M365 Workspace & Access Policy
Document Number: ISMS-POL-M365-01
Classification: L1 — Policy (Domain)
Version: 0.3.0
Effective Date: March 1, 2026
Author: Lucas Shin — Security Director
Approved By: Richard — CISO
Next Review Date: February 2027
Parent Policy: Information Security Policy (ISMS-POL-ISP-01)
1. Purpose
This policy defines the access control, data classification, and security control structure for Cybercraft within the Microsoft 365 environment.
It establishes how the M365 platform structure — specifically licence tiers, Teams team/channel membership, and Entra ID configuration — serves as the primary mechanism for implementing information security controls.
1.1 Design Principle: Platform = Policy
This policy is built on the principle established in the Information Security Policy (L1 Master):
2. Scope
2.1 Applicable Systems
- Microsoft 365 tenant operated by Cybercraft
- All Teams teams, channels, and SharePoint sites within the tenant
- Entra ID identity and access management
- Cross-tenant relationships with Techtype and HVT
2.2 Applicable Users
- All Cybercraft personnel (employees, contractors, trusted guests)
- All users with a Cybercraft Entra ID account, regardless of licence tier
- External collaboration partners (Level 3 — guest accounts)
2.3 Out of Scope
- Client tenant configurations (covered by consulting engagement deliverables)
- Non-M365 SaaS tools (covered under P5 Supplier & Third-Party Security Policy (ISMS-POL-STP-01))
3. Data Classification
3.1 Classification Scheme — Two Levels
Cybercraft adopts a two-level data classification scheme. This is a deliberate design decision based on the principle that classification must be enforceable by platform structure, not dependent on user judgement.
| Classification | Definition | Location | Examples |
|---|---|---|---|
| Confidential | Data whose unauthorised disclosure would cause serious harm to Cybercraft, its clients, or partners | Team type dependent — see §5.3. Internal Only teams: Standard Channel. Internal Mixed teams: Private Channel. External teams: not placed (use Confidential External Sharing procedure) | Client engagement data, contracts, audit materials, financial records, internal strategy, credentials |
| General | All other business data | Standard Channels | Meeting notes, general work documents, internal communications, marketing materials, published content |
3.2 Classification Principles
- "Where it is" = "What it is" — Data classification is determined by its location in the Teams channel structure. The applicable rule depends on team type (see §5.3): in Internal Only teams, all Standard Channel data may be Confidential; in Internal Mixed teams, Private Channel = Confidential, Standard Channel = General.
- No user-level classification decisions — Users are not required to assess or label individual documents. The channel structure enforces classification automatically.
- No Sensitivity Labels — Microsoft Purview Sensitivity Labels are not deployed. For a 3–5 person SMB, label-based classification creates user burden without proportionate benefit. This decision will be reviewed if Cybercraft exceeds 10 personnel or if client contracts require it.
- Confidential data placement follows team type rules — In Internal Mixed or External Collaboration teams, Confidential data shall not be placed in Standard Channels. In Internal Only teams (all Level 1), Standard Channels may contain Confidential data. Violation of the applicable rule constitutes a security incident.
3.3 External Sharing
- General data: Can be shared externally via email attachment or by inviting the recipient as a Guest to a Teams channel (Security Director approval required for Guest invitation — see §5.4)
- Confidential data: External sharing requires the Confidential External Sharing Procedure (see §5.4 and M365 Operations Procedure ISMS-PROC-M365-01). Security Director approval mandatory
- No SPO sharing links: "Specific People" and "Anyone" sharing link types are disabled by the tenant-level external sharing setting. This eliminates the risk of uncontrolled external sharing link creation
- Review trigger: If business requirements change, this setting can be relaxed to "Existing guests only" with CISO approval and documented risk acceptance
4. Licence Tier Structure
4.1 Licence Tiers — Service Access Matrix
Six licence tiers are available (Exchange Only, Teams Essentials, Email+Teams, M365 Basic, M365 Standard, M365 Premium), each providing a different combination of Exchange, Teams, SharePoint/OneDrive, Office apps, and security controls (CA, Intune, Defender). Security-relevant features (CA, Intune, Defender) are Premium-only.
Full licence-service matrix: See ISMS-CONF-M365-01 §2.1. Note: Email+Teams ($8) is not recommended — use M365 Basic ($7) instead.
4.2 Prohibited SKU: Business Standard
Security rationale: Standard includes desktop Office app licences but does not include Entra ID P1 (Conditional Access). This means desktop app sign-in cannot be controlled by CA — creating an unmanaged access path that bypasses the "Platform = Policy" data control model.
Cost rationale: Standard ($14) + Entra ID P1 add-on ($7) = $21/user/month — only $1 less than Premium ($22), which additionally includes Intune, Defender for Business, and the full security stack.
Design principle: Users who do not need desktop apps → Business Basic + P1. Users who need desktop apps → Business Premium. Standard occupies a middle ground that only creates a security gap.
4.3 Licence Assignment Principle
Add-on guidance:
- Entra ID P1 add-on ($7/user) with Business Basic is the standard configuration for Level 2 users (Basic $7 + P1 $7 = $14/user/month). This is required for CA-based data control (see §6.3).
- Combining add-ons with Business Standard is not recommended: Standard ($14) + Intune ($8) = $22 vs Premium ($22) = identical cost, but Premium additionally includes Defender and the full security stack.
- If full technical controls are needed beyond CA, Premium is the only cost-effective option.
4.4 Teams File Access — Case-by-Case Definition
File access behaviour differs by access path (Teams Files tab, SharePoint direct access, Private Channel) and licence tier, and is defined case by case. Key distinctions: Teams Essentials/Email+Teams have limited edit capability; SharePoint licence features (full editing, OneDrive, DLP) require Basic or above; Private Channel access is member-controlled across all tiers.
Full file access case matrix: See ISMS-CONF-M365-01 §2.2
5. Teams Structure & Access Control
5.1 Access Control Tiers — Based on Trust Model
Cybercraft's Teams access control follows a three-tier trust model:
| Level | Definition | Entra ID Status | Information Access | Recommended Licence |
|---|---|---|---|---|
| Level 1 — Internal | Cybercraft directors and employees. Full trust. Devices managed by ADUE (macOS) or MAM/Full MDM (Windows). | Member | Full Access — all teams and channels (including Private Channels as assigned). SPO/ODB direct access permitted (compliant device). | Premium |
| Level 2 — Trusted Guest | Trusted external personnel with ongoing business relationship (e.g., CISO, contracted specialists). Bring own device. Attest to minimum viable controls. | Member | Channel-Scoped — multiple teams and channels as required by role. SPO access limited to Teams membership scope. Session Control restricts download/sync/print on unmanaged devices. | Basic + P1 |
| Level 3 — Collaboration Partner | External parties with limited engagement scope (clients, suppliers, project-based collaborators). | External Guest (#EXT#) | Guest — dedicated external collaboration team only. MFA required (CA-Permit-Guest-MFA). Access scoped to channel membership within the dedicated team. | No Cybercraft licence (Guest) |
5.2 Channel Types and Guardrail Principles
Cybercraft adopts a guardrail approach to Teams channel governance: the policy defines channel type principles and data classification rules; specific channel structures are determined by Team Owners based on business need.
Channel Type Definitions
| Channel Type | Data Classification | Membership | Guest Access | SharePoint |
|---|---|---|---|---|
| Private | Confidential + Internal | Owner-controlled — only explicitly added members can access | ❌ Not permitted | Separate SharePoint site (auto-created) |
| Standard | Team type dependent (see §5.3) | All team members (including Guests if present in the team) | Visible to Guests if they are team members | Team default SharePoint site |
| Shared | — | B2B Direct Connect | N/A (no Guest account created) | Separate SharePoint site |
Shared Channels: Currently not in use at Cybercraft (B2B Direct Connect not configured). Reserved as a future option for cross-tenant collaboration without Guest account creation.
Channel Governance Principles
- Channel type = data classification guardrail. The channel type determines what data classification is permitted within it. Users follow channel-type rules rather than making per-file classification decisions.
- Team Owners control channel structure. Owners create channels based on business need within the guardrail framework. Security Director provides guidance; prescriptive channel lists are not mandated.
- Team and channel creation restricted. Team creation requires Security Director approval. Channel creation is restricted to Team Owner role.
- Guest invitation authority. Only Security Director holds the Guest Inviter role in Entra ID. General members cannot invite Guests.
- File sync is prohibited by default. OneDrive sync to local devices is not permitted for unmanaged devices (enforced by CA-Restrict-SPO-Unmanaged Session Control). ADUE-managed devices (macOS Premium) may sync within the Managed Volume.
5.3 Team Operational Model
Channel type rules vary based on the team's composition and purpose:
| Team Type | Guest | Private Channel | Standard Channel Classification | Confidential Data Location |
|---|---|---|---|---|
| Internal Only (all members are Level 1 leadership — current Cybercraft) | ❌ | ❌ Not required | Up to Confidential | Standard Channel |
| Internal Mixed (Level 1 + Level 2 members) | ❌ | ✅ Primary work channel | Internal / General | Private Channel |
| External Collaboration (Guest members present) | ✅ | Optional (for internal-only discussions) | General only | Not placed in this team |
| Confidential External Sharing (per-engagement) | ✅ | ❌ | Confidential (via procedure) | Standard Channel (controlled via M365 Operations Procedure ISMS-PROC-M365-01) |
Owner Structure
- Current Owners: Farah Herbert (CEO), Lucas Shin (Security Director), Richard Williams (CISO)
- SMB initial scale — a 3-person Owner structure is appropriate. ISO 27001 A.5.3 (segregation of duties) is compensated for by audit logging.
- Expansion rules: External Guests = Member only (never Owner). General employees = Member by default. Owner promotion requires Security Director or CISO approval.
5.4 Guest Governance and External Sharing
Guest Access Principles
- Guest invitation: Security Director only (Entra ID Guest Inviter role). General members cannot invite Guests.
- Guest CA policy: CA-Permit-Guest-MFA — MFA required. Native app access permitted (Teams, Outlook). Access scoped to teams/channels where Guest is a member.
- Guest lifecycle: External collaboration teams are created per engagement or per client. Guests are removed and teams archived upon engagement completion. Quarterly Guest review mandatory.
- Guest deletion verification: Before deleting a Guest account, check Entra ID Assignments tab + SharePoint Admin Guest Access Report to confirm no residual access dependencies.
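The quarterly Guest review and the pre-deletion dependency check described above can be evidenced with a script rather than by clicking through the Entra ID Assignments tab per account. The following is an added example, not part of the policy document or Cybercraft's own tooling; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, that it is run from the Security Director's admin account (§7.2), and the CSV output path is a placeholder.

```powershell
# Added example: quarterly Guest review + pre-deletion dependency check (§5.4).
# Requires the Microsoft.Graph module; run from the dedicated admin account.
Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All","Directory.Read.All" -NoWelcome

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,UserPrincipalName,CreatedDateTime

$report = foreach ($guest in $guests) {
    # Every Microsoft 365 group (= Team) the guest belongs to is a residual
    # access dependency that must be removed before the account is deleted.
    $teams = Get-MgUserMemberOf -UserId $guest.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    $teams = @($teams)

    [pscustomobject]@{
        Guest       = $guest.UserPrincipalName
        Mail        = $guest.Mail
        Created     = $guest.CreatedDateTime
        Teams       = ($teams -join '; ')
        TeamCount   = $teams.Count
        # A guest with no remaining team membership has no reason to stay in the tenant;
        # a guest with memberships needs the engagement owner to confirm it is still active.
        Disposition = if ($teams.Count -eq 0) { 'Remove - no team membership' }
                      else { 'Confirm engagement still active' }
    }
}

$report | Sort-Object TeamCount | Format-Table -AutoSize
# The export is the audit evidence for the quarterly review (§8.1); path is a placeholder.
$report | Export-Csv -Path ".\GuestReview-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

The script covers the Entra ID side of the check (group/team memberships). The SharePoint Admin Guest Access Report named in the policy is a separate report and still needs to be consulted for per-item sharing, even though sharing links are disabled tenant-wide (§3.3).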
SPO/ODB External Sharing Policy
- SharePoint/OneDrive external sharing is set to "Only people in your organization" at tenant level. This setting eliminates the risk of external sharing link creation by any user
- If business requirements change, this can be relaxed to "Existing guests only" with CISO approval
- Current 3-person team: no immediate operational impact. Setting takes effect when general members join
Confidential External Sharing
When Confidential data must be shared with external parties, the Confidential External Sharing Procedure (defined in M365 Operations Procedure ISMS-PROC-M365-01) must be followed. This involves creating a dedicated per-engagement team with controlled Guest access. Direct SPO link sharing is not available due to the "Only people in your organization" setting.
6. Security Controls by Licence Tier
Security Control Architecture — Quick Reference
Three approved SKU configurations map to specific security control sets across platforms. Business Standard is prohibited (see §4.2).
Full SKU-to-control mapping table: See ISMS-CONF-M365-01 §3.1
Key principle: No desktop apps needed → Basic + P1. Desktop apps needed → Premium. There is no middle ground (Standard prohibited).
SKU decision flowchart: See Annex A, Figure 1.
CA Access Control Overview
The 3-policy CA structure evaluates access requests in the following logical flow — see Annex A, Figure 2.
For the detailed flowchart (platform-specific branches, including technical conditions), see the Access Control & Data Protection Procedure (ISMS-PROC-BYOD-03) §2.3.
6.1 Premium Users — Technical Controls
Premium licence includes Entra ID P1 (Conditional Access) + Intune + Defender as a bundle.
Conditional Access (CA) — 3-Policy Structure:
- CA-Require-AllApps-CompliantOrAPP — Require Compliant Device OR Require APP (macOS: ADUE compliant; Windows: Edge APP)
- CA-Restrict-SPO-Unmanaged — Session Control for SPO/ODB: download/sync/print blocked on unmanaged devices
- CA-Permit-Guest-MFA — External Guests (#EXT#): MFA required, access scoped to channel membership
Application Protection — by Platform: iOS/Android (MAM APP — full DLP including copy/paste block), Windows (MAM Edge only — org data protection), macOS (ADUE — OS-level Managed Volume isolation, no APP).
Defender for Business: Endpoint threat protection, anti-malware, web filtering, vulnerability management on enrolled devices.
Detailed platform protection matrix: See ISMS-CONF-M365-01 §3.2
6.2 Level 2 — Trusted Guest Controls (Basic + P1)
Level 2 users are assigned Business Basic + Entra ID P1 add-on ($14/user/month). This provides Conditional Access for data control but does not include Intune, MAM, ADUE, or Defender.
Technical control — Conditional Access (via P1 add-on):
- CA-Require-AllApps-CompliantOrAPP — Level 2 users without Intune enrolment or APP cannot satisfy the compliant/APP grant → access restricted to basic browser sessions
- CA-Restrict-SPO-Unmanaged — Session Control blocks download/sync/print on unmanaged devices → browser-only viewing
- SPO site permissions (= Teams membership) — automatically limits which SharePoint sites a user can access; non-members denied even with direct URL
- Security Defaults — MFA enforced for all sign-ins
- CA is the sole technical enforcement mechanism for Level 2; without it, the "Platform = Policy" data control model cannot function for these users
No device-level technical controls:
- No MAM (App Protection Policy) — no app-level data isolation on any platform
- No ADUE — no managed volume separation on macOS
- No Intune enrolment — no device compliance enforcement
- No Defender for Business — no endpoint threat protection
Compensating policy controls:
| Control | Method |
|---|---|
| Data access scope | Teams membership management — users only access channels they are added to |
| Data handling obligation | Information handling policy + NDA + disciplinary consequences for violation |
| Minimum Viable Controls attestation | Device meets minimum security standards (OS updated, screen lock, no jailbreak/root). Attested annually or on personnel change. |
| Access monitoring | Entra ID sign-in logs — anomaly alerts + weekly/monthly review reports |
Level 2 security relies on CA (Compliant/APP requirement + Session Control) + SPO site permissions (= Teams membership) + policy controls. There is no device-level work/personal separation or app-level data leakage prevention. Teams membership scope, CA-enforced session restrictions, and policy obligations are the primary controls.
Exchange Online Plan 1 accounts ($4/user/month): Email-only accounts with no Teams, SharePoint, or OneDrive access. These fall outside the scope of Teams-based data controls. Security Defaults (MFA) apply. No CA, as these accounts do not access data subject to the "Platform = Policy" model.
6.3 Conditional Access — Prerequisite for "Platform = Policy"
The "Platform = Policy" model (Section 1.1) relies on the following enforcement layers:
- Data resides in SharePoint/OneDrive — Teams channel files are stored in SharePoint behind the scenes
- SPO site permissions = Teams membership — users can only access SharePoint sites for teams they are a member of, even via direct URL navigation (sharepoint.com). Non-members are denied access regardless of authentication. This is the primary access scope limiter
- CA enforces device/app compliance — CA-Require-AllApps-CompliantOrAPP ensures only compliant (ADUE) or APP-protected (Edge) sessions access M365 services. Unmanaged/non-compliant sessions are blocked
- Session Control restricts unmanaged devices — CA-Restrict-SPO-Unmanaged blocks download/sync/print for non-compliant devices, limiting unmanaged sessions to browser-only viewing
- CA requires Entra ID P1 — therefore, even Level 2 users (Basic) need P1 to be subject to CA policies
Why Level 2 users need P1 (Business Basic + P1):
- Business Basic alone includes Entra ID Free, which has no Conditional Access
- Without CA: (1) Session Control cannot operate → unmanaged devices can download/sync SPO files freely, (2) Windows BYOD Teams Desktop app login is not blocked → bypasses the Edge-only restriction
- P1 enables two critical controls: Session Control for SPO/ODB action restriction + CA app compliance requirement for Windows BYOD Edge-only enforcement
CA Architecture — 3-Policy Structure:
| Policy | Target | Grant / Session | Effect |
|---|---|---|---|
| CA-Require-AllApps-CompliantOrAPP | All users, all cloud apps | Require Compliant Device OR Require APP | macOS: ADUE compliant ✅ / Windows Edge: APP ✅ / Unmanaged: blocked |
| CA-Restrict-SPO-Unmanaged | All users, SPO + ODB | Session: "Use app enforced restrictions" | Unmanaged devices: download/sync/print blocked (browser-only view) |
| CA-Permit-Guest-MFA | External Guests (#EXT#) | Require MFA | Guest access with MFA; scope limited to channel membership |
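The 3-policy structure in the table maps directly onto Conditional Access policy objects. The following is an added example of how the three policies could be created with the Microsoft Graph PowerShell SDK; it is not the policy document's or Cybercraft's own deployment script. It assumes the Microsoft.Graph module, a Global Administrator or Conditional Access Administrator session, and it uses a placeholder `$breakGlassId` for the emergency-access (break-glass) account that Annex A Figure 2 shows as excluded from evaluation. The policies are created in report-only state so their effect can be checked in sign-in logs before they are switched to enforced.

```powershell
# Added example: create the three CA policies from §6.3 in report-only mode.
# Requires the Microsoft.Graph module; $breakGlassId is a placeholder to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$breakGlassId    = "00000000-0000-0000-0000-000000000000"   # placeholder: break-glass account object ID
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"   # well-known appId of Office 365 SharePoint Online (also covers OneDrive)

$policies = @(
    @{  # Grant: Compliant device (macOS ADUE) OR App Protection Policy (Windows Edge)
        displayName = "CA-Require-AllApps-CompliantOrAPP"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
    },
    @{  # Session: pass the "unmanaged device" signal to SPO/ODB so it serves browser-only, no download/sync/print
        displayName = "CA-Restrict-SPO-Unmanaged"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @($sharePointAppId) }
            clientAppTypes = @("all")
        }
        sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
    },
    @{  # Grant: MFA for external guests (#EXT#); channel scoping comes from Teams membership, not from CA
        displayName = "CA-Permit-Guest-MFA"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("GuestsOrExternalUsers"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
)

foreach ($p in $policies) {
    # Idempotent: never create a duplicate of a policy that already exists
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Warning "$($p.displayName) already exists, skipping"; continue }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

Two points to verify in report-only mode before enforcing. First, "Use app enforced restrictions" only has an effect if SharePoint Online is configured to honour the unmanaged-device signal (`Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess`); without that tenant setting the session control is a no-op. Second, because CA-Require-AllApps-CompliantOrAPP targets "All users" as the table states, guest accounts are evaluated by it as well and cannot present a compliant device; the report-only sign-in results will show whether guests need to be excluded from that policy so that CA-Permit-Guest-MFA is the control that actually applies to them.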
6.4 Why No Middle Ground
Combining security add-ons with Business Standard is not cost-effective:
- CA alone ($7/user): While CA is mandatory for the data control model (see §6.3), purchasing it as a standalone add-on only makes sense with Business Basic ($7 + $7 = $14). Pairing it with Standard is irrational (see §4.2).
- Intune alone ($8/user): M365 Standard + Intune = $22 vs Premium = $22 — identical cost but Premium includes Defender and the full security stack
- Conclusion: Non-Premium → Basic + P1 (CA for data control). Full technical controls → Premium. No other combination is justified.
7. Administration & Roles
7.1 Administrative Roles
| Role | Person | Responsibilities | Account |
|---|---|---|---|
| CEO | Farah | Executive sponsor of ISMS. Final authority on business risk acceptance and resource allocation for security initiatives. | Premium user account |
| Systems Administrator | Lucas Shin | M365 admin console: user management, licence assignment, Entra ID, Intune/CA configuration, Teams policy settings | Admin account (admin.lucas) — separate from user account |
| CISO | Richard | Policy approval, risk acceptance, exception approval, annual review | Standard user account |
| Team Manager | Designated per team | Channel membership management, file management within assigned teams. Cannot create teams or channels. | Standard user account |
7.2 Admin Account Separation
- Administrative actions on M365 console must use a dedicated admin account, not the user's standard account
- Admin account requires a separate licence (minimum Standard)
- Admin sessions should be performed in an isolated environment (e.g., separate browser profile, VM, or secondary device) to avoid disrupting the user's active sessions
7.3 Teams Governance
- Team creation: Restricted to Systems Administrator only (all other users' team creation rights are disabled in Teams policy)
- Channel creation: Restricted to Team Owner role (assigned by Systems Administrator)
- Guest invitations: Security Director holds Entra ID Guest Inviter role — Level 3 external guests are invited via Entra ID and assigned to a dedicated external collaboration team (see §5.4)
8. Monitoring & Audit Evidence
All structures defined in this policy must be demonstrably operational for audit purposes.
8.1 Ongoing Monitoring
| Activity | Frequency | Owner | Evidence |
|---|---|---|---|
| Entra ID sign-in log review | Weekly | Security Director | Log export / anomaly report |
| Teams membership review | Monthly | Security Director + Team Managers | Membership list snapshot per team/channel |
| Licence assignment review | Quarterly | Security Director | M365 admin centre licence report |
| Level 2 Minimum Viable Controls attestation | Annually (or on personnel change) | Security Director | Signed attestation forms |
| Intune compliance status (Premium users) | Weekly | Security Director | Intune compliance dashboard export |
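The weekly sign-in log review in the table above produces its evidence as a "log export / anomaly report". The following is an added example of such a review script, not part of the policy document or Cybercraft's own tooling. It assumes the Microsoft.Graph module and the AuditLog.Read.All scope, pulls the last seven days of interactive sign-ins, and flags the two outcomes this policy cares about: a guest sign-in where CA-Permit-Guest-MFA did not report success, and any sign-in that Conditional Access blocked. The CSV path is a placeholder.

```powershell
# Added example: weekly Entra ID sign-in review for the §8.1 evidence.
# Requires the Microsoft.Graph module and AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All" -NoWelcome

# Guest object IDs, resolved up front so sign-ins can be classified reliably
$guestIds = (Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id).Id

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Get-MgAuditLogSignIn returns interactive user sign-ins by default
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$findings = foreach ($s in $signIns) {
    $reason = $null
    if ($guestIds -contains $s.UserId) {
        # The guest MFA policy must have been applied and satisfied; a missing
        # entry (policy not evaluated) or any non-success result is a finding.
        $guestPolicy = $s.AppliedConditionalAccessPolicies |
            Where-Object DisplayName -eq "CA-Permit-Guest-MFA"
        if (-not $guestPolicy -or $guestPolicy.Result -ne "success") {
            $reason = "Guest sign-in without successful CA-Permit-Guest-MFA (result: $($guestPolicy.Result))"
        }
    }
    elseif ($s.ConditionalAccessStatus -eq "failure") {
        $blocking = ($s.AppliedConditionalAccessPolicies | Where-Object Result -eq "failure").DisplayName
        $reason = "Blocked by CA: " + ($blocking -join ", ")
    }
    if ($reason) {
        [pscustomobject]@{
            Time    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            IP      = $s.IPAddress
            Finding = $reason
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
# Export is the weekly review evidence; path is a placeholder.
$findings | Export-Csv -Path ".\SignInReview-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

A burst of "Blocked by CA" entries for a Level 1 user usually means a device has dropped out of Intune compliance rather than an attack, which is why the Intune compliance dashboard export sits beside this review in the same weekly cycle.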
8.2 Audit Evidence Mapping
When an auditor asks:
| Auditor Question | Evidence Location |
|---|---|
| "How do you classify data?" | Section 3 — Two-level classification (Confidential/General) enforced by channel structure |
| "How do you control access?" | Section 4 (licence matrix) + Section 5 (Teams trust model + membership) |
| "What security controls are applied?" | Section 6 — Premium: technical controls / Non-Premium: policy controls |
| "Who administers the system?" | Section 7 — Admin roles, account separation, Teams governance |
| "How do you monitor compliance?" | Section 8.1 — Monitoring schedule with evidence types |
| "Show me the access control structure" | Section 5.1 (L1/L2/L3 trust model) + Teams membership snapshots |
9. Compliance Mapping
| ISO 27001 Control | Requirement | Covered By |
|---|---|---|
| A.5.1 | Policies for information security | This policy + Information Security Policy (L1 Master) |
| A.5.10 | Acceptable use of information and assets | Section 3.2 (classification principles) + Section 5.2 (channel structure) |
| A.5.12 | Classification of information | Section 3 (two-level classification scheme) |
| A.5.13 | Labelling of information | Section 3.2 — channel location replaces labelling (documented rationale for no Sensitivity Labels) |
| A.5.15 | Access control | Section 4 (licence matrix) + Section 5 (Teams trust model) |
| A.5.16 | Identity management | Section 5.1 (Entra ID status per level) + Section 7 (admin accounts) |
| A.5.17 | Authentication information | Section 6 — Security Defaults (MFA) for all; CA for Premium |
| A.5.18 | Access rights | Section 5 (membership management) + Section 7.3 (Teams governance) |
| A.8.2 | Privileged access rights | Section 7 (admin account separation, role definition) |
| A.8.3 | Information access restriction | Section 5.3 (team operational model — data placement by team type) + Section 5.4 (Guest governance and external sharing) |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-18 | Lucas Shin | Initial release — licence-access matrix, Teams trust model (L1/L2/L3), data classification (2-level), security controls by tier, audit evidence mapping |
| 0.1.1 | 2026-02-20 | Lucas Shin | Document number changed from ISMS-POL-M365-01 to ISMS-POL-M365-01 (L2 policy reordering). Updated all cross-reference document numbers. |
| 0.1.2 | 2026-02-20 | Lucas Shin | Added §4.2 Prohibited SKU: Business Standard. Added §6.3 Conditional Access prerequisite. Added §6 Quick Reference table and SKU decision flowchart. |
| 0.1.3 | 2026-02-20 | Lucas Shin | Updated §5.1 Level 2 recommended licence: "Basic / Standard" → "Basic + P1". |
| 0.1.4 | 2026-02-20 | Lucas Shin | Updated all SKU pricing to Microsoft 2026.7.1 scheduled increases: Basic $6→$7, Standard $12.50→$14, Entra P1 $6→$7. Updated §4.3 cost comparison (Standard + Intune now identical to Premium at $22). |
| 0.1.5 | 2026-02-20 | Lucas Shin | Removed BYOL references from §5.1. Restructured §6.2: "Non-Premium Users" → "Level 2 — Trusted Guest Controls (Basic + P1)" with CA as applied technical control. Added Exchange Online Plan 1 scope note. Clarified §4.3 and §6.4 add-on guidance (P1 add-on with Basic is standard configuration). |
| 0.2.0 | 2026-03-01 | Lucas Shin | Phase 2-1~2-4 ISMS mapping (major revision). (1) Error #37 correction: Replaced "CA Default Block / Allow Policy" with 3-policy CA architecture (CA-Require-AllApps-CompliantOrAPP, CA-Restrict-SPO-Unmanaged, CA-Permit-Guest-MFA) throughout §6. (2) §5 restructured: Teams channel guardrail model (§5.2), 4 team types (§5.3), Guest governance + SPO external sharing policy (§5.4). (3) §3 updated: Data classification location now team-type-dependent; §3.3 External Sharing updated to "Only people in your organization". (4) macOS references corrected: "ADUE + MAM" → "ADUE + VPP" (APP not supported on macOS). (5) Procedural content to be moved to M365 Operations Procedure (ISMS-PROC-M365-01, new document). |
| 0.2.1 | 2026-03-01 | Lucas Shin | Added CA Access Control Overview diagram (simplified overview diagram) to §6 — logical flow visualization of 3-policy structure (Assignment → Grant → Session Control). Cross-reference to ISMS-PROC-BYOD-03 §2.3 for detailed platform-specific flowchart. |
| 0.3.0 | 2026-03-03 | Lucas Shin | Phase 4 slimming: §4.1 licence-service matrix, §4.4 file access matrix, §6 SKU control matrix, §6.1 APP platform table → extracted to ISMS-CONF-M365-01. Two §6 Mermaid diagrams → moved to Annex A. The policy document retains summaries + references. |
Review Schedule
- Quarterly: Teams membership review, licence assignment check
- Annually: Full policy review, trust model reassessment, licence tier pricing update
- Ad-hoc: Upon personnel changes, new client engagements, Microsoft licensing changes, or security incidents
Annex A — Diagrams
Figure 1 — SKU Decision Flowchart
```mermaid
flowchart TD
Start["Does the user need\nOffice desktop apps?"] -->|No| Basic["Business Basic + P1\n\$14/user/month"]
Start -->|Yes| NeedMAM["Is BYOD sufficient?\n(Edge web apps only on Windows)"]
NeedMAM -->|"Yes (macOS or web-only)"| Premium["Business Premium\n\$22/user/month"]
NeedMAM -->|"Need Windows desktop apps"| Join["Business Premium\n+ Entra Join + Full MDM"]
Basic --> BasicControl["SPO site permissions scope\n+ Session Control\nNo MAM/Intune"]
Premium --> PremiumControl["macOS: ADUE + VPP + CA\nWindows: Edge APP + CA"]
Join --> JoinControl["Full MDM + Compliance\n= BYOD Full MDM Exception"]
style Start fill:#f9f,stroke:#333
style Basic fill:#4CAF50,color:#fff
style Premium fill:#2196F3,color:#fff
style Join fill:#FF9800,color:#fff
```
Figure 2 — CA Access Control Overview
```mermaid
flowchart LR
A["User access attempt"] --> B{"Assignment<br>Who is the user?"}
B -->|"Break-glass"| C["✅ Excluded<br>Unrestricted"]
B -->|"Guest"| D["MFA required<br>(CA-Permit-Guest-MFA)"]
B -->|"Internal user"| E{"Grant evaluation<br>Compliant OR APP?"}
E -->|"Met"| F{"SPO/ODB?"}
E -->|"Not met"| G["❌ Blocked"]
F -->|"No"| H["✅ Access allowed"]
F -->|"Yes"| I{"Session Control<br>Device state?"}
I -->|"Managed"| J["✅ Full functionality"]
I -->|"Unmanaged"| K["⚠️ Restricted access"]
style C fill:#51cf66,color:#fff
style D fill:#74c0fc,color:#fff
style G fill:#ff6b6b,color:#fff
style H fill:#51cf66,color:#fff
style J fill:#51cf66,color:#fff
style K fill:#ffd43b,color:#333
```
[End of Policy Document]