fix: Correct M365 E3 licensing capabilities across playbooks

E3 includes Entra ID P1 (conditional access, SSPR) and Defender for
Endpoint P1 (AV, device control, ASR audit mode), not just 'Free'/'AV only'.

Key corrections:
- m365-e3-hardening.md: Entra ID P1 with conditional access is now
  correctly listed as included; Intune is full not 'basic'; ASR audit
  mode is available in P1; risk-based gap reframed as 'No Entra ID P2'
- zero-budget-hardening.md: E3 comparison table now shows Entra ID P1
  and Defender for Endpoint P1 correctly; pitch text updated
- modular-engagements.md: MFA description now reflects conditional
  access availability in E3
- m365-antifragile-project.md: Conditional Access heading now correctly
  notes E3 includes P1; E3 baseline mentions conditional access
- endpoint-management-entry-vector.md: Intune described as full MDM/MAM
2026-05-09 16:58:36 +02:00
parent 763da003d3
commit 3569cd7c45
5 changed files with 36 additions and 34 deletions


@@ -13,10 +13,10 @@ E3 provides the foundation. The gaps are real but manageable. This document show
| Capability | E3 Inclusion | Notes |
|-----------|-------------|-------|
| Exchange Online Protection (EOP) | Yes | Anti-malware, anti-spam, basic anti-phishing |
| Azure AD Free / Entra ID Free | Yes | Basic identity, no conditional access, no PIM |
| Microsoft Defender Antivirus | Yes | Client-side AV, no EDR, no ASR |
| Entra ID P1 | Yes | Conditional access, per-user MFA, SSPR; no PIM, no risk-based policies |
| Microsoft Defender for Endpoint P1 | Yes | Next-gen AV, device control, ASR audit mode; no EDR, no automated investigation |
| Office 365 Audit Logging | Yes | Must be manually enabled |
| Basic Mobile Device Management (MDM) | Yes | Via Microsoft Intune limited enrollment |
| Microsoft Intune | Yes | Full MDM/MAM, device compliance, configuration policies |
| Self-Service Password Reset (SSPR) | Yes | Requires Azure AD Basic configuration |
| Teams, SharePoint, OneDrive | Yes | Data governance limited without Purview |
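Review bot: the SSPR row at the bottom of this table still reads "Requires Azure AD Basic configuration", which now conflicts with the new Entra ID P1 row two lines above that lists SSPR as a P1 capability (and with the commit message, which also places SSPR under P1). Suggest aligning it, e.g. `| Self-Service Password Reset (SSPR) | Yes | Included with Entra ID P1; must be enabled and scoped to users/groups |`, and dropping the retired "Azure AD Basic" name so the table uses one product naming throughout, since the old "Azure AD Free / Entra ID Free" row that carried the dual naming is being removed here.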
@@ -25,7 +25,7 @@ E3 provides the foundation. The gaps are real but manageable. This document show
| Capability | Missing in E3 | Business Impact |
|-----------|---------------|-----------------|
| Microsoft Defender for Endpoint P2 | No | No EDR, no ASR rules, no threat analytics, no automated investigation |
| Entra ID P2 / P1 Conditional Access | No | No risk-based policies, no device compliance gating, no location-based rules |
| Entra ID P2 (Identity Protection) | No | No PIM, no risk-based conditional access, no identity protection, no automated remediation |
| Entra ID PIM | No | No just-in-time admin elevation |
| Microsoft Defender for Office 365 P2 | No | No Safe Links, no Safe Attachments, no advanced anti-phishing |
| Microsoft Purview | No | No DLP, no sensitivity labels, no insider risk management |
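Review bot: the unchanged Defender for Endpoint P2 row in this table still says "no ASR rules", which contradicts the inclusion table above where the new Defender for Endpoint P1 row lists "ASR audit mode" as included; reword the P2 row to describe only what P1 lacks in this document's framing (e.g. "no ASR enforcement beyond audit mode") so both tables make the same claim. The separate "Entra ID PIM" row is now also redundant with "No PIM" in the new Entra ID P2 (Identity Protection) row; either fold it into that row or keep it and drop "No PIM" from the P2 row.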
@@ -49,14 +49,14 @@ We operate in three layers:
**Enable MFA for All Users**
E3 includes MFA via Azure AD Free/Entra ID Free, but it is **per-user MFA** (less flexible than conditional access). This is still mandatory.
E3 includes **Entra ID P1**, which supports both **per-user MFA** and **conditional access-based MFA**. Conditional access is the preferred approach because it provides more granular control.
- Navigate to Microsoft Entra admin center → Users → Per-user MFA
- Enable MFA for all administrative accounts first
- Roll out to all users within 14 days
- Enroll at least one backup method per user (authenticator app + phone)
**Document the Gap**: Per-user MFA cannot enforce risk-based step-up, device compliance, or location-based blocking. Document this as a risk for steering committee.
**Document the Gap**: E3 conditional access cannot enforce risk-based step-up or impossible-travel blocking (these require Entra ID P2). Document risk-based policies as a gap for steering committee.
**Disable Legacy Authentication**
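Review bot: the new paragraph makes conditional access the preferred MFA mechanism, but the step list that follows still walks through "Users → Per-user MFA" and only that path, so the procedure no longer matches the recommendation it sits under. Suggest adding the conditional access route as the primary steps: create a policy targeting all users and all cloud apps that requires multifactor authentication, exclude the emergency-access (break-glass) accounts, run it in report-only mode first, then switch it to On, keeping the per-user path only as the fallback the new text describes. The rewritten gap note ("impossible-travel blocking ... require Entra ID P2") is consistent with the P2 framing used in the rest of the change.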
@@ -149,9 +149,9 @@ Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
## Phase 2: Augment E3 (Week 3-4)
### Close the EDR Gap (No Defender for Endpoint P2)
### Close the EDR Gap (Defender for Endpoint P1, Not P2)
E3 includes Microsoft Defender Antivirus but **not** EDR. You need visibility.
E3 includes **Microsoft Defender for Endpoint P1** (next-gen AV, device control, ASR rules in audit mode, network protection in audit mode). It does **not** include full EDR, automated investigation, or threat analytics. You need visibility beyond what P1 provides.
| Option | Cost | Effort | When to Use |
|--------|------|--------|-------------|
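Review bot: renaming the heading from "Close the EDR Gap (No Defender for Endpoint P2)" to "Close the EDR Gap (Defender for Endpoint P1, Not P2)" changes the generated markdown anchor, and this commit touches five playbooks that cross-reference each other; grep for links to the old heading slug (and likewise for the "Close the Conditional Access Gap" heading renamed further down) and update them, or those links break silently. Also, the new paragraph's parenthetical lists "network protection in audit mode" alongside ASR audit mode, but the inclusion table at the top of the file mentions only "ASR audit mode" for the P1 row; make the two descriptions match so readers get one statement of what P1 covers.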
@@ -167,24 +167,25 @@ E3 includes Microsoft Defender Antivirus but **not** EDR. You need visibility.
3. Upgrade **only privileged users** to Microsoft Defender for Endpoint P2 via add-on or E5 Security
4. This gives you EDR coverage where it matters most at ~10% of full E5 cost
### Close the Conditional Access Gap (No Entra ID P1/P2)
### Close the Risk-Based Identity Gap (No Entra ID P2)
Without conditional access, you cannot enforce:
- Device compliance gating
- Location-based blocking
- Risk-based step-up
- Block legacy auth per-protocol
E3 includes **Entra ID P1**, which provides robust conditional access: device compliance gating, location-based blocking, and per-protocol legacy auth blocking are all available. What E3 lacks is **risk-based intelligence**:
- Risk-based step-up (e.g., require MFA when sign-in risk is elevated)
- Impossible travel detection and blocking
- Identity protection and automated remediation
- PIM for just-in-time admin elevation
**Mitigations within E3**:
- **Per-user MFA**: Enforce for 100% of users (already covered above)
- **Block legacy auth tenant-wide**: Already covered above
- **Intune MDM enrollment**: E3 includes basic Intune; enroll all corporate devices
- **Third-party MFA with policy engine**: Duo, Okta (additional cost, but cheaper than full E5)
- **Conditional access policies**: Enforce MFA for all users, block legacy auth, require compliant devices for sensitive apps, and restrict by location—all with Entra ID P1
- **Intune MDM enrollment**: E3 includes full Intune; enroll all corporate devices to make them conditional access signals
- **Per-user MFA**: As a fallback if conditional access deployment is phased
- **Manual risk review**: Export sign-in logs weekly; flag anomalous locations, failed MFA attempts, and unknown devices
**The Strategic Conversation**:
> *"E3 gives us strong authentication but weak authorization. We can enforce MFA, but we cannot say 'only from a managed device in the Czech Republic.' If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P1 for conditional access, not a full E5 jump."*
> *"E3 gives us strong authentication and solid authorization. We can enforce MFA, block legacy auth, and require managed devices. What we cannot do is automatically step up authentication when a sign-in looks risky, or block access from impossible travel. If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P2 for identity protection, not a full E5 jump."*
### Close the Email Security Gap (No Defender for Office 365 P2)
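Review bot: the "Per-user MFA: As a fallback if conditional access deployment is phased" bullet needs a caveat, because users whose per-user MFA state is Enforced are prompted on every sign-in regardless of conditional access policy, which makes CA exclusions (break-glass accounts, report-only testing) behave unexpectedly; Microsoft recommends migrating per-user MFA settings to conditional access rather than running both. Suggest wording it as a time-boxed transitional state that is switched off once the policies from the "Conditional access policies" bullet are in On mode. Two smaller points: "require compliant devices for sensitive apps" in the first bullet depends on the Intune enrollment in the second bullet being complete, so order them or say so; and the removed "Third-party MFA with policy engine" option disappears without a sentence explaining that Entra ID P1 conditional access now covers that need, which readers of the previous version will look for.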
@@ -282,7 +283,7 @@ There will come a point where E3 augmentation is no longer cost-effective. Frame
| E5 Capability | What It Solves | When to Recommend |
|--------------|----------------|-------------------|
| Defender for Endpoint P2 | EDR, ASR, threat analytics | Client has had malware incident or is in regulated industry |
| Entra ID P2 | Conditional access, PIM, identity protection | Client has admin compromise or needs device/location gating |
| Entra ID P2 | Risk-based conditional access, PIM, identity protection | Client has admin compromise or needs risk-based/impossible-travel blocking |
| Defender for Office 365 P2 | Safe Links, Safe Attachments, automated investigation | Client has had phishing-driven incident |
| Purview | DLP, sensitivity labels, insider risk | Client handles customer PII, financial data, or trade secrets |
| Sentinel | SIEM, SOAR, threat hunting | Client has dedicated SOC or regulatory SIEM requirements |
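Review bot: the unchanged Defender for Endpoint P2 row in this table lists "ASR" as a capability E5 adds, which contradicts the inclusion table at the top of the file where the new Defender for Endpoint P1 row shows "ASR audit mode" as already included; narrow it to what P2 adds over P1 in this document's framing (e.g. "EDR, ASR enforcement beyond audit mode, threat analytics"). The updated Entra ID P2 row reads correctly against the new "Close the Risk-Based Identity Gap (No Entra ID P2)" section and the revised strategic-conversation quote.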