.png){kind=logo}
Clients are often unaware of Microsoft security features outside Microsoft 365 E5. This post intends to help educate clients on the advanced investments Microsoft has made outside E5 for security, compliance, identity, and device management.
Author: Nathan Berger Security Practice Lead @ Cyclotron
Our clients often think that Microsoft 365 E5 includes the entirety of Microsoft security products. Although E5 is an incredibly well-featured suite (detailed here), Microsoft offers many other security tools as well.
Microsoft 365 E5 does not include the products in the list below. These products dramatically expand customer’s security architecture to consolidate existing tools or plug security gaps.
This list is not comprehensive; minor security features or on-premises products are likely omitted. We find the below items are the most requested by E5 customers.
Microsoft Security Tools Beyond E5
Threat Protection
Microsoft Copilot for Security - Empowers security admins and operators with generative AI experiences to investigate threats, inventories, and much more. Copilot for Security queries and interprets data in Sentinel, Defender, Purview, Intune, Entra & third-party tools.
Pricing: Consumption-based (time spent on queries - $x per hour)
Release: GA availability April 1st, 2024
Does Cyclotron help deploy this? Yes! We offer a 6–8-week deployment engagement involving setup, training, and operationalization.
Learn more: Microsoft Copilot for Security: General Availability details
Microsoft Defender for Cloud – Microsoft’s Cloud-Native Application Protection Platform (CNAPP), intended to secure cloud workloads across Azure, AWS, GCP, and on-premises. It covers DevSecOps workloads and serves as both a Cloud Security Posture Management (CSPM) tool and a Cloud Workload Protection Platform (CWPP) for many platforms.
Pricing: Per-asset per-month or consumption-based, depending on the workload. Exact pricing here, and better explained here.
Release: Available now.
Does Cyclotron help deploy this? Yes! We offer a 4-week implementation of Defender for Cloud across your entire cloud & infrastructure estate, including setup, deployment, training & operationalization.
Learn more: What is Microsoft Defender for Cloud?
Microsoft Defender Exposure Management – provides comprehensive attack surface visibility across many types of assets, attack path analysis, exposure mitigation steps, asset classification, and features to help communicate risk & mitigation value to business leaders to drive change.
Pricing: TBD.
Release: TBD. Entered free public preview in March 2024.
Does Cyclotron help deploy this? Not yet – it’s too new, still being developed. Once it reaches Public Preview, we’ll have a deployment framework for it.
Learn more: Introducing Microsoft Security Exposure Management
Microsoft Defender External Attack Surface Management – Examine your attack surface from an outsider’s perspective, exposing vulnerabilities on public-facing assets like domains, webpages, IP addresses, and more. It’s unique because it exposes public assets that other Defender tools don’t protect.
Pricing: Per-asset, per-day, shown here.
Release: Available now.
Does Cyclotron help deploy this? Yes! It’s a 2-week setup & operational training exercise.
Learn more: Defender EASM Overview
Microsoft Defender for Servers (MDS) - EDR protection for Windows Server and Linux, integrated with the unified Security portal.
Don’t I already own this in E5? No. A common misconception is that E5 includes Server coverage – that’s not true.
What’s the difference between MDS P1 and P2? All details here. In brief, MDS P1 = the MDE P2 capabilities in M365 E5 for your user endpoints. MDS P2 includes the full protection feature set for servers, including the vulnerability management add-on, security baseline assessment, just-in-time access for Azure machines, agentless scanning, and much more.
Pricing: Per-server, per-month, shown here. Because server counts vary wildly per org, Microsoft doesn’t include this in E5’s user-based pricing.
Release: Available now.
Does Cyclotron help deploy this? Yes! It’s one of our most frequent Defender deployments. We can deploy this very quickly (within 4 weeks), though we recommend 8-12 weeks for a comprehensive deployment.
Learn more: Common questions - Defender for Servers
Microsoft Defender Threat Intelligence – a massive threat intelligence library that helps Security Operators and Security Admins better hunt and respond to threats, both as a standalone product and a library that extends other security tools.
Don’t I already own this in E5? No. Defender has its own built-in threat intelligence with functions like Threat Analytics, but it pales in comparison to the vast library and feature set of Defender TI. This used to be part of RiskIQ until acquired by Microsoft.
Pricing: Per-user, per-month (only your security personnel need this license)
Release: Available now
Does Cyclotron help deploy this? No, Cyclotron doesn’t provide professional services for this, as it’s mostly operational enablement.
Learn more: What is Microsoft Defender Threat Intelligence (Defender TI)?
Microsoft Defender for IoT – protects IoT devices with network device discovery, vulnerability assessment, and threat protection.
Pricing: Per-device, per-month. Details here.
Release: Available now
Does Cyclotron help deploy this? Yes, Cyclotron provides an 8-week deployment for Defender for IoT enablement, including design, setup, training, and operationalization.
Learn more: Overview - Microsoft Defender for IoT for organizations
Microsoft Defender Vulnerability Management - A comprehensive vulnerability management solution, including automated blocking & remediation, security baseline assessment, intelligent risk-based prioritization, network scans, and more.
Don’t I already own this in E5? Sort of. E5 includes the “Core” version. See the differences here.
Pricing: Per-user, per-month
Release: Available now.
Does Cyclotron help deploy this? Yes! We help E3 & E5 orgs with setup, deployment, training & operationalization, including replacement of third-party tools.
Learn more: Microsoft Defender Vulnerability Management
Microsoft Sentinel – A comprehensive, scalable, cloud-native SIEM & SOAR solution. Sentinel has tons of features packed-in, a massive library of third-party tool integrations, native Microsoft integrations for Defender, Purview, M365, and many more features. Many Defender customers ask if they need Sentinel – there’s a very small overlap in capabilities between Sentinel & Defender XDR, but every client benefits from Sentinel’s robust extensibility to non-Microsoft solutions and its unique SIEM/SOAR features.
Don’t I already own this in E5? E5 customers get a discount on Sentinel.
Does Cyclotron help deploy this? Yes! We offer a 6-week implementation of Sentinel including price estimation assessment, data connector setup, report creation, training & operationalization.
Pricing: Consumption-based
Release: Available now.
Learn more: What is Microsoft Sentinel?
Other notable threat protection mentions include Microsoft's Expert services, which provide Microsoft personnel for SOC augmentation.
Compliance
Microsoft Purview Governance Portal, also known as Microsoft Purview in Azure. The best move to increase the value of your Purview implementation is to extend it to your cloud infrastructure (Azure, AWS, GCP, more), and on-premises infrastructure.
Modules include:
Data Map – create data lineage relationships, scanning and classification across your infrastructure estate.
Data Catalog – enable users to search and explore infrastructure using business terms, classifications, and relationships.
Data Estate Insights – examine executive-level reports on overall sensitive data flows and governance gaps and resolve them within the product.
Data Sharing – configure secure external sharing and revocation of governed data with external business partners.
Data Policy – configure access policies for internal users to governed data based on conditions and rules.
Release: Available now
Pricing: Consumption-based, mostly charged on automatic scans from data connectors.
Does Cyclotron help deploy this? Yes! We provide design, configuration and setup for all 5 Purview Governance solutions, helping your admins define or extend classification taxonomy, design & connect data sources, train & operationalize the solution.
Learn more: Introduction to Microsoft Purview governance solutions
Microsoft Priva Subject Rights Requests – enables automatic workflows for data subject rights requests (DSRs) for management at scale, with extensible integration across third-party tools and Microsoft 365.
Pricing: Quantity-based
Release: Available now
Does Cyclotron help deploy this? Yes, we can provide training & operationalization for this. There’s not much to configure, as it’s largely a built-in, guided experience in Priva.
Learn more: Learn about Priva Subject Rights Requests
Microsoft Priva Privacy Risk Management – protect and reduce personal data in your Microsoft 365 tenant with automatic PII detection, overexposure remediation, reduction recommendations and communication templates to guide end-users through reducing personal data on corporate platforms.
Pricing: Per-user, per-month
Release: Available now
Does Cyclotron help deploy this? Yes, we can provide training & operationalization for this in a 2-week engagement. Our configuration guidance focuses on the remediation activities recommended in the platform, and practical strategies between Purview & Priva to address Priva’s PII recommendations.
Learn more: Priva Privacy Risk Management policies
Microsoft Purview IRM Forensic Evidence – An add-on for Insider Risk Management that enables screen recording of insider risk activities based on customizable triggers while maintaining significant user privacy protection with pseudonymization, content blocking, and approval processes.
Pricing: Consumption-based. Talk to your account team, as public information is scarce. Some VARs have the add-on license listed for a committed 100GB over a period, so expect a similar type of model.
Release: Available now
Does Cyclotron help deploy this? Yes, as part of our Purview deployments.
Learn more: Learn about insider risk management forensic evidence
Microsoft Compliance Manager templates – reduce effort and improve compliance efforts with automated assessments & recommended remediations for your specific compliance templates, across Microsoft 365, Azure, GitHub and connected third-party apps.
Don’t I already own this in E5? Yes, in small quantity. E5 customers get 3 templates of their choice, plus the Microsoft Data Protection baseline. Each following template will require another license.
Pricing: Quantity-based/per-template, per-month. See here.
Release: Available now
Does Cyclotron help deploy this? Yes, as part of our Purview deployments.
Learn more: Microsoft Purview Compliance Manager
Others notable Compliance mentions include Microsoft 365 Backup, Microsoft 365 Archive (preview), Microsoft 365 Multi-Geo, and the Compliance Program for Microsoft Cloud.
Identity
Microsoft Entra Identity Governance – Integrated with core Entra capabilities, Identity Governance automates identity workflows such as joiner/mover/leaver workflows, access packages, access reviews, and privileged access.
Don’t I already own this in E5? Yes, partially. It’s complicated, but this breakdown chart explains it best. In brief, basic capabilities are in E5, and advanced capabilities/extensibility to third-party solutions. are available only in the add-on.
Pricing: Per-user, per-month. See Microsoft Entra Identity Governance
Release: Available now
Does Cyclotron help deploy this? Yes! We help organizations design, configure and deploy Identity Governance solutions over an 8-week implementation.
Learn more: Microsoft Entra ID Governance
Microsoft Entra Private Access – This is one of the most exciting capabilities coming to Entra. Private Access is one facet of Microsoft’s Secure Access Service Edge (SASE) solution, providing direct access to on-premises applications, IPs and FQDNs with traffic tunneled to the app rather than reliance on VPN. This enables Conditional Access with the same rules across cloud apps and on-premises apps, addressing a major gap in most clients’ zero-trust security strategy. Best of all, unlike other solutions on the market, these access requests never leave Entra – meaning increased reliability and native Conditional Access features are already built-in.
Price: TBD
Release: Public Preview
Does Cyclotron help deploy this? Yes – Cyclotron helps with PoC’s today (as it’s in public preview), and will offer full deployments once the tool is GA.
Learn more: Learn about Microsoft Entra Private Access
Microsoft Entra Internet Access – Another very exciting solution, with even more features than Private Access: Using the same client, Internet Access provides public web protections including IP & domain blocking, blocking access from your devices to other Microsoft 365 tenants, improves precision of risk assessments, prevents stolen Entra tokens, and more. It’s a huge set of features within the unified client.
Price: TBD
Release: Public Preview
Does Cyclotron help deploy this? Yes – Cyclotron helps with PoC’s today (as it’s in public preview), and will offer full deployments once the tool is GA.
Learn more: Learn about Microsoft Entra Internet Access and especially the key features list here.
Microsoft Entra Workload ID – Extends Conditional Access policies (sign-in rules based on IP address, application, groups) to service principals, further protecting your organizations assets from malicious use.
Don’t I already own this in E5? No – M365 E3 & E5 include Conditional Access for your end-users, but not for workload identities (as that quantity can vary wildly between orgs). The separate license is needed.
Price: Per-workload-identity, per-month, detailed here.
Release: Available now
Does Cyclotron help deploy this? Yes, as part of our Entra projects.
Learn more: Microsoft Entra Conditional Access for workload identities
Microsoft Entra Verified ID – Microsoft’s Entra integration with decentralized identity standards to provide user-privacy-oriented authentication from your consumers to your consumer-facing resources.
Price: Free (as of March 2024) – details here.
Release: Available now
Does Cyclotron help deploy this? No, we don’t offer this. Verified ID bridges into custom development work with consumer-facing applications, which is a specific skillset we don’t offer today.
Learn more: Introduction to Microsoft Entra Verified ID
Microsoft Entra Permissions Management – Assesses infrastructure (AWS, Azure, GCP) for permissions overexposure and creep, automating removal of permissions based on usage rates to reduce the overall attack surface on cloud infrastructure from your accounts.
Price: Per-resource, per-month, detailed here.
Release: Available now
Does Cyclotron help deploy this? Yes, we can help with a 2-week training & operationalization to kickstart use.
Learn more: What's Microsoft Entra Permissions Management?
Microsoft Entra Domain Services – Let Microsoft manage your domain controllers for you. Entra Domain Services reverses the standard hybrid architecture: Your Entra instance becomes the Source of Authority for on-premises users and authentication (many customers ask for this). Entra Domain Services provides scalable, high-availability, locked-down DCs managed by Microsoft so your organization can lift-and-shift applications and resources to the cloud without the management burden of on-premises Active Directory.
Price: Per-domain, per month. Details here.
Release: Available now
Does Cyclotron help deploy this? Yes! It’s common to use Entra Domain Services with our cloud-native projects; our Azure team and Security teams work in tandem to help deploy this & shift apps to the cloud.
Learn more: Overview of Microsoft Entra Domain Services
Other solutions not mentioned here include licenses for extra Entra External Identities beyond the included 50,000, including B2B and B2C.
Device Management
Intune Suite – a litany of device management features on top of standard Intune capabilities, providing native integration which displace several common third-party products for device management.
Intune Suite includes the following services:
Remote Help – Remote screensharing tool for helpdesk, with lots of helpful admin features like escalation, approval, and native Entra sign-in.
Endpoint Privilege Management – Local admin escalation for end-users, both policy-based and approval-based.
Enterprise App Management (Public Preview) – Microsoft provides and updates app binaries to your Intune console for common apps. (#1 most requested Intune capability from our customers)
Cloud PKI (Public Preview) – Certificate infrastructure as a cloud service, managed by Microsoft.
Advanced Endpoint Analytics – Extra device reporting features including anomaly detection, device inventory queries, battery health metrics, scoped reporting, and custom device scopes for reporting.
Microsoft Tunnel – Expands VPN access for individual app connections on iOS/iPadOS and Android.
Specialty Devices – Adds capability to enroll VR/AR headsets, Teams Room Devices & Surface Hubs to Intune.
Price: Per-user, per-month. Details here. In brief, Intune P1 is the standard Intune that comes with M365 E3 or E5; Intune P2 is a subset of the above capabilities; Intune Suite is the full set of capabilities.
Release: Marked above as preview; all other items are GA.
Does Cyclotron help deploy this? Yes! Cyclotron helps configure any or all the Intune Suite capabilities to support client operations and replace third-party tools.
Learn more: Use Intune Suite add-on capabilities
Intune Device-only license – enables user-less device management scenarios where your existing user-based M365 licensing wouldn’t apply. This doesn’t replace per-user licensing; it just enables user-less device management scenarios.
Price: Per-device, per-month. Talk to your Microsoft rep, as public details are scarce.
Release: Available now
Does Cyclotron help deploy this? Yes, as part of our Intune deployments.
Learn more: Licenses available for Microsoft Intune
Microsoft Universal Print: Cloud-based print solution native in Microsoft 365, with support for both Windows print servers and native third-party printers.
Price: Detailed here. Both per-user, per-month and quantity-based. Most customers will only pay outright when reaching their pooled print job count for the month.
Release: Available now.
Don’t I already own this in E5? Yes, in E3 and E5. As linked above, M365 E3 and E5 include 100 print jobs per-user. For additional print jobs, they can be purchased in bulk.
Does Cyclotron help deploy this? No, we don’t offer Universal Print enablement today, but we likely will soon.
Learn more: What is Universal Print?
Frequently asked questions
Are you saying all the products that list aren’t included in E5?
Yes! Mostly. Sometimes parts of these products included in E5, but as add-ons. Most of these features have a free trial period, so you can try them without commitment.
This feels cheap. We own E5 - shouldn’t we get everything Microsoft offers?
No, and you’d dislike that. Here’s why:
If these were included in E5, Microsoft would have to raise the E5 price every year for new product development effort, which they are choosing not to force on you. This way, you pay for only the features you want to add.
Microsoft is still investing in new E5 features, which you frequently receive.
Some features are consumption-based rather than user-based, so they wouldn’t fit into E5’s user-based pricing.
Some features are intended for very specific use cases and wouldn’t be appropriate to bundle.
How do I buy these?
For enterprises: Talk your Microsoft rep. They can provide pricing.
For smaller customers: Shop from your VAR’s store or look in the M365 Admin Center under the Purchase Licenses option.
You didn’t provide exact dollar pricing. Where’s the price?
Links are provided to Microsoft pricing pages when available. Pricing can get complicated when looking at over 30 different tools, but the differences are appropriate. Across the list, you’ll see the following price models:
Per-user, per-month (PUPM): These products are a paid add-on, just like your existing M365 licenses. This is because Microsoft engineering had a great idea to improve an E5 product, but the development cycle was too costly to not charge for it - so instead of raising the price of E5, they made it an optional add-on. Sometimes, basic features are included in E3 or E5, but a paid add-on improves these capabilities. A trial version is usually available for 30-90 days.
Per-[object], per-month or Quantity-based pricing: You get the full product for a limited quantity of use cases/objects depending on how many you need to purchase. This is because Microsoft wanted to create a new product, but it wouldn’t fit as a per-user subscription. Sometimes, Microsoft includes a free quantity of licenses inside E5 to make it easier to try (such as 3 included Compliance Manager templates of your choice).
Data-ingestion-based pricing: You pay based on how much data you send into the tool for security analysis. Sentinel’s core SIEM functions are a great example of this, being priced per-GB.
Consumption-based licensing: This tool charges based on the amount of time a user spends using the service, or how many workflows are run. Sentinel’s core SOAR functions, Copilot for Security, and Priva Subject Rights Requests are great examples of this.
Want to talk to Cyclotron about implementing these tools? We have many years of experience helping clients deploy the E5 stack and add-ons. Reach out to nathan.berger@cyclotron.com to discuss a free Zero-Trust Assessment for your security requirements, vision, and strategy.
This list was last updated March 2024. Expect this blog to be updated with more products and services over time.