ChrisOnSecurity

Microsoft 365 E5 security baseline

Posted on 27. July 2019 (updated 10. August 2019)

As a license bundle, Microsoft 365 E5 combines Office 365 E5, Enterprise Mobility + Security (EM+S) E5, and Windows 10 Enterprise E5. Regarding security, it offers considerably more advanced features than M365 E3.

This post builds upon the E3 version that was also published on my blog: https://chrisonsecurity.net/2019/01/27/microsoft-365-e3-security-baseline/

What you get (security related)

Office 365 E5
  • Office 365 Advanced Threat Protection
  • Office 365 Threat Intelligence
  • Cloud App Security
  • + all features from Office 365 E3

EMS E5
  • Azure Active Directory Premium P2 (Identity Protection, Privileged Identity Management)
  • Azure Information Protection P2
  • Microsoft Cloud App Security
  • Azure Advanced Threat Protection
  • Azure AD Identity Governance
  • + all features from EMS E3

Windows 10 Enterprise E5
  • Microsoft Defender Advanced Threat Protection
  • + all features from Windows 10 Enterprise E3

Office 365 E5 security baseline

  • Implement advanced mail security with Office 365 ATP (anti-phishing, safe attachments, safe links).
  • Use O365 Threat Intelligence to monitor malware / phishing campaigns against your users.
  • Office 365 Cloud App Security (OCAS) is in principle part of O365 E5. Since this post covers M365 E5, OCAS is superseded by the full-featured Microsoft Cloud App Security (MCAS) included in EMS E5.

EMS E5 security baseline

  • Enhance your Conditional Access policies by using the risk level provided by Azure AD Identity Protection to control access based on user and/or sign-in anomalies like leaked credentials or abnormal location. Risk-based MFA for standard users is one of the most common use cases.
  • Onboard to Azure AD Identity Protection. Implement alerting on events of a certain criticality (at least level medium and up). Agree on a strategy with your security team for how to react to these events.
  • Require users to register for MFA and SSPR. If applicable in your organization, guests should also be required to register for MFA. Whether they have to use it can – again – be decided based on their risk level.
  • Add terms of use for guest accounts which they have to accept before getting access.
  • Use Azure AD Privileged Identity Management (PIM) to grant time-based permissions to administrators. Apart from a single break glass account all other roles should be on-demand only.
  • Go all-in with Microsoft Cloud App Security (MCAS). It allows you to monitor nearly all security-related events from the tenant.
    • Implement Cloud App Discovery with either local network infrastructure or Microsoft Defender ATP as a data source.
    • Link other features like Azure Information Protection, Azure ATP, and Intune to MCAS.
    • Adjust default alerts to your requirements or build new ones to enable you to notice the things you want to see.
    • Use Cloud App Security Conditional Access App Control (MCAS CAAC) to control sessions that might be suspicious (e.g. based on the risk level provided by Azure AD Identity Protection).
    • Regularly review OAuth applications that users might have consented to (if you do not require admin consent for Azure AD applications). Block them in MCAS if they are unwanted.
    • Build a strategy and technical implementation on how to protect data from unwanted external sharing.
  • Implement Azure Advanced Threat Protection for your on-prem or IaaS-hosted Domain Controllers. It enables you to detect anomalies like Pass-the-Hash, Pass-the-Ticket, or reconnaissance activities in Active Directory.
  • Implement Azure AD Access Reviews to enable administrators or resource owners to decide whether certain users still require access to resources.
  • Use Azure AD Entitlements to give certain users the ability for self-service resource access. This can be useful if you work with a partner that must have access to a distinct set of resources with changing personnel on their end.
  • Implement enhanced data protection scenarios with Azure Information Protection P2. In addition to AIP P1 you can define automatic rule sets for classification and protection. You can also use HYOK (Hold Your Own Key) for cryptographic operations. However, this is a highly complex scenario compared to using the encryption keys provided by Azure RMS.

Windows 10 Enterprise E5 security baseline

  • Onboard Windows 10 and macOS Clients to Microsoft Defender ATP.
  • Implement Windows Defender Exploit Guard: Attack Surface Reduction rules, Network Protection, and Controlled Folder Access. Monitor these via Defender ATP Advanced Hunting, which makes it easy to spot false positives and to adjust the initial baseline policy.
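As an added example that is not part of the original post: an Advanced Hunting query that ranks Exploit Guard, ASR, Network Protection and Controlled Folder Access events per rule and process, so that noisy audit-mode hits can be checked for false positives before a rule is switched to block mode. It assumes the current DeviceEvents table and ActionType naming (the 2019 portal used different table names).

```kql
// Added example, not from the original post. Assumes the DeviceEvents table
// and the "Asr*", "ExploitGuard*" and "ControlledFolderAccessViolation*"
// ActionType names of the current Advanced Hunting schema.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"                               // ASR rules
     or ActionType startswith "ExploitGuard"                      // Network Protection, Exploit Protection
     or ActionType startswith "ControlledFolderAccessViolation"   // Controlled Folder Access
// Audit-mode entries end with "Audited"; everything else was enforced (blocked or warned).
| extend Mode = iff(ActionType endswith "Audited", "Audit", "Enforced")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            LastSeen = max(Timestamp)
         by ActionType, Mode, InitiatingProcessFileName, FileName
// Rows with many events on many devices in audit mode are the first candidates
// to review as false positives (or to exclude) before enabling block mode.
| order by Events desc
```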

Roundup

While Microsoft 365 E3 already offers some solid security features it is Microsoft 365 E5 that brings the really cool stuff regarding automation and monitoring. Especially Microsoft Cloud App Security plays a big role as a central security and compliance management tool.

Disclaimer: This overview was created to the best of my knowledge. It might be subject to change at any time, especially if Microsoft changes licensing. I do not guarantee that this is a comprehensive overview.

Thanks for reading!

Chris

@ChrisOnSecurity@infosec.exchange
