
Protecting Your Nonprofit After Microsoft’s 2025 Business Premium License Changes
A curve ball is heading for nonprofits in the coming months as Microsoft announces the removal of the free MS365 Business Premium licenses from its charitable offerings. This change will reshape nonprofit infrastructure from underneath their feet, and it needs to be met with some strategic decision making about what happens next. We wanted to sit down and put together our thoughts on the subject, and outline how we’re positioned to help if you’ve found your team in this situation.
This seemingly small change carries significant cybersecurity implications for organisations that have built their digital infrastructure around these tools. The formal changes are that Microsoft is transitioning from providing ten free Business Premium licenses to offering up to 300 Microsoft 365 Business Basic licenses with discounts of up to 75 percent on other Microsoft 365 services.
The shift is jarring for many nonprofits, especially those operating on tight budgets who now face unexpected costs. Google has made similar changes to their nonprofit offerings, leaving charities caught between unwelcome cost increases from both major cloud providers.
Loss of Intune and Device Management: The Big Gap
Perhaps the most significant security concern we’ve identified in this transition is the loss of Intune – Microsoft’s mobile device management solution.
Business Basic lacks this crucial tool that many organisations (ourselves included!) rely on to ensure laptops and computers remain secure. Without Intune, nonprofits lose the native ability to:
- Enforce security policies across all devices
- Track and manage software installations
- Push critical security updates remotely
- Remotely wipe lost or stolen devices
- Monitor device compliance and security status
This creates an immediate and creeping security gap for nonprofits that have built their device security strategy around Intune’s capabilities. The absence of centralised management means organisations must quickly identify alternative approaches to maintain device security, or accept increased risk.
Risk Assessment: Your First Priority
Before making any hasty decisions, nonprofits should conduct a thorough risk assessment to understand exactly what security capabilities they’re losing and how this impacts their overall security posture.
Get your decision makers in a room with a technical subject matter expert and start by asking:
- Which specific security features are we losing that protect our most sensitive data, and the devices we use every day?
- What is going to happen when this shift takes place? Do staff and decision makers understand what will materially change?
- How does this change affect our compliance requirements?
- What alternatives exist that might better suit our organisation’s size and budget?
A proper risk assessment allows us to prioritise our response rather than simply reacting to the change. This methodical approach ensures that limited resources are directed to the most crucial security needs first, and also that any changes happen in a planned manner.
Training Requirements: The Human Factor
When technical controls change, human behaviour becomes even more critical. Business Basic’s shift to web-based applications creates training requirements that nonprofits must address promptly.
Staff accustomed to desktop Office applications may need guidance or support on:
- Day-to-day workflows and operations
- Safe document sharing and collaboration
- Managing access controls without centralised oversight
- Recognising security threats when shifting to browser-based applications – such as phishing or malicious websites that may impersonate Office applications
Investing in staff awareness can dramatically reduce the risk of security incidents during this transition period, and ensure that the strategic awareness of this change effectively integrates with the day-to-day operations of your teams. Get communications out to staff nice and early so they can start the mental preparation for any changes, or contribute effectively to the conversation.
Cybersecurity Fundraising and Collective Advocacy
The financial impact of these changes can’t be overstated. Even with Microsoft’s 75 percent discount, nonprofits face new costs that weren’t budgeted for – a particular challenge for organisations where every penny matters.
This reality calls for two parallel approaches:
First, cybersecurity-specific fundraising may become necessary. Donors understand the importance of data security, especially for organisations handling sensitive information about vulnerable populations. Creating targeted campaigns that clearly explain how these funds protect your mission can be effective.
Second, consider collective advocacy and organising when looking at IT and security providers. While individual charities have limited leverage or limited information, coordinated efforts from multiple organisations or sector bodies working together can sometimes influence decisions or secure better nonprofit terms.
For example, at ADAS we happily work with nonprofits who share our time with their network and friends, inviting cross-organisational knowledge when it comes to strategic consulting, vulnerability management, or security training. This resource sharing can more than halve the cost of access to valuable consultancy, as most smaller consultancies charge on time – not access by headcount. The same benefits can be negotiated when looking for your MSP! As with most things in life, when we support each other to collectively overcome hurdles, we all benefit.
Dedicated Cybersecurity Resources: A New Necessity
Many nonprofits have relied on Microsoft’s comprehensive security features to compensate for limited in-house security expertise. With those features now requiring additional investment, organisations should consider whether dedicated cybersecurity resources – either internal or contracted – have become a better investment.
This might take the form of:
- A part-time security specialist focused solely on informing risk owners about the state of your digital defences. Remember that this could also be the upskilling or training of an existing staff member who may want to pivot into the information security space.
- Shared security resources or access to experience across multiple small nonprofits.
- Contracted support from specialist firms with nonprofit experience.
- Ring-fencing funding specifically for security needs, so your core security function stays robust regardless of funding fluctuations.
The cost of such resources must be weighed against the risk of security incidents and the potential damage to your organisation’s mission and reputation. Frustratingly, it is still often an option to just brave the landscape with sub-par protection, as the cost can still be out of reach for smaller teams.
The TL;DR…
If you’re a nonprofit facing this transition, here are the actions:
- Conduct a gap analysis of what security capabilities you’re losing and their importance to your operations
- Develop a transition timeline that prioritises security of your most sensitive systems
- Create a security training plan for staff to compensate for reduced technical controls
- Review your budget to determine what Microsoft services justify continued investment at the discounted rate
Now for the self-promotion… If you’ve found yourself affected, the ADAS team are well positioned to help you out. If you’ve found this article helpful – get in touch with us to chat further.
How ADAS Can Help
At ADAS, we specialise in providing practical, affordable cybersecurity solutions for organisations of all sizes – with particular experience supporting those in the nonprofit sector.
Our services are specifically designed to help nonprofits maintain strong security postures regardless of changes in vendor offerings:
- Vendor-independent vulnerability management on a per-device basis using Qualys agents, keeping a clear line of sight on the vulnerabilities on each and every computer, without being tied to specific licensing models. We start this coverage for £10 per month plus 25p per device – and there’s no minimum term, so you really can get a vulnerability scan done for your entire estate at a reasonable price now.
- Cyber Essentials Plus assessments that validate your technical controls, ensuring protection against malware delivery and proper MFA configuration – amongst other things!
- Penetration testing for deep assurance of your network security and all the benefits that come from getting CREST and CHECK accredited testers to get hands-on with your network, website, or cloud infrastructure.
- Policy development and review to gap analyse and suggest improvements that increase resilience to landscape changes, and ensure you have a ready response in place for disruptions.
- Culture building and training – vital for ensuring teams understand shifts to their platform or adapting security responsibilities when top-down controls change. Our holistic approach to training ensures staff understand your policy posture perfectly as an integral part of the training.
We understand the nonprofit landscape intimately through years of experience in the not-for-profit and public sector space. We focus on practical solutions that respect both your mission and your budget constraints.
Let’s Start the Conversation
Microsoft’s changes may create challenges, but they also offer an opportunity to build a more resilient, independent security strategy for your organisation, one that can withstand vendor-supplied challenges.
Get in touch today for a no-obligation discovery call to discuss your specific situation and needs. You’ll speak directly with the consultant who would support you – not a sales team – ensuring practical advice from the moment we say hello.
Have a great Tuesday folks.