News

Microsoft Online Services and Compliance Risks: Some Tips, Tricks and Directions

• By Kurt Mackie
• 07/28/2017

Organizations with Enterprise Agreements (EA) should consider negotiating protections or special discounts up front to avoid compliance issues likely associated with Microsoft's cloud services.

That's the gist of a talk by Rob Horwitz, cofounder of Directions on Microsoft, an independent consultancy based in Kirkland, Wash. The Thursday public Web presentation, "Microsoft Cloud Compliance Risk," was described as "speculative," and "some of it could be wrong." However, it's based on how Microsoft's current audit practices are applied to premises-installed software, and how those practices could affect organizations that use Microsoft's services. Horwitz said that the talk represented Directions on Microsoft's "early thinking on the issue."

Directions on Microsoft specializes on Microsoft software issues, with a focus on licensing. It offers advice, publications and runs a series of Microsoft Licensing Boot Camps, as described here.

Currently, Microsoft doesn't build compliance warnings into its software and services. Horwitz, who, along with other Directions on Microsoft analysts, formerly worked at Microsoft, said that there are many reasons why compliance checks for customers aren't built into Microsoft's software. License compliance is not Microsoft's first priority, and the company doesn't want to raise alarms. In addition, packaging and licensing issues can get decided late in the game, which doesn't give the technical people enough time to address it. Lastly, the licensing is handled by different folks from the technical people, he said.

Horwitz noted that Office Professional Plus and SQL Server are examples of products that have no internal compliance checks. Microsoft decides when their use complies with the rules via audits. A high percentage of the time, auditors find compliance violations. This approach turns out to be a revenue generator for Microsoft, both directly and indirectly. It helps move customers in the right direction from Microsoft's perspective, which is toward subscription-based licensing associated with its services, which provides Microsoft with a constant annuity stream. Compliance shortfalls are used by Microsoft as leverage. For example, if a customer is reconsidering an EA renewal, Microsoft can negotiate based on the customer's compliance record.

Four Compliance Risks
Horwitz then proceeded to classify four kinds of risks that organizations face should they tap Microsoft's services, even in the slightest way. The risks include:

• Mixing levels of the same service
• Hybrid deployments, where some users have subscriptions to services but some don't
• "Multiplexing" or indirect access
• The use of Azure Virtual Machines

On the first compliance risk, mixing levels of the same service, Horwitz said that having a subscription to one high-end SKU or product could break the rules for others in an organization. One example is the Azure Active Directory service, which Horwitz described as "a good poster child for cloud license compliance issues." It has Basic, Premium Plan 1 and Premium Plan 2 subscriptions, but Microsoft Online Services documentation is often obscure about the consequences if premium features get turned on for just some users.

One example of subscription mixing is the use of Azure AD Identity Protection, which is a service that detects anomalies indicating compromise, such as two log-in attempts from different geographic locations. Azure AD Identity Protection is a feature exclusive to Azure AD Premium Plan 2. If an organization has a subset of users on it, the feature is automatically turned on tenancy wide, and non-Premium Plan 2 users will be accessing the service as well. Another potential risk for getting a subscription mixing violation is the use of Office 365 Advanced Threat Protection (ATP), which works with Exchange Online Protection to detect previously unknown malware. The Office 365 ATP service requires the use of Office 356 Enterprise E5 or standalone user software licensing.

Hybrid deployments, the second risk factor described by Horwitz, entail risks for organizations when some users have subscriptions to Microsoft Online Services but others don't. For instance, if only a subset of users in an organization have subscriptions to Azure AD, then the users without Azure AD subscriptions can still log onto the Azure AD subscription portal. If they do, then they are accessing that feature in Microsoft's eyes and thus are noncompliant. Horwitz also pointed to the Exchange Online Protection service, which is licensed via an Exchange Online subscription and Exchange Server Enterprise Client Access Licenses with Software Assurance. All mailboxes can benefit from Exchange Online Protection, but not all users might be licensed.

The third issue, multiplexing or indirect access, is more obscure. No Microsoft document defines what it means, Horwitz explained. He defined it as a user that experiences any effect when a product is shut off. He pointed to Power BI as an example. It pulls data and may access Project Online or Dynamics 365 indirectly, and that requires licensing.

"I've seen some situations when multiplexing issues have hit customers hard," Horwitz said.

Lastly, organizations face compliance risks using Azure Virtual Machines, which run hosted instances of Windows Server or Linux. Horwitz said that it's easy for organizations to spin up an Azure Virtual Machine but neglect to license the application software that was spun up. He added that SQL Server may be the most overlooked application in such cases. Windows Server could prove a compliance nightmare for organizations using the Internet of Things. They could have thousands or even millions of interconnections, and if Azure Virtual Machines are used, those devices could be indirectly accessing on-premises Windows Server instances.

Compliance Strategies
Horwitz laid out three basic strategies for organizations to mitigate compliance risks.

First, organizations could avoid using Microsoft Online Services altogether. It's possible, but Horwitz commented that it was "akin to paddling upstream." A second strategy is, "Don't worry, be happy." The idea behind that strategy is that maybe Microsoft will leave an organization alone if it buys enough products. Lastly, organizations can try to roll their own compliance efforts, or maybe find a partner to provide that kind of support.

Horwitz's practical advice to organizations is to negotiate compliance protections as part of their next EA renewal. They should specify contract amendments or special discounts, or insist on a "no adverse changes clause."

For instance, if a Premium feature was accessible by non-Premium users, then that's the way it will be per a negotiated no adverse changes clause. Alternatively, there could be a cap on remedies for Online Services compliance shortfalls specified via a contract amendment.

The addition of discounts is another approach to try. An organization indicates that to comply with all of Microsoft's rules, it will buy a particular SKU, but a really big discount will be required. It's possible to negotiate a "special use right grant" for a SKU as well.

Horwitz noted that Microsoft today uses its partners for compliance checks. The company could build compliance into its software, but he wasn't sure what Microsoft might do in the future to reign in noncompliance.