Introduction
Often, customers, and even we as a Microsoft Security Solution Partner, struggle to navigate the complexities of Microsoft’s licensing structure. This is especially true when it comes to determining which security solutions are included. The overlapping features, the varying levels of coverage, and Microsoft’s passion for renaming products… All of this can make it difficult to identify the right solutions for specific needs. It can also be difficult to assess what level of protection we can benefit from.
In this blog post, we embark on a journey through the intricate world of Microsoft licensing from a security standpoint. More specifically, our goals are to:
- Simplify Microsoft security licensing: Break down the complexity of popular Microsoft licensing plans by identifying the security products included in those plans.
- Guide decision-makers: Help IT and security professionals make informed decisions on their security roadmap by aligning licensing plans with a Zero Trust perspective. Knowing which product belongs to which licensing plan simplifies strategic choices and may save costs on unnecessary third-party products.
Let’s dive in!
Zero Trust Guiding Principles and Components
It may be interesting to recall the three guiding principles supporting Microsoft’s Zero Trust approach:
- Verify explicitly: Always check and confirm the identity and security of every user and device, no matter where they are.
- Use least privilege access: Give users and devices only the access they need to do their job.
- Assume breach: Always operate as if the system is compromised. Continuously monitor and respond to threats to minimize damage in case of an attack.
Microsoft’s Zero Trust approach also focuses on securing what are called the components [1]: identities, endpoints, network, infrastructure, applications and data.
Each of these components works together to provide end-to-end security. We also recognize each as a potential target for cyber threats. The following table lists the six components, along with their expected objectives and the associated Microsoft security product(s):
Component | Objective | Associated Microsoft product(s) |
---|---|---|
Identities | Fortifying user authentication and access control. | Entra ID, Defender for Identity |
Endpoints | Securing devices in a perimeter-less environment. | Intune, Defender for Endpoint |
Network | Safeguarding data transmission and communication channels. | Azure Networking (virtual network, firewall, bastion, etc.) |
Infrastructure | Strengthening the foundations of security, from on-premises servers to cloud-based virtual machines. | Defender for Cloud |
Applications | Securing the application ecosystems that comprise the productivity tools through which users access their data. | Microsoft 365 Cloud App Security, Defender for Cloud Apps |
Data | Protecting the crown jewels of organizations. | Defender for Office 365, Purview, Priva |
Understanding Popular Microsoft Licensing Plans…
Now, let’s take a moment to familiarise ourselves with the most popular licensing plans offered by Microsoft. These licensing plans are central to organizations’ IT strategies, providing features to enhance productivity, collaboration, and security:
Licensing Plan | Description |
---|---|
Office 365 E3 | This plan is ideal for mid-sized to large organizations that require cost-effective collaboration and communication, as well as basic compliance features. |
Office 365 E5 | Organizations that benefit the most from Office 365 E5 are large enterprises that need data-focused security, advanced analytics, and comprehensive communication tools. |
Enterprise Mobility + Security E3 | Mid-sized to large organizations looking to start securing their mobile and cloud environments while simplifying access management for their identities would find EMS E3 particularly useful. This plan doesn’t include collaboration and communication features. |
Enterprise Mobility + Security E5 | Organisations with more complex identity protection needs that cannot be met by EMS E3 would benefit most from EMS E5. This plan also doesn’t include collaboration and communication features. |
Microsoft 365 E3 | Organizations that need a balanced mix of productivity, device management, and security would find Microsoft 365 E3 most beneficial, particularly those looking to streamline IT management and improve security across their digital environment. |
Microsoft Business Premium | Offers an all-in-one solution that balances productivity and security, making it ideal for small to mid-sized businesses. |
Microsoft 365 E5 | Large enterprises with high security and compliance requirements, seeking to leverage data-driven insights for strategic decision-making, would benefit the most from Microsoft 365 E5. |
… To Map Them to a Zero Trust Coverage Potential
What we define as Zero Trust Coverage Potential is a rating (from 1✫ to 5✫) that reflects the extent to which a licensing plan includes and integrates different security products. A higher score enables more comprehensive protection within a Zero Trust security model. To determine that rating, here are some of the assumptions we make:
- Products included in the plan are fully configured according to best practices and guidelines.
- Identity is the new perimeter. Therefore, we rank a licensing plan that includes better identity and access management higher than one that does not (all things being equal).
- The more security products included in your plan, the better overall security you can achieve through enhanced integration (e.g., Defender for Endpoint with Intune, or Entra ID with Defender for Identity).
Zero Trust component | Product | O365 E3 | O365 E5 | EMS E3 | EMS E5 | M365 E3 | MBP | M365 E5 |
Identities | Entra ID Free | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Entra ID P1 | ✔ | ✔ | ✔ | ✔ | ✔ | |||
Entra ID P2 | ✔ | ✔ | ||||||
Defender for Identity | ✔ | ✔ | ||||||
Endpoints | Intune | ✔ | ✔ | ✔ | ✔ | ✔ | ||
Defender for Endpoint (P1) | ✔ | ✔ | ||||||
Defender for Endpoint (P2) | ✔ | |||||||
Defender for Business | ✔ | |||||||
Network | Azure Networking | ▲ | ▲ | ▲ | ▲ | ▲ | ▲ | ▲ |
Infrastructure | Defender for Cloud | ▲ | ▲ | ▲ | ▲ | ▲ | ▲ | ▲ |
Apps | Cloud App Security | ✔ | ✔ | ✔ | ||||
Defender for Cloud Apps | ✔ | ✔ | ||||||
Data | Defender for Office 365 (P1) | ✔ | ✔ | ✔ | ||||
Defender for Office 365 (P2) | ✔ | ✔ | ||||||
Purview | ◼ | ◼ | ◼ | ◼ | ✔ | |||
Priva | ▲ | ▲ | ▲ | ▲ | ▲ | ▲ | ▲ | |
Zero Trust Coverage Potential | 1✫ | 2✫ | 2✫ | 3✫ | 3✫ | 4✫ | 5✫ |
License plans such as M365 E3, MBP, and M365 E5 provide essential identity and device protection, which are crucial for a robust security posture. While M365 E5 is the top-tier option, it’s important to maximize the potential of your current plan before considering an upgrade to this comprehensive ‘Rolls-Royce’ solution.
I Want To Adopt a Zero Trust Strategy With Microsoft Products, Where Should I Start?
So, now that you have a better idea of the products available to you, you may ask: “What should I do to implement a Zero Trust strategy with these products?”
A Zero Trust implementation should start with assessing your security posture. To get started, you can take the Microsoft Zero Trust Maturity Assessment Quiz [2] to quickly evaluate your organization’s network, endpoints, data, and user identity maturity levels. The Microsoft Zero Trust Maturity Model [3] also provides useful information on how to move from a traditional security model, all the way to an optimal Zero Trust model.

For the implementation part, consider the Zero Trust Rapid Modernisation Plan (RaMP) [4] if you are interested in quickly implementing key layers of protection. RaMP targets impactful items that enhance security and productivity with minimal resources. Not only does it include project management steps, but it also includes checklists for deploying Zero Trust components.
Approach as a Trusted Microsoft Security Solution Partner
As a Microsoft Security Solution Partner, we take a holistic approach to improving your cyber security. This approach spans IAM, cloud security, threat protection and information governance. In doing so, we ensure your investment in Microsoft technologies boosts collaboration and strengthens your defences against digital threats.
Let’s secure your digital future together. Contact us to learn how we can build a security strategy that aligns with your business goals.