AD0.3 The M365 Security Stack You Already Have

4-5 hours · Module 0 · Free
Operational Objective
Most IT administrators know they have "Microsoft Defender" somewhere in their tenant but couldn't tell you exactly which products are included in their license, what each one protects, or which ones are actually turned on. This isn't a knowledge failure — it's a naming problem. Microsoft has renamed, merged, split, and reorganised its security products so many times that even experienced administrators lose track. The result: security tools that are included in the license sit unused because the administrator doesn't know they exist, doesn't know what they do, or assumes they're a separate paid product. This subsection maps the complete M365 security stack by license tier — what's included, what each product protects, and what's configured by default versus what requires manual setup.
Deliverable: A clear map of the security tools included in your M365 license (E3 and E5), what each tool protects, and which tools require manual configuration beyond the defaults.
Estimated completion: 30 minutes
M365 SECURITY STACK BY LICENSE TIER

E3 — Included:
Entra ID P1 — Conditional access, MFA, SSPR
Exchange Online Protection — Basic email filtering
Defender for Office 365 Plan 1 — Safe Links, Safe Attachments
Intune — Device management + compliance policies
Purview Information Protection — Basic sensitivity labels
BitLocker + Windows Hello — Endpoint encryption + auth
Security defaults — Basic MFA enforcement
Default state: Security defaults ON, everything else needs config
This is enough to cover 80% of attacks — if configured
This course focuses here

E5 — Adds:
Entra ID P2 — Risk-based CA, PIM, access reviews
Defender for Office 365 Plan 2 — Threat Explorer, AIR
Defender for Endpoint P2 — Full EDR, hunting, AIR
Defender for Identity — AD attack detection
Defender for Cloud Apps — Shadow IT, app governance
Microsoft Sentinel (add-on) — SIEM, automation
Purview DLP — Data loss prevention policies
E5 adds investigation + detection + advanced protection
Other Ridgeline courses cover these (SOC Ops, ES, DE, EI, TH)
For SOC analysts and security engineers

Figure AD0.3 — M365 security stack by license tier. E3 includes enough security tooling to protect against 80% of attacks — conditional access, email protection, device compliance, and basic data protection. E5 adds investigation, detection, and advanced protection capabilities designed for security teams. This course focuses on E3-level controls because they're the foundation, and because most IT administrators who need this course are in E3 environments.

The naming chaos

Microsoft’s security product naming has gone through enough changes that keeping track of it has become a discipline in itself. Azure Active Directory became Entra ID. Office 365 ATP became Defender for Office 365. Microsoft Defender ATP became Defender for Endpoint. Windows Defender became Microsoft Defender Antivirus. Azure Security Center merged with Azure Defender to become Defender for Cloud. If you find the naming confusing, you’re in good company: so does everyone else, including Microsoft’s own documentation teams, which sometimes use old and new names on the same page.

For practical purposes, here’s what matters. The security stack is organised around what it protects, not what it’s called. There are tools that protect identity (Entra ID, with its conditional access and MFA capabilities). There are tools that protect email (Defender for Office 365, with its anti-phishing policies, Safe Links, and Safe Attachments). There are tools that protect endpoints (Defender for Endpoint, with its antivirus, EDR, and attack surface reduction). There are tools that protect data (Purview, with its sensitivity labels and DLP policies). And there are tools that tie everything together for monitoring and investigation (the Defender XDR portal, and optionally Microsoft Sentinel for SIEM).

You don’t need to know every product name or every feature. You need to know which ones are in your license, which ones protect against the attacks you’re most likely to face, and which ones require configuration beyond the defaults. That’s what this subsection covers.

Checking your license with PowerShell

The portal shows your licenses, but PowerShell gives you the programmatic detail that tells you exactly which security features are available. Run these commands to build your license inventory:

# Organization.Read.All is enough to read the tenant's subscribed SKUs
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits,
    @{N="Total";E={$_.PrepaidUnits.Enabled}} | Format-Table -AutoSize

Look for these SKU part numbers in the output:

SPE_E3 — Microsoft 365 E3 (includes Entra ID P1, Defender for Office 365 P1, Intune, basic Purview)
SPE_E5 — Microsoft 365 E5 (adds Entra ID P2, Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps)
AAD_PREMIUM — Entra ID P1 standalone add-on
AAD_PREMIUM_P2 — Entra ID P2 standalone add-on

If you see SPE_E3 with 210 consumed units, your entire organisation is on E3 and every feature taught in this course is available without additional licensing. If you see a mix of SPE_E3 and SPE_E5, check which users have which license — you may have E5 on admin accounts and E3 on everyone else, which gives you P2 risk-based policies for admins while the rest of the tenant uses E3 capabilities.

To check a specific user’s license:

# Get-MgUserLicenseDetail needs User.Read.All (or Directory.Read.All) on top of the
# Organization.Read.All scope used above; reconnect with both scopes if the call is denied
Get-MgUserLicenseDetail -UserId "admin@northgateeng.com" |
    Select-Object SkuPartNumber | Format-Table

This is the definitive answer to “do we have X feature?” — not the portal, not Microsoft documentation, not a sales rep. Your license assignment determines what’s available.
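The two commands above give you raw SKU names and seat counts; the report below is an added example (not course material) that turns that output into the map this subsection is about: which security product each SKU carries, whether it needs manual setup, and what identity tier a given user actually holds. The SKU-to-product table is an assumption built from the tier map at the top of this page, and the sample SKU list is constructed so the script runs without a tenant; the placeholder SKU name stands in for any non-security license.

```powershell
# Added example, not course code: map Get-MgSubscribedSku output to the security products
# the tier map lists, and flag the ones the course says need configuration beyond defaults.
# The table below is an assumption derived from this page, not a Microsoft-published mapping.

$SkuCapabilities = @{
    'SPE_E3' = @(
        @{ Product = 'Entra ID P1';                    Protects = 'Identity'; OnByDefault = $false }
        @{ Product = 'Security defaults';              Protects = 'Identity'; OnByDefault = $true  }
        @{ Product = 'Exchange Online Protection';     Protects = 'Email';    OnByDefault = $true  }
        @{ Product = 'Defender for Office 365 Plan 1'; Protects = 'Email';    OnByDefault = $false }
        @{ Product = 'Intune compliance policies';     Protects = 'Devices';  OnByDefault = $false }
        @{ Product = 'Purview sensitivity labels';     Protects = 'Data';     OnByDefault = $false }
    )
    'AAD_PREMIUM'    = @( @{ Product = 'Entra ID P1'; Protects = 'Identity'; OnByDefault = $false } )
    'AAD_PREMIUM_P2' = @( @{ Product = 'Entra ID P2'; Protects = 'Identity'; OnByDefault = $false } )
}
# E5 is everything in E3 plus the additions in the tier map.
$SkuCapabilities['SPE_E5'] = $SkuCapabilities['SPE_E3'] + @(
    @{ Product = 'Entra ID P2';                    Protects = 'Identity';  OnByDefault = $false }
    @{ Product = 'Defender for Office 365 Plan 2'; Protects = 'Email';     OnByDefault = $false }
    @{ Product = 'Defender for Endpoint P2';       Protects = 'Endpoints'; OnByDefault = $false }
    @{ Product = 'Defender for Identity';          Protects = 'Identity';  OnByDefault = $false }
    @{ Product = 'Defender for Cloud Apps';        Protects = 'Apps';      OnByDefault = $false }
    @{ Product = 'Purview DLP';                    Protects = 'Data';      OnByDefault = $false }
)

function Get-SecurityCapabilityReport {
    <# One row per (SKU, product): seats that carry it and whether it needs manual setup.
       $Skus has the shape of Get-MgSubscribedSku output (SkuPartNumber, ConsumedUnits, PrepaidUnits). #>
    param([Parameter(Mandatory)] [object[]] $Skus)
    foreach ($sku in $Skus) {
        $caps = $SkuCapabilities[$sku.SkuPartNumber]
        if (-not $caps) { continue }           # SKUs with no security payload are skipped
        foreach ($cap in $caps) {
            [pscustomobject]@{
                Sku        = $sku.SkuPartNumber
                Assigned   = $sku.ConsumedUnits
                Purchased  = $sku.PrepaidUnits.Enabled
                Product    = $cap.Product
                Protects   = $cap.Protects
                NeedsSetup = -not $cap.OnByDefault
            }
        }
    }
}

function Get-UserLicenseTier {
    <# Highest identity tier a user's licenses grant: P2 (E5 or AAD_PREMIUM_P2), P1 (E3 or AAD_PREMIUM), or None. #>
    param([string[]] $SkuPartNumbers)
    if ($SkuPartNumbers -contains 'SPE_E5' -or $SkuPartNumbers -contains 'AAD_PREMIUM_P2') { return 'P2' }
    if ($SkuPartNumbers -contains 'SPE_E3' -or $SkuPartNumbers -contains 'AAD_PREMIUM')    { return 'P1' }
    return 'None'
}

# Constructed sample: the mixed tenant the text describes, E3 for everyone plus P2 for a few admins.
$sampleSkus = @(
    [pscustomobject]@{ SkuPartNumber = 'SPE_E3';          ConsumedUnits = 210; PrepaidUnits = @{ Enabled = 220 } }
    [pscustomobject]@{ SkuPartNumber = 'AAD_PREMIUM_P2';  ConsumedUnits = 8;   PrepaidUnits = @{ Enabled = 10 } }
    [pscustomobject]@{ SkuPartNumber = 'PLACEHOLDER_SKU'; ConsumedUnits = 5;   PrepaidUnits = @{ Enabled = 5 } }  # stands in for a non-security license
)
Get-SecurityCapabilityReport -Skus $sampleSkus | Where-Object NeedsSetup |
    Format-Table Sku, Product, Protects, Assigned -AutoSize
Get-UserLicenseTier -SkuPartNumbers @('SPE_E3', 'AAD_PREMIUM_P2')   # P2: risk-based CA and PIM are available to this account

# Live use against the tenant. Organization.Read.All covers the SKU list; the per-user
# license call needs User.Read.All as well.
# Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All'
# Get-SecurityCapabilityReport -Skus (Get-MgSubscribedSku) | Format-Table -AutoSize
# Get-UserLicenseTier -SkuPartNumbers (Get-MgUserLicenseDetail -UserId 'admin@northgateeng.com').SkuPartNumber
```

The NeedsSetup column is the point: filtering on it gives you the list of products you are paying for that do nothing until a policy exists, which is the list the rest of this course works through. Get-UserLicenseTier is what you run on each administrator account to confirm whether P2 (risk-based policies, PIM) is actually available for that account rather than somewhere in the tenant.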

What E3 gives you — and what’s actually turned on

M365 E3 is the most common enterprise license tier for organisations that aren’t security-focused. It includes a substantial set of security tools, but the default configuration uses almost none of them effectively.

Entra ID P1 is included in E3. This gives you conditional access — the policy engine that controls who can access what, from where, on which devices. It also gives you full MFA capabilities beyond security defaults, self-service password reset, and application proxy for publishing on-premises apps. By default, none of these are configured. Security defaults provide basic MFA, but conditional access policies require manual creation.

Exchange Online Protection (EOP) is included in every M365 subscription, not just E3. EOP provides basic email filtering — anti-malware, anti-spam, and basic anti-phishing. It catches obvious threats but misses sophisticated phishing, especially credential phishing with new domains. EOP is on by default, which is why you already catch some spam, but its default settings are not tuned for targeted attacks.

Defender for Office 365 Plan 1 is included in E3. This adds Safe Links (URL rewriting and click-time scanning) and Safe Attachments (sandboxed attachment detonation). These are powerful protections against phishing links and malicious documents, and they’re the single biggest upgrade over EOP’s basic filtering. By default, Safe Links and Safe Attachments require policy configuration — they’re not active until you create and assign policies.

Intune is included in E3 for device management. From a security perspective, Intune’s value is device compliance policies — rules that check whether devices meet security standards (encrypted, up to date, antivirus running) — and the integration with conditional access that blocks non-compliant devices from accessing corporate data. By default, no compliance policies exist.

Purview Information Protection provides basic sensitivity labels in E3. You can classify documents as Confidential, Internal, or Public and apply protection (encryption, access restrictions) based on the label. By default, no labels are configured.

Deeper context

The licensing picture is more complex than the E3/E5 split suggests. Many organisations have a mix of licenses — E3 for most users, E5 for security and IT staff, F3 for frontline workers, and potentially add-on licenses for specific features. The add-on model means you can get Defender for Endpoint P2 without upgrading your entire tenant to E5, or add Entra ID P2 for your admin accounts only.

For the purposes of this course, we assume E3 as the baseline because it’s the most common scenario where an IT administrator needs this training. Every control taught in this course works with E3. Where a feature requires E5 or a specific add-on, it’s noted explicitly. The goal is to maximise the security of the license you already have — not to justify a license upgrade.

That said, if you’re in a position to influence licensing decisions, the single most impactful upgrade for security is adding Entra ID P2 for administrator accounts. P2 adds risk-based conditional access (which detects and blocks compromised sign-ins automatically) and Privileged Identity Management (which eliminates standing admin access). You don’t need P2 for all users — just the 5-10 accounts with administrative privileges.

What’s turned on by default — the dangerous assumptions

The most dangerous aspect of M365’s security model is that it gives you a false sense of coverage. When you look at your license, you see “Defender for Office 365” and assume email is protected. When you see “Entra ID P1” you assume identity is secure. When you see “Intune” you assume devices are managed. But “included in the license” and “configured and active” are two very different things.

Here’s what’s actually running with a default M365 E3 configuration. Security defaults are enabled, which means users are prompted for MFA registration and MFA is required for admin actions and when Microsoft detects a risky sign-in. EOP is filtering email at a basic level — catching known malware and obvious spam. Microsoft Defender Antivirus is running on Windows endpoints with default settings. That’s it.

Here’s what’s not running. No conditional access policies beyond security defaults. No Safe Links or Safe Attachments policies (even though Defender for Office 365 P1 is in your license). No device compliance policies in Intune. No sensitivity labels on documents. No audit log review process. No sign-in log monitoring. No Secure Score tracking. No incident response procedure.

The gap between “included” and “active” is where most M365 breaches happen. The attacker doesn’t need to find a vulnerability — they just need to find the control that’s included in the license but never configured. And with a default E3 deployment, that’s almost every security control beyond basic MFA.

Compliance Myth: "We have Microsoft 365 E3, so we have enterprise-grade security"
You have enterprise-grade security tools. You do not have enterprise-grade security. The tools are included in the license but require configuration. An E3 tenant running security defaults has better identity protection than an E3 tenant with security defaults disabled, but neither has conditional access policies, email protection beyond basic filtering, device compliance enforcement, or data loss prevention. The license gives you the capability. Configuration gives you the protection. This course closes the gap between the two.

Mapping tools to threats

Rather than memorising product names, map each security tool to the threat it addresses. This makes the product landscape immediately practical.

When an attacker tries to log in with stolen credentials, Entra ID with conditional access is what stops them. Conditional access checks the device, the location, the risk level, and the authentication method. If any of those conditions fail, the sign-in is blocked — even if the password and MFA are correct. This is your primary defense against credential-based attacks, which account for the vast majority of M365 compromises.

When an attacker sends a phishing email with a malicious link, Defender for Office 365 is what catches it. Safe Links rewrites URLs and checks them at click time — so even if a URL was clean when the email arrived, Safe Links catches it if the destination becomes malicious later. Safe Attachments opens attachments in a sandbox and checks for malicious behaviour before delivering them to the user’s inbox. These controls dramatically reduce the volume of phishing that reaches users.

When an attacker gains access and tries to download files from SharePoint or forward email externally, Purview DLP and session controls are what limit the damage. Conditional access can restrict a risky session to browser-only access with no downloads. DLP policies can block sensitive files from being shared externally. These are your last-line controls — they contain the blast radius when the identity and email controls fail.

When something goes wrong and you need to understand what happened, the Defender XDR portal is where you investigate. It correlates alerts across identity, email, and endpoint into unified incidents, shows you the timeline of what the attacker did, and provides response actions (isolate a device, revoke a session, quarantine an email). You won’t use this daily, but when you need it, you need to know where it is and how to read it.

Decision point

You’ve just confirmed that your E3 tenant has Defender for Office 365 Plan 1 included, but no Safe Links or Safe Attachments policies are configured. You also have no conditional access policies beyond security defaults. Your manager wants to know which one to configure first. What do you recommend?

Option A: Configure Safe Links and Safe Attachments first because phishing emails are the most visible threat and users have been complaining about suspicious emails.

Option B: Build conditional access policies first because identity protection stops the attacker regardless of how they obtained the credentials.

Option C: Configure both simultaneously since they’re independent controls.

The correct answer is Option B. Conditional access is the higher-priority control because it protects against all credential-based attacks — phishing, password spray, credential stuffing, and token theft. Even if a phishing email gets through and a user enters their credentials, conditional access can block the attacker’s sign-in based on device compliance or risk level. Email protection reduces the volume of phishing that reaches users, but it can’t catch everything — and it only takes one successful phish to compromise an account. Build the safety net (conditional access) before you improve the filter (email protection).

Try it: Identify your license tier and security features

Log into the Microsoft 365 Admin Center at admin.microsoft.com. Navigate to Billing → Licenses. Identify which license tier your users are on (E3, E5, Business Premium, etc.).

Then open a new tab to the Entra admin center at entra.microsoft.com. Navigate to Protection → Conditional Access → Policies. Count how many policies exist. If you see “Security defaults is enabled” and no custom policies, you’re running on defaults.

Open another tab to the Defender portal at security.microsoft.com. Navigate to Email & collaboration → Policies & rules → Threat policies. Check whether you have any Safe Links or Safe Attachments policies configured. If you see “No policies” or “Default policy only,” these protections are not active for your users.

Write down: your license tier, the number of conditional access policies, and whether Safe Links/Safe Attachments are configured. This is your security baseline — the starting point that the rest of this course improves.
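The three portal checks above (and the "what's actually running" list in the section before) can be collected in one PowerShell session instead of three tabs. The script below is an added example, not course material: it uses the Microsoft.Graph and ExchangeOnlineManagement modules to read the state of security defaults, conditional access, Intune compliance and the Safe Links / Safe Attachments rules, then turns the counts into the gap list the text describes. The threshold logic (anything at zero is a gap) is this page's "included versus active" argument expressed as code, not Microsoft guidance; the offline call at the end uses constructed values matching a default E3 tenant so you can see the output without connecting.

```powershell
# Added example, not course code: record the baseline the "Try it" exercise asks for,
# from PowerShell, and list the gaps between "included in the license" and "active".

function Get-M365SecurityBaseline {
    param(
        [bool] $SecurityDefaultsEnabled,
        [int]  $ConditionalAccessPolicies,   # enabled CA policies (report-only ones excluded)
        [int]  $CompliancePolicies,          # Intune device compliance policies
        [int]  $SafeLinksRules,              # enabled rules that assign a Safe Links policy to users
        [int]  $SafeAttachmentsRules         # same for Safe Attachments
    )
    $gaps = [System.Collections.Generic.List[string]]::new()
    if (-not $SecurityDefaultsEnabled -and $ConditionalAccessPolicies -eq 0) {
        $gaps.Add('No MFA enforcement at all: security defaults off and no conditional access policies')
    } elseif ($ConditionalAccessPolicies -eq 0) {
        $gaps.Add('Running on security defaults only: MFA depends on the risk engine, not on policy')
    }
    if ($CompliancePolicies -eq 0)   { $gaps.Add('No Intune compliance policies, so conditional access cannot require a compliant device') }
    if ($SafeLinksRules -eq 0)       { $gaps.Add('Safe Links not assigned to any users') }
    if ($SafeAttachmentsRules -eq 0) { $gaps.Add('Safe Attachments not assigned to any users') }

    [pscustomobject]@{
        SecurityDefaults     = $SecurityDefaultsEnabled
        CAPolicies           = $ConditionalAccessPolicies
        CompliancePolicies   = $CompliancePolicies
        SafeLinksRules       = $SafeLinksRules
        SafeAttachmentsRules = $SafeAttachmentsRules
        Gaps                 = $gaps.ToArray()
    }
}

function Invoke-M365BaselineCollection {
    <# Live collection. Policy.Read.All covers security defaults and conditional access,
       DeviceManagementConfiguration.Read.All covers Intune; Exchange Online needs its own session. #>
    Connect-MgGraph -Scopes 'Policy.Read.All', 'DeviceManagementConfiguration.Read.All'
    Connect-ExchangeOnline -ShowBanner:$false

    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $ca = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled')
    $dc = @(Get-MgDeviceManagementDeviceCompliancePolicy -All)
    # A policy object alone proves nothing: it only applies to the users its rule scopes,
    # so count enabled rules rather than policies.
    $sl = @(Get-SafeLinksRule      | Where-Object State -eq 'Enabled')
    $sa = @(Get-SafeAttachmentRule | Where-Object State -eq 'Enabled')

    Get-M365SecurityBaseline -SecurityDefaultsEnabled ([bool]$sd.IsEnabled) `
        -ConditionalAccessPolicies $ca.Count -CompliancePolicies $dc.Count `
        -SafeLinksRules $sl.Count -SafeAttachmentsRules $sa.Count
}

# Offline walkthrough with constructed values: the default E3 state the text describes.
$baseline = Get-M365SecurityBaseline -SecurityDefaultsEnabled $true `
    -ConditionalAccessPolicies 0 -CompliancePolicies 0 -SafeLinksRules 0 -SafeAttachmentsRules 0
$baseline.Gaps   # four gaps: defaults-only MFA, no compliance policies, no Safe Links, no Safe Attachments

# Live: Invoke-M365BaselineCollection | Format-List
```

Keep the object this returns alongside your license tier from the previous exercise; re-running it after each module gives you a before-and-after record of the baseline this course improves.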

Your M365 E3 tenant has security defaults enabled. A user's password is compromised through a phishing attack. The attacker attempts to log in from their own device in another country. What happens?
The attacker is blocked because security defaults enforce MFA on every sign-in — Not quite. Security defaults prompt for MFA registration and require MFA for admin roles and risky sign-ins, but they don't enforce MFA on every single sign-in for standard users. Microsoft's risk engine decides when to challenge for MFA, and a fresh sign-in from a new location would likely trigger it — but "likely" is not "always."
The attacker may or may not be challenged for MFA depending on Microsoft's risk assessment, and if the attacker uses a legacy authentication protocol, MFA is bypassed entirely — Correct. Security defaults block some legacy authentication but don't provide the granular control of conditional access. If the attacker uses a protocol like IMAP that slips through, MFA is not enforced. Conditional access provides deterministic enforcement — every sign-in matching the policy conditions is challenged, with no dependency on Microsoft's risk engine.
The attacker is blocked because the sign-in is from an unusual location — No. Security defaults don't include location-based blocking. That requires a conditional access policy with named locations configured. Without conditional access, there's no location-based access control.
The attacker succeeds because E3 doesn't include MFA — Incorrect. E3 includes full MFA capabilities through Entra ID P1. Security defaults provide basic MFA enforcement, and conditional access (also in E3) provides full policy-based enforcement.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.
