Licensing Framework
Microsoft Licensing That Actually Makes Sense
A practical guide to getting it right
Microsoft licensing decisions have long-term financial and operational consequences. Most organizations either overpay for capabilities they never use or underspend and leave critical security gaps. This guide explains how I think about it.
The Core Tension
"The question isn't which license is cheapest. It's which license fits where the organization actually is."
Daniel Lepel  ·  Principal Microsoft Cloud Architect
Starting Point
The Decision Framework
Two questions that determine everything
Before looking at any license tier, two questions need honest answers: how many seats does the organization need, and which advanced capabilities will they actually use? Everything follows from there.
The 300-seat threshold is a real inflection point. Below it, Microsoft 365 Business Premium is almost always the right answer. Above it, the conversation shifts to E3 vs E5.
How I Approach It
  • Start with seat count
    In Practice
    The 300-seat line isn't arbitrary. Business Premium tops out there. Organizations over 300 need the Enterprise tier, which opens up E3 and E5 as the main choices. Under 300, Business Premium covers the vast majority of use cases and includes security capabilities that used to require enterprise licensing.
  • Identify which advanced capabilities they genuinely need
    In Practice
    Advanced compliance, Cloud PBX (Teams Phone), and Privileged Access Management are the three E5-specific capabilities that most often drive the upgrade decision. If none of those apply, E3 with the right add-ons usually gets you where you need to be at a lower total cost.
  • Account for annual commitment economics
    In Practice
    Annual commitments save money per seat but create rigidity. Getting the initial tier decision right matters more than most organizations realize because you're locked in for a year. Overbuying on day one is expensive. So is underbuying and needing to add licenses mid-term at a higher rate.
  • Plan for add-ons before finalizing the base license
    In Practice
    Some capabilities are worth adding as standalone SKUs rather than upgrading the entire base license tier. Defender for Office 365 Plan 2 is the clearest example - strong email security at a fraction of the E5 upgrade cost when you don't need everything else E5 includes.
Enterprise Tier
E3 vs E5
When the upgrade actually earns its cost
E3 is the right base license for most enterprise organizations. It covers the full productivity suite, basic compliance, and enough security for organizations without advanced regulatory requirements.
E5 is worth it when the organization genuinely needs advanced compliance capabilities, Teams Phone (Cloud PBX), or Privileged Access Management - and will actually use them.
Microsoft 365 E3
Right for most enterprise orgs
  • Full Office suite + Teams + Exchange
  • Basic compliance and retention
  • Entra ID P1 (Conditional Access)
  • Intune device management
  • No advanced compliance workloads
  • No Cloud PBX
  • No Privileged Access Management
Microsoft 365 E5
Worth it when you need these
  • Everything in E3
  • Advanced compliance (Purview)
  • Cloud PBX / Teams Phone
  • Privileged Access Management
  • Microsoft Defender XDR included
  • Entra ID P2 (Identity Protection, PIM)
The E5 premium is significant. Before recommending it, I want to know that the organization will actually activate the advanced capabilities it's paying for. An E5 tenant running at E3 capability levels is just an expensive E3.
Under 300 Seats
Business Premium
The most underestimated license in the catalog
Microsoft 365 Business Premium is consistently underestimated. It includes Intune, Conditional Access, Defender for Business, and Entra ID P1 - capabilities that used to require enterprise licensing - at a price point designed for smaller organizations.
For organizations under 300 seats without advanced compliance requirements, it is almost always the right call.
What Business Premium Gets You
  • Full Office productivity suite plus Exchange, Teams, and SharePoint
    In Practice
    Same productivity suite as enterprise tiers. Users get the full M365 experience. No capability gaps at the application layer.
  • Microsoft Intune for device management and policy enforcement
    Microsoft Intune: cloud-based endpoint management platform that handles device enrollment, policy enforcement, application deployment, and compliance reporting.
    In Practice
    Intune at Business Premium gives smaller organizations the same device management capabilities as enterprise. I use it to enroll machines, enforce compliance policies, deploy applications, and configure Windows Hello for Business across the environment.
  • Conditional Access for identity-based access control
    Conditional Access: policy engine that evaluates user, device, location, and risk signals to decide whether to allow, block, or require additional verification for each sign-in.
    In Practice
    Conditional Access is one of the highest-ROI security tools in the Microsoft stack. Getting it included in Business Premium rather than requiring an enterprise upgrade is a significant value driver for smaller organizations.
  • Defender for Business for endpoint protection
    In Practice
    Defender for Business is the Business Premium-tier version of Defender for Endpoint. It covers threat protection, vulnerability management, and attack surface reduction for organizations that don't need the full enterprise Defender suite. For most sub-300-seat organizations, it's more than sufficient.
  • Entra ID P1 included for identity security
    In Practice
    Entra ID P1 powers Conditional Access, group-based licensing, and self-service password reset. Having it bundled into Business Premium means smaller organizations have the identity security foundation that enterprise environments depend on.
Filling the Gaps
Add-ons Worth Knowing
Where targeted spending beats full tier upgrades
Not every capability gap requires upgrading the base license. Some workloads are available as standalone add-ons that cost significantly less than the next tier jump and deliver the specific capability you actually need without paying for everything else.
Defender for Office 365 Plan 2 is the one I recommend most consistently.
Add-ons I Recommend
Defender for Office 365 Plan 2
My default recommendation for any E3 tenant. Adds Safe Links, Safe Attachments, anti-phishing with impersonation detection, and automated investigation and response for email threats. The email protection gap in E3 is real, and this closes it without requiring a full E5 upgrade. I add this to practically every E3 environment I manage.
Entra ID P2 (standalone)
Adds Identity Protection and Privileged Identity Management on top of Entra ID P1. Worth considering for E3 organizations with privileged access concerns who don't need the rest of E5. PIM alone - eliminating standing Global Admin accounts - is a significant security improvement at a targeted cost.
Microsoft Purview compliance add-ons
For organizations with specific compliance requirements - eDiscovery, advanced audit, insider risk - individual Purview workloads can be licensed separately rather than upgrading to E5 compliance. Useful when one or two workloads are needed but the full compliance bundle isn't justified.
Operational Reality
License Waste
The problem that annual commitments make worse
License waste is one of the most consistent findings in any Microsoft environment review. It shows up as unused seats, under-utilized capabilities, and duplicate tools paying for the same function twice.
Annual commitments save money on a per-seat basis but make waste harder to address in-year. Getting the initial buy right is the best mitigation.
Where Waste Typically Lives
  • Unused or unassigned licenses accumulating mid-term
    In Practice
    Organizations add seats on annual commits and then experience turnover. The seats stay licensed until renewal even if nobody is using them. A license audit before renewal catches this and prevents automatic renewals on seats that should be dropped.
  • E5 capabilities paid for but never activated
    In Practice
    Upgrading to E5 and then running at E3 capability is the most expensive form of license waste. If Purview advanced compliance isn't configured, if PIM isn't deployed, if Defender XDR isn't active - the organization is paying E5 prices for E3 utilization. I look at capability activation rates, not just seat counts.
  • Duplicate third-party tools doing what M365 already does
    In Practice
    Third-party email security tools running alongside Defender, backup products covering workloads Azure Backup handles, endpoint agents duplicating Defender for Endpoint. At Latham Pool Products, replacing Mimecast with native E5 email security eliminated the third-party cost entirely while improving coverage. The capability was already licensed.
  • Annual commitment timing misaligned with actual headcount
    In Practice
    Organizations that buy seats based on projected growth and then don't hit those numbers end up paying for licenses they don't use for the rest of the commitment period. I advise buying to current headcount plus a modest buffer, not to optimistic projections.
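A pre-renewal seat audit of the kind described above can be run over two tenant exports. This is an added example, not code from this guide or from Microsoft: it assumes the inputs have the shape of Microsoft Graph's subscribedSkus and users resources, and the SKU ids, accounts, and counts are constructed sample data.

```python
# Added example. Field names follow Microsoft Graph's subscribedSku and user
# resources; every value below is constructed sample data.
SKUS = [
    {"skuId": "constructed-e3", "skuPartNumber": "SPE_E3",
     "consumedUnits": 4, "prepaidUnits": {"enabled": 6}},
    {"skuId": "constructed-e5", "skuPartNumber": "SPE_E5",
     "consumedUnits": 2, "prepaidUnits": {"enabled": 2}},
]

def _user(upn, enabled, sku):
    return {"userPrincipalName": upn, "accountEnabled": enabled,
            "assignedLicenses": [{"skuId": sku}]}

USERS = [
    _user("ana@example.com", True, "constructed-e3"),
    _user("ben@example.com", True, "constructed-e3"),
    _user("cai@example.com", True, "constructed-e3"),
    _user("dee@example.com", False, "constructed-e3"),   # leaver, still licensed
    _user("eli@example.com", True, "constructed-e5"),
    _user("fay@example.com", False, "constructed-e5"),   # leaver, still licensed
]

def audit_licenses(skus, users):
    """Per SKU: seats never assigned plus seats held by disabled accounts."""
    held_by_disabled = {}
    for user in users:
        if user["accountEnabled"]:
            continue
        for lic in user.get("assignedLicenses", []):
            held_by_disabled.setdefault(lic["skuId"], []).append(user["userPrincipalName"])
    report = {}
    for sku in skus:
        purchased = sku["prepaidUnits"]["enabled"]
        unassigned = max(0, purchased - sku["consumedUnits"])
        stale = sorted(held_by_disabled.get(sku["skuId"], []))
        report[sku["skuPartNumber"]] = {
            "purchased": purchased,
            "unassigned": unassigned,
            "on_disabled_accounts": stale,
            "reclaimable": unassigned + len(stale),
        }
    return report

if __name__ == "__main__":
    for part, row in audit_licenses(SKUS, USERS).items():
        print(part, row)
```

Seats held by disabled accounts do not show up in a purchased-minus-consumed count, which is why the two figures are reported separately.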
Storage Architecture
SharePoint vs Azure Storage
The right tool depends on who - or what - needs the data
SharePoint is document storage built for people. Azure Storage is data storage built for systems, archival, and large volumes of infrequently accessed content. Both are part of the Microsoft ecosystem. They are not interchangeable, and getting the choice wrong has direct cost and usability consequences.
The licensing implications matter too. SharePoint storage comes pooled with M365 licensing. Azure storage is consumption-based. For large, rarely accessed data, Azure is almost always cheaper over time.
How to Choose
  • SharePoint for content people need to find, share, and collaborate on
    In Practice
    SharePoint is the right answer when humans are the primary consumers - documents being actively worked on, files shared across teams, content that needs search, version history, and permissions tied to the M365 identity model. It integrates natively with Teams, OneDrive, and the rest of the M365 productivity surface. That integration has real value for day-to-day work.
  • Azure Blob or File Storage for large volumes of infrequently accessed data
    In Practice
    Archival records, compliance data retained for regulatory reasons, backup files, media assets, and log data that nobody is opening on a Tuesday afternoon - these belong in Azure Storage, not SharePoint. SharePoint is not designed to hold hundreds of gigabytes of rarely touched files, and using it that way drives up M365 storage costs unnecessarily.
  • Azure Data Lake for large-scale analytical and system-to-system workloads
    In Practice
    At Latham Pool Products, I built Azure Data Lake Storage as part of the ERP integration project - storing structured data for downstream processing by Azure Data Factory and Databricks. That is not a SharePoint use case. When data pipelines, analytics platforms, or application integrations are the consumers, Azure Storage is the correct architecture and SharePoint would be the wrong one.
  • Understand the cost model before defaulting to SharePoint for everything
    In Practice
    M365 tenants include pooled SharePoint storage based on license count - roughly 1TB plus 10GB per licensed user. It sounds like a lot until an organization starts storing engineering files, video archives, or application backups there. Azure Blob Storage with cool or archive tiers is a fraction of the cost for data that doesn't need to live in the M365 productivity layer.
  • Governance applies to both - just differently
    In Practice
    SharePoint governance is about permissions, sharing policies, and site structure tied to the M365 identity model. Azure Storage governance is about access keys, SAS tokens, private endpoints, and RBAC at the resource level. Both need governance. The mistake is assuming that because both are Microsoft, the same approach applies to each.
Closing Thought
"The right license is the one the organization will actually use. Everything else is just overhead."
Daniel Lepel  ·  Principal Microsoft Cloud Architect
The Practical Summary
Under 300 seats: Business Premium, add Defender for Office 365 Plan 2.
Over 300 seats: E3 as the default. E5 only when advanced compliance, Cloud PBX, or Privileged Access Management are genuinely required.
In either case: audit what's actually being used before every renewal, eliminate duplicate tools, and don't buy to projections.
The license decision is not a one-time event. It needs a review cycle just like everything else in the environment.