Microsoft Entra & Purview Licensing, and E5 Security vs EM+S Conundrum
Microsoft made a big to-do about renaming and re-organizing their security & compliance stacks into the Entra and Purview (and partially Priva) stacks earlier this year, and with those big changes assured customers that there were no immediate impacts to licensing.
We’ve seen that position begin to shift with the deprecation of Windows Information Protection (WIP), which is being removed from Windows to make room for Purview’s Endpoint DLP solution. Personally, I’m kinda sad about WIP because it was always a lot of fun to present, but it raised the question of what might be coming next.
We’ve covered the re-alignment in webinars and blog posts in the past, but as a recap, everything that had already lived at “compliance.microsoft.com” was transitioned into the Purview family:
Similarly, Microsoft Entra became the aligned identity & access management toolsets of Azure AD, Permissions Management (Microsoft’s CIEM), and Verified ID. Since 2 of these products simply didn’t exist prior to the announcement, there wasn’t quite as much to rename, but the astute observer will note that “Windows Information Protection” does not appear by name in either product family.
WIP was a component of Microsoft Information Protection (MIP), which until very recently comprised the pairing of Azure Information (AIP, sensitivity labels) Protection with Windows Information Protection. MIP was a member of the Purview family already, but moving Endpoint DLP out of MIP and into its own space represented a pretty fundamental change in how to access those capabilities. WIP was free(ish)—Endpoint DLP is most decidedly not.
Purview Endpoint DLP is only available in the Microsoft 365 E5 and E5 Compliance licenses, whereas AIP & sensitivity labels are available thru Microsoft 365, E5 Compliance, and EM+S licenses. EM+S has entered the chat.
We see a lot of organizations that have decided to right-size their licensing at Microsoft 365 E3, and then add on the E5 Security or E5 Compliance licenses where necessary for key workers & workloads. But in many cases, EM+S E5 is the better and less expensive solution.
To understand why this is a challenge, let’s talk about what actually comprises “Microsoft 365”. In the beginning, there was Office, and it was the only thing that was managed and licensed in the cloud. There were some fledgling attempts at things like E1 & E2, but in the end we settled on E3 & E5, setting the stage for all “enterprise” licensing models to come. Then Microsoft introduced a mobility & security toolset originally called…well who even remembers any more because that was a million years ago: it first entered my lexicon as EMS, then gained that little plus sign a year or so later. That, too, got the E3 & E5 treatment, and finally we saw the introduction, thru fits & starts, of Windows licensing at the E3 & E5 levels. Put the three together: Office, Windows, and mobility & security, and by their powers combined they become Microsoft 365!
Microsoft has had Enterprise Mobility + Security E3 & E5 offerings for almost 7 years now, and in that time the capabilities have grown immensely, but the product family has remained largely unchanged. Here’s a slide from a deck I presented in February 2016:
Aside from a couple of renamed products and the end-of-life for Advanced Thread Analytics, this 6.5-year-old slide is still mostly accurate. But if it’s still mostly accurate, then it means there’s a single licensing vehicle for some of the best elements of both the E5 Security & the E5 Compliance stacks, namely the ability to combine MIP and Azure AD P2, which includes Defender for Identity, Privileged Identity Management, Access Reviews, and a whole host of other top-shelf identity controls. We’ve done webinars about a lot of these capabilities, too.
So if you have Microsoft 365 E3, then you also already have EM+S E3. Trying to figure out which way to scale up from there can be vexing, because the obvious “just buy M365 E5 and you get everything” is easy to say, not so easy to afford.
Microsoft therefore offers ways to get there from here: you can just buy add-on licenses for the security side, which raise all of your Defenders to the E5 level, or you can just buy add-on licenses for the compliance side, which raise all of your Purviews to the E5 level. Or you can go workload-by-workload and buy a P2 here, a P2 there, and create a very granular (i.e., hard to manage) license-scape for your workforce. Or you can step up the EM+S stack and get some of the best of both.
But which is the right answer? As with all things in IT: it depends. But we’re ready to help you figure out a scalable solution that meets your needs.
Would you like to find out more about Microsoft Purview? Learn how you can manage & govern on-premises, multicloud, & SaaS data with Microsoft Purview today.
Comments