Microsoft 365 E5 security baseline

Posted on

As a license bundle, Microsoft 365 E5 combines Office 365 E5, Enterprise Mobility + Security (EM+S) E5, and Windows 10 Enterprise E5. Regarding security it offers even more advanced features compared to M365 E3.

This post builds upon the E3 version that was also published on my blog: https://chrisonsecurity.net/2019/01/27/microsoft-365-e3-security-baseline/

What you get (security related)

Office 365 E5
Office 365 Advanced Threat Protection
Office 365 Threat Intelligence
Cloud App Security
+ all features from Office 365 E3
EMS E5
Azure Active Directory Premium P2 (Identity Protection, Privileged Identity Management)
Azure Information Protection P2
Microsoft Cloud App Security
Azure Advanced Threat Protection
Azure AD Identity Governance
+ all features from EMS E3
Windows 10 Enterprise E5
Microsoft Defender Advanced Threat Protection
+ all features from Windows 10 Enterprise E3

Office 365 E5 security baseline

  • Implement advanced mail security with Office 365 ATP (anti-phishing, safe attachments, safe links).
  • Use O365 Threat Intelligence to monitor malware / phishing campaigns against your users.
  • Office 365 Cloud App Security (OCAS) is theoretically part of O365 E5. As this post refers to M365 E5 OCAS is enhanced to full functionality by MCAS as part of EMS E5.

EMS E5 security baseline

  • Enhance your Conditional Access policies by using the risk level provided by Azure AD Identity Protection to control access based on user and/or sign-in anomalies like leaked credentials or abnormal location. Risk-based MFA for standard users is one of the most common use cases.
  • Onboard to Azure ID Identity Protection. Implement alerting on events of a certain criticality (at least level medium and up). Work on a strategy on how to react to events with your security team.
  • Require users to register for MFA and SPPR. If applicable in your organization guests should also be required to register for MFA. Whether they have to use it can – again – be decided upon their risk level.
  • Add terms of use for guest accounts which they have to accept before getting access.
  • Use Azure AD Privileged Identity Management (PIM) to grant time-based permissions to administrators. Apart from a single break glass account all other roles should be on-demand only.
  • Go all-in with Microsoft Cloud App Security (MCAS). It allows you to monitor nearly all security-related events from the tenant.
    • Implement Cloud App Discovery with either local network infrastructure or Microsoft Defender ATP as a data source.
    • Link other features like Azure Information Protection, Azure ATP, and Intune to MCAS.
    • Adjust default alerts to your requirements or build new ones to enable you to notice the things you want to see.
    • Use Cloud App Security Conditional Access App Control (MCAS CAAC) to control sessions that might be suspicious (e.g. based on the risk level provided by Azure AD Identity Protection).
    • Regularly control OAuth applications that users might have added (if you do not require Admin Consent for Azure AD Applications). Block them in MCAS if unwanted.
    • Build a strategy and technical implementation on how to protect data from unwanted external sharing.
  • Implement Azure Advanced Threat Protection for your on-prem or IaaS-hosted Domain Controllers. It enables you to detect anomalies like Pass-the-Hash, Pass-the-Ticket, or reconnaissance activities in Active Directory.
  • Implement Azure AD Access Reviews to enable administrators or resource owners to decide whether certain users still require access to resources.
  • Use Azure AD Entitlements to give certain users the ability for self-service resource access. This can be useful if you work with a partner that must have access to a distinct set of resources with changing personnel on their end.
  • Implement enhanced data protection scenarios with Azure Information Protection P2. In addition to AIP P1 you can define automatic rule sets for classification and protection. You can also use HYOK (Hold Your Own Key) for cryptographic operations. However, this is a highly complex scenario compared to using the encryption keys provided by Azure RMS.

Windows 10 Enterprise E5 security baseline

  • Onboard Windows 10 and macOS Clients to Microsoft Defender ATP.
  • Implement Exploit Guard, Attack Surface Reduction rules, Network Protection, and Controlled Folder Access. Monitor those via Defender ATP Advanced Hunting. This makes it very easy to detect False Positives and to change the initial baseline policy.

Roundup

While Microsoft 365 E3 already offers some solid security features it is Microsoft 365 E5 that brings the really cool stuff regarding automation and monitoring. Especially Microsoft Cloud App Security plays a big role as a central security and compliance management tool.

Disclaimer: This overview was created to the best of my knowledge. It might be suspect to change at any time, especially if Microsoft changes licensing. I do not guarantee that this is a comprehensive overview.

Thanks for reading!

Chris