Microsoft Purview Licensing Guide 2026

Chapter 1 The Purview Licensing Hierarchy

Microsoft Purview compliance capabilities are delivered across three primary licensing tiers. Understanding the boundaries between tiers is the foundation of any Purview cost optimisation exercise.

M365 E3 includes the foundational Purview layer: manual sensitivity labelling, basic DLP for Exchange/SharePoint/OneDrive, eDiscovery Standard (basic search and export), Audit Standard (90-day log retention), and basic retention policies. This foundation is suitable for organisations with minimal regulatory compliance requirements and low litigation exposure.

The M365 E5 Compliance add-on (~$12/user/month on top of E3) unlocks the complete Purview suite: auto-labelling with trainable classifiers, endpoint and Teams DLP, eDiscovery Premium with predictive coding, Audit Premium (1-year retention), Insider Risk Management, and Communication Compliance. For organisations with compliance requirements but without full E5 Security needs, this add-on is the correct purchase — at $45/user/month less than full E5, the annual saving for a 1,000-user organisation is $540,000.

Full M365 E5 ($57/user/month) includes all E5 Compliance features plus the complete E5 Security suite (Defender for Endpoint, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, Microsoft Sentinel integration). Organisations that need both compliance and security capabilities at the E5 level should evaluate whether the full E5 bundle is more economical than separate E5 Compliance and E5 Security add-ons.

Chapter 2 Purview Information Protection Licensing

Information Protection licensing determines whether your data classification programme is manual or automated — and whether your compliance controls will satisfy regulatory assessors. The capability gap between E3 and E5 is not minor: it is the difference between a framework (E3 provides label creation and manual application) and an operational system (E5 provides auto-classification across the entire M365 data estate).

The critical E5-only capabilities in Information Protection are client-side and service-side auto-labelling, trainable classifiers for unstructured content detection, Exact Data Match for custom PII identification, and the on-premises AIP scanner for extending classification to file servers and SharePoint Server. For regulated industries — financial services, healthcare, legal, defence — these are not optional enhancements. They are the technical controls that regulators assess when evaluating GDPR Article 32 compliance, HIPAA safeguards, and data governance programme maturity.

The deployment investment is also real: auto-labelling policy design, classifier training, and scanner deployment for a 1,000-user organisation typically requires 4–8 months of programme execution. This deployment timeline has direct implications for EA negotiation — organisations that negotiate E5 Compliance without a deployment plan risk paying for capabilities they never activate.

For the complete analysis, see the Purview Information Protection Licensing guide.

Chapter 3 Purview DLP Licensing Tiers

The DLP coverage gap in M365 E3 is more significant than most organisations realise. E3 DLP covers Exchange Online, SharePoint Online, and OneDrive — the legacy workloads. It does not cover Teams (the primary modern communication channel), Windows endpoints (the primary device-level exfiltration vector), macOS endpoints, or third-party cloud applications via Defender for Cloud Apps.

Endpoint DLP — covering USB copy, clipboard, printing, browser upload, and restricted application access on managed Windows and macOS devices — requires E5 Compliance plus Intune device management. This combination closes the most dangerous data exfiltration channels for departing employees and disgruntled insiders. The operational dependency on Intune is frequently overlooked in E5 Compliance purchasing decisions.

One critical distinction: Defender for Cloud Apps DLP (which extends DLP policies to Box, Dropbox, Salesforce, and other connected apps) is NOT included in the E5 Compliance add-on. It requires full E5 or the E5 Security add-on. Organisations purchasing E5 Compliance expecting to cover third-party cloud applications will find this gap during deployment planning.

For the complete DLP tier analysis, see the Purview DLP Licensing Tiers guide.

Chapter 4 eDiscovery: Standard vs Premium

The ROI case for eDiscovery Premium is built on legal review cost avoidance. For organisations running more than two litigation matters per year, the combination of near-duplicate detection (15–30% volume reduction), email threading (40–60% volume reduction for email-heavy data sets), and predictive coding (reducing review population to 15–25% of total documents) consistently produces savings that exceed the annual cost of E5 Compliance licences for the entire user population.

The custodian management workflow — which provides the legal hold acknowledgement tracking and chain of custody documentation required under FRCP Rule 37(e) — is the compliance-critical capability that E3 eDiscovery Standard does not provide. For US-based organisations facing federal litigation, the defensibility gap between Standard and Premium is a legal risk management issue, not merely a cost efficiency question.

The eDiscovery Premium licensing model is custodian-based: licences are required for users whose data is collected, not for administrators running searches. This allows targeted licensing for active litigation without universal E5 Compliance deployment, though it requires ongoing tracking of which users are active custodians in open matters.

For the complete analysis, see the Purview eDiscovery Premium vs Standard guide.

Chapter 5 Insider Risk Management Licensing

IRM is the Purview capability with the largest gap between purchase rate and deployment rate. Purchased by 65% of E5 customers; actively deployed by under 35%. The primary barriers are legal/HR governance requirements (particularly EU works council consultation requirements), technical complexity (HR connector integration, Endpoint DLP dependency), and licensing misunderstanding (many organisations believe deploying a policy covering all employees is acceptable with only a fraction licensed).

The correct licensing rule: every user subject to an IRM policy must hold an E5 Compliance licence. Microsoft audits this during EA true-up reviews. The most cost-efficient IRM programme combines scoped policy deployment (covering high-risk populations only: departing employees, disciplinary review cases, privileged access users, executives) with appropriate licence counts for those populations — typically 15–30% of total headcount.

The Departing Employee policy template, activated via the HR data connector, provides the highest ROI of any IRM configuration. It automatically elevates monitoring at the moment of highest insider risk — when an employee has submitted a resignation — without requiring manual intervention by the security team.

For the complete analysis, see the Purview Insider Risk Management Licensing guide.

Chapter 6 Communication Compliance Licensing

Communication Compliance is an E5-exclusive capability with no E3 equivalent. For financial services organisations under FINRA Rule 3110, FCA SYSC 10A, or MiFID II, this is not a discretionary feature — it is a regulatory requirement. The correct licensing model is scope-based: apply E5 Compliance to regulated employees (registered representatives, research analysts, trading desk) and retain E3 for non-regulated staff, reducing the compliance licensing cost by 30–50% versus a universal E5 Compliance deployment.

The competitive landscape includes Proofpoint Supervision, Smarsh, Global Relay, and Actiance — all with longer track records with FINRA examination teams and deeper integration with non-Microsoft communication channels. The Microsoft advantage is native M365 integration (no data egress), inclusion in the E5 Compliance bundle, and materially lower per-seat cost when E5 Compliance is already deployed for other Purview capabilities.

For the complete analysis, see the Purview Communication Compliance Licensing guide.

Chapter 7 EA Negotiation Levers for Purview

Five EA negotiation levers consistently produce measurable outcomes in Purview compliance licensing negotiations.

Lever 1: E5 Compliance vs Full E5 Explicit Comparison. Produce a written cost comparison and present it to your Microsoft account team before any EA renewal involving compliance features. This prevents the default push toward full E5 upgrades at $45/user/month more than required for compliance-only buyers.

Lever 2: Scoped Deployment Commitment. Document the IRM and Communication Compliance programme design — specifying which user populations are in scope. This creates a justifiable mixed-licence EA and reduces audit exposure from policy/licence scope mismatches.

Lever 3: Competitive Displacement Documentation. Purview competes with Varonis, Symantec DLP, Proofpoint, Smarsh, and Relativity. Document competitive contract values and remaining terms. Microsoft has specific displacement programmes for Proofpoint and Smarsh that provide 10–18% additional E5 Compliance discounts for documented displacements.

Lever 4: Phased Deployment Commitment. Purview deployments take 4–8 months. Negotiate payment terms or licence counts that reflect the deployment timeline — avoid paying for the full compliance deployment from day one of the EA term.

Lever 5: Right-Size the Add-On. Not every user needs the full E5 Compliance add-on ($12/user/month). The E5 Information Protection and Governance add-on (~$4/user/month) covers Information Protection and Endpoint DLP but not IRM or Communication Compliance. For organisations with information protection requirements but no IRM/Communication Compliance need, this more targeted add-on can save $8/user/month.