Microsoft 365 Security on E3, Business Premium, and F3: What Health Care IT Actually Has to Work With
Most health care organizations running Microsoft 365 are running it on a mix of licenses. A 25-bed Critical Access Hospital might have ten administrative staff on Business Premium, sixty clinical and nursing staff on F3, and the IT director on an E3 because somebody talked them into it three years ago. An FQHC might have everyone on E3. A medical group might be 100 percent Business Premium because they came in under the 300-user cap.
Whatever the shape, the practical question for the person actually running the environment is the same: what controls do I actually have available, and what do I need to do with them?
This article focuses on what comes in the box with E3, Business Premium, and F3 - no E5, no Defender for Office 365 Plan 2 add-ons, no Entra ID P2, no premium Purview. These are the plans most non-enterprise health care organizations are actually running, and there is a meaningful amount of HIPAA-relevant security work you can do with them once you understand what you have.
What Each Plan Actually Includes
Before we get to controls, let's clear up some recurring confusion about what these three plans contain. The differences matter for how you build your security baseline, and a few of them get misrepresented often enough that it's worth being explicit.
Microsoft 365 E3 includes Microsoft Entra ID Plan 1 (Conditional Access, MFA, modern authentication), Intune Plan 1 and Plan 2, Configuration Manager (MECM/SCCM) client management rights, Microsoft Defender for Endpoint Plan 1 (next-generation antivirus, attack surface reduction, network protection, application control), Microsoft Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, advanced anti-phishing), Microsoft Purview Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive (not Teams), manual sensitivity labels, and Audit (Standard) with 180-day retention.
Microsoft 365 Business Premium is capped at 300 users and includes Entra ID Plan 1, Intune (Business), Microsoft Defender for Business (not Defender for Endpoint Plan 1 - they are similar but not the same SKU), Defender for Office 365 Plan 1, DLP for Exchange/SharePoint/OneDrive, manual sensitivity labels, and Audit (Standard). Defender for Business is built on Defender for Endpoint and includes some Plan 2 features (basic EDR, automated investigation), but it is licensed separately and tops out at 300 users. Business Premium does not include Configuration Manager client management rights, which is worth noting if you are running ConfigMgr or planning a co-management deployment.
Microsoft 365 F3 is the frontline plan. It includes Entra ID Plan 1 (yes, Conditional Access works on F3), Intune Plan 1, Configuration Manager client management rights, Office desktop apps for shared/kiosk use, and Exchange Online Kiosk (2 GB mailbox). What it does not include is just as important: no Defender for Endpoint, no Defender for Office 365 Plan 1, no DLP. F3 users do get Exchange Online Protection and the baseline anti-phishing protections that apply to all cloud mailboxes (spoof intelligence, the first contact safety tip, unauthenticated sender indicators, and the default anti-phishing policy). What they don't get is the impersonation protection and configurable phishing email thresholds that come with Defender for Office 365 Plan 1. This matters a lot for any frontline staff who touch email containing ePHI.
If you are running mixed licensing, build your security model around the floor of what your lowest-tier users have, not the ceiling of what your admins have.
| Capability | Microsoft 365 E3 | Microsoft 365 Business Premium | Microsoft 365 F3 |
|---|---|---|---|
| User cap | No cap | 300 users | No cap (frontline) |
| Microsoft Entra ID | Plan 1 | Plan 1 | Plan 1 |
| Conditional Access / MFA | Yes | Yes | Yes |
| Intune | Plan 1 and Plan 2 | Included (Business) | Plan 1 |
| Configuration Manager (MECM/SCCM) client rights | Yes | Not included | Yes |
| Endpoint protection | Defender for Endpoint Plan 1 | Defender for Business | Not included |
| Email security beyond EOP | Defender for Office 365 Plan 1 | Defender for Office 365 Plan 1 | EOP only |
| DLP (Exchange / SharePoint / OneDrive) | Yes | Yes | Not included |
| Sensitivity labels (manual) | Yes | Yes | Limited (via EMS F3) |
| Audit (Standard) retention | 180 days | 180 days | 180 days |
| Exchange Online mailbox | 100 GB (Plan 2) | 100 GB (Plan 1+) | 2 GB (Kiosk) |
| Windows licensing | Windows 11 Enterprise | Windows 11 Business (Pro) | Windows 11 Enterprise |
| Windows Server CAL rights | Yes | Not included | Yes |
| Windows 11 support period | 36 months | 24 months | 36 months |
Capabilities current as of April 2026. Microsoft licensing is subject to change; verify entitlements in your tenant before relying on this summary for procurement decisions.
The Crawl: Non-Negotiables That Work on All Three Plans
Some controls are available on all three plans and should be in place before anything else. These are the highest-leverage items, and putting them off because you're trying to get fancier work done first is a common pattern that ends badly.
Multi-factor authentication for every user, with priority on administrators. Entra ID P1 is included in E3, Business Premium, and F3, which means Conditional Access is on the table for every user in your tenant regardless of plan. Use Conditional Access to require MFA for all cloud apps. Microsoft Authenticator with number matching is the floor; passkeys (Windows Hello for Business, FIDO2 security keys, platform authenticators) are better and increasingly practical to deploy. Phase out SMS and voice MFA as users get re-enrolled.
This supports 45 CFR 164.312(d) (person or entity authentication, Required). It does not, by itself, satisfy that standard, but it is the practical foundation any reasonable implementation builds on.
Break-glass accounts done right. Create at least two cloud-only emergency access accounts with long, unique passwords stored offline. Exclude them from the broad MFA Conditional Access policy, but protect them with separate hardware-token MFA, monitor their sign-ins with alerts, and test them on a schedule. The single most common mistake is creating break-glass accounts and forgetting they exist until the day you need them, only to find the password manager they were stored in has been rotated, the alerting on them was never set up, or they were caught in a tenant-wide MFA enforcement and locked out anyway.
Block legacy authentication. Legacy protocols (IMAP, POP3, SMTP AUTH, MAPI/HTTP without modern auth) bypass MFA entirely. A Conditional Access policy that targets legacy authentication clients and blocks access closes a wide and well-understood attack surface. In 2026, legitimate use cases for legacy auth in health care are rare; the most common holdouts are old MFP scan-to-email configurations and a handful of legacy line-of-business apps. Both have modern-auth alternatives that are worth the migration time.
Least privilege for administrators. Stop using Global Administrator for daily work. Assign granular roles (Exchange Administrator, User Administrator, Security Reader, Intune Administrator) and reserve Global Admin for the small number of tasks that actually require it. In smaller organizations where the same person wears multiple hats, this still matters - the goal is to avoid having a daily-driver account that can do everything if it gets compromised. Entra ID Plan 1 supports administrative units for scoped delegation if you have multiple sites or a clear separation of duties.
These four items support 45 CFR 164.312(a)(1) (access control) and the unique user identification specification at 164.312(a)(2)(i) (Required), as well as 164.308(a)(4) (information access management).
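The Crawl items above, as an added example written for this article rather than taken from Microsoft documentation: the "require MFA for everyone" and "block legacy authentication" Conditional Access policies built with the Microsoft Graph PowerShell SDK, both created in report-only mode and both excluding a break-glass group. The group name `CA-Exclude-BreakGlass` and the policy names are placeholders; the script assumes the `Microsoft.Graph.Identity.SignIns` and `Microsoft.Graph.Groups` modules are installed and the signed-in account can manage Conditional Access.

```powershell
# Added example (not from the article): create the two "Crawl" Conditional Access
# policies in report-only mode, excluding a break-glass group.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumption: a cloud-only security group that contains only the break-glass accounts.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass exclusion group before creating policies." }

# Policy 1: require MFA for all users on all cloud apps, break-glass excluded.
# state = enabledForReportingButNotEnforced is report-only; switch to "enabled" after review.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. "exchangeActiveSync" plus "other" is how
# Entra classifies the clients that cannot do modern auth (IMAP, POP3, SMTP AUTH,
# older MAPI clients).
$legacyPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Sanity check: every policy in the tenant should exclude the break-glass group,
# otherwise a tenant-wide enforcement can lock out the emergency accounts too.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy             = $_.DisplayName
        State              = $_.State
        BreakGlassExcluded = ($_.Conditions.Users.ExcludeGroups -contains $breakGlass.Id)
    }
} | Format-Table -AutoSize
```

Leave both policies in report-only mode until the sign-in logs show they match only what you expect; the final table is the thing to re-run every time someone adds a policy, because a new policy that forgets the exclusion silently undoes the break-glass protection.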
The Walk: Plan-Dependent Controls
Once the foundation is in place, the next layer of controls is where plan differences start to matter.
Conditional Access policies beyond the MFA baseline. Entra ID P1 supports a useful set of grant and session controls. Practical starting policies for health care environments include requiring compliant or hybrid-joined devices for Exchange and SharePoint access, blocking access from countries you don't operate in, and applying stricter controls to admin roles. Always start a new Conditional Access policy in Report-only mode, watch the sign-in logs for a few days, and verify it is matching only what you expect before you flip it to On. One misconfigured Conditional Access policy can lock clinical staff out of the EHR-adjacent systems they need; this is not a hypothetical.
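Watching a report-only policy before turning it on is the step most often skipped, so here is an added example (not from the article) of doing it from the Entra sign-in logs with the Microsoft Graph PowerShell SDK. The policy name is a placeholder for whichever policy you are validating; the script assumes `Microsoft.Graph.Reports` is installed and the account holds a role that can read audit logs.

```powershell
# Added example (not from the article): summarize what a report-only Conditional
# Access policy would have done, from the last three days of sign-in logs.
# Assumes Microsoft.Graph.Reports is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: the report-only policy you are validating.
$policyName = "CA003 - Require compliant device for Exchange and SharePoint"
$since = (Get-Date).AddDays(-3).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# -All pages through the full result set rather than the first page only.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in records the evaluation result of each policy, including report-only
# ones: reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted.
$results = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
    if ($hit) {
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            Result = $hit.Result
            Device = $s.DeviceDetail.DisplayName
            OS     = $s.DeviceDetail.OperatingSystem
        }
    }
}

# Count by outcome first. reportOnlyFailure rows are the sign-ins that would have
# been blocked (or forced to satisfy the grant) had the policy been On.
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Then look at who would actually be affected, clinical workstations included.
$results | Where-Object Result -eq "reportOnlyFailure" |
    Sort-Object User, App -Unique |
    Format-Table User, App, Device, OS -AutoSize
```

If the failure list contains shared clinical workstations or an EHR-adjacent app you did not expect, fix the device enrollment or scope the policy before enabling it; a zero-row failure list for a policy that should be matching something usually means the filter or the policy name is wrong, not that the environment is clean.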
Audit (Standard) is on by default and worth using. All three plans include Audit (Standard) with 180-day retention. This is unified audit logging across Exchange, SharePoint, OneDrive, Teams, and Entra ID. It will not give you the granular file-read events that Audit (Premium) does, but it captures what you need for most incident response work: sign-ins, mailbox rule changes, admin actions, file sharing events, and permission changes. Verify it is enabled in the Microsoft Purview portal, assign the Audit Logs role to the people who need to query it, and build a habit of pulling specific event types on a regular schedule. This supports 45 CFR 164.308(a)(1)(ii)(D) (information system activity review, Required) and 164.312(b) (audit controls, Required).
If 180 days isn't enough for your environment, Audit (Premium) is available as an add-on or via the E5 Compliance add-on, but for the audience of this article, get value out of Standard first before adding cost.
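As an added example of the "pull specific event types on a schedule" habit (this script is not from the article and not Microsoft's), here is a weekly Exchange Online PowerShell query against Audit (Standard) for inbox rule creation and changes, with a simple defender's heuristic for the rules that usually indicate a compromised mailbox: forwarding off-tenant, deleting mail, or hiding it in an obscure folder. It assumes the `ExchangeOnlineManagement` module and a role that includes View-Only Audit Logs; the output path is a placeholder.

```powershell
# Added example (not from the article): weekly review of inbox rule events from
# Audit (Standard). Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)

# New-InboxRule / Set-InboxRule come from PowerShell and OWA; UpdateInboxRules
# comes from Outlook desktop. ReturnLargeSet with a 5000 cap covers a week
# in a small tenant; larger tenants should page with -SessionId.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules `
    -ResultSize 5000 -SessionCommand ReturnLargeSet

$findings = foreach ($e in $events) {
    # AuditData is a JSON blob; rule settings are in its Parameters array.
    $d = $e.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }

    # Heuristics only. UpdateInboxRules (Outlook client) carries its actions in a
    # different shape, so those rows should be eyeballed rather than trusted to this.
    $forwards = (@($params.ForwardTo, $params.ForwardAsAttachmentTo, $params.RedirectTo) |
                 Where-Object { $_ }) -join ";"
    $suspicious = ($forwards -ne "") -or
                  ($params.DeleteMessage -eq "True") -or
                  ($params.MoveToFolder -in @("RSS Feeds", "Archive", "Conversation History"))

    [pscustomobject]@{
        When       = $d.CreationTime
        Actor      = $d.UserId
        Operation  = $d.Operation
        RuleName   = $params.Name
        Forwards   = $forwards
        Suspicious = $suspicious
    }
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize

# Placeholder path: keep the flagged rows as the record of the weekly review.
$findings | Where-Object Suspicious |
    Export-Csv "$HOME\inbox-rule-review.csv" -NoTypeInformation
```

Run this on a schedule and keep the exports; a dated CSV of reviewed events is exactly the kind of artifact the information system activity review specification expects you to be able to produce.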
Defender for Office 365 Plan 1, where you have it. E3 and Business Premium include DfO Plan 1, which adds Safe Links (URL rewriting and time-of-click verification), Safe Attachments (detonation in a sandbox before delivery), and advanced anti-phishing including impersonation protection. Configure preset security policies (Standard or Strict) in the Microsoft Defender portal as your starting point and tune from there. Anti-phishing impersonation protection in particular is worth configuring carefully for health care, with your CEO, CFO, CMO, CIO, and any frequently-impersonated providers added to the protected users list.
One important caveat on impersonation protection: when mailbox intelligence is enabled (the default), user and domain impersonation protection skip messages where the sender and recipient have a prior email history. Microsoft treats prior contact as a signal of legitimacy. This means a sender who is later spoofed to a recipient they have previously corresponded with may not get caught by impersonation protection. Don't treat the feature as a complete defense against business email compromise; it is one layer in a stack that still needs Safe Links, user training, and reporting workflows around it.
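To make the configuration advice concrete, here is an added example (not from the article and not Microsoft's own sample) of an anti-phishing policy with impersonation protection built in Exchange Online PowerShell. The names, addresses, and the `example.org` domain are placeholders for your own executives, providers, and accepted domain; it assumes the `ExchangeOnlineManagement` module and Defender for Office 365 Plan 1 licensing on the recipients.

```powershell
# Added example (not from the article): Defender for Office 365 Plan 1 anti-phishing
# policy with user, domain and mailbox-intelligence impersonation protection.
# Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Placeholder protected users, in the "Display Name;email" format the cmdlet expects.
$protectedUsers = @(
    "Jane Doe;jdoe@example.org",       # placeholder CEO
    "Sam Roe;sroe@example.org",        # placeholder CFO
    "Dr. Pat Lee;plee@example.org"     # placeholder frequently-impersonated provider
)

$policy = @{
    Name                                = "HC Anti-Phish - Standard"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = "Quarantine"
    EnableOrganizationDomainsProtection = $true          # all accepted domains
    TargetedDomainProtectionAction      = "Quarantine"
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "MoveToJmf"
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    PhishThresholdLevel                 = 2              # 1 Standard, 2 Aggressive
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "MoveToJmf"
}
New-AntiPhishPolicy @policy

# The policy does nothing until a rule scopes it. Placeholder domain.
New-AntiPhishRule -Name "HC Anti-Phish - Standard" `
    -AntiPhishPolicy "HC Anti-Phish - Standard" `
    -RecipientDomainIs "example.org" -Priority 0

# With mailbox intelligence enabled (as here), user and domain impersonation checks
# skip senders the recipient has prior history with, per the caveat above. Verify the
# effective settings instead of assuming the portal defaults.
Get-AntiPhishPolicy -Identity "HC Anti-Phish - Standard" |
    Format-List Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                EnableOrganizationDomainsProtection, EnableMailboxIntelligence,
                EnableMailboxIntelligenceProtection, PhishThresholdLevel
```

The preset Standard or Strict policies from the Defender portal cover the same ground with fewer knobs; the value of scripting it is that the protected users list lives in source control and gets re-applied when leadership changes, rather than drifting as portal edits accumulate.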
F3 users do not get DfO Plan 1. If your frontline staff handle email - and in health care they almost always do - this is a meaningful gap. Practical options for closing it include adding Defender for Office 365 Plan 1 as a per-user add-on for the F3 users who actually handle PHI in email (Microsoft list price is around $2 per user per month), or layering a third-party email security gateway in front of Exchange Online for the whole tenant.
What is not a clean fix is moving F3 users to Business Premium. F3 includes Windows 11 Enterprise per-user licensing, Windows Server CAL rights, and Configuration Manager client management rights; Business Premium drops you down to Windows 11 Business (essentially Pro), does not include Server CAL rights, and does not include Configuration Manager. In a domain-joined Windows environment with on-premises file or print servers and a ConfigMgr deployment, that means you would need to acquire User CALs separately for those moved users, you would lose Enterprise-edition Windows features (Credential Guard, AppLocker / Windows Defender Application Control, Application Guard, and the longer 36-month Windows 11 support period that drops to 24 months on Business Premium), and you would lose ConfigMgr client management rights for those users. For most health care environments running ConfigMgr or Active Directory at scale, the Windows-side and management-side losses outweigh the Microsoft 365 security gains. If you genuinely need the full security stack on a single SKU for the affected users, E3 is the closer match than Business Premium.
Microsoft Defender for Endpoint Plan 1 (E3) or Defender for Business (Business Premium). Both deliver next-generation antivirus, attack surface reduction rules, and centralized management through the Microsoft Defender portal. Defender for Business adds basic endpoint detection and response and automated investigation that Plan 1 doesn't include - which is part of why Business Premium is often a better security value than E3 for organizations under 300 users. Either way, configure the ASR rules in audit mode first, watch for false positives in your specific environment for two weeks, and then move them to block mode rule by rule. ASR rules generate a lot of noise in environments with old line-of-business applications, which describes most health care environments.
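The "audit first, then block rule by rule" advice is easy to state and tedious to verify, so here is an added example (not from the article) of staging a few ASR rules in audit mode on a pilot device with the local Defender cmdlets and then reading back what they would have blocked. It assumes an elevated PowerShell session with the built-in `Defender` module on a Windows client; in production you would push the same rule states with Intune or ConfigMgr, and the rule GUIDs are Microsoft's published identifiers for those rules.

```powershell
# Added example (not from the article): stage ASR rules in audit mode on a pilot
# device and review the resulting audit events. Run elevated on a Windows client.
$asrRules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" = "Block credential stealing from LSASS"
}

# Add-MpPreference merges with whatever rules are already configured; AuditMode
# logs without blocking.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Read back the effective state. Action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        Rule   = $asrRules[$ruleId]
        Id     = $ruleId
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
} | Format-Table -AutoSize

# After the soak period: event 1122 is an ASR rule firing in audit mode
# (1121 is a real block). Group by rule and process so the noisy line-of-business
# application stands out from the one-off that deserves a closer look.
$audit = Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-Windows Defender/Operational"
    Id        = 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$audit | ForEach-Object {
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Rule    = $asrRules[$data['ID']]
        Process = $data['Process Name']
        Target  = $data['Path']
    }
} | Group-Object Rule, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A rule whose audit events all come from one known application is a candidate for an exclusion or for staying in audit; a rule with no events after two weeks of normal clinical use is the one to flip to block first.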
The licensing matrix lists attack surface reduction capability under F3, but F3 does not include Defender for Endpoint. If you need endpoint protection for F3 users, you need to add a Defender for Business or Defender for Endpoint license per user. In practice, most organizations end up adding Defender for Business at roughly $3 per user per month (Microsoft's standalone list price) for their F3 population. As noted above, moving the affected users to Business Premium is not a clean substitute because of the Windows entitlement losses; if a single-SKU consolidation is the goal, E3 keeps the Windows 11 Enterprise rights F3 users currently have.
One footnote on mixed-licensing tenants: Microsoft does not support running Defender for Business and Defender for Endpoint Plan 2 side-by-side in the same tenant. When both are present, the tenant defaults to the Defender for Business experience for all users. This is not an issue at the E3 + Business Premium combination most readers will be running (E3 includes Defender for Endpoint Plan 1, not Plan 2), but it is worth knowing about if you ever consider layering E5 Security on top of a Business Premium foundation.
Device management and compliance with Configuration Manager and Intune. All three plans include Intune Plan 1 capability sufficient to enforce compliance policies (encryption, OS version floor, password requirements, antivirus running, Defender signatures up to date) and use them as a Conditional Access signal. E3 and F3 also include Configuration Manager (MECM/SCCM) client management rights; Business Premium does not. For organizations running ConfigMgr today, that is worth knowing about both for licensing compliance and for co-management planning.
In a domain-joined health care environment, ConfigMgr remains the most capable tool for Windows update delivery, hardware and software inventory, application deployment, and compliance baselines, and most rural and small health system IT shops running ConfigMgr have no good reason to walk away from it. Co-management with Intune (where ConfigMgr and Intune jointly manage the same Windows device with workloads split between them) is fully supported on Intune Plan 1 and does not require any additional licensing beyond what is already in your E3, F3, or Business Premium. In practice, the most common pattern is to keep workstation lifecycle, software deployment, and patching on ConfigMgr; use Intune for compliance policies, mobile device management, and the Conditional Access signal; and have one place to look (the Microsoft Defender portal) for endpoint security telemetry.
A Conditional Access policy that requires a compliant device for Exchange and SharePoint access prevents a stolen credential from being usable on an unmanaged personal laptop. Whether you build that compliance signal from Intune, ConfigMgr (via the co-management compliance evaluator), or both is up to you. This is one of the highest-impact controls available on these plans, regardless of which management tool drives it.
Data Loss Prevention for Exchange, SharePoint, and OneDrive. E3 and Business Premium include this; F3 does not. Microsoft provides built-in sensitive information types for the U.S. HIPAA category and for general PHI patterns. Start with policy tip mode (which warns users but doesn't block) for two to four weeks before turning on blocking actions. This gives you a chance to find the legitimate workflows that are matching your DLP rules before they become support tickets.
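The policy-tip-first rollout described above, as an added example (not from the article and not a Microsoft sample) in Security & Compliance PowerShell: a Purview DLP policy covering Exchange, SharePoint and OneDrive, created in test mode with notifications so users see the tip but nothing is blocked. The sensitive information type names are Microsoft's built-in U.S. HIPAA-related types; the policy and rule names and the custom tip text are placeholders. It assumes the `ExchangeOnlineManagement` module and a Compliance Administrator or equivalent role.

```powershell
# Added example (not from the article): ePHI DLP policy for Exchange, SharePoint
# and OneDrive, created in policy-tip mode. Assumes the ExchangeOnlineManagement module.
Connect-IPPSSession

$policyName = "HC ePHI - Exchange SharePoint OneDrive"   # placeholder

# TestWithNotifications = policy tips shown, no blocking: the article's
# "policy tip mode". Move to Enable after the two-to-four-week soak.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment "Created in test mode; review matches before enabling"

# Low-volume rule: a single HIPAA-style identifier, tip and notification only.
New-DlpComplianceRule -Name "$policyName - Low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = 1 },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = 1 },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = 1 }
    ) `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This content appears to contain PHI. Confirm the recipient is authorized to receive it."

# High-volume rule: many identifiers shared outside the organization. The block
# action is staged here but has no effect while the policy is in test mode.
New-DlpComplianceRule -Name "$policyName - High volume external" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = 10 }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# Confirm the policy is still in test mode before walking away from it.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload

# After tuning, and only after reviewing the matches in the Purview portal:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The two-rule split matters more than the exact thresholds: the low-volume rule is where you learn which legitimate workflows (referral faxes, billing exports, lab result emails) trip the detectors, and the high-volume external rule is the one that eventually blocks, so tune them separately.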
Sensitivity labels. E3 and Business Premium support manual sensitivity labels. Auto-labeling, the more useful capability, requires E5 or a Purview add-on, but manual labeling is still worth setting up - it gives users a documented way to mark something as containing PHI, and you can pair labels with DLP rules that act on the label as a condition.
How These Controls Map to HIPAA
These controls support a meaningful set of Security Rule specifications. None of them satisfy the rule on their own, and the rule does not specify Microsoft 365 or any other product. But for an organization that uses Microsoft 365 as part of its environment, these are the levers Microsoft gives you to address the relevant safeguards.
The rule itself is at 45 CFR Part 164 Subpart C. The relevant standards include 164.308(a)(1) (security management process, including risk analysis and risk management at 164.308(a)(1)(ii)(A) and (B), both Required), 164.308(a)(4) (information access management), 164.308(a)(5) (security awareness and training), 164.312(a)(1) (access control), 164.312(b) (audit controls, Required), 164.312(d) (person or entity authentication, Required), and 164.312(e)(1) (transmission security).
A few items are worth flagging for compliance-focused readers. The encryption and decryption specification at 164.312(a)(2)(iv) is currently Addressable, not Required. The transmission security encryption specification at 164.312(e)(2)(ii) is also currently Addressable. Addressable does not mean optional - you must either implement the specification or document why an equivalent measure is in place under your risk analysis. HHS published a Notice of Proposed Rulemaking in January 2025 that would, among other changes, eliminate the Required/Addressable distinction and make most specifications Required. OCR has kept finalization on its regulatory agenda for May 2026, but the rule has drawn substantial industry opposition and the timing remains uncertain. The work to put MFA, encryption, audit logging, and asset inventory in place under the current rule is the same work the proposed rule would require. None of it is wasted.
Practical Sequencing for Resource-Limited Shops
If you are a one-person IT department at a 20-bed Critical Access Hospital, none of this gets done in a week. A reasonable order of operations:
The first weekend gets you MFA enforcement, break-glass accounts, and a legacy authentication block. Pre-communicate to staff, do it on a Friday night, and spend Saturday on the help desk handling the inevitable phone calls about the Authenticator app.
The next two weeks gets you baseline Conditional Access policies in Report-only mode, audit log validation, and admin role review. Watch the Conditional Access "What If" tool and the sign-in logs to see what your policies are actually matching before you turn them on.
The month after that gets you device compliance for managed devices (Intune compliance policies, ConfigMgr configuration baselines, or both depending on what you are running), a Conditional Access policy that requires compliant devices for Exchange and SharePoint, and Defender for Endpoint or Defender for Business onboarding for everything you can onboard. ASR rules go in audit mode.
After that, you start on DLP in policy-tip mode, sensitivity label rollout, anti-phishing tuning, and the rest of the hardening work.
This is not the only valid sequence, and the right order depends on your specific risks and existing gaps. But it is a workable one for an under-resourced environment, and it puts the highest-impact controls in place first.
Where E3, Business Premium, and F3 Stop
It is worth being honest about what these plans don't give you. No risk-based Conditional Access (that's Entra ID P2). No Privileged Identity Management for just-in-time admin elevation (also P2). No Insider Risk Management. No automated investigation in Defender for Office 365 (P2). No DLP for Teams chat or endpoint DLP. No Audit (Premium) or longer retention. No eDiscovery (Premium).
Some of these gaps matter more than others depending on your environment. A health system handling a meaningful volume of PHI in Teams chat probably needs Teams DLP, which means at least an E5 Compliance add-on for the affected users. An organization with a sufficiently complex admin team probably needs PIM. Most rural health care IT shops do not need any of this on day one, and the discipline of getting the most out of what you already pay for - before adding more - is worth practicing.
This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.
Sources
- 45 CFR Part 164, Subpart C - Security Standards for the Protection of Electronic Protected Health Information. Available at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- HHS Office for Civil Rights, "HIPAA Security Rule NPRM," published December 27, 2024 (Federal Register publication January 6, 2025). https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
- Microsoft Learn, "Microsoft Defender service description." https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
- Microsoft Learn, "Microsoft Purview service description." https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-purview-service-description
- Microsoft Learn, "What is Microsoft Defender for Business?" https://learn.microsoft.com/en-us/defender-business/mdb-overview
- Microsoft Learn, "Microsoft Defender for Business frequently asked questions." https://learn.microsoft.com/en-us/defender-business/mdb-faq
- Microsoft Learn, "Anti-phishing policies in Microsoft 365." https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about
- Microsoft Learn, "Product and licensing FAQ - Configuration Manager." https://learn.microsoft.com/en-us/intune/configmgr/core/understand/product-and-licensing-faq
- Alston & Bird, "HIPAA Security Rule: Still on Track for Finalization," November 2025. https://www.alston.com/en/insights/publications/2025/11/hipaa-security-rule-overhaul