Microsoft 365 Business Premium Security Stack: A Complete Guide for Berlin SMBs
Microsoft 365 Business Premium is widely recognised as one of the most security-dense licences available to small businesses. For around €20 per user per month, it includes capabilities that enterprise organisations pay multiples more for. The problem is that most SMBs activate a small fraction of what they’re paying for — primarily because the full scope of the security stack is not immediately obvious from the admin console.
This post maps every security component in the Business Premium stack, explains what it protects, and provides a deployment priority order.
The Complete Security Stack
| Component | What It Protects | Admin Portal |
|---|---|---|
| Microsoft Defender for Business | Endpoints (Windows, macOS, iOS, Android) | security.microsoft.com |
| Microsoft Defender for Office 365 Plan 1 | Email, SharePoint, Teams, OneDrive | security.microsoft.com |
| Microsoft Entra ID P1 | Identity, Conditional Access, SSPR | entra.microsoft.com |
| Microsoft Entra ID P2 (via Business Premium) | PIM, Identity Protection, Access Reviews | entra.microsoft.com |
| Microsoft Intune | Device management, compliance policies, MAM | intune.microsoft.com |
| Azure Information Protection P1 | Document and email classification | compliance.microsoft.com |
| Microsoft Purview (compliance features) | DLP, audit logs, eDiscovery | compliance.microsoft.com |
| Microsoft Defender for Cloud Apps | Shadow IT, SaaS app control, session policies | security.microsoft.com |
| Microsoft Defender for Identity | On-premises Active Directory | security.microsoft.com |
| Microsoft Sentinel (add-on) | SIEM/SOAR — not included, but integrates with all above | portal.azure.com |
Deployment Priority Order
Not all components have equal risk-reduction impact. Deploy in this order to maximise security value per hour of configuration effort:
1. MFA for all users (Entra ID) — single highest-impact action, blocks 99% of credential attacks
2. Conditional Access (Entra ID P1) — enforce MFA contextually, block legacy auth protocols
3. Defender for Business — deploy sensor on all endpoints, enable tamper protection
4. Intune compliance policies — require BitLocker, Defender active, minimum OS version
5. Defender for Office 365 — enable Safe Links and Safe Attachments for email and SharePoint
6. Intune app protection policies — MAM for BYOD devices not enrolled in MDM
7. Azure AD Password Protection — ban common and company-specific passwords
8. Microsoft Secure Score review — use as an ongoing improvement dashboard
9. Entra PIM — convert all admin accounts to eligible assignments
10. Sensitivity labels — classify and protect confidential documents and emails
11. Purview DLP — enforce data loss prevention based on label classification
12. Defender for Identity — deploy MDI sensor on domain controllers if hybrid
13. Defender for Cloud Apps — discover shadow IT, enforce session controls
14. Entra ID Governance Lifecycle Workflows — automate joiner/leaver if HR data is in Entra
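As an added example (not part of the original post), a Python audit of the first two priority items, MFA required for everyone and legacy authentication blocked, run over a Conditional Access policy export. It assumes the policies were exported with Microsoft Graph `GET /identity/conditionalAccess/policies`; the sample export embedded below is constructed, not taken from any real tenant.

```python
import json

# Constructed sample export in the shape returned by Microsoft Graph
# GET /identity/conditionalAccess/policies, trimmed to the fields read below.
SAMPLE_POLICIES_JSON = """[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]"""

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

def _enforced_for_everyone(policy):
    """Enabled (report-only never blocks a sign-in) and scoped to all users/apps."""
    cond = policy["conditions"]
    return (policy.get("state") == "enabled"
            and "All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))

def mfa_required_for_all(policies):
    """True if an enforced policy admits everyone only after MFA. With operator
    OR, a second control (e.g. compliantDevice) is an alternative to MFA."""
    for p in policies:
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        if (_enforced_for_everyone(p) and "mfa" in controls
                and (controls == ["mfa"] or grant.get("operator") == "AND")):
            return True
    return False

def legacy_auth_blocked(policies):
    """True if an enforced block policy covers both legacy client app types."""
    return any(_enforced_for_everyone(p)
               and "block" in (p.get("grantControls") or {}).get("builtInControls", [])
               and LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))
               for p in policies)

def audit(policies_json):
    """Evaluate an exported policy list against the two baseline controls."""
    policies = json.loads(policies_json)
    return {"mfa_required_for_all": mfa_required_for_all(policies),
            "legacy_auth_blocked": legacy_auth_blocked(policies)}
```

The sample deliberately leaves the legacy-auth policy in report-only mode, which is a common state to find after a tenant rollout that was never finished; the audit reports it as not blocked.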
What Requires Additional Licensing
Business Premium includes Entra ID P1 and — as of the latest licensing update — Entra ID P2 features. However, some components require additional licensing even with Business Premium:
- Microsoft Sentinel: Not included. Requires an Azure subscription and per-GB ingestion cost.
- Entra ID Governance (Lifecycle Workflows): Not included in Business Premium despite P2 being included. Requires the Governance add-on.
- Microsoft 365 Backup: Not included. Separate per-user add-on.
The Business Case
A fully configured Business Premium tenant provides coverage across the five main attack surfaces for SMBs: email-borne threats, compromised credentials, unmanaged endpoints, data exfiltration, and identity abuse. Most SMB ransomware incidents exploit one or more of these surfaces — typically unpatched endpoints combined with weak credential policies. Business Premium, properly configured, closes all of them without requiring additional security products.
Need help auditing which components of your Business Premium licence are active and configured correctly? Contact us for a free assessment.
