M365 Workspace — System Configuration
Document Number: ISMS-CONF-M365-01
Classification: System Configuration
Version: 0.1.0
Effective Date: March 3, 2026
Author: Lucas Shin — Security Director
Parent Policy: M365 Workspace & Access Policy (ISMS-POL-M365-01)
1. Purpose & Scope
This System Configuration document provides the detailed licence-service matrices, file access case definitions, and security control reference tables for the M365 workspace governed by M365 Workspace & Access Policy (ISMS-POL-M365-01).
Document positioning:
- System configuration document within the ISMS management system — ISMS-CONF-* prefix, registered in the ISMS Document Register
- Supplement to the policy document — ISMS-POL-M365-01 defines the principles and structure; this document provides the detailed reference tables
2. Licence & Access Reference Tables
2.1 Licence Tier — Service Access Matrix
The following matrix defines the service entitlements for each licence tier available in Cybercraft's M365 tenant.
| Service | Exchange Only ($4) | Teams Essentials ($4) | Email + Teams ($8) | M365 Basic ($7) | M365 Standard ($14) | M365 Premium ($22) |
|---|---|---|---|---|---|---|
| Email (Exchange) | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Teams (chat/meetings) | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Teams Desktop App | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| SharePoint / OneDrive for Business | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Office Web Apps (Business) | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Office Desktop Apps | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Entra ID P1 (Conditional Access) | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Intune (MAM / ADUE) | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Defender for Business | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
Note on Email + Teams ($8): Combining Exchange Online ($4) + Teams Essentials ($4) costs $8 but provides fewer features than M365 Basic ($7). This combination is not recommended — use M365 Basic instead.
2.2 Teams File Access — Case-by-Case Matrix
File access behaviour differs depending on access path and licence. The following matrix defines each case.
| Access Case | Exchange Only | Teams Essentials | Email + Teams | M365 Basic | M365 Standard | M365 Premium |
|---|---|---|---|---|---|---|
| Teams team member registration | — | ✅ | ✅ | ✅ | ✅ | ✅ |
| Teams Files tab — view | — | ✅ | ✅ | ✅ | ✅ | ✅ |
| Teams Files tab — edit | — | ⚠️ Limited | ⚠️ Limited | ✅ Web | ✅ Desktop + Web | ✅ Desktop + Web |
| SharePoint site — direct access (if permission granted) | Guest access possible | Guest access possible | Guest access possible | ✅ | ✅ | ✅ |
| SharePoint file — full edit (direct access) | ❌ | ❌ | ❌ | ✅ Web | ✅ Desktop + Web | ✅ Desktop + Web |
| Private Channel access | — | If added as member | If added as member | If added as member | If added as member | If added as member |
Important distinction: SharePoint site access (viewing) can be granted to Guest accounts regardless of licence via Entra ID. However, SharePoint licence features (file editing, OneDrive, version control, DLP) require Basic or above. Licence controls what you can do; site permissions control what you can see.
3. Security Control Architecture
3.1 Security Controls by SKU — Quick Reference
The following table summarises how each approved SKU translates to security controls across platforms. Business Standard is prohibited (see ISMS-POL-M365-01 §4.2).
| | Business Premium ($22) | Business Basic + P1 ($14) | Exchange Online P1 ($4) |
|---|---|---|---|
| User Type | Level 1 — Internal (Employees) | Level 2 — Trusted Guest (External Personnel) | Email-only account |
| Office Desktop Apps | ✅ Included in licence | ❌ Not licensed | ❌ |
| CA (Conditional Access) | ✅ Bundled (Entra ID P1) | ✅ Add-on (Entra ID P1) | ❌ |
| SPO/ODB Direct Access | ✅ Full access (compliant device) | SPO site permissions (= Teams membership) scope + Session Control (download/sync/print blocked on unmanaged) | ❌ N/A |
| macOS BYOD | ADUE + VPP + CA — Native apps in Managed Volume (APP not supported on macOS) | CA only — Teams UI + web apps | — |
| Windows BYOD | Edge MAM + CA — Web apps only (desktop apps blocked by CA) | CA only — Teams UI + web apps | — |
| Windows + Desktop Apps | Entra Join + Full MDM required (BYOD Full MDM Exception — BYOD Security Policy §3.3) | ❌ No path (not licensed) | ❌ |
| Intune / Defender | ✅ Bundled | ❌ | ❌ |
Key principle: No desktop apps needed → Basic + P1. Desktop apps needed → Premium. There is no middle ground (Standard prohibited).
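As an added example (not part of this document or the parent policy), the following Python audit applies the §3.1 SKU rules to a constructed set of licence assignments and reports each deviation; the record fields, sample users and the over-licensing advisory are assumptions for illustration.

```python
# Added example, not from ISMS-CONF-M365-01: audit licence assignments against
# the section 3.1 rules (Standard prohibited; desktop apps -> Premium; guests
# -> Basic + P1; Windows desktop apps need Entra Join + full MDM).
from dataclasses import dataclass

APPROVED_SKUS = {"Business Premium", "Business Basic + P1", "Exchange Online P1"}
PROHIBITED_SKUS = {"Business Standard"}


@dataclass
class Assignment:
    upn: str
    sku: str
    user_level: int              # 1 = internal employee, 2 = trusted guest, 0 = email-only
    needs_desktop_apps: bool
    platform: str = "windows"    # "windows" or "macos" (assumed field)
    windows_full_mdm: bool = False  # Entra Join + full MDM in place (assumed field)


def audit(assignments):
    """Return (upn, finding) tuples, one per rule the assignment breaks."""
    findings = []
    for a in assignments:
        if a.sku in PROHIBITED_SKUS:
            findings.append((a.upn, "prohibited SKU: Business Standard (policy section 4.2)"))
            continue
        if a.sku not in APPROVED_SKUS:
            findings.append((a.upn, f"unknown SKU '{a.sku}'"))
            continue
        if a.needs_desktop_apps and a.sku != "Business Premium":
            findings.append((a.upn, "desktop apps require Business Premium"))
        if a.needs_desktop_apps and a.user_level == 2:
            findings.append((a.upn, "trusted guests have no desktop app path"))
        if a.user_level == 2 and a.sku == "Business Premium":
            findings.append((a.upn, "guests are Basic + P1; Premium is Level 1 only"))
        if a.sku == "Business Premium" and not a.needs_desktop_apps:
            findings.append((a.upn, "advisory: no desktop apps needed, Basic + P1 suffices"))
        if a.needs_desktop_apps and a.platform == "windows" and not a.windows_full_mdm:
            findings.append((a.upn, "Windows desktop apps need Entra Join + full MDM"))
    return findings


SAMPLE = [  # constructed records, not real tenant data
    Assignment("alice@example.com", "Business Premium", 1, True, "windows", True),
    Assignment("bob@example.com", "Business Standard", 1, True),
    Assignment("carol@example.com", "Business Basic + P1", 2, True, "macos"),
    Assignment("dave@example.com", "Business Premium", 1, False, "macos"),
    Assignment("erin@example.com", "Exchange Online P1", 0, False),
]

if __name__ == "__main__":
    for upn, finding in audit(SAMPLE):
        print(f"{upn}: {finding}")
```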
3.2 Premium Application Protection by Platform
Premium licence includes Entra ID P1 (Conditional Access) + Intune + Defender as a bundle.
| Platform | Protection Method | Scope |
|---|---|---|
| iOS / Android | MAM — App Protection Policy (APP) | All M365 apps: copy/paste block, save-as restriction, screenshot block (Android), data isolation within managed apps. No device enrolment required. |
| Windows | Windows MAM (Edge only) | Edge browser: org data protection, Windows Security Center integration, health checks. Only Edge is protected — other apps/browsers are not MAM-managed. |
| macOS | ADUE — Account Driven User Enrollment | Separate APFS managed volume for work data. OS-level isolation between personal and work. Limited MDM (work volume only). Personal data inaccessible to admin. |
Defender for Business:
- Endpoint threat protection on enrolled devices
- Anti-malware, web filtering, vulnerability management
4. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-03-03 | Lucas Shin | Initial release — Technical reference tables extracted from ISMS-POL-M365-01 (v0.2.1). Licence-service matrix (§4.1), file access matrix (§4.4), SKU security control matrix (§6), platform APP table (§6.1). |
Review Schedule
- Annually: Full review as part of ISMS management review cycle, licence tier pricing update
- Ad-hoc: Upon Microsoft licensing changes, new SKU introduction, or security architecture changes
[End of System Configuration]