In the previous blog posts, we covered how deploying customers to Copilot is not the flip of a switch, but rather a journey. We talked through why partners tell us they segment customers into three groups in order to manage each customer’s journey to Copilot adoption. Read the prior blog.
This blog’s focus will be on the second group, “Deploying Basic Security Readiness.”
As a reminder, here are the three groups that partners commonly segment their customers into:
- Drive Microsoft 365 Adoption – Copilot needs data to ground its answers in. The path to Copilot begins with assessing whether each customer has sufficient data in M365 for Copilot to be useful.
- Deploy Basic Security Readiness – Making sure the customer’s tenant has basic security in place before unleashing
- Investigate Risk and Resilience – Adding the next layer of security, including security framework compliance requirements.
Partners also mention that these stages don’t have to be run in isolation: deploying Basic Security and Investigating Risk & Resilience can run in parallel while the customer is still driving their Microsoft 365 adoption.
Deploying Basic Security Readiness across all customers
M365 Security is important, regardless of a customer’s interest in Copilot. But due to the power and creative use cases enabled by Copilot, security is even more important for users of Copilot.
These customers should definitely have basic security in place, and they are more than likely looking to you, the partner, to accomplish this.
The first step is to get an understanding of a customer’s current security standing, and potentially how this might align to current compliance frameworks they may need to adhere to. This could be as simple as the Microsoft Secure Score but might be something more industry-focused like ISO27001 or NIST 2.
Partners are using a workflow within SkyKick Security Manager to do just that.
Below is the Get Microsoft 365 Security Baselines Report workflow within Security Manager. This workflow gives partners the power to see which baselines are in place for each customer across Microsoft’s 200 security baselines. Additionally, it allows you to select additional security compliance frameworks to focus on the most important baselines for each customer.
On the right-hand side of the screen, select the framework you want to check against and any additional frameworks, and be sure to select both “Report Types.” After a short while, this will produce two reports: one for you (Detailed) and one you might share with your customer (Basic).
Partners tell us that the Detailed Microsoft 365 Baselines Report is particularly useful for their internal use as an MSP, as it includes a level of detail that’s useful for them but perhaps too detailed or technical for the customer. However, we all know some customers like more detail too. These reports can be scheduled and emailed to any audience you choose.
Here are some highlights about the Detailed M365 Baselines Report:
- The overall security percentage score at the top of the report displays how many of the required/recommended settings are configured in accordance with the compliance framework
- Each of the settings includes:
  - Short and more detailed description of the setting being checked
  - Strategic rationale & context behind why each recommended setting should be configured. Great for aligning with customers, especially if an improvement impacts end users…
  - End-User impact – Proactively discussing these change management details with your customer – from their perspective – demonstrates the quality of your service, and can help them make confident decisions more quickly
  - Manual audit steps using Microsoft portals – Where you would normally check this setting in the portal
  - Compliance standards mapping table – Even if your customer has never heard of compliance standards, show them where they stand with the one recommended for their industry. It could just be a great future long-term project. (NIST Cyber Security Framework v2 in above example)
  - Security Manager remediation solutions – This is a link to fast-track finding the exact workflow to address the security setting in 1 click
  - Tick/Cross/Information bubble – Displays whether an item is compliant/non-compliant and eligible, versus not licensed and therefore not compliant
You and your team now have a detailed assessment and strategic information to formulate a plan to get a customer compliant. But maybe you need something to share with the customer to get them aligned?
The Brief Microsoft 365 Security Baseline Report simply gives your customer an overall percentage score (how far they are from being compliant) and a simple Yes/No/Not Licensed indicator for each item. Partners say that the context this report gives on licensing versus security often resolves M365 licensing conversations that have been going on for too long.
Many partners I speak to share the Brief Report with their customers when checking against ISO27001 and then use the other Detailed Report internally to decide more granularly how they will address each of the items.
Once partners have run and absorbed the information in these reports, they’re ready to work on the customer’s tenant to increase their compliance score in two phases, starting with the Apply Microsoft 365 Security Baselines command shown below. Based on many conversations with partners, here are a few of the settings you might apply with minimal customer conversation, delivering low-friction value to the customer quickly:
- Defender Anti-Spam – Set action to take on high confidence spam detection
- Office365/Exchange Online – Ensure ‘External sharing’ of calendars is not available
- Office365/Exchange Online – Ensure the customer lockbox feature is enabled
Implementing these changes through the command in the Copilot workflow allows you to roll this out to customers in a scalable and repeatable manner.
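The three low-friction settings listed above can also be verified directly against a tenant before and after the workflow runs. The following Exchange Online PowerShell script is an added example, not SkyKick’s or Microsoft’s own code; it assumes the ExchangeOnlineManagement module is installed and that the account used holds a role allowed to read these policies. Treating “Quarantine” as the compliant anti-spam action is an assumption of this example.

```powershell
# Added audit example (not part of the original post or of Security Manager):
# read-only check of the three baselines named in the list above.
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

# 1. Defender Anti-Spam: action taken on high-confidence spam, per policy.
foreach ($policy in Get-HostedContentFilterPolicy) {
    $findings += [pscustomobject]@{
        Check = "Anti-spam high-confidence action ($($policy.Name))"
        Value = $policy.HighConfidenceSpamAction
        # Assumption: Quarantine is the expected action; adjust to the baseline
        # agreed with the customer if it specifies a different action.
        Pass  = ($policy.HighConfidenceSpamAction -eq 'Quarantine')
    }
}

# 2. Exchange Online: external calendar sharing is granted through sharing
#    policy domain entries of the form "<domain>:CalendarSharing...".
foreach ($sp in Get-SharingPolicy) {
    $calendarEntries = @($sp.Domains | Where-Object { "$_" -match 'Calendar' })
    $findings += [pscustomobject]@{
        Check = "External calendar sharing ($($sp.Name))"
        Value = ($calendarEntries -join '; ')
        # Compliant when the policy is disabled or grants no calendar sharing.
        Pass  = ((-not $sp.Enabled) -or ($calendarEntries.Count -eq 0))
    }
}

# 3. Customer Lockbox is a tenant-wide organization setting.
$org = Get-OrganizationConfig
$findings += [pscustomobject]@{
    Check = 'Customer Lockbox enabled'
    Value = $org.CustomerLockBoxEnabled
    Pass  = [bool]$org.CustomerLockBoxEnabled
}

# Summarise, then surface only the failures for the remediation conversation.
$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks need attention." -f $failed.Count, $findings.Count)

Disconnect-ExchangeOnline -Confirm:$false
```

Running the same script after the Apply Microsoft 365 Security Baselines command gives a before/after record that can be attached to the Brief Report for the customer.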
When they have covered the basic security settings, partners usually then go back to the customer to engage them in a more detailed conversation around the higher user-impact or higher implementation-cost items. From conversations with partners, I see the following four additional offerings:
But why is M365 security so important for users with Copilot?
Put simply, Copilot enables customers to use and share data in unprecedented ways. Thus, ensuring Microsoft’s recommended baseline settings are in place is more important than ever.
As your customers start to increase their usage of the M365 features in preparation for Copilot, they increase their chances of accidentally exposing data they shouldn’t, either internally or externally.
And whenever you create a new tenant for a newer customer, although some basic security is deployed out of the box by Microsoft as part of the tenant provisioning, other settings are left to the partner.
Customers are starting to ask for Copilot. For MSPs, the conversation should pivot early to enhanced security as a prerequisite. Security Manager’s workflows discussed above enable you to manage the security project, which leads to more conversations with the customer around who needs access to what data, sharing permissions, and whether any extra data governance or compliance needs to be considered.
All of this needs to be done before you switch on Copilot for Microsoft 365.
We will continue that part of the conversation, and the workflow, in the next blog post.