SOLVED

Licensing Cloud App Security

Copper Contributor

I have a question regarding licenses in Office 365 and especially the special services Microsoft offers (for example Office 365 Cloud App Security). 

 

Do I need to license only users who use the Cloud App Security admin portal, or do I need to license every user actively using one of the Office 365 services. 


Also I am wondering what happens if i don't license a user properly in the second case, will his actions not be logged and used by Cloud App Security or am I violating the license terms and will the product still function. 

 

Any help or links to resources about licensing will be much appreciated.

8 Replies
best response confirmed by Toine Lambalk (Copper Contributor)
Solution

Like some features in Office 365, and many features in Azure Active Directory or the Enterprise Mobility+Security suite of services, you need to license every user that will benefit from the use of the services. It's a common misconception that you only need to license administrators for Office 365 E5 to cover the use of this functionality, but that is not the case.

 

There are, unfortunately, no technical gates in the product to assist you with license compliance or to prevent non-compliance.

Thank you very much for your response.

So if I understand you correctly, the product (in this case Cloud App Security) will function for every user even if you don't license them properly, but you will be non-compliant and violating the terms if you do so (which is probably even worse).

Unfortunately, that is correct.

"Microsoft Cloud App Security is licensed per user per month. All the users who are protected and covered with the Cloud App Security service, need to be licensed for full compliance."

 

From the comments by a Microsft employee - What is Microsoft Cloud App Security

 

By the way, make sure to check out - What are the differences between Microsoft Cloud App Security and Office 365 Cloud App Security?

 

Just to confuse matters, Office 365 Cloud App Security is part of Office 365 Enterprise E5 or an add-on, while the full-featured version, Microsoft Cloud App Security is part of Enterprise Mobility + Security E5 or as an add-on.

 

If I have a some administrators with Enterprise Mobility + Security E5, but the majority of users are Enterprise Mobility + Security E3, as I have now enabled MCAS rather then just using OCAS. Would all users need to be Enterprise Mobility + Security E5 to be correctly licensed, or do the E3 users just used to OCAS functionlity.

As it exists today, you would need all of those E3 users to either be upgraded to EMS E5, or purchase a standalone MCAS add-on license, assuming they're all licensed for EMS E3 (Office 365 user SL doesn't matter - different suite).

 

It's a fair amount of work - but you might also be able to use scoped deployment now to isolate the use of MCAS just to your administrators and users that you want covered. 

https://docs.microsoft.com/en-us/cloud-app-security/scoped-deployment

 

Thanks Wes, this is a great help. Is there a Microsoft document that explains this requirement, when you have a mixed E5 E3 licensing situation. It's something I've not been able to find.
Intermingling Office editions like that is, unfortunately, not well documented, and not something Microsoft does much to point out. At my employer, (Directions on Microsoft), we’ve written extensively on the topic of intermingling EMS and Office editions like this, and have had several reviews by and conversations with, Microsoft. In the case of AAD, it’s easy. They say “anyone who benefits from...”, which basically means if you turn on tenancy-wide features, everyone benefits, and you owe licensing for everyone. Office isn’t as straightforward, but all we’ve been able to extract says it works the same - and effectively all of the security features in Office 365 E5 are tenancy-wide - so if they’re on, licensing is required for everyone.
1 best response

Accepted Solutions
best response confirmed by Toine Lambalk (Copper Contributor)
Solution

Like some features in Office 365, and many features in Azure Active Directory or the Enterprise Mobility+Security suite of services, you need to license every user that will benefit from the use of the services. It's a common misconception that you only need to license administrators for Office 365 E5 to cover the use of this functionality, but that is not the case.

 

There are, unfortunately, no technical gates in the product to assist you with license compliance or to prevent non-compliance.

View solution in original post