The Difference Between E3 and E5 Office365 Features

Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and...
Michael Buckbee
3 min read
Last updated November 3, 2021

Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and Office 365 products.

If you’re an enterprise that is concerned about data breaches, ransomware or insider threats, it’s unlikely that you would not upgrade your base (E3) Azure license to the slightly more expensive but worthwhile E5.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Note: It’s a licensing distinction, not a technical one, but the EMS E5 features listed below are the same as those you receive from Azure AD Premium P2.

Bluntly speaking, if you’re an organization large enough to have an actual IT department and not a “Julie in accounting is good with computers so she handles that stuff in her spare time” department, the base security and management options of Office 365 will not be sufficient.

How to get Detailed reports of Office 365 File, Email and Active Directory Permissions

If you’re accustomed to having detailed insight to your file sharing, email, and Active Directory permissions and activity, as Varonis customers are, the (lack of) default security functionality in the base Office 365 license will shock you.

The following feature lists are organized to help you make sense of the different native Microsoft Office 365 security tool capabilities available at each license level. These capabilities are actually provided by a number of different applications and services which are included with the different tiers, so there are varying degrees of cohesion and coverage with them.

In particular, if you need to secure both cloud and on-premises infrastructure, you should check out the additional capabilities added by Varonis (listed below).

E3 features NOT in the base license
(ProPlus and E1)

Single Sign On

  • SSO across Office 365 + Azure services
  • Ability to develop apps to consume the SSO

Advanced Security Reporting

  • Auditing and Alerting


  • Search, hold and export data held in the organization’s Office 365 stores


  • Access revocation
  • Prevent accidental sharing of sensitive information
  • View DLP Reports showing content that matches policies

E5 Features not in E3

Risk Based Conditional Access

  • Limit data access based on location, device, user state, and application sensitivity.
    • Limit a kiosk application to only run from designated workstations
    • Block outside access to BI apps
    • Enforce web applications only running on company hardware
  • Machine Learning based detection of suspicious patterns of data access.
    • Leverage larger Azure touchpoints for risk identification (brute forcing)
    • Identify abnormal data access patterns that might indicate malware
  • Contextual Multi-Factor Authentication challenges
    • Issue MFA requests to modify data (update email/password) in an app but don’t issue a challenge to view the data
    • Issue MFA challenge on a session / periodic (once per week) basis

Privileged Identity Management

  • Better overview of which users are assigned privileged and admin roles in Azure resources and Azure AD
    • Get a 10,000 foot view of who has the capability of making changes in your infrastructure
  • On demand just in time admin access users
    • Grant and pull back admin rights for specific workflows
  • Administrator Assignment alerts
    • Find out when a new admin is added at 2:30am on a Saturday
  • Admin approval requirements for roles
    • Have the CTO/Director of IT approve new admin right grants
    • Audit + track admin right grants
  • Admin role auditing
    • Track what changes have happened with the admin group overall

Data Classification

  • Classify and label data based on sensitivity
    • Identify data in files that are potentially dangerous.
  • Carry label based sensitivity protection through the enterprise
    • As different systems interact with the data, you can restrict access, require MFA challenge, etc based on what classification label is applied.

Microsoft Cloud App Security

  • Monitor usage of SAAS apps on your network
    • Block Shadow IT SAAS apps
    • Enforce addition/removals from SAAS apps
  • Limit cloud app usage based on user, device and location
    • Better secure potentially weak SAAS apps

How to secure your move to Office365 Security Varonis

Moving from an on-premise to a hybrid environment with Office365 is inherently tricky. Make things easier on yourself by using Varonis to:

  1. Clean up your existing user accounts
  2. Lock down your current file permission and sharing strategy
  3. Skip moving stale and abandoned data to the cloud
  4. Quarantine sensitive information.

Post-move, Varonis lets you monitor your on-premise and Office365 resources in a single unified view. Without that capability, it’s almost impossible to track lateral data movement through your environment without manually stitching together logs. Which significantly increases your response time to a suspected data breach or other security event.

Enforcing Least Privilege

  • Allow data owners to manage permissions
  • Assign permissions based on historic usage
  • Model permissions structures before applying
  • BiDirectional view on permission and permission sources


  • Get transparency into permissions views
  • Understand exactly who owns what
  • Fine grained rule definition and alerting
  • User Account Behavioral Identification (Users, Admins and VIPs naturally behave different)


  • Regulating bodies don’t care where they data is located, so you need to cover both cloud and on premise as well as the localities your data is physically stored in.

Get Started Securing Office 365

If you’re interested in seeing where your file permissions are open, your sensitive data exists and which administrator who quit three years ago still has access to your network, you should get a free risk assessment from Varonis.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Copilot Security: Ensuring a Secure Microsoft Copilot Rollout
This article describes how Microsoft 365 Copilot's security model works and the risks that must be considered to ensure a safe rollout.
Microsoft Office 365 File Sharing Guide: OneDrive and SharePoint Tips
Microsoft Office 365 adds a layer of complexity to your data security strategy — learn how to protect data and improve collaboration in your organization.
Introducing Varonis for Microsoft 365 Copilot
Varonis for Microsoft 365 Copilot is the industry's first purpose-built cybersecurity solution to secure Microsoft’s AI-powered productivity tool before and after deployment.
Why Your Org Needs a Copilot Security Scan Before Deploying AI Tools
Assessing your security posture before deploying gen AI tools like Copilot for Microsoft 365 is a crucial first step.