How to become non-compliant with Microsoft 365

01 May 2020
5 minute read
Microsoft

The general rule is that it’s difficult to become under-licensed for SaaS applications, so you’ll be pleased to know that Microsoft have found a way when it comes to Microsoft 365 license compliance!

What’s the deal?

There are a significant number of Microsoft 365 security and compliance services that, in Microsoft’s words, “are not currently capable of limiting benefits to specific users”. This means that when you turn on one of these services, it is turned on for ALL users on that tenant, whether they have a license or not.

Microsoft’s (slightly passive-aggressive) note goes on to say that actions to prevent this “…will help avoid potential service disruption to your organization once targeting capabilities are available” – a clear indication that they’re working towards auditing organisations for this type of usage. I’ve been saying for a while that there are several cloud-based Microsoft licensing non-compliance issues on the horizon and that it’s a case of when – not if – Microsoft start auditing customers for them.

There are 22 products listed on the Microsoft Docs page that explores this topic, including:

  • Advanced Threat Protection – both Azure & Office 365
  • Microsoft Defender Advanced Threat Protection
  • Office 365 Cloud App Security
  • Insider Risk Management

Where do the problems lie?

There are 3 main questions you need to be able to answer to identify and maintain/rectify your compliance position:

  • Are these services available to me?
  • Have they been turned on?
  • What exactly is included?

Are these services available to me?

Many of these products are sold only within the various bundles and suites now on offer, making it hard to know whether you’re even licensed for them. For example, Information Protection features are included within:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E3/A3/G3
  • Microsoft 365 F1/F3
  • Microsoft 365 Business
  • EMS E3/E5/F3
  • Office 365 E5/A5
  • Office 365 E3/A3
  • Office 365 F3
  • Azure Information Protection (AIP) Plan 1
  • Azure Information Protection (AIP) Plan 2

Even if you have only 1 of the above licenses, the service can be activated for all your users.

Licensing of Microsoft’s security products is far from straightforward – partly because they have a lot of separate products and services but also because of the way they’re packaged. There have been several changes to the line-up over the last couple of years (with another just last month) and some of them are bundles which contain other bundles – “licensinception” if you will. Throw in a few name changes and voila – a perfect mix to create confusion!

Have they been turned on?

This isn’t something ITAM can find out on their own – it will be the remit of another team, possibly several other teams. The services listed deal with a variety of areas including:

  • Cloud security
  • Desktop security
  • Records management
  • Email
  • SharePoint
  • Information Protection

And so, depending on the size of your organisation, it’s not unlikely that there’ll be a few different teams involved in deploying and managing related services. You’ll need to identify those teams and work to build a relationship with each one so they can provide you with the information you need.

What exactly is included?

Referring back to the Information Protection example, although all those different licenses include Information Protection features, it’s not quite that straightforward. There is a distinction between manual and automatic sensitivity labelling, with the latter available only in a subset of the licenses listed above:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5 Compliance
  • Microsoft 365 E5/A5 Information Protection & Governance
  • Office 365 E5
  • Office 365 Advanced Compliance
  • EMS E5
  • AIP Plan 2

This means you need to identify quite specific usage in order to ensure that you’re fully compliant. That isn’t something ITAM can do, nor should they be expected to – it is another case for inter-departmental co-operation.

Preventing the problem

Microsoft state that these services can all be restricted via a range of technical measures – configuring groups, policies and/or role-based access so that they include only the appropriately licensed users. As above, this will require a collaborative effort, both to set the appropriate restrictions initially and to ensure the policies continue to be maintained and applied correctly on a regular basis. The appropriate measures are listed against each of the products here.
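One way to carry out the review this section calls for, as an added example that is not part of the original post: it reconciles a policy’s scoping group against licence assignments using the licence lists from the post (academic and government variants folded into the E-SKU names), with users, assignments and group membership constructed for the example. In a real tenant those inputs would be exported from the licensing and policy admin centres by the teams mentioned above.

```python
# Added example, not from the original post. Reconciles who a policy is scoped to
# against who is actually licensed for the feature it switches on.
# Licence names follow the post (E-SKUs standing in for E/A/G variants);
# users, licence assignments and group membership below are constructed.

# Licences the post lists as including Information Protection features at all.
INFO_PROTECTION_LICENCES = {
    "Microsoft 365 E5", "Microsoft 365 E3", "Microsoft 365 F3", "Microsoft 365 Business",
    "EMS E3", "EMS E5", "Office 365 E5", "Office 365 E3", "Office 365 F3",
    "AIP Plan 1", "AIP Plan 2",
}
# Subset the post lists as including automatic sensitivity labelling.
AUTO_LABELLING_LICENCES = {
    "Microsoft 365 E5", "Microsoft 365 E5 Compliance",
    "Microsoft 365 E5 Information Protection & Governance",
    "Office 365 E5", "Office 365 Advanced Compliance", "EMS E5", "AIP Plan 2",
}

def reconcile(user_licences, policy_scope, required):
    """Compare a policy's scoping group with licence assignments.

    user_licences: {upn: set of licence names assigned to that user}
    policy_scope:  set of UPNs the policy (or its scoping group) applies to
    required:      set of licence names, any one of which entitles a user
    Returns (unlicensed_in_scope, licensed_out_of_scope) as sorted lists.
    """
    entitled = {upn for upn, lics in user_licences.items() if lics & required}
    unlicensed_in_scope = sorted(policy_scope - entitled)    # compliance exposure
    licensed_out_of_scope = sorted(entitled - policy_scope)  # paid for, not receiving it
    return unlicensed_in_scope, licensed_out_of_scope

# Constructed sample tenant: four users and one auto-labelling policy scoped to a group.
SAMPLE_USERS = {
    "alice@example.com": {"Microsoft 365 E5"},
    "bob@example.com":   {"Microsoft 365 E3"},             # manual labelling only
    "carol@example.com": {"Office 365 E3", "AIP Plan 2"},
    "dave@example.com":  set(),                             # unlicensed account
}
SAMPLE_AUTO_LABEL_SCOPE = {"alice@example.com", "bob@example.com", "dave@example.com"}

if __name__ == "__main__":
    exposed, unserved = reconcile(SAMPLE_USERS, SAMPLE_AUTO_LABEL_SCOPE, AUTO_LABELLING_LICENCES)
    print("In scope without an auto-labelling licence:", exposed)
    print("Licensed for auto-labelling but not in scope:", unserved)
```

Running the same check with INFO_PROTECTION_LICENCES shows the difference the post describes: Bob is fine for manual labelling but is a compliance exposure for automatic labelling.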

Conclusion

As buying higher-level licenses for a subset of users is common practice, most organisations are likely to face this potential problem with Microsoft 365 license compliance – so look at your Microsoft licensing position and start identifying the internal teams you will need to work alongside. Then add “correctly configured Microsoft 365 user policies” to your risk register as something to review every 3-6 months, and work on the processes to ensure smooth operation.

One point to consider is that Microsoft will have visibility of your usage within the cloud tenant so while they might audit you in August and find non-compliant usage, who’s to say they won’t backdate that to the start of the financial/calendar year? Where vendors have more visibility of your usage than you do, speed is of the essence.

Microsoft 365 license compliance: Further Reading

Microsoft Docs page
Microsoft detailed PDF
Microsoft detailed Excel sheet