
What is the Difference Between an O365 E5 and an E3 License with Respect to Security Features?


Microsoft’s licensing can be a little confusing when it comes to figuring out exactly how many E5/E3 licenses you will need to actually leverage the security features associated with a given license. This blog is written with the assumption that you know what features you are interested in buying and/or at least have a basic understanding of the O365 E3/E5 license suites’ security features.

One of the main reasons I looked into this in the first place was to figure out how features that require high levels of licensing translate to general users. I’ll answer that question up front, in case that is what you were looking for when you found this blog: an organization will need an E5/E3 licensed account to view any advanced analytic reporting, create new DLP policies in the compliance center and/or create AIP labels. All O365 users, regardless of license, will still be able to view AIP-protected files after a label has been created and applied to a document, but they will not be able to see the label itself. In order for users to view or change the AIP label, they will need an AIP P1 license (US $2/user) or, if automatically applying classification rules, an AIP P2 license (US $5/user).

So, you should only end up needing to pay that US$32-$57 user/month price for a handful of E3 or E5 licenses depending on how many people you would want to be accessing advanced analytics reports, creating DLP policies or creating AIP/classification labels. 

O365 E5 Licensing – what you don’t get with E3

Depending on what your organization is already paying for, an E5 license may be more than you need. Below is a list of what you would get from an O365 E5 license and not from an E3 license.

  • Advanced Analytics – PowerBI
    • Access to both PowerBI and MyAnalytics (E3 only has access to MyAnalytics)
  • Identity Management –
    • Azure AD Premium Plan 2 features: (E3 only comes with Azure AD Premium P1 features)
      • Vulnerabilities and risky account detection
      • Risk events investigation
      • Risk based conditional access policies
      • Privileged Access Management
      • Access Reviews
      • Entitlement Management
  • Threat Protection –
    • Microsoft 365 Defender
    • Microsoft Defender for Endpoint
    • Microsoft Defender for Office 365
    • Microsoft Defender for Identity
  • Information protection –
    • Azure Information Protection P2 (E3 only has AIP P1)
      • Configure conditions for automatic and recommended classification
      • Set labels to automatically apply pre-configured S/MIME protection in Outlook
      • Control oversharing of information when using Outlook (warn, justify or block emails)
      • Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory Rights Management for highly regulated scenarios
      • Azure Information Protection scanner for automated classification, labeling, and protection of supported on-premises files
  • Cloud app security –
    • Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution which gives visibility into an organization’s cloud apps and services, provides threat analytics to identify and stop cyber threats, and provides some control over how data travels across your cloud apps


If none of the features described above are of interest but you still want to use things like DLP policies and AIP, then go with the E3 license. Once you have decided between E5 and E3 licensing, you will only need to purchase enough licenses for those on your security team who will be in charge of creating new DLP policies and AIP labels. So, for some small organizations, you may only need one or two licenses to accomplish your DLP and AIP goals. If you were interested in some of the E5 features but don’t think you can justify the cost associated with them, third-party vendors like Stealthbits can more than likely help fill in the gaps, specifically when it comes to O365/SharePoint, Privileged Access Management, Access and Entitlement Management, and vulnerability and risk monitoring/assessment!

© 2022 Stealthbits Technologies, Inc.
