Running the Numbers to Search for Value
Some years ago, I recall someone ran the numbers to decide if the extra cost to buy Office 365 E5 licenses was worthwhile. Despite my best efforts to hunt it down, I can’t find the document anymore. However, I believe that its conclusion was that Office 365 E5 is a relative bargain for organizations interested in compliance because the cost of buying add-on licenses for compliance features is higher than the cost differential between Office 365 E3 and E5.
Microsoft increased subscription fees in March 2022 and bumped up the monthly cost of both Office 365 E3 and E5 by $3, or $36 per user annually. In the U.S., a monthly subscription for Office 365 E3 is now $23 while Office 365 E5 runs to $38. The question is whether the extra $15 uplift is worthwhile.
Of course, Microsoft will say that you should upgrade from Office 365 E3 to E5. After all, this helps to increase the average revenue per user (ARPU) figure beloved by market analysts and cited in every Microsoft quarterly earnings. And if you’re really interested, they’d like you to move to Microsoft 365 E5, a snip at $57/month to access even more compliance and data governance capabilities, notably in device and identity management. In this comparison, I focus on the two Office 365 plans, guided by Microsoft’s feature and cost comparison for the plans and add-ons it offers.
Before plunging into the details of licensing, it’s worth recalling that compliance and data governance is a much bigger area now than it was when Microsoft started along the path with solutions like Messaging Records Management in Exchange 2007. At that time, the focus was mostly on removing items. This evolved to getting rid of items but keeping some that are important. Then work was done to deal with data at rest, both on-premises and in the cloud, and now much of Microsoft’s development focus is on analysis and machine learning, Trainable classifiers are an example of using machine learning in a compliance solution.
General Licensing Rules
Few people outside Microsoft are masters of licensing guidance for compliance and data governance solutions. I guess the folks who maintain the spreadsheet covering licensing rules must be, but the average tenant administrator has more pressing issues to deal with. My rules are simple. These situations create a requirement to have a high-end license like Office 365 E5 or the Microsoft 365 E5 compliance add-on
- Anywhere premium is in a solution name. For example, Microsoft Purview eDiscovery (Premium). This rule replaced the rule covering anything with advanced in a solution name.
- Anything that performs automated processing. For example, applying retention or sensitivity labels via an auto-label policy. The definition of automated stretches to scenarios like assigning a default retention label to a SharePoint document library.
- Anything involving machine learning, like trainable classifiers.
New Features for High-End Licenses
You could also argue that a fourth rule covers any new functionality Microsoft has added in the areas of compliance or data governance since 2016, including:
- Data Loss Prevention (DLP) policies for Teams (checks against Exchange Online and SharePoint Online content only require E3 but checking Teams messages for potential policy violations is very special and needs a higher license).
- Microsoft Purview Records management.
- Microsoft Purview Audit (Premium), aka Advanced Audit, like the MailItemsAccessed event logged by Exchange Online.
- Microsoft Purview Customer Lockbox.
- Microsoft Defender for Office 365 Plan 2.
- Microsoft Purview eDiscovery (Premium).
- Microsoft Purview Double Key Encryption.
- Microsoft Purview Communication Compliance.
- Microsoft Purview Information Barriers.
To be fair, users can apply sensitivity labels based on Microsoft Purview Information Protection to emails and documents manually with an Office 365 E3 license, and any account with an Office 365 or Microsoft 365 license can consume content encrypted by sensitivity labels. However, the point remains that most new Microsoft developments in compliance and data governance technology demand high-end licenses.
A case is arguable that the situation is both understandable and reasonable. The customers interested in solutions like communication compliance or records management usually come from the enterprise sector. Some smaller organizations need Microsoft Purview compliance and data governance solutions, but the majority do not. Therefore, Microsoft’s available market for these products is smaller than the overall Office 365 base, and they price licenses and add-ons to achieve a return on their engineering investments. At least, that’s the story.
The recent rebranding exercise to apply the Microsoft Purview brand to solutions in the areas of risk, compliance, and data governance. One potential benefit of the Purview rebranding is to bring a loose collection of products together into a single suite, which might help to make the licensing of Microsoft compliance solutions simpler in the future.
Computing License Costs
Returning to the original question, is the extra $15 (per user/month) cost to upgrade to Office 365 E5 worth it? The answer depends on if you think an organization can extract value from the additional investment.
The combination of Office 365 E3 and the Microsoft 365 E5 Information Protection and Governance add-ons delivers access to solutions like communication compliance, premium audit and eDiscovery, customer key, Teams DLP, endpoint DLP, information barriers, and automatic assignment of retention and sensitivity labels for $30 ($23 + $7), or $8 under Office 365 E5. That seems like a good deal because it liberates a lot of compliance and data governance functionality for a lower price.
However, Office 365 E5 is not all about compliance, and some additional functionality bundled into the E5 plan comes with a price tag if licensed separately. For instance, this trio adds up to an extra $23/month if licensed separately.
- Defender for Office 365 Plan 2 ($5)
- Teams Phone ($8)
- Power BI Pro ($10)
Even if you don’t value Power BI Pro too highly (it’s a capability that’s probably of interest to a limited user group), Teams Phone and Defender for Office 365 Plan 2 are attractive to many organizations. Taking the $18 for those items plus $7 for the compliance functionality, Office 365 E5 delivers an extra $25 worth of capabilities when the gap between it and E3 is $15.
Microsoft 365 E5
Taking things to the next level to buy Microsoft 365 E5 licenses adds an extra $19/month over Office 365 E5. For the money, you get more device management and identity management capabilities, like Microsoft Intune, Microsoft Endpoint Manager, Windows AutoPilot, Endpoint Analytics, Cortana Management, Insider Risk Management, Endpoint DLP, Privileged Identity Management, Access Reviews, Entitlement Management, Microsoft Defender for Cloud Apps. It’s an impressive list, but again, you’d need to be able to use these products to gain value from the investment.
Overall, it looks like Office 365 E5 remains a relative bargain for the functionality it delivers, especially in the areas of compliance and overcoming data governance challenges. Remember that you don’t need to buy Office 365 E5 licenses for all users unless you want to deploy features like communications compliance everywhere, so it might be possible to save some money by using a mix of licenses. Isn’t license management strategy fun?
And what about Office 365 E1 licence ?
Does this type of users will be able to manually label document or they need an extra AIP Plan 1 to do it ?
Thanks for your info.
You need Office 365 E3 or above (like the Microsoft 365 E5 compliance license) to use sensitivity labels.
Does setting a default sensitivity label with a label policy count as “automatic” applying of a label and thus needing an E5 license?
Update: I thought about this more and believe that using a default label in a policy does not constitute automation as defined by Microsoft. The logic is that the policy suggests a label to the user. However, the user has the option to choose and apply a different label. That’s a manual operation. It’s very different to the automatic processing done when a document library has a default label that the system applies each time a new file is uploaded into that library.
The text in https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#which-licenses-provide-the-rights-for-a-user-to-benefit-from-the-service-21 implies that E5 is needed. The service applies the license based on the policy:
For manual sensitivity labeling, the following licenses provide user rights:
Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium (Information Protection for Office 365 – Standard should be enabled if E5 license only has been assigned)
Enterprise Mobility + Security E3/E5
Office 365 E5/A5/E3/A3
AIP Plan 1
AIP Plan 2
For both client and service-side automatic sensitivity labeling, the following licenses provide user rights:
Microsoft 365 E5/A5/G5
Microsoft 365 E5/A5/G5 Information Protection and Governance
Office 365 E5/A5/G5
For client-side automatic sensitivity labeling only, the following license provides user rights:
Enterprise Mobility + Security E5/A5/G5
AIP Plan 2