The paradox of the licensing bundle

Once upon a time a Microsoft licensing specialist (job title)-with certificates, plaques (licensing expert!), the whole 9 yard, I find myself dumbfounded.

Not because #microsoft did something wrong. Not because Microsoft’s intentions have swayed from customer value. In fact, Microsoft’s focus on assisting customers deploy all the products and features they possibly can seems to prevail today too.

But herein lies the problem. Is the fact that your #enterprise agreement commitment, or your online subscription agreement, includes a product a valid reason to deploy it? Sure, you paid for it. But is this the value you sought.

The analogy to food is good. Always is.

A few years ago I decided to offer my mum the chance -hum hum, the privilege (!) to become my neighbour to avoid seeing her growing old and frail 3000 kms away. I now regularly demonstrate love as a son can do. You know that means brunch. Fixed price, all inclusive, eat as much as you can. Mama likes it.

The people love it too. Wave after wave. If you have not seen #thewalkingdead , don’t. Save yourselves 8104 minutes. Go to brunch. It looks and for the most part sounds the same.

Now, part-way through my first serving I realized that the bread was a little dry. The salmon has a colour I did not entirely like. The eggs were very possibly too warm. My mushrooms and courgette had stayed in oil too long. And the coffee was unmistakably 星巴克 . I paid for all this, remember? Twice 33 Euros. That is 66 Euros for the mathematicians out there.?

Here is the moment I will be testing your attention. Did I go again for a second serving and third serving like the other zombies? Did I rupture my intestines or caused my liver agony by eating too much? Did I seek poisoning by eating more suspicious fish? Or attempt to give myself an ulcer with a 3rd cup of coffee?

No, I did not. Because I recognize that the components baked into that overall value-proposition where -individually, not representative of the standards I strive for [not because I am a posh narcissist but €33 for b’fast is a lot, even in Germany!]

Now you ask? What about #Microsoft #licensing ? Is this blog post going to help me optimize my licensing spend? Is this an asset for my #softwareassetmanagement (no pun intended) endeavours? The answer is no. I have been out the game too long. But this may be breadcrumbs to follow as you invest in your Microsoft estate and strive for the best #security posture. We’ll focus on #authentication in particular.

I would like to call the #microsoft365 Business plans to the stand first.

Ranging from business basic to business premium, they are meant for companies with up to about 300 which is the upper limit for the optional defender subscription.

Having worked with a lot of our mid-size companies in Europe I am confident that the Microsoft 365 Business Basic plan offers everything users will ever need for the price of an excellent Costa Coffee per month per user. It even includes the Microsoft Authenticator which delivers a somewhat effective protection against brute-force-attacks.?It is included. You should deploy it. It is paid for already. Right?

But what does that mean? Is it really that simple?

Deploying the paid-for authenticator tool kindly provided by Microsoft introduced a dependency on something called #azuread where your digital identities are created or synced if you have Active Directory on-premise. AzureAD a.k.a AAD is also kindly provided at no cost to you. It’s included, and it must be used to use Microsoft 365.

With that, you can enforce MFA for all users using a mix of push authentication (via the app), SMS and phone-calls as second factor of authentication in addition to poor old password.

And already you must be fidgeting. Let me replay some Q&A we got for you here:

Q: “what can I do if my users do not have company smartphones?”

A: “ See that they have access to feature phones or landlines to receive SMS & phone-calls”

Q: “The Cybersecurity and Infrastructure Security Agency (land of the free) degraded push and SMS as not secure. What about phone-calls?

A: “We have not seen guidance or appraisals for receiving one-time codes over a phone-line”

Q: “We only have 20 users, it may be easier for us to buy smartphones. What else do you need?”

A: “ A Business Premium plan”.

And this means that either you find a way to leverage the devices you have already like your PCs, your MACs and handhelds to perform MFA or you’ll find yourselves with partial MFA roll-outs with varying user journeys and security levels for different groups of users. Or you can suck it up and buy smartphones to every one of your users.

You could also decide not to use what you have already with your equipment, not buy smartphones and acquire, manage and continuously replace USB key or tokens. But why...?

The long and short of it is that MFA is hard to achieve for most.

The €13 per user per month upgrade to Business Premium

Assuming your regular users aren’t doing great publishing work or database development, you’ll be paying about about €5 per user per month for Microsoft Business Basic.

By equipping your users with second devices such as smartphones [still assuming you did not opt for intensive USB/tokens logistics] in addition to their work provided desktops, laptops or tablets you are introducing a terrible challenge for the security and confidentiality of your data. Your attack surface doubled.

There are way to mitigate this challenge. A recommended course of action would be to deploy a Mobile Device Management solution or #mdm. With this you can bring non-intrusive controls to what happens to your business apps on second devices. With an attack surface that has now doubled you may also want to consider a better defence with something like Microsoft defender. Anti-virus, threat detection etc allow you to add a lot of complexity to your daily work. You are now likely looking for a junior IT security analyst. You only wanted 20 smartphones. Get the T-shirt.

Microsoft markets an incredibly well-priced bundle for this scenario called Microsoft Business Premium. There are multiple advantages to choosing this edition. Everything is included. Eat as much as like. It’s all paid-for.

Great content in GERMAN here for our German friends, courtesy of Sylbek Cloud Support.

It includes MDM, complex and adaptive threat prevention as well as advanced features for multi-factor authentication with the AzureAD P2 premium plan. These features including risk-based access (included in AAD P1) and the elevated AAD P2 conditional access functions. They are great-add ons if you are sized meaning staffed for it. With great planning required, you can customize rules to allow MFA prompting in some scenarios, blocking authentication in others or getting your admins involved. They have time...

This does not impact the strength of the authentication though or how likely you are to be phished but it will diminish again the chances of a successful brute-force attack. They are great controls and find a natural place in the customer’s ecosystem. The deployment of these features is highly recommended by Microsoft, its distributors and #microsoftpartners . Rightly so.

The upper limit for companies whishing to adopt the Business Premium plan is 300 users. Thereafter come the so-called enterprise plans.

?

The enterprise plans

The larger Microsoft customers can choose to subscribe to Microsoft 365 via the Microsoft 365 E3 and Microsoft E5 plans whereas the Microsoft 365 F3 is a less comprehensive bundle for lighter or part-time users. The latter is here not in focus.

Microsoft has created very compelling offers in this 300+ users space too with a one-stop shop approach to a very rich set of enterprise requirements ranging from productivity to MDM and security. Whether customers want to entrust Microsoft -or any other outsourcing partner, with all this is out-of-scope but one can only ponder as to the trust models applicable to such a relationship. #zerotrustsecurity it could not ever be because #zerotrust cannot be reduced to always verifying. Right?

Similar to how SMEs can choose the “eat as much as you can” model of the Business Premium license, can enterprises do the same with the E5 plan. With the same paradox of how much over-encumbrance one can create for the wider IT function. But all of that being paid for and with a team of Microsoft professionals compensated for what you deploy it may seem inevitable. Just like heart-burns after brunch.

Financially, the gap in subscription costs in between the well-furnished E3 plan and the E5 suite is substantial with a whooping €18 per user per year. With a focus on authentication in particular this all becomes very expensive with a starting point of about €70 per user per year (get your own costs here)for the costs of passwords alone before AAD P1 and AADP2.

In fact, working with our insurance partners we know that the difficulty and the cost of deploying MFA -even the "free" ones, remain challenges for most companies, small and big.

The MS(S)P opportunity

The #msp (Managed Service Provider) and #mssp ( Managed Security Service Provider) community is central to how customers can adopt new solutions. By being both the carer and protector of the said solutions, MS(S)Ps often times bundle various solutions to offer alternative offerings too.

It is not rare for example to see MS(S)Ps work with ingenious components from best-of-breed 3rd party vendors (i.e not MSFT) to offer a Business Premium or E5 breadth of service all the while delivering greater efficacy and better protection.

Conversely, MSPs are also able to directly benefit from the enlargement of their portfolio to 3rd party vendors. Once a customer has subscribed to a premium or E5 plan, there is very little scope for additional value. It’s all paid for already! There is nothing else to sell that does not require a (long) project. And not all clients will do CRM, BI, AI and whatever else on Microsoft. Few MS(S)Ps have appetite for this type of work either.

But any MS(S)P can have appetite for MFA from IDEE. AuthN from IDEE is the MFA that can be rolled-out almost instantly, does not require any second devices and eliminates user passwords. It is fully compatible with AAD P1 and P2 features and does not require the MS(S)P or their customers to change IAM processes. Because of this AuthN by IDEE is a simple way to generate double-digit growth for the MS(S)Ps while generating the potential for even deeper client-side cost savings. Everyone wins.

Now, if you are a MS(S)P reading this and think about how this can help your clients win too, you’d be right. Please get in touch and see how you can help your clients save a lot of time, frustration and money by adding MFA from IDEE to your service provision.

If you are a customer, ask us to recommend one of our existing MS(S)Ps and see how much money you can save by enabling phish-proof authentication for your Microsoft estate (on-prem too).

If you are Microsoft reading this, please ask us for a channel only OEM license to protect all your customers globally.

If it is you mum reading this, we should do brunch again!

The views expressed here are my own and this article is not guaranteed free of errors. Feedback welcome.