💡
How to use this page: Work through the attack-to-defence matrix to identify which controls are missing in your tenant. Use the priority checklist to track remediation progress, and deploy the KQL detection rules into Microsoft Sentinel or Log Analytics to catch attacks in progress.

🗺 Attack-to-Defence Matrix

Full Attack Chain Defence Coverage

Every major technique from Phases 1–8 mapped to its defensive control, detection method, and the Microsoft product required to implement it.

Phase Attack Technique Severity Defensive Control Detection Method Microsoft Product
1 – Recon User enumeration via GetCredentialType High Disable GetCredentialType user enumeration in tenant settings (or accept risk with monitoring) Monitor for high-volume requests to login.microsoftonline.com/common/GetCredentialType from single IPs Entra ID
1 – Recon Domain and subdomain enumeration Medium Minimize public DNS records exposing internal service names; remove stale DNS entries External attack surface monitoring tools; DNS query logging Defender External Attack Surface Management
1 – Recon OpenID/OAuth metadata discovery Low Accept risk — these are public by design; ensure no sensitive info in metadata endpoints Monitor for automated scraping of well-known endpoints Entra ID
1 – Recon LinkedIn / OSINT employee harvesting Medium Train staff on social engineering awareness; avoid publishing email naming conventions publicly No direct detection; correlate with subsequent spray attacks Security Awareness Training
1 – Recon Tenant service enumeration (Teams, SPO, Exchange) Medium Disable unnecessary public-facing endpoints; restrict Teams federation to known domains Monitor external federation connection attempts Exchange Online + Teams Admin
2 – Initial Access Device code phishing Critical Block device code flow via Conditional Access policy; restrict to compliant devices only Monitor for deviceCodeCredential sign-ins in sign-in logs; alert on device code flow usage Entra ID + Conditional Access
2 – Initial Access Evilginx / AiTM phishing Critical Enforce phishing-resistant MFA (FIDO2/Windows Hello for Business); enable token binding; enable Continuous Access Evaluation (CAE) Monitor for impossible travel detections, anomalous token usage, new device/location sign-ins Entra ID + Defender for Cloud Apps
2 – Initial Access Illicit consent grant (OAuth phishing) Critical Require admin consent workflow; block user consent for all apps; review existing consented apps AuditLog: “Consent to application” activity; alert on new high-privilege consent grants Entra ID
2 – Initial Access HTML smuggling / macro payload delivery High Enable Safe Attachments and Safe Links policies; block macro execution via ASR rules Defender for Office 365 alert on malicious attachments; endpoint detection on macro execution Defender for Office 365 + Defender for Endpoint
3 – Credentials Password spraying High Enable smart lockout; configure banned password lists (custom + Microsoft); enforce MFA for all users Entra ID Protection risky sign-in detection; sign-in log analysis for distributed failed auth Entra ID Protection
3 – Credentials MFA fatigue / push bombing High Enable number matching in Authenticator (now default); enforce FIDO2 or passwordless for admins Alert on repeated MFA prompts for the same user within short time window Entra ID + Microsoft Authenticator
3 – Credentials Token theft / session hijacking Critical Enable token protection (token binding) via Conditional Access; enable CAE; reduce token lifetimes Detect anomalous token replay — sign-ins from new IPs using existing refresh tokens Entra ID + Conditional Access
3 – Credentials Legacy authentication brute force High Block legacy authentication protocols (IMAP, POP3, SMTP Auth, EWS Basic) via Conditional Access Monitor sign-in logs for clientAppUsed == “Exchange ActiveSync”, “Other clients”, “IMAP” Entra ID + Conditional Access
3 – Credentials Leaked credential exploitation High Enable Entra ID Protection user risk policies; enforce password change on high risk Entra ID Protection leaked credentials detection (Microsoft processes dark web feeds) Entra ID Protection (P2)
4 – Enumeration Over-permissive app consent scopes High Regular application consent reviews; enforce admin consent workflow; revoke excessive permissions Monitor new consent grants via AuditLog; review apps with Mail.Read, Files.ReadWrite.All, etc. Entra ID
4 – Enumeration Graph API tenant enumeration Medium Restrict user default permissions; disable “Users can read other users” if feasible; restrict group membership visibility Monitor for high-volume Microsoft Graph API calls from single user/app context Entra ID + Defender for Cloud Apps
4 – Enumeration Conditional Access policy enumeration Medium Restrict access to CA policy read (limit Directory Readers where possible); use named locations and exclusions carefully Audit log: “Read conditional access policy” events from unexpected users Entra ID
4 – Enumeration AzureHound / BloodHound data collection High Restrict user default permissions on directory reads; monitor for bulk Graph API enumeration patterns Detect high-volume sequential Graph API calls for users, groups, roles, service principals from single session Defender for Cloud Apps + Sentinel
5 – PrivEsc Application credential injection (adding secrets to existing apps) Critical Monitor app credential changes; restrict Application Administrator and Cloud Application Administrator roles; use PIM with approval AuditLog: “Update application – Certificates and secrets management”; “Add service principal credentials” Entra ID + Sentinel
5 – PrivEsc Abuse of Application Admin / Cloud App Admin role Critical Gate these roles behind PIM with multi-party approval; restrict eligible users; conduct quarterly role reviews Alert on role activation; monitor for credential changes to applications immediately after role activation Entra ID PIM + Sentinel
5 – PrivEsc Consent grant escalation (admin consent to malicious app) Critical Limit who can grant admin consent; enforce admin consent workflow with approval chain; block broad Graph permissions for new apps AuditLog: “Grant admin consent” with high-privilege scopes (RoleManagement.ReadWrite.All, etc.) Entra ID
5 – PrivEsc Exploiting Exchange Online admin roles for mailbox access High Limit Exchange admin role assignment; use PIM; monitor Add-MailboxPermission and Set-Mailbox commands Exchange admin audit log: Add-MailboxPermission, Add-RecipientPermission, Set-Mailbox -GrantSendOnBehalfTo Exchange Online + Sentinel
5 – PrivEsc PIM role activation without approval High Require approval for all privileged roles in PIM; enforce MFA on activation; set maximum activation duration AuditLog: “Add member to role completed (PIM activation)” — alert on unapproved activations Entra ID PIM (P2)
6 – Lateral Token scope switching (FOCI family abuse) High Enable Continuous Access Evaluation; implement token binding; limit FOCI app usage via CA app filters Monitor unusual resource access patterns — user accessing new services with existing refresh tokens Defender for Cloud Apps
6 – Lateral SharePoint / OneDrive lateral access High Restrict external sharing to specific domains; disable “Anyone” links; enforce sensitivity labels on sensitive sites Monitor SharePoint audit logs for bulk file access, downloads, or permission changes SharePoint Online + Defender for Cloud Apps
6 – Lateral Teams message / file access for credential harvesting Medium Restrict Teams guest access; monitor for sensitive data in Teams channels; enforce DLP policies Audit Teams message searches; alert on Graph API access to /teams/messages at scale Teams Admin + Defender for Cloud Apps
6 – Lateral Cross-tenant access via B2B collaboration High Configure cross-tenant access settings; restrict guest invitations to specific admin roles; enforce MFA for guests Monitor guest user sign-ins; alert on new guest invitations from non-admin users Entra ID + Conditional Access
6 – Lateral Power Automate / Logic App abuse for lateral pivoting High Restrict connector usage in Power Platform DLP policies; disable Power Automate for non-required users; block HTTP connector Monitor Power Automate flow creation events; alert on flows with external connectors (HTTP, SMTP) Power Platform Admin + Sentinel
7 – Exfiltration eDiscovery abuse for bulk data access Critical Restrict eDiscovery role membership to essential staff only; gate via PIM with approval; enable audit for compliance searches Audit log: SearchStarted, SearchExported, CaseCreated — alert on unexpected eDiscovery activity Microsoft Purview Compliance Center
7 – Exfiltration Inbox rule / mail forwarding to external addresses High Block auto-forwarding to external domains at transport rule level; alert on inbox rule creation with forwarding Transport rule alerting; Exchange audit log: New-InboxRule, Set-InboxRule, Set-Mailbox -ForwardingSmtpAddress Exchange Online + Defender for Office 365
7 – Exfiltration Graph API bulk mail / file download High Apply Conditional Access app-enforced restrictions; limit app permissions to least-privilege scopes; enable DLP Monitor for unusual volume of Graph API /messages or /driveItem calls from a single user or app Defender for Cloud Apps + Sentinel
7 – Exfiltration SharePoint bulk download / sync abuse High Restrict SharePoint sync to managed devices; block download from unmanaged devices via CA; enable sensitivity labels SharePoint audit: FileDownloaded events exceeding threshold; alert on mass file downloads SharePoint Online + Defender for Cloud Apps
7 – Exfiltration Power Automate flow exfiltration to external service High Enforce DLP policies in Power Platform; block external connectors; restrict HTTP and email connectors Monitor flow creation with external destination connectors; audit Power Automate admin logs Power Platform Admin + Sentinel
8 – Persistence Federation backdoor (trusted domain manipulation) Critical Monitor federation configuration changes; restrict domain federation permissions to Global Admin only; require approval for federation changes AuditLog: “Set domain authentication”, “Set federation settings on domain” — immediate alert Entra ID + Sentinel
8 – Persistence Rogue application registration with high privileges Critical Require admin consent for all app registrations; block user ability to register apps; regularly audit existing app permissions Monitor new app registrations with high-privilege API permissions (Directory.ReadWrite.All, RoleManagement.ReadWrite.All) Entra ID
8 – Persistence Service principal credential persistence Critical Set credential expiry policies; monitor for new credentials added to existing service principals; restrict who can manage app credentials AuditLog: “Add service principal credentials”, “Update application – Certificates and secrets” Entra ID + Sentinel
8 – Persistence Mailbox delegate / hidden inbox rules High Regularly audit inbox rules across organization; alert on rules with external forwarding or delete actions; block client-side rules via OWA policy Exchange audit: New-InboxRule with MoveToFolder, ForwardTo, RedirectTo, or DeleteMessage actions Exchange Online + Defender for Office 365
8 – Persistence Conditional Access policy tampering Critical Restrict CA policy management to dedicated admins via PIM; enable audit on all CA changes; use named location exclusions sparingly AuditLog: “Update conditional access policy”, “Delete conditional access policy” — immediate alerting Entra ID + Sentinel
8 – Persistence Guest user persistence Medium Regular access reviews for guest accounts; enforce guest expiration policies; restrict guest permissions AuditLog: “Invite external user”; monitor guest sign-in patterns for dormant-then-active accounts Entra ID + Access Reviews (P2)
Coverage Gap Warning: If your tenant does not have Microsoft 365 E5 or Entra ID P2 licensing, many of the detection and response capabilities listed above (risk-based policies, PIM, advanced audit, eDiscovery audit) will be unavailable. See the Licensing section below for details.

✅ Priority Hardening Checklist

Track your progress: Check off each item as you implement it. Your progress is saved in your browser's local storage and will persist between visits. The progress bar shows your overall remediation status.

0 / 0 completed

🔴 Critical — Implement Immediately

These controls address the most impactful attack techniques. Without them, an attacker can likely compromise admin accounts and maintain persistent access.

🟠 High Priority — Implement Within 30 Days

These controls significantly reduce the attack surface and should be prioritised after critical items are addressed.

🟡 Medium Priority — Implement Within 90 Days

These controls provide defence-in-depth and mature your security posture against more advanced or niche attack techniques.

Hardening Validation: After implementing controls, re-run the attack techniques from each phase to confirm they are now blocked or detected. A defensive control is only effective if it survives testing.

🔍 Detection Rules — KQL for Microsoft Sentinel

Deployment Note: These KQL queries are designed for Microsoft Sentinel and Log Analytics workspaces. Ensure you have the relevant data connectors enabled: Azure Active Directory (SigninLogs, AuditLogs), Office 365 (OfficeActivity), and Microsoft 365 Defender. Adjust time ranges and thresholds to match your environment’s baseline.

💥 Detect Password Spraying

Identifies potential password spray attacks by detecting a single IP address generating failed sign-in attempts across multiple distinct user accounts within a short time window.

Sentinel SigninLogs
KQL
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50126"  // Invalid username or password
    or ResultType == "50053"   // Account locked
    or ResultType == "50057"   // Account disabled
| summarize
    TargetCount = dcount(UserPrincipalName),
    AttemptCount = count(),
    TargetAccounts = make_set(UserPrincipalName, 25),
    AppList = make_set(AppDisplayName, 10)
    by IPAddress, Location = tostring(LocationDetails.city)
| where TargetCount >= 10 and AttemptCount >= 20
| sort by TargetCount desc
| project
    IPAddress,
    Location,
    DistinctTargets = TargetCount,
    TotalAttempts = AttemptCount,
    SampleAccounts = TargetAccounts,
    AppsTargeted = AppList
Tuning: Adjust the TargetCount >= 10 and AttemptCount >= 20 thresholds based on your environment. Large organisations may need higher thresholds to avoid false positives from legitimate failed sign-ins.

📱 Detect Suspicious Application Consent

Monitors for new OAuth consent grants, especially those granting high-privilege permissions. This detects both illicit consent grant attacks and overly broad admin consent.

Sentinel AuditLogs
KQL
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingIP = tostring(InitiatedBy.user.ipAddress)
| extend AppName = tostring(TargetResources[0].displayName)
| extend AppId = tostring(TargetResources[0].id)
| extend ConsentType = tostring(
    parse_json(tostring(
        parse_json(tostring(TargetResources[0].modifiedProperties))[0]
    )).newValue)
| project
    TimeGenerated,
    InitiatingUser,
    InitiatingIP,
    AppName,
    AppId,
    ConsentType,
    OperationName,
    Result
| sort by TimeGenerated desc
Best Practice: Set this as a near-real-time (NRT) analytics rule in Sentinel. Any consent grant outside of your admin consent workflow should trigger an immediate investigation.

🏛 Detect Federation Configuration Changes

Alerts on any modification to domain federation settings. This is a critical detection because federation backdoors allow an attacker to generate tokens for any user without needing their password.

Sentinel AuditLogs
KQL
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any (
    "Set domain authentication",
    "Set federation settings on domain",
    "Set DomainFederationSettings",
    "Add unverified domain",
    "Verify domain"
)
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetDomain = tostring(TargetResources[0].displayName)
| extend ModifiedProps = parse_json(tostring(TargetResources[0].modifiedProperties))
| project
    TimeGenerated,
    OperationName,
    InitiatingUser,
    InitiatingApp,
    InitiatingIP,
    TargetDomain,
    ModifiedProps,
    Result
| sort by TimeGenerated desc
🚨
Critical Alert: Any federation change in a production tenant that is not part of a planned change should be treated as a potential compromise. This technique (AADInternals backdoor) enables full tenant takeover.

📨 Detect Mailbox Forwarding Rules

Detects creation of inbox rules that forward, redirect, or delete mail — common persistence and exfiltration mechanisms used after mailbox compromise.

Sentinel OfficeActivity
KQL
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
    or (Operation == "Set-Mailbox" and Parameters has_any (
        "ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"
    ))
| extend RuleParams = parse_json(Parameters)
| extend ForwardTo = tostring(RuleParams.[0].Value)
| extend RuleName = tostring(RuleParams.[1].Value)
| project
    TimeGenerated,
    Operation,
    UserId,
    ClientIP,
    RuleName,
    ForwardTo,
    Parameters
| sort by TimeGenerated desc

// Also check for transport-level forwarding
union (
ExchangeAdmin
| where TimeGenerated > ago(24h)
| where Operation has_any ("New-TransportRule", "Set-TransportRule")
| where Parameters has_any ("RedirectMessageTo", "BlindCopyTo", "CopyTo")
| project TimeGenerated, Operation, UserId, Parameters
)

📂 Detect Bulk Data Access via Graph API

Identifies applications or users making an unusually high volume of Microsoft Graph API requests to mail, files, or user data endpoints — indicative of data exfiltration or automated harvesting.

Sentinel MicrosoftGraphActivityLogs
KQL
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| where RequestUri has_any ("/messages", "/driveItem", "/drive/root",
    "/sites", "/mailFolders", "/attachments")
| summarize
    RequestCount = count(),
    UniqueEndpoints = dcount(RequestUri),
    SampleRequests = make_set(RequestUri, 10)
    by UserId = tostring(UserId), AppId, IPAddress
| where RequestCount > 500
| sort by RequestCount desc
| project
    UserId,
    AppId,
    IPAddress,
    TotalRequests = RequestCount,
    UniqueEndpoints,
    SampleRequests

// Alternative if MicrosoftGraphActivityLogs not available:
// Use CloudAppEvents from Defender for Cloud Apps
// CloudAppEvents
// | where ActionType has_any ("FileDownloaded", "FileAccessed")
// | summarize count() by AccountId, Application
// | where count_ > 100
💡
Data Source Note: The MicrosoftGraphActivityLogs table requires the Microsoft Graph activity logs diagnostic setting to be enabled in Entra ID. If not available, use CloudAppEvents from Defender for Cloud Apps as an alternative data source.

🔑 Detect Service Principal Credential Addition

Monitors for new credentials (passwords or certificates) being added to existing service principals or application registrations. This is a key privilege escalation and persistence technique.

Sentinel AuditLogs
KQL
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in (
    "Add service principal credentials",
    "Update application \u2013 Certificates and secrets management",
    "Add application key credential",
    "Add application password credential"
)
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetApp = tostring(TargetResources[0].displayName)
| extend TargetAppId = tostring(TargetResources[0].id)
| extend TargetAppType = tostring(TargetResources[0].type)
| extend ModifiedProps = parse_json(tostring(TargetResources[0].modifiedProperties))
| project
    TimeGenerated,
    OperationName,
    InitiatingUser,
    InitiatingApp,
    InitiatingIP,
    TargetApp,
    TargetAppId,
    TargetAppType,
    ModifiedProps,
    Result
| sort by TimeGenerated desc
Correlation Tip: Correlate this detection with PIM role activation events. An attacker who activates Application Administrator via PIM and then immediately adds credentials to a high-privilege app is a strong indicator of compromise.

💳 Recommended Microsoft Licensing

Licensing matters for security: Many of the defensive controls and detection capabilities in this guide require specific Microsoft licensing tiers. Organisations on E3 licensing alone have significant security visibility gaps. This section maps licence tiers to the security capabilities they unlock.

📦 Microsoft 365 E3

The baseline licence for most enterprise organisations. Provides foundational security controls but lacks advanced threat detection and response capabilities.

Capability What It Enables Limitations
Entra ID P1 (included) Conditional Access policies, MFA, self-service password reset, dynamic groups No risk-based policies, no PIM, no access reviews
Multi-Factor Authentication Per-user MFA, security defaults, Authenticator app, phone/SMS No phishing-resistant enforcement via CA (need to configure manually); no number matching control beyond Authenticator defaults
Basic Audit Logs Standard audit log with 180-day retention (recently extended from 90 days) No advanced audit events (MailItemsAccessed, SearchQueryInitiated); no long-term retention beyond 180 days
Exchange Online Protection Anti-spam, basic anti-malware, connection filtering No Safe Links, Safe Attachments, or advanced anti-phishing
Conditional Access Location-based, device-based, client app-based policies; block legacy auth No sign-in risk or user risk conditions (requires P2)
E3 Security Gap: Without E5 or P2 add-ons, you cannot detect risky sign-ins, enforce risk-based CA policies, use PIM for role management, or run automated investigation and response. Many attack techniques in this guide will go undetected on E3-only tenants.

🚀 Microsoft 365 E5

The full security stack. Includes everything in E3 plus advanced threat protection, identity protection, information governance, and compliance tools.

Capability What It Enables Relevant Attack Phase
Entra ID P2 (included) Identity Protection (risk-based CA), PIM, Access Reviews, Entitlement Management Phase 3 (credential attacks), Phase 5 (privilege escalation)
Defender for Office 365 Plan 2 Safe Links, Safe Attachments, advanced anti-phishing, automated investigation, attack simulation Phase 2 (initial access), Phase 7 (exfiltration via email)
Defender for Cloud Apps CASB: app discovery, session control, anomaly detection, OAuth app governance Phase 4 (enumeration), Phase 6 (lateral movement), Phase 7 (exfiltration)
Microsoft Purview Advanced Audit MailItemsAccessed, SearchQueryInitiated, Send events; 1-year retention; bandwidth throttling Phase 7 (exfiltration), Phase 8 (persistence detection)
Microsoft Purview eDiscovery (Premium) Advanced search, review sets, hold notifications, predictive coding Phase 7 (eDiscovery abuse detection requires audit of these events)
Defender for Identity On-premises Active Directory threat detection, lateral movement path analysis Phase 6 (lateral movement from hybrid environments)
Information Protection & DLP Sensitivity labels with auto-labelling, endpoint DLP, Teams/Exchange/SPO DLP Phase 7 (data exfiltration prevention)
E5 Security Advantage: Microsoft 365 E5 licensing provides detection and response coverage for the majority of attack techniques in this guide. If budget is constrained, the E5 Security add-on provides the most critical identity and threat protection features.

🔐 Entra ID P1 vs P2 Comparison

Understanding the differences between Entra ID P1 (included in E3) and P2 (included in E5) is critical for security control planning.

Feature Entra ID P1 (E3) Entra ID P2 (E5)
Conditional Access Location, device, client app, user/group targeting Everything in P1 + sign-in risk and user risk conditions
MFA Per-user MFA, Conditional Access MFA, security defaults Same + risk-based MFA triggering
Identity Protection Not available Risky sign-in/user detection, automated remediation, leaked credentials detection
Privileged Identity Management Not available Just-in-time role activation, approval workflows, activation alerts, role assignment reviews
Access Reviews Not available Automated periodic reviews of role assignments, group memberships, and app access
Entitlement Management Not available Access packages, approval workflows, automatic assignment
Workload Identities Not available Risk detection for service principals and managed identities (with Workload Identities Premium)
🚨
Critical Gap Without P2: Without Entra ID P2, you cannot use PIM to protect admin roles (Phase 5 defence), you cannot deploy risk-based Conditional Access (Phase 3 defence), and you have no automated leaked credential detection. These are foundational defences against the most common M365 attacks.

📊 Microsoft Sentinel (SIEM/SOAR)

Microsoft Sentinel is a cloud-native SIEM and SOAR solution that enables centralised detection, investigation, and automated response. All KQL detection rules in Section 3 are designed for Sentinel.

Capability What It Enables
Data Connectors Ingest SigninLogs, AuditLogs, OfficeActivity, CloudAppEvents, MicrosoftGraphActivityLogs, and hundreds more
Analytics Rules Scheduled and NRT detection rules using KQL; built-in templates for M365 threats
Playbooks (Logic Apps) Automated response: disable compromised accounts, revoke sessions, send notifications, create tickets
Workbooks Interactive dashboards for sign-in monitoring, CA policy coverage, and app consent activity
UEBA User and Entity Behavior Analytics for anomaly detection across identity and data access patterns
Threat Intelligence Integrate threat feeds to correlate known malicious IPs, domains, and indicators with sign-in data
KQL
// Verify your Sentinel data connector status
// Run this in your Log Analytics workspace
SigninLogs | take 1 | project TimeGenerated
AuditLogs | take 1 | project TimeGenerated
OfficeActivity | take 1 | project TimeGenerated
💡
Cost Tip: Sentinel pricing is based on data ingestion volume. Use data collection rules (DCRs) to filter and transform logs before ingestion. Enable the Microsoft 365 E5 benefit that provides up to 5 MB/user/day of specific data types at no additional Sentinel cost.

🛡 Defender for Office 365

Provides the anti-phishing, safe links, and safe attachments capabilities essential for defending against Phase 2 initial access techniques.

Feature Plan 1 Plan 2 (included in E5)
Safe Attachments Real-time detonation of attachments in sandboxed environment Same + Safe Attachments for SharePoint, OneDrive, Teams
Safe Links URL rewriting and time-of-click verification Same + URL detonation
Anti-Phishing Impersonation protection, mailbox intelligence, spoof intelligence Same + advanced tuning options
Automated Investigation & Response Not available Automated investigation of alerts, recommended or automatic remediation actions
Attack Simulation Training Not available Phishing simulation campaigns, training assignments, reporting
Threat Explorer Real-time detections only Full Threat Explorer with 30-day historical threat hunting

📝 Licensing Recommendation Summary

Based on the attack chain coverage in this guide, here is the minimum recommended licensing for effective defence:

RECOMMENDATION
MINIMUM VIABLE SECURITY LICENSING FOR M365 DEFENCE
====================================================

ALL USERS:
  - Microsoft 365 E3 (baseline) or E5 (recommended)
  - Entra ID P2 (included in E5, or add-on for E3)
    Required for: PIM, Identity Protection, Access Reviews

ADMIN / PRIVILEGED USERS (at minimum):
  - Microsoft 365 E5 Security add-on (if org is on E3)
    Required for: Defender for Cloud Apps, advanced audit

SECURITY OPERATIONS:
  - Microsoft Sentinel (consumption-based)
    Required for: KQL detection rules, SOAR playbooks
  - Defender for Office 365 Plan 2 (included in E5)
    Required for: anti-phishing, Safe Links, investigation

OPTIONAL BUT RECOMMENDED:
  - Defender External Attack Surface Management
    Required for: Phase 1 recon surface reduction
  - Entra Workload Identities Premium
    Required for: service principal risk detection
Budget Compromise: If full E5 licensing is not feasible, prioritise the Microsoft 365 E5 Security add-on for all admin and privileged users, and Entra ID P2 for all users. This provides the most critical detection and access control capabilities at a lower cost than full E5.