Lab Setup: M365 E5 Developer Tenant
You need a lab environment. This section covers the three paths to an M365 E5 tenant, why E5 specifically is required, and how to verify the tenant is working before you start Module 1. Setup takes 20-30 minutes regardless of which path you choose.
Why you need E5 specifically
The course requires Microsoft 365 E5 because the security features it teaches are E5 features. Six E5-specific capabilities are critical, and understanding what each one does explains why the licensing requirement exists.
Defender for Endpoint Plan 2 provides the full device timeline, automated investigation and response, and live response sessions. Plan 1 (included in Business Premium) provides prevention: attack surface reduction rules, next-generation protection, and device control. Plan 2 adds the investigation capabilities. The device timeline shows every process execution, file creation, network connection, and registry modification on a device over time. Module 2 teaches you to read device timelines to trace malware execution chains. Module 14 uses Defender for Endpoint telemetry to identify which devices had tokens stolen. Without Plan 2, you cannot see what happened on the endpoint after an alert fired.
Defender for Office 365 Plan 2 provides advanced anti-phishing, Safe Links and Safe Attachments with detonation, and investigation features for email-based attacks. Plan 1 provides protection. Plan 2 adds the ability to trace a phishing email from delivery through click-through, credential entry, and token theft. Module 12's AiTM investigation depends on this telemetry.
Purview Audit (Premium) extends audit log retention from 90 days to 180 days and adds critical audit events including MailItemsAccessed. Without MailItemsAccessed, you can confirm an attacker accessed a mailbox but cannot determine which emails they read. Module 13's BEC investigation uses MailItemsAccessed to trace which financial communications the attacker monitored before inserting themselves into payment conversations.
Entra ID P2 provides Identity Protection with risk-based conditional access. Risk detections (anonymous IP, atypical travel, password spray, leaked credentials) generate the signals that Module 12's AiTM investigation queries. Without P2, these risk detections do not exist in your tenant's telemetry. P2 also provides Privileged Identity Management (PIM), which Module 8 covers for just-in-time access to security roles.
Defender for Cloud Apps provides shadow IT discovery, OAuth app governance, and session control policies. Module 15's consent phishing investigation uses Defender for Cloud Apps to identify and remediate unauthorized OAuth consent grants.
Microsoft Sentinel integration works with any Azure subscription, but the M365 data connectors that populate Sentinel with Defender XDR telemetry require E5 licensing on the source tenant. Without E5, the tables that most course queries target (SigninLogs, AADUserRiskEvents, EmailEvents, DeviceProcessEvents) contain limited or no data.
Every KQL query in the course runs against tables that E5 populates. Every detection rule targets telemetry that E5 generates. A lower-tier license will let you follow the conceptual teaching, but you will not be able to run the queries, deploy the detections, or complete the investigation exercises.
Figure 0.4 — Three paths to an M365 E5 lab environment. All produce the same security feature set. The choice depends on your eligibility and timeline.
Option 1: M365 Developer Program (if you qualify)
The Developer Program provides a free M365 E5 sandbox with 25 user licenses that renews every 90 days as long as you are actively using it. Navigate to developer.microsoft.com/en-us/microsoft-365/dev-program and sign in with a Microsoft account. If your dashboard shows the "Set up E5 subscription" button, you qualify. If it shows "you don't currently qualify," you are not in the eligible pool and cannot force eligibility through support requests. Skip to Option 2 or 3.
Eligibility is restricted. As of 2025, Microsoft limits sandbox provisioning to members with an active Visual Studio Professional or Enterprise subscription or membership in the Microsoft AI Cloud Partner Program. The eligibility check is automated and cannot be overridden by Microsoft support. Many developers report receiving the "don't currently qualify" message even with what they believe are valid qualifications. If you see that message, do not spend time troubleshooting it. Options 2 and 3 produce the same E5 feature set with no eligibility gate.
If you do qualify, select "Instant sandbox" when prompted. This provisions your tenant with 24 test users plus one admin, pre-configured with Teams, SharePoint, Outlook, and sample data. The instant sandbox saves hours of manual user creation. The alternative "Configurable sandbox" gives you an empty tenant. Only choose this if you need a specific tenant name or regional configuration.
The setup creates an admin account at your chosen tenant domain (for example, admin@yourtenant.onmicrosoft.com). Store the credentials in a password manager. You will use them for every Microsoft portal in the course: admin.microsoft.com, security.microsoft.com, entra.microsoft.com, and portal.azure.com.
The 90-day renewal is automatic if Microsoft detects development activity. Course activity (deploying configurations, running Graph API calls, modifying security policies) counts as valid use. If the sandbox expires, you can create a new one from the Developer Program dashboard, but configurations and data from the expired sandbox are lost. Your detection rules, KQL queries, and investigation playbooks are stored in the course materials. The tenant is where you deploy them, not where you store them.
The instant sandbox creates test users with pre-generated mail, calendar events, and SharePoint documents. This sample data is useful for demonstrating M365 search features but is not security telemetry. Section 0.6 covers how to generate the sign-in events, audit log entries, and security signals that the course's KQL queries target.
Option 2: M365 E5 trial (30 days)
The E5 trial provides 30 days of full E5 access with no eligibility requirement. Navigate to the Microsoft 365 Enterprise E5 product page and select "Try for free." You need a phone number for verification and a credit card for identity validation. You will not be charged during the trial period.
Enter your business information (a company name is required but can be anything for a personal lab), create your admin credentials, and choose your tenant domain. The domain takes the form yourtenant.onmicrosoft.com. Choose something recognizable. The process takes five minutes and produces a fully functional E5 tenant with one admin license. You can add test user accounts through the admin center. The course works with a single admin account, but creating two or three test users provides more realistic investigation telemetry since you can trace activity across different identities.
The trial automatically converts to a paid subscription on day 31. Set a calendar reminder for day 25. At that point you have three choices: cancel and lose the environment, convert to paid and keep everything, or export your configurations and then cancel. If you plan to complete the course in 30 days at a concentrated pace, the trial is sufficient. If you are studying part-time over ten to sixteen weeks, Option 3 is more practical. Cancel through the M365 admin center under Billing, then Your products.
Option 3: Paid E5 single license
Purchase a single M365 E5 license through the Microsoft 365 admin center for approximately $57 per month. This produces a stable environment with no expiration and no risk of losing your configurations. The monthly cost is approximately the same as one month of a commercial video training platform.
The paid tenant has an advantage the other options lack: permanence. When you complete the course, your tenant contains working detection rules, configured protections, and investigation playbooks. You can demonstrate this to an employer or apply the configurations to a client environment. For MSP technicians or consultants who manage client tenants, a paid E5 license also provides a permanent test environment for validating configurations before deploying them to production. Every conditional access policy, detection rule, and Defender configuration can be tested in your lab before you apply it to a client tenant.
Verifying your tenant
Regardless of which option you chose, verify the following within 30 minutes of setup. License propagation can take up to 30 minutes, so if services are unavailable immediately, wait and retry before troubleshooting.
Microsoft 365 Admin Center
admin.microsoft.com → Billing → Your products
Confirm you see an active Microsoft 365 E5 subscription. If using the instant sandbox, you should see 25 licenses assigned. Verify that Exchange Online, SharePoint Online, and Teams are all listed in the subscription details.
Microsoft Defender Portal
security.microsoft.com
Sign in with your admin credentials. The Defender XDR portal should display the incident queue, Advanced Hunting, and Settings menu. A permissions error means the E5 license has not fully propagated. Wait 30 minutes and try again. Empty queues are expected since you have not generated telemetry yet.
Entra Admin Center
entra.microsoft.com → Users
Confirm your admin account and test users are visible (instant sandbox: 24 pre-created accounts). Then navigate to Protection → Conditional Access and confirm the policy creation interface loads without an upgrade prompt. If you see one, E5 has not propagated to Entra ID P2 yet. Wait 60 minutes, clear browser cache, and retry.
Entra Admin Center
entra.microsoft.com → Protection → Identity Protection
Confirm the dashboard loads with risk detection configuration options. Identity Protection generates the risk detections that Module 12's AiTM investigation queries. If this page shows an error, Entra ID P2 is not active on your account.
Purview Portal
purview.microsoft.com → Audit
Verify the search interface loads. Run a test search for the last hour with no filters. If there are no results, look for a "Start recording user and admin activity" banner and click it. Audit logging takes up to 60 minutes to activate. MailItemsAccessed (available only with Audit Premium) is required for Modules 12 and 13.
Check every service now. Fixing a propagation issue at this stage takes five minutes. Discovering in Module 12 that Identity Protection was never enabled costs an hour of investigation debugging.
Cost context
For learners weighing the cost of a paid E5 license, here is some perspective. A single E5 license at $57/month for 16 weeks of study costs approximately $228 total. SANS SEC555 (SIEM with Tactical Analysis) costs $8,525 for a six-day course. A three-day instructor-led Microsoft security training through a Microsoft Learning Partner runs $2,000-3,000. Even a monthly subscription to a commercial video platform like Pluralsight or A Cloud Guru runs $29-49/month without providing a lab environment. The E5 license is both your learning platform and your lab environment. And unlike a training course that ends, the configurations you build in your tenant persist for as long as you maintain the license.
Security Operations Principle
Verify every data source before you need it. The exact same principle applies in production SOC operations: if your Sentinel workspace has a data connector showing "Connected" but the underlying source stopped sending logs three weeks ago, you have a detection gap you do not know about until an incident exposes it. Verification is not bureaucracy. It is the difference between a detection that fires and a detection that silently fails.
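As an added example that is not part of the course materials, the KQL below puts this principle (and the earlier point that only E5 populates the course's target tables) into a query you can run in the Sentinel workspace Logs blade once the Entra ID and Defender XDR connectors are attached: it reports the last event time for each table the course queries and flags empty or stale tables instead of trusting the connector's "Connected" status. The 24-hour staleness threshold and the 30-day lookback are assumed values.

```kql
// Added example, not from the course: per-table freshness check for the
// E5-fed Sentinel tables the course targets. A connector can report
// "Connected" while a table has received nothing for weeks.
let StaleAfter = 24h;   // assumed threshold; tune to your ingestion cadence
let expected = datatable(TableName:string) [
    "SigninLogs", "AADUserRiskEvents", "EmailEvents", "DeviceProcessEvents"
];
// isfuzzy=true keeps the query running when a table does not exist yet
// (for example, before the Defender XDR connector has been enabled).
let observed = union withsource=TableName isfuzzy=true
    SigninLogs, AADUserRiskEvents, EmailEvents, DeviceProcessEvents
    | where TimeGenerated > ago(30d)
    | summarize LastEvent = max(TimeGenerated), Rows = count() by TableName;
// Left outer join so tables with zero rows still appear in the result.
expected
| join kind=leftouter observed on TableName
| extend Status = case(
    isnull(LastEvent), "NO DATA: connector not enabled or E5 not propagated",
    LastEvent < ago(StaleAfter), "STALE: source stopped sending",
    "OK")
| project TableName, LastEvent, Rows, Status
| order by Status asc
```

Anything other than OK in the Status column is a detection gap; resolve it now rather than when a module's investigation query returns nothing.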