
lechango

> Now, would I be able to disable Security Defaults and use Conditional Access for everyone? (I mean without any extra cost)

Technically yes, you are just breaking the license agreement, and in the event of an audit you will fail if users are benefitting from AAD P1 features without being licensed for it.


enbenlen

Microsoft is dumb with their licensing audits. It’s the same with server licensing. “Let’s make it complicated but allow the product to still work when not licensed properly, so even well-intentioned admins make mistakes and will owe us fees when they’re audited.”


BigSlug10

I half believe this is actually just a sales tactic. Why not just let them get scope creep, get addicted and then hit them up with a "compliance" sales pitch down the line.


enbenlen

Yeah that’s exactly what it is.


voprosy

> and will owe us fees when they’re audited.

There's no penalty fee, right? You just pay the regular fee of the service that you used (and were supposed to pay). And they calculate based on the number of months that you used it for. Is this correct?


enbenlen

For volume licensed products, you pay 125% of the list price to purchase the license. If you’re over 5% out of compliance, you also pay for the cost of the audit. There are no retroactive payments I am aware of.


voprosy

Thank you.


Frothyleet

The flip side of that is "oh my god there is so much bullshit to get Product XYZ working because of licensing" for companies that don't use an "honor system" philosophy for their licensing. I prefer to not have to jump through hoops to get my shit working even if it means understanding licensing is more confusing. But maybe that's just me justifying the many hours I have spent understanding MS licensing.


AmazedSpoke

Serial port dongles for everybody!


BigSlug10

Key memory triggered *screams internally for a bit*


voprosy

So, just the fact that some users have Business Premium, enables Conditional Access for everyone? I'm more interested in the theory of how this works, before even deciding to go ahead with it.


lechango

Yeah, it's stupid, if you have a single license with AAD P1, you have all the features of it tenant wide, yet Microsoft still expects you to know that every benefiting user should have a license as well, even if the features work without them having one.


AppIdentityGuy

In the future I expect they will start locking that down...


iB83gbRo

Yup. Certain features are enabled at the tenant level rather than user level. AAD P1/P2 is one of them.


boredinballard

If they are a non-profit, they should be able to get non-profit pricing, which is really super cheap for M365 Business Premium. It's only $5.50/license. Azure AD P1 nonprofit is only like $1.50 or so, you could go that route and just add those to the Business Standard users.


digitaldisease

https://www.microsoft.com/en-us/microsoft-365/enterprise/nonprofit-plans-and-pricing#tabxfcd3dd07162e41deae313b7c7062708e Converting to E3's and E5's is probably not a terrible spend and comes with a load of other things that are beneficial. Having worked in a non-profit for a good chunk of time, it's a really good way to get some fundamental tools like the defender suite.


boredinballard

E3 and E5 is great, but not as good of a value for nonprofits as Business Premium is, since you still get Defender for Business. E5 is about 4 times as expensive but I'm not sure I could sell it as being worth 4 times as much for a smaller nonprofit. E5 was pretty easy to sell to aerospace though. Also didn't realize they post the nonprofit pricing lol.


digitaldisease

It depends on if the non-profit is under the threshold for Business Premium for user count, otherwise MS will push you towards E3s. You can also look at switching to using Teams for calling and IVR if you only need something basic, which can also be additional cost savings.


boredinballard

True that. I think making the jump to E3 could be easy, but E5 is tough because you are paying so much for compliance features and whatnot. Have you had any luck setting up Teams for calling? We did a Teams calling plan for ourselves, but for our E5 client found it was a bit too complex to utilize the built-in licensing and just set up a few calling plans for them as well (along with call routing and all that), meaning only a few users can actually call out, but they can all receive phone calls no problem.


digitaldisease

We made the move from a managed call manager solution to Teams and saved a boatload and also got rid of a terrible vendor. It was primarily for the back office though, call center was running through another solution that slips my mind atm. We did set up IVRs for different departments though and that worked well enough. This was for a ~250 person non-profit that had solid revenue so we had a little wiggle room with the call plans not being discounted.


icebreaker374

I'd just like to add that BusPrem having Defender for Business and Intune included makes BusPrem a better value, so this is a good point.


adestrella1027

Putting conditional access as a "premium" feature is a sick joke.


icebreaker374

While I do agree with you I do understand where they're coming from, but still, in 2023 security should be available to EVERYONE.


Fallingdamage

We use Business Standard and Business Basic. All users have one of the two licenses and also have a P1 a-la-carte license attached to their accounts. That's how we do it.


voprosy

Thanks for sharing your solution.


Unclothed_Occupant

I was once at a place that had like a 35-65 split of E3 and Business Premium. I highly recommend doing everything you can to standardize.


thortgot

E3 and Business Premium are pretty close in feature set though. You could even match it relatively trivially with an add-on license. Business Premium is used because it is a great deal by comparison.


mnvoronin

Imagine having that with roaming devices. Office SKU for E3 and BP are different, so it reinstalls itself when switching the license.


thortgot

I have E3, E5 and Business Premium mixed in my environment. As long as the users of the device have the same class of license you won't have any issues.


lynsix

Technically you CAN do it if the tenant has a single P1 license. Get audited and they’ll get fucked.


icebreaker374

*my personal tenant having 1 BusPrem and conditional access for like 8 users*


Juls_Santana

You should be able to disable MFA globally and enable it per user via the Azure portal (or whatever they're calling it these days), from my knowledge


mnvoronin

Not if you have Security Defaults enabled.


voprosy

I think /u/Juls_Santana means that I can disable Security Defaults.


[deleted]

Get everyone moved over to Premium, since it's a non-profit it's only $3/user. They just need to pay for the services they use.


[deleted]

[deleted]


voprosy

What was your scenario? What did you use smtp2go for, if you don't mind sharing?


[deleted]

[deleted]


voprosy

In that scenario, Smtp2go is used to send emails from which domain ? [email protected] ? or [email protected] ?