M365 Business and Conditional Access


M365 Business does not include the ability to create conditional access rules. We are wondering if there were any specific reasons it was not included such as cost, complexity or MS felt for SMBs the risk was not the same. The price point of this product, $20/seat, is perfect so I would not want to see it go up but having 2-3 basic conditional access rules available would be ideal. These might be allow only authenticated devices, allow only from within North America and allow only from listed IP address ranges.

Mark Benton

28 Replies

Conditional access is a full Premium Azure AD feature because of the ongoing compute time needed to process and apply these rules, every time an access event is triggered. You could add Azure AD P1 licenses to only the users you want to protect with conditional access, if your use case justifies identifying a subset of users for this extra level of protection.

Hi Mark - looping in @Ashanka Iddya to make sure she sees the questions/comments on AAD P1 features, it was one of the top areas of questions after the Ignite sessions.

Hi Sonia,

 

Since M3655B is the premium product offer for SMB, it already includes several Azure AD P1 features.  I think it is for this reason that customers and partners expect basic conditional access rules such as restricting access to enrolled devices.

 

If an Office 365 BP customer purchases Azure AD P1; they get expected incremental security value.

 

If an M365B customer purchases Azure AD P1; they get less then expected incremental value because several P1 features are included in the M365B subscription.  Essentially, having customers purchase AAD P1 on top of M365B results in redundant feature acquisitions.  I think if this is the approach going forward, we need a subscription that up levels M365B to include full AAD P1.

 

I think the most important reason to bundle or add CA to M365B is to prevent credential theft.  I think SMB customers are particularly vulnerable to this type of cyber risk.  Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app.  CA is necessary to prevent this security loophole.

 

David


David, 

Remember that there's also a price difference between O365 BP & M365B, so you are already paying extra for those AAD P1 features you're getting with M365. So the total price between your two scenarios is different.

 

I agree that conditional access addresses a big need in SMBs, who are more likely to be at risk than Enterprise, for various reasons. Your feedback is valuable (and I don't just roll that out as a flippant term) for us to pass on to the product team.

 

I'm going to throw in a controversial question here: would you accept a price increase in the M365 Business licenses if it also included conditional access and other P1 features? Note: I am not foretelling anything here, I'm just curious. I don't work for that product team and I don't get to make those kinds of decisions :)

 

-Sonia


I think my users would be open to a "plus CA" additional cost but it depends what that cost is?  $1/$2?  Would every user need the add-on?


Hi Sonia,

 

Putting my former business owner hat on...I've owned a couple SMBs in the past.  For my last company, we used O365 E5 for every employee (all 6 of us) and I didn't have a problem with the price.  My business partner would grumble a bit because he was always looking to minimize recurring spending...but it was easy for me to demonstrate the value because we were using the primary workloads extensively.

 

I agree O365 BP & M365B are different.  The real issue at hand is that Microsoft is telling customers that M365B is the only SKU needed for SMB productivity and security.  That's almost true because most of EMS E3 is packaged in there....except for a few AAD P1 features.  But the security benefits are diminished substantially because CA is excluded from M365B.  So, it's not just about missing CA as a single feature.  Parts of MFA and Intune are not going to work as designed without the ability to create some key CA policies and I worry more about credential theft, ransomware, etc without CA.  Ideally, these policies would be created automatically for M365B customers so they don't need to engage with an identity expert to get an appropriate baseline policy in place for the SKU they bought (Similarly to how the device policies are created in the configuration wizard...that's really nice)

 

I'm not concerned so much about the price as long as the product I'm buying meets my business requirements. If a product or service I'm evaluating is overpriced, and a competitor has a better offer...then I'm going to shop around. In this case, I think M365B has excellent value and I wouldn't be averse to a reasonable price change. I'm not sure CA alone justifies it...but I'm not close enough to the product to really make an informed decision. If I were still a business owner and I was facing a modest increase, I don't think I'd balk at it.

 

What I'm really advocating for here is clarity.  I believe Microsoft intends M365B to be the premium SKU for customers with less than 300 seats and does not intend to push or require mainstream customers to buy add-ons for productivity and security.  If that is the case, CA needs to be included regardless if it increases the price or not.  If I'm wrong and the recommended approach is to require customers who want full productivity and security to buy M365B + AAD P1 then please update the marketing accordingly so partners can get ahead of this and position the two SKUs correctly.


@David Bjurman-Birr Can you please talk with every other SMB owner? :)

Appreciate your great feedback - this has some Microsoft eyes on it.

 

-Sonia


Hi All,

 

As one of the Product Architects of Microsoft 365 Business, I want to chime in and assure everyone that we are actively reviewing all feedback. So please continue to give us feedback, especially focusing on what scenarios you would need Conditional Access for from an SMB perspective. Customer examples will help greatly in building the case.

 

Thanks!

Ashanka


Hey Mark, what basic conditional access rules are you looking to set? Could you give me your list?

I'd really like to see conditional access included with M365 Business. It's a deal breaker with a lot of my clients because they have compliance requirements that can't be met without it. They are still small businesses (as little as 10 users) so M365 E3/5 is not something they would consider. So they continue on with on-prem networks.
I really wish Microsoft would get rid of the notion that SMB doesn't need a similar level of security as enterprise. They need it just as much if not more. I'd like to see M365 E5 at all my clients regardless of size but the price is just too high. Why do you need to be enterprise to enjoy the benefits of Defender ATP? Everyone should have that because that's what it takes to adequately secure a Windows computer. SMB might not use every feature they get in that sku but that's OK. It just means less cost to Microsoft to provide it.
Microsoft needs to eliminate the barriers to the high quality products available in the enterprise SKUs and make them available to everybody.
As it stands right now I can't sell M365 Business to anybody because it's too crippled. It's close but just doesn't strike the right balance. Maybe have a M365 Business Plus that is just M365 E5 with a 300 seat limit. Throw PowerApps P1 in with it and you'd have the perfect complete product for SMB.

Agree with many of the points. My thoughts:

 

For SMBs, we need to focus on simplicity. So we have:

1.  Business Premium as a Premium Productivity Offering

2.  M365 Business as a Premium Productivity plus Security Offering

As a Security Offering, it should be a No Compromise SKU. So it should have everything which an SMB would essentially need to address Security needs. I would look at a complete EMS E3 bundle to be included. It makes sense to tell the Customer that he will get:

O365 Business Premium plus Complete EMS E3 plus Windows 10 Upgrade


The other CA piece that is becoming more important is the browser condition option in client apps. A large portion of non-MS SaaS apps customers are using are browser only on PC so being able to control the non-app apps the same way that we can control other conditions would be welcome.


David, you can do this by purchasing Business Premium and then adding an EMS E3 license to the user; it comes out to around $1 more.

I would like to allow ActiveSync on only MDM devices (corp) and block it on all MAM ones (BYOD).

Adding my thought on this. I agree that for SMB it needs to be simple and easy. What my customers ask for is not that complicated really. They need a user baseline policy (like we have for admins) that allows them to do the basics.

 

1. A policy to BLOCK basic auth. That SMBs are not able to block basic auth today is a big risk.

2. A policy to require Managed Device or Managed App or MFA  

 

If we could have these 2 policies that would cover more than 99% of the requests I get. 

 

Note: I do know that SMBs can use authentication policies in ExO to block basic auth, and that they can block basic auth on SharePoint/OneDrive. But that is by a method that is too complex for an SMB customer.
@Sonia Cuff @Ashanka Iddya 
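
The two baseline policies requested in the post above, written as Conditional Access policy definitions for the Microsoft Graph PowerShell SDK. This is an added example, not part of the original thread; it assumes a tenant licensed for Conditional Access, and the display names and the emergency-access account placeholder are illustrative.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and a
# tenant licensed for Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded so a misconfigured policy cannot lock every admin out.
$breakGlassId = '<EMERGENCY-ACCESS-ACCOUNT-OBJECT-ID>'

$users = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
$apps  = @{ includeApplications = @('All') }

# Policy 1: block basic/legacy authentication. 'exchangeActiveSync' and 'other'
# are the client app types that cover clients not using modern authentication.
$blockLegacy = @{
    displayName   = 'Baseline: block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: modern-auth sign-ins must satisfy at least one of MFA,
# an Intune-compliant (managed) device, or an approved (managed) client app.
$requireManaged = @{
    displayName   = 'Baseline: require managed device, managed app or MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice', 'approvedApplication')
    }
}

foreach ($policy in $blockLegacy, $requireManaged) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0} -> {1} ({2})' -f $created.DisplayName, $created.Id, $created.State
}
```

Both policies are created in report-only mode; review the sign-in logs for the reported result before changing `state` to `enabled`.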


@Ashanka Iddya 

As @David Bjurman-Birr explains crystal clearly:

"Additionally, the security and compliance protections in Intune can be bypassed if a user is allowed to connect to the services with a native app. CA is necessary to prevent this security loophole."

Application protection policies will be useless. Am I wrong?

You can block Basic Auth on the service level and only allow Modern Auth on ExO. That will help a bit.
But iOS supports Modern Auth. And Nine for Android does. So it is not good enough.

@Jan Ketil Skanke 

And the winner issss:

Am I wrong or not?

Policies will still apply to the Office Mobile apps like OneDrive, Teams, Word and so on. So I would not say useless. But I would also not call it a security feature at that stage.

@Jan Ketil Skanke 

Thank you for your answers.

What I really mean with "useless" is that to protect mail with MAM, I should force the use of protected apps.

If I create an app protection policy and I cannot apply a conditional access policy, then the user can use native email apps to bypass my protection.


@Mark Benton Replying to the opening because I think this is a unique ask.

If I don't have Conditional Access, then how do I block non-compliant mobile devices from accessing company data and services? Doesn't this nullify everything you're doing in Intune Compliance Policies if you can't do anything about a non-compliant device? I must be missing something.


@Mark Benton 

Hi I am a small business owner and I would like to say that it is hard to understand that CA has been left out of M365. We currently have Office 365 BP and subscribe to mobile security + E3 and one of the major reasons is to have access to Conditional Access. We have a number of contractors and staff we apply CA to, to satisfy our (sorry my) security paranoia. I have been looking at M365 and would like to get it but the cost of M365 + AAD P1 just does not stack up to me given the multiple double up of services. I understand bundling to upsize the sale, but it does not usually include so many redundant costs such as you would incur if you took M365 and AAD P1.  

In case this thread is still being monitored, I wanted to add my input to this request also. CA is really non-negotiable for any SMB serious about security today (and that is getting to be more of them than not). I have some specific use cases outlined here, that I would be glad for you to review: https://www.itpromentor.com/conditional-access-faves/


@Ashanka Iddya 

 

We had users on Office 365 Bus. Premium and were blocking access to users without a device password using the basic Office 365 MDM. We recently upgraded all users to Microsoft 365 Business and need to move our users to Intune (for some other functionality). We were unable to replicate the basic password enforcement policy we had on Office 365 MDM. We called support who said we needed to purchase either an Azure AD Premium or EMS license just to get the same functionality (via conditional access). Seems unreasonable to have to buy two licenses (Intune + AAD/EMS) just to replicate a basic MDM enforcement policy.


@HTageldin 

 

If you want to do what you say:  put all of your customers on M365 Business and Azure AD P1.  You don't need EMS.  You get all of the tools you need to lock your tenant down.  It sucks that we have to pay for Azure AD P1 but conditional access makes it worth it.  Hopefully they add it to M365B -- then all small businesses have the tools to protect themselves provided they know how to configure it properly.

Conditional Access is now included in M365 Business :)

@Ashanka Iddya Thank you .. this is proof that Microsoft listens to feedback for sure: 

https://techcommunity.microsoft.com/t5/Microsoft-365-Business-Blog/Conditional-Access-is-now-part-of...

 

Finally we can have awesome security for SMB customers as well!! 

Ashanka, you are my hero today. Thank you for going to bat for us on this request, so nice to have Conditional Access included, and glad that MS is listening. As regards security, obviously this is a huge step forward for us and I am grateful. I have one other thing to bring to the team’s attention with regard to the security features included, however, which is summarized here: https://www.itpromentor.com/assume-breach/

Thanks again for your hard work.