Auto-apply labels in Security and Compliance Center

Copper Contributor

Tell me, why can a tenant with an E3 license subscription create a policy to Auto-Apply a label in the Security and Compliance center when auto-applying labels is only a feature available to E5 tenants?  Now I have a tenant who thought they would be able to find out how much PCI/PII data is being stored on OneDrive and SharePoint, when in fact they cannot because they don't have E5 licenses.  They have A3 (E3 for educators essentially) licenses.  The auto-apply policy could be created and deployed, but it's not doing a darn thing useful.

8 Replies

@Raechel Moermond,

 

This is something you see from time to time fairly commonly.

 

I will give you my own thoughts on it, please keep in mind I am not affiliated with Microsoft in anyway, but rather just someone who has heavily used O365 for the last 5 years.

 

I think it is ultimately two factors that lead to this.

1. It was coded that way in development: When the product was being put together/built, the focus is on getting the technology and the features to work and apply correctly. That is where the original effort gets put in. Limitations, specifically licensing ones are not in the original phases of development, but are added in later as the service/feature is built on.

 

Microsoft has a long history of this. Some other examples: There was no auditing on flow runs forever, even though limiting O365 Group creation was a premium feature you could still create it, Other premium group features were accessible to everyone through Azure AD regardless of your licensing, etc etc.

 

They develop the technology and get it to work, but dont provide the limitations around it (either in effect, or in your case by disclaimers/limitations to the admin functionality). Luckily they eventually get around to adding stuff like this normally. However I guarantee you will see more of it in the future.

 

2. They kind of want to show your clients this feature. Lets be honest, this is how allot of the security and compliance center has been since it became the security and compliance center. They show you all the bells and whistles, and what you can do, as they want clients to explore and see the power of them, but they do limit them behind licenses. They are a subscription based service. They want you client to know about labels, and that they can do powerful things like PCI compliance reporting. Now your client has that knowledge they did not before, and it is a business decision on their side if they make it or not.

 

Think about something like the secure score, that thing is FULL of e5 features and advanced options that are additional licensing.

 

Kind of annoying as a consultant I know, but I dont necessarily see them changing away from this anytime soon.

 

Adam

@Adam Ochs

Thanks for the reply Adam.  I understand wanting to showcase the bells and whistles and such.  I also think that if they are going to display these features regardless of what license is actually in a Tenant, some warning around it wouldn't be amiss.  For instance, when an admin clicks on auto-apply, a small pop-up that says "this feature requires an E5 license, do you want to continue" wouldn't be terribly challenging.  And it could pop up regardless of the license in the Tenant (so even if you have an E5, you would see the pop-up - then it's less logic around the pop-up).  If you're going to showcase the bells and whistles, let users know what they are actually capable of using.

 

Just my two cents - and it's not worth much more than that.

Microsoft is usually not enforcing licensing requirements for features, and yes, it's annoying at times. Even more annoying is that some features get enabled by default even when they depend on the license/SKU, but despite how many times we have brought this up, we haven't seen any results.

So you're saying it could work even with an E3 license because it may not be enforced?  That's almost worse.

I'm speaking in general terms here, but yes, there are many examples of functionalities that will work even when you have not applied the corresponding license. A basic example is being able to access SPO without a license - everyone in the organization can do so (unless restricted by the site permissions). What's worse is that you can still be flagged for license violations...

Based on my experience some features can get stuck in your tenant if you tried trial of higher plan. E.g. at some point we had E5 trial. It ended and we only had E3 licenses then. But safe links menu still was showing and allowed to create policies. Only when we had problems with safe links and i have filed a support request i was told we are not covered by our license. Although support specialist at first tried to fix our issue, but as nothing helped, just decided to disable safe links for our tenent as we shouldn't have it. We haven't received any note on violation or anything. 

@wroot- this tenant never had an E5 trial.  and another tenant I configured auto-labels on also never had an E5 trial.  It's just available to admins to create and it apparently may or may not work.  DLP for Exchange is supposed to require an Exchange Online Plan 2 license...but I have a tenant with a Business license (not Enterprise...Business) and they can create and use DLPs in the Security and Compliance Center.  Hell, there was one automatically created when we set up the tenant, and it applies to Exchange Online.  So it appears that license restrictions are a figment of the imagination.  Except, of course Exchange ATP - you don't see that unless you've actually been licensed for it.

Hey @Raechel Moermond,

 

That is something I have seen often too, they will add in the visibility and sometimes even functionality to everyone.

 

Like i said in in my first post often times this is corrected/fixed later (at least the functionality part is), but it does seem to be a common trend. Its frustrating at times, I know. In my job I have always been a consultant and having clients find something and then get upset when they don't have it is never the best experience. 

 

I learned ultimately to turn it into a positive. You are not the one making those decisions (on what to show), and I guarantee this will not be something you will always know about. First, educate the client that "this is often just how Microsoft roles out features, they want you (meaning your client) to see the new stuff in case you dont stay up to date on the press releases and announcements." You can use the opportunity to talk to your client about the feature set and what is possible. Maybe even offer to demo it out for them if they are interested in, take it as you doing your job as a partner and consultant to make them informed on what is out there, how its implemented and what the costs are. At that point you have done your job and its up to them to decide if they want to spend the money.

 

Once they accept that this is a thing Microsoft may (and does) do, you have provided real value, and shown why you will continue to do so for them. Man..... they could have been in a real bad place had they just blindly turn this on and expected it to work, and it had not, or even worse, it work for a month or two and then stop because they now have effective auditing. 

 

That is how I approach these things now, and why I have clients that dont like how this is handled by Microsoft, after a discussion (and maybe this is something you casually bring up during intros now), they understand that it is a thing, and value my eyes, expertise, and experience all the more for it.

 

Adam