Question about Business Premium: would you suggest each person in the office have that even if they would not be taking part in any of the Office apps or need email accounts?
Essentially, a good portion of the employees would only be using the Patterson Dental software and just need the login benefits/Windows Defender that Business Premium brings but not Word, Excel, OneDrive, or an email account. Many of the employees would be using the same computers throughout the day.
Is there a lower tier that would allow something like this?
Depends...
If Entra ID is serving as your central directory, then all users will need a login there. Those users, however, would only potentially require Entra ID P1 if all they need is a Conditional Access–protected login from the cloud directory.
If you want full endpoint management, the best way to go is M365 F3 + F5 Security.
M365 F3 includes a kiosk mailbox, Entra ID P1, Intune P1, Windows 10/11 Enterprise: basically everything you need to manage endpoint devices, whether they’re Windows, Android, or iOS. That’s $8/user/month.
Then there’s M365 F5 Security. This is M365 E5 Security for frontline workers: Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, everything Defender. This license is also $8. So for $16/user/month, you get full enterprise-grade security for users who need a cloud-managed endpoint. If you require compliance, the F5 Security and Compliance bundle is $13. That brings you to $21/user/month, still below Business Premium pricing, but in many ways even more power than Premium provides!
I use this combo as much as I can, because the environments that need the full stack are otherwise up against M365 E5 (no Teams) + Teams Enterprise, which runs about $60/user/month. Cutting that to a third makes a real difference.
Your bare-minimum setup (Entra ID login + Intune + Defender for Endpoint P2) would be Enterprise Mobility + Security E3 ($11.13) + Defender for Endpoint P2 ($5.46), totaling $16.59/user/month. The reason I don’t recommend that combo is the lack of a CASB (Cloud Access Security Broker).
But did you see the other reason I go with F3 + F5 Security? It’s cheaper by $0.59/user and does much more.
Use and abuse the F-series SKUs wherever possible.
The F-series combo also includes Defender for Cloud Apps, which really needs to be paired with M365 Business Premium. On its own, Defender for Cloud Apps is $4.20/user/month. Defender for Cloud Apps is IMHO the best security investment any org can make after identity itself.
Why do this? If you’re going to use Entra, then you need to use Entra. That means all those web apps your customer depends on? They get SSO integrated with Entra logins. Once that’s in place, you layer on Defender for Cloud Apps and—bam—every one of those apps now has a firewall in front of it. Conditional Access extends over the top.
You can do powerful things like: “Want to log in to Dentrix? OK—but only from the office.”
This is real security coverage. Real risk reduction. But it means not just deploying Business Premium—it means actually using all the features it brings to the table. That’s hard. That’s a ton of work. And that's also where most providers fall short. The SMB has so much power in their hands with Business Premium, but we aren't selling it, and they aren't buying it, because they don't realize the return. Do M365 correctly, and it makes everyone buckets of money; there is simply no competition. Do it wrong, and your customer will run off to anywhere else, just to get away.
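
The "only from the office" rule described in the answer above, written as a Conditional Access policy with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; the CIDR range, app ID, break-glass account ID and display names are placeholders to replace with values from your own tenant.

```powershell
# Added example: block sign-in to one SSO-integrated app from outside the office.
# Requires the Microsoft.Graph PowerShell SDK and a license that includes Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders (assumptions): replace with values from your own tenant.
$officeCidr   = '203.0.113.0/24'                        # constructed documentation range
$appId        = '00000000-0000-0000-0000-000000000000'  # appId of the SSO-integrated enterprise app
$breakGlassId = '11111111-1111-1111-1111-111111111111'  # object ID of the emergency-access account

# 1. Named location for the office's public egress range.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr }
    )
}

# 2. Policy: sign-ins to the app from any location except the office are blocked.
#    The break-glass account is excluded so a bad range cannot lock out every admin.
$policy = @{
    displayName   = 'Dental app - office only'
    state         = 'enabledForReportingButNotEnforced'   # report-only until verified
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($appId) }
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The policy is created in report-only mode; check the Conditional Access results in the sign-in logs for the expected users and locations before changing `state` to `enabled`.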