Microsoft 365 E3 costs approximately £24.50 per user per month; E5 costs approximately £47 per user per month. For a 50-user organisation, that difference is £13,500 per year. The question is not whether E5 is more capable — it clearly is. The question is whether the additional capability justifies that cost for your specific business, your specific risk profile, and your specific regulatory obligations.
The answer varies significantly by sector and size. For an FCA-regulated financial services firm with communication compliance obligations and eDiscovery requirements, E5 is almost certainly cheaper than the combination of E3 plus standalone tools that cover the same ground. For a professional services firm of 40 people with solid security hygiene and no regulated data obligations, E3 or even Business Premium may be the right answer.
This guide cuts through the feature lists to explain what actually matters in the E3 vs E5 decision — particularly on the security side, where the capability gap is most significant.
What Microsoft 365 E3 Includes
E3 is a comprehensive enterprise plan that covers productivity, device management, and solid baseline security. At approximately £24.50/user/month (2026 pricing), it includes:
Productivity and collaboration: Full Office desktop applications (Word, Excel, PowerPoint, Outlook, Access, Publisher), Exchange Online Plan 2 (unlimited mailbox archiving, legal hold), SharePoint Online, Microsoft Teams, OneDrive for Business (unlimited storage), Yammer, Forms, Planner, and the full Power Platform suite.
Security foundations: Microsoft Entra ID P1 (formerly Azure AD Premium P1) — this is the key security component in E3. It provides conditional access policies, multi-factor authentication, self-service password reset, and hybrid identity management. Defender for Office 365 Plan 1 is included, covering anti-phishing, safe links (URL detonation and rewrite), and safe attachments (sandboxing email attachments). Microsoft Intune provides complete device management (MDM and MAM) for all platforms. Azure Information Protection Plan 1 enables basic document classification and labelling.
Compliance: Microsoft Purview standard audit logging, litigation hold and basic eDiscovery, and standard data loss prevention policies. Windows Enterprise E3 licensing (Intune-managed deployment, Windows Autopilot) is also included.
What Microsoft 365 E5 Adds
At approximately £47/user/month, E5 adds Microsoft's complete enterprise security platform, advanced compliance tooling, and Teams Phone Standard. The additions that matter most are on the security side.
Advanced Security (the Core E5 Difference)
Microsoft Entra ID P2 (upgrading from P1): adds Identity Protection (risk-based sign-in policies that respond automatically to leaked credentials and impossible travel scenarios), Privileged Identity Management (just-in-time admin access with approval workflows), and access reviews. These features are particularly valuable for remote workforces and organisations with privileged account risk exposure.
Defender for Office 365 Plan 2 (upgrading from Plan 1): adds Attack Simulator (controlled phishing simulation campaigns for staff training), Threat Explorer (real-time threat intelligence in your tenant), and Automated Investigation and Response (AIR) — which automatically investigates and remediates email threats without manual intervention.
Defender for Endpoint Plan 2 (full EDR): this is a substantial capability uplift. Where Plan 1 (included in Business Premium) provides basic next-generation antivirus and attack surface reduction, Plan 2 adds: endpoint detection and response with full timeline visibility, threat hunting tools, device health reporting, and Microsoft's Threat and Vulnerability Management engine. The difference in incident response capability between P1 and P2 is significant.
Microsoft Defender for Cloud Apps (CASB): provides shadow IT discovery (what cloud applications are your users actually using?), session control (blocking copy/paste/download in risky sessions), and anomaly detection across cloud services. Essential for organisations with significant cloud app sprawl.
Microsoft Defender for Identity: monitors on-premise Active Directory for advanced attack patterns — credential theft, lateral movement, Kerberoasting, pass-the-hash, DCSync attacks. If your organisation has on-premise Active Directory (or a hybrid setup), Defender for Identity provides detection capability that no cloud-only solution can replicate.
Microsoft Sentinel: included in E5, Microsoft's cloud-native SIEM (Security Information and Event Management) platform. Standalone Sentinel costs are consumption-based and can be substantial — for most organisations ingesting typical data volumes, Sentinel in standalone form adds meaningful monthly cost. E5's inclusion of Sentinel at no additional licence cost is one of the strongest economic arguments for upgrading.
Advanced Compliance
E5 adds: Communication Compliance (monitoring communications for policy violations — mandatory for FCA-regulated financial services), Insider Risk Management (detecting unusual data access patterns and potential data exfiltration), Advanced eDiscovery (full Relativity-equivalent legal hold and review workflows), Customer Lockbox (requiring explicit approval for Microsoft engineers to access your data), Information Barriers (preventing communication between designated groups), and Compliance Manager (automated assessment against regulatory frameworks).
The Security Capability Gap: What Matters Most
The headline features of E5 that most directly justify the cost uplift for businesses with genuine security requirements are:
Microsoft Sentinel (SIEM)
E5 includes Sentinel at no additional per-user cost. For organisations that would otherwise operate a SIEM (and any organisation with meaningful security monitoring ambitions should), this alone can justify the E5 price delta. Sentinel's standalone cost at typical data ingestion volumes frequently exceeds the E3-to-E5 price difference for mid-sized organisations.
Defender for Endpoint Plan 2 (Full EDR)
Plan 2's threat hunting capability and complete endpoint timeline visibility represents a qualitative step up from Plan 1's detection-focused approach. In a ransomware incident response scenario, the ability to reconstruct a complete attack timeline across all affected endpoints — from initial access through lateral movement to encryption — makes the difference between a contained incident and an extended, expensive recovery.
Entra ID Identity Protection
Automatic risk-based responses to leaked credentials and suspicious sign-in patterns. In 2026, credential compromise remains the primary initial access vector for UK businesses. Identity Protection's automated block-and-challenge responses to high-risk sign-ins operate faster than any human analyst — critical for containing identity-based attacks before they become full incidents.
Defender for Identity (On-Premise AD)
If your organisation has an on-premise Active Directory domain — even in a hybrid configuration — Defender for Identity provides detection coverage for attacks that operate entirely within the on-premise environment: Kerberoasting, pass-the-ticket, DCSync replication attacks. These attack patterns are invisible to cloud-only security tools.
Full Feature Comparison
| Feature | E3 (~£24.50/user/mo) | E5 (~£47/user/mo) |
|---|---|---|
| Office apps (desktop + web) | ✓ | ✓ |
| Exchange Online Plan 2 | ✓ | ✓ |
| Microsoft Intune (MDM/MAM) | ✓ | ✓ |
| Entra ID P1 (MFA, Conditional Access) | ✓ | ✓ |
| Defender for Office 365 Plan 1 | ✓ | ✓ |
| Windows Enterprise E3 | ✓ | ✓ |
| Entra ID P2 (Identity Protection, PIM) | ✗ | ✓ |
| Defender for Office 365 Plan 2 (Attack Simulator) | ✗ | ✓ |
| Defender for Endpoint Plan 2 (Full EDR + Threat Hunting) | ✗ | ✓ |
| Defender for Cloud Apps (CASB) | ✗ | ✓ |
| Defender for Identity (On-Prem AD) | ✗ | ✓ |
| Microsoft Sentinel (SIEM) | ✗ | ✓ |
| Communication Compliance | ✗ | ✓ |
| Insider Risk Management | ✗ | ✓ |
| Advanced eDiscovery | ✗ | ✓ |
| Teams Phone Standard | ✗ | ✓ |
Who Should Choose E3?
E3 Is Right When:
- No regulated data obligations (FCA, NHS, MoD)
- No on-premise Active Directory to protect
- Separate EDR or SIEM already in place
- Under 100 users with limited cloud app sprawl
- Budget sensitivity — the £22.50/user gap is material
- Business Premium not viable (>300 users)
E5 Is Right When:
- FCA, PRA, or regulated sector compliance required
- On-premise or hybrid Active Directory environment
- SIEM requirement — Sentinel inclusion makes E5 cost-effective
- Post-breach environment needing maximum detection
- Legal (eDiscovery, client data isolation)
- Healthcare (DSP Toolkit, communication compliance)
The Mix-and-Match Approach
Microsoft licensing does not require every user in your organisation to be on the same plan. Most businesses benefit from a mixed licensing model, and Vertex9 recommends this approach for the majority of clients evaluating the E3/E5 decision.
A typical structure: the bulk of the workforce on E3 (or Business Premium if under 300 users), with IT administrators, finance leadership, legal, and the executive team on E5. The high-risk users — those with elevated access rights, significant financial authority, or access to sensitive client data — are the ones who benefit most from E5's Identity Protection, Insider Risk Management, and Communication Compliance capabilities.
For organisations that specifically need Defender for Endpoint Plan 2 without the full E5 upgrade, Microsoft offers Defender for Endpoint P2 as a standalone add-on at approximately £5/user/month on top of an E3 licence. Similarly, Entra ID P2 can be purchased as a standalone add-on. These add-ons often represent a more cost-effective route to specific capabilities than upgrading the entire estate to E5.
The most expensive Microsoft 365 configuration is not E5 — it is E3 combined with the standalone security tools needed to fill the gaps E5 would have covered. A proper licensing audit almost always reveals a more cost-effective path to the security posture a business actually needs.
Optimise Your Microsoft 365 Licensing
Vertex9 conducts M365 licensing audits that identify the right plan mix for your business — removing wasted licences and ensuring you have the security capabilities you need without paying for features you don't. Most clients find meaningful savings.
Cybersecurity Services Get a Licensing ReviewFrequently Asked Questions
Can I upgrade from M365 E3 to E5 mid-contract?
Yes — Microsoft allows upgrades at any point during a contract period. Billing is adjusted pro-rata for the remainder of the term. Downgrades are more restricted and typically can only be processed at renewal, so be certain before committing to E5 on a multi-year agreement.
Is Microsoft 365 Business Premium comparable to E3?
Business Premium (maximum 300 users) includes Microsoft Defender for Business — a lighter version of Defender for Endpoint P1 — alongside most of the productivity features in E3. For organisations under 300 users that don't need full E3 compliance tools, Business Premium is often the better value choice at approximately £19.70/user/month. Above 300 users, E3 is required.
Does E5 eliminate the need for a separate SIEM?
Microsoft Sentinel is included in E5, which is a significant benefit given Sentinel's standalone consumption-based cost. However, Sentinel still requires configuration, ongoing tuning of detection rules, and operational management to deliver value. E5 includes the licence; your MSP or security team needs to operate it effectively to realise the investment.
Can Vertex9 help us optimise our M365 licensing?
Yes — Vertex9 conducts Microsoft 365 licensing audits that review actual usage data, identify unused or over-licensed users, and recommend the optimal plan mix for your organisation's size, sector and security requirements. Many organisations are paying for E3 where Business Premium would suffice, or are missing E5 security tools they genuinely need.
What is the difference between Microsoft 365 and Office 365?
Office 365 was Microsoft's original branding for the cloud productivity suite — primarily covering Office apps, Exchange Online and SharePoint. Microsoft 365 expanded this to include security features (the Defender suite, Intune), device management, and in the enterprise tiers, Windows licensing. The Office 365 branding has largely been retired, though some legacy plan names persist in certain contexts.