A quick guide to Microsoft 365 E5 Security and Compliance add-ons

Mathew Richards

Head of Secure Digital Transformation

Published: 22 October 2024

Want to beef up your security and compliance capabilities without jumping to a full E5 licence? Microsoft 365’s E5 Security and Compliance add-ons could be the answer.

Microsoft 365 E5 packs a serious punch when it comes to managing security and compliance in complex environments. The reality is, however, not every organisation needs all the bells and whistles that come with the full E5 licence.

Microsoft recognises this, which is why the E5 security and compliance add-ons exist to fill the gap.

These add-ons are perfect for organisations using Microsoft 365 E3 (or similar plans) who need more than basic coverage but aren’t ready to go all-in on a full upgrade.

In this article, we’ll break down what they offer, how they differ from the full E5 licence, and what you need to consider when looking to optimise your Microsoft 365 investment, without compromising security.

What are Microsoft 365 E5 security and E5 compliance add-ons?

The Microsoft 365 E5 security and E5 compliance add-ons are packages designed to give organisations access to the advanced security and compliance features that are part of the E5 plan, without upgrading to the full E5 suite.

For organisations already using Microsoft 365 E3, these add-ons provide a more tailored and cost-effective way to get critical security and compliance capabilities. This allows businesses to enhance protection, governance, and regulatory adherence while keeping the familiar structure and features of their current plan.

Let’s take a closer look at each add-on and what it offers.

What is Microsoft 365 E5 Security?

The E5 security add-on is designed for organisations that need comprehensive security features to protect against modern threats.

It’s ideal for those using Microsoft 365 E3 who want advanced protection for identity, endpoints, and data, but don’t need the full range of tools and capabilities included in the broader E5 licence.

This ensures that you get the full benefits of Microsoft’s integrated, holistic approach to security by providing a layer of advanced security technologies that sit across your entire environment – enhancing and working with your existing Microsoft technologies and services.

What’s included in Microsoft 365 E5 Security?

The following plans and technologies are included in the Microsoft 365 E5 Security SKU:

Microsoft Entra ID P2

As part of E5 Security, you’ll get access to Entra ID P2 (in addition to the P1 tools already available via your E3 licence). This effectively means you’re gaining access to the comprehensive suite of Microsoft’s industry-leading identity and access management (IAM) system.

That means getting access to tools like:

  • Access reviews: Manage group memberships, access to applications, and review user access privileges. Helps ensure the right users have the access they need to be productive – but also enables you to remove access as people leave or move throughout your organisation.
  • Entra ID Protection: Draws on Microsoft’s security telemetry to automate the detection and remediation of identity-based risks.
  • Privileged Identity Management (PIM): Control and monitor access to sensitive resources. Limit elevated access privileges to only those who need them with just-in-time access – and remove it when the task is completed.
  • Basic Entitlement management: An identity governance feature that helps you manage your identity lifecycles at scale. Automate the provision and removal of access to users within your environment as well as those in external partners and suppliers.

Microsoft Defender for Office 365

Offers protection against phishing, malware, and other sophisticated threats targeting emails, SharePoint, OneDrive, and Teams. With the E5 Security add-on you’ll gain access to plans 1 & 2.

Plan 1 includes:

  • Anti-phishing: Phishing remains the most common form of cyber attack, with Kocho partner and phishing awareness specialist, Hoxhunt, reporting a staggering global incident increase of 1265% in 2023. And as malicious actors adopt new technology like AI to enhance their effectiveness, it’s never been so important to have robust anti-phishing capabilities in place. Defender for Office 365 provides everything you need to identify, isolate, and nullify attempts to phish your users.
  • Real-time detections: Using the Threat Explorer function, detect and respond to phishing attacks as they happen. See who was targeted and when, then preview the phishing emails and identify what action was taken.
  • Safe attachments: Safe attachments uses a virtual environment to check email attachments before they’re delivered to a recipient. Scanned in a secure detonation chamber, URLs and links are validated before the document is approved for delivery.
  • Safe links: Safe links covers URLs found within emails, Microsoft Teams, and Office 365 apps. Links are rewritten, scanned, and compared against a list of known malicious destinations.

Plan 2 includes:

  • Attack simulation training: Run a variety of realistic phishing attack scenarios in your environment to help identify vulnerable users before a real attack does. Then provide relevant training to educate and improve your security.
  • Automated investigation and response (AIR): Takes the legwork out of identifying and responding to threats. Potential dangers are flagged with prepared remediation actions – simply awaiting approval from your security team.
  • Threat explorer: See all detected malware and phishing activity and launch investigation and remediation activity from one location.
  • Compromised user detection: Quickly locate compromised accounts through suspicious activity, such as spam emails coming from a verified user.

Microsoft Defender for Endpoint Plan 2

In a case of ‘doing what it says on the tin’, Defender for Endpoint helps protect endpoint user devices and access.

Using a combination of embedded behavioural sensors in Windows 11, Microsoft threat intelligence and cloud security analytics, Defender for Endpoint will help you identify compromised devices and activity – shutting down lateral movement attacks, fast.

Some of Defender for Endpoint’s features are available in E3 under Plan 1. The E5 add-on provides access to Plan 2, and features such as:

  • Advanced hunting: Explore up to 30 days of raw data with query-based threat hunting to identify both known and unknown threats. Create custom detection rules to automatically check for suspicious activity.
  • Evaluation lab: Run simulations and configuration tests to see how Defender for Endpoint would perform in your environment before applying it. Use lab results to refine and target vulnerable areas for improvement.
  • Automated investigation and response (AIR): Prioritising and investigating alerts is time-consuming. Defender for Endpoint’s AIR acts like a virtual analyst working 24/7 to determine if a threat requires action and what action to take, apply that action, and then investigate the alert further.
  • Threat and vulnerability management: Find and focus on endpoint weaknesses that pose the most risk based on threat landscape intelligence, detections in your environments, sensitive device data, and more.
  • Endpoint detection and response: Detect attacks in near real-time and take effective action in response. Defender for Endpoint organises and categorises attacks for easy investigation, storing behavioural data for 6 months for in-depth analysis.
  • Device discovery: Mapping all the devices in use in your network can be a challenge, particularly when it comes to unmanaged devices. Device discovery helps you identify laptops and mobiles not yet onboarded as well as other devices such as routers, printers and cameras.

Microsoft Defender for Identity

With more than 600 million identity attacks identified globally per day (Microsoft Digital Defence Report, 2024), monitoring and reacting to compromised identities is key to securing your environment, which is exactly what Defender for Identity was designed to do.

Defender for Identity utilises your on-premises Active Directory to detect and investigate suspicious user behaviour. Identity-based attacks typically target low-privileged users and then move laterally through your network to gain access to sensitive data and privileged accounts.

Defender for Identity helps you build a timeline of suspicious activity, identifying not only where the original breach occurred but the attacker’s direction of travel through your environment.

Microsoft Defender for Cloud Apps

Defender for Cloud Apps is a cloud access security broker, providing controlled access to cloud-based apps and services.

It does this by analysing things like device/user location and security configuration – this helps identify the use of any shadow IT devices and protects against suspicious access attempts.

It also helps you to identify any unapproved applications in use and keep sensitive data in the Cloud secure.

By employing Defender for Cloud Apps, managing the security and compliance of your cloud apps and resources becomes much easier.

Unlocking the power of Microsoft Defender XDR

It’s also worth noting that combining these Defender products means users can tap into the new extended detection and response (XDR) powers of Microsoft Defender XDR.

By integrating all the Microsoft Defender products together, this XDR approach unifies how you detect, investigate, and respond to threats across your environment. It’s a major step forward, offering a cohesive defence strategy that evolves to stay ahead of emerging threats.

What is Microsoft 365 E5 Compliance?

The second sub-set of Microsoft’s E5 licence allows you to add Microsoft’s top-tier compliance technologies to your E3 licence.

As legislation and data protection laws only increase in their importance, these technologies are essential for enterprises that possess large amounts of sensitive data that needs to be identified, managed, and secured.

This will help you demonstrate compliance at audit, with detailed reports of what data you have and where it is, and the proven ability to keep it safe.

What’s included in Microsoft 365 E5 Compliance?

The E5 compliance add-on includes several Microsoft compliance and information protection tools, including:

Microsoft Purview Compliance Manager

Keeping up with evolving regulations can be daunting, but Purview Compliance Manager makes it easier. With over 300 pre-built assessments for standards like GDPR and HIPAA, it helps you manage your compliance posture.

It continuously assesses your Microsoft 365 environment, offering insights and recommendations through a compliance score. Automated workflows simplify meeting complex regulatory requirements, helping to reduce compliance risks.

Microsoft Purview Information Protection

Data breaches are costly, making data protection crucial. Purview Information Protection uses machine learning to classify and encrypt sensitive data, whether it’s stored or shared.

It applies labels automatically, ensuring consistent protection and encryption for confidential content, reducing risks of accidental exposure and securing data throughout its lifecycle.

Microsoft Purview Data Loss Prevention (DLP)

Protecting against data loss is key to maintaining trust. Purview DLP monitors and restricts the unauthorised sharing of sensitive data across Microsoft 365 apps, email, and cloud environments.

It detects risky actions and can block them automatically, alerting administrators when needed. With real-time control over data sharing, it helps prevent accidental or intentional data breaches.

Insider Risk Management

Internal threats can be just as damaging as external ones. Insider Risk Management identifies potential risks from within by analysing user behaviour for anomalies.

It tracks activities like file downloads and data sharing, allowing you to detect risky patterns early. This proactive approach helps prevent internal data leaks and ensures a safer work environment.

Advanced eDiscovery and Audit

Managing legal inquiries and compliance investigations can be complex. Advanced eDiscovery and Audit streamline the process, allowing you to search, preserve, and analyse data across Microsoft 365.

It offers deep search capabilities and legal holds, while detailed auditing provides a clear record of user actions. This reduces the time and effort needed to respond to legal requests and ensures data integrity.

Records Management

Organisations need to control their data lifecycles for compliance. Records Management helps you classify, retain, and dispose of information according to policies.

It automates retention and deletion across emails and documents, ensuring that critical records are kept as required and excess data is removed. This structured approach supports compliance and reduces storage costs.

E5 licences and UK cyber security standards

In 2024, UK public sector organisations need to align with the updated Cyber Security Standard, which supports the GovS 007 framework.

This standard emphasises compliance with the Cyber Assessment Framework (CAF), requiring organisations to meet specific baseline or enhanced security profiles. Therefore, a risk-based, threat-driven approach is central, with critical systems requiring assurance through the GovAssure process.

For organisations aiming for higher security standards, implementing advanced tools like Microsoft 365 E5, either as a full suite option or via the add-ons, can play a crucial role in achieving enhanced compliance and resilience against cyber threats. This is worth considering when deliberating what licences you need, especially if working in the public sector or within critical national infrastructure (CNI).

Microsoft 365 E5 Security and Compliance add-on pricing

Both the E5 security and E5 compliance add-ons are available as separate purchases for organisations already using Microsoft 365 E3 or lower-tier licences. The exact pricing may vary depending on the organisation’s region and specific contract terms, but here’s a general overview:

  • E5 security add-on: Typically priced around £10-£12 per user per month. This provides access to the full suite of security tools mentioned above.
  • E5 compliance add-on: Typically priced around £8-£10 per user per month. This grants access to the compliance features.

To purchase these add-ons, organisations must already have a Microsoft 365 E3 plan in place. These add-ons are not available to organisations using lower-tier plans like Microsoft 365 Business Standard or Business Premium, which don’t have the same baseline security or compliance frameworks as the enterprise plans.

Why not choose the full E5 licence?

While the full E5 plan provides unparalleled security, compliance, collaboration, and analytics tools, not all organisations require its full feature set. The decision to go with an E5 security or E5 compliance add-on instead of a full E5 licence typically comes down to specific business needs:

  • Cost efficiency: If an organisation primarily needs either enhanced security or compliance features without the extras, the add-ons provide significant cost savings.
  • Customisation: The add-ons allow organisations to build their security and compliance capabilities incrementally, without committing to an all-in-one solution.
  • Scalability: The add-ons enable businesses to focus on what they need now, with the option to upgrade to a full E5 licence later if their requirements change.

These updates reflect Microsoft’s continued efforts to help organisations navigate and manage their cloud environments more effectively.

Can I trial the Microsoft 365 E5 Security and Compliance add-ons?

It’s possible to trial some of the individual technologies included in E5 Security and Compliance, but not as an entire licence. Our recommendation is to use a Microsoft Partner to help you identify the best course of action, as they can support you through the entire process from selecting a solution to design and deployment.

Using a Partner will also enable you to take advantage of Microsoft’s FastTrack programme, giving you access to resources and specialist expertise to get you up and running much sooner.

As a leading Microsoft partner, we can help you benefit from the FastTrack programme, as well as offering a range of additional support, services, and even funding opportunities (subject to requirements). Speak to our team today to discuss the right licence options for your business and ensure your investment is optimised to maximise return without compromise to security.

Key takeaways

  • Microsoft 365 E5 Security and E5 Compliance package up Microsoft’s E5 security and compliance technologies into two individual licensing add-ons.

  • Not every organisation will need both, but if you do, consider the value of using a full E5 licence instead.

  • You’ll need the E5 Security add-on at least to hit the UK government’s ‘Better’ standard for security and compliance.

  • Licensing and deployment can be tricky, so lean on the expertise of a Microsoft Partner to gain access to FastTrack resources to ensure your solution adoption goes smoothly and you get the best value for what you need.

Author

Mathew Richards

Head of Secure Digital Transformation

Mat has over 25 years’ IT experience, including seven years at Microsoft. He leads a team of consultants and architects that live and breathe secure transformation – delivering excellence across Microsoft 365 and Azure.
