Active Directory (AD) admins are looking to modernize or replace AD, and Microsoft 365’s E3 is an attractive option for businesses trying to accomplish those objectives. Entra ID is also “free” and available to use. It’s the prescribed path and bundles many products at one price. Reality sets in once admins recognize that its vast, vertically integrated suite of tools, with apps for “everything,” is a mismatch for their organization and limits their flexibility.
In short, the true cost of licensing, implementing, integrating services, and training admins and users can be significant.
One needed feature can lead to the purchase of yet another entire product, creating a software monoculture that raises spending over time. Consolidating IT with one vendor also introduces inherent security risks from its platforms. Be skeptical of E3: its bundling is a sales mechanism instead of a bargain for IT departments. IT’s mission to drive business performance is lost in complexity.
The TL;DR is that E3 can homogenize your line of business apps, making it impossible to even consider using best-of-breed solutions. Its monolithic architecture obligates customers to adopt more cloud services via licensing and technical dependencies. The services seem integrated, but they’re not, and considerable work is necessary to get everything to work together.
E3 also leaves security gaps and lacks controls that could prevent attacks like the password spray technique that compromised the emails of Microsoft’s top executives. You’ll have to spend more to keep your identities safe. An industry expert has also raised concerns about Microsoft monetizing security and “abusing the term legacy” to sell more products versus fixing its issues. Keeping your Identity Provider independent and isolating that legacy can help to mitigate risks.
Read on to learn more about these important considerations and the impacts they can have.
Downstream Lock-In of Services with Microsoft Identity
Individual components appear harmless or even attractive, but the sum total of Microsoft’s platform approach locks customers into services that may be a mismatch for their capabilities and needs.
Apps
For example, Microsoft’s one-size-fits-all approach and apps may not map to business requirements. The result is that organizations lose the flexibility to use the best-of-breed apps.
E3 includes equivalent apps to many SaaS innovators and creates the impression that there’s no need to look elsewhere, while employees may want something different. And, are Microsoft’s products really better or more secure than best-of-breed solutions?
Identity
Identity is another mechanism for lock-in. Microsoft’s cybersecurity reference architecture, rapid modernization plan, and new enterprise access model for AD all assume that you’ll be using Entra ID and Intune. There’s no mention of, or provision for, using anything else.
Forced Migrations
Admin features that were on-premises are moving to the cloud, e.g., Configuration Manager.
Organizations are looking for options outside of Microsoft to deal with the diversity of mixed device types, mixed working arrangements, accelerated cloud adoption, and integration of best-of-breed technologies. Using Microsoft isn’t all bad, but it may not be right for you.
The Bad Economics of Lock-In
Bundles and bargains almost always give way to higher administrative overhead and more spending. Microsoft’s objective is total consolidation; it envisions itself as being central to everything. That approach may not serve your organization’s best interests.
Buyer Beware
Many admins just want to use Microsoft Office, tighten up their security posture, and be business enablers by providing users with the solutions that they want/need. However, that’s not what they’ll end up with.
E3’s complexity can make it too overwhelming to support deployment, management, and regular, ongoing training. McKinsey advises closer involvement between IT and the business sides of companies. Microsoft’s bundling increases its customer lifetime value versus making small and medium-sized enterprises (SMEs) more responsive/competitive/cost-effective. Time spent implementing the product impedes business/IT alignment. SMEs can’t afford IT process managers, but may need someone to perform that role due to E3’s complexity, which is an antipattern to McKinsey’s advice.
Complex and Transient Licensing
License management and pricing can be complex/unpredictable without understanding how everything interconnects and what features are included in each plan. Some features are gated off, even deceptively, such as reporting in conditional access. For example:
- Microsoft moved many Identity Governance features from Entra ID Premium 2 (P2) into an add-on SKU.
- Supporting these features leads to reskilling and new hires at market rates.
- Features within plans can change at any time, driving up costs.
It’s Difficult to Deploy
Customizations and integrations are just too difficult to handle in-house. Only proper planning and roadmapping will realize the true cost and benefits of E3. Small and medium-sized enterprises lack the resources to do that or to follow best practices correctly.
The deeper you go, the more people you’ll need.
There’s Always an Upsell
Admins discover that E3 doesn’t satisfy Microsoft’s recommendations to secure and modernize AD. It fails to provide the services Microsoft says will protect identities and detect attacks against AD’s vulnerabilities, which are endemic, given it’s a legacy product. Some security experts have suggested that Microsoft is abusing the term legacy to dodge its obligation to secure its products while simultaneously using those flaws to upsell security services.
A Patchwork of Consoles and Products
Things become even more complicated (and costly) once admins begin to experience Microsoft’s patchwork of consoles and services. One price doesn’t mean “integrated.” Don’t just take our word for it… there are numerous examples of what you’d encounter with E3.
It’s Not Really All-in-One
Admins are in and out of many consoles and must understand them all and how they interrelate to turn things on:
- Intune and Entra are separate products and must be configured and managed separately.
- Defender products are separate and must be manually integrated, e.g., Defender for Endpoint (MDE) and Intune. It takes deep knowledge and experience to use them.
- Entra ID’s conditional access “report-only mode” means you must purchase Azure Monitor to set up a Log Analytics Workspace. You only see a placeholder in E3.
- Microsoft Entra monitoring and health flows to Sentinel for SIEM and incident response (SOAR). There’s always a push toward more vertical integration (i.e., buying more Microsoft products) and many IT admins don’t learn this until it is too late.
Note: Many of these items could also fit into lock-in… you become so deeply embedded in Microsoft’s platforms that you can’t get out without serious cost and disruption.
Customization Gets Expensive
Custom workflows can require dedicated vendors/consultants indefinitely, because things can change rapidly with its platforms. Microsoft says this is to focus IT on P0 tasks. An unnecessary reliance on consultants is bad for day-to-day operations and binds you to Microsoft’s ecosystem.
Security Challenges
Microsoft disclosed that its top executives had their emails broken into, despite having unlimited access and the expertise to fully utilize its broad portfolio of solutions.
The most shocking revelation was that many of the technologies it recommends all customers should adopt weren’t even being used. It’s fair to ask what chance an SME would have to secure its platforms well if even Microsoft lacks the capacity to readily use all of the technologies that it’s prescribing.
E3 Lacks Recommended Security Controls
Let’s examine some security considerations that would be unique to an all Microsoft shop. Identity/platform monoculture enables lateral movement by attackers. Recall that E3 lacks security controls for AD. You must use MDE Plan 2 with Defender for Identity in order to extend the checks to include server threats. E3 doesn’t include those features/services. E3 has other security shortcomings, if you view it as a holistic package.
“In many organizations, AzureAD is deployed in hybrid mode, which combines the vulnerability of cloud (external password sprays) and on-premise (NTLM, mimikatz) identity technologies in a combination that smart attackers utilize to bounce between domains, escalate privilege and establish persistence,” wrote Alex Stamos, who is Chief Trust Officer at SentinelOne.
The E3 SKU lacks Defender for Identity, despite including AD integration via Entra ID Connect. Defender for Identity detects the attacks that Stamos describes. Anything related to session/user risk is in Entra ID P2 (E3 only has Premium 1).
E3’s edition of MDE (Plan 1) only has antivirus protection and no Endpoint Detection and Response (EDR). This can create a false sense of security, given that E3 is presented as being “all-in-one” for SMEs. EDR is necessary to detect and react to lateral movement.
You may be wondering why these details matter. The takeaway is that a failure to protect legacy Microsoft products leaves the proverbial backdoor open. A key passage in the article covering the theft of sensitive emails from Microsoft executives describes how attackers “…used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold.”
A Windows-Centric Approach
Microsoft supports other platforms, but Windows is its first-class denizen. That comes with advantages such as compatibility, but also drawbacks owing to its legacy. For example:
- Windows Hello doesn’t extend beyond Windows, limiting its modern passwordless authentication to Windows only.
- SMEs may still need AD co-management with Intune; some admins starting with Entra ID won’t receive any value/utility from higher license offerings without also having AD deployed.
- Vulnerabilities in legacy Office apps can be critical on Windows systems. They account for a significant share of reported breaches, with Office apps accounting for 70% of the Cybersecurity and Infrastructure Security Agency’s (CISA) top 20 routinely exploited vulnerabilities list.
Note: Many admins find that they need a substitute for the spam filter provided with Microsoft 365 to avoid email compromises, adding to the expense of using E3.
There’s a Better Path
Admins can manage these risks by keeping their identity provider (IdP) independent and isolating AD. A cloud-based productivity suite, such as Google Workspace, may also reduce potential vulnerabilities. Security features should also be easy to implement and universal.
Try JumpCloud
JumpCloud provides an open directory platform that’s interoperable with other IdPs, such as Active Directory instances, even when there are multiple domains. It provides frictionless access to resources with support for common networking and web protocols, secured by environment-wide MFA and cross-OS device management. And JumpCloud Go™ provides modern authentication for more than just Windows.
The open directory platform is a single pane of glass for managing access to all of your resources with automations and workflows that can increase IT efficiency and get to results faster. Other features and options include:
- A password manager
- Cross-OS (and browser) patch management
- Remote access and troubleshooting tools
Try JumpCloud for free and find out if it’s the best option for your organization. You can also try guided simulations to see how the platform works without having to perform any work.