How to Configure Your Microsoft E5 Licences for Security
Security is something all organisations must take seriously. Microsoft makes doing so easy with security-specific tools that are included in its core E5 licences, offered as add-on licences, or bundled into the Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security, and Microsoft 365 Business Premium packages.
If your organisation currently holds E3 licences, you may be wondering whether upgrading to E5 is worth it. In fact, Elston, a Mangano IT client and one of Australia’s largest privately owned and operated financial services companies, recently faced this question.
Given their organisation’s compliance demands, we counselled the team that moving to E5 licences would be a better match for the aggressive security posture they wanted to pursue. Now that we have supported Elston in implementing and configuring their E5 licences, the industry leader is well-equipped to securely access and manage its Microsoft cloud environment, as well as remain in compliance with critical regulatory standards.
Security Features Exclusive to Microsoft E5 Licences
If you’re thinking about a similar transition, there are several security features you’ll want to be aware of within Microsoft’s E5 licences.
Although the company’s E3 licences do include a number of inbuilt security features, E5 licence-holders gain access to an even greater level of protection. For instance, E5 licences may include access to the following features, depending on the specific licence being utilised.
- Azure Active Directory Premium 1 & 2
- Microsoft Defender for Office 365
- Azure Information Protection Plan 2
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Advanced eDiscovery and advanced audit tools
- Information protection and governance capabilities
- Insider risk management tools
That’s in addition to the security features included with E3 licences, such as Microsoft Defender Antivirus, Credential Guard, Data Loss Prevention for files and emails, Microsoft Advanced Threat Analytics, BitLocker, Device Guard, and more.
Configuring Microsoft E5 Licences for Security
Once you’ve made the move to E5 licences, there are a number of features you’ll want to configure. Here’s where to start:
Enable Microsoft’s Security Defaults
Within Azure Active Directory, all Microsoft 365 tenants are equipped with defaults that enable five of the most common security features and controls, including:
- Requiring all users to register and use Azure Multi-Factor Authentication
- Requiring that Administrators use Multi-Factor Authentication
- Blocking any Legacy Authentication protocols used by the organisation
- Forcing all users to perform Multi-Factor Authentication, as needed
- Protecting privileged access
To turn these on, take the following steps (though note that you won’t be able to use these controls if you’ve implemented any custom Conditional Access policies):
- Log in to your Azure Portal as a Security Administrator, Conditional Access Administrator, or Global Administrator
- Click ‘Azure Active Directory’
- Click ‘Properties’
- Click ‘Manage Security Defaults’
- Locate the ‘Enable Security Defaults’ toggle
- Switch it to ‘Yes’
- Click to save your changes
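The check below is an added example, not part of the original article: a read-only Microsoft Graph PowerShell query that reports whether Security Defaults are on and which custom Conditional Access policies exist, which is worth knowing before flipping the toggle. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the Policy.Read.All scope.

```powershell
# Added example: read-only check of Security Defaults and Conditional Access state.
# Assumes the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope.
Connect-MgGraph -Scopes 'Policy.Read.All'

$defaults   = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)

"Security Defaults enabled: $($defaults.IsEnabled)"

# Summarise custom Conditional Access policies by state
# (enabled, disabled, enabledForReportingButNotEnforced).
$caPolicies | Group-Object State | Select-Object Name, Count

# List the enforced policies: the article notes that Security Defaults
# cannot be used once custom Conditional Access policies are implemented.
$enforced = @($caPolicies | Where-Object State -eq 'enabled')
$enforced | Select-Object DisplayName, Id, CreatedDateTime

# Flag the worst case: neither baseline is protecting sign-ins.
if (-not $defaults.IsEnabled -and $enforced.Count -eq 0) {
    Write-Warning 'Security Defaults are off and no Conditional Access policy is enforced.'
}
```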
Configure More Advanced Security Controls
To progress your security configurations beyond Microsoft’s Security Defaults, consider implementing the following advanced controls:
- Enable multi-factor authentication (MFA) using Conditional Access policies for Administrators and users. Note, however, that adding a single Azure Active Directory Premium licence (Plan 1 or Plan 2) for an Administrator will enable the features, but won’t license them for every user.
- Use Idle Session Sign-Outs to automatically sign users out of their accounts if they remain inactive for a specified period of time. Doing so prevents unauthorised users from accessing accounts improperly.
- Block legacy authentication through protocols like POP, SMTP, IMAP, and MAPI, which can’t enforce second-factor authentication.
- Disable password expiration on either an organisation or user level. Though many people are surprised to hear it, the National Institute of Standards and Technology (NIST) actually recommends disabling password expiration, as it tends to make user passwords less secure.
- Implement a banned password list that prevents users from selecting reused, common, or easy-to-guess passwords.
- Set up external sharing protections at the tenant or application level in SharePoint to prevent the inadvertent sharing of sensitive or personally-identifying information.
- Customise Azure Active Directory account lockout thresholds to suit your organisation’s needs (by default, smart lockout features are active, and the default setting is 10 failed sign-ins).
- Design mobile application management (MAM) policies that protect app data organisation-wide without compromising end-user productivity. For example, you may want to block users’ ability to access company data from BYOD endpoints or to move it from one device to another.
- Limit email auto-forwarding to prevent the malicious exfiltration of company data to external recipients. Exchange Online allows you to manage forwarding based on remote domains, use role-based access control (RBAC), and implement transport rules, as needed.
- Control how Administrators and end-users can grant consent to un-managed applications.
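For the auto-forwarding control in the list above, the following added example (not from the original article) audits Exchange Online for existing forwarding before restricting it through the remote-domain setting and a transport rule. It assumes the ExchangeOnlineManagement module; the `$Remediate` switch, the rule name and the rejection text are illustrative choices.

```powershell
# Added example: audit, then optionally restrict, external auto-forwarding.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

$Remediate = $false   # illustrative switch: set to $true only after reviewing the audit output

# 1. Remote domains that still allow automatic forwarding.
Get-RemoteDomain | Where-Object AutoForwardEnabled |
    Select-Object Name, DomainName, AutoForwardEnabled

# 2. Mailboxes with SMTP forwarding set on the mailbox itself,
#    marked external when the target domain is not an accepted domain.
$accepted = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress } |
    ForEach-Object {
        $target = $_.ForwardingSmtpAddress -replace '^smtp:', ''
        [pscustomobject]@{
            Mailbox   = $_.UserPrincipalName
            Target    = $target
            External  = $accepted -notcontains $target.Split('@')[-1]
            KeepsCopy = $_.DeliverToMailboxAndForward
        }
    }

if ($Remediate) {
    # 3. Stop auto-forwarding to every domain covered by the default (*) remote domain.
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

    # 4. Transport rule that rejects auto-forwarded messages leaving the organisation.
    New-TransportRule -Name 'Block external auto-forward (example)' `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'External auto-forwarding is not permitted.'
}
```

Inbox rules created by users can also forward mail; `Get-InboxRule -Mailbox <address>` exposes them through the `ForwardTo`, `ForwardAsAttachmentTo` and `RedirectTo` properties.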
That said, given the breadth of security features enabled with E5 licences – as well as the unique circumstances posed by different IT environments – working with a partner like Mangano IT to configure different settings is a smart choice.
Not only can we help your organisation determine the appropriate Microsoft licensing for your needs, but our customised Security Assessment process can also identify your unique risks. Because we go above and beyond automated assessments, we’re able to determine not just your particular vulnerabilities, but also plan and implement the specific configurations needed to mitigate them.
For more information on Mangano IT’s approach to Microsoft security, connect with our team of security specialists today.