The m365-inactiveusers-get.ps1 script is a comprehensive PowerShell tool designed to analyze user activity within Microsoft 365 tenants. It identifies inactive users, tracks license assignments, monitors external/guest user access, and generates detailed reports to help administrators maintain security and optimize license usage.
Another article generated by Copilot Research agent using Claude.
——————————————————–
Executive Summary
Microsoft Entra ID P2 Access Reviews are sophisticated identity governance tools designed primarily for enterprise scenarios. While they offer robust capabilities for managing user access at scale, their practical value for Australian SMBs is limited and often doesn’t justify the additional AU$13.50 per user per month cost beyond Microsoft 365 Business Premium. [1][2]
Most SMBs can achieve adequate security and governance through simpler, more cost-effective methods unless they face specific regulatory compliance requirements or manage highly sensitive data. The complexity and cost of implementation typically outweigh the benefits for businesses with fewer than 100 users.
What Are Entra ID P2 Access Reviews?
Core Functionality
Access Reviews in Microsoft Entra ID enable organisations to efficiently manage group memberships, access to enterprise applications, and role assignments through regular certification processes. [1] The feature allows businesses to:
Schedule regular reviews of who has access to specific resources
Delegate review responsibilities to appropriate stakeholders (managers, resource owners, or users themselves)
Automate access removal based on review outcomes
Generate compliance reports for audit purposes
Implement time-limited access with automatic expiration
Key Components
Access Reviews operate through several integrated components:
Review Scope: Define which users and resources to review [3]
Reviewers: Designated individuals who approve or deny access
Review Frequency: Weekly, monthly, quarterly, or annual cycles
Automated Actions: Remove access for denied users automatically
Smart Recommendations: AI-driven suggestions based on user activity patterns
Step-by-Step Setup Guide for Small Businesses
Prerequisites
Before implementing Access Reviews, SMBs must ensure:
Licensing: Microsoft Entra ID P2 or Entra ID Governance licenses [4][5]
Administrative Access: Identity Governance Administrator role minimum
Application Integration: Resources must be integrated with Entra ID
Implementation Process
Detailed Setup Steps:
Sign in to Microsoft Entra admin centre as an Identity Governance Administrator [3]
Reviewers also need P2 licenses, not just administrators [5]
Entitlement Management: Overkill for Most SMBs?
What Is Entitlement Management?
Entitlement management enables organisations to manage identity and access lifecycle at scale through access packages – bundles of resources users need for specific roles or projects. [9]
The SMB Verdict on Entitlement Management
Entitlement management is almost certainly overkill for SMBs under 100 users. Here’s why: [9]
Designed for Scale: The feature addresses problems that emerge at enterprise scale – hundreds or thousands of users across multiple departments
Overhead vs Value:
Requires significant upfront design and configuration
Ongoing maintenance of access packages
Complex approval chains unnecessary in flat SMB structures
Manual onboarding/offboarding manageable at small scale
Real-World SMB Scenarios:
10-20 employees: Owner knows everyone; manual management works fine
20-50 employees: Simple group-based access with quarterly manual reviews
50-100 employees: Consider basic automation but full entitlement management rarely justified
Pricing Analysis for Australian SMBs
Cost Breakdown
Microsoft 365 Business Premium (approximately AU$39.60/user/month) includes: [10]
Entra ID P1 (formerly Azure AD Premium P1)
Conditional Access
Multi-factor authentication
Self-service password reset
Basic identity protection
To get Access Reviews, you need Entra ID P2 at AU$13.50/user/month additional, which includes: [2]
Everything in P1
Access Reviews
Privileged Identity Management (PIM)
Identity Protection with risk-based policies
Entitlement management
Total Cost Comparison (Annual, excluding GST)
Users   Business Premium Only   Business Premium + P2   Additional Cost
10      AU$4,752                AU$6,372                AU$1,620
20      AU$9,504                AU$12,744               AU$3,240
50      AU$23,760               AU$31,860               AU$8,100
100     AU$47,520               AU$63,720               AU$16,200
Note: Prices shown do not include GST. Add 10% for GST-inclusive pricing.
Practical Recommendations for SMBs
When Access Reviews Make Sense
Alternative Approaches for Most SMBs
Instead of Access Reviews, consider these more practical approaches: [8]
Quarterly Manual Reviews:
Export user lists from Microsoft 365 admin centre
Review with department heads
Document decisions in SharePoint/Excel
Cost: Staff time only
Leverage Business Premium Features:
Use Conditional Access for location/device-based controls
Implement MFA for all users
Configure automatic account disabling for inactive users
Monitor sign-in logs regularly
Simple Governance Process:
Standardise onboarding/offboarding checklists
Use Microsoft Forms for access requests
Power Automate for basic approval workflows
Regular security awareness training
Focus on Fundamentals:
Strong password policies
Least privilege principle
Regular security updates
Data loss prevention policies
Email security (already included in Business Premium)
The Bottom Line for Australian SMBs
Key Takeaways
Access Reviews and entitlement management are powerful enterprise features that rarely justify their cost and complexity for SMBs under 100 users. The additional AU$13.50 per user per month represents a 34% increase over Microsoft 365 Business Premium pricing, which already includes substantial security features.
Final Verdict
For the vast majority of Australian SMBs, Entra ID P2 Access Reviews represent an expensive solution to problems they don’t actually have. The features are well-designed and powerful, but they address enterprise-scale challenges around distributed governance, compliance automation, and managing thousands of access relationships.
Small businesses are better served by:
Maximising the value from Microsoft 365 Business Premium’s included features
Focusing security investments on user training and basic controls
Considering P2 only when specific compliance requirements demand it
The money saved by avoiding unnecessary P2 licensing could be better invested in security awareness training, backup solutions, or managed security services that provide more tangible benefits for small business risk profiles.
In this video, I walk you through how to enable Anthropic’s powerful AI models—like Claude—inside Microsoft Copilot. I’ll show you exactly where to find the settings, how to activate new AI providers, and what features you unlock in Researcher and Copilot Studio. Plus, I share an important compliance warning you need to know before turning this on, so you can make informed decisions for your organization. If you want to supercharge your Copilot experience and stay ahead with the latest AI integrations, this guide is for you!
Something I have been waiting on for a while with Entra ID Global Secure Access (GSA) has been the availability of the Internet traffic profile on iOS.
When I checked the latest version of Defender on my iDevices, I found that this has now been enabled, providing better protection and advanced filtering like I have on other devices.
When I also updated my Windows devices I found that there is a nice new admin console available as well.
Microsoft Entra ID Global Secure Access helps small businesses protect their data and simplify IT by combining secure sign-in, app access, and network protection in one solution. It uses a modern “Zero Trust” approach, which means every user and device is verified before getting access, reducing the risk of cyberattacks. Instead of juggling multiple tools or complex VPNs, you get a single, easy-to-manage system that works for office, remote, and mobile workers. It improves employee experience with one login for all apps, supports flexible work without slowing things down, and scales as your business grows—all while saving costs by replacing multiple security products with one integrated service.
This guide will provide a comprehensive, production-safe approach using both the Microsoft 365 Defender portal and Exchange Online PowerShell. We will start with a baseline of security and then layer on advanced protections. The core strategy involves keeping the default EOP anti-malware policy as a foundational safety net while creating a higher-priority, custom policy for sensitive users, such as executives and finance teams. This ensures critical assets have the most aggressive, up-to-date protection without disrupting the entire organisation. We’ll also cover essential features like the Common Attachment Filter, Safe Attachments, Safe Links, and the Zero-hour Auto Purge (ZAP) engine to defend against a wide array of evolving threats, from zero-day malware to sophisticated phishing attacks.
1. Prerequisites & Licensing Checks
Before you begin, it’s crucial to understand your licensing model.
Exchange Online Protection (EOP): This is the baseline email security included with all Microsoft 365 subscriptions (e.g., Business Basic, Standard, E3). It provides fundamental anti-malware and anti-spam protection.
Microsoft Defender for Office 365 (MDO): This is an add-on or an included feature in higher-tier plans (e.g., Microsoft 365 Business Premium, E5). MDO Plan 1 adds Safe Attachments and Safe Links, while MDO Plan 2 adds advanced hunting, investigation, and automation features (e.g., Threat Explorer, Automated Investigation and Response). This guide assumes you may have an MDO licence and will detail the optional add-ons.
2. Policy Inventory & Strategic Approach
Best Practice: Do not modify the Default anti-malware policy. This ensures a consistent baseline of protection across all users who aren’t covered by a custom policy. Instead, create new, more restrictive policies for targeted, high-risk groups. Policies are processed by priority (0 being the highest), so a new custom policy with priority 0 will apply to its users, and the default policy will catch everyone else.
GUI Method: Inventory Existing Policies
Navigate to the Microsoft Defender portal at https://security.microsoft.com.
Go to Email & collaboration → Policies & rules → Threat policies.
Under the Policies section, click on Anti-malware. You will see the default policy and any custom ones you have created.
PowerShell Method: Inventory Existing Policies
First, connect to Exchange Online.
PowerShell
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName <your-admin-email> -ShowProgress:$true
Then, view the current policies.
PowerShell
# Get all malware filter policies and their associated rules
Get-MalwareFilterPolicy
Get-MalwareFilterRule
3. Recommended Anti-malware Settings
This section details the recommended settings for your new custom anti-malware policy.
GUI Method: Creating a New Policy
In the Microsoft Defender portal, go to the Anti-malware page from the previous step.
Click Create a policy.
Give the policy a descriptive Name (e.g., High-Risk Users - Anti-malware Policy) and a Description. Click Next.
On the Users and domains page, choose the users, groups, or domains you want to protect. For our example, select Groups and search for ExecutiveTeam. Click Next.
On the Protection settings page, configure the following:
Protection settings
Enable zero-hour auto purge for malware: This is a service-side feature that, when enabled, automatically removes previously delivered malicious messages from user mailboxes. It’s a key part of EOP and is highly recommended.
Quarantine policy: Use the default AdminOnlyAccessPolicy. The rationale is simple: end-users should not be able to release malware. This prevents them from accidentally or maliciously releasing a dangerous file.
Common attachments filter
Check Enable common attachments filter. This is a powerful, extension-based block list that is a fantastic first line of defence. The list of file types has been expanded by Microsoft, but you should periodically review it.
Click Customize file types and ensure a robust list of high-risk file types is selected. The list should include: exe, dll, js, jse, vbs, vbe, ps1, com, cmd, bat, jar, scr, reg, lnk, msi, msix, iso, img, 7z, zipx. You can also add other file types that are not needed in your environment, such as wsf, wsh, url.
Notifications
Admin notifications: Check Notify an admin about undelivered messages from internal senders and Notify an admin about undelivered messages from external senders. Use your security mailbox for this (e.g., security@contoso.com).
Sender notifications: Do not enable Notify internal sender or Notify external sender. Notifying external senders can validate their address for future spam, and an internal sender’s mailbox might be compromised, which could alert the attacker.
PowerShell Method: Creating and Configuring the Policy
This script is idempotent (you can run it multiple times without errors) and will create or update the policies as needed.
PowerShell
# --- PowerShell Script to Configure Exchange Online Anti-malware Policies ---
# Define variables for your tenant
$adminUpn = "<your-admin-email>"              # account used to connect; must hold an Exchange admin role
$highRiskGroupName = "ExecutiveTeam"
$adminNotificationMailbox = "security@contoso.com"
$policyName = "High-Risk Users - Anti-malware Policy"
$ruleName = "High-Risk Users - Anti-malware Rule"
# Define the common attachment filter file types
$fileTypes = @(
    'ade','adp','ani','app','bas','bat','chm','cmd','com','cpl',
    'crt','csh','dll','exe','fxp','hlp','hta','inf','ins','isp',
    'jar','js','jse','ksh','lnk','mda','mdb','mde','mdt','mdw',
    'mdz','msc','msi','msix','msp','mst','pcd','pif','prg','ps1',
    'reg','scr','sct','shb','shs','url','vb','vbe','vbs','wsc',
    'wsf','wsh','xnk','iso','img','7z','zipx','docm','xlsm'
)
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName $adminUpn -ShowProgress:$true
# Settings shared by the create and update paths (splatted so both branches stay identical)
$policySettings = @{
    Action                                 = 'DeleteMessage'            # detected messages are quarantined
    EnableFileFilter                       = $true                      # common attachments filter
    FileTypes                              = $fileTypes
    ZapEnabled                             = $true                      # mirrors the "Enable zero-hour auto purge for malware" toggle
    QuarantineTag                          = 'AdminOnlyAccessPolicy'   # end users cannot release malware
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = $adminNotificationMailbox # required when admin notifications are enabled
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = $adminNotificationMailbox
    EnableInternalSenderNotifications      = $false                     # never alert a possibly compromised sender
    EnableExternalSenderNotifications      = $false                     # never validate an external sender's address
    AdminDisplayName                       = 'Custom policy for high-risk users.'
}
# Check if the policy exists
$policy = Get-MalwareFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue
if ($null -ne $policy) {
    Write-Host "Policy '$policyName' already exists. Updating settings..." -ForegroundColor Yellow
    Set-MalwareFilterPolicy -Identity $policyName @policySettings
} else {
    Write-Host "Policy '$policyName' not found. Creating a new one..." -ForegroundColor Green
    New-MalwareFilterPolicy -Name $policyName @policySettings
}
# Check if the rule exists
$rule = Get-MalwareFilterRule -Identity $ruleName -ErrorAction SilentlyContinue
if ($null -ne $rule) {
    Write-Host "Rule '$ruleName' already exists. Updating settings..." -ForegroundColor Yellow
    Set-MalwareFilterRule -Identity $ruleName `
        -MalwareFilterPolicy $policyName `
        -Comments "Applies to high-risk group." `
        -SentToMemberOf $highRiskGroupName `
        -Priority 0
} else {
    Write-Host "Rule '$ruleName' not found. Creating a new one..." -ForegroundColor Green
    New-MalwareFilterRule -Name $ruleName `
        -MalwareFilterPolicy $policyName `
        -Comments "Applies to high-risk group." `
        -SentToMemberOf $highRiskGroupName `
        -Priority 0
}
Write-Host "Configuration complete. Run 'Get-MalwareFilterPolicy' and 'Get-MalwareFilterRule' to verify." -ForegroundColor Green
4. Defender for Office 365 Add-ons (If Licensed)
These advanced policies provide an additional layer of protection.
Safe Attachments: This sandboxing technology “detonates” email attachments in a virtual environment to detect zero-day malware.
Block: The most secure option. Messages with attachments are held while being scanned. If a threat is found, the message is blocked and quarantined. This can introduce a short delay (minutes) for emails with attachments.
Dynamic Delivery: A balance between security and user experience. The email body is delivered immediately with a placeholder for the attachment. The attachment is delivered once the scan is complete. Use this for users who can tolerate a minor delay on the attachment itself but need the email content right away. For a high-risk user group, Block is often the recommended setting.
Safe Links: This feature scans URLs at the time of the click, not just upon arrival. If a URL is later determined to be malicious, it will be blocked even if it was safe when the email was first received.
Zero-hour Auto Purge (ZAP): ZAP for malware is included in EOP and is enabled by default. MDO adds ZAP for high-confidence phishing and spam. This is a powerful, service-side feature that removes messages that have already been delivered to a user’s inbox if new threat intelligence indicates they are malicious. There is no per-policy PowerShell switch for this; its behaviour is managed by the service and the policy’s action on detection.
5. Quarantine Policies
Quarantine policies control what users can do with messages held in quarantine.
The default quarantine policy for malware (AdminOnlyAccessPolicy) prevents end-users from releasing messages. This is the recommended setting. You can create a new policy and enable notifications or release requests for other threat types (e.g., spam), but for malware, keep it locked down.
You can set up quarantine notifications (digests) for users, which provide a summary of messages in their quarantine.
6. Testing & Validation
Once your policies are configured, you must validate them.
The EICAR Test
Use a safe, legal test file to validate your policies. The EICAR (European Institute for Computer Antivirus Research) test file is a non-malicious file that all major anti-malware programs will detect.
To test the Common Attachment Filter, create a plain text file, rename it to eicar.zip, and place the EICAR string X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* inside it.
To test Safe Attachments, send a test email with the EICAR file attached (as a .zip or other container) to a user in your test group.
Verifying with Message Trace
In the Microsoft Defender portal, go to Email & collaboration → Exchange message trace.
Search for the test message.
Click on the message to view details. The Event field should show a Fail status with the reason Malware.
Header Analysis: You can also check the message headers. Look for the X-Forefront-Antispam-Report header and the SCL (Spam Confidence Level) and PCL (Phishing Confidence Level) values. A message blocked by an anti-malware policy will have a CAT (Category) entry indicating malware.
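The header check described above, as an added example that is not part of the original guide: it unfolds a saved message header block, parses the key:value pairs in X-Forefront-Antispam-Report and reports whether the category is the malware verdict (CAT:MALW). The sample header is constructed for illustration, not captured from a real message.

```powershell
# Added example (not from the original guide): read the EOP/MDO verdict fields from raw message headers.
function Get-HeaderValue {
    param([string[]]$Lines, [string]$Name)
    # First line that starts with "<Name>:"; returns the value without the header name
    $match = $Lines | Where-Object { $_ -like "${Name}:*" } | Select-Object -First 1
    if ($match) { $match.Substring($match.IndexOf(":") + 1).Trim() } else { $null }
}

function Get-AntispamReportVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (a long header wraps onto indented lines), then split into lines
    $lines  = ($RawHeaders -replace "`r?`n[ \t]+", "") -split "`r?`n"
    $report = Get-HeaderValue -Lines $lines -Name "X-Forefront-Antispam-Report"
    if (-not $report) { return $null }

    # The report body is a semicolon-separated list of KEY:VALUE pairs, e.g. SCL:5;CAT:MALW;DIR:INB
    $fields = @{}
    foreach ($pair in ($report -split ";")) {
        if ($pair.Trim() -match '^([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }

    # CAT:MALW is the category assigned when the message was detected as malware;
    # PCL is carried in its own header rather than inside the antispam report
    [pscustomobject]@{
        Category         = $fields['CAT']
        SCL              = $fields['SCL']
        PCL              = Get-HeaderValue -Lines $lines -Name "X-MS-Exchange-Organization-PCL"
        IsMalwareVerdict = ($fields['CAT'] -eq 'MALW')
    }
}

# Constructed sample headers (illustrative values only, not a real message)
$SampleHeaders = @"
Received: from mail.example.com (10.0.0.1) by
 example.mail.protection.outlook.com with HTTPS; Mon, 1 Jan 2024 10:00:00 +0000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:AU;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.com;PTR:mail.example.com;CAT:MALW;SFS:(13230031);DIR:INB;
Subject: EICAR test
"@

Get-AntispamReportVerdict -RawHeaders $SampleHeaders | Format-List
```

Paste the headers of the test message (Outlook: File → Properties → Internet headers) into $RawHeaders to check a real result.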
7. Ongoing Monitoring & Tuning
Threat Explorer (MDO P2) / Reports (EOP): Regularly review the Threat Explorer (or Reports for EOP) in the Microsoft Defender portal to see what threats are being blocked. This helps you identify trends, attack vectors, and potential false positives.
Configuration Analyzer: Located under Email & collaboration → Policies & rules → Threat policies → Configuration analyzer, this tool compares your custom policies to Microsoft’s recommended Standard and Strict preset security policies. Use it to find and fix settings that are less secure than the recommended baselines.
ORCA Module: The Office 365 Recommended Configuration Analyzer (ORCA) is a community-developed PowerShell module that provides a comprehensive report of your M365 security posture. While not an official Microsoft tool, it’s an excellent resource for a deeper dive.
False Positive/Negative Submissions: If a legitimate message is blocked (false positive) or a malicious message gets through (false negative), you must submit it to Microsoft for analysis to improve their detection engines. The submission workflow is found under Actions & submissions → Submissions in the Microsoft Defender portal.
8. Change Control & Rollback
Documentation: Always document any changes made to a policy, including the date, reason, and the specific settings changed.
Phased Rollout: When creating a new policy, first apply it to a small test group before rolling it out to production users.
Rollback: If you encounter issues, you can disable the custom policy in the GUI by toggling its status to Off or with PowerShell using Disable-MalwareFilterRule -Identity "Rule Name". You can also decrease its priority to ensure it no longer applies.
9. Final Checklist
Use this checklist to ensure all best practices have been implemented.
[ ] Prerequisites: Confirm M365 Business Premium or Defender for Office 365 licensing for advanced features.
[ ] Policy Strategy: Leave the default anti-malware policy untouched as a safety net.
[ ] New Policy: Create a new custom anti-malware policy for high-risk users/groups (e.g., ExecutiveTeam).
[ ] Action: Set the action for malware detection to Quarantine the message.
[ ] Common Attachment Filter: Enable and verify a comprehensive list of high-risk file extensions.
[ ] Admin Notifications: Configure admin notifications for malware detections.
[ ] Sender Notifications: Disable notifications for both internal and external senders.
[ ] Safe Attachments (if licensed): Configure a new policy and set the action to Block for high-risk users.
[ ] Safe Links (if licensed): Configure a new policy to scan URLs in emails at the time of click.
[ ] Quarantine Policies: Confirm the quarantine policy for malware is set to AdminOnlyAccessPolicy to prevent user releases.
[ ] Testing: Send a test email with a containerised EICAR file to a user in the new policy’s scope.
[ ] Validation: Use Message Trace to confirm the message was blocked, and review the headers for malware detection results.
[ ] Monitoring: Schedule a regular review of threat reports and submissions.
[ ] Tuning: Address false positives/negatives by submitting them to Microsoft.
[ ] Change Control: Document all changes and have a rollback plan in place.
[ ] Configuration Analyser: Run the Configuration Analyser and compare your policies to Microsoft’s recommended settings.
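The policy and rule items of this checklist, as an added audit function that is not part of the original guide: it reads the custom policy and its rule over an existing Exchange Online PowerShell session (Connect-ExchangeOnline already run) and reports each check as pass or fail. The policy, rule, group and mailbox names are the ones used earlier in this guide and can be overridden by parameter.

```powershell
# Added example (not from the original guide): audit an anti-malware policy and rule against the checklist.
function Test-AntiMalwarePolicyBaseline {
    param(
        [string]$PolicyName   = "High-Risk Users - Anti-malware Policy",
        [string]$RuleName     = "High-Risk Users - Anti-malware Rule",
        [string]$AdminMailbox = "security@contoso.com",
        # Minimum set of high-risk extensions from the guide; the policy may contain more
        [string[]]$RequiredFileTypes = @('exe','dll','js','jse','vbs','vbe','ps1','com','cmd','bat',
                                         'jar','scr','reg','lnk','msi','msix','iso','img','7z','zipx')
    )
    $policy = Get-MalwareFilterPolicy -Identity $PolicyName -ErrorAction Stop
    $rule   = Get-MalwareFilterRule   -Identity $RuleName   -ErrorAction Stop

    # Extensions the checklist requires but the policy does not block (comparison is case-insensitive)
    $missingTypes = @($RequiredFileTypes | Where-Object { $_ -notin $policy.FileTypes })

    # One entry per checklist item; add further checks here as the baseline evolves
    $checks = @(
        @{ Item = "Common attachment filter enabled";           Pass = [bool]$policy.EnableFileFilter }
        @{ Item = "Required file types present";                Pass = ($missingTypes.Count -eq 0) }
        @{ Item = "Zero-hour auto purge enabled";               Pass = [bool]$policy.ZapEnabled }
        @{ Item = "Quarantine policy is AdminOnlyAccessPolicy"; Pass = ($policy.QuarantineTag -eq 'AdminOnlyAccessPolicy') }
        @{ Item = "Admin notified for internal senders";        Pass = ($policy.EnableInternalSenderAdminNotifications -and $policy.InternalSenderAdminAddress -eq $AdminMailbox) }
        @{ Item = "Admin notified for external senders";        Pass = ($policy.EnableExternalSenderAdminNotifications -and $policy.ExternalSenderAdminAddress -eq $AdminMailbox) }
        @{ Item = "Sender notifications disabled";              Pass = (-not $policy.EnableInternalSenderNotifications -and -not $policy.EnableExternalSenderNotifications) }
        @{ Item = "Rule enabled";                               Pass = ($rule.State -eq 'Enabled') }
        @{ Item = "Rule has priority 0";                        Pass = ($rule.Priority -eq 0) }
        @{ Item = "Rule scoped to a group";                     Pass = (@($rule.SentToMemberOf).Count -gt 0) }
    )

    if ($missingTypes.Count -gt 0) { Write-Warning "File types missing from '$PolicyName': $($missingTypes -join ', ')" }
    foreach ($c in $checks) {
        [pscustomobject]@{ Check = $c.Item; Pass = [bool]$c.Pass }
    }
}

Test-AntiMalwarePolicyBaseline | Format-Table -AutoSize
```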
For more information, refer to these authoritative resources:
Small and medium businesses (SMBs) with remote employees have shifted from a single “office network” model to a Zero Trust model. Microsoft 365 Business Premium (BPP) already includes extensive security layers – identity protection, device management, email scanning, and endpoint defense [learn.microsoft.com]. With those controls fully configured, the traditional on-premises network perimeter (and thus an expensive firewall appliance) becomes far less critical. In practice, a standard router/NAT firewall combined with Windows/macOS built‑in firewalls and M365’s cloud protections can cost‑effectively secure a remote SMB. We explain how M365 BPP’s features cover typical firewall functions, and when a dedicated firewall (beyond a basic one) may not be needed.
Built-In Security in Microsoft 365 Business Premium
Microsoft 365 Business Premium bundles multiple security layers: endpoint protection, identity/access controls, device management, and more. Key built‑in features include:
Endpoint Security – Microsoft Defender for Business (included) provides next‑gen antivirus, threat detection/response and a host firewall on each device [learn.microsoft.com]. Devices (Windows, macOS, iOS, Android) get managed protection against ransomware, malware and network attacks.
Email and App Protection – Defender for Office 365 Plan 1 (included) scans email attachments and links for malware and phishing. Safe Links/Safe Attachments help stop threats before they reach users [learn.microsoft.com].
Identity and Access (Zero Trust) – Azure AD Premium P1 (included) enables Conditional Access policies and mandatory multi-factor authentication [microsoft.com; learn.microsoft.com]. Only compliant, enrolled devices can access company resources, and admins/devices are always re‑authenticated.
Device Management – Microsoft Intune can enforce security policies on all devices: requiring device encryption (BitLocker), patching, endpoint firewalls, and even configuring VPN or Wi‑Fi profiles [learn.microsoft.com]. In short, Intune ensures every device meets the company’s security baseline before it connects.
Secure Remote Access – Azure AD Application Proxy (via Azure AD P1) publishes any on‑premises app through Azure AD, so remote users can reach internal resources without opening inbound firewall ports [sherweb.com]. This often replaces a VPN or on‑site reverse proxy, making remote access simpler and safer.
These built-in layers cover most attack vectors. For example, M365 BPP’s Defender for Business includes a managed host-based firewall and web filtering, so each laptop is protected on any network [learn.microsoft.com]. And Conditional Access can block sign-ins from unsecured locations or unregistered devices, effectively extending the network perimeter to only trusted endpoints.
Zero Trust and Remote Work
In a modern SMB, employees “can work anywhere,” so the old model of trusting the office LAN no longer applies. As Microsoft describes, traditional protections rely on firewalls and VPNs at fixed locations, whereas Zero Trust assumes no network is inherently safe [learn.microsoft.com]. Every sign-in is verified (via Azure AD) and every device is checked (via Intune) no matter where the user is.
In this diagram, a corporate firewall on the left no longer suffices when employees roam (right side) [learn.microsoft.com]. With Business Premium, identity and device policies take over: multifactor authentication and Conditional Access ensure only known users on compliant devices connect [learn.microsoft.com; microsoft.com]. In effect, the organization’s “perimeter” is the cloud. Remote workers authenticate directly to Azure/Office 365 and receive Microsoft’s protection (e.g. encrypted tunnels, safe browser checks), rather than passing first through an on‑site firewall.
Host-Based Firewalls and Device Security
Even without a hardware firewall, devices must protect themselves on untrusted networks. All common operating systems include a built‑in firewall. Enabling these host firewalls is free and highly effective – many MSP guides advise turning on Windows Defender Firewall (and macOS’s) on every device before even buying a hardware appliance [guardianangelit.com]. Microsoft Defender for Business not only installs antivirus but can manage each device’s firewall settings: for instance, Intune can push a profile that blocks all inbound traffic except essential services [learn.microsoft.com].
By treating each endpoint as its own secured “network edge,” an SMB covers the user’s connection in coffee shops or home Wi‑Fi. For example, if a user’s laptop is on public Wi‑Fi, the Windows firewall (enforced by Defender policies) stops inbound attacks, while Defender’s web protection filters malicious sites. This layered endpoint approach (antivirus + EDR + host firewall + encrypted disk) significantly shrinks the need for a central firewall inspecting all traffic.
Network Perimeter and When to Use Firewalls
If an SMB still maintains an office or data closet, some firewall or router will normally be used for basic perimeter functions (NAT, DHCP, segmentation of guest networks, etc.). However, the level of firewall needed is typically minimal. A basic managed router or inexpensive UTM is often enough to separate IoT/guest Wi-Fi from internal staff, and to enforce outbound rules. Beyond that, heavy enterprise firewalls yield little benefit in a predominantly cloud-centric setup.
For remote-heavy SMBs, many experts suggest zero-trust access (e.g. VPN, ZTNA) instead of relying on office hardware. ControlD’s SMB security checklist, for instance, recommends ensuring VPN or Zero-Trust Network Access for remote employees, rather than expecting them to route through the office firewall [controld.com]. In other words, with cloud apps and M365-managed devices, the on‑site firewall sees only its local subnet – almost all work and threats are already handled by Microsoft’s cloud services and endpoint defenses.
Configuring M365 Business Premium as Your “Firewall”
A Business Premium tenant can be tuned to cover typical firewall functions:
Enroll and Update All Devices: Use Intune (part of BPP) to enroll every company device (Windows, Mac, mobile) and onboard them to Defender for Business [learn.microsoft.com]. Ensure full disk encryption (BitLocker/FileVault), automatic OS updates, and Defender real‑time protection are all enabled.
Enforce Host Firewalls: Create an Intune endpoint security policy that turns on Windows Defender Firewall for all profiles (Domain/Private/Public) and disables unnecessary inbound rules [guardianangelit.com; learn.microsoft.com]. Similarly, enable the macOS firewall via Intune configuration. This ensures devices block unwanted network traffic by default.
Enable Multi-Factor Authentication & Conditional Access: Turn on Azure AD security defaults or define Conditional Access policies so that every login requires MFA and checks device compliance [learn.microsoft.com; microsoft.com]. You can restrict access by device state or location, preventing unknown devices from even reaching company apps.
Protect Email and Apps: Activate Defender for Office 365 (Plan 1) to scan all incoming email and Teams messages. Safe Links/Attachments in Office documents serve as an additional layer that no firewall can provide [learn.microsoft.com].
Use Application Proxy for Internal Apps: If you have any on-premises servers, install the Azure AD Application Proxy connector. This publishes apps (e.g. intranet, CRM) through Azure without punching holes in your firewall [sherweb.com]. Remote users then access the app via Azure AD login, with no need to maintain a VPN or open router ports.
Monitor and Respond: Use Microsoft 365 Defender’s security portal (included) to monitor alerts. Its threat analytics will flag unusual traffic or sign-ins. Automated investigation and remediation in Defender for Business can contain a threat on a device before it spreads.
Network-Level Protections (Optional): For extra DNS- or web-filtering, an SMB might add services like Microsoft Defender SmartScreen (built into Edge/Windows) or a cloud DNS filter. These complement – but don’t replace – the firewall; they block malicious domains at the device level.
In this configuration, each device and identity becomes a control point. The M365 stack effectively sits in front of your data, rather than hardware at the network perimeter.
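The MFA and device-compliance step above, as an added example that is not part of the original article: it uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy requiring both MFA and a compliant device for all users and all cloud apps, starting in report-only mode so the sign-in logs show who would be blocked before enforcement. It assumes the Microsoft.Graph module is installed and an account allowed to manage Conditional Access; the break-glass account IDs are a placeholder you must fill in.

```powershell
# Added example (not from the original article): report-only "MFA + compliant device" policy via Microsoft Graph.
Import-Module Microsoft.Graph.Identity.SignIns

function New-ZeroTrustAccessPolicyBody {
    param(
        [string]$DisplayName = "ZT - Require MFA and compliant device (report-only)",
        [string[]]$ExcludeUserIds = @()   # object IDs of break-glass accounts that must never be locked out
    )
    # Hashtable in the shape Graph expects for a conditionalAccessPolicy resource
    @{
        displayName = $DisplayName
        # Report-only: evaluated and logged, but never blocks; change to "enabled" once the logs look right
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $ExcludeUserIds }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "AND"                          # both controls must be satisfied
            builtInControls = @("mfa", "compliantDevice")    # device compliance comes from Intune
        }
    }
}

# Placeholder: put your break-glass account object IDs here before running
$breakGlassIds = @()

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$body   = New-ZeroTrustAccessPolicyBody -ExcludeUserIds $breakGlassIds
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created '$($policy.DisplayName)' (id $($policy.Id)) in state $($policy.State)"
```

Review the report-only results in the Entra sign-in logs for a week or two, then set the policy state to enabled.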
Cost vs. Benefit of Dedicated Firewalls
Without regulatory mandates, a high-end firewall appliance is often not cost-justified for an SMB fully on M365. The hardware itself and ongoing subscriptions (threat feeds, VPN licenses, maintenance) add significant cost. Given that M365 Business Premium already provides next-generation protection on endpoints and enforces secure access, the marginal security gain from a $2k+ firewall is small for remote-centric SMBs.
That said, a simple firewall/router is still recommended for the office LAN. It can provide:
Basic NAT/segmentation: Separating staff devices from guest or IoT VLANs.
VPN termination (if needed): A site‑to‑site VPN or point‑to‑site gateway for branch offices or legacy systems (though Azure VPN with Azure AD is an alternative).
On‑prem device connectivity: If on-premises servers exist, the firewall can regulate incoming traffic.
For example, installing Azure AD Application Proxy (no cost beyond BPP license) often removes the need to expose an on‑site port for remote accesssherweb.com. Similarly, if home users connect via secure VPN with M365 credentials, the corporate firewall is bypassed by design.
In contrast, host-based security and cloud controls cover most threats: phishing and remote intrusion are handled by Defender and MFA, malware is stopped at the device, and data exfiltration is controlled by identity and DLP settings. As one MSP guide notes, for small businesses the built-in OS firewalls should be used before investing in hardware firewalls (guardianangelit.com). In practice, the total protective overlap from Intune+Defender+Conditional Access can eliminate many risks that a hardware firewall is meant to address.
Conclusion
For a typical SMB with Microsoft 365 Business Premium fully enabled, the need for an expensive dedicated firewall is greatly reduced. M365 BPP delivers comprehensive security – endpoint protection, email filters, and zero-trust access – that, when properly configured, covers most attack vectors (learn.microsoft.com). A basic network firewall (even the one built into a router) is useful for simple segmentation, but beyond that most protections are handled by Microsoft’s cloud services and host firewalls. In short, by leveraging Business Premium’s features (Defender, Intune, Azure AD P1, etc.), an SMB can safely rely on default and cloud-managed defenses rather than purchasing a high-end firewall appliance (guardianangelit.com, sherweb.com).
Here are 10 tailored prompts you can use with your ASD Secure Cloud Blueprint agent to address common Microsoft 365 Business Premium security concerns for SMBs, with a focus on automated implementation using PowerShell:
🔐 Identity & Access Management
“What are the ASD Blueprint recommendations for securing user identities in M365 Business Premium, and how can I enforce MFA using PowerShell?”
“How does the ASD Blueprint suggest managing admin roles in M365 Business Premium, and what PowerShell scripts can I use to audit and restrict global admin access?”
📁 Data Protection & Information Governance
“What ASD Blueprint controls apply to protecting sensitive data in M365 Business Premium, and how can I automate DLP policy deployment with PowerShell?”
“How can I implement ASD Blueprint-compliant retention policies in Exchange and SharePoint using PowerShell for M365 Business Premium tenants?”
🛡️ Threat Protection
“What are the ASD Blueprint recommendations for Defender for Office 365 in Business Premium, and how can I configure anti-phishing and safe links policies via PowerShell?”
“How can I automate the deployment of Microsoft Defender Antivirus settings across endpoints in line with ASD Blueprint guidance using PowerShell?”
🔍 Auditing & Monitoring
“What audit logging standards does the ASD Blueprint recommend for M365 Business Premium, and how can I enable and export unified audit logs using PowerShell?”
“How can I use PowerShell to monitor mailbox access and detect suspicious activity in accordance with ASD Blueprint security controls?”
🔧 Configuration & Hardening
“What baseline security configurations for Exchange Online and SharePoint Online are recommended by the ASD Blueprint, and how can I apply them using PowerShell?”
“How can I automate the disabling of legacy authentication protocols in M365 Business Premium to meet ASD Blueprint standards using PowerShell?”
Here are 10 ready-to-use prompts you can ask your ASD-aligned security agent to tackle the most common SMB security issues in Microsoft 365 Business Premium tenants. Each prompt is engineered to:
Align with the ASD Secure Cloud Blueprint / Essential Eight and ACSC guidance
Use only features available in M365 Business Premium
Produce clear, step-by-step outcomes you can apply immediately
Avoid E5-only capabilities (e.g., Entra ID P2, Defender for Cloud Apps, Insider Risk, Auto-labelling P2, PIM)
Tip for your agent: For each prompt, request outputs in this structure: (a) Current state → (b) Gaps vs ASD control → (c) Recommended configuration (Business Premium–only) → (d) Click-path + PowerShell → (e) Validation tests & KPIs → (f) Exceptions & rollback.
Prompt: “Assess our tenant’s MFA and sign-in posture against ASD/ACSC guidance using only Microsoft 365 Business Premium features. Return: (1) Conditional Access policies to enforce MFA for all users, admins, and high-risk scenarios (without Entra ID P2); (2) exact assignments, conditions, grant/ session controls; (3) block legacy authentication; (4) break-glass account pattern; (5) click-paths in Entra admin portal and Exchange admin centre; (6) PowerShell for disabling per-user MFA legacy and enabling CA-based MFA; (7) how to validate via Sign-in logs and audit; (8) exceptions for service accounts and safe rollback.”
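The "block legacy authentication" and "validate via Sign-in logs" items in the prompt above (and the legacy-authentication prompt in the first list) are the kind of output such an agent should return. The following is an added example written for this article, not code from the article or from Microsoft: it creates the Conditional Access policy in report-only mode with the Microsoft Graph PowerShell SDK, then summarises recent sign-ins that would have been blocked. The break-glass object ID is a placeholder, and treating every `clientAppUsed` value other than the two modern ones as legacy is an assumption.

```powershell
# Added example (not from the original article): report-only Conditional Access policy
# that blocks legacy authentication, plus a sign-in log check to see who would be hit
# before the policy is switched from report-only to enabled.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that Business Premium's
# Entra ID P1 licence makes sign-in logs available through Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder: replace before running

$policy = @{
    displayName = "ASD - Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after validation
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client types
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Validation: sign-ins from the last 7 days whose client is not a modern-auth client.
# Assumption: only these two clientAppUsed values are modern; IMAP4, POP3, Authenticated
# SMTP, Exchange ActiveSync, "Other clients", etc. are legacy and would be blocked.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].UserPrincipalName
            Client   = $_.Group[0].ClientAppUsed
            SignIns  = $_.Count
            LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } |
    Sort-Object SignIns -Descending |
    Format-Table -AutoSize
```

An empty table after a week in report-only mode is the signal that the policy can be set to `enabled`; any rows are service accounts or devices that need migrating to modern authentication or an explicit, monitored exclusion.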
Prompt: “Create Intune compliance and configuration baselines for Windows/macOS/iOS/Android aligned to ASD/ACSC using Business Premium. Include: (1) Windows BitLocker and macOS FileVault enforcement; (2) OS version minimums, secure boot, tamper protection, firewall, Defender AV; (3) jailbreak/root detection; (4) role-based scope (admins stricter); (5) conditional access ‘require compliant device’ for admins; (6) click-paths and JSON/OMA-URI where needed; (7) validation using device compliance reports and Security baselines; (8) exceptions for servers/VDI and rollback.”
4) BYOD Data Protection (App Protection / MAM-WE)
Prompt: “Design BYOD app protection for iOS/Android using Intune App Protection Policies (without enrollment), aligned to ASD data protection guidance. Deliver: (1) policy sets for Outlook/Teams/OneDrive/Office mobile; (2) cut/copy/save restrictions, PIN/biometrics, encryption-at-rest, wipe on sign-out; (3) Conditional Access ‘require approved client app’ and ‘require app protection policy’; (4) blocking downloads to unmanaged locations; (5) step-by-step in Intune & Entra; (6) user experience notes; (7) validation and KPIs (unenrolled device access, selective wipe success).”
5) Endpoint Security with Defender for Business (EDR/NGAV/ASR)
Prompt: “Harden endpoints using Microsoft Defender for Business (included in Business Premium) to meet ASD controls. Return: (1) Onboarding method (Intune) and coverage; (2) Next-Gen AV, cloud-delivered protection, network protection; (3) Attack Surface Reduction rules profile (Business Premium-supported), Controlled Folder Access; (4) EDR enablement and Automated Investigation & Response scope; (5) threat & vulnerability management (TVM) priorities; (6) validation via MDE portal; (7) KPIs (exposure score, ASR rule hits, mean time to remediate).”
6) Patch & Update Strategy (ASD: Patch Apps/OS)
Prompt: “Produce a Windows Update for Business and Microsoft 365 Apps update strategy aligned to ASD Essential Eight for SMB. Include: (1) Intune update rings and deadlines; (2) quality vs feature update cadence, deferrals, safeguards; (3) Microsoft 365 Apps channel selection (e.g., Monthly Enterprise); (4) TVM-aligned prioritisation for CVEs; (5) rollout waves and piloting; (6) click-paths, policies, and sample assignments; (7) validation dashboards and KPIs (patch latency, update compliance, CVE closure time).”
7) External Sharing, DLP & Sensitivity Labels (ASD: Data Protection)
Prompt: “Lock down external sharing and implement Data Loss Prevention using Business Premium (no auto-labelling P2), aligned to ASD guidance. Deliver: (1) SharePoint/OneDrive external sharing defaults, link types, expiration; (2) guest access policies for Teams; (3) Purview DLP for Exchange/SharePoint/OneDrive—PII templates, alerting thresholds; (4) user-driven sensitivity labels (manual) for email/files with recommended taxonomy; (5) transport rules for sensitive emails to external recipients; (6) step-by-step portals; (7) validation & KPIs (external sharing volume, DLP matches, label adoption).”
8) Least Privilege Admin & Tenant Hygiene (ASD: Restrict Admin)
Prompt: “Review and remediate admin privileges and app consent using Business Premium-only controls. Provide: (1) role-by-role least privilege mapping (Global Admin, Exchange Admin, Helpdesk, etc.); (2) emergency access (‘break-glass’) accounts with exclusions and monitoring; (3) enforcement of user consent settings and admin consent workflow; (4) risky legacy protocols and SMTP AUTH usage review; (5) audit logging and alert policies; (6) step-by-step remediation; (7) validation and KPIs (admin count, app consents, unused privileged roles).”
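For the admin-count KPI and "unused privileged roles" items in this prompt (and the global-admin audit prompt in the first list), here is an added example written for this article, not the article's or Microsoft's code. It lists Global Administrator members with the Microsoft Graph PowerShell SDK and flags those with no sign-in in the last 30 days; the 30-day threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original article): enumerate Global Administrator members,
# flag accounts with no sign-in for 30+ days, and print the admin-count KPI.
# Assumes the Microsoft.Graph PowerShell SDK; signInActivity needs AuditLog.Read.All and
# the Entra ID P1 licence included with Business Premium.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant." }

$staleBefore = (Get-Date).AddDays(-30)   # assumption: 30 days without sign-in = stale

$report = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $member = $_
    $type   = $member.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Service principals or groups holding the role: report them, but they have no sign-in activity.
        return [pscustomobject]@{ Principal = $member.Id; Type = $type; Enabled = $null; LastSignIn = $null; Stale = $false }
    }
    $u    = Get-MgUser -UserId $member.Id -Property "userPrincipalName,accountEnabled,signInActivity"
    $last = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        Principal  = $u.UserPrincipalName
        Type       = 'user'
        Enabled    = $u.AccountEnabled
        LastSignIn = $last
        Stale      = (-not $last) -or ($last -lt $staleBefore)   # never signed in also counts as stale
    }
}

$report | Sort-Object Stale -Descending | Format-Table -AutoSize
$staleCount = ($report | Where-Object Stale).Count
"Global Administrators: $($report.Count) (stale: $staleCount)"
```

A deliberately unused break-glass account will show up as stale by design; exclude it from the stale count by its known object ID rather than lowering the threshold for everyone.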
9) Secure Score → ASD Gap Analysis & Roadmap
Prompt: “Map Microsoft Secure Score controls to ASD Essential Eight and generate a 90‑day remediation plan for Business Premium. Return: (1) Top risk-reducing actions feasible with Business Premium; (2) control-to-ASD mapping; (3) effort vs impact matrix; (4) owner, dependency, and rollout sequence; (5) expected Secure Score lift; (6) weekly KPIs and reporting pack (including recommended dashboards). Avoid recommending E5-only features—offer Business Premium alternatives.”
10) Detection & Response Playbooks (SMB-ready)
Prompt: “Create incident response playbooks using Defender for Business and Defender for Office 365 for common SMB threats (phishing, BEC, ransomware). Include: (1) alert sources and severities; (2) triage steps, evidence to collect, where to click; (3) auto-investigation actions available in Business Premium; (4) rapid containment (isolate device, revoke sessions, reset tokens, mailbox rules sweep); (5) user comms templates and legal/escalation paths; (6) post-incident hardening steps; (7) validation drills and success criteria.”
Optional meta‑prompt you can prepend to any of the above
“You are my ASD Secure Cloud Blueprint agent. Only recommend configurations available in Microsoft 365 Business Premium. If a control typically needs E5/P2, propose a Business Premium‑compatible alternative and flag the limitation. Return exact portal click-paths, policy names, JSON samples/PowerShell, validation steps, and KPIs suitable for SMBs.”