Be aware of Microsoft 365 “hidden” non-compliance

You may think that if you’re purchasing cloud-based Microsoft applications, you can lean back and relax as you cannot become non-compliant on these products. It is quite the contrary!

TIP #56 - September 2020: Is your organisation compliant on Microsoft products? Or is there perhaps hidden non-compliance? Find out!

Microsoft cloud licenses need as much attention as any other Microsoft license entitlement. Why? Take a look at the following Microsoft 365 example.

Hidden non-compliance
Most organisations consist of different kinds of employees, each requiring a different toolset to perform their daily work. As such, organisations can decide to purchase a mix of cloud-based Microsoft products such as Microsoft 365 F3, Microsoft 365 E3 and/or Microsoft 365 E5 plans.

However, a number of (security and compliance) services included within the Microsoft 365 plans can only be enabled at the tenant level. This means that when the service is turned on, it is activated for all users within the tenant, not only for those who hold a license that includes it. This is where it gets interesting, and where a potential non-compliance risk arises.

Take for example Azure Advanced Threat Protection (ATP), a service included in the Microsoft 365 E5 license. By default, the Azure ATP features are enabled at the tenant level for all users within the tenant, although probably only a subset of users is licensed to use this specific service. While a license is required for any user that you intend to benefit from the service, it currently isn’t possible to limit these kinds of capabilities to specific users.

Nonetheless, Microsoft notes that “efforts should be taken to limit the service benefits to licensed users as this will help avoid potential services disruption to your organization once targeting capabilities are available”. You need to be aware that Microsoft may audit you for this usage.

What can be done
For some services Microsoft provides guidance on how to limit access to licensed users, through policies or the configuration of user groups¹. It is likely that different departments of your organisation will be involved in the deployment and management of services like the one mentioned above. As such, it is important to identify all stakeholders involved, so that all information required to manage these products can be gathered, and to ensure that the restrictions put in place are monitored continuously. In the end, the goal should be to set up a plan, mitigate the risks and stay in control of these situations.