fix: Correct M365 E3 licensing capabilities across playbooks

E3 includes Entra ID P1 (conditional access, SSPR) and Defender for
Endpoint P1 (AV, device control, ASR audit mode), not just 'Free'/'AV only'.

Key corrections:
- m365-e3-hardening.md: Entra ID P1 with conditional access is now
  correctly listed as included; Intune is full, not 'basic'; ASR audit
  mode is available in P1; risk-based gap reframed as 'No Entra ID P2'
- zero-budget-hardening.md: E3 comparison table now shows Entra ID P1
  and Defender for Endpoint P1 correctly; pitch text updated
- modular-engagements.md: MFA description now reflects conditional
  access availability in E3
- m365-antifragile-project.md: Conditional Access heading now correctly
  notes E3 includes P1; E3 baseline mentions conditional access
- endpoint-management-entry-vector.md: Intune described as full MDM/MAM
2026-05-09 16:58:36 +02:00
parent 763da003d3
commit 3569cd7c45
5 changed files with 36 additions and 34 deletions


@@ -54,8 +54,8 @@ Antifragile M365 projects optimize for:
- **Break-glass accounts**: 2-3 global admins, excluded from conditional access, complex passwords managed offline
- **Initial admin roles**: No standing global admins for daily work; delegated admin roles (Exchange admin, SharePoint admin, User admin)
- **Security defaults or conditional access baseline**:
- E3: Per-user MFA for all admins; block legacy authentication
- E5: Conditional access requiring MFA for all users, compliant devices for admins, block legacy auth, risky sign-in policies
- E3: Conditional access requiring MFA for all users, block legacy authentication, compliant devices for admins; no risk-based policies
- E5: Risk-based conditional access, PIM for privileged roles, identity protection, impossible-travel blocking
**Data Governance Foundation**
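Review bot: The bullet heading "Security defaults or conditional access baseline" is now misleading, because both the E3 and E5 lines under it rely on conditional access, and security defaults cannot coexist with conditional access policies: security defaults have to be switched off before custom CA policies are enforced, so "or" should not read as a free choice. Consider renaming the bullet to something like "Conditional access baseline (disable security defaults first)" and keeping security defaults only as the fallback for tenants without a P1 licence. Two further points on the new E3 line: "compliant devices for admins" depends on Intune compliance policies and enrolled devices, so that control should be sequenced after endpoint management is in place (the commit message's Intune note supports that this is available in E3), and the break-glass exclusion on the line above should be stated as applying to every policy in this baseline, not just MFA.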
@@ -94,7 +94,7 @@ Antifragile M365 projects optimize for:
### Phase 3: Hardening and Governance (Week 7-10)
**Conditional Access (E5 or Entra ID P1/P2)**
**Conditional Access (E3 includes Entra ID P1; E5 adds risk-based policies and PIM)**
- Require MFA for all users
- Require compliant or hybrid Azure AD joined device for sensitive apps
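Review bot: Terminology is now inconsistent within this block: the new heading says "Entra ID P1", but the unchanged bullet two lines below still says "hybrid Azure AD joined", which Microsoft has renamed to "Microsoft Entra hybrid joined". Since the commit is already correcting licensing names, update that bullet in the same pass so the heading and the device-state condition use the same product name.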
@@ -190,7 +190,7 @@ Get-MgOAuth2PermissionGrant -All | Export-Csv oauth-grants.csv
- Remove excessive admin roles
- Revoke stale OAuth consents
- Enable PIM for all privileged roles (if licensed)
- Enforce MFA for all users (per-user MFA for E3; conditional access for E5)
- Enforce MFA for all users (conditional access for E3; risk-based policies for E5)
**External Access Lockdown**
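Review bot: The new parenthetical "(conditional access for E3; risk-based policies for E5)" reads as if E5 replaces conditional access with something else, but risk-based policies are conditional access policies with a sign-in or user risk condition added (Entra ID P2 / Identity Protection), so E5 still enforces MFA through conditional access. Suggest "(conditional access for both; E5 can add sign-in and user risk conditions)", which also lines up with the "Enable PIM ... (if licensed)" bullet just above, since PIM and risk conditions share the same P2 dependency.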