If you’re doing it right, Microsoft 365 is your best, most practical, and most cost-effective ($20/user/month) IT security and management system.
Microsoft 365 Disaster Recovery and Business Continuity
Traditional Ways:
- Weak/untested or nothing.
- 3rd Party Service
Microsoft 365:
- Microsoft 365 is 100% cloud
- Disaster recovery is free
- Business continuity is free
- Managed by Microsoft
- Geographically redundant datacenters
- 99.9% uptime SLA
Phone System Business Continuity
Traditional Ways:
- On-premise phone system
- 3rd party hosted non-integrated phone system
Microsoft 365:
- The Microsoft Teams Phone System
- Complete business continuity
- Managed by Microsoft
- Geographically redundant datacenters
- 99.9% uptime SLA
Microsoft 365 Computer Setups and Group Policies | Microsoft Endpoint Manager (formerly Microsoft Intune) configuration procedures
Traditional Ways:
- Manual end-user computer configuration
- Image-based end-user computer configuration
- Windows Server AD Group Policies.
Microsoft 365:
- Microsoft Endpoint Manager (Intune)
- Configuration profiles
Microsoft Endpoint Manager Advanced: Security Baselines
Optimized modernization of Endpoint Manager:
Microsoft Defender Antivirus
Traditional Ways:
Microsoft 365 Feature:
- Microsoft Defender Antivirus: included with Windows 10
Microsoft Defender for Endpoint (Advanced Antivirus)
Microsoft 365:
- Microsoft Defender for Endpoint: behavior-based monitoring, prevention, and control
- A best practice is available from the Microsoft Baseline template.
Microsoft 365 Lost or Stolen Computer Protection | BitLocker Disk Encryption | Remote wipe | Remote lock
Microsoft 365:
Microsoft 365 Web Browsing Protection | Web threat protection | Web Content Filtering
Microsoft 365 includes:
- Microsoft Defender for Endpoint
- Web Threat Protection
- Web Content Filtering
Web Threat Protection: Advanced | Microsoft Edge Authentication | Microsoft Endpoint Manager Security Defaults for Microsoft Edge
Traditional Ways:
- Any web browser the user wants
- There are no web browsing security controls
Microsoft 365:
- Authenticate in Microsoft Edge
- Web App Virtual Containers
- Microsoft Defender for Endpoint
- Microsoft Endpoint Manager Security Defaults for Microsoft Edge (Baseline Template)
Legacy Server Backup and Security with Microsoft Azure | Azure Backup | Azure Defender
Usually includes MS SQL Server.
Traditional Ways:
- On-premise virtual or physical servers
- Server backup and disaster recovery
- No antivirus or 3rd party antivirus
Switch to Microsoft 365:
- Virtual servers in Azure Virtual Network
- Azure Backup
- Azure Defender
- Disaster recovery is included for free
- 99.9% uptime SLA
- Accessed by VPN
Microsoft 365 VPN
Traditional Ways:
- On-premise firewall appliance hosting the VPN
Modernized ways with Microsoft 365
- No VPN required.
- Data is 100% in the Microsoft 365 cloud.
- All data is encrypted in transit and at rest.
- Azure Active Directory is my firewall (Identity Protection)
- You only need to consider endpoint device encryption and enabling/configuring conditional access.
Microsoft 365 Firewall
Traditional Ways:
- An expensive on-premise firewall appliance
- 1-3 year license/support renewals
- 5 year hardware refresh
Modernized ways with Microsoft 365
- Primary NAT Firewall or ISP router
- Your IT services are 100% cloud
- Cybercriminals don’t know about your LAN
- Azure Active Directory is my firewall (Identity Protection)
Microsoft 365 hardware refreshes
Traditional Ways:
- 5-year hardware refresh cycles.
- 6th-year warranty extension
Modernized ways with Microsoft 365
- The hardware is never refreshed.
- Only the on-premises equipment remains:
  - A basic firewall
  - Switches
  - Wireless access points
  - Network printers
Microsoft 365 Security Extras
The following features are considered additional.
Control company data on employees’ personal devices | Microsoft Endpoint Manager app protection policies
Traditional Ways:
- Company emails and files are synced to employees’ personal cell phones.
- No control over where company email and files are copied.
- No data loss prevention control
Modernized ways with Microsoft 365
- Microsoft Endpoint Manager app protection policies
- Control security with a mobile app, not an employee’s personal cell phone.
- Control copy/sync/share in mobile app.
- Remote wipe
- Automatic wipe
Microsoft 365 Single Sign-On
Traditional Ways:
- Employees are juggling multiple login accounts:
  - Azure AD
  - Windows Server AD
  - Financial web app
  - Sales web app
  - Activities web app
- Accounts use company email addresses and the same or similar passwords.
- A security risk
Modernized ways with Microsoft 365
- Azure Active Directory Single Sign-On
- An Azure AD account is used as a single identity to access all company cloud systems.
- One identity to create when an employee starts
- One identity to deactivate when an employee quits
Secure files and emails anywhere in the world | Microsoft 365 Sensitivity Labels
Traditional Ways:
- Folder-based security controls
- Security is applied at the folder level.
- File/email is no longer protected after being removed from the folder.
Modernized ways with Microsoft 365
- Microsoft 365 Sensitivity Labels
- The ability to apply a security group directly to a file or email
- Security stays with the file or email no matter where it goes or with whom.
Microsoft 365 Device Compliance Policies
Traditional Ways:
- Connect to Microsoft 365 regardless of device security.
Modernized ways with Microsoft 365
- Microsoft Endpoint Manager is a
- Device Compliance Policies: Users’ devices must comply with our security requirements.
Managing Microsoft 365 cloud services
Traditional Ways:
- The IT Manager/Director manages hardware and software updates.
- Log into servers to check and correct IT systems.
- If the system is running, can you call it good?
Modernized ways with Microsoft 365
- Microsoft maintains hardware and software updates.
- You log into the portals to check and correct the IT system.
- You configure processes around alerts and auto-remediation.
Microsoft 365 Secure Score
Traditional Ways:
- There is no objective IT security scoring metric.
- There is no guided path.
- There is no checklist of industry best practices.
Modernized ways with Microsoft 365
- Microsoft 365 Secure Score
- A scoring metric for your entire Microsoft 365 tenant
- Current score and score trending
- Provides a priority technical checklist
Microsoft 365 Compliance Manager | Data protection baselines
Traditional Ways:
- Compliance is a vague goal that no one on your team has real experience with
- Compliance requirements seem ridiculously bureaucratic.
- No industry best practices (NIST, ISO, FedRAMP, GDPR)
- No guidance or integration with Microsoft 365
Modernized ways with Microsoft 365
- Microsoft 365 Compliance Manager
- Data protection baselines
- It comes with all versions of Microsoft 365.
- Beyond technical implementation in M365 Secure Score
- Documentation, Policies, and Procedures
- Microsoft best practices combined with industry compliance (NIST, ISO, FedRAMP, GDPR)
- It provides a prioritized checklist.
- Current score and score trend
Subscriptions and pricing
General Microsoft 365 setup:
Microsoft 365 Business Premium: $20/user/month (300 users) -> Enterprise version ($32/user/month)
+Microsoft 365 E5 Security Add-on: $12/user/month (ID protection, behavioral AI learning protection)
+Microsoft Phone System: $20/user/month
Total = $52/user/month (300 user limit).