It’s probably safe to assume that your business is already using Microsoft 365 to some extent to support your connected workforce. There are, after all, about 258 million paid Office 365 seats.
What we find surprising though is how few organizations have focused on securing or optimizing their MS365 investment.
So, we invited Shane, our MS lead at Present to a Teams meeting to pick his brain on what he is seeing within our client base and in the industry when it comes to opportunities that businesses are missing out on and risks that they are not addressing with MS365.
Shane: I think the main thing is a lot of clients are using packaged licenses, like an M365 Business Standard or Business Basic, but all they're using is the office suite or Exchange. They're not leveraging things like OneDrive, SharePoint or Teams to create better collaboration for their users. A simple example would be OneDrive: each user has one terabyte of storage included, so why not leverage it, enable the backup, and your documents, photos and such are synced to the cloud. If ever your computer is down, you can use a different computer and access your documents from anywhere.
Also, when we talk about enterprise licensing, there are ways to optimize costs by knowing how the licensing works and matching the right license to your needs. For example, we see a lot of clients are paying for an E3 license, that maybe was required for RDS or terminal server licensing in the past, but Microsoft has changed their licensing and use rights. Now if you have M365 Business Premium, you have use rights for RDS and so you could change your E3 license to a Microsoft 365 business premium for basically the same price. I think it's 10 or 20 cents difference.
With that license, you also get Intune and Defender 365, so you can now enable better security using Defender 365 Plan 1, protect against malware and phishing across all the O365 services, and with Intune, or Endpoint Manager now, you can enable MDM and desktop management to help secure your endpoints. You also have Azure AD Premium included, so you can enhance your access policies and streamline things like MFA, allow for better user experiences and ensure you are better protected. No one likes inconveniences, so by having policies that are more user friendly you can improve the adoption and use of tools like MFA.
There are lots of other features in the package too, like Windows update rights, which is interesting now because of the release of Windows 11. So sometimes right-sizing a license can open a lot of benefits for a client.
Shane: I think many people are under the impression that their emails are backed up. I know nobody reads them, but the terms and conditions agreements say very clearly that Microsoft does not provide backup services. Microsoft has retention and that’s what people mistake for a backup because they’re under the impression that because Microsoft lets you set this retention for 10 years that you are covered. I’ve had this conversation with both SMBs and large businesses like major financial institutions. You can recover a simple document or email, but you won’t recover the entire structure. So, although the documents are retained and maintained and kept within the system for 10 years, the recovery of that document is very difficult. You need to know exactly what item you're recovering.
With a backup solution you will be able to recover a folder very easily. We use SkyKick and there is no limit on storage. Using a third-party backup like SkyKick is going to be easy and simple to recover lost data and will help you not consume additional storage like retention can.
Shane: MFA is definitely something every business needs, and for some reason a lot of companies still don’t use it. Microsoft now turns on MFA by default, so when you create a new tenant, MFA is set up by default, but a lot of companies have been using MS365 for years and might not have it activated. For example, I had a client today who told me he wasn’t sure if he should turn on MFA for his warehouse workers. I told him that if they have an account, they should absolutely have MFA. From a security standpoint everyone needs MFA. I don’t care if they’re the janitor or the president, they should all have MFA, because you’re talking about an application that’s publicly available worldwide. As soon as there is a user out there, their account can be exploited to infiltrate your environment, and any user is a potential vulnerability, so everyone should have MFA on by default.
And in terms of phishing, Defender should be utilized to give you enhanced spam filtering. It also gives you virus and malware protection, as well as safe links and better reporting, and if you go to Plan 2 you get attack simulations and tests you can run on your users.
Then you have conditional access, with the capability to put in place simple rules like allowing access from a single geography, or more complex ones that factor in what device you are on: is the device up to date, is it a mobile device, etc.
As an example of how conditional access works: right now, I'm using my corporate laptop, which is enrolled in Intune or Endpoint. So, my laptop is managed by the company, the laptop communicates with Endpoint Manager, and it is seen as compliant with our requirements, which are being patched, having the firewall active, having active virus protection, and having disk encryption on. Since the device I am using is in Canada, and is managed by the company and compliant, I am not required to use MFA. If my device falls out of compliance, I would be required to use MFA immediately and validate my identity using a second method like the authenticator app.
A conditional access policy allows us to maintain that higher security, yet not be as intrusive to the user. We also use Azure AD Premium Plan 2, so I can have policies that react to risk-based events, like an impossible travel, and this then triggers an MFA requirement, or I can lock the account.
Shane: Endpoint Manager, formerly Intune, is for mobile and desktop devices. We use Endpoint Manager for our corporate laptops to make sure that our devices are updated and we are compliant. We can also deploy apps and other policies to the devices as well. Like many companies, we allow BYOD for mobile, though, so we use Endpoint Manager for creating a protected workspace on mobile devices. This allows us to set work-approved apps and policies to restrict work data to those apps only, so we create a kind of bubble of authorized and approved apps that are encrypted on the user’s device. These types of policies allow us to ensure that work data is secured no matter what device the employee is using.
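The two conditional access patterns Shane describes (skip MFA on a compliant, managed device but demand it everywhere else, and force MFA when Identity Protection flags a risky sign-in such as impossible travel) can be expressed as policy objects through the Microsoft Graph PowerShell SDK. The script below is an added illustration, not Present's own configuration or Microsoft documentation. It assumes the `Microsoft.Graph` module is installed, that the signed-in administrator holds the `Policy.ReadWrite.ConditionalAccess` scope, that the tenant has the Azure AD Premium P2 licence the risk-based policy needs, and that `<BREAK-GLASS-ACCOUNT-OBJECT-ID>` is replaced with the object ID of an emergency-access account; both policies are created in report-only mode so nothing is enforced until the sign-in logs have been reviewed.

```powershell
# Added example: two Conditional Access policies built with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can manage Conditional
# Access; <BREAK-GLASS-ACCOUNT-OBJECT-ID> is a placeholder for your emergency-access account.
# Both policies start in report-only mode so the sign-in logs show what they WOULD do.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy 1: "compliant device OR MFA".
# A device that Endpoint Manager reports as compliant satisfies the grant by itself;
# any other device must satisfy it with MFA instead.
$compliantOrMfa = @{
    DisplayName = "Require compliant device or MFA (report-only)"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>") }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"                       # either control is enough
        BuiltInControls = @("compliantDevice", "mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $compliantOrMfa

# Policy 2: risk-based MFA (needs Azure AD Premium P2 / Identity Protection for sign-in risk).
# Medium or high sign-in risk, which covers detections like impossible travel, forces MFA
# regardless of device state.
$riskMfa = @{
    DisplayName = "Require MFA on medium/high sign-in risk (report-only)"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users            = @{ IncludeUsers = @("All"); ExcludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>") }
        Applications     = @{ IncludeApplications = @("All") }
        ClientAppTypes   = @("all")
        SignInRiskLevels = @("medium", "high")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskMfa

# Confirm both policies exist and are still report-only before flipping State to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for a few days and read the "Report-only" tab of the Azure AD sign-in logs: it shows, per sign-in, whether the policy would have allowed access, demanded MFA, or blocked the user, which is how you catch a mis-scoped policy before it locks people out. The geography rule Shane mentions (only allowing access from Canada) is a separate `Locations` condition that references a named location you define first; it is omitted here because its ID is tenant-specific. The break-glass exclusion is there so an unexpected compliance or risk outcome can never lock every administrator out at once.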
The right use of technology addresses business challenges and drives business growth in all areas of an enterprise. We hope this blog will offer insight into developing strategies and tactics to enable you to identify those key drivers of growth and keep pace with and anticipate the rapid technology change of today.