Considerations for a Move from an E3 to E5 License for M365

December 7, 2021 | By IANS Faculty

Moving from an E3 to an E5 license for Microsoft 365 (M365) services can be an expensive proposition, both in time and money. This piece outlines the key decision points organizations should consider when evaluating M365 licensing options (vs. third-party security platforms) for email hygiene, endpoint protection and eDiscovery/compliance. 

M365 E5 License Security Benefits   

Microsoft frames the E5 license either as a way to get the increased security benefits of using Microsoft-provided security monitoring and response services, or to gain additional business and data analytics services such as Power BI, Teams Phone System PBX capabilities or compliance tools for eDiscovery, audit and data retention. 

From a purely security perspective, however, the cost to upgrade to E5 should be assessed against both the potential cost savings realized by eliminating third-party email hygiene or endpoint detection and response (EDR) platforms and the need for increased M365 security training when moving away from third-party security tools and to an all-Microsoft setup. 

Microsoft says the upgrade from E3 to E5 represents a list price increase of 75 percent. For M365 customers with thousands of users, this can be a significant cost that requires reallocation of resources across IT. It’s not uncommon that the security team is tasked with eliminating third-party security tools to help recover the costs and apply those dollars toward the E5 license costs. 

While Microsoft has significantly improved the security services available as part of the E5 license, there may still real benefits to using third-party provided services for your particular organization. 

Email Hygiene Scenario

In the case of email hygiene, incumbent platforms have more granular controls. They can also provide a separation-of-duties of sorts that you may not have with Microsoft-native tools. 

For example, consider the case of an attacker using a combination of a browser exploit and an MFA bypass attack to compromise an Exchange administrator account. The attacker then uses those admin privileges to disable key email hygiene functions for high-value executive users, and then proceeds to run targeted spear-phishing attacks against those executives. Such an attack would likely be more difficult to coordinate with a diverse email hygiene supply chain (because it would require multiple sets of credentials to accomplish). 

Another perspective to consider, though, is the fact that Exchange Online Protection (EOP) does a much better job of reducing the risk of email-delivered ransomware for intra-company attacks. For example, if one user is compromised with a ransomware dropper, and the attacker uses that compromised email account as a distribution point for the ransomware executables, third-party email hygiene products would not be able to look as closely at that attack situation as would the native M365 Office Defender and EOP controls in an E5 licensing scenario. In cases where companies are using an email hygiene platform that only scans inbound emails from third parties, that email scan would not catch an internal ransomware delivery attempt. 

EDR Scenario 

The Microsoft Defender for Endpoint (MDE) platform has gone through a significant transformation over the last 24 months, with feature improvements and capabilities enhancements that in some cases exceed those of competitors (at least for fully updated Windows 10 endpoints). However, organizations with diverse endpoints (Mac, Linux, etc.) will see less value and greater operational burdens. 

A justifiable situation for leveraging an E5 license is one where the organization has a fully modernized endpoint fleet, uses Microsoft Endpoint Manager as the configuration management platform and updates all systems within three weeks of release of Microsoft updates. 

If third-party tools are used for configuration management and a full-featured EDR is in place across a highly diverse set of endpoints, the value of MDE is very difficult to realize. 

Archiving, eDiscovery and Compliance 

In addition to email and endpoint security, organizations often have significant investments in the eDiscovery realm that could potentially be redirected toward paying the cost of an E5 license. However, at the time of this writing, Microsoft’s compliance solutions are more focused on organizations with fewer than 10,000 users. 

An enterprise with under 10,000 users could conceivably rely on the E5 license to replace the costs of another compliance platform, but it will be important to make that changeover after a full evaluation of Microsoft’s capabilities. 

M365 E5 License Considerations

Relying on security tools provided via Microsoft’s E5 M365 licensing can provide an acceptable level of cybersecurity risk management for some organizations. Before that decision is made, however, security teams should perform a thorough risk analysis of the Microsoft services and capabilities versus third-party-provided services. Important areas to focus on include: 

  • Separation of duties (SoD): Use of all-Microsoft tools can sometimes make SoD more difficult to achieve. 
  • Endpoint diversity: Enterprises with large numbers of Linux or Macintosh devices may find the management headaches of all-Microsoft solutions outweigh the cost benefits. 
  • Viability in environments with more than 10,000 email users. This is especially true when considering Microsoft’s eDiscovery capabilities. 
  • Extra training costs: The evaluation must include the cost to properly train staff for the significant differences in security toolsets, reporting, alerting and auditing that come with all-Microsoft tools. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 


Access time-saving tools and helpful guides from our Faculty.


IANS + Artico Search

2021 CISO Compensation Benchmark Study

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.