Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Need some resources to help me with very SMB type questions about Conditional Access.

Copper Contributor

Helping a company that has just upgraded some of it's core users from Business Standard to Business Premium. Half of the team are part timers that are on Business Basic licenses. I'm a Defender for M365 noob trying to get my head around Conditional Access but all the guides I've found tend to concentrate on enterprise scenarios where most people are in an office on corporate-owned devices.  The business is in serviced offices so don't have its own network, therefore, all the on-prem stuff is irrelevant. 

Does anyone know of any resources on Defender for M365 that focuses on small business/Business Premium licenses?

Here's the situation we're in.
The full-time staff have Business Premium licenses. Most are on company-owned devices but we've allowed a couple of them to use their Macs (bosses will be bosses). We also want to allow full-time staff to use their personal PCs (Windows or Mac) for emails and Teams. Not sure but there's a chance one or two of them might be on Windows Home devices so that wrinkle may need to be dealt with. 
We also have a lot of part-timers, interns, contractors, board members, and other people with company email addresses on Business Basic Accounts. These people just need access to emails and maybe Teams.  If you imagine them as being students in an education scenario, that would be closer to the mark in terms of access.

I've got the job of making this as secure as possible without significantly messing with the workflow. I thought it being a small company it would be an easy project to get my teeth into Defender for M365 but it seems there are more wrinkles than cloth here. 

I've been looking at Conditional Access but it seems to be very 'user' based.

What I want to do is the following.
Automatically determine which users are on Premium licenses and set up some sort of lock/block/whatever for those on Basic so they can't use any Premium feature (is this step even necessary?) Can I even set up a condition based on the license used?
Detect whether the device of the premium user is using an Azure AD join and set up a policy for that.
Detect whether the device of the premium user is a personal Windows device (Azure AD Registered, not joined) and set up a policy for that.
Detect whether the device of the Premium user is using a Mac and set up a policy for that.

a) Is creating a CAP necessary to separate Basic from Premium licenses?
b) Am I taking the right approach here

c) Can I auto detect the type of device/login method being used or do I need to manually set everything up?

d) How do I manage those Premium users with both corporate and personal Windows devices? I want different policies depending on the device used rather than the user. Is there a conditional setting I can use to say something like (if AzADjoined, do this, if AzADregistered, do that?)

I'm not necessarily looking for specific answers (though that would be awesome), just some good places to go to learn about using Defender in a small business setting. 

1 Reply
Hi Daelos,

It's worth looking into Microsoft Defender for Business, which is basically enterprise-security for SMB (up to 300 seats). Furthermore you can do the following:

A: turn off services you don't want your users to use, you can do this from the m365 admin portal. E.g. turn off power automate and only use Teams & Exchange (be aware that Teams uses other services that might need to be enabled for it to function as expected)
B: I think you should only look at how the device is managed (unmanaged/managed) and use Intune to create specific protection policies for registered devices
C: Auto detect in Azure AD, see below response
D: You can use (hybrid) azure ad join as a condition to grant access to one or several apps for specific users (might use group-based licensing to seperate business standard and premium users)

This might be a useful resource as well: