Licensing Optimization: Lessons Learned

At some point in almost every Microsoft 365 engagement I have with customers, we talk about licensing. Even if the project has absolutely nothing to do with licensing, and no one planned for it to come up, and we all pinky-swear that we won’t talk about it, it inevitably still comes up. There are two lessons that I would like to share today about that:

  • Microsoft 365 licensing is usually misunderstood, but it is not as complicated as everyone thinks.
  • Most organizations are not maximizing the value of the licenses they already own.

Many times, customers do not realize that they can accomplish their goals with what they already own, or they assume that what they want to do with Microsoft 365 will cost far more than it actually will. I have provided some insight, resources, and examples below.

Understand What You Have

It goes without saying that Microsoft 365 E5 provides a robust, comprehensive set of productivity, collaboration, systems management, compliance, and security tools.  If you can make this investment and implement all that comes along with it, you should.

That said, do not assume you need E5 to get significant value out of the Microsoft 365 platform. The E3 license levels (especially Microsoft 365 E3) offer a ton of features and functionality, and I recommend that you maximize what you can out of those features before looking at add-ons or upgrading.  M365 E3 includes most of Office 365, Intune, Windows Enterprise, and strong identity protection. If you have frontline workers, the F3 license complements the E3 license well.

If you need more features, make sure to consider the add-ons that are available for Teams Voice, the Defender security functions, or Purview data governance and compliance. Keep in mind though, that the cost of adding a couple of add-ons may require nearly as much spending as a full E5 license. It may end up making more sense to move to E5—in this case, to simplify license administration and take advantage of the full E5 feature set.

Also, the common thread that the E5 suite or add-on SKUs provide is automation on top of the E3 functionality. Automated security response features, email hygiene, identity protection, and data labeling are prominent, and the time savings that the automation brings to both end users and the technology or security teams can be a reason to move to E5.

(The links above reference a great resource at that can help you understand how Microsoft 365 licenses are structured, and showing which features are part of each bundle. This site provides color-coded diagrams of the Microsoft 365 features, along with a wealth of other information. In particular, this diagram shows what is included in each bundle and add-on as it relates to Office 365 and Microsoft 365 E3 and E5, including a breakdown of the add-ons you can purchase separately.)

Maximize the Value—Leverage the Ecosystem!

I am still surprised at how many organizations don’t know what they are licensed for and still have not implemented features that could help them achieve their goals related to identity, security, compliance, and device management. They made the decision to invest in the integrated Microsoft 365 ecosystem, but then did not implement the integrated tools it provides. Not only are they often paying for redundant solutions, but in many cases, they can easily address gaps that do not require much effort to deploy. A few of the more common scenarios:

  • Mail Hygiene: There are still many unintegrated, siloed spam and phishing platforms in use that can easily be replaced with Defender for Office.
  • Device Management: Intune is included in several SKUs (including M365 E3), and it’s usually more effective and easier to manage than a separate MDM solution. In addition to providing traditional device management, it also provides for a robust set of BYOD controls for mobile devices. Combined with Windows Enterprise, it improves deployment, secure configurations, and Windows endpoint administration.
  • Entra ID Conditional Access: MFA is no longer enough. If you have M365 E3 or the Entra ID P1 add-on, please configure Conditional Access to further secure your authentication rules. Ideally, register your devices with Intune and only allow those registered devices to connect.
  • Data Loss Prevention: Purview provides effective DLP policies out of the box and they are relatively easy to implement. While designing a full data governance plan and policies can be a significant effort, getting some basic DLP protections applied to common PII and payment card data types is not. Check out our step-by-step Purview eGuide.

If the last time the IT team really considered some of these features was more than a year ago, I would encourage a second look now.  Microsoft is continually adding features, and often customers find that the current feature sets in Microsoft 365 do provide features that may have been missing the last time they were reviewed. This is especially true when it comes to identity, security, and data governance toolsets.

Lastly, Look Towards the Future

Customers that do a good job deploying the Microsoft 365 integrated services I’ve discussed, also give themselves a leg up when it comes to other cloud adoption initiatives. Implementing additional services like Copilot for Microsoft 365 or migrating infrastructure and applications to Azure is easier if the Microsoft 365 services are already in place as the foundation. All these components are designed to integrate and complement each other.

We Can Help!

eGroup Enabling Technologies works with customers all the time to help with licensing evaluations and alignment with technical and business initiatives. Let us know if you would like to have a licensing discussion or need some help making sense of it all.
Learn more about our Licensing Optimization Workshop here. 

Need Help Navigating Microsoft Licensing?

Contact our team to schedule a Licensing Optimization Workshop.