Microsoft Security and Compliance Solutions

If you’ve ever had to handle Microsoft renewals or purchases for your company, I’m sure you are aware that Microsoft has been continually refining their offerings.  Over the years, different productivity, connectivity, and security capabilities have been added to Office 365 and Microsoft 365 bundles.  As part of this, new editions or tiers of these solutions have been added, such as E5.

Even before Microsoft has an official offering for certain security capabilities, they are expanding through acquisitions such as ReFirm Labs (IoT security) and RiskIQ (cybersecurity).  These will inevitably become part of the Microsoft ecosystem, whether it be through security add-ons or enhancements to capabilities in existing bundles, or perhaps even new bundled offerings downstream.

By putting a focus on security, Microsoft is able to have conversations regarding their future vision, which will likely include a roadmap with commitment and adoption of their latest security solutions.  Expect Microsoft to circumnavigate communication channels in your organization and approach IT leaders directly (such as the CISO in this case) to probe into future vision, get buy-in that Microsoft is the right and only solution to meet their needs, and uncover sales opportunities.

Microsoft Bundled Solutions

Currently Microsoft 365 E5 is the most robust productivity user bundle that they are looking to get customers to adopt.  As of this writing, only a small percentage of organizations have made the move to go all-in with E5, with many organizations still using E3 or even lower editions.  In fact, the last time Microsoft reported this information publicly during their FY21 Q4 earnings call in July 2021, Microsoft’s CFO Amy Hood noted that only 8% of the Office 365 commercial installed base was on E5.

Microsoft would likely admit, if forced to do so, that they have not been able to motivate their enterprise customers to adopt and roll-out E5 capabilities at the pace they had planned for.  Beyond the programmatic price increases in March, the enhanced security capabilities are one of the main drivers that Microsoft uses to motivate E5 adoption.

E5 for Enhanced Security?

Did you know that you don’t have to jump to E5 to obtain enhanced security features?  Microsoft likely hasn’t led with these options but there are add-on SKUs covering certain capabilities that can be added a la-carte (e.g., Defender for Endpoint, O365 Data Loss Prevention, and Exchange Archiving).  Did you know that there are also add-on bundles that cover many security and compliance capabilities?  We are starting to see add-on bundles such as E5 Security and E5 Compliance that include subsets of E5 capabilities that organizations may need.

Microsoft is also focused on adoption of bundles for firstline or “deskless” workers.  While many of these types of users require less capabilities given their day-to-day roles and responsibilities (Microsoft 365 F1 or F3 editions may be more appropriate than E3 or E5), in today’s ever-expanding digital world these workers need advanced security and compliance capabilities as well.  For these user profiles, there are F5 Security, F5 Compliance and F5 Security & Compliance add-on bundles that may cover an organization’s needs.  As we have covered in the past, these firstline and “deskless” workers are a very important user set for Microsoft given Google’s ever-increasing focus to get these same users using their Google Workspace solution (formerly G Suite).

Having a clear understanding of what your organization actually needs, what is available in terms of product SKUs and the different ways to license the functionality you need, is invaluable.  You likely do not need all the bells and whistles that come with Office 365 E5 or M365 E5.

Key Takeaways for Your Negotiation

Is Microsoft pushing your organization to adopt E5 or the all-in Microsoft 365 E5 cloud bundle?  Are they approaching your IT and security teams to evaluate more robust capabilities and features?  Are they telling you that you can actually save by terminating incumbent solutions (e.g., Okta, Symantec, Cisco, McAfee, Proofpoint, CrowdStrike, Netskope, Mimecast, VMWare, etc.) by using Microsoft security capabilities?

Microsoft is adept at dividing and conquering within organizations to gain commitments and adoption of the solutions they want to sell.  They often approach the organization with a calculated and well thought out plan of attack that comes from all angles and at different levels within your organization.  It is critically important that companies are proactively working to develop a roadmap at the granular feature level and that it is a unified approach between all groups:  IT, Procurement, Vendor Management, Line of Business, Legal, etc.  Having a complete understanding of your organization’s needs and wants will allow for more focused and productive conversations with Microsoft.

Having an understanding of Microsoft’s capabilities that will not be of value for your organization is important too.  This will allow you to have more poignant conversations where you can steer Microsoft, versus the inverse, which is what they are used to.  Showing Microsoft what will not be of value forces them to make a decision.  Do they want to still present the proposed option that includes what they have been told is not going to be of value?  Unfortunately, Microsoft sometimes makes the wrong decision when it comes to this, and it often does not land well.

Conversations around granular needs can be a significant first step in keeping your go-forward conversations with Microsoft focused on requirements versus what Microsoft is looking to sell.  Make sure that you are prepared and you give yourself enough time to prepare appropriately.  Remember, Microsoft has likely been developing their plan before the ink was dry on your last renewal.

Leave a comment below, follow me on Twitter @ITsourcingGURU, find my other UpperEdge blogs and follow UpperEdge on Twitter and LinkedIn.