The easy Microsoft 365 license guide
Introduction
This is an updated post that provides you with an overview to align Microsoft Cloud products/features with licenses (suites). Often these topics are misunderstood or inadequatly applied.
This post is intended to break the complexity down to some basics, explain the license suites easily and highlight Enterprise Mobility + Security license plans.
Tenant-level license compliance
First up; Tenant-level compliance defines the "highest" (according to feature set) license, that is available in your tenant. Based from that license, many features will be available, or configurable. But be careful, this does not mean, that you are also always allowed to legitly use some features. You can find your tenant license level in Azure AD>Overview.
License types
Microsoft 365 delivers services for everyone:
- Enterprise (E) - large customers, ~500+ seats
- Government (G) - U.S. government or DoD
- Business - small to medium sized organizations, usually ~5 to 250 seats
- Education (A) - educational institues, often profit of special discounts
- Home (personal and family) - consumer use, non commercial
General overview
Licenses are formed by the license suite and the license level.
Often, we also differentiate between Security related license plans and Compliance related licenses.
License suites
The Microsoft 365 license suite is bundled into the following components:
- Office 365 includes all productivity and collaboration products for the Web (SaaS) and app installations, Office security, plus compliance subjects
- Enterprise Mobility + Security hosts several endpoint management, diverse security and information protection topics
- Windows Enterprise includes enterprise features for the Windows OS and Defender security
License level
Within a license suite, there is also a level, that results in advanced features, but also in a higher price. The most common in the enterprise segment constitute of:
- F3 - Frontline workers, mostly includes the essential features of M365 apps to stay productive, limited security and compliance features, cheapest edition
- E3 - Standard license plan, covers all basic features and core secure and compliance, medium prize
- E5 - Full feature set, advanced security and compliance products, cost intense
Add-ons
Some specific features are only available through dedicated add-on licenses and are not covered through any license bundle.


Interpretation
Especially the blue marked Enterprise Mobility + Security suite are often featured on Oceanleaf.ch.
As you can see, there are lots of combinations of different plans. In reality, we mostly see that companies have the Microsoft 365 license, which includes the three sub-plans. This also allows them to implement the most popular products as well as basic security in their cloud environment.
Eventually, most organizations choose to purchase a step-up license for security and/or compliance. This is great if you are in a transition phase and want to focus on one of these areas.
At some point, or for cloud-only customers, the complete Microsoft 365 E5 suite becomes interesting to cover every need with the appropriate license.
Of course, it is also possible to buy individual parts of plans, but this is only a good idea if you only want to cover a specific product.
Product overview
Azure AD Premium Plan 1 & 2
- Plan 1 - offers identity basics and integrated Azure AD features that are access related
- Plan 2 - the elevated version for security and identity governance needs
Microsoft 365 E5 Step-up Security
The E5 Security Step-up is very attractive, because it contains the most important Defender product plans, including:
- Defender for Office 365 Plan 1 & 2
- Defender for Cloud Apps
- Defender for Identity
- Defender for Endpoint Plan 2
- Azure AD Premium Plan 2
Defender for Endpoint Plan 1 & 2
Defender for Endpoint Plan 1 is now integrated to Microsoft 365 E3. Read more about it on the official docs This allows to use a subset of EDR capabilities, powered by Defender, such as: Central configuration & (limited) operation/response actions, Attack Surface reduction, API's, Security Reports and Cross-platform support.
Note, that these also exist: Defender Vulnerability Management add-on and Defender for Business.
Defender for Office 365 Plan 1 & 2
Defender for Office is the supplement to Exchange Online Protection and is separated in two plans. Plan 1 contains the basic protection (Anti-Phishing, real-time reports, safe attachments and links) for Exchange and with Plan 2 you get the all-inclusive package with investigation, remediation and Attack simulation training. Read more about it on the official docs.
Intune
Intune is separated in three plans:
- Intune plan 1 - core capabilities of Intune, is integrated in other licenses
- Intune plan 2 - additionally to plan 1 for more capabilities
- Intune Suite (includes plan 2, but not plan 1)
Official docs
Furthermore there are add-ons seperatly from the plans available.


