antifragile/antifragile-consulting/playbooks/m365-antifragile-project.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00

M365 Antifragile Project Playbook

"Most M365 deployments create fragile monocultures: one tenant, one identity provider, one way in, and no way out. We architect M365 as an antifragile platform: decoupled, observable, recoverable, and sovereign."

This playbook applies antifragile principles to Microsoft 365 projects—both greenfield deployments (new tenant, new organization, or post-merger consolidation) and modernisation (existing tenant hardening, restructuring, or security transformation).

It is designed for M365/Azure consultancies that want to deliver resilient, governance-ready, and future-proof M365 environments—not just functional ones.


The Antifragile M365 Philosophy

Traditional M365 projects optimize for:

  • User adoption: How quickly can we get people using Teams?
  • Feature enablement: Which M365 apps should we roll out?
  • License efficiency: Are we using all our E3/E5 seats?

Antifragile M365 projects optimize for:

  • Structural decoupling: Can we migrate, split, or exit this tenant without existential disruption?
  • Observability: Do we know who has access to what, and what they are doing with it?
  • Recoverability: Can we rebuild this tenant from zero in 48 hours?
  • Sovereignty: Does our proprietary data improve our position, or Microsoft's?

Part 1: Greenfield M365 Deployment

Phase 0: Architecture and Sovereignty Design (Before Migration)

Objective: Design the tenant so it does not become a trap.

| Decision | Antifragile Default | Fragile Alternative |
| --- | --- | --- |
| Tenant location | Data center in client's primary jurisdiction (e.g., EU, Germany, Switzerland) | Default US tenant with data residency afterthought |
| Domain strategy | Custom domain owned by client; MX records client-controlled | Microsoft-managed domain; no exit path |
| Identity architecture | Cloud-only Entra ID with documented exit path, OR hybrid with phased cloud-native migration | Hybrid AD with indefinite synchronization; no cloud-only plan |
| Email archiving | Immutable third-party journal or customer-managed retention; not Exchange Online-only | Exchange Online retention only; vendor-dependent |
| External sharing | Default off; enabled per-site with justification | Default on; locked down reactively after incidents |
| Guest access | Disabled by default; enabled via governed workflow | Enabled by default; cleaned up never |
| Third-party apps | Admin consent required; app catalog governed | User consent allowed; shadow OAuth proliferation |
| Backup strategy | Third-party backup with immutable storage; tested quarterly | Native recycle bin only; no recovery testing |

The conversation:

"We are not just setting up email and Teams. We are designing the digital foundation of your organization for the next decade. Every decision we make in the first two weeks will either preserve your optionality or eliminate it. We choose optionality."


Phase 1: Tenant Foundation (Week 1-2)

Identity and Access Architecture

  • Custom domain verification: Client retains DNS control; Microsoft is a service, not an owner
  • Break-glass accounts: 2-3 global admins, excluded from conditional access, complex passwords managed offline
  • Initial admin roles: No standing global admins for daily work; delegated admin roles (Exchange admin, SharePoint admin, User admin)
  • Security defaults or conditional access baseline:
    • E3: Per-user MFA for all admins; block legacy authentication
    • E5: Conditional access requiring MFA for all users, compliant devices for admins, block legacy auth, risky sign-in policies

Data Governance Foundation

  • Retention policies: Define retention from day one
    • Email: 7 years for regulated industries; 3 years for general business
    • Teams chat: 2 years minimum
    • SharePoint: per-site classification
  • Microsoft Purview labels (if licensed): Deploy default sensitivity labels (Public, Internal, Confidential, Highly Confidential)
  • Data loss prevention (if licensed): Pilot DLP for PCI, PII, and client-defined crown jewels

Baseline Security Configuration

  • Audit logging: Enable Unified Audit Log immediately; configure 10-year retention for regulated clients
  • Mailbox auditing: Enable for all mailboxes via PowerShell
  • Alert policies: Configure default alert policies for elevated privileges, malware, phishing
  • Secure Score: Baseline and weekly tracking
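
The audit-logging and mailbox-auditing steps above, as an added example that is not the playbook's own code: it checks the current state before changing anything, using Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, the operator holds the Organization Management role, and the output file name is a placeholder.

```powershell
# Added example, not part of the playbook: verify and enforce the Phase 1 audit baseline
# with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module and an
# operator in the Organization Management role.
Connect-ExchangeOnline

# 1. Unified Audit Log ingestion: read the state first, change only if needed
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Log ingestion is OFF; enabling"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing can be switched off for the whole tenant by one org-level flag
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide; re-enabling"
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per mailbox: auditing on, and the per-mailbox audit log age limit raised to one year
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled -or $_.AuditLogAgeLimit.Days -lt 365 } |
    ForEach-Object {
        Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit "365.00:00:00"
    }

# 4. Evidence for the engagement file (placeholder file name)
Get-Mailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName,AuditEnabled,AuditLogAgeLimit |
    Export-Csv mailbox-audit-baseline.csv -NoTypeInformation
```

Re-run step 4 during the weekly Secure Score check: a mailbox that reverts to `AuditEnabled = False` is itself a finding worth investigating.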

Phase 2: Workload Deployment (Week 3-6)

Deployment Order (Antifragile Priority)

| Priority | Workload | Why First? |
| --- | --- | --- |
| 1 | Exchange Online | Identity verified, email secured, archiving established |
| 2 | SharePoint / OneDrive | Document governance foundation before content accumulates |
| 3 | Teams | Collaboration with the governance guardrails already in place |
| 4 | Intune / Endpoint Management | Device compliance before conditional access enforcement; see Endpoint Management Entry Vector |
| 5 | Power Platform | Low-code governance before citizen developers create shadow IT |
| 6 | Copilot / AI features | Only after data governance, access control, and sovereignty architecture are proven |

The antifragile rule: Governance before workload. Every Teams channel created without retention policy is technical debt. Every Power App deployed without DLP is a future incident.


Phase 3: Hardening and Governance (Week 7-10)

Conditional Access (E5 or Entra ID P1/P2)

  • Require MFA for all users
  • Require compliant or hybrid Azure AD joined device for sensitive apps
  • Block legacy authentication
  • Block downloads from unmanaged devices for confidential content
  • Require password change on high user risk
  • Enforce token binding where supported

SharePoint and OneDrive Lockdown

  • External sharing: Only people in your organization (default)
  • Anyone links: Disabled
  • Guest access: Admin-controlled per site
  • Site creation: Admin-only or governed workflow
  • Access requests: Disabled or routed to site owner

Teams Governance

  • Team creation: Governed workflow (not open to all)
  • Guest access in Teams: Disabled by default; enabled per team with justification
  • Private channel creation: Restricted
  • Third-party apps in Teams: Admin-approved catalog only
  • Meeting recordings: Retention policy applied; transcription governed

Power Platform Governance

  • Environment strategy: Default environment restricted; production environments for approved use cases
  • DLP policies: Block connectors that exfiltrate data (personal email, unauthorized cloud storage)
  • Data policies: Prevent citizen developers from creating unmanaged databases of customer data
  • ALM: Require solution packaging for production environments

Phase 4: Validation and Handover (Week 11-12)

Recovery Testing

  • Perform tenant recovery drill: restore a deleted mailbox, a deleted SharePoint site, a corrupted Teams channel
  • Validate backup integrity if third-party backup is deployed
  • Document recovery runbooks

Governance Documentation

  • Acceptable use policy for M365
  • Data classification and handling guide
  • Guest access policy
  • External sharing decision tree
  • Incident response runbook for M365-specific threats (BEC, OAuth consent grants, data exfiltration)

Knowledge Transfer

  • Admin training: Entra ID, Exchange admin center, SharePoint admin, Security & Compliance
  • End-user training: Phishing awareness, data handling, external sharing procedures
  • Champion program: Identify M365 champions per department

Part 2: M365 Modernisation

The Modernisation Audit

Before any changes, assess the current tenant against antifragile criteria:

| Category | Audit Question | Finding |
| --- | --- | --- |
| Identity | How many global admins? How many unused accounts? Is PIM enabled? | |
| Access | Is conditional access deployed? Is legacy auth blocked? Is MFA enforced? | |
| Data | Are sensitivity labels deployed? Is DLP active? Who can share externally? | |
| Applications | How many enterprise apps? How many OAuth consents? Are they justified? | |
| Devices | What is EDR coverage? Is Intune managing devices? Are PAWs used for admin? | |
| Recovery | When was the last backup test? Is there a tenant recovery plan? | |
| Governance | Is there an acceptable use policy? Who owns site creation? | |
| AI | Is shadow AI in use? Is there a sanctioned alternative? | |

The conversation:

"Most M365 modernisations start with 'What new features should we enable?' We start with 'What would kill this organization if it failed?' Then we fix that first."


Phase 1: Kill Chain Closure (Week 1-4)

Identity Blitz

```powershell
# Export and analyze the full identity estate (Microsoft Graph PowerShell SDK)
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All","RoleManagement.Read.Directory"
# LastSignInDateTime is nested under SignInActivity and must be requested explicitly
Get-MgUser -All -Property DisplayName,UserPrincipalName,AccountEnabled,SignInActivity |
  Select-Object DisplayName,UserPrincipalName,AccountEnabled,@{n='LastSignIn';e={$_.SignInActivity.LastSignInDateTime}} |
  Export-Csv users.csv -NoTypeInformation
# Members of every activated directory role, tagged with the role name
Get-MgDirectoryRole | ForEach-Object { $r = $_; Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id | Select-Object @{n='Role';e={$r.DisplayName}},Id } | Export-Csv role-members.csv -NoTypeInformation
Get-MgOAuth2PermissionGrant -All | Export-Csv oauth-grants.csv -NoTypeInformation
```

  • Disable unused accounts (> 90 days inactive)
  • Remove excessive admin roles
  • Revoke stale OAuth consents
  • Enable PIM for all privileged roles (if licensed)
  • Enforce MFA for all users (per-user MFA for E3; conditional access for E5)
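
The first three bullets of the blitz as an added example, not the playbook's own code: it builds the "inactive > 90 days" list and the user-consent review list with the Microsoft Graph PowerShell SDK, and leaves the disable step as a dry run until the client has reviewed the CSV. It assumes an existing `Connect-MgGraph` session with `User.ReadWrite.All`, `AuditLog.Read.All`, `Application.Read.All` and `Directory.Read.All`; the output file names are placeholders.

```powershell
# Added example, not part of the playbook. Assumes Connect-MgGraph was already run with
# User.ReadWrite.All, AuditLog.Read.All, Application.Read.All and Directory.Read.All.
$cutoff = (Get-Date).AddDays(-90)   # the playbook's 90-day inactivity threshold

# 1. Enabled accounts with no interactive AND no non-interactive sign-in in 90 days.
#    Accounts that never signed in are included once they are older than the cutoff.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,CreatedDateTime,SignInActivity
$stale = $users | Where-Object {
    $_.AccountEnabled -and
    $_.CreatedDateTime -lt $cutoff -and
    ( -not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff ) -and
    ( -not $_.SignInActivity.LastNonInteractiveSignInDateTime -or $_.SignInActivity.LastNonInteractiveSignInDateTime -lt $cutoff )
}
$stale |
    Select-Object UserPrincipalName,UserType,CreatedDateTime,@{n='LastSignIn';e={$_.SignInActivity.LastSignInDateTime}} |
    Export-Csv stale-accounts.csv -NoTypeInformation

# Disable only after the client has reviewed stale-accounts.csv; -WhatIf keeps this a dry run.
# Break-glass accounts must be excluded from $stale before the -WhatIf is removed.
$stale | ForEach-Object { Update-MgUser -UserId $_.Id -AccountEnabled:$false -WhatIf }

# 2. OAuth consents: resolve each grant's client to an app name so every user consent
#    can be justified or revoked. ConsentType 'Principal' = a single user consented;
#    'AllPrincipals' = admin consent for the whole tenant.
$spNames = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName | ForEach-Object { $spNames[$_.Id] = $_.DisplayName }
Get-MgOAuth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    Select-Object @{n='App';e={$spNames[$_.ClientId]}},ClientId,PrincipalId,Scope |
    Export-Csv user-consents.csv -NoTypeInformation
```

Grants whose `Scope` includes mailbox or files permissions (for example `Mail.Read`, `Files.ReadWrite.All`) for an app nobody can name are the first candidates for `Remove-MgOAuth2PermissionGrant`.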

External Access Lockdown

  • Audit all guest users: business justification per guest
  • Audit all external shares: revoke stale links
  • Audit all enterprise apps: remove unused, justify retained
  • Disable user consent for apps (admin consent required)

Email Security Tuning

  • E3: Maximize EOP (anti-phishing impersonation protection, anti-malware, anti-spam)
  • E5: Enable Safe Links, Safe Attachments, advanced anti-phishing
  • Mailbox auditing: enable for all mailboxes

Phase 2: Structural Improvement (Week 5-8)

Data Governance Deployment

  • Deploy sensitivity labels (if Purview available) or manual classification guidance
  • Deploy retention policies for all workloads
  • Deploy DLP policies for high-sensitivity data types
  • Site provisioning governance: restrict site creation or implement approval workflow

Device and Endpoint

  • Deploy Intune MDM for all corporate devices
  • Deploy Windows Defender features available in E3
  • Consider Sysmon + Wazuh for EDR-like visibility without E5
  • Deploy LAPS for local admin password randomization

Power Platform Cleanup

  • Inventory all environments, apps, and flows
  • Apply DLP policies
  • Migrate unmanaged production apps to governed environments
  • Document and train citizen developers

Phase 3: Sovereignty and AI Integration (Week 9-12)

AI Sovereignty Bridge

  • Inventory shadow AI usage
  • Deploy Azure OpenAI Service as sanctioned alternative (see Azure OpenAI Sovereignty Bridge)
  • Configure private endpoints, CMK, and conditional access for AI endpoints
  • Pilot Copilot for M365 with governance guardrails (if licensed)

Tenant Recovery Validation

  • Third-party backup test: restore mailbox, SharePoint site, Teams data
  • Document tenant rebuild runbook
  • Validate domain recovery procedures (DNS, MX, SPF, DKIM, DMARC)
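
A snapshot of the mail-domain DNS posture that a tenant rebuild must reproduce, as an added example that is not the playbook's own code. It assumes Windows PowerShell with the DnsClient module (`Resolve-DnsName`) and uses `example.com` as a placeholder; the expected targets are the standard Exchange Online Protection MX, SPF include and DKIM selector CNAMEs.

```powershell
# Added example, not part of the playbook: record MX, SPF, DKIM and DMARC for a domain so the
# same values can be verified after a tenant rebuild. Assumes the DnsClient module.
function Test-M365MailDomain {
    param([Parameter(Mandatory)][string]$Domain)
    $mx    = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue
    $txt   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    # TXT records may be split into several strings; join before matching
    $spf   = ($txt | ForEach-Object { $_.Strings -join '' }) | Where-Object { $_ -like 'v=spf1*' }
    # Exchange Online publishes DKIM keys behind two CNAME selectors
    $dkim  = foreach ($s in 'selector1','selector2') {
        Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty NameHost
    }
    [pscustomobject]@{
        Domain         = $Domain
        MXToEOP        = [bool]($mx.NameExchange -like '*.mail.protection.outlook.com')
        SPFPresent     = [bool]$spf
        SPFIncludesEOP = [bool]($spf -like '*include:spf.protection.outlook.com*')
        SPFHardFail    = [bool]($spf -like '*-all')
        DKIMSelectors  = ($dkim | Measure-Object).Count          # expect 2
        DMARCPolicy    = ((($dmarc.Strings -join '') -split ';') | Where-Object { $_.Trim() -like 'p=*' }) -join ''
    }
}

# Run before the drill and store the object as evidence; run again after the rebuild and diff.
Test-M365MailDomain -Domain 'example.com'   # placeholder domain
```

A `DMARCPolicy` of `p=none` or a missing DKIM selector after the rebuild means mail flow was restored but the anti-spoofing posture was not.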

Operational Handover

  • Transfer admin knowledge to client team
  • Establish recurring governance review cadence
  • Deploy automated Secure Score monitoring

Antifragile M365 Checklist

Greenfield Deployment

  • Tenant in correct geographic region
  • Custom domain with client-controlled DNS
  • Break-glass accounts created and secured
  • Security defaults or conditional access baseline
  • Unified Audit Log enabled
  • Retention policies defined and deployed
  • External sharing default: off
  • Guest access default: disabled
  • User consent for apps: disabled
  • Intune MDM baseline configured
  • Third-party backup deployed and tested
  • Recovery runbook documented
  • Admin and end-user training completed
  • AI governance framework defined before Copilot deployment

Modernisation

  • Full identity census completed
  • Unused accounts disabled
  • Admin roles minimized and justified
  • OAuth consents audited and cleaned
  • MFA enforced for 100% of users
  • Legacy authentication blocked
  • External sharing audited and locked down
  • Guest access audited and time-bounded
  • Email security tuned (EOP or Defender for O365)
  • Sensitivity labels or classification guidance deployed
  • Retention policies applied to all workloads
  • Power Platform governed with DLP
  • Shadow AI inventoried and sanctioned alternative deployed
  • Backup recovery tested
  • Secure Score trending upward

Integration With the Rapid Modernisation Plan

| Rapid Modernisation Phase | M365 Project Mapping |
| --- | --- |
| Hygiene (Days 0-30) | Identity audit; external access lockdown; MFA enforcement; shadow AI inventory |
| Control (Days 30-60) | Conditional access; data governance; device management; email security tuning |
| Sovereignty (Days 60-90) | Azure OpenAI bridge deployment; backup recovery validation; tenant exit architecture |
| Antifragility (Days 90-180) | Automated governance monitoring; quarterly recovery drills; red team including M365 vectors; AI pilot expansion |

For the M365 E3 hardening specifics, see M365 E3 Hardening. For the Azure OpenAI sovereignty bridge, see Azure OpenAI Sovereignty Bridge. For the M365 project risk register, see M365 Project Risk Register.