Microsoft is one of the biggest beneficiaries of the 2020 shift to remote work as thousands of businesses adopted its Microsoft 365 (M365) platform to keep employees productive and engaged. However, in the world of cloud and SaaS, many CIOs and IT directors for companies with 5,000+ employees find themselves facing what I call the “single tenant problem.” While having a single M365 tenant creates a uniform “known” environment for an organization and promotes easy management, collaboration, and information sharing – all critical benefits for the remote workplace. However, running off of a large single tenant also adds significant complexity and a lack of visibility into the network, particularly for enterprises with people working in multiple geographies and departments with disparate needs.
As with most things in IT, complexity increases with size. With just a few hundred users, a single M365 administrator can handle the workload. However, as the tenant gets larger and employees more distributed, the administration likely requires multiple IT staffers, a help desk, and proactive configuration over email and cloud storage. Add Teams to the mix, and now there are additional parts to the M365 tenant that require IT and security teams’ attention. Enterprises typically struggle with large M365 in three critical areas: efficiency, security, and ROI. Ultimately, visibility – or rather, a lack of visibility – is at the heart of each. Here are some specific areas that CIOs and their teams can focus on to ensure their M365 environment is secure, automated, and delivering significant value to the business.
The great M365 time sink: managing permissions
Because M365 is composed of multiple services, permissions are stored in numerous places. As a result, administrators *MUST* know where each permission is for Teams, OneDrive, Exchange, Active Directory, and any other services the business is using. M365’s limited number (and broad scope) of admin roles also means that it’s difficult to lock down admin permissions to specific tasks.
For large tenants, many businesses opt to write PowerShell scripts to automate the permissions process. However, scripting becomes much more difficult as the environment scales up and requires in-house experience to keep up. If an admin needs to assign permissions for a single user and service, it’s easy to do individually. Still, multiple users and services will require some form of automation to avoid being too demanding.
Managing permissions also apply to onboarding and offboarding employees from the corporate M365 tenant. It would be easy if users only used a single application or service, but that is a rare occurrence. The difficultly comes in with how users are created and initially provisioned across services. Offboarding is particularly challenging because it requires additional tasks like converting the outgoing users’ mailbox to a shared mailbox. PowerShell scripts would ordinarily be a good solution for admins but, due to the elevated permissions required to run them, only a select group of senior-level IT staff can run them.
So much attack surface, so little time
The larger the tenant, the larger the attack surface. As a result, there are several security items to consider with Microsoft 365. Fortunately, the Center for Internet Security (CIS) has published security benchmarks for Microsoft 365 (Office) to help CISOs and admins.
One of the easiest ways to reduce risk is to limit the number of Global Administrators in M365. As organizations grow, they often end up with multiple global administrators, even though Microsoft recommends no more than four for any size tenant. In addition, because M365 comprises many different services, it can be much more challenging to understand who has access to critical data and apps. Insider threats aren’t the only worry here; cybercriminals that can steal credentials from one of these IT workers would instantly gain the “keys to the kingdom.”
Shadow IT is also a significant risk for large M365 tenants. Each new application presents a vulnerability, especially if it’s not tied to the approved corporate systems and security policies. Sharing information outside the company can be controlled in M365, not so much in applications used by a department or individuals. IT and security teams must have insights into every application connected to the corporate M365 tenant, or else they create a backdoor that cybercriminals could potentially exploit.
The ‘Goldilocks’ licensing challenge
License management is a common area that can diminish the ROI on a corporation’s M365 tenant. There are two issues at play:
- assigning employees the correct license for their job functions’ needs, and
- minimizing the number of inactive licenses.
The first issue is straightforward. Many organizations purchase the E5 licenses for employees, the “Cadillac” of M365 licenses, and call it a day. However, that license provides more apps and services for many employees than they need to complete their day-to-day tasks. IT admins would be better-served provisioning E3 or even E1 to manage their license costs. Looking at license usage over time is very difficult to do using native MS tools, especially as the size of the tenant increases.
Managing an enterprises’ M365 license pool requires significant visibility. Unfortunately, many businesses get into the bad habit of simply purchasing new licenses as new employees are onboarded. The problem is that M365 admins can assign new employees these unused or inactive licenses at no additional cost to the organization. If offboarding processes don’t include removing licenses, a business can build a horde of “zombie licenses” that rack up costs but don’t add value.
By the sheer size of its customer pool, Microsoft designs its applications, reporting, and services for smaller businesses, creating challenges for enterprises. However, companies can overcome this challenge by gaining visibility into their tenant. CIOs and M365 admins that understand their license pool, which of their employees have access to critical data, and what apps are operating within their tenant are in a great position to maximize the value of their investment.