I remember a time when hosted/cloud offerings were whispered to be the solution to the SAM challenges of the average IT worker. I remember people saying that the ‘cloud’ would even render SAM tools and services obsolete. What wishful thinking that was. When industries leant towards cloud-based solutions and products, what they actually got was a whole new arena of compliance to navigate. Added to that, ‘the cloud’ is still usually used alongside on-premises and other platforms, each with their own set of licensing rules that the ‘IT crowd’ still have to stay on top of.
But fear not fellow knights of this noble cause (that is SAM if you haven’t already guessed), I am going to today go through some of the key areas that you need to keep in mind when considering maintaining compliance in your Microsoft/Office 365 kingdoms.
As most of you know, Microsoft retired the Kiosk worker concept some time ago and replaced it with the Firstline Worker packages. Firstline Workers are typically customer-facing employees who don’t need the same software or access as ‘office workers’, which is why organizations make use of this cheaper SKU (Stock-Keeping Unit) wherever they can. Microsoft give some examples of these types of workers:
What you probably didn’t know is that the SKU is only used compliantly if these workers:
‘….use a primary device with a single screen smaller than 10.1″, or share their primary work device with other licensed Firstline Workers’.
Assigning a Firstline SKU to anyone who falls outside that definition (for example, a worker with a dedicated laptop and a full-size screen) is a breach of the licence terms and will be counted as non-compliance in a review, however ‘customer-facing’ the role is.
Microsoft 365 Tenant-Level Services:
So, what are Tenant-Level Services, and why are they on my list of compliance ‘gotchas’? Well, in Microsoft’s words they:
‘…are online services that when purchased for any user on the tenant (standalone or as part of Office/Microsoft 365 plans) are activated in part or in full for all users on the tenant. While in these cases some unlicensed users may be able to access the service technically, a license is required for any user that you intend to benefit from the service. Note: Some tenant services currently do not have the capability to limit benefits to specific users, over time those capabilities will be included in the services. Efforts should be taken to limit the service benefits to licensed users to avoid disruption to your organization when targeting capabilities are employed.’
Now, Microsoft provide a pretty nifty guide to licensing these tenant-level services, which can be found here. There is quite a lot of information to digest, so to make your lives easier I’ve included below the two tenant-level services you would get under a typical Microsoft 365 E3 offering, together with Microsoft’s answer on how to restrict each one to licensed users:
1. Azure Information Protection
How can the service be applied only to users in the tenant who are licensed for it? Azure Information Protection policies (save for the scanner feature) can be scoped to specific groups or users, and registry keys can be set on client devices to prevent unlicensed users from running the Azure Information Protection classification or labelling features. Follow the instructions here for scoping Azure Information Protection deployments: Configuring the Azure Information Protection policy.
2. Data Loss Prevention for Exchange Online, SharePoint Online and OneDrive for Business
How can the service be applied only to users in the tenant who are licensed for it? Admins can customize the locations (workloads), included users and excluded users for each policy in the Office 365 Security & Compliance Center, under Data loss prevention > Locations. The practical check is that every mailbox, site or OneDrive a DLP policy covers belongs to a user holding the licence that includes DLP.
Over-deployment of Microsoft/Office 365 Apps
Microsoft are quite generous when it comes to how many devices a user can install the Office 365 (Microsoft 365 Apps) desktop applications on: each licensed user may activate the apps on up to five PCs or Macs, five tablets and five phones. You might have asked yourself how they can possibly police this restriction and assumed they had no visibility of it, but they have: every activation is tied to the user’s account and reported back to the tenant. Below is a screenshot of per-user activation information pulled from a customer’s tenant using the Smarter365 technology that EasySAM partner with on all our Office 365 projects.
As you can see, several users have more desktop activations than the licence allows, so it is likely that this customer is non-compliant in terms of deployment, and these cases should be investigated (the usual culprits are re-imaged or replaced machines whose old activations were never removed from the user’s account).
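You don’t need a third-party tool to get a first look at this yourself. The activation counts behind that screenshot are the same numbers Microsoft expose in the Office 365 activations report in the Microsoft Graph, and the following PowerShell is an added example (mine for this post, not Smarter365 or Microsoft code) that reads that report and flags users whose activations exceed the licence entitlement. It assumes the Microsoft.Graph.Reports module, a connection with the Reports.Read.All permission, and the column names of the getOffice365ActivationsUserDetail report as I know them; the three CSV rows are constructed sample data so the script runs offline.

```powershell
# Added example: flag Microsoft 365 Apps over-deployment from the activations report.
# Assumes: Microsoft.Graph.Reports module and Reports.Read.All, e.g.
#   Connect-MgGraph -Scopes Reports.Read.All
#   Get-MgReportOffice365ActivationUserDetail -OutFile .\activations.csv
# Column names below are those of the getOffice365ActivationsUserDetail report
# (an assumption to verify against your own export); the rows are constructed sample data.
$sampleCsv = @'
Report Refresh Date,User Principal Name,Display Name,Product Type,Last Activated Date,Windows,Mac,Windows 10 Mobile,iOS,Android,Activated On Shared Computer
2020-01-31,alice@contoso.example,Alice,Microsoft 365 Apps for Enterprise,2020-01-20,3,1,0,2,1,False
2020-01-31,bob@contoso.example,Bob,Microsoft 365 Apps for Enterprise,2020-01-29,6,1,0,0,0,False
2020-01-31,carol@contoso.example,Carol,Microsoft 365 Apps for Enterprise,2020-01-15,2,0,0,7,6,True
'@

function Get-OverDeployedUsers {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $DesktopLimit = 5,   # licence entitlement: 5 PCs or Macs per user
        [int] $MobileLimit  = 10   # 5 tablets + 5 phones; the report does not split the two
    )
    foreach ($row in $Rows) {
        $desktop = [int]$row.Windows + [int]$row.Mac
        $mobile  = [int]$row.iOS + [int]$row.Android + [int]$row.'Windows 10 Mobile'
        $reasons = @()
        if ($desktop -gt $DesktopLimit) { $reasons += "desktop activations $desktop exceed $DesktopLimit" }
        if ($mobile  -gt $MobileLimit)  { $reasons += "mobile activations $mobile exceed $MobileLimit" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User    = $row.'User Principal Name'
                Product = $row.'Product Type'
                Desktop = $desktop
                Mobile  = $mobile
                Shared  = $row.'Activated On Shared Computer'
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv
# For a live tenant, replace the line above with: $rows = Import-Csv .\activations.csv
Get-OverDeployedUsers -Rows $rows | Format-Table -AutoSize
```

Run against the sample data this reports Bob (seven desktop activations) and Carol (thirteen mobile activations) and leaves Alice alone. Two caveats before you raise a flag with anyone: the report counts activations, not installed copies, so a user who has been through three laptop refreshes can legitimately show three Windows activations until the old ones are deactivated from their account page; and a user with many mobile activations may simply have a phone and a tablet on each platform, which is why the mobile threshold above is the combined ten rather than five.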
The responsibility is STILL yours
I’m sure I have discussed this topic in my other blogs, but I want to remind you that it still applies to hosted platforms, as many people outsource the management of their Office 365 tenant to third parties. Even if a third party manages your tenant, the agreement with Microsoft is in your company’s name and the licensing liability stays with you. The outsourcer can’t be held accountable for the consequences of poor management of the tenant or for any penalties the manufacturer imposes after a review. My advice is therefore that your Microsoft/Office 365 environment be monitored by a licensing champion within your own organization, regardless of how involved they are in the day-to-day running of the platform.
If this has raised any eyebrows, or perhaps caused a few cold sweats, please do not hesitate to reach out to me to take these conversations further. Another area I can shed some light on is your Office 365 component adoption, and therefore whether you are on the right package for your needs. ‘Til next time….