claudetools/clients/cascades-tucson/reports/2026-04-21-defender-license-audit.md
Howard Enos 347b2d30a9 sync: auto-sync from HOWARD-HOME at 2026-04-21 18:50:48
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-21 18:50:48
2026-04-21 18:50:52 -07:00

Cascades of Tucson — Defender Licensing Audit

Date: 2026-04-21 (UTC)
Tenant: cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)
Requested by: Howard Enos
Question: Is Cascades paying for Defender via their existing license SKUs?


TL;DR

Yes — but it's not reaching any end users. Cascades has purchased 34 seats of Microsoft 365 Business Premium (SPB) which bundles Defender for Business (MDE_SMB) + Defender for Office 365 Plan 1 (ATP_ENTERPRISE). Only 1 of those 34 seats is assigned, and it's on a service account (MDMS@). The other 32 real users are still pinned to the older Business Standard subscription, which is now in warning/grace state (expiring) and includes no Defender at all.

This looks like a stalled/forgotten license migration. The purchase order covered the whole org; the assignment step never happened.


Subscribed SKUs (what Cascades is paying for)

| Part Number | Friendly Name | Seats (enabled) | Consumed | State | Notes |
|---|---|---|---|---|---|
| SPB | Microsoft 365 Business Premium | 34 | 1 | Enabled | Includes MDE_SMB (Defender for Business) + ATP_ENTERPRISE (Defender for O365 P1) |
| O365_BUSINESS_PREMIUM | Microsoft 365 Business Standard (legacy name) | 0 (warning: 34) | 32 | Warning / grace | No Defender. Past-due subscription, ~30-day grace window |
| EXCHANGE_S_ESSENTIALS | Exchange Essentials | 0 (suspended: 24) | 6 | Suspended | Old — 6 stale assignments |
| AAD_PREMIUM_P2 | Entra ID P2 | 1 | 0 | Enabled | Paid for, nobody assigned |
| FLOW_FREE | Power Automate Free | 10000 | 3 | Enabled | Free — not billed |
| STREAM | Stream | 1000000 | 0 | Enabled | Free — not billed |

Defender service plans inside SPB

Verified via Graph /subscribedSkus service plan list:

  • MDE_SMB — Defender for Business (endpoint AV/EDR) — provisioning: Success
  • ATP_ENTERPRISE — Defender for Office 365 Plan 1 (Safe Links / Safe Attachments / anti-phish) — provisioning: Success

Business Standard (O365_BUSINESS_PREMIUM) contains zero Defender service plans.

License assignments

SPB (Business Premium — includes Defender): 1 assignee

  • MDMS@cascadestucson.com (MDMS Service Account — created 2026-04-19 by Howard for MDM)

Business Standard (NO Defender, expiring): 32 active users

  • All 32 real end-users (Meredith Kuhn, John Trozzi, Accounting, Front Desk, HR, etc.)

Entra ID P2: 0 assignees (paid seat sitting unused)

What this means

  1. Cascades already owns enough Business Premium seats (34) for their whole user base. No new purchase needed to give every user Defender.
  2. The Business Standard subscription is in warning state — it's past due and will suspend, then deprovision. When it does, those 32 users lose mail, Office, Teams, everything — not just the missing Defender.
  3. Action is urgent regardless of the Defender question: the right move is to migrate the 32 users off the expiring Business Standard onto the Business Premium seats that are already paid for and sitting idle. That simultaneously:
    • Prevents loss of service when Business Standard drops
    • Activates Defender for Business + MDO P1 across the org
    • Gets Intune/Conditional Access coverage (also in SPB)
  4. Entra ID P2 seat (1) — recommend assigning to an admin account (sysadmin@ or similar) so Identity Protection / PIM features are usable.

  • Migrate 32 active users from Business Standard → Business Premium via CIPP or admin center
  • Verify Business Standard subscription renewal state with Meredith — is the grace state intentional (cutover) or missed renewal?
  • Assign the idle Entra P2 seat to an admin account
  • Clean up 6 Exchange Essentials stale assignments (suspended subscription)
  • Once SPB is broadly assigned, enable Defender for Business onboarding (MDE_SMB) + confirm MDO P1 anti-phish policies are pointed at all users

Data source

  • Graph API /subscribedSkus and /users?$select=assignedLicenses via the legacy claude-msp-access-graph-api app (client fabb3421-...).
  • Raw JSON artifacts: /tmp/cascades-licenses/skus.json, /tmp/cascades-licenses/users.json.
  • Note: the newer tiered investigator app is not yet wired into the SOPS vault (see separate note to Mike).
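
The cross-check described under "Data source", as an added example (not the script used for this report): it joins the two Graph responses to show which users actually have a Defender plan in effect, including the case where a seat is assigned but the plan is listed in that user's disabledPlans. All IDs and UPNs are constructed placeholders, the function names are hypothetical, and the inline data stands in for skus.json and users.json.

```python
# Added example. Input shapes follow Graph /subscribedSkus and
# /users?$select=userPrincipalName,assignedLicenses.
# Every ID and UPN below is a constructed placeholder, not tenant data.
DEFENDER_PLANS = {"MDE_SMB", "ATP_ENTERPRISE"}  # plan names from the report

def _plan(pid, name):  # helper that builds one servicePlans entry
    return {"servicePlanId": pid, "servicePlanName": name, "provisioningStatus": "Success"}

SKUS = [  # constructed sample, trimmed to the fields used
    {"skuId": "sku-spb", "skuPartNumber": "SPB", "consumedUnits": 2,
     "prepaidUnits": {"enabled": 34, "warning": 0},
     "servicePlans": [_plan("plan-mde", "MDE_SMB"), _plan("plan-atp", "ATP_ENTERPRISE")]},
    {"skuId": "sku-std", "skuPartNumber": "O365_BUSINESS_PREMIUM", "consumedUnits": 1,
     "prepaidUnits": {"enabled": 0, "warning": 34},
     "servicePlans": [_plan("plan-exo", "EXCHANGE_S_STANDARD")]},
]
USERS = [  # constructed sample
    {"userPrincipalName": "svc@example.test", "assignedLicenses": [{"skuId": "sku-spb", "disabledPlans": []}]},
    {"userPrincipalName": "user1@example.test", "assignedLicenses": [{"skuId": "sku-std", "disabledPlans": []}]},
    # SPB seat with the endpoint plan switched off for this user
    {"userPrincipalName": "user2@example.test", "assignedLicenses": [{"skuId": "sku-spb", "disabledPlans": ["plan-mde"]}]},
    {"userPrincipalName": "user3@example.test", "assignedLicenses": []},
]

def defender_plans_by_sku(skus):
    """skuId -> {servicePlanId: name} for Defender plans that provisioned."""
    return {s["skuId"]: {p["servicePlanId"]: p["servicePlanName"]
                         for p in s["servicePlans"]
                         if p["servicePlanName"] in DEFENDER_PLANS
                         and p["provisioningStatus"] == "Success"}
            for s in skus}

def user_coverage(skus, users):
    """upn -> sorted Defender plans in effect, honouring per-user disabledPlans."""
    by_sku = defender_plans_by_sku(skus)
    cover = {}
    for u in users:
        active = set()
        for lic in u.get("assignedLicenses", []):
            off = set(lic.get("disabledPlans", []))
            active |= {n for pid, n in by_sku.get(lic["skuId"], {}).items() if pid not in off}
        cover[u["userPrincipalName"]] = sorted(active)
    return cover

def idle_defender_seats(skus):
    """partNumber -> enabled minus consumed, for SKUs that carry a Defender plan."""
    by_sku = defender_plans_by_sku(skus)
    return {s["skuPartNumber"]: s["prepaidUnits"]["enabled"] - s["consumedUnits"]
            for s in skus if by_sku[s["skuId"]]}
```

Users whose coverage list is empty are the ones to move onto the seats reported by idle_defender_seats; a partial list flags a seat where a plan was disabled per user.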