When Should I Upgrade my Microsoft 365 Subscription?
I get some form of this question pretty often. It’s been on my backburner for ages to write an article that covers this topic, so that I can more easily point people to it. The question usually goes something like this:
- I currently have X subscription. Is this good enough?
- When should I upgrade to another subscription or use add-ons to supplement my subscription?
- There are so many different add-ons now, it just feels overwhelming. Do I really need any of it?
- What if I have third-party tools that already do some of these things?
- Should I switch plans and consolidate more on Microsoft, or should I keep what I have?
There is a lot to unpack here, so let’s approach this one step at a time.
What is the best “base level” subscription for me?
This first part is probably my most controversial position, but I stand by it 100%. Here it is: As a Managed Services Provider, I would NEVER sell Business Basic or Standard plans to a customer. These plans, in my view, are garbage.
When I see Microsoft partners selling these plans, I really feel that they are doing a disservice to their customers. You would never have recommended a workgroup in the past, right? You would have recommended a common security boundary (Active Directory) and a centralized server. Likewise, in today’s world, your subscription should include Microsoft Entra ID Premium (P1 minimum) and Microsoft Intune.
With those tools in your arsenal, you will be able to centralize and customize your security policies. Not only do you gain better control over both corporate and personally owned devices, but you will also be able to amp up your Conditional Access policies and block most of the attacks that are out in the wild today.
This means that your lowest or most “base level” subscription should always start at Microsoft 365 Business Premium. As a bonus, this plan also includes Microsoft Defender for Business (which is an Endpoint Detection and Response solution) and Defender for Office 365 (which provides additional email security over the normal plans). If you configure these appropriately and manage them well, then you can drop third-party subscriptions which do the same. Or you can continue to double-pay for those things, which is, of course, your choice.
If an unmanaged small business buys Basic or Standard on their own (as often happens), then once they start working with a Microsoft partner, one of the first recommendations should be upgrading that subscription to Microsoft 365 Business Premium so they can become properly managed.
Going Beyond Premium?
The other flagship bundles are Microsoft 365 Enterprise E3 and E5. I don’t consider E3 to be an upgrade from Business Premium, since you would be losing some of the security features (e.g., Microsoft Defender for Business). Therefore, if you did need to move into Enterprise E3 because your total license count exceeds 300 users (Business Premium is limited to 300 seats per tenant), you would have to budget for both the cost of upgrading to E3 and the cost of replacing the missing security features (e.g., by adding back subscriptions or by using a third-party alternative).
Microsoft 365 E5, on the other hand, is a giant upgrade from either Business Premium or E3 (and it comes with a matching price tag). Some organizations, in spite of the massive price jump, may prefer to go with a top-tier subscription as their base, particularly if they have really stringent security & compliance requirements in their business.
Other times, you only want one or two features from the E5 world, so it might make more sense to add the appropriate standalone SKUs. Let’s look at some examples of the upgrades that “borrow” from E5.
Add-ons that are also found in E5
Note: prices listed below are in USD at the time of this writing.
- Microsoft Entra ID Premium P2 ($9.00/u/m): Get access to Entitlement Management, Privileged Identity Management (PIM), plus Risk-based Conditional Access policies (and more). Worth a look, especially for your administrative accounts.
- Microsoft Defender for Cloud Apps ($3.50/u/m): Discover, assess, monitor, and govern SaaS applications in your environment (plus a lot more). This is a really deep product ripe with Managed Services opportunities, but it is still under-explored in our marketplace. Check out my course on this product if you want to know more.
- Microsoft Defender for Identity ($5.50/u/m): Monitor events on your legacy Domain Controllers and have them correlated with incidents from other Microsoft Defender XDR tools in the cloud. Only for hybrid organizations.
- Microsoft Defender for Office 365 P2 ($5.00/u/m): Includes Threat Explorer, Automated Investigation and Response (AIR), plus the ability to launch fake phishing campaigns against your user base and assign training to help improve behavior (and more).
- Azure Information Protection Premium P2 ($5/u/m): Several compliance-related upgrades, for example the ability to automatically label your data based on rules (in Business Premium and E3 we can only manually apply labels to documents and emails individually).
- Microsoft Defender for Endpoint P2 ($5.20/u/m): In Business Premium we get Microsoft Defender for Business, which gives us about 90% of the features. With the full version, we can access Advanced Hunting via the security portal, and have 6 months of data retention.
We also have special SKUs that take these E5 features and put them into bundles so that you can simplify licensing and save some money. Unfortunately, none of these are compatible with Business Premium so you have to have Microsoft 365 E3 as a base level subscription in order to use them:
- Microsoft 365 E5 Security ($12/u/m):
  - Microsoft Entra ID P2
  - Microsoft Defender for Identity
  - Microsoft Defender for Cloud Apps
  - Microsoft Defender for Endpoint P2
  - Microsoft Defender for Office 365 P2
- Microsoft 365 E5 Information Protection and Governance ($7/u/m):
  - Microsoft Defender for Cloud Apps
  - Azure Information Protection Premium P2
  - Microsoft Purview Customer Lockbox
- Microsoft 365 E5 Compliance ($12/u/m):
  - Everything from the Information Protection and Governance bundle above, plus Microsoft Purview eDiscovery Premium and more!
Other add-ons beyond E5
And if you thought all that sounded like a lot to keep track of, we also have all this other stuff that’s been born outside of the Microsoft 365 E5 bundle (upgrades for everyone):
- Teams Premium
- Teams Phone plans
- Windows 365 (and/or Azure Virtual Desktop)
- Microsoft 365 Copilot
- Microsoft Defender Vulnerability Management
- Microsoft Intune Suite:
  - Endpoint Privilege Management
  - Enterprise App Management
  - Advanced Analytics
  - Remote Help
  - Microsoft Cloud PKI
  - Intune Plan 2
- Microsoft Entra Suite:
  - Microsoft Entra ID Premium P2
  - Microsoft Entra Private Access
  - Microsoft Entra Internet Access
  - Microsoft Entra ID Governance
  - Microsoft Entra Verified ID
- Microsoft Sentinel
And probably more that I am neglecting to mention.
So, you aren’t wrong for thinking that this is becoming a bit of a mess. Which of these deserves our attention in the SMB space, if any?
The reality of these add-ons
In practice, very few small businesses are buying any of these add-ons. Most Microsoft Partners today are still advising their customers to stick with the Business Premium bundle, and maybe they have been dabbling with Copilot. Otherwise, they tend to supplement using third-party tools where it makes sense.
Again, there are always exceptions to this rule. Some add-ons enjoy more adoption than others, but most of the SKUs here get a passing glance and a “would be nice” from partners, before they go out and sell an alternative product. And honestly, I cannot fault them.
After all, most of the features we are after can be had for less elsewhere versus the “standalone” or “add-on” versions we can get from Microsoft. The fact is, outside of the core bundles, we are still likely to pay less money for a third-party product that is targeted to MSPs specifically (and which is multi-tenant out of the box).
Some of the bundles that exist today, which could help to lower the price barrier at least, end up being more expensive in the end if we are required to upgrade to the Microsoft 365 E3 plan first. So, until we get more partner-friendly, SMB-friendly bundle options that take the Business Premium “base-level” bundle into consideration, I don’t see this pattern changing much.
(Note to Microsoft, if you’re listening: the key to unlocking the true potential of the SMB market will be: SELL through partners + MULTI-TENANT controls + BUNDLES compatible with Business subscriptions).
Business objectives drive the upgrade conversation
Whether you decide to upgrade into a more premium Microsoft bundle or go with an assortment of third-party solutions, the decision of when to upgrade is always driven by a why, and that “why” always comes back to our business objectives.*
Sometimes we have a requirement to align our systems with a specific compliance framework (e.g., for legal or insurance purposes, or sometimes internal policy). Other times it is to alleviate a pain point (e.g., manual data governance is too tedious), or the goal is to open up new features and functionality, like hosting larger-scale webinars and/or town halls.
Whatever the case may be, you first get to know the needs and pain points that are particular to your customers in your market, and from there you will be able to choose the software and configurations that are most appropriate for the given situation.
The library of options in Microsoft’s cloud continues to grow, but as of today, I think it is honestly difficult to use a “Microsoft-first” approach in all cases, even if we would like to. Many times, we end up shopping for an alternative; Microsoft is often getting beat on price, multi-tenant management capabilities, or both.
But hey, that’s just what I think. You might have a different opinion. If so, leave it in the comments!
*Aside: Some people ask me about my favorite upgrades. Keep in mind that what I think works well in my own market and with my own customers may not translate into your own situation. Instead, follow the business objectives you are faced with, and you can’t go wrong. That having been said, in no particular order, here are some upgrades that I think have tremendous potential and are still widely under-explored in the SMB space:
- If I could have the Information Protection and Governance add-on for Business Premium, I would buy it. MSPs and SMBs in general need to learn how to become better stewards of their apps & data in the 21st Century. The components I am most interested in are:
  - Microsoft Defender for Cloud Apps
  - Azure Information Protection Premium P2
  - Customer Lockbox (you can’t buy this one standalone)
- Windows 365 – great option for part-time employees or contractors; we also have some multi-tenant capabilities with this product now in Microsoft 365 Lighthouse!
- Teams Phone plans – I would love to see another try at a simplified voice plan for the SMB; Microsoft gave up on it too soon in my opinion.
- Microsoft Entra Suite – for just $3 more than the upgrade into Entra ID Premium P2 you get a lot of other superpowers, including my favorite, Global Secure Access!
- Microsoft Intune Suite – with a caveat; I would like to see some improvements to the Remote Help experience before I start deploying this widely, including multi-tenant management capability (i.e., initiate remote help sessions right from M365 Lighthouse)
- Microsoft Sentinel – implies that you would be building a SOC (and you will want to use Azure Lighthouse as well in conjunction)
- Copilot for Microsoft 365 – at least for power users (all the cool kids are doing it…); I would also like to see a smaller version of this plan for workers who still want the consumption-based work perks like searching, reading and responding to emails, etc., but who might not be drafting and creating content day-in and day-out in other apps