Sorry for confusion. I use Sophos utm as a WAF for exchange. Basically reverse proxy that is specifically programmed for exchange attacks. It allows OWA to keep working.
I put the exchange admin URL behind authentication, so you try to go to /ecp, it Sophos intercepts and make you authenticate to Sophos utm first, which is passing to ad with radius.
MS got rid of intune on prem. It’s only Azure service now. I think.
My router is my biggest vuln. Oddly the most important. It’s an enterprise ISR. It’s updated as far as possible. My paranoia ends with the US gov/NSA. I don’t care if they want back door oddly. I don’t want China using me for attack relay however.
Loads of monitoring. You do a span/mirror port to your IDS like security Onion. Let it analyze all your traffic. Apparently there are some state sponsored exploits that allow them to owe a router at kernel level and hide their activities from you and monitoring, but that’s a level I can’t deal with.
As far as lock out, you create a break glass on everything. Emergency account with non rememberable ridiculous password, saved in a safe place.