Why does the mid-market all have Microsoft M365 E3 licenses

Detexian’s CTO Adrian Kitto starts off a 12 part blog series on tackling some hard productivity and SaaS application security use cases with Microsoft’s M365 E3 product suite.

In the more than twenty years since I left the Royal New Zealand Navy, I have been continuously testing, configuring, and deploying Microsoft products. For more than 10 years, my specialty has been Microsoft's productivity tools and Active Directory. Therefore, when Office 365 and Azure AD were launched in 2011, I was eager to deploy my first client to this new solution set. This set the path for my career as a SaaS/Cloud application security specialist.

Since 2019, I have been exclusively focused on solving problems for mid-sized enterprises. The problems in this segment are also seen in other segments but are often more profound due to the size and resources available to the IT and security teams. To avoid confusion, we are talking about companies with 300 to 2200 information workers, generating between $10 million and $1 billion in annual revenue.

This size puts them above the cut-off for Microsoft's Business Premium offerings (300 users) and below the threshold for a Microsoft direct Enterprise Agreement (2200 users). While in this window, the customer is required to make a decision and purchase Microsoft licenses via a Microsoft "Cloud Service Partner" without direct engagement with Microsoft product, security, or consulting teams.

When these mid-market enterprises face the decision to purchase cloud-hosted productivity tools, the decision is often made purely on a financial or functional basis, focusing only on the Microsoft M365 E3 ecosystem. There is often little or no consideration given to the security risks that a native Microsoft M365 E3 deployment exposes the company to.

The gaps in the M365 E3 stack

Since Microsoft introduced the Office 365 (now named Microsoft 365) stack in 2011 there have been multiple license tiers with functional and security tools included. For customers with more than 300 seats they are faced with the decision to buy either Enterprise E3 or Enterprise E5 licenses. These Enterprise licenses are actually bundles made up of multiple products including endpoint software, cloud hosting, productivity and security tools. Microsoft products typically have multiple tiers themselves with increasing functionality and security tooling in the upper end product tiers. 

Microsoft positions their Enterprise E5 license as including all their functional and security products and tools to meet business, security and compliance needs. Where a product has multiple tiers, E5 includes the top tier product offering with full integration and tools to manage included. 

As many companies make product selection decisions based on core productivity functionality required rather than security and compliance requirements the de facto standard in the mid-market is Enterprise E3 rather than E5. 

Microsoft has significant security products to meet core security functionality however some are restricted to E5 licenses only

1. Device Management - Microsoft Intune - E3 + E5

2. User Identity - Azure Active Directory - E3 + E5 

3. Privileged Access Management - Azure Privileged Identity Management - E5 Only

4. Endpoint Security - Microsoft Defender for Endpoint  - E3 + E5

5. Email Security - Microsoft Defender for Office 365 - E5 Only

6. Cloud Security - Microsoft 365 Defender   - E5 Only

However, as mentioned earlier, many mid-market companies may not be aware of the security risks associated with a native Microsoft M365 E3 deployment. While the product includes some security features, it may not offer the same level of protection as the higher-tier Enterprise E5 license, which includes additional security and compliance tools.

With my role at Detexian I am lucky enough to have worked with the Microsoft partnering team; only 6% of Microsoft customers in the 300-2200 seat range buy M365 E5 licenses. This means there is a significant coverage gap that is introduced in both with companies growing above the 300 seat limit for business premium or transitioning to the cloud without taking into account the additional exposure that SaaS is introducing. 

This means that these mid-market companies that elect to procure Enterprise E3 licenses due to productivity requirements are faced with significant gaps in gaining visibility, governance and compliance of users, applications and their corporate data. 

Over the next 12 blog posts I will be covering how to reduce some of these gaps with scripting, automation and best practice processes that I have learnt over the last 15-20 years.

Security thought for the week

Have you ever thought that security comes in many forms including cyber, physical and military controls and capabilities? More than 100 years ago on March 20th 1922 the United States Navy commissioned its first aircraft carrier, the USS Langley. This was a landmark advancement in military capabilities for the U.S. Navy at the time an involved converting a coal transport ship after World War One. 

USS Langley’s commissioning would not be its only first for the U.S. Navy. She would also become the first ever U.S. aircraft carrier to be lost in combat when she was sunk on February 27th 1942. 

Join me next time when I get into the details about “How does Microsoft M365 E3 work with the non-Microsoft ecosystem applications.” 

Till then, stay secure.

Adrian