
Baseline Business Premium Security Without PowerShell

Sub-300-user MSPs live in PowerShell and admin-portal hopping to understand a Business Premium tenant's real security configuration. With Microsoft making Business Premium with Copilot a permanent partner-led SKU, here is how a one-click, licensing-aware baseline reads Defender and Purview activation state and turns posture into a commercial conversation.

By Softspend Team. 11 min read.


The fastest route into a Business Premium tenant's real security posture is not a script, and the baseline you produce matters more as a commercial artefact than a technical one.

If you run managed services for organisations under 300 users, you already know the drill. A client asks the simple question, "are we secure?", or a prospect lands and you need to understand what you are about to inherit. There is no single screen that answers it. So you open the Defender portal, then the Purview portal, then Entra, then Intune, then the Microsoft 365 admin centre, then Secure Score in another tab. You run a handful of PowerShell commands, or lean on a community module, to pull the configuration the portals will not surface cleanly. Then you sit with the output and reconcile it by hand against what the tenant is actually licensed for. By the time you have a picture, the picture has moved, because Microsoft shipped something on Tuesday.

This is the daily tax of SMB managed services, and most of it is avoidable. The short version of how you baseline a Business Premium tenant's security without scripts or PowerShell: connect to the tenant through the Microsoft Graph with secure read-only access, read the activation state of every relevant Defender and Purview service plan down to feature level, and map what you find to a recognised framework. No scripts, no admin portals, no exports.

Business Premium is the SKU that actually matters

For the sub-300-user market, Microsoft 365 Business Premium is the SKU you meet again and again. At roughly $22 per user per month and capped at 300 users, it is the default security and productivity bundle for the SMB, and it is the one Microsoft has spent the last year turning into a far more serious 'foundational' security platform than its price suggests.

Out of the box, Microsoft 365 Business Premium already carries a meaningful security and compliance baseline: Microsoft Entra ID P1 with Conditional Access, Microsoft Defender for Business, Microsoft Defender for Office 365 Plan 1, Microsoft Intune Plan 1, Exchange Online Protection, and foundational Microsoft Purview controls including Data Loss Prevention and Information Protection.

For eligible Business Premium tenants, the Microsoft Defender Suite for Business Premium and Microsoft Purview Suite for Business Premium add-ons extend that baseline with selected "E5 tier" capabilities, without requiring a full move to Microsoft 365 E5.

The point is not simply the feature list. The point is that a substantial amount of identity, endpoint, email security, device management, data protection, and compliance capability already sits inside a common SMB licence. The add-ons extend that position further, and much of this capability is not obvious from the high-level licence name shown in the Microsoft 365 admin centre.

| Tier | What it provides |
| --- | --- |
| Business Premium (base) | Microsoft Entra ID P1 with Conditional Access, Microsoft Defender for Business, Microsoft Defender for Office 365 Plan 1, Microsoft Intune Plan 1, Exchange Online Protection, Microsoft Purview Data Loss Prevention, Microsoft Purview Information Protection, 50 GB mailbox, 1 TB OneDrive for Business storage, Microsoft 365 Apps, and baseline audit capabilities. |
| Defender Suite for Business Premium (add-on) | Adds selected E5-tier security capabilities including Microsoft Entra ID P2, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Office 365 Plan 2. |
| Purview Suite for Business Premium (add-on) | Adds selected E5-tier compliance capabilities such as Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview eDiscovery Premium, Microsoft Purview Audit Premium, Microsoft Purview Customer Key, Microsoft Purview Records Management, and Microsoft Purview Data Lifecycle Management capabilities. |


Step back from the feature list and the pattern is this: there is now a substantial amount of security capability sitting inside the most common SMB licence suite, the add-ons extend it well beyond what most people assume Business Premium can do, and almost none of this is visible from the licence column in the admin centre. Entitlement tells you a tenant could be well protected. It says nothing about whether it is.

Licensed is not the same as activated

A Microsoft 365 SKU is not a single switch. It is a bundle of service plans, each of which can be enabled or disabled in the tenant, and each of which does nothing useful until the policies behind it are configured and effective.

Holding the licence tells you what the tenant is entitled to use. It does not tell you whether the control is active, configured, enforced, or protecting users and devices.

A tenant can be paying for Microsoft 365 Business Premium and still operate close to a Microsoft 365 Business Standard security posture if the Business Premium controls have not been implemented. Microsoft Entra ID P1 only improves access security when Conditional Access policies are designed and enforced. Microsoft Intune Plan 1 only improves device control when devices are enrolled and governed by compliance and configuration policies. Microsoft Defender for Business only protects endpoints once devices are onboarded and policies are applied. Microsoft Purview Data Loss Prevention and Microsoft Purview Information Protection only reduce data risk once labels, policies, and user workflows are configured.

There are licensing traps as well. Microsoft Defender for Business and Microsoft Defender for Endpoint Plan 2 should not be read as a simple mixed per-user model. If a tenant holds both entitlements, the endpoint protection experience and active licensing mode must be verified in the Microsoft Defender portal. Entitlement alone can lead to the wrong conclusion about what is actually protecting the endpoints.

The right assessment question is therefore not “does the tenant own the licence?” It is “is the control active, correctly scoped, enforced, monitored, and producing evidence?”

The script-and-portal tax does not scale

A single tenant, assessed by a competent engineer with enough tabs open, can be understood. The problem is that this does not survive contact with a tenant fleet. The workflow is brittle, it is slow, and it produces nothing reusable. Every assessment starts from scratch, every output lives in someone's head or a spreadsheet, and the moment a Microsoft change lands, or there is tenant drift, the work is stale.

It is also expensive in the one resource an SMB MSP cannot spare. The person reconciling portal output against a licence list is usually your most senior engineer, and reconciliation is precisely the part of the job that adds the least value to the client. It is plumbing. The spreadsheet and the portal-hopping habit got the industry this far, but neither can keep pace with Microsoft's change cadence or the sheer number of feature-level checks a proper baseline now requires. A baseline that takes a week to assemble and is not updated is not a baseline. It is a snapshot of a moment that has already passed.

A licensing-aware baseline in effectively "one click"

This is the problem we built softspend to solve for the SMB segment. The platform connects to a client's tenant through the Microsoft APIs with read-only access, and in effectively one click it returns the activation state of the Business Premium security stack across Defender and Purview, down to feature level, mapped to a recognised framework.

The framework matters, because "secure" is not a defensible threshold and one consultant's opinion does not scale across a fleet. For example, aligning the read to the CIS Microsoft 365 Foundations Benchmark, with its Level 1 and Level 2 profiles, gives you a standardised yardstick. A great deal of Level 1 is addressable on the Business Premium base, and the add-on suites are what bring the higher controls within reach. That alignment turns a subjective judgement into a repeatable assessment you can run identically across every tenant you manage.

What you see is a clean read for each control. No scripting, no community module, no console tab hopping, and no spreadsheet. The 'yes, no, yes, no' work that used to take a senior engineer a week becomes 1 minute of work, and it produces an artefact you can hand to a client and a repeatable foundation for the next QBR.

To be clear, this does not remove the expert. It scales them. The engineer stops spending their time stitching portals together and spends it on the part a machine cannot do, which is understanding the business and advising it.

Why a security tool and a licensing tool are not the same tool

The SMB segment has been poorly served here, and the reason is structural. The tools have lived in two separate worlds. Security posture tools will tell you what is misconfigured, but they say nothing about what the client already owns to fix it, or what closing the gap would cost. Licensing tools will tell you what the client is paying for, but they ignore whether the security capability inside those licences is switched on.

So the SMB MSP has been forced to run two separate exercises, a security review and a licensing review, and reconcile the two by hand.

That reconciliation is exactly the gap. Closing it is the difference between a finding and a recommendation. Knowing that Conditional Access is in report-only mode is a security finding. Knowing that it is in report-only mode, that the client already pays for the licence that delivers it, and that switching it on costs nothing but configuration time, is a recommendation a client can act on this week. A licensing-aware baseline collapses the two exercises into one read, and that is the whole proposition for this segment.
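The licensed-versus-activated distinction and the report-only Conditional Access case above, worked through as an added example (not softspend's code and not part of the original article). It runs offline on constructed JSON shaped like the Microsoft Graph /subscribedSkus and /identity/conditionalAccess/policies responses; the servicePlanName strings, the control-to-plan mapping and the placeholder SKU name are assumptions to check against Microsoft's published service plan reference.

```python
import json

# Constructed sample shaped like Microsoft Graph GET /subscribedSkus.
# servicePlanName strings are assumptions for illustration only.
SUBSCRIBED_SKUS = json.loads("""
{"value": [
  {"skuPartNumber": "SPB", "capabilityStatus": "Enabled",
   "servicePlans": [
     {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
     {"servicePlanName": "INTUNE_A",    "provisioningStatus": "PendingActivation"},
     {"servicePlanName": "MDE_SMB",     "provisioningStatus": "Success"}]},
  {"skuPartNumber": "LAPSED_SKU_PLACEHOLDER", "capabilityStatus": "Suspended",
   "servicePlans": [
     {"servicePlanName": "ATA", "provisioningStatus": "Success"}]}
]}
""")

# Constructed sample shaped like GET /identity/conditionalAccess/policies.
CA_POLICIES = json.loads("""
{"value": [
  {"displayName": "Require MFA for all users",
   "state": "enabledForReportingButNotEnforced"},
  {"displayName": "Block legacy authentication", "state": "disabled"}
]}
""")

# Control -> service plan that entitles it (this mapping is an assumption).
CONTROLS = {
    "Conditional Access": "AAD_PREMIUM",
    "Intune device management": "INTUNE_A",
    "Defender for Business": "MDE_SMB",
    "Defender for Identity": "ATA",
}


def active_plan_status(skus):
    """Map servicePlanName -> provisioningStatus, ignoring lapsed SKUs."""
    status = {}
    for sku in skus["value"]:
        if sku.get("capabilityStatus") not in ("Enabled", "Warning"):
            continue  # a suspended or deleted subscription entitles nothing
        for plan in sku.get("servicePlans", []):
            name = plan["servicePlanName"]
            # If two SKUs carry the same plan, one "Success" is enough.
            if status.get(name) != "Success":
                status[name] = plan["provisioningStatus"]
    return status


def conditional_access_enforcement(policies):
    """Strongest policy state present: enforced > report-only > none.

    One enabled policy says nothing about its scope; that still needs review.
    """
    states = {p.get("state") for p in policies["value"]}
    if "enabled" in states:
        return "enforced"
    if "enabledForReportingButNotEnforced" in states:
        return "report-only"
    return "none"


def baseline(skus, ca_policies):
    """Return {control: (state, next step)} along the licensed/activated/enforced chain."""
    plans = active_plan_status(skus)
    ca = conditional_access_enforcement(ca_policies)
    report = {}
    for control, plan in CONTROLS.items():
        if plan not in plans:
            report[control] = ("not licensed", "capability gap: needs a licence change")
        elif plans[plan] != "Success":
            report[control] = (f"licensed, plan {plans[plan]}", "activate the service plan")
        elif control != "Conditional Access":
            report[control] = ("plan active", "verify policy and onboarding evidence")
        elif ca == "enforced":
            report[control] = ("enforced", "monitor")
        else:
            report[control] = (f"plan active, policies {ca}",
                               "already owned: configuration time only")
    return report


if __name__ == "__main__":
    for control, (state, step) in baseline(SUBSCRIBED_SKUS, CA_POLICIES).items():
        print(f"{control:26} {state:36} {step}")
```

Only Conditional Access is taken past the service-plan level here; the other controls stop at "plan active" because configuration and effectiveness need further evidence such as device onboarding and policy assignment.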

From baseline to a commercial conversation

Here is the reframe that matters. The baseline is not the deliverable. It is the foundation for a commercial conversation, and it points in three directions at once.

  • Optimise what they already own. This is where the immediate trust is won. Defender for Business policies sitting unconfigured, Conditional Access never moved out of report-only, DLP scoped to nothing, audit unverified. You are not selling the client anything new. You are turning on the capability they already paid for, and that is the fastest way to demonstrate value to a sceptical SMB.

  • Establish where they really are. The honest posture today, stated against a framework rather than a feeling. Often the finding is uncomfortable and useful in equal measure: the client is nominally on Business Premium but effectively running Business Standard-level protection, because the security stack was never activated.

  • Map the path forward. Where there is a genuine capability gap, the route is defensible because it is tied to the framework, not to a quota. If the client needs Defender for Identity, Defender for Endpoint Plan 2, or insider risk management, that is the add-on suites, a modest per-user step up rather than a wholesale migration. If they are approaching the 300-user ceiling or need E5-grade controls, that is a different conversation, and now you have the evidence to have it.

There is a world of difference between telling a client "you should upgrade" and telling them "here is the framework maturity tier your organisation needs, here is the gap against where you are today, and here is what you already own to close part of it." The second is advice. The first is a sales pitch, and SMB owners can smell the difference.

This is also what shifting the conversation earlier looks like in practice: "FinOps Shift Left for Microsoft 365". When the baseline reveals what is activated, what is not, and what is missing, you are advising on what to buy and what to switch on before the client commits, grounded in their actual state rather than a generic recommendation. That is a fundamentally different relationship from arriving after the fact to clean up.

Copilot is being folded into the suite

This stopped being a niche concern the moment Microsoft put it at the centre of how partners sell to the SMB. From 1 July 2026, Microsoft 365 Business Standard with Copilot and Business Premium with Copilot become permanent SKUs rather than short-term promotions, and Microsoft is encouraging partners to lead with them as integrated offerings for productivity, AI and security. The base plans remain available standalone for customers who prefer to buy Copilot separately, but the direction is unambiguous. Copilot is being folded into the core Business Premium experience, and the motion is built to carry it into every renewal.

There are now four ways Microsoft sells Copilot into the SMB, and reading them together tells you what the pricing is really doing.

| How Microsoft now sells Copilot to the SMB | Price per user per month | Notes |
| --- | --- | --- |
| Microsoft 365 Copilot Business (standalone) | $18 | After a 15% promotion, extended to 31 December 2026 |
| Business Basic with Copilot Business | $21 | After a 25% promotion, extended to 31 December 2026 |
| Business Standard with Copilot | $23.50 ERP (was $35) | New permanent combined SKU from 1 July 2026 |
| Business Premium with Copilot | $32 ERP (was $43) | New permanent combined SKU from 1 July 2026 |

ERP is estimated retail price, on annual commitment. Partner net pricing differs.

Three moves are hiding in that list. The first is that the bundle is the cheapest way to buy Copilot at all: inside the combined SKUs the effective Copilot uplift is around $10 per user per month, against $18 to $21 to buy it on its own. The second is that the climb up the stack has been engineered to feel almost free. Stepping from Business Basic with Copilot at $21 to Business Standard with Copilot at $23.50 is $2.50, and on the same date the base plans rise, Business Basic from $6 to $7 and Business Standard from $12.50 to $14, while Business Premium holds at $22. The Standard to Premium gap narrows from $9.50 to $8, and the whole SMB base is gently pulled up the ladder. The third is that the one thing that has reliably stalled Copilot in smaller organisations, data governance, is being priced to clear. The Defender Suite and Purview Suite for Business Premium are $10 per user per month each, or $15 combined, and there is currently 50% off the Purview Suite when it is paired with Copilot, running to 1 July 2026. The add-on that resolves the Copilot governance blocker is, for the moment, half price.

The net effect of all three is the same. Average revenue per user goes up. This is the early, SMB-facing phase of the same shift I have written about before, the move from average revenue per user towards average revenue per agent. Microsoft gets customers up the stack and onto Copilot first, and the agents, with the revenue attached to them, come later.

It is tempting to read this as lock-in. It is more accurate to read it as positioning. Microsoft has made the with-Copilot SKU the default the channel leads with, but nothing moves a client onto Copilot on its own. Which clients should be there, and whether a given tenant can carry Copilot safely, is the partner's call, and Microsoft's own guidance on that call is worth reading twice. It tells partners to deploy Copilot on a strong foundation of identity, data protection and compliance, using the same Defender, Entra and Purview the tenant already relies on, and to attach both Business Premium security suites so that AI adoption is secure and compliant from day one. The Copilot sale and the security foundation are one conversation, not two.

This is where the baseline earns its place. Copilot inherits the security posture of the identity that invokes it, so a Business Premium with Copilot deployment is only ever as safe as the Defender, Purview and Entra configuration beneath it, and that configuration has to be activated, not merely licensed. Switching Copilot on over a tenant without a baseline is how you ship oversharing at machine speed.

Every SMB renewal between now and July is an advisory call

The calendar creates urgency, and the temptation is to treat it as a discount scramble. The better response is advisory, and the dates make the case.

  • 1 July 2026. The base plans rise and the gap up to Business Premium narrows, as above. An annual renewal completed before that date locks current pricing for the following twelve months, so every renewal between now and July is a decision point in disguise: lock the rate, settle the Copilot question, and settle the security attach, in a single conversation.

  • 31 December 2026. The Copilot Business promotions, 15% off the standalone and 25% off the Basic bundle, now run to year end rather than expiring in June. That extra runway is the difference between doing this properly, assessment-led, and reaching for a discount at the deadline.

  • Microsoft incentive funding. Microsoft's MCI Copilot funding is up YoY and we expect that to continue into FY27. A well-scoped advisory engagement can be largely self-funding, and when the assessment beneath it is automated rather than hand-built, the economics improve again.

The argument then closes back on itself. The renewal decision, the Copilot go or no-go, the security attach, the funded engagement: all of it rests on one thing, knowing the tenant's real activation state. The baseline is what makes the advisory call credible rather than speculative, and repeatable across a fleet rather than heroic on a single tenant. It is quick enough to run on every renewal in the window, and it turns a price rise the client was dreading into a structured conversation you can lead, fund and scale.

The segment is wide open

The under-300-user market is underserved precisely because the tooling has sat in separate silos, and the MSPs serving it have been left to bridge the gap with scripts, browser tabs, and senior-engineer hours. The partner who can read both posture and licensing in a single pass, at fleet scale, aligned to a recognised framework, turns a recurring chore into recurring revenue and a defensible advisory position that is hard to compete with on price alone.

The baseline was always going to be table stakes. What you do with it, and how quickly you can produce it, is where the value sits. Get the read right, and the commercial conversation writes itself.


Hope this helps.

-softspend team



This analysis is based on publicly available product information, industry research, and direct market experience.

Copyright (2026). softspend limited. All rights reserved.

Published by softspend.com. Microsoft 365 licensing intelligence for partners.

Key Takeaways

This article by Tony Mackelworth, CEO of Softspend, argues that the right way for SMB-focused MSPs to baseline a Microsoft 365 Business Premium tenant's security is not through PowerShell scripts and console-by-console reconciliation, but through a single, licensing-aware read of activation state. Business Premium is the dominant SKU for organisations under 300 users, and its Defender Suite and Purview Suite add-ons now bring E5-grade capability to the SMB price point, yet almost none of that capability is visible from the licence list. The piece sets out a four-level chain, licensed, service plan activated, configured, and effective, to show that holding a licence says nothing about whether a control is switched on or doing anything. It explains why security posture tools and licensing tools have historically sat in separate silos, forcing MSPs to run two reviews and reconcile them by hand, and how Softspend collapses both into one Microsoft Graph read aligned to the CIS Microsoft 365 Foundations Benchmark. The central reframe is commercial: the baseline is not a security audit but the foundation for a commercial conversation, pointing at once to what a client can optimise, where they really stand, and a framework-led path forward. The article ties this to Microsoft's partner-led SMB motion: with Microsoft 365 Business Premium with Copilot becoming a permanent SKU on 1 July 2026, and Microsoft itself advising partners to build Copilot on a strong Defender, Entra and Purview foundation and to attach the Business Premium security suites, the baseline becomes the readiness gate that makes a Business Premium with Copilot deployment secure and turns it into a defensible commercial and renewal conversation. 
The piece reads the SMB price list closely: the with-Copilot SKUs become permanent on 1 July 2026 (Business Premium with Copilot at a $32 estimated retail price), the base plans rise while Business Premium holds at $22 and the step up to it narrows from $9.50 to $8, the Purview Suite is half price when paired with Copilot, and Copilot Business promotions now run to 31 December 2026. The conclusion for partners is timing-driven: every SMB renewal before 1 July is an advisory call, renewing beforehand locks pricing for twelve months, Microsoft MCI Copilot funding (up around 50% year on year for FY26) can make the engagement largely self-funding, and the activation baseline is the engine that makes that conversation credible and repeatable at fleet scale.

Key Facts

  • Microsoft 365 Business Premium has a list price of roughly $22 per user per month and is capped at 300 users, making it the dominant security SKU for SMBs.
  • Business Premium includes Microsoft Entra ID P1 with Conditional Access, Microsoft Defender for Business, Microsoft Defender for Office 365 Plan 1, Microsoft Intune Plan 1, and Microsoft Purview Data Loss Prevention and Information Protection.
  • The Microsoft Defender Suite for Business Premium add-on adds Entra ID P2, Defender for Endpoint Plan 2, Defender for Identity, Defender for Cloud Apps, and Defender for Office 365 Plan 2.
  • The Microsoft Purview Suite for Business Premium add-on adds Insider Risk Management, Communication Compliance, eDiscovery (Premium), Audit (Premium), Customer Key, and records and data lifecycle management.
  • Microsoft introduced the Defender and Purview add-on suites for Business Premium in 2025, extending E5-grade security capability to the SMB price point.
  • The Defender Suite and Purview Suite for Business Premium are priced at $10 per user per month each, or $15 per user per month combined, on annual commitment for up to 300 seats.
  • Microsoft is currently offering 50% off the Purview Suite for Business Premium when it is paired with Copilot, running to 1 July 2026.
  • Microsoft 365 Copilot Business reached general availability for SMBs in December 2025, built for organisations with fewer than 300 users.
  • From 1 July 2026, Microsoft 365 Business Standard with Copilot (estimated retail price $23.50 per user per month, reduced from $35) and Business Premium with Copilot ($32 per user per month, reduced from $43) become permanent SKUs, transitioning from promotional offers as part of a partner-led SMB motion.
  • Microsoft 365 Copilot Business is available standalone at $18 per user per month after a 15% promotion, and Business Basic with Copilot Business at $21 after a 25% promotion, both extended to 31 December 2026.
  • Inside the combined Business with Copilot SKUs, the effective Copilot uplift is around $10 per user per month, against $18 to $21 to buy Copilot Business standalone.
  • Microsoft advises partners to deploy Copilot on a strong foundation of identity, data protection and compliance using Microsoft Defender, Microsoft Entra and Microsoft Purview, and to attach both Business Premium security add-on suites for secure, compliant AI adoption.
  • A Microsoft 365 SKU is a bundle of service plans, each of which can be enabled or disabled in the tenant, so holding a licence does not mean the underlying control is activated.
  • Security readiness can be assessed across four distinct states: licensed, service plan activated, configured, and effective.
  • Microsoft Defender for Business does not support mixed licensing; a tenant holding both Defender for Business and Defender for Endpoint Plan 2 defaults to the Defender for Business experience for all users.
  • The CIS Microsoft 365 Foundations Benchmark provides Level 1 and Level 2 hardening profiles and is a recognised, vendor-neutral baseline standard.
  • On 1 July 2026, Microsoft 365 Business Basic rises from $6 to $7 and Business Standard from $12.50 to $14 per user per month, while Business Premium holds at $22, narrowing the Standard-to-Premium gap from $9.50 to $8.
  • Annual Microsoft 365 renewals completed before 1 July 2026 lock current pricing for the following twelve-month term.
  • Microsoft's MCI Copilot partner funding is up approximately 50% year on year for FY26, allowing a well-scoped advisory engagement to be largely self-funding.
  • Softspend connects to a tenant through the Microsoft Graph with delegated read-only access and returns licensed-versus-activated state across Defender and Purview at feature level in effectively one click, without scripting.

Sources

  • https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/m365b-security-overview
  • https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/add-defender-suite-business-premium
  • https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/m365bp-security-faq
  • https://techcommunity.microsoft.com/blog/microsoft-365blog/introducing-new-security-and-compliance-add-ons-for-microsoft-365-business/4212051
  • https://partner.microsoft.com/en-gb/blog/article/partner-led-smb-m365-copilot
  • https://learn.microsoft.com/en-us/partner-center/announcements/2026-june
  • https://www.microsoft.com/en-us/microsoft-365/blog/2025/12/04/advancing-microsoft-365-new-capabilities-and-pricing-update/
  • https://www.cisecurity.org/benchmark/microsoft_365
  • https://learn.microsoft.com/en-us/compliance/regulatory/offering-cis-benchmark