Welcome to the first post of our blog!
Across New Zealand there are various bundles of licensing used, from Business Basic all the way through to M365 E5. A pricing sweet spot for security features is the Business Premium SKU. This includes a range of security features which can be used to help protect your organisation. This post is here to shine some light on the security features within Business Premium, and how they can be used to bolster your cyber security defences.
Microsoft 365 has various licensing options for smaller businesses, many of which utilise the Microsoft Business plans such as Business Standard or Business Premium.
Both Business Standard and Business Premium include:
- Exchange Online
- SharePoint Online
- OneDrive
- Microsoft Teams
- Microsoft Office (Desktop apps)
The Business plans are suitable for organisations with up to 300 users and are commonly used by New Zealand organisations due to their low pricing. One key difference between Standard and Premium is that Business Premium also includes a range of cyber security offerings.
What additional Security Features are included with Business Premium?
It includes:
- Entra ID Plan 1
- Intune (Business)
- Microsoft Defender for Business
- Microsoft Defender for Office Plan 1
- Microsoft Purview Information Protection
We’ll dive into each of these below.
Entra P1
Entra ID (formerly known as Azure Active Directory) is the core identity engine behind the M365 services. Entra ID P1 builds on top of the Entra ID Free SKU and includes several security features, with the key ones being Conditional Access and Self Service Password Reset.
Conditional access allows you to build policy around how your users access your corporate resources. Microsoft provides templates which can be used to build the foundational policies for your organisation. These templates aim to apply controls to different groups of users based on attributes on their accounts (e.g. administrative roles) or actions they may take (e.g. registering their security information). Conditional access can also be used to block older forms of authentication which are considered insecure and can’t have multifactor authentication applied.
Microsoft recommends the following policies as the foundation policies:
- Require multifactor authentication for admins
- Securing security info registration
- Block legacy authentication
- Require multifactor authentication for admins accessing Microsoft admin portals
- Require multifactor authentication for all users
- Require multifactor authentication for Azure management
- Require compliant or Microsoft Entra hybrid joined device or multifactor authentication for all users
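The following added example (not code from Microsoft or from this blog) audits an exported set of Conditional Access policies against three of the foundation policies listed above, and separates policies that are enforced from ones left in report-only mode. It assumes the policies were exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the helper names and the sample policies are constructed for illustration.

```python
# Added example: field names follow Graph's conditionalAccessPolicy resource.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph's legacy client app types

def enforced(policy):
    # "enabledForReportingButNotEnforced" (report-only) logs but does not block.
    return policy.get("state") == "enabled"

def users(policy):
    return policy.get("conditions", {}).get("users", {})

def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def blocks_legacy_auth(policy):
    clients = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return ("All" in users(policy).get("includeUsers", [])
            and LEGACY_CLIENTS <= clients and "block" in controls(policy))

def mfa_all_users(policy):
    return "All" in users(policy).get("includeUsers", []) and "mfa" in controls(policy)

def mfa_admins(policy):
    return bool(users(policy).get("includeRoles")) and "mfa" in controls(policy)

CHECKS = {
    "Block legacy authentication": blocks_legacy_auth,
    "Require multifactor authentication for all users": mfa_all_users,
    "Require multifactor authentication for admins": mfa_admins,
}

def audit(policies):
    result = {}
    for name, check in CHECKS.items():
        matches = [p for p in policies if check(p)]
        status = "not enforced" if matches else "missing"
        result[name] = "enforced" if any(enforced(p) for p in matches) else status
    return result

# Constructed sample export (not from a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]
print(audit(SAMPLE_POLICIES))
```

The check does not evaluate user exclusions or the grant operator, so review those separately for each policy it reports as enforced.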
Self Service Password Reset provides your users with the ability to change or reset their own passwords, without the involvement of a help desk. You can configure who is allowed to reset their own password as well as which authentication methods are used to reset the password (e.g. mobile notification, email, phone call etc).
Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr
Intune
While Intune isn’t strictly a security feature, it does provide a way to manage the security posture of your endpoints and mobile devices.
Devices can be automatically enrolled in Intune and then configuration profiles are applied to them.
Some common use cases are:
- Automatic enrolment of devices into Microsoft Defender for Business
- Deployment of Security Baselines
- Deployment of BitLocker Disk Encryption
- Deployment of Windows LAPS
- Configuration of Microsoft Defender
- Configuration of Attack Surface Reduction Rules
- Configuration of Windows Updates
- Deployment of Applications
- Deployment of Application Configuration on mobile devices
Microsoft Defender for Business
Defender for Business is the antivirus/endpoint detection tool to run on your laptops and desktops (it also supports mobile devices). We have commonly seen customers paying for a separate antivirus solution as they weren’t aware that Defender for Business is included in Business Premium.
Defender for Business sits between Defender for Endpoint Plan 1 and Plan 2: it contains the core features from Plan 2 without some of the more advanced features and capabilities. Defender for Business is aimed at organisations below 300 users, whereas Defender for Endpoint P2 is generally aimed towards larger enterprises.
Some of the key features from Defender for Business include:
- Enterprise grade protection for devices
- Next Generation antivirus protection
- Endpoint Detection and Response (EDR) capabilities
- Automated Investigation and Response (AIR)
- Secure Score for Devices
- Threat and Vulnerability Management
Customers have a few methods to onboard devices into Defender for Business; generally these are via Intune or Group Policy.
Servers can also be onboarded, however they will require a license to be purchased for each server (approximately $5/device/month).
Microsoft Defender for Office
Defender for Office is Microsoft’s email filtering solution. It adds an additional layer of protection to email and collaboration tools against the likes of phishing, business email compromise and malware attacks.
Some of the key features from Defender for Office P1 include:
- Safe Attachments
- Safe Links
- Safe Links in Teams
- Report Message Add-in
- Protection for SharePoint, OneDrive and Microsoft Teams
Microsoft Purview Information Protection
Information Protection offers organisations a way to secure and protect their data. The most common way we see this achieved within organisations is by applying sensitivity labels to data (such as Personal, Public, General, Confidential). You would then apply protection actions based on the sensitivity of that data.
Protection actions can include applying Data Loss Prevention (DLP) policies so the data can’t leave the organisation, or encrypting the data.
There is no one size fits all approach for Information Protection, and it needs to be designed based on what’s important to your organisation and how you would like to protect that information.
Security Ecosystem
One benefit of using all the products within Business Premium and the Microsoft Defender ecosystem is that they have a lot of integration with each other. One feature you can use to track your adoption and configuration of these features is Secure Score, which shows you how well you have adopted each feature and how secure its configuration is against Microsoft’s recommendations.
In Summary
Having learnt the difference between Business Standard and Business Premium, you can now see the enhanced security features Premium has to offer. Fenrir Security have deployed, managed, reviewed, and remediated many Microsoft 365 tenants over the years. If you are looking for some help adopting some of the features mentioned in this post, or would like to gain an understanding of the state of security in your M365 tenant, then please reach out to us via info@fenrir.nz for a chat.
We also offer a managed security offering which manages and maintains the security of the tenant, as well as dealing with any of the alerts generated by these solutions.
