Let`s start off with the EMS E3 package and that will give you access and user rights to use Azure AD Premium P1 features.
So do you need it?
Well, Azure AD Premium P1 gives you capabilities for your hybrid users to access both on-prem and cloud resources. The synchronization also provides write-back capabilities so self-service password reset for on-prem users can be achieved. Along with advanced features as Dynamic groups, self-service group management and “Microsoft Identity Manager” (on-prem identity and access management).
And one more important feature which is one of the most powerfull regarding securing your cloud services is “Conditional Access”. Yes we have “Security Defaults” witch is a free service but if you need to do some exclutions you need to upgrade to Azure AD Premium P1 to gain “Conditional Access” features.
Over to EMS E5 – that gives you several additions to the P1 license with all the Azure AD P2 features.
Those features are at the time “Azure Identity Protection” and “Priviledged Identity Management”
When going to P2 i will say that PIM is the feature you want to configure right the way as this gives you access management in a whole new level. Users who have been givven additional roles within your AzureAD does not have the role active at all time lowering the attack vector for users. When users need to use their priviledge roles they have to activate it and by adding a second factor to the activation your priviledge roles are more secure! Hey, you can also add approvers to roles so that a second person need to approve the request.
Many options on this part as you see!
As this blogg post is in a series of several posts please stay tuned for the next service within EMS and this blog post series “S for security in EMS”
S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security