Microsoft 365 Licenses: understanding security levels

To strengthen and improve the security approach of the Microsoft 365 suite and its applications, security and administration teams must be able to identify the native capabilities as well as the limitations of the tools and features provided by the vendor.

Microsoft offers several levels of licenses with varying degrees of security and compliance features.
The highest level is the Microsoft 365 E5 license, which offers comprehensive coverage and advanced analytics and data visualization capabilities for compliance and security risk assessment.
For budgetary reasons, most companies reserve this level of license for a sensitive, VIP population (executive committee members, security administrator, etc.). Other intermediate license levels, such as the Microsoft 365 E3 license, are typically chosen for the remaining users.
Finally, for users with more limited usage needs, the Microsoft 365 E1 license may be sufficient in terms of protection (occasional use, just access to the email service).

Given the absolute priority of securing data and collaboration tools, especially on M365, it is necessary to establish an initial inventory of what these E3 and E5 licenses include, in order to consider completing or strengthening them with complementary solutions for Microsoft 365.

We have identified 3 use cases to focus on in order to detail and compare the native functions, Microsoft’s limitations and the IDECSI response : 

• Audit of permissions by administrators
• Monitoring and alerts on access to sensitive data
• Access review on Microsoft 365
  
  
  

Audit of permissions by administrators

What does Microsoft offer for permission auditing?

Microsoft E3 License

The E3 license does not offer any control over permissions for administrators and users.

Microsoft E5 License

The E5 license includes Microsoft Defender for Cloud Apps (formerly MCAS).
Microsoft Defender allows you to:

• Search by link type, sensitivity level, owner
  Here, the creator of the document is the owner.
• Apply remediation on permissions

However, there are some limitations:

• No splitting of security groups

All administrators will have the same level of information, it is not possible to set up a segregation of duties between entities. It is therefore necessary to appoint a central compliance team.

• Visibility only on access – No overview of users’ permissions

Note: investigation will only be possible only into internal users (except guests).

Audit of data permissions: the IDECSI solution

In addition to what Microsoft provides, IDECSI offers an analysis tool for administrators. It is possible to assign a granularity to the role of administrators according to their scope.

This tool, Permission Explorer, provides:

• An overview of permissions, delegations of a file, of a folder of a specific resource and access history in the form of lists
• Easy search on all data (cloud and on-premises) or fine-tuned search by type of links, level of sensitivity
• Search by user for “who has permission on?”
• Analysis of permissions and their structure: inherited or direct permission? Who has access?

Integrated with the MyDataSecurity user platform, admin teams can ask users, via recertification campaigns, to validate permissions or access to their data.

Monitoring and alerts on access to sensitive data

What does Microsoft plan to do about monitoring sensitive data?

Microsoft E3 License

In Microsoft Purview, administrators can search the unified audit log to view user and administrator activity. These logs are available for 90 days.

They can do an audit manually to find out, for example:

• Who has accessed a sensitive file
• Activities on a confidential file (sharing, deleting, etc.)

Depending on the internal classification policy, users can encrypt sensitive content and restrict access with Purview Information Protection (MIP) labels.

Microsoft E5 license

With an E5 license, logs are available for one year (instead of 90 days on E3).

Administrators also have the Defender for Cloud Apps tool, which can restore permission inheritance (remove unique permissions and recover those of the parent folder or site).
Via Defender for Cloud Apps it is possible to set up a workflow to alert the owner of a document or a resource about deviating behavior (e.g. anonymous sharing).

Administrators can receive alerts when:

• An user shares sensitive data with the outside world
• An user shares sensitive data without respecting the company’s security policy
• Abnormal behavior is performed by an user

By default the user is not alerted but this can be programmed by workflows.

Monitoring of sensitive data: IDECSI a complementary solution

IDECSI leverages information from Microsoft Purview’s sensitivity tags to enhance the monitoring and protection of sensitive data.

Administrators can control sensitive data. They have a mapping of the data to sensitivity labels and their exposure.
They have access to the history of all configuration changes (including permissions) and log retention.
Alerts can be customized, to be aware of a policy change, a change in labeling actions, or sensitive shared data.

IDECSI also involves users and offers advanced monitoring with:

• Visibility over classified data thanks to a “Focal point” section and filters on the classification levels
• Real-time notifications to the data owner (user) in case of modification of permissions, new accesses, and abnormal behavior
• The owner can validate the modification or access, or delete the end users.

Access review on Microsoft 365

The review of access is an important step in data protection.

It involves ensuring that user access at the data level are consistent with an organization’s Microsoft 365 security policy and the user’s activity.
Read the article on the M365 collaboration tools access review

Review of access according to license level

Microsoft E3 License

Administrators do not have a specific mechanism for launching overarching access review campaigns.

As for users, they can perform reviews but they will have to go to each application and manually remove, after several clicks, the permissions given on each file or group.

Microsoft E5 License

Via the Azure AD Access Reviews feature, offered in the Azure AD P2 license (included in E5), Azure AD administrators can manually track and recertify internal groups and run user campaigns.

Note:
- Only one license needed to review guests
- Review possible either on all groups including guests, or group by group (which requires to select them manually or by an API)

Recertification campaigns can be launched on Microsoft 365 groups: Teams or modern SharePoint.
The access review will apply to group members only. Permissions or sharing links made outside of a Teams team (on SharePoint for example) will not be part of the recertification campaign.

Azure AD Access Reviews allows users to be involved in access reviews.
Following the launch of the campaign, the owners of the Teams / SharePoint groups will receive an email with the group to be verified. The verification will only be carried out at the member level and will not affect shared channels.

Regarding the review of the permissions of other applications (OneDrive, Exchange for example), the approach will be the same as on the E3 license, i.e. manual through going on each one given permission.

IDECSI makes it easy to review permissions and sharing in Microsoft 365

IDECSI has developed a recertification tool, MyDataSecurity, which solves the constraints of volume and complexity in the access review process, allowing data security to be maintained over time.

Administrators have a platform to plan recertification campaigns. The setup is simplified to determine:

• Targeting on global or specific resources
• Duration, periodicity
• Automatic reminders
• Customization of emails and notifications

Reports on access review campaigns are available to track user validations and any troubleshooting initiated.
The user has a security dashboard to set up governance over his data and a review of access, sharing and configuration from a single portal, named MyDataSecurity.
In the context of a campaign, users will also receive a notification to recertify all permissions and will be able to apply automatic troubleshooting.

IDECSI strengthens the security level of Microsoft 365 licenses

The Microsoft E5 license includes many security and compliance features and tools, but it represents a significant IT budget.

The IDECSI for M365 solution complements Microsoft’s security offering and increases the security of data both on-premises and on Microsoft 365. The platform offers 5 key features for a comprehensive data security approach: collection and traceability, user access review, admin control and audit, alerts and investigation, and consolidated reports.

Microsoft and IDECSI teams have been working on a mapping of the key security features of Microsoft 365. This document gives companies a better overview of the construction of a global and optimized system.