Optimizing Microsoft EMS E5 Licensing: Strategies for CIOs and Sourcing Leaders
Enterprise Mobility + Security E5 (EMS E5) is Microsoft’s top-tier security and device management bundle, offering a rich set of tools for identity protection, device management, threat detection, and information security.
The challenge for CIOs and sourcing professionals is to leverage EMS E5’s capabilities fully without overspending. This Gartner-style advisory outlines how to maximize the technical value of EMS E5, avoid common licensing pitfalls, and develop a cost-optimized licensing strategy. We focus exclusively on EMS E5 (not the broader Microsoft 365 suite), emphasizing cost optimization and real-world best practices.
What EMS E5 Includes – and Where Companies Underutilize It
Components included in EMS E3 (top) vs EMS E5 (bottom). EMS E5 adds advanced security capabilities on top of the E3 baseline.
EMS E5 Capabilities: EMS E5 encompasses all features of EMS E3 (core mobility and security tools) and adds several advanced solutions:
- Identity and Access Management: Microsoft Entra ID Premium P2 (formerly Azure AD P2) is included in EMS E5. It brings risk-based conditional access, advanced Identity Protection (automated risk detection for sign-ins), and Privileged Identity Management (just-in-time admin access). These go beyond the basic identity management of EMS E3 (which has Entra ID P1).
- Device and Endpoint Security: EMS E5 includes Microsoft Defender for Endpoint (Plan 2) – a robust endpoint detection and response (EDR) platform. This extends device protection beyond the anti-malware in standard Windows or EMS E3, offering behavioural threat detection, automated investigation, and response across user devices. (EMS E3 already includes Intune for device management; EMS E5 builds on this with advanced endpoint threat analytics.)
- Cloud App Security: EMS E5 adds a Cloud Access Security Broker via Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). This tool discovers and monitors cloud app usage (e.g., detecting “Shadow IT”), provides risk assessment for SaaS apps, and enforces policies to protect data in third-party cloud services. EMS E3 does not include a CASB, making this a significant E5-only feature.
- Threat Protection for Identities: Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is part of EMS E5, providing behavioural analytics for on-premises Active Directory. It identifies suspicious activities like lateral movement, pass-the-ticket attacks, and compromised user accounts in your on-prem/hybrid environment – capabilities absent in EMS E3.
- Information Protection: EMS E5 upgrades data protection to Azure Information Protection Plan 2. This enables automated classification and labelling of sensitive data (using machine learning or pre-set rules), whereas EMS E3’s AIP Plan 1 only offers manual labelling. With AIP P2, documents and emails can be automatically encrypted or marked based on content, helping prevent data leaks.
- Everything in EMS E3: Importantly, EMS E5 also includes the full EMS E3 suite. Microsoft Intune (mobile device and application management), Entra ID P1, Azure Information Protection P1, and basic security features are all part of EMS E5. In short, EMS E5 is a superset of EMS E3 – it’s not a separate product but an upgrade to the higher tier of capabilities.
Underutilization and Overpaying:
Many organizations purchase EMS E5 for its robust security promise, yet fail to utilize a significant portion of its features. Commonly underused components include Intune and Azure Information Protection features (data labelling and rights management), which require substantial planning and user training to implement.
It’s not unusual to find companies paying for Azure AD Premium P2 (as part of E5) but still not activating Privileged Identity Management or configuring any Identity Protection policies. Similarly, Defender for Cloud Apps might be left idle if the organization hasn’t set up cloud app discovery or governance processes.
This underutilization turns into “shelfware” – a sunk cost with no return. In fact, industry analysis shows a large chunk of E5 licenses go unused: one recent study found that roughly 23% of purchased Microsoft 365 E5 licenses were “inactive,” and another 27% were completely unassigned—effectively money wasted on shelfware. For EMS E5 specifically, many companies have paid for advanced security tools that are never turned on.
Why does this happen? Often, EMS E5 is bought as part of a bundle or a strategic security upgrade, but organizations overestimate their ability to deploy all features or lack the immediate need for every component.
For example, a firm might upgrade to EMS E5 to get Cloud App Security and Azure AD P2 but end up not using AIP P2 because they have no data classification project in place, thus overpaying for a capability that sits unused. Overlapping tools can also lead to waste: if you continue running third-party MDM or CASB solutions in parallel with EMS E5, you might pay twice for similar functionality. The key is awareness – knowing exactly what EMS E5 includes and ensuring your IT team has a plan to use those features, or else considering cheaper alternatives.
Avoiding Waste:
First, get a clear inventory of the EMS E5 features to avoid overspending and map them to your needs. Identify which features you’re actively using, which are enabled but not fully adopted, and which aren’t even deployed. This insight will guide whether you truly need EMS E5 for all users.
Many organizations find that only a subset of EMS E5’s capabilities align with their current security program – the rest might be “nice to have” but not mission-critical. In those cases, it may be prudent to license only certain users with EMS E5 (or use add-on licenses for specific features) instead of blanketing everyone. We will explore those strategies in detail later in this article.
Licensing Options and Structuring EMS E5 for Your Enterprise
One size rarely fits all when it comes to licensing. Microsoft offers flexibility in acquiring EMS E5, and savvy organizations will mix and match license types to suit different user profiles or business units.
Key licensing options and approaches include:
- Standalone EMS E5 Licenses: You can purchase EMS E5 as a standalone subscription for specific users or the entire organization. This is often done when you already have Office 365 or Microsoft 365 E3 but want to enhance security by adding EMS E5. Standalone EMS E5 costs roughly ~$15–16 per user/month (compared to ~$9 for EMS E3), though enterprise agreements and volume discounts can lower these prices. In a standalone model, you pay for the mobility + security bundle, independent of Office or Windows licenses. This is ideal if you aim to boost security while leaving productivity tools (Office 365) at a lower tier. For example, a company might keep Office 365 E3 for all employees but add EMS E5 for users handling sensitive data to get those advanced security features without paying for the full Microsoft 365 E5 suite.
- Bundled as Part of Microsoft 365 E5: EMS E5 is also included by default in the Microsoft 365 E5 bundle (which combines Office 365 E5, Windows 11 Enterprise E5, and EMS E5). If your organization has M365 E5 licenses, you already have EMS E5 capabilities for those users. However, M365 E5 is a much broader (and more expensive) bundle covering voice, analytics (Power BI), compliance, etc. CIOs should be cautious not to conflate M365 E5 with EMS E5 – in our context, we only care about the EMS portion. Suppose you are considering an upgrade to the full M365 E5 primarily for the security features. In that case, opting for the EMS E5 standalone or the Security add-on (below) might be more cost-effective than paying for the entire M365 E5 package that includes many non-security extras. Bottom line: Use the M365 E5 bundle route only if you truly need those other components (like Power BI, Audio Conferencing, etc.), otherwise, consider a more focused licensing strategy for security.
- E5 Security Add-On (for Microsoft 365 E3 users): Microsoft offers an M365 E5 Security add-on SKU that essentially packages EMS E5 features for users already licensed on M365 E3 or Office 365 E3. This add-on includes Entra ID P2, Defender for Endpoint P2, Defender for Cloud Apps, Defender for Identity, plus Defender for Office 365 Plan 2 (advanced email protection). In other words, it’s like EMS E5 plus the top-tier Office 365 security. This can be a compelling option if you have an E3 environment and want to enhance security without upgrading everything to E5. For instance, a global firm on M365 E3 could purchase the E5 Security add-on for their high-risk users, instantly providing the full EMS E5 toolset (and better email security) to those accounts. The add-on is priced lower than a full M365 E5 license, making it a targeted way to boost security. However, remember this add-on isn’t the same as standalone EMS E5 – it’s tied to users who already have E3, and it brings in one Office security component (Defender for O365). Still, it’s a licensing strategy that sources the EMS E5 capabilities selectively.
- Mixing EMS E3 and E5 Across Users: Not every employee in your enterprise needs EMS E5. A common strategy is a tiered licensing model: for example, keep 70% of users on EMS E3 (or even no EMS at all, if their roles are very basic), and allocate EMS E5 only to the 30% who handle privileged systems, sensitive data, or elevated risk profiles. Microsoft’s licensing is per-user, so you can assign different licenses to different users in the same tenant. For instance, your IT administrators, security team, and senior execs might get EMS E5 (because they benefit from PIM, advanced threat protection, etc.), while regular knowledge workers get EMS E3. This approach ensures you pay for the expensive E5 licenses only where they deliver clear value. Different enterprise environments will have different criteria – some might base it on the department (e.g., finance and R&D get E5, other departments get E3), others on geography or business unit risk (e.g., a subsidiary with less critical operations might not need E5). The key is to align EMS E5 with user needs and risk, not simply job title or seniority. A licensing structure that maps to your internal risk assessment will be far more cost-efficient.
- Per-User Versus Shared Scenarios: Be mindful that EMS E5 licensing is user-based, not device-based. In environments like factories or retail, where multiple staff might share a single device/login, you might not need E5 for each individual if they aren’t uniquely authenticated. Instead, you might use alternate licensing (like kiosk or F-series licenses with limited EMS rights) for those shared scenarios. In contrast, in knowledge worker environments where each person has a digital identity, you must license each person who benefits from the security features. Always ensure that a license covers any user leveraging an EMS E5 feature (even indirectly) – Microsoft compliance rules require this. For example, a conditional access policy can use a tenant-wide EMS E5 signal such as sign-in risk; strictly speaking, every user covered by that policy should then hold an Entra ID P2 license. A structured approach might be to create separate security policies for E5-licensed users vs. others, so you remain compliant and cost-effective.
- Enterprise Agreement (EA) Considerations: If you license through an EA, you have additional flexibility with “step-up” licenses and true-ups. A Step-up allows you to upgrade specific users from EMS E3 to E5 mid-term by paying a pro-rated difference rather than buying a whole new license outright. This is useful if you decide mid-year that 100 more users need EMS E5 – you can step them up for the remainder of the term. At your EA renewal, you can adjust quantities or the mix of E3/E5. In contrast, Cloud Solution Provider (CSP) or monthly subscriptions allow month-to-month adjustments of license counts, which can prevent overspending on unused licenses but might have higher per-unit costs. Structuring your EMS E5 deployment also means structuring your contract: ensure it allows the agility to scale E5 coverage up or down as your needs evolve. Sourcing leaders should negotiate provisions for flexibility (within reason) so that you’re not locked into paying for unused E5 seats for multiple years if your strategy shifts.
In summary, design your EMS E5 licensing like a portfolio: allocate the premium security where needed most and use more basic licensing or add-ons for the rest. Microsoft’s bundle can deliver value, but it’s up to you to structure it optimally within your enterprise environment.
Use Cases and Deployment Considerations for EMS E5
Adopting EMS E5 is not just a licensing decision – it’s a technical endeavour that should align with your organization’s security and mobility strategy. Below are real-world use cases where EMS E5 shines, along with key deployment considerations:
1. Zero Trust Security Implementation:
Many organizations embrace Zero Trust principles, and EMS E5 provides critical building blocks for that journey. Use case: A financial services firm needs to ensure that only compliant, secure devices and verified identities access sensitive customer data. EMS E5 enables this via Entra ID P2’s Conditional Access policies (e.g., requiring MFA and device compliance based on risk scores) and Intune’s device compliance enforcement.
Deployment considerations: You’ll need to integrate Intune with your identity policies, ensure all devices are enrolled or registered, and tune the risk-based policies in Entra ID so they don’t disrupt legitimate users. Rolling out phases (e.g., a pilot with the IT department, then high-risk groups, then a broader workforce) is wise to minimize business impact. Ensure you have a plan to handle users falling foul of new rules (like a process for users to quickly remediate a blocked sign-in flagged by Identity Protection).
2. Protecting Privileged Accounts and Admin Access:
A common use case for EMS E5 is to lock down admin credentials and other high-privilege accounts. For example, an enterprise with a hybrid AD environment might use Privileged Identity Management (PIM) to enforce just-in-time admin access for its Azure admins and Defender for Identity to monitor on-prem AD domain admins for suspicious activities.
Deployment considerations: PIM deployment requires defining approval workflows and educating your IT admins on new processes (they will have to request elevation for certain tasks). Defender for Identity (Azure ATP sensor) requires installation on domain controllers and tuning to reduce false positives.
Getting buy-in from your IT security team to monitor and respond to the alerts these systems generate is critical – technology alone doesn’t solve the problem without process. This use case delivers high value (preventing breaches via stolen admin credentials or insider abuse) but needs careful coordination between security and IT operations teams.
3. Cloud Application Governance and Shadow IT Control:
Organizations moving to cloud services often face “Shadow IT” – employees using unsanctioned cloud apps. EMS E5’s Defender for Cloud Apps addresses this by discovering cloud app usage through log collectors and API integrations. This lets you set policies (e.g., block downloads from risky apps and require session monitoring for certain services).
Use case: A multinational consulting firm wants visibility into which SaaS applications employees have adopted beyond the official IT toolkit to mitigate data leakage risks. After enabling Cloud App Security, they discovered hundreds of cloud apps in use and were able to consolidate and block risky services.
Deployment considerations: Cloud App Security deployment means tapping into logs (from firewalls, secure web gateways, or using Microsoft Defender on endpoints to collect app telemetry).
It also requires defining governance policies – e.g., what makes an app “allowed” or “denied” in your environment. Involving your network security team and business application owners is important so that beneficial cloud tools aren’t inadvertently blocked. Expect a period of observation (letting the CASB monitor and report) before you enforce hard policies. Also, prepare end-user communications if you will start blocking apps or applying access conditions.
4. Data Protection in a Regulated Industry:
Consider a healthcare company dealing with patient data: they must prevent data leakage and ensure sensitive information is encrypted. EMS E5’s AIP P2 (now under Purview Information Protection) allows automatic encryption and labelling of files containing patient IDs or health records.
Use case: The company uses EMS E5 to automatically detect when a document contains a Social Security Number or diagnosis code and then label it as “Confidential – Patient Data,” which encrypts the file.
Deployment considerations: Implementing this requires building a classification schema and a labelling policy set. It’s a project that involves compliance officers and data governance teams, not just IT.
They must identify what patterns or keywords denote sensitive data and configure those in the AIP scanner or client. User training is crucial so employees understand the new labels on their emails and documents. Moreover, you’ll want to integrate AIP with Defender for Cloud Apps and Exchange to catch sensitive info before it’s shared externally.
This use case can significantly reduce breach risks or compliance violations. Still, it demands cross-functional effort and possibly a pilot program to refine the accuracy of automatic classification (to avoid over-encrypting harmless content or missing real sensitive data).
5. Consolidating Point Solutions into EMS E5:
Many enterprises approach EMS E5 after realizing they can streamline their security toolset. For example, rather than paying for a third-party mobile device management solution, a separate identity MFA product, and a standalone CASB, they consider using the tools in EMS E5 to cover those needs under one umbrella.
Use case: A manufacturing company was using Okta for SSO, MobileIron for device management, and Netskope for CASB – each incurring separate costs. By moving to EMS E5, they aimed to use Entra ID P2 in place of Okta, Intune in place of MobileIron, and Defender for Cloud Apps instead of Netskope.
Deployment considerations: such a consolidation requires careful migration planning.
IT teams must gain expertise in the Microsoft equivalents and possibly run the old and new systems in parallel during the transition. There might be feature gaps, e.g., does Entra ID P2 meet all of Okta’s needs? You must verify and potentially adjust processes.
Microsoft’s tight integration among EMS components can be a big advantage (e.g., unified reporting in the Security Center), but switching tools can disrupt users (for instance, enrolling devices into Intune from another MDM requires user action or a deployment script). In the long run, this use case can yield significant cost savings and simpler management, but only if the organization commits to fully adopting the EMS E5 toolset and retiring the redundant solutions.
Across these use cases, a recurring theme is planning and phased deployment. EMS E5 brings powerful capabilities, but they are not “plug-and-play” for most enterprises. CIOs should ensure that for each EMS E5 feature being rolled out, there’s adequate project planning, stakeholder buy-in, and resources (people or partners) to manage it.
It’s wise to prioritize use cases – for example, start with identity and device security (as those are foundational), then expand to cloud app security and data protection. Also, consider Microsoft’s FastTrack services or partner programs to assist with deployment.
Leveraging available setup assistance can accelerate time-to-value, but we don’t recommend relying blindly on the vendor’s guidance; be sure the advice aligns with your goals, not just Microsoft’s desire to turn everything on.
Lastly, be mindful of user impact and change management. Security improvements often introduce new prompts or restrictions for users (like MFA challenges or blocked apps). Invest in user education and get leadership support for these changes.
The full value of EMS E5 is realized not just by technically enabling features but by achieving organizational adoption of those features.
Common Pitfalls and How to Avoid Unnecessary Spend
Implementing EMS E5 can deliver big security gains, but many organizations fall into similar traps that erode the value or inflate the cost.
Below are common pitfalls, along with strategies to avoid them:
- Blanket Licensing Everyone with E5: Perhaps the number one budget killer is indiscriminately upgrading all users to EMS E5 “just in case” they need it. This often results in paying for far more licenses than utilized (remember the shelfware statistics – nearly half of E5 licenses in some enterprises sit idle). Avoidance: Take a data-driven approach. Before purchasing or renewing EMS E5, analyze your user base and segment users by role/risk. If 40% of your staff never touches sensitive data or admin systems, they likely can thrive with EMS E3. Use EMS E5 for the users who truly benefit. By rightsizing license assignments upfront, one company avoided an estimated 25% of unnecessary spending by only provisioning E5 to high-impact roles. If you’re already in an “E5 for all” situation, it’s not too late – consider downgrading a portion to E3 at the next true-up or renewal (we’ll discuss how in the next section).
- Paying for Overlap with Other Tools: Another pitfall is not adjusting your other software when you adopt EMS E5. We’ve encountered firms that paid for EMS E5 yet continued to renew contracts for third-party solutions that offered similar functions (like separate MFA providers, legacy MDM systems, or standalone threat intelligence tools). This leads to double-paying for the same outcomes. Avoidance: Conduct a tool rationalization exercise for your EMS E5 strategy. List all your security and management tools in identity, device management, threat protection, cloud security, etc. Identify which ones have features that overlap with the EMS E5 components. Then, make a strategic choice: if the Microsoft solution meets your requirements, plan to phase out the redundant tool (and save cost). If the third-party tool is superior or required, reconsider whether you need the overlapping piece of EMS E5 or license fewer users for that component. For example, suppose you have a best-of-breed endpoint security agent that you prefer over Defender for Endpoint. In that case, you might not need to pay for EMS E5 for everyone, or only use EMS E5’s other features and accept some overlap on a small scale. The key is that paying for both should be a conscious decision, not an inadvertent one.
- Underestimating Deployment Effort (Leading to Low Adoption): Some organizations buy EMS E5 under a tight timeline (perhaps as part of a broader deal or a response to a security incident) but then fail to implement the features due to a lack of time or skills. The result: licenses burning money every month while the tools lie dormant. Avoidance: Treat EMS E5 deployment as a formal project with executive sponsorship. If you lack internal bandwidth, allocate a budget for deployment support (either Microsoft FastTrack or an independent consultant familiar with EMS). Set specific adoption targets – e.g., “Deploy Intune to 90% of devices by Q3” or “Classify 100% of SharePoint sites with sensitivity labels by year-end.” This creates accountability to activate what you’ve purchased. By actively using the features, you not only improve security (getting the ROI) but also justify the ongoing license cost. If, after an honest effort, you find adoption is still low, that’s a signal to rethink licensing levels (maybe you jumped to E5 too early).
- Ignoring Usage Analytics and Not Reclaiming Licenses: A basic but common oversight is failing to monitor license usage. Often, IT buys a block of EMS E5 seats and assigns them, but when users leave or change roles, the licenses remain assigned (or sit unassigned in the pool) without being trimmed. In a dynamic organization, this leads to paying for more subscriptions than needed. Avoidance: Implement a periodic (e.g., quarterly) license review process. Use the Microsoft 365 admin portal reports or a third-party tool to identify inactive E5 licenses (users who haven’t utilized any E5-specific features or accounts that are inactive). For unassigned licenses, check why you’re holding them – if they were meant for growth that didn’t happen, you might be able to reduce the count. Some enterprises set up an internal chargeback for licenses to business units, which quickly highlights when licenses aren’t being used (no one wants to pay for something not used). Even without chargeback, IT asset management practices should extend to cloud licenses. Reassign or remove licenses for departed employees promptly (and ensure HR offboarding includes notifying IT to free up those subscriptions). One analysis found organizations could cut 10–15% of their Microsoft 365 costs just by reclaiming and optimizing inactive licenses – EMS E5 is often a big part of that potential savings.
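The quarterly review described above can be scripted rather than done by hand in the admin portal. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, an account granted User.Read.All, AuditLog.Read.All and Organization.Read.All, that the tenant’s EMS E5 SKU part number is EMSPREMIUM (confirm with Get-MgSubscribedSku), and a 90-day inactivity threshold, which is an assumed policy value. It reports the unassigned pool for the SKU and classifies every assigned seat as Active, Inactive, NeverSignedIn or Disabled so that reclaim candidates can be reviewed.

```powershell
# Added example (not from the original article). Finds unassigned EMS E5 seats
# and assigned seats whose user is disabled or has not signed in recently.
# Assumes the Microsoft.Graph PowerShell SDK and the scopes requested below.
param(
    [string]$SkuPartNumber = "EMSPREMIUM",        # EMS E5; confirm with Get-MgSubscribedSku
    [int]$InactiveDays     = 90,                  # assumed review threshold
    [string]$ReportPath    = ".\ems-e5-review.csv"
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Organization.Read.All"

# 1. Purchased vs. consumed seats for the SKU (the unassigned pool).
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }

$purchased  = $sku.PrepaidUnits.Enabled
$assigned   = $sku.ConsumedUnits
$unassigned = $purchased - $assigned
Write-Host ("{0}: {1} purchased, {2} assigned, {3} unassigned" -f $SkuPartNumber, $purchased, $assigned, $unassigned)

# 2. Every user holding the SKU, with last sign-in (SignInActivity needs AuditLog.Read.All).
$cutoff  = (Get-Date).AddDays(-$InactiveDays)
$skuId   = [string]$sku.SkuId
$holders = Get-MgUser -All -Property "Id,DisplayName,UserPrincipalName,AccountEnabled,AssignedLicenses,SignInActivity" |
    Where-Object { ($_.AssignedLicenses | ForEach-Object { [string]$_.SkuId }) -contains $skuId }

# 3. Classify each holder; anything other than "Active" is a reclaim candidate.
$report = foreach ($u in $holders) {
    $last   = $u.SignInActivity.LastSignInDateTime
    $status = if (-not $u.AccountEnabled) { "Disabled" }
              elseif (-not $last)         { "NeverSignedIn" }
              elseif ($last -lt $cutoff)  { "Inactive" }
              else                        { "Active" }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        AccountEnabled    = $u.AccountEnabled
        LastSignIn        = $last
        Status            = $status
    }
}

# 4. Persist the detail for the review meeting and print a summary by status.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

A user who signs in but never touches an E5-only feature still shows as Active here; last sign-in is a coarse first filter, and the Entra ID, Defender and Purview usage reports are the place to confirm whether the E5-specific capabilities are actually exercised before a seat is downgraded rather than removed.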
- Auto-Renewing at Premium SKUs Without Review: Microsoft’s enterprise agreements and cloud subscriptions often auto-renew, and if you don’t actively review your needs, you might roll over an expensive set of EMS E5 licenses by default. Microsoft (and their resellers) won’t usually remind you to downgrade some users to E3 – that’s up to you. Avoidance: Treat every renewal as a checkpoint. Several months before your true-up or renewal, analyze the EMS E5 usage and determine if the allocation still makes sense. If not, plan the changes (downgrade or perhaps even upgrade if new needs arise) and negotiate accordingly. This proactive stance can also be a leverage point: if you find you’re under-utilizing EMS E5, you can approach Microsoft or your licensing provider and say, “We’re considering reducing our E5 count due to low usage – what can you offer to make it worthwhile to retain or expand?” This opens the door for potential concessions or creative licensing offers (e.g., extended trials for new features or flexibility to shuffle licenses) that can optimize your spending. Of course, approach this carefully; you don’t want to cut truly needed security coverage to save money. But you also don’t want to pay for premium features you aren’t using. An independent licensing advisor can be invaluable here – they can benchmark your deal and identify if you’re overspending relative to industry peers.
- Compliance and Audit Risks from Mis-licensing: A more subtle pitfall is trying to save money in ways that violate license rules – for example, only buying a few EMS E5 licenses and then enabling features for the whole organization. Microsoft’s licensing compliance checks (or audits) could flag this, potentially leading to penalties or a forced true-up. Avoidance: Make sure any cost-saving strategy is license-compliant. If you license only certain users with EMS E5, configure the EMS features (like conditional access, AIP label policies, or Defender for Cloud Apps policies) to apply only to those licensed users. This might mean scoping policies by group or using a phased deployment. It’s entirely fine (and smart) to have a mix of E3 and E5 users – be deliberate in your configuration so that you’re not inadvertently giving E5-level protections to users who don’t have that license. Microsoft documentation often spells out that an E5 feature can only be used by licensed users; follow those guidelines. By aligning your technical settings with your licensing, you avoid a situation where a Microsoft audit or compliance tool identifies a shortfall requiring back-pay of licenses (an unpleasant and costly surprise).
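The scoping advice in this item, and the per-user compliance point made earlier under licensing options, both come down to one check: the group that gates E5-only policies should contain only users who hold an E5-level SKU, and every E5 holder should be in that group. The script below is an added example, not the article’s or Microsoft’s code; it assumes the Microsoft.Graph PowerShell SDK, a hypothetical scoping group named SG-EMS-E5-Users, and that the SKUs conveying EMS E5 rights in the tenant are EMSPREMIUM (EMS E5), SPE_E5 (Microsoft 365 E5) and IDENTITY_THREAT_PROTECTION (the E5 Security add-on), which should be confirmed with Get-MgSubscribedSku. It also lists which Conditional Access policies are scoped to that group and flags policies that target all users, since those bypass the group entirely.

```powershell
# Added example (not from the original article). Checks that the group used to
# scope E5-only policies contains only E5-licensed users and that no E5 holder
# is left outside it. Assumes the Microsoft.Graph PowerShell SDK; the group name
# and the SKU list are assumptions to be confirmed in your tenant.
param(
    [string]$ScopeGroupName = "SG-EMS-E5-Users",   # hypothetical scoping group
    [string[]]$E5SkuPartNumbers = @("EMSPREMIUM", "SPE_E5", "IDENTITY_THREAT_PROTECTION")
)

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Organization.Read.All", "Policy.Read.All"

# Resolve which SKU ids in this tenant convey E5 rights.
$e5SkuIds = Get-MgSubscribedSku |
    Where-Object { $E5SkuPartNumbers -contains $_.SkuPartNumber } |
    ForEach-Object { [string]$_.SkuId }
if (-not $e5SkuIds) { throw "None of the expected E5 SKUs are present in this tenant." }

function Test-HasE5Sku {
    param($User)
    foreach ($lic in $User.AssignedLicenses) {
        if ($e5SkuIds -contains [string]$lic.SkuId) { return $true }
    }
    return $false
}

$group = Get-MgGroup -Filter "displayName eq '$ScopeGroupName'"
if (-not $group) { throw "Group '$ScopeGroupName' not found." }

# Members of the scoping group, re-read as users so AssignedLicenses is populated
# (this reflects both direct and group-based license assignment).
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property "Id,UserPrincipalName,AssignedLicenses" }

# Finding 1: in scope but unlicensed - the policy applies, but no E5 license backs it.
$unlicensedInScope = @($members | Where-Object { -not (Test-HasE5Sku $_) })

# Finding 2: licensed but out of scope - paid-for protection is not being applied.
$memberIds = @($members.Id)
$licensedOutOfScope = @(Get-MgUser -All -Property "Id,UserPrincipalName,AssignedLicenses" |
    Where-Object { (Test-HasE5Sku $_) -and ($memberIds -notcontains $_.Id) })

# Which Conditional Access policies actually scope to this group, and which
# target every user (those bypass the group and deserve a separate review).
$allPolicies    = Get-MgIdentityConditionalAccessPolicy -All
$scopedPolicies = $allPolicies | Where-Object { $_.Conditions.Users.IncludeGroups -contains $group.Id }
$allUserPolicies = $allPolicies | Where-Object { $_.Conditions.Users.IncludeUsers -contains "All" }

"Policies scoped to '$ScopeGroupName':"
$scopedPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
"Policies targeting all users (check whether they rely on E5-only signals):"
$allUserPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
"In scope without an E5 SKU ({0}):" -f $unlicensedInScope.Count
$unlicensedInScope | Select-Object UserPrincipalName | Format-Table -AutoSize
"E5 SKU holders outside the scope group ({0}):" -f $licensedOutOfScope.Count
$licensedOutOfScope | Select-Object UserPrincipalName | Format-Table -AutoSize
```

Conditional Access is only one of the places an E5 feature is scoped; sensitivity label policies in Purview and Defender for Cloud Apps policies have their own group targeting, so the same membership check should be repeated against whatever group each of those policies is published to.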
By sidestepping these pitfalls, you save money and ensure your EMS E5 investment drives meaningful security outcomes. To summarize, right-size your licenses, eliminate redundancy, actively manage usage, and enforce compliance with license terms.
In combination, these practices turn EMS E5 from a potential budget buster into a high-ROI security enabler.
Strategic Bundling and Downgrade Scenarios (EMS E3 + Add-ons)
There’s often more than one way to get the functionality you need when it comes to Microsoft licensing. EMS E5 can be achieved via different combinations of bundles and add-ons.
Here, we explore strategic approaches like using EMS E3 with selective add-ons, as well as how to downgrade from E5 if needed, without sacrificing key features:
Bundling vs. À La Carte: Microsoft prices its bundles (like EMS E5) to be attractive if you need multiple components, but not so much if you only want one piece. For instance, EMS E5 includes Azure AD P2, Azure Information Protection P2, Defender for Identity, and Defender for Cloud Apps. If you tried to buy each of those separately (à la carte) for a user, the total cost would far exceed the single EMS E5 price. Analyses by licensing advisors have shown that purchasing the full EMS E5 bundle can be 50%+ cheaper than buying its components individually, but only if you require most of them. The strategy here is: don’t buy the whole buffet if you only want a couple of dishes. Conversely, the bundle is your friend if you want a full plate of security features.
Consider a scenario: You absolutely need Azure AD Premium P2 for advanced identity for all 1,000 users in your company, but you don’t currently plan to use Cloud App Security, AIP P2, or Defender for Identity. Azure AD P2 standalone (Entra ID P2) costs around $9 per user. EMS E5 is about $15. If you only care about that one feature, buying P2 alone saves you $6 per user/month, which is significant at scale. You could stick with EMS E3 + the P2 add-on for those users and skip EMS E5. Microsoft allows mixing these: you could assign an Azure AD P2 standalone license to an EMS E3 user to effectively give them “almost E5” capabilities in identity without paying for the full E5.
Common Add-On Building Blocks: Aside from Azure AD P2, Microsoft sells other EMS components standalone:
- Defender for Cloud Apps can be purchased as a separate Cloud App Security subscription.
- Azure Information Protection P2 can also be a standalone add-on.
- Defender for Identity (Azure ATP) can also be licensed per user, though often, it’s done at the enterprise level for AD coverage.
- Defender for Endpoint P2 can be bought per user or device outside of EMS (e.g., as part of Microsoft 365 E5 Security or a standalone SKU).
Using these, you can craft a solution like “EMS E3 + selected add-ons” instead of EMS E5 for everyone:
- Example 1 (Selective P2 for Privileged Users): A company keeps all employees on EMS E3 but buys 100 Azure AD P2 licenses for their administrators and high-risk users. Those 100 users now have the benefit of risk-based conditional access and PIM. They decided the other EMS E5 features weren’t necessary for the rest of the workforce, so they avoided E5 licenses for 900 users who wouldn’t use them. This targeted approach saves money while still covering critical accounts with extra security.
- Example 2 (Cloud App Security for Specific Roles): Suppose only the IT security team and compliance officers need access to Defender for Cloud Apps (to monitor shadow IT and apply policies), and perhaps only a subset of users are allowed to use certain cloud apps. The organization might license 200 users with standalone Cloud App Security (or the full EMS E5 for those 200 if they also need other features) and leave everyone else on EMS E3. This way, they’re not paying for CASB for employees who never use unsanctioned apps or only work on-prem.
- Example 3 (E5 for a Temporary Project): Another twist on the bundling strategy is using short-term licenses for transient needs. If you have a six-month project where a team needs EMS E5 (perhaps to protect a batch of sensitive data being shared with a partner), you could use CSP licensing to add EMS E5 just for those users for the project’s duration, then remove it later. This avoids long-term commitment and aligns costs to the period of value. It’s more of an operational tactic but underscores the flexibility of mixing license durations and types.
Downgrade Scenarios: What if you already have EMS E5 for many users and realize you’re over-licensed? It’s common to consider downgrading some users to EMS E3 + add-ons without losing too much.
Here’s how to approach it:
- Identify Critical E5-Only Features: First, list the features you would lose by dropping a user from E5 to E3. For example, Entra ID P2, CASB, etc. Then ask if this specific user uses or needs those. If not, that user is a prime candidate to downgrade to E3. If yes, can that feature be supplied via an add-on instead? For instance, if the only thing an E5 user needs is AIP P2 (for auto-classification), but they don’t use Cloud App Security or Identity Protection, you could give them an EMS E3 + AIP P2 add-on. That would cover their need at a lower cost.
- Partial Downgrade via E5 Security Add-on: If you originally had full Microsoft 365 E5 licenses for everyone, another option is to evaluate moving some users to M365 E3 + the E5 Security add-on. The difference is subtle but potentially cost-saving: M365 E5 includes Office, Windows, and EMS at E5 levels. M365 E3 + Security add-on gives Office and Windows at E3 (cheaper) while bumping the security part to E5. Organizations have saved money by dropping things like phone systems or Power BI for users who didn’t need them (by moving from M365 E5 to E3), yet kept the E5 security features via the add-on. One caveat: the E5 Security add-on covers the identity and Defender components, but not the information protection pieces (AIP P2), which sit in the separate E5 Compliance add-on, so check which E5 features your users actually rely on before assuming the add-on is a like-for-like swap. This is more relevant if you were on the full Microsoft 365 E5 bundle; the concept is to un-bundle what you don’t need.
- Staged Downgrade with Monitoring: If you are hesitant to drop licenses, consider a phased approach: downgrade a small pilot group of users to EMS E3 and see if there’s any negative impact on security or productivity. Monitor helpdesk tickets or security incidents for a period. If there’s no material difference, that validates a broader downgrade. If issues arise (e.g., “user X can’t do Y anymore” and that Y was an EMS E5 feature they relied on), you’ve found an exception to keep on E5. This cautious approach helps convince stakeholders that you can save costs safely.
Negotiating Bundles Wisely:
Microsoft loves to bundle, and sales reps may push for enterprise-wide adoption of E5. Stay clear-eyed on the value. Sometimes bundling does make sense – for example, if you foresee needing most of the EMS E5 components shortly, it’s simpler and often cheaper to go E5 now rather than piecemeal adding one by one (which could add up cost and administrative complexity).
Bundling also has intangible benefits: integrated features and a unified support channel. But don’t be afraid to push back on bundle pricing. An independent licensing expert (such as Redress Compliance or similar) can analyze your specific use case and tell you if a proposed bundle saves money or if it’s bundling “shelfware” you won’t use.
They might advise something like “EMS E3 for 80% of your users, EMS E5 for 20%, plus buy two standalone licenses for feature X instead of E5 for everyone” – a combination that Microsoft’s standard sales approach might not volunteer.
In summary, strategic bundling is about getting maximum functionality for a minimum cost, tailored to your organization’s use. Downgrading is the flip side – shedding unnecessary premium licenses while maintaining needed capabilities through other means. The best licensing strategy will often involve a blend: a core of EMS E5, where justified, surrounded by EMS E3 and select add-ons to cover edge cases, all aligned to actual usage patterns.
How to Evaluate Usage and ROI of EMS E5
It’s crucial to continually ask: Are we getting value from EMS E5 commensurate with its cost? To answer that, CIOs and sourcing leaders need to evaluate feature usage and the return on investment (ROI) regarding security outcomes and cost savings.
Here’s how to approach it:
Measuring Feature Usage: Start by establishing metrics for each major EMS E5 component:
- Azure AD P2 Usage: Track how many risky sign-in attempts are detected and automatically remediated by Identity Protection each month. How many admins use Privileged Identity Management (e.g., number of weekly PIM elevation requests)? Also check coverage: what percentage of your users fall under a risk-based conditional access policy? Plain MFA and conditional access are P1 features included in EMS E3, so MFA coverage alone does not evidence P2 value; the risk-based policies and PIM do.
- Defender for Endpoint: Review your security operations reports – how many endpoint incidents are being caught by Defender that might have been missed before? Have all your devices been onboarded to the service? You can get reports on device onboarding status and active EDR alerts. If you have 1000 licenses but only 600 devices onboarded, that’s a gap to address.
- Defender for Cloud Apps: Look at the Cloud App Discovery dashboard. How many apps is it identifying, and how many policy alerts are generated? Is the security team actively reviewing those? If, after 6 months, your CASB shows zero policies and no governance actions, you’re not using it fully.
- Defender for Identity: Check the alerts for on-prem AD threats. Are you catching any lateral movement attempts or risky behaviour? Even an absence of alerts can be meaningful (maybe you have a very safe environment, or the tool isn’t fully deployed on all domain controllers).
- Azure Information Protection P2: Track the labeling activity. For instance, what fraction of documents or emails get a sensitivity label now? Are automatic classification rules executing (you can often get stats on how many items were labeled by a policy). Also, inspect if users are actually using the labels – low label counts might mean the feature has not yet been adopted.
Microsoft’s admin portals (Entra admin center, Microsoft Defender portal, Microsoft Purview compliance portal, Intune reports) provide much of this data.
You might consolidate the key metrics into a monthly EMS E5 usage dashboard for your leadership: e.g., “EMS E5 Feature Adoption: MFA usage 98%, Devices protected 85%, Labeled documents 10k/month, Cloud apps discovered 250, etc.” This quantifies the utilization.
Qualitative Usage Assessment: Beyond raw numbers, talk to the teams involved:
- Are security analysts leveraging the Defender alerts or still relying on other tools?
- Do administrators feel PIM has improved their workflow, or is it causing friction (and are they using it or finding workarounds)?
- Are employees aware of the new sensitivity labels or policies? Their awareness indicates whether the training and communication around these features have been effective.
This qualitative feedback can highlight whether a feature is delivering intangible benefits or is lying fallow due to user resistance or lack of knowledge.
Calculating ROI: ROI for security investments can be tricky, but we can look at it from a few angles:
- Reduction in Other Costs: One straightforward ROI element is cost avoidance from retiring other software. If EMS E5 allows you to eliminate a third-party CASB subscription or an MFA product, tally up those savings. For example, if you were paying $5/user for a CASB and $3 for an MDM solution, EMS E5 now covers $8/user. Subtract that from EMS E5’s cost to see net new spend vs. value. Many organizations find that consolidating into EMS E5 yields a net-neutral or even net-positive financial impact when factoring in the retirement of duplicative tools.
- Security Incident Reduction: This is more qualitative but important. Have you seen a drop in security incidents (or their severity) since enabling EMS E5 features? For instance, if Identity Protection is blocking 50 high-risk sign-in attempts per month that might have led to breaches, what is the value of avoiding those breaches? While it’s hard to put a precise dollar value on prevented incidents, you can use industry data (e.g., the average cost of a data breach or an account takeover event) to create a rough estimate of risk reduction value. In many cases, preventing one serious breach can justify a year’s worth of EMS E5 spend.
- Productivity Gains: EMS E5 can also improve IT efficiency. For example, using Intune to remotely manage devices could reduce manual IT work or improve onboarding/offboarding time for employees. PIM might reduce the risk of privilege misuse and streamline admin access auditing. If you have data on how long it took to provision a laptop or set up a user with VPN, and now Intune automates it, you could quantify labour hours saved. Similarly, an integrated security ecosystem might mean fewer consoles for your analysts, freeing them to focus on actual threats.
- Compliance and Audit Benefits: If your organization is subject to regulatory requirements, EMS E5 features like data encryption, audit logging enhancements, and compliance reporting can save money in compliance audits or avoid fines. For instance, demonstrating to auditors that you have AIP and DLP protecting personal data might reduce audit findings (which otherwise could lead to costly remediation projects or penalties). While this is not an immediate ROI in dollars, risk avoidance has value.
Tooling for Monitoring ROI:
Tools designed for cloud license management (like CoreView, Quadrotech, or Microsoft’s own Power BI adoption content packs) can slice usage data in more depth than the standard portals.
For example, CoreView’s analysis (cited earlier) can identify unused licenses and assign a dollar value to that waste. Running such reports quarterly can show trends, e.g., “unused EMS E5 licenses decreased from 30% to 10% after our optimization initiative,” which you can then translate into dollars saved.
Adjusting Course Based on Findings:
The ultimate point of evaluating usage and ROI is to inform decisions. If your analysis shows that Defender for Cloud Apps is barely used, you have a few options: invest in that area (train the team, get a pilot to use it better) or consider dropping that component’s license for some users in the next cycle. If ROI looks weak (maybe because you haven’t had any notable security incidents – which is good!), you might still decide to keep EMS E5 as insurance.
But you could also use a low-incident record to negotiate better pricing (“We haven’t had a breach in 2 years; maybe we don’t need all of this unless we get a more favourable price”). On the other hand, if ROI is strong (incidents stopped, tools well used), that justifies further investment and perhaps expansion of EMS E5 to more users who could benefit.
A savvy CIO will share key ROI and usage data with stakeholders like the CFO or procurement team to demonstrate prudent use of budget or to make a case for adjustments. Remember, ROI isn’t static – revisit these metrics as your organization grows or threat landscapes change.
You might find new value in a feature you hadn’t used before (e.g., suddenly needing Cloud App Security because of a surge in SaaS adoption) or discover that some tool’s value is diminishing (perhaps a new business direction makes a feature less relevant). Continuous evaluation ensures EMS E5 licensing remains aligned with the delivered business value.
Recommendations: What CIOs and Sourcing Leaders Should Do Now
1. Perform a Comprehensive License Audit:
Immediately assess your current EMS E5 footprint. Inventory how many EMS E5 licenses you have, who they’re assigned to, and how actively those users utilize the features.
This audit should identify any obvious “low-hanging fruit”, such as unassigned licenses or users who haven’t touched an EMS E5 feature in months. If you discover, for example, 500 EMS E5 licenses assigned but only 300 appear active, flag this for action.
Use available reporting tools to support the data (e.g., Microsoft 365 usage analytics or scripts to check user activity in Azure AD, Intune, etc.). This quantitative baseline is critical for making informed decisions.
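As an added example that is not part of the original advisory, the following Microsoft Graph PowerShell script produces the two quantitative baselines this step and the usage-metrics section above call for: purchased versus assigned EMS E5 seats, assigned seats whose users have not signed in recently, and a count of Identity Protection risk detections as one P2 usage metric. It assumes the Microsoft.Graph modules are installed, that the caller can consent to the listed scopes, and that 'EMSPREMIUM' is the SkuPartNumber of EMS E5 in your tenant (confirm with Get-MgSubscribedSku); the 90-day inactivity threshold is illustrative.

```powershell
# Added example, not part of the original advisory: EMS E5 seat audit with Microsoft Graph PowerShell.
# Assumptions (verify in your tenant): the Microsoft.Graph modules are installed, the caller can consent
# to the listed scopes, and 'EMSPREMIUM' is the SkuPartNumber of EMS E5 (list them with Get-MgSubscribedSku).
# The 90-day inactivity threshold is illustrative.
param(
    [string]$SkuPartNumber = 'EMSPREMIUM',
    [int]$InactiveDays = 90,
    [string]$ReportPath = '.\ems-e5-audit.csv'
)

Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All', 'AuditLog.Read.All', 'IdentityRiskEvent.Read.All' -NoWelcome

# 1. Purchased vs. assigned seats. Anything unassigned is paid for and delivers nothing.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant; check Get-MgSubscribedSku." }
$purchased  = $sku.PrepaidUnits.Enabled
$unassigned = $purchased - $sku.ConsumedUnits
Write-Host ("{0}: {1} purchased, {2} assigned, {3} unassigned" -f $SkuPartNumber, $purchased, $sku.ConsumedUnits, $unassigned)

# 2. Assigned-but-idle seats. signInActivity requires AuditLog.Read.All and an Entra ID P1/P2 tenant
#    (both EMS E3 and E5 include that); it is empty for users who have never signed in.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$users  = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,assignedLicenses,signInActivity'

$report = foreach ($u in $users) {
    if (@($u.AssignedLicenses.SkuId) -notcontains $sku.SkuId) { continue }
    $last   = $u.SignInActivity.LastSignInDateTime
    $status = if (-not $u.AccountEnabled) { 'DisabledAccount' }
              elseif (-not $last)         { 'NeverSignedIn' }
              elseif ($last -lt $cutoff)  { 'Inactive' }
              else                        { 'Active' }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        LastSignIn        = $last
        Status            = $status
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Seat status for $SkuPartNumber (details in $ReportPath):"
$report | Group-Object Status | Sort-Object Name | Format-Table Name, Count -AutoSize

# 3. One Identity Protection usage metric: risk detections in the last 30 days, by risk level.
#    Detections are filtered client-side after retrieval, so no server-side filter syntax is assumed.
$since      = (Get-Date).AddDays(-30)
$detections = @(Get-MgRiskDetection -All | Where-Object { $_.DetectedDateTime -ge $since })
Write-Host ("Identity Protection risk detections in the last 30 days: {0}" -f $detections.Count)
$detections | Group-Object RiskLevel | Format-Table Name, Count -AutoSize
```

The DisabledAccount and NeverSignedIn rows are the low-hanging fruit the text describes; the Inactive rows need a conversation with the business before you act, since a user who has not signed in for 90 days may be on leave rather than gone. Run the script quarterly and keep the CSVs so the trend (for example, unassigned seats falling after a clean-up) can be shown to leadership.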
2. Align Licenses with User Profiles:
Develop a clear segmentation of user groups based on security needs. For each segment (e.g., IT admins, knowledge workers, frontline workers, external collaborators), decide what level of EMS capabilities they truly require.
Right-size your license allocations by moving lower-need groups to EMS E3 (with or without selective add-ons) and reserving EMS E5 for the high-need groups. You might create a matrix of roles vs. required features as a concrete step. If a role doesn’t tick at least a couple of EMS E5 feature boxes, that role probably doesn’t justify a full E5 license.
Plan a transition for any changes – e.g., if 200 users will downgrade to E3, schedule that in coordination with IT to adjust any policies (so those users don’t lose access to something unexpectedly).
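As an added example that is not part of the original advisory, this Microsoft Graph PowerShell script performs the scheduled downgrade for a pilot group in the way a practitioner would want: it replaces EMS E5 with EMS E3 (plus any add-on you specify) in a single license operation per user, so no one is ever momentarily unlicensed, and it refuses to touch users whose E5 comes from group-based licensing, because that has to be changed at the licensing group. It assumes 'EMSPREMIUM' is EMS E5 and 'EMS' is EMS E3 in your tenant's Get-MgSubscribedSku output, that the pilot group already exists, and that any add-on part numbers you pass are ones you own.

```powershell
# Added example, not part of the original advisory: move a pilot group from EMS E5 to EMS E3 (plus any
# add-ons) in one license operation per user, so no user is ever momentarily unlicensed.
# Assumptions (verify in your tenant): 'EMSPREMIUM' is EMS E5 and 'EMS' is EMS E3 in Get-MgSubscribedSku,
# the pilot group already exists, and any add-on part numbers passed in are ones you own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$PilotGroupId,
    [string]$FromSku = 'EMSPREMIUM',
    [string]$ToSku = 'EMS',
    [string[]]$AddOnSkus = @()   # e.g. a standalone AIP P2 part number, if that is the one E5 feature the pilot still needs
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All', 'GroupMember.Read.All' -NoWelcome

$tenantSkus = Get-MgSubscribedSku
function Resolve-SkuId([string]$PartNumber) {
    $s = $tenantSkus | Where-Object { $_.SkuPartNumber -eq $PartNumber }
    if (-not $s) { throw "SKU '$PartNumber' is not in this tenant; check Get-MgSubscribedSku." }
    return $s.SkuId
}

$fromId = Resolve-SkuId $FromSku
$adds   = @(@($ToSku) + $AddOnSkus | ForEach-Object { @{ SkuId = (Resolve-SkuId $_) } })

foreach ($m in (Get-MgGroupMember -GroupId $PilotGroupId -All)) {
    # Nested groups and service principals can be members too; only users carry licenses.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,licenseAssignmentStates'
    $states = @($u.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $fromId })
    if ($states.Count -eq 0) {
        Write-Host "$($u.UserPrincipalName): no $FromSku assigned, skipping"
        continue
    }

    # Group-based assignments cannot be removed per user; they must be fixed at the licensing group.
    $viaGroup = $states | Where-Object { $_.AssignedByGroup }
    if ($viaGroup) {
        Write-Warning "$($u.UserPrincipalName): $FromSku is inherited from group $($viaGroup.AssignedByGroup); change that group's membership instead"
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Replace $FromSku with $ToSku $($AddOnSkus -join ' ')")) {
        # Add and remove in the same call so the user never drops to zero licenses between steps.
        Set-MgUserLicense -UserId $u.Id -AddLicenses $adds -RemoveLicenses @($fromId) | Out-Null
        Write-Host "$($u.UserPrincipalName): $FromSku -> $ToSku $($AddOnSkus -join ' ')"
    }
}
```

Run it first with -WhatIf to see exactly which users would change and which are blocked by group-based licensing. Before the real run, review any Conditional Access policies that use sign-in-risk or user-risk conditions and any PIM eligible assignments held by these users, since both depend on Entra ID P2 and will stop applying to them once it is removed; that review is the policy adjustment the transition plan refers to. Then monitor the pilot for the period described in the staged-downgrade step before widening the scope.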
3. Maximize Deployment of Purchased Features:
For the EMS E5 licenses you maintain, ensure you fully leverage them. Identify any EMS E5 features not yet deployed or fully adopted in your organization and prioritize a rollout plan.
For instance, if you own Cloud App Security but haven’t activated it, set a project in motion to implement it in the next quarter. If Intune is only managing mobile devices but not laptops, consider expanding its scope to replace legacy group policies or third-party PC management tools. Essentially, turn on what you’re paying for – or if you consciously choose not to use a feature, question if you should be paying for it at all.
This might involve training internal IT staff on the new tool capabilities or bringing in specialists to accelerate configuration. It may also require internal advocacy: get buy-in from business units to adopt classification labels or MFA policies with EMS E5 by communicating the security benefits and offering support.
4. Evaluate Cost-Optimization Scenarios:
Run the numbers on different licensing scenarios using the data from your audit and alignment exercise. For example, what is the annual cost difference if you went 50% EMS E5 and 50% EMS E3 + add-ons versus 100% EMS E5? Quantify potential savings. Also, consider the upcoming renewal: are there loyalty discounts or concessions you can negotiate if you stay on E5 for key users?
Conversely, what leverage does that give you in price negotiations if you threaten to drop a portion of licenses? Build a business case for any proposed changes – CIOs should be ready to show CFOs the projected savings (or justify why keeping certain expensive licenses is worthwhile in risk terms).
This exercise often reveals a 15-30% cost reduction opportunity. Prioritize the options that save money without unacceptable risk trade-offs. If some savings scenario saves a lot but leaves a security gap, see if that gap can be filled in another way or if it’s not worth the trade-off.
5. Engage Independent Licensing Expertise:
Consult an independent licensing advisor (such as Redress Compliance or similar firms) to review your Microsoft agreements and EMS E5 usage. These experts can validate your internal findings, offer insights from industry benchmarks, and assist in crafting a negotiation strategy with Microsoft or your reseller.
They can often spot nuances, like a conditional clause in your EA that could be leveraged or a non-obvious combination of licenses that Microsoft’s sales team might not propose but could yield savings. Importantly, independent advisors have no incentive to upsell you Microsoft products; their goal is to optimize your licensing and compliance.
Engaging them before you make major changes or enter renewal talks can strengthen your position and ensure you don’t overlook any hidden costs or benefits. Even if you have a procurement team, these advisors’ specialized knowledge of Microsoft’s complex licensing can be invaluable for this specific task.
6. Negotiate and Communicate with Microsoft Proactively:
With data and a plan, proactively approach Microsoft (or your licensing provider). If renewal is on the horizon, start discussing your desire to optimize EMS E5 licensing early. Be transparent that you are evaluating downgrades or alternative solutions – this often opens the door for Microsoft to propose creative solutions (they would rather keep you on some form of their licenses than lose you entirely).
For instance, Microsoft might offer a promotional period for an E5 Security add-on or advisory support to help you deploy underused features (they’d rather see you use what you bought than cancel it). However, remain cautious of offers that expand your Microsoft footprint without clear value – keep the focus on cost-effective security improvement.
Any commitments from Microsoft should be in writing, ideally as amendments to your agreement. And if you do negotiate a reduction or a new mix of licenses, clarify any true-up or true-down rights for the future to maintain flexibility. Drive the conversation based on your identified needs and usage, not on a generic upsell script.
7. Implement Ongoing Governance for License Management:
Don’t treat this as a one-time optimization and then forget about it. Establish ongoing governance to continuously manage EMS (and overall Microsoft) licensing.
Assign an owner (or committee) responsible for quarterly usage reviews, tracking new feature releases (Microsoft might add new capabilities to EMS E5—evaluate if they change the value equation), and coordinating between IT and sourcing on license needs. This governance should also monitor organizational changes: mergers, divestitures, new hires, or layoffs can all impact license requirements.
A process to adjust licenses in tandem with such changes will prevent the creep of unused licenses. Additionally, integrate license considerations into your IT change management – e.g., if a new project wants to use a certain EMS E5 feature, make sure they budget the necessary licenses; if a project is decommissioning a system, see if related licenses can be dropped.
By instilling an ongoing discipline, you ensure that the hard-won optimizations stay in place and your EMS E5 investment continues to be right-sized.
8. Strengthen Internal Awareness and Training:
Lastly, recognize that maximizing EMS E5’s value is not just an IT or procurement issue – it’s an organization-wide effort. Educate relevant stakeholders about what tools are available with EMS E5. Often, business units might procure a third-party app not realizing a similar feature exists in your Microsoft suite.
Improving awareness of EMS E5 capabilities among your architects and application owners encourages internal adoption and discourages redundant spending. Likewise, provide training and support to end-users for any user-facing features (like Azure Information Protection labels or the Authenticator app for MFA) – higher user adoption directly correlates with better ROI.
When employees understand why certain security measures are in place (and how to use them properly), the organization benefits and encounters less resistance, making the most of your licensing spend.
In conclusion, CIOs and sourcing leaders should take a proactive, data-informed approach: audit current use, optimize license allocation, fully deploy purchased tools, and continuously govern the environment.
When aligned with a smart licensing strategy, Microsoft EMS E5 is a powerful suite that can significantly boost enterprise security without breaking the budget. Now is the time to ensure your EMS E5 licensing is a strategic asset rather than a cost liability.