Hello everyone,

I am working in an "old school" - environment. Most things runs on prem (Fileserver, ActiveDirectory, bunch of programs and services) except for exchange mail server. We do use currently microsoft 365 with the business standard plan.

Since we are hybrid environment because of exchange and SAML with some apps with the free entra plan, I am thinking about the benefits of switching to M365 Business Premium.
I do like the idea of having more control over MFA and user identity which is included in M365 business premium.

But I do not understand what I can do with "intune" part of M365 business premium. We currently have a patch management and software distribution running on-prem (Endpoint Central). It does come with an integration to intune. As far as I understand intune can provide apps and software updates? Why can't it replace our current patch management then?

And what is ConfigMgr? Is that running on-prem or does it run in cloud?

Someone here can please help me understand the capabilities of intune / config mgr (sccm?)?

This installment dives into external identity management—because secure collaboration starts with getting access right.

Whether you're dealing with partners, vendors, or other internal tenants, managing their identities shouldn’t be guesswork.

🛠 What’s inside:
• Clear explanation of Guest vs Member users
• How to configure Cross-Tenant Access with trust settings
• Using Entra User Flows for seamless onboarding
• When to use Cross-Tenant Sync
• And how to handle Microsoft Partner access with GDAP

📚 If you're securing a Business Premium environment, this is an essential guide.

🔗 Read it now:
https://www.chanceofsecurity.com/post/securing-microsoft-business-premium-part-05-external-identity-management

Finally, the compliance add-ons are live and the combo add-on is launched.

Microsoft just introduced new security and compliance add-ons designed to bring enterprise-grade protection to small and mid-sized businesses, without the enterprise price tag.

𝐃𝐞𝐟𝐞𝐧𝐝𝐞𝐫 𝐒𝐮𝐢𝐭𝐞 ~ $10

𝐏𝐮𝐫𝐯𝐢𝐞𝐰 𝐒𝐮𝐢𝐭𝐞~ $10

𝐃𝐞𝐟𝐞𝐧𝐝𝐞𝐫 + 𝐏𝐮𝐫𝐯𝐢𝐞𝐰 𝐒𝐮𝐢𝐭𝐞 ~ $15

Available as add-ons to Business Premium starting September 2025.
This is a huge step forward in helping SMBs defend smarter, stay compliant, and scale securely.

Link - https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-new-security-and-compliance-add-ons-for-microsoft-365-business-premi/4449297

Hi Folks,

I’m currently on Microsoft 365 Business Standard and considering an upgrade to Business Premium. From what I understand, the main jump isn’t so much about productivity apps (Word, Excel, Teams, etc. are the same), but around security and device management.

Here are the key differences I’ve found so far:

• Mobile Device Management (MDM) Business Premium includes Intune, which lets you enforce security policies on company devices (Windows, macOS, iOS, Android). This means I could require PINs, control app access, and wipe lost/stolen devices remotely.

• Advanced Security Premium has Azure AD Premium P1 features like conditional access, which adds another layer of login protection (e.g., block sign-ins from outside certain regions). It also includes Defender for Business, which brings enterprise-grade endpoint protection and threat detection to small/medium businesses.

• Data Protection With Premium, I’d get Information Protection & DLP (Data Loss Prevention). That means I could label and protect sensitive docs (financials, customer data) and prevent accidental sharing outside the org.

• User Control Centralized control over identity and access management, including MFA (multi-factor authentication) enforcement.

For those of you who made the switch — was it worth the extra cost? Did MDM and security features in Business Premium actually make a difference in day-to-day operations for your SMB?

https://docs.microsoft.com/en-us/microsoft-365/business/support/microsoft-365-business-faqs

We have been trialling and testing Microsoft 365 Business and I have had a support request open for a couple of days to find out why certain settings were not applying when set through the full Intune console.

According to the support representative the only supported settings for Intune are the simplified ones available through portal.office.com - if you are delving into the full Intune console then certain things just will randomly not work and they will not support.

Why put this on their site then? " Features not available in the simplified management console in Microsoft 365 Business, like 3rd party app management and configuration of things like WiFi profiles, VPN certificates, etc., can be managed in full Intune console. "

EDIT: https://i.imgur.com/3SlNc6K.png as an example, ones marked red don't work, ones marked green do.

Do you know any course to learn implement, hardening, manage m365 business premium? Especially intune and defender.

I have a potential client with around 50 users (50% are employees, 50% volunteers) some work on company devices (employees) the rest work on personal devices (volunteers). The plan is to do a standard mail / file migration into M365 and then look at setting up policies for users working on personal devices to help protect the data.

Each user will have M365 Business Standard although we will likely opt for Business Premium for the employees using company devices so we can enrol laptops, apply user policies to laptops, monitor compliance, etc.

My query is around the volunteers on M365 Business Standard license, is this sufficent for the users working on personal devices? Does it allow suitable remote working policies to protect data or is it better going down the Business Premium route for all users?

All my previous setups I have used Bus Premium with Intune for managing the devices and works great, in there Ive set policies for managed & unmanaged device but I understand I will not have Intune for Bus Standard accounts and wondered whats the alternatives?

We have Microsoft 365 Business Premium. We are unclear on whether we need to purchase additional licensing to use proactive remediation or if it is available with what we already have.

I work at a company with around 50 employees. Only around 30 of them are office employees, the other ones only access Microsoft products with provided Android phones.

I am the only IT guy in the company. Our boss wanted to secure and micro-manage all the phones/computers as well as distribute private apps to such devices.

We currently have a mix of MS365 Basic and Standard licenses. The thing is that to use InTune we need MS365 Premium for every user in the organization, including the ones with mobile devices.

This seems way too expensive (Over 11K without VAT). I have seen there are some other licenses (F1, E3...) but none of them seem to fit my needs.

Is Intune really worth it for that price? Is there any other Intune licensing model that is more affordable?

I know that a breakdown and tutorial exist on how to configure every aspect of every feature of Intune and Defender, but is there a breakdown from the opposite approach - by license type? Even though the M365 comparison chart contrasts licenses and features, the features are referenced by English descriptions rather than by product feature names.

I would like to know and see a list of all the intune and Defender features that could(/should) be implemented if you have your users licensed for M365 Business Premium. The only way I am aware to do this now is to research each feature and then check the licensing requirements to see what license is needed. I just want to make sure I am not missing anything. Even the feature of the M365 Business Premium license has a checkbox to enable and disable features at the license level, these too are usually not proper feature names. Anyone ever try and figure out what "Windows 10/11 Business" is from that license feature description?

Trying to get clarification from my supplier for this but it's taking too long. Correct me if I'm wrong in any of the below.

Basically I want to remotely manage a couple Windows 11 and Windows 10 laptops using Intune. From what I'm being told I can apply "group policies" to these machines without using an on-prem server. I understand that gpedit.msc isn't directly available but something similar via https://intune.microsoft.com/ is. I believe this is called Mobile Device Management.

This tenant is currently using Entra ID Free and about 10 users are already set up using either Microsoft 365 Business Basic or Exchange Online Plan 2.

If I assign Microsoft 365 Business Premium to the users using these laptops, according to (https://m365maps.com/matrix.htm), I should have access to Intune device management licenses for the laptops and parts of Defender for Endpoint plans 1 & 2?

My next and most important question is do I need any additional licenses for Intune to work?

I'd also like to be able to manage Windows Defender remotely.

I've found this but I'm unsure of what the top line means exactly (https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses#licensing-for-configuration-manager-managed-devices-in-intune).

I have been going around in circles with Microsoft support on this issue for nearly 3 weeks. The TLDR is: What features does the "Windows 10/11 Business" service control?

Backstory:

145/150 users working fully remote, Business Premium licensing. According to my InfoSec officer, I need to disable Copilot on all systems. After some research, it was decided to use the TurnOffWindowsCopilot Custom OMI-URI (https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot). Oops... 150 devices report errors.

Through error searching and troubleshooting we learned that there's now simple template in the Settings Catalog that does this. "Maybe the custom OMI-URI doesn't work." Enable the setting the alternate way, still 150 devices reporting errors. "Policy is rejected by licensing". Contact Support, more troubleshooting...

Like I mentioned above, 3 weeks ago I contacted support and, after some back and forth, they told me that the Business "SKU" wasn't supported (See above link for "supported" versions). Intune reports EVERY system as Windows Pro with the correct build version numbers, but the systems themselves all report that their version is "Windows Business".

We finally found that by removing the Windows 10/11 Business Service from the individual user licenses that, eventually, systems reclassify themselves as Windows Pro, and apply the configuration.

Now before we go and apply the change to all 150 user licenses, InfoSec wants to know "What settings/configurations are we adding or losing by making this change?"

The only thing I can find and Microsoft support are telling me is "Windows for business includes Windows 10 Pro, Windows 10 Pro for Workstations, Windows 11 Pro, and Windows 11 Pro for Workstations. These operating systems include cloud services and device management capabilities that enable the centralized management and security controls of Microsoft 365 Business Premium." Which is a straight copy/paste out of their site. https://learn.microsoft.com/en-au/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-for-business

I think the "...enable the centralized management and security controls of Microsoft 365 Business Premium." is what's freaking out my ISO. Does ANYONE know what that one little bitty checkbox controls, it has ruled my life for the last 20 days.

Hi,

What happens on Windows devices that are running Windows Enterprise - when licenses are changed to Business Premium?

Will Windows change to Pro or?

Cant seem to find any info regarding downgrade - and Windows devices??

Hi there,

I am new to this side of things and was wondering what is required for the overall.

So a client was asking how they could [securely] access their system remotely and I was told that maybe it was Company Portal for this (it could have been renamed since or is part of Intune etc.). This all using a Microsoft Business Premium licence.

My searches are failing me on this so would be apprecative of a nudge in the right direction.

Maybe it is just not possible as a standalone environment and they need to part of Active Directory for login on the PC etc.; this would bring with it it's own problems for the client and use.

Am I way off base here?

A VPN and Windows Pro would have been my go to previously at least.

Hey everyone,

We're a small MSP venturing into Intune projects, but we lack experience in handling them end to end. In the past, we've only completed one client setup with Intune (which wasn't perfect). Currently, we're managing Intune setups for 2 to 5 clients.

We're encountering a challenge in closing deals for Intune projects. When gathering information, we struggle to determine the best license for our clients.

Could you please help us understand, in simple terms, the differences between Microsoft 365 Business Premium, Microsoft 365 E3, and Microsoft 365 E5?

Does anyone have a checklist or comparison table that breaks down the Intune policies included in each Microsoft 365 plan (Business Premium, E3, and E5)? This would be super helpful!

We've checked out https://m365maps.com/ but still need help explaining these plans to our clients.

Thanks in advance!

Comparing Microsoft 365 Business Standard vs. Premium, the main difference is Standard does not include Azure AD, Intune, Azure MFA, and a few other things. Does this mean that a user licensed with Standard cannot join their PC to Azure AD at all? Can a Standard user not enable MFA on their account? What exactly are the limitations here?

Hi ,

I’m currently the solo IT person at a small biotech company with around 15-20 employees, and we're planning some major upgrades to our IT environment. We're using a mix of Windows 7 and Windows 10 machines, and most of our software is outdated (Microsoft Office 2007). We're looking at upgrading to Windows 10 and moving to Microsoft 365 Business Premium, but I could use some advice on whether this is the right move.

Current Setup:

• OS: Mixed usage of Windows 7 and Windows 10.

• Software: Some computers use Microsoft Office 2007.

• Storage: NAT storage device and Dropbox for cloud storage.

• Hardware: Some older machines that will need replacement to support newer OS versions.

Planned Upgrades:

1. Windows 10: Upgrading all systems to Windows 10 to ensure support and security.

2. GoDaddy MS 365 Online Business Essential Plan → Microsoft 365 Business Premium:

Why We're Considering the Upgrade:

• We need better security, given the vulnerabilities of unsupported systems and outdated software.

• We require more scalable solutions to support our growth.

Questions:

• Are there any significant downsides to moving to Microsoft 365 Business Premium that I should be aware of?

• Given our setup and needs, does this seem like the right move, or should we consider other options?

• Any advice on managing this transition smoothly, especially with hardware replacements and potential software compatibility issues?

• For Cyber security, Is Microsoft Defender for Business enough for our size of company or need additional antivirus software such as Norton, Bitdefender..?

Thanks in advance for your insights!

Hello,

A client is migrating from Google workspace to MS365 and I'm confused with the kind of license they need. They will need Defender EDR, Intune, and conditional access primarily. Would Business premium work?