Microsoft 365 Enterprise (E3) costs about $12 per user per month more than the Business Premium plan. In my opinion, the real value is in the additional security features that you get. Keeping your data safe is a never-ending task. For orientation: Office 365 Enterprise E3 is listed at $20 per user per month with an annual commitment, contains everything in the Enterprise E1 plan, and is aimed at enterprises that need security, compliance, business intelligence, and voice capabilities; feature-wise it is closest to the Business Premium plan. Windows 10 Enterprise E3 is sold by subscription through the Cloud Solution Provider (CSP) channel via the Partner Center and unlocks the features reserved for the Windows 10 Enterprise edition. When managing licenses in the Azure portal or the Microsoft 365 admin center you see friendly product names such as Office 365 E3; the Azure AD PowerShell v1.0 cmdlets identify the same product by its less friendly SKU name, ENTERPRISEPACK.
As a license bundle, Microsoft 365 E3 combines Office 365 E3, Enterprise Mobility + Security (EM+S) E3, and Windows 10 Enterprise E3. It is the way to go if you want to add advanced security features to your Office 365 workloads and you need a Windows 10 Enterprise license anyway.
If you want to get to know the additional capabilities of Microsoft 365 E5 visit my other post: Microsoft 365 E5 security baseline.
What you get (security related)
Office 365 E3 security baseline
- Configure anti-malware and anti-spam policies for basic mail protection. Implement SPF and DKIM (and publish a DMARC record) so that receiving mail systems can authenticate mail sent from your domains and reject spoofed messages.
- Enable Office 365 auditing
- Enable Office 365 mailbox auditing
- Check Office 365 Secure Score on a regular basis but do not rely exclusively on it! Some things are not covered and probably never will be.
- Use SharePoint / OneDrive for Business Access Controls to limit potential data loss.
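The Office 365 E3 mail baseline above (anti-malware and anti-spam policies, auditing, SPF/DKIM) can be applied and verified from Exchange Online PowerShell. The following script is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that the account has Exchange administrator rights, and that "contoso.com" is a placeholder for one of your accepted domains.

```powershell
# Added example (not from the original post): applies the Office 365 E3 mail baseline
# with the ExchangeOnlineManagement module and checks the public DNS records that
# SPF, DKIM and DMARC depend on. Placeholder domain: contoso.com.
param(
    [string]$Domain = 'contoso.com'   # placeholder, replace with your accepted domain
)

# Resolve the DNS side first: SPF TXT, the two DKIM selector CNAMEs and DMARC.
# Enabling DKIM in Exchange Online fails until both selector CNAMEs exist.
function Test-MailAuthDns {
    param([string]$Domain)
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -match '^v=spf1' }
    $sel1 = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $sel2 = Resolve-DnsName -Name "selector2._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -match '^v=DMARC1' }
    $spfText = ($spf.Strings -join '')
    [pscustomobject]@{
        Domain        = $Domain
        SpfRecord     = $spfText
        SpfHardFail   = $spfText -match '-all$'      # "~all" (softfail) still delivers spoofed mail
        DkimSelector1 = $sel1.NameHost
        DkimSelector2 = $sel2.NameHost
        DmarcRecord   = ($dmarc.Strings -join '')
    }
}

$dns = Test-MailAuthDns -Domain $Domain
$dns | Format-List

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -CertificateThumbprint/-AppId for automation

# 1) Auditing: unified audit log ingestion plus mailbox auditing on every user mailbox
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Set-OrganizationConfig -AuditDisabled $false            # keep org-level mailbox auditing on
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# 2) Anti-malware: block common executable attachment types, purge malware delivered before detection
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true

# 3) Anti-spam: quarantine high-confidence spam and phishing, junk folder for ordinary spam
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkThreshold 6

# 4) DKIM: create the signing config if needed and enable it once both CNAMEs resolve
if ($dns.DkimSelector1 -and $dns.DkimSelector2) {
    $dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $dkim) {
        New-DkimSigningConfig -DomainName $Domain -Enabled $true
    } elseif (-not $dkim.Enabled) {
        Set-DkimSigningConfig -Identity $Domain -Enabled $true
    }
} else {
    Write-Warning "DKIM selector CNAMEs for $Domain are missing; publish them before enabling DKIM."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the DNS part alone (it needs no tenant connection) whenever a domain is added; an SPF record ending in "~all" and a missing DMARC record are the two findings that most often go unnoticed.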
EMS E3 / Azure AD security baseline
- Use dedicated administrative accounts for Office 365 and Azure AD. Make sure that on-premises admin accounts are NOT synchronized to the cloud, and that cloud admin accounts have no on-premises counterpart.
- Implement Multi-factor Authentication for all administrative accounts
- Hybrid join Windows 10 devices to use them as known devices
- Use Device Writeback to implement Windows Hello for Business in hybrid mode
- Implement Multi-factor Authentication for standard users. Build a sufficient strategy based on known devices and locations by leveraging Conditional Access. If users are forced to confirm prompts at every logon, they will most likely also confirm prompts for sign-ins they did not perform.
- Use Conditional Access to limit cloud usage. Use known locations, known devices, and approved client apps to make sure an attacker would also need other factors besides username and password to gain access
- Get rid of legacy authentication
- Block Exchange ActiveSync and switch to modern authentication mail clients
- Regularly check Azure AD sign-in logs for failed authentications to get a feeling for how affected your tenant is by password spray attacks (many different users, few attempts each, from the same source addresses)
- Monitor Azure AD Connect Health status including ADFS failed sign-ins (if you use federation)
- Monitor Azure AD app registrations
- Use Cloud App Discovery (sub-function of Microsoft Cloud App Security) to discover cloud app usage.
- Limit external access and guest users depending on your use cases
- Use Intune to prevent data leakage on mobile devices by leveraging either Intune App Protection (app containers) or a fully-managed implementation for Android and iOS
- Evaluate Azure Information Protection to protect corporate data. Start with a simple approach that allows users to get a feeling for how it works. Extend your deployment once you get an overview about the impact AIP has for users and how data is handled inside your organization.
- Deploy Microsoft Advanced Threat Analytics to monitor your on-premises Active Directory for known attacks like Pass-the-Hash, Pass-the-Ticket, and many others.
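Two of the checks above (hunting password spray in the sign-in logs and finding legacy authentication before you block it) can be done with the same data. The script below is an added example, not code from the original post. It works on Azure AD sign-in records in the Microsoft Graph signIn shape (what Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module returns, or what the portal's JSON export contains; sign-in logs need Azure AD Premium P1, which EMS E3 includes). The records embedded in the script are constructed sample data, not from a real tenant; the choice of error codes and client app names as indicators is mine.

```powershell
# Added example (not from the original post): password spray and legacy auth
# detection over Azure AD sign-in records. $SampleSignIns is constructed test data.
$SampleSignIns = @'
[
 {"createdDateTime":"2020-05-04T06:01:10Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Browser","status":{"errorCode":0}},
 {"createdDateTime":"2020-05-04T06:02:31Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Other clients","status":{"errorCode":50126}},
 {"createdDateTime":"2020-05-04T06:02:33Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Other clients","status":{"errorCode":50126}},
 {"createdDateTime":"2020-05-04T06:02:35Z","userPrincipalName":"carol@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Other clients","status":{"errorCode":50126}},
 {"createdDateTime":"2020-05-04T06:02:37Z","userPrincipalName":"dave@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Other clients","status":{"errorCode":50053}},
 {"createdDateTime":"2020-05-04T06:02:39Z","userPrincipalName":"erin@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Other clients","status":{"errorCode":0}},
 {"createdDateTime":"2020-05-04T07:15:02Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.44","clientAppUsed":"IMAP4","status":{"errorCode":0}},
 {"createdDateTime":"2020-05-04T07:20:45Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":0}},
 {"createdDateTime":"2020-05-04T08:00:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Browser","status":{"errorCode":50126}}
]
'@

# Modern-auth clients are logged under these two names; anything else in clientAppUsed
# (Other clients, IMAP4, POP3, SMTP, Exchange ActiveSync, ...) is basic/legacy authentication.
$ModernAuthClients = @('Browser', 'Mobile Apps and Desktop clients')
# 50126 = invalid username or password, 50053 = account locked after bad passwords
$BadPasswordCodes  = @(50126, 50053)

function Get-PasswordSprayCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,
        [int]$MinDistinctUsers = 5          # sprays touch many accounts from one source
    )
    # Successful sign-ins per source IP: a spray that "worked" shows up here
    $successByIp = @{}
    foreach ($s in ($SignIns | Where-Object { $_.status.errorCode -eq 0 })) {
        $successByIp[$s.ipAddress] += 1
    }
    $SignIns |
        Where-Object { $_.status.errorCode -in $BadPasswordCodes } |
        Group-Object ipAddress |
        ForEach-Object {
            $users = @($_.Group.userPrincipalName | Sort-Object -Unique)
            $times = @($_.Group.createdDateTime | Sort-Object)
            [pscustomobject]@{
                IpAddress       = $_.Name
                FailedSignIns   = $_.Count
                DistinctUsers   = $users.Count
                SuccessesFromIp = [int]$successByIp[$_.Name]   # > 0 means a password was guessed
                ClientApps      = (@($_.Group.clientAppUsed | Sort-Object -Unique) -join ', ')
                FirstSeen       = $times[0]
                LastSeen        = $times[-1]
            }
        } |
        Where-Object { $_.DistinctUsers -ge $MinDistinctUsers } |
        Sort-Object DistinctUsers -Descending
}

function Get-LegacyAuthSignIns {
    param([Parameter(Mandatory)] [object[]]$SignIns)
    $SignIns |
        Where-Object { $_.clientAppUsed -notin $ModernAuthClients } |
        Group-Object clientAppUsed, userPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                ClientApp = $_.Group[0].clientAppUsed
                User      = $_.Group[0].userPrincipalName
                Attempts  = $_.Count
                Successes = @($_.Group | Where-Object { $_.status.errorCode -eq 0 }).Count
            }
        } | Sort-Object ClientApp, User
}

$signIns = $SampleSignIns | ConvertFrom-Json
# Real data instead of the sample (needs Microsoft.Graph.Reports and AuditLog.Read.All):
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2020-05-01T00:00:00Z" -All
Get-PasswordSprayCandidates -SignIns $signIns -MinDistinctUsers 3 | Format-Table -AutoSize
Get-LegacyAuthSignIns -SignIns $signIns | Format-Table -AutoSize
```

On the sample data the first query reports 198.51.100.7 with four failed sign-ins against four different users and one success from the same address, which is exactly the case to investigate first; the single failure for alice from 203.0.113.10 stays below the threshold. The second query lists every user still coming in over "Other clients", IMAP4 or basic-auth Exchange ActiveSync, i.e. the accounts that break when legacy authentication is blocked by Conditional Access.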
Windows 10 Enterprise E3 security baseline
Expand your existing Windows 10 settings to leverage enhanced security features:
- Limit local administrative rights; users should work as standard users by default
- Randomize the password of the built-in Administrator account, e.g. using LAPS (Local Administrator Password Solution)
- Make sure all new devices come with a Trusted Platform Module (TPM) version 2.0. Version 1.2 is fine for existing devices.
- Install devices in UEFI mode with Secure Boot enabled
- Activate the virtualization capabilities (CPU virtualization extensions and IOMMU) in the firmware; virtualization-based security, and therefore Credential Guard, depends on them
- Protect UEFI settings from unwanted changes, e.g. with a firmware administrator password
- Use BitLocker with a TPM for volume encryption. Protect against DMA attacks by either using a startup PIN or Kernel DMA Protection, which is now included in Windows 10 on supported hardware.
- Activate Credential Guard to protect the LSASS process. Start without UEFI lock so you can fall back, and switch to UEFI lock once you are comfortable with manually resetting the UEFI variables, which is required to deactivate Credential Guard once locked
- Implement client isolation by leveraging the Windows Firewall. Clients almost never need to accept unsolicited inbound connections from other clients
- Activate User Account Control, SmartScreen, and Network Protection
- Use Application Control (or AppLocker) and Exploit Guard at least in audit mode. Audit data can be evaluated in the cloud if you use Microsoft Defender ATP which is part of Windows 10 Enterprise E5. Keep in mind that some sub-features of Exploit Guard regarding monitoring are also exclusive to Microsoft Defender ATP.
- Use Windows Hello for Business for passwordless sign-in (PIN or biometry + TPM)
- Deprecate legacy protocols like SMBv1 and LM/NTLM (refuse LM and NTLMv1 at least; audit NTLM usage before restricting it further)
- Use all those Windows 10 security features to build Privileged Access Workstations (PAWs) for cloud and on-prem administration.
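Before enforcing the Windows 10 settings above through Group Policy or Intune it helps to read back what a device actually has. The script below is an added example and not code from the original post; it reports the baseline items that can be queried locally (TPM, Secure Boot, BitLocker, Credential Guard, LAPS, local admins, UAC, SmartScreen, Network Protection, Exploit Guard rules, AppLocker, firewall profiles, SMBv1, LM/NTLM level). It assumes you run it elevated on Windows 10, and that LAPS means the classic AdmPwd-based LAPS whose policy lives under the AdmPwd registry key; the registry paths are the standard policy locations.

```powershell
# Added example (not from the original post): reads the local state of the
# Windows 10 Enterprise E3 baseline items. Run elevated on the device under test.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-Win10SecurityBaseline {
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $bl  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $mp  = Get-MpPreference -ErrorAction SilentlyContinue
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS boot
    $admins = @(Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    [pscustomobject]@{
        # TPM 2.0 plus UEFI/Secure Boot are the foundation for BitLocker, Credential Guard and WHfB
        TpmSpecVersion          = $(if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' })
        SecureBootEnabled       = $secureBoot
        # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
        # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
        VbsRunning              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning  = ($dg.SecurityServicesRunning -contains 1)
        # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock, 0 = off
        CredentialGuardUefiLock = ((Get-RegValue $lsa 'LsaCfgFlags') -eq 1)
        BitLockerProtection     = $bl.ProtectionStatus
        # expect Tpm or TpmPin; TpmPin is the fallback when Kernel DMA Protection is unavailable
        BitLockerProtectors     = (@($bl.KeyProtector.KeyProtectorType) -join ',')
        LapsEnabled             = ((Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled') -eq 1)
        LocalAdminCount         = $admins.Count
        LocalAdmins             = ($admins.Name -join ', ')
        UacEnabled              = ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA') -eq 1)
        SmartScreenPolicy       = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
        # EnableNetworkProtection: 1 = block, 2 = audit, 0/absent = off
        NetworkProtection       = $(switch ($mp.EnableNetworkProtection) { 1 { 'Block' } 2 { 'Audit' } default { 'Off' } })
        AsrRulesConfigured      = @($mp.AttackSurfaceReductionRules_Ids).Count
        AppLockerRuleCollections = @((Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections).Count
        # Client isolation: every firewall profile enabled with default inbound action Block
        FirewallInboundBlock    = -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' })
        Smb1ServerEnabled       = (Get-SmbServerConfiguration).EnableSMB1Protocol
        # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
        LmCompatibilityLevel    = Get-RegValue $lsa 'LmCompatibilityLevel'
    }
}

Get-Win10SecurityBaseline | Format-List
```

The output is meant to be read against the list above: TpmSpecVersion 2.0, SecureBootEnabled and VbsRunning true, CredentialGuardRunning true (UefiLock false during the rollout phase), BitLocker protection On with a Tpm or TpmPin protector, a single local admin plus LAPS, NetworkProtection and the ASR/AppLocker counts non-zero, FirewallInboundBlock true, SMBv1 off and LmCompatibilityLevel 5.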
Disclaimer: This overview was created to the best of my knowledge. It is subject to change at any time, especially if Microsoft changes licensing. I do not guarantee that this is a comprehensive overview.
Thanks for reading!
Chris