Episode 178 – Securing remote work using M365

In Episode 178, Ben and Scott dive into what you should think about when securing Microsoft 365 at a high level and run down the areas you’ll want to focus on first.

- [Ben] Welcome to Episode 178 of the Microsoft Cloud IT Pro Podcast, recorded live on May 15, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, Scott and Ben take a high-level approach and run down what you should consider when securing your Microsoft 365 environment, based on recently published recommendations from Microsoft.

- [Scott] Mic check one, two, three.

- [Ben] Mic sir?

- [Scott] Sure.

- [Ben] Are we checking for Mic?

- [Scott] Why not, let's do it.

- [Ben] We're gonna get Zoom bombed by mic.

- [Scott] That's how your week's gone, huh? I say my, I say mic check and you're gonna make mic jokes.

- [Ben] I'm gonna make mic jokes. You know what I got a lot of sleep last night after not sleeping the night before. So that may affect my sense of humor.

- [Scott] So either way you would have been grogging out of it. Love it.

- [Ben] Yeah, pretty much. However, I did make an upgrade to our home network today.

- [Scott] Oh, yeah?

- [Ben] Yes, I now have.

- [Scott] You renamed the WiFi from FBI surveillance fan to stay away there's COVID.

- [Ben] No, but that would be kind of funny. I now have redundant internet coming to our house. It was even more nerdy than renaming the WiFi.

- [Scott] Oh, cool. So you run everything into a router that's gonna support that failover for you then?

- [Ben] Yep, I have a UniFi USG, and it has a LAN. Well, so it has a LAN and WAN, and then a LAN slash WAN. So you can use it for whatever you want to. So right now it is set up as two LANs and I have AT&T going into one WAN, Comcast going into another LAN. And if one of them drops, it automatically fails over.

- [Scott] Perfect, can you bond those connections together and use them both at the same time? Or is just one strictly there for failover.

- [Ben] So technically, I could.

- [Scott] Technically.

- [Ben] Technically I could do.

- [Scott] I could have even more bandwidth. Like I can see you like the Infinity Gauntlet in your hand, you're just squeezing.

- [Ben] Yeah, I could do lots of things. So I did test it, I actually like reached over and just turned off my Comcast modem. And AT&T picked right up, and I turned it back on, it flipped over, I could see it in all the logs where it switches your primary WAN connection. However, what I think I'm going to do. So Dan Patrick, over at CES Alliance wrote an article about this on the Build Five Nines site. And he and I were actually talking about this and trying to figure out some of the routing. I think I'm going to stick a bunch of my family and streaming devices on one WAN connection, and keep the other one for work stuff now as all of that-

- [Scott] Gotcha.

- [Ben] All right?

- [Scott] Well, yeah, you might wanna just like separate them and keep them all on one and potentially do the failover thing, right? 'Cause then if you put one on one and one on the other, if one goes down then stuff.

- [Ben] So I think and I need to go through Dan's article and probably talk to him a little bit more about how he did it, is you can do both, where it still works as a failover. And you can have them on both VNet. So it's essentially like two VNets that, you can do policy based routing, but then it still will fail over when it fails over. I need to dig through all of it a little more.

- [Scott] Gotcha. Yeah, it's a little bit of a setup to do what he was doing. 'Cause yes, he was doing a couple things with like policy based routing on his USG user.

- [Ben] Yes, exactly. So I'm gonna go through that. I may try to do that because it would also help with my other problem is that Xfinity limits you to so much bandwidth a month.

- [Scott] Not right now, they don't.

- [Ben] Not right now they don't. But when they do go back, so I've been paying for extra because I have a tendency to go over my allocated bandwidth.

- [Scott] I do the same thing you do. Yeah, we're limited to one terabyte and everybody says, how do you go through a terabyte? Well, try having two kids at home who are streaming everything all the time. My job requires streaming like, what was I doing today? Oh, yeah, just doing some deployments and trying to test them locally meant downloading, not just a bunch of ISOs and doing installs, but full VHDs for environments. So those really don't like zip up and compress very well. So it's easy to blow through 20 gigs in a small download. And then you kind of do that every day a couple times. And it adds up quick.

- [Ben] Yeah. So see, what you can do is you can get redundant internet. Because now you're paying almost the exact same amount. And it's like five or $10 more to have a second internet connection. Technically, now, instead of paying $50 for unlimited, I just have two of them, and I have two terabytes, which I don't know that I've ever gone over two terabytes.

- [Scott] Only if you split your traffic the right way.

- [Ben] Right, so that comes back into some of those policy based, if I can split all my streaming over one, and all my work over another, I might be able to get away with dropping my unlimited internet and putting that money towards my redundant internet.

- [Scott] Interesting. I guess that works if you live in one of those magical places, so people internationally are laughing at us 'cause they're like, what do you mean magical place? Well, one of those magical places where you can have two internet providers. The neighborhood I live in is one of those magical places where it is Comcast or Bust.

- [Ben] I'm sorry.

- [Scott] Oh, well, I could get AT&T like DSL, but it's really, really, really slow. It's not worth it. I miss my days at firehouse, let's put it that way.

- [Ben] Fair enough. I like my Comcast, so I have the Comcast one gig. That's my plain one. And that also helps you go over your internet in a hurry when you can transfer data at a gigabit per second. You can blow through a terabyte really quickly. And then my AT&T is like 50 Megs, so that is most definitely my backup. And I don't know if it'll work for streaming we'll have to see. But that is my non Cloud related not news for the week.

- [Scott] Good for you. I'm glad you're geeking out in all the right ways over there.

- [Ben] Yes, I do. Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ins you'll ever need. The Save as PDF add-in is a best seller, and is great for project backups, legal discovery and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at SperrySoftware.com, S-P-E-R-R-Y-S-O-F-T-W-A-R-E.com, and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code, Cloud IT. That's Cloud IT, C-L-O-U-D-I-T, all one word at checkout. Sperry Software, work in email, not on email. So should we get on to our topic or do you have any not news you wanna talk about? Any Build sessions we should pay attention to now that the schedule's out?

- [Scott] So I haven't looked at the schedule for Build, but I did go through my Build attendee box and hang my lanyard up with all my other lanyards. I think there's gonna be in general, I think Build will be a little bit more developer oriented this year. It looks like it has less kind of market texture sessions. Like certainly there's the keynote and things in the beginning. But there's a pretty wide variety of sessions out there, wait, I think I saw in the catalog, they even have a couple of sessions on, like, dedicated to Rust. They're going in a certain way. If you are signed up for build, awesome, go take a look at the catalog. If you are not signed up for Build, go register and put that in and or go view any of the videos or things afterwards. It looks like they're limiting session registrations. So some sessions are filling up, which I find funny.

- [Ben] You know what I just realized, Build's gonna be over by the time people hear this, I think.

- [Scott] Yeah, well, well they can go watch the video soon.

- [Ben] Go watch the videos.

- [Scott] They will all be recorded.

- [Ben] Yes, if you're listening to this sorry you missed Build go find videos.

- [Scott] It'll come back around again. It'll be there someday.

- [Ben] Yes exactly. I did not get a Build box, I was not on the, I was not quick enough, I was too slow. Because it looks like they only sent those out to like the first few thousand attendees. I don't know how many the first few thousand is, but I was most definitely not in the box list. And I think I've seen some others that were not in the box list as well.

- [Scott] Gotcha. Yeah, I was so it was a, what was it? It was like a bamboo lunch box. It was some stickers, some socks, a lanyard and kind of a welcome to, oh welcome to Build card so.

- [Ben] Got it.

- [Scott] So it was a nice thing to get. But it's not like you're missing out on a free surface go or something like that.

- [Ben] Well, I kind of wanted the socks. But other than that, I'm fine. However, if you are listening to this, and you missed out on the Build box and you want swag, let us know via Twitter or Facebook or some way, go to the podcast, leave a comment. Because we have a ton of stickers that we don't have anywhere to give out because life has been canceled. And we will send you stickers because I have like 500 of them in my office and nowhere to go with them. So it's not Build swag, but we have swag, if you want it, let us know, we'll send it to you. Shameless self promotion of the podcast and our stickers.

- [Scott] Gotta do what you got to do.

- [Ben] Hey, it is what it is. All right, so our topic today, we previewed this topic last week. We said we would talk about it, so we probably should.

- [Scott] Okay.

- [Scott] Let's do it.

- [Ben] It's Friday afternoon. It's been a lot of time inside our practical guide. So this is all coming from one article that you sent me that I have not read yet because I am way behind on my RSS blog reading, or I just didn't see this. But this is a practical guide to securing remote work using Microsoft 365 business premium. So last week, we had kind of talked about, hey, Microsoft 365 business premium is not as bad as those business plans used to be, it's probably worth going out looking into, definitely a better service than it used to be with some of the changes, improvements, services they've added. And now there's this practical guide that gives you a whole bunch of recommendations, configurations, things to do to help secure that, especially in this world of remote work. So we said, we'll kind of talk through this if you wanna go out and buy Microsoft 365 business premium, you have under 300 users, and you wanna know the best way to secure it. Here is some practical guidance from an article and from the mouths of Scott and Ben, and we'll see if we agree with this whole article. You know, I think guidance is good. You always have to pick what you're going to implement there. I see a lot of folks who get very frustrated when service providers like Microsoft come in, and not sometimes only say, here's some guidance for you, but they potentially implement that guidance automatically. So maybe like turning on MFA for your accounts or things like that.

- [Ben] Or security defaults.

- [Scott] Or security defaults, what used to be baselines, yes, all those kinds of things. I think it's nice. Well, it's easy to fall into the trap of saying they keep turning this stuff on. So I'm just gonna ignore it and kind of go to the side, versus hey, they keep turning this stuff on, do I need to use all of it? Or should I maybe actually be using just some of it? Like, let me take a look at some of the things they're doing and see what needs to happen along the way, because your situation is gonna be different than mine. So when we break down some of the features, it's very much and it depends, or situational kind of choice for us to see where we wanna land out.

- [Ben] Right. So this article kind of walks you through, and this article does that a little bit too. It helps you think through some of it. So the first part has some of these steps and actually enabling it. There's seven steps that it walks through in terms of, like setting up your tenant, identity protection, email protection, information protection, Teams security, devices and remote access. But then as you go down, it also says so as you go through these phases, different companies, different SMBs, in this case, because we're gonna be primarily looking at under 300 users due to the license constraints, fall into typically two common scenarios, although there's probably people that fall somewhere in the middle of this, they want certain features, they don't want others, maybe compliance. But they have a normal scenario, which they consider a typical business that wants to enable secure, remote work, balance, kind of ease of use with security, and then a high risk for somebody that is really trying to maximize security, maybe they have HIPAA compliance needs or other regulatory requirements that cause them to need to be significantly more secure than they are normally or than they are by default. So it gives different settings and different things to think about in these two different scenarios. And like you said, you could fall somewhere in the middle, you don't necessarily need all of these, it's gonna guide you through what Microsoft might think you need, given one of those two scenarios.

- [Scott] And these aren't the only two scenarios that are out there. So I would also encourage anyone who's interested in security guidance for Office 365, or Microsoft 365. Maybe you're listening to this and saying, well, it's great that they enable these features for Microsoft 365 business premium, but I might not have all these features just with my Office 365 E3 or E1 or F1, whatever it is. They actually do publish way, they publish deeper guidance, and I wanna say it's way better. But it's much deeper guidance out there, for different types of organizations. So one of the ones that I like to go to for security guidance is one that's for political campaigns. So if you think about political campaigns, they're typically going to have not the most computer savvy types of folks who are gonna be your most high risk targets. Their job isn't to use computers, their job is to be politicians. And, you know, hopefully, most forward a little bit.

- [Ben] The ways we could go with this discussion right now.

- [Scott] I understand that, but I look at things like that. Like, it doesn't matter if you're a politician, or you are someone who works in the HR department at your organization, like you're probably not a computing expert there either. And especially with the tools that we give you with email, and SharePoint, and Exchange, and Teams on the back end, and Yammer and all these other things. So I think a lot of those guides are super helpful as well, so I'll make sure I put a link to, to that guidance out there. Like I think everybody should look at the one that's guidance for political campaigns and non-profits. Like take those two and and go through them and take a look at what's in there. And I bet no matter what your organization is, even if you're not a political campaign, like if you are an enterprise, a small business, a medium business, you will find some actionable guidance in there.

- [Ben] Yeah, well, I think that's a boat a lot of SMBs find themselves in. And I've had some clients too, that are not the 300. But they're five, 10, 15 employees, kind of like you said, they're not all computer savvy. They're not necessarily focused on security. Some of them may even be dealing with HIPAA stuff, you think about like a small dentist office or doctor's office or something like that, that these are gonna be really good guides for them to go through or to have someone sit down and go through with them, to really help secure their Office 365 environment, especially given the current state of things with everybody working remotely, working from home, maybe working on their own devices at home, there's a lot of things to still think about and consider for those types of companies.

- [Scott] Just a few.

- [Ben] So should we start working their way kind of through this article and talk through some of the things that they recommend?

- [Scott] Yeah, let's do it.

- [Ben] All right, so the first area, setting up your tenant, most people have probably already gone through this, they have one set up, if they don't, these are things you can think about setting up, or settings that if you do have it, you may wanna go in and think about going in to configure. So these are gonna be tasks that are typically done when you set up a new tenant, things that you think about them. Again, you might go through and change them. So this one when it comes to recommended settings for normal versus high risk, there actually is no difference. All of these sections are going to give you a table, and at the top, they have the task, and then a column for normal and high and then underneath they have an explanation of what you should do. So setting up the tenant, at least when it comes to just that initial setup, it talks about deciding between like hybrid and Cloud only. This one is really gonna depend not so much on if you should set it up or not, but if you have on-prem AD or not. I would argue, no matter who you are, if you have on-prem ID, or on-prem AD, you should be setting up hybrid, you should be using Azure AD Connect and syncing your tenant or your users up there. If you don't have a current AD on-prem environment, and you don't ever have plans for one or need one, there's no reason to do hybrid. So this one essentially says do hybrid, do Azure AD Connect. Yeah, as long as you have an on-prem AD controller, do it, do a password hash synchronization, enable Single Sign On, use your user principal name for your primary attribute, set up password writeback, so you can do your password resets in the Cloud. If you're gonna migrate email, you can think about that. And then set up your DNS based on what you're gonna use it for. That one is pretty straightforward in terms of setting up your tenant. And I think I don't have a whole lot on that, that I would say, think about other than do you have an on-prem domain controller or not?

- [Scott] Yeah, I think one consideration there is lots of people tend to read Microsoft's documentation, and especially in areas like hybrid identity. So you'll walk down that path, you'll say, great, I have on-prem AD, I'm gonna do AD Connect. And I'm never gonna do Cloud Identities for anything. Just make sure you leave yourself that Cloud Identity for a break glass account, or like emergency access to your environment. So don't lock yourself all the way out of your tenant, by doing something crazy along the way. But most of it's pretty straightforward. And AD Connect is about as next, next, next of an implementation that you can get these days. So especially if you just need it in its default state to get you up and go, and get your on-prem identity into Azure Active Directory, and then being able to consume those entities, so those users and groups directly within your M365 services or your Azure services, or other services.

- [Ben] And the other thing I would say is, so this gets kind of goofy. I don't know if this gets outside of SMB or not. But as you get further down through this article, it does talk about like Windows Virtual Desktop, for doing remote access RDP into those terminals using the virtual desktop. If you think you're going to go that route, which is like way down in the document, you may actually want to set up an AD controller, or an AD server in Azure. So just because you may be Cloud only, doesn't mean you don't want that domain controller up in Azure, especially if you are going to do Windows Virtual Desktop because right now some type of domain controller, either Azure AD Domain Services, or a standard domain controller is required. Truth be told, a standard AD controller is cheaper and it was. And is required.

- [Ben] And is required, while you can do it with Azure AD Directory services. But that one gets more expensive. And it's not quite as straightforward when it comes to setting things up, in my opinion as, just throw up a domain controller and sync. Through domain controller, cheap VM and Azure, sync it up to Azure AD with Azure AD Connect. And then you could do Windows, Virtual Desktop and some other things as well.

- [Scott] Yeah, your possibilities certainly start to open up.

- [Ben] Yeah, I actually have that running in my environment.

- [Scott] Once you give yourself some of that flexibility.

- [Ben] I'm just one person and I have it set up so I can play with stuff, test stuff out, use it for different things. So kind of once you have that setup it goes through some of the identity protection. This gets into what you said, plan for admin access, who's that admin gonna be? Like you said, do a Cloud account. Don't do all synced accounts. Set up some dedicated admin accounts. Don't make all your users admins. The one difference they have here is going security defaults versus conditional access for normal versus high risk. I would do conditional access for everybody. I don't like security defaults and 100% transparency.

- [Scott] If you're licensed for conditional access, it's going to give you the most flexibility. And flexibility in this case is gonna be really, really key to getting you going. And kind of being agile as you approach your implementation of zero trust and identity security within there.

- [Ben] And if you're talking Microsoft 365 premium, you're gonna have conditional access, because it's now included with all your Microsoft 365 business premium subscriptions. So I've seen people saying, hey, I wanna do MFA. Why is it only letting me do the app? And a lot of people didn't realize or didn't catch that when security defaults became the new default, that doesn't allow MFA with anything except the authenticator app from Microsoft. So that in itself is a reason to go to conditional access because how many times does the app not work, you're in a spot where your phone's not giving you a push notification, if you just wanna be able to log in with a text message, or you need to give somebody else the text message, for some reason to be able to log in as you and take a look at something. Not a best security practice, but let's face it, it happens where you need to give somebody the code so they can log in with your account for whatever reason, they're getting a text message, you wanna be able to pull a code off their phone, all of that you can do with conditional access. Security defaults, you're locked into that app.

- [Scott] Yeah, we'll just leave it as friends don't let friends do security defaults, if they have better options.

- [Ben] Yes, absolutely.

- [Scott] I think the thing there is really you're talking about kind of a range of functionality and the options that are in front of you. So depending on your licensing, should you wanna put yourself in a better posture, there is an option out there for you. It's just, it's like everything else. It has constraints and considerations. So are those gonna drive the right behaviors, or allow you to continue to do business the way you wanna do business? If the answer is no, then don't implement.

- [Ben] Yep, absolutely.

- [Scott] That's part about Cloud. Being really straightforward and self aware as you assess features.

- [Ben] Did you just use Cloud and straightforward in the same sentence?

- [Scott] I did.

- [Ben] It used to be.

- [Scott] Oh, come on, it still is.

- [Ben] Once upon a time. Okay, so what about email protection? Any thoughts on this one?

- [Scott] I think for most customers, like if you're looking at M365, hopefully you're looking at migrating the majority of your email traffic and mailboxes, and underlying workloads that are supported by those up to Exchange Online. I think you get everything into Exchange Online and it just makes your life easier. Whether it's storage, having access to potentially EOP or other types of filtering technologies that are up there. You can do like native Office 365 quarantine, you can still use other third party quarantine services if you want to, like if Proofpoint's your thing, then go ahead and do that. It's still super flexible for you. But I think it just gives you a lot more agility when it comes to kind of if anything, even outside the security, just mailbox management, 'cause you're not managing those on-prem Exchange environments anymore and worrying about how much space did I consume? Am I backing everything up the right way? Did we actually test our backups and restore, and all that just kind of falls to Microsoft, which gives you some more time in your day to do the important things. You just have to be aware again, of kind of like quirks of Office 365. And maybe the way like Microsoft automatically trusts other Office 365 tenants. So you might see weird spam in weird places, maybe you've got to configure some additional transport rules, but that's all pretty doable, and really, honestly well baked and well known at this point.

- [Ben] Yeah, and this one does have a lot of different settings that they have different recommendations for based on your normal and high risk. Some of their normal ones, I would take the high risk approach when it comes to some of those things like your DKIM and your SPF. I like my email secure. I feel like when you talk to different companies, that's the way most people get in, whether it's ransomware or getting user information or getting bank accounts. It is usually not because they guess your password. Well, that does happen. It is usually somehow through email that I feel like you hear about these breaches starting or that's where the information initially comes out. So my opinion when it comes to email is, I would probably go with some of the high risk scenario settings or all of the high risk scenario settings no matter what boat you're in, because that does tend to be a point of data leakage.

- [Scott] I think one thing to consider there is, lots of people look at maybe some defaults that are here. So like enable a transport rule to block auto forwarded email. Like, all right, that gets you a little bit of the way there. But let's be honest, transport rules are way more powerful than that. I recommend if you're looking, Microsoft doesn't give like great recommendations for default transport rules or like things you should think about implementing on top of that. Thankfully, we have fun folks on the internet, like SwiftOnSecurity, who have authored like GitHub repos that are full of just really awesome anti-phishing exchange transport rules, that you can go and implement. And you do that plus quarantine. And you're in just an awesome place for kind of cutting down on all the noise that comes through in your life and hopefully making everything better for those users along the way. Right, the more that you can filter out and be sure that it's gone, the less you need to be in front of your users all the time going don't get phished.

- [Ben] Yep, absolutely. Yeah, spend a lot of time on the email security is kind of what would come out of that. We'll put some links to some of that in the show notes as well. As IT professionals in the Cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex mess of metadata, in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com slash IT Pro. So the other area that's kind of along the same lines with email security is your information governance, especially if you're starting to put documents up in SharePoint, you have documents in your Teams files, which newsflash is also SharePoint, if people have missed that. So if you have files in SharePoint, even through emails, that information governance policies, some of the recommendations here, apply to all of the content. Some of it applies to Teams conversations, to, like we said, files, data in SharePoint, emails going out. This is when you're gonna start looking at setting up some of that data loss prevention. And they do have recommended default policies for data loss prevention.
And if you do need to go to that other level where you need to start putting things like HIPAA in place, or GLBA, or CCPA, although CCPA doesn't really apply to data loss prevention. PII, all of that type of stuff. There are a lot of pre-configured data classification types that are out there in Office 365, that you can configure to help keep that data from leaking out. So this isn't about a hacker getting in, or somebody sending you a hacking email as much as it is making sure you're not compromising information that you hold, whether it be on employees, or patients or anybody else. But protecting that with some of the data loss prevention, you have email encryption, so you can send encrypted email based on subject lines, based on auto detected information using something like sensitivity labels in Office 365. There's retention policies that can get put in place if you're in one of those companies where a law office or CPA where certain data has to be retained for seven years, or if you as a company didn't retain your financial data for seven years, and you wanna put those retention policies on data, you can set up retention policies, sensitivity labels, again, to classify data as a certain type of information, whether using some of those default sensitivity labels or creating your own, to really help categorize content that's within your Office 365 environment. And then apply policies to it to help ensure that that data is being handled properly.

- [Scott] There's way more to dig into on that one. I always think some of the compliance features that come up along the way, with, particularly once you get into like Microsoft information protection, it looks just like a race car zooming off into the distance, and you're kind of standing there going like, whoa, I can't see any, I can't see it anymore. And it's also an area that's rapidly changing. So the one thing I think, like when it comes to Information Governance, it's always a good idea to just do the kiss thing. Like, really keep it simple. Start small, and if you see something you don't understand or you don't know about, or you don't think it's helpful, like, just skip that for now. That's okay. Not a problem. Easy enough, you can always come back and do it later, or you can wait until there's more guidance out there. I think today, if you went and read, like the documentation for how to implement, like auto classification with sensitivity labels, you go cross eyed and just banging your head against the desk for a while. And good luck if you can actually get it done.

- [Ben] Yeah, and maybe it's my background. But even going through this, I would consider this one of all of their recommendations. The most complex and the most time consuming to properly set up and configure. Like if I had to go implement this for a company, this would probably be the first one of all of these, that I would go look for somebody that's an expert in information, government and or information governance, taxonomies, content management to help me with, because this is, this topic if you like more than other tends to involve different things with legal departments, with HR departments, understanding laws and regulations, and all of that. This is not a simple topic, in my mind, or as simple as all of the other security topics discussed. And like you said, just if you're gonna do it, definitely start simple and keep it simple. Even if it's just starting by encrypting email and giving users the option to throw something into the subject, confidential, whatever, and encrypt email with a certain information in it.

- [Scott] Yeah, I think it's a hard area to get into. Like I said, like the guidance there is rough in the Docs. And if you think about a customer implementation thing for just about all these other areas, we could say, hey, if you have enough seats, go and do FastTrack or something like that, like there would be somebody at Microsoft who could help you even from a first party vendor perspective, for all the time that MIP and information protection and all these features have been out, Microsoft still has not GA'd a compliance offering within FastTrack. Like they're getting ready to do it now. But it's been out for a few years, like in the field as a feature. So I think even from that side, you know, finding something outside of Docs or actual information, you're gonna be stuck with either blogs or consultants. And if that's not your thing, then just wait a while. It'll come eventually. Hopefully.

- [Ben] And if you love it.

- [Scott] I'm just hoping it will.

- [Ben] If you wanna get a little bit more of a complete story, I would say it is by no means an in depth, but we did have that podcast interview we did back at Ignite September, where we kind of talked through, kind of the roadmap 'cause this product has changed names. Its functionality has evolved. We have a whole podcast just on the whole AIP, MIP, whatever the first letter is, IP, roadmap story where this is all going, how it's all evolved. And a few more details about some of this stuff. So we'll link to that one in the show notes as well. As article keeps going, Scott. Well, there's a lot more there. You still got Teams, you got Device Management, you've got access to other apps.

- [Ben] Access to other apps, we should at least do Teams and Device Management, we're gonna lose our reputation for a nice 30 minute podcast. But security is important. Configuring Teams security. So some of this ties into your information governance, because you're gonna have the DLP and it ties into SharePoint security. But there's also different things you want to think about with Teams security. And there's a couple I wanna call out on this list in particular, or one is that, third party Cloud Storage. This is one a lot of people don't realize is that, by default in your Teams environment, if users go to files and add storage, they can add Google Drive, Box, Dropbox, and Citrix ShareFile. And I think I saw Egnyte is coming, not Ignite the conference, but Egnyte like E-G-N-Y-T-E I think.

- [Scott] Yes yep, that's gonna be a new one.

- [Ben] Those are all coming. And anybody in your organization by default can add those to a Team, sign up with an account. And all of a sudden, you could start ending up with files in one of these third party services. And not necessarily be aware of it, Microsoft does give you the option to go in and turn all of these third party Cloud Storage options solutions off within your Teams environment so users can't add them. That is one that their recommended settings for a normal scenario is to leave it as default let people do that. I would argue that that one should maybe even be off by default, because now all of a sudden you start having that information, data leakage into other services, especially if you're trying to get into the whole Office 365 ecosystem, do the DLP, setup the security, that's a big one in my opinion, in this list of recommendations.

- [Scott] I'm with you there, I don't think you enable that one by default, especially if you don't understand what Cloud Storage Services are being used within your organization. Now if there is any question where you can't walk in and say, yes, people are using Dropbox or Google Drive, or anything else, then you don't wanna just let them arbitrarily add that to Teams, and then have that option there where they can easily have exfiltration of your company's data out to those services. It's not that you still can't have that because obviously, they can open a web browser, they can drag and drop into Google Drive for whatever it is, but you're at least making them go through the extra hurdle of doing that until you can implement some of those other solutions, maybe like a CASB, or something like that.

- [Ben] Yep, couple other ones you may wanna think about is Guest Access, if you're gonna allow, allow your users to invite guests into your Teams environment. Teams environments to users, are users allowed to create teams on their own. If you're doing Office or Microsoft 365 business premium, you're gonna have EMS, which means you have AD premium, which means you can go limit group creation, which would in turn limit Teams creation, so not anybody could do that. External chat if you're gonna allow users to chat with other Teams users, external users, external Skype commercial users. And then you do have a bunch of policies, you can go configure as well around what people are allowed to do in Teams, in terms of what types of messages they can use, what types of add-ins they're allowed to use. Different settings there, but I think some of the users create Teams, third party Cloud Storage, and possibly external chat are some of the bigger ones there that you probably wanna think about going in and configure when you're getting going.

- [Scott] Yeah, I think they're the most light touch too. When you get into the messaging policies, there's so many of them. And I think it's easy to get lost in kind of the sea of configuration options that's available to you. And then once you go down the path of customizing messaging policies and meeting policies and settings and things like that around them. All of a sudden, you're off the beaten path. So you might not get Microsoft's defaults in the future. You have to pay attention when new defaults come, or those features that you want, don't want, which accounts do you apply them to? It's a lot more operational overhead for you.

- [Ben] Exactly. And then if you are using Teams, and there's involved with files, there's the whole SharePoint, to think about too, with the files in SharePoint. Device security, this one is also can be very complicated depending on what you wanna do with devices. I think there's some simpler things you can do there, especially with some of the main policies that we've talked about before. It's been a while, but there's a lot of things you can do around managing devices, without, sounds funny, managing devices without actually managing devices, and more managing the data and the apps that are on those devices.

- [Scott] Yeah, well, I mean, we've talked about that in past, I think it's all about your posture and, are you BYOD like, it was like how do you view that for your organization? And where do you wanna be, heavy handed or not heavy handed within there?

- [Ben] Yep, sorry. And it's not MAM anymore. If you don't look for MAM, look for app protection policies. And if you want the acronym for app protection policies, that's APP.

- [Scott] Yes, why would it be called the same thing that all the other vendors call it? That would be too easy?

- [Ben] Yeah, I mean, you do have Intune. So if you do wanna do the whole full blown Device Management, you can use Intune. You can do Device Management. Most of the time, like we said, that app protection policies and conditional access, combined can do a lot to really help secure your data when it comes to different devices, mobile devices, that type of stuff. So that's always where I start with clients. When I start looking at that is that app, those app protection policies and conditional access.

- [Scott] Yeah, I mean, they're easy to get going with, like they're nice, they're consumable, and to a certain degree, you can like next, next, next, your way through a lot of those.

- [Ben] Yep, absolutely. And then the last step they have in here is securing access to other apps. I would say this one also gets a little bit more complex, they start talking about split tunneling your VPN, setting up single sign on with third party apps, standing up Windows Virtual Desktop. These are gonna be a little bit more complicated. Some things may be a little bit more costly, something like Windows Virtual Desktop, while the licenses are free for Windows and the apps, you still gonna have to go start setting up Azure, paying for VMs, that type of stuff. I will say though, that Windows Virtual Desktop in terms of a configuration and standing up, is relatively simple. I've done it in about four or five hours. I actually have one set up right now that I was gonna use for a demo that I have like, five different test users, they can all log in, they can get into different desktops, use Office 365, use Teams. It's a nice solution if you're a small business looking for a VDI type solution.

- [Scott] Yeah I mean it's turnkey, and if you're getting into it today, you're getting into the new version of it, so you don't have to migrate, which is nice.

- [Ben] Yes, if you can actually like configure it in the UI, instead of having stuff that's only visible within PowerShell.

- [Scott] Well isn't that nice.

- [Ben] I like nice GUIs. But yeah the Azure AD Single sign-on with those small business plans, you're going to have that option. You're gonna start, there's usually some configuration that goes in there, and sometimes it's also how you're licensed with those third-party apps, and if those third-party apps support Azure AD single sign-on, a lot of them do, I think there's over 3,000 Cloud apps or other apps that are listed in Azure that support Single sign-on, but some of those you do have to like upgrade to higher licensing levels for those other Cloud apps in order for them to support Single sign-on. So it's not just I have Azure AD Single sign-on capability, so I can go do this with all the other apps, it's do those other apps support it, am I licensed for it in those other apps as well.

- [Scott] Yes, yeah it's a little bit of a rabbit hole for that one.

- [Ben] Yep, So that hits all of the topics in this article, again definitely go check it out if you're looking to enhance your security posture, you wanna know are you following some of the recommendations, let us know if you have any questions about us, 'cause that was a high level overview of all of them. And with that, we didn't do too bad Scott?

- [Scott] No you did good. I don't know how I did. But you did great.

- [Ben] You did fine. I don't think I have anything else. We can wrap it up at 45-ish minutes.

- [Scott] Excellent. Thanks Ben.

- [Ben] All right. Thank you Scott, go enjoy your day, enjoy your weekend. As always stay healthy, and we'll talk to you next week.

- [Scott] Have a good one.

- [Ben] If you enjoyed the podcast, go leave us a 5-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening, and have a great day.

Episode 177 – Friends Should Let Friends Buy Microsoft 365 Business Premium

In Episode 177, Ben and Scott break down the changes in Microsoft 365 Business Premium and how it compares against Office 365 Enterprise Plans including the Office 365 E3.

- [Ben] Welcome to episode 177 of the Microsoft cloud IT pro podcast recorded live on May 8, 2020. This is a show about Microsoft 365 with Azure from the perspective of IT pros and end users where we discuss the topic or recent news and how it relates to you. In this episode, Scott and Ben take a more detailed look at the recently renamed and improved Microsoft 365 business plans and discuss with these updates, should friends now let friends buy business? Everybody now has kids and dogs and all sorts of things or people or animals making noise in the background to their meetings.

- [Scott] Yeah, I think we're all getting better at it though, so maybe for those who haven't been doing the remote thing now that they've had a couple of weeks to not necessarily settle in to it, but experience it and recognizing that for some of us it's going to be coming for a long time. I think especially for technology companies, I mean Facebook announced that through the rest of 2020 just go for it.

- [Ben] Really, I missed that.

- [Scott] Yep, yep, go forth and do it. Amazon is at least October, Microsoft still has their campus effectively shut down. So it's gonna be a thing for a while and I think for us, like in this segment and this area, we're going to continue to experience it.

- [Ben] Yeah, although to be fair, I've been experiencing it for like 10 years now.

- [Scott] Yes.

- [Ben] My kids literally don't know what it's like for me to have to leave the house for work. They get upset when I have to leave to go to work. They're like, "Why do you have to leave?" Some people do these everyday guys.

- [Scott] You've done it again.

- [Ben] Yes. They just don't know what it's like to have daddy actually leave every day to go to work.

- [Scott] Man, you know, they'll have to figure out their own lives at some point, you know, let them grow up in flutter and all those things.

- [Ben] What it is. Yes, they'll realize it. Maybe, who knows? Maybe everybody will work from home for the rest of their lives. I think you are gonna see a lot more people or companies staying open to remote work 'cause this has forced everybody to figure it out. I know there's some people I've talked to that they're like, "This just does not work for us. We're not as productive." All of that, we need to be at the same spot. But I think there's a lot of companies that are also realizing, "Hey, this isn't as unproductive or as bad or as prohibitive to our daily activities as we thought it was."

- [Scott] Yeah, interestingly, I also think lots of folks are gonna have to figure out the burnout factor and really starting it en masse in this time is a different thing then all of a sudden a company you phasing into remote work or just easing your way into it and figuring out what that balance is for, what is productivity at home? I think a lot of folks who are potentially looking at their teams and saying, "Well, we can't work remotely," oh, that's not attitude 'cause you're gonna have to figure out a way to do that in a lot of cases. And also by saying you can't, you're automatically throwing up a barrier to being successful there, but being able to align those times and boundaries between work and home life and recognizing that, yeah, this other thing is going on in the outside.

- [Ben] Yeah, it's interesting and there's definitely a difference between being forced to work remotely and like you said, having that gradual roll and have it being an option. I would say there's more challenges with the way it happened this way. Well, it has opened up a lot of eyes. It also is a lot more challenging when you do it this way. Than if it, like you said, it's a gradual roll in a gradual rollout, you start with options and just do it a little bit at a time. Doing it this way definitely has brought a whole set of challenges.

- [Scott] So one of the little things that gets me, is I have an established place to do work every day. I have my desk, it has my monitors, there's a nice warning ring on the desk where my coffee cup goes. There's a place for the keyboard, a place for my mouse, microphone, all those kinds of things. And my wife potentially transitioning to a remote role as a teacher. She's kind of settled on just one or two different places in the house to work in. And I've offered, like last night she's been working on an extra class and trying to do all these recordings for her students and things so she can put them up. So she came into the office and was sitting at my desk, which I'm normally on a laptop, but then it's just in clamshell plugged into all these monitors and she brought her laptop stand in. She brought her keyboard in, brought her mouse in and she sat, stood up, it's a standing desk. So she stood up at the desk and I said all we gotta do is pull that little USB-C cable out of my laptop and we can put it into yours and you could at least have the keyboard. And if you don't want the keyboard, keep using your keyboard 'cause that's all Bluetooth, that's fine. I get, you don't wanna use somebody else's mouse 'cause everybody's kind of partial to things like that, but you can totally use your keyboard and just all of a sudden have these screens like go ahead, have the 34-inch monitor and things like that. And she looked at me like I was crazy just like I couldn't be productive like that. I'm like, I couldn't be productive on a single screen.

- [Ben] Yeah, it's everybody figuring out how they work best. As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and complex massive metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend. ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real-world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business-friendly way of tracking Azure infrastructure costs and it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro. So we have an interesting topic. This topic today, speaking of working came up probably about a month ago now. I think this has been out and I saw some articles about it and we kind of put some notes together and were like, "We should record this at some point in time." So today is your lucky day Scott.

- [Scott] Every day is my lucky day when I get to talk to you, Ben.

- [Ben] Aw, that's so sweet. That was a little weird. Now you got me all thrown off. It's been a long week. So we recorded an episode a while back. I don't even remember which episode it was where we said, "Friends do not let friends buy business when it comes to office 365," and we had a whole list of reasons why. About a month ago, Microsoft made some announcements that we talked about, about renaming the business 365 SKUs. And as a part of that, one of the, I would say new SKUs with some added features to it is you can now get Microsoft 365 business premium, which includes Windows 10, office 365... well no, that'd be Microsoft 365 business standard, I believe it's one of the Microsoft 365 business SKUs as well as essentially EMS. You're getting Azure active directory premium. So you get all three of those for $20 a month, which is the exact same price as a office 365 E3 plan. So a lot of people have been asking, "Why would I buy office 365 E3 for $20 when I can get Microsoft 365 E3 or Microsoft 365 business premium for $20 a month?" Why would I not get that one with all these other features, Windows 10, Azure active directory premium, it's essentially all the EMS stuff. Although we're gonna talk about, it's not all of that. So do friends still not let friends buy business or have they changed this enough that Microsoft 365 business premium is actually a very solid option now where you're not quite as handicapped as maybe you were before. So we figured we'd dive in, discuss that. There was also a blog article that came out around securing remote work, tying into our intro to using Microsoft 365 business premium.

- [Scott] And then that article really piggybacks and the concepts there piggyback kinda whole cons the licensing construct where they added Azure AD premium P1 to those licenses. So having access to conditional access I think ups the game and changes it a little bit. 'Cause that's one of those differentiators between those two SKUs.

- [Ben] It really is. And before it was always an Add-on and now all of a sudden it has come bundled. So we decided this episode, we're just gonna talk about Microsoft 365 business premium and where it actually does make some sense now. I think my opinion, we'll see what Scott thinks. As well as scenarios where frankly it still doesn't make sense even though there's more features to it as opposed to like the E3 plan.

- [Scott] Yeah, let's get into it.

- [Ben] Alright, so where do you wanna kick it off? How do you wanna kick it off?

- [Scott] So I tend to look at it from one of those clear differentiators between those business plans and the enterprise plans is the number of users that you can bring into those SKUs. So having a hard cap on the number of users, like if I was gonna build out a decision tree to say, should I even look at this product, is it for me? How many people do I need to license? Is it more than or less than 300? Because if I have more than 300 users who are gonna require these features, then it's still not the thing for me. I'm gonna have to go build a licensing bundle or hopefully find a suite of products like an E3 or an E5 that has it all built-in or I can do the base bundle, the SKU pack plus the Add-ons, things like that. So like I said, if I was gonna build the tree, that's where I would start, number of users regardless of functionality they need or anything else. That's your biggest probably upfront question that you need to answer.

- [Ben] Yup, I would agree. That's always my first question and well there are some feature differences that is that hard line in the sand of which way do you go, is gonna be your user count. If you're less than 300 you have a choice to make. If you're more than 300 there's like not a decision there. You just have to go with one of the E plans.

- [Scott] Yeah, you're just gonna go another way. And then from there, you might try to rationalize down cost or Add-ons or things like that as you go ahead and standing up the service. And I think what you could do is then maybe you could get into that feature comparison of if I'm into the whole office 365 E3 versus Microsoft 365 business premium. Then you might wanna decide what features are important to bring over for you along the way.

- [Ben] Yup and I think one of those, and I mentioned EMS at the beginning and that is not, it is just Azure AD premium plan one that's included in business. So for me, I think that's the next decision tree probably that plays into effect, although there's a couple here but one of his is going to be, do I need that full EMS suite where it comes to like the mobile application management, the Intune with the mobile device management, some of those extra features that are in the EMS suite that are licensed as EMS but aren't licensed as part of Azure AD premium P1 because Microsoft 365 business premium is only going to be Azure AD P1, not the rest of those EMS features that are included in office 365 E3 or in Microsoft 365 E3. I think that's probably the next biggest one in my opinion. I say probably, because it could come down to a few other ones.

- [Scott] So now that comes to another weird decision of do you need full-blown MDM? Like do you need full Intune for your devices? Like what does that look like for you? Or are you doing like Knox or something like that today or AirWatch and you wanna look to going to Intune or do you need MDM light and can you leverage built-in MDM capabilities? So there's always... 'Cause that exists as well. There's full-blown MDM with Intune and then there's, it used to be what they used to call it, it used to be called office 365 mobile device management. But now I think it's all just mobile device management for Microsoft 365 which is inclusive of some of the office 365 stuff where you get MDM light in it today anyway until potentially they go ahead and take that away.

- [Ben] Yeah.

- [Scott] So I think that's something to think about there too. 'Cause especially if I'm just doing maybe, I've always thought MDMs is a weird conversation to have, do you need MDM or you do you need MAM? So is it the data in the application that's really important or is it the whole device and kind of the surrounding ecosystem that's important. And certainly, if you're looking potentially, I think at that small business segment, like if you're looking at the 365 business premium, you're less than 300 users, I would bet for lots of folks that not having access to Intune isn't the end of the world 'cause I can still do my conditional access 'cause P1 is giving me access to that in Azure AD premium P1 and I can still do device management light and particularly application management. So being able to still have those application controls where I can have you come in, I can't ensure that you can only sign in to your device with your corporate identity. But I can make sure that you can only sign into Outlook with your corporate identity and when you sign into Outlook that you can't take any screenshots and that you can't be out on a jailbroken device. So have I protected your data there or not? It's always weird line to walk. But I think if you're a smaller business, like if you're in that 365 business premium SKU, you're probably not looking for full-blown MDM anyway. You might want the features, but I guarantee you don't want the operational overhead of keeping it up.

- [Ben] Right, although you can't do my licensing matrix is failing me. You can't do the mobile application management with just Azure AD premium P1 can you, isn't that still part of EMS? You can do conditional access, but not actually like the MAM, selective wipe stuff or don't allow copy and paste between applications, that type of stuff.

- [Scott] Right, yeah. I think you're right there, but if I can stop you from logging into the app if you're on a, like an unregistered device or whatever it is.

- [Ben] Right, that goes a long ways.

- [Scott] You've got to weigh that out and decide where that's important to you organizationally.

- [Ben] Yeah, so yeah, figuring out where that is and truth be told, even the mobile application management versus the mobile device management, I'm shocked how many people like conditional access in some of that mobile application management. If you do that right, you really don't need a lot of the mobile device management as much. Even bigger companies, I'm surprised how many people just do the MAM and it's way easier to manage. So another one that comes out, especially if you're a small business when you are weighing Microsoft 365 business premium versus office 365 is Windows 10 pro and licensing that. If you've already bought a bunch of boxed copies of Windows 10 pro, you don't care about licensing Windows 10 pro, the office 365 E3 is gonna be fine. But one of the nice things about business is it does have a Windows 10 pro license. So if you want to do all of your cloud licensing, if you want to even look a little bit at like I think the Windows virtual desktop is included now in the Microsoft 365 business premium. if you be... Tripping over my own words that, but as well as, and this was when I learned the other day, is the licensing office applications, so Word, Excel, PowerPoint, desktop on a virtual desktop interface. I can't remember. Is that the CSA license or SCA? The shared, essentially the shared application license.

- [Scott] Yeah, whatever acronym they have going for it these days.

- [Ben] Yes, that is the only business plan that's included in this that Microsoft 365 business premium. So even though office applications are included in some of the lower business 365 plans, the only one that includes the shared application access is gonna be that business premium. So if you are looking for that virtual desktop interface, maybe looking at Windows virtual desktop, you want the shared applications, there's a lot of that. The Windows 10 for even desktop devices, all of that's in that Microsoft 365 business plan too. So if you need all of that, you're under 300 users, you don't need EMS. In that scenario Microsoft 365 business is a solid option as well.

- [Scott] Yeah, it starts to become more and more compelling. It does.

- [Ben] And I have one more compelling feature that they snuck out there. You can now add voice. This also used to be a big one. I heard this be a differentiating factor for one of my clients at one point in time was you used to not be able to do Skype or Cloud Voice, the whole cloud PBX, PSTN calling, all of that on a business plan that was only available on enterprise plans. Voice can now be added to Microsoft 365 business premium and I believe even some of the lower SKUs. So if you are a small business and you want to do voice calling, you can just license business plans as well now and not worry about the enterprise plan just to get voice.

- [Scott] So is that voice plan, is that different than business voice? 'Cause they've renamed all this stuff, right? Where say you have Microsoft 365 business voice, which is that's in the office 365 E3, the F1, it's in the Microsoft 365 E3, the Microsoft 365 business but not business premium.

- [Ben] I did not realize they renamed that one.

- [Scott] Well, I will make sure to put the article to, what is Microsoft 365 business voice.

- [Ben] Business voice that is, I was just looking up phone system, call trends for multilevel auto attendants, call queues includes, okay, so Microsoft 365 business voice, they combined two plans into this. Microsoft 365 business voice is $20 a user a month. What you used to have, and you may still have, you may still be able to buy these separately because certain plans include certain features already. Cloud Voice, which was all of the auto-attendant, call queues, call transfer, voicemail, all of that. That was an $8 a month Add-on to just get the Cloud Voice functionality and then for $12 a user a month, you got those domestic calling plans or you could do domestic and international for 24 but it started $12 a month domestic calling plans. So you have your $12 a month for domestic calling. You had $8 a month for Cloud Voice to get the features and the PSTN calling. They took these and Microsoft 365 business voice now combines is $20 a month, which is your eight and 12 for your Cloud Voice and your domestic calling. And it includes both of those in one bundle.

- [Scott] Not confusing at all.

- [Ben] Not confusing at all. And I'd have to look into this 'cause I again, I missed this one. But when you get into the office 365 set of things like your Microsoft 365 E5 in your office 365 E5 already include the $8 a month Cloud Voice Add-on or all those entitlements. So if you're on one of those business E5 plans, you only need to license domestic calling.

- [Scott] Yeah, it's getting weird. And now you can't even search for Cloud Voice anymore 'cause it's all been subsumed by business voice. So you gotta be like, go search for the old phone system stuff and then hope you land on the right article. Although, but it's weird.

- [Ben] So are you looking at the business voice article?

- [Scott] Yeah.

- [Ben] It says down at the bottom, business voice requires the Microsoft 365 and that includes Teams. It's an Add-on subscription for up to 300 users that cannot be used standalone business voice, blah blah, blah, blah.

- [Scott] Yeah, yeah. It still aligns to those licensing limitations with those SKUs.

- [Ben] It aligns to the small business ones. But that means Cloud Voice should still exist for those enterprise SKUs.

- [Scott] Good luck figuring out where that's all written down now.

- [Ben] So as you're going, this is what happens when we stumble across random articles in the middle of the podcast. Oh, see options for enterprise. There's a little link. It's hiding. Voice and video calling with Microsoft Teams.

- [Scott] Yeah, it takes you into all the Teams stuff and 'cause now calling plans and all the documentation for phone system and calling plans and set up falls under Teams.

- [Ben] Oh, it's phone system. So it's not Cloud Voice. So if you're looking for the enterprise stuff, look for phone system for $8 and then calling plan pricing for your domestic and international. Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the Add-ons you'll ever need. The save as PDF Add-on is a best seller. And it is great for project backups, legal discovery, and more. This add-in saves the email and attachments as PDF files. It's easy to download, easy to install, and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com. S-P-E-R-R-Y S-O-F-T-W-A-R-E.com. and see for yourself how great save as PDF is. Listeners can get 20% off their order today by entering the code "cloudIT." That's cloud IT, C-L-O-U-D I-T, all one word at checkout. Sperry Software, work in email, not on email. So we all got that straight now, right? Microsoft 365 phone system is only for business plans. Office 365 requires a phone system and a calling plan. Did I say that right?

- No.

- No.

- [Scott] 365 business voice?

- [Ben] Yes.

- [Scott] Is for Microsoft--

- [Ben] Only for business plans.

- [Scott] Microsoft 365 business plans. Well, but not just the business plans 'cause you can also do it with Office 365 E3s and F1s. So thanks Microsoft. Even though it still has that licensing limitation at 300 I don't know how that works.

- [Ben] That's bizarre.

- [Scott] It's clearly called out in the licensing. If your organization has fewer than 300 people and you have Office 365 E1, E3 or F1, you can also do it. You can also do it with the A1 and A3. So you can do it with the education plans.

- [Ben] Which I mean it does kind of make sense because reality is the pricing didn't change. If you go buy that for $20 or if you go buy phone system and domestic calling for $8 and $12 respectively. Either way, at least they kept that consistent. You're gonna be paying $20 a month to add some type of phone capability and to anything lower than a business or enterprise E5 plan.

- [Scott] There you go. The documentation might not be consistent, but the pricing is, oh, wow.

- [Ben] So that is another, again, that used to be a differentiator between the two and a reason not to go buy business is if you ever looking at phone systems now or shortly, what was the date on that? You can put them onto both. I know they announced it was coming. I think it's already there.

- [Scott] I mean it looks like it's already there. I haven't spun up a business tenant in a couple of weeks, but maybe that'll be the thing to do. We'll go spin up a business tenant and see if it can be added.

- [Ben] Yeah, it looks like it's all there. The data I saw was around pricing. So pricing includes or pricing includes required communication and taxes and fees until June 30th, 2021. I don't know if that means your prices are gonna go up a little bit for taxes and fees on June 30th. I don't know if there's something that's being waived because of COVID right now and that's why those prices include taxes and fees until June 30th. Not exactly sure what's going on there. But yeah, June 30th will appear as a separate charge only in the US starting on June 30th. So there's some goofiness going on there, but that shouldn't be too much.

- [Scott] Alright, cool. So there's some things that are similar and there's some things that are more than similar. Almost to the same between them. But when you're going through that rationalization exercise of saying, so I've got less users, I'm within that 300 boundary. So now I've gone down this difficult road of trying to figure it out. What is business actually missing when you compare it to like an Office 365 E3?

- [Ben] So there are a couple things that it is missing in terms of just like functional specs when it comes to certain services. So Exchange Online is one of the biggest ones that you're gonna notice some differences. An argument could be made whether you actually need this or not, but smaller Exchange mailboxes. So your business 365 plans are essentially running Exchange Online plan one where your enterprise plans are gonna be Exchange Online plan two at least when it comes to like E3 and E5. So that means that you have a 50 gig mailbox instead of a hundred gig mailbox for business premium versus Office 365 E3. However, archiving the business 365 premium does appear to include like a 100-gigabyte expanding archive. So as you archive it'll grow. So there could be an argument made for why do we need a hundred gigabytes if I can just archive everything, 50 gigabytes and archiving more frequently is probably adequate.

- [Scott] That depends on how you access that mailbox and what it looks like. Like do I access that from mobile devices? How hard is it for me to work with the archive from mobile? Like there're weird limitations there and then I believe you probably know better than me, but the Office 365 enterprise archives, those are still billed as unlimited archives, right? Ever-expanding?

- [Ben] Yeah. But they all start. So I think there's similar to the business ones because they all start at a hundred gigs and the business premium ones based on what I think I saw was those ever expand to, it's still an unlimited.

- [Scott] Gotcha.

- [Ben] At least up at that premium level. And then some of the e-Discovery. So when I started looking through like a feature by feature breakdown using service descriptions, O365sd.com.

- [Scott] There actually is a great one out there 'cause they do have, so one of the things they didn't used to do was have to plan options or it was never always a great way to do it to get the business plans and the E-plans all together on the same page.

- [Ben] Yep.

- [Scott] And now they do. So again, this is another link I'll put in the show notes. You can go to Office 365 plan options and it breaks down the whole family. So it's inclusive of everything in business. So Microsoft 365 business basic, apps for business, business standard and then all of the Office 365 enterprise as well as education SKUs, which is super awesome to see.

- [Ben] Perfect, yeah. So things like advanced e-Discovery are only in those enterprise plans. There's probably some small businesses that would use it. Do you think like lawyer, some law firms that are probably, there's a lot of law firms that are probably less than 300 users that may have a need for advanced e-Discovery just due to their line of work. Some of that stuff isn't going to get included with your Office 365 plans or your business premium plans, so I can't remember. The other one I was gonna look at was... Do you have that chart in front of you? Data loss prevention is one that also tends to... No, that one I did look at. That one is included in everything. Data loss prevention is, e-Discovery is not or advanced e-Discovery. The business premium plans do include in-place holds and in-place e-Discovery just not some of those more advanced features. So really go take a look at those service descriptions. Don't look at this at a super high level, but.

- [Scott] Yeah, you have to avoid the marketing and the pricing pages and do all of that at a lower level. They actually used to provide Excel spreadsheets for these where you could do kind of pivots and filters and sorts. I've always found it helpful to go and make my own for those. So it is possible to still copy and paste the tables and things just directly out of the HTML or the markdown, the unrendered markdown that's so free and GitHub and put that into Excel and be able to do those pivots based on how you want them. 'Cause there's gonna be a lot of noise in there that you can just kind of cut the noise out and get it to be what it needs to be.

- [Ben] Right, so the first thing I do, I copy and paste all those into Excel and I create a table and then I filter on the SKU I'm looking for all the nos. So just show me everything under business premium that is set to "no" because that means that's not included and then it makes it a lot easier to start from there when you're comparing what's a no in that column versus a yes in one of my enterprise columns.

- [Scott] Yup, just go ahead and delete the SKUs you don't want and you get to where you need to be.

- [Ben] Exactly.

- [Scott] It's a little rough, right? I think you're in a potentially a little bit of a handicap position may be coming in as a small business and somebody like you or I saying, well your best bet is to copy and paste from HTML site into a spreadsheet and figure it out. Versus being an enterprise where you know if you're buying thousands and thousands of seats, you're gonna have a salesperson at Microsoft who's very keen to sell those to you and they're helping you figure that out.

- [Ben] Or you have a finance guy that really likes Excel and if you say, "Hey, can you go build me some really fancy Excel spreadsheet?" They'll like go hide in their cubicle for hours to create an incredible Excel spreadsheet for you.

- [Scott] No more cubicle Ben.

- [Ben] No offense to anybody that's in finance and really likes their Excel spreadsheets. But yeah, we didn't even get into our last blog article about securing everything. Your practical guide to securing remote work.

- [Scott] I think security's, maybe that's one we can hold off on and have as a conversation at another time 'cause it does, I think it goes out a little outside the boundaries of what I put it in there about what we were originally gonna talk about. 'Cause we'll get into kind of specifics there of some things that you may or may not want to consider turning on. Like what are must-haves versus not must-haves. If you have access to these types of features. Like if you've got the licensing, you're definitely gonna want to turn some things on. Like full stop, they should just be on by default. Microsoft might not turn them on by default for you but they'll certainly be very vocal and I think you and I would be too about, "Hey let's light up the things that really makes sense."

- [Ben] Yes, absolutely. So, to be continued next week 'cause we don't have a topic picked for next week yet, we will talk about securing in which features you should turn on and off and how you can take advantage of these new SKUs. And the security offerings therein.

- [Scott] Yeah, perfect, absolutely.

- [Ben] All right, well, let us go enjoy the rest of the sunny day from the confines of our house.

- [Scott] Yes, this is the way.

- [Ben] We will talk to you next week about that security article.

- [Scott] Thanks, Ben.

- [Ben] All right, thanks, Scott. If you enjoyed the podcast, go leave us a five-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.
