Microsoft on May 1 gave advance notice that it’s planning to turn on certain Microsoft Threat Protection capabilities next month for eligible customers that “visit” or use the Microsoft 365 Security Center portal.
The specific Microsoft Threat Protection features that will get activated for these users, starting on June 1, 2020, include:
- A correlation of alerts from Microsoft 365 security products into “Incidents” within the Security Center portal
- “Centralized incident response capabilities that self-heal assets,” accessible in Security Center
- “Proactive threat hunting capabilities and behavior-based custom detection rules” that can be accessed in Security Center
Microsoft Threat Protection is Microsoft’s top-of-the-line security offering. It consists of four main security products: Microsoft Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, Azure Advanced Threat Protection and Microsoft Cloud App Security, per a Microsoft document description.
However, Microsoft’s original announcement had suggested that it would turn on those Microsoft Threat Protection capabilities on June 1 even for organizations subscribed to only a subset of the Microsoft Threat Protection suite, such as those with just an Office 365 Advanced Threat Protection subscription.
The May 1 announcement was updated, adding greater clarity on how the activation of those Microsoft Threat Protection capabilities might occur given varying customer licensing scenarios. Essentially, the added functionality won’t be there on June 1 if organizations don’t already have the licensing in place to use it.
When asked if organizations subscribed to a subset of Microsoft Threat Protection services might have to worry about incurring software licensing violations because they could activate an Advanced Threat Protection feature that they’re not licensed to use, a Microsoft spokesperson suggested that would not be the case.
“None of the listed Microsoft 365 security products are automatically deployed or licensed,” the spokesperson said via e-mail. “When turned on, Microsoft Threat Protection consolidates data from products that are already in use and licensed.”
In essence, organizations must have E5 licensing in place to get the Microsoft Threat Protection capabilities on June 1.
“Access to Microsoft Threat Protection is governed at the tenant level in the same way access to the specific E5 product experiences is managed today (e.g. Office 365 ATP) — a tenant needs to have valid E5 licenses attached to it to access Microsoft Threat Protection features in Microsoft 365 security center,” the spokesperson explained.
The initial impression of Microsoft licensing expert Wes Miller, an analyst with Kirkland, Wash.-based independent consultancy Directions on Microsoft, was positive but wary.
“It sounds like a positive move in the sense of offering customers one vantage point for security incidents across their organization,” Miller wrote in an e-mail. “But my immediate concern then is how well it handles license compliance for customers who are only partially licensed for the services it is enlightening.”
That question seems mostly addressed in the updated May 1 announcement, where it’s clarified that organizations will need E5 licensing to get the Microsoft Threat Protection capabilities. They presumably don’t get those capabilities if part of their tenancy uses E3 licensing.
Directions on Microsoft has previously advised caution when mixing Microsoft 365 subscription plans, such as E3 and E5, because of possible software licensing compliance issues.