InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
The information, pricing and product details included in this post are accurate as of September 2020.
A critical decision point to consider when deciding between Microsoft E3 vs. E5, separate from cost is team commitment. With a team committed to fully using E5, the cost savings could exceed the annual cost. Without such commitment, the upgrade may not
This piece explains the differences between the two license tiers and the main factors to consider before choosing to stay with Microsoft E3 or upgrade to Microsoft E5.
In the years since Microsoft launched Office 365, now re-branded to Microsoft 365, the service offerings have changed, features have moved between tiers and capabilities of different features have changed. However, for the last several years, businesses
faced one fundamental question: Is the E5 license worth the extra cost?
Figure 1: E5 Features Not Found in E3
Microsoft offers a lot of services, and several of those bundled in E5 can be added as a la carte options to an existing E3 license. For example, all the compliance features listed in Figure 1 can be added to E3 without a full upgrade for $10 per user
per month under the E5 Compliance Plan. Similarly, all the security features listed can be added to E3 for $12 per user per month under the hard-to-find E5 Security Plan. The communications features were once available separately, but that program
appears to have sunset.
The $22 per user per month for both compliance and security is less than the extra $25 per user per month. However, the difference is slight – less than a single full-time employee (FTE) for a company with 1,000 employees – and there is a
significant advantage in using all of the features that have been designed to work together. Using only compliance would require building your own integrations with your other security toolset, as would using only security. By using both, you gain
the integration capability automatically.
E5 brings along a lot of features, and businesses should consider the following potential commitment and knowledge issues that might hinder success. Examples may include:
Communications features require expertise. Properly using the communication features to replace or augment an existing phone system with videoconferencing requires a skilled team, not only to set it up, but also to manage it. Most organizations find Microsoft
Teams to be more than sufficient to augment a legacy phone system. Given the high number of remote workers at present, the value of such legacy phone systems is proving to be lower than many thought.
Identity tools are complex. From a security perspective, the capabilities included in Microsoft Defender for Identity, Azure Active Directory Premium Plan 2 and Privileged Access Management are extremely powerful and, when used correctly, can justify
the entire cost of upgrading to E5. However, identity is complex and can be challenging for teams to successfully implement.
Other features, such as the anti-malware replacement – Defender for Endpoint – can justify the cost alone if the current anti-malware system is lightly configured and costs anywhere near $25 per user per month. However, it might not compare
favorably to a well-tuned anti-malware solution that ties into enterprise-level monitoring through an endpoint detection and response (EDR) approach.
Similarly features like Microsoft 365 Defender, Defender for Office 365 and Cloud App Security could be replaced with other products at a lower cost than upgrading from E3 to E5. A team will succeed or fail equally with any product selection in this space
– cost is a greater factor than anything else.
Finally, the remaining compliance features – Customer Lockbox and Service Encryption with Customer Key – provide a level of independence from Microsoft through encryption. If you need this capability, then there may be no choice but to invest
in local encryption competence and upgrade to E5.
There are many ways to run the analysis of cost-comparing licenses and features to those of equivalent or other desired products. The difference between E3 and E5 is about features but consider your commitment to a fully cloud-based work environment.
If you have not taken full advantage of E3 and don’t have a team committed to understanding it, following changes to functionality and pushing the licenses to their limit, making the case for upgrade to E5 becomes more difficult.
In contrast, if you have a dedicated and enthusiastic team willing to dive deep into E5 and use the functionality to its greatest extent, eliminating other vendors and fully embracing E5 could be a cost-saving strategy.
The importance of matching expectations to maturity: Be weary of buying licenses and expecting everything to suddenly get better. It may take years to learn how to fully use each feature in your environment.
If you are fully committed to running the business using cloud services, supporting a fully remote work force and fundamentally re-thinking the so-called “best practices” of the last 30 years, then E5 can be a sensible investment.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
December 6, 2022
By IANS Research
Improve your attack surface management plan using 9 steps to mitigate risk and strengthen enterprise security posture.
December 1, 2022
By IANS Faculty
Improve your vendor management program using six focus areas to benchmark program maturity and identify key pitfalls to avoid.
November 29, 2022
Learn how to integrate IT, OT and physical security programs to reduce risk, improve efficiency and streamline processes across the organization.