Microsoft SPE: E3 or E5?

When it comes to deciding which Secure Productive Enterprise* (SPE) license fits your organisation best, there’s a lot of information to process. As you will be able to tell if you’ve read our guide to Secure Productive Enterprise licensing, SPE contains a lot of technology.

Here we’ll make it easier for you to confidently make a decision between the available licenses: E5 and E3. We’ll be taking a closer look at each of the core elements in SPE – Windows 10, Office 365, and Enterprise Mobility + Security – focusing specifically on what additional capabilities an E5 license can offer your business.


Windows 10 Enterprise

Anti-malware/virus is no longer enough on its own. All organisations are encouraged to adopt an “assume breach” attitude to security. A recent survey showed that 46% of compromised endpoints had no malware on them (Mandiant M-Trends Report, 2017), and attackers are just as likely to use an array of more advanced methods to compromise an endpoint: social engineering, direct hacking and inside knowledge, to name just a popular few.

Windows 10 E5 adds a new service – Windows Defender Advanced Threat Protection (WDATP) – that helps organisations to detect, investigate and react to advanced attacks on their networks and endpoints. Your organisation’s threat risk is well presented in a simple-to-use portal/dashboard, with a rich attack timeline for investigation that enables you to prioritise actions and remediate.

With WDATP, Microsoft has added a post-breach layer to the extensive Windows 10 security stack that is already available in E3, across device protection, identity protection, information protection and threat resistance.


Office 365 – Advanced Security

Office 365 E5 is a suite offering that includes features across three categories of investment:

  • Real-time communications (Skype for Business)
  • Analytics (Power BI)
  • Advanced Security

A recently-published UK survey has revealed that the use of fake or compromised email accounts (via a practice known as phishing or whaling) to steal information increased by 39% in the last three months of 2016 (Warren Ashford, Computer Weekly).

Microsoft has a comprehensive set of security technologies built-in to Office 365, which help mitigate against these and many other sophisticated threats.

Advanced Threat Protection

Office 365 ATP provides Safe Attachments and Safe Links by protecting against both known and unknown malware and viruses, providing a cleaner user inbox and better zero-day protection to safeguard your organisation.

All relevant threat information is presented through a clean and clear dashboard, which allows you to see who in your organisation is being targeted and the category of attacks you are facing.

A screenshot of Advanced Threat Protection, one of many technologies offered in Microsoft's Secure Productive Enterprise suite.

Take a look at our recent blog post for more information on Advanced Threat Protection.

Customer Lockbox

Many organisations want to understand whether your data is truly isolated and define exactly who has access to it (including Microsoft) and for how long. Customer Lockbox provides you with explicit control in the very rare instances when a Microsoft engineer may need access to your organisation’s content (e.g. to resolve a support issue).

Advanced Security Management

Advanced Security Management provides threat detection and enhanced visibility into your organisation’s Office 365 usage and shadow IT, so that you can take the appropriate action when there is suspicious activity on your Office 365 tenant and before your environment has been breached.

Advanced eDiscovery

Advanced eDiscovery adds machine learning and text analytics to strengthen the eDiscovery capabilities in E3. It accelerates the sorting of vast quantities of information, helping you to quickly identify relevant data while decreasing cost and risk.


Enterprise mobility + security (EMS) 

To call EMS E5 the “advanced security workloads” is doing EMS E3 a slight disservice. There are many great security technologies in E3, particularly Advanced Threat Analytics (ATA). For an overview  and demo of ATA you can view our on-demand webinar.

Here we will focus on  the extended security technologies in EMS E5.

Cloud App Security (CAS)

CAS gives you visibility and control of shadow IT in your organisation. It can provide you with the ability to set policies (out-of-the-box or custom) that control data sharing and data loss prevention across over 13,000 Microsoft and third-party SaaS apps.

The in-built machine-based learning helps to identify high-risk usage and abnormal user behaviour, which are automatically surfaced through the threat dashboard to help you understand when you need to respond and stop a threat in its tracks.

A screenshot of the discovery dashboard in Cloud App Security, one of many technologies offered in Microsoft's Secure Productive Enterprise suite.

View our online CAS demos, which look closely at discovering the prevalence of unauthorised software usage (Discovery) and presenting useful information on users shown to have accessed your cloud-based applications without permission (Investigate).

Azure Information Protection (AIP) P2

AIP extends the rights management function available in E3 to include automatic data/document classification and labelling. This means you now have the ability to set policies for each new document created, which will enforce or suggest its level of classification, as opposed to relying on users to self-classify each document accurately.

This ensures that you have greater control over your data and information; where it goes and who can open, forward, print and save it. You can also track each document in a portal and revoke access at any time.

Azure Active Directory Premium (AADP) P2

AADP includes all the capabilities in Azure AD Premium P1 (EMS E3) and adds Identity Protection and Privileged Identity Management.

Azure AD Identity Protection

Azure AD Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities.

Using this data, Identity Protection generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions to keep your organisation and data safe.

Azure AD Privileged Identity Management

Azure AD Privileged Identity Management helps you define, manage and protect defined “privileged” accounts, so you can discover, restrict and monitor administrators and their access to resources, and provide just-in-time access when needed. This minimises the risk of a security breach if – or when – those identities become compromised.



Microsoft’s Secure Productive Enterprise (SPE) goes a long way to supporting organisations through the journey of delivering a modern, productive workforce experience, while ensuring data is protected from the latest cyber security threats that continue to proliferate and increase in sophistication.

We have merely revealed the tip of the iceberg when it comes to the variety and breadth of technology available in SPE. We have focused heavily on the security aspects of SPE E5 and highlighted the components that help organisations protect themselves from the latest cyber security threats, as well as detect and react to a successful breach.

In an “assume breach” world, we all need to think differently about the level of security and protection we need, to safeguard our information and data, whilst ensuring that all employees continue to have a simple, seamless and highly productive experience.

The security technology now available in both E3 and E5 variants is extensive and growing, and the per user subscription model (allows user access on up to 5 devices) has made SPE a straightforward, cost-effective and extremely compelling offering.

If you are keen to evaluate where your organisation is on this journey to delivering a modern productive workforce, why not complete our Secure Digital Transformation Assessment? It takes just 90 seconds, and you’ll receive a tailored report with recommended actions and best practices to consider.

For an all-in-one overview of which technologies are included in the different available SPE licenses, download our snapshot licensing guide.

*Please note: Secure Productive Enterprise was renamed Microsoft 365 in July 2017.