A quick guide to Microsoft 365 E5 Security and Compliance add-ons

Mathew Richards

Head of Mobility and Security

Published: 05 January 2022

Want to beef up your security and compliance capabilities without jumping to a full E5 licence? Microsoft 365’s E5 Security and Compliance add-ons could be the answer.

It’s no secret that Microsoft 365 E5 features industry-leading security and compliance technology. It’s also no secret that an E5 licence is the most expensive Microsoft licence available.

A full E5 licence isn’t necessarily the right option for every organisation. Some may need to prioritise better threat detection and response powers over more granular compliance features and vice versa.

And some may want both of those things but not the additional phone and conferencing capabilities that come with a full E5 licence.

To provide the flexibility for organisations to access (and pay for) just the bits that they need, Microsoft has grouped some of the Microsoft 365 E5 security and compliance technologies into their own SKUs that can be applied to a Microsoft 365 E3 licence.

In this blog, we’ll explore these two add-ons, covering what each SKU is, what it includes, what it costs, and whether it’s worth having.

What is Microsoft 365 E5 Security?

The Microsoft 365 E5 Security add-on acts as a sub-set of the Microsoft 365 E5 licence – allowing organisations to access Microsoft’s top-tier security technologies without paying for a full E5 licence.

It’s often thought that E5 Security only provides access to the E5 level Enterprise Mobility + Security (EMS) technologies. E5 Security actually spans a selection of security technologies from across EMS, Office 365 Enterprise, and Windows 11 Enterprise.

This ensures that you get the full benefits of Microsoft’s integrated, holistic approach to security by providing a layer of advanced security technologies that sit across your entire environment – enhancing and working with your existing Microsoft technologies and services.

What’s included in Microsoft 365 E5 Security?

The following plans and technologies are included in the Microsoft 365 E5 Security SKU:

Azure AD Premium Plan 2

As part of E5 Security, you’ll get access to Azure AD Premium Plan 2 (AADP2), which contains some effective identity management features:

  • Access reviews: Manage group memberships, access to applications, and review user access privileges. Helps ensure the right users have the access they need to be productive – but also enables you to remove access as people leave or move throughout your organisation.
  • Azure AD Identity Protection: Draws on Microsoft’s security telemetry to automate the detection and remediation of identity-based risks.
  • Privileged identity management (PIM): Control and monitor access to sensitive resources. Limit elevated access privileges to only those who need them with just-in-time access – and remove it when the task is completed.
  • Entitlement management: An identity governance feature, entitlement management helps you manage your identity lifecycles at scale. Automate the provision and removal of access to users within your environment as well as those in external partners and suppliers.

Microsoft Defender for Office 365

One of three ‘Defender’ suites included in E5 Security, you’ll get both Plan 1 and Plan 2 versions of Defender for Office 365.

Plan 1 includes:

  • Anti-phishing: With phishing attacks accounting for 91% of large organisation breaches (UK Gov, 2021), it’s important to have robust anti-phishing capabilities in place. Defender for Office 365 provides everything you need to identify, isolate, and nullify attempts to phish your users.
  • Real-time detections: Using the Threat Explorer function, detect and respond to phishing attacks as they happen. See who was targeted and when, then preview the phishing emails and identify what action was taken.
  • Safe attachments: Safe attachments uses a virtual environment to check email attachments before they’re delivered to a recipient. Scanned in a secure detonation chamber, URLs and links are validated before the document is approved for delivery.
  • Safe links: Safe links covers URLs found within emails, Microsoft Teams, and Office 365 apps. Links are rewritten, scanned, and compared against a list of known malicious destinations.

Plan 2 includes:

  • Attack simulation training: Run a variety of realistic phishing attack scenarios in your environment to help identify vulnerable users before a real attack does. Then provide relevant training to educate and improve your security.
  • Automated investigation and response (AIR): Takes the legwork out of identifying and responding to threats. Potential dangers are flagged with prepared remediation actions – simply awaiting approval from your security team.
  • Threat explorer: See all detected malware and phishing activity and launch investigation and remediation activity from one location.
  • Compromised user detection: Quickly locate compromised accounts through suspicious activity, such as spam emails coming from a verified user.

Microsoft Defender for Endpoint Plan 2

In a case of ‘doing what it says on the tin’, Defender for Endpoint helps protect endpoint user devices and access.

Using a combination of embedded behavioural sensors in Windows 11, Microsoft threat intelligence and cloud security analytics, Defender for Endpoint will help you identify compromised devices and activity – shutting down lateral movement attacks, fast.

Some of Defender for Endpoint’s features will be available in E3 under Plan 1 in 2022, but as part of Plan 2, you’ll get access to the following:

  • Advanced hunting: Explore up to 30 days of raw data with query-based threat hunting to identify both known and unknown threats. Create custom detection rules to automatically check for suspicious activity.
  • Evaluation lab: Run simulations and configuration tests to see how Defender for Endpoint would perform in your environment before applying it. Use lab results to refine and target vulnerable areas for improvement.
  • Automated investigation and response (AIR): Prioritising and investigating alerts is time-consuming. Defender for Endpoint’s AIR acts like a virtual analyst working 24/7, determining whether a threat requires action and what action to take, applying that action, and then investigating the alert further.
  • Threat and vulnerability management: Find and focus on endpoint weaknesses that pose the most risk based on threat landscape intelligence, detections in your environments, sensitive device data, and more.
  • Endpoint detection and response: Detect attacks in near real-time and take effective action in response. Defender for Endpoint organises and categorises attacks for easy investigation, storing behavioural data for 6 months for in-depth analysis.
  • Device discovery: Mapping all the devices in use in your network can be a challenge, particularly when it comes to unmanaged devices. Device discovery helps you identify laptops and mobiles not yet onboarded as well as other devices such as routers, printers and cameras.

Microsoft Defender for Identity

With 61% of breaches attributed to leveraged credentials (Verizon, Data Breach Investigations Report, 2021), monitoring and reacting to compromised identities is key to securing your environment – which is exactly what Defender for Identity was designed to do.

Defender for Identity utilises your on-premises Active Directory to detect and investigate suspicious user behaviour. Identity-based attacks typically target low-privileged users and then move laterally through your network to gain access to sensitive data and privileged accounts.

Defender for Identity helps you build a timeline of suspicious activity, identifying not only where the original breach occurred but the attacker’s direction of travel through your environment.

Microsoft Defender for Cloud Apps

Defender for Cloud Apps (previously called Cloud App Security) is a cloud access security broker, providing controlled access to cloud-based apps and services.

It does this by analysing things like device/user location and security configuration – this helps identify the use of any shadow IT devices and protects against suspicious access attempts.

It also helps you to identify any unapproved applications in use and keep sensitive data in the Cloud secure.

By employing Defender for Cloud Apps, managing the security and compliance of your cloud apps and resources becomes much easier.

What is Microsoft 365 E5 Compliance?

The second sub-set of Microsoft’s E5 licence allows you to add Microsoft’s top-tier compliance technologies to your E3 licence.

As legislation and data protection laws only increase in their importance, these technologies will become essential for enterprises that possess large amounts of sensitive data that needs to be identified, managed, and secured.

This will help show compliance at audit, offering detailed reports of what you have, where, and the proven ability to keep it safe.

What’s included in Microsoft 365 E5 Compliance?

The below are all available as individual licences, but as part of the E5 Compliance add-on, you’ll get access to:

Advanced eDiscovery and audit

Designed to help you respond to legal investigations or requests, Advanced eDiscovery enables you to easily identify persons of interest, associated data sources, and apply legal holds to that data.

Advanced eDiscovery identifies in-place data from across Teams, Yammer, SharePoint Online, OneDrive for Business, and Exchange Online. This functionality can also be extended to third-party sources via data connectors.

Adhering to the Electronic Discovery Reference Model, Advanced eDiscovery allows you to perform the following steps to reduce and manage relevant data on a case-by-case basis:

  • Identification – Add persons of interest as custodians to a case.
  • Preservation – Place a legal hold on data sources associated with custodians.
  • Collection – Search and collect live data relevant to the case.
  • Processing – Gain a static view of data in an Azure-based review set.
  • Review – View, tag, and annotate specific documents.
  • Analysis – Use integrated tools to cull irrelevant data quickly and accurately.
  • Production and Presentation – Export documents for review either in their native format or formatted for use by third-party software.

Insider risk management

When it comes to cyber security, the focus is typically on those trying to get in rather than those already inside.

But internal users can also pose a significant threat – whether by accident or deliberate action.

Insider risk management helps prevent various illegal, unauthorised, inappropriate, or unethical behaviour within your organisation. Using pre-defined policy templates and conditions, you can easily define what actions trigger an alert and what preventative or precautionary measures are implemented as a result.

When an alert has been triggered, your analysts can then create cases to investigate suspicious activity in greater detail and take any appropriate action required.

Utilising insider risk management can help you guard against:

  • Sensitive data leaks
  • Confidentiality violations
  • Intellectual property theft
  • Fraud
  • Insider trading
  • Regulatory compliance violations

Key features of the insider risk management suite are:

  • Communication compliance: Isolate and identify communications or messages containing profanity, threats, abuse, or sensitive information both inside and outside your organisation.
  • Customer Lockbox: Grant Microsoft support access to data in Exchange Online, SharePoint Online, and OneDrive for Business. Access must be approved by you and all action taken is logged for audit to ensure sensitive information stays secure.
  • Information barriers: Supported in Teams, SharePoint, and OneDrive, information barriers can be established to prevent communications between groups of users to prevent the sharing of confidential information.
  • Privileged Access Management: Reduce standing access to sensitive data and documents. Implement just-in-time access rules so users only have approved access for the task required – and that access is removed upon completion.

Information protection and governance

Microsoft’s information protection and governance suite is designed to help you achieve four things: know what data you have, protect that data, prevent data loss, and effectively govern it.

Having the ability to locate and protect data wherever it travels is key to remaining compliant with increasingly stringent data protection regulations.

Microsoft’s governance technologies will be especially important to highly regulated organisations such as those operating in financial services, healthcare, legal services, etc.

Key features of the information protection and governance suite are:

  • Endpoint data loss prevention (DLP): Classify certain data and documents as sensitive and use DLP to monitor the actions taken on them, whether they’re moved, copied, printed, or renamed.
  • Trainable classifiers: Auto-label sensitive information based on keywords or previously identified information such as credit card numbers. Use classifiers to apply protections based on item types by providing examples to speed up identification and security.
  • Customer Key: You provide and control the encryption of your Microsoft 365 data. Similar to Customer Lockbox, visibility of data and documents can only be granted to services approved by you.
  • Information governance: Keep on top of your data with processes that automatically keep what you need and delete what you don’t. Set retention policies and archive data for easy audit and compliance proof.
  • Records management: Place restrictions on items by labelling them as a ‘Record’ preventing them from being edited, deleted, or copied to ensure records are preserved and cannot be tampered with.

Microsoft 365 E5 Security and Compliance add-on pricing

The Microsoft 365 E5 Security and Compliance add-ons are available if you already have any of the following licences:

  • Enterprise Mobility + Security E3
  • Office E3
  • Microsoft 365 E3

Primarily used as add-ons for Microsoft 365 E3 licence holders, it should be noted that individual licensing plans are also available for Defender for Office 365, Defender for Endpoint, and Azure AD Premium, as well as the three licences that make up the Microsoft 365 E5 Compliance SKU.

Each complete E5 add-on will cost you around £9 per user/per month. If you were to purchase both the Security and Compliance add-ons you would have access to nearly all the E5-level technologies (barring audio conferencing, a phone system, and Power BI Pro).

But if that’s something you may be considering, then simply upgrading to a full E5 licence would be the recommended option – both to simplify your licensing costs and to ensure you get the full benefits.

Naturally, prices are subject to change, but E5 has remained fairly constant in recent times. So, it’s worth looking into what your preferred licensing combination could cost you per user/per month as you may be paying close to, or even more than, an E5 licence.

Are the Microsoft 365 E5 Security and Compliance add-ons worth it?

In 2021, Microsoft, the Government Digital Service, and the National Cyber Security Centre updated their security and compliance guidance for UK public sector organisations using Microsoft 365.

Based on a tiered approach of ‘Good’, ‘Better’, and ‘Best’, the advice is that most organisations need to be hitting the ‘Better’ standard.

To do that, you’ll need access to the E5 level security technologies at least. To hit the ‘Best’ level, you would need both add-ons or an E5 licence.

The ability to prove you have effective security and compliance capabilities in place will put your organisation in good stead for future threats and data legislation.

Whether it’s one add-on, both, or a full E5 licence, the security and compliance technologies included in Microsoft 365 E5 are becoming crucial to the success of modern enterprises – so it’s well worth putting some thought into what combination or solution works best for you.

Can I trial the Microsoft 365 E5 Security and Compliance add-ons?

It’s possible to trial some of the individual technologies included in E5 Security and Compliance, but not as an entire licence. Our recommendation is to use a Microsoft Partner to help you identify the best course of action, as they can support you through the entire process from selecting a solution to design and deployment.

Using a Partner will also enable you to take advantage of Microsoft’s FastTrack programme, giving you access to resources and specialist expertise to get you up and running much sooner.

Key takeaways

  • Microsoft 365 E5 Security and E5 Compliance package up Microsoft’s E5 security and compliance technologies into two individual licensing add-ons.

  • Not every organisation will need both, but if you do, consider the value of using a full E5 licence instead.

  • You’ll need the E5 Security add-on at least to hit the UK government’s ‘Better’ standard for security and compliance.

  • Licensing and deployment can be tricky, so lean on the expertise of a Microsoft Partner to gain access to FastTrack resources to ensure your solution adoption goes smoothly and you get the best value for what you need.

Mathew Richards

Mat is Kocho’s Head of Mobility and Security. He leads a team of consultants and architects that live and breathe secure transformation – delivering excellence across Microsoft 365 and Azure.
