When securing workers, especially those who primarily use their mobile devices for work without a company-provided computer, it's essential to balance cost and security needs. This guide outlines the most suitable Microsoft 365 security options for different scenarios, focusing on identity protection, device management, and email security.
1. Basic Mobile-First Workers: Exchange Online P1 + Defender for Office 365 P1
For workers who primarily use their mobile devices for email communication, the following setup is cost-effective:
- Exchange Online P1: This license provides secure email, calendar, and contacts. It is the most affordable way to manage users who need access to email but no additional collaboration tools like SharePoint or Teams.
  - Cost: ~$4 per user/month.
- Defender for Office 365 P1: For email security, this plan includes protection against phishing, malware, and other advanced threats.
  - Cost: ~$2 per user/month.
This combination is ideal for users who don't need access to the full Microsoft 365 suite but require email security. It ensures emails are protected while keeping costs low.
2. Enhanced Identity Protection: Entra ID (Azure AD) P1 or MFA
If your users primarily need basic identity protection for secure access to email, consider the following:
- Per User MFA: If you only need Multi-Factor Authentication (MFA) without a full Azure AD license, you can enable MFA at no extra cost for all Microsoft 365 users. However, this option doesn't offer advanced identity protection features like conditional access or monitoring.
  - Cost: Free for all Microsoft 365 users.
- Entra ID (Azure AD) P1: For organizations that want conditional access, SSO, and self-service password reset, Azure AD P1 is a good option.
  - Cost: ~$6 per user/month.
This configuration is ideal for workers who require extra layers of identity protection beyond MFA but do not need advanced risk-based authentication.
3. Contractors Without Company Devices: Entra ID P1 or P2
For contractors using personal devices, the focus is on securing access to company data and apps:
- Entra ID (Azure AD) P1: Provides essential identity management features like SSO, conditional access, and basic MFA. This is sufficient for users accessing general business apps.
  - Cost: ~$6 per user/month.
- Entra ID (Azure AD) P2: For users accessing sensitive apps or data, Azure AD P2 adds risk-based authentication, Identity Protection, and Privileged Identity Management (PIM) to protect against identity threats.
  - Cost: ~$9 per user/month.
This setup is recommended for contractors who access critical data or applications, providing an extra layer of security through risk-based conditional access.
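As an added example (not part of this guide), the two tiers described above expressed as Conditional Access policies created with the Microsoft Graph PowerShell SDK: one requiring MFA for a contractor group (an Entra ID P1 feature) and one blocking high-risk sign-ins (an Entra ID P2 feature). The group IDs are placeholders, and both policies are created in report-only mode so the sign-in log can be reviewed before anything is enforced.

```powershell
# Added example, not from the original guide. Requires the Microsoft.Graph.Identity.SignIns
# module and an account allowed to manage Conditional Access.
# Placeholder values: the two group object IDs below are not real.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$contractorGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: "Contractors" group
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access accounts, always excluded

# Policy 1 (Entra ID P1): contractors must satisfy MFA for every cloud app, from any client type.
$mfaPolicy = @{
    displayName = "CA01 - Contractors - Require MFA for all apps"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeGroups = @($contractorGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2 (Entra ID P2): block contractor sign-ins that Identity Protection rates as high risk.
$riskPolicy = @{
    displayName = "CA02 - Contractors - Block high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeGroups = @($contractorGroupId); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaPolicy, $riskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Excluding an emergency-access group from every policy is what keeps a misconfigured MFA or block rule from locking administrators out of the tenant.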
4. Managed Devices: Enterprise Mobility + Security E3 (EMS E3)
For users whose devices can be managed, Enterprise Mobility + Security (EMS) E3 offers a comprehensive solution for both identity management and device management:
- EMS E3 includes:
  - Azure AD P1: For identity management, including SSO and conditional access.
  - Microsoft Intune: For mobile device management (MDM), allowing you to control device security, deploy policies, and remotely wipe lost or stolen devices.
  - Data Loss Prevention (DLP): Protects sensitive data from being leaked or shared inappropriately.
  - Azure Information Protection P1: For basic data classification and protection.
- Cost: ~$8.80 per user/month.
This solution is ideal for organizations that need to manage both user identities and devices securely, ensuring corporate data is protected, even on mobile devices.
5. For Higher Security: Enterprise Mobility + Security E5 (EMS E5)
If you need to protect both devices and identities at a higher level, consider EMS E5:
- EMS E5 includes:
  - Azure AD P2: For risk-based conditional access and Identity Protection.
  - Advanced Threat Analytics and Cloud App Security: For detecting and responding to advanced identity-based threats.
  - Microsoft Defender for Identity: Protects against identity-related attacks.
  - Advanced Information Protection: Automated classification and protection of sensitive data.
- Cost: ~$14.80 per user/month.
EMS E5 is best for organizations handling sensitive data or operating in highly regulated industries, where advanced identity and data protection are crucial.
6. Alternative Collaboration Platforms (e.g., Google Workspace)
If your organization uses a different collaboration platform like Google Workspace and doesn't need Microsoft Exchange, OneDrive, SharePoint, or Teams, consider using EMS E3 and Azure AD P1 purely for security and identity management:
- EMS E3 provides all the necessary features for managing identities and devices without requiring Microsoft 365 apps like Exchange or OneDrive.
- Azure AD P1 gives you SSO, conditional access, and MFA for managing access to Google Workspace and other apps.
- Cost: ~$8.80 per user/month (EMS E3).
7. Defender for Endpoint for Managed Devices
If your users have managed devices and you want enhanced endpoint security, consider adding Microsoft Defender for Endpoint P2:
- Defender for Endpoint P2 provides advanced threat detection, investigation, and automated response for managed devices.
  - Cost: ~$5.20 per user/month.
This option is essential for organizations looking to secure mobile and desktop devices against modern threats like ransomware and targeted malware attacks.
Conclusion
For workers who primarily use their devices for email, the Exchange Online P1 + Defender for Office 365 P1 combination provides affordable security. If additional identity protection is needed, Azure AD P1 or Per User MFA can be added at minimal cost.
For contractors and users accessing sensitive apps, upgrading to Azure AD P2 or implementing EMS E3 for managed devices will provide robust security without over-investing in unnecessary licenses. If device management and endpoint protection are critical, including Defender for Endpoint P2 ensures comprehensive coverage.
By carefully selecting the right combination of Microsoft 365 licenses, organizations can provide robust security without overspending.