πŸ‡¨πŸ‡¦VancouverπŸ‡¨πŸ‡¦TorontoπŸ‡ΊπŸ‡ΈLos AngelesπŸ‡ΊπŸ‡ΈOrlandoπŸ‡ΊπŸ‡ΈMiami
1-855-KOO-TECH
KootechnikelKootechnikel
Search⌘KFree Health Check
Insights Β· Field notes from the SOC
Plain-language briefings from the people watching the alerts.
Weekly Β· No spam
Read4
Field GuideNewEngineer-written playbooks.β†’Blog & Field NotesWeekly threat briefings.β†’WhitepapersDeep dives on Secure AI, Zero Trust.β†’Case StudiesReal clients, real numbers.β†’
Watch & listen3
WebinarsMonthly Β· live Q&A with the team.β†’PodcastNew"Stronger.Smarter" Β· biweekly.β†’Quick Clips90-second how-tos on YouTube.β†’
Use3
Free Vulnerability Scan30-sec domain + email check.β†’Compliance ChecklistsSOC 2, HIPAA, PCI printable.β†’ROI CalculatorEstimate cost-of-incident savings.β†’
New series
Field Guide
Engineer-written playbooks for the problems 30-100 person companies actually hit.
MFA rollouts, SOC 2 timelines, M365 backup, HIPAA/PHIPA, CIS Controls, AI governance β€” specific, narrow, practical.
Open the Field Guide
Subscribe to weekly β†’All resources β†’
NO SPAM Β· UNSUBSCRIBE IN ONE CLICK
Security architecture Β· the four pillars

Defender. Purview. Entra. Intune.
Four pillars. One Microsoft 365 security architecture.

The Microsoft 365 security architecture in 2026 is four pillars β€” Defender for threat detection, Purview for information governance, Entra for identity, Intune for endpoint management. Each pillar is its own product family; together they cover what traditional security organizations bought from a half-dozen point vendors. Below: what each pillar does, how they integrate, and which licensing tier you need for genuine compliance defensibility.

Book a security architecture reviewTeams Phone (bundled in E5) β†’

Microsoft Defender (XDR)

Threat detection, prevention, and response across endpoints, email, identities, cloud apps, and cloud workloads.

Components

  • Defender for Endpoint β€” endpoint XDR (Windows, macOS, Linux, iOS, Android). P1 in E3, P2 in E5.
  • Defender for Office 365 β€” email + Teams + Office threat protection. P1 bundled into E3 since 2024.
  • Defender for Identity β€” on-prem Active Directory threat detection (E5).
  • Defender for Cloud Apps β€” CASB for SaaS apps. Shadow IT discovery, OAuth app governance, in-session controls (E5).
  • Defender XDR β€” cross-domain correlation across all the above. Single incident view across endpoint + email + identity + cloud (E5).
  • Defender for Cloud β€” Azure + AWS + GCP workload protection (separate Azure consumption pricing).
Integration: Native integration with Microsoft Sentinel (SIEM/SOAR), Entra ID for identity context, Intune for device posture, Purview for data classification context. The most consequential integration is Defender XDR: a single pane that shows the same incident from endpoint + email + identity + cloud perspectives, eliminating the cross-tool correlation work that traditional SOCs spend 60% of their time on.
Licensing: Business Premium gets entry-level Defender for Business + Defender for Office 365 P1. E3 gets Defender for Endpoint P1 + Defender for Office 365 P1. E5 gets the full XDR stack including Defender for Identity, Cloud Apps, and the cross-domain Defender XDR layer. E5 is required for genuine SOC 2 Type II audit defensibility.

Microsoft Purview (information governance)

Data discovery, classification, protection, retention, and compliance across the M365 estate plus connected non-Microsoft sources.

Components

  • Sensitivity labels β€” manual + auto-labeling for Office files, PDFs, emails, Teams messages, SharePoint sites.
  • DLP (Data Loss Prevention) β€” policies that block or warn on sensitive data in Exchange, SharePoint, OneDrive, Teams, Endpoints, and (since November 2024) the Microsoft 365 Copilot policy location.
  • Records Management β€” declared records with retention + disposition.
  • Information Protection β€” encryption, rights management, content scanning.
  • Insider Risk Management β€” behavioral analytics for data exfiltration, IP theft, policy violations (E5).
  • eDiscovery (Premium) β€” legal hold, search, review, export. Tier above the basic eDiscovery in E3.
  • Communication Compliance β€” supervised messaging review for regulated industries (E5).
  • AI Hub β€” Copilot governance surface (added 2024, expanded 2025-2026). Inventory of AI agents, prompt and response audit, sensitive data flow into AI surfaces.
Integration: Sensitivity labels propagate from source β†’ derivative documents β†’ Copilot outputs. DLP policies apply consistently across Exchange, SharePoint, OneDrive, Teams, Endpoints, and Copilot. Insider Risk Management correlates with Defender XDR for cross-tool threat detection. The Purview AI Hub is the layer Microsoft 365 Copilot governance is built on.
Licensing: Information Protection P1 (basic labels) bundled with Business Premium / E3. Full Purview suite (DLP, Information Protection P2, Records Management, Insider Risk Management, eDiscovery Premium, Communication Compliance) requires E5. The AI Hub is included with Copilot, but the underlying DLP for Copilot policy location requires E5.

Microsoft Entra (identity + access)

Identity, authentication, authorization, and access governance across all Microsoft and connected applications.

Components

  • Entra ID (formerly Azure AD) β€” directory + SSO + MFA + Conditional Access.
  • Entra ID P1 β€” Conditional Access, MFA enforcement, group-based licensing, dynamic groups (Business Premium / E3).
  • Entra ID P2 β€” Privileged Identity Management (just-in-time admin elevation), Identity Governance (access reviews, entitlement management), risk-based Conditional Access (E5).
  • Microsoft Entra Suite (added 2024) β€” bundles Entra ID Governance, Entra Internet Access (SWG), Entra Private Access (ZTNA), Entra Verified ID. $12/user/mo standalone, included in E7.
  • Entra External ID β€” B2B + B2C identity for partners and customers.
Integration: Single SSO surface for all M365 apps + 10,000+ federated SaaS apps. Conditional Access integrates with Defender XDR signals (compromised device β†’ block sign-in), Intune device posture (non-compliant device β†’ require MFA + restrict access), and Purview labels (Confidential content β†’ require encrypted device). The Entra Suite extends this beyond M365 into web traffic (Internet Access SWG) and private apps (Private Access ZTNA).
Licensing: Entra ID P1 in Business Premium and E3. Entra ID P2 in E5. The Entra Suite ($12/user/mo) standalone or bundled into E7. For zero-trust network architecture replacing legacy VPN, the Entra Suite is the modern path.

Microsoft Intune (endpoint management)

Device, application, and configuration management for Windows, macOS, iOS, Android, ChromeOS, and Linux endpoints.

Components

  • MDM (Mobile Device Management) β€” full device enrollment, configuration policies, compliance policies.
  • MAM (Mobile Application Management) β€” app-level controls without enrolling the device. The BYOD pattern.
  • Configuration Manager (now part of Microsoft Intune Suite) β€” co-management with on-prem ConfigMgr for legacy Windows estates.
  • Endpoint Privilege Management β€” just-in-time admin elevation on Windows endpoints.
  • Remote Help β€” IT-initiated remote control with auditing.
  • Microsoft Tunnel β€” VPN client for managed mobile devices.
  • Advanced Endpoint Analytics β€” proactive remediation, anomaly detection.
Integration: Compliance policies in Intune feed Conditional Access in Entra (non-compliant device β†’ restricted access). Defender for Endpoint signals feed Intune (compromised device β†’ automatic compliance failure). Win32 + MSIX + Microsoft Store + LOB app deployment via the Intune Company Portal. Windows Autopilot for zero-touch device provisioning.
Licensing: Intune included with Business Premium / E3 / E5. The Intune Suite (Endpoint Privilege Management, Remote Help, Microsoft Tunnel for MAM, Advanced Endpoint Analytics, Specialty Devices) is a separate add-on at ~$10/user/mo. Most enterprise endpoint management deployments include the Suite.
Compliance posture

What this stack delivers across the major frameworks.

SOC 2 Type II

Microsoft 365 E5 covers the full audit trail required for SOC 2 Type II β€” Defender XDR for security operations, Purview for data governance, Entra ID P2 for access management, Intune for endpoint compliance. Most SOC 2-blocked deployments are blocked because they're on E3 (no Defender XDR cross-domain correlation, no full Purview suite, no Entra ID P2 PIM) β€” moving to E5 closes the audit findings.

HIPAA

Microsoft 365 is HIPAA-eligible under a Business Associate Agreement (BAA). The Defender + Purview + Entra + Intune stack provides the technical safeguards required by the HIPAA Security Rule. ePHI handling requires sensitivity labels with encryption, DLP policies for ePHI in motion, audit logging, and Insider Risk Management for behavioral anomaly detection β€” all in the E5 / Purview Premium tier.

PIPEDA + Quebec Law 25

Microsoft 365 baseline data residency in Canadian data centers (Toronto, Quebec City). PIPEDA-aligned by default; Quebec Law 25 compliance requires proper configuration of cross-border transfer disclosures, retention policies, breach-notification workflows, and consent management. Canadian Copilot inference is announced for 2027 β€” until then, prompts and grounding queries leave Canada for inference, requiring documented disclosures.

NIS2 / DORA (EU)

For organizations with EU operations: NIS2 (Network and Information Systems Directive 2) covers cybersecurity for critical infrastructure operators. DORA (Digital Operational Resilience Act) applies to financial services. M365 E5 + Defender XDR + Purview provides the technical baseline; the operational controls (incident reporting timelines, third-party risk management) require process work alongside the platform.

EU AI Act (August 2, 2026)

Copilot itself is "minimal risk" under the Act. Your USE CASE determines its classification. The same Copilot tenant deployed for marketing copy is minimal risk; the same Copilot used for HR shortlisting becomes high-risk and triggers full Annex III obligations. The Purview AI Hub provides the inventory and audit trail required for the high-risk classification readiness.

FAQ

Security architecture questions, answered.

What licensing tier is required for genuine Microsoft 365 SOC 2 Type II compliance?

Microsoft 365 E5. Genuine SOC 2 Type II compliance requires the full audit trail: Defender XDR for security operations across endpoints + email + identities + cloud apps; the full Purview suite for data governance (DLP, Information Protection P2, Records Management, Insider Risk Management, eDiscovery Premium, Communication Compliance); Entra ID P2 for privileged access management and identity governance; Intune for endpoint compliance reporting. E3 is missing Defender XDR cross-domain correlation, Defender for Identity, Defender for Cloud Apps, and the Purview Premium tier β€” all of which generate findings in a typical SOC 2 audit.

How does Microsoft Purview handle sensitivity labels?

Purview sensitivity labels are policy-published taxonomies (typical: Public / General / Confidential / Highly Confidential) that apply to Office files, PDFs, emails, Teams messages, and SharePoint sites. Labels can be applied manually by users or auto-applied via classification rules (sensitive info type detection, machine learning, or trainable classifiers). Once applied, labels propagate to derivative documents, drive encryption + access controls, and integrate with Microsoft 365 Copilot (a Confidential-labeled email used as Copilot source produces a Confidential-labeled draft). Auto-labeling is essential β€” manual labeling does not scale beyond ~15% coverage.

Do we need Microsoft Entra Suite if we have Entra ID P2?

Entra ID P2 covers identity-and-access for Microsoft and federated SaaS apps. The Entra Suite ($12/user/mo standalone, bundled in E7) extends this with Entra Internet Access (a Microsoft-built SWG replacing third-party secure web gateways like Zscaler ZIA), Entra Private Access (a ZTNA replacing legacy VPN), Entra ID Governance (access reviews + entitlement management at scale), and Entra Verified ID. For organizations modernizing zero-trust network architecture (replacing Zscaler / Netskope / legacy VPN), the Entra Suite is the consolidation play. For organizations satisfied with their existing SWG/VPN, Entra ID P2 alone is enough.

How does Microsoft Intune compare to a third-party MDM like Jamf or Workspace ONE?

For pure Apple shops (macOS + iOS), Jamf still has more depth on Apple-specific configuration (App-Specific Volume Purchase, iOS supervised profiles at scale, Apple Business Manager integration). For mixed Windows + macOS + iOS + Android + ChromeOS estates, Microsoft Intune is the consolidation play β€” single console, native Conditional Access integration, native Defender for Endpoint integration, Endpoint Privilege Management on Windows, Remote Help with audit trail. Most mid-market organizations land on Intune for everything except specialized Apple-heavy verticals where Jamf is retained for the Apple fleet.

What is the Purview AI Hub?

The Purview AI Hub is a Microsoft 365 Copilot governance surface introduced in 2024 and expanded throughout 2025-2026. It provides: inventory of AI agents (Microsoft + third-party) operating in your tenant; audit log of prompts and responses; sensitive data flow analysis showing what content has been routed to Copilot; DLP policy enforcement for the Copilot policy location; activity classification (drafting / summarizing / analysis / search); and integration with Insider Risk Management to detect AI-misuse patterns. The AI Hub is required for the EU AI Act high-risk classification readiness and for any organization claiming "we have AI governance" in a vendor questionnaire.

The four pillars work as one architecture, not four products.

Buying E5 and configuring each pillar in isolation is what most tenants look like at the start of an engagement. Operating the four pillars as one architecture β€” Conditional Access driven by device + identity + sensitivity-label signals, DLP enforced consistently across surfaces, Defender XDR correlating signals cross-domain β€” is what genuine compliance defensibility looks like. We do that for a living.

Plans + pricing β†’E5 vs E7 β†’Book a security architecture review β†’