Microsoft Cloud App Security-July 2020
Microsoft Cloud App Security is a user-based subscription service. Each license is a per user, per month license. Cloud App Security can be licensed as a standalone product or as part of several different licensing plans, listed below. When we refer to “the complete CASB offering”, we are referring to an offering that includes all Cloud App Security capabilities, Office 365 Cloud App Security and Cloud App Discovery.
Microsoft 365 E5
This is Microsoft’s most comprehensive Modern Workplace offering and includes the highest tier offerings of Enterprise Mobility + Security, Office 365, and Windows. This licensing plan allows you to enable the integration of Microsoft Cloud App Security and Microsoft Defender Advanced Threat Protection to enable machine-based Discovery on and beyond the corporate network. For details, refer to the technical documentation. For additional licensing information of M365 E5, please visit this page.
Microsoft 365 E5 Security
This licensing plan unifies our security value across Office 365, Windows and Enterprise Mobility & Security (EMS). It includes Office 365 ATP Plan 2, Microsoft Cloud App Security, Azure Advanced Threat Protection (Azure ATP), Azure AD Premium 2 (P2) and Microsoft Defender Advanced Threat Protection (MDATP). Via this SKU customers can leverage the complete CASB offering.
Microsoft 365 E5 Compliance
This offer includes Information Protection & Governance, Insider Risk Management and eDiscovery & Audit solutions. Via this SKU customers get the complete CASB offering. For more information, visit this site.
Enterprise Mobility & Security E5 (EMS E5)
EMS E5 includes all CASB capabilities. EMS E5 furthermore adds automatic data classification and labelling, as well as mobile device management and mobile app management to protect corporate apps and data on any device and for any first and third-party app in our solution for data loss prevention (DLP). For additional licensing information of M365 E5, please visit this page.
Licensing plan: Microsoft Cloud App Security + Enterprise Mobility & Security E3 (EMS E3)
This combination of product licenses extends the capabilities of Cloud App Security to include Conditional Access App Control (Reverse proxy capabilities) for real-time session controls, and automatic data classification and labeling. Conditional Access enables you to determine when to send users via the Cloud App Security reverse proxy and define what risk means in your organization or use the built in “User Risk” feature. Automatic data classification and labeling helps enable you to protect sensitive information in corporate applications for any first- and third-party solutions, therefore assisting in data loss prevention. This licensing plan provides customers with the complete range of capabilities of Microsoft’s CASB offering. Additional details on EMS E3 licensing.
Microsoft Cloud App Security (standalone license)
This is a standalone license that includes all CASB functionality for first and third-party applications. This per-user license includes an unlimited number of apps to be connected and protected for each user.
Microsoft 365 Education A3
The education edition of Office 365 A3 includes Office 365 Cloud App Security. This licensing plan is available to educational institutions and includes Microsoft Cloud App Security. Additional details can be found here.
Microsoft 365 Education A5
This licensing plan is available to educational institutions and includes Microsoft Cloud App Security.
Office 365 E5
This licensing plan includes Office 365 Cloud App Security, which is a subset of Microsoft Cloud App Security capabilities. The subset includes Discovery and Risk assessment capabilities, as well as all other Microsoft Cloud App Security functionality, but limited to the use of Office 365, i.e. no 3rdparty applications can be connected and managed with this license. Please see additional documentation here for more details.
Azure Active Directory Premium 1 / Azure AD Premium 2
AADP P1/P2 includes the Cloud App Security Discovery and Risk Assessment capabilities only. AADP P1/P2 does not include the reverse proxy/session control aspects of Conditional Access. In order to utilize the interoperability of AAD Premium Conditional Access and MCAS reverse/session proxy, both MCAS and AADP P1 licenses are required.
For additional Cloud App Security feature details, please see documentation found here. For information on AAD licensing, refer to this site.
US Government Licensing
The following is a description of services available for our US Government customers. Broadly, Microsoft provides three licensing plans, Government Community Cloud (GCC), Government Community Cloud – High (GCC High), and Department of Defense (DoD). Each of these environments has specific compliance capabilities. You can learn more about US Government EMS service descriptions here and the compliance attributes for Microsoft Cloud App Security here.
Cloud: GCC
These licensing plans are offered in the Azure Commercial environment and are covered by Azure Commercial’s FedRAMP High Authorization to Operate (ATO), but may not meet other GCC compliance attributes, such as CJIS background screening, (IRS 1075, CJIS) and access to customer content being restricted to US government screened personnel. A list of compliance offerings for Microsoft products and services can be found on the Microsoft Trust Center. For information on where Microsoft stores customer data at rest for Microsoft Cloud App Security, please review the Online Services Terms and the product documentation.
Please see the different licensing plans below available for the GCC Cloud. There will be a ‘-‘ where the product is not expected to be part of that licensing plan.
*The EMS E5 Licenses in GCC does not include Cloud App Security or Azure Advanced Threat Protection. In order for the GCC customers to gain access to these products, customers have the option to utilize a commercial instance of this service that meets commercial cloud compliance standards with the purchase of an EMS E5 GCC SKU and the $0 add-on as referenced above. Further details about Microsoft Cloud App Security as an add-on to EMS can be found here.
Cloud: GCC High
Cloud App Security offering for GCC High is built on Microsoft Azure Government cloud and designed to inter-operate with the Office 365 GCC High environment. Please see the different licensing plans below available for the GCC High Cloud. There will be a ‘-‘ where the product is not expected to be part of that licensing plan.
Cloud: DoD
As of July 2020, there is no availability for Cloud App Security in DoD environments. Refer to the Microsoft service roadmap for an update on any availability for this cloud service.
Frequently Asked Questions
What is the price of Microsoft Cloud App Security?
The price for commercial licenses for Cloud App Security varies by program, region and agreement type. In the Direct channel, there are ERP standalone list prices. Please see details on the pricing configurations here.
Additionally, if customers want to use the Conditional Access App Control feature of Microsoft Cloud App Security, they must also have at least an Azure Active Directory Premium P1 (AAD P1) license for all users they intend to enable for this feature.
Licensing plans available to US government customers that include Microsoft Cloud App Security are described in the licensing tables below. Additional details can be found in our licensing and pricing descriptions:
Office 365 US Government
Microsoft 365 Government
Enterprise Mobility + Security for US Government
Who needs to be licensed for Microsoft Cloud App Security?
Each user must be licensed for Microsoft Cloud App Security to use or benefit from it. For customers who license a subset of users, services enforced at the tenant level are not licensed for the other users. They are not entitled to use or benefit from the service, regardless of whether the service is technically accessible. To be compliant, customers must license any user that they intend to benefit from the service.
Which license do I need if I want O365 CAS only?
Customers only need to purchase O365 E5 if the only cloud app security model they intend to deploy is that of O365.
How do I acquire only the Discovery capabilities of Microsoft Cloud App Security? What are the licensing plans?
The Microsoft Cloud App Security Discovery feature is included in various licensing plans. If your customer has any of the below licenses, they will be able to access the Discovery capabilities within Cloud App Security:
– Microsoft Cloud App Security
– Azure Active Directory P1
– Enterprise Mobility + Security E3, which includes AAD P1 license
– Office 365 E5 – discovery for Office products only
All prices are per user/ per month. There is no standalone SKU available for “Discovery-only”
capabilities. For a detailed overview of all discovery capabilities please refer to the “Discovery” section on this site. Please contact your Microsoft reseller or representative for a price quote specific to you.
Note that Microsoft does not determine pricing or payment terms for licenses acquired through resellers.
What is the difference between Discovery capabilities in Azure AD P1 and Microsoft Cloud App Security?
All Discovery capabilities are equally available in Azure AD Premium P1 and Cloud App Security except for anomaly detection alerts. For a detailed overview of all discovery capabilities please refer to the “Cloud Discovery” list of features in the context of this datasheet.When customers configure Conditional Access App Control to implement real-time controls and have
guest users in their network via the free guest licenses in Azure AD, they do not require Microsoft Cloud App Security licenses for the external users that will be leveraging the reverse proxy infrastructure.
What is the difference between Discovery capabilities in Office 365 Cloud App Security and Microsoft Cloud App Security?
For a detailed overview of all discovery capabilities please refer to the “Cloud Discovery” list of features in the context of this datasheet.
When using Conditional Access App Control (reverse proxy) capabilities via Azure AD, do external users need to be licensed?
When customers configure Conditional Access App Control to implement real-time controls and have guest users in their network via the free guest licenses in Azure AD, they do not require Cloud App Security licenses for the external users that will be leveraging the reverse proxy infrastructure.
Licensing Purchase
Cloud App Security is available in Enterprise Agreement (EA), Open Program, Cloud Solution Provider (CSP), and Direct channels.. Each user must be licensed for Cloud App Security to use or benefit from it. For customers who license a subset of users, services enforced at the tenant level are not licensed for the other users. They are not entitled to use or benefit from the service, regardless of whether the service is technically accessible.
Please contact your Microsoft reseller or representative for a price quote specific to you. Note that Microsoft does not determine pricing or payment terms for licenses acquired through resellers.
Download the document:
(© Microsoft Corporation. All rights reserved.)