Microsoft's power play

Microsoft is leveraging the dominant position of Office 365 to influence enterprise computing decisions outside its productivity suite. This impacts customers of Unified Endpoint Management (UEM) solutions, limiting their vendor choice and increasing Microsoft lock-in.

In this blog, I will lay out:

  • A view of Microsoft’s overall strategy.
  • Two examples (app protection and conditional access) of Microsoft using the dominance of Office 365 to try to force adoption of its own UEM solution.
  • What to do next to convince Microsoft to open up conditional access for integration with the UEM ecosystem.

Microsoft’s strategy

Microsoft has a dominant position in the enterprise productivity and identity categories. Almost all MobileIron enterprise customers used Exchange, Microsoft Office, and Active Directory on-premises and are now in the process of moving to Office 365 and Azure Active Directory (Azure AD). Office 365 has been a tremendous success for Microsoft, and there is no feasible alternative for most enterprise customers.

However, Microsoft is also using Office 365 to try to force customers to use other Microsoft products over best-in-class solutions.

In the UEM industry, Microsoft is telling customers that they must use Microsoft’s UEM solution, Intune, if they want to access certain important features of Office 365 and Azure AD. Since most large enterprises have already chosen a best-in-class UEM solution, Microsoft is trying to deprive them of UEM choice and force them to migrate to Intune by blocking them if they don’t.

App protection and conditional access for Office 365 are two examples, described below, of Microsoft’s block-and-lock strategy. Microsoft eventually opened up app protection to the UEM ecosystem but has not done so for conditional access.

App protection for Office 365

Around 2015, Microsoft released a set of proprietary security controls for Office 365 mobile apps, such as disabling copy/paste. These controls were set through a UEM policy. However, Microsoft only made these controls available to its own UEM solution, Intune.

Microsoft then told customers they needed to switch from their chosen UEM solution to Intune in order to secure Office apps. Microsoft was trying to force adoption of Intune by blocking other UEM solutions from accessing the Office 365 app protection controls.

Microsoft’s strategy was outlined in a March 31, 2015 Infoworld article (see here) titled “Office 365’s hidden agenda: Dump your MDM provider for Microsoft.“MDM” stands for “mobile device management,” the original name for the industry that later evolved to enterprise mobility management (EMM), and now to unified endpoint management (UEM).

The Infoworld article described Microsoft’s “explicit strategy to tie Office management to Intune” and asked “Will Office hegemony replace Microsoft's Windows hegemony?

It concluded that these actions were “actually a ploy by Microsoft to get you to abandon your existing MDM provider in favor of Microsoft's own Intune. In essence, Office is being used as a weapon to eliminate Microsoft's MDM competitors.”

Customers did not like Microsoft’s approach. They understood that this was a block-and-lock strategy to reduce their UEM choice, and they demanded that Microsoft open up to the UEM ecosystem.

After substantial market pressure and likely recognizing exposure from its anticompetitive practice, Microsoft finally changed its strategy and opened up these Office 365 app protection interfaces in January 2017 as beta and then in January 2018 as production.

Conditional access for Office 365

Microsoft is following the same block-and-lock strategy today with conditional access for Office 365. Azure AD has a “flag” that a UEM solution can set to indicate whether a device is compliant. If the device is not compliant, Microsoft blocks Office 365 services to that device.

Any UEM solution can set this flag for Windows 10 devices. But Microsoft only lets its own UEM solution, Intune, set this flag for Android, iOS, and macOS devices. Microsoft’s message to the customer is that if you want conditional access for Office 365 through Azure AD, you must give up your chosen UEM solution and instead use Microsoft.

Microsoft’s purported justification is that conditional access is an “inner loop” service that will not be opened to the UEM ecosystem because it would compromise user experience and Microsoft’s own telemetry. Ironically, conditional access is actually open to the UEM ecosystem for Windows 10 and was also open for other operating systems until Microsoft closed it for what it claimed were security reasons in late 2018.

This closed approach to conditional access increases customers’ Microsoft lock-in, reduces their UEM choice, and forces them to spend money on unnecessary migration projects. It also forces them to sacrifice best-in-class UEM capabilities.

What to do next

Customers want Microsoft to change its strategy. They ask us how they should communicate their requirements to the right people.

Who: Customer communications should go to the executive vice president (EVP) and corporate vice president (CVP) levels in the Experiences and Devices division of Microsoft, plus to the company’s CEO.

What: Microsoft should open up the conditional access capability of Azure AD to the UEM ecosystem across all operating systems. UEM solutions should be able to trigger Microsoft’s conditional access when a device is not compliant.

Why: Customers want to choose the best-in-class UEM solution for their needs. Their choice should not be limited by closed Office 365 and Azure AD interfaces. Opening up these interfaces to the UEM ecosystem will also speed deployment of Microsoft services and adoption of Microsoft’s conditional access framework. It’s a win for customers, Microsoft, and the UEM ecosystem.

Enterprise customers are demanding this openness. UEM providers like MobileIron are willing to invest the resources to support this integration. The industry needs Microsoft to take an open approach to conditional access. Microsoft should not use the dominant position of Office 365 to force adoption of other Microsoft services.  

Customer pressure helped persuade Microsoft to open up Office 365 app protection. We hope the same will happen for conditional access and that Microsoft will commit to supporting customer choice instead of trying to block the UEM ecosystem.