In Scoring the Stack, Milo Sheppard breaks down Secure Score, from the basics to advanced strategies, with real-world examples and demos. You’ll find tips, tools, and quick wins to boost your security posture.
In this episode, discover what Secure Score is, why it matters, and how it fits into Microsoft’s Zero Trust model. See a live look at the Secure Score portal and learn how it supports compliance and proactive security.
In this episode, we’re covering Microsoft Secure Score: what it is, why and when it’s used, and why it can be valuable for your business. My background is primarily in MSP environments, with a strong focus on Microsoft Modern Work, including Intune, Entra ID, and some Azure, particularly Azure Virtual Desktop. I’ve worked across roles from help desk through to solutions consultant and architect, and now work with Inforcer helping MSPs get real operational value from the Microsoft stack in practical, scalable ways.
Microsoft Secure Score is a way of measuring a Microsoft 365 tenant’s security posture using a percentage score from zero to one hundred. That score reflects how well the tenant is configured based on Microsoft’s security recommendations and highlights risks caused by misconfigurations such as missing controls or weak policy settings. As recommendations are implemented, Secure Score awards points and increases the overall percentage. The framework aligns with Zero Trust principles under Microsoft’s Secure Future Initiative, focusing on verifying identity, enforcing least privilege, and assuming breach as a baseline security mindset. The score itself is calculated based on completed actions versus the total available actions, with weighting applied so higher-impact controls contribute more to the overall result.
Secure Score groups recommendations into categories such as identity, devices, data, apps, and infrastructure, each contributing differently depending on risk and impact. It also benchmarks your tenant against others of a similar size within Microsoft’s ecosystem, allowing you to understand how your security posture compares to peers with similar user counts.
Secure Score matters because it provides a simple, non-technical metric that makes security progress easy to communicate to customers and stakeholders. Instead of walking non-technical audiences through concepts like conditional access or EDR, you can show improvement through a single score that increases over time. It highlights low-effort, high-impact improvements, such as MFA adoption, which alone can reduce account compromise risk by approximately ninety-nine percent. The recommendations also support alignment with common frameworks like ISO, CIS, and NIS by guiding tenants toward broadly accepted security best practices, even where direct one-to-one framework mapping does not exist.
Secure Score enables MSPs to demonstrate continuous value by tracking ongoing improvements, responding to new Microsoft security recommendations, and adapting to new products such as Copilot and AI-related controls. It is increasingly relevant in cyber insurance scenarios, where insurers may assess Secure Score as part of renewal underwriting, potentially affecting premium costs if minimum benchmarks are not met.
Score calculation prioritises impact, meaning controls like enforcing MFA score higher than lower-impact settings such as mailbox auditing. As actions are completed, Microsoft detects the configuration change and awards points automatically. Scores can also regress if settings are removed, policies drift, or new Microsoft recommendations are introduced that are not yet implemented. The maximum achievable score represents full completion of all applicable recommendations, although reaching one hundred percent may not always be realistic due to licensing constraints or legitimate business requirements.
Within the Secure Score portal, tenants can view overall score, progress over time, benchmarks against similar organisations, top recommendations ranked by impact, and detailed history showing gains and regressions. Each recommendation shows its status, impact score, licensing requirements, associated product, and last verification time. Selecting an individual recommendation provides a clear explanation of the risk, current implementation state, prerequisites, and step-by-step remediation guidance, with direct links to the relevant configuration areas.
Secure Score allows recommendations to be marked as planned, risk accepted, or mitigated via third-party controls where appropriate, though only Microsoft-based remediation contributes points. History and metrics views provide deeper insight into score trends, regressions, accepted risks, and comparison against peer organisations over time. This makes Secure Score a powerful operational and reporting tool rather than a one-off assessment.
The key takeaway is that Secure Score is not just a number but a practical way to guide security improvement, demonstrate progress, support framework alignment, and communicate value to customers. Whether Secure Score is already part of your customer conversations or something you plan to introduce, it plays an increasingly important role in security maturity and cyber insurance discussions. The next episode will focus on how additional licensing can unlock further Secure Score improvements and how to manage scenarios where licensing introduces limitations.
In this session, Milo Sheppard breaks down how Microsoft 365 licensing directly impacts your ability to secure SMB tenants — and why the right upgrades can make or break your security posture.
In this episode of Scoring the Stack, we'll be talking about raising the bar: licensing wins and woes, basically how licensing can affect the features and recommendations available in Microsoft Secure Score, and how Secure Score can be used to talk to your customers about upgrading from your existing Business Standard or Business Basic estate to Business Premium. Quick hello from me. My name is Milo. I'm a Microsoft 365 solutions architect here at Inforcer. My background is in MSPs. I spent the last 8 years in a technical role, starting at the help desk. Most of that time was spent delivering Microsoft Modern Work projects focused around Entra ID, Intune, Conditional Access, SharePoint migrations, things of that nature. I used to do a little bit of Azure as well, focused mostly on Azure Virtual Desktop once COVID made that pretty popular. But now my job is really helping our partner success and sales teams talk technical with MSPs and making sure what we're talking about at Inforcer makes sense in the real world for MSPs.
So, licensing is a bit of a minefield really, and as technical professionals it's probably our least favorite thing to talk about. But here are some of the license tiers that we're typically working with: Business Basic, Business Standard, and we're seeing more of a shift to Business Premium now, as that's becoming a pretty attractive SKU for a lot of SMBs and for MSPs delivering Microsoft services to SMBs. You might be using some E3 or E5 type enterprise licensing for those extended feature sets, or if you have tenants with 300 and above users, but Microsoft is making some of those features from the enterprise SKUs a little bit more available for the business SKUs now with some of those add-on licenses, things like Defender Suite and Purview Suite, having those bundled up in a nice attractive $15 bundle as well. That really shows that Microsoft is starting to pay a bit more attention to the small to medium business space and offer some of those technologies that they have configured and working really well in enterprise environments, now available not just for enterprise customers.
So what does this mean for Secure Score, and how do the features within all of these licenses get impacted? Well, we've got different features across the different licenses: Entra ID, Defender, Purview, Intune. If you're on that Business Basic or Business Standard license, maybe you've had to add on a few of those things to be able to get those features, say Entra ID Plan 1 for Conditional Access, or Defender for Office 365 to get that mail and Teams protection. Different licenses have different impacts on what shows up in Secure Score, so the different recommendations we get, and it's not as cut and dried as you'd think. It's not a case of: if you have that license, you're going to see those Secure Score recommendations. We'll look at it a little bit more in the demo, but just because you have a license doesn't necessarily mean those recommendations are going to show up straight away, even if you've assigned the licenses. So as we move on here, let's think about some of the licensing gaps that are common in the MSP space. In my relatively short tenure as an MSP professional, most of those things come around Entra ID. Conditional Access is something that we're told to use more and more as MSPs to help secure our identities and make sure we're keeping on top of identity security for our customers.
But one of the things a lot of people miss here, and it's often overlooked, is that a single license that includes Entra ID Plan 1, for things like Conditional Access, actually enables the features across the board. As soon as you have a single license in there, those features get lit up, and this can cause a lot of problems: compliance issues for MSPs where those features can have users scoped in that aren't licensed for them. And you can get in trouble with the Microsoft licensing police if you have those users in scope of those policies and we've not licensed them correctly. So something just to watch out for there.
Another example of this is sign-in risk and user risk in CA policies. That's actually an Entra ID Plan 2 feature. Again, you only need one license for that to be available in the Conditional Access policy, but it could very quickly become a problem when you're putting users in scope of those policies that they're not licensed for.
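One way to catch the scoping problem just described (users in scope of a Conditional Access policy who hold no Entra ID P1, or of a risk-based policy who hold no P2), as an added example that is not Inforcer's or Microsoft's code: the policy, user and group records are constructed sample data shaped after Microsoft Graph's conditionalAccessPolicy and licenseDetails objects, and the service plan names AAD_PREMIUM and AAD_PREMIUM_P2 are assumed to be the P1 and P2 plans.

```python
"""Report users placed in scope of Conditional Access policies without the
Entra ID plan those policies require.  Added example, not Inforcer's or
Microsoft's code.  Record shapes follow Microsoft Graph's
conditionalAccessPolicy and licenseDetails objects; all values are constructed."""
from typing import Dict, List, Set

P1 = "AAD_PREMIUM"      # assumed service plan name for Entra ID P1 (Conditional Access)
P2 = "AAD_PREMIUM_P2"   # assumed service plan name for Entra ID P2 (risk conditions)

# Constructed sample tenant: user id -> UPN and the service plans from its licenses.
# u3 is on Business Standard (no Entra plans); u4 is an unlicensed shared mailbox.
USERS = {
    "u1": {"upn": "alice@contoso.example", "plans": {P1, P2}},
    "u2": {"upn": "bob@contoso.example", "plans": {P1}},
    "u3": {"upn": "carol@contoso.example", "plans": set()},
    "u4": {"upn": "shared-mailbox@contoso.example", "plans": set()},
}
GROUPS = {"g-finance": {"u2", "u3"}}   # constructed group membership

# Constructed policies in the Graph conditionalAccessPolicy shape.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u4"],
                              "includeGroups": [], "excludeGroups": []},
                    "signInRiskLevels": [], "userRiskLevels": []}},
    {"displayName": "Block high sign-in risk (finance)", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["g-finance"], "excludeGroups": []},
                    "signInRiskLevels": ["high"], "userRiskLevels": []}},
    {"displayName": "Old pilot", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []},
                    "signInRiskLevels": [], "userRiskLevels": ["high"]}},
]


def required_plan(policy: dict) -> str:
    """A policy that uses sign-in or user risk needs P2; any other CA policy needs P1."""
    cond = policy["conditions"]
    if cond.get("signInRiskLevels") or cond.get("userRiskLevels"):
        return P2
    return P1


def users_in_scope(policy: dict, users: dict, groups: dict) -> Set[str]:
    """Resolve the effective user set: includes (or 'All') minus excludes, expanding groups."""
    u = policy["conditions"]["users"]
    included = set(users) if "All" in u.get("includeUsers", []) else set(u.get("includeUsers", []))
    for g in u.get("includeGroups", []):
        included |= groups.get(g, set())
    excluded = set(u.get("excludeUsers", []))
    for g in u.get("excludeGroups", []):
        excluded |= groups.get(g, set())
    return included - excluded


def find_unlicensed(policies: list, users: dict, groups: dict) -> Dict[str, List[str]]:
    """Map each enabled policy name to the sorted UPNs in its scope lacking the plan it needs.
    Disabled policies are skipped; report-only policies are treated as not enforced here."""
    report: Dict[str, List[str]] = {}
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        need = required_plan(policy)
        missing = sorted(users[uid]["upn"] for uid in users_in_scope(policy, users, groups)
                         if uid in users and need not in users[uid]["plans"])
        if missing:
            report[policy["displayName"]] = missing
    return report


if __name__ == "__main__":
    for name, upns in find_unlicensed(POLICIES, USERS, GROUPS).items():
        print(f"{name}: {len(upns)} user(s) in scope without the required plan")
        for upn in upns:
            print(f"  {upn}")
```

Against the sample data this flags carol under the MFA policy (no P1) and both finance members under the risk policy (no P2), which is exactly the licensing exposure to fix before an audit.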
Another risk there is Defender for Office 365. It's a great platform for securing our communications with email and also Teams, and again, as soon as a license is added there and the policies are provisioned, it lights up all the features across the board, and actually includes most of the users by default if you're following a best practice configuration. So not having all of your licenses, and that can include things like shared mailboxes, if they're not licensed properly with the correct licensing, whether it's included in Business Premium or whether you've bolted it on as an add-on, again, potential trouble from the Microsoft police if you get an audit. Now, granted, Microsoft audits don't happen very often, but you or your customers wouldn't want to be caught short if it does happen to you.
Looking further then at things like Purview: we've got some great Purview features now available in Business Premium, and certainly some extended features with the new Purview Suite license that we can add on, bringing some of those enterprise features down into Business Premium. But again, there are some common gotchas. For the standard set of Purview features we get in Business Premium, which is sensitivity labels and data loss prevention policies, there are still some nuances about what you have available. For example, auto-labeling on the server side for sensitivity labels. We want to be able to label our data, especially in the wake of AI being a big buzz right now and customers wanting to see how they can use AI to make them more efficient in their day-to-day. We want to use things like sensitivity labels to help customers get control of their data governance. But being able to automatically label all their existing data is a feature that's actually reserved for a higher tier license SKU, so either the E5 security and compliance type add-on, or the new Purview Suite add-on. So again, just a few things to watch out for.
So how does this translate, and what can we see in Secure Score and in the different Microsoft portals, and how do those things show up? Let's jump over to an example and have a look at what's going on. This is my demo tenant that we looked at beforehand, and you'll see we've got a couple of different recommendations here. In particular I'm looking at this product area. So Defender, straight off the bat: we can see we've got Defender for Office policies showing up here because we've got some licenses for that. But you'll notice that even though we've got Business Premium, which includes Defender for Business, I'm not seeing any device recommendations for Defender for Endpoint here. That presents a bit of a problem. Why am I not seeing these? I'm licensed for them. Why can't I see them?
Well, if I look down here, let me take a look at my endpoint section, and let's go to device configuration. In fact, I'm going to just have a look at my device assets in the security portal. Not seeing anything here right now. I haven't actually onboarded any devices. And if I go down here and look at device configuration, there are a couple of other things that I need to do to actually get Defender for Business onboarded to be able to use these features and to get them to light up some of the features in the back end for the Secure Score recommendations to show up. So you can see that although I've pushed out some policies here, I've not actually necessarily configured this correctly. These are some of the Intune configurations for Defender. Again, just because I've got some of these rules in here doesn't mean that Defender is actually configured correctly to be able to see those things.
So if I'm just looking at the overview of my security dashboard in the Defender portal, I can see this endpoint's got a zero here. And if I actually drill further into that, I can see here are some of the recommendations that I want to see in Secure Score, but we've got this little unplugged icon, and it's saying there's not enough data to support this metric: you need to onboard a workload to activate this metric. So until I've actually onboarded some devices, those recommendations aren't going to show up. And what will this look like once they have shown up? Once I've onboarded some devices, what can I expect to see? Well, this is an example here. Once I've got some devices onboarded into Defender for Endpoint, I'll start to see that category of device showing up, and here are some of those recommendations showing up with their associated score. So, one thing to watch out for there, just one of those situations where just because you've got the license doesn't necessarily mean all the features in the back end have been lit up.
Let's go back to Secure Score and have a little look at some other recommendations I've got. I've also got one down here for information protection. Okay, I've got a license for that, and it's actually showing some of those recommendations already, so that's fantastic. So I could come in here and click Manage, and that's going to take me to the Purview portal. Let me pop to the one that I logged into earlier. So you can see here, as I come into the Purview portal, it's going to have taken me to the area where I need to be, which would be Information Protection and then Sensitivity Labels. One thing to note when you're using Purview for the first time: you will often see a little bar here saying "setting things up for the first time". Again, if you've not gone into the Purview portal before and it's not done that initial setup, you may not see those Secure Score recommendations show up at all. Now, I've been in here before, which is why I can see these recommendations now. But that takes a few minutes to set up from the off, and you might see it in a little notification here saying "setting things up for the first time". It gets you to wait a few minutes and then those will become available for you. But you can see I've got some sensitivity labels that I've created in here, and also I've got the ability to create things like data loss prevention policies. So I'm licensed for this because I have Business Premium. I've got some of those policies created, and those things are showing up for me in the Secure Score recommendations. So what's this one asking me to do? Extend sensitivity labels to the Microsoft Purview Data Map. Okay, so I've got some implementation steps needed here. So actually, for this particular one, I need an E5 license, something I don't have. Maybe that could be included in a different licensing set.
So again, just because I've got a license and I've onboarded it, it has given me recommendations for something that I don't have a license for. So, depending on which service you're using, there are nuances. There's no rhyme or reason as to which ones show up and which ones don't; it kind of just depends on the way that Microsoft has configured things. So keep an eye out for those things. Always read the Microsoft Learn documentation. They quite often have little messages in there to say, look, you need to make sure that this particular workload is onboarded before you do it. So if you think you should be seeing a recommendation and you're not, have a look at the documentation. If you're seeing a recommendation, don't always just assume that you can onboard it. Have a look at that licensing prerequisite and make sure that's enabled before you just go ahead and start putting users in scope of the policies.
We talked a little bit about Business Premium before and how that measures up against things like E3, and how you might be using those different licenses. A common case I see is that people use E3 licenses to give users bigger mailboxes: it comes with a 100 GB mailbox rather than a 50 GB one. It's a pretty inefficient way of doing things. A lot of the time you can actually just add on an Exchange Online Plan 2 license to a Business Standard or a Business Premium license to give you a little bit of extra mailbox usage there without having to fork out for that more expensive license. And actually, if we look at a comparison of the two, sometimes E3 is actually missing some of the features that Business Premium has. So you can see E3's got some basic Defender for Endpoint Plan 1 coverage here, but actually Business Premium includes some of the Defender for Endpoint Plan 2 features in their Defender for Business SKU, as they call it. So we get things like EDR, threat analytics, some automated investigations that we're not getting in E3. So even though it's a more expensive license, there can be some things that are more important to MSPs that are being missed out in those SKUs. E3 has got some more love in recent times; I know they've recently added some extra things like Remote Help and Intune Plan 2. But it's still worth watching out for those subtle differences. You don't want to move them to what you think is a higher tier license, but then miss out on some features that you want to use. This is M365 Maps. If you've ever worked with Microsoft licensing, it's very useful to come and compare all the different features from all the different SKUs. So, definitely recommend this one: m365maps.com.
So we've talked about licensing and the way that the different features can show different things up in Microsoft Secure Score and affect our recommendations and how we can implement them. But how can we use Secure Score to actually help upsell our customers from maybe a Business Standard or a Basic license to Business Premium, which gives us some of these extra features? What we can do is, using Business Premium, start standardizing on tool sets for our customers. Typically at the moment I see a lot of MSPs using Business Standard, or Business Basic in some instances, as their go-to licensing SKU, and they're filling the gaps in the other areas with third-party tools. So for things like manageable MFA, we might see them using Okta as almost a whole separate identity solution that they're syncing with Entra, or maybe using something like Duo to provide more centrally managed MFA. Other areas I see are Mimecast and Proofpoint, still used quite a lot, and these are good products. But if I've already got customers that are either paying for Business Premium, or I'm looking to move them up to Business Premium anyway to give me some extra features like Intune and Conditional Access, it brings so much extra functionality that you could maybe look at starting to reduce the cost of some of those extra tool sets. Another example is endpoint protection: we get Microsoft Defender for Business with Business Premium, and we may already be using tools like SentinelOne or Bitdefender or Huntress, or Webroot if you're still using that older technology. If I can reduce the cost of some of those tools and use Business Premium to offer that as a solution, it makes it easier to manage.
Because I'm standardizing on a Microsoft ecosystem, there's much better integration with all the different services. You'll start to see the services talking to each other a little better, so getting cross-referencing from Defender for Endpoint, Defender for Office 365 and Intune and other cross-functional bits. It makes it easy to consolidate your training as well: as you're training your staff, your technicians, they're able to focus on the Microsoft training and certifications and not be distributed across loads of different platforms and having to learn different acronyms for the way different vendors talk about things. And again, just a cost reduction across the board. Some of your customers might already be paying for Business Premium, and so if I can start to reduce and consolidate the tool sets, it makes it a lot easier for me to be efficient in the service that I'm offering and still be competitive on price. One thing I see quite often as well is MSPs will still be putting some of these services down as line items, where they'll put Mimecast or Proofpoint or Bitdefender as a line item on the invoice, and you're just putting it in as cost plus margin and not necessarily remembering that there's actually quite a lot of management time that goes into upkeeping those products as well. So think about how I can bring some of these services in and generalize things like mail protection, endpoint protection and identity protection, and build them in, whether it's a separate service with a management wraparound with some time built in, or whether I'm including that as part of my core service. I can start moving away from naming those specific tools and offering more of a service rather than just being a reseller of licenses.
We all know that there's not much margin in selling Microsoft licenses. We get 10 to 15% at best. So being able to offer a proper service wrap around that is really where MSPs are going to win with Microsoft.
And what are we missing out on when we're not using things like Entra ID P1, I mean things like Business Premium? Well, Conditional Access is one of the biggest things: being able to granularly manage my sign-ins and really control who's got access to what, from where, from what device. We get so much finer-grained control and better flexibility when managing our identities in the cloud. What else are we missing? Defender for Office 365. That is one of the best platforms out there now, not just for mail protection but also as a Teams protection platform. We get things like Safe Attachments and Safe Links that cover Microsoft Teams, which Mimecast and Proofpoint often don't cover. Teams is such a big part of our day-to-day working lives now; we're sharing files in there, we're sharing links, so not having protection there is kind of a big security gap. By default, I could probably go to most of your customers' Teams addresses right now and send them a message as an external party. That external communication is enabled by default, and I could start talking with them, sharing malicious links, sharing malicious files. So having that protection there from Defender for Office 365 is really important.
So you can start to use some of these recommendations you get in Secure Score, and the fact that some of your customers may have a lower Secure Score, to help you in those upsell conversations to Business Premium, while at the same time reducing your costs and still offering a fantastic service. It just gives you a bit more flexibility to chop and change what tools you're using. There might be a new Microsoft tool that you need to use in the future, or maybe it's not Microsoft, maybe there's a bigger player in the space 10 years down the line. We can still offer the same named service, and we've got the flexibility to choose our tooling without having to communicate that to our customers each time we want to make a change.
So some questions for you: what license SKU are you currently offering to your customers? Do you offer different licenses based on which package they're buying, or are you trying to standardize across the board? Is this licensing choice holding back your customers' Secure Score? Are you not able to offer them that closer-to-100% Secure Score? Are they still sat at that default 45% with no real way of moving them? Leave a comment. I'll be really interested to understand what licenses you're currently using, maybe in your own business and for your customers, and I'd love to continue the discussion down in the comments. The next episode will be Score Wars. We'll be taking a closer look at the different services feeding Secure Score, probably focusing specifically around Entra ID to start with, where that low-hanging fruit is, and how we can start to configure some of those real high-scoring recommendations to get some quick wins to get your Secure Score up.
Quick shout out to our YouTube channel. We've been releasing more and more videos over the last few weeks. We've got some fantastic videos from my colleague Tim, who's been talking about how you can defend, govern, and improve security, data governance and compliance within your Microsoft 365 environments, so definitely check that one out. We've got some more from Nathan, who's from our Australian office, talking about some market-specific stuff but also some common misconfigurations in Microsoft 365, which would be useful to any MSP looking to do more with Microsoft 365. And down at the bottom there, you can see we've got Lewis as well talking about the wonders of Business Premium, probably echoing a lot of the things I've talked about today, and really letting you know how you can make the most out of that fantastic SKU from Microsoft.
If you want to learn more about Inforcer, you can find us at inforcer.com. Check us out on LinkedIn. Or if you want to contact me directly to talk Microsoft Secure Score, Microsoft 365 in general, or anything to do with Inforcer, you can reach me at my email address on the screen. Thanks very much.