Microsoft 365 is Causing Confusion: Here’s What You Need to Know

Microsoft 365 might be one of the most misunderstood things in the SMB space right now. There are two primary reasons for this, and these problems can lead to substantial business risks:

1. Microsoft 365 isn’t a service
2. The customer is still responsible for the security of the tenant

Microsoft 365 Isn’t a Service

You may be thinking to yourself, “Microsoft 365 isn’t a service? What is it then?” The answer is that it is a set of product families, and the Microsoft 365 plans are subscription bundles of some of those products. In fact, Microsoft 365 has over 25 independent product families, most delivered as a cloud-based service, and many have multiple levels of licensing. Some of the services included in the Microsoft 365 plans are among the 200+ services under the Microsoft Azure umbrella. As you might expect, the Microsoft 365 Roadmap site shows 118 features released or updated in the past month, with an additional 67 in “rolling out” status and 244 in active development. Even looking at just the OneDrive product, there were 2 new or changed features launched in the past month, 1 rolling out, and 7 in development.

The Customer Is Still Responsible for The Security of The Tenant

You also may have thought to yourself, “What do you mean the customer is responsible for security? These are cloud services. Doesn’t Microsoft protect them?” The answer is yes, they do, but only to a point. Google, Amazon, and every other cloud service your organization does or could use operate under the same model. It is an industry standard known as the “Shared Responsibility Model”. To oversimplify it, the customer is always responsible for:

  • User account security
  • Accuracy of the data within the environment
  • Proper configuration of the available features

The type of cloud service and the vendor providing it determine how much more responsibility the customer has. The Cloud Security Alliance has a detailed blog post explaining it. Microsoft has a version that is more easily digestible, with a summarized responsibility matrix you can review here. According to the 2023 Verizon Data Breach Investigations Report, about 4% of all compromises were configuration errors and publishing errors.

Cloud services default to a lower level of security to make it easier for the customer to get into the environment initially and begin configuring the features as needed. The defaults are not considered secure, and that is intentional. This is especially important to understand for businesses with compliance or certification needs (e.g. HIPAA, PCI, FTC Safeguards Rule, ISO, SOC, FERPA, CMMC, NERC CIP, GLBA, SEC 17a-4). Microsoft has a compliance documentation hub with links to documentation for each framework. This framework-specific documentation helps explain exactly what Microsoft does and doesn’t do.

What Does This Mean for You?

The combination of products, licensed features, and frequent product updates makes it challenging to ensure your environment is properly configured and secured. If you don’t have someone on your staff who understands Microsoft 365 and the services you have, then you need to rely on a Managed Services Provider. Most Managed Service Providers, including Vista IT Group, are not proactively checking your Microsoft 365 environment as part of their normal Managed Services offerings. Most that do perform proactive checks are only checking your Microsoft Secure Score, which is a basic, minimum baseline.

We’re Here to Help

All these problems are why Vista IT Group has created a new managed service explicitly for Microsoft 365. This new, fixed-fee, Managed Microsoft 365 offering is based around a third-party auditing tool. It checks your Microsoft Secure Score and looks for things like configuration changes from previous scans. The Unmanaged version sends you the reports and only includes us making sure the scans run, the reports are generated, and that you have access to those reports. The Fully Managed version also includes:

  • Monthly review of security reports with a Vista engineer
  • A quarterly meeting to review your licenses and other best practices
  • Basic creation & management of employee accounts
  • Updating any of the reports for manual fixes that were not picked up in the scans
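To make the “configuration changes from previous scans” check concrete, here is an added example of what such a comparison looks like in code. It is written for this article and is not Vista IT Group’s tooling or the third-party auditing tool mentioned above. The two snapshots are constructed sample data shaped like the Microsoft Graph `secureScore` resource (`currentScore`, `maxScore`, and `controlScores` entries with `controlName`, `score`, `controlCategory`); that shape and the control names are assumptions for illustration, and in practice each snapshot would be one saved result of `GET /v1.0/security/secureScores` per scan.

```python
"""Flag Secure Score configuration drift between two scans.

Example code written for this article, not Vista IT Group's tooling. The two
snapshots are constructed sample data shaped like the Microsoft Graph
`secureScore` resource; field names and control names are assumptions.
"""
from dataclasses import dataclass, field

# Constructed: the previous scan, 52 of 100 possible points.
PREVIOUS_SCAN = {
    "createdDateTime": "2024-01-01T00:00:00Z",
    "currentScore": 52.0,
    "maxScore": 100.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10.0},
        {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 9.0},
        {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "score": 8.0},
        {"controlName": "MailboxAuditing", "controlCategory": "Data", "score": 5.0},
    ],
}

# Constructed: the current scan. Microsoft added a control (maxScore grew), and
# two identity controls lost points after a tenant configuration change.
CURRENT_SCAN = {
    "createdDateTime": "2024-02-01T00:00:00Z",
    "currentScore": 47.0,
    "maxScore": 110.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10.0},
        {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 4.0},
        {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "score": 0.0},
        {"controlName": "MailboxAuditing", "controlCategory": "Data", "score": 5.0},
        {"controlName": "SafeLinksOfficeApps", "controlCategory": "Apps", "score": 0.0},
    ],
}


@dataclass
class DriftReport:
    previous_pct: float
    current_pct: float
    regressed: list = field(default_factory=list)         # (control, old, new)
    improved: list = field(default_factory=list)          # (control, old, new)
    new_controls: list = field(default_factory=list)      # only in the current scan
    removed_controls: list = field(default_factory=list)  # only in the previous scan


def _percent(snapshot):
    """Score as a percentage of the maximum, so a larger maxScore alone does not look like a regression."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def _by_name(snapshot):
    return {c["controlName"]: c["score"] for c in snapshot["controlScores"]}


def compare_scans(previous, current):
    """Compare per-control scores; only controls present in both scans can regress or improve."""
    prev, cur = _by_name(previous), _by_name(current)
    report = DriftReport(previous_pct=_percent(previous), current_pct=_percent(current))
    for name in sorted(set(prev) | set(cur)):
        if name not in cur:
            report.removed_controls.append(name)
        elif name not in prev:
            report.new_controls.append(name)
        elif cur[name] < prev[name]:
            report.regressed.append((name, prev[name], cur[name]))
        elif cur[name] > prev[name]:
            report.improved.append((name, prev[name], cur[name]))
    return report


def needs_attention(report):
    """True when any control lost points: that is the signal worth a human review."""
    return bool(report.regressed)


def summarize(report):
    """One line per finding, suitable for a monthly review report."""
    lines = [f"Secure Score: {report.previous_pct}% -> {report.current_pct}%"]
    for name, old, new in report.regressed:
        lines.append(f"REGRESSED {name}: {old} -> {new}")
    for name, old, new in report.improved:
        lines.append(f"improved  {name}: {old} -> {new}")
    for name in report.new_controls:
        lines.append(f"new control (not yet configured): {name}")
    for name in report.removed_controls:
        lines.append(f"control retired: {name}")
    return lines


if __name__ == "__main__":
    for line in summarize(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)):
        print(line)
```

The point of comparing per control rather than just the headline number is visible in the sample data: part of the drop from 52% to 42.7% is simply Microsoft adding a new control to the maximum, while the two identity controls that lost points are the actual configuration changes a reviewer should ask about.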

Interested in our fully managed Microsoft 365 offering?
