Why schools should expect to move away from free MS licencing.
There’s little doubt that one of the attractions of the Office 365 for Education A1 (O365 A1) licence is the price.
For no cost at all schools receive hosted mailboxes, a generous amount of cloud storage, office web apps and a user directory for an unlimited number of users that supports Single Sign On.
So with the ever increasing facilities offered by Office 365 it might seem like a plan to ditch the servers and the local licensing, operate entirely from the cloud and pay Microsoft nothing at all. Unfortunately as schools and businesses start to understand the requirements of Microsoft's Modern Management strategy that idea is a non-starter for a number of reasons.
Windows 10.
Without onsite servers schools will be relying on Microsoft InTune for device management and that requires a licence that’s not covered by O365 A1. It’s quite possible to register devices with Azure AD without incurring a licence and this gives you a certain amount of control around device security but this is best suited to BYOD deployments. It’s also possible to join Windows 10 devices to Azure AD in a similar way to adding a device to an on-premise Active Directory but this is not a full management package. Without enrolment into InTune you have no control over the way users access and share information and, more importantly you are unable to deploy and authenticate applications.
Therefore licensing in a serverless solution will need at least Office 365 A1 + InTune for each user.
Azure AD.
The cloud directory service that you get bundled with O365 A1 is the Office365 Apps version which was previously called Basic. As the name suggests a few key features are missing from this package and one of the most important is auto-enrolment. This allows users to use a school account to join devices to Azure Active Directory while automatically enrolling into InTune.
Combining auto-enrolment with Auto-pilot it’s possible to ship devices directly to the user from the supplier and be assured that the device will exit the OOBE with a secure work profile and an approved application set installed.
Auto-enrolment is closely related to Dynamic Groups which is another capability missing from the Office365 Apps version. Dynamic Groups allows a user or device security group to be defined on the basis of a user property. Because groups are the primary method of controlling the allocation of policy and access rights (Azure AD does not use an directory OU structure like on-premise AD) dynamic groups are pretty much essential in an environment where users and not admins are adding devices to the directory.
Going forward you are also going to need Conditional Access, the ability to manage access to data and systems based on user groups, locations, device platform and client application. Another key requirement is Enterprise State Roaming which performs a similar function to roaming profiles providing users with a unified experience across their Windows devices.
Basically the Office 365 Apps version of Azure AD doesn't meet the requirements of a Window 10 deployment which means an upgrade to Azure AD Premium P1 as a minimum.
So you now need Office 365 A1 + InTune + Azure AD Premium P1.
Microsoft Office.
To activate and manage the Office desktop apps deployed through Microsoft Intune you need an Office 365 ProPlus licence allocated to each user. So long as the user holds a licence the apps can be installed on multiple devices including Macs, iOS and Android platforms.
If you are keeping track the lists now reads Office 365 A1 + InTune + Azure AD Premium P1 + Office Pro Plus.
Azure Information Protection.
For most schools and businesses Azure Information Protection (AIP) is probably seen as a nice-to-have or even more likely, a complete unknown.
AIP helps an organisation to classify and protect its documents and emails by applying labels. Labels can be applied automatically by administrators which are then used to drive rules and conditions that control how that data might be shared and used within an organization and importantly external to the workplace. Once you adopt a strategy based on mobility and collaboration the security framework provided by the share permissions tied to a fixed storage location only goes so far. Both business and schools need to adopt a new security model based on zero trust networking and move away from the historic perimeter method which is no longer effective.
With AIP the access permissions rest with the document itself regardless of its location and this allows far tighter control and visibility over where the sensitive data is and who can see it. As ever tighter regulation is placed on schools to demonstrate a robust data management policy, AIP will become a necessity.
Although rarely implemented in schools the O365 A1 Education licence includes some of the data protection capabilities of the Azure Information Protection platform. This feature is referred to as Azure Information Protection for Office 365. The full package extends data protection across non-Microsoft Office file formats as well as providing manual, default and mandatory document classification and for that you require a minimum of Azure Information Protection P1.
So now you need Office 365 A1 + InTune + Azure AD Premium P1 + Office Pro Plus + Azure Information Protection P1.
The list is starting to grow but you are unlikely to upgrade your Office 365 A1 licence by purchasing each additional element separately because Microsoft offers some licence bundles to make life easier.
The obvious one is Enterprise Mobility + Security E3. This includes Azure Active Directory Premium P1, Microsoft Intune and Azure Information Protection P1 in a single licence so it gets you most of the way but without Office Pro Plus.
Previously, the easiest way to get a Office Pro Plus licence was to simply upgrade to Office 365 A3 which was essentially an Office 365 A1 licence with larger storage allocations and the ability to install the local Office apps. Putting both Office 365 E3 and Enterprise Mobility + Security E3 together gets you what you need but there is an easier way.
In the future Microsoft expects you to purchase the Microsoft 365 A3 licence which is the union of Office 365 A3 plus Enterprise Mobility + Security E3. In many respects this is the end game - a single user licence that delivers Microsoft as a Service as a yearly subscription.
The pressure to move to this new licensing model comes from a number of directions. First, Microsoft's strategy is now fully focused on cloud services such as Teams and Desktop Analytics. In fact any new feature on the server platform is normally prefaced by the word "hybrid" which is generally a hint that a move to the cloud is imminent. When you see this, pack your bags.
Second, education has always been dependent on the ‘student use benefit’ which grants students free use of licences if the teaching team is fully licenced. Few schools would be able to afford the licencing bill without this scheme. However only the larger licence bundles are covered in any practical way. Purchasing an individual licence for InTune or Office Pro Plus allows you to licence 15 students while the larger Microsoft 365 A3 bundle gives you 40. Trying to save money by targeting specific groups with individual licence packs will cost more in the long run because you need to cover the shortfall for students.
So what would be the cost of licencing a ‘serverless’ Microsoft school in the UK.
Let's say the annual subscription to A3 for education is £5.00 user/month which equates to £60 per year. Therefore a school with 70 staff will be paying £4,200 a year (60 X 70) with the rights to licence a further 2800 student accounts (70 x 40) under a student benefit agreement.
That seems like a scandal! One minute you’re paying nothing for Microsoft cloud services and the next you’re being scalped for just over four grand a year - but that's not the whole picture.
Running Office 365 A1 with local infrastructure has a range of hidden costs once you take into account the obvious requirement for local server licences and user CALS. Servers and storage cost money to power up and cool down and represent a large initial investment that needs refreshing every five years. There’s an IT maintenance contract or internal staff costs to consider, backup hardware and software and a disaster recovery plan (maybe).
Also factor in the money used to provide end-point security such as anti-virus and drive encryption especially after you consider support contracts and upgrades. Remember to include the the annual renewal for the fashionable learning platform that promised to deliver collaborative workflow and remote learning but was never widely adopted.
In conclusion, schools pay indirectly for Office 365 A1 through the ancillary services but without having much idea of what the overall cost is. Well now you do.
In our example and using Microsoft A3 it’s just under £1.50 a year for each of the 2870 staff and student members but only if you ditch those servers and embrace the new normal.
No comments:
Post a Comment