Microsoft licensing is about as clear as mud. There are standalone licenses and bundled licenses, security add-ons and compliance add-ons, Office 365 and Microsoft 365. If that’s not confusing enough, let’s also not forget that some bundles go inside other bundles… and somewhere along the line, G-series licenses got thrown into the mix as well. How do organizations begin to sort the options and make smart decisions?
While we can’t delve into every licensing option Microsoft has available in a single blog, I can cover one of the more common questions we see: why purchasing the Microsoft 365 E5 license is the best solution for your compliance and security journey. Note: Unless otherwise noted, all of the features discussed in this blog apply to the Commercial, GCC, and GCC High versions of Microsoft 365.
Microsoft 365 E3 vs E5
Let’s start with the differences between the Microsoft 365 E3 and E5 licenses. The E3 and E5 license bundles include a few of the same features:
- Microsoft Endpoint Manager (Intune)
- Azure Active Directory Plan 1
- Defender for Endpoint Plan 1
- Defender for Office 365 Plan 1
- Audio Conferencing
From a security perspective, the Microsoft 365 E5 bundle offers a significant differentiator in value because it also includes:
- Defender for Endpoint Plan 2
- Azure Active Directory Plan 2
- Defender for Cloud Apps
- Defender for Office 365 Plan 2
Why is this important? Well, the Plan 2 versions of each product include features that will not only improve your security but also help with compliance needs. Below I explain what matters for each product.
Defender for Office 365 Plan 2 – The core functionality of Defender for Office 365 is e-mail and file hygiene, which are included in both levels of Defender for Office 365. With the Plan 2 version, not only do you add threat hunting, but you can also run attack simulations against the user community. For example, you can run a phishing campaign that includes auditing of user action or deploy a password spray attack against your tenant. These simulations provide valuable opportunities to test security; Defender for Office 365 Plan 2 provides both capabilities.
Azure Active Directory Plan 2 – Azure Active Directory Plan 2 adds automation capabilities to user account management. It includes recurring tasks for common administrative hurdles such as reviewing user accounts for inactivity, the ability to provision user access based on pre-defined criteria, and risk-based evaluation of user accounts. This automates much of the life cycle of user accounts as they are created, automatically adding access to SharePoint, Teams and Groups. Automations like these eliminate the need to maintain cumbersome checklists of user access, which can quickly become inaccurate or outdated. Furthermore, once an account is provisioned, Azure Active Directory will send reports of inactive accounts on a recurring basis. Admins or delegated business user(s) can review the list and either approve or block user accounts. The results are logged for future reference. Taking Azure Active Directory Plan 2 a step further, it monitors the dark web for leaked credentials (a recommendation from NIST 800-63b) and monitors user accounts and sign-ins for risky events. These policies provide a strong layer of protection against compromised identities AND provide automated instant response in the event an identity is potentially compromised.
Defender for Endpoint – There is a distinct difference between the built-in Defender that comes with Windows 10 and Windows 11 and the version that comes with the Microsoft 365 E5 license: Endpoint Detection and Response (EDR). I highly recommend EDR. Not only was it federally mandated in 2021 via Executive Order 14028, but it is a ‘must’ in today’s security landscape. Without it, anti-virus is largely reliant on file definitions, which are easily evaded. Another significant benefit of Defender for Endpoint is the Threat and Vulnerability management pack. This set of features gives visibility into security recommendations to further harden your endpoints, which can be leveraged for the required security reviews from CMMC as well as vulnerability scanning. Without the Threat and Vulnerability management pack, an alternative vulnerability scanning service will need to be purchased, deployed, secured, monitored, and supported to meet even the lowest level of CMMC. Finally, the Defender for Endpoint license allows you to back up device logs and ingest them at no cost into Sentinel. Without this license you would need to deploy the Windows endpoint collection agent to ingest logs to Sentinel, and incur additional costs.
Defender for Cloud Apps – Defender for Cloud Apps (formerly Cloud App Security) is a little-known gem in the Defender lineup. Defender for Cloud Apps watches your system border (a CMMC Level 2 requirement) in the cloud. Defender for Cloud Apps monitors for situations such as data exfiltration, newly connected cloud apps, and malicious OAuth apps in the environment via connections through Defender for Endpoint, Office 365, and Azure. For example, if an employee logs into Dropbox or their personal Yahoo mail, Defender for Cloud Apps administrators can either receive an alert to investigate or automatically block access to the cloud app. This is just the beginning of the capabilities with Defender for Cloud Apps.
Conclusion
Perhaps the best part of this is that all of these capabilities are fully integrated into each other. With the Microsoft 365 E5 bundle, Defender for Cloud Apps, Defender for Endpoint, and Azure Active Directory natively integrate as part of the same platform. This means there is no requirement for service accounts, clumsy third-party APIs, or patchwork to compensate for incompatible features. Instead you have a single vendor that supports compliance, security, and functionality… all conveniently packaged in a single license bundle.
C3 Integrated Solutions has a proven track record of expertise with Microsoft solutions. We work with our customers to implement systems and solutions to support a range of compliance standards including ISO 27001 and CMMC Level 2. Our configurations are designed to create a balance between business requirements, security, and compliance. Most importantly, we prioritize working with you, our customer, to ensure they are tailored to fit your environment. If you have questions or are ready to take the next step in your compliance journey, contact us at info@c3isit.com.
Scott Whitehouse is a Senior Systems Consultant at C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Scott is part of C3’s Projects Team and focuses on Microsoft Office 365 Engineering, including Intune, EM+S, and Compliance.