Microsoft Purview is the most complex licensing area in the entire Microsoft portfolio — and the most frequently misunderstood. In 500+ EA engagements, we find that fewer than 30% of organisations have correctly identified which Purview features they have licensed, which they have activated, and which they are paying for but not using. The result is a compliance licensing landscape where organisations simultaneously overpay for unused features and carry compliance gaps in areas they believe are covered. The stakes are high: misconfigurations can result in regulatory non-compliance, failed e-discovery requests, or undiscovered data breaches.
Independent Advisory. Zero Vendor Bias.
500+ Microsoft EA engagements. $2.1B in managed spend. 32% average cost reduction. We negotiate on your behalf — never Microsoft's.
View Advisory Services →What Is Microsoft Purview?
Microsoft Purview is the unified brand for Microsoft's compliance, data governance, and risk management portfolio. Launched in 2022 by consolidating Microsoft 365 Compliance, Azure Purview (data governance), and Microsoft Information Protection under a single brand, Purview now encompasses more than 20 distinct product capabilities spanning data classification, protection, retention, eDiscovery, audit, insider risk, and communication compliance.
For licensing purposes, Purview capabilities divide into two distinct families. The Microsoft 365 Purview capabilities are licensed per user through M365 subscription tiers and add-ons. The Microsoft Purview data governance capabilities (including the Data Catalog, Data Estate Insights, and Data Sharing) are Azure-based services billed on consumption metrics. This guide focuses on M365 Purview — the compliance and protection suite that most enterprises are purchasing as part of EA negotiations.
The Purview Licensing Hierarchy
Purview compliance features are delivered across four licensing tiers. Understanding the boundaries between tiers is essential for both compliance management and cost optimisation.
| Tier | Plan | Approx. Cost/User/Month | Key Purview Capabilities Included |
|---|---|---|---|
| Foundation | M365 E3 / Business Premium | $36–$22 | Basic sensitivity labels, Exchange/SharePoint DLP, Audit Standard (90 days), eDiscovery Standard, basic retention |
| Advanced Compliance | M365 E5 Compliance add-on | +$12 | Full Information Protection, Advanced DLP (endpoints, Teams), Insider Risk Management, Communication Compliance, Audit Premium (1yr), Advanced eDiscovery |
| Full E5 | M365 E5 | $57 | All E5 Compliance features + E5 Security features (Defender, Sentinel integration, etc.) |
| Standalone | Individual Purview add-ons | $3–$8 each | Specific capabilities (eDiscovery, Audit log retention extension, Communication Compliance standalone) |
Core Purview Capabilities: Licensing Requirements
Microsoft Purview Information Protection
Information Protection (formerly Azure Information Protection / Microsoft Information Protection) enables classification and labelling of documents and emails based on sensitivity. The feature set spans from basic manual labelling through to automatic classification using trainable classifiers and machine learning models.
M365 E3 includes sensitivity label creation and manual labelling capabilities. This sounds comprehensive, but the gap between E3 and E5 Information Protection is significant for regulated industries: E3 does not include automatic labelling (where the system auto-classifies based on content detection), trainable classifiers, or the full suite of protection actions (encryption, access restriction, label-based conditional access). For organisations in financial services, healthcare, or legal where auto-classification is a regulatory requirement, E5 Compliance is necessary. For the detailed analysis, see our guide on Purview Information Protection licensing.
Microsoft Purview Data Loss Prevention
DLP capabilities under M365 E3 cover Exchange Online, SharePoint Online, and OneDrive for Business. This leaves significant gaps: Teams chat and channel messages, Windows endpoint DLP (monitoring data movement on managed devices), and third-party cloud application DLP all require E5 Compliance or the E5 Compliance add-on.
The practical compliance gap is material. An organisation on M365 E3 believing it has DLP protection may have unmonitored data exfiltration channels through Teams direct messages (not covered), USB drives on Windows endpoints (not covered), and cloud storage apps like Box or Dropbox (not covered). E5 DLP closes all of these gaps. For full DLP tier analysis, see the Purview DLP licensing guide.
Microsoft Purview eDiscovery
eDiscovery Standard (included in M365 E3) provides basic content search, hold capabilities, and export for litigation response. eDiscovery Premium (E5 Compliance) adds custodian management, advanced case management workflows, intelligent review sets, attorney-client privilege detection, and predictive coding for large-scale review cost reduction.
For organisations that run more than two or three e-discovery matters per year, the cost of eDiscovery Premium pays for itself through reduced legal review costs. A predictive coding-assisted review of a 500,000-document set can reduce manual review time by 60–70%, saving $150,000–$400,000 in external counsel fees on a single matter. See the detailed Purview eDiscovery Premium vs Standard comparison.
Microsoft Purview Insider Risk Management
Insider Risk Management (IRM) is an E5-only feature with no E3 equivalent. It monitors user behaviour signals across M365 workloads to detect data exfiltration, intellectual property theft, policy violations, and departing employee data movement. The feature requires E5 Compliance or the E5 Compliance add-on for every monitored user.
IRM is one of the most frequently purchased Purview capabilities in regulated industries, and also one of the most frequently misconfigured. The licensing requirement applies to every user subject to an IRM policy — not just users who trigger an alert. For a 2,000-user organisation with IRM policies covering all users, this requires 2,000 E5 Compliance licences. Licensing only the users who generate alerts is a common compliance error. See Purview Insider Risk Management licensing for the full per-feature breakdown.
Microsoft Purview Communication Compliance
Communication Compliance enables organisations to monitor communications (email, Teams messages, Viva Engage) for regulatory requirements, harassment policies, and financial services communication surveillance obligations. Like IRM, this is an E5 Compliance feature requiring a licence for every monitored user.
The financial services sector drives the majority of Communication Compliance adoption, where FINRA, FCA, and similar regulators require electronic communications surveillance for registered representatives. For the licensing tiers and per-user cost analysis, see Purview Communication Compliance licensing.
Microsoft Purview Audit
Purview Audit Standard (M365 E3) retains audit logs for 90 days with basic event coverage. Purview Audit Premium (E5 Compliance) extends retention to one year, adds high-value forensic events (MailItemsAccessed, Send, SearchQueryInitiated — critical for breach investigation), and provides access to the high-bandwidth Management Activity API for SIEM integration. For organisations subject to GDPR, HIPAA, SOX, or similar frameworks requiring 12-month audit log retention, E5 or E5 Compliance is a compliance requirement, not a premium feature.
Get an Independent Second Opinion
Before you sign your next Microsoft agreement, speak with an adviser who has no commercial relationship with Microsoft.
Request a Consultation →The Purview Cost Map: What You Actually Pay
The following cost map represents a 1,000-user enterprise organisation evaluating Purview compliance requirements. Pricing is 2026 list; EA discounts of 10–20% typically apply.
| Scenario | Per-User Plan | Monthly Cost (1,000 users) | Annual Cost | Key Gap |
|---|---|---|---|---|
| M365 E3 only | $36/user | $36,000 | $432,000 | No endpoint DLP, no IRM, no Comm Compliance, 90-day audit |
| E3 + E5 Compliance add-on (all users) | $48/user | $48,000 | $576,000 | None — full Purview suite |
| E3 + E5 Compliance (subset — 300 users) | Mixed | $39,600 | $475,200 | Compliance gaps for 700 unlicensed users |
| M365 E5 (all users) | $57/user | $57,000 | $684,000 | None — also includes E5 Security |
| E3 + individual add-ons | $36 + $3–8 each | $40,000–$47,000 | $480K–$564K | Complex compliance, gap risk from piecemeal approach |
The cost delta between M365 E3 and M365 E3 + E5 Compliance is $12/user/month. For an organisation where 100% of users need the full Purview suite, this is $144/user/year — the most straightforward compliance licensing decision in the Microsoft portfolio. The complexity arises when organisations attempt to tier their compliance coverage, applying E5 Compliance to a subset of users and leaving others on E3. The PUR (product use rights) interpretation of whether this is compliant is nuanced and has been a subject of Microsoft audit findings.
Purview Compliance Decisions: The Framework
Regulatory Requirements Drive the Baseline
The starting point for any Purview licensing decision is the regulatory framework your organisation operates under. GDPR requires specific data retention, subject access response capabilities, and breach notification audit trails — requirements that typically map to E5 Compliance. HIPAA requires audit log retention of at least 6 years for electronic PHI — the standard 90-day Audit Standard retention is wholly inadequate. FINRA Rule 17a-4 requires broker-dealers to retain communications for defined periods and produce them on regulatory request — this requires Communication Compliance at minimum.
The compliance cost of not having the right Purview tier is almost always higher than the licensing cost of getting it. A GDPR breach response without proper audit logs (only available in Audit Premium) typically costs $500,000–$2M more in regulatory investigation and remediation than the same breach with proper audit infrastructure. The licensing cost difference is $144/user/year. The ROI calculation is not difficult.
The E5 vs E5 Compliance Add-On Decision
The decision framework is simple: if your security team uses or plans to use Microsoft Defender XDR, Microsoft Sentinel, or Defender for Endpoint, the full E5 bundle may be cost-effective. If your requirements are compliance-only (Purview suite), the E5 Compliance add-on saves $45/user/month. For a 1,000-user enterprise, the annual difference is $540,000. For a 5,000-user enterprise: $2.7M/year.
Microsoft's account teams often push for full E5 upgrades citing "unified experience" benefits. We have seen this framing deployed consistently regardless of whether the security features are genuinely needed. The unified experience argument is worth approximately $3/user/month in real operational benefit for most organisations — not $45/user/month.
For the full E3 vs E5 decision framework, see the E3 vs E5 cost comparison guide and the Microsoft 365 Compliance add-ons deep-dive.
EA Negotiation for Purview Licensing
Lever 1: Compliance Add-On vs Full E5 Explicit Comparison
Before any EA renewal involving compliance features, produce a written comparison of E5 Compliance add-on versus full E5. Present this to your Microsoft account team and request explicit justification for any recommendation to upgrade to full E5. This simple step changes the negotiation dynamic — it signals that you understand the alternatives and will not be sold a more expensive bundle without justification. In our experience, account teams who receive this analysis routinely accept E5 Compliance add-on proposals without further pressure for full E5.
Lever 2: Staged Rollout Commitment
Purview features have non-trivial deployment timelines. Information Protection classification requires data discovery and labelling work that takes 3–6 months for a 1,000-user organisation. IRM requires HR and legal policy framework development before deployment. Negotiate staged commitments in the EA: commit to full E5 Compliance seat count in year 1 with a deployment milestone schedule, and use deployment progress as leverage for pricing concessions in the renewal negotiation.
Lever 3: Competitive Benchmark
Purview competes with Proofpoint (eDiscovery, DLP, communication compliance), Varonis (data classification, DLP), Relativity (eDiscovery), and Smarsh (communication compliance). Each has a published pricing model. Obtaining quotes from one or two competitors creates genuine leverage in EA negotiations for Purview pricing — particularly for Communication Compliance, where Proofpoint and Smarsh are strong alternatives with established regulatory credibility.
Lever 4: User Count Optimisation
Not every user in your organisation requires E5 Compliance. Frontline workers on F3 licences, certain contractor populations, and users without access to sensitive data may not require IRM or Communication Compliance coverage. Build a segmented licence model: E3 + E5 Compliance for knowledge workers handling regulated data, E3 for administrative and operational users, F3 for frontline workers. This can reduce the per-user compliance licensing cost by 20–35% compared to a blanket E5 Compliance deployment.
📄 Free Guide: Microsoft Security Licensing Guide
Complete licensing analysis for Defender, Purview, Sentinel, and Entra — with bundle optimisation framework.
Download Free Guide →Purview Feature Activation vs Licensing
A consistent finding in our compliance engagements: organisations are paying for Purview features they have not activated. The three most commonly purchased-but-not-deployed Purview capabilities are Insider Risk Management (purchased by 65% of E5 customers, actively deployed by 35%), advanced sensitivity label policies (purchased 80%, configured 45%), and eDiscovery Premium (purchased 70%, utilised for actual matters 40%). The unused licence cost is real — the compliance benefit is not being realised.
This pattern has an important implication for EA renewal negotiations. If your organisation has significant unactivated Purview capacity, you have two choices: accelerate deployment to realise the value, or negotiate a right-sizing of the E5 Compliance licence count at renewal. Microsoft will resist the latter but will accept it with sufficient justification and documented deployment timelines. We have successfully negotiated reductions of 200–500 E5 Compliance seats in renewal scenarios where deployment audit showed chronic underutilisation.
Frequently Asked Questions
What Microsoft 365 plan includes Microsoft Purview compliance features?
Microsoft 365 E3 includes foundational Purview features: basic sensitivity labels, basic DLP (Exchange + SharePoint), Audit Standard (90 days), eDiscovery Standard, and basic retention policies. Microsoft 365 E5 or the Microsoft 365 E5 Compliance add-on unlocks the full Purview suite: Advanced eDiscovery, Insider Risk Management, Communication Compliance, Purview Audit Premium, advanced DLP (all workloads including endpoints), and Information Protection auto-labelling.
What is the Microsoft 365 E5 Compliance add-on and what does it cost?
The Microsoft 365 E5 Compliance add-on provides the full Purview compliance suite for users on M365 E3 plans. List price is approximately $12/user/month (2026 pricing). For organisations on M365 E3 who need compliance capabilities, this add-on is more cost-effective than upgrading to E5 ($57/user/month) unless the security features of E5 are also needed — a $45/user/month difference.
Do Microsoft Purview features require licensing for every user?
It depends on the feature. Information Protection and DLP policies must be licensed for every user whose data is being protected or whose activity is being monitored. Insider Risk Management and Communication Compliance require licences for every monitored user. eDiscovery licences are required for custodians whose data is searched. Audit requires licences for users whose audit logs are collected.
Can Purview features be licensed for a subset of users?
Technically yes for some features — you can apply IRM policies to a subset of users and licence only those users. However, Microsoft's product use rights require that all users who benefit from or are subject to a policy be licensed. For DLP protecting SharePoint, all users who access that SharePoint site should be licensed. Microsoft's interpretation is increasingly enforced during audits.
What is the difference between Purview Audit Standard and Purview Audit Premium?
Purview Audit Standard (M365 E3) retains audit logs for 90 days and covers basic mailbox and SharePoint events. Purview Audit Premium (E5 or E5 Compliance) extends retention to 1 year, adds high-value audit events including MailItemsAccessed and Send (critical for breach investigation), and provides high-bandwidth Management Activity API access for SIEM integration. The 1-year retention is the minimum requirement for most regulatory frameworks.
Microsoft Purview Licensing — Complete Cluster
- Purview Information Protection Licensing — Auto-classification, sensitivity labels, and protection tiers
- Purview DLP Licensing Tiers — Exchange vs endpoint vs Teams DLP coverage gaps
- Purview eDiscovery Premium vs Standard — Cost analysis and legal operations ROI
- Purview Communication Compliance Licensing — FINRA, FCA, and surveillance licensing
- Purview Insider Risk Management Licensing — Per-user requirements and policy scoping
- Purview Audit Standard vs Premium — MailItemsAccessed, 1-year retention, SIEM bandwidth guide
- M365 E5 Compliance Add-on Deep Dive — Full capability breakdown, E3 vs E5 cost analysis, EA strategy
- Retention Policies Licensing Guide — E3 vs E5 retention, regulatory records, litigation hold, adaptive scopes
- Sensitivity Labels Licensing Guide — Service-side auto-labelling, trainable classifiers, DKE, container labels
- Microsoft 365 Compliance Add-Ons Deep-Dive — Full add-on catalogue and bundle analysis
- Microsoft 365 Compliance Center Guide — Administration and compliance score overview
- Microsoft 365 Defender Licensing Comparison — Security licensing complement to compliance
- Microsoft Compliance Manager Licensing — Risk assessment and compliance score tools
- Microsoft Entra ID P1 vs P2 — Identity licensing that complements Purview