Jan 05 2023 02:21 PM
Helping a company that has just upgraded some of its core users from Business Standard to Business Premium. Half of the team are part-timers who are on Business Basic licenses. I'm a Defender for M365 noob trying to get my head around Conditional Access, but all the guides I've found tend to concentrate on enterprise scenarios where most people are in an office on corporate-owned devices. The business is in serviced offices, so it doesn't have its own network; therefore, all the on-prem stuff is irrelevant.
Does anyone know of any resources on Defender for M365 that focus on small business/Business Premium licenses?
Here's the situation we're in.
The full-time staff have Business Premium licenses. Most are on company-owned devices but we've allowed a couple of them to use their Macs (bosses will be bosses). We also want to allow full-time staff to use their personal PCs (Windows or Mac) for emails and Teams. Not sure but there's a chance one or two of them might be on Windows Home devices so that wrinkle may need to be dealt with.
We also have a lot of part-timers, interns, contractors, board members, and other people with company email addresses on Business Basic Accounts. These people just need access to emails and maybe Teams. If you imagine them as being students in an education scenario, that would be closer to the mark in terms of access.
I've got the job of making this as secure as possible without significantly messing with the workflow. I thought it being a small company it would be an easy project to get my teeth into Defender for M365 but it seems there are more wrinkles than cloth here.
I've been looking at Conditional Access but it seems to be very 'user' based.
What I want to do is the following.
Automatically determine which users are on Premium licenses and set up some sort of lock/block/whatever for those on Basic so they can't use any Premium feature (is this step even necessary?). Can I even set up a condition based on the license used?
Detect whether the device of the premium user is using an Azure AD join and set up a policy for that.
Detect whether the device of the premium user is a personal Windows device (Azure AD Registered, not joined) and set up a policy for that.
Detect whether the device of the Premium user is using a Mac and set up a policy for that.
a) Is creating a CAP necessary to separate Basic from Premium licenses?
b) Am I taking the right approach here?
c) Can I auto detect the type of device/login method being used or do I need to manually set everything up?
d) How do I manage those Premium users with both corporate and personal Windows devices? I want different policies depending on the device used rather than the user. Is there a conditional setting I can use to say something like (if AzADjoined, do this; if AzADregistered, do that)?
I'm not necessarily looking for specific answers (though that would be awesome), just some good places to go to learn about using Defender in a small business setting.
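As an added illustration of the device-based split asked about in c) and d) (this is example code, not part of the original post or a Microsoft sample): Conditional Access branches on device attributes through a device filter, not on the user's license, so the script below targets one assumed group containing the Premium users and creates three report-only policies with the Microsoft Graph PowerShell SDK. The group ID, policy names and chosen controls are placeholders to adapt.

```powershell
# Added example: Conditional Access policies that branch on the device, not the user.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and a
# security group that holds the Business Premium users (placeholder GUID below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$premiumGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Premium users group

function New-DevicePolicy {
    param(
        [string]$Name,
        [string[]]$Controls,             # grant controls, e.g. "mfa", "compliantDevice"
        [string[]]$Platforms = @("all"), # device platform condition
        [string]$FilterMode,             # "include" or "exclude" (omit for no device filter)
        [string]$FilterRule              # device filter expression
    )
    $conditions = @{
        users          = @{ includeGroups = @($premiumGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = $Platforms }
    }
    if ($FilterRule) {
        $conditions.devices = @{ deviceFilter = @{ mode = $FilterMode; rule = $FilterRule } }
    }
    $body = @{
        displayName   = $Name
        # Report-only first: the sign-in logs show what WOULD happen before anything is enforced
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "AND"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1) Azure AD joined (corporate) Windows devices: require an Intune-compliant device.
New-DevicePolicy -Name "CA-Premium-Joined-Windows" -Platforms @("windows") `
    -FilterMode "include" -FilterRule 'device.trustType -eq "AzureAD"' -Controls @("compliantDevice")

# 2) Everything that is NOT a joined device (Azure AD registered personal PCs and
#    devices with no record at all): an exclude-mode filter also matches unregistered
#    devices, which an include-mode filter on the same attribute would silently miss.
New-DevicePolicy -Name "CA-Premium-Personal-Devices" -Platforms @("windows") `
    -FilterMode "exclude" -FilterRule 'device.trustType -eq "AzureAD"' -Controls @("mfa")

# 3) Macs, registered or not: platform condition only, require MFA.
New-DevicePolicy -Name "CA-Premium-macOS" -Platforms @("macOS") -Controls @("mfa")
```

Review the "Report-only" result column in the Azure AD sign-in logs for a week or two, then switch each policy's state to "enabled" once the outcomes match what you expect.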
Jan 06 2023 08:12 AM