antifragile/antifragile-consulting/playbooks/m365-e3-hardening.md
Tomas Kracmar 3569cd7c45 fix: Correct M365 E3 licensing capabilities across playbooks
E3 includes Entra ID P1 (conditional access, SSPR) and Defender for
Endpoint P1 (AV, device control, ASR audit mode), not just 'Free'/'AV only'.

Key corrections:
- m365-e3-hardening.md: Entra ID P1 with conditional access is now
  correctly listed as included; Intune is full not 'basic'; ASR audit
  mode is available in P1; risk-based gap reframed as 'No Entra ID P2'
- zero-budget-hardening.md: E3 comparison table now shows Entra ID P1
  and Defender for Endpoint P1 correctly; pitch text updated
- modular-engagements.md: MFA description now reflects conditional
  access availability in E3
- m365-antifragile-project.md: Conditional Access heading now correctly
  notes E3 includes P1; E3 baseline mentions conditional access
- endpoint-management-entry-vector.md: Intune described as full MDM/MAM
2026-05-09 16:58:36 +02:00


M365 E3 Hardening Playbook

"Most of your clients own E3, not E5. That is not a handicap. It is a constraint that forces precision."

This playbook is designed for consulting engagements where the client's primary environment is Microsoft 365 with E3 licensing. It provides a pragmatic hardening roadmap that respects the E3 feature boundary while closing critical security gaps through configuration, process, and low-cost augmentation.

E3 provides the foundation. The gaps are real but manageable. This document shows you exactly what E3 gives you, what it does not, and how to close the gaps without immediately pushing an E5 upgrade.


What E3 Actually Includes (Security-Relevant)

| Capability | E3 Inclusion | Notes |
|---|---|---|
| Exchange Online Protection (EOP) | Yes | Anti-malware, anti-spam, basic anti-phishing |
| Entra ID P1 | Yes | Conditional access, per-user MFA, SSPR; no PIM, no risk-based policies |
| Microsoft Defender for Endpoint P1 | Yes | Next-gen AV, device control, ASR audit mode; no EDR, no automated investigation |
| Office 365 Audit Logging | Yes | Must be manually enabled |
| Microsoft Intune | Yes | Full MDM/MAM, device compliance, configuration policies |
| Self-Service Password Reset (SSPR) | Yes | Requires Azure AD Basic configuration |
| Teams, SharePoint, OneDrive | Yes | Data governance limited without Purview |

What E3 Does NOT Include (The Gaps)

| Capability | Missing in E3 | Business Impact |
|---|---|---|
| Microsoft Defender for Endpoint P2 | No | No EDR, no ASR rules, no threat analytics, no automated investigation |
| Entra ID P2 (Identity Protection) | No | No PIM, no risk-based conditional access, no identity protection, no automated remediation |
| Entra ID PIM | No | No just-in-time admin elevation |
| Microsoft Defender for Office 365 P2 | No | No Safe Links, no Safe Attachments, no advanced anti-phishing |
| Microsoft Purview | No | No DLP, no sensitivity labels, no insider risk management |
| Microsoft Sentinel | No | No native SIEM; logs go to Log Analytics only with additional cost |

The E3 Hardening Strategy

We operate in three layers:

  1. Maximize E3 — Every configuration, every policy, every log that E3 can produce
  2. Augment E3 — Open-source and low-cost tools that close the most dangerous gaps
  3. Justify E5 selectively — Use E3 gaps as evidence for strategic E5 upgrades, not blanket licensing

Phase 1: E3 Foundation (Week 1-2)

Identity and Access

Enable MFA for All Users

E3 includes Entra ID P1, which supports both per-user MFA and conditional access-based MFA. Conditional access is the preferred approach because it provides more granular control.

  • Navigate to Microsoft Entra admin center → Users → Per-user MFA
  • Enable MFA for all administrative accounts first
  • Roll out to all users within 14 days
  • Enroll at least one backup method per user (authenticator app + phone)

Document the Gap: E3 conditional access cannot enforce risk-based step-up or impossible-travel blocking (these require Entra ID P2). Record risk-based policies as a gap for the steering committee.

Disable Legacy Authentication

  • Microsoft 365 admin center → Settings → Org settings → Modern authentication
  • Verify legacy auth is disabled tenant-wide
  • If specific protocols are required (e.g., IMAP for legacy devices), document exceptions with expiration dates

Audit and Cleanse Identities

  • Export all users: Get-MsolUser -All | Export-Csv -Path users.csv -NoTypeInformation
  • Export all unlicensed users, which is where guest accounts usually sit and are easy to miss: Get-MsolUser -All -UnlicensedUsersOnly | Export-Csv -Path unlicensed-users.csv -NoTypeInformation
  • Export all service principals / enterprise apps: Get-MsolServicePrincipal | Export-Csv -Path service-principals.csv -NoTypeInformation
  • Disable unused accounts (> 90 days inactive)
  • Review and revoke excessive OAuth consents
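The cleanse above can be run end to end with one script. This is an added example, not part of the playbook; it uses the Microsoft Graph PowerShell SDK rather than the MSOnline cmdlets listed above, because MSOnline does not expose last sign-in time, which is what the 90-day inactivity check needs. It assumes the Microsoft.Graph module is installed and that the admin running it can consent to the listed scopes; the signInActivity property needs Entra ID P1, which E3 includes.

```powershell
# Added example (not from the playbook): identity export and inactivity check with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Application.Read.All" -NoWelcome

$outDir = Join-Path $PWD "identity-audit-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-90)

# Pull every user with sign-in activity; filtering client-side keeps the Graph query simple.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity" |
    Select-Object Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }

$users | Export-Csv -Path (Join-Path $outDir 'all-users.csv') -NoTypeInformation

# Guests are a separate population (UserType = Guest) and are the ones most often overlooked.
$guests = $users | Where-Object UserType -eq 'Guest'
$guests | Export-Csv -Path (Join-Path $outDir 'guest-users.csv') -NoTypeInformation

# Inactive: still enabled, older than the cutoff, and no sign-in in the last 90 days (or never signed in).
$inactive = $users | Where-Object {
    $_.AccountEnabled -and
    $_.CreatedDateTime -lt $cutoff -and
    ( -not $_.LastSignIn -or $_.LastSignIn -lt $cutoff )
}
$inactive | Export-Csv -Path (Join-Path $outDir 'inactive-90d.csv') -NoTypeInformation

# Enterprise apps / service principals; AppOwnerOrganizationId tells first-party from third-party apps.
Get-MgServicePrincipal -All -Property "id,displayName,appId,appOwnerOrganizationId,servicePrincipalType,accountEnabled" |
    Select-Object Id, DisplayName, AppId, ServicePrincipalType, AccountEnabled, AppOwnerOrganizationId |
    Export-Csv -Path (Join-Path $outDir 'service-principals.csv') -NoTypeInformation

Write-Host "Users: $($users.Count)  Guests: $($guests.Count)  Inactive >90d: $($inactive.Count)  Output: $outDir"

# Review inactive-90d.csv with the business owners first, then disable (never delete) in a separate, deliberate step:
# $inactive | ForEach-Object { Update-MgUser -UserId $_.Id -AccountEnabled:$false }
```

Keep the disable step commented out until the CSV has been reviewed; a shared mailbox or a service identity that never signs in interactively looks identical to an abandoned account in this data.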

Secure Break-Glass Accounts

  • Create 2-3 Global Admin accounts that are excluded from MFA (for emergency access)
  • Use non-personal, complex passwords (20+ characters, managed offline)
  • Log every use; review quarterly

Email Security (EOP-Only)

Harden Anti-Phishing in EOP

EOP anti-phishing is basic but not useless. Configure it aggressively:

  • Exchange admin center → Protection → Anti-phishing
  • Enable impersonation protection for:
    • Domain (your own domains)
    • Users (CEO, CFO, board members)
  • Enable mailbox intelligence (learns sender patterns)
  • Set action for impersonated users: Quarantine
  • Set action for impersonated domains: Quarantine

Configure Anti-Malware

  • Exchange admin center → Protection → Anti-malware
  • Enable common attachment filter (block executable content)
  • Notify internal senders if malware detected
  • Notify administrators with full message details

Anti-Spam Tuning

  • Exchange admin center → Protection → Anti-spam
  • Set bulk email threshold to 6 or 7 (aggressive)
  • Enable SPF hard fail evaluation
  • Configure outbound spam notifications
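The three portal walkthroughs above (anti-phishing aside) are reproducible from Exchange Online PowerShell, which also gives you a read-back for the engagement record. This is an added example, not code from the playbook; it assumes the ExchangeOnlineManagement module is installed, uses a placeholder notification address, and adds a transport rule that rejects executable content, which is the transport-rule mitigation the Phase 2 email section also calls for.

```powershell
# Added example (not from the playbook): EOP anti-malware and anti-spam settings applied and verified via PowerShell.
# Assumes ExchangeOnlineManagement is installed; the notification address is a placeholder.
Connect-ExchangeOnline

$adminMailbox = 'secops@contoso.example'   # placeholder, replace with the client's security mailbox
# Extensions rejected by the common attachment filter; trim against the client's documented exceptions.
$blockedTypes = @('exe','scr','pif','com','bat','cmd','ps1','vbs','vbe','js','jse','wsf','wsh','hta','msi','iso','img','lnk')

# Anti-malware: common attachment filter, reject outright, and notify admins with message details.
Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes $blockedTypes `
    -FileTypeAction Reject `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress $adminMailbox

# Anti-spam: aggressive bulk threshold and SPF hard-fail evaluation.
Set-HostedContentFilterPolicy -Identity Default `
    -BulkThreshold 6 `
    -MarkAsSpamSpfRecordHardFail On

# Outbound spam notifications so a compromised mailbox that starts spamming surfaces quickly.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients $adminMailbox

# Transport rule: reject executable content regardless of the extension it arrives with.
if (-not (Get-TransportRule -Identity 'Block executable attachments' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Block executable attachments' `
        -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText 'Executable attachments are not accepted. Use an approved file transfer method.' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Mode Enforce
}

# Read back the effective values so the run log proves the change rather than assuming it.
Get-MalwareFilterPolicy -Identity Default | Format-List EnableFileFilter, FileTypeAction, FileTypes
Get-HostedContentFilterPolicy -Identity Default | Format-List BulkThreshold, MarkAsSpamSpfRecordHardFail
Get-HostedOutboundSpamFilterPolicy -Identity Default | Format-List NotifyOutboundSpam, NotifyOutboundSpamRecipients
Get-TransportRule -Identity 'Block executable attachments' | Format-List State, Mode, AttachmentHasExecutableContent
```

The transport rule starts in Enforce; for a client with a known population of legitimate executable senders, create it with -Mode Audit for a week first and review the rule hits before switching.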

Audit Logging

Enable Unified Audit Log

This is not enabled by default in many tenants and is the most underutilized E3 feature.

```powershell
# Requires the ExchangeOnlineManagement module
Connect-ExchangeOnline

# Verify status
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Enable if false
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

  • Retention: 90 days (E3 default); document the gap vs. the 1-year requirement in some regulations
  • Export for analysis: Search-UnifiedAuditLog, or use Microsoft Purview Audit (Standard) if available

Enable Mailbox Auditing

```powershell
# Enable for all mailboxes
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
```

SharePoint and OneDrive

External Sharing Lockdown

  • SharePoint admin center → Policies → Sharing
  • Default: Only people in your organization
  • Override per site only with documented business justification
  • Disable "Anyone" links (anonymous sharing)

OneDrive Retention

  • OneDrive admin center → Storage
  • Set retention for deleted users: 30 days minimum
  • Document data ownership transfer process

Phase 2: Augment E3 (Week 3-4)

Close the EDR Gap (Defender for Endpoint P1, Not P2)

E3 includes Microsoft Defender for Endpoint P1 (next-gen AV, device control, ASR rules in audit mode, network protection in audit mode). It does not include full EDR, automated investigation, or threat analytics. You need visibility beyond what P1 provides.

| Option | Cost | Effort | When to Use |
|---|---|---|---|
| Wazuh (open-source) | Free | Medium | Need centralized EDR-like visibility without purchase |
| Sysmon + free log forwarding | Free | Medium | Need detailed Windows endpoint telemetry |
| Upgrade select users to E5 Security | ~$10/user/month | Low | Critical users only (admins, executives, finance) |
| Microsoft Defender for Business | ~$3/user/month | Low | Small business clients; includes EDR-lite |

Recommended Hybrid Approach for E3 Clients:

  1. Deploy Sysmon (free) on all Windows endpoints with the SwiftOnSecurity config
  2. Forward Sysmon logs to Wazuh (free) or existing syslog/SIEM
  3. Upgrade only privileged users to Microsoft Defender for Endpoint P2 via add-on or E5 Security
  4. This gives you EDR coverage where it matters most at ~10% of full E5 cost

Close the Risk-Based Identity Gap (No Entra ID P2)

E3 includes Entra ID P1, which provides robust conditional access: device compliance gating, location-based blocking, and per-protocol legacy auth blocking are all available. What E3 lacks is risk-based intelligence:

  • Risk-based step-up (e.g., require MFA when sign-in risk is elevated)
  • Impossible travel detection and blocking
  • Identity protection and automated remediation
  • PIM for just-in-time admin elevation

Mitigations within E3:

  • Conditional access policies: Enforce MFA for all users, block legacy auth, require compliant devices for sensitive apps, and restrict by location—all with Entra ID P1
  • Intune MDM enrollment: E3 includes full Intune; enroll all corporate devices to make them conditional access signals
  • Per-user MFA: As a fallback if conditional access deployment is phased
  • Manual risk review: Export sign-in logs weekly; flag anomalous locations, failed MFA attempts, and unknown devices
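The first two mitigations above, plus the break-glass exclusion from the Phase 1 identity section, can be deployed as conditional access policies through the Microsoft Graph PowerShell SDK. This is an added example, not the playbook's own code; it assumes the Microsoft.Graph module, an admin who can consent to the listed scopes, and placeholder break-glass UPNs. All three policies are created in report-only state so the sign-in log can be reviewed for unintended blocks before enforcement.

```powershell
# Added example (not from the playbook): Entra ID P1 conditional access policies via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed; break-glass UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

# Break-glass accounts are excluded from every policy; resolve their object IDs first.
$breakGlassUpns = @('bg-admin-01@contoso.example','bg-admin-02@contoso.example')   # placeholders
$breakGlassIds  = @($breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_ -Property id).Id })

# Report-only first; switch state to 'enabled' after the sign-in log review.
$reportOnly = 'enabledForReportingButNotEnforced'

$policies = @(
    @{  # Legacy protocols cannot do MFA, so they are blocked outright.
        displayName   = 'CA001 Block legacy authentication'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync','other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # MFA for every user on every modern client.
        displayName   = 'CA002 Require MFA for all users'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser','mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Intune-compliant device required for the Office 365 app group.
        displayName   = 'CA003 Require compliant device for Office 365'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = @('browser','mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
)

foreach ($p in $policies) {
    # Idempotent: do not create a second copy on a re-run.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Exists, skipping: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' (state: $($created.State))"
}
```

Enable CA001 first and give it a full business cycle; legacy-auth stragglers (printers, scan-to-mail devices, old scripts) show up in the report-only results as the exceptions the playbook asks you to document with expiry dates.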

The Strategic Conversation:

"E3 gives us strong authentication and solid authorization. We can enforce MFA, block legacy auth, and require managed devices. What we cannot do is automatically step up authentication when a sign-in looks risky, or block access from impossible travel. If that is a requirement for your risk profile, the minimum viable upgrade is Entra ID P2 for identity protection, not a full E5 jump."

Close the Email Security Gap (No Defender for Office 365 P2)

EOP anti-phishing is reactive. Safe Links and Safe Attachments are proactive.

Mitigations within E3:

  • URL rewriting via transport rules: Block known bad TLDs, force HTTPS where possible
  • Attachment filtering: Block executable attachments at transport rule level (EOP already does this partially)
  • User education: Phishing simulation via free or low-cost platforms (GoPhish is open-source)
  • Third-party email gateway: Proofpoint, Mimecast, Avanan (~$3-5/user/month)

The Strategic Conversation:

"EOP catches spam and known malware. It does not rewrite URLs or sandbox attachments. For a bank/telco/power client, that gap is meaningful. The most cost-effective close is either Defender for Office 365 P1 add-on or a third-party gateway. Let us quantify the phishing risk first, then size the investment."

Close the PAM Gap (No PIM)

Without PIM, administrative roles are standing privileges.

Mitigations within E3:

  • Dedicated admin accounts: Separate admin and user identity for every administrator
  • PAW (Privileged Access Workstation): Physical or virtual separation for admin tasks
  • Time-bounded access via process: Manual approval workflow for admin elevation
  • Quarterly admin access review: Document every admin; remove stale assignments
  • LAPS: Free from Microsoft; randomizes local admin passwords

Phase 3: M365-Specific Threat Scenarios

Scenario 1: Business Email Compromise (BEC)

The Attack: Adversary compromises executive mailbox, sends fraudulent payment instructions.

E3 Defenses:

  • Impersonation protection in EOP (configured above)
  • Mailbox auditing (configured above)
  • MFA on all accounts (prevents initial compromise)
  • Outbound spam policy: flag unusual send patterns

Gap: No Safe Links to rewrite URLs in real-time; no automated investigation.

Augmentation: User education + third-party email gateway.

Scenario 2: Malicious OAuth Application Consent

The Attack: User grants permissions to a malicious app; adversary gains persistent access.

E3 Defenses:

  • Audit all enterprise apps: Get-AzureADServicePrincipal
  • Review OAuth consents quarterly
  • Disable user consent to apps (admin consent required)
  • Microsoft 365 admin center → Settings → Org settings → User consent to apps → Off
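The quarterly consent review and the "user consent off" setting can be scripted, which also gives the Phase 1 "revoke excessive OAuth consents" step a repeatable procedure. This is an added example, not the playbook's code; it uses the Microsoft Graph PowerShell SDK in place of Get-AzureADServicePrincipal, assumes the listed scopes can be consented to, and treats the scope list as a starting point to be tuned per client.

```powershell
# Added example (not from the playbook): OAuth consent review and tenant-wide user consent lockdown via Microsoft Graph.
# Assumes Microsoft.Graph is installed and the admin can consent to these scopes.
Connect-MgGraph -Scopes "Directory.Read.All","DelegatedPermissionGrant.ReadWrite.All","Policy.ReadWrite.Authorization" -NoWelcome

# Delegated scopes that give an app standing, broad access to mail, files or the directory. Tune per client.
$highRiskScopes = @('Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite','Contacts.Read',
                    'Files.Read.All','Files.ReadWrite.All','Sites.Read.All','Directory.Read.All','Directory.ReadWrite.All','offline_access')

$tenantId = (Get-MgOrganization).Id
$spById   = @{}
Get-MgServicePrincipal -All -Property "id,displayName,appId,appOwnerOrganizationId" | ForEach-Object { $spById[$_.Id] = $_ }

# One row per grant that includes at least one high-risk scope.
$findings = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $app    = $spById[$g.ClientId]
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $risky  = $scopes | Where-Object { $highRiskScopes -contains $_ }
    if (-not $risky) { continue }
    [pscustomobject]@{
        App         = $app.DisplayName
        AppId       = $app.AppId
        ThirdParty  = ($app.AppOwnerOrganizationId -ne $tenantId)
        ConsentType = $g.ConsentType      # AllPrincipals = admin consent for everyone; Principal = a single user's consent
        PrincipalId = $g.PrincipalId
        RiskyScopes = ($risky -join ' ')
        GrantId     = $g.Id
    }
}

$findings | Sort-Object ThirdParty, App -Descending |
    Export-Csv -Path "oauth-consent-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
# Third-party apps with user-level consent to mailbox or file scopes are the classic consent-phishing footprint.
$findings | Where-Object { $_.ThirdParty -and $_.ConsentType -eq 'Principal' } | Format-Table App, RiskyScopes -AutoSize

# Revoke individual grants after the review decision (one deliberate call per grant, not a bulk loop):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the CSV>'

# Turn off user consent tenant-wide so new grants require admin approval (same effect as the portal setting above).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }
# Verify: expect an empty list.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

Run the export on day one of the engagement and again at each quarterly review; a diff of the two CSVs is the anomaly detection E3 lacks natively.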

Gap: No automated anomaly detection for consent grants.

Augmentation: Manual quarterly review + scripting.

Scenario 3: Data Exfiltration via SharePoint / OneDrive

The Attack: Insider or compromised account bulk-downloads sensitive files.

E3 Defenses:

  • External sharing locked down (configured above)
  • Audit logging enabled (configured above)
  • Basic retention policies

Gap: No DLP, no sensitivity labels, no insider risk analytics.

Augmentation:

  • PowerShell scripts to detect bulk downloads
  • Quarterly access reviews on sensitive sites
  • Process: data classification by site owner (manual but effective)
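The "PowerShell scripts to detect bulk downloads" item, built on the Search-UnifiedAuditLog export mentioned in the audit logging section, as an added example that is not part of the playbook. It assumes the ExchangeOnlineManagement module, that the unified audit log is already enabled, and a per-user daily download threshold that should be calibrated against a baseline week for the client.

```powershell
# Added example (not from the playbook): daily bulk-download triage from the unified audit log.
# Assumes ExchangeOnlineManagement is installed and unified audit logging is enabled; threshold is a placeholder.
Connect-ExchangeOnline

$end       = Get-Date
$start     = $end.AddDays(-1)
$threshold = 200    # downloads per user per day; calibrate from a baseline week before alerting on it

# Pull download events only. ReturnLargeSet pages past the 5,000-record limit of a single call.
$events    = @()
$sessionId = "bulk-download-$(Get-Date -Format yyyyMMddHHmmss)"
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileDownloaded, FileSyncDownloadedFull `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $events += $page }
} while ($page)

# AuditData is a JSON string; parse once and keep only what triage needs.
$parsed = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        User     = $d.UserId
        Site     = $d.SiteUrl
        File     = $d.SourceFileName
        ClientIP = $d.ClientIP
        Time     = [datetime]$d.CreationTime
    }
}

# Users over the threshold, with the context an analyst needs to decide quickly.
$suspects = $parsed | Group-Object User | Where-Object Count -ge $threshold | ForEach-Object {
    [pscustomobject]@{
        User        = $_.Name
        Downloads   = $_.Count
        DistinctIPs = @($_.Group.ClientIP | Sort-Object -Unique).Count
        Sites       = (@($_.Group.Site | Sort-Object -Unique) -join '; ')
        FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
}

$suspects | Format-Table -AutoSize
# Full per-file detail for the flagged users, for the incident record.
$parsed | Where-Object { $suspects.User -contains $_.User } |
    Export-Csv -Path "bulk-download-detail-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A single user with hundreds of downloads from one site in a few minutes and one client IP is the pattern to escalate; OneDrive sync clients also generate FileSyncDownloadedFull in bulk on a new device, so check DistinctIPs and LastSeen minus FirstSeen before treating it as exfiltration.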

Scenario 4: Lateral Movement via Compromised Credentials

The Attack: Phished credentials → mailbox compromise → password reset on other services → full identity takeover.

E3 Defenses:

  • MFA (prevents password-only access)
  • SSPR with MFA enforcement (prevents account lockout abuse)

Gap: No risk-based step-up; no impossible travel blocking.

Augmentation: Monitor for impossible travel in audit logs (manual or scripted).
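The scripted form of that augmentation, also covering the "manual risk review" item in the Phase 2 identity section, as an added example that is not part of the playbook. It reads the Entra sign-in log through the Microsoft Graph PowerShell SDK (sign-in log access needs Entra ID P1, which E3 has), computes great-circle distance between each user's consecutive successful sign-ins, and flags any pair that would have required faster-than-airliner travel. The 900 km/h ceiling and the 50 km noise floor are assumptions to tune.

```powershell
# Added example (not from the playbook): impossible-travel detection over Entra sign-in logs via Microsoft Graph.
# Assumes Microsoft.Graph is installed; speed ceiling and distance floor are tunable assumptions.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$maxPlausibleKmh = 900   # roughly airliner cruise speed; faster than this is physically impossible
$minDistanceKm   = 50    # ignore same-metro moves and GeoIP jitter
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance on a 6371 km sphere.
    $r    = 6371.0
    $dLat = [math]::PI * ($Lat2 - $Lat1) / 180
    $dLon = [math]::PI * ($Lon2 - $Lon1) / 180
    $a    = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
            [math]::Cos([math]::PI * $Lat1 / 180) * [math]::Cos([math]::PI * $Lat2 / 180) *
            [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * $r * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    param([object[]]$SignIns, [double]$MaxKmh, [double]$MinKm)
    # $SignIns: objects with User, Time (datetime), Lat, Lon, IP, Location. Emits one finding per impossible hop.
    $SignIns | Group-Object User | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Time)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $km = Get-DistanceKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            if ($km -lt $MinKm) { continue }
            $hours = ($cur.Time - $prev.Time).TotalHours
            $kmh   = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
            if ($kmh -gt $MaxKmh) {
                [pscustomobject]@{
                    User = $_.Name; From = $prev.Location; To = $cur.Location
                    Km = [math]::Round($km); Hours = [math]::Round($hours, 2); Kmh = [math]::Round($kmh)
                    FromIP = $prev.IP; ToIP = $cur.IP; At = $cur.Time
                }
            }
        }
    }
}

# Successful sign-ins with a geolocation only; failed attempts are noise here (and worth their own weekly report).
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0" |
    Where-Object { $null -ne $_.Location.GeoCoordinates.Latitude } |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.UserPrincipalName
            Time     = $_.CreatedDateTime
            Lat      = [double]$_.Location.GeoCoordinates.Latitude
            Lon      = [double]$_.Location.GeoCoordinates.Longitude
            IP       = $_.IpAddress
            Location = "$($_.Location.City), $($_.Location.CountryOrRegion)"
        }
    }

Find-ImpossibleTravel -SignIns $signIns -MaxKmh $maxPlausibleKmh -MinKm $minDistanceKm |
    Sort-Object User, At | Format-Table -AutoSize
```

VPN egress points and mobile carrier NAT are the usual false positives; keep an allow-list of the client's known egress IPs and filter them before the hop calculation once the first week's results have been reviewed.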


The E5 Upgrade Conversation

There will come a point where E3 augmentation is no longer cost-effective. Frame the E5 conversation around specific capability gaps, not feature lust.

| E5 Capability | What It Solves | When to Recommend |
|---|---|---|
| Defender for Endpoint P2 | EDR, ASR, threat analytics | Client has had malware incident or is in regulated industry |
| Entra ID P2 | Risk-based conditional access, PIM, identity protection | Client has admin compromise or needs risk-based/impossible-travel blocking |
| Defender for Office 365 P2 | Safe Links, Safe Attachments, automated investigation | Client has had phishing-driven incident |
| Purview | DLP, sensitivity labels, insider risk | Client handles customer PII, financial data, or trade secrets |
| Sentinel | SIEM, SOAR, threat hunting | Client has dedicated SOC or regulatory SIEM requirements |

The Pitch:

"We have extracted 80% of the security value from your E3 investment. The remaining 20% requires capabilities that only exist in E5 or specific add-ons. I am not recommending a blanket upgrade. I am recommending we selectively license the gaps that match your actual risk profile."


OT / Critical Infrastructure Overlay (Telco, Power)

For clients with operational technology (OT) or critical infrastructure obligations:

| E3 Consideration | OT Implication |
|---|---|
| MFA enforcement | Admin accounts for OT-facing M365 tenants must have hardware tokens (no phone SMS in control rooms) |
| Audit logging | 90-day retention may be insufficient; plan export to long-term storage |
| External sharing | OneDrive/SharePoint must not become accidental conduit between IT and OT networks |
| Guest access | Strictly prohibit guest accounts in OT-connected tenants |
| Email security | EOP is baseline; NIS2 and critical infrastructure regulations may mandate advanced email filtering |

See Vertical: Power Utilities for full OT alignment.


Banking Overlay

For financial services clients:

| E3 Consideration | Regulatory Implication |
|---|---|
| Audit logging | DORA Article 12 (ICT risk management) requires comprehensive logging and monitoring |
| MFA | PSD2 Strong Customer Authentication principles apply to internal systems |
| Data residency | M365 data must remain in EU/geographically appropriate datacenters |
| DLP gap | No native DLP in E3; manual data governance + eventual Purview upgrade likely required |
| Email archiving | Financial regulations often require immutable, long-term email retention |

See Vertical: Banking for full regulatory alignment.


Previous: Zero-Budget Hardening | Next: AD and Endpoint Hardening

For how Intune deployment becomes the natural entry point for broader security transformation, see Endpoint Management Entry Vector.