top of page
Writer's pictureNathan Hutchinson

Is there still a place for the current Microsoft 365 E3 license?

Updated: Mar 31, 2022

With the addition of Defender for Business into the Microsoft 365 Business Premium license the gap between it, and Microsoft 365 E3 just got even smaller. In this blog post I explore whether or not E3 still has a place in the Microsoft 365 licensing stack or whether the big wigs at Redmond should just bite the bullet and merge the two somehow.


All opinions and statements are based on my real world experience with end users and clients using the Microsoft 365 stack, if you have differing opinions, I would genuinely love to hear them and explore other scenarios that I might not have thought of, so leave a comment below if that's the case.


To be clear, I want to start this post by saying I understand there will be some elements of the M365 E3 license that organisations, particularly larger ones, may need and I am also aware that M365 BP is only to be used for organisations up to 300 users. I feel those additional features are usually somewhat niche for the SMB world that a lot of us work in and what I hope to achieve in this post is to conclude whether or not small to medium size businesses should ever use M365 E3, whether there is realistic additional value adds to be had for the SKU and at what point would they or even larger ones, just make the jump to M365 E5.


With that out of the way, lets get started on the comparisons and real world requirements for included features, starting with the obvious ones.


Defender for Business/Endpoint


The latest addition I believe to both licenses, is the addition of the Defender for Endpoint features with M365 E3 gaining Defender for Endpoint Plan 1 and the M365 BP version getting it's own dedicated version aptly named Defender for Business, but how do these stack up?


In the above image I have highlighted the individual features that are included in M365 BP but not in M365 E3, that's a lot of red, right? Let's walk through each one briefly.


Simplified client configuration is new to Defender for Business and not included in either of the other SKUs and is designed to get most SMB's up and running quickly without any hassle of worrying about the enterprise version which typically requires a bit more knowledge on when it comes to setup and deployment.


Threat and Vulnerability Management or TVM is probably my favourite addition to DFB (that's Defender for Business if you didn't catch on) and here's why. TVM gives you a single dashboard and management panel for assessing all of your Defender onboarded assets, detailing their discovered vulnerabilities, misconfigurations and deprecated software in real time so you can visualise your current organisational risk and if that wasn't enough for you, it also provides recommendations on how you can reduce your organisational exposure by hardening endpoints with up to date security recommendations, pretty damn cool if you ask me.


Endpoint detection and response provides near real time and actionable alerting, alert management and alert aggregation, when alerts are aggregated, this is usually because Defender has deemed them to be part of the same attack chain or attack attempt, at which point they become part of an incident.


Automated investigation and response is exactly what it sounds like, automated investigation and if configured, automated remediation of endpoint threats, reducing the volume of active alerts coming into the portal.


Threat Analytics is where Microsoft highlights the latest emerging threats from around the world and provides an assessment on which endpoints are directly impacted and which devices under your management are vulnerable, providing a quick and easy way to visualise your exposure to the latest threats.


Microsoft 365 Lighthouse is an MSP centric, management portal that allows managed service providers that oversee multiple tenants to easily view Defender related data and quickly and easily make bulk changes to multiple tenant configurations if required.


Now, I can understand why simplified client configuration might not be included in Plan 1 and Plan 2 with them being geared towards the "enterprise" market you'd expect configuration to be fairly specific so granular controls would be required but not extending M365 E3 or even M365 E5 for that matter to Microsoft 365 Lighthouse is a real shame for MSPs and other organisations that manage multiple tenants.


I feel like I could argue, if I'm an organisation big enough to require M365 E3 as a minimum that I'd want all (or most) of the above features but the one that really stands out for me is TVM, given it's a single pane of glass for assessing endpoint risk at scale I feel strongly that this should be included in the M365 E3 license and is one of the biggest reasons I would recommend businesses either downgrade to M365 BP if that's an option or look to something like M365 E5.


In order to investigate further let’s take a look at Aaron Dinnage’s M365 Maps feature matrix across both licenses.


The URL for the below is here: Feature Matrix | M365 Maps - It should be noted that features like DFB are not in the below list yet, I'm not sure the reason for this but I'm sure it will be added eventually.


Your mileage may vary on some of my opinions but like I said at the start, these are my opinions based on organisations I have worked with in the SMB market and I would love to hear how you may or may not be using the features I highlight below. I am going to make my suggestions on features I think should be included in either M365 BP and M365 E3 or both.


I won't compare every feature as some will quite obviously be tailored for the enterprise market, some you could argue most SMBs just wouldn't even think about and some might be in the grey area.


Exchange Online - I think the chosen feature set sits nicely between the SKUs, given both support Exchange Online Archiving, it works well as is.


Live Events & Webinars - I would have liked to see these features included in M365 BP, there are organisation out there with 300 or less users that want to do Live Events and Webinars.


Defender for Office 365 Plan 1 - One of the best features available within the M365 BP license, also one of the main reasons I don't like the current M365 E3 license. As consultants we are tasked with providing the best advice to our client base, especially around security, as such before M365 BP came along, I made Defender for Office 365 Plan 1 (or Microsoft Office 365 ATP as it was called then) a mandatory add-on license for SKUs such as Business Standard, I feel strongly that this should be included with the M365 E3 license, period.


OneDrive for Business - Until I started writing this article, I hadn't appreciated that M365 BP only included Plan 1 and that Plan 2 included the DLP features for data within OneDrive for Business, mainly because I don't think I've ever ran into a scenario where those features haven't worked for me. The OneDrive for Business comparison page is also confusing as it states features that should not be available in Plan 1 but seemingly are in M365 BP, I have highlighted the obvious ones below, like for example KFM or 'OneDrive Backup' as it's also known which certainly does work with the M365 BP license as does Sensitivity Labels for files in OneDrive for Business. Maybe M365 BP has it's own special OneDrive for Business features that sit somewhere in the middle?




Server CAL rights - I suspect most hybrid organisations utilising M365 BP will already have CALs purchased and are doing so less frequently than larger organisations might be at scale, makes sense to have this included in the M365 E3 only. Including the AVD rights in both SKUs is a smart move as this would tease organisations into leaning towards AVD rather than on-premises investments at next hardware refresh cycle.


AppLocker - As documented on the MS docs page for AppLocker, it's only restricted to Enterprise OS's if using Group Policy to configure it, if using MDM, it's supported on all SKUs, bonus.


Credential Guard and Device Guard - Fantastic security features that should be kept for the enterprise world, I don't believe these features would belong in M365 BP and if they were, would likely be over looked, they act as a good 'step up' feature to the enterprise SKUs.


Defender for Cloud Apps - Another fantastic security feature that I also believe should be kept for the enterprise market although, it would be neat if they could include a trimmed down version of it for M365 BP that only allowed you to connect Office 365 with the option to connect third-party apps reserved for the enterprise SKUs.


So, all in all, bar a few nice to haves I think the M365 BP license is sat pretty much at the sweet spot for the SMB market and a great baseline license for any start up business. Well duh, Microsoft have done a good job of putting this SKU together, tell me something I don't know? Is what you are probably thinking, right?


While some of you reading this might think I started this post to glorify M365 BP or just batter down on M365 E3, it's actually the opposite; I want to save the M365 E3 SKU.


You might argue that if you are a 300+ user organisation that you can afford to put up with M365 E3 as your baseline SKU and bolt on from there until it finally becomes more cost effective to jump to M365 E5, but that annoys me. M365 E3 is the next 'step up' license from M365 BP and it should justify itself in that way, I don't think it holds value with it's current feature set and Microsoft should get their act together and re-think it, just like they did with M365 BP which now makes it stand out from the crowd.


With that out of the way, what do I think should be included in the M365 E3 SKU in order to provide more value.


Azure Active Directory Premium P2 - Hands down one of the best licenses out there. Access Reviews, Azure Identity Protection, Entitlement Management, Privileged Identity Management and my personal favourite Risk Based Conditional Access. I have included this license as an add-on to M365 BP for so many clients because the features within it are just that good, this should be included in M365 E3 without a doubt.


Defender for Office 365 - Plan 1 is included in M365 BP, why take it out the next step up? M365 E3 should at a minimum, have Defender for Office 365 Plan 1 included.


Defender for Endpoint - It kills me a little inside that M365 E3 only gets Defender for Endpoint Plan 1. I lose all of the best features that allow me to manage my endpoint risk at scale. It should have Defender for Endpoint Plan 2 included or at least the new Defender for Business so it's on par with M365 BP.


So, how much would only these 3 add-ons take me to with M365 E3 as my baseline license? Assuming we're on a best case scenario and you are on the new NCE annual pricing, I'll break it down below.


Microsoft 365 E3 - £31.70

Azure Active Directory Premium Plan 2 - £6.80

Defender for Office 365 Plan 1 - £1.51

Defender for Endpoint Plan 2 - £3.90

Total - £43.91


How much was Microsoft 365 E5 again?...£48.10.


Very clever, Microsoft - We love you, but we also hate that you do this to us. With the above differences it's pretty much where you just say "You know what, we get loads more features and it's not that much more, lets just go M365 E5".


I get it, at the end of the day they have to make money too, I just really wish they could add more value to the M365 E3 SKU, I'd even be happy with a price hike. Take it to £39.20 and include all of the above features so it's at a decent starting point for the "enterprise" market and keep all of the other juicy features for M365 E5. I know we have the add-on packs but any size organisation will want to consolidate where possible and just having this entry level license for the enterprise market have just those few extra features will really put the SKU in a position to be well placed between M365 BP and M365 E5.


TLDR; I'd find it hard to recommend M365 E3 to any size organisation and it is in my opinion a pretty poor license to use and start with, I'd be happier if they upped the price a little and included some Plan 2 features such as Azure AD Premium Plan 2, Defender for Office 365 and Defender for Endpoint as this would make the jump to M365 E5 a little less steep, but also keep that gap large enough for the next 'step up' to be a worthwhile investment.


Who knows, they might do something soon, but we'll see.


I would love to hear your thoughts on this, especially which features you think should be included within M365 E3, if indeed you think it should be changed at all!


EDIT; It has been brought to my attention that the Microsoft 365 E5 Security add-on license covers all of my wants within the M365 E3 for an annual NCE cost of £9 which takes the total cost to £40.70 which isn't so bad, once you add the Compliance add-on then you might as well jump to M365 E5. I still think there are bits that should be included as part of M365 E3, maybe Defender for Office 365 Plan 1 and Defender for Endpoint Plan 2 included? Who knows, maybe in the future - Thanks a lot to Mark for highlighting the E5 Security add-on though as that will certainly help me in future when dealing with clients on the M365 E3 SKU.




378 views3 comments

Recent Posts

See All

3 Comments


mark.taylor
Mar 15, 2022

Hi Nate, there is a step up to E5, the E5 Security add on, and it adds all the good parts you'd want in E5 (DFE, DFCA, DFI, DFO, AADP2). E3 + E5 Sec is a powerful combo, we use it a lot. No doubt that M365 BP is the best license out there right now, but its being hobbled by Microsoft. They have literally just added DFB to it, but DFB wont talk to Microsoft Sentinel, so you have DFI, DFCA, DFO (will all talk to Microsoft Sentinel), and suddenly DFB wont. Classic poor execution from Microsoft. And I disagree slightly about TVM, it is great, no doubt about that, but EDR capabilities are top of the tree value…

Like
mark.taylor
Mar 16, 2022
Replying to

Hi Nate,


RRP for E5 Security (NCE Annual) is about £9 PUPM.


Check out Aaron's Home | M365 Maps for a good way to see the different licenses and add on's.


Regards to MDB, its complex and we are still testing a lot of scenarios, but what we have seen, is that in a 'pure' MDE P2 environment that had the MDE P2 removed (and was left with just MDB). Ingestion into Sentinel stopped the same day.


We've seen that twice. And if intended, its crazy!


What I will say is.. its easy to work around for now... and in plenty of environments would not occur in a 'pure' sense.


Happy to share details, don't exactly want to alert Microsoft…


Like
bottom of page