Microsoft has recently announced the ability to purchase and pair the Microsoft 365 E5 Security add-on license with Microsoft 365 Business Premium. This is a major benefit to organizations with fewer than 300 user-based licenses, as new security capabilities are now available without a major shift in licensing to the enterprise plans.
Microsoft 365 Business Premium and Microsoft 365 E5 Security
Let’s first take a look at what’s already included in Microsoft 365 Business Premium:
Cloud access security broker
- Microsoft Defender for Cloud Apps Discovery
Identity and access management
- Microsoft Entra ID Plan 1
- User Provisioning
- Cloud user self-service password change
- Cloud user self-service password reset
- Hybrid user self-service password change/reset with on-premises write-back
- Conditional Access
- Single sign-on (SSO)
- Windows Hello for Business
Threat Protection
- Microsoft Defender for Business
- Microsoft Defender Exploit Guard
- Microsoft Defender Credential Guard
- BitLocker and BitLocker To Go
- Windows Information Protection
- Microsoft Defender for Office 365 Plan 1
Microsoft 365 Business Premium with Defender for Business
Microsoft Defender for Business is bundled within Microsoft 365 Business Premium. At the time of this posting, you can’t mix the two licenses within a given tenant. Thus, if your organization decides to go forward with adding Microsoft 365 E5 Security to your users, you’ll need to purchase enough licensing and then contact Microsoft Support to request the switch for your tenant.
Defender for Business is closer to Defender for Endpoint Plan 2 than it is to Defender for Endpoint Plan 1.
You can find more information on the differences between those plans here: https://learn.microsoft.com/en-us/defender-business/mdb-faq#what-are-the-differences-between-defender-for-business-and-defender-for-endpoint-plans-1-and-2
Microsoft 365 E5 Security
The Microsoft 365 E5 Security license has been around for quite a while but was previously limited to being assigned to users within Microsoft 365 E3 or Office 365 E3 and Enterprise Mobility + Security E3.
Microsoft describes the capabilities of Microsoft 365 E5 Security as:
- Comprehensive XDR capabilities across identities, endpoints, apps, and email to help protect against, detect, and respond to sophisticated attacks
- Identity protection with AI-driven risk detection and automated response
- AI-powered endpoint security with applied threat intelligence and threat hunting
- Enhanced AI-driven phishing protection and detailed reporting
- Software as a service (SaaS) security to track employee use, manage access, and restrict suspicious behavior in cloud apps
Here is a more technical breakdown of what’s included in Microsoft 365 E5 Security:
Cloud access security broker
- Microsoft Defender for Cloud Apps
- App Governance in Defender for Cloud Apps
- Office 365 Cloud App Security
Identity and access management
- Microsoft Entra ID Plan 2
- Microsoft Entra ID Protection
- User Provisioning
- Cloud user self-service password change
- Cloud user self-service password reset
- Hybrid user self-service password change/reset with on-premises write-back
- Advanced Security Reports
- Multi Factor Authentication
- Conditional Access
- Risk Based Conditional Access / Identity Protection
- Privileged Identity Management
- Access Reviews
- Entitlement Management
Threat Protection
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for IoT – Enterprise IoT
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 Plan 2
- Microsoft Defender Application Guard for Office
- Safe Documents
Comparison
Here’s a table to help sort out what is included within Microsoft 365 Business Premium and what capabilities are added with Microsoft 365 E5 Security.
Premium | E5 Security | ||
---|---|---|---|
Identity and access management | Microsoft Entra ID Plan 1 | Y | |
Microsoft Entra ID Plan 2 | Y | ||
Microsoft Entra ID Protection | Y | ||
User Provisioning | Y | Y | |
Cloud user self-service password change | Y | Y | |
Cloud user self-service password reset | Y | Y | |
Hybrid user self-service password change/reset with on-premises write-back | Y | Y | |
Advanced Security Reports | Y | ||
Multi Factor Authentication | Y | Y | |
Conditional Access | Y | Y | |
Risk Based Conditional Access / Identity Protection | Y | ||
Privileged Identity Management | Y | ||
Access Reviews | Y | ||
Entitlement Management | Y | ||
Single sign-on (SSO) | Y | ||
Windows Hello for Business | Y | ||
Cloud access security broker | Microsoft Defender for Cloud Apps Discovery | Y | |
Microsoft Defender for Cloud Apps | Y | ||
App Governance in Defender for Cloud Apps | Y | ||
Office 365 Cloud App Security | Y | ||
Threat protection | Microsoft Defender for Business | Y | |
Microsoft Defender for Endpoint Plan 1 | |||
Microsoft Defender for Endpoint Plan 2 | Y | ||
Microsoft Defender for IoT – Enterprise IoT | Y | ||
Microsoft Defender for Identity | Y | ||
Microsoft Defender for Office 365 Plan 2 | Y | ||
Microsoft Defender Application Guard for Edge | Y | ||
Microsoft Defender Application Guard for Office | Y | ||
Safe Documents | Y |
Pricing
Keep in mind that the Microsoft 365 E5 Security license is an add-on to each of your Microsoft 365 Business Premium licenses. At the time of this posting, that add-on price is $12 per user/per month. According to Microsoft, you must make the change for ALL users and not just a subset of users. This can be a tough pill to swallow since the price of Microsoft 365 Business Premium is $22.00 per user/per month.
That’s a monthly cost increase of 54.55%.
The natural question here is, “Is it worth it?” The answer ranges from probably to absolutely.
One example is if your environment has Hybrid Identity with Windows Active Directory. The inclusion of Defender for Identity significantly improves your security posture.
Also, the inclusion of Defender for Endpoint Plan 2 adds “30 days advanced hunting and six months of data retention in the device timeline” and “Microsoft Threat Experts”.
The additions of Risk Based Conditional Access / Identity Protection, Privileged Identity Management, Access Reviews, and Entitlement Management add protections that are critical for defining and maintaining roles and permission management.
If you have an existing Managed Service Provider and/or Managed Security Service Provider, there may be some overlap here. Overlap isn’t always bad but should be identified and managed accordingly.
Preparing for the transition
Before you purchase the licensing and dive into these new capabilities, I’d recommend the following:
- Assess your existing environment – You should do this at least every six months to ensure that you’re leveraging the current capabilities
- Clean up – This normally means updating and deleting existing security groups and assignments, updating configurations and policies, and transitioning services due to technical debt
- Prioritize by risk, not fruit – Don’t go for the proverbial low-hanging fruit. Security is about risk management, so look for the areas in your business and environment that need the most attention and offer the most benefit. (Note: if you have Windows Active Directory in hybrid identity with Entra ID, I’d start there.)
Conclusion
Is investing in Advanced Security Solutions Worth It? Absolutely!
In today’s world of hybrid identities and advanced security threats, investing in robust security solutions is essential. Integrating tools like Defender for Identity and Defender for Endpoint Plan 2 can significantly enhance your security posture. With features such as advanced hunting, data retention, and expert threat management, these tools offer crucial protection.
Additionally, implementing Risk-Based Conditional Access, Privileged Identity Management, Access Reviews, and Entitlement Management is essential for effective role and permission management.
Investing in advanced security solutions is not just worth it—it’s critical for safeguarding your organization.
Pairing Microsoft 365 Business Premium and Microsoft 365 E5 Security is a smart move for organizations looking to enhance their security without a major shift in licensing.