Every recommendation, one page each

You landed here because the identity is non-interactive — a service principal, managed identity, or workload identity that no human signs in to. Microsoft licenses these separately from human users: no per-user M365 license is required for the identity itself.

Why workload identities aren’t user-licensed:

• Per-user M365 service licenses (Exchange, Teams, SharePoint, Office) are assigned to humans who consume those services.
• A service principal calling Graph or a managed identity authenticating to Azure SQL doesn’t consume those user-facing services. It runs as an application identity, separately billed.

Prefer managed identities over service principals with secrets. Microsoft’s guidance is consistent: managed identities for Azure resources eliminate stored credentials entirely. If the workload runs in Azure, managed identity is the default. Use a service principal only when the workload runs outside Azure or needs cross-tenant scope.

Conditional Access for workload identities is a separate feature. User-targeted CA policies (Users → All users) typically exclude service principals — they’re scoped to user objects. To enforce CA on workload identities (block from countries, require allowed sign-in locations, etc.), use the dedicated Conditional Access for workload identities policy type, which requires the Workload Identities Premium SKU per workload identity in scope.

Workload Identities Premium adds:

• Risk detection on service principals (leaked credentials, anomalous sign-in patterns).
• Conditional Access policies scoped to workload identities.
• Access reviews for service principal owners / role assignments.

It’s optional and per-identity, not per-user. License only the service principals where you actually need premium protection.

What’s still required even without a user license:

• Phishing-resistant credential rotation — replace long-lived client secrets with certificates, federated credentials, or managed identities.
• Owner accountability — assign a human owner to every service principal so it doesn’t become orphaned at staff transitions.

You landed here because the user organizes or attends Teams meetings that use Teams Premium features: advanced webinars, town halls premium, intelligent meeting recap, real-time translation, branded meetings, sensitivity-labeled meetings, or premium virtual appointments.

Teams Premium is a separate per-user add-on. It is not bundled with M365 E3, E5, or E7 — not even E7 (Frontier Suite) at GA includes it. Buy it as an add-on on top of whatever base plan already provides Teams.

What’s covered:

• Advanced webinars — registration waitlist, manual approval, RTMP-in, green room, presenter mode controls.
• Town halls premium — increased attendee capacity, on-demand recordings with chapters, multilingual captioning.
• Intelligent meeting recap — AI-generated summary, action items, speaker timeline, search across recordings.
• Real-time translation for captions and live captions.
• Branded meetings — custom themes, backgrounds, organizational logo on meeting lobby and join screens.
• Sensitivity-labeled meetings — apply Purview sensitivity labels directly to meetings to enforce watermark, recording, chat, copy policies.
• Premium virtual appointments — SMS notifications, custom branded lobby, queue management, analytics.

License only the users who actually use these features. Microsoft’s Teams Premium licensing model is straightforward: the organizer of a premium meeting needs the license. Attendees who join a Teams Premium meeting do not need the license for most features — they consume the premium experience because the organizer is licensed. (Exceptions: intelligent recap requires the viewer to be licensed to see the recap; some virtual-appointment features require both sides.)

Don’t confuse Teams Premium with Copilot for Teams. They’re different SKUs:

• Teams Premium = meeting-experience uplift (recap, webinars, branding, labels).
• Microsoft 365 Copilot = generative AI across Word / Excel / PPT / Outlook / Teams. Copilot includes Copilot in Teams meetings (real-time AI assistance during the meeting). That’s separate from Teams Premium’s intelligent recap.

Some scenarios use both. License accordingly.

You landed here because the user (admin, approver, or reviewer) is operating advanced identity-governance features: Entitlement Management access packages, Lifecycle Workflows, ML-driven access-review recommendations, or Privileged Access Groups governance. Entra ID P2 alone doesn’t cover these — they require Entra ID Governance.

What Entra ID Governance includes (that P2 does not):

• Entitlement Management — access packages with multi-stage approvals, time-bound assignments, automatic expiration, and external-user invitation as part of an access package workflow.
• Lifecycle Workflows — automated joiner / mover / leaver workflows with built-in tasks (enable account, assign licenses, send welcome email, disable on leave, run custom Logic App, etc.).
• ML-driven access-review recommendations — suggested approve / deny decisions based on user activity, eliminating rubber-stamping.
• Privileged Access Groups governance — role-assignable groups with PIM-style activation workflows.

Entra ID Governance includes Entra ID P2. One license covers PIM, Identity Protection, and Governance — you don’t need to stack P2 + Governance separately.

License every user in the governance flow — not just the admin. Microsoft’s licensing model is consistent: license the target of an access package, the approver, and the reviewer of an access review. A 20-person finance group reviewed quarterly by a single approver needs 21 licenses (20 targets + 1 approver), not just one.

How this stacks with other SKUs:

• Already on M365 E5? E5 includes P2 but not Governance — you still need Governance on top.
• Already on Microsoft Entra Suite? Entra Suite includes Governance — no separate purchase.
• Already on M365 E7 (Frontier Suite)? E7 bundles Entra Suite, which bundles Governance — already covered.

When Governance is overkill:

• You only need PIM for IT admins → Entra ID P2 is enough.
• You only need risk-based CA for everyone → Entra ID P2 is enough.
• You only need basic access reviews (without ML recommendations) → Entra ID P2 is enough; ML recommendations are the Governance uplift.

The Entra Suite is Entra ID P2 plus four products that historically had to be licensed and stitched together separately:

• Entra ID Governance — entitlement management, access reviews at scale, lifecycle workflows.
• Entra Internet Access — SSE/SWG for internet egress (the “Microsoft SSE” story).
• Entra Private Access — ZTNA replacement for legacy VPN.
• Verified ID — issuer + verifier for verifiable credentials.

Buy the Suite when you’re heading toward Zero Trust and genuinely adopting at least three of those pillars — typically:

• Replacing a VPN with Private Access.
• Replacing or fronting an SWG with Internet Access.
• Running formal access reviews and lifecycle workflows for joiners / movers / leavers.

Skip the Suite when:

• You only need Entra ID P2 PIM/Identity-Protection — license P2 directly.
• You’re not ready to retire the VPN or third-party SWG — Internet Access / Private Access become shelfware quickly.
• You don’t have a verifiable-credential issuance use case for Verified ID.

Stacking note: The Entra Suite includes P2. You shouldn’t double-pay if a user already has E5 (which bundles P2) — license the Suite standalone-style and the P2 entitlement piggybacks.

Microsoft’s posture (Secure Future Initiative): Entra Suite controls sit squarely in Microsoft’s Secure Future Initiative “Protect Identities and Secrets” pillar. Per Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft Product Terms still require a per-user Entra Suite (or Entra ID P2 + add-on) licence for every user covered by PIM, Identity Protection, Internet Access, or Private Access policies.

You landed here because the account is a break-glass emergency-access account that is deliberately excluded from Conditional Access, Privileged Identity Management, and Identity Protection. Microsoft’s emergency-access guidance recommends this exclusion specifically so the account can sign in when other identity controls fail (CA policy misconfiguration, Identity Protection false-positive, MFA service outage).

Because the account is not in scope of those premium policies, it does not trigger the premium-tier licensing requirement those policies normally create. Entra ID Free (included with the tenant) is sufficient.

Microsoft’s recommended break-glass posture:

• At least two break-glass Global Administrator accounts — one is a single point of failure.
• Stored offline — credentials in a sealed envelope or hardware vault, not in your normal password manager.
• FIDO2 hardware security keys as the primary authentication method (not phone-based MFA, which depends on cellular / push services that could be unavailable during an incident).
• No mailbox, no daily-use workload — these accounts exist to recover the tenant, not to do anything else.

Compensating controls are mandatory, not optional. Because the account is excluded from CA + PIM + Identity Protection, the only protection comes from:

• Strong credential hygiene (FIDO2, long randomly-generated password).
• Sign-in alerting — every sign-in to a break-glass account should trigger an immediate alert in Azure Monitor / Sentinel / your SIEM, reviewed by a human within hours.
• Periodic credential rotation and access test — verify the credentials still work before you need them.

Microsoft documents these compensating controls explicitly. If you skip them, the cost-saving rationale (no P2 license) becomes a security gap instead.

If you ever add these accounts back into PIM:

The exclusion is the entire reason no license is required. The moment a break-glass account is added to PIM (eligible for any role, or as an approver / reviewer), Entra ID P2 becomes required for that account, and you’ve also defeated the point of break-glass — it can no longer be relied on when PIM itself is the thing that’s failing.

Keep break-glass accounts permanently outside PIM.

Some identities do not require a Microsoft 365 license to function:

• Directory-only admin accounts that exist to hold a role assignment and never mailbox, file, or Teams.
• Break-glass / emergency-access accounts — Microsoft’s published guidance explicitly does not require a license; you assign Entra roles directly and exclude them from the CA policies that would lock you out.
• Service principals / app registrations for daemon-style applications. These are not user accounts and never need a per-user license.
• Workload Identities under Entra Workload ID standalone licensing, which is per-application not per-user.

Don’t apply this to:

• Shared mailboxes under 50 GB — those don’t need a license either, but the moment you cross 50 GB or enable in-place archive, Exchange Online Plan 1 (or higher) becomes mandatory.
• Admin accounts that also use Office / Teams / SharePoint — those need whatever SKU covers the workloads they actually consume.
• Service accounts that interactively sign in to Office.com — those are user accounts in practice and should be replaced with a managed identity or service principal.

Audit tip: Run an unlicensed-user report monthly. A user with a mailbox and no license is a compliance ticking clock. A directory-only admin with no mailbox is fine.

Copilot for Microsoft 365 is a per-user add-on that requires a qualifying base license (E3, E5, A3, A5, Business Standard, or Business Premium). It is not a standalone product and it is not part of E5.

The headline capabilities:

• Copilot inside Word, Excel, PowerPoint, Outlook, Teams, OneNote, Loop, Whiteboard, and the Microsoft 365 web app.
• Business Chat (the web/mobile/Teams chat experience grounded in your Graph data).
• Copilot Studio agents you embed in M365 apps.
• A commercial data protection boundary so prompts and responses don’t train base models.

Buy Copilot when:

• The pilot cohort has demonstrated measurable time saved on email triage, meeting summarization, document drafting, or spreadsheet analysis.
• Your data estate is already labelled and access-controlled — Copilot will surface whatever the user has access to, including the oversharing you never cleaned up.
• You have an adoption plan, training, and a measurement framework. Without those, Copilot is the most expensive shelfware in your tenant.

Defer Copilot when:

• SharePoint / OneDrive permissions are a mess (Copilot will broadcast that mess).
• You haven’t deployed sensitivity labels / DLP for the data Copilot will index.
• You bought it because “everyone is buying it” — the per-seat cost is high enough to require a real ROI conversation.

Pre-Copilot hygiene checklist: apply at least baseline sensitivity labels, audit SharePoint over-permissive sharing links, restrict guest access in Teams, and turn on Purview audit. Copilot will use whatever permissions you’ve given the user — make sure those permissions are right.

Defender for Endpoint Plan 2 brings the capabilities most security teams actually want from “Defender” — Endpoint Detection & Response, auto-investigation & remediation, Threat & Vulnerability Management at the enterprise tier, and Defender XDR incident correlation for the endpoint signal.

It’s an add-on on E3, F3, and Business Premium (Business Premium ships P1). This is the right answer when the tenant needs enterprise-grade EDR tenant-wide but doesn’t otherwise need the Purview E5 Compliance / Entra ID P2 surface that pushes you to full E5.

Combinations that usually win on price:

• E3 + Defender for Endpoint P2 — same EDR posture as E5, ~60% less per seat.
• Business Premium + Defender for Endpoint P2 add-on — when sub-300 seats but the P1 in Business Premium isn’t enough (you need auto-IR).

You should move all the way to E5 when you also need:

• Entra ID P2 for PIM / Identity Protection more broadly.
• Defender for Office P2 (safe links/attachments + attack simulator).
• Defender for Cloud Apps for shadow IT discovery.
• Purview E5 Compliance for advanced eDiscovery / Insider Risk.

Don’t conflate Defender for Endpoint with Defender XDR. Both P1 and P2 feed XDR signals; the meaningful EDR / response automation lives in P2.

Microsoft’s posture (Secure Future Initiative): Even on this E3 + Defender for Endpoint P2 path, the Defender service is tenant-wide. Per Microsoft’s Secure Future Initiative and Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft Product Terms still require a Defender for Endpoint P2 licence for every user whose device is onboarded — see the Defender for Endpoint licensing requirements.

The Intune Suite bundles every Intune add-on into a single per-seat SKU:

• Endpoint Privilege Management (EPM) — local admin elevation without granting full admin rights.
• Remote Help — assisted-session helpdesk tooling.
• Microsoft Cloud PKI — managed certificate authority.
• Microsoft Tunnel for Mobile Application Management — per-app VPN for iOS/Android.
• Advanced Endpoint Analytics (AEA) — Anomaly detection + medallion reporting.
• Enterprise Application Management (EAM) — packaged-app catalog.

Buy the Suite when the tenant needs three or more of those add-ons. The break-even point is roughly there: under three, individual add-ons win; three or more, the Suite is cheaper per seat and easier to license.

Skip the Suite when:

• You only need one or two add-ons (e.g. Remote Help + Cloud PKI). Buy those two individually.
• You don’t manage iOS/Android at scale — Microsoft Tunnel and parts of EPM become wasted spend.
• Your CA is already Active Directory Certificate Services or a third party you’re keeping — Cloud PKI is the headline value of the Suite, and removing it usually tips the math back to individual add-ons.

License stacking note: All Intune add-ons require an underlying Intune Plan 1 license (which is included in E3/E5/Business Premium/F3). The Suite does not replace that base entitlement.

You landed here because the user needs Microsoft Intune Endpoint Privilege Management (EPM) — and no other Intune premium feature (Remote Help, Tunnel for MAM, Cloud PKI, Enterprise App Management, Advanced Endpoint Analytics) is in scope. EPM standalone is cheaper than the full Intune Suite when EPM is the only piece you need.

What EPM does:

• Lets standard users elevate approved applications (e.g. installers, developer tools) without holding local admin rights on Windows.
• Reduces standing local-admin surface — the #1 contributor to endpoint privilege escalation paths.
• Centrally managed elevation rules in the Intune admin center; per-app audit trail of every elevation event.

The “one feature only” math:

The Intune Suite bundles all six premium features. If EPM is the only one this user needs, paying for the bundle is wasteful. EPM standalone covers exactly this scenario.

Re-evaluate the moment a second Intune premium feature comes into scope. If you later add Remote Help, Tunnel for MAM, Cloud PKI, Enterprise App Management, or Advanced Endpoint Analytics for the same user, the Intune Suite becomes cheaper than stacking two or more standalones. The break-even is typically two premium features — at three, Suite always wins.

What’s already included (no Intune premium add-on needed):

• Base Intune device management, app deployment, compliance policies, configuration profiles, baseline endpoint analytics — all in M365 E3, E5, E7, Business Premium, and F3.

What’s not included in any Intune standalone add-on:

• Entra ID P2 is not bundled. If the same user is also a PIM eligible admin or in scope of Identity Protection, license P2 separately (or pick an SKU that includes both, like M365 E5).

You landed here because the user needs Intune Remote Help — secure, cloud-managed remote-control and view-only support sessions launched from the Intune admin center — and no other Intune premium feature is in scope. Remote Help standalone is cheaper than the full Intune Suite when this is the only premium piece you need.

What Remote Help provides:

• Cloud-brokered remote-control / view-only sessions for Windows / Android endpoints managed by Intune.
• Full audit trail of every session (initiator, target, duration, actions).
• Compliance check before session start — technicians can be required to come from a compliant device.
• End-user consent prompt before the session connects.

Microsoft licenses BOTH sides of the session. Helpdesk technicians who provide assistance and end users who receive assistance each need a Remote Help license. A 50-technician helpdesk supporting 5,000 end users needs 5,050 Remote Help licenses, not 50. This catches teams off guard at first true-up — budget accordingly.

The “one feature only” math:

The Intune Suite bundles all six premium features. If Remote Help is the only one this user needs, paying for the bundle is wasteful. Remote Help standalone covers exactly this scenario.

Re-evaluate the moment a second Intune premium feature comes into scope. If you later add EPM, Tunnel for MAM, Cloud PKI, Enterprise App Management, or Advanced Endpoint Analytics for the same user, the Intune Suite becomes cheaper than stacking two or more standalones.

What’s already included (no Intune premium add-on needed):

• Base Intune device management, app deployment, compliance, configuration — all in M365 E3, E5, E7, Business Premium, F3.

Not bundled: Entra ID P2. License separately if the same admins also operate PIM / Identity Protection.

You landed here because the user needs Microsoft Tunnel for MAM — per-app VPN access on unmanaged iOS / Android devices (typically BYOD scenarios where MDM enrollment is not in scope) — and no other Intune premium feature is in scope.

Critical distinction — two different “Tunnels”:

• Microsoft Tunnel (for enrolled MDM devices) = already included in base Intune. No add-on needed. If your devices are Intune-enrolled, you can use Tunnel today at no extra cost.
• Microsoft Tunnel for MAM = the paid standalone add-on. Enables the same per-app VPN on devices that are not MDM-enrolled — only protected via Mobile Application Management (MAM) policies on managed apps like Outlook, Edge, Teams.

If your devices are enrolled, you don’t need this SKU. If they’re not enrolled (BYOD, contractors, partner devices), you do.

What Tunnel for MAM enables:

• Per-app VPN traffic from MAM-protected apps to on-prem resources behind the corporate firewall.
• No full-device VPN — only the protected app’s traffic is tunneled.
• Tied to the MAM policy on the app; user can’t bypass the tunnel for that app’s corporate access.

The “one feature only” math:

The Intune Suite bundles all six premium features. If Tunnel for MAM is the only one this user needs, paying for the bundle is wasteful. Tunnel for MAM standalone covers exactly this scenario.

Re-evaluate the moment a second Intune premium feature comes into scope for the same user — at two premium features, the Intune Suite usually wins.

Adjacent option to evaluate: if you’re standing up corporate-resource access for a large internal population, Microsoft Entra Private Access (part of the Entra Suite) may be a stronger fit than Tunnel for MAM — it’s a modern ZTNA replacement for traditional VPN. Tunnel for MAM remains the right answer for the narrow “BYOD with no MDM” scenario.

Not bundled: Entra ID P2. License separately if the same admins operate PIM / Identity Protection.

You landed here because the user / environment needs Microsoft Cloud PKI — Microsoft’s managed cloud PKI service that issues device and user certificates to Intune-managed endpoints — and no other Intune premium feature is in scope.

What Cloud PKI replaces:

• On-prem Active Directory Certificate Services (AD CS) for the Intune-managed-endpoint use case.
• Custom NDES / SCEP connector infrastructure for certificate issuance to mobile devices.
• The operational burden of maintaining a private CA hierarchy, CRLs, OCSP responders, HSMs, certificate lifecycle automation — Microsoft runs the CA, you consume the API.

What it issues certificates for:

• Wi-Fi (EAP-TLS / PEAP-TLS) — 802.1X certificate-based authentication.
• VPN — certificate-based authentication to corporate VPN.
• SCEP / PKCS — certificate-based authentication for Exchange ActiveSync, internal web apps, or any scenario that needs an X.509 device or user cert.
• Authentication to AD CS-protected services via cross-signed root.

How it integrates with Intune:

• Configure Cloud PKI as the issuing CA in an Intune SCEP or PKCS profile.
• The profile targets Intune-managed devices; certificates are auto-issued, auto-renewed, and auto-revoked on device retirement.

The “one feature only” math:

The Intune Suite bundles all six premium features. If Cloud PKI is the only one this user needs, paying for the bundle is wasteful. Cloud PKI standalone covers exactly this scenario.

Re-evaluate the moment a second Intune premium feature comes into scope for the same user — at two premium features, the Intune Suite usually wins.

Cloud PKI is per-user-licensed but is fundamentally an infrastructure decision. Once you commit to it as your PKI source for Wi-Fi / VPN / SCEP, every Intune-managed user needing those credentials needs the license. Plan as an infrastructure deployment, not a per-user feature decision — and confirm scoping with your Microsoft account team if you’re rolling it out broadly.

Not bundled: Entra ID P2. License separately if admins also operate PIM / Identity Protection.

You landed here because the user / fleet needs Intune Enterprise App Management (EAM) — Microsoft’s curated catalog of pre-packaged Win32 applications with built-in auto-update detection — and no other Intune premium feature is in scope.

What EAM solves:

The traditional Intune Win32 app deployment pipeline is:

1. Download the vendor installer.
2. Wrap it as .intunewin (Microsoft Win32 Content Prep Tool).
3. Author detection rules, install / uninstall commands, requirements.
4. Upload to Intune. Test. Deploy.
5. Vendor releases a new version. Repeat steps 1–4 every time.

For 50+ apps across hundreds of vendors, this becomes a full-time job.

What EAM provides:

• Pre-packaged Win32 apps in the Intune catalog — Microsoft has done the packaging, detection, and install-command work for you.
• Built-in update detection — when the vendor releases a new version, the catalog updates automatically; you choose when to deploy the update through your existing rings.
• Same Win32 deployment workflow for the assignment side — devices, groups, install context, restart behavior all work the same way.

EAM is the packaging / discovery / update-detection automation. The deployment itself still uses the standard Intune Win32 app pipeline. If you already have a sophisticated packaging team and prefer full control over every .intunewin, EAM is value-additive but not mandatory.

The “one feature only” math:

The Intune Suite bundles all six premium features. If EAM is the only one this user needs, paying for the bundle is wasteful. EAM standalone covers exactly this scenario.

Re-evaluate the moment a second Intune premium feature comes into scope for the same user — at two premium features, the Intune Suite usually wins.

Not bundled: Entra ID P2. License separately if admins also operate PIM / Identity Protection.

You landed here because the user / fleet needs Intune Advanced Endpoint Analytics (AEA) — anomaly detection, per-device timeline view, and proactive remediation scripts — and no other Intune premium feature is in scope.

What’s already free in base Intune:

• Standard Endpoint Analytics reports: startup performance, application reliability, battery health, Windows update compliance.
• Aggregate fleet-level views and trending.

What AEA adds on top:

• Anomaly detection on the standard metrics — surfaces “something broke this week” before users start opening tickets.
• Per-device timeline view — drill into a single device’s reliability / boot / app / battery events to support help-desk triage.
• Proactive remediation scripts — PowerShell detection + remediation scripts that run on a schedule, automatically fix common issues (clear stuck print queues, reset corrupted credentials, restart hung services), and report outcomes back to Intune.

Why this matters operationally:

• Reduces ticket volume for repeat issues that scripted remediation can fix automatically.
• Shifts help-desk triage from “let me reproduce” to “I can see exactly what happened on this device at this time.”
• Useful for L1 support standardization — known issues get scripted away; L1 only escalates novel problems.

The “one feature only” math:

The Intune Suite bundles all six premium features. If AEA is the only one this user needs, paying for the bundle is wasteful. AEA standalone covers exactly this scenario.

Re-evaluate the moment a second Intune premium feature comes into scope for the same user — at two premium features, the Intune Suite usually wins.

Not bundled: Entra ID P2. License separately if admins also operate PIM / Identity Protection.

Entra ID P2 unlocks Privileged Identity Management (PIM), Identity Protection (sign-in & user risk policies), and access reviews. These are must-haves for a modern Zero-Trust admin program — but they only need to be licensed for users who actually use them.

License Entra ID P2 standalone when:

• You have a handful of privileged admins (Global Admins, Privileged Role Admins, Helpdesk Admins) who need PIM eligible assignments and just-in-time activation.
• Your break-glass account program needs PIM-managed assignments and alerting.
• You want to run access reviews for sensitive groups, but only for those specific admin / privileged-access groups — not every employee.

Move to E5 (or the Entra Suite) when:

• You need P2 capabilities tenant-wide (every user goes through risk-based CA, every department runs entitlement reviews).
• You already need at least two of: Defender for Endpoint P2, Defender XDR P2, Purview E5 Compliance.

Compliance pattern: Microsoft licensing terms allow per-user entitlement assignment for P2 — you do not have to license the whole tenant if only the admins use the feature. Document who is licensed (and why) so an audit can trace it.

You landed here because you confirmed that every user in scope of a P2 trigger (PIM eligible / approver / reviewer, or in scope of Identity Protection / risk-based CA) is already assigned a license that includes Entra ID P2 — M365 E5, M365 E7, EMS E5, Defender Suite, Entra Suite, or Entra ID Governance.

If that’s true, no additional purchase is needed. But there’s a subtle gotcha that fails audits:

Assignment vs entitlement — the distinction that matters. The tenant owning a pool of E5 SKUs is not the same as a specific user being assigned one. Auditors verify the license tick-box on each individual user account, not the tenant-wide pool. Before you rely on this answer, open the Microsoft 365 admin center → Users → the user → Licenses & apps, and confirm a P2-inclusive SKU is actually ticked on that user.

Three failure modes that look fine on paper but break at audit:

1. License pool, no assignment. Tenant has 500 unused E5 SKUs. PIM eligible admin is on E3. Auditor flags: admin is non-compliant for PIM licensing.
2. Assignment removed mid-flight. Admin was on E5 when PIM eligibility was created. Six months later, E5 was reassigned to someone else and admin was downgraded to E3. The PIM eligibility is still configured. The moment the SKU was removed, the configuration became non-compliant — Microsoft’s licensing model requires the SKU to remain assigned for as long as the user is in scope.
3. Risk policy scope drift. Identity Protection risk-based CA was originally scoped to a small admin group on E5. Someone later changed the policy scope to “All users” without checking SKUs. Every user evaluated by the policy must hold a P2-inclusive SKU at the moment the risk is evaluated — not just at policy creation time.

Identity Governance ≠ P2. Some P2-inclusive SKUs do not include Entra ID Governance:

• ✅ Microsoft Entra Suite, M365 E7, standalone Entra ID Governance → include Governance.
• ❌ M365 E5, EMS E5, Defender Suite → include P2 but do not include Governance.

If you also need Entitlement Management access packages, Lifecycle Workflows, or ML-driven access-review recommendations, the user needs an SKU from the first list — not just P2.

If even one in-scope user is on a non-P2 SKU (M365 E3, Business Premium, an F-series plan, or Office 365 E5 — yes, Office 365 E5 does not include Entra ID P2), go back and answer No: that user needs standalone Entra ID P2. Discovering this at audit costs more than the standalone license ever would.

The Frontier Suite (M365 E7) stacks the four big premium add-ons onto E5:

• Microsoft 365 Copilot per-user license (the headline).
• Entra Suite — Internet Access, Private Access, Verified ID, ID Governance.
• Intune Suite — Endpoint Privilege Management, Remote Help, Enterprise App Management, Advanced Endpoint Analytics.
• Teams Premium — meeting protections, advanced webinars, town halls.

The bundle math beats à-la-carte when at least three of those four would be purchased anyway. If only Copilot is in scope, license Copilot standalone on top of E5 instead.

Heads up: Frontier Suite availability and exact bundling change frequently. Confirm SKU codes and channel availability with your Microsoft account team before signing.

Microsoft’s posture (Secure Future Initiative): Frontier inherits every tenant-wide-not-scopeable E5 protection (Defender for Identity, Customer Lockbox, Customer Key) and adds Entra Suite controls that Microsoft’s Secure Future Initiative treats as Secure-by-Default — per Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft Product Terms still require a per-user licence for every user who benefits from each enabled feature.

E5 is the right answer when the same identity needs all three of:

• Advanced security analytics beyond just endpoint AV — Defender for Identity watches AD signals, Defender for Cloud Apps shadows SaaS usage, and Defender XDR P2 correlates the lot.
• Information protection at the data layer, not just the edge — Purview records management, communication compliance, eDiscovery Premium, and customer key.
• Premium identity controls — Entra ID P2’s Privileged Identity Management (PIM), Identity Protection risk policies, and access reviews.

If only one of those is in scope, you almost always save money by buying the relevant add-on on top of E3 (Defender for Endpoint P2, Defender for Office P2, Entra ID P2, or the Purview E5 Compliance add-on). E5 only wins when you need the whole stack.

Tradeoff: E5 prices roughly 60% above E3 per seat. If only a privileged admin subset needs PIM, license those few accounts with the Entra ID P2 add-on instead.

Microsoft’s posture (Secure Future Initiative): Several E5 protections are tenant-wide and not scopeable — e.g. Defender for Identity, Customer Lockbox, Customer Key. Per Microsoft’s Secure Future Initiative and Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft’s official recommendation is to enable those tenant-wide protections. The Microsoft Product Terms still require an E5-tier licence for every user who benefits — weigh both statements when sizing the E5 footprint.

You landed here because the user (or workload) needs Purview E5 features — but you’ve confirmed Defender XDR / Defender Suite is not also in scope. The E5 Compliance add-on (also marketed as the Microsoft Purview Suite) covers Purview without forcing a full E5 upgrade.

What E5 Compliance includes:

• Insider Risk Management — ML-driven detection of risky user behavior (data exfil, departing-employee patterns, IP theft).
• Communication Compliance — supervised review of chat / email for policy violations.
• Premium eDiscovery — case-based legal hold, custodian communications, predictive coding / TAR, advanced indexing.
• Endpoint DLP — DLP policies enforced on Windows / Mac endpoint activity (file copy, USB, cloud upload, printing).
• Records Management — retention with disposition review, file plan, event-based retention.
• Customer Lockbox — Microsoft engineer access to your tenant requires your explicit approval per access request.
• Customer Key — bring-your-own-key encryption for Exchange / SharePoint / OneDrive / Teams content.
• Privileged Access Management for Office — JIT elevation for Exchange / SharePoint tenant-admin operations.
• Information Barriers — block communication / collaboration between defined segments.
• Audit (Premium) — high-bandwidth audit, 1-year default retention (10-year with add-on), Audit Premium events.

E5 Compliance also includes Entra ID P2. Same identity-tier benefit as full E5 — covers PIM and Identity Protection for the same user.

License every user in scope of any covered Purview policy — not just the admin who configures it. Insider Risk Management licensing requires the SKU on every monitored user; eDiscovery Premium requires it on every custodian; endpoint DLP requires it on every endpoint user whose activity is in scope. Don’t license just the IR analyst.

Several E5 Compliance components are tenant-wide-not-scopeable — Customer Lockbox, Customer Key, Information Barriers. Once enabled, they apply tenant-wide; you can’t scope them to a subset of users. Treat those as tenant-level decisions, not per-user ones.

When to step up to full E5: if you later also need Defender XDR (Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, Defender for Office 365 P2), upgrading the user from E3 + E5 Compliance to full E5 is usually the cleanest path — the bundle math favors E5 once both halves are in scope.

E3 is the baseline for an enterprise information worker once headcount crosses the 300-seat Business Premium ceiling — or any time the tenant needs unlimited mailbox archive, Azure Information Protection labelling at scale, or Windows Enterprise editions.

You get:

• The Office desktop apps (Outlook, Word, Excel, PowerPoint, OneNote, Teams) plus the web/mobile versions.
• 100 GB mailboxes with unlimited online archive, Exchange Online Protection, and the data-loss-prevention starter set.
• Windows 11 Enterprise upgrade rights, Intune for endpoint management, and Entra ID P1 for Conditional Access.
• Microsoft Purview labelling, basic eDiscovery, and 1 TB of OneDrive.

Don’t pay for E5 unless you’ve ticked at least two of these boxes:

• You need Defender for Endpoint P2 (EDR with auto-investigation/response) — not just the P1 surface E3 ships with.
• You’re running PIM, Identity Protection, or access reviews — that’s Entra ID P2, an add-on on E3 but bundled in E5.
• You need Purview Premium eDiscovery, Communication Compliance, Customer Key, or Insider Risk Management.

If you only need one of those, buy that single add-on on top of E3 and keep the savings.

Common add-ons people layer onto E3: Entra ID P2 (privileged accounts only), Defender for Endpoint P2 tenant-wide, Defender for Office P2 for phish-targeted execs, or Copilot for M365 per seat.

You landed here because the user needs Copilot, but does not also need E5-tier security / compliance / identity. E3 + the Copilot add-on is the cheapest legitimate Copilot path for a knowledge worker.

What you get:

• M365 E3 — desktop Office, Exchange Online Plan 2, Teams, SharePoint, OneDrive, Microsoft Intune, Entra ID P1, Defender for Office 365 P1, AIP P1.
• Microsoft 365 Copilot add-on — Copilot in Word / Excel / PowerPoint / Outlook / Teams, Microsoft 365 Chat, and Copilot Studio grounded in tenant data.

Buy only as many Copilot add-ons as you have actual Copilot users. License assignment is what gates Copilot — every user who needs it gets the add-on; everyone else stays on plain E3.

Pre-deployment hygiene matters more than the license. Before turning Copilot on for a population, audit oversharing in SharePoint / OneDrive / Teams. Copilot surfaces files the user already has access to — if your tenant has loose permissions or stale “Everyone except external users” shares, Copilot will faithfully surface that content in chat results. Restricted SharePoint Search, Sensitivity Labels, and DLP for Copilot exist for exactly this reason — don’t skip them.

Common step-ups from here:

• User later needs E5-tier security / compliance / identity? Swap E3 → E5 and keep the Copilot add-on attached — it’s the same per-user SKU.
• Also needs Entra Suite (Internet Access / Private Access / Verified ID) + Agent 365 governance? Move to M365 E7 (Frontier Suite), which bundles E5 + Copilot + Entra Suite + Agent 365 — typically cheaper than stacking them separately.

Don’t pay for E5 just to get Copilot. Copilot doesn’t require any E5-tier feature to run. E5 is justified only when at least two of Defender Suite, Purview E5, and Entra ID P2 are independently in scope.

You landed on E5 because the user needs E5-tier security, compliance, or identity features. E5 is the single SKU that bundles all three:

• Microsoft Defender Suite — Defender XDR + Defender for Endpoint P2 + Defender for Identity + Defender for Cloud Apps + Defender for Office 365 P2.
• Microsoft Purview E5 — Insider Risk Management, Communication Compliance, eDiscovery Premium, Records Management, Audit (Premium), Customer Lockbox, Customer Key, Information Barriers, Privileged Access Management for Office.
• Microsoft Entra ID P2 — Privileged Identity Management (PIM), Identity Protection, access reviews.

It also throws in Power BI Pro and Teams Phone Standard.

E5 wins on price when the same identity needs at least two of those three pillars. If only one is in scope, the matching add-on (E5 Compliance add-on, Defender Suite, or standalone Entra ID P2) stacked on top of E3 is cheaper.

Tradeoff: E5 is roughly 60% above E3 per seat. Only license every user who is actually in scope of an E5-tier policy — not the whole tenant. If only a handful of admins need PIM, license them with the Entra ID P2 add-on instead and leave the rest on E3.

Microsoft’s posture (Secure Future Initiative): Several E5 protections are tenant-wide-not-scopeable — Defender for Identity, Customer Lockbox, Customer Key. Per Microsoft’s Secure Future Initiative and Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft’s recommendation is to enable those tenant-wide protections. The Microsoft Product Terms still require an E5-tier licence for every user who benefits — weigh both statements when sizing the E5 footprint.

Common upgrades from here:

• Need Copilot too? Add the Microsoft 365 Copilot per-user add-on on top of E5 — no base-plan change required.
• Also need Entra Suite (Internet Access / Private Access / Verified ID) + Agent 365 governance? Step up to M365 E7 (Frontier Suite), which bundles E5 + Copilot + Entra Suite + Agent 365 in one SKU.

E7 is the Frontier Suite, generally available since May 1, 2026. It bundles the four big add-on layers into one per-user SKU:

• Microsoft 365 E5 — Defender Suite + Purview E5 + Entra ID P2 + Power BI Pro + Teams Phone.
• Microsoft 365 Copilot — Copilot in Word / Excel / PowerPoint / Outlook / Teams + Microsoft 365 Chat + Copilot Studio grounding.
• Microsoft Entra Suite — Internet Access, Private Access, Verified ID, Entra ID Governance.
• Agent 365 — governance, identity, security, and compliance for AI agents.

E7 wins on price when the same user would have bought E5 + Copilot + Entra Suite + Agent 365 individually anyway. If only Copilot is in scope, license Copilot standalone on top of E5 instead.

Bundle math: Confirm pricing with your Microsoft account team. The bundle target is meaningfully cheaper than the four components stacked, but exact discount depends on your agreement type (EA / MCA-E / CSP).

E7 also includes Security Copilot capacity at no extra cost — the only SKU shape (other than the Security Copilot SCU-based purchase) that gives SOC teams Security Copilot without a separate buy.

Microsoft’s posture (Secure Future Initiative): Frontier inherits every tenant-wide-not-scopeable E5 protection (Defender for Identity, Customer Lockbox, Customer Key) and adds Entra Suite controls that Microsoft’s Secure Future Initiative treats as Secure-by-Default — per Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft Product Terms still require a per-user licence for every user who benefits from each enabled feature.

When E7 is NOT the right answer:

• Only Copilot is in scope (no Entra Suite, no Agent 365) — use E5 + Copilot add-on, or E3 + Copilot add-on if you don’t need E5 either.
• Only a small admin cohort needs the Entra Suite features — buy Entra Suite standalone for those few users instead of E7 for the whole population.
• Agent 365 isn’t yet in your roadmap — defer E7 until Agent governance is actually being deployed.

Microsoft 365 Apps for Enterprise is the installed Office apps as a per-user SKU — Word, Excel, PowerPoint, Outlook, OneNote, Access, Publisher on Windows (plus Word / Excel / PowerPoint / Outlook on Mac) on up to 5 PCs / Macs + 5 tablets + 5 phones per user. It’s roughly $12 / user / month in commercial pricing and is the cheapest legitimate way to license installed Office.

You get:

• The installed Office desktop apps on Windows and Mac (plus the mobile apps with the same 10.9-inch screen rule as every Office SKU).
• 1 TB of OneDrive for Business storage per user — this is the only Microsoft cloud service bundled.
• Standard Microsoft Update / Office Customization Tool deployment paths (channel control, ODT, Configuration Manager / Intune deployment via Win32 app).

You do not get:

• An Exchange Online mailbox (no Outlook hosted mail). Mail must come from a third-party service.
• Microsoft Teams, SharePoint Online, Loop, Forms, or any other Microsoft cloud collab service.
• A Windows licence, Microsoft Intune, or Microsoft Entra ID P1 (no Conditional Access, no group-based licensing, no SSPR by default).
• Any Defender or Purview features — including Defender for Office Plan 1 (no Safe Links / Safe Attachments because there’s no Exchange Online to attach to).

When this is the right answer

The classic fits are:

• Mixed-stack engineering shops on Google Workspace where employees need Excel + PowerPoint locally for Office-format compatibility with external partners but their day-to-day mail / chat / docs all live in Gmail / Meet / Drive.
• Migration scenarios — the org is still on on-premises Exchange or moving off IBM Notes / Zimbra / Skype for Business and hasn’t moved to Microsoft cloud yet, but users need Office locally today.
• Sub-tenants / acquisitions where Office is deployed centrally but the collab platform is run by the parent company under a different SKU / tenant.

When to step up

• Need cloud mail + Teams + SharePoint → step up to Office 365 E1 (web/mobile only) or Office 365 E3 (installed apps included anyway).
• Need Windows + Intune + Entra ID P1 as part of the same SKU → step up to Microsoft 365 E3 (bundles all of those with installed Office).
• Need Defender for Office P2 / Purview E5 / Power BI Pro / Teams Phone → step up to Office 365 E5 (or M365 E5 if the M365 bundle fits).

EEA note. This SKU has no Teams to unbundle, so there’s no separate “No Teams” EEA variant. The same Microsoft 365 Apps for Enterprise SKU sells worldwide.

Office 365 E1 is the cheapest Enterprise-class Microsoft cloud collab SKU — roughly $10 / user / month in commercial pricing. It’s the right answer when the user lives in the browser and on a phone, and the org licenses Windows + Intune + Entra ID separately (or not at all).

You get:

• Exchange Online Plan 1 — 50 GB mailbox, Outlook on the web, Outlook mobile, Exchange Online Protection.
• Microsoft Teams — chat, meetings, calling (PSTN extra), Walkie Talkie, Shifts, Tasks. Same Teams as every other M365 / O365 tier.
• SharePoint Online + OneDrive for Business — 1 TB user storage, document libraries, site collections, modern intranet.
• Office for the web — Word, Excel, PowerPoint, Outlook, OneNote running in the browser. Office mobile apps with commercial-use rights on devices with a screen ≤ 10.9 inches (iPhones and most Android phones qualify; iPads and Surface tablets generally don’t).

You do not get:

• Installed desktop Office apps. No installed Outlook, Word, Excel, or PowerPoint on Windows or Mac.
• Windows licence, Microsoft Intune, Microsoft Entra ID P1 — none of the EMS stack. Add EMS E3 (~$10.60 / user / month) if Conditional Access / Intune is needed, or buy Entra ID P1 standalone.
• Any premium Defender or Purview features (you get Exchange Online Protection and baseline DLP, nothing more).

When this is the right answer

• Web-first users — store managers, contact-center agents, field staff who primarily use shared kiosks or BYO phones, frontline-adjacent knowledge workers who don’t fit F1/F3 eligibility but still live in the browser.
• Low-touch contractors / vendors who need a real Exchange mailbox but won’t install Office locally.
• Education / training environments where Office is delivered via the browser.

When to step up

• Need installed desktop Office → step up to Office 365 E3.
• Need E5-tier premium (Defender for Office P2, Audit Premium, Power BI Pro, Teams Phone Standard) → Office 365 E5.
• Need Windows + Intune + Entra ID P1 bundled → Microsoft 365 E3 or E5.

EEA note. EU / EEA customers buy the “Office 365 E1 (no Teams) EEA” SKU + Microsoft Teams Enterprise as a separate per-user SKU per the post-antitrust packaging change. Same features, just split into two line items.

Office 365 E3 is the workhorse O365 tier — roughly $23 / user / month in commercial pricing, about $13 / user / month less than Microsoft 365 E3. It’s the right answer when the user needs cloud collab + installed Office, but the org licenses Windows + Intune + Entra ID separately (BYOD, Mac / Linux fleets, third-party MDM, existing EMS-only deal, or Windows handled by procurement under Volume Licensing).

You get:

• Installed Office desktop apps — Word, Excel, PowerPoint, Outlook, OneNote, Access, Publisher (Windows) and Word / Excel / PowerPoint / Outlook (Mac) on up to 5 PCs / Macs + 5 tablets + 5 phones per user.
• Exchange Online Plan 2 — 100 GB mailbox + unlimited online archive (auto-expanding to 1.5 TB).
• Microsoft Teams + SharePoint Online + OneDrive for Business (1 TB+, expandable).
• Microsoft Purview baseline — manual sensitivity labels, basic eDiscovery, baseline DLP, Office Message Encryption.
• Microsoft Defender for Office 365 Plan 1 — Safe Links / Safe Attachments / anti-phish basic.
• Azure Information Protection P1.

You do not get:

• Windows licence, Microsoft Intune, Microsoft Entra ID P1 — add EMS E3 (~$10.60 / user / month) to layer those on (Office 365 E3 + EMS E3 ≈ Microsoft 365 E3 in features, paid as two line items).
• Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Defender XDR — none of the Defender Suite.
• Purview E5 — no IRM, no Communication Compliance, no Audit Premium, no eDiscovery Premium, no Customer Lockbox.
• Entra ID P2 — no PIM, no Identity Protection, no access reviews.

When this is the right answer

• Mac / Linux engineering shops where Windows licence has no value and the org runs Jamf / third-party MDM.
• BYOD knowledge workers where the org pays for the device through stipends and doesn’t enrol them in Intune.
• Customers with a separate EMS / Windows VL deal where M365 bundling would double-pay.
• Compliance-light environments where the standard Purview baseline + Defender for Office P1 is enough and Defender Suite isn’t needed.

When to step up

• Need E5-tier premium (Defender for Office P2, Audit Premium, Power BI Pro, Teams Phone Standard) → Office 365 E5.
• Need Windows + Intune + Entra ID P1 bundled → Microsoft 365 E3.
• Need full Defender Suite + Purview E5 + Entra ID P2 → Microsoft 365 E5, or Office 365 E5 + EMS E5 (sometimes priced better in legacy EAs).

EEA note. EU / EEA customers buy the “Office 365 E3 (no Teams) EEA” SKU + Microsoft Teams Enterprise as a separate per-user SKU. Same features, split into two line items.

Office 365 E5 is the premium O365 tier — roughly $38 / user / month in commercial pricing, about $20 / user / month less than Microsoft 365 E5. It bundles four uplifts that customers most often need together:

1. Microsoft Defender for Office 365 Plan 2 — Safe Links / Safe Attachments / anti-phish impersonation, Threat Explorer, Automated Investigation and Response (AIR), and Attack Simulation Training.
2. Microsoft Purview E5 — Insider Risk Management, Communication Compliance, eDiscovery Premium (custodian / hold / review), Audit Premium (1-year retention
   • MailItemsAccessed crucial events), Customer Lockbox, Customer Key (HSM-backed), Information Barriers, Privileged Access Management for Office, and automatic labelling.
3. Power BI Pro per user — publish / share / consume Pro workspaces and reports.
4. Microsoft Teams Phone Standard — PSTN calling control plane (calling plan / direct routing / operator connect minutes are extra).

You also get everything in Office 365 E3 — installed Office desktop apps, 100 GB Exchange mailbox + unlimited archive, Teams, SharePoint, OneDrive, Defender for Office P1, AIP P1.

You do not get:

• Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Defender XDR — the rest of the Defender Suite. Add Defender Suite separately or step up to Microsoft 365 E5.
• Microsoft Entra ID P2 — no PIM, no Identity Protection, no access reviews. Add Entra ID P2 standalone or step up to EMS E5.
• Microsoft Intune or Windows licence — add EMS E5 (~$16.40 / user / month) for Intune + Entra ID P2 + Defender for Identity + Defender for Cloud Apps, or step up to Microsoft 365 E5.

When this is the right answer

• Premium O365 stack without the M365 bundle — the org licenses Windows + Intune + Entra ID separately and doesn’t want to double-pay through M365.
• Office 365 E5 + EMS E5 is a common stacking pattern that pre-dates M365 bundling — it covers everything M365 E5 does, sometimes priced better under legacy EA / CSP terms. Check with your Microsoft account team.
• Customers who need DfO P2 + Purview E5 + Power BI Pro + Teams Phone all together — buying those four as standalone add-ons on Office 365 E3 typically costs more than O5.

When to step up

• Need full Defender Suite + Entra ID P2 in one SKU → Microsoft 365 E5, or layer EMS E5 on top of Office 365 E5.
• Need Copilot + Entra Suite + Agent 365 bundled → Microsoft 365 E7 (Frontier Suite — GA 2026-05-01).
• Need just Defender for Office P2 alone, not all four uplifts → stay on Office 365 E3 and buy Defender for Office 365 P2 standalone.

EEA note. EU / EEA customers buy the “Office 365 E5 (no Teams) EEA” SKU + Microsoft Teams Enterprise as a separate per-user SKU per the post-antitrust packaging change. Teams Phone Standard still ships separately in the EEA bundle.

What this is

Microsoft 365 Apps for Business is the apps-only SKU in the Microsoft 365 Business family. It includes the installed Office desktop applications and 1 TB of OneDrive for Business storage — and intentionally excludes every other Microsoft cloud service (no Exchange mailbox, no Microsoft Teams, no SharePoint Online, no Loop, no Bookings, no Clipchamp).

It sits below Business Basic in price (the cheapest Basic-family SKU that includes any cloud collaboration) and below Business Standard in scope, and is targeted at small businesses that already get email and chat from a third-party platform — typically Google Workspace, on-premises Exchange, Slack, or a hosted IMAP/SMTP provider — but still need the installed Word / Excel / PowerPoint / Outlook desktop apps for documents and reporting.

When to pick it

Pick Microsoft 365 Apps for Business when all four are true:

1. The organization has 300 seats or fewer (the hard Business-family cap — shared across Apps for Business + Basic + Standard + Premium combined).
2. Users need installed Office desktop apps (Word, Excel, PowerPoint, Outlook, OneNote on Windows; Word, Excel, PowerPoint, Outlook on Mac) — Office for the web is not enough.
3. Mail and team collaboration come from somewhere else (Google Workspace Gmail + Meet, on-premises Exchange, a non-Microsoft SaaS, or nothing at all) — the org does NOT need an Exchange Online mailbox, Microsoft Teams, or SharePoint Online.
4. The org does not need Microsoft Defender for Business, Microsoft Intune device management, or Microsoft Entra ID P1 (Conditional Access + MFA enforcement + group-based licensing). If any of those are required, you need Business Premium instead — and Business Premium includes the installed Office apps too.

If criterion 3 ever flips (the org starts using Microsoft Teams or moves email to Exchange Online), step up to Business Basic / Standard / Premium — there is no licensing concept of “Apps for Business + Teams add-on.” Microsoft sells Teams Essentials as a standalone for orgs that want just Teams, but that’s a different SKU stack.

If criterion 1 ever flips (org grows past 300 seats), step laterally to Microsoft 365 Apps for Enterprise — same apps-only scope, no seat cap, sold as an Enterprise-tier SKU.

What it includes

• Installed Office desktop apps — Word, Excel, PowerPoint, Outlook, OneNote on Windows. Word, Excel, PowerPoint, Outlook on Mac. Access and Publisher on Windows only.
• Installation rights on up to 5 PCs/Macs + 5 tablets + 5 phones per user.
• 1 TB OneDrive for Business per user (this is the ONE cloud service bundled).
• Microsoft 365 Apps update channels (Monthly Enterprise, Semi-Annual Enterprise, Current).

What it does NOT include

• No Exchange Online mailbox. Mail must come from another provider. (You can buy Exchange Online Plan 1 or Plan 2 as a standalone add-on, but at that point compare against Business Basic.)
• No Microsoft Teams. No chat, no meetings, no calling. (Teams Essentials is a separate SKU.)
• No SharePoint Online sites or Microsoft Lists (other than the document storage within OneDrive).
• No Microsoft Loop, Bookings, Clipchamp, Stream, Forms, or Power Automate / Power Apps seeded usage rights.
• No security uplift. No Defender for Business, no Intune, no Entra ID P1, no Conditional Access enforcement, no Information Protection. Users get the base Microsoft Entra ID Free tier that comes with every Microsoft 365 tenant.

Sources

• Microsoft 365 Apps for Business — product page
• Compare Microsoft 365 Business plans
• Office applications service description
• Microsoft 365 Business 300-seat limit
• M365 Maps — Apps for Business

Business Basic is the smallest Microsoft 365 Business SKU. It covers the cloud services most SMBs actually run on:

• Exchange Online (50 GB mailbox), Teams, SharePoint, OneDrive.
• Office for the web (Word / Excel / PowerPoint in the browser).
• Microsoft Loop, Bookings, Forms, Clipchamp.

What it doesn’t include: installed desktop Word / Excel / PowerPoint / Outlook, Microsoft Intune, Entra ID P1, Defender for Business. If you need any of those, you’re on Business Standard or Business Premium — not Basic.

The 300-seat hard cap. All Microsoft 365 Business SKUs (Basic / Standard / Premium) share a single 300-seat ceiling across the tenant combined. Once you cross 301, Microsoft requires Enterprise (E) SKUs for new seats — and existing Business licenses cannot grow past the cap. If you’re trending toward 300, plan the cutover to E3 / E5 before you’re forced into it during a hiring spike.

When Business Basic is the right answer:

• The tenant is small (well under 300 seats).
• Users work primarily in the browser or on mobile — installed Office apps aren’t needed.
• No Defender for Business, no Intune, no Conditional Access requirement.

Step up to Business Standard the moment users need installed Office apps on their Windows / Mac desktops.

Step up to Business Premium the moment you need real endpoint security (Defender for Business), device management (Intune), or Conditional Access (Entra ID P1). For most security-conscious SMBs, Premium is the right starting tier — Basic and Standard are appropriate only when those controls are out of scope.

Business Standard is Business Basic plus the installed Office desktop apps. That’s the only meaningful uplift from Basic — everything else (mailbox size, Teams, SharePoint, OneDrive, the 300-seat cap) is the same.

What’s added over Basic:

• Word, Excel, PowerPoint, Outlook installed on Windows / Mac.
• Access and Publisher (Windows only).
• Microsoft Loop, Bookings, Clipchamp — same as Basic.

What’s still missing vs Business Premium:

• Microsoft Intune (device management).
• Microsoft Defender for Business (endpoint EDR).
• Microsoft Entra ID P1 (Conditional Access, MFA enforcement, SSPR).
• Defender for Office 365 P1 (advanced anti-phishing on email).
• Azure Information Protection P1 (sensitivity labels).

The 300-seat hard cap applies. All Business SKUs share a single 300-seat ceiling across the tenant. If you’re approaching it, plan the cutover to Enterprise E3 / E5 before you cross.

When Business Standard is the right answer:

• The tenant is small and security / device-management is genuinely out of scope (handled separately, or not yet a requirement).
• Users need installed Office desktop apps but nothing more.

In practice, most SMBs that buy Standard end up needing Premium within a year. The moment you turn on Conditional Access, deploy endpoint protection, or enrol devices in Intune, you’re on the Premium feature set. If that’s even slightly likely in the next 12 months, Premium is the better starting point — buying Standard and re-licensing later costs more than buying Premium up front.

For organizations under the 300-seat ceiling, Business Premium is the cheapest legitimate way to land everything most SMBs actually need:

• Office desktop + web/mobile.
• 50 GB mailboxes, 1 TB OneDrive.
• Intune for endpoint management (parity with Enterprise for the device surface most SMBs care about).
• Entra ID P1 — Conditional Access, MFA, self-service password reset.
• Defender for Business — endpoint EDR comparable to Defender for Endpoint P1, tuned for SMB consoles.
• Azure Information Protection P1 for basic labelling.

You outgrow Business Premium when any of these become true:

• You cross 300 paid seats. Once you do, you cannot add more — you must switch the new seats to E3 (or move the whole tenant to E3/E5).
• You need Entra ID P2 capabilities (PIM, Identity Protection, access reviews) on more than a handful of admins — at that point, E5 or E3 + the P2 add-on starts winning.
• You need eDiscovery Premium, Customer Key, or Insider Risk Management — those require Purview E5 Compliance, which only attaches to E3/E5 (not Business Premium).
• You need Defender for Endpoint P2 features (auto-investigation, threat-and-vuln management at the enterprise tier).

300-seat trap: Business Premium licenses already issued at the time you cross the ceiling keep working, but you cannot purchase new ones. Plan the swap before you’re forced into it during a hiring spike.

A1 is the entry Microsoft 365 Education SKU — web and mobile only, no installed desktop apps. It’s the right baseline for institutions that deliver classroom tooling through the browser.

What’s included:

• Office for the web (Word / Excel / PowerPoint / OneNote in the browser).
• Teams for Education with assignments, class teams, and meetings.
• SharePoint, OneDrive (capped storage), Forms, Sway, Stream.
• Basic Intune for Education, Entra ID P1 (faculty) or Entra ID Free (student).

A1 is free for qualifying students at validated academic institutions. Faculty A1 is paid (but inexpensive). Microsoft requires the institution itself to be validated as a Qualified Educational Institution — student-only purchases without institutional validation don’t qualify.

Eligibility matters. The Microsoft Product Terms define “Qualified Educational User” precisely (accredited educational institution, role of faculty / staff / student). Don’t assign A-series SKUs to administrative staff who don’t meet the definition — that’s a Product Terms violation and will be flagged at true-up.

Step up to A3 when faculty or students need installed Word / Excel / PowerPoint / Outlook desktop apps, full Exchange Online mailboxes, or full Microsoft Intune device management.

Step up to A5 when you need E5-tier security or compliance — Defender XDR, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Purview E5 (eDiscovery Premium, IRM, Audit Premium), or Entra ID P2 (PIM, Identity Protection).

Education-only add-ons layer on top of any A-tier SKU: Microsoft 365 Copilot for Education, Minecraft Education, Reading Coach, Reflect, Insights.

A3 is the academic equivalent of M365 E3. It’s the most common paid education baseline — once your institution needs installed Office on faculty / student laptops, full Exchange mailboxes, or real device management, you’re on A3.

What’s included:

• Installed Office desktop apps (Word, Excel, PowerPoint, OneNote, Outlook).
• Exchange Online (mailbox), Teams for Education, SharePoint, OneDrive.
• Microsoft Intune — full MDM / MAM for Windows / Mac / iOS / Android / ChromeOS-via-WAM.
• Entra ID P1 — Conditional Access, MFA enforcement, SSPR.
• Defender for Office 365 P1 — anti-phishing on email.
• AIP P1 — sensitivity labels.

Faculty A3 includes Power BI Pro; student A3 does not. That’s the main faculty / student SKU split at the A3 tier.

Eligibility still gates everything. A-series SKUs require an accredited educational institution and Microsoft Product Terms-eligible users (faculty / staff / student). Administrative staff who don’t meet the “Qualified Educational User” definition should be on commercial E3, not A3.

Step up to A5 when you need any of:

• Defender XDR / Defender for Endpoint / Defender for Identity / Defender for Cloud Apps for the institution’s security operations.
• Purview E5 features — eDiscovery Premium for legal holds, Insider Risk Management for academic-misconduct workflows, Audit (Premium) for long-retention audit log.
• Entra ID P2 — PIM for IT-admin accounts, Identity Protection for risk-based Conditional Access.

If only one of those is in scope and only for a subset of users (e.g. IT admins need PIM but the rest of the institution doesn’t), the standalone A5 Security or A5 Compliance add-on layered on A3 is cheaper than upgrading the whole population to A5.

Education-specific add-ons layer on top: Microsoft 365 Copilot for Education (where licensed), Minecraft Education, Reading Coach, Reflect, Insights.

A5 is the EDU mirror of E5 and earns its price the same way — through the combination of Entra ID P2, Defender for Endpoint P2, and the full Purview compliance stack. It is not a sensible default for the average school district.

A5 wins when the institution genuinely needs:

• PIM + Identity Protection for IT staff and faculty admins (Entra ID P2).
• Defender XDR P2 correlation across endpoint, identity, and cloud apps — not just Defender for Endpoint P1.
• eDiscovery Premium / Insider Risk / Communication Compliance for legal hold, behavior-of-concern monitoring, or Title-IX style investigations.
• Power BI Pro licensing handed out widely (each user, not by capacity).

Most schools should stay on A3 and selectively attach:

• Entra ID P2 to the privileged-admin cohort only.
• Defender for Endpoint P2 if you’re running EDR with full auto-investigation.
• The Purview E5 Compliance add-on if (and only if) legal/compliance formally needs the advanced eDiscovery workflow.

Faculty vs. student licensing: The A-series faculty SKU and A-student SKU are priced separately. Don’t accidentally buy A5 for every student when only the faculty cohort actually uses the advanced features.

Microsoft’s posture (Secure Future Initiative): Several A5 protections (Defender for Identity, Customer Lockbox, Customer Key) are tenant-wide and not scopeable. Per Microsoft’s Secure Future Initiative and Satya Nadella’s May 2024 SFI memo, “security protections are enabled and enforced by default, require no extra effort, and are not optional.” Microsoft Product Terms still require an A5-tier licence for every user (faculty or student) who benefits from those tenant-wide protections.

G1 is the entry US Government tier — equivalent to commercial M365 E1 (web/mobile only, no installed Office) in your chosen sovereign cloud.

What’s included:

• Exchange Online (50 GB), Teams for Government, SharePoint, OneDrive.
• Office for the web. No installed desktop apps (that’s G3 territory).
• Microsoft Stream for Government, basic compliance.

Sovereign-cloud feature parity is NOT 1:1 with commercial. Each cloud (GCC, GCC High, DoD, Microsoft 365 Air-Gapped) has its own service description. Copilot for Government, Defender XDR, Entra Suite, Verified ID, and Purview Premium features are at different rollout stages in each cloud. Verify against the cloud-specific service description before assuming a feature is available — feature names and dates that work in commercial may not work in GCC High.

The three commercial-equivalent tiers:

• G1 ≈ commercial E1 — web/mobile only.
• G3 ≈ commercial E3 — installed Office + Exchange + Intune + Entra ID P1 + Defender for Office P1.
• G5 ≈ commercial E5 — G3 + Defender XDR + Purview E5 + Entra ID P2.

Step up to G3 when users need installed desktop Office apps or device management.

Step up to G5 when you need E5-tier security or compliance in the same cloud.

Cross-cloud collaboration is restricted by design. B2B between commercial / GCC / GCC High / DoD tenants is heavily constrained. Plan partner-collaboration scenarios against the Microsoft 365 Government cross-cloud documentation before assuming a vendor or partner can be invited as a guest.

G3 is the sovereign-cloud equivalent of M365 E3 — the standard paid government baseline. It runs in GCC, GCC High, or DoD depending on your clearance and data-classification requirements.

What’s included:

• Installed Office desktop apps (Word, Excel, PowerPoint, Outlook).
• Exchange Online, Teams for Government, SharePoint, OneDrive.
• Microsoft Intune for Government — MDM / MAM.
• Entra ID P1 for Government — Conditional Access, MFA, SSPR.
• Defender for Office 365 P1.
• AIP P1 — sensitivity labels.

Verify Defender XDR / Copilot / Entra Suite availability in your specific cloud before promising features. Feature parity with commercial E3 is generally good for the core productivity stack, but advanced security and AI features land in GCC → GCC High → DoD on a staggered schedule (sometimes 6–18 months apart). Always check the service description for your cloud.

Step up to G5 when you need:

• Defender XDR (Defender for Endpoint / Identity / Cloud Apps / Office P2).
• Purview E5 features in-cloud.
• Entra ID P2 (PIM, Identity Protection).

Cross-cloud B2B is restricted. Inviting partners or vendors from commercial / GCC / GCC High / DoD tenants is heavily constrained — plan against the Microsoft 365 Government cross-cloud documentation before assuming guest access works the way it does in commercial.

G5 is the sovereign-cloud equivalent of M365 E5 — full security, compliance, and advanced identity in GCC, GCC High, or DoD.

What G5 adds over G3:

• Defender XDR suite — Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, Defender for Office 365 P2.
• Purview E5 — eDiscovery Premium, Audit (Premium), Insider Risk Management, Communication Compliance, IRM, Records Management.
• Entra ID P2 — Privileged Identity Management, Identity Protection, Access Reviews, Entitlement Management.
• Power BI Pro, advanced analytics, MyAnalytics.

Feature-by-feature parity with commercial E5 is NOT guaranteed. Each sovereign cloud (GCC / GCC High / DoD) has its own service description. Advanced AI features (Copilot, Security Copilot), Entra Suite (Internet Access / Private Access / Verified ID), and the newest Defender XDR capabilities land on staggered schedules — often 6–18 months behind commercial. Verify each feature in your cloud’s service description before designing a deployment around it.

When G5 is right:

• You need Defender XDR for SOC operations.
• Legal / records / IR teams need Purview E5 features in-cloud.
• IT admin accounts need PIM for just-in-time elevation.

When G3 + targeted add-ons is cheaper:

• Only one of Defender Suite, Purview E5, or Entra ID P2 is in scope.
• That feature is only needed for a small subset (e.g. SOC analysts get Defender for Endpoint P2 standalone; admins get Entra ID P2 standalone).
• Layer the standalone SKU on G3 for those users instead of moving the entire population to G5.

Microsoft 365 Air-Gapped Cloud (the new “IL6+” sovereign environment) is a separate licensing track. If you need IL6, you’re not buying off the standard G3 / G5 price list — engage Microsoft Federal directly.

Microsoft 365 Air-Gapped is the physically-isolated sovereign cloud built for classified workloads at the Top Secret / IL6 level. It is not an upgrade tier of G5 — it is a separately-architected cloud with intentionally limited feature parity, and procurement happens through Microsoft directly.

What’s different vs GCC / GCC High / DoD:

• The infrastructure is physically separated from all other Microsoft clouds, including DoD IL5. No shared backbone.
• Most premium features (Copilot, Defender XDR, Entra Suite, Verified ID, Purview Premium, Teams Premium) either lag significantly behind commercial / GCC High or are unavailable. Verify every SKU against the Air-Gapped product page before assuming it works.
• Cross-cloud collaboration to commercial / GCC / GCC High / DoD is heavily restricted by design — there is no general-purpose B2B story.

This SKU is not in standard price lists. Pricing, eligibility, and entitlements are negotiated directly with the Microsoft Federal Civilian (FedCiv) account team. Standard CSP partners do not provision Air-Gapped tenants. Engage Microsoft early — provisioning timelines are measured in months, not days.

When this is the right answer:

• The workload is classified at a level that mandates Top Secret / IL6 infrastructure.
• You have an authorization to operate (ATO) requirement that no other cloud can satisfy.
• Your account team has confirmed Microsoft’s intake process and target go-live for the tenant.

When this is NOT the right answer:

• Most “high security” Federal workloads land in GCC High or DoD IL5 (G5), not Air-Gapped. Don’t over-shoot — the feature gap is real and many workloads simply cannot run in Air-Gapped today.
• Commercial-sensitive but unclassified data (FOUO, CUI Basic) belongs in GCC or GCC High, not Air-Gapped.

Always verify: the Air-Gapped service description and the Microsoft 365 Government cross-cloud documentation. Treat any feature you saw demoed in commercial as unavailable until proven otherwise in this cloud.

For qualifying nonprofits at or below 300 seats, Business Premium is both the right Business-family SKU and the Microsoft for Nonprofits grant SKU. The first 10 seats are free as a grant; additional seats are priced at Nonprofit Staff Pricing (NSP) — heavily discounted from commercial.

What you get per seat:

• Installed Office desktop apps, Exchange Online, Teams, SharePoint, OneDrive.
• Microsoft Intune — full MDM / MAM.
• Entra ID P1 — Conditional Access, MFA, SSPR.
• Microsoft Defender for Business — EDR for endpoints.
• Defender for Office 365 P1 — anti-phishing on email.
• AIP P1 — sensitivity labels.

The grant math:

• First 10 seats: free as a grant.
• Seats 11–300: NSP rate per seat per month.
• Above 300 seats: hard cap — move to E3 / E5 at NSP for additional users (Business SKUs share a single 300-seat ceiling).

The grant has eligibility strings attached. Microsoft for Nonprofits requires:

• Active enrollment in Microsoft for Nonprofits.
• Annual re-validation (in the US, this is TechSoup; other markets use the equivalent local partner).
• Mission-aligned use — the SKU is for staff and volunteers delivering the nonprofit’s charitable mission, not for unrelated commercial activity.

Losing or skipping re-validation pulls the grant and drops you to commercial pricing on renewal.

Common add-ons NOT included in the grant (priced at NSP, billed separately):

• Microsoft 365 Copilot.
• Teams Phone.
• Defender for Business standalone uplifts.
• Power BI Pro / Power Platform premium.

Step up to E3 / E5 at NSP when you cross 300 seats or need enterprise-tier features (Defender XDR, Purview E5, Entra ID P2).

E3 at Nonprofit Staff Pricing is the enterprise-tier baseline for larger nonprofits. You land here when:

• You’re above the 300-seat hard cap that gates the Business family, or
• You expect to cross 300 seats within the term and want to start on the enterprise track instead of re-licensing later.

What’s included (same feature shape as commercial E3, at NSP rates):

• Installed Office desktop apps, Exchange Online Plan 2, Teams, SharePoint, OneDrive.
• Microsoft Intune — full MDM / MAM, no seat cap.
• Entra ID P1 — Conditional Access, MFA, SSPR.
• Defender for Office 365 P1 — anti-phishing on email.
• AIP P1 — sensitivity labels.

No 300-seat cap. This is the enterprise SKU. Buy as many as you need.

Eligibility & re-validation still apply. NSP rates require active Microsoft for Nonprofits enrollment, annual re-validation (TechSoup in the US), and mission-aligned use of the licenses. Volunteer accounts and mission-aligned contractor accounts are typically eligible; commercial / revenue-generating activity outside the charitable mission is not.

Add Microsoft 365 Copilot at NSP rates per user as needed — the Copilot add-on layers on E3 the same way it does in commercial.

Step up to E5 at NSP when you need any of:

• Defender XDR (Endpoint P2, Identity, Cloud Apps, Office P2).
• Purview E5 features (eDiscovery Premium, IRM, Audit Premium).
• Entra ID P2 (PIM, Identity Protection).

If only one of those is in scope for a small population, the standalone add-on at NSP (e.g. Entra ID P2 just for admins) is cheaper than upgrading everyone to E5.

E5 at Nonprofit Staff Pricing is the enterprise security and compliance tier for larger nonprofits. You land here when:

• You’re above the 300-seat Business cap, and
• At least one of Defender Suite, Purview E5, or Entra ID P2 is genuinely in scope.

What E5 adds over E3 (same feature shape as commercial E5):

• Defender XDR — Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, Defender for Office 365 P2.
• Purview E5 — eDiscovery Premium, Audit (Premium), Insider Risk Management, Communication Compliance, IRM, Records Management.
• Entra ID P2 — Privileged Identity Management, Identity Protection, Access Reviews, Entitlement Management.
• Power BI Pro, MyAnalytics.

NSP requires active Microsoft for Nonprofits enrollment and annual re-validation. Mission-aligned use is mandatory — the SKU is for staff and volunteers delivering the charitable mission. Commercial activity outside the mission is not eligible.

When standalone add-ons on E3 NSP are cheaper than full E5:

• Only one of the three E5 pillars (Defender / Purview / Entra ID P2) is in scope.
• That feature is needed for a small subset (e.g. SOC analysts get Defender for Endpoint P2; IT admins get Entra ID P2; legal team gets Purview E5).

When E5 NSP wins: when two or more of the three pillars are in scope for the bulk of the population, the bundle math works out — at that point buying the components separately costs more than E5.

Considering Copilot or the Frontier Suite?

• Microsoft 365 Copilot at NSP rates layers on E5 the same way it does in commercial.
• M365 E7 / Frontier Suite at NSP (when available) bundles E5 + Copilot
  • Entra Suite + Agent 365. If you’re already planning to add all of those, evaluate E7 NSP vs E5 NSP + standalone Copilot + standalone Entra Suite — usually E7 wins.

F1 is the floor of the frontline catalog: identity, Teams, SharePoint, and device management — but no per-user mailbox and no Office authoring.

You get:

• Entra ID (with the F1 frontline rights) so the worker has a real identity.
• Teams chat + channels (calling/meetings require add-ons or higher SKUs).
• SharePoint sites & basic file collaboration.
• Intune-managed shared devices.

You do not get:

• A personal mailbox. Frontline staff communicate via shared inboxes that cost a separate license, or via Teams only.
• Office authoring on web or desktop. Read-only of files in SharePoint / OneDrive viewers is fine; editing requires F3 or higher.
• Defender for Endpoint, Purview, or Entra ID P2 — those require F3 or an add-on stack.

F1 is the right answer when:

• The worker only checks schedules, fills out a Teams form, and reads policy documents.
• The device is shared and provisioned via Intune’s shared-device mode.
• Communication is via a shared mailbox + Teams channels, not personal email.

Don’t default-license everyone to F1 to save money. If the role regularly opens Word docs or runs spreadsheets, the lost productivity will eclipse the per-seat savings against F3 inside the first quarter.

F3 is the frontline plan with web/mobile Office, a real mailbox, and Intune device management — designed for shared shop-floor / store / field devices where a kiosk-only experience (F1) doesn’t cut it.

You get:

• Outlook + Office on the web and on iOS/Android (no Windows desktop apps).
• A 2 GB mailbox (versus F1’s no-mailbox / shared-inbox-only posture).
• Teams (full client functionality, not just channels).
• Intune + Entra ID P1 for shared-device sign-in patterns.
• Defender for Endpoint Plan 1 coverage.

Use F3 when frontline staff need any of:

• A genuine per-user mailbox (e.g. store managers, field techs reporting back to HQ).
• Authoring documents in Office Web during a shift.
• Teams meetings as a full participant (not just chat).

Stay on F1 when the role is genuinely kiosk/shared-device only — a shared inbox + Teams channels are enough, the user never opens Word/Excel/PowerPoint, and you don’t need device-targeted Intune profiles per user.

Mixed deployments are normal. It’s common to license store managers as F3 (or even E3 if they author heavily) while line staff stay on F1. Don’t over-license an entire frontline cohort because a handful of leads need more.

You landed here because you need basic B2B collaboration — invite guests from other Entra tenants, share Teams channels, give guests access to SharePoint sites — and you don’t need premium identity features (risk-based Conditional Access, Identity Protection, PIM for guests, Verified ID).

For that, the free MAU tier is enough for most tenants.

How External ID is billed:

• Pricing is per Monthly Active User (MAU) at the tenant level — not per seat.
• The first 50,000 MAU per tenant per month are free.
• An MAU is a unique external user who authenticates against your tenant in a given calendar month. A user who never signs in that month does not count.

What’s covered by the free tier:

• B2B Collaboration — invite external users from any Entra tenant (or email one-time-passcode flows) and grant them access to apps, Teams channels, SharePoint sites, etc.
• B2B Direct Connect — Teams shared channels with partner tenants without provisioning a guest object.
• Basic Conditional Access policies against external sign-ins (the CA policy capability is licensed via the inviting tenant’s identity SKU, not via External ID).

Guests don’t need their own M365 license to consume your content. The 2024 update to the Microsoft Product Terms “External Users” definition confirms this: guest users invited via B2B can read / edit content in Teams, SharePoint, etc. using the inviting tenant’s licensed resources, within the documented limits. No separate per-seat M365 assignment is required for the guest.

Step up to External ID P1 / P2 when you need risk-based Conditional Access, Identity Protection signals, or PIM workflows scoped to external users.

Step up to Verified ID when you need decentralized verifiable credentials (employment / partner attestation).

Switch to External ID for customers (CIAM) when the scenario is end-customer sign-up / sign-in for a consumer-facing app — that’s a separate product line, not B2B.

You landed here because you need premium identity features evaluated against external users — risk-based Conditional Access, Identity Protection signals, or PIM workflows scoped to guests. The free MAU tier doesn’t cover these; External ID P2 MAU does.

How premium MAU pricing works:

• Billed per Monthly Active User in scope of premium policy, not flat per tenant.
• A guest only counts as a premium MAU in months where a premium feature is evaluated against their sign-in (e.g. risk-based CA matched them).
• The free 50,000 MAU tier still applies to the underlying B2B collaboration — premium pricing is purely the uplift for the premium feature scope.

P1 vs P2 — pick what you actually need:

• External ID P1 — basic premium identity (risk-based CA without Identity Protection’s premium risk detections, basic protection features). Cheaper.
• External ID P2 — adds Identity Protection’s premium risk detections (leaked credentials, anonymous IP, atypical travel, etc.) and PIM workflows for guest identities.

You only pay P2 rates for guests actually in scope of a P2 policy. If only 200 of your 10,000 guests are evaluated by a risk-based CA policy in a given month, you pay P2 MAU for 200 — not 10,000. Conditional Access scoping discipline directly controls cost.

When the simpler answer wins:

• If you only need basic B2B collaboration, the free MAU tier is enough — don’t upgrade to P2.
• If guests need verifiable credentials (employment / partner attestation), layer Verified ID on top (separate per-credential billing meter).
• If the scenario is consumer sign-up / sign-in, use External ID for customers (CIAM) instead — separate product line.

Bundling note: if your tenant already licenses Microsoft Entra Suite per internal user (Internet Access + Private Access + Verified ID + Governance + ID Protection), that doesn’t replace External ID MAU for guests — Entra Suite licenses internal users, External ID MAU licenses external ones.

You landed here because you need to issue verifiable credentials — W3C-standard cryptographically-signed attestations that subjects hold in their own wallet and present to verifiers. Common scenarios: employment verification, partner attestation, education credentials, license verification.

How Verified ID is billed:

• Per verifiable credential issued — a separate billing meter from External ID MAU.
• Issuance is the chargeable event; verification (a relying party checking a credential the subject presents) is free.
• The credential lives in the subject’s wallet, not your tenant. You don’t pay ongoing storage costs per subject.

What Verified ID is good for:

• Issuing employment / role / department credentials that employees can present to third parties (e.g. discount programs, partner portals).
• Issuing partner-organization attestations (e.g. “this user works for ContosoPartnerCorp”) that a relying party can verify cryptographically.
• Replacing fragile email-based verification flows with cryptographic attestation.

Verified ID is not a replacement for B2B guest collaboration. It’s an attestation channel. If those same external users also need to access Teams / SharePoint / apps in your tenant, you still need External ID (free MAU, or P1/P2 for premium features). The two stack.

When Entra Suite changes the math:

If you’re scaling Verified ID across many internal user populations, evaluate whether Microsoft Entra Suite is cheaper than buying Verified ID + Internet Access + Private Access + Governance + ID Protection separately. Entra Suite bundles Verified ID into the per-internal-user license — at scale, the bundle usually wins.

External user populations still use the External ID MAU model even when internal users are on Entra Suite.

You landed here because the scenario is a customer-facing application — end consumers signing up for your product, signing in with email or a social identity provider (Google, Facebook, Apple, Microsoft Account), managing their own profile and password. This is CIAM: Customer Identity and Access Management.

This is NOT B2B. B2B = your business inviting partner / vendor employees from other Entra tenants. CIAM = end consumers, often unauthenticated until they hit your sign-up flow.

What External ID for customers includes:

• Custom-branded sign-up and sign-in pages with your logo, colors, and copy.
• Social identity providers out of the box (Google, Facebook, Apple, Microsoft Account) plus generic OIDC for federation with other IdPs.
• Self-service password reset, profile editing, account linking.
• User-attribute collection at sign-up (custom claims, marketing consent, etc.).
• Conditional Access evaluated against customer sign-ins.

How it’s billed:

• Separate MAU billing meter from B2B External ID — see the External ID pricing page for current CIAM rates.
• A customer counts as MAU only in months where they authenticate.

Don’t mix B2B partners and CIAM customers in the same tenant “External Users” mental model. They’re separately licensed and separately tracked. Partner employees invited via B2B count against the B2B MAU meter; consumer customers signing up via CIAM count against the CIAM MAU meter. Many apps need both — that’s fine, just budget for both meters.

This replaces Azure AD B2C for new tenants. Existing Azure AD B2C tenants continue to operate, but new CIAM workloads should land on Entra External ID for customers — it’s the forward-investment product line.

If you also need to issue verifiable credentials to customers (e.g. a “verified buyer” credential), layer Verified ID on top — that’s a separate per-credential billing meter.