Super-charging security on non-Microsoft 365 E5 plans
This article was updated in April of 2020
Microsoft 365 E5 is the Cadillac of plans. Basically every product in the 365 universe is bundled into this level subscription, and that includes a ton related to security.
Recently, Microsoft announced two new bundles aimed at security & compliance. The idea behind these plans is that non-E5 customers could pick one or both of these up, to super-charge their subscription with the same level of luster that E5 has to offer, but without fully moving into E5 (which also includes, among other things, a Teams-based Phone System).
After all, the retail price on the E5 bundle is USD $57.00/user/month–ouch!
Wouldn’t you much rather have a 12.00 security super-charge added on to an existing Microsoft 365 Business or Enterprise E3 bundle? Sign me up, Scotty!
Microsoft 365 E5 Security
Microsoft 365 E5 Security (formerly Identity & Threat Protection) retails for USD 12.00/user/month and is an amazing security bundle for the price. Here’s what it includes:
- Azure AD Premium P2
- Office 365 Advanced Threat Protection P2, which includes:
- Office 365 ATP P1 AND
- Office 365 Threat Intelligence
- Microsoft Cloud App Security
- Azure ATP
- Microsoft Defender ATP
The question is, will it also be possible to attach this new subscription bundle to Microsoft 365 Business Premium? The answer is yes you can. However, be aware that you must also have Azure AD Premium P1 in place for this configuration to work (P1 is a pre-requisite to adding P2). (UPDATE: Microsoft 365 Business Premium now includes Azure AD Premium P1, making this even easier and more attractive).
*Also, as I have previously mentioned here, as a Business subscriber you’d have to purchase Windows 10 Enterprise first, in order to really be licensed to use the full version of Microsoft Defender ATP (an Enterprise EDR product). Windows 10 E3 runs USD 7.00/user/month. Eeesh. So, compare the total pricing:
Microsoft 365 Business (20.00)Azure AD Premium P1 (6.00)Microsoft 365 E5 Security (12.00)Windows 10 Enterprise E3 (7.00)
GRAND TOTAL = $45.00 (USD). Therefore you’re better off moving to Microsoft 365 E3 (which DOES include Azure AD Premium P1) then add Identity & Threat Protection for USD $44.00 ($1.00/user/month savings).
UPDATE: Microsoft Defender ATP is now available as a standalone add-on to any version of Windows 10, even Pro. That price is USD 5.20/user/month for up to 5 devices.
Enterprise Mobility & Security E5
Perhaps you have considered the Enterprise Mobility & Security E5 bundle. This package contains many of the same products as Microsoft 365 E5 Security, but also includes the P2 upgrade for Azure Information Protection (which gives you the ability to automatically classify your data).
This add-on is 14.80. Note however that you won’t have Office 365 ATP P2 or Microsoft Defender ATP. Picking up both separately on top of EM+S E5 would land you at 25.00 total for your add-ons. However, when you consider that Azure Information Protection P2 weighs in at only $5.00 USD/user/month, it clearly becomes a better deal to start with Microsoft 365 Business Premium or E3, and add Microsoft 365 E5 Security. That combo is $32.00 or $44.00 respectively, and if you also wanted AIP P2 for auto-classifications, etc. then you’re up to $37.00/$49.00.
Wheew. Not confusing at all, right? Which is why I ask Microsoft: why not simplify all of this for us, and include a Microsoft 365 Business “B5” plan that runs somewhere between 30.00 and 40.00 USD, and contains the most reasonable bundle of software, for those with stronger security/compliance needs?
I am going to be watching for more developments on this, closely. I will let you know when I hear something definitive. If the MS licensing gods do ever open up WDATP to Windows 10 Business subscribers, or finally just include Azure AD Premium P1 with the primary product bundle, then Identity & Threat Protection is the one add-on I would recommend. If they come out with my dream plan (B5), better still. But until then, its just a confusing cluster.
So Microsoft 365 E5 Security is my go-to recommendation if you want to be successful with a “Security as a Service” offering to your customers.
Comments (28)
Hi Alex,
thanks for this article!
I’m wondering if the fact that AAD P1 is needed in addition to the M365 Identity & Threat Protection Add-On is not just a bug. Were you able to get an official statement from Microsoft?
Thanks and best,
Boris
Hi Alex,
Now that conditional access is included with M365 Business, are you still recommending the P1 on top of M365B for all your clients? My understanding is the P1 features that are now included in the M365B is not the full P1 license, so if you want to add a P2, you’d still need a separate P1. Clear as mud, thanks Microsoft :)
Thanks
True fact. I do recommend to my customers that sensitive accounts, including global admins, have EM+S E5, that way they get AAD P1 & P2 in that bundle, as well as AIP P2. They can take advantage of Identity Protection, PIM, MCAS, and auto-classification for the most sensitive users and their datasets.
Hey there!
Thanks for info. If I understand correctly, if I want just WDATP, I need Windows 10 E3 + M365 E5 Security? Or is it really not intended to work this way and I need either M365 E3 + E5 Security?
That combo would work, I believe. However, you get more full functionality when MDATP is integrated with the other components of Microsoft 365, including Intune, Azure AD Premium and so forth.
Microsoft does not even understand it very well. I have an open ticket with them on this. So far the answers have not been forthcoming. My testing in Windows Defender ATP has been through using Microsoft 365 E5 licenses. However, I want to roll this out to more users. So, here is my scenario:
If I have a user with these licenses, do I get every security application including the Windows Defender ATP?
-Office 365 Business Premium. $12.50 a month (or Office 365 E3, I have non assigned Action Pack license I can use)
-EMS Security E5 $14.80
-Microsoft 365 E5 Security $12
—-Total per Month —-
$39.30
In theory this then gives us all of the security products including the Windows Defender, ATP, right? Compare this monthly cost with the Microsoft 365 E5 license at $57 a month. Or, the Microsoft 365 E3 license $32 plus the Microsoft 365 E5 security $12, total cost of $47, still saves us $10 a month over Enterprise E5.
Am I understanding this correctly?
A better combination starts with Microsoft 365 Business Premium (formerly Microsoft 365 Business). This now includes Azure AD Premium P1. Microsoft 365 E5 security effectively includes the “security” apps that close the gap to E5 (MCAS, MDATP, Azure ATP, AAD P2, etc.). Note however that it does NOT include the compliance items (e.g. AIP P2, Advanced Compliance, etc.)–that’s available in a separate package called Microsoft 365 E5 compliance.
What are the key things that you are trying to deploy or take advantage of? Most are available standalone as well–it can be daunting to consume all of it, so be clear about what you want to accomplish–that can help you narrow down the stuff that “really matters.” E5 if you just want everything, don’t want to think about and don’t mind paying a premium to have the “Yes” SKU.
Hi Alex!
I’ve been looking at Microsoft Defender ATP as endpoint protection. Until I stumbled across this blog post I thought that you were not able to combine Enterprise plans with Business plans. But as far as I can read I can combine M365 Business Premium with a M365 E5 Security right?
From the docs I cannot see that Microsoft Defender ATP is supported on anything else but Windows 10 Enterprise. See this link: https://www.microsoft.com/en-us/windowsforbusiness/compare but you are saying they have released it for Windows 10 Business. Can you confirm this?
See here: https://www.microsoftpartnercommunity.com/t5/UK-Modern-Workplace-Community/Announcing-Microsoft-Defender-Advanced-Threat-Protection-MDATP/gpm-p/16338
Confusingly when you go to purchase the Microsoft 365 E5 Security add-on it has the message:
Microsoft 365 E5 Security
A complete set of threat protection solutions, leveraging cloud signal to detect and protect against threats to your organization, along with automated incident responses. A Microsoft 365 E3 subscription is a pre-requisite for this plan.
Yes this is still old based on a time when:
1. Azure AD Premium P1 was not included with the Business subscription
2. The MDATP license was not compatible w/ Win 10 Pro/Business subscription
Both of these have been dealt with, so there should be no blockers as far as I can tell (as you could easily buy the add-ons piecemeal, why not in the bundle?)
Seriously, to get 99% of the security features I can just license these products:
-Office 365 Business Premium $12.50 a month
-Microsoft 365 E5 Security $12
-EMS + Security E5 $14.80
— Total — $39.30 ——
Compare that to $57 for Microsoft 365 E5.
What am I missing? Even moving the Business Premium up to Microsoft 365 Business Premium ($20 a month) does not get me much more than having this combination of licenses.
We will have to see if that is an approved license combo. It makes sense on the surface, but as another person pointed out, they technically expect that Microsoft 365 E3 is a pre-req for M365 E5 Security as of right now. I believe this should be expanded to M365 Business Premium at least now that the road-blockers have been removed. But looking into this further I suspect any combo with the Business SKU’s is “illegal” (even though it probably works). I will try to get clarification from Microsoft.
The E5 would still have some advanced compliance features, Teams based phone system, the ProPlus apps, etc. that are still pushing the value of that SKU, and so the price is also going to be higher, but most people do find that to be a tad expensive.
I would like to know. I plan to call the licensing support folks about this. I want to be legal of course, but want I really want is the best way forward that makes sense. I have some users on Microsoft 365 E5 already. This makes sense for us in many cases. Thanks for looking into this.
Hi Alex do you use this in your MSP for EDR?
No, we use Panda Adaptive Defense 360–we started a security practice a couple of years ago, and at that time you could only get MDATP via full E5 licensing, so it was non-starter for SMB.
Alex, were you able to receive any confirmation if it is possible, or not, to add “M365 E5 Security” to “Microsoft 365 Business Premium”?
Thanks,
Marcus
Still have not heard back but it is not looking promising. For example, in a tenant where you purchase only M365 Business Premium the E5 Security add-on will not even be listed under purchase additional services. It doesn’t appear until you add an M365 E3 to the tenant. My favorite combo for the SMB really is MDATP and MCAS. A close third would be O365 ATP P2. Most of my customers are trying to get rid of on-prem servers anyway, so Azure ATP is not that interesting, and Azure AD Premium P2 is underwhelming, IMO for an SMB. They just aren’t going to take advantage of PIM, for example. MDATP is like 5.20 I think and MCAS is 3.50, for 8.70 total. Still less than the E5 add-on. Would be nice if they had like a “Microsoft Threat Protection for Business” SKU with just the endpoint (EDR) and CASB for cloud apps (MCAS). Arguably you could throw the upgrade to O365 ATP P2 in there and make it like 9 bucks maybe? That would be my wish.
Thanks for the update and detailed suggestions. As a non-profit the E5 Security is very cost effective for us as there is no non-profit SKU for just MDATP.
“Microsoft Threat Protection for Business” sounds like an ideal SKU. MS seems to be making the Business SKU choices easier, so hopefully something like this will eventuate.
Alex,
Have you heard back from Microsoft about whether the Microsoft 365 Business Premium and Microsoft 365 E5 Security combo is allowed?
Nobody is willing to say, but all signs point to no at the moment. Perhaps they are working on an advanced security add-on for the Business plan–one can hope.
Does anyone have any Microsoft documentation on the M365 E5 Security? I cannot find anything on it specifically. Also, I want to purchase 230 of the M365 E3 license but only need to add 35 of the Microsoft 365 E5 Security addon license. Will the 35 users be able to use the features of this addon or will I be required to purchase the addon for all 230 users?
The E5 Security SKU is just a bundle of other individual products, so you can find documentation on all the products to see what is included and how to use it, etc. I also have written a guide on Microsoft 365 E5 Security (which I still have to update since they started changing the names of everything to Defender this and Defender that). Note that once you add a single copy of this license to the tenant the features basically are available for the entire tenant, but to be in bounds for their license agreement you have to apply the license to every individual who benefits from a feature. So for example, if you want to take advantage of Privileged Identity Management, the folks who are utilizing that feature would need to be licensed for it (Azure AD Premium P2) but the standard end users would not. By another example, if you are applying a “risk based” conditional access to “All users” then everyone would need the license. Hope that makes sense.
That definitely helps! Thank you.
Any update on E5 stacking on Business Premium? Pax8 says it is not possible. What is the alternative for customers that want security on top of Business Premium? Maybe O365 E3 + E5 security + Intune which would be 37. Or O365 E3 + EMS E5 + ATP P2 for 39.80?
It stinks that if they force you to go the enterprise route, then you have to go down a completely different path and uninstall office apps for business and migrate to office apps for enterprise. Hopefully they come out with something soon!
Stacking the E5 Security add-on is officially NOT supported. The best way to max out your security is to use M365 E3 + E5 security so you get all security-related items. With Business Premium it can be done but it is more difficult. For example: EM+S E5 + Defender for Endpoint (only available via CSP for like 5 and change per user, USD). So total comes out to about USD $40 per user vs. 44 if you go the E3 + E5 security route.
Hi Thanks for the insightful article. Kindly let me know if its possible to add E5 security to M365 BP?
No, that add-on can only be added to E3, not business premium.