
Does Microsoft's Office 365 licensing model encourage poor security practices?

I've recently survived a migration to Office 365 with relatively few scars, coming out only slightly more cynical, bitter and twisted than I was when I started[1].

I remember speaking to a Microsoft sales rep at some conference or other; they said that in Office 365 you only need to buy one license per user. That's it, and a user was unofficially defined as a living, breathing bag of meat that has an Office 365 account.

  • No more worrying about buying CALs for printers and photocopiers
  • No need to buy an extra license for users who had a regular account and an administrative account
  • No extra CALs because someone wants their emails on their phone and their laptop at the same time
  • No need to license accounts used by system scripts and scheduled tasks
  • No worries about Per-Core vs Per-CPU licensing
  • No need to license unused CPU cores because a VM could potentially be migrated in a failover situation.
  • No weird definition of "User"[2]

Just one license per person. Simple. I was quite surprised.

It turns out that's not quite correct. While you don't have to license MFDs, in practice, if you want your photocopiers and scanners to be able to authenticate and send email using Office 365, they are going to need an account.

There is a workaround for this: I could set up a shared account, scanner@example.com; shared accounts don't need a license. I could give my account, Michael.VanDelft@example.com, 'Send As' permission. Then I can set up the photocopiers to authenticate with my credentials and send email as scanner@example.com. While that's totally OK from an Office 365 licensing perspective, I'm left with my username and password stored in a bunch of poorly secured photocopiers, and I can't change my password without breaking the scan-to-email function on all our photocopiers.

There are some other workarounds for this, but they either involve direct send or running an SMTP relay, and neither option is great.

We have a plethora of things which send email, not just photocopiers but system monitoring tools, our backup software sends reports, several system scripts, our financial system, even our firewall emails alerts occasionally.

If we want all these things to send emails through Office 365, so we get DMARC, TLS, authentication and all that other goodness that comes with a well-configured mail server, we need to license them.


  1. Although it's possible that I've almost reached peak cynical saturation and simply couldn't have got any more bitter and twisted even if it had been a migration to Oracle's god-awful "Oracle Communications Messaging Server". 

  2. We were once looking at Microsoft SQL Server and we were told that if we had some software (e.g. accounting software) that used a single account to connect to the database, anyone who used that software was a "user" of the database, even if we only had one account set up in SQL Server. Fair enough, I guess. But then they extrapolated that to say that if we used a CMS like WordPress with Microsoft SQL Server as the back end, then we would need a license for everyone who viewed or commented on our website, as they too would be a "user" of our database. Needless to say, we went with Per-Core licensing rather than per user. I've since been told that this is not correct by a number of "Microsoft Licensing Experts"; however, it's what we were told at the time by our reseller, who was a "Microsoft Gold Certified Partner".

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.