Chapter 5 of 14

Security & Compliance Licensing — What's in E3, What Requires E5, and Where Add-ons Fit

Deep dive into M365 security licensing: Defender P1 vs P2, Entra ID P1 vs P2, Purview compliance tiers, what E3 includes vs E5-only features, and the most common licensing mistakes that leave organizations exposed.

Key Facts

  • Microsoft 365 E3 includes Defender for Office 365 Plan 1 (Safe Attachments, Safe Links), Defender for Endpoint Plan 1 (next-gen antivirus, attack surface reduction), and Entra ID Plan 1 (Conditional Access, MFA, self-service password reset).
  • Microsoft 365 E5 upgrades to Defender for Office 365 Plan 2 (automated investigation, attack simulation), Defender for Endpoint Plan 2 (EDR, threat analytics, auto-investigation), and Entra ID Plan 2 (Privileged Identity Management, Identity Protection, access reviews).
  • Purview Data Loss Prevention (DLP) for Exchange, SharePoint, and OneDrive is included in E3. DLP for Teams chat and endpoint DLP require E5 or the Purview DLP add-on.
  • E5 exclusive features include: Insider Risk Management, Information Barriers, eDiscovery Premium (formerly Advanced eDiscovery), Communication Compliance, and Customer Lockbox.
  • Sensitivity labels are available in E3, but auto-labeling (applying labels automatically based on content inspection) requires E5 or the Information Protection and Governance add-on.
  • Defender for Cloud Apps (formerly Microsoft Cloud App Security) — the CASB that monitors shadow IT and governs third-party SaaS — is E5 only or available as a standalone add-on at $3.50/user/month.
  • The single most common security licensing mistake is assuming E3 provides endpoint detection and response (EDR). E3 includes Defender for Endpoint Plan 1 (prevention only). Full EDR with investigation tools requires Plan 2 (E5 or add-on).
  • Microsoft Sentinel (cloud SIEM) and Defender for Identity (on-premises AD monitoring) are not included in any Microsoft 365 plan — they are Azure consumption services billed separately.

The Microsoft Security Stack — A Layered Approach

Microsoft has built its security licensing around a defense-in-depth model. Each license tier adds another layer of protection. Understanding which layer comes with which plan is the single most important security decision you will make for your organization. This is especially critical during Microsoft 365 migrations — security policies must be configured before users go live, not bolted on after the fact.

E3 Security: What You Already Have

Many organizations are surprised by how much security is already included in Microsoft 365 E3. Before buying any security add-ons, make sure you have fully deployed these E3-included features. If you are migrating from Exchange Server to Microsoft 365 or switching from Google Workspace, configure Conditional Access and Defender policies in your tenant before the first batch of mailboxes goes live:

  • Entra ID P1 — Conditional Access policies, MFA, self-service password reset, hybrid identity
  • Intune Plan 1 — Mobile device management, app protection policies, compliance policies
  • Defender for Office 365 P1 — Safe Links, Safe Attachments, anti-phishing policies
  • Defender for Endpoint P1 — Next-gen anti-malware, attack surface reduction, device control
  • Data Loss Prevention (DLP) — Policies for Exchange, SharePoint, OneDrive, Teams
  • Sensitivity Labels — Manual classification and encryption of documents and emails
  • Microsoft Purview Audit (Standard) — 90-day audit log retention
  • Windows Hello for Business — Passwordless authentication for Windows devices

Pro Tip

A shocking number of E3 customers pay for third-party endpoint protection when Defender for Endpoint P1 is already included and consistently scores top marks in independent AV tests (AV-TEST, AV-Comparatives). Check if you are double-paying for endpoint security.

E5 Security: The Full Arsenal

E5 adds the advanced detection, investigation, and automated response capabilities:

  • Entra ID P2 — Privileged Identity Management (PIM), Identity Protection (risk-based Conditional Access), access reviews
  • Defender for Endpoint P2 — Full EDR, threat analytics, sandbox detonation, threat hunting
  • Defender for Office 365 P2 — Threat Explorer, automated investigation and response (AIR), attack simulation training
  • Defender for Cloud Apps — Cloud access security broker (CASB), shadow IT discovery, session controls
  • Defender for Identity — On-premises AD monitoring, lateral movement detection, compromised credential detection
  • Auto-labeling for sensitivity labels — Automatically classify and protect documents based on content
  • Insider Risk Management — Detect potential data theft, IP exfiltration, policy violations
  • eDiscovery Premium — Advanced holds, review sets, predictive coding, conversation threading
  • Microsoft Purview Audit (Premium) — 1-year log retention, crucial event types
  • Information Barriers — Prevent communication between specific groups (financial services compliance)

The E3 + Add-Ons vs. E5 Decision

This is the question we get asked most often. Here is the honest math:

Scenario: You want advanced endpoint + identity protection

  Item                                          Price (per user/month)
  E3 base                                       $36.00
  + Defender for Endpoint P2                    $5.20
  + Entra ID P2                                 $9.00
  + Audio Conferencing                          $4.00
  Total                                         $54.20
  E5 (includes all of the above + much more)    $57.00

The delta is just $2.80/user/month — and E5 includes Defender for Cloud Apps, Defender for Identity, Insider Risk Management, eDiscovery Premium, Power BI Pro, and Teams Phone. If you need even 2 of those add-ons on top of the above, E5 is the better deal.

Watch Out

Do not make this decision purely on price. If your organization genuinely only needs endpoint and identity protection, E3 + targeted add-ons is more cost-effective. But if you are on a path toward Zero Trust architecture, E5 gives you the complete toolkit without piecing together 5-6 separate add-ons.

Common Security Licensing Mistakes

  • Paying for third-party email security when Defender for Office 365 P1 is already in E3
  • Not enabling Conditional Access in E3 — it is included but must be configured
  • Buying Entra ID P2 for all users when only admins need PIM (use mixed licensing: P2 for admins, P1 for everyone else)
  • Ignoring the Microsoft Secure Score dashboard — it tells you exactly which included features you have not configured
  • Over-buying E5 for frontline workers who do not need advanced compliance features

Chapter Summary

  1. Think of Microsoft 365 security as a three-tier stack: E3 provides baseline protection (prevention-focused), E5 provides advanced protection (detection, investigation, and response), and Azure services (Sentinel, Defender for Cloud) extend coverage to multi-cloud and hybrid infrastructure.
  2. Defender for Office 365 Plan 1 (E3) handles Safe Links, Safe Attachments, and anti-phishing policies. Plan 2 (E5) adds Threat Explorer, automated investigation and response (AIR), attack simulation training, and campaign views — critical for security operations teams.
  3. Defender for Endpoint Plan 1 (included in E3) provides next-generation antivirus, attack surface reduction rules, device control, and network protection. Plan 2 (E5 or $5/user/month add-on) adds full EDR, threat analytics, sandbox detonation, and automated investigation — without Plan 2 your SOC is essentially blind to advanced threats.
  4. Entra ID Plan 1 (E3) delivers Conditional Access, MFA, self-service password reset, and application proxy. Plan 2 (E5 or $9/user/month) adds Privileged Identity Management (just-in-time admin access), Identity Protection (risk-based Conditional Access), and access reviews — all essential for zero-trust architecture.
  5. On the compliance side, E3 gives you basic DLP (Exchange, SharePoint, OneDrive), standard retention policies, basic eDiscovery (content search and hold), and manual sensitivity labels. E5 unlocks DLP for Teams and endpoints, auto-labeling, trainable classifiers, eDiscovery Premium with review sets and machine learning, Insider Risk Management, Communication Compliance, and Information Barriers.
  6. Common licensing traps: (1) Buying E5 for all users when only your security team needs advanced investigation tools — consider E3 for most users with E5 for admins and SOC analysts. (2) Purchasing Defender for Endpoint P2 add-ons on top of E3 when the cost delta to E5 is minimal. (3) Overlooking that eDiscovery Premium requires E5 — legal teams that run investigations need E5 licenses even if the rest of the organization is on E3. (4) Assuming Microsoft Sentinel is included in E5 — it is a separate Azure billing item.
  7. A practical hybrid approach: license most knowledge workers on E3, assign E5 to IT admins, security analysts, legal/compliance, and executives (high-value targets), and use Frontline F3 for shift workers. This tiered strategy can reduce licensing costs by 30–40% versus blanket E5 while maintaining strong security coverage.