The short version
Three tiers cover most of it. Free gets you security defaults and basic MFA. Premium 1 (P1) unlocks the everyday controls most organizations actually need, Conditional Access chief among them. Premium 2 (P2) and the E5 tier unlock the advanced, risk-based, and investigative features.
| If you want... | You generally need... |
|---|---|
| Basic MFA, security defaults | Microsoft Entra ID Free (included with any Microsoft 365 plan) |
| Conditional Access, self-service password reset | Microsoft Entra ID P1 (in M365 E3, EMS E3, Business Premium, F1/F3) |
| Risk-based access, Identity Protection, PIM | Microsoft Entra ID P2 (in M365 E5, EMS E5) |
| Advanced Defender (EDR, Defender for Identity, Defender for Cloud Apps) | Microsoft 365 E5, or the E5 Security add-on |
| Advanced Purview (auto-labeling, endpoint DLP, Insider Risk) | Microsoft 365 E5, or the E5 Compliance add-on |
| Device management (Intune) | Intune Plan 1 (in M365 E3/E5, EMS, Business Premium, F1/F3) |
How Siemserva reads your licensing, and scans more when you have more
Siemserva does not assume what you own. At the start of a scan it asks your tenant what is actually licensed by reading your subscribed SKUs and their service plans from Microsoft Graph. It then turns the matching checks on or off automatically. The more security you have licensed, the more Siemserva can inspect, so the same tool fits a lean Business Premium tenant and a full Microsoft 365 E5 enterprise without any reconfiguration.
It also distinguishes a missing license from a missing permission. If a workload is not licensed, or the account running the scan lacks the directory role to read it, Siemserva does not fail. It records a clear, named result explaining what was skipped and why, then continues with everything else. Your scan always finishes, and you can see exactly which features would add coverage.
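The detection logic described above can be sketched as follows. This is an added example, not Siemserva's own code: it reads a constructed Microsoft Graph `subscribedSkus` response, enables a check group only when its service plan is usable, and records a named skip reason that separates "not licensed" from "no permission". The check-group names, the `plan_scan` helper and the idea of passing in an HTTP status from a per-workload read probe are assumptions.

```python
# Added example; not Siemserva's code. Check-group names are hypothetical.

# Service plan names as returned by Microsoft Graph GET /subscribedSkus.
PLAN_TO_CHECKS = {
    "AAD_PREMIUM": "conditional_access",          # Entra ID P1
    "AAD_PREMIUM_P2": "pim_identity_protection",  # Entra ID P2
    "INTUNE_A": "intune_device_posture",          # Intune Plan 1
}

# Constructed sample response: an active E3 SKU and a suspended E5 SKU.
SAMPLE_SKUS = {"value": [
    {"skuPartNumber": "SPE_E3", "capabilityStatus": "Enabled", "servicePlans": [
        {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
        {"servicePlanName": "INTUNE_A", "provisioningStatus": "Success"}]},
    {"skuPartNumber": "SPE_E5", "capabilityStatus": "Suspended", "servicePlans": [
        {"servicePlanName": "AAD_PREMIUM_P2", "provisioningStatus": "Success"}]},
]}

def licensed_plans(subscribed_skus):
    """Return the service plan names that are usable in the tenant."""
    plans = set()
    for sku in subscribed_skus.get("value", []):
        # "Warning" is a grace period; Suspended, Deleted and LockedOut are not usable.
        if sku.get("capabilityStatus") not in ("Enabled", "Warning"):
            continue
        for plan in sku.get("servicePlans", []):
            if plan.get("provisioningStatus") == "Success":
                plans.add(plan["servicePlanName"])
    return plans

def plan_scan(subscribed_skus, probe_status):
    """Decide per check group: run it, or skip it with a named reason.

    probe_status maps a check group to the HTTP status of a read probe
    against that workload (assumed input; 403 means the role is missing).
    """
    plans = licensed_plans(subscribed_skus)
    results = {}
    for plan, group in PLAN_TO_CHECKS.items():
        if plan not in plans:
            results[group] = ("skipped", f"not licensed: no usable {plan} service plan")
        elif probe_status.get(group) == 403:
            results[group] = ("skipped", "licensed, but the scanning account lacks permission")
        else:
            results[group] = ("run", "")
    return results

if __name__ == "__main__":
    for group, (state, why) in plan_scan(SAMPLE_SKUS, {"intune_device_posture": 403}).items():
        print(f"{group:26} {state:8} {why}")
```

The suspended E5 SKU in the sample shows why `capabilityStatus` has to be checked: a SKU that still appears in the response does not mean its plans are usable.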
What more licensing unlocks in a scan
| When the tenant has... | Siemserva adds... |
|---|---|
| Microsoft Entra ID (any plan) | Core identity coverage: users, directory and Azure roles, applications and service principals, sign-in and authentication checks. |
| Microsoft Entra ID P1 | Conditional Access and MFA posture checks across the tenant. |
| Microsoft Entra ID P2 (or E5) | Privileged Identity Management and Identity Protection checks, and risk-based access review. |
| Microsoft Intune | Device compliance, configuration profiles, antivirus, firewall, attack surface reduction, encryption, and update coverage. |
| Microsoft Purview | Sensitivity label, retention, and data governance checks. |
| Microsoft Defender workloads | The matching email, endpoint, identity, and cloud-app protection checks for what is enabled. |
In short: license detection is automatic, coverage scales with your subscriptions, and an unlicensed or unreachable workload is reported as skipped rather than silently dropped. You always know what was checked and what was not.
The feature-to-license map
The capability you want, the minimum license that turns it on, and the common suites that include it. "M365" means Microsoft 365.
| Security capability | Minimum license to unlock | Commonly included in |
|---|---|---|
| Identity and access (Microsoft Entra ID) | | |
| Security defaults, basic MFA | Entra ID Free | Every Microsoft 365 plan |
| Conditional Access policies | Entra ID P1 | M365 E3 / E5, EMS E3 / E5, Business Premium, F1 / F3 |
| Self-service password reset (cloud) | Entra ID P1 | M365 E3 / E5, EMS, Business Premium |
| Risk-based Conditional Access | Entra ID P2 | M365 E5, EMS E5 |
| Identity Protection (risky users and sign-ins) | Entra ID P2 | M365 E5, EMS E5 |
| Privileged Identity Management (PIM) | Entra ID P2 | M365 E5, EMS E5 |
| Access reviews | Entra ID P2 or Entra ID Governance | M365 E5, EMS E5 |
| Entitlement management, lifecycle workflows | Entra ID Governance (add-on) | Add-on on top of P1 / P2 |
| Workload identity Conditional Access | Workload Identities Premium (add-on) | Standalone add-on |
| Threat protection (Microsoft Defender) | | |
| Anti-malware, anti-spam (EOP) | Exchange Online / any M365 plan | M365 Business and Enterprise |
| Safe Links, Safe Attachments, anti-phishing | Defender for Office 365 Plan 1 | M365 E5, E5 Security, Business Premium |
| Threat Explorer, Attack Simulation, auto investigation | Defender for Office 365 Plan 2 | M365 E5, E5 Security |
| Next-gen AV, attack surface reduction | Defender for Endpoint Plan 1 | M365 E3 |
| Endpoint EDR, threat and vulnerability management | Defender for Endpoint Plan 2 | M365 E5, E5 Security |
| SMB endpoint protection | Defender for Business | Business Premium, standalone |
| Defender for Identity (on-prem AD signals) | Defender for Identity | M365 E5, E5 Security, EMS E5 |
| Defender for Cloud Apps (CASB) | Defender for Cloud Apps | M365 E5, E5 Security, EMS E5 |
| Microsoft Defender XDR portal | Any Defender workload above | M365 E5, E5 Security |
| Microsoft Secure Score | Free with the workloads | All plans with the relevant workloads |
| Data security and compliance (Microsoft Purview) | | |
| Manual sensitivity labels | M365 E3 | M365 E3 / E5, Business Premium |
| Automatic labeling (client and service) | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| DLP for Exchange, SharePoint, OneDrive, Teams | M365 E3 | M365 E3 / E5 |
| Endpoint DLP | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Retention policies (basic) | M365 E3 | M365 E3 / E5 |
| Records management, auto-apply retention | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Audit (Standard) | M365 E3 | M365 E3 / E5 |
| Audit (Premium, longer retention) | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| eDiscovery (Standard) | M365 E3 | M365 E3 / E5 |
| eDiscovery (Premium) | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Insider Risk Management | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Communication Compliance | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Information Barriers | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Customer Key, Double Key Encryption | M365 E5 or E5 Compliance | M365 E5, E5 Compliance |
| Device management (Microsoft Intune) | | |
| MDM and MAM, compliance policies, config profiles | Intune Plan 1 | M365 E3 / E5, EMS E3 / E5, Business Premium, F1 / F3 |
| App protection policies | Intune Plan 1 | M365 E3 / E5, EMS, Business Premium |
| Endpoint Privilege Management, Remote Help, Advanced Analytics | Intune Suite (add-on) | Standalone add-on |
| Cloud PKI, specialty and cloud devices | Intune Plan 2 / Intune Suite | Add-on |
| Cloud workloads and SIEM | | |
| Microsoft Sentinel (SIEM and SOAR) | Azure consumption (per GB ingested) | Not a per-user license; pay-as-you-go in Azure |
| Defender for Cloud (Azure and multicloud CSPM) | Azure consumption, per-resource plans | Free CSPM tier; paid plans per resource |
The suites and add-ons, and what they cost
The licenses behind the table above, what each is for, and an approximate list price. Prices are USD per user per month on an annual commitment unless noted.
Approximate list prices as of mid-2026. Microsoft changes pricing and packaging regularly, partner and volume pricing differs, and nonprofit and education pricing is much lower. Treat these as ballpark, not a quote.
| License / SKU | What it is for | Approx list price (USD / user / mo) |
|---|---|---|
| Microsoft 365 suites | | |
| Microsoft 365 Business Basic | SMB email and apps, basic security | ~$6 |
| Microsoft 365 Business Standard | SMB apps plus desktop Office | ~$12.50 |
| Microsoft 365 Business Premium | SMB security bundle: Entra ID P1, Intune, Defender for Business, Defender for Office P1 | ~$22 |
| Microsoft 365 F1 | Frontline, identity and basic security (no Office desktop) | ~$2.25 |
| Microsoft 365 F3 | Frontline with Office web, Entra ID P1, Intune | ~$8 |
| Microsoft 365 E3 | Enterprise base: Entra ID P1, Intune P1, Defender for Endpoint P1, core Purview | ~$36 |
| Microsoft 365 E5 | Everything in E3 plus Entra ID P2, advanced Defender and Purview | ~$57 |
| Office 365 and EMS | | |
| Office 365 E3 / E5 | Apps and services without the EMS security stack | ~$23 / ~$38 |
| Enterprise Mobility + Security E3 | Entra ID P1 and Intune, without Office | ~$10.60 |
| Enterprise Mobility + Security E5 | Entra ID P2, Intune, Defender for Identity and Cloud Apps | ~$16.40 |
| Identity add-ons | | |
| Microsoft Entra ID P1 | Conditional Access, SSPR, password protection | ~$6 |
| Microsoft Entra ID P2 | Identity Protection, PIM, access reviews | ~$9 |
| Microsoft Entra ID Governance | Entitlement management, lifecycle workflows (on top of P1/P2) | ~$7 |
| Security and compliance add-ons (on top of E3) | | |
| Microsoft 365 E5 Security | Adds the advanced Defender stack and Entra ID P2 to E3 | ~$12 |
| Microsoft 365 E5 Compliance | Adds advanced Purview to E3 | ~$12 |
| Standalone Defender and Intune | | |
| Defender for Office 365 Plan 1 / Plan 2 | Email and collaboration protection | ~$2 / ~$5 |
| Defender for Endpoint Plan 1 / Plan 2 | Endpoint AV and EDR | ~$3 / ~$5.20 |
| Defender for Business | SMB endpoint protection | ~$3 |
| Defender for Cloud Apps | Cloud app discovery and control (CASB) | ~$5 |
| Microsoft Intune Plan 1 | Device and app management | ~$8 |
| Microsoft Intune Suite | Advanced endpoint management add-on | ~$10 |
| Microsoft Sentinel | SIEM, billed by data ingested | Consumption, roughly $2 to $5 per GB |
How to actually buy them
The same license can be bought several ways, and the channel changes the price, the support, and the flexibility.
| Channel | Best for | Notes |
|---|---|---|
| Microsoft 365 admin center (web direct) | Small organizations buying a handful of seats | Self-serve with a credit card, monthly or annual. Simple, but at list price with limited room to negotiate. |
| Cloud Solution Provider (CSP) partner | Most SMB and mid-market organizations | A Microsoft partner bills you, often monthly, bundles support, and can mix and add SKUs flexibly. The most common path. |
| Enterprise Agreement (EA) or Microsoft Customer Agreement | Large organizations (typically 500-plus seats) | Volume discounts, true-ups, and longer terms. More commitment, better unit pricing. |
| Microsoft 365 for Nonprofits | Eligible 501(c)(3) and equivalent nonprofits | Grants (including free Business Premium seats) and deep discounts on E-series. Apply through Microsoft. |
| Microsoft 365 Education (A1 / A3 / A5) | Schools and universities | Education-priced equivalents of the enterprise suites, with A5 carrying the advanced security stack. |
Licensed it? Now prove it is actually configured
Buying E5 does not make you secure. It gives you the features. The gap that hurts is the one between what you pay for and what is actually turned on and configured correctly: Conditional Access that was never built, PIM left unused, DLP in report-only mode, Defender policies at defaults.
Siemserva scans your tenant and surfaces exactly that gap. It runs 650+ deterministic checks across Microsoft 365, Intune, Entra ID (logs included), CVEs, and Purview, shows where licensed security features are unconfigured or weak, and pairs each finding with AI-created, Siemserva-validated remediation. You see the security you are already paying for, and what it would take to switch it on.
Frequently asked questions
Which license do I need for Conditional Access?
Conditional Access requires Microsoft Entra ID P1. P1 is included in Microsoft 365 E3 and E5, EMS E3 and E5, Microsoft 365 Business Premium, and the F1 and F3 frontline plans. Risk-based Conditional Access, which reacts to sign-in and user risk, additionally requires Entra ID P2.
What is the difference between Microsoft 365 E3 and E5 for security?
E3 gives you the baseline: Entra ID P1 (Conditional Access), Intune, Defender for Endpoint Plan 1, and core Purview such as standard DLP, retention, and audit. E5 adds the advanced tier: Entra ID P2 (Identity Protection and PIM), Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, and advanced Purview such as auto-labeling, endpoint DLP, and Insider Risk Management.
Can I add E5 security features to E3 without buying full E5?
Yes. The Microsoft 365 E5 Security add-on layers the advanced Defender stack and Entra ID P2 onto an E3 base, and the E5 Compliance add-on layers on the advanced Purview features. Together they are a common, lower-cost path to most of the E5 security value.
Which license do I need for Privileged Identity Management (PIM)?
PIM requires Microsoft Entra ID P2, which is included in Microsoft 365 E5, EMS E5, and the Microsoft 365 E5 Security add-on.
Is Microsoft Sentinel a per-user license?
No. Sentinel is billed on Azure consumption, primarily by the volume of data ingested per day, not per user. You can start pay-as-you-go and move to commitment tiers for volume discounts.
Do nonprofits get Microsoft security licenses for less?
Yes. Eligible nonprofits can receive grants, including free Microsoft 365 Business Premium seats, and discounted enterprise plans. Siemserva itself is free for 501(c)(3) nonprofits.
Try the Advanced Microsoft 365 Security Simulator
See exactly what Siemserva finds on a rich, realistic simulated tenant, no access to your environment needed. Launch it right after install, or ask for a free key. Teams report cutting Microsoft 365 and Azure hardening time by up to 80 percent.