This is an updated post that gives you an overview of how Microsoft Cloud products and features map to licenses (suites). These topics are often misunderstood or inadequately applied.

This post is intended to break the complexity down to some basics, explain the license suites easily and highlight Enterprise Mobility + Security license plans.

Tenant-level license compliance

First up: tenant-level compliance defines the "highest" license (by feature set) that is available in your tenant. Based on that license, many features will be available or configurable. But be careful: this does not mean that you are always allowed to legitimately use those features. You can find your tenant license level in Azure AD > Overview.


License types

Microsoft 365 delivers services for everyone:

General overview

Licenses are formed by the license suite and the license level.

Often, we also differentiate between security-related license plans and compliance-related licenses.

License suites

The Microsoft 365 license suite is bundled into the following components:

  • Office 365 includes all productivity and collaboration products for the Web (SaaS) and app installations, Office security, plus compliance subjects
  • Enterprise Mobility + Security covers endpoint management and a range of security and information protection topics
  • Windows Enterprise includes enterprise features for the Windows OS and Defender security

License level

Within a license suite, there is also a level, which brings more advanced features but also a higher price. The most common levels in the enterprise segment are:

  • F3 - Frontline workers, mostly includes the essential features of M365 apps to stay productive, limited security and compliance features, cheapest edition
  • E3 - Standard license plan, covers all basic features and core security and compliance, medium price
  • E5 - Full feature set, advanced security and compliance products, cost-intensive


Some specific features are only available through dedicated add-on licenses and are not covered through any license bundle.

I always recommend the m365maps by Aaron Dinnage.


Especially the blue marked Enterprise Mobility + Security suite are often featured on

As you can see, there are lots of combinations of different plans. In reality, we mostly see that companies have the Microsoft 365 license, which includes the three sub-plans. This also allows them to implement the most popular products as well as basic security in their cloud environment.
Eventually, most organizations choose to purchase a step-up license for security and/or compliance. This is great if you are in a transition phase and want to focus on one of these areas.
At some point, or for cloud-only customers, the complete Microsoft 365 E5 suite becomes interesting to cover every need with the appropriate license.
Of course, it is also possible to buy individual parts of plans, but this is only a good idea if you only want to cover a specific product.

Product overview

Azure AD Premium Plan 1 & 2

  • Plan 1 - offers identity basics and integrated Azure AD features that are access related
  • Plan 2 - the elevated version for security and identity governance needs

Source: Microsoft

Microsoft 365 E5 Step-up Security

The E5 Security Step-up is very attractive, because it contains the most important Defender product plans, including:

Defender for Endpoint Plan 1 & 2

Defender for Endpoint Plan 1 is now integrated into Microsoft 365 E3. Read more about it on the official docs. This allows you to use a subset of EDR capabilities, powered by Defender, such as: central configuration and (limited) operation/response actions, attack surface reduction, APIs, security reports and cross-platform support.

Source: Microsoft

Note that these also exist: Defender Vulnerability Management add-on and Defender for Business.

Defender for Office 365 Plan 1 & 2

Defender for Office is the supplement to Exchange Online Protection and is split into two plans. Plan 1 contains the basic protection (anti-phishing, real-time reports, safe attachments and links) for Exchange, and with Plan 2 you get the all-inclusive package with investigation, remediation and attack simulation training. Read more about it on the official docs.

Source: Microsoft


Intune is split into three plans:

  • Intune plan 1 - core capabilities of Intune, is integrated in other licenses
  • Intune plan 2 - in addition to plan 1, for more capabilities
  • Intune Suite (includes plan 2, but not plan 1)
    Official docs


Furthermore, the features from the Suite are also available separately as add-ons, apart from the full plans.


Microsoft's license suites are subject to frequent change. I try to keep this post up to date; however, there might be minor changes. Please consult the official resources for clarification. (initially written November 2022, updated in March 2023)
