Microsoft licences: Are you using what you're paying for?

E7 has arrived, E3 and E5 keep expanding, and many organisations are asking whether their current licence tier still fits. That’s a reasonable question, but often the better place to start is by asking what are you already paying for, and how much of it is genuinely in use?

Across a lot of the estates we review, licence value depends on how much of the available capability is genuinely working for them. Security, governance and identity features may already be included in the tenant, but too often they are only partly configured, or not switched on at all.

Microsoft licences: How they’ve changed

Microsoft has restructured what sits inside E3 and E5. Announced at Ignite 2025 and taking effect from July 2026, the changes bring capabilities such as endpoint management, privilege controls, certificate services, application governance and AI security tooling deeper into the core licensing stack.

But rather than deliberating on what commercial tier to buy, organisations would be better served assessing what they already have. What does your existing licence include, which are deployed properly, and which third-party tools are still being paid for out of habit.

The E7 licence takes that direction further. It packages E5 with the Microsoft Entra Suite, Microsoft 365 Copilot and Agent 365 into a single model, with Intune Suite included at no additional cost. For organisations moving towards AI adoption and stronger identity governance, the packaging signals where Microsoft is taking the platform.

But E7 is not a shortcut around underused E5 capability.

It only makes sense when the E5 foundation is already understood, governed and working.

The operational cost of duplicated tooling

In a lot of instances, E5 sits alongside standalone Copilot licences and a patchwork of third-party tools covering VPN, web filtering, endpoint controls and data protection. The Microsoft-native capability is present in the tenant, but not configured to the point where the organisation trusts it enough to retire the alternative.

Comparing Global Secure Access with Zscaler, or Purview with Varonis, can be useful. But assessing each control in isolation misses where Microsoft’s model is strongest. Its advantage is not that it has individual products in every category. It’s that those products are designed to use the same identity, device, risk and data signals.

A user authenticates through Entra ID. Identity Protection evaluates the sign-in risk. Conditional Access uses that signal, alongside device compliance from Intune, to decide what the user can reach and under what conditions.

If the session needs controlling, Defender for Cloud Apps applies session policies. If sensitive data is accessed or moved, Purview sensitivity labels and DLP policies determine what is allowed.

Each decision feeds the next, and the security outcome depends on that chain, not on any single control.

When those same functions are spread across four or five separate vendors, that chain is more liable to break. Each tool operates its own policy model, alert queue and view of risk. A scenario that regularly leads to security teams spending precious time reconciling signals that should already be connected.

The commercial spend on duplicated tooling is visible. The operational cost is often higher: fragmented control, slower incident response and gaps between systems that attackers can exploit.

Consolidation only works when it improves that operating model. Cost reduction should be the result of better integration, not the only reason to change.

Putting identity governance at the heart of AI implementation

Whether you are actively using 365 Copilot or building AI agents, the question is the same: who has access to what, and how do you maintain control as AI scales?

Copilot and agents inherit the permissions of the identities they act on behalf of. If identity governance is manual or incomplete, scaling AI introduces data exposure risk.

Getting this right in E5 is what makes an eventual move to E7 productive.

E7 takes this further with Agent 365, a dedicated control plane for managing and securing enterprise AI agents. Its value depends on the identity governance underneath it. If permissions are incomplete or manually maintained, there is nothing reliable for the control plane to enforce.

The path to E7 starts with E5 done properly

The most effective route to E7 starts with an honest audit of current licence utilisation. Activate the features Microsoft has already added to your tier. Deploy the Conditional Access and DLP policies already in your tenant. Get identity governance operational, then retire the third-party tools that duplicate what Microsoft now provides natively.

When you move to E7, you are building on a security foundation that is already working.

See what you own, what’s active, and what’s costing you twice

At Kocho, we can help you review and optimise your Microsoft licences, mapping your entitlements against what is actually enabled in your tenant, and identifying where duplicated third-party spend can be removed.

The output is a phased activation plan: improved utilisation now, and a clearer path to E7 when the timing is right.

Ready to find out more?

Then please reach out to the team.