The easy Microsoft 365 license guide
This is an updated post that provides you with an overview to align Microsoft Cloud products/features with licenses (suites). Often these topics are misunderstood or inadequatly applied.
This post is intended to break the complexity down to some basics, explain the license suites easily and highlight Enterprise Mobility + Security license plans.
Tenant-level license compliance
First up; Tenant-level compliance defines the "highest" (according to feature set) license, that is available in your tenant. Based from that license, many features will be available, or configurable. But be careful, this does not mean, that you are also always allowed to legitly use some features. You can find your tenant license level in Azure AD>Overview.
Microsoft 365 delivers services for everyone:
- Enterprise (E) - large customers, ~500+ seats
- Government (G) - U.S. government or DoD
- Business - small to medium sized organizations, usually ~5 to 250 seats
- Education (A) - educational institues, often profit of special discounts
- Home (personal and family) - consumer use, non commercial
Licenses are formed by the license suite and the license level.
Often, we also differentiate between Security related license plans and Compliance related licenses.
The Microsoft 365 license suite is bundled into the following components:
- Office 365 includes all productivity and collaboration products for the Web (SaaS) and app installations, Office security, plus compliance subjects
- Enterprise Mobility + Security hosts several endpoint management, diverse security and information protection topics
- Windows Enterprise includes enterprise features for the Windows OS and Defender security
Within a license suite, there is also a level, that results in advanced features, but also in a higher price. The most common in the enterprise segment constitute of:
- F3 - Frontline workers, mostly includes the essential features of M365 apps to stay productive, limited security and compliance features, cheapest edition
- E3 - Standard license plan, covers all basic features and core secure and compliance, medium prize
- E5 - Full feature set, advanced security and compliance products, cost intense
Some specific features are only available through dedicated add-on licenses and are not covered through any license bundle.
I have put a green border around all licenses that are especially important for the Enterprise Mobility + Security suite and are often featured on Oceanleaf.ch.
As you can see, there are lots of combinations of different plans. In reality, we mostly see that companies have the Microsoft 365 license, which includes the three sub-plans. This also allows them to implement the most popular products as well as basic security in their cloud environment.
Eventually, most organizations choose to purchase a step-up license for security and/or compliance. This is great if you are in a transition phase and want to focus on one of these areas.
At some point, or for cloud-only customers, the complete Microsoft 365 E5 suite becomes interesting to cover every need with the appropriate license.
Of course, it is also possible to buy individual parts of plans, but this is only a good idea if you only want to cover a specific product.
Azure AD Premium Plan 1 & 2
- Plan 1 - offers identity basics and integrated Azure AD features that are access related
- Plan 2 - the elevated version for security and identity governance needs
Microsoft 365 E5 Step-up Security
The E5 Security Step-up is very attractive, because it contains the most important Defender product plans, including:
- Defender for Office 365 Plan 1 & 2
- Defender for Cloud Apps
- Defender for Identity
- Defender for Endpoint Plan 2
- Azure AD Premium Plan 2
Defender for Endpoint Plan 1 & 2
Defender for Endpoint Plan 1 is now integrated to Microsoft 365 E3. Read more about it on the official docs This allows to use a subset of EDR capabilities, powered by Defender, such as: Central configuration & (limited) operation/response actions, Attack Surface reduction, API's, Security Reports and Cross-platform support.
Defender for Office 365 Plan 1 & 2
Defender for Office is the supplement to Exchange Online Protection and is separated in two plans. Plan 1 contains the basic protection (Anti-Phishing, real-time reports, safe attachments and links) for Exchange and with Plan 2 you get the all-inclusive package with investigation, remediation and Attack simulation training. Read more about it on the official docs.
For Intune we expect the new suite with advanced endpoint management features in March 2023. This is an add-on and must be acquired separately. (Currently only Remote help is available as add-on)