
Is E3 Right for You?

Risks of E3 Integrated Identity

Written by David Worthington on January 29, 2024





Active Directory (AD) admins are looking to modernize or replace AD, and Microsoft 365's E3 is an attractive option for businesses pursuing that objective. Entra ID is also "free" and available to use. It's the prescribed path and bundles many products at one price. Reality sets in once admins recognize that its vast, vertically integrated suite of tools, with apps for "everything," is a mismatch for their organization and limits their flexibility.

In short, the true cost of licensing, implementing, integrating services, and training admins and users can be significant.

One needed feature can lead to the purchase of yet another entire product, creating a software monoculture that raises spending over time. Consolidating IT with one vendor also concentrates risk: a compromise of the shared identity platform exposes everything built on it. Be skeptical of E3: its bundling is a sales mechanism rather than a bargain for IT departments. IT's mission to drive business performance is lost in complexity.

The TL;DR is that E3 can homogenize your line-of-business apps, making it impossible to even consider best-of-breed solutions. Its monolithic architecture obligates customers to adopt more cloud services through licensing and technical dependencies. The services seem integrated, but they're not, and considerable work is necessary to get everything working together.

E3 also leaves security gaps and lacks the controls that could have prevented or detected an attack like the one that compromised the emails of Microsoft's top executives. You'll have to spend more to keep your identities safe. An industry expert has also raised concerns about Microsoft monetizing security and "abusing the term legacy" to sell more products rather than fixing its issues. Keeping your identity provider independent and isolating that legacy can help to mitigate those risks.

Read on to learn more about these important considerations and the impacts they can have.

Downstream Lock-In of Services with Microsoft Identity

Individual components appear harmless or even attractive, but the sum total of Microsoft's platform approach locks customers into services that may be a mismatch for their capabilities and needs.

Apps

For example, Microsoft's one-size-fits-all approach and apps may not map to business requirements. The result is that organizations lose the flexibility to use best-of-breed apps.

E3 includes apps equivalent to those of many SaaS innovators and creates the impression that there's no need to look elsewhere, while employees may want something different. And are Microsoft's products really better or more secure than best-of-breed solutions?

Identity

Identity is another mechanism for lock-in. Microsoft's , , and new all assume that you'll be using Entra ID and Intune. There's not even a mention of, or a possibility of using, anything else.

Forced Migrations

Admin features that were on-premises are moving to the cloud, e.g., Configuration Manager.

Organizations are looking for options outside of Microsoft to deal with mixed device types, mixed working arrangements, accelerated cloud adoption, and integration of best-of-breed technologies. Using Microsoft isn't all bad, but it may not be right for you.

The Bad Economics of Lock-In

Bundles and bargains almost always give way to higher administrative overhead and more spending. Microsoft's objective is total consolidation; it envisions itself as central to everything. That approach may not serve your organization's best interests.

Buyer Beware

Many admins just want to use Microsoft Office, tighten up their security posture, and be business enablers by providing users with the solutions they want and need. However, that's not what they'll end up with.

E3's complexity can make deployment, management, and regular, ongoing training overwhelming to support. McKinsey advises closer involvement between IT and the business sides of companies. Microsoft's bundling increases its customer lifetime value rather than making small and medium-sized enterprises (SMEs) more responsive, competitive, and cost-effective. Time spent implementing the product impedes business/IT alignment. SMEs can't afford IT process managers, but may need someone to perform that role because of E3's complexity, which runs counter to McKinsey's advice.

Complex and Transient Licensing

License management and pricing can be complex and unpredictable unless you understand how everything interconnects and which features are included in each plan. Some features are gated off, even deceptively, such as reporting in Conditional Access. For example:

  • Microsoft moved many Identity Governance features from Entra ID Premium P2 into a separate add-on SKU (Microsoft Entra ID Governance).
  • Supporting these features leads to reskilling and new hires at market rates.
  • Features within plans can change at any time, driving up costs.

It's Difficult to Deploy

Customizations and integrations are often too difficult to handle in-house. Only proper planning and roadmapping will reveal the true cost and benefits of E3, and small and medium-sized enterprises rarely have the resources to do that or to follow best practices correctly.

The deeper you go, the more people you'll need.

There's Always an Upsell

Admins discover that E3 doesn't satisfy Microsoft's own recommendations for securing and modernizing AD. It fails to provide the services Microsoft says will protect identities and detect attacks against AD's vulnerabilities, which are endemic given that it's a legacy product. Some experts argue that Microsoft is abusing the term "legacy" to dodge its obligation to secure its products while simultaneously using those flaws to upsell security services.

A Patchwork of Consoles and Products

Things become even more complicated (and costly) once admins begin to experience Microsoft's patchwork of consoles and services. One price doesn't mean "integrated." Don't just take our word for it; there are numerous examples of what you'd encounter with E3.

It's Not Really All-in-One

Admins are in and out of many consoles and must understand them all, and how they interrelate, just to turn things on:

  • Intune and Entra ID are separate products and must be configured and managed separately.
  • Defender products are separate and must be manually integrated, e.g., Defender for Endpoint (MDE) with Intune. It takes deep knowledge and experience to use them well.
  • Entra ID's Conditional Access "report-only mode" evaluates policies without enforcing them, but the aggregate view, the Conditional Access insights and reporting workbook, requires routing sign-in logs to an Azure Monitor Log Analytics workspace that is billed separately. Without it, you only see a placeholder in E3.
  • Microsoft Entra monitoring and health flows to Microsoft Sentinel for SIEM and automated incident response (SOAR), another separately billed service. There's always a push toward more vertical integration (i.e., buying more Microsoft products), and many IT admins don't learn this until it is too late.

Note: Many of these items could also fit under lock-in: you become so deeply embedded in Microsoft's platforms that you can't get out without serious cost and disruption.

Customization Gets Expensive

Custom workflows can require dedicated vendors or consultants indefinitely, because things change rapidly within its platforms. Microsoft says this is meant to free IT to focus on P0 tasks. An unnecessary reliance on consultants is bad for day-to-day operations and binds you to Microsoft's ecosystem.

Security Challenges

Microsoft disclosed that its top executives had their emails compromised, despite the company having unlimited access to, and the expertise to fully utilize, its broad portfolio of security products.

The most shocking revelation was that many of the technologies it recommends all customers adopt weren't even being used. It's fair to ask what chance an SME has of securing its platforms well if even Microsoft lacks the capacity to readily use all of the technologies it prescribes.

E3 Lacks Recommended Security Controls

Let's examine some security considerations unique to an all-Microsoft shop. An identity/platform monoculture enables lateral movement by attackers. Recall that E3 lacks security controls for AD: extending detection to domain controllers and server threats requires Defender for Identity alongside MDE Plan 2, and E3 includes neither. E3 has other security shortcomings if you view it as a holistic package.

"In many organizations, AzureAD is deployed in hybrid mode, which combines the vulnerability of cloud (external password sprays) and on-premise (NTLM, mimikatz) identity technologies in a combination that smart attackers utilize to bounce between domains, escalate privilege and establish persistence," says Alex Stamos, who is Chief Trust Officer at SentinelOne.

The E3 SKU lacks Defender for Identity, despite including AD integration via Entra Connect (formerly Azure AD Connect). Defender for Identity is the product that detects the on-premises attack patterns Stamos describes. Anything related to user or sign-in risk (Entra ID Protection) requires Entra ID P2; E3 only includes P1.

  • E3's edition of MDE (Plan 1) provides next-generation antivirus and attack surface reduction but no Endpoint Detection and Response (EDR). This can create a false sense of security, given that E3 is presented as "all-in-one" for SMEs. EDR is what you need to detect and react to lateral movement.
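The service-plan gaps described in this section are easy to verify rather than assume. The following PowerShell is an added example, not code from the original article or from Microsoft: it reads the tenant's subscribed SKUs through Microsoft Graph and reports which of the security-relevant plans discussed above are actually provisioned. The service plan identifiers (AAD_PREMIUM, AAD_PREMIUM_P2, MDE_LITE, WINDEFATP, ATA, INTUNE_A) are the ones Microsoft publishes in its licensing service-plan reference; the friendly labels, the function name, and the constructed E3-only sample are this example's own assumptions.

```powershell
# Added example (not from the original article or from Microsoft): list which
# security-relevant service plans a tenant actually has, so the licensing gaps
# described above are visible rather than assumed.
# Live use needs the Microsoft.Graph.Identity.DirectoryManagement module and a
# session connected with the Organization.Read.All scope.

# Service plan names are Microsoft's published identifiers; the labels are ours.
$RequiredPlans = @{
    'AAD_PREMIUM'    = 'Entra ID P1 (Conditional Access)'
    'AAD_PREMIUM_P2' = 'Entra ID P2 (Identity Protection: user/sign-in risk, PIM)'
    'MDE_LITE'       = 'Defender for Endpoint Plan 1 (no EDR)'
    'WINDEFATP'      = 'Defender for Endpoint Plan 2 (EDR)'
    'ATA'            = 'Defender for Identity (on-prem AD attack detection)'
    'INTUNE_A'       = 'Intune'
}

function Get-TenantPlanCoverage {
    param(
        # The output of Get-MgSubscribedSku, or a constructed list for offline use.
        [Parameter(Mandatory)] [object[]] $SubscribedSkus
    )
    # Flatten every service plan that is successfully provisioned in any purchased SKU,
    # remembering which SKU supplied it.
    $provisioned = @{}
    foreach ($sku in $SubscribedSkus) {
        foreach ($plan in $sku.ServicePlans) {
            if ($plan.ProvisioningStatus -eq 'Success') {
                $provisioned[$plan.ServicePlanName] = $sku.SkuPartNumber
            }
        }
    }
    foreach ($name in ($RequiredPlans.Keys | Sort-Object)) {
        [pscustomobject]@{
            ServicePlan = $name
            Purpose     = $RequiredPlans[$name]
            Present     = $provisioned.ContainsKey($name)
            FromSku     = if ($provisioned.ContainsKey($name)) { $provisioned[$name] } else { '-' }
        }
    }
}

# Live use against a tenant:
#   Connect-MgGraph -Scopes 'Organization.Read.All'
#   Get-TenantPlanCoverage -SubscribedSkus (Get-MgSubscribedSku) | Format-Table -AutoSize

# Constructed sample standing in for a tenant that only owns Microsoft 365 E3
# (SKU part number SPE_E3). This is not real tenant data.
$sampleSkus = @(
    [pscustomobject]@{
        SkuPartNumber = 'SPE_E3'
        ServicePlans  = @(
            [pscustomobject]@{ ServicePlanName = 'AAD_PREMIUM'; ProvisioningStatus = 'Success' }
            [pscustomobject]@{ ServicePlanName = 'MDE_LITE';    ProvisioningStatus = 'Success' }
            [pscustomobject]@{ ServicePlanName = 'INTUNE_A';    ProvisioningStatus = 'Success' }
        )
    }
)
Get-TenantPlanCoverage -SubscribedSkus $sampleSkus | Format-Table -AutoSize
```

Against the constructed sample the table shows P1, MDE Plan 1, and Intune present and P2, MDE Plan 2, and Defender for Identity absent, which is the gap the section describes. Run it against a real tenant before assuming any of those protections are in place; a plan that exists in the SKU but reports a provisioning status other than Success is treated as absent on purpose.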

You may be wondering why these details matter. The takeaway is that a failure to protect legacy Microsoft products leaves the proverbial back door open. A key passage in the article covering the theft of sensitive emails from Microsoft executives describes how attackers "…used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold."
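A password spray of the kind quoted above is visible in the sign-in log that every Entra ID tenant has, even without Sentinel or a Log Analytics workspace. The following PowerShell is an added example, not code from the original article or from Microsoft: it groups failed sign-ins by source IP and reports any IP that failed against many distinct accounts, which is the spray signature (breadth of users per source, rather than depth of attempts per user). The function name, the threshold of five distinct users, and the sample records are this example's own assumptions; the record shape and the 50126 error code are those of the Entra sign-in log as returned by Get-MgAuditLogSignIn.

```powershell
# Added example (not from the original article or from Microsoft): a minimal
# password-spray check over Entra ID sign-in records. The threshold and the
# constructed sample records are this example's own assumptions.

function Find-PasswordSpray {
    param(
        # Records shaped like Entra sign-in log entries as returned by
        # Get-MgAuditLogSignIn: UserPrincipalName, IPAddress, CreatedDateTime, Status.ErrorCode.
        [Parameter(Mandatory)] [object[]] $SignIns,
        # Spray signature: one source IP failing against at least this many distinct accounts.
        [int] $MinDistinctUsers = 5
    )
    # 50126 = invalid username or password. A spray tries one or two passwords
    # across many accounts, so the tell is the number of users per IP, not attempts per user.
    $failures = $SignIns | Where-Object { $_.Status.ErrorCode -eq 50126 }
    foreach ($group in ($failures | Group-Object -Property IPAddress)) {
        $attempts = @($group.Group | Sort-Object CreatedDateTime)
        $users    = @($attempts.UserPrincipalName | Sort-Object -Unique)
        if ($users.Count -ge $MinDistinctUsers) {
            [pscustomobject]@{
                IPAddress     = $group.Name
                DistinctUsers = $users.Count
                Attempts      = $attempts.Count
                FirstSeen     = [datetime]$attempts[0].CreatedDateTime
                LastSeen      = [datetime]$attempts[-1].CreatedDateTime
            }
        }
    }
}

# Live use (Microsoft.Graph.Reports module, AuditLog.Read.All scope): pull a bounded
# time window from the tenant, then scan it.
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $since = (Get-Date).AddHours(-24).ToUniversalTime().ToString('o')
#   Find-PasswordSpray -SignIns (Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All)

# Constructed sample (not real log data): one IP tries a single bad password against
# six accounts; another IP is one user mistyping twice and then succeeding.
function New-SampleSignIn([string]$Upn, [string]$Ip, [int]$Code, [string]$When) {
    [pscustomobject]@{
        UserPrincipalName = $Upn
        IPAddress         = $Ip
        CreatedDateTime   = $When
        Status            = [pscustomobject]@{ ErrorCode = $Code }
    }
}
$sample = @(
    1..6 | ForEach-Object { New-SampleSignIn "user${_}@example.com" '203.0.113.5' 50126 "2024-01-29T02:0${_}:00Z" }
    New-SampleSignIn 'alice@example.com' '198.51.100.7' 50126 '2024-01-29T08:00:00Z'
    New-SampleSignIn 'alice@example.com' '198.51.100.7' 50126 '2024-01-29T08:00:30Z'
    New-SampleSignIn 'alice@example.com' '198.51.100.7' 0     '2024-01-29T08:01:00Z'
)
Find-PasswordSpray -SignIns $sample | Format-Table -AutoSize
```

On the constructed sample only 203.0.113.5 is reported (six distinct users, six attempts); alice's two typos from 198.51.100.7 stay below the threshold. The check is deliberately simple: it counts breadth per IP within whatever time window the caller fetched, so a low-and-slow spray spread over days, or one rotated across many source IPs, needs a longer window or grouping by user agent and application as well. It is a detection, not a control; blocking sprays against accounts that still accept passwords is what Conditional Access, smart lockout, and phishing-resistant MFA are for, and the legacy test tenant in the quoted incident had none of them.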

A Windows-Centric Approach

Microsoft supports other platforms, but Windows is its first-class citizen. That comes with advantages such as compatibility, but also drawbacks owing to its legacy. For example:

  • Windows Hello for Business doesn't extend beyond Windows, limiting Microsoft's modern passwordless authentication to Windows devices.
  • SMEs may still need AD co-management with Intune; some admins starting cloud-only with Entra ID won't receive any value from higher license tiers without also having AD deployed.
  • Vulnerabilities in legacy Office apps can be critical on Windows systems. They account for a significant portion of reported breaches, with Office apps appearing on the Cybersecurity and Infrastructure Security Agency's (CISA) list of the top 20 routinely exploited vulnerabilities.

Note: Many admins find they need a substitute spam filter in place of the one provided with Microsoft 365 to avoid email compromises, adding to the expense of using E3.

There's a Better Path

Admins can manage these risks by keeping their identity provider (IdP) independent and isolating AD. A cloud-based productivity suite, such as Google Workspace, may also reduce exposure to the legacy vulnerabilities described above. Security features should also be easy to implement and universal across platforms.

Try 黑料海角91入口

黑料海角91入口 provides an open directory platform that's interoperable with other IdPs, such as Active Directory instances, even when there are multiple domains. It provides frictionless access to resources with support for common networking and web protocols, secured by environment-wide MFA and cross-OS device management. And 黑料海角91入口 Go™ provides modern authentication for more than just Windows.

The open directory platform is a single pane of glass for managing access to all of your resources with automations and workflows that can increase IT efficiency and get to results faster. Other features and options include:

  • A password manager
  • Cross-OS (and browser) patch management
  • Remote access and troubleshooting tools

and find out if it's the best option for your organization. You can also try to see how the platform works without having to perform any work.


David Worthington

I'm the 黑料海角91入口 Champion for Product, Security. 黑料海角91入口 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
