# M365 E3 Hardening Playbook

> *"Most of your clients own E3, not E5. That is not a handicap. It is a constraint that forces precision."*

This playbook is designed for consulting engagements where the client's primary environment is **Microsoft 365 with E3 licensing**. It provides a pragmatic hardening roadmap that respects the E3 feature boundary while closing critical security gaps through configuration, process, and low-cost augmentation.

E3 provides the foundation. The gaps are real but manageable. This document shows you exactly what E3 gives you, what it does not, and how to close the gaps without immediately pushing an E5 upgrade.

---

## What E3 Actually Includes (Security-Relevant)

| Capability | E3 Inclusion | Notes |
|-----------|-------------|-------|
| Exchange Online Protection (EOP) | Yes | Anti-malware, anti-spam, spoof intelligence and DMARC enforcement; no impersonation protection, Safe Links or Safe Attachments (those are Defender for Office 365) |
| Entra ID P1 | Yes | Conditional access, per-user MFA, SSPR with password writeback; no PIM, no risk-based (Identity Protection) policies |
| Microsoft Defender for Endpoint P1 | Yes | Next-gen AV, ASR rules, network and web protection, device control; no EDR, no automated investigation, no threat analytics |
| Office 365 Audit Logging (Audit Standard) | Yes | Verify ingestion is enabled; older tenants may still have it off. 180-day retention |
| Microsoft Intune | Yes | Full MDM/MAM, device compliance, configuration policies |
| Self-Service Password Reset (SSPR) | Yes | Off by default; enable for a pilot group first, require two registered methods, and turn on password writeback for hybrid tenants |
| Microsoft Purview (baseline) | Partial | Manual sensitivity labels, retention policies, and DLP for Exchange, SharePoint and OneDrive; no endpoint or Teams DLP, no auto-labeling, no insider risk |
| Teams, SharePoint, OneDrive | Yes | Data governance limited to the baseline Purview features above |

## What E3 Does NOT Include (The Gaps)

| Capability | Missing in E3 | Business Impact |
|-----------|---------------|-----------------|
| Microsoft Defender for Endpoint P2 | No | No EDR, no threat analytics, no automated investigation, no vulnerability management |
| Entra ID P2 (Identity Protection) | No | No risk-based conditional access, no user or sign-in risk detection, no automated remediation |
| Entra ID PIM | No | No just-in-time admin elevation (PIM ships with P2) |
| Microsoft Defender for Office 365 (P1 or P2) | No | No Safe Links, Safe Attachments or impersonation protection (P1); no automated investigation or attack simulation training (P2) |
| Microsoft Purview (advanced) | No | No endpoint or Teams DLP, no auto-labeling, no insider risk management, no Audit (Premium) |
| Microsoft Sentinel | No | Not part of any M365 SKU: Sentinel is consumption-billed Azure on top of Log Analytics (E5 only adds a daily data grant for M365 logs) |

---

## The E3 Hardening Strategy

We operate in three layers:

1. **Maximize E3**: every configuration, every policy, every log that E3 can produce
2. **Augment E3**: open-source and low-cost tools that close the most dangerous gaps
3. **Justify E5 selectively**: use E3 gaps as evidence for strategic E5 upgrades, not blanket licensing

---

## Phase 1: E3 Foundation (Week 1-2)

### Identity and Access

**Enable MFA for All Users**

E3 includes **Entra ID P1**, which supports both legacy **per-user MFA** and **conditional access-based MFA**. Use conditional access: it gives granular targeting, a report-only mode for a safe rollout, and one place to exclude the break-glass accounts. Per-user MFA is a fallback only for tenants still mid-migration.

- Microsoft Entra admin center → Protection → Conditional Access → create a policy targeting all users and all cloud apps with the grant control "Require multifactor authentication"; exclude the break-glass group
- Start the policy in report-only mode, review the sign-in log impact for a few days, then enable it
- Cover all administrative accounts first (the built-in "Require MFA for admins" template is adequate)
- Roll out to all users within 14 days
- Require at least two registered methods per user (authenticator app plus a second factor); do not let SMS be anyone's only method

**Document the Gap**: E3 conditional access cannot enforce risk-based step-up or impossible-travel blocking (these require Entra ID P2). Document risk-based policies as a gap for the steering committee.
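The two policies described above, as an added example (not code from the playbook): it creates the "require MFA for all users" and "block legacy authentication" Conditional Access policies through the Microsoft Graph PowerShell SDK, in report-only mode, with a break-glass group excluded. The group name `SEC-BreakGlass-CA-Exclusions` and the policy names are assumptions; it also assumes security defaults are already off, since they cannot coexist with Conditional Access policies, and that the operator holds the Conditional Access Administrator role.

```powershell
# Added example, not code from the playbook: create the two baseline Conditional Access
# policies that Entra ID P1 supports (require MFA for everyone; block legacy authentication)
# in report-only mode, so impact is measured in the sign-in log before anything is enforced.
# Assumptions: Microsoft.Graph PowerShell SDK installed, Conditional Access Administrator
# role, security defaults already off, and a break-glass security group whose name is set
# in $breakGlassGroupName (a hypothetical name; use the client's own).

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "AuditLog.Read.All"

$breakGlassGroupName = "SEC-BreakGlass-CA-Exclusions"
$breakGlass = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'"
if (-not $breakGlass) {
    throw "Break-glass group '$breakGlassGroupName' not found; create it and add the emergency accounts first."
}

# Report-only: evaluated and logged on every sign-in, never enforced. Flip to "enabled" later.
$reportOnly = "enabledForReportingButNotEnforced"

# Policy 1: require MFA for all users, all cloud apps, break-glass excluded.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the client
# app types that cannot do modern auth, so this policy is what actually turns legacy
# auth off; the admin-center "modern authentication" toggle only enables modern auth.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "'$($policy.displayName)' already exists in state '$($existing.State)'; not touching it."
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'."
}

# Evidence for the exceptions list before CA002 is enforced: who still signs in with a
# legacy client. Sign-in log access is an Entra ID P1 feature, so E3 has it.
function Get-LegacyAuthSignIns {
    param([int]$Sample = 5000)
    Get-MgAuditLogSignIn -Top $Sample |
        Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
        Group-Object UserPrincipalName, ClientAppUsed |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-LegacyAuthSignIns | Format-Table -AutoSize
```

Leave both policies in report-only for at least a week, work the legacy-auth list into documented exceptions (or retire the clients), then change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Enable CA002 from a session signed in with a break-glass account so a mistake cannot lock you out.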
**Disable Legacy Authentication**

- The Microsoft 365 admin center toggle (Settings → Org settings → Modern authentication) only turns modern authentication *on* for Exchange; it does not block legacy clients
- Block legacy authentication with a conditional access policy (client apps: Exchange ActiveSync and Other clients; grant: Block) or with Exchange authentication policies
- Before enforcing, filter the Entra sign-in log by client app to see what still uses Basic auth; Exchange Online disabled Basic auth for most protocols in 2022, but SMTP AUTH can still be enabled per mailbox
- If specific protocols are required (e.g., IMAP for legacy devices), document exceptions with expiration dates and scope them to named accounts

**Audit and Cleanse Identities**

The MSOnline and AzureAD PowerShell modules are retired; use the Microsoft Graph PowerShell SDK (`Connect-MgGraph`).

- Export all users: `Get-MgUser -All -Property "id,userPrincipalName,userType,accountEnabled,signInActivity" | Export-Csv users.csv -NoTypeInformation`
- Export all guest users: `Get-MgUser -All -Filter "userType eq 'Guest'"` (guests are `userType` Guest, not "unlicensed users", and are easy to miss in the admin center)
- Export all service principals / enterprise apps: `Get-MgServicePrincipal -All`, and their delegated consents: `Get-MgOauth2PermissionGrant -All`
- Disable unused accounts (> 90 days since `signInActivity.lastSignInDateTime`; reading it needs the `AuditLog.Read.All` scope)
- Review and revoke excessive OAuth consents, starting with third-party apps holding mail, file or directory-write scopes

**Secure Break-Glass Accounts**

- Create at least two cloud-only (`onmicrosoft.com`) Global Administrator accounts that are excluded from every conditional access policy, so a misconfigured policy or an MFA provider outage cannot lock the tenant
- Excluded from conditional access does not mean unprotected: register FIDO2 keys where possible; otherwise use 20+ character passwords generated and stored offline (split between custodians, sealed)
- Alert on every sign-in from these accounts (Entra sign-in log or the unified audit log); review the accounts and their credentials quarterly

### Email Security (EOP-Only)

**Harden Anti-Phishing in EOP**

EOP's anti-phishing policy is limited to spoof intelligence, unauthenticated sender indicators and honoring the sender's DMARC policy. Impersonation protection (user and domain impersonation, mailbox intelligence) is a Defender for Office 365 feature and is **not** available in E3. Configure what EOP does have aggressively:

- Microsoft Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → Threat policies → Anti-phishing
- Enable spoof intelligence and set the action for detected spoof to **Quarantine**
- Honor the sender's DMARC policy (p=reject → reject, p=quarantine → quarantine)
- Publish SPF, DKIM and a DMARC record (moving to p=reject) for your own domains, so EOP and everyone else can enforce them
- Approximate impersonation protection with a mail flow rule that flags external mail whose From display name matches an executive (document this as a workaround, not an equivalent)
- Document the gap: impersonation protection requires at least a Defender for Office 365 P1 add-on

**Configure Anti-Malware**

- Defender portal → Threat policies → Anti-malware
- Enable the common attachments filter and extend the default extension list (executable, script and disk-image types)
- Enable zero-hour auto purge (ZAP) for malware
- Notify administrators with full message details

**Anti-Spam Tuning**

- Defender portal → Threat policies → Anti-spam
- Lower the bulk complaint level (BCL) threshold to 6 (default is 7; lower is stricter)
- The "SPF record: hard fail" advanced spam filter setting marks hard fails as spam; it is off by default because misconfigured senders cause false positives, so enable it only after checking partner domains
- Outbound spam policy: set recipient rate limits, disable automatic external forwarding, and notify administrators when a sender is restricted

### Audit Logging

**Enable Unified Audit Log**

Ingestion is on by default for tenants created after 2019, but older tenants and tenants where someone turned it off still have it disabled. Verify rather than assume: this is the most underutilized E3 feature.
```powershell
# Exchange Online PowerShell (ExchangeOnlineManagement module)
Connect-ExchangeOnline

# Verify status
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Enable if false
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

- Retention: 180 days with Audit (Standard), which is what E3 includes (raised from 90 days in 2023); document the gap against the one-year or longer requirement in some regulations and schedule an export to long-term storage
- Export for analysis: `Search-UnifiedAuditLog` in Exchange Online PowerShell, or the Audit search in the Purview portal
- **AOC integration**: for clients with AOC deployed, unified audit logs are ingested automatically and correlated with Entra ID sign-in events to surface anomalous admin behaviour without manual PowerShell queries

**Enable Mailbox Auditing**

Mailbox auditing is on by default for Exchange Online mailboxes, but an organization-level override can disable it and individual mailboxes may have been excluded. Verify both:

```powershell
# Must be False; if it is True, run: Set-OrganizationConfig -AuditDisabled $false
Get-OrganizationConfig | Select-Object AuditDisabled

# Enable for all mailboxes (explicit per-mailbox setting; harmless where the default already applies)
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
```

### SharePoint and OneDrive

**External Sharing Lockdown**

- SharePoint admin center → Policies → Sharing
- Default: **Only people in your organization**
- Override per site only with documented business justification
- Disable "Anyone" links (anonymous sharing)

**OneDrive Retention**

- SharePoint admin center → Settings → OneDrive → Retention (the OneDrive admin center has been folded into the SharePoint admin center)
- Days to retain files after a user is deleted: 30 is the default; set it to at least 30 and align it with the HR off-boarding process
- Document the data ownership transfer process (access delegation to the manager happens within this window)

---

## Phase 2: Augment E3 (Week 3-4)

### Close the EDR Gap (Defender for Endpoint P1, Not P2)

E3 includes **Microsoft Defender for Endpoint P1** (next-gen AV, ASR rules, network and web protection, device control). It does **not** include EDR, automated investigation, threat analytics, or vulnerability management. You need visibility beyond what P1 provides.
| Option | Cost | Effort | When to Use |
|--------|------|--------|-------------|
| **Wazuh** (open-source) | Free | Medium | Need centralized EDR-like visibility without a purchase |
| **Sysmon + free log forwarding** | Free | Medium | Need detailed Windows endpoint telemetry |
| **Upgrade select users to E5 Security** | ~$12/user/month (list) | Low | Critical users only (admins, executives, finance) |
| **Microsoft Defender for Business** | ~$3/user/month | Low | Small business clients (300-user cap); includes EDR and automated investigation |

**Recommended Hybrid Approach for E3 Clients**:

1. Deploy **Sysmon** (free) on all Windows endpoints with the SwiftOnSecurity config
2. Forward Sysmon logs to **Wazuh** (free) or the existing syslog/SIEM
3. Upgrade **only privileged users** to Microsoft Defender for Endpoint P2 via add-on or E5 Security
4. This gives you EDR coverage where it matters most at roughly 10% of full E5 cost

### Close the Risk-Based Identity Gap (No Entra ID P2)

E3 includes **Entra ID P1**, which provides robust conditional access: device compliance gating, location-based blocking, and per-protocol legacy auth blocking are all available. What E3 lacks is **risk-based intelligence**:

- Risk-based step-up (e.g., require MFA when sign-in risk is elevated)
- Impossible travel detection and blocking
- Identity protection and automated remediation
- PIM for just-in-time admin elevation

**Mitigations within E3**:

- **Conditional access policies**: enforce MFA for all users, block legacy auth, require compliant devices for sensitive apps, and restrict by location, all with Entra ID P1
- **Intune MDM enrollment**: E3 includes full Intune; enroll all corporate devices so device compliance becomes a conditional access signal
- **Per-user MFA**: as a fallback if conditional access deployment is phased
- **Manual risk review**: export sign-in logs weekly; flag anomalous locations, failed MFA attempts, and unknown devices

**The Strategic Conversation**:

> *"E3 gives us strong authentication and solid authorization. We can enforce MFA, block legacy auth, and require managed devices. What we cannot do is automatically step up authentication when a sign-in looks risky, or block access from impossible travel. If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P2 for identity protection, not a full E5 jump."*

### Configuration Immunity (ASTRAL)

E3 tenants accumulate hundreds of configuration objects (conditional access policies, Intune profiles, compliance policies, Exchange transport rules) with no version control. A single accidental deletion or unauthorised change can break authentication or expose data.

**Mitigations alongside E3**:

- **ASTRAL baseline capture**: record the state of every M365 configuration object at engagement start
- **Drift detection**: alert within minutes when policies are created, modified, or deleted outside change windows
- **One-click rollback**: restore deleted or misconfigured policies without rebuilding from memory
- **Change attribution**: link every configuration change to the specific admin account and session

**The Strategic Conversation**:

> *"Your M365 tenant has 400 configuration objects and no version control. When an admin accidentally deletes a conditional access policy at 2 AM, you discover it 6 hours later because users are complaining. ASTRAL detects the deletion in 60 seconds, attributes it to the specific admin, and offers one-click rollback. This is not backup. This is configuration immunity."*

### Close the Email Security Gap (No Defender for Office 365)

EOP anti-phishing is reactive. Safe Links and Safe Attachments are proactive.
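The transport-rule mitigations listed for this gap (attachment filtering and URL handling), together with an executive display-name rule that stands in for the impersonation protection EOP lacks, as an added example that is not code from the playbook. The executive names, the trusted partner domain and the high-risk TLD list are placeholders to be replaced with the client's own data; every rule is created in Audit mode so hits can be counted in the message trace before anything is enforced.

```powershell
# Added example, not code from the playbook: three EOP-level mail flow (transport) rules
# that approximate controls Defender for Office 365 would provide. Executive names, the
# trusted-domain list and the TLD list are assumptions. All rules start in Audit mode,
# which logs matches without taking the action, so the false-positive rate can be measured.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function New-RuleIfMissing {
    param([hashtable]$Rule)
    if (Get-TransportRule -Identity $Rule.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($Rule.Name)' already exists; skipping."
        return
    }
    New-TransportRule @Rule | Out-Null
    Write-Host "Created rule '$($Rule.Name)' in $($Rule.Mode) mode."
}

# Rule 1: external mail whose From display name matches a protected executive.
# EOP has no impersonation protection, so the display name is matched explicitly.
# HeaderMatchesPatterns is a regular expression applied to the full From header value.
$executives   = @("Jane Example", "John Example")   # assumption: the client's VIP list
$namePatterns = $executives | ForEach-Object { '(?i)^\s*"?' + [regex]::Escape($_) }

$rule1 = @{
    Name                       = "SEC-01 External sender using executive display name"
    FromScope                  = "NotInOrganization"
    HeaderMatchesMessageHeader = "From"
    HeaderMatchesPatterns      = $namePatterns
    ExceptIfSenderDomainIs     = @("partner.example")   # assumption: trusted partner domains
    PrependSubject             = "[EXTERNAL: SENDER NAME MATCHES AN EXECUTIVE] "
    SetSCL                     = 9                      # deliver to Junk; switch to Quarantine once tuned
    Mode                       = "Audit"
    SetAuditSeverity           = "High"
    Comments                   = "BEC display-name control. Review audit hits for two weeks, then set Mode to Enforce."
}
New-RuleIfMissing -Rule $rule1

# Rule 2: reject true executable content from outside, regardless of the file extension.
# This complements the EOP common attachments filter, which is extension based.
$rule2 = @{
    Name                            = "SEC-02 Reject executable attachments from outside"
    FromScope                       = "NotInOrganization"
    AttachmentHasExecutableContent  = $true
    RejectMessageReasonText         = "Executable attachments are not accepted. Use the approved file transfer service."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                            = "Audit"
    SetAuditSeverity                = "High"
    Comments                        = "Executable content by inspection, not extension."
}
New-RuleIfMissing -Rule $rule2

# Rule 3: flag links to high-risk TLDs. Transport rules cannot rewrite or sandbox URLs
# (that is Safe Links); they can only tag, quarantine or reject the message.
$riskyTlds  = @("zip", "mov", "top", "xyz", "click")   # assumption: tune from the client's phishing telemetry
$tldPattern = 'https?://[^ /]+\.(' + ($riskyTlds -join '|') + ')(/| |$)'

$rule3 = @{
    Name                         = "SEC-03 Flag links to high-risk TLDs"
    FromScope                    = "NotInOrganization"
    SubjectOrBodyMatchesPatterns = @($tldPattern)
    PrependSubject               = "[EXTERNAL: LINK TO HIGH-RISK DOMAIN] "
    Mode                         = "Audit"
    SetAuditSeverity             = "Medium"
    Comments                     = "Flag only; EOP cannot rewrite URLs."
}
New-RuleIfMissing -Rule $rule3

# Verification: the three rules, their state, mode and evaluation order.
Get-TransportRule | Where-Object Name -like "SEC-0*" |
    Format-Table Name, State, Mode, Priority -AutoSize
```

In Audit mode the subject tags and rejections are not applied; matches appear in the message trace and in the rule report. After the tuning window, `Set-TransportRule -Identity "SEC-01 ..." -Mode Enforce` turns each rule live, and the SCL action on SEC-01 can be replaced with quarantine once the executive list and partner exceptions are stable.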
**Mitigations within E3**:

- **URL handling via transport rules**: EOP cannot rewrite or sandbox URLs; transport rules can tag, quarantine or reject messages whose body matches high-risk URL patterns (newly abused TLDs, raw IP links)
- **Attachment filtering**: reject by true executable content and password-protected archives at the transport rule level, beyond the extension-based common attachments filter EOP already applies
- **User education**: phishing simulation via free or low-cost platforms (GoPhish is open-source)
- **Third-party email gateway**: Proofpoint, Mimecast, Avanan (~$3-5/user/month)

**The Strategic Conversation**:

> *"EOP catches spam and known malware. It does not rewrite URLs or sandbox attachments. For a bank/telco/power client, that gap is meaningful. The most cost-effective close is either Defender for Office 365 P1 add-on or a third-party gateway. Let us quantify the phishing risk first, then size the investment."*

### Close the PAM Gap (No PIM)

Without PIM, administrative roles are standing privileges.

**Mitigations within E3**:

- **Dedicated admin accounts**: separate, cloud-only admin identity for every administrator; no mailbox, no licence beyond what the role needs
- **Least-privileged roles**: keep Global Administrators to a handful and assign the narrowest built-in role (Exchange Administrator, Intune Administrator, and so on) for everything else
- **PAW (Privileged Access Workstation)**: physical or virtual separation for admin tasks, enforced with a conditional access policy that allows admin roles only from compliant devices
- **Time-bounded access via process**: manual approval workflow for admin elevation, with the role removed again by a scheduled review
- **Quarterly admin access review**: document every admin; remove stale assignments
- **Windows LAPS**: built into current Windows and Windows Server; Entra ID-backed password storage is configured through Intune, which E3 includes

---

## Phase 3: M365-Specific Threat Scenarios

### Scenario 1: Business Email Compromise (BEC)

**The Attack**: Adversary compromises an executive mailbox, sends fraudulent payment instructions.

**E3 Defenses**:

- Spoof intelligence and DMARC enforcement in EOP, plus the executive display-name transport rule (impersonation protection itself is Defender for Office 365)
- Mailbox auditing (configured above): inbox rule creation and changes are logged
- MFA on all accounts (prevents initial compromise)
- Outbound spam policy: disable automatic external forwarding and flag unusual send patterns

**Gap**: No Safe Links to rewrite URLs in real time; no automated investigation.

**Augmentation**: User education + third-party email gateway.

### Scenario 2: OAuth / Consent Grant Attack

**The Attack**: A user grants permissions to a malicious app; the adversary gains persistent access that survives a password reset.
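The inventory that both the Phase 1 "Audit and Cleanse Identities" step and this scenario's defenses call for, as an added example that is not code from the playbook: it exports all users, guests and stale accounts, lists every delegated OAuth consent grant with its scopes, flags third-party apps holding mail or directory-write permissions, and reports whether users are still allowed to consent. The output folder, the 90-day staleness window and the "risky scope" list are assumptions; the two Microsoft tenant IDs used to recognise first-party apps are the well-known ones.

```powershell
# Added example, not code from the playbook: identity and consent-grant audit with the
# Microsoft Graph PowerShell SDK (MSOnline/AzureAD are retired). Assumes the SDK is
# installed and the listed read-only scopes are consented. Output folder, staleness
# window and risky-scope list are assumptions to tune per client.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Application.Read.All", "Policy.Read.All"

$outDir = Join-Path $PWD "identity-audit"      # assumption: where the CSV evidence goes
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$staleCutoff = (Get-Date).AddDays(-90)

# 1. Users with last sign-in. signInActivity needs AuditLog.Read.All and Entra ID P1 (in E3).
#    Guests are userType 'Guest'; the old "unlicensed users" trick does not find them.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity" |
    Select-Object Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, CreatedDateTime,
        @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } }
$users | Export-Csv (Join-Path $outDir "all-users.csv") -NoTypeInformation

$guests = $users | Where-Object UserType -eq "Guest"
$guests | Export-Csv (Join-Path $outDir "guests.csv") -NoTypeInformation

# Stale: enabled, created before the cutoff, and never signed in or last seen before it.
$stale = $users | Where-Object {
    $_.AccountEnabled -and $_.CreatedDateTime -lt $staleCutoff -and
    (-not $_.LastSignIn -or $_.LastSignIn -lt $staleCutoff)
}
$stale | Export-Csv (Join-Path $outDir "stale-users.csv") -NoTypeInformation

# 2. Delegated OAuth consent grants, joined to the service principal they belong to.
#    ConsentType 'AllPrincipals' = admin consented for everyone; 'Principal' = one user.
$sps = @{}
Get-MgServicePrincipal -All -Property "id,appId,displayName,appOwnerOrganizationId" |
    ForEach-Object { $sps[$_.Id] = $_ }

$microsoftOwned = @("f8cdef31-a31e-4b4a-93e4-5f571e91255a", "72f988bf-86f1-41af-91ab-2d7cd011db47")  # well-known Microsoft tenant IDs
$tenantId    = (Get-MgContext).TenantId
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                 "Directory.ReadWrite.All", "User.ReadWrite.All", "MailboxSettings.ReadWrite")

$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $sp     = $sps[$_.ClientId]
    $scopes = @($_.Scope -split " " | Where-Object { $_ })
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        ThirdParty  = ($sp.AppOwnerOrganizationId -ne $tenantId) -and ($sp.AppOwnerOrganizationId -notin $microsoftOwned)
        ConsentType = $_.ConsentType
        PrincipalId = $_.PrincipalId
        Scopes      = ($scopes -join " ")
        RiskyScopes = (@($scopes | Where-Object { $_ -in $riskyScopes }) -join " ")
    }
}
$grants | Export-Csv (Join-Path $outDir "oauth-grants.csv") -NoTypeInformation

# Triage list: third-party apps holding mail, file or directory-write scopes.
$suspect = $grants | Where-Object { $_.ThirdParty -and $_.RiskyScopes } | Sort-Object App
$suspect | Format-Table App, ConsentType, RiskyScopes -AutoSize

# 3. Can users still consent? An empty list means admin consent is required for every app.
$consentPolicies = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host ("User consent policies: " + $(if ($consentPolicies) { $consentPolicies -join ", " } else { "none (admin consent required)" }))

Write-Host ("Users: {0}  Guests: {1}  Stale: {2}  Grants: {3}  Suspect third-party grants: {4}" -f `
    $users.Count, $guests.Count, $stale.Count, $grants.Count, @($suspect).Count)
```

A grant in the suspect list is revoked with `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <id>`; re-run the script afterwards and keep the CSVs as evidence for the quarterly review. If the consent policy line shows anything other than "none", turn user consent off and enable the admin consent request workflow so users have a legitimate path to ask for an app.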
**E3 Defenses**:

- Audit all enterprise apps and their consents: `Get-MgServicePrincipal -All` and `Get-MgOauth2PermissionGrant -All`
- Review OAuth consents quarterly; revoke third-party grants holding mail, file or directory-write scopes
- Disable user consent to apps (admin consent required) and enable the admin consent request workflow so users have a sanctioned path
- Microsoft 365 admin center → Settings → Org settings → Services → User consent to apps → **Off** (or Entra admin center → Enterprise applications → Consent and permissions)

**Gap**: No automated anomaly detection for consent grants.

**Augmentation**: Manual quarterly review + scripting.

### Scenario 3: Data Exfiltration via SharePoint / OneDrive

**The Attack**: An insider or compromised account bulk-downloads sensitive files.

**E3 Defenses**:

- External sharing locked down (configured above)
- Audit logging enabled (configured above); `FileDownloaded` and `FileSyncDownloadedFull` events carry user, file and client IP
- Baseline DLP policies for SharePoint, OneDrive and Exchange and manual sensitivity labels, both included in E3
- Basic retention policies

**Gap**: No endpoint or Teams DLP, no auto-labeling, no insider risk analytics.

**Augmentation**:

- PowerShell scripts over the unified audit log to detect bulk downloads
- Quarterly access reviews on sensitive sites
- Process: data classification by site owner (manual but effective)

### Scenario 4: Lateral Movement via Compromised Credentials

**The Attack**: Phished credentials → mailbox compromise → password reset on other services → full identity takeover.

**E3 Defenses**:

- MFA (prevents password-only access)
- SSPR requiring two registered methods, so a compromised mailbox alone cannot reset the password
- Block automatic external forwarding so reset e-mails for other services cannot be siphoned off quietly

**Gap**: No risk-based step-up; no impossible travel blocking.

**Augmentation**: Monitor for impossible travel in the sign-in and audit logs (manual or scripted).

---

## The E5 Upgrade Conversation

There will come a point where E3 augmentation is no longer cost-effective. Frame the E5 conversation around **specific capability gaps**, not feature lust.
| E5 Capability | What It Solves | When to Recommend |
|--------------|----------------|-------------------|
| Defender for Endpoint P2 | EDR, threat analytics, automated investigation, vulnerability management (ASR rules are already in P1) | Client has had a malware incident or is in a regulated industry |
| Entra ID P2 | Risk-based conditional access, PIM, identity protection | Client has had an admin compromise or needs risk-based/impossible-travel blocking |
| Defender for Office 365 P2 | Safe Links, Safe Attachments, impersonation protection, automated investigation | Client has had a phishing-driven incident (P1 alone covers the first three) |
| Purview (advanced) | Endpoint and Teams DLP, auto-labeling, insider risk | Client handles customer PII, financial data, or trade secrets |
| Sentinel (consumption-billed Azure, not an E5 SKU feature; E5 adds a daily data grant) | SIEM, SOAR, threat hunting | Client has a dedicated SOC or regulatory SIEM requirements |

**The Pitch**:

> *"We have extracted 80% of the security value from your E3 investment. The remaining 20% requires capabilities that only exist in E5 or specific add-ons. I am not recommending a blanket upgrade. I am recommending we selectively license the gaps that match your actual risk profile."*

---

## OT / Critical Infrastructure Overlay (Telco, Power)

For clients with operational technology (OT) or critical infrastructure obligations:

| E3 Consideration | OT Implication |
|-----------------|----------------|
| MFA enforcement | Admin accounts for OT-facing M365 tenants must use hardware (FIDO2) tokens; no phone or SMS factors in control rooms |
| Audit logging | 180-day Audit (Standard) retention may be insufficient; schedule export to long-term, immutable storage |
| External sharing | OneDrive/SharePoint must not become an accidental conduit between IT and OT networks |
| Guest access | Strictly prohibit guest accounts in OT-connected tenants |
| Email security | EOP is the baseline; NIS2 and critical infrastructure regulations may mandate advanced email filtering |

See [Vertical: Power Utilities](../reference/vertical-power-utilities.md) for full OT alignment.
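The scheduled export to long-term storage that the audit-logging sections and the OT overlay call for, with two of the scripted detections from the threat scenarios (bulk SharePoint/OneDrive downloads, and inbox rule or forwarding changes that mark BEC persistence) run over the same export, as an added example that is not code from the playbook. The output folder, the seven-day window and the 100-downloads-per-hour threshold are assumptions.

```powershell
# Added example, not code from the playbook: page the unified audit log for a time window
# into JSON-lines files (one per record type) for retention beyond Audit (Standard), then
# run two detections over the export. Assumes the ExchangeOnlineManagement module and an
# account holding the View-Only Audit Logs role. Window, paths and thresholds are assumptions.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$outDir = Join-Path $PWD "ual-export"          # assumption: ship this folder to immutable storage
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Export-UalWindow {
    param([datetime]$Start, [datetime]$End, [string]$RecordType, [string]$OutDir)
    # Search-UnifiedAuditLog returns at most 5000 rows per call; ReturnLargeSet with a fixed
    # SessionId pages through the rest (50,000 per session), so loop until a short page.
    $sessionId = "ual-$RecordType-$($Start.ToString('yyyyMMddHHmm'))"
    $all = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $RecordType `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $all += $page }
    } while ($page -and $page.Count -eq 5000)
    $file = Join-Path $OutDir "$sessionId.jsonl"
    $all | ForEach-Object { $_.AuditData } | Set-Content -Path $file
    Write-Host "$RecordType : $($all.Count) records -> $file"
    return $all
}

# Record types worth keeping past the 180-day window. Inbox rules created from Outlook or
# OWA land in ExchangeItem (UpdateInboxRules); rules created from PowerShell land in ExchangeAdmin.
$sharePoint = Export-UalWindow -Start $start -End $end -RecordType SharePointFileOperation -OutDir $outDir
$exchange   = @(Export-UalWindow -Start $start -End $end -RecordType ExchangeAdmin -OutDir $outDir) +
              @(Export-UalWindow -Start $start -End $end -RecordType ExchangeItem  -OutDir $outDir)
$null       = Export-UalWindow -Start $start -End $end -RecordType AzureActiveDirectory -OutDir $outDir

function Find-BulkDownloads {
    # Users exceeding $PerHourThreshold file downloads in any single hour.
    param([object[]]$Records, [int]$PerHourThreshold = 100)   # assumption: tune per client
    $Records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Operation -in @("FileDownloaded", "FileSyncDownloadedFull") } |
        Group-Object -Property UserId, @{ Expression = { ([datetime]$_.CreationTime).ToString("yyyy-MM-dd HH:00") } } |
        Where-Object Count -ge $PerHourThreshold |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].UserId
                Hour      = ([datetime]$_.Group[0].CreationTime).ToString("yyyy-MM-dd HH:00")
                Downloads = $_.Count
                ClientIPs = (@($_.Group.ClientIP | Sort-Object -Unique) -join ", ")
            }
        }
}

function Find-InboxRuleChanges {
    # Inbox rule creation/modification plus Set-Mailbox calls that touch forwarding.
    param([object[]]$Records)
    $Records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Operation -in @("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox") } |
        ForEach-Object {
            $detail = if ($_.Parameters) { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } else { "" }
            if ($_.Operation -eq "Set-Mailbox" -and $detail -notmatch "Forwarding") { return }   # skip unrelated mailbox edits
            [pscustomobject]@{ Time = $_.CreationTime; User = $_.UserId; Operation = $_.Operation; Detail = $detail }
        }
}

Find-BulkDownloads -Records $sharePoint | Format-Table -AutoSize
Find-InboxRuleChanges -Records $exchange | Sort-Object Time | Format-Table -AutoSize
```

Run it from a scheduled task under a dedicated audit-reader account and copy the `.jsonl` files to immutable storage the same day; the files are the evidence that survives the 180-day cutoff. The two detections are deliberately simple so that every hit is explainable to the client; raise the download threshold for sync-heavy departments rather than silencing the rule, and treat any inbox rule that forwards externally or deletes mail as an incident until proven otherwise.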
---

## Banking Overlay

For financial services clients:

| E3 Consideration | Regulatory Implication |
|-----------------|----------------------|
| Audit logging | DORA Chapter II (ICT risk management; in particular the detection requirements of Article 10) expects logging and monitoring able to detect anomalous activity |
| MFA | PSD2 Strong Customer Authentication principles (two independent factors) should be applied to internal and administrative access as well |
| Data residency | M365 data must remain in EU/geographically appropriate datacenters |
| DLP gap | Only baseline DLP (Exchange, SharePoint, OneDrive) in E3, no endpoint or Teams DLP; manual data governance + eventual Purview upgrade likely required |
| Email archiving | Financial regulations often require immutable, long-term email retention |

See [Vertical: Banking](../reference/vertical-banking.md) for full regulatory alignment.

---

*Previous: [Zero-Budget Hardening](zero-budget-hardening.md)*

*Next: [AD and Endpoint Hardening](ad-endpoint-hardening.md)*

*For the complete open-source tool arsenal including ASTRAL and AOC, see [Sovereign Tool Stack](sovereign-tool-stack.md)*

For how Intune deployment becomes the natural entry point for broader security transformation, see [Endpoint Management Entry Vector](endpoint-management-entry-vector.md).