Use AI to provide better spam protection and detection with Exchange Online


Let’s break down how AI enhances spam and phishing protection within Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO), along with configuration examples.

How AI Powers Spam/Phishing Protection in Exchange Online

Instead of just relying on static rules (like blocking specific keywords or known bad IPs), AI (specifically Machine Learning models) introduces several powerful capabilities:

  1. Advanced Pattern Recognition: AI models analyze vast amounts of global email data (billions of messages daily) from Microsoft’s network. They identify subtle and evolving patterns associated with spam, phishing, malware, and impersonation attempts that rule-based systems would miss. This includes:

    • Linguistic Analysis: Understanding the nuances of language, tone, urgency cues, grammatical errors common in phishing, and topic shifts often used to bypass simple filters.

    • Structural Analysis: Examining message headers, sending infrastructure reputation, URL structures, attachment types, and email formatting anomalies.

    • Behavioural Analysis: Learning normal communication patterns for your organization and flagging deviations (e.g., a sudden email from the “CEO” asking for gift cards, which is out of character).
  2. Adaptive Learning: Spammers constantly change tactics. AI models continuously learn and adapt to these new threats in near real-time, significantly reducing the window of vulnerability compared to waiting for manual rule updates. When new spam campaigns emerge, the models retrain based on newly classified samples.

  3. Contextual Understanding: AI helps differentiate between legitimate and malicious use of similar content. For example, an “invoice” email from a known supplier vs. a generic “invoice” from an unknown sender with a suspicious link. AI considers sender reputation, recipient history, link destinations, etc.

  4. Impersonation Detection (MDO): This is heavily AI-driven.

    • User Impersonation: When you add protected users, MDO flags inbound mail whose display name (or a near match of it) claims to be that user but arrives from an address that is not the user's, typically an external or never-before-seen mailbox. Mailbox Intelligence complements this by learning each recipient's normal set of senders, so a first-time sender borrowing a familiar name stands out even when the name is not on the protected list.

    • Domain Impersonation: AI detects attempts to use domains that look very similar to your own (e.g., yourc0mpany.com instead of yourcompany.com) or legitimate external domains (e.g., spoofing a well-known supplier).
  5. Enhanced Heuristics & Reputation: AI refines the calculation of Spam Confidence Levels (SCL) and Bulk Complaint Levels (BCL) by incorporating more complex signals than just IP/domain blocklists. It considers the “neighborhood” of sending IPs, historical sending behavior, and feedback loops (user submissions, junk reports).

  6. Zero-Hour Auto Purge (ZAP): Even if a malicious email initially bypasses filters and lands in an inbox, AI continues analyzing signals. If the message is later identified as spam or phishing (often through updated AI models or user reports), ZAP can automatically pull it from user mailboxes. Two caveats a practitioner should know: ZAP only reaches mail still sitting in Exchange Online mailboxes (nothing it can do about on-premises or POP-downloaded mail), and for spam and phishing verdicts it only moves messages the user has not yet read.

Specific Configuration Examples (Using the Microsoft 365 Defender Portal)

Most AI capabilities are inherently part of the features. You don’t toggle “AI On/Off,” but you configure the policies that leverage AI.

Prerequisites:

  • Access to the Microsoft Defender portal (https://security.microsoft.com), formerly branded the Microsoft 365 Defender portal; older screenshots and documentation use the old name.

  • Appropriate permissions (e.g., Security Administrator, Global Administrator).

  • Note: Some advanced features (like Impersonation, Safe Links, Safe Attachments) require Microsoft Defender for Office 365 Plan 1 or Plan 2 licenses, beyond the basic EOP included with Exchange Online.

Example 1: Tuning Anti-Spam Inbound Policy (Leverages AI for SCL)

AI determines the SCL score based on numerous factors. You configure the actions based on those AI-determined scores.

  1. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-spam.

  2. Select the Anti-spam inbound policy (Default) or click Create policy > Inbound for a custom policy.

  3. In the policy details flyout, scroll to the Actions section and click Edit actions. (The Bulk email threshold & spam properties section just above it is where you set the BCL threshold and the spam properties such as SPF hard fail or "Mark as spam" rules.)

  4. Spam Confidence Level (SCL) Actions:
    • Spam: Action: Move message to Junk Email folder (Recommended Default). SCL levels typically 5, 6.

    • High confidence spam: Action: Quarantine message (Recommended). SCL levels typically 7, 8, 9. You could choose Redirect message to email address, Delete message, or Move message to Junk Email folder. Quarantine is generally safest.

    • AI Impact: The determination of which message gets an SCL of 5 vs. 7 vs. 9 is heavily AI-driven based on content, sender, structure, etc.
  5. Bulk Complaint Level (BCL) Threshold: Set a threshold (e.g., 6 or 7). Messages exceeding this BCL (often unwanted marketing mail) will take the specified action (e.g., Move message to Junk Email folder). AI helps differentiate bulk from true spam.

  6. Zero-hour auto purge (ZAP): Ensure “Enable for spam messages” and “Enable for phishing messages” are turned On. This allows AI to retroactively remove messages.

  7. Save the changes.
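The same tuning done from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can manage EOP policies (Security Administrator, for instance); the header at the end is a constructed sample, not a real message. The cmdlet names still carry EOP's old "HostedContentFilter" name for the anti-spam policy.

```powershell
# Added example (not code from the original article): apply the Example 1
# settings with Exchange Online PowerShell and verify them, then decode the
# verdict EOP stamps on a delivered message. Assumptions: the
# ExchangeOnlineManagement module is installed and the signed-in account can
# manage EOP policies (e.g. Security Administrator).
Connect-ExchangeOnline -ShowBanner:$false

$antiSpam = @{
    Identity                  = 'Default'      # built-in policy; use a custom policy name to scope by recipient
    SpamAction                = 'MoveToJmf'    # SCL 5-6: junk folder
    HighConfidenceSpamAction  = 'Quarantine'   # SCL 7-9: quarantine
    PhishSpamAction           = 'Quarantine'
    HighConfidencePhishAction = 'Quarantine'
    BulkThreshold             = 6              # BCL 6 and above treated as bulk
    BulkSpamAction            = 'MoveToJmf'
    ZapEnabled                = $true          # master switch for zero-hour auto purge
    SpamZapEnabled            = $true
    PhishZapEnabled           = $true
    QuarantineRetentionPeriod = 30
}
Set-HostedContentFilterPolicy @antiSpam

# Read the policy back; the values must match what you intended to set.
Get-HostedContentFilterPolicy -Identity 'Default' |
    Format-List Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                HighConfidencePhishAction, BulkThreshold, BulkSpamAction,
                ZapEnabled, SpamZapEnabled, PhishZapEnabled

Disconnect-ExchangeOnline -Confirm:$false

# EOP writes its verdict into the X-Forefront-Antispam-Report header as
# semicolon-separated KEY:VALUE pairs. Parsing it tells you which score and
# category drove the action you just configured.
function ConvertFrom-ForefrontReport {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $verdict = [ordered]@{}
    foreach ($pair in ($HeaderValue -split ';')) {
        $kv = $pair -split ':', 2
        if ($kv.Count -eq 2 -and $kv[0].Trim()) { $verdict[$kv[0].Trim()] = $kv[1].Trim() }
    }
    [pscustomobject]@{
        SCL      = [int]$verdict['SCL']   # spam confidence level
        BCL      = [int]$verdict['BCL']   # bulk complaint level; 0 here when the header has no BCL
        Category = $verdict['CAT']        # e.g. SPM (spam), HSPM (high-confidence spam), PHSH, BULK
        SourceIP = $verdict['CIP']        # connecting IP EOP saw
    }
}

# Constructed sample header (not from a real message) with a mid-range spam score.
$sample = 'CIP:203.0.113.10;CTRY:AU;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:mail.example;PTR:;CAT:SPM;SFTY:;SFS:(13230031)(1800799024);DIR:INB;'
ConvertFrom-ForefrontReport $sample
# SCL 6 falls in the "Spam" band, so this message goes to Junk under the policy above.
```

Run the `Get-HostedContentFilterPolicy` step on every policy, not only Default: a custom policy with a lower priority number silently wins for the recipients it covers, and the portal's per-policy view makes that easy to miss.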

Example 2: Configuring Anti-Phishing Policy (Leverages AI for Impersonation & Spoofing)

Requires MDO licenses for advanced features.

  1. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing.

  2. Click Create to make a new policy (recommended) or edit the Default policy.

  3. Phishing threshold & protection:
    • Enable spoof intelligence: Ensure this is On. AI helps identify and classify spoofing attempts (legitimate vs. malicious). You can review/override its findings later under “Spoof intelligence insight”.

    • Impersonation Protection (Key AI Area):
      • Click Edit next to Users to protect. Click Manage sender(s) and add the display name and email address of key personnel (CEO, CFO, HR managers; up to 350 entries). Detection here is matching of the sender's display name and address against this list, so keep the names accurate. Mailbox Intelligence, below, is a separate signal that learns each recipient's normal senders.

      • Click Edit next to Domains to protect. Turn on Include domains I own and add the legitimate external domains you exchange mail with most (key suppliers, your bank, payroll and legal providers). Do not add lookalike domains here: the feature's job is to flag messages from domains that merely resemble a protected domain (transposed letters, digits for letters, extra hyphens or subdomains), so you list the genuine domains and let the lookalike matching do the rest. Keep the custom list to domains you actually correspond with, since every entry widens the set of lookalikes that will be quarantined.
      • Enable Mailbox Intelligence: Ensure this is On. This activates the AI learning for the protected users’ contact graphs and communication patterns.

      • Enable intelligence for impersonation protection: Ensure this is On. Uses AI to improve detection based on learned senders/patterns.
    • Actions: Configure actions for detected impersonation (User/Domain) and spoofing. Recommended actions often include Quarantine the message or Redirect message to administrator address and displaying safety tips.
  4. Advanced phishing thresholds: Set the level (e.g., 2: Aggressive, 3: More aggressive, 4: Most aggressive). Higher levels use more sensitive AI/ML models but might increase false positives. Start with 1: Standard or 2: Aggressive and monitor.

  5. Assign the policy to specific users, groups, or the entire domain.

  6. Save the policy.
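Example 2 built as a custom anti-phishing policy with Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an MDO Plan 1 or 2 licence and the ExchangeOnlineManagement module; the domain contoso.example, the two executives and trusted-supplier.example are placeholders invented for illustration.

```powershell
# Added example (not code from the original article): create and scope a
# custom anti-phishing policy. Assumptions: MDO Plan 1/2, the
# ExchangeOnlineManagement module, and the placeholder names/domains below.
Connect-ExchangeOnline -ShowBanner:$false

$antiPhish = @{
    Name                                = 'Exec Impersonation Guard'
    # User impersonation: protected entries are "Display Name;smtp address"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Jane Citizen;jane.citizen@contoso.example',
                                            'Sam Lee;sam.lee@contoso.example')
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain impersonation: your own domains plus partners you really mail with
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('trusted-supplier.example')
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: learn each recipient's normal senders and act on it
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Spoof intelligence plus explicit DMARC handling
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    HonorDmarcPolicy                    = $true
    DmarcRejectAction                   = 'Reject'
    DmarcQuarantineAction               = 'Quarantine'
    # Advanced phishing threshold: 1 Standard, 2 Aggressive, 3 More, 4 Most aggressive
    PhishThresholdLevel                 = 2
    # Safety tips and indicators shown to users
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    EnableUnauthenticatedSender         = $true
    EnableViaTag                        = $true
}
New-AntiPhishPolicy @antiPhish | Out-Null

# A policy does nothing until a rule scopes it to recipients. Priority 0 wins
# over the default policy and over any custom policy with a higher number.
New-AntiPhishRule -Name 'Exec Impersonation Guard rule' `
                  -AntiPhishPolicy 'Exec Impersonation Guard' `
                  -RecipientDomainIs 'contoso.example' `
                  -Priority 0 | Out-Null

# Verify the learning-based settings are actually on before you trust the policy.
Get-AntiPhishPolicy -Identity 'Exec Impersonation Guard' |
    Format-List EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
                EnableSpoofIntelligence, PhishThresholdLevel,
                TargetedUsersToProtect, TargetedDomainsToProtect

Disconnect-ExchangeOnline -Confirm:$false
```

Start with `PhishThresholdLevel` 2 and the Junk action for mailbox intelligence, watch the quarantine and the impersonation insight for a couple of weeks, and only then tighten the actions; an aggressive threshold applied on day one is how executives end up with legitimate supplier mail in quarantine.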

Example 3: Enabling Safe Links & Safe Attachments (Leverages AI for Analysis)

Requires MDO licenses. These features use sandboxing (detonation) and URL reputation checks, heavily augmented by AI analysis.

  1. Safe Attachments:

    • Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Attachments.

    • Click Create or edit an existing policy.

    • Choose an action like Block (blocks email with detected malware) or Dynamic Delivery (delivers email body immediately, attaches placeholder until attachment scan completes – often preferred for user experience).

    • Enable Redirect messages with detected attachments and specify an admin mailbox for review if desired.

    • Apply the policy to users/groups/domains.

    • AI Impact: AI models perform static analysis before detonation and analyze the behavior of the file during detonation in the sandbox to identify novel/zero-day malware.
  2. Safe Links:

    • Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Links.

    • Click Create or edit an existing policy.

    • Ensure On: Safe Links checks a list of known, malicious links when users click links in email is selected under URL & click protection settings.

    • Enable Apply Safe Links to email messages.

    • Enable Apply real-time URL scanning for suspicious links and links that point to files. (This uses AI and other heuristics).

    • Configure Wait for URL scanning to complete before delivering the message (more secure, slight delay) or leave it off (less secure, no delay).

    • Choose actions for malicious URLs within Microsoft Teams and Office 365 Apps if applicable.

    • Configure Do not rewrite the following URLs for any trusted internal/external sites that break due to rewriting (use sparingly).

    • Apply the policy to users/groups/domains.

    • AI Impact: AI powers the reputation lookups and real-time scanning analysis of URLs, identifying phishing sites, malware hosts, and command-and-control servers even if they aren’t on a static blocklist yet.
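The two Example 3 policies created from Exchange Online PowerShell, followed by the step an analyst needs when a user reports a message: recovering the original URL from the Safe Links wrapper. This is an added example, not code from the original article; it assumes MDO Plan 1 or 2, the ExchangeOnlineManagement module, and the placeholder domain contoso.example with mailbox secops@contoso.example. The wrapped URL at the end is constructed, and its data/reserved values are placeholders, not real tokens.

```powershell
# Added example (not code from the original article): Safe Attachments and
# Safe Links policies plus a Safe Links URL decoder. Assumptions: MDO Plan 1/2,
# the ExchangeOnlineManagement module, placeholder domain contoso.example.
Connect-ExchangeOnline -ShowBanner:$false

# --- Safe Attachments: dynamic delivery, detected files redirected for review
New-SafeAttachmentPolicy -Name 'Detonate attachments' `
    -Enable $true -Action DynamicDelivery `
    -Redirect $true -RedirectAddress 'secops@contoso.example' | Out-Null
New-SafeAttachmentRule -Name 'Detonate attachments rule' `
    -SafeAttachmentPolicy 'Detonate attachments' `
    -RecipientDomainIs 'contoso.example' -Priority 0 | Out-Null

# --- Safe Links: rewrite + time-of-click check, real-time scan, no click-through
$safeLinks = @{
    Name                     = 'Click-time URL protection'
    EnableSafeLinksForEmail  = $true
    EnableForInternalSenders = $true
    ScanUrls                 = $true   # real-time scanning of suspicious links and links to files
    DeliverMessageAfterScan  = $true   # hold delivery until the scan completes
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    TrackClicks              = $true
    AllowClickThrough        = $false  # users cannot bypass the warning page
    DoNotRewriteUrls         = @('https://intranet.contoso.example/*')  # keep this list tiny
}
New-SafeLinksPolicy @safeLinks | Out-Null
New-SafeLinksRule -Name 'Click-time URL protection rule' `
    -SafeLinksPolicy 'Click-time URL protection' `
    -RecipientDomainIs 'contoso.example' -Priority 0 | Out-Null

Disconnect-ExchangeOnline -Confirm:$false

# Safe Links rewrites URLs to https://<region>.safelinks.protection.outlook.com/?url=<encoded>&data=...
# Pull the original target out before you look it up; opening the wrapper during
# an investigation records a click against the mailbox owner in the URL click reports.
function Get-SafeLinksOriginalUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [System.Uri]$Url
    if ($uri.Host -notlike '*.safelinks.protection.outlook.com') { return $Url }   # not wrapped
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $kv = $pair -split '=', 2
        if ($kv[0] -eq 'url' -and $kv.Count -eq 2) { return [System.Uri]::UnescapeDataString($kv[1]) }
    }
    return $Url
}

# Constructed wrapped URL (placeholder data/reserved values, not real tokens).
$wrapped = 'https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Finvoice%2F4411&data=placeholder&reserved=0'
Get-SafeLinksOriginalUrl $wrapped     # https://example.com/invoice/4411
```

`DoNotRewriteUrls` entries are also skipped at click time, so every wildcard you add is a permanent hole in the protection; prefer fixing the application that breaks on rewritten links over widening the exception.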

Key Takeaways:

  • AI is Integrated: You configure features like Anti-Spam, Anti-Phishing, Safe Links/Attachments, and AI works behind the scenes within those features.

  • MDO is Crucial: The most advanced AI-driven protections (impersonation, advanced phishing detection, Safe Links/Attachments) require Microsoft Defender for Office 365 licenses.

  • Configuration is Tuning: You adjust thresholds (SCL, BCL), enable specific protections (Impersonation), and define actions (Quarantine, Junk, Delete).

  • Monitor & Adapt: Regularly review quarantine, user submissions (the Report button built into Outlook, or the Report Message/Report Phishing add-ins, with User reported settings pointed at your security mailbox), and threat reports in the Defender portal to fine-tune policies and understand how AI is performing in your environment. Submissions you confirm as phishing or as false positives feed back into Microsoft's models and into your tenant's allow/block lists.

By leveraging these AI-powered features and configuring them appropriately, you can significantly improve your organization’s defense against increasingly sophisticated spam and phishing attacks in Exchange Online.

Governing AI usage with Microsoft 365 Business Premium


Here’s the best way to leverage M365 Business Premium for AI governance, covering both Microsoft’s AI (like Copilot) and third-party services:

Core Principle: Governance relies on controlling Access, protecting Data, managing Endpoints, and Monitoring activity, layered with clear Policies and user Training.

1. Establish Clear AI Usage Policies & Training (Foundation)

  • What: Define acceptable use policies for AI. Specify:

    • Which AI tools are approved (if any beyond Microsoft’s).

    • What types of company data (if any) are permissible to input into any AI tool (especially public/third-party ones). Prohibit inputting sensitive, confidential, or PII data into non-approved or public AI.

    • Guidelines for verifying AI output accuracy and avoiding plagiarism.

    • Ethical considerations and bias awareness.

    • Consequences for policy violations.
  • How (M365 Support):
    • Use SharePoint to host and distribute the official AI policy documents.

    • Use Microsoft Teams channels for discussion, Q&A, and announcements regarding AI policies.

    • Utilize tools like Microsoft Forms or integrate with Learning Management Systems (LMS) for tracking policy acknowledgment and training completion.

2. Control Access to AI Services

  • Microsoft AI (Copilot for Microsoft 365):
    • What: Control who gets access to Copilot features within M365 apps.

    • How:
      • Licensing: Copilot for M365 is an add-on license. Assign licenses only to approved users or groups via the Microsoft 365 Admin Center or Microsoft Entra ID (formerly Azure AD) group-based licensing. This is your primary control gate.
  • Third-Party AI Services (e.g., ChatGPT, Midjourney, niche AI tools):
    • What: Limit or block access to unapproved external AI websites and applications.

    • How (M365 BP Tools):
      • Microsoft Defender for Business: Use its Web Content Filtering capabilities. Create policies to block categories (like “Artificial Intelligence” if available) or specific URLs of unapproved AI services accessed via web browsers on managed devices.

      • Microsoft Intune:
        • For company-managed devices (MDM): push browser policies through the Intune settings catalog, for example the Microsoft Edge and Google Chrome URLBlocklist/URLAllowlist settings, to block unapproved AI sites and leave the approved ones reachable.

        • If third-party AI tools have installable applications, use Intune to block their installation on managed devices.
      • Microsoft Entra Conditional Access (Requires Entra ID P1 – included in M365 BP):
        • If a third-party AI service integrates with Entra ID for Single Sign-On (SSO), you can create Conditional Access policies to block or limit access based on user, group, device compliance, location, etc.

        • Limitation: This primarily works for AI services using Entra ID for authentication. It won’t block access to public web AI services that don’t require organizational login.
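The two access controls from this section driven through Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph modules are installed, that groups named 'Copilot Approved Users' and 'Break Glass Accounts' exist, that the third-party service is registered as an enterprise app called 'Contoso AI Assistant', and that the Copilot add-on's SKU part number is 'Microsoft_365_Copilot' (confirm with Get-MgSubscribedSku in your tenant; all of these names are placeholders).

```powershell
# Added example (not code from the original article): gate Copilot through
# group-based licensing and put Conditional Access in front of an
# Entra-integrated AI app. Assumptions: Microsoft.Graph modules; the group,
# app and SKU names below are placeholders to replace with your own.
Connect-MgGraph -Scopes 'Organization.Read.All', 'Group.Read.All', 'Directory.ReadWrite.All',
                        'Application.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# --- Licensing: membership of one group is the only way a user gets Copilot
$sku   = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'Microsoft_365_Copilot'
$group = Get-MgGroup -Filter "displayName eq 'Copilot Approved Users'"
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# --- Conditional Access for the third-party AI app. This only bites for apps
#     that authenticate through Entra ID; a public chatbot with its own login
#     never hits this policy (see the Limitation above).
$app        = Get-MgServicePrincipal -Filter "displayName eq 'Contoso AI Assistant'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
$policy = @{
    displayName   = 'AI apps: require MFA and a compliant device'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @($app.AppId) }   # CA keys on the appId, not the object id
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Format-List DisplayName, State, Id

Disconnect-MgGraph | Out-Null
```

Leave the policy in report-only mode long enough to see it evaluated in the sign-in logs for real users; the compliant-device control in particular surprises people whose devices are enrolled but not yet marked compliant by Intune.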

3. Protect Data Used With or Generated By AI

  • What: Prevent sensitive company data from being leaked into AI models (especially public ones) and ensure data handled by approved AI (like Copilot) remains secure.

  • How (M365 BP Tools):
    • Microsoft Purview Information Protection (Sensitivity Labels):
      • Classify Data: Implement sensitivity labels (e.g., Public, General, Confidential, Highly Confidential). Train users to apply labels correctly to documents and emails.

      • Apply Protection: Configure labels to apply encryption and usage rights. A label that withholds the Copy/Extract right makes Office apps refuse copy, drag and paste out of the protected document, which closes the common "paste into a chatbot" path, though not retyping or photographing the screen, so treat it as friction rather than a guarantee. Copilot for M365 honours these labels and usage rights: it only works with content the user can already open, skips encrypted items where the user lacks the Extract right, and inherits the most restrictive label into what it generates.
    • Microsoft Purview Data Loss Prevention (DLP):
      • Define Policies: Create DLP policies to detect sensitive information types (credit card numbers, PII, custom sensitive data based on keywords or patterns) within M365 services (Exchange, SharePoint, OneDrive, Teams) and on endpoints.

      • Endpoint DLP (for Third-Party AI): Configure Endpoint DLP policies to monitor and block actions like copying sensitive content to USB drives, network shares, cloud services, or pasting into web browsers accessing specific non-allowed domains (like public AI websites). You can set policies to block, warn, or just audit. Check your entitlement first: Endpoint DLP is licensed separately from the Exchange, SharePoint, OneDrive and Teams DLP that Business Premium includes (it sits in the E5 Compliance and Information Protection tiers), so confirm against the current Purview service description before you plan around it.

      • Copilot Context: Copilot for M365 operates within your M365 tenant boundary and respects existing DLP policies and permissions. Data isn’t used to train public models.
    • Microsoft Intune App Protection Policies (MAM – for Mobile/BYOD):
      • Control Data Flow: If users access M365 data on personal devices (BYOD), use Intune MAM policies to prevent copy/pasting data from managed apps (like Outlook, OneDrive) into unmanaged apps (like a personal browser accessing a public AI tool).
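A Purview DLP policy for the M365 workloads Business Premium covers, written with Security & Compliance PowerShell as an added example that is not part of the original article. It starts in test mode so you can read the matches before anything is blocked. It assumes the ExchangeOnlineManagement module (which provides Connect-IPPSSession) and a Purview role such as Compliance Administrator; the sensitive information type names are Microsoft's built-ins, and the policy and rule names are placeholders.

```powershell
# Added example (not code from the original article): workload DLP policy that
# blocks credit card and Australian TFN data from leaving the tenant, in
# test-with-notifications mode. Assumptions: ExchangeOnlineManagement module,
# a Purview compliance role; names below are placeholders.
Connect-IPPSSession

$policyName = 'Sensitive data - external sharing guard'

$policy = @{
    Name               = $policyName
    Comment            = 'Blocks credit card and TFN data leaving the tenant; monitor first'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    TeamsLocation      = 'All'
    Mode               = 'TestWithNotifications'   # switch to Enable once the hit rate looks right
}
New-DlpCompliancePolicy @policy | Out-Null

$rule = @{
    Name                                = "$policyName - block external"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @(
        @{ Name = 'Credit Card Number';        minCount = '1' },
        @{ Name = 'Australia Tax File Number'; minCount = '1' }
    )
    AccessScope                         = 'NotInOrganization'   # fires only when the recipient/share is external
    BlockAccess                         = $true
    BlockAccessScope                    = 'All'
    NotifyUser                          = @('Owner', 'LastModifier')
    NotifyPolicyTipCustomText           = 'This content contains regulated data and cannot be shared outside the organisation.'
    GenerateIncidentReport              = 'SiteAdmin'
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @rule | Out-Null

# Read back what was created; then watch matches in Purview's Activity explorer
# for a week or two before switching Mode to Enable.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, ReportSeverityLevel
```

The `AccessScope = 'NotInOrganization'` condition is what keeps this from blocking ordinary internal work: a finance team mailing TFN data to each other is normal, the same data going to an external recipient (or an anonymous share link) is the event you want stopped.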

4. Manage Endpoints

  • What: Ensure devices accessing company data and potentially AI tools are secure and compliant.

  • How (M365 BP Tools):
    • Microsoft Intune (MDM/MAM): Enroll devices (Windows, macOS, iOS, Android) for management. Enforce security baselines, require endpoint protection (Defender), encryption, and patching. Non-compliant devices can be blocked from accessing corporate resources via Conditional Access.

    • Microsoft Defender for Business: Provides endpoint security (Antivirus, Attack Surface Reduction, Endpoint Detection & Response). Helps protect against malware or compromised endpoints that could exfiltrate data used with AI.

5. Monitor and Audit AI-Related Activity

  • What: Track usage patterns, potential policy violations, and data access related to AI.

  • How (M365 BP Tools):
    • Microsoft Purview Audit Log: Search for activities related to file access, sensitivity label application/changes, and DLP policy matches (including Endpoint DLP events showing attempts to paste sensitive data into blocked sites). While it won’t show what was typed into an external AI, it shows attempts to move sensitive data towards it.

    • Microsoft Defender for Business Reports: Review web filtering reports to see attempts to access blocked AI sites.

    • Entra ID Sign-in Logs: Monitor logins to any Entra ID-integrated AI applications.

    • Copilot Usage Reports (via M365 Admin Center): Track adoption and usage patterns for Microsoft Copilot across different apps.

Summary: The “Best Way” using M365 Business Premium

  1. Foundation: Start with clear Policies and Training. This is non-negotiable.

  2. Control Access: Use Licensing for Copilot. Use Defender Web Filtering and potentially Intune/Conditional Access to restrict access to unapproved third-party AI.

  3. Protect Data: Implement Sensitivity Labels to classify and protect data at rest. Where licensed, use Endpoint DLP aggressively to block sensitive data from being pasted into browsers/unapproved apps; otherwise lean on the workload DLP and sensitivity label usage rights that Business Premium does include. Use Intune MAM for BYOD data leakage prevention.

  4. Secure Endpoints: Ensure devices are managed and secured via Intune and Defender for Business.

  5. Monitor: Regularly review Purview Audit Logs, DLP Reports, and Defender Reports for policy violations and risky behavior.

Limitations to Consider:

  • No foolproof blocking: Highly determined users might find ways around web filtering (e.g., personal devices not managed, VPNs not routed through corporate controls).

  • Limited insight into third-party AI: M365 tools can block access and prevent data input but cannot see what users do inside an allowed third-party AI tool or analyze its output directly.

  • Requires Configuration: These tools are powerful but require proper setup, configuration, and ongoing management.

By implementing these layers using the tools within Microsoft 365 Business Premium, you can establish robust governance over AI usage, balancing productivity benefits with security and compliance needs.

Microsoft Global Secure Access and M365 Business Premium


What is Microsoft Global Secure Access (GSA)?

Microsoft Global Secure Access is Microsoft’s Security Service Edge (SSE) solution. Think of it as a modern, cloud-native security perimeter that helps organizations secure access to any application or resource, regardless of where the user or the resource is located. It’s part of the broader Microsoft Entra product family (which also includes Entra ID, formerly Azure AD).

GSA converges networking and security capabilities, moving away from traditional perimeter-based security (like on-premises firewalls and VPNs) towards a model centered on identity and delivered from Microsoft’s global network edge.

It primarily consists of two core services:

  1. Microsoft Entra Internet Access: Secures access to the public internet, SaaS applications, and Microsoft 365 apps. It acts like a cloud-based Secure Web Gateway (SWG), filtering traffic, applying security policies, and protecting users from web threats.

  2. Microsoft Entra Private Access: Provides secure, Zero Trust Network Access (ZTNA) to private corporate resources (applications hosted on-premises or in IaaS environments) without needing traditional VPNs.

Benefits of Microsoft Global Secure Access:

GSA offers significant advantages, especially for organizations embracing hybrid work and cloud adoption:

  1. Enhanced Security Posture (Zero Trust Alignment):

    • Granular Access Control: Moves beyond simple network access (like VPNs grant) to application-level access based on strong identity verification (user, device health, location) enforced by Microsoft Entra Conditional Access.

    • Reduced Attack Surface: Eliminates the need to expose private applications directly to the internet or grant broad network access via VPNs. Users only get access to the specific resources they are authorized for.

    • Consistent Policy Enforcement: Apply unified security policies (like requiring MFA, compliant devices, etc.) across M365 apps, SaaS apps, internet browsing, and private resources.

    • Threat Protection: Entra Internet Access provides security features like web content filtering, malicious site blocking, and integration with Microsoft’s threat intelligence to protect users browsing the web.
  2. Improved User Experience:

    • Faster & More Direct Access: Leverages Microsoft’s vast global network. Traffic is routed optimally to the nearest Microsoft Point of Presence (PoP) and then directly to the resource (M365, SaaS, internet, or private app via connector), often resulting in lower latency than backhauling traffic through a central VPN concentrator.

    • Seamless Connectivity: Users connect automatically via the GSA client without the often clunky manual connection process of traditional VPNs.

    • Works Anywhere: Provides consistent security and access experience whether the user is in the office, at home, or traveling.
  3. Simplified Management & Operations:

    • Unified Console: Managed directly within the Microsoft Entra admin center alongside identity and other security settings.

    • Reduced Infrastructure Complexity: Eliminates or reduces the need to manage complex on-premises VPN concentrators, firewalls, and web proxies.

    • Cloud-Native Scalability: Scales automatically with your needs without requiring hardware upgrades.

    • Integrated Logging & Reporting: Provides centralized visibility into access patterns and security events across different resource types.
  4. Cost Savings (Potential):

    • Consolidation: Can potentially replace multiple point solutions (VPN, SWG, ZTNA products) with a single integrated platform.

    • Reduced Infrastructure Costs: Lower operational overhead associated with managing on-premises security appliances.
  5. Better Integration with Microsoft Ecosystem:

    • Deep Conditional Access Integration: GSA network conditions (like “compliant network”) can be used as signals within Conditional Access policies for richer context-aware authorization.

    • Leverages Entra ID: Builds directly on your existing identity foundation in Microsoft Entra ID.

Enabling Global Secure Access with M365 Business Premium License:

This is where it gets a bit nuanced, as licensing for GSA features has evolved. Here’s the breakdown relevant to M365 Business Premium:

  1. Prerequisite – Microsoft Entra ID P1: M365 Business Premium includes Microsoft Entra ID P1. This is the foundational requirement for using Global Secure Access features.

  2. Included Functionality (as of recent updates):

    • Microsoft Entra Internet Access for Microsoft 365 Traffic: Microsoft announced in May 2024 that securing Microsoft 365 traffic (SharePoint Online, Exchange Online, Teams) through GSA, including source IP restoration and the compliant-network check, is covered by existing Microsoft Entra ID licensing rather than by a separate GSA SKU. Since M365 Business Premium includes Entra ID P1, it covers routing your M365 traffic via GSA and building Conditional Access policies on GSA signals for M365 apps. Confirm the exact tier requirement on the current Global Secure Access licensing page before you depend on it.
  3. Functionality Requiring Additional Licenses:

    • Microsoft Entra Internet Access for All Internet Traffic: To secure all outbound internet and SaaS app traffic (beyond just M365), you need the Microsoft Entra Internet Access license. This provides the full SWG capabilities like web content filtering across all sites.

    • Microsoft Entra Private Access: To secure access to your private, on-premises, or IaaS-hosted applications, you need the Microsoft Entra Private Access license.

    • Bundles: Both are sold as standalone per-user add-ons and are also included in the Microsoft Entra Suite bundle. They are not part of Microsoft 365 E3 or E5 on their own; those SKUs provide the Entra ID P1/P2 prerequisite, not the GSA services.

    In summary for M365 Business Premium: You get the Entra ID P1 prerequisite and the ability to secure M365 traffic via GSA included. For full internet traffic protection or private app access, you need to purchase the GSA-specific add-on licenses (or the Entra Suite).

How to Enable and Configure (Assuming Necessary Licenses):

The enablement process happens within the Microsoft Entra admin center (entra.microsoft.com):

  1. Prerequisites Check:

    • Ensure you have the necessary licenses (M365 Business Premium for the base + potentially GSA add-ons depending on your goals).

    • You need appropriate administrative roles (e.g., Global Administrator, Security Administrator, or the specific Global Secure Access Administrator roles).
  2. Activate Global Secure Access:

    • Navigate to the Microsoft Entra admin center.

    • Go to Global Secure Access in the left-hand navigation pane. (Early builds labeled it "Global Secure Access (Preview)"; the Internet Access for Microsoft 365 and Private Access features have since reached general availability, though individual sub-features may still carry a preview tag.)

    • If it’s your first time, you might see an activation screen. Click Activate to enable the GSA features for your tenant.
  3. Configure Traffic Forwarding Profiles:

    • Under Global Secure Access, go to Connect > Traffic forwarding.

    • Here you manage how client traffic gets sent to the GSA service. You’ll see profiles like:

      • Microsoft 365 profile: Enable this to direct M365 traffic through GSA (covered by M365 BP). Check its state here rather than assuming it, and review the per-service rules it contains (Exchange Online, SharePoint Online and so on), since anything excluded there never reaches the compliant-network check.

      • Internet access profile: You need to explicitly enable this if you want all internet traffic forwarded (requires the Entra Internet Access license).

      • Private access profile: Enable this if you want to route traffic to private resources (requires the Entra Private Access license).
  4. Deploy the Global Secure Access Client:

    • Under Global Secure Access, go to Connect > Client download.

    • Download the GSA client. Windows and macOS clients are published here; for Android and iOS the client ships inside the Microsoft Defender app, so check the current client documentation for platform requirements and version minimums.

    • Deploy this client to your end-user devices (e.g., via Intune, included in M365 Business Premium). The client automatically captures traffic based on the enabled forwarding profiles and sends it to the GSA service edge.
  5. Configure Internet Access Policies (If Licensed for Full Internet Access):

    • Navigate to Global Secure Access > Secure.

    • Web content filtering policies: Create policies to block specific categories of websites.

    • Security profiles: Link Conditional Access policies to enforce security requirements for internet access.
  6. Configure Private Access (If Licensed):

    • This is more involved:

      • Install Connectors: Go to Connect > Connectors. Download and install the lightweight Entra Private Access Connector agent on a server(s) within your private network that has access to the target applications.

      • Configure Connector Groups: Organize your connectors.

      • Define Enterprise Applications: Go to Applications > Enterprise applications in Entra ID. Create/configure representations of your private apps.

      • Configure Quick Access or Global Secure Access Apps: Under Global Secure Access > Applications > Quick Access (for simple setup) or Global Secure Access Apps (for per-app configuration), define which private apps should be accessible via GSA and link them to the appropriate connector groups. Assign users/groups to these apps.
  7. Integrate with Conditional Access:

    • Go to Protection > Conditional Access in the Entra admin center.

    • When creating or editing policies, under Conditions > Locations, you can include or exclude "All Compliant Network locations". This named location only appears after you turn on Global Secure Access signaling for Conditional Access (Global Secure Access > Settings > Session management > Adaptive access); it represents traffic arriving through GSA from a client with the Microsoft 365 profile enabled.

    • You can create policies like "Block access to Office 365 unless connecting from a compliant network (GSA)", the compliant network check, or the more permissive "Require MFA for App X unless the session arrives from a compliant network". Roll either out in report-only mode first and exclude your break-glass accounts: a device without the client, or a client whose profile has not applied yet, is otherwise locked out of Microsoft 365 the moment the policy is enforced.
  8. Monitor and Report:

    • Use the Monitor section within Global Secure Access to view traffic logs, connectivity health, and reports.
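The enablement steps above driven through the Graph API from PowerShell, ending with a report-only compliant-network policy. This is an added example, not code from the original article. It assumes the Microsoft.Graph module, an account holding the Global Secure Access Administrator and Conditional Access Administrator roles, a 'Break Glass Accounts' group (placeholder name), and that the networkAccess endpoints used here are still on the beta Graph surface, as they were at the time of writing; check the current reference before relying on them.

```powershell
# Added example (not code from the original article): activate GSA, enable the
# Microsoft 365 forwarding profile, turn on CA signaling and create a
# report-only compliant-network policy. Assumptions: Microsoft.Graph module,
# GSA + CA admin roles, beta networkAccess endpoints, placeholder group name.
Connect-MgGraph -Scopes 'NetworkAccess.ReadWrite.All', 'NetworkAccessPolicy.ReadWrite.All',
                        'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'
$beta = 'https://graph.microsoft.com/beta'

# 1. Activate (onboard) the tenant if it is not already
$status = Invoke-MgGraphRequest -Method GET -Uri "$beta/networkAccess/tenantStatus"
if ($status.onboardingStatus -ne 'onboarded') {
    Invoke-MgGraphRequest -Method POST -Uri "$beta/networkAccess/tenantStatus/onboard" | Out-Null
}

# 2. Inspect the forwarding profiles and enable only the Microsoft 365 one,
#    which Business Premium covers; leave internet/private off until licensed.
$profiles = (Invoke-MgGraphRequest -Method GET -Uri "$beta/networkAccess/forwardingProfiles").value
$profiles | ForEach-Object { '{0,-40} type={1,-9} state={2}' -f $_.name, $_.trafficForwardingType, $_.state }
$m365 = $profiles | Where-Object { $_.trafficForwardingType -eq 'm365' }
Invoke-MgGraphRequest -Method PATCH -Uri "$beta/networkAccess/forwardingProfiles/$($m365.id)" `
    -ContentType 'application/json' -Body (@{ state = 'enabled' } | ConvertTo-Json)

# 3. Turn on Conditional Access signaling so "All Compliant Network locations" exists
Invoke-MgGraphRequest -Method PATCH -Uri "$beta/networkAccess/settings/conditionalAccess" `
    -ContentType 'application/json' -Body (@{ signalingStatus = 'enabled' } | ConvertTo-Json)

# 4. Find the compliant-network named location that signaling creates
$locations = (Invoke-MgGraphRequest -Method GET -Uri "$beta/identity/conditionalAccess/namedLocations").value
$compliant = $locations | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.compliantNetworkNamedLocation' }
if (-not $compliant) { throw 'Compliant network location not present yet; it can take a few minutes after enabling signaling.' }

# 5. Compliant network check, report-only: block Office 365 unless the session arrives via GSA.
#    Report-only plus the break-glass exclusion keeps you from locking out every device that
#    does not yet have the client; review sign-in logs before switching to 'enabled'.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
$policy = @{
    displayName   = 'GSA: Office 365 only from compliant network (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($compliant.id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
Invoke-MgGraphRequest -Method POST -Uri "$beta/identity/conditionalAccess/policies" `
    -ContentType 'application/json' -Body ($policy | ConvertTo-Json -Depth 6)

Disconnect-MgGraph | Out-Null
```

Step 2's listing is worth keeping in your runbook: after any client or tenant change, comparing the profile states against what you expect is the fastest way to explain why a compliant-network policy suddenly started matching (or stopped).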

Important Considerations:

  • Licensing is Key: Double-check the latest Microsoft licensing documentation or consult with a Microsoft partner/representative. Licensing details, especially for newer services like GSA, can change. What’s included in M365 Business Premium today regarding GSA might evolve.

  • Preview Status: Some GSA components might still be in public preview, meaning they are subject to change and might not have full support SLAs yet.

  • Client Deployment: Plan your rollout of the GSA client to end-user devices.

  • Network Configuration: Ensure firewalls allow outbound traffic from the GSA client (port 443) and from the Private Access connectors (outbound 443).

By leveraging Global Secure Access, even with just the M365 traffic protection included in Business Premium, you start aligning with Zero Trust principles and enhance security for your Microsoft 365 environment. Adding the full Internet and Private Access capabilities provides a comprehensive SSE solution.

Passkeys in Microsoft Entra ID (formerly Azure Active Directory)


What are Passkeys?

At their core, Passkeys are a modern, highly secure, and user-friendly replacement for passwords. They are built upon the WebAuthn (Web Authentication) standard and the FIDO Alliance's Client to Authenticator Protocol (CTAP); together these two specifications are what "FIDO2" refers to.

Think of them as the next evolution of FIDO2 security keys, but designed for broader usability, including (where the platform supports it) syncing across devices.

Instead of a user remembering a secret (password), a Passkey relies on public-key cryptography:

Key Pair Generation:

  • Private Key: Generated and held by the authenticator: a hardware security key, the platform's secure hardware (the TPM on Windows, the Secure Enclave on Apple devices) or an app such as Microsoft Authenticator. A device-bound passkey never leaves that device; a synced passkey is copied between the user's own devices only through the platform's end-to-end encrypted keychain, and in neither case is it ever sent to the service.

  • Public Key: Sent to and stored by the service (Entra ID) and associated with your user account, together with a credential ID and the relying-party ID (the domain the key is scoped to).

Authentication:

  • Entra ID sends a random, single-use challenge to your browser/OS.

  • Your browser/OS prompts you to use your Passkey. The browser only offers passkeys whose relying-party ID matches the site's real domain, which is why a lookalike phishing site cannot even trigger the prompt.

  • You unlock the private key using your device's screen lock method (e.g., Face ID, Windows Hello); the biometric or PIN never leaves the device either.

  • The device signs the challenge together with the site origin and a hash of the relying-party ID.

  • The signed response is sent to Entra ID, which checks that the challenge, origin and relying-party ID are the ones it expects and then verifies the signature using the stored public key.
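The challenge/response above simulated end to end in PowerShell 7 with .NET's ECDsa, so you can see what the relying party actually checks and why a lookalike origin or a replayed response fails. This is an added illustration, not code from the original article and not how Entra ID is implemented. It assumes 'login.microsoft.com' as a stand-in relying-party ID, and it simplifies the real WebAuthn encodings (CBOR, base64url, attestation) to keep the checks visible.

```powershell
# Added example (not code from the original article): WebAuthn-style
# challenge/response with ECDSA P-256. Assumptions: PowerShell 7, a stand-in
# rpId, simplified encodings. The RP-side checks are the point of the example.
using namespace System.Security.Cryptography
using namespace System.Text

$rpId = 'login.microsoft.com'   # stand-in relying-party ID

function Get-Sha256([byte[]]$Bytes) { Write-Output -NoEnumerate ([SHA256]::Create().ComputeHash($Bytes)) }
function New-Challenge {
    $b = [byte[]]::new(32); [RandomNumberGenerator]::Create().GetBytes($b); [Convert]::ToBase64String($b)
}

# --- Registration: the authenticator creates the key pair; only the public half leaves it
$authenticatorKey = [ECDsa]::Create([ECCurve+NamedCurves]::nistP256)
$storedPublicKey  = $authenticatorKey.ExportParameters($false)     # public point Q only: what Entra ID keeps

# --- Authentication, authenticator side. The browser fills in clientDataJSON from the page's
#     real origin; page script cannot change it. In a real browser a site whose origin does not
#     match the rpId never gets this far, because the browser refuses to offer the passkey.
function Invoke-AuthenticatorAssertion {
    param([string]$Origin, [string]$ChallengeB64)
    $clientData = [ordered]@{ type = 'webauthn.get'; challenge = $ChallengeB64; origin = $Origin } |
        ConvertTo-Json -Compress
    $clientDataBytes = [Encoding]::UTF8.GetBytes($clientData)
    # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || 32-bit signature counter
    $authData = [byte[]]((Get-Sha256 ([Encoding]::UTF8.GetBytes($rpId))) + [byte[]](0x01, 0, 0, 0, 1))
    $toSign   = [byte[]]($authData + (Get-Sha256 $clientDataBytes))
    [pscustomobject]@{
        ClientDataJSON    = $clientDataBytes
        AuthenticatorData = $authData
        Signature         = $authenticatorKey.SignData($toSign, [HashAlgorithmName]::SHA256)
    }
}

# --- Authentication, relying-party side (the checks Entra ID performs on the response)
function Test-PasskeyAssertion {
    param($StoredPublicKey, [string]$ExpectedChallengeB64, $Assertion)
    $client = [Encoding]::UTF8.GetString($Assertion.ClientDataJSON) | ConvertFrom-Json
    if ($client.type -ne 'webauthn.get')             { return 'reject: wrong ceremony type' }
    if ($client.challenge -ne $ExpectedChallengeB64) { return 'reject: challenge mismatch (stale or replayed)' }
    if ($client.origin -ne "https://$rpId")          { return 'reject: origin mismatch (lookalike site)' }
    $rpHash = [BitConverter]::ToString([byte[]]$Assertion.AuthenticatorData[0..31])
    if ($rpHash -ne [BitConverter]::ToString((Get-Sha256 ([Encoding]::UTF8.GetBytes($rpId))))) {
        return 'reject: rpIdHash mismatch'
    }
    $verifier = [ECDsa]::Create()
    $verifier.ImportParameters($StoredPublicKey)                  # public key only; no secret on the RP side
    $signed = [byte[]]($Assertion.AuthenticatorData + (Get-Sha256 $Assertion.ClientDataJSON))
    if ($verifier.VerifyData($signed, $Assertion.Signature, [HashAlgorithmName]::SHA256)) { 'accept' }
    else { 'reject: bad signature' }
}

# --- Three ceremonies: genuine, phishing origin, replayed response
$challenge = New-Challenge
$genuine   = Invoke-AuthenticatorAssertion -Origin "https://$rpId" -ChallengeB64 $challenge
Test-PasskeyAssertion -StoredPublicKey $storedPublicKey -ExpectedChallengeB64 $challenge -Assertion $genuine
# accept

$phished = Invoke-AuthenticatorAssertion -Origin 'https://login.microsoft.com.evil.example' -ChallengeB64 $challenge
Test-PasskeyAssertion -StoredPublicKey $storedPublicKey -ExpectedChallengeB64 $challenge -Assertion $phished
# reject: origin mismatch (lookalike site)

Test-PasskeyAssertion -StoredPublicKey $storedPublicKey -ExpectedChallengeB64 (New-Challenge) -Assertion $genuine
# reject: challenge mismatch (stale or replayed)
```

Note that the phished response carries a perfectly valid signature; it is rejected before the signature is even checked, because the origin the browser bound into clientDataJSON is not the relying party's. That binding, not the signature, is what makes passkeys phishing-resistant.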

How Passkeys Work Specifically in Entra ID

Enablement (Admin Task):

Admins must enable the method in the Microsoft Entra admin center under Protection > Authentication methods > Policies > Passkey (FIDO2). The same policy is where you scope the method to a pilot group, decide whether attestation is enforced, and restrict which authenticator models are accepted by AAGUID (an allow-list or block-list). If you intend to allow passkeys in Microsoft Authenticator, its AAGUIDs go on the allow-list; if you only want hardware keys, allow only your approved key models.
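The admin enablement step done through Microsoft Graph PowerShell, with the AAGUID allow-list seeded from the authenticators your pilot users have already registered rather than from values copied off a web page. This is an added example, not code from the original article; it assumes the Microsoft.Graph module, an Authentication Policy Administrator role, and the pilot account names below, which are placeholders.

```powershell
# Added example (not code from the original article): enable Passkey (FIDO2),
# build a key-restriction allow-list from pilot users' registered keys, and
# verify. Assumptions: Microsoft.Graph module, Authentication Policy Admin
# role, placeholder pilot accounts.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All'
$graph    = 'https://graph.microsoft.com/v1.0'
$fido2Uri = "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# Where the tenant stands today
$current = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
'state={0} selfService={1} attestation={2} restrictions={3}/{4}' -f $current.state,
    $current.isSelfServiceRegistrationEnabled, $current.isAttestationEnforced,
    $current.keyRestrictions.isEnforced, $current.keyRestrictions.enforcementType

# Collect the AAGUIDs (authenticator model identifiers) behind the pilot users'
# registered passkeys. Each fido2Method exposes its aaGuid and model.
$pilotUsers = @('alice@contoso.example', 'bob@contoso.example')   # placeholders
$allowed = foreach ($upn in $pilotUsers) {
    $keys = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$upn/authentication/fido2Methods").value
    foreach ($k in $keys) {
        '{0}  {1}  ({2})' -f $k.aaGuid, $k.model, $upn | Write-Host
        $k.aaGuid
    }
}
$allowed = @($allowed | Sort-Object -Unique)
if ($allowed.Count -eq 0) {
    throw 'No registered passkeys found; register the pilot devices first or leave keyRestrictions unenforced.'
}

$body = [ordered]@{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false   # only turn on if every allowed model supplies attestation Entra can validate
    keyRestrictions                  = @{ isEnforced = $true; enforcementType = 'allow'; aaGuids = $allowed }
    includeTargets                   = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}   # swap 'all_users' for a pilot group's object id to stage the rollout
Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri -ContentType 'application/json' `
    -Body ($body | ConvertTo-Json -Depth 5)

# Confirm the change took effect
$after = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
'state={0} enforced={1} allowed AAGUIDs:' -f $after.state, $after.keyRestrictions.isEnforced
$after.keyRestrictions.aaGuids
Disconnect-MgGraph | Out-Null
```

An enforced allow-list also blocks sign-in with keys that were registered before the restriction and are not on the list, so print the inventory above for all current users, not just the pilot group, before you enforce it.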

User Registration:

  • Visit https://aka.ms/mysecurityinfo

  • Choose "Add sign-in method" and select "Passkey" or "Security key" (the exact label has changed across releases; earlier builds showed "Passkey (preview)")

  • Choose where to save the Passkey:

    • Synced Passkey: stored by a platform passkey provider (iCloud Keychain, Google Password Manager and similar) and synced between that user's devices.

    • Device-Bound Passkey: stored on one device only, for example a physical hardware key like a YubiKey, or the Microsoft Authenticator app on the user's phone. Check the current Entra documentation for which providers your tenant can register, as support has been added in stages.

  • Authenticate to your device to generate the key pair and register with Entra ID.

User Authentication:

  • Visit a Microsoft sign-in page.

  • Enter username and choose "Sign in with a passkey" (or pick the passkey directly if the browser offers it).

  • Authenticate with your Passkey using biometrics or PIN.

  • Entra ID sends a challenge; your device signs it and sends it back.

  • Entra ID verifies the signature and grants access.

Benefits of Passkeys Over Traditional Passwordless Methods

| Feature | Passkeys (Synced/Discoverable) | Traditional FIDO2 Keys (Device-Bound) | Windows Hello for Business (WHfB) | Authenticator App (Passwordless Phone Sign-in) |
|---|---|---|---|---|
| Phishing Resistance | Highest | Highest | High | High |
| Usability/Convenience | Very High | Moderate | Very High | High |
| Cross-Device Sync | Yes | No | No | Yes |
| Cross-Platform | Yes | Yes | No | Yes |
| Need Separate Item? | No | Yes | No | No |
| Backup/Recovery | Managed by Platform | Difficult | Difficult | Good |
| Standardization | High | High | Moderate | Lower |
| Attack Surface | Relies on device/platform security | Isolated | TPM-backed | Phone/app security |

Key Advantages Summarized:

  • Ultimate Phishing Resistance: Passkeys are tied to the website's origin, blocking phishing attacks.

  • Superior User Experience: Device unlock methods are faster than typing passwords or using codes.

  • Cross-Device Availability: Passkeys sync across devices via platforms like iCloud or Google.

  • No Shared Secret: No password or hash is stored server-side, only the public key.

  • Reduced Friction: No more password resets, complexity rules, or rotation policies.

  • Strong Standardization: Based on open standards for broad compatibility.

In essence: Passkeys combine FIDO2-level security with a streamlined user experience, cross-device syncing, and deep platform integration, making them ideal for secure, passwordless authentication in Entra ID and beyond.

Microsoft 365 E5 versus Business Premium with E5 Security Add-on: A Comparative Analysis for Small Businesses

The digital landscape presents an ever-increasing array of sophisticated cyber threats targeting businesses of all sizes. For small to medium-sized enterprises (SMBs) in Australia, the need for robust cybersecurity measures has never been more critical. The consequences of a cyberattack can range from significant financial losses and operational disruptions to reputational damage and even business closure. Recent data indicates a substantial threat landscape in Australia, with ransomware, supply chain attacks, Business Email Compromise (BEC), and phishing being particularly prevalent. These threats are becoming more advanced, leveraging technologies like artificial intelligence, and exploiting the interconnectedness of businesses through supply chains.

In response to these growing challenges, Microsoft offers a suite of solutions designed to enhance productivity and security. Among these, Microsoft 365 E5 and Microsoft 365 Business Premium with the recently announced E5 security add-on stand out as options for SMBs seeking to bolster their defenses. This report aims to provide a detailed comparative analysis of these two offerings, focusing on their features, security capabilities, cost-effectiveness, and overall value proposition for a security-conscious small business. The goal is to assist business owners and IT managers in making an informed decision that aligns with their security needs and budget.

Understanding the Cybersecurity Needs of Small Businesses in Australia

Small businesses in Australia face a multitude of cyber threats that can significantly impact their operations and viability. Ransomware, a type of malicious software that encrypts a business’s files and demands a ransom for their release, is a consistently highlighted threat. The potential for operational paralysis and financial extortion makes this a primary concern for SMBs. Supply chain attacks, where attackers compromise a less secure vendor to gain access to larger organizations, also pose a significant risk, especially given the reliance of Australian businesses on global supply chains. Furthermore, Business Email Compromise (BEC), a sophisticated email scam targeting employees to fraudulently transfer money or sensitive information, is another major financially damaging threat. Phishing attacks, which attempt to deceive individuals into revealing sensitive information through fraudulent emails or messages, remain a common entry point for various cyber threats. The increasing sophistication of these attacks, including the use of AI to craft more convincing scams, underscores the need for advanced security solutions.

Implementing robust cybersecurity presents unique challenges for SMBs. Limited budgets often constrain their ability to invest in comprehensive security measures or dedicated IT teams. Many small business owners and employees lack the technical expertise required to effectively configure and manage complex security systems. Overworked teams with limited resources may struggle to prioritize and maintain a strong security posture. Additionally, the rapid evolution of cyber threats makes it difficult for SMBs to stay informed and adapt their defenses accordingly. Therefore, cost-effectiveness and ease of management are critical factors for SMBs when evaluating security solutions. Solutions that offer enterprise-grade security without requiring extensive in-house expertise or a substantial financial investment are highly desirable.

Beyond the immediate threats, small businesses in Australia must also navigate a landscape of evolving data privacy and cybersecurity regulations. The Privacy Act 1988 and the Australian Privacy Principles (APPs) govern the handling of personal information, imposing legal obligations on many SMBs, particularly those with an annual turnover exceeding $3 million or those operating in the health sector. The Notifiable Data Breaches (NDB) scheme mandates reporting data breaches that are likely to cause serious harm. Furthermore, the Cyber Security Act 2024 introduces new requirements, including mandatory reporting of ransomware payments and the establishment of security standards for smart devices. Compliance with these regulations is not only a legal imperative but also essential for building customer trust and avoiding potential penalties. Consequently, the chosen Microsoft 365 plan should ideally support a small business’s ability to meet these regulatory requirements.

Microsoft 365 E5 Overview

Microsoft 365 E5 is a comprehensive suite designed for enterprises, offering a wide array of productivity applications and advanced capabilities, including robust security features. For a small business considering this option, understanding the key components is crucial.

The core productivity applications included in Microsoft 365 E5 are fundamental for day-to-day operations and align with the needs of most businesses. These typically encompass familiar tools such as Word, Excel, PowerPoint, Outlook, OneNote, SharePoint, and OneDrive. Microsoft Teams, a unified communication and collaboration platform, is also generally included.

Unlike the Business Premium plan, Microsoft 365 E5, being an enterprise offering, typically does not impose a user limit. While a small business might currently have a limited number of employees, the absence of a cap provides significant scalability for future growth beyond the 300-user threshold of Business Premium. This ensures that as the business expands, the chosen platform can accommodate its growing workforce without requiring a potentially disruptive migration to a different plan.

The inherent security capabilities within Microsoft 365 E5 are extensive and designed to provide enterprise-grade protection. These advanced features include Microsoft Defender for Endpoint Plan 2, which offers comprehensive endpoint security with advanced threat detection, analysis, and response. Microsoft Defender for Office 365 Plan 2 provides enhanced email and collaboration security, protecting against sophisticated phishing attacks, malware, and other threats. Microsoft Defender for Identity focuses on securing user identities by detecting and responding to identity-based attacks. Microsoft Defender for Cloud Apps provides visibility and control over cloud application usage, helping to manage shadow IT and secure SaaS applications. Additionally, Microsoft 365 E5 includes Microsoft Entra ID Plan 2 (formerly Azure AD Premium P2), which offers advanced identity and access management features such as risk-based conditional access and identity governance. Beyond these, E5 also incorporates advanced compliance tools to assist organizations in meeting regulatory requirements. Features like BitLocker for data encryption, Credential Guard to protect domain credentials, and Device Guard to prevent malicious code execution further enhance the security posture.

Microsoft 365 Business Premium Overview

Microsoft 365 Business Premium is specifically tailored for small to medium-sized businesses, offering a balance of productivity tools and security features. Understanding its core components is essential for a comprehensive comparison.

Similar to E5, Microsoft 365 Business Premium includes the core suite of productivity applications that are vital for most business operations. These applications typically include Word, Excel, PowerPoint, Outlook, OneNote, SharePoint, OneDrive, and Microsoft Teams, providing a comprehensive set of tools for document creation, data management, presentations, communication, and collaboration.

A key difference from E5 lies in the user limit. Microsoft 365 Business Premium is designed for businesses with up to 300 users. This limitation is generally sufficient for most small businesses but could pose a constraint for organizations anticipating significant growth beyond this number. In such cases, a future migration to an enterprise plan like E5 might become necessary.

The base subscription of Microsoft 365 Business Premium includes a foundational set of security offerings designed to protect SMBs. These features include Microsoft Defender for Business, which provides endpoint protection against malware and other threats. Microsoft Entra ID Plan 1 is included for identity and access management. Microsoft Defender for Office 365 Plan 1 offers email and file protection against viruses, spam, and phishing attacks. Microsoft Purview Information Protection helps to classify and protect sensitive data. The plan also includes basic mobility and security features to manage and secure devices, along with device management capabilities through Microsoft Intune Plan 1. Additionally, Azure Information Protection is often part of the offering, providing further data security measures. While these features offer a solid security foundation, they are generally less advanced than the Plan 2 versions and broader capabilities found in Microsoft 365 E5.

The Microsoft 365 E5 Security Add-on for Business Premium

Recognizing the increasing need for advanced security among SMBs, Microsoft has introduced the E5 security add-on for Microsoft 365 Business Premium. This add-on significantly enhances the security posture of the Business Premium plan by incorporating several key components from the enterprise-grade E5 security suite.

The core of this add-on comprises Microsoft Entra ID Plan 2, Microsoft Defender for Identity, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Office 365 Plan 2, and Microsoft Defender for Cloud Apps. These are the same advanced security solutions that form a cornerstone of Microsoft 365 E5, effectively bringing “E5-level” security capabilities to the Business Premium plan.

A key enhancement is in identity and access controls, with the upgrade to Microsoft Entra ID Plan 2. This provides risk-based conditional access, leveraging machine learning to analyze user behavior and sign-in patterns to dynamically adjust access requirements based on the perceived risk. This proactive approach helps to block suspicious login attempts in real-time and automate security responses, offering a more sophisticated defense against identity-based threats, which are a significant vulnerability for many SMBs. Furthermore, Entra ID Plan 2 includes identity protection and identity governance features, enhancing the overall security and management of user identities and access rights.

The add-on also introduces Extended Detection and Response (XDR) capabilities through the integration of the advanced Defender products. This delivers a unified and efficient approach to incident-level visibility across the entire attack lifecycle, consolidating security information from endpoints, email, and cloud applications. This centralized view enables better threat hunting, more comprehensive forensic analysis, and faster incident response—capabilities that were traditionally reserved for larger enterprises with dedicated security teams.

The E5 security add-on significantly enhances threat protection across various attack vectors. Microsoft Defender for Endpoint Plan 2 builds upon the capabilities of Defender for Business by adding features like advanced threat hunting, live response, six months of data retention on the device, and endpoint security for IoT devices. Microsoft Defender for Office 365 Plan 2 strengthens email and collaboration security with automated investigation and response capabilities, attack simulation training to educate employees about phishing attempts, threat trackers, advanced hunting, and a comprehensive threat explorer. Lastly, Microsoft Defender for Cloud Apps provides crucial Software as a Service (SaaS) security by enabling IT teams to identify and manage shadow IT, ensure that only approved applications are used, and protect against sophisticated SaaS-based attacks.

Feature Comparison Tables

To provide a clearer comparison, the following tables outline the core features and security capabilities of Microsoft 365 E5 and Microsoft 365 Business Premium with the E5 security add-on.

Table 1: Core Feature Comparison

| Feature | Microsoft 365 E5 | Microsoft 365 Business Premium |
|---|---|---|
| Included Applications | Word, Excel, PowerPoint, Outlook, OneNote, SharePoint, OneDrive, Teams | Word, Excel, PowerPoint, Outlook, OneNote, SharePoint, OneDrive, Teams |
| User Limit | Unlimited | Up to 300 |
| Base Subscription Cost (AUD) | ~$81.90 per user/month (excl. GST) | AU$32.90 per user/month (excl. GST) |

Table 2: Security Feature Comparison

| Security Area | Microsoft 365 E5 | Microsoft 365 Business Premium (with E5 Security add-on) |
|---|---|---|
| Threat Protection | Microsoft Defender for Endpoint Plan 2; Microsoft Defender for Office 365 Plan 2; Microsoft Defender for Identity; Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint Plan 2; Microsoft Defender for Office 365 Plan 2; Microsoft Defender for Identity; Microsoft Defender for Cloud Apps |
| Information Protection | Microsoft Purview (Advanced DLP); Sensitivity Labels | Microsoft Purview (Basic DLP – *needs verification if add-on upgrades*); Sensitivity Labels |
| Compliance | Advanced eDiscovery, Insider Risk Management, Compliance Manager | Basic Auditing (*needs verification if add-on upgrades*) |
| Identity and Access Management | Microsoft Entra ID Plan 2, Risk-based Conditional Access, Identity Protection, Identity Governance, MFA | Microsoft Entra ID Plan 2, Risk-based Conditional Access, Identity Protection, Identity Governance, MFA |

*Note: Pricing and specific feature levels may vary. Further verification is recommended based on the latest Microsoft offerings in the Australian market.*

Pricing and Value Analysis

Analyzing the pricing for both Microsoft 365 E5 and Business Premium with the E5 security add-on in Australia is crucial for determining the best value for a small business. Based on the available information, Microsoft 365 E5 appears to be priced at approximately AU$81.90 per user per month, excluding GST. It’s important to note that the specific price can depend on the type of licensing agreement. Nonprofit organizations may have access to significantly lower pricing.

Microsoft 365 Business Premium has a listed price of AU$32.90 per user per month, excluding GST. Nonprofit pricing is available at a much lower rate.

The Microsoft 365 E5 Security add-on for Business Premium is listed at approximately AU$23.76 per user per month including GST for a monthly commitment, or AU$237.60 per user per year including GST. This pricing suggests that for a small business, the cost of adding E5-level security features to a Business Premium subscription is considerably less than opting for the full Microsoft 365 E5 plan.

Considering a hypothetical small business with 20 employees, the potential cost comparison becomes clearer. If E5 is priced at around AU$81.90 per user per month (excluding GST), the total monthly cost would be approximately AU$1638 (excluding GST). If Business Premium is AU$32.90 per user per month (excluding GST), the total monthly cost would be approximately AU$658 (excluding GST). Adding the E5 security add-on at AU$23.76 per user per month (including GST) would bring the total monthly cost for Business Premium with enhanced security to around AU$1133.20 (including GST). Note that this last figure mixes a GST-exclusive base price with a GST-inclusive add-on price, so the comparison is approximate.

This preliminary cost analysis suggests that for a small business primarily focused on enhancing security, the combination of Microsoft 365 Business Premium with the E5 security add-on offers a significantly more cost-effective solution compared to the full Microsoft 365 E5 suite. The add-on provides access to near-equivalent advanced security features at a considerably lower overall expense, making it a compelling value proposition for security-conscious SMBs operating within budget constraints.

Limitations and Requirements of the E5 Security Add-on

While the E5 security add-on offers significant security enhancements for Microsoft 365 Business Premium users, there are certain limitations and requirements that small businesses need to consider. One notable limitation is the lack of support for mixed licensing in the context of endpoint security. If a business has a mix of users with Business Premium (which includes Defender for Business) and users with the E5 security add-on (which includes Defender for Endpoint Plan 2), the entire tenant will default to the Defender for Business experience. To fully leverage the advanced features of Defender for Endpoint Plan 2 for any user, all users in the tenant must be licensed for it, either through the E5 security add-on or as part of a full E5 subscription. This means that a phased rollout or pilot program with a subset of users might not yield the intended benefits unless a tenant-wide upgrade is implemented.

Another point to consider is the absence of the E5 Compliance add-on for Business Premium. Businesses with stringent compliance requirements that necessitate the advanced compliance features found in the full E5 suite might find the Business Premium plan with the security add-on insufficient in this regard. Additionally, there is a mention that an E3 subscription might be a prerequisite for some features of the E5 security add-on. This requires further clarification from Microsoft to understand if it impacts the functionality available to Business Premium users with the add-on.

From a management perspective, while Microsoft 365 Business Premium is generally designed for ease of use, even for IT generalists, the advanced security features introduced by the E5 add-on might require a higher level of technical expertise for effective configuration and ongoing management. Small businesses with limited or no dedicated IT staff might need to factor in the cost of external IT support or invest in training to fully utilize these advanced security capabilities. However, the availability of a trial version of the add-on could allow businesses to assess the management overhead before committing to a full purchase.

Conclusion and Recommendation

In conclusion, both Microsoft 365 E5 and Microsoft 365 Business Premium with the E5 security add-on offer compelling solutions for enhancing the security posture of small businesses. Microsoft 365 E5 provides a comprehensive suite of enterprise-grade productivity and security features, along with unlimited user scalability. However, it comes at a significantly higher cost, which might be prohibitive for many SMBs.

On the other hand, Microsoft 365 Business Premium offers a robust set of productivity tools and a foundational level of security at a more affordable price point, albeit with a 300-user limit. The introduction of the E5 security add-on significantly elevates the security capabilities of Business Premium to a level that closely mirrors the advanced threat protection, identity management, and cloud security features found in Microsoft 365 E5.

For a security-conscious small business, where budget constraints and potentially a user base under 300 are likely factors, Microsoft 365 Business Premium with the E5 security add-on generally offers the best value. It provides access to critical enterprise-level security features at a considerably lower total cost of ownership compared to a full E5 subscription. While there are limitations to consider, such as the mixed licensing constraint and the potential need for specialized expertise to manage the advanced security features, the significant cost savings and the substantial security enhancements make this a highly attractive option.

As next steps, the business owner or IT manager should explore the trial version of the E5 security add-on to gain hands-on experience with its features and management interface. Contacting a Microsoft partner for a personalized consultation and accurate pricing based on their specific business size and needs is also recommended. Finally, conducting a thorough assessment of the organization’s current and anticipated security and productivity requirements will help in making the most informed decision.

Need to Know podcast–Episode 342

Join me for this episode with all the latest news and updates from Microsoft as well as my take on the importance of logging as a security basic that many overlook. Plenty of security news in this episode, especially around the latest exploits of MSHTA.EXE that you should be prepared for. Listen for all the information.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-342-logs/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

CIAOPS Brief

CIAOPSLabs

Support CIAOPS

Comparing Copilot Chat included with Microsoft 365 to a paid Copilot license

Adobe and Microsoft Empower Marketers with AI Agents in Microsoft 365 Copilot

Introducing Copilot in the Microsoft 365 admin centers

Jailbreaking is (mostly) simpler than you think

Level up your defense: protect against attacks using stale user accounts

Defender XDR – Monthly news – March 2025

AI innovation requires AI security: Hear what’s new at Microsoft Secure

Microsoft Technical Takeoff: Windows + Intune

Continuing with Microsoft Entra: Advanced Identity Management

Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware

Take Flight with Microsoft Security Copilot Flight School

Securing Your Nonprofit Environment (Part 1) – Enabling Security Defaults

Securing Your Nonprofit Environment (Part 2): Best Practices to Secure Your Admin Accounts

How to infect your PC in three easy steps

ASD Configuration policy templates for Intune

The Australian Signals Directorate (ASD) has produced a number of recommended configuration policies for Intune as part of their Secure Cloud initiative. You can find them here:

ASD Configuration policies

Edge hardening guidelines

All Macros disabled

Macros enabled for trusted publishers

Office Hardening guidelines

Windows hardening guidelines

User rights assignments

These policies are in TXT format but are effectively just JSON files.

I have therefore taken these TXT files, renamed them to JSON files and uploaded them into my best practices repository here:

CIAOPS Best Practice Repo – ASD recommended policies

It would have been good if the ASD had placed these in their own repo so they could easily be monitored for updates. Alas, maybe in the future.

So for now you can import these files directly from my repo into your Intune and I’ll try and do my best to keep them current with what the ASD does.