# Cascades of Tucson — Defender Licensing Audit

**Date:** 2026-04-21 (UTC)
**Tenant:** cascadestucson.com (`207fa277-e9d8-4eb7-ada1-1064d2221498`)
**Requested by:** Howard Enos
**Question:** Is Cascades paying for Defender via their existing license SKUs?

---

## TL;DR

**Yes — but it's not reaching any end users.**

Cascades has purchased **34 seats of Microsoft 365 Business Premium (SPB)** which bundles Defender for Business (MDE_SMB) + Defender for Office 365 Plan 1 (ATP_ENTERPRISE). **Only 1 of those 34 seats is assigned**, and it's on a service account (`MDMS@`). The other 32 real users are still pinned to the older **Business Standard** subscription, which is now in **warning/grace state** (expiring) and includes **no Defender at all**.

This looks like a stalled/forgotten license migration. The purchase order covered the whole org; the assignment step never happened.

---

## Subscribed SKUs (what Cascades is paying for)

| Part Number | Friendly Name | Seats (enabled) | Consumed | State | Notes |
|---|---|---|---|---|---|
| **SPB** | Microsoft 365 Business Premium | **34** | **1** | Enabled | Includes **MDE_SMB** (Defender for Business) + **ATP_ENTERPRISE** (Defender for O365 P1) |
| **O365_BUSINESS_PREMIUM** | Microsoft 365 Business Standard (legacy name) | 0 (warning: 34) | 32 | **Warning / grace** | **No Defender.** Past-due subscription, ~30-day grace window |
| **EXCHANGE_S_ESSENTIALS** | Exchange Essentials | 0 (suspended: 24) | 6 | **Suspended** | Old — 6 stale assignments |
| **AAD_PREMIUM_P2** | Entra ID P2 | 1 | 0 | Enabled | Paid for, nobody assigned |
| **FLOW_FREE** | Power Automate Free | 10000 | 3 | Enabled | Free — not billed |
| **STREAM** | Stream | 1000000 | 0 | Enabled | Free — not billed |

## Defender service plans inside SPB

Verified via Graph `/subscribedSkus` service plan list:

- `MDE_SMB` — Defender for Business (endpoint AV/EDR) — provisioning: Success
- `ATP_ENTERPRISE` — Defender for Office 365 Plan 1 (Safe Links / Safe Attachments / anti-phish) — provisioning: Success

Business Standard (`O365_BUSINESS_PREMIUM`) contains **zero** Defender service plans.

## License assignments

**SPB (Business Premium — includes Defender):** 1 assignee

- `MDMS@cascadestucson.com` (MDMS Service Account — created 2026-04-19 by Howard for MDM)

**Business Standard (NO Defender, expiring):** 32 active users

- All 32 real end-users (Meredith Kuhn, John Trozzi, Accounting, Front Desk, HR, etc.)

**Entra ID P2:** 0 assignees (paid seat sitting unused)

## What this means

1. **Cascades already owns enough Business Premium seats (34) for their whole user base.** No new purchase needed to give every user Defender.
2. **The Business Standard subscription is in `warning` state — it's past due and will suspend, then deprovision.** When it does, those 32 users lose mail, Office, Teams, everything — not just the missing Defender.
3. **Action is urgent regardless of the Defender question**: the right move is to migrate the 32 users off the expiring Business Standard onto the Business Premium seats that are already paid for and sitting idle. That simultaneously:
   - Prevents loss of service when Business Standard drops
   - Activates Defender for Business + MDO P1 across the org
   - Gets Intune/Conditional Access coverage (also in SPB)
4. **Entra ID P2 seat (1)** — recommend assigning to an admin account (sysadmin@ or similar) so Identity Protection / PIM features are usable.

## Recommended next steps (not executed — read-only audit)

- [ ] Migrate 32 active users from Business Standard → Business Premium via CIPP or admin center
- [ ] Verify Business Standard subscription renewal state with Meredith — is the grace state intentional (cutover) or missed renewal?
- [ ] Assign the idle Entra P2 seat to an admin account
- [ ] Clean up 6 Exchange Essentials stale assignments (suspended subscription)
- [ ] Once SPB is broadly assigned, enable Defender for Business onboarding (MDE_SMB) + confirm MDO P1 anti-phish policies are pointed at all users

## Data source

- Graph API `/subscribedSkus` and `/users?$select=assignedLicenses` via the legacy `claude-msp-access-graph-api` app (client `fabb3421-...`).
- Raw JSON artifacts: `/tmp/cascades-licenses/skus.json`, `/tmp/cascades-licenses/users.json`.
- Note: the newer tiered `investigator` app is not yet wired into the SOPS vault (see separate note to Mike).
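
The coverage check behind this audit, as an added example (not the tooling used for the audit itself): it takes the two Graph responses named under Data source and reports which SKUs carry provisioned Defender plans, how many paid seats sit idle, and which licensed users have no effective Defender plan, including the case where the SKU is assigned but its Defender plans are disabled. The sample data, ids and UPNs are constructed placeholders; field names follow the Graph `subscribedSku` and `assignedLicense` resources.

```python
DEFENDER_PLANS = {"MDE_SMB", "ATP_ENTERPRISE"}  # service plan names from the audit

# Constructed sample shaped like /subscribedSkus and /users?$select=assignedLicenses (placeholder ids).
SKUS = {"value": [
    {"skuId": "sku-spb", "skuPartNumber": "SPB", "capabilityStatus": "Enabled",
     "consumedUnits": 1, "prepaidUnits": {"enabled": 34, "warning": 0, "suspended": 0},
     "servicePlans": [
         {"servicePlanId": "plan-mde", "servicePlanName": "MDE_SMB", "provisioningStatus": "Success"},
         {"servicePlanId": "plan-mdo", "servicePlanName": "ATP_ENTERPRISE", "provisioningStatus": "Success"}]},
    {"skuId": "sku-std", "skuPartNumber": "O365_BUSINESS_PREMIUM", "capabilityStatus": "Warning",
     "consumedUnits": 32, "prepaidUnits": {"enabled": 0, "warning": 34, "suspended": 0},
     "servicePlans": [
         {"servicePlanId": "plan-exo", "servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"}]},
]}
USERS = {"value": [
    {"userPrincipalName": "svc@example.test", "assignedLicenses": [{"skuId": "sku-spb", "disabledPlans": []}]},
    {"userPrincipalName": "user1@example.test", "assignedLicenses": [{"skuId": "sku-std", "disabledPlans": []}]},
    {"userPrincipalName": "user2@example.test", "assignedLicenses": [
        {"skuId": "sku-spb", "disabledPlans": ["plan-mde", "plan-mdo"]}]},  # SKU assigned, Defender off
    {"userPrincipalName": "unlicensed@example.test", "assignedLicenses": []},
]}

def defender_skus(skus):
    """Map skuId -> {servicePlanId: name} for Defender plans provisioned in that SKU."""
    out = {}
    for sku in skus["value"]:
        plans = {p["servicePlanId"]: p["servicePlanName"] for p in sku["servicePlans"]
                 if p["servicePlanName"] in DEFENDER_PLANS and p["provisioningStatus"] == "Success"}
        if plans:
            out[sku["skuId"]] = plans
    return out

def idle_seats(skus):
    """Paid-but-unassigned seats for each Defender-bearing SKU, keyed by part number."""
    covered = defender_skus(skus)
    return {s["skuPartNumber"]: s["prepaidUnits"]["enabled"] - s["consumedUnits"]
            for s in skus["value"] if s["skuId"] in covered}

def users_without_defender(skus, users):
    """Licensed users with no effective Defender plan (none assigned, or all disabled)."""
    covered = defender_skus(skus)
    missing = []
    for u in users["value"]:
        lic = u["assignedLicenses"]
        # disabledPlans lists servicePlanIds switched off on that user's assignment
        effective = {pid for l in lic for pid in covered.get(l["skuId"], {})
                     if pid not in l.get("disabledPlans", [])}
        if lic and not effective:
            missing.append(u["userPrincipalName"])
    return sorted(missing)
```

To run it against the real artifacts, load `skus.json` and `users.json` with `json.load` and pass them in place of the samples.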