The Naming Problem That Creates Licensing Confusion
Microsoft Information Protection has been renamed, rebranded, and restructured multiple times in the past five years — from Azure Information Protection (AIP) to Microsoft Information Protection (MIP) to its current position as a core component of Microsoft Purview. This history of renaming means many enterprise IT teams are still budgeting for "AIP P2" licences when that product name has been retired, purchasing standalone licences for capabilities already included in their M365 bundle, or missing the fact that the sensitivity labelling infrastructure they need is available in E3 without any add-on purchase.
The commercial clarity needed for any enterprise licensing decision is this: Microsoft Information Protection capabilities today are delivered through Microsoft Purview, with two tiers (P1 and P2) that map to M365 E3 and M365 E5 respectively. The standalone AIP products (AIP P1, AIP P2) have been unified into Purview Information Protection P1 and P2. If your Order Form still references Azure Information Protection, the licences you hold today map to Purview Information Protection at the same capability tier.
What E3 and E5 Include for Information Protection
The inclusion boundary between E3 and E5 for information protection is one of the most commercially important and least-understood aspects of M365 licensing. Many organisations purchase Purview Information Protection add-ons for capabilities already included in E3, or upgrade to E5 for information protection capabilities that E3 already provides.
| Capability | M365 E3 (MIP P1) | M365 E5 (MIP P2) | Standalone Add-On |
|---|---|---|---|
| Sensitivity labels (manual + recommended) | Included | Included | MIP P1 (in E3) |
| Label policies (publish to users/groups) | Included | Included | MIP P1 |
| Microsoft 365 DLP (Exchange, SharePoint, Teams) | Included | Included | MIP P1 |
| Encryption via Rights Management Service | Included | Included | MIP P1 |
| Endpoint DLP (Windows) | Included | Included | MIP P1 |
| Automatic classification (trainable classifiers) | Not included | Included | MIP P2 |
| Auto-labelling at rest (SharePoint/OneDrive) | Not included | Included | MIP P2 |
| Exact Data Match (EDM) for DLP | Not included | Included | MIP P2 |
| Double Key Encryption (DKE) | Not included | Included | MIP P2 |
| Purview data map (content scanning) | Not included | Included | MIP P2 |
| Document fingerprinting for DLP | Not included | Included | MIP P2 |
The critical commercial insight from this table: the core sensitivity labelling infrastructure — manual labelling, label policies, M365 DLP for Exchange/SharePoint/Teams, RMS encryption, and even Endpoint DLP for Windows — is fully available in M365 E3 (Purview Information Protection P1). The P2 tier adds the capability layer that most organisations don't operationally need until they have mature P1 deployment: automatic classification, auto-labelling at rest, Exact Data Match, and Double Key Encryption.
Organisations in the early stage of information protection maturity — establishing a label taxonomy, deploying label policies to users, configuring DLP rules for sensitive data types — should not be purchasing P2 licences. The P1 capabilities available in E3 are more than sufficient for a 12–18 month initial deployment. P2 is the right investment when automatic classification replaces manual labelling as the primary deployment mechanism — which requires a mature label taxonomy, trained classifiers, and operational review processes for auto-label accuracy.
When P2 Auto-Labelling Justifies the Cost
Automatic classification and auto-labelling at rest (Purview MIP P2) are genuinely transformative capabilities for organisations that have struggled to achieve manual label adoption at scale. The commercial case for P2 centres on this deployment reality: manual label adoption in enterprise M365 environments typically plateaus at 40–60% of documents over 12 months, while auto-labelling policies can achieve 85–95% coverage within 60 days of deployment for document repositories where sensitive data types are clearly defined.
For regulated industries where data classification coverage is a compliance requirement — financial services with PCI data, healthcare with PHI, defence contractors with controlled unclassified information — P2 auto-labelling is not optional. For organisations where classification is a best-practice goal rather than a compliance mandate, the P2 premium ($3.50/user/month at standalone or $6–8/user/month embedded in E5 cost attribution) should be evaluated against the operational cost of manual labelling programmes and their actual coverage rates.
Exact Data Match: The High-Value, Narrow-Use Case
Exact Data Match (EDM) for DLP is a P2 capability that allows DLP rules to match specific data values — employee IDs, patient record numbers, account numbers — against an uploaded dataset, rather than matching generic patterns. This provides near-zero false positive DLP matching for organisations that need to detect specific regulated data instances rather than data patterns. The use case is narrow but where it applies — insurance claim numbers, patient MRN matching, financial account number exact-match — it is commercially difficult to replicate with P1 pattern-matching alone.
EDM is licensed per user who needs DLP policies applied — not per the users whose data is in the EDM schema. This means a 10,000-user organisation protecting 1 million patient records needs P2 for the users who handle those records, not necessarily the full 10,000 user population. Population segmentation applies to MIP P2 exactly as it applies to Defender for Endpoint P2.
On-Premises and Non-Microsoft File Coverage
A frequently overlooked aspect of Purview Information Protection licensing is coverage for on-premises file repositories and non-Microsoft content. The AIP Unified Labelling Scanner (now Purview Information Protection Scanner) allows automatic scanning and labelling of on-premises file shares and SharePoint Server content. This is included in the MIP P2 licence — but requires on-premises scanner installation and configuration.
For organisations with significant on-premises file repository estates (Windows File Servers, NAS devices, SharePoint Server), the MIP P2 scanner is the mechanism by which auto-labelling extends beyond M365 cloud services to cover the full data estate. Organisations that have purchased MIP P2 without deploying the scanner have paid for this capability without consuming its on-premises value. Conversely, organisations with large on-premises estates that haven't yet evaluated MIP P2 scanner deployment should include this as a P2 value quantification point in the E3 vs E5 decision.
MIP vs Purview E5 Compliance Add-On
It is important to distinguish between Purview Information Protection P2 (included in M365 E5) and the M365 E5 Compliance add-on ($12/user/month). These are separate products. Purview Information Protection P2 covers classification, labelling, encryption, and DLP. The M365 E5 Compliance add-on adds Insider Risk Management, Communication Compliance, Information Barriers, and Records Management.
For data protection purposes, Purview Information Protection P2 (available as a standalone add-on at ~$3.50/user/month for E3 users, or included in M365 E5) is the relevant licence. The E5 Compliance add-on is a separate investment for regulatory compliance and insider risk programmes. Do not conflate these SKUs when evaluating information protection licensing cost — many proposals include E5 Compliance as a package with MIP P2 when only MIP P2 is required for the stated use case.
For the complete security licensing context, see our Microsoft Security Licensing guide and our analysis of M365 E5 security value. For M365 licence optimization broadly, see our M365 Optimization service and our E3 vs E5 cost comparison white paper.
5-Step MIP Licensing Optimization
Step 1: Map your current information protection deployment against P1 capabilities. Document which sensitivity labels exist, which DLP policies are active, and what percentage of your document estate is currently classified. If your deployment is in early maturity with manual labelling and M365 DLP only, P1 is the correct tier.
Step 2: Assess your P2 use case genuinely. Do you need automatic classification because manual label adoption has plateaued below compliance requirements? Do you have on-premises file repositories requiring scanner coverage? Do you need Exact Data Match for specific regulated data types? If you cannot answer yes to at least one of these questions, P2 is premature.
Step 3: Segment the P2 population if P2 is justified. For auto-labelling, EDM, and scanner — these capabilities are applied to content, not user populations directly. However, the MIP P2 licence requirement applies to users who are subject to auto-label policies and DLP policies using P2 capabilities. Identify this population (regulated function staff, legal, compliance, finance, HR) rather than defaulting to full-organisation P2 deployment.
Step 4: Audit for AIP/MIP standalone licences against M365 bundle inclusions. Many organisations have legacy standalone AIP P1 or P2 licences that are now redundant if E3 (MIP P1) or E5 (MIP P2) has been purchased. Reconcile your Order Form against current M365 bundle inclusions and remove any standalone licences that are duplicated by the bundle.
Step 5: Present the segmented P2 deployment in EA renewal discussions. If P2 is required for a subset of your population, counter Microsoft's full-population P2 or E5 upgrade proposal with a validated segmentation showing the regulated-function population that requires P2 and the broader population adequately served by E3 + P1. Contact our team via the assessment page for a segmentation benchmark against comparable deployments.