The renewal you signed without reading the security page
Picture the spreadsheet you keep for the things you mean to get to. Somewhere on it, between the printer that needs a firmware update and the offboarding script you keep almost finishing, is a line that says "turn on Conditional Access." It has been there for a while. You know it matters. You also know that the day it lands on your desk is the day three other fires are burning, and Conditional Access is the one that will not page you tonight if you skip it.
So you skip it. Again. And the strange part is that you already paid for it. The license renewal went through last quarter, the invoice cleared, and bundled inside that subscription is a set of security features that a mid-sized company would have spent real money assembling from separate vendors a few years ago. You own them. They are sitting in the admin center, switched off, waiting for someone to have a free afternoon that never comes.
This is the quiet truth about most small environments: the tools are already there. What is missing is not budget. It is the person with the time and the context to turn them on, watch them, and keep them tuned. Here is what you are sitting on.
What is in the box you already bought
Microsoft 365 Business Premium is built for companies up to 300 users, and it bundles a security set that goes well past email and file storage. According to Microsoft's own Business Premium comparison, the plan includes Microsoft Defender for Business and Microsoft Defender for Office 365 Plan 1 on top of the productivity apps.
In practical terms, the box you already bought contains:
- Microsoft Entra ID P1, which is what makes Conditional Access available to you, per Microsoft's Business Premium security FAQ.
- Microsoft Defender for Business, the endpoint protection layer with next-generation antivirus, threat and vulnerability management, and automated investigation, described in Microsoft's small business Zero Trust guidance.
- Defender for Office 365 Plan 1, which is where Safe Links and Safe Attachments live, also covered in that same Zero Trust guidance.
None of that is an upsell. It came with the seats you are already paying for every month. The question worth asking at renewal is not "what should we buy." It is "what did we already buy and never switch on."
The features that ship off, or ship soft
A few of these are genuinely off until someone enables them. Others are technically on but set so gently that they barely count.
Multifactor authentication is the friendly example. Security Defaults are on by default in Microsoft 365 for business, and that turns on MFA for everyone, which is real protection out of the gate (Microsoft 365 for business security overview). Microsoft states that requiring MFA reduces the risk of account compromise by more than 99 percent (Microsoft-managed Conditional Access policies). That is the single highest-return switch in the building, and it is already flipped for most tenants.
The soft ones are where the gap hides:
- Conditional Access is available with your P1 license, but it does nothing until you write policies for it: block legacy sign-in, require a compliant device, fence off admin portals.
- Safe Links and Safe Attachments are part of your Defender for Office 365 plan, applied through preset security policies that someone has to scope and turn on (Microsoft 365 Business Premium trial guide).
- Defender for Business is provisioned only when an admin walks through its setup; even then, the antivirus and vulnerability data are only as useful as the person reading the alerts.
The pattern repeats. The capability is licensed. The configuration, and the attention afterward, is not.
Where the box stops, and the honest line
We run M365 environments, so here is the part the marketing pages skip. Not everything you might want is in the Business Premium box. Privileged Identity Management, the feature that turns standing Global Admin into just-in-time access with approvals, requires Entra ID P2 or Entra ID Governance, which is not included in Business Premium (Microsoft Entra ID Governance licensing). Risk-based Conditional Access has the same P2 requirement (Conditional Access licensing).
That matters because the goal is not to pretend the included tier covers a regulated enterprise. It does not, and saying so is more useful than overselling it. What the included tier does cover is most of the real risk for a company under a few hundred people, once someone configures it. The honest line is that you probably do not need to buy more tomorrow. You need the time and the hands to run what you have.
The missing piece was never a product
Walk back to that spreadsheet line. "Turn on Conditional Access" never got done because turning it on safely is operational work: scope a policy, test it in report-only mode, watch for the user who travels and the service account that uses legacy sign-in, then promote it and keep watching. A product cannot do that for you. A person has to own it.
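To make the "block legacy sign-in, test in report-only mode, then promote" sequence concrete, here is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. The policy name, the break-glass account placeholder, and the assumption that the Microsoft.Graph.Identity.SignIns module is installed and the signed-in admin can consent to the listed scopes are all mine.

```powershell
# Added example (not from the original post): create the classic
# "block legacy authentication" Conditional Access policy in report-only
# mode with the Microsoft Graph PowerShell SDK, then promote it later.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and
# the signed-in admin can consent to the scopes below.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed policy name; pick whatever naming scheme your tenant uses.
$policyName = "CA001 - Block legacy authentication (report-only)"

# Legacy protocols (IMAP, POP, SMTP AUTH, older Office clients) appear as
# the "exchangeActiveSync" and "other" client app types. The policy covers
# all users and all cloud apps, but starts in report-only state so the
# sign-in logs reveal who would have been blocked before anyone actually is.
$params = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            # Placeholder: the object id of your emergency-access account,
            # so a mistake here cannot lock every admin out of the tenant.
            excludeUsers = @("<break-glass-account-object-id>")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created '$($policy.DisplayName)' (id $($policy.Id)) in report-only mode."

# After reviewing the report-only results in the sign-in logs for a week
# or two, and moving the service account that still uses legacy sign-in to
# a modern client (or an explicit exclusion), promote the same policy:
#
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
```

The "report-only" sign-ins show up in the Entra sign-in logs under the policy's name, which is exactly the review step the paragraph above describes someone having to own.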
That is the whole shape of the problem for a small team. The security features inside M365 are good, and you already pay for them. The constraint is not the catalog. It is that the one person who could enable and tend them is also rebuilding the offboarding script and chasing the printer firmware. Buying another license does not add an hour to that person's week.
So before the next renewal, here is the question to sit with: if the tools you need are already switched off in a console you own, what would it change to have someone whose actual job is keeping them on?