In many organizations, Microsoft 365 is a significant investment. However, Microsoft 365 E3 licenses include far more than many organizations realize, with beneficial features across productivity, compliance, security, and device management. I want to share with you some of my secrets and the hidden gems that can be found in a Microsoft 365 E3 license.


As you might imagine, Microsoft 365 E3 comes with excellent collaboration and productivity tools, such as Exchange Online, Teams, and SharePoint. It also has some less obvious productivity features, such as Power Virtual Agents for Microsoft Teams. Power Virtual Agents for Teams enables organizations with selected Office 365 licenses to build and deploy custom chatbots directly within Teams, using Dataverse for Teams.

If you are looking to use any premium connectors or an on-premises gateway, you will need to upgrade your licensing. Power Virtual Agents has many use cases:

  • FAQ bot for users to ask questions about HR processes and information
  • Self-service bot for users to request new equipment
  • Sales help and support issues
  • COVID-19 infection rate and tracking information

You can create chatbots that can be easily integrated within Microsoft Teams to respond to questions posed by co-workers or teammates. Power Virtual Agents can save vast amounts of time and resources by producing fewer tickets to service desk teams. Create a chatbot with no code within 5 minutes by searching for Power Virtual Agents in the Teams App store and customizing your questions, user options, and responses:

Hidden Gems in Microsoft 365 E3 Licensing
Figure 1: Power Virtual Agents Chatbot in Microsoft Teams
Source: Microsoft


The ever-increasing amount of data collected by organizations worldwide raises concerns around privacy and could also put the organization's regulatory compliance at risk. As part of Microsoft 365 E3, information protection tools can help overcome the challenge of locating data, classifying it, and protecting it wherever it is.

Within Microsoft Information Protection (MIP), administrators can create classification labels based on how sensitive data is. Sensitivity labels can be applied to files, emails, SharePoint sites, and Microsoft Teams. Organizations can define their own sensitivity labels, such as Public, Confidential, and Highly Confidential. End users apply labels manually and, when applied, the data will be protected and watermarked according to how you’ve configured it.

Many people are unaware that you can apply these labels to Microsoft Teams. Recent updates have made it possible to view protected documents in Teams and browsers, and Office has also improved, allowing co-authoring to become available.

When a user creates a Team and labels it as Highly Confidential, the privacy options will be limited, and the user will have to designate the Team as private:

Figure 2: Sensitivity label applied when creating a Microsoft Team

This is useful for organizations that want to ensure confidential Teams are not open to the broader business and wish to prevent guest users from being added to the Team.

Another Compliance feature in Microsoft 365 E3 is Data Loss Prevention. With Data Loss Prevention (DLP), administrators can apply policies to sensitive data to protect it and prevent data leaks. Admins can apply DLP policies to Exchange, SharePoint Online, and OneDrive for Business. Policies are applied automatically and are determined by the type of sensitive information, such as credit or debit card numbers or National Identification numbers.

Microsoft provides templated sensitive info types in the M365 Compliance Centre. When a file is uploaded with sensitive information, the DLP policy that you have configured in the admin center will be automatically applied:

Figure 3: Data Loss Prevention Automatically Applied to file in SharePoint Online.

In the figure above, a user has created a new file in SharePoint Online and added a credit card number and passport number. So, the DLP policy is applied to prevent this information from being shared externally.

However, few know that you can customize your sensitive information types instead of using the Microsoft templated ones. You can define what you deem sensitive, for example, keywords or employee/customer numbers. Custom sensitive information types are pattern-based classifiers and are composed of:

  • Regular Expression
  • Keyword Lists
  • Keyword Dictionary
  • Functions
  • Confidence levels

Custom Sensitive Information Types can be used in DLP, Sensitivity Labelling in MIP, and Retention Labels to help protect sensitive information in your organization. If you see real value in using Sensitive Information Types in E3, consider investigating E5, which gives you automatic labeling, DLP policies in Teams Chat and Channel Messages, and the ability to apply labels and DLP policies to devices and third-party apps.
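How a regular expression, a keyword list, a function and confidence levels combine in a pattern-based classifier, as an added sketch that is not Microsoft's implementation or code from this article. The employee-number format, check-digit rule, keyword list, 300-character proximity window and 65/75/85 confidence values are all assumptions made for the example.

```python
import re

# Regular expression: hypothetical employee-number format, "EMP-" plus six digits.
PRIMARY = re.compile(r"\bEMP-(\d{6})\b")
# Keyword list: supporting evidence looked for near a match (assumed terms).
KEYWORDS = ("employee", "staff id", "payroll")
PROXIMITY = 300                 # assumed window, in characters, either side of a match
LOW, MEDIUM, HIGH = 65, 75, 85  # assumed confidence values for the three tiers


def check_digit_ok(digits: str) -> bool:
    """Function element: made-up rule, last digit = sum of first five mod 10."""
    return sum(int(d) for d in digits[:5]) % 10 == int(digits[5])


def classify(text: str):
    """Return (matched_value, confidence) for every primary-pattern hit."""
    findings = []
    lowered = text.lower()
    for m in PRIMARY.finditer(text):
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        has_keyword = any(k in window for k in KEYWORDS)
        valid = check_digit_ok(m.group(1))
        if has_keyword and valid:
            confidence = HIGH       # pattern + keyword + function all agree
        elif has_keyword or valid:
            confidence = MEDIUM     # one piece of supporting evidence
        else:
            confidence = LOW        # bare pattern match only
        findings.append((m.group(0), confidence))
    return findings


def should_block(text: str, threshold: int = MEDIUM) -> bool:
    """A DLP-style decision: act only on matches at or above the threshold."""
    return any(conf >= threshold for _, conf in classify(text))


if __name__ == "__main__":
    # Constructed sample documents.
    for doc in ("Payroll update: employee EMP-123455 moves to grade 7.",
                "Ticket ref EMP-123455 closed.",
                "Part EMP-000009 shipped."):
        print(classify(doc), should_block(doc))
```

Raising the threshold trades missed detections for fewer false positives, which is the practical purpose of attaching confidence levels to a custom type.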


The first step in protecting your company’s data is to manage and secure access to it, and many organizations haven’t turned on multi-factor authentication. However, multi-factor authentication can safeguard your data and apps while reducing the risk of a compromised password.

The authentication process requires a second verification step such as sending a code to a mobile or using a Microsoft Authenticator App. This is not an ideal user experience if users must keep authenticating each time they log in. Here’s where Conditional Access comes in.


Organizations often don’t realize that with Microsoft 365 E3, they have all the technologies to implement Windows Autopilot. You can use Windows Autopilot to reset, repurpose, and recover devices, all without having to touch the device.

Intune, Windows 10 + 11, and Azure AD are some of the components of Windows Autopilot that help provision devices. A user can either have a new device delivered to their house/site by a supplier or an existing device delivered by the organization.

Once the user opens the box, they turn the device on and log in with their work credentials. The device then builds itself automatically as Intune policies and apps are deployed, and a short time after the user has logged in it is operational and business-ready:

Figure 4: Overview of Windows 10 Autopilot
Source: Microsoft

The ability for organizations to provide and manage devices easily has been critical in the world of hybrid work, and Windows Autopilot allows them to do that.


There you have it, my hidden gems in Microsoft 365 E3. The license comes with so much that some other features are rarely used, such as Dataverse for Teams, Azure AD App Proxy, Bookings, Endpoint Analytics, and more.

About the Author

Kathleen Greenan

Kat Greenan is a Microsoft Solutions Specialist helping customers plan their Microsoft 365 journey, specializing in Microsoft Teams, SharePoint, and Power Platform. Kat regularly delivers deployment planning workshops, end-user training, and Change Management planning for customers moving to the Cloud. Kat is a co-host on the Cloud Conversations podcast, a regular conference speaker, and publishes Microsoft Teams how-tos on her blog.
