Cloud & Infrastructure
Microsoft 365 E5 Security: What You're Actually Paying For
12 November 2025 · 0x1m3 · 6 min read
<div style="display: flex; flex-wrap: wrap; gap: 20px; margin: 24px 0;"> <div style="flex: 1; min-width: 200px; background: #F5F5F5; border-left: 4px solid #2E5090; padding: 20px; border-radius: 4px;"> <div style="font-size: 32px; font-weight: 700; color: #1B2A4A; animation: fadeInUp 0.6s ease-out;">4</div> <div style="font-size: 14px; color: #4A7AB5; margin-top: 4px;">Defender products included in E5</div> </div> <div style="flex: 1; min-width: 200px; background: #F5F5F5; border-left: 4px solid #2E5090; padding: 20px; border-radius: 4px;"> <div style="font-size: 32px; font-weight: 700; color: #1B2A4A; animation: fadeInUp 0.6s ease-out 0.2s; animation-fill-mode: both;">400</div> <div style="font-size: 14px; color: #4A7AB5; margin-top: 4px;">Security Copilot Units (SCUs) per 1,000 users</div> </div> <div style="flex: 1; min-width: 200px; background: #F5F5F5; border-left: 4px solid #2E5090; padding: 20px; border-radius: 4px;"> <div style="font-size: 32px; font-weight: 700; color: #1B2A4A; animation: fadeInUp 0.6s ease-out 0.4s; animation-fill-mode: both;">E7</div> <div style="font-size: 14px; color: #4A7AB5; margin-top: 4px;">Frontier Suite arriving May 2026</div> </div> </div>
<style> @keyframes fadeInUp { from { opacity: 0; transform: translateY(20px); } to { opacity: 1; transform: translateY(0); } } </style>
Microsoft 365 E5 is the most comprehensive productivity and security licence Microsoft offers. It is also one of the most underutilised. Many organisations pay for E5 but only configure the basics — email, Teams, and SharePoint — leaving powerful security tools switched off.
Here is what your E5 licence actually includes, and why every component matters.
---
The Defender Suite: Four Products, One Platform
E5's core security value comes from Microsoft Defender — not one product, but a family of four that work together across your entire environment.
Defender for Endpoint Plan 2
This is endpoint detection and response (EDR) for every device in your organisation. It goes well beyond traditional antivirus.
- Threat detection using behavioural analysis and machine learning - Automated investigation and remediation — the system resolves alerts without analyst intervention - Attack surface reduction rules that block common exploit techniques - Threat and vulnerability management to identify unpatched weaknesses before attackers do
E3 includes Defender for Endpoint Plan 1 (basic protection). E5 adds the full EDR capability.
Defender for Office 365 Plan 2
Email remains the primary attack vector for South African businesses. Defender for Office 365 P2 protects against phishing, business email compromise (BEC), and malicious attachments.
- Safe Attachments — detonates attachments in a sandbox before delivery - Safe Links — rewrites URLs and checks them at time of click - Automated investigation for reported phishing emails - Attack simulation training to test employee awareness
Note: E3 now includes enhanced email security from Defender for Office 365 Plan 1. E5 adds the investigation, simulation, and advanced hunting capabilities.
Defender for Identity
This product monitors your Active Directory (AD) environment — both on-premises and hybrid — for identity-based attacks.
- Detects lateral movement, pass-the-hash, and credential theft - Identifies compromised accounts and suspicious sign-in behaviour - Maps attack paths that adversaries could exploit - Integrates directly with Microsoft Entra ID (formerly Azure AD)
Identity attacks are the most common entry point in modern breaches. This product closes that gap.
Defender for Cloud Apps
Formerly Microsoft Cloud App Security (MCAS), this is your Cloud Access Security Broker (CASB).
- Discovers shadow IT — unsanctioned cloud applications your users access - Applies session controls and conditional access to cloud apps - Monitors data movement across SaaS platforms - Provides governance policies for sensitive information
---
<div style="display: flex; flex-wrap: wrap; gap: 20px; margin: 24px 0;"> <div style="flex: 1; min-width: 200px; background: #F5F5F5; border-left: 4px solid #2E5090; padding: 20px; border-radius: 4px;"> <div style="font-size: 32px; font-weight: 700; color: #1B2A4A; animation: fadeInUp 0.6s ease-out;">P2</div> <div style="font-size: 14px; color: #4A7AB5; margin-top: 4px;">Endpoint + Office 365 — full EDR and email investigation</div> </div> <div style="flex: 1; min-width: 200px; background: #F5F5F5; border-left: 4px solid #2E5090; padding: 20px; border-radius: 4px;"> <div style="font-size: 32px; font-weight: 700; color: #1B2A4A; animation: fadeInUp 0.6s ease-out 0.2s; animation-fill-mode: both;">CASB</div> <div style="font-size: 14px; color: #4A7AB5; margin-top: 4px;">Cloud Apps — shadow IT discovery and governance</div> </div> <div style="flex: 1; min-width: 200px; background: #F5F5F5; border-left: 4px solid #2E5090; padding: 20px; border-radius: 4px;"> <div style="font-size: 32px; font-weight: 700; color: #1B2A4A; animation: fadeInUp 0.6s ease-out 0.4s; animation-fill-mode: both;">AD</div> <div style="font-size: 14px; color: #4A7AB5; margin-top: 4px;">Identity — lateral movement and credential theft detection</div> </div> </div>
Security Copilot: AI-Assisted Threat Response
E5 licences now include Security Copilot at a rate of 400 Security Compute Units (SCUs) per 1,000 users. Security Copilot uses generative AI to assist security analysts with:
- Summarising incidents in natural language - Generating KQL queries for advanced hunting - Correlating alerts across Defender products - Accelerating investigation time from hours to minutes
This is not a replacement for your security team. It is a force multiplier that makes existing analysts faster and more effective.
E3 vs E5: What You Gain
| Capability | E3 | E5 |
|---|---|---|
| Defender for Endpoint | Plan 1 | Plan 2 (full EDR) |
| Defender for Office 365 | Plan 1 | Plan 2 (investigation + simulation) |
| Defender for Identity | No | Yes |
| Defender for Cloud Apps | No | Yes |
| Security Copilot | No | 400 SCUs / 1,000 users |
| Microsoft Sentinel discount | No | Yes |
| Audio Conferencing | No | Yes |
| Phone System | No | Yes |
The security gap between E3 and E5 is significant. E3 provides baseline protection. E5 provides detection, investigation, and response — the capabilities that matter when an attacker is already inside your network.
What Is Coming: M365 E7 Frontier Suite
Microsoft has announced the M365 E7 Frontier Suite, expected to reach general availability in May 2026. This new tier bundles:
- Everything in E5 - Microsoft Copilot (the full AI productivity assistant) - Agent 365 (autonomous AI agents for business workflows)
For organisations already on E5 and evaluating Copilot, E7 will simplify licensing. OAS is tracking this release closely and can advise on upgrade timing.
The Problem Is Not the Licence — It Is the Configuration
Most E5 deployments fail to deliver full value because the security features require careful configuration. Default settings leave gaps. Policies need tuning. Integration between Defender products must be deliberate.
This is where OAS makes the difference. We configure every Defender component, tune policies to your environment, and ensure the full security stack works as an integrated whole.
E5 security is powerful — but only when properly deployed. OAS configures every Defender component.