Primary daily-use account that also holds admin roles

What this profile is

Same identity does email/Teams/Office AND privileged work. Microsoft does not recommend this.

Premium capabilities this profile can land on

Each chip is a premium Microsoft 365 capability bucket the primary daily-use account that also holds admin roles decision path can recommend. Click through to the matching reference entry.

• Entra ID P2 ×10
• Intune Suite ×7
• E7 (Frontier Suite) ×7
• Entra Suite ×6
• Defender XDR / Suite ×5
• Purview E5 ×4
• Microsoft 365 Copilot ×4
• Entra ID Governance ×2
• Teams Premium

Recommendations on this path (29)

Every result your decision path can reach is listed below. Click any badge to open the full reference entry with all bullets and Microsoft source citations.

1. No user license

   No user license required

   Use a managed identity or service principal — they don't consume Microsoft 365 user licenses.

   License: None per-user. Optional: Workload Identities Premium (per workload identity) for risk detection and Conditional Access on service principals

   Why this lands here: You answered Yes to this being a non-interactive identity (service principal / managed identity / workload identity). Per Microsoft's workload identities documentation, these are billed differently from human users — no per-user Microsoft 365 license is required. Optional Workload Identities Premium adds risk detection and CA for workload identities.

   • Prefer managed identities for Azure workloads and replace service-account passwords where possible.
   • Service principals are excluded from user-targeted Conditional Access; use Conditional Access for workload identities instead.
   • For advanced workload protection (risk detection on service principals, CA for workload identities), license with Workload Identities Premium.
2. Teams Premium add-on

   Microsoft Teams Premium required

   Per-user add-on on top of any plan that already includes Teams.

   License: Microsoft Teams Premium add-on, per user that organizes or attends premium meetings (not bundled with E3, E5, or E7)

   Why this lands here: You answered Yes to using Teams Premium features (advanced webinars, town halls premium, intelligent recap, branded meetings, premium virtual appointments, etc.). The Microsoft Teams add-on licensing page lists Teams Premium as a separate per-user SKU — it is not bundled with E3, E5, or E7. Only license users who actually host / attend these meetings.

   • Teams Premium covers advanced webinars, town halls premium, intelligent meeting recap, real-time translation, branded meetings, sensitivity-labeled meetings, and premium virtual appointments.
   • It is NOT bundled with M365 E3 or E5. E7 (Frontier Suite) at GA does not include Teams Premium either — buy it as a separate add-on for users who need these features.
   • License only the users who organize or attend Teams Premium-protected events; ad-hoc attendees do not need it.
   • If the same admin is also in PIM / Identity Protection, layer Entra ID P2 on top — Teams Premium is feature-scoped, not identity-tier.
3. Entra ID Governance

   Microsoft Entra ID Governance license required

   Lifecycle Workflows and Entitlement Management access packages sit above P2.

   License: Microsoft Entra ID Governance per user (target, approver, or reviewer in a governance flow) — also included in the Microsoft Entra Suite and M365 E7

   Why this lands here: You answered Yes to using advanced governance features (Entitlement Management access packages, Lifecycle Workflows, ML access-review recommendations, or Privileged Access Group governance). The Entra ID Governance licensing fundamentals page lists these as exclusive to Entra ID Governance (or the Entra Suite, which bundles Governance with Internet/Private Access and Verified ID).

   • Entitlement Management (access packages with multi-stage approvals), Lifecycle Workflows, machine-learning recommendations on access reviews, and Privileged Access Groups governance require the Entra ID Governance SKU.
   • Entra ID Governance includes Entra ID P2 — one license covers both PIM and Governance.
   • Also included in the Microsoft Entra Suite and Microsoft 365 E7 (Frontier Suite).
   • Per Microsoft licensing: license each user who is a target, approver, or reviewer in a governance flow.
4. Entra Suite required

   Microsoft Entra Suite required

   Bundles P2 + ID Governance + Internet Access + Private Access + Verified ID.

   License: Microsoft Entra Suite per user in scope (bundles P2 + Governance + Internet Access + Private Access + Verified ID) — also included in M365 E7

   Why this lands here: You answered Yes to operating Entra Suite features (Global Secure Access — Internet Access / Private Access — Verified ID issuance, or unified network-identity CA). The Microsoft Entra Suite documentation packages these into a single per-user SKU that also includes P2 and Governance. M365 E7 includes the Entra Suite outright.

   • The Microsoft Entra Suite is required for Global Secure Access (Internet Access + Private Access), Verified ID issuance, and unified network + identity Conditional Access.
   • It includes Entra ID P2 and Entra ID Governance — one license satisfies PIM, Identity Protection, Governance, and Entra Suite scenarios.
   • Microsoft 365 E7 (Frontier Suite) includes the Entra Suite outright — the simplest path if you also need Copilot.
   • License per-user for everyone in scope of Internet/Private Access policies.
5. No license required

   No license required — break-glass account

   Microsoft recommends excluding emergency-access accounts from Conditional Access, PIM, and risk policies.

   License: None. Microsoft Entra ID Free (included with the tenant) is sufficient as long as the account stays excluded from CA, PIM, and Identity Protection

   Why this lands here: You confirmed this is a break-glass account explicitly excluded from Conditional Access, PIM, and Identity Protection. Microsoft's emergency-access guidance recommends that exclusion to avoid lockout; because the account is not in scope of those policies, it does not trigger the per-user premium-tier licensing requirement those policies normally create.

   • Keep the account excluded from CA, PIM, and Identity Protection to keep it license-free.
   • Monitor sign-ins with an Azure Monitor / Sentinel alert; rotate credentials and review usage on a schedule.
   • Recommended: at least two break-glass Global Administrator accounts, stored offline with FIDO2 keys.
   • If your tenant adds these accounts back to PIM later, an Entra ID P2 license becomes required.
6. No license required

   No license required — admin-only account

   Global Administrators and Power Platform Administrators can administer without a license assigned.

   License: None. Microsoft Entra ID Free (included with the tenant) covers baseline directory / role work for an admin-only account

   Why this lands here: You answered No to every premium-tier trigger — no P1-audience features (Conditional Access targeting the admin, SSPR writeback, Application Proxy as a user, Cloud Discovery), no Copilot, no Purview E5, no Defender XDR, no Intune Suite, no Teams Premium, no PIM, no Identity Protection, no Governance, and no Entra Suite. Microsoft's Entra licensing page confirms that a privileged admin who is only doing baseline directory / role work can run on Entra ID Free, which is included with the tenant.

   • Microsoft Entra ID Free already covers user/group management, basic reports, SSO, Security Defaults, basic per-user MFA (Authenticator / FIDO2), cloud-user SSPR, and CA policy CONFIGURATION (role-gated) — no purchase needed.
   • Unlicensed admins land in 'Administrative access mode' for Dynamics 365 / Power Platform with no end-user access.
   • Add a license only if this admin needs to use a service (mailbox, Teams, etc.), becomes in-scope of a CA policy (P1), or crosses into PIM, ID Protection, Purview E5, or Defender Suite policies (E5).
   • Still required: phishing-resistant MFA on every privileged role (free with Security Defaults / CA / Authentication Strengths).
7. Entra ID P1

   Microsoft Entra ID P1 — admin in scope of a P1-audience feature

   The admin's OWN account is the audience of a Conditional Access policy, SSPR with on-prem writeback, Application Proxy as a connecting user, or Cloud App Discovery on their device.

   License: Microsoft Entra ID P1, per user — assigned to the admin's own account. Already bundled in M365 E3 / E5 / Business Premium / A3 / A5 / G3 / G5 / EMS E3+; available standalone for pure Entra ID Free tenants.

   Why this lands here: You answered Yes to the Entra ID P1 audience question — the admin's own account is in scope of at least one Conditional Access policy, uses SSPR with on-prem writeback, connects through Entra Application Proxy as a user, or is in the Defender for Cloud Apps Cloud Discovery report. Per Microsoft's Conditional Access licensing FAQ, every user targeted by a CA policy must have Entra ID P1 assigned — including the admin's own account. This is the most-missed admin licensing trigger.

   • Microsoft Entra ID P1 is required on the admin's own account because they're in the audience scope of a P1 feature (most commonly: at least one CA policy targets them).
   • P1 is bundled in M365 E3, M365 E5, M365 Business Premium, Microsoft 365 A3/A5/G3/G5, EMS E3, EMS E5, and Entra Suite — if the tenant already buys any of those for the admin, the requirement is satisfied.
   • For pure Entra ID Free tenants where the admin needs P1 standalone, license at the Microsoft Entra ID P1 per-user price.
   • Configuring CA policies, Authentication Strengths, Security Defaults, Application Proxy connectors, SSPR settings, and Cloud Discovery data collectors is all FREE (role-gated). The license requirement here is for the admin's account being the AUDIENCE of those policies — not for operating them.
8. Copilot add-on

   Microsoft 365 Copilot add-on

   Per-user Copilot add-on layered on an eligible base plan — keeps the existing tenant SKU mix.

   License: Microsoft 365 Copilot add-on, per user, on top of an eligible base plan (E3 / E5 / Business Standard / Business Premium)

   Why this lands here: You answered Yes to Copilot but No to needing Entra Suite + Agent 365 in one bundle. The Copilot add-on is the lowest-cost path — it just layers Copilot on top of an eligible base plan without forcing a base-plan upgrade.

   • Add the Microsoft 365 Copilot per-user license to the existing base plan; no base-plan change required.
   • Only license users who will actually use Copilot — license assignment gates access.
   • Pay-as-you-go (Copilot Credits) is also available for limited agent access without a full Copilot license.
   • E5 and E7 customers get Security Copilot capacity included at no extra cost.
9. M365 E7 (Frontier Suite)

   Microsoft 365 E7 (Frontier Suite)

   Single bundled SKU that includes E5 + Copilot + Entra Suite + Agent 365.

   License: Microsoft 365 E7 (Frontier Suite), per user — bundles E5, Copilot, Entra Suite, and Agent 365 in one license

   Why this lands here: You answered Yes to Copilot AND Yes to also needing Entra Suite (Internet/Private Access, Verified ID) and Agent 365 governance. E7 (generally available since May 1, 2026) bundles all four into one per-user SKU and is typically cheaper than stacking the add-ons individually.

   • Microsoft 365 E7 includes Microsoft 365 E5 + Microsoft 365 Copilot + Microsoft Entra Suite + Agent 365.
   • Pricing target is the bundle being meaningfully cheaper than E5 + Copilot + Entra Suite + Agent 365 priced individually — confirm with your Microsoft account team.
   • E7 includes Entra ID P2 (via Entra Suite) — covers PIM, Identity Protection, and Governance use cases for the licensed users.
   • E7 customers get Security Copilot capacity included at no extra cost.
10. Microsoft 365 E5

    Microsoft 365 E5

    Single bundled SKU that covers both Purview E5 and the Microsoft Defender Suite (plus Entra ID P2).

    License: Microsoft 365 E5, per user — bundles Purview E5 + Defender Suite + Entra ID P2 + Power BI Pro + Teams Phone

    Why this lands here: You answered Yes to BOTH Purview E5 features and Defender XDR / Defender Suite features. M365 E5 is the single SKU that covers both at once — and it also includes Entra ID P2, so it satisfies PIM, Identity Protection, and Governance triggers for the same user.

    • Microsoft 365 E5 includes Microsoft Purview E5 (IRM, Communication Compliance, premium eDiscovery, Audit Premium, Customer Lockbox), the Microsoft Defender Suite (Defender XDR + Defender for Endpoint P2 + Defender for Identity + Defender for Cloud Apps + Defender for Office 365 P2), and Microsoft Entra ID P2.
    • Buying E5 once is meaningfully cheaper than stacking E3 + E5 Compliance + Defender Suite + Entra ID P2 add-ons.
    • M365 E7 (Frontier Suite) bundles E5 + Copilot + Entra Suite + Agent 365 if you also need those.
    • License every user in scope of the policies — not just the policy author.
11. E5 Compliance add-on

    Microsoft 365 E5 Compliance add-on

    Covers Purview E5 features without forcing a full E5 upgrade — keep your existing base plan.

    License: Microsoft 365 E5 Compliance add-on (or Microsoft Purview Suite), per user in scope of the Purview policy

    Why this lands here: You answered Yes to Purview E5 features but No to also needing Defender XDR / Defender Suite. The E5 Compliance add-on covers Purview without forcing you to buy full E5 — buy it on top of E3 / Business Premium for the in-scope users only.

    • Microsoft 365 E5 Compliance includes IRM, Communication Compliance, premium eDiscovery, endpoint DLP, Records Management, Customer Lockbox, Customer Key, Privileged Access Management for Office, Information Barriers, and Audit (Premium).
    • It also includes Microsoft Entra ID P2 — same identity-tier benefit as full E5.
    • License every user in scope of any covered Purview policy — not just the admin who configures it.
    • If you later need Defender XDR / Endpoint P2 too, upgrading the user from E3 + E5 Compliance to full E5 is the cleanest path.
12. Defender Suite add-on

    Microsoft Defender Suite add-on

    Covers Defender XDR + Defender for Endpoint P2 + Identity + Cloud Apps + Office P2 — without forcing a full E5 upgrade.

    License: Microsoft Defender Suite add-on (formerly E5 Security), per user — also includes Entra ID P2

    Why this lands here: You answered Yes to Defender XDR / Defender Suite features but No to also needing Purview E5. The Defender Suite add-on covers the security workloads without forcing you to buy full E5 — buy it on top of E3 / Business Premium for the SOC analyst / security admins only.

    • Microsoft Defender Suite includes Defender for Endpoint Plan 2, Defender for Identity, Defender for Cloud Apps, Defender for Office 365 Plan 2, and the Defender XDR portal.
    • Defender Suite also includes Microsoft Entra ID P2 — covers PIM and Identity Protection for the same user.
    • Microsoft Sentinel is billed in Azure per-GB and is a separate purchase, but Defender Suite + Sentinel is the standard unified SecOps combo.
    • If you later need Purview E5 too, upgrading to full M365 E5 is the cleanest path.
13. Intune Suite add-on

    Microsoft Intune Suite add-on

    All six Intune premium features bundled — cheaper than stacking standalones.

    License: Microsoft Intune Suite add-on, per user that needs two or more premium endpoint features

    Why this lands here: You answered Yes to two or more Intune premium features. The Intune Suite bundles all six (EPM, Remote Help, Microsoft Tunnel for MAM, Cloud PKI, Enterprise App Management, Advanced Endpoint Analytics) for less than the sum of the individual standalone add-ons.

    • Bundles Endpoint Privilege Management, Remote Help, Microsoft Tunnel for MAM, Cloud PKI, Enterprise App Management, and Advanced Endpoint Analytics.
    • Layers on top of base Intune (already included in M365 E3 / E5 / E7 / Business Premium / F3) — only license users that actually use the premium features.
    • Intune Suite does NOT include Entra ID P2 — if those admins are also in PIM, license them with P2 (or M365 E5/E7) separately.
    • Also bundled with some M365 + Intune Suite enterprise agreement offers — confirm with your Microsoft account team.
14. Intune EPM standalone

    Microsoft Intune Endpoint Privilege Management standalone

    Cheapest path when EPM is the only Intune premium feature this user needs.

    License: Microsoft Intune Endpoint Privilege Management (EPM) standalone add-on, per user

    Why this lands here: You answered Yes to needing Intune premium features, scoped down to exactly one (EPM). The EPM standalone add-on is cheaper than the full Intune Suite when no other premium Intune feature is in play.

    • EPM lets standard users elevate approved applications without holding local admin rights — reduces standing-admin attack surface on Windows endpoints.
    • Base Intune (device management, app deployment, configuration profiles, compliance) is already included in M365 E3 / E5 / E7 / Business Premium / F3 — EPM standalone is the per-user uplift for elevation.
    • If a second Intune premium feature (Remote Help, Tunnel for MAM, Cloud PKI, Enterprise App Management, Advanced Endpoint Analytics) later comes into scope for the same user, the Intune Suite becomes the cheaper path — re-evaluate.
    • Standalone add-ons do NOT include Entra ID P2 — license separately if these admins are also in PIM.
15. Intune Remote Help standalone

    Microsoft Intune Remote Help standalone

    Cheapest path when Remote Help is the only Intune premium feature this user needs.

    License: Microsoft Intune Remote Help standalone add-on, per user (helpdesk technicians AND end users in scope of assistance sessions)

    Why this lands here: You answered Yes to needing Intune premium features, scoped down to exactly one (Remote Help). The Remote Help standalone add-on is cheaper than the full Intune Suite when no other premium Intune feature is in play.

    • Remote Help delivers secure, cloud-managed remote-control and view-only support sessions launched from the Intune admin center, with full audit trail.
    • License every helpdesk technician who provides assistance AND every end user who receives assistance — Microsoft licenses both sides of the session.
    • Base Intune is already included in M365 E3 / E5 / E7 / Business Premium / F3 — Remote Help standalone is the per-user uplift for the assistance capability.
    • If a second Intune premium feature later comes into scope for the same user, the Intune Suite becomes the cheaper path — re-evaluate.
16. Tunnel for MAM standalone

    Microsoft Tunnel for MAM standalone

    Cheapest path when Microsoft Tunnel for MAM is the only Intune premium feature this user needs.

    License: Microsoft Tunnel for Mobile Application Management (MAM) standalone add-on, per user

    Why this lands here: You answered Yes to needing Intune premium features, scoped down to exactly one (Tunnel for MAM). The Tunnel for MAM standalone add-on is cheaper than the full Intune Suite when no other premium Intune feature is in play.

    • Microsoft Tunnel for MAM provides per-app VPN access on unmanaged iOS / Android devices — typically used for BYOD scenarios where MDM enrollment is not in scope.
    • Base Microsoft Tunnel (for enrolled MDM devices) is already included in base Intune — only the MAM variant requires this standalone add-on.
    • Base Intune is already included in M365 E3 / E5 / E7 / Business Premium / F3 — Tunnel for MAM standalone is the per-user uplift for the unmanaged-device VPN capability.
    • If a second Intune premium feature later comes into scope for the same user, the Intune Suite becomes the cheaper path — re-evaluate.
17. Cloud PKI standalone

    Microsoft Cloud PKI standalone

    Cheapest path when Cloud PKI is the only Intune premium feature this user needs.

    License: Microsoft Cloud PKI standalone add-on, per user

    Why this lands here: You answered Yes to needing Intune premium features, scoped down to exactly one (Cloud PKI). The Cloud PKI standalone add-on is cheaper than the full Intune Suite when no other premium Intune feature is in play.

    • Microsoft Cloud PKI is a managed cloud PKI service that issues device and user certificates to Intune-managed endpoints — removes the need to run on-prem AD CS for certificate-based authentication.
    • Issues certificates for Wi-Fi, VPN, SCEP, and 802.1X scenarios; integrates with Intune SCEP / PKCS profile policies.
    • Base Intune is already included in M365 E3 / E5 / E7 / Business Premium / F3 — Cloud PKI standalone is the per-user uplift for the managed PKI service.
    • If a second Intune premium feature later comes into scope for the same user, the Intune Suite becomes the cheaper path — re-evaluate.
18. Enterprise App Mgmt standalone

    Microsoft Intune Enterprise App Management standalone

    Cheapest path when Enterprise App Management is the only Intune premium feature this user needs.

    License: Microsoft Intune Enterprise App Management standalone add-on, per user

    Why this lands here: You answered Yes to needing Intune premium features, scoped down to exactly one (Enterprise App Management). The Enterprise App Management standalone add-on is cheaper than the full Intune Suite when no other premium Intune feature is in play.

    • Enterprise App Management provides a curated catalog of pre-packaged Win32 apps with built-in auto-update detection — removes the need to manually repackage and re-deploy each vendor update.
    • Catalog apps are deployed via standard Intune Win32 app workflow; only the discovery / packaging / update-detection automation requires the standalone add-on.
    • Base Intune is already included in M365 E3 / E5 / E7 / Business Premium / F3 — Enterprise App Management standalone is the per-user uplift for the catalog automation.
    • If a second Intune premium feature later comes into scope for the same user, the Intune Suite becomes the cheaper path — re-evaluate.
19. Advanced Endpoint Analytics standalone

    Microsoft Intune Advanced Endpoint Analytics standalone

    Cheapest path when Advanced Endpoint Analytics is the only Intune premium feature this user needs.

    License: Microsoft Intune Advanced Endpoint Analytics standalone add-on, per user

    Why this lands here: You answered Yes to needing Intune premium features, scoped down to exactly one (Advanced Endpoint Analytics). The Advanced Endpoint Analytics standalone add-on is cheaper than the full Intune Suite when no other premium Intune feature is in play.

    • Advanced Endpoint Analytics adds anomaly detection, per-device timeline, and proactive remediation scripts on top of the base Endpoint Analytics reporting included in Intune.
    • Useful for proactive support — surfaces battery / boot / app reliability anomalies before users open tickets.
    • Base Intune is already included in M365 E3 / E5 / E7 / Business Premium / F3 — Advanced Endpoint Analytics standalone is the per-user uplift for the anomaly / remediation features.
    • If a second Intune premium feature later comes into scope for the same user, the Intune Suite becomes the cheaper path — re-evaluate.
20. Entra ID P2 — standalone

    Microsoft Entra ID P2 — standalone add-on

    Cheapest path when the user isn't already on E5 / E7 / EMS E5 / Defender Suite / Entra Suite / Governance.

    License: Microsoft Entra ID P2 standalone, per user (admin + every approver / reviewer in PIM, and every user in scope of risk-based policies)

    Why this lands here: You answered Yes to a P2 trigger (PIM-eligible / approver / reviewer, OR in scope of Identity Protection / risk-based CA) AND the user is not on any SKU that already includes P2. Standalone Entra ID P2 is the cheapest path for these users.

    • License the admin AND every approver / reviewer in PIM workflows.
    • For Identity Protection: license every user evaluated by the risk-based policy, not just the policy author.
    • If you later upgrade users to M365 E5 / E7 / EMS E5 / Defender Suite / Entra Suite / Entra ID Governance, P2 is included — drop the standalone for those users.
    • Standalone P2 does NOT include Governance — if you also need Lifecycle Workflows or Entitlement Management access packages, use Entra ID Governance instead.
21. Already included

    Entra ID P2 — already included in the user's existing license

    No additional purchase needed — provided every in-scope user is actually assigned a P2-inclusive SKU (not just covered by the tenant's license pool).

    License: No additional license. Entra ID P2 is already included in the SKU the user holds (M365 E5 or E7, EMS E5, Defender Suite, Entra Suite, or Entra ID Governance).

    Why this lands here: You confirmed that every user who will be a PIM eligible admin, approver, or reviewer — and every user in scope of a risk-based Conditional Access, user-risk, or sign-in-risk policy — is already assigned at least one P2-inclusive SKU. No new purchase is needed for those users. If you were uncertain about assignment, go back and answer No: buying standalone Entra ID P2 for a few extra admins is far cheaper than discovering at audit that PIM eligibility was non-compliant for the uncovered users.

    • Verify the P2-inclusive SKU is actually assigned on every PIM-eligible admin, approver, and reviewer in the Microsoft 365 admin center — not just owned by the tenant.
    • Identity Protection follows the same rule: every user evaluated by a risk-based Conditional Access, user-risk, or sign-in-risk policy must hold the SKU at the moment the risk is evaluated.
    • Keep the SKU assigned for as long as the user is in scope. Removing the SKU while leaving the PIM eligibility or risk policy in place makes the configuration non-compliant.
    • If you also need Entra ID Governance features later (Entitlement Management access packages, Lifecycle Workflows, ML-driven access reviews), only Microsoft Entra Suite, M365 E7, and standalone Microsoft Entra ID Governance include those — M365 E5, EMS E5, and Defender Suite do not.
22. Microsoft 365 E3

    Microsoft 365 E3

    Baseline knowledge-worker SKU — desktop Office, Exchange P2, Teams, SharePoint, OneDrive, Intune, Entra ID P1, Defender for Office P1, AIP P1.

    License: Microsoft 365 E3, per user

    Why this lands here: You picked Information / knowledge worker, declined E5-tier security/compliance/identity, and don't need Copilot. M365 E3 is the smallest Enterprise SKU that includes desktop Office + Exchange + Teams + Intune + Entra ID P1 — the right baseline.

    • Includes desktop Office (Word/Excel/PowerPoint/Outlook), Exchange Online Plan 2 (100 GB mailbox), Teams, SharePoint, OneDrive (1 TB+).
    • Includes Microsoft Intune, Microsoft Entra ID P1 (Conditional Access, MFA), Defender for Office 365 P1, AIP P1.
    • Add Microsoft 365 Copilot per user if Copilot need emerges later — no base-plan change required.
    • Step up to M365 E5 when you need Defender XDR / Purview E5 / Entra ID P2 for the same user.
23. M365 E3 + Copilot

    Microsoft 365 E3 + Microsoft 365 Copilot add-on

    E3 baseline with the Copilot add-on layered per user — no base-plan upgrade required.

    License: Microsoft 365 E3 per user PLUS the Microsoft 365 Copilot add-on per Copilot user

    Why this lands here: You picked Information / knowledge worker, declined E5-tier security/compliance/identity, but need Copilot. M365 E3 + Copilot add-on is cheaper than jumping to M365 E5 or E7 — and only the users who actually use Copilot need the add-on.

    • E3 covers the desktop Office + Exchange + Teams + Intune + Entra ID P1 baseline.
    • Copilot add-on per user enables Copilot in Word/Excel/PowerPoint/Outlook/Teams + Copilot Studio grounded in tenant data + Microsoft 365 Chat.
    • Only license the users that will actually use Copilot — license assignment is what gates access.
    • If the user later needs E5-tier security/compliance/identity, swap E3 → E5 (keep the Copilot add-on); or move to E7 (bundles E5 + Copilot + Entra Suite + Agent 365).
24. Microsoft 365 E5

    Microsoft 365 E5

    Single bundled SKU that covers Defender Suite + Purview E5 + Entra ID P2 + Power BI Pro + Teams Phone.

    License: Microsoft 365 E5, per user — includes Defender Suite + Purview E5 + Entra ID P2

    Why this lands here: You picked Information / knowledge worker AND need E5-tier security / compliance / identity. M365 E5 is the single SKU that covers Defender XDR + Purview E5 + Entra ID P2 — usually cheaper than E3 + E5 Compliance + Defender Suite + P2 add-ons.

    • Includes Microsoft Defender Suite (Defender XDR + Endpoint P2 + Identity + Cloud Apps + Office P2), Microsoft Purview E5 (IRM, eDiscovery Premium, Audit Premium, Customer Lockbox, etc.), Microsoft Entra ID P2 (PIM, Identity Protection).
    • Also includes Power BI Pro and Teams Phone Standard.
    • Add Microsoft 365 Copilot per user if Copilot need emerges (or move to M365 E7).
    • For Entra Suite features (Internet/Private Access, Verified ID) — buy Entra Suite add-on or move to E7.
25. M365 E7 (Frontier Suite)

    Microsoft 365 E7 (Frontier Suite)

    Single bundled SKU that includes E5 + Copilot + Entra Suite + Agent 365.

    License: Microsoft 365 E7 (Frontier Suite), per user — bundles E5, Copilot, Entra Suite, and Agent 365

    Why this lands here: You picked Information / knowledge worker AND need E5-tier security AND Copilot + Entra Suite + Agent 365 in a single bundle. E7 (GA 2026-05-01) bundles all of those — typically cheaper than E5 + Copilot + Entra Suite + Agent 365 priced individually.

    • Bundles Microsoft 365 E5 + Microsoft 365 Copilot + Microsoft Entra Suite + Agent 365 in one license.
    • Covers Defender Suite + Purview E5 + Entra ID P2 + Internet/Private Access + Verified ID + Copilot + Agent governance — the most comprehensive M365 SKU.
    • Security Copilot capacity included at no extra cost.
    • Confirm pricing vs. E5 + Copilot + Entra Suite stacked individually with your Microsoft account team — E7 is normally cheaper when all three are needed.
26. M365 Apps for Enterprise

    Microsoft 365 Apps for Enterprise

    Installed Office desktop apps as a per-user SKU — NO Exchange, Teams, SharePoint, or OneDrive cloud services.

    License: Microsoft 365 Apps for Enterprise, per user (~$12 / user / month)

    Why this lands here: You picked Information / knowledge worker, declined the full M365 bundle, AND said the user only needs the installed Office apps (no Microsoft cloud email / Teams / SharePoint). M365 Apps for Enterprise is the apps-only SKU — meaningfully cheaper than any Office 365 E-tier when the user gets mail / chat / file-share from a third-party service.

    • Installed Office desktop apps (Word / Excel / PowerPoint / Outlook / OneNote / Access / Publisher on Windows; Word / Excel / PowerPoint / Outlook on Mac) on up to 5 PCs/Macs + 5 tablets + 5 phones per user.
    • Includes 1 TB OneDrive for Business storage for the user — this is the ONE cloud service bundled.
    • Does NOT include Exchange Online (no mailbox), Microsoft Teams, SharePoint Online, Loop, or Forms cloud services. Mail and collaboration must come from a third party (Google Workspace, on-prem Exchange, IBM Notes, etc.) or be added as standalone SKUs.
    • Does NOT include Windows licence, Microsoft Intune, Microsoft Entra ID P1, or any Defender / Purview features.
27. Office 365 E1

    Office 365 E1

    Cheapest Enterprise O365 tier — cloud collab (Exchange 50 GB + Teams + SharePoint + OneDrive) with Office for the web / mobile only. NO installed desktop Office apps.

    License: Office 365 E1, per user (~$10 / user / month)

    Why this lands here: You picked Information / knowledge worker, declined the full M365 bundle, picked O365 cloud collab over apps-only, declined O5-tier premium services, AND said installed desktop Office apps are not required. Office 365 E1 is the cheapest O365 SKU that includes cloud collab — the user lives in the browser + mobile apps.

    • Exchange Online Plan 1 (50 GB mailbox), Microsoft Teams, SharePoint Online, OneDrive for Business (1 TB), Office for the web (Word / Excel / PowerPoint / Outlook / OneNote in the browser).
    • Office mobile apps with commercial-use rights on devices with a screen ≤ 10.9 inches — iPhones and most Android phones qualify; iPads and Surface tablets generally do NOT (Microsoft's service description rule).
    • NO installed desktop Office apps (no installed Outlook / Word / Excel / PowerPoint on Windows or Mac). If installed apps are needed, step up to Office 365 E3.
    • NO Windows licence, NO Microsoft Intune, NO Microsoft Entra ID P1. Add EMS E3 (~$10.60 / user / month) or buy Entra ID P1 standalone if Conditional Access / Intune is needed.
28. Office 365 E3

    Office 365 E3

    Office cloud productivity — Exchange 100 GB + Teams + SharePoint + OneDrive + installed desktop Office apps. NO Windows / Intune / Entra ID P1.

    License: Office 365 E3, per user (~$23 / user / month) — about $13 / user / month less than Microsoft 365 E3

    Why this lands here: You picked Information / knowledge worker, declined the full M365 bundle, picked O365 cloud collab, declined O5-tier premium services, AND said installed desktop Office apps ARE needed. Office 365 E3 is the workhorse O365 tier — same Office productivity as M365 E3 minus the Windows + Intune + Entra P1 bundle.

    • Installed Office desktop apps (Word / Excel / PowerPoint / Outlook / OneNote / Access / Publisher) on up to 5 PCs / Macs + 5 tablets + 5 phones per user.
    • Exchange Online Plan 2 (100 GB mailbox + unlimited online archive), Microsoft Teams, SharePoint Online, OneDrive (1 TB+, expandable).
    • Includes Microsoft Purview baseline (manual sensitivity labels, basic eDiscovery, baseline DLP, Office Message Encryption), Microsoft Defender for Office 365 Plan 1 (Safe Links / Safe Attachments / anti-phish basic), Azure Information Protection P1.
    • NO Windows licence, NO Microsoft Intune, NO Microsoft Entra ID P1 — add EMS E3 (~$10.60 / user / month) if Intune + Conditional Access are needed (Office 365 E3 + EMS E3 ≈ Microsoft 365 E3 in features but you pay for them as two separate line items).
29. Office 365 E5

    Office 365 E5

    O5 = O3 + Defender for Office 365 P2 + Microsoft Purview E5 + Power BI Pro + Teams Phone Standard. Still NO Windows / Intune / Entra ID P2.

    License: Office 365 E5, per user (~$38 / user / month) — about $20 / user / month less than Microsoft 365 E5

    Why this lands here: You picked Information / knowledge worker, declined the full M365 bundle, picked O365 cloud collab, AND need O5-tier premium services. Office 365 E5 bundles DfO P2 + Purview E5 + Power BI Pro + Teams Phone — cheaper than buying O3 + those four as add-ons, and meaningfully cheaper than M365 E5 if Windows / Intune / Entra P2 are licensed separately.

    • Everything in Office 365 E3 (installed Office apps + 100 GB Exchange + Teams + SharePoint + OneDrive + DfO P1 + AIP P1).
    • Microsoft Defender for Office 365 Plan 2 — Safe Links / Safe Attachments / anti-phish impersonation + Threat Explorer + Automated Investigation and Response (AIR) + Attack Simulation Training.
    • Microsoft Purview E5 — Insider Risk Management, Communication Compliance, eDiscovery Premium (custodian / hold / review), Audit Premium (1-year retention + MailItemsAccessed crucial events), Customer Lockbox, Customer Key (HSM-backed), Information Barriers, Privileged Access Management for Office, automatic labelling.
    • Power BI Pro per user — publish / share / consume Pro workspaces and reports.

Microsoft sources behind this profile

Combined citation list from the entry question and every reachable result, deduped by URL (71 links).

• Why separate admin accounts matter
• Securing privileged access — overview
• Compare Microsoft 365 Enterprise plans
• Managed identities for Azure resources
• Workload Identities
• Conditional Access for workload identities
• Teams Premium licensing
• Teams Premium overview
• M365 Maps — Teams Premium SKU
• Entra ID Governance licensing
• Lifecycle Workflows overview
• Entitlement Management overview
• M365 security & compliance licensing guidance
• Microsoft Entra service description
• M365 Maps — Entra ID Governance
• What is Global Secure Access?
• Microsoft Entra Suite overview
• Microsoft Entra Verified ID
• M365 Maps — Entra Suite
• Manage emergency access accounts
• Conditional Access best practices
• Microsoft Entra ID Free
• Global / Power Platform admins can administer without a license
• Microsoft Product Terms — Universal License Terms (admin-without-license rule)
• M365 Maps — Entra ID Free vs P1 vs P2
• Conditional Access licensing fundamentals (per-user-in-scope rule)
• Microsoft Entra plans & pricing (Free vs P1 vs P2 feature matrix)
• SSPR licensing — cloud users free, writeback needs P1
• Application Proxy licensing
• Microsoft Entra ID Free, P1, P2 feature comparison
• M365 Maps — Microsoft 365 E3 (includes P1)
• M365 Maps — Microsoft 365 Business Premium (includes P1)
• Microsoft 365 Copilot licensing
• Copilot Studio licensing
• M365 Maps — Copilot SKU comparison
• Microsoft Licensing — Microsoft 365 + Teams 2025 packaging update (eligible base-plan changes)
• Microsoft 365 E7 (Frontier Suite) announcement
• M365 Maps — E5 comparison
• Microsoft Purview eDiscovery licensing
• Insider Risk Management — subscriptions & licensing
• M365 Maps — E5 Compliance comparison
• Microsoft Defender XDR overview
• Defender for Endpoint plans
• M365 Maps — E5 Security comparison
• Microsoft Intune Suite & add-ons
• Endpoint Privilege Management
• M365 Maps — Intune Suite
• Remote Help overview
• Microsoft Tunnel for MAM
• Microsoft Cloud PKI overview
• Enterprise App Management overview
• Advanced Endpoint Analytics
• PIM licensing fundamentals
• Identity Protection — risks
• M365 Maps — Entra ID
• Identity Protection — license requirements
• Assign or unassign licenses in the M365 admin center
• Microsoft 365 E3 service description
• M365 Maps — Enterprise plan comparison
• Microsoft 365 Apps for Enterprise — overview
• Office applications service description
• M365 Maps — Apps for Enterprise
• Microsoft 365 Apps for Enterprise pricing
• Compare Office 365 plans (E1 / E3 / E5)
• M365 Maps — Office 365 E1
• Enterprise Mobility + Security (EMS) plans
• M365 Maps — Office 365 E3
• Microsoft Purview service description — E5 features
• Microsoft Defender for Office 365 P2 service description
• Power BI Pro licensing
• M365 Maps — Office 365 E5