Microsoft 365 E3 organisations believe they have DLP protection. They have email and SharePoint DLP. What they do not have — and what most security assessors will flag as a material gap — is endpoint DLP, Teams DLP, and cloud application DLP. In organisations where Teams is the primary collaboration tool and managed Windows devices are the standard endpoint, the DLP coverage gap in M365 E3 is not a minor limitation. It is the functional absence of DLP on the workloads where most data exfiltration actually occurs. This guide provides the precise licensing map for each DLP tier and the commercial implications of each coverage decision.
DLP Coverage by Licence Tier
| DLP Workload | M365 E3 | M365 E5 Compliance | M365 E5 | Notes |
|---|---|---|---|---|
| Exchange Online (email) | ✅ | ✅ | ✅ | Full policy enforcement, block, notify, encrypt |
| SharePoint Online | ✅ | ✅ | ✅ | Includes document libraries and sites |
| OneDrive for Business | ✅ | ✅ | ✅ | Sync client and web access |
| Teams chat & channel | ❌ | ✅ | ✅ | Critical gap — primary communication workload |
| Endpoint DLP (Windows) | ❌ | ✅ | ✅ | USB, clipboard, print, browser upload, app restrictions |
| Endpoint DLP (macOS) | ❌ | ✅ | ✅ | Subset of Windows endpoint controls |
| Defender for Cloud Apps (MDCA) | ❌ | ❌* | ✅ | *Not in E5 Compliance add-on — requires full E5 or E5 Security |
| Power BI (preview) | ❌ | ✅ | ✅ | Label-based DLP for Power BI datasets |
| DLP Policy simulation mode | Limited | ✅ | ✅ | Full simulation reporting requires E5 Compliance |
| DLP Analytics dashboard | Limited | ✅ | ✅ | Incident trends, false positive analysis |
Endpoint DLP: What It Covers and Why It Matters
Endpoint DLP is the most significant DLP capability gap in M365 E3. It monitors and controls data movement on managed Windows 10/11 and macOS endpoints, covering six primary exfiltration vectors that E3 DLP completely ignores.
The Six Endpoint DLP Controls
Removable storage (USB drives): Endpoint DLP can block or audit copying of sensitive content to USB drives and other removable media. This is the primary exfiltration vector for departing employees. Without endpoint DLP, an employee can copy an entire customer database to a USB drive and walk out of the office — with no DLP alert generated. This control alone justifies E5 Compliance for organisations in financial services, healthcare, or any regulated industry.
Clipboard: Endpoint DLP monitors clipboard operations involving sensitive content. An employee copying credit card numbers from a corporate system and pasting them into a personal email client or browser-based webmail is blocked or alerted on.
Printing: Sensitive documents can be blocked from printing, or printing can be allowed with audit logging. The printer control is particularly relevant for legal and financial services organisations where client documents are subject to confidentiality obligations.
Browser upload: Endpoint DLP monitors file uploads in Chrome, Edge, and Firefox (with the extension). Uploading a sensitive document to a personal Google Drive or Dropbox account via browser is detected and can be blocked. This control closes the gap where a technically aware user bypasses email DLP by uploading files to a personal cloud storage service.
Restricted app access: Endpoint DLP can restrict access to sensitive files by specific applications. For example, blocking unmanaged file manager applications from accessing content labelled "Highly Confidential."
Network share: Copying sensitive content to unmapped network paths can be monitored and blocked.
Endpoint DLP Prerequisites
Endpoint DLP has a dependency on Microsoft Intune for device onboarding. Devices must be Intune-managed and enrolled in Endpoint DLP through the Intune portal. Intune is included in M365 E5 and E5 Compliance but is also available as a standalone licence (~$8/user/month). If your organisation already has Intune deployed for device management, the incremental step to enable Endpoint DLP is primarily a licensing change (E5 Compliance) plus policy configuration work.
Teams DLP: The Compliance Communication Gap
Microsoft Teams has displaced email as the primary communication tool in most Microsoft-centric enterprises. This shift has a direct and significant compliance implication: if your DLP programme was designed around email as the primary data channel, it does not cover the channel where most sensitive communication now occurs.
Teams DLP under E5 Compliance can enforce policies on Teams chat messages (1:1 and group chats) and Teams channel messages. Policy enforcement options include blocking the message before delivery, sending a policy tip notification to the sender, and generating an alert for compliance review. The policy can detect standard sensitive information types, custom SITs, and trainable classifiers — the same detection engines used in email DLP.
The practical scope: a 1,000-user organisation generates approximately 200,000–400,000 Teams messages per day. Without Teams DLP, every one of those messages is an unmonitored data exfiltration channel. The cost of a single data breach involving Teams messages that were not covered by DLP — particularly in a regulated industry where regulators expect comprehensive electronic communication surveillance — can exceed $5M in fines and remediation costs. The licence cost of E5 Compliance is approximately $144/user/year, or $144,000/year for 1,000 users.
DLP and Information Protection Integration
DLP policies can trigger on sensitivity label values — this is the primary integration point between Purview Information Protection and DLP. A DLP policy that blocks external sharing of content labelled "Confidential" or higher is more precise and less prone to false positives than a DLP policy that attempts to detect sensitive content by keyword or regex pattern. The label carries the classification decision; DLP enforces the policy based on that decision.
This integration is powerful, but it requires both Information Protection and DLP to be operating correctly. An organisation that has deployed DLP policies based on sensitivity labels but whose label deployment is incomplete will have DLP gaps exactly where content is not yet labelled. For this reason, the Information Protection and DLP deployment should be treated as a single programme, not two independent workstreams.
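The trade-off described above, as an added example that is not from the original guide and does not reproduce Purview's detection engine: a label-triggered rule and a naive 16-digit pattern rule are evaluated over four constructed documents. The label names and ranks, the regex, and the use of a Luhn check as ground truth for "really a card number" are assumptions made for illustration.

```python
import re

# Constructed sample documents; names, labels and text are illustrative only.
DOCS = [
    {"name": "q3-customers.xlsx", "label": "Confidential",
     "text": "Card 4111 1111 1111 1111 on file"},
    {"name": "parts-list.txt", "label": "General",
     "text": "Part no. 1234 5678 9012 3456 in stock"},
    {"name": "export-unlabelled.csv", "label": None,
     "text": "4111-1111-1111-1111,J Smith"},
    {"name": "board-minutes.docx", "label": "Highly Confidential",
     "text": "Acquisition terms agreed"},
]
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # naive 16-digit pattern

def luhn_ok(digits):
    """Luhn checksum, used here as ground truth for 'really a card number'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def pattern_match(doc, require_luhn=False):
    """Content-based rule: fires on any 16-digit run, optionally Luhn-checked."""
    for m in CARD_RE.finditer(doc["text"]):
        if not require_luhn or luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False

def label_match(doc, threshold="Confidential"):
    """Label-based rule: fires only if a label at or above the threshold exists."""
    label = doc["label"]
    return label is not None and LABEL_RANK[label] >= LABEL_RANK[threshold]

def compare_policies(docs):
    names = lambda pred: sorted(d["name"] for d in docs if pred(d))
    return {
        "blocked_by_pattern": names(pattern_match),
        "blocked_by_label": names(label_match),
        # Pattern fired, but the digits are not a valid card number.
        "pattern_false_positives": names(
            lambda d: pattern_match(d) and not pattern_match(d, True)),
        # Valid card number present, but no qualifying label: the label rule misses it.
        "label_gap": names(
            lambda d: pattern_match(d, True) and not label_match(d)),
    }
```

The pattern rule blocks a harmless parts list and misses the board minutes entirely, while the label rule misses only the unlabelled export, which is the gap an incomplete label rollout leaves open.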
For the Information Protection licensing analysis, see the companion guide on Purview Information Protection licensing. For the full Purview suite overview, see the Microsoft Purview Licensing Complete Guide.
DLP Incident Management and Alerting
DLP incidents — policy match events where sensitive data was detected and the configured action was taken — require review and remediation. E5 Compliance provides the DLP Analytics dashboard and incident management tools that make this operationally tractable. Key capabilities include incident trend analysis (identifying users and workloads generating the highest policy match volume), false positive rate monitoring (essential for tuning policies to reduce business disruption), and DLP alert management integration with the Microsoft Purview compliance portal.
E3 DLP provides basic incident logging but lacks the analytics layer. Organisations with high DLP policy match volumes on E3 (common in financial services and healthcare where sensitive data is pervasive) find that incident review becomes an operational bottleneck. The E5 Compliance analytics tools directly address this by enabling policy tuning based on actual match data, reducing false positive rates from typical initial deployment levels of 15–25% to under 5% within 90 days of active tuning.
EA Negotiation for DLP Licensing
Lever 1: Competitive DLP Platforms as Leverage
Enterprise DLP has strong competition from Symantec DLP, Forcepoint DLP, Trellix (McAfee), and Varonis. Symantec DLP in particular is deeply embedded in many regulated industry environments. If your organisation has existing DLP investment, document the annual cost, remaining contract term, and capability coverage. Present this as a migration cost that needs to be offset in the Microsoft EA pricing. Microsoft has shown willingness to offer 10–18% discounts on E5 Compliance in scenarios where a client provides documented competitive DLP platform analysis.
Lever 2: Endpoint DLP as Standalone Justification
If your primary DLP requirement is endpoint coverage, evaluate whether the Microsoft 365 E5 Information Protection and Governance add-on ($4/user/month, includes endpoint DLP and advanced labelling but not IRM or Communication Compliance) is more appropriate than the full E5 Compliance add-on ($12/user/month). This more targeted add-on is frequently overlooked in EA negotiations where Microsoft account teams default to recommending the full E5 Compliance bundle.
Lever 3: DLP Policy Simulation as Pre-Deployment Requirement
DLP simulation mode — which requires E5 Compliance — is not just a nice-to-have. Running DLP policies without simulation testing first consistently causes business disruption from false-positive blocks. Include DLP simulation capability as a deployment requirement in your EA justification for E5 Compliance, and document the business risk of deploying without it. This both strengthens your internal approval for the E5 Compliance investment and provides Microsoft with a legitimate deployment narrative.
Frequently Asked Questions
What DLP is included in Microsoft 365 E3?
M365 E3 includes DLP for Exchange Online, SharePoint Online, and OneDrive for Business. It does not include endpoint DLP, Teams DLP, Defender for Cloud Apps DLP (third-party cloud services), or full DLP analytics and simulation mode. E3 DLP is workload-specific; E5 DLP is comprehensive.
What licence is required for endpoint DLP?
Endpoint DLP requires M365 E5, the E5 Compliance add-on, or the M365 E5 Information Protection and Governance add-on. It also requires Microsoft Intune for device management. Endpoint DLP monitors data movement on managed Windows 10/11 and macOS devices: USB drives and other removable storage, clipboard, printing, and browser upload.
Does Microsoft Teams DLP require E5?
Yes. DLP policies applied to Teams chat and channel messages require M365 E5 or the E5 Compliance add-on. M365 E3 DLP does not cover Teams. This is a significant gap for organisations that use Teams as their primary communication platform.
How does DLP policy simulation mode work and does it require E5?
DLP simulation mode tests a policy and shows what it would have blocked without actually enforcing it. This is an E5 Compliance capability. E3 DLP does not include full simulation mode. Running DLP policies without simulation testing is a common cause of business disruption from false-positive blocks.
What is Defender for Cloud Apps DLP and how is it licensed?
Microsoft Defender for Cloud Apps (MDCA) DLP extends Purview DLP policies to third-party cloud applications. It requires M365 E5 or the E5 Security add-on — it is NOT included in the E5 Compliance add-on. This is a frequently missed licensing distinction when organisations purchase E5 Compliance expecting full cloud application DLP coverage.