fix: Correct M365 E3 licensing capabilities across playbooks

E3 includes Entra ID P1 (conditional access, SSPR) and Defender for
Endpoint P1 (AV, device control, ASR audit mode), not just 'Free'/'AV only'.

Key corrections:
- m365-e3-hardening.md: Entra ID P1 with conditional access is now
  correctly listed as included; Intune is full not 'basic'; ASR audit
  mode is available in P1; risk-based gap reframed as 'No Entra ID P2'
- zero-budget-hardening.md: E3 comparison table now shows Entra ID P1
  and Defender for Endpoint P1 correctly; pitch text updated
- modular-engagements.md: MFA description now reflects conditional
  access availability in E3
- m365-antifragile-project.md: Conditional Access heading now correctly
  notes E3 includes P1; E3 baseline mentions conditional access
- endpoint-management-entry-vector.md: Intune described as full MDM/MAM

antifragile-consulting/playbooks/endpoint-management-entry-vector.md

@@ -173,7 +173,7 @@ This builds **trust and political capital** for the harder conversations that fo
 - BYOD vs. corporate-owned: define the boundary clearly
 - Privacy regulations: employee monitoring on personal devices requires legal review
 - Network security: home Wi-Fi is untrusted; DNS security and VPN policies critical
-- Licensing: Intune is included in E3; no additional purchase required for basic MDM
+- Licensing: Intune is included in E3; no additional purchase required for MDM/MAM
 
 ### Archetype 3: The Compliance-Driven Client
 

antifragile-consulting/playbooks/m365-antifragile-project.md

@@ -54,8 +54,8 @@ Antifragile M365 projects optimize for:
 - **Break-glass accounts**: 2-3 global admins, excluded from conditional access, complex passwords managed offline
 - **Initial admin roles**: No standing global admins for daily work; delegated admin roles (Exchange admin, SharePoint admin, User admin)
 - **Security defaults or conditional access baseline**:
-  - E3: Per-user MFA for all admins; block legacy authentication
-  - E5: Conditional access requiring MFA for all users, compliant devices for admins, block legacy auth, risky sign-in policies
+  - E3: Conditional access requiring MFA for all users, block legacy authentication, compliant devices for admins; no risk-based policies
+  - E5: Risk-based conditional access, PIM for privileged roles, identity protection, impossible-travel blocking
 
 **Data Governance Foundation**
 
@@ -94,7 +94,7 @@ Antifragile M365 projects optimize for:
 
 ### Phase 3: Hardening and Governance (Week 7-10)
 
-**Conditional Access (E5 or Entra ID P1/P2)**
+**Conditional Access (E3 includes Entra ID P1; E5 adds risk-based policies and PIM)**
 
 - Require MFA for all users
 - Require compliant or hybrid Azure AD joined device for sensitive apps
@@ -190,7 +190,7 @@ Get-MgOAuth2PermissionGrant -All | Export-Csv oauth-grants.csv
 - Remove excessive admin roles
 - Revoke stale OAuth consents
 - Enable PIM for all privileged roles (if licensed)
-- Enforce MFA for all users (per-user MFA for E3; conditional access for E5)
+- Enforce MFA for all users (conditional access for E3; risk-based policies for E5)
 
 **External Access Lockdown**
 

antifragile-consulting/playbooks/m365-e3-hardening.md

@@ -13,10 +13,10 @@ E3 provides the foundation. The gaps are real but manageable. This document show
 | Capability | E3 Inclusion | Notes |
 |-----------|-------------|-------|
 | Exchange Online Protection (EOP) | Yes | Anti-malware, anti-spam, basic anti-phishing |
-| Azure AD Free / Entra ID Free | Yes | Basic identity, no conditional access, no PIM |
-| Microsoft Defender Antivirus | Yes | Client-side AV, no EDR, no ASR |
+| Entra ID P1 | Yes | Conditional access, per-user MFA, SSPR; no PIM, no risk-based policies |
+| Microsoft Defender for Endpoint P1 | Yes | Next-gen AV, device control, ASR audit mode; no EDR, no automated investigation |
 | Office 365 Audit Logging | Yes | Must be manually enabled |
-| Basic Mobile Device Management (MDM) | Yes | Via Microsoft Intune limited enrollment |
+| Microsoft Intune | Yes | Full MDM/MAM, device compliance, configuration policies |
 | Self-Service Password Reset (SSPR) | Yes | Requires Azure AD Basic configuration |
 | Teams, SharePoint, OneDrive | Yes | Data governance limited without Purview |
 
@@ -25,7 +25,7 @@ E3 provides the foundation. The gaps are real but manageable. This document show
 | Capability | Missing in E3 | Business Impact |
 |-----------|---------------|-----------------|
 | Microsoft Defender for Endpoint P2 | No | No EDR, no ASR rules, no threat analytics, no automated investigation |
-| Entra ID P2 / P1 Conditional Access | No | No risk-based policies, no device compliance gating, no location-based rules |
+| Entra ID P2 (Identity Protection) | No | No PIM, no risk-based conditional access, no identity protection, no automated remediation |
 | Entra ID PIM | No | No just-in-time admin elevation |
 | Microsoft Defender for Office 365 P2 | No | No Safe Links, no Safe Attachments, no advanced anti-phishing |
 | Microsoft Purview | No | No DLP, no sensitivity labels, no insider risk management |
@@ -49,14 +49,14 @@ We operate in three layers:
 
 **Enable MFA for All Users**
 
-E3 includes MFA via Azure AD Free/Entra ID Free, but it is **per-user MFA** (less flexible than conditional access). This is still mandatory.
+E3 includes **Entra ID P1**, which supports both **per-user MFA** and **conditional access-based MFA**. Conditional access is the preferred approach because it provides more granular control.
 
 - Navigate to Microsoft Entra admin center → Users → Per-user MFA
 - Enable MFA for all administrative accounts first
 - Roll out to all users within 14 days
 - Enroll at least one backup method per user (authenticator app + phone)
 
-**Document the Gap**: Per-user MFA cannot enforce risk-based step-up, device compliance, or location-based blocking. Document this as a risk for steering committee.
+**Document the Gap**: E3 conditional access cannot enforce risk-based step-up or impossible-travel blocking (these require Entra ID P2). Document risk-based policies as a gap for steering committee.
 
 **Disable Legacy Authentication**
 
@@ -149,9 +149,9 @@ Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
 
 ## Phase 2: Augment E3 (Week 3-4)
 
-### Close the EDR Gap (No Defender for Endpoint P2)
+### Close the EDR Gap (Defender for Endpoint P1, Not P2)
 
-E3 includes Microsoft Defender Antivirus but **not** EDR. You need visibility.
+E3 includes **Microsoft Defender for Endpoint P1** (next-gen AV, device control, ASR rules in audit mode, network protection in audit mode). It does **not** include full EDR, automated investigation, or threat analytics. You need visibility beyond what P1 provides.
 
 | Option | Cost | Effort | When to Use |
 |--------|------|--------|-------------|
@@ -167,24 +167,25 @@ E3 includes Microsoft Defender Antivirus but **not** EDR. You need visibility.
 3. Upgrade **only privileged users** to Microsoft Defender for Endpoint P2 via add-on or E5 Security
 4. This gives you EDR coverage where it matters most at ~10% of full E5 cost
 
-### Close the Conditional Access Gap (No Entra ID P1/P2)
+### Close the Risk-Based Identity Gap (No Entra ID P2)
 
-Without conditional access, you cannot enforce:
-- Device compliance gating
-- Location-based blocking
-- Risk-based step-up
-- Block legacy auth per-protocol
+E3 includes **Entra ID P1**, which provides robust conditional access: device compliance gating, location-based blocking, and per-protocol legacy auth blocking are all available. What E3 lacks is **risk-based intelligence**:
+
+- Risk-based step-up (e.g., require MFA when sign-in risk is elevated)
+- Impossible travel detection and blocking
+- Identity protection and automated remediation
+- PIM for just-in-time admin elevation
 
 **Mitigations within E3**:
 
-- **Per-user MFA**: Enforce for 100% of users (already covered above)
-- **Block legacy auth tenant-wide**: Already covered above
-- **Intune MDM enrollment**: E3 includes basic Intune; enroll all corporate devices
-- **Third-party MFA with policy engine**: Duo, Okta (additional cost, but cheaper than full E5)
+- **Conditional access policies**: Enforce MFA for all users, block legacy auth, require compliant devices for sensitive apps, and restrict by location—all with Entra ID P1
+- **Intune MDM enrollment**: E3 includes full Intune; enroll all corporate devices to make them conditional access signals
+- **Per-user MFA**: As a fallback if conditional access deployment is phased
+- **Manual risk review**: Export sign-in logs weekly; flag anomalous locations, failed MFA attempts, and unknown devices
 
 **The Strategic Conversation**:
 
-> *"E3 gives us strong authentication but weak authorization. We can enforce MFA, but we cannot say 'only from a managed device in the Czech Republic.' If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P1 for conditional access, not a full E5 jump."*
+> *"E3 gives us strong authentication and solid authorization. We can enforce MFA, block legacy auth, and require managed devices. What we cannot do is automatically step up authentication when a sign-in looks risky, or block access from impossible travel. If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P2 for identity protection, not a full E5 jump."*
 
 ### Close the Email Security Gap (No Defender for Office 365 P2)
 
@@ -282,7 +283,7 @@ There will come a point where E3 augmentation is no longer cost-effective. Frame
 | E5 Capability | What It Solves | When to Recommend |
 |--------------|----------------|-------------------|
 | Defender for Endpoint P2 | EDR, ASR, threat analytics | Client has had malware incident or is in regulated industry |
-| Entra ID P2 | Conditional access, PIM, identity protection | Client has admin compromise or needs device/location gating |
+| Entra ID P2 | Risk-based conditional access, PIM, identity protection | Client has admin compromise or needs risk-based/impossible-travel blocking |
 | Defender for Office 365 P2 | Safe Links, Safe Attachments, automated investigation | Client has had phishing-driven incident |
 | Purview | DLP, sensitivity labels, insider risk | Client handles customer PII, financial data, or trade secrets |
 | Sentinel | SIEM, SOAR, threat hunting | Client has dedicated SOC or regulatory SIEM requirements |

antifragile-consulting/playbooks/zero-budget-hardening.md

@@ -18,9 +18,9 @@ Before proposing any new tool, conduct this audit. It typically reveals that the
 
 | Capability | What E5 Includes | What E3 Includes | What Is Often Unused | Activation Effort |
 |-----------|------------------|------------------|---------------------|-------------------|
-| Endpoint Detection | Defender for Endpoint P2 (EDR, ASR) | Defender Antivirus only (no EDR) | Real-time protection, network protection | Low |
+| Endpoint Detection | Defender for Endpoint P2 (EDR, ASR enforce) | Defender for Endpoint P1 (AV, device control, ASR audit mode; no EDR) | Real-time protection, network protection | Low |
 | SIEM / Log Analytics | Microsoft Sentinel | Log Analytics only (no Sentinel) | Basic KQL queries, log forwarding | Medium |
-| Identity Protection | Entra ID P2 (PIM, conditional access, risk) | Entra ID Free (per-user MFA only) | Per-user MFA, basic audit | Low |
+| Identity Protection | Entra ID P2 (PIM, risk-based conditional access) | Entra ID P1 (conditional access, per-user MFA, SSPR; no PIM, no risk policies) | Conditional access MFA, device compliance, location blocking | Low |
 | Email Security | Defender for Office 365 P2 (Safe Links, Safe Attachments) | EOP only (basic anti-phishing) | Anti-malware, anti-spam tuning | Low |
 | Data Protection | Microsoft Purview (DLP, labels) | None | N/A | N/A |
 | Cloud Security | Microsoft Defender for Cloud | Basic Defender for Cloud (limited) | Secure score review | Low |
@@ -30,7 +30,7 @@ Before proposing any new tool, conduct this audit. It typically reveals that the
 
 **The Pitch (E3 Clients)**:
 
-> *"You own E3, not E5. That means we do not have EDR, conditional access, or advanced email filtering out of the box. But we do have solid foundations: antivirus, basic MFA, audit logging, and EOP. Our first job is to turn every E3 knob to maximum, then close the most dangerous gaps with free tools like Sysmon and Wazuh. If gaps remain that threaten your specific risk profile, we will size a selective upgrade—not a blanket one."*
+> *"You own E3, not E5. That means we do not have EDR, risk-based conditional access, or advanced email filtering out of the box. But we do have solid foundations: conditional access with device and location gating, per-user MFA, audit logging, EOP, and Intune. Our first job is to turn every E3 knob to maximum, then close the most dangerous gaps with free tools like Sysmon and Wazuh. If gaps remain that threaten your specific risk profile, we will size a selective upgrade—not a blanket one."*
 
 ### Multi-Cloud / Heterogeneous Environments
 
@@ -67,7 +67,7 @@ This sprint assumes the client has a typical Microsoft-centric environment with
 
 ### Week 1: Turn On What You Own
 
-> **Note for E3 clients**: Skip the ASR and advanced EDR steps below. E3 includes Defender Antivirus only. See [M365 E3 Hardening](m365-e3-hardening.md) for the E3-specific week 1 plan. The steps below assume E5 or Defender for Endpoint P2.
+> **Note for E3 clients**: Skip the advanced EDR and ASR enforcement steps below. E3 includes Defender for Endpoint P1 (AV, device control, ASR audit mode), but not P2 EDR or automated investigation. See [M365 E3 Hardening](m365-e3-hardening.md) for the E3-specific week 1 plan. The steps below assume E5 or Defender for Endpoint P2.
 
 **Day 1-2: Microsoft Defender for Endpoint (E5 Only)**
 
@@ -89,10 +89,11 @@ This sprint assumes the client has a typical Microsoft-centric environment with
   - Block legacy authentication
   - Require compliant or hybrid Azure AD joined device for admin roles
   - Enable PIM for Global Administrator and other privileged roles
-- **E3 clients**: Enable per-user MFA for all users (no conditional access available)
-  - Block legacy authentication tenant-wide
-  - Review and reduce standing admin assignments manually
-  - Document conditional access as a gap for steering committee
+- **E3 clients**: Deploy conditional access policies with Entra ID P1:
+  - Require MFA for all users, all cloud apps
+  - Block legacy authentication
+  - Require compliant or hybrid Azure AD joined device for admin roles
+  - Document risk-based conditional access and PIM as gaps for steering committee
 
 **Day 5: Email Security**