fix: Correct M365 E3 licensing capabilities across playbooks

E3 includes Entra ID P1 (conditional access, SSPR) and Defender for
Endpoint P1 (AV, device control, ASR audit mode), not just 'Free'/'AV only'.

Key corrections:
- m365-e3-hardening.md: Entra ID P1 with conditional access is now
  correctly listed as included; Intune is full, not 'basic'; ASR audit
  mode is available in P1; risk-based gap reframed as 'No Entra ID P2'
- zero-budget-hardening.md: E3 comparison table now shows Entra ID P1
  and Defender for Endpoint P1 correctly; pitch text updated
- modular-engagements.md: MFA description now reflects conditional
  access availability in E3
- m365-antifragile-project.md: Conditional Access heading now correctly
  notes E3 includes P1; E3 baseline mentions conditional access
- endpoint-management-entry-vector.md: Intune described as full MDM/MAM
2026-05-09 16:58:36 +02:00
parent 763da003d3
commit 3569cd7c45
5 changed files with 36 additions and 34 deletions


@@ -18,9 +18,9 @@ Before proposing any new tool, conduct this audit. It typically reveals that the
| Capability | What E5 Includes | What E3 Includes | What Is Often Unused | Activation Effort |
|-----------|------------------|------------------|---------------------|-------------------|
| Endpoint Detection | Defender for Endpoint P2 (EDR, ASR) | Defender Antivirus only (no EDR) | Real-time protection, network protection | Low |
| Endpoint Detection | Defender for Endpoint P2 (EDR, ASR enforce) | Defender for Endpoint P1 (AV, device control, ASR audit mode; no EDR) | Real-time protection, network protection | Low |
| SIEM / Log Analytics | Microsoft Sentinel | Log Analytics only (no Sentinel) | Basic KQL queries, log forwarding | Medium |
| Identity Protection | Entra ID P2 (PIM, conditional access, risk) | Entra ID Free (per-user MFA only) | Per-user MFA, basic audit | Low |
| Identity Protection | Entra ID P2 (PIM, risk-based conditional access) | Entra ID P1 (conditional access, per-user MFA, SSPR; no PIM, no risk policies) | Conditional access MFA, device compliance, location blocking | Low |
| Email Security | Defender for Office 365 P2 (Safe Links, Safe Attachments) | EOP only (basic anti-phishing) | Anti-malware, anti-spam tuning | Low |
| Data Protection | Microsoft Purview (DLP, labels) | None | N/A | N/A |
| Cloud Security | Microsoft Defender for Cloud | Basic Defender for Cloud (limited) | Secure score review | Low |
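Review bot: the "What Is Often Unused" column of the Endpoint Detection row was left at "Real-time protection, network protection" even though the E3 column now credits Defender for Endpoint P1 with device control and ASR audit mode; since the table exists to surface owned-but-unused capability, add those two there (e.g. "Real-time protection, network protection, device control, ASR rules in audit mode") so the E3 audit actually prompts someone to switch them on. The Identity Protection row is consistent in both directions (E5 narrowed to "risk-based conditional access", E3 gains "conditional access, per-user MFA, SSPR; no PIM, no risk policies"), and "Conditional access MFA, device compliance, location blocking" in the unused column matches what P1 offers.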
@@ -30,7 +30,7 @@ Before proposing any new tool, conduct this audit. It typically reveals that the
**The Pitch (E3 Clients)**:
> *"You own E3, not E5. That means we do not have EDR, conditional access, or advanced email filtering out of the box. But we do have solid foundations: antivirus, basic MFA, audit logging, and EOP. Our first job is to turn every E3 knob to maximum, then close the most dangerous gaps with free tools like Sysmon and Wazuh. If gaps remain that threaten your specific risk profile, we will size a selective upgrade—not a blanket one."*
> *"You own E3, not E5. That means we do not have EDR, risk-based conditional access, or advanced email filtering out of the box. But we do have solid foundations: conditional access with device and location gating, per-user MFA, audit logging, EOP, and Intune. Our first job is to turn every E3 knob to maximum, then close the most dangerous gaps with free tools like Sysmon and Wazuh. If gaps remain that threaten your specific risk profile, we will size a selective upgrade—not a blanket one."*
### Multi-Cloud / Heterogeneous Environments
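Review bot: the rewritten pitch drops "antivirus" from the list of foundations, which contradicts the table in this same change that now credits E3 with Defender for Endpoint P1 (AV, device control, ASR audit mode); keep it in the list, e.g. "Defender for Endpoint P1 antivirus and device control, conditional access with device and location gating, …". Also consider replacing "per-user MFA" with "MFA enforced through conditional access", since the Week 1 identity steps further down in this diff move E3 clients from per-user MFA to a conditional access policy, and the pitch should describe the same mechanism the plan deploys.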
@@ -67,7 +67,7 @@ This sprint assumes the client has a typical Microsoft-centric environment with
### Week 1: Turn On What You Own
> **Note for E3 clients**: Skip the ASR and advanced EDR steps below. E3 includes Defender Antivirus only. See [M365 E3 Hardening](m365-e3-hardening.md) for the E3-specific week 1 plan. The steps below assume E5 or Defender for Endpoint P2.
> **Note for E3 clients**: Skip the advanced EDR and ASR enforcement steps below. E3 includes Defender for Endpoint P1 (AV, device control, ASR audit mode), but not P2 EDR or automated investigation. See [M365 E3 Hardening](m365-e3-hardening.md) for the E3-specific week 1 plan. The steps below assume E5 or Defender for Endpoint P2.
**Day 1-2: Microsoft Defender for Endpoint (E5 Only)**
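Review bot: the unchanged heading "Day 1-2: Microsoft Defender for Endpoint (E5 Only)" now contradicts the rewritten note directly above it, which says E3 includes Defender for Endpoint P1 and only the P2 EDR and automated investigation steps should be skipped; retag the heading (e.g. "(EDR steps: E5 / Defender for Endpoint P2; AV, device control and ASR audit mode: E3 P1)") or split the day's steps into a P1 subset and a P2 subset so E3 readers do not skip the whole section.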
@@ -89,10 +89,11 @@ This sprint assumes the client has a typical Microsoft-centric environment with
- Block legacy authentication
- Require compliant or hybrid Azure AD joined device for admin roles
- Enable PIM for Global Administrator and other privileged roles
- **E3 clients**: Enable per-user MFA for all users (no conditional access available)
- Block legacy authentication tenant-wide
- Review and reduce standing admin assignments manually
- Document conditional access as a gap for steering committee
- **E3 clients**: Deploy conditional access policies with Entra ID P1:
- Require MFA for all users, all cloud apps
- Block legacy authentication
- Require compliant or hybrid Azure AD joined device for admin roles
- Document risk-based conditional access and PIM as gaps for steering committee
**Day 5: Email Security**
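Review bot: the new E3 bullet list drops "Review and reduce standing admin assignments manually" from the old version, but Entra ID P1 does not replace that control: PIM is still documented as a gap in the same list, so without PIM the manual review of standing Global Administrator and other privileged assignments is the only mitigation left and should stay as a bullet. Two smaller points: the "Require MFA for all users, all cloud apps" policy should be rolled out in report-only mode first with an emergency-access (break-glass) account excluded, otherwise a misconfigured policy locks out the admins applying it; and the E3 bullets inherit "hybrid Azure AD joined" from the E5 list while the rest of this commit says "Entra ID", so pick one name in both lists.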