM
Agree with many of the points. My thoughts:
For SMBs, we need to focus on simplicity. So we have:
1. Business Premium as a Premium Productivity Offering
2. M365 Business as a Premium Productivity plus Security Offering
As a Security Offering, it should be a No Compromise SKU. So it should have everything which an SMB would essentially need to address security needs. I would look at a complete EMS E3 bundle to be included. It makes sense to tell the customer that he will get:
O365 Business Premium plus Complete EMS E3 plus Windows 10 Upgrade
01-29-2019 09:09 PM
The other CA piece that is becoming more important is the browser condition option in client apps. A large portion of non-MS SaaS apps customers are using are browser only on PC so being able to control the non-app apps the same way that we can control other conditions would be welcome.
02-05-2019 08:48 AM - edited 02-05-2019 08:50 AM
David you can do this by purchasing business premium and then adding an E3 EMS license to the user, comes out to around $1 more.
03-14-2019 01:12 PM
Adding my thoughts on this. I agree that for SMB it needs to be simple and easy. What my customers ask for is not that complicated really. They need a user baseline policy (like we have for admins) that allows them to do the basics.
1. A policy to BLOCK basic auth. That SMBs are not able to block basic auth today is a big risk
2. A policy to require Managed Device or Managed App or MFA
If we could have these 2 policies that would cover more than 99% of the requests I get.
Note: I do know that SMBs can use authentication policies in ExO to block basic auth, and that they can block basic auth on SharePoint/OneDrive. But that is by a method that is too complex for an SMB customer.
@Sonia Cuff @Ashanka Iddya
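The two baseline policies described in the post above, written out as an added example (not code from the original thread or from Microsoft) using the Microsoft Graph PowerShell SDK. It assumes a tenant licensed for Conditional Access, the Microsoft.Graph module installed, and an emergency-access group whose object ID replaces the placeholder.

```powershell
# Added example: creates the two baseline Conditional Access policies the
# post asks for, via the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph module and a tenant licensed for Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of an emergency-access (break-glass) group that
# must never be locked out by these policies.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Policy 1: block legacy (basic) authentication. Legacy clients appear as
# the "exchangeActiveSync" and "other" client app types and cannot do MFA.
$blockLegacy = @{
    displayName = "Baseline - Block legacy authentication"
    # Start in report-only so the sign-in logs show impact before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: for modern clients, require a compliant (Intune-managed) device,
# OR an approved app (so app protection policies apply), OR MFA.
$requireManagedOrMfa = @{
    displayName = "Baseline - Require compliant device, approved app or MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{
        operator        = "OR"   # any one of the controls satisfies the policy
        builtInControls = @("compliantDevice", "approvedApplication", "mfa")
    }
}

foreach ($policy in @($blockLegacy, $requireManagedOrMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
```

Review the report-only results in the Azure AD sign-in logs for a few days, then change `state` to `enabled`; switching both policies on at once without a tested break-glass exclusion is the usual way SMB admins lock themselves out.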
03-25-2019 03:02 PM - edited 03-26-2019 01:32 PM
As @David Bjurman-Birr explains crystal clearly:
"Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app. CA is necessary to prevent this security loophole."
Application protection policies will be useless. Am I wrong?
03-28-2019 08:02 AM
03-28-2019 08:09 AM
03-28-2019 09:07 AM - edited 03-28-2019 09:34 AM
Thank you for your answers.
What I really mean with "useless" is that to protect mail with MAM, I should force the use of protected apps.
If I create an app protection policy and I cannot apply a conditional access policy, then the user can use native email apps to bypass my protection.
04-08-2019 08:24 AM
@Mark Benton Replying to the opening because I think this is a unique ask.
If I don't have conditional Access, then how do I block non-compliant mobile devices from accessing company data and services? Doesn't this nullify everything you're doing in Intune Compliance Policies if you can't do anything about a non-compliant device? I must be missing something.
04-09-2019 01:29 AM
Hi I am a small business owner and I would like to say that it is hard to understand that CA has been left out of M365. We currently have Office 365 BP and subscribe to mobile security + E3 and one of the major reasons is to have access to Conditional Access. We have a number of contractors and staff we apply CA to, to satisfy our (sorry my) security paranoia. I have been looking at M365 and would like to get it but the cost of M365 + AAD P1 just does not stack up to me given the multiple double up of services. I understand bundling to upsize the sale, but it does not usually include so many redundant costs such as you would incur if you took M365 and AAD P1.
04-16-2019 01:44 PM
05-06-2019 11:18 AM
We had users on Office 365 Bus. Premium and were blocking access to users without a device password using the basic Office 365 MDM. We recently upgraded all users to Microsoft 365 Business and need to move our users to Intune (for some other functionality). We were unable to replicate the basic password enforcement policy we had on Office 365 MDM. We called support who said we needed to purchase either an Azure AD Premium or EMS license just to get the same functionality (via conditional access). Seems unreasonable to have to buy two licenses (Intune + AAD/EMS) just to replicate a basic MDM enforcement policy.
05-06-2019 11:25 PM
If you want to do what you say: put all of your customers on M365 Business and Azure AD P1. You don't need EMS. You get all of the tools you need to lock your tenant down. It sucks that we have to pay for Azure AD P1 but conditional access makes it worth it. Hopefully they add it to M365B -- then all small businesses have the tools to protect themselves provided they know how to configure it properly.
06-12-2019 12:14 PM
@Ashanka Iddya Thank you... this is proof that Microsoft listens to feedback for sure:
Finally we can have awesome security for SMB customers as well!!
06-12-2019 12:40 PM