Nearly every article in this cluster mentions a licensing tier at some point — Conditional Access needs Entra ID P1, Entra ID Protection needs P2, Defender's deeper capability sits behind Plan 2. This article pulls all of that scattered guidance into one place: what each major Microsoft 365 tier and security add-on actually includes, and how to reason about which one fits a specific organization.
The core bundles
| Tier | Typically Includes |
|---|---|
| Microsoft 365 Business Premium | Entra ID P1-equivalent Conditional Access, Defender for Business (endpoint), Intune, basic Purview features — the practical floor for a security-conscious small organization |
| Microsoft 365 E3 | Entra ID P1, full Intune, base Purview information protection — the common mid-market baseline |
| Microsoft 365 E5 | Entra ID P2, Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, advanced Purview (DLP, insider risk), Microsoft Sentinel data ingestion allowances — the full security-and-compliance bundle |
Bundles change — verify current contents before purchasing
Microsoft periodically revises exactly what's bundled into each tier, and offers standalone add-ons for capabilities not included in a given bundle. Treat this table as a directional reference for reasoning about tiers, and confirm exact current contents directly with Microsoft or a licensing partner before making a purchasing decision.
Add-on tiers referenced throughout this cluster
| License | Unlocks | Covered In |
|---|---|---|
| Entra ID P1 | Conditional Access, hybrid identity features | Microsoft Entra ID Overview, Conditional Access Best Practices |
| Entra ID P2 | Entra ID Protection, Privileged Identity Management | Microsoft Entra ID Protection, Privileged Identity Management and Privileged Access |
| Defender for Office 365 Plan 1 | Safe Links, Safe Attachments, anti-phishing | Microsoft Defender for Office 365 |
| Defender for Office 365 Plan 2 | Automated investigation, attack simulation training | Microsoft Defender for Office 365 |
| Defender for Endpoint Plan 1 | Next-gen antivirus, attack surface reduction | Microsoft Defender for Endpoint |
| Defender for Endpoint Plan 2 | EDR, automated investigation, threat & vulnerability management | Microsoft Defender for Endpoint |
| Microsoft Sentinel | SIEM — consumption-based, not bundled | Microsoft Sentinel Overview |
Reasoning from architecture layer to licensing, not the other way around
Microsoft 365 Security Architecture makes this point structurally: licensing decisions should follow from identifying which architectural layer has the biggest unaddressed gap, not from picking a bundle first and working backward. A practical process:
- Run the Microsoft 365 Security Readiness Assessment or Microsoft Security Stack Planner to identify the specific gap.
- Map that gap to the license that closes it, using the tables above.
- Compare the cost of the targeted add-on against a full tier upgrade — sometimes a standalone add-on (Entra ID P2 alone, for instance) is more cost-effective than jumping a full bundle tier if only one specific capability is the actual gap.
- Reassess annually, since both organizational needs and Microsoft's bundle contents change.
When each major tier makes business sense
| Situation | Reasonable Starting Point |
|---|---|
| Small organization, limited IT staff, general business risk | Business Premium — covers the baseline security architecture without E5's deeper investigative tooling that requires dedicated staff time to use well |
| Mid-market, moderate compliance exposure (general business, not heavily regulated) | E3, with Entra ID P2 or Defender Plan 2 added selectively where a specific gap justifies it |
| Regulated industry (healthcare, financial services), or dedicated security/compliance staff | E5 — the bundled deeper tooling (DLP, insider risk, EDR, Entra ID Protection) is more likely to be actively used and justified by compliance exposure |
Staffing capacity should influence the decision as much as budget
As emphasized in Microsoft Defender for Office 365 and Microsoft Sentinel Overview, deeper investigative tooling (Plan 2 tiers, Sentinel) delivers value only when someone is actually using it. An organization without that staffing capacity may get more real protection from Plan 1 tiers plus a managed service than from E5's full bundle sitting partially unused.
Common mistakes
- Purchasing E5 for its full feature set without staffing capacity to use the deeper tools, paying for capability that goes unused — the same gap noted for Defender Plan 2 and Sentinel individually.
- Under-licensing identity specifically (staying on Entra ID Free or P1 when P2's risk-based protection would meaningfully reduce risk) while over-licensing less foundational layers.
- Treating licensing as a one-time decision rather than revisiting it as the organization's risk profile, staffing, and Microsoft's bundle contents all change over time.
- Not comparing a targeted add-on against a full tier jump, missing a more cost-effective path to closing a specific gap.
FAQ
Is E5 always the "most secure" choice? Not automatically — E5 includes the deepest tooling, but that tooling only translates to better security outcomes if it's actually configured and actively used. A well-configured, actively monitored Business Premium or E3 environment can outperform a poorly configured E5 environment.
Can we mix and match — E3 with specific E5 add-ons? Yes — this is often the most cost-effective path, adding specific capabilities (Entra ID P2, Defender Plan 2) as standalone add-ons rather than upgrading the entire user base to a higher bundle tier.
How often does Microsoft change what's included in each tier? Bundle contents and add-on availability have changed multiple times historically — always verify current tier contents directly with Microsoft or a licensing partner rather than relying on a static reference, including this one, for a purchasing decision.