There is little debate over whether the Microsoft 365 E5 license is a fantastic product. However, over the past two years, the E5 license offering has matured greatly, and it seems like Microsoft customers would be even more receptive to the upgraded license. If anything, customers will see major benefits from a one-stop-shop approach that replaces the need for third-party endpoint protection and mail hygiene solutions with Microsoft 365 E5 services like Microsoft 365 Defender for Endpoint and Microsoft 365 Defender for Office 365.
But does everything residing only in Microsoft 365 E5 truly belong there? I’ve been pondering this question for a while now and believe that there is a compelling case for certain premium features to make the journey over to Microsoft 365 E3.
Pros vs. Cons
The benefits are two-fold in my opinion: First, it makes important security features that are no longer simply “nice to have” more accessible to a wider customer base. It also gives Microsoft the incentive to stay at the leading edge of innovation and bring new and exciting features to their premium offering. While this rationale definitely made sense to me, I was curious as to what my colleagues thought, so I decided to pose the question on my Twitter feed:
The responses were numerous and quite varied, with many opinions on the matter. Before we examine the responses, it should be noted this licensing discussion revolves around Microsoft 365, not Office 365 – two very different things. For example, basic Microsoft 365 E3 security capabilities are not included within the Office 365 E5 license. For more information on how Microsoft 365 and Office 365 differ, you can also refer to this Microsoft page.
Which Features are the Most Wanted in Microsoft 365 E3?
After tallying up the responses, most of those voting for Microsoft 365 E5 were only voting for those specific E5 features. However, there were two clear favorites in Privileged Identity Management and Auto labelling (Table 1):
Other non-feature specific responses included:
- Eliminate add-on licenses such as Viva and SharePoint Syntex, and add these to Microsoft 365 E5
- Custom license bundles with competitive pricing
- A new SKU for Power BI read-only included in Microsoft 365 E3
- Eliminate Microsoft 365 E3 entirely, and change Microsoft 365 Business to no user limit
- Make tenant wide license feature activation less confusing
- Custom search indexes
So, some quite interesting responses indeed, and overall, a wider range of answers than I anticipated. What, if anything, can we derive from this straw poll? Let’s examine some of the key takeaways.
Privileged Identity Management and Auto Labeling – an Expensive Luxury
Privileged Identity Management (PIM) enables just-in-time and approval-based access to privileged roles within Microsoft 365. This means that users who require occasional access to elevated roles do not need to have them permanently assigned to their accounts. They instead activate the roles on-demand for a limited period of time.
The benefits of this are self-evident – the attack surface is reduced when there are less privileged accounts. Without PIM available, powerful admin roles will inevitably be granted to users and then forgotten about, which creates a potential vulnerability.
Auto labeling with Microsoft Information Protection provides the means to automatically assign a sensitivity label to Microsoft 365 content based on matches to built-in sensitive information types. This is an important feature as it reduces the burden on the end-user, who oftentimes do not realize when it’s appropriate and important to apply a label to their emails and documents.
So, what would the impact on Microsoft be if these features were included in Microsoft 365 E3? It’s difficult to speculate, but these are only two features of Microsoft 365 E5. Their inclusion in the more affordable licensing tier would demonstrate that Microsoft is committed to making important security and compliance features accessible to their wider customer base, and not just those who can afford the cost of a Microsoft 365 E5 subscription.
This is also unlikely to significantly affect subscriptions to Microsoft 365 E5. Many Microsoft 365 E5 features are justifiably included in the premium subscription, and Cloud App Security and Advanced eDiscovery are two good examples of this. We have also seen recent innovations with Microsoft 365 E5, such as Insider Risk Management and Communication Compliance. Therefore, it seems there will still be plenty of exclusive features for Microsoft 365 E5 subscribers.
Questions to Consider
An important question that may provide somewhat of an answer to this debate is, “Where should you start with your Microsoft 365 Security and Compliance posture?” In this article, Microsoft recently provided updated Security and Compliance guidance aimed specifically at the UK public sector.
They separate their Security and Compliance control capabilities into three categories – Good, Better, and Best. Microsoft recommends “starting with Better“, which does require some Microsoft 365 E5 functionality.
If “Better” is the minimum recommendation for a Security and Compliance posture for Microsoft 365 public sector customers, then there’s also an argument to be made that even the lowest SKUs (e.g., Office 365 E1) should have at least “Good” security controls.
If you’re surveying Microsoft customers, they will of course answer that they would like the most useful parts of Microsoft 365 E5 as part of Microsoft 365 E3. But If “Better” is the recommended and essential starting point from Microsoft, then why sell products that don’t include these key features?
Playing Devil’s Advocate
Whilst this survey clearly shows there is an appetite for more choice when it comes to Microsoft 365 licensing, there are some other perspectives to consider.
For example, if Microsoft Defender for Office 365 were to be included in Microsoft 365 E3, this could lead to protests from third-party vendors from a competition law standpoint. There are many widely adopted third-party security products used with Microsoft 365 and if a premium feature like Defender became more widely accessible, then many customers may be tempted to discontinue such third-party subscriptions.
We should also consider that some of the premium features of Microsoft 365 E5 may have a clear ongoing cost to Microsoft to run, and these couldn’t simply be thrown into Microsoft 365 E3. This may be the case for Auto-labelling, for example.
Teams Phone System is a difficult one. Customers must bring their own SIP trunk or purchase calling plans. On that basis, should they also have to purchase Microsoft 365 E5? There may be ongoing costs to Microsoft for Teams Phone System that justify this, but we can’t say for sure.
That being said – there is one glaring offender within Microsoft 365 E5 that I find impossible to defend.
Teams DLP Does Not Belong in Microsoft 365 E5!
The presence of Data Loss Prevention for Teams within Microsoft 365 E5 only, is baffling to me. The arguments above on adding PIM, Auto labeling, or any other Microsoft 365 E5 feature to Microsoft 365 E3 can be debated and counter-argued, as can the need for more customization within license SKU’s.
If I’m going to stick my neck out on one opinion though, it’s that I genuinely don’t feel that DLP for Teams is correctly allocated when it comes to licensing. How can it be fair for DLP to apply to the other key services within Microsoft 365 within the Microsoft 365 E3 subscription, but not the most relevant product in Microsoft’s recent history – Teams? It’s difficult for me to wrap my head around this decision.
Licensing is often a confusing and divisive subject, and at the end of the day, it’s all about opinions – of which there will be many. Whilst no one could expect Microsoft to “give away the farm,” there is always a balance that can be struck or a compromise to be made.
What is clear is that there’s a common view from customers and partners that unless some of the premium features are added to Microsoft 365 E3, these customers will need to either consider buying Microsoft 365 E5 licenses; uplift current licenses for some or all users; or continue to rely on third-party alternative solutions.
Microsoft should be a good citizen and make all cybersecurity products available at every M365 level, at least the ATP solutions. The threat to everyone is too high.
You can get M365 Defender for O365 plan 1 and plan 2 as add-ons at not a bad cost, so at least there are some other ways than just getting M365 E5.
I agree completely. My feeling is that software vendors/publishers should have all available security in place as a foundation and always up to date. Possibly a spurious equivalency, but imagine any motor vehicle manufacturer providing a vehicle with brakes, airbags and steering that are very effective 90% of the time. But geez, that leather trim is primo and that touch screen infotainment system is always updated. Security should never be a cost option.
Interesting article and food for thought for MS for sure.
It’s also perhaps worth pointing out that the most requested feature in this list isn’t exclusive to M365 E5 and is accessible via AAD P2 licensing – sure it’s not as cheap as being bundled in with E3 if you already have it, but it’s not an E5 like cost uplift and includes AAD Identity Protection which then allows the evaluation of user and sign-in risk levels in Conditional Access policies and other benefits.
Worth considering that as an upgrade, even if only for a subset of users (admins and senior staff).
Yes this is absolutely true. Definitely another option that can be considered.