Excellent Azure Product / License Comparison Reference

December 15, 2020

The Complete Office 365 and Microsoft 365 Licensing Comparison

The Complete Office 365 And Microsoft 365 Licensing Comparison (infusedinnovations.com)

Microsoft E3 vs. E5 License Comparison

A critical decision point to consider when deciding between Microsoft E3 vs. E5, separate from cost, is team commitment.

With a team committed to fully using E5, the cost savings could exceed the annual cost.

Without such commitment, the upgrade may not be successful.

This piece explains the differences between the two license tiers and the main factors to consider before choosing to stay with Microsoft E3 or upgrade to Microsoft E5.

Microsoft E3 vs. E5 Features Comparison

In the years since Microsoft launched Office 365, now re-branded to Microsoft 365, the service offerings have changed, features have moved between tiers, and the capabilities of individual features have changed.

Figure 1: E5 Features Not Found in E3 (as of September 2020)

Category: Communication
Audio Conferencing and Phone System (portions of Skype for Business)
Power BI Pro (data analytics with sharing between other data analyses)

Category: Security
Azure Active Directory (AD) Premium Plan 2 (adding identity protection and governance to E3’s AD)
Microsoft 365 Defender (configuration and checks monitoring)
Defender for Endpoint (cross-platform vulnerability, threat, malware and behavior management)
Defender for Office 365 (monitoring of environment, awareness and training, and security templates)
Azure Information Protection P2 (automated data scanning, classification/labeling and key management)
Cloud App Security (shadow IT identification, application/web service control, app usage monitoring)

Category: Compliance
Advanced eDiscovery (document searching, archival and repositories)
Customer Lockbox (ability to keep data encrypted and unparseable – in theory – by Microsoft)
Advanced Data Governance (machine learning for data management, retention and deletion)
Service Encryption with Customer Key (facilitates key management requirements)
Privileged Access Management (role-based minimum-access administrative functions)

Complicating Factor – Licensing Models

Microsoft offers a lot of services, and several of those bundled in E5 can be added as a la carte options to an existing E3 license.

For example, all the compliance features listed in Figure 1 can be added to E3 without a full upgrade for $10 per user per month under the E5 Compliance Plan.

Similarly, all the security features listed can be added to E3 for $12 per user per month under the hard-to-find E5 Security Plan.

The communications features were once available separately, but that program appears to have sunset.

The $22 per user per month for both compliance and security is less than the extra $25 per user per month. However, the difference is slight – less than a single full-time employee (FTE) for a company with 1,000 employees – and there is a significant advantage in using all of the features that have been designed to work together.

Using only compliance would require building your own integrations with your other security toolset, as would using only security. By using both, you gain the integration capability automatically.

Succeeding and Failing with E5

E5 brings along a lot of features, and businesses should consider the following potential commitment and knowledge issues that might hinder success.

Examples may include:

Communications features require expertise. Properly using the communication features to replace or augment an existing phone system with videoconferencing requires a skilled team, not only to set it up, but also to manage it.

Most organizations find Microsoft Teams to be more than sufficient to augment a legacy phone system.

Given the high number of remote workers at present, the value of such legacy phone systems is proving to be lower than many thought.

Identity tools are complex. From a security perspective, the capabilities included in Microsoft Defender for Identity, Azure Active Directory Premium Plan 2 and Privileged Access Management are extremely powerful and, when used correctly, can justify the entire cost of upgrading to E5.

However, identity is complex and can be challenging for teams to successfully implement.

Other Considerations for E3 vs. E5

Other features, such as the anti-malware replacement – Defender for Endpoint – can justify the cost alone if the current anti-malware system is lightly configured and costs anywhere near $25 per user per month.

However, it might not compare favorably to a well-tuned anti-malware solution that ties into enterprise-level monitoring through an endpoint detection and response (EDR) approach.

Similarly, features like Microsoft 365 Defender, Defender for Office 365 and Cloud App Security could be replaced with other products at a lower cost than upgrading from E3 to E5. A team will succeed or fail equally with any product selection in this space – cost is a greater factor than anything else.

Finally, the remaining compliance features – Customer Lockbox and Service Encryption with Customer Key – provide a level of independence from Microsoft through encryption. If you need this capability, then there may be no choice but to invest in local encryption competence and upgrade to E5.

Deciding Between E3 and E5

There are many ways to run the analysis of cost-comparing licenses and features to those of equivalent or other desired products. The difference between E3 and E5 is about features, but also consider your commitment to a fully cloud-based work environment.

If you have not taken full advantage of E3 and don’t have a team committed to understanding it, following changes to functionality and pushing the licenses to their limit, making the case for upgrade to E5 becomes more difficult.

In contrast, if you have a dedicated and enthusiastic team willing to dive deep into E5 and use the functionality to its greatest extent, eliminating other vendors and fully embracing E5 could be a cost-saving strategy.

When making the decision between E3 and E5, organizations should understand:

There is no one right answer: All companies are different.

Consider metrics and factors beyond cost. Look at team interest and capability. Try to avoid investing in a product that will not be used.

The importance of matching expectations to maturity: Be wary of buying licenses and expecting everything to suddenly get better.

It may take years to learn how to fully use each feature in your environment.

If you are fully committed to running the business using cloud services, supporting a fully remote work force and fundamentally re-thinking the so-called “best practices” of the last 30 years, then E5 can be a sensible investment.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

How to Monitor within Office 365

In this piece, we’ll look at an example of a security team using Splunk as its SIEM. We will recommend what should be monitored within O365 and what events should be placed in Splunk.

The key considerations we’ll examine in this example are:

What are the most important O365 events a security operations center (SOC) should monitor?

What should go into a SIEM (Splunk) versus what should remain in O365 for ad hoc investigations?

Are there any O365 tools available to facilitate these actions?

Microsoft O365’s Monitoring Options

Although O365 has been around for years, what exactly should be monitored and tracked within it still needs to be examined. This is likely due to the steady release of new features and evolving monitoring functions Microsoft provides to O365 subscribers.

O365 has subscribers in every market vertical. As a result, it offers more monitoring and event collection options than any one organization can – or perhaps even should – consume. Instead of viewing the available events as a mandatory list, consider them as a custom menu of options; choose to use those that make the most sense for you and your organization.

Focus on the Core

Monitoring user access is fairly straightforward. By enabling and monitoring login auditing, you can observe user and administrative access. Additionally, it enables easier detection of various account hijacking attempts.

At a minimum, this data must be consumed in a SIEM for analysis and trend reporting because credential compromises of all sorts are increasingly an attack goal of adversaries. Of interest should be new devices and systems logging in from unexpected geolocations.

These are alert logics Microsoft cannot easily provide, simply because it does not know your environment.

If the volume of this traffic is too high, consider building a custom report where “normal” access is filtered and not sent to the SIEM.

Events That Can Stay in the Cloud

Some major event types should be monitored, but may not be worthy of SIEM space:

File access events. These events – especially with OneDrive and SharePoint (also SharePoint-based apps) – generate so much volume that saving them in the SIEM would quickly move many Splunk clients into a different licensing tier. As a best practice, consider monitoring for odd behaviors in access, including:

Access to especially sensitive files or directories.

File access attempt failures.

File enumeration alerts.

File sharing with entities outside the organization.

Policy changes: These provide an alert with an almost zero false positive rate. Attackers can attempt to downgrade the security settings or audit controls to lower the detection capabilities of a targeted organization during the early phases of a campaign. Policy changes initiated by an organization are rare and should be known events.

User mailbox rule changes: Somewhat related to policy changes, these should be carefully monitored. During many account hijack attacks, adversaries create rules to route mail in such a way as to not alert the user to the illicit use. While this rule can create false positives – some users create mail rules – it can uncover troubling events. Of concern should be mail auto-forwarding and outbound mail being routed to odd/unexpected folders.
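To make the last two items concrete, here is an added Python example (not part of the IANS article) that classifies constructed Exchange audit records: inbox rules that forward or redirect mail, rules that move mail into folders a user rarely reads, mailbox-level forwarding, and administrative cmdlets that change audit or protection policy. The record layout (Operation, UserId, Workload, and a Parameters list of Name/Value pairs) follows the Unified Audit Log; the specific cmdlet and parameter names are real Exchange Online ones, but the sets ODD_TARGET_FOLDERS and POLICY_CHANGE_OPS are illustrative assumptions to be tuned per tenant, and all record values are constructed.

```python
# Parameters on New-InboxRule / Set-InboxRule that send mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Target folders that rarely serve a legitimate user rule; assumption, tune per tenant.
ODD_TARGET_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Junk Email",
                      "Conversation History"}
# Cmdlets treated as security/audit policy changes; an illustrative subset.
POLICY_CHANGE_OPS = {"Set-AdminAuditLogConfig", "Set-OrganizationConfig",
                     "Set-HostedContentFilterPolicy", "Remove-MalwareFilterRule"}

# Constructed audit records (not real tenant data).
AUDIT_RECORDS = [
    {"CreationTime": "2020-12-01T09:10:00", "Workload": "Exchange",
     "UserId": "carol@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "finance-archive@example.net"}]},
    {"CreationTime": "2020-12-01T09:11:00", "Workload": "Exchange",
     "UserId": "carol@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2020-12-01T10:00:00", "Workload": "Exchange",
     "UserId": "dave@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2020-12-01T10:30:00", "Workload": "Exchange",
     "UserId": "admin@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@example.net"}]},
    {"CreationTime": "2020-12-01T11:00:00", "Workload": "Exchange",
     "UserId": "admin@example.com", "Operation": "Set-AdminAuditLogConfig",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"CreationTime": "2020-12-01T11:05:00", "Workload": "AzureActiveDirectory",
     "UserId": "dave@example.com", "Operation": "UserLoggedIn"},
]


def parameters(record):
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify(record):
    """Return (severity, finding, detail) for one record, or None if not of interest."""
    op = record.get("Operation")
    p = parameters(record)
    if op in ("New-InboxRule", "Set-InboxRule"):
        hits = sorted(p.keys() & FORWARDING_PARAMS)
        if hits:
            return ("alert", "mailbox-rule-forwarding",
                    ", ".join(f"{h}={p[h]}" for h in hits))
        if p.get("MoveToFolder") in ODD_TARGET_FOLDERS:
            return ("alert", "mailbox-rule-odd-folder", p["MoveToFolder"])
        # Ordinary rule: some users create mail rules, so record it without alerting.
        return ("info", "mailbox-rule-change", p.get("Name") or p.get("Identity", "?"))
    if op == "Set-Mailbox" and "ForwardingSmtpAddress" in p:
        return ("alert", "mailbox-forwarding", p["ForwardingSmtpAddress"])
    if op in POLICY_CHANGE_OPS:
        # Policy changes should be rare, known events; alert on every one.
        return ("alert", "policy-change",
                f"{op} " + ", ".join(f"{k}={v}" for k, v in p.items()))
    return None


def scan(records):
    """Run classify() over a batch and return the findings as dicts."""
    findings = []
    for r in records:
        c = classify(r)
        if c:
            severity, finding, detail = c
            findings.append({"user": r.get("UserId"), "time": r.get("CreationTime"),
                             "severity": severity, "finding": finding, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(AUDIT_RECORDS):
        print(f"{f['severity']:5} {f['time']} {f['user']:<18} {f['finding']}: {f['detail']}")
```

The "info" tier is what keeps the false-positive rate tolerable: routine rules are counted and kept for ad hoc investigation in O365, while only forwarding, odd-folder routing and policy changes are escalated to the SIEM as alerts.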

Leverage What’s Available in Office 365

Consider granting access to the O365 Security and Compliance Center to members of the SOC. While it may not be appropriate for all analysts, the center can be a resource for those who are charged with monitoring an organization’s security posture.

Another useful feature, role-based access control (RBAC), allows organizations to create accounts with audit-only capabilities. Examples of the roles most appropriate for SOC staff might include “security operator” or “security reader.”

How to Monitor Microsoft Office 365

Provided an organization, as in our example, has the infrastructure to leverage the capabilities of O365, the following will help ensure monitoring goes as planned:

Leverage O365’s built-in alerting, dashboards and reporting wherever practical. Not only does it save your organization from having to consume data, it saves your SIEM’s processing power for use cases that will be unique to your organization.

Make API queries directly to O365. If that’s not possible, consider using the Splunk Add-on for Microsoft Cloud Services. If either of those are not an option, as a fallback, use the O365 reporting functions to auto-generate reports on an hourly basis and consume those in Splunk.

Be cautious of online advice: Many articles – especially ones from the early releases of O365 – did not age well, primarily because Microsoft continues to improve its reporting capabilities and APIs.

While Microsoft hasn’t yet deprecated many of its APIs, the methods these older documents suggest are primitive and require more work than what is currently needed.

Remember, it’s important to periodically review the functions Microsoft O365 provides. The threat and regulatory landscape continue to evolve, and O365’s monitoring capabilities continue to evolve along with them.

DISCLAIMER:

The statements made in this website are the opinions and views of the creators, authors, and editors. We attempt to publish accurate information based on verified sources; however, we cannot guarantee the accuracy of all the information posted on this website. Individuals need to confirm for themselves through personal research and obtaining information directly from the source by BestITDocuments. Any errors brought to our attention will be corrected in a timely fashion.