Introduction

This is an updated post that provides you with an overview to align Microsoft Cloud products/features with licenses (suites).

This post is intended to break the complexity down to some basics, explain the license suites easily and highlight Enterprise Mobility + Security license plans.

Tenant-level license compliance

First up; Tenant-level compliance defines the "highest" (according to feature set) license, that is available in your tenant. Based from that license, many features will be available, or configurable. But be careful, this does not mean, that you are also always allowed to legibly use some features. You can find your tenant license level in Entra ID > Overview.

License types

Microsoft 365 delivers services for everyone:

• Enterprise (E) - large customers, ~300+ seats
• Government (G) - U.S. government
• Business - small to medium sized organizations, usually up to 300 seats
• Education (A) - educational institues, often profit of special discounts
• Student Use Benefit - Special discounts for educational programs
• Consumer - retail versions for private use

General overview

Licenses are formed by the license suite and the license level.

License suites

The Microsoft 365 license suite is bundled into the following components:

• Office 365 includes all productivity and collaboration products
• Enterprise Mobility + Security provides identity, endpoint managment, security and compliance
• Windows Enterprise includes enterprise features for the Windows OS

License level

Within a license suite, there is also a level, that results in advanced features, but also in a higher price. Those are the most popular license plans with the most relevant features:

Business

• Basic - Office 365 (no desktop apps) + Entra ID free, low cost
• Standard - Office 365 + Entra ID free, low cost
• Premium - Office 365 + Entra ID Plan 1 + Windows + Intune Plan 1 for Business + Defender for Business + Information Protection

Education

• A1 - Office 365 (no desktop apps), Intune Plan 1 for Education, Windows (reduced), Remote Help
• A3 - Office 365, Intune Plan 1 for Education, Windows, Remote Help, Entra ID Plan 1, Information Protection, Defender for Endpoint Plan 1
• A5 - All from A3 + A5 Security and A5 Compliance, which include Defender for Endpoint - Identity - Cloud Apps and Office 365 full plans, Teams Phone

Enterprise

• E3 - Office 365 + Entra ID Plan 1 + Windows + Intune Plan 1 for Business + Defender for Endpoint Plan 1 + Information Protection
• E5 - All from E3 + E5 Security and E5 Compliance, which include Defender for Endpoint - Identity - Cloud Apps and Offcie 365 full plans, Teams Phone

Frontline

• F1 - Office 365 (no desktop Outlook version), Entra ID Plan 1, Intune Plan 1, Information Protection
• F3 - Office 365 (no desktop Outlook version), Entra ID Plan 1, Intune Plan 1, Information Protection, Windows (reduced)
• F3 - All from F3 + F5 Security and F5 Compliance, which include Defender for Endpoint - Identity - Cloud Apps and Office 365 full plans

Interpretation

As you can see, there are lots of combinations of different plans. In reality, we mostly see that companies have the Microsoft 365 license, which includes the three sub-plans. This also allows them to implement the most popular products as well as basic security in their cloud environment.
Eventually, most organizations choose to purchase a step-up license for security and/or compliance. This is great if you are in a transition phase and want to focus on one of these areas.
At some point, or for cloud-only customers, the complete Microsoft 365 E5 suite becomes interesting to cover every need with the appropriate license.
Of course, it is also possible to buy individual parts of plans, but this is only a good idea if you only want to cover a specific product.

Product specific

Microsoft Entra Premium Plan 1 & 2

• Plan 1 - offers identity basics and integrated Microsoft Entra features that are identity & access management related
• Plan 2 - the elevated version for security and identity governance needs
• Governance - advanced identity governance, management and lifecycle features
• Workload - protect workload identities

Microsoft 365 E5 Step-up Security

The E5 Security Step-up is very attractive, because it contains the most important Defender product plans, including:

• Defender for Office 365 Plan 1 & 2
• Defender for Cloud Apps
• Defender for Identity
• Defender for Endpoint Plan 2
• Entra ID Premium Plan 2

Defender for Endpoint Plan 1 & 2

Defender for Endpoint Plan 1 is integrated in some Microsoft plans. Read more about it on the official docs. This allows to use a subset of EDR capabilities, powered by Defender, such as: Central configuration & (limited) operation/response actions, Attack Surface reduction, API's, Security Reportsand Cross-platform support.

Note, that these also exist: Defender Vulnerability Management add-on

Defender for Office 365 Plan 1 & 2

Defender for Office is the supplement to Exchange Online Protection and is separated in two plans. Plan 1 contains the basic protection (Anti-Phishing, real-time reports, safe attachments and links) for Exchange and with Plan 2 you get the all-inclusive package with investigation, remediation and Attack simulation training. Read more about it on the official docs.

Intune

Intune is separated in three plans:

• Intune plan 1 - core capabilities of Intune, is integrated in other licenses
• Intune plan 2 - additionally to plan 1 for more capabilities
• Intune Suite (includes plan 2, but not plan 1)
  Official docs

Oceanleaf

Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.

OceanleafNiklas Tinner

powered by Oceanleaf