Are native tools enough for proper Office 365 security and effective hybrid management?

“Batteries not included.” Is there a sadder phrase, even now that you’re an adult? You open the coolest present in the world, and then you suddenly discover that you need something more to get it to actually work for you.

Of course, this principle is not limited to toys and gadgets. Many useful things in life need a little something extra to reach their full potential. Consider Microsoft Office 365. It’s the premier cloud platform for just about everything a business needs. Depending on the package you choose, you get an impressive suite of enterprise-quality messaging, collaboration and productivity tools — Office 365, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Skype for Business and more. It’s no wonder that more than 135 million people use Office 365 every month.

But are the batteries included? If you turn the platform over and peek inside, does Office 365 provide the tools you need to keep your data secure and manage your complex hybrid environment properly? Let’s dig in and see how it fares in four key areas: visibility into threats, advanced threat detection, hybrid management, and compliance with external regulations and internal policies.

Visibility into threats

To help you establish and maintain Office 365 security, Microsoft offers threat management functionality in the Security & Compliance Center. There’s some useful stuff there, including ways to help filter out spam, protect against viruses and other malware, detect malicious attachments, and prevent users from following links in emails or Office documents that point to known bad websites.

However, the various threat reports in the Security & Compliance Center each focus on a specific type of attack, so they provide only a piecemeal view of the data security threats facing your organization. To get the bigger picture, administrators have to manually correlate data about malware and non-malware attack vectors from different reports. Naturally, this task is both time-consuming and error-prone, and it limits your IT staff to a reactive rather than a proactive security strategy. To get the single-pane visibility across the environment that you need to effectively spot and block threats to your systems and data (in other words, threats to your business), you need to look to third-party Microsoft platform migration, security and management solutions.

Advanced security threat detection

If you pay extra, you can get Microsoft’s Advanced Threat Protection (ATP). Available only in the E5 Office 365 plan or as a standalone service, ATP offers some protection against advanced threats hidden in URLs, phishing messages and documents. But it does have some significant limitations. In particular, not all content is actively scanned in place for embedded threats, and ATP’s scanning of email attachments can delay delivery, which can impact user productivity. Organizations are wise to consider whether ATP is worth the additional cost, or whether third-party threat detection services and solutions deliver more bang for the buck.

Hybrid management

Most organizations that are using Office 365 also have on-premises systems, data and applications — in other words, they have a hybrid IT environment. While some plan to eventually move completely to the cloud, some expect to maintain a hybrid configuration for the long term. Hybrid environments introduce management and administration complexities that can wipe out many of the benefits of the Office 365 implementation. For example, having multiple disconnected interfaces on-premises and in the cloud can make day-to-day management and automation more difficult. Moreover, the native process of synchronizing identities from your on-premises Active Directory to Azure AD can leave critical gaps, including lack of proper backup and recovery of cloud-only accounts. As a result, your organization incurs both unexpected costs and increased risk. The wise strategy is to invest in third-party solutions for hybrid Active Directory security and governance.

Compliance with external regulations and internal policies

For Office 365 subscribers with Enterprise E3 or below, the Office 365 audit log retains audit events for only 90 days; there is no way to increase this time frame. (The exception is Exchange Online, where an administrator can change the 90-day default for Exchange audit log entries only.) Even the Office 365 Enterprise Plan E5 provides only one year of storage. However, many organizations are subject to regulatory mandates that require retention of this data for much longer periods, often seven to ten years. Even internal policies based on best practices require long-term storage of the audit trail.

This limitation means the native audit log can do nothing for an organization trying to track down an issue that occurred outside of the last three months. That’s significant, especially given that the mean time to identify (MTTI) an attack is more than double that (197 days), according to the Ponemon Institute’s 2018 breach study. Fortunately, third-party security, governance and compliance solutions enable you to store your audit trail for years, while also facilitating forensic investigations and streamlining compliance audits.


Based on these four factors alone, it’s clear that organizations need more robust tools than Microsoft provides natively in order to properly secure and efficiently manage Office 365. But there’s an upside: Using third-party Microsoft platform migration, security and management solutions often enables an organization to opt for a less expensive Office 365 plan — resulting in both a lower total cost of ownership and improved security and management capabilities.

I wish I could say I’ve covered all the drawbacks of the native tools here, but, alas, that’s not the case by a long shot. There are also limitations in Office 365 storage, data loss prevention (DLP), encryption, eDiscovery, archiving, authentication and more. It’s essential to fully understand these issues so you can seek out third-party Office 365 solutions that deliver the comprehensive functionality you need. To learn more about the limitations of native tools, check out the new Osterman Research report sponsored by Quest, “Why your company needs third-party solutions for Office 365.”

About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the C-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.
