Unofficial. Independent community helper — not a Microsoft product, not endorsed by Microsoft. Verify licensing with your Microsoft account team. The Microsoft Product Terms are the source of truth.

Profile × capability map

Each cell shows whether the profile's decision path can land on that premium capability.

Columns (short label: full name): Profile; Entra P2: Entra ID P2; Governance: Entra ID Governance; Entra Suite; Defender: Defender XDR / Suite; Purview: Purview E5; Intune+: Intune Suite; Teams+: Teams Premium; Copilot: Microsoft 365 Copilot; E7: E7 (Frontier Suite); Paths: Result paths
Privileged (dedicated) admin account 10 2 6 5 4 7 4 7 29
Information / knowledge worker (end user) 3 · 2 · · 2 8
Frontline worker (F1 / F3) 3 · 2 · · 2 9
Education (faculty / student) · · · · · · 3
Government (GCC / GCC High / DoD / Air-Gapped) · · · · · · 4
Nonprofit (validated eligibility) · · · · · · 3
Small / mid-size business (≤ 300 seats) · · · · · · · · · 4
External ID / B2B guest / CIAM · · · · · · · 4

Legend: reachable; not on this profile's path.

Scope tags · how each feature is licensed

Three umbrella questions inside the assessment span more than one Microsoft Product Terms feature — Microsoft Purview E5, the Microsoft Defender Suite, and the Entra ID P2 bundle check. Each individual capability inside those umbrellas is tagged with one of five scope models drawn straight from the Microsoft Product Terms and the relevant service descriptions. Those tags drive the colored badges you see while running the tree, and they are the single biggest determinant of who must hold a licence for any given feature. We tagged 62 individual capabilities across 7 umbrella questions.

The five scope tags

| Tag | What it means | Licensing rule | In our tree |
|---|---|---|---|
| Per-user licence | Microsoft Product Terms require the licence on every user benefiting from the feature. Assignment is checked on the individual user's Licenses tab. | License every user in scope of a policy. | 35 features |
| Per-device licence | Licence attaches to the device (typically via the user signed in). Every user signing into an onboarded device whose activity is evaluated needs the licence. | License every device — or the user signed in — that is evaluated. | 3 features |
| Tenant-wide · scopeable | Feature is enabled centrally, but its policy can be scoped to a defined user / group / recipient set. Only the targeted users need the licence — scope down explicitly. | Scope the policy down; license only the targeted users. | 12 features |
| Tenant-wide · not scopeable | Once enabled, the feature covers every user / mailbox / device in the tenant. Product Terms require every covered user to be licensed — there is no 'only Alice' option. | All-or-nothing: license every covered user, or leave the feature off. | 12 features |

Where we use each tag

Every row below is one Microsoft Product Terms feature we wired into the assessment with a scope tag, the SKU(s) that grant it, and the umbrella question it lives under. Open the question inside the assessment to see the full per-product card — what "in scope" means, a Yes / No example, and the Microsoft source citations.

| Feature | SKU(s) | Scope tag | Umbrella question |
|---|---|---|---|
| Conditional Access — USER IN POLICY SCOPE | Entra ID P1 (per-user, bundled in M365 E3 / E5 / Business Premium / EMS E3+) | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Self-Service Password Reset (SSPR) — with on-prem writeback | Entra ID P1 (per-user, bundled in M365 E3 / E5 / Business Premium / EMS E3+) | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Application Proxy — connecting USER | Entra ID P1 (per-user) | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Privileged Identity Management (PIM) | Entra ID P2 (per ELIGIBLE user, bundled in M365 E5 / A5 / G5 / Entra Suite) | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Identity Protection — sign-in / user risk policies | Entra ID P2 (per-user, bundled in M365 E5 / A5 / G5 / Entra Suite) | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Intune Remote Help (helpers AND sharers) | Remote Help standalone or Intune Suite — required on BOTH the helper admin's account AND the end-user sharer's account. | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Entra ID Governance — admin who CONFIGURES | Entra ID Governance per-user (bundled in Entra Suite / M365 E7) — required on the admin who configures Lifecycle Workflows / Entitlement Management. | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Teams Premium — admin-only features (Advanced collaboration analytics) | Teams Premium per-user — required on the Teams admin's own account. | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft 365 Copilot — admin who USES Copilot | Microsoft 365 Copilot per-user add-on, OR M365 E7 (bundles Copilot). | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Global Secure Access (Internet Access + Private Access) | Microsoft Entra Suite per-user (or standalone GSA license) — required on EVERY USER whose device runs the GSA client. | Per-user licence | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Insider Risk Management (IRM) | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Communication Compliance | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Adaptive Protection | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Premium eDiscovery (eDiscovery Premium) | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Auto-labeling (sensitivity & retention) | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Records Management | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Information Barriers | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Privileged Access Management for Office (PAM) | M365 E5 / E5 Compliance / Purview Suite | Per-user licence | Premium service features |
| Audit (Premium) | M365 E5 / E5 Compliance / E5 eDiscovery & Audit / Purview Suite | Per-user licence | Premium service features |
| Remote Help (helper + sharer license rule) | Microsoft Intune Suite / Remote Help standalone add-on (per-user). Requires Microsoft Intune Plan 1 or Plan 2 base. | Per-user licence | Premium service features |
| Endpoint Privilege Management (EPM) | Microsoft Intune Suite / EPM standalone add-on (per-user). Requires Microsoft Intune Plan 1 or Plan 2 base. | Per-user licence | Premium service features |
| Microsoft Tunnel for MAM | Microsoft Intune Suite ONLY (per-user) — no standalone SKU. Requires Microsoft Intune Plan 1 or Plan 2 base. | Per-user licence | Premium service features |
| Microsoft Cloud PKI | Microsoft Intune Suite / Cloud PKI standalone add-on (per-user). Requires Microsoft Intune Plan 1 or Plan 2 base. | Per-user licence | Premium service features |
| Enterprise App Management (EAM) | Microsoft Intune Suite / EAM standalone add-on (per-user). Requires Microsoft Intune Plan 1 or Plan 2 base. | Per-user licence | Premium service features |
| Advanced Endpoint Analytics | Microsoft Intune Suite / Advanced Analytics standalone add-on (per-user). Requires Microsoft Intune Plan 1 or Plan 2 base. | Per-user licence | Premium service features |
| Insider Risk Management (IRM) | M365 E5 / E5 Compliance / IRM standalone | Per-user licence | Premium service features |
| Communication Compliance | M365 E5 / E5 Compliance / Communication Compliance standalone | Per-user licence | Premium service features |
| eDiscovery (Premium) | M365 E5 / E5 Compliance / E5 eDiscovery & Audit / eDiscovery Premium standalone | Per-user licence | Premium service features |
| Audit (Premium) | M365 E5 / E5 Compliance / E5 eDiscovery & Audit / Audit Premium standalone | Per-user licence | Premium service features |
| Microsoft 365 E5 | M365 E5 (commercial) / A5 (education) / G5 (US Gov) | Per-user licence | Premium identity features |
| Microsoft 365 E7 (Frontier Suite) | M365 E7 — generally available since May 1, 2026 | Per-user licence | Premium identity features |
| Enterprise Mobility + Security E5 (EMS E5) | EMS E5 — standalone identity + security suite | Per-user licence | Premium identity features |
| Microsoft Defender Suite | Defender Suite — security add-on (commercial) | Per-user licence | Premium identity features |
| Microsoft Entra Suite | Entra Suite — identity + network access add-on | Per-user licence | Premium identity features |
| Microsoft Entra ID Governance | Entra ID Governance — standalone governance add-on | Per-user licence | Premium identity features |
| Endpoint DLP | M365 E5 / E5 Compliance / Purview Suite | Per-device licence | Premium service features |
| Defender for Endpoint Plan 2 | M365 E5 / M365 E5 Security / Defender for Endpoint P2 standalone (per-user or per-device) | Per-device licence | Premium service features |
| Defender for Endpoint Plan 2 | M365 E5 / M365 E5 Security / Defender for Endpoint P2 standalone (per-user or per-device) | Per-device licence | Premium service features |
| Conditional Access — POLICY CONFIGURATION | Entra ID Free (role-gated: Conditional Access Administrator) | Tenant-wide · scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Application Proxy — admin who configures the connector | Entra ID Free (role-gated: Application Administrator) | Tenant-wide · scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Defender XDR portal (security.microsoft.com) | Free for admin (role-gated). Per-user license required for protected USERS. | Tenant-wide · scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Purview portal (purview.microsoft.com) | Free for admin operation (role-gated). Per-user E5/E5 Compliance/Purview Suite required for PROTECTED USERS and admins IN MONITORED SCOPE. | Tenant-wide · scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Intune admin center | Free for admin operation (role-gated: Intune Administrator). Per-USER Intune Plan 1+ for managed users / devices. | Tenant-wide · scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Cross-tenant access settings & B2B / B2B Direct Connect | Entra ID Free for admin config. Per-MAU billing for guests (External ID), free baseline. | Tenant-wide · scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Defender for Office 365 Plan 2 | M365 E5 / M365 E5 Security / Defender for Office 365 P2 standalone / Office 365 E5 | Tenant-wide · scopeable | Premium service features |
| Defender for Cloud Apps | M365 E5 / M365 E5 Security / EMS E5 / Defender for Cloud Apps standalone | Tenant-wide · scopeable | Premium service features |
| Microsoft Defender XDR (correlation and incident layer) | Auto-entitled by any qualifying license; no separate per-user SKU | Tenant-wide · scopeable | Premium service features |
| Defender for Office 365 Plan 2 | M365 E5 / M365 E5 Security / Defender for Office 365 P2 standalone / Office 365 E5 | Tenant-wide · scopeable | Premium service features |
| Defender for Cloud Apps | M365 E5 / M365 E5 Security / EMS E5 / Defender for Cloud Apps standalone | Tenant-wide · scopeable | Premium service features |
| Microsoft Defender XDR (correlation and incident layer) | Auto-entitled by any qualifying license; no separate per-user SKU | Tenant-wide · scopeable | Premium service features |
| Security Defaults | Entra ID Free (tenant-wide on/off; mutually exclusive with Conditional Access) | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Multi-Factor Authentication (Authenticator push / TOTP / FIDO2) | Entra ID Free (per-user MFA, Security Defaults, or as part of any CA policy) | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Self-Service Password Reset (SSPR) — cloud users only | Entra ID Free (cloud-only password reset) | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Sentinel | Azure GB-based consumption (NOT per-user). Role-gated for admin operation. | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Security Copilot | SCU (Security Compute Unit) tenant capacity. NOT per-user. Role-gated. | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Entra Verified ID | Free — no special licensing requirements (per Verified ID FAQ). | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft Entra Connect / Cloud Sync — admin who configures | Entra ID Free (role-gated: Hybrid Identity Administrator) | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Microsoft 365 admin center & Power Platform admin center | Free — Global Administrator and Power Platform Administrator administer WITHOUT a license. | Tenant-wide · not scopeable | Privileged admin capability map — what's free, what's P1, what's P2, what's E5 |
| Customer Lockbox | M365 E5 / E5 Compliance / Purview Suite | Tenant-wide · not scopeable | Premium service features |
| Customer Key | M365 E5 + Customer Key add-on | Tenant-wide · not scopeable | Premium service features |
| Defender for Identity | M365 E5 / M365 E5 Security / EMS E5 / Defender for Identity standalone | Tenant-wide · not scopeable | Premium service features |
| Defender for Identity | M365 E5 / M365 E5 Security / EMS E5 / Defender for Identity standalone | Tenant-wide · not scopeable | Premium service features |

Why this matters. The Microsoft Product Terms phrase "any user benefiting from the service requires a licence" is enforced differently for each tag. Per-user / per-device / per-mailbox features can be scoped to named principals; tenant-wide-scopeable features can be limited to a recipient set; tenant-wide-not-scopeable features (Customer Lockbox, Customer Key, Defender for Identity, etc.) cover every account in the tenant the moment you flip them on. The assessment uses these tags to colour the per-product cards so you can spot the all-or-nothing features at a glance.