The Confusing World of Microsoft 365 Security and Compliance Licensing
Software Licensing as Clear as Muck
Microsoft software licensing is an obscure science. The licensing professionals (for that’s what they are, seeing that they dedicate their working lives to the subject) are no doubt fluent in the topic, but the rest of us are driven to despair when we try to figure out exactly what licenses are needed to cover the functionality used by an Office 365 tenant.
That despair doesn’t cover branding inanity, like the silliness of renaming Office 365 ProPlus to Microsoft 365 Apps for Enterprise. That’s just another example of Microsoft’s habit of trying to rebrand well-known names for their own purposes (and confuse customers). Trying to make Outlook Web App (OWA) into Outlook on the web is another example.
Licensing Advanced Compliance and Data Governance
What I’m really concerned about is the licensing of compliance and data governance features. These features usually involve something like machine learning, automation, or an advanced implementation of a standard feature, like eDiscovery.
Two issues worry me: First, many of the advanced features don’t include code to check if a user has the necessary license to use the feature. Second, the lack of clarity on exactly what license (or license combination) is needed to use some features. To be fair to Microsoft, I see more references to their licensing page for security and compliance (see below) appearing in pages describing new features.
Microsoft Rules for Licensing Security and Compliance
Microsoft’s licensing guidance for security and compliance covers the licensing requirements for many features accessed through the Microsoft 365 Security and Microsoft 365 Compliance portals such as:
- Office 365 Cloud App Security.
- Information Protection.
- Information Governance.
- Records Management.
- Data Loss Prevention for Teams.
- Communications Compliance.
The page warns that “although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service.” In other words, it is the responsibility of tenant administrators to make sure that those who use a service have a license for that service, even if the service doesn’t check for a license.
Microsoft says: “Some tenant services are not currently capable of limiting benefits to specific users. Efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption to your organization once targeting capabilities are available.”
Microsoft is within its rights to demand payment (through licenses) for its services, but the nagging doubt exists in my mind that some Office 365 tenants might be inadvertently using services today that they haven’t licensed.
If Microsoft builds license-checking code (aka “targeting capabilities”) into applications, the best case is that those tenants will lose access to functionality that they use today. The worst case is that they’ll also receive a demand from Microsoft for payment for licenses consumed in the past.
The Need to Know Your Licensing
I don’t think Microsoft will come looking for backdated licenses, but the fact remains that it’s all too easy for people to use technology without being aware that they also accrue a potential liability. This underlines the need for tenant administrators to know what functionality is used and by whom. The licenses an organization bought when they began using Office 365 might not reflect the reality of today.
The same page includes a link to a PDF called the “Detailed Microsoft 365 E5 Licensing Comparison,” an eyechart of a document (Figure 1) that probably needs to be printed out on an A1 page to gain full visibility of the content. In a nutshell, the idea being conveyed is that a Microsoft 365 E5 license is the path to licensing happiness for the full spectrum of advanced security and compliance features.
New Compliance Licenses
On April 1, Microsoft repackaged its cloud compliance products by:
- Adding some new features to the Microsoft 365 E5 Compliance plan, like Advanced Audit (including the famous MailItemsAccessed high-value mailbox audit event), Insider Risk Management, Information Barriers, Records management, Rules-based automatic classification, and Communications Compliance. Some features are still in preview.
- Increasing the price from $10 user/month to $12 user/month. Microsoft says this reflects the increase in value of the features covered by the license. [Update: In an update released to partners on April 6, Microsoft said “given the difficult economic situation and current health crisis, we are no longer moving forward with this price increase. The… retail price… will remain $10 per user per month”]
- Adding three add-on products that are sub-sets of the full Microsoft 365 Compliance plan. These add-ons allow customers to license only the functionality they need. The three sub-sets are:
  - Microsoft 365 E5 eDiscovery and Audit ($6 user/month)
  - Microsoft 365 Insider Risk Management ($6 user/month)
  - Microsoft 365 Information Protection and Governance ($7 user/month)
In other words, if you’re interested in two of the three sub-sets, you’re better off buying the full Microsoft 365 E5 Compliance plan.
Microsoft hopes that the new offerings are easier to understand. Although it’s massive, the eyechart is a good checklist to understand where your tenant stands. Some Cloud Service Partners have already started to spread the news and explain how things work to their customers.
An Extra Two Bucks Isn’t Much (or Is It?)
Whether tenants consider the extra functionality to be worth an additional $2 user/month remains to be seen, especially as they need to start paying for licenses to test and understand the new functionality. Or maybe not, if the targeted capabilities for license checks don’t yet exist in those features.