# M365 E3 Hardening Playbook

> *"Most of your clients own E3, not E5. That is not a handicap. It is a constraint that forces precision."*

This playbook is designed for consulting engagements where the client's primary environment is **Microsoft 365 with E3 licensing**. It provides a pragmatic hardening roadmap that respects the E3 feature boundary while closing critical security gaps through configuration, process, and low-cost augmentation.

E3 provides the foundation. The gaps are real but manageable. This document shows you exactly what E3 gives you, what it does not, and how to close the gaps without immediately pushing an E5 upgrade.

---

## What E3 Actually Includes (Security-Relevant)

| Capability | E3 Inclusion | Notes |
|-----------|-------------|-------|
| Exchange Online Protection (EOP) | Yes | Anti-malware, anti-spam, basic anti-phishing |
| Azure AD Free / Entra ID Free | Yes | Basic identity, no conditional access, no PIM |
| Microsoft Defender Antivirus | Yes | Client-side AV, no EDR, no ASR |
| Office 365 Audit Logging | Yes | Must be manually enabled |
| Basic Mobile Device Management (MDM) | Yes | Via Microsoft Intune limited enrollment |
| Self-Service Password Reset (SSPR) | Yes | Requires Azure AD Basic configuration |
| Teams, SharePoint, OneDrive | Yes | Data governance limited without Purview |

## What E3 Does NOT Include (The Gaps)

| Capability | Missing in E3 | Business Impact |
|-----------|---------------|-----------------|
| Microsoft Defender for Endpoint P2 | No | No EDR, no ASR rules, no threat analytics, no automated investigation |
| Entra ID P2 / P1 Conditional Access | No | No risk-based policies, no device compliance gating, no location-based rules |
| Entra ID PIM | No | No just-in-time admin elevation |
| Microsoft Defender for Office 365 P2 | No | No Safe Links, no Safe Attachments, no advanced anti-phishing |
| Microsoft Purview | No | No DLP, no sensitivity labels, no insider risk management |
| Microsoft Sentinel | No | No native SIEM; logs go to Log Analytics only with additional cost |

---

## The E3 Hardening Strategy

We operate in three layers:

1. **Maximize E3** — Every configuration, every policy, every log that E3 can produce
2. **Augment E3** — Open-source and low-cost tools that close the most dangerous gaps
3. **Justify E5 selectively** — Use E3 gaps as evidence for strategic E5 upgrades, not blanket licensing

---

## Phase 1: E3 Foundation (Week 1-2)

### Identity and Access

**Enable MFA for All Users**

E3 includes MFA via Azure AD Free/Entra ID Free, but it is **per-user MFA** (less flexible than conditional access). This is still mandatory.

- Navigate to Microsoft Entra admin center → Users → Per-user MFA
- Enable MFA for all administrative accounts first
- Roll out to all users within 14 days
- Enroll at least one backup method per user (authenticator app + phone)

**Document the Gap**: Per-user MFA cannot enforce risk-based step-up, device compliance, or location-based blocking. Document this as a risk for the steering committee.

**Disable Legacy Authentication**

- Microsoft 365 admin center → Settings → Org settings → Modern authentication
- Verify legacy auth is disabled tenant-wide
- If specific protocols are required (e.g., IMAP for legacy devices), document exceptions with expiration dates

**Audit and Cleanse Identities**

- Export all users: `Get-MsolUser -All | Export-Csv -Path users.csv -NoTypeInformation`
- Export all guest users: `Get-MsolUser -All | Where-Object { $_.UserType -eq "Guest" }` (guests are often hidden in the default admin views, and the unlicensed-user filter does not isolate them)
- Export all service principals / enterprise apps: `Get-MsolServicePrincipal`
- Disable unused accounts (> 90 days inactive)
- Review and revoke excessive OAuth consents

**Secure Break-Glass Accounts**

- Create 2-3 Global Admin accounts that are excluded from MFA (for emergency access)
- Use non-personal, complex passwords (20+ characters, managed offline)
- Log every use; review quarterly

### Email Security (EOP-Only)

**Harden Anti-Phishing in EOP**

EOP anti-phishing is basic but not useless.
Configure it aggressively:

- Exchange admin center → Protection → Anti-phishing
- Enable impersonation protection for:
  - Domains (your own domains)
  - Users (CEO, CFO, board members)
- Enable mailbox intelligence (learns sender patterns)
- Set action for impersonated users: **Quarantine**
- Set action for impersonated domains: **Quarantine**

**Configure Anti-Malware**

- Exchange admin center → Protection → Anti-malware
- Enable the common attachment filter (block executable content)
- Notify internal senders if malware is detected
- Notify administrators with full message details

**Anti-Spam Tuning**

- Exchange admin center → Protection → Anti-spam
- Set the bulk email threshold to 6 or 7 (aggressive)
- Enable SPF hard fail evaluation
- Configure outbound spam notifications

### Audit Logging

**Enable Unified Audit Log**

This is **not enabled by default** in many tenants and is the most underutilized E3 feature.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange Online admin session
Connect-ExchangeOnline

# Verify status
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Enable if false
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

- Retention: 90 days (E3 default); document the gap vs. the 1-year requirement in some regulations
- Export for analysis: `Search-UnifiedAuditLog` or use Microsoft Purview Audit (Standard) if available

**Enable Mailbox Auditing**

```powershell
# Enable for all mailboxes (run in the same Exchange Online session as above)
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
```

### SharePoint and OneDrive

**External Sharing Lockdown**

- SharePoint admin center → Policies → Sharing
- Default: **Only people in your organization**
- Override per site only with documented business justification
- Disable "Anyone" links (anonymous sharing)

**OneDrive Retention**

- OneDrive admin center → Storage
- Set retention for deleted users: 30 days minimum
- Document the data ownership transfer process

---

## Phase 2: Augment E3 (Week 3-4)

### Close the EDR Gap (No Defender for Endpoint P2)

E3 includes Microsoft Defender Antivirus but **not** EDR.
You need visibility.

| Option | Cost | Effort | When to Use |
|--------|------|--------|-------------|
| **Wazuh** (open-source) | Free | Medium | Need centralized EDR-like visibility without purchase |
| **Sysmon + free log forwarding** | Free | Medium | Need detailed Windows endpoint telemetry |
| **Upgrade select users to E5 Security** | ~$10/user/month | Low | Critical users only (admins, executives, finance) |
| **Microsoft Defender for Business** | ~$3/user/month | Low | Small business clients; includes EDR-lite |

**Recommended Hybrid Approach for E3 Clients**:

1. Deploy **Sysmon** (free) on all Windows endpoints with the SwiftOnSecurity config
2. Forward Sysmon logs to **Wazuh** (free) or an existing syslog/SIEM
3. Upgrade **only privileged users** to Microsoft Defender for Endpoint P2 via add-on or E5 Security

This gives you EDR coverage where it matters most at ~10% of full E5 cost.

### Close the Conditional Access Gap (No Entra ID P1/P2)

Without conditional access, you cannot enforce:

- Device compliance gating
- Location-based blocking
- Risk-based step-up
- Blocking legacy auth per protocol

**Mitigations within E3**:

- **Per-user MFA**: Enforce for 100% of users (already covered above)
- **Block legacy auth tenant-wide**: Already covered above
- **Intune MDM enrollment**: E3 includes basic Intune; enroll all corporate devices
- **Third-party MFA with policy engine**: Duo, Okta (additional cost, but cheaper than full E5)

**The Strategic Conversation**:

> *"E3 gives us strong authentication but weak authorization. We can enforce MFA, but we cannot say 'only from a managed device in the Czech Republic.' If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P1 for conditional access, not a full E5 jump."*

### Close the Email Security Gap (No Defender for Office 365 P2)

EOP anti-phishing is reactive. Safe Links and Safe Attachments are proactive.
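The transport-rule side of closing this gap, written out as an added example (this is not the playbook's own code). It assumes an existing `Connect-ExchangeOnline` session; the rule names, the TLD list and the incident-report mailbox are placeholders to replace for the client. The `-AttachmentHasExecutableContent` and `-SubjectOrBodyMatchesPatterns` predicates, `-Quarantine`, `-GenerateIncidentReport` and `-Mode` are standard `New-TransportRule` parameters.

```powershell
# Added example, not the playbook's own code: EOP-only transport rules for the
# executable-attachment and known-bad-TLD link gaps. Assumes an existing
# Connect-ExchangeOnline session (ExchangeOnlineManagement module).
# Rule names, the TLD list and the incident-report mailbox are placeholders.

$IncidentMailbox = 'secops@contoso.example'          # placeholder
$BlockedTlds     = @('zip', 'mov', 'top', 'xyz')     # constructed list, not threat intel

function New-E3TransportRuleIfMissing {
    # Idempotent wrapper: re-running the baseline must not create duplicate rules
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Settings
    )
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$Name' already exists, skipping"
        return
    }
    # Every rule starts in Audit mode so the impact is measured before enforcement
    New-TransportRule -Name $Name -Mode Audit -FromScope NotInOrganization @Settings
}

# 1. Executable content from outside the organization goes to quarantine, with an
#    incident report to the SOC mailbox. Content inspection also catches renamed binaries.
New-E3TransportRuleIfMissing -Name 'E3-Quarantine-Executable-Attachments' -Settings @{
    AttachmentHasExecutableContent = $true
    Quarantine                     = $true
    GenerateIncidentReport         = $IncidentMailbox
    IncidentReportContent          = 'Sender', 'Recipients', 'Subject', 'AttachOriginalMail'
    Comments                       = 'Phase 2 email gap: executable attachments. Review hits before Enforce.'
}

# 2. Links under known-bad TLDs in subject or body go to quarantine. Keep the regex plain;
#    transport rules do not support every .NET regex construct.
$tldPattern = 'https?://[^\s/]+\.(' + ($BlockedTlds -join '|') + ')(/|\s|$)'
New-E3TransportRuleIfMissing -Name 'E3-Quarantine-Bad-TLD-Links' -Settings @{
    SubjectOrBodyMatchesPatterns = $tldPattern
    Quarantine                   = $true
    Comments                     = 'Phase 2 email gap: known-bad TLD links. Review hits before Enforce.'
}

function Get-E3TransportRuleHits {
    # What a rule matched while in Audit mode: the evidence for the Enforce decision
    param([Parameter(Mandatory)][string]$Name, [int]$Days = 7)
    Get-MailDetailTransportRuleReport -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -TransportRule $Name |
        Select-Object Date, SenderAddress, RecipientAddress, Subject, Direction
}

function Enable-E3TransportRule {
    # Promote a reviewed rule from Audit to Enforce
    param([Parameter(Mandatory)][string]$Name)
    Set-TransportRule -Identity $Name -Mode Enforce
    Get-TransportRule -Identity $Name | Select-Object Name, State, Mode
}

# Typical flow: create in Audit, watch for a week, then enforce
Get-E3TransportRuleHits -Name 'E3-Quarantine-Executable-Attachments' | Format-Table
# Enable-E3TransportRule -Name 'E3-Quarantine-Executable-Attachments'
```

Both rules are deliberately created in Audit mode: a TLD regex will catch legitimate mail from time to time, and the rule report is what tells you whether the false-positive rate is acceptable for the client before anything is actually quarantined.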
**Mitigations within E3**:

- **URL rewriting via transport rules**: Block known bad TLDs, force HTTPS where possible
- **Attachment filtering**: Block executable attachments at the transport rule level (EOP already does this partially)
- **User education**: Phishing simulation via free or low-cost platforms (GoPhish is open-source)
- **Third-party email gateway**: Proofpoint, Mimecast, Avanan (~$3-5/user/month)

**The Strategic Conversation**:

> *"EOP catches spam and known malware. It does not rewrite URLs or sandbox attachments. For a bank/telco/power client, that gap is meaningful. The most cost-effective close is either Defender for Office 365 P1 add-on or a third-party gateway. Let us quantify the phishing risk first, then size the investment."*

### Close the PAM Gap (No PIM)

Without PIM, administrative roles are standing privileges.

**Mitigations within E3**:

- **Dedicated admin accounts**: Separate admin and user identities for every administrator
- **PAW (Privileged Access Workstation)**: Physical or virtual separation for admin tasks
- **Time-bounded access via process**: Manual approval workflow for admin elevation
- **Quarterly admin access review**: Document every admin; remove stale assignments
- **LAPS**: Free from Microsoft; randomizes local admin passwords

---

## Phase 3: M365-Specific Threat Scenarios

### Scenario 1: Business Email Compromise (BEC)

**The Attack**: Adversary compromises an executive mailbox and sends fraudulent payment instructions.

**E3 Defenses**:

- Impersonation protection in EOP (configured above)
- Mailbox auditing (configured above)
- MFA on all accounts (prevents initial compromise)
- Outbound spam policy: flag unusual send patterns

**Gap**: No Safe Links to rewrite URLs in real time; no automated investigation.

**Augmentation**: User education + third-party email gateway.

### Scenario 2: OAuth / Consent Grant Attack

**The Attack**: User grants permissions to a malicious app; adversary gains persistent access.
**E3 Defenses**:

- Audit all enterprise apps: `Get-AzureADServicePrincipal`
- Review OAuth consents quarterly
- Disable user consent to apps (admin consent required):
  - Microsoft 365 admin center → Settings → Org settings → User consent to apps → **Off**

**Gap**: No automated anomaly detection for consent grants.

**Augmentation**: Manual quarterly review + scripting.

### Scenario 3: Data Exfiltration via SharePoint / OneDrive

**The Attack**: Insider or compromised account bulk-downloads sensitive files.

**E3 Defenses**:

- External sharing locked down (configured above)
- Audit logging enabled (configured above)
- Basic retention policies

**Gap**: No DLP, no sensitivity labels, no insider risk analytics.

**Augmentation**:

- PowerShell scripts to detect bulk downloads
- Quarterly access reviews on sensitive sites
- Process: data classification by site owner (manual but effective)

### Scenario 4: Lateral Movement via Compromised Credentials

**The Attack**: Phished credentials → mailbox compromise → password reset on other services → full identity takeover.

**E3 Defenses**:

- MFA (prevents password-only access)
- SSPR with MFA enforcement (prevents account lockout abuse)

**Gap**: No risk-based step-up; no impossible travel blocking.

**Augmentation**: Monitor for impossible travel in audit logs (manual or scripted).

---

## The E5 Upgrade Conversation

There will come a point where E3 augmentation is no longer cost-effective. Frame the E5 conversation around **specific capability gaps**, not feature lust.
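Scenarios 3 and 4 above both end in scripted detection over the Unified Audit Log, so before the E5 table, the two checks as an added example (not the playbook's own code). It works on the objects `Search-UnifiedAuditLog` returns, where each record carries its event as JSON in the `AuditData` property. The sample records are constructed, the IP-to-country table is a placeholder standing in for a real GeoIP lookup, and `Get-E3AuditEvents` assumes a `Connect-ExchangeOnline` session; the function names are mine.

```powershell
# Added example, not the playbook's own code: scripted detection for Scenario 3
# (bulk downloads) and Scenario 4 (impossible travel) over Unified Audit Log records.
# Each record from Search-UnifiedAuditLog carries its event as JSON in AuditData.
# The sample records are constructed and the IP-to-country table is a placeholder
# for a GeoIP lookup; Get-E3AuditEvents assumes a Connect-ExchangeOnline session.

function ConvertFrom-AuditRecord {
    # Flatten the AuditData JSON into one object per event
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            Object    = $d.ObjectId
        }
    }
}

function Find-BulkDownloads {
    # Scenario 3: any user with $Threshold or more FileDownloaded events inside a sliding
    # window of $WindowMinutes. A fixed per-hour bucket would miss a burst that straddles
    # the hour boundary, so the window slides over the sorted timestamps instead.
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 50, [int]$WindowMinutes = 60)
    $downloads = $Events | Where-Object { $_.Operation -eq 'FileDownloaded' }
    foreach ($group in ($downloads | Group-Object User)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $j = $i + $Threshold - 1
            if (($times[$j] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ User = $group.Name; Downloads = $times.Count; WindowStart = $times[$i]; WindowEnd = $times[$j] }
                break   # one alert per user is enough for triage
            }
        }
    }
}

# Placeholder: replace with a GeoIP database lookup in production
$IpCountry = @{ '198.51.100.10' = 'CZ'; '192.0.2.25' = 'CZ'; '203.0.113.7' = 'BR' }

function Find-ImpossibleTravel {
    # Scenario 4: consecutive UserLoggedIn events for one user from different countries
    # closer together than $MaxMinutes. IPs the lookup cannot resolve are skipped here;
    # in production, resolve every IP or make unresolved ones their own alert class.
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][hashtable]$IpCountryMap, [int]$MaxMinutes = 60)
    $logons = $Events | Where-Object { $_.Operation -eq 'UserLoggedIn' }
    foreach ($group in ($logons | Group-Object User)) {
        $prev = $null
        foreach ($e in ($group.Group | Sort-Object Time)) {
            $country = $IpCountryMap[$e.ClientIP]
            if (-not $country) { continue }
            if ($prev -and $prev.Country -ne $country -and ($e.Time - $prev.Time).TotalMinutes -le $MaxMinutes) {
                [pscustomobject]@{
                    User    = $group.Name
                    From    = "$($prev.Country) ($($prev.IP))"
                    To      = "$country ($($e.ClientIP))"
                    Minutes = [math]::Round(($e.Time - $prev.Time).TotalMinutes)
                }
            }
            $prev = [pscustomobject]@{ Country = $country; IP = $e.ClientIP; Time = $e.Time }
        }
    }
}

function Get-E3AuditEvents {
    # Live pull of the two record types above. ResultSize caps at 5000 per call; larger
    # volumes need the SessionId/SessionCommand paging that Search-UnifiedAuditLog offers.
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days); $end = Get-Date
    $raw  = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType SharePointFileOperation -Operations FileDownloaded -ResultSize 5000)
    $raw += @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType AzureActiveDirectoryStsLogon -Operations UserLoggedIn -ResultSize 5000)
    $raw | ConvertFrom-AuditRecord
}

# Constructed sample: alice pulls 60 files in 20 minutes; bob signs in from CZ, then from BR 30 minutes later
function New-SampleRecord($Time, $User, $Operation, $Ip, $Object) {
    [pscustomobject]@{ AuditData = (@{ CreationTime = $Time; UserId = $User; Operation = $Operation; ClientIP = $Ip; ObjectId = $Object } | ConvertTo-Json -Compress) }
}
$base   = [datetime]'2024-05-01T08:00:00'
$sample = @(0..59 | ForEach-Object { New-SampleRecord $($base.AddSeconds(20 * $_).ToString('s')) 'alice@contoso.example' 'FileDownloaded' '198.51.100.10' "https://contoso.example/sites/finance/doc$_.xlsx" })
$sample += New-SampleRecord '2024-05-01T09:00:00' 'bob@contoso.example' 'UserLoggedIn' '198.51.100.10' 'Unknown'
$sample += New-SampleRecord '2024-05-01T09:30:00' 'bob@contoso.example' 'UserLoggedIn' '203.0.113.7'   'Unknown'

$events = $sample | ConvertFrom-AuditRecord
Find-BulkDownloads    -Events $events -Threshold 50 -WindowMinutes 60          | Format-Table   # flags alice
Find-ImpossibleTravel -Events $events -IpCountryMap $IpCountry -MaxMinutes 60 | Format-Table   # flags bob, CZ -> BR in 30 min
```

Run against the constructed sample it raises one alert per scenario; against a tenant, replace `$events` with `Get-E3AuditEvents -Days 7`. The thresholds are starting points: tune `-Threshold` to the client's normal SharePoint usage before wiring the output into a ticketing queue, otherwise the first week of alerts is mostly legitimate sync clients.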
| E5 Capability | What It Solves | When to Recommend |
|--------------|----------------|-------------------|
| Defender for Endpoint P2 | EDR, ASR, threat analytics | Client has had a malware incident or is in a regulated industry |
| Entra ID P2 | Conditional access, PIM, identity protection | Client has had an admin compromise or needs device/location gating |
| Defender for Office 365 P2 | Safe Links, Safe Attachments, automated investigation | Client has had a phishing-driven incident |
| Purview | DLP, sensitivity labels, insider risk | Client handles customer PII, financial data, or trade secrets |
| Sentinel | SIEM, SOAR, threat hunting | Client has a dedicated SOC or regulatory SIEM requirements |

**The Pitch**:

> *"We have extracted 80% of the security value from your E3 investment. The remaining 20% requires capabilities that only exist in E5 or specific add-ons. I am not recommending a blanket upgrade. I am recommending we selectively license the gaps that match your actual risk profile."*

---

## OT / Critical Infrastructure Overlay (Telco, Power)

For clients with operational technology (OT) or critical infrastructure obligations:

| E3 Consideration | OT Implication |
|-----------------|----------------|
| MFA enforcement | Admin accounts for OT-facing M365 tenants must have hardware tokens (no phone SMS in control rooms) |
| Audit logging | 90-day retention may be insufficient; plan export to long-term storage |
| External sharing | OneDrive/SharePoint must not become an accidental conduit between IT and OT networks |
| Guest access | Strictly prohibit guest accounts in OT-connected tenants |
| Email security | EOP is baseline; NIS2 and critical infrastructure regulations may mandate advanced email filtering |

See [Vertical: Power Utilities](../reference/vertical-power-utilities.md) for full OT alignment.
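The "plan export to long-term storage" item in the OT overlay (and the retention rows of the banking overlay that follows) is the one E3 gap that is purely a process problem, so here is the export as an added example, not the playbook's own script. It assumes a `Connect-ExchangeOnline` session and uses the `-SessionId`/`-SessionCommand ReturnLargeSet` paging of `Search-UnifiedAuditLog`; the output directory is a placeholder, and the function names are mine.

```powershell
# Added example, not the playbook's own code: export the Unified Audit Log day by day
# into JSON Lines files with a hash manifest, so the 90-day E3 retention window is
# copied to long-term storage before it rolls off. Assumes a Connect-ExchangeOnline
# session; the output directory is a placeholder.

function Export-E3AuditDay {
    # One file per UTC day. Search-UnifiedAuditLog pages through a session of up to
    # 50,000 records (documented service limit at the time of writing); a busier day
    # must be split into shorter windows, which is why the record count is returned.
    param([Parameter(Mandatory)][datetime]$Day, [Parameter(Mandatory)][string]$OutputDir)
    $start = $Day.Date
    $end   = $start.AddDays(1)
    $path  = Join-Path $OutputDir ('ual-' + $start.ToString('yyyy-MM-dd') + '.jsonl')
    if (Test-Path $path) { Remove-Item $path }   # re-runs must not append duplicates
    $sessionId = 'E3Export-' + $start.ToString('yyyyMMdd') + '-' + [guid]::NewGuid()
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $count = 0
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        foreach ($record in $page) {
            # ReturnLargeSet can hand back duplicates across pages; Identity is the record GUID
            if ($seen.Add([string]$record.Identity)) {
                Add-Content -Path $path -Value $record.AuditData -Encoding utf8
                $count++
            }
        }
    } while ($page.Count -gt 0)
    $hash = if (Test-Path $path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
    [pscustomobject]@{ Day = $start.ToString('yyyy-MM-dd'); Records = $count; File = $path; Sha256 = $hash }
}

function Export-E3AuditHistory {
    # Walk back over the retention window, oldest day first, and write a manifest
    # beside the files. The manifest (record count + SHA-256 per day) is what an
    # auditor can later verify against the stored copies.
    param([int]$Days = 90, [Parameter(Mandatory)][string]$OutputDir)
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $today = (Get-Date).ToUniversalTime().Date
    $manifest = foreach ($offset in ($Days..1)) {
        Export-E3AuditDay -Day $today.AddDays(-$offset) -OutputDir $OutputDir
    }
    $manifest | Export-Csv -Path (Join-Path $OutputDir 'manifest.csv') -NoTypeInformation
    $manifest
}

# Usage: copy everything still inside the E3 window, then ship the directory to
# immutable storage (WORM bucket, archive share) as part of the retention plan.
# Export-E3AuditHistory -Days 90 -OutputDir 'C:\AuditExport'   # placeholder path
```

Schedule the daily function rather than the full 90-day sweep once the initial backfill is done; the sweep exists so a newly onboarded client does not lose the history that is about to expire. Any day whose record count sits near the session limit should be re-exported in hourly windows, since a silently truncated day is worse for a regulator than a missing one.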
---

## Banking Overlay

For financial services clients:

| E3 Consideration | Regulatory Implication |
|-----------------|----------------------|
| Audit logging | DORA Article 12 (ICT risk management) requires comprehensive logging and monitoring |
| MFA | PSD2 Strong Customer Authentication principles apply to internal systems |
| Data residency | M365 data must remain in EU/geographically appropriate datacenters |
| DLP gap | No native DLP in E3; manual data governance + eventual Purview upgrade likely required |
| Email archiving | Financial regulations often require immutable, long-term email retention |

See [Vertical: Banking](../reference/vertical-banking.md) for full regulatory alignment.

---

*Previous: [Zero-Budget Hardening](zero-budget-hardening.md)*
*Next: [AD and Endpoint Hardening](ad-endpoint-hardening.md)*

For how Intune deployment becomes the natural entry point for broader security transformation, see [Endpoint Management Entry Vector](endpoint-management-entry-vector.md).