Microsoft 365 Licensing Decision Builder: Business Premium, E3, E5 or Add-ons?

Introduction

Most licensing mistakes do not happen because someone ignored Microsoft 365. They happen because someone bought a licence for one feature and only later discovered the missing dependency. An IT admin buys E3 for Intune and Conditional Access, then discovers that risk-based Conditional Access requires Entra ID P2, which is not in E3. A compliance officer requests sensitivity labels, gets them in E3, then learns that auto-labelling policies require E5 or a Purview add-on. A security team deploys Defender for Endpoint P1 through E3, then realises that automated investigation and response needs P2, which is only included in E5.

These are not edge cases. They are the normal pattern. Microsoft 365 licensing is a dependency tree, and the product names do not make the dependencies obvious. "Microsoft 365 E3" and "Microsoft 365 E5" sound like versions of the same product, where E5 is simply "more." In practice, the gap between E3 and E5 is not linear. It is a set of specific capabilities, each with its own operational requirements, and whether you need them depends entirely on what you are trying to do.

This guide does not try to reproduce Microsoft's feature comparison pages. Those already exist. Instead, it gives you a decision framework. It helps you map your requirements to licensing directions, identify hidden dependencies before they become budget surprises, and avoid the two most common outcomes: paying for features you never operate, or discovering a critical gap three months after signing a renewal.

The guide is structured to support different reading patterns. If you need a quick answer, jump straight to the interactive builder. If you are preparing a licensing proposal, use the comparison table, feature matrix, and persona cards. If you are conducting a licensing review, the "What good looks like" checklist and common mistakes section will help you identify gaps. And if you are saving this as a PDF for a project, the entire guide is formatted for clean printing.

Licensing disclaimer

What this guide helps you decide

Microsoft 365 licensing decisions are not one decision. They are a connected set of choices that affect security, compliance, cost, and user experience. This guide helps you work through each of them:

• When Business Premium is enough and when you are stretching it beyond its design point
• When E3 makes sense as a base licence and what add-ons you should expect to need
• When E5 is justified vs. when it is being purchased for one feature that could be an add-on
• When add-ons are more cost-effective than upgrading the entire base licence
• How to map personas to licences so different user types get what they need without over-provisioning
• How to assess Copilot readiness from a licensing and governance perspective
• How to identify over-licensing (paying for features you do not use) and under-licensing (missing features you need)
• Which feature dependencies are not obvious from the product names alone

Before you start

Before making any licensing decision, work through this pre-flight checklist. Licensing choices made without this context almost always need to be revisited. The cost of a wrong decision is not just the licence fee; it is the disruption of changing licences mid-contract, the security gaps that exist until the right licence is in place, and the time spent explaining to stakeholders why the budget needs to change.

I treat this checklist as non-negotiable. In every licensing review I have conducted, at least one item on this list uncovers a gap that would have led to a wrong decision. The most common one is "inventory current licences." I cannot count the number of times an organisation has requested a quote for a capability they already own but have never enabled.

• Identify your user personas. Standard users, frontline workers, executives, privileged admins, SecOps analysts, compliance officers, developers, shared device users, external collaborators. Each persona may need a different licence or add-on combination.
• Document device management needs. Which devices need management? Windows, macOS, iOS, Android? Company-owned, BYOD, shared? Do you need Autopilot? Endpoint security policies? App protection without enrolment?
• Define identity and access requirements. MFA only, Conditional Access, risk-based CA, PIM, access reviews, identity governance? Each step up has a different licensing threshold.
• Clarify compliance requirements. Retention policies, sensitivity labels, DLP, eDiscovery, audit logging, insider risk management, communication compliance, records management? Compliance features span a wide range of licence tiers.
• Assess email and threat protection needs. Basic Exchange Online Protection, Defender for Office 365 P1, P2? Safe Attachments, Safe Links, automated investigation? Threat protection is one of the most common reasons to move from E3 to E5 or add-ons.
• Determine Copilot plans. Not planned, planning, ready to buy, or already using? Copilot can be licensed with eligible base plans, but governance readiness (SharePoint permissions, sensitivity labels, DLP, oversharing remediation) should come before broad rollout.
• Count frontline vs. standard vs. privileged users. Frontline workers may use F1/F3 licences. Privileged admins may need E5 features even if standard users do not. Do not force every user into the same licence.
• Inventory current licences and unused features. Before buying more, check what you already have. Microsoft 365 admin centre licence usage reports show which features are assigned but not used. You may already own what you need.
• Identify required add-ons. Some features are only available as add-ons regardless of base licence (Teams Premium, Copilot, certain Purview capabilities). List these separately from base licence decisions.
• Confirm tenant size and Business plan limits. Business plans (Business Basic, Standard, Premium) have a user limit. Validate the current limit against Microsoft documentation. If you are approaching or exceeding it, Enterprise plans become necessary regardless of feature needs.
• Review regulatory requirements. Industry regulations (GDPR, HIPAA, SOX, NIS2) may mandate specific compliance or audit capabilities that are only available in E5 or Purview add-ons. Start with regulatory requirements, not product features.
• Check your renewal date. Licence changes mid-term may have different pricing or availability than at renewal. Plan licensing reviews at least 90 days before renewal.
• Validate against Product Terms. After you have a direction, validate the specifics against the Microsoft Product Terms and your agreement type. This guide gives you the framework; the Product Terms give you the binding details.

Interactive Licensing Decision Builder

Use this tool to get a recommended licensing direction for a specific scenario. Select your organisation size, user persona, primary need, and the specific requirements across endpoint management, identity, security, compliance, Copilot, and budget strategy. The recommendation updates automatically as you change any input.

The builder evaluates your selections against a practical decision engine based on real-world deployment experience. It accounts for feature dependencies, licence tier thresholds, and common over/under-licensing patterns. The output is a starting direction, not a purchase order. Always validate the recommendation against current Microsoft Product Terms.

Licence families explained simply

Microsoft 365 has dozens of SKUs, but they fall into a handful of families. Understanding the families helps you navigate the naming without memorising every product. Here is each family with what it is actually for and the most common misunderstanding.

Business plans

Enterprise plans

Security and identity add-ons

Compliance, collaboration, and AI add-ons

Understanding the naming convention

Microsoft's product naming creates confusion because similar-sounding products have fundamentally different inclusions. Here is a quick decoder:

• "Office 365" vs "Microsoft 365": Office 365 plans provide productivity services only (Exchange, SharePoint, Teams, Office apps). Microsoft 365 plans bundle Office 365 + Windows Enterprise + EMS (Intune, Entra ID). If you see "Office 365 E3" vs "Microsoft 365 E3," the Microsoft 365 version includes significantly more.
• "Business" vs "Enterprise": Business plans have a user count limit and are designed for SMBs. Enterprise plans have no user limit and include additional features (larger mailboxes, more storage, additional compliance capabilities). The feature gap between Business Premium and E3 is narrower than most people think.
• "P1" vs "P2": Within both Entra ID and Defender products, P1 is the standard tier and P2 is the advanced tier. P1 features are generally included in lower-cost plans. P2 features are generally reserved for E5 or available as add-ons.
• "Defender for" [Product]: Each Defender product protects a different surface. The name after "for" tells you what it protects: Office 365 (email), Endpoint (devices), Identity (on-prem AD), Cloud Apps (SaaS). They are not interchangeable.
• "Purview": The umbrella brand for compliance, data governance, and information protection capabilities. Purview includes capabilities from what used to be called Azure Information Protection, Microsoft Information Protection, Compliance Manager, and others.

Business Premium vs E3 vs E5

This is the comparison most organisations need. The differences are practical, not just feature-list items. Each licence represents a different level of security, compliance, and management capability, and each comes with different operational requirements.

The table below is structured to help you compare across eight dimensions. Read it column by column to understand each licence's profile, or row by row to compare a specific aspect across all four options. The "E3 + Add-ons" column is included because it represents the most common real-world alternative to buying E5 outright.

Business Premium to Enterprise transition

Many organisations start on Business Premium and eventually need to transition to Enterprise plans. This transition is usually triggered by one of three things: exceeding the Business plan user limit, needing Entra ID P2 features (PIM, risk-based CA), or needing advanced compliance capabilities. When this transition happens, plan for the following:

• Licence swap, not upgrade. Business Premium and Microsoft 365 E3 are separate licence families. You remove Business Premium and assign E3 (or E5). This is not a simple "upgrade" button.
• Mailbox size change. Business Premium typically provides a 50 GB primary mailbox. E3/E5 typically provide a 100 GB primary mailbox. Validate current Exchange Online limits and archive behaviour against service descriptions before planning migrations. The transition will not shrink mailboxes, but plan communication if users rely on auto-expanding archives.
• Defender product change. Business Premium includes Defender for Business. E3 includes Defender for Endpoint P1. E5 includes Defender for Endpoint P2. These are different products with different portals and policy structures. You may need to reconfigure endpoint security policies.
• Feature parity gaps. Business Premium includes Defender for Office 365 P1. E3 does NOT include Defender for Office 365. If you transition from Business Premium to E3 without adding Defender for Office 365, you will lose email threat protection. This is the most commonly missed gap in Business Premium to E3 transitions.

Feature decision matrix

This matrix maps specific needs to the minimum licence direction. Use it to identify which features drive your licence tier and where add-ons fill gaps. The "Notes" column highlights dependencies and common pitfalls that are not obvious from the feature name alone.

Read the matrix row by row for each feature you need. If multiple rows point to E5, count them. If three or more features require E5 or E5-level add-ons, compare the add-on cost against E5. The matrix is intentionally structured so you can quickly identify your licensing "ceiling" by scanning the rows relevant to your requirements.

Persona-based licensing model

Not every user needs the same licence. Persona-based licensing matches licence tiers to actual job requirements, which reduces cost without creating security gaps. The personas below cover the most common patterns. Your organisation may have variations, but these are a practical starting point.

Persona mapping summary

Use this table as a quick reference when mapping your organisation's personas to licence tiers. The "typical count" column helps estimate the licensing mix for budgeting purposes.

Security licensing decisions

Security features are the most common driver for licence upgrades. The challenge is that security capabilities build on each other, and the dependencies are not always obvious. MFA is available broadly, but Conditional Access requires Entra ID P1. Conditional Access is powerful, but risk-based CA requires P2. Each level unlocks capabilities that the previous level cannot replicate.

The key question is not "what security features exist?" but "what security capabilities does our organisation have the maturity to operate?" Buying a feature you cannot staff, configure, and monitor is not a security improvement. It is a false sense of security.

This section maps the most common security decisions to licensing tiers. For each decision, the table below shows the minimum licence direction, common add-on paths, and practical notes from real deployments. Use this alongside the interactive builder to identify which security features drive your licensing tier.

The Defender product family clarified

One of the most confusing aspects of Microsoft 365 security licensing is the Defender product family. There are five distinct Defender products, each protecting a different surface, each with different licensing. They share a name but are operationally separate products with separate consoles, separate alert queues, and separate configuration.

The unified experience across all Defender products is called Defender XDR (Extended Detection and Response). It provides a single incident queue, cross-product correlation, and automated investigation across all surfaces. To get the full XDR experience, you need all four Defender products active (Office 365, Endpoint, Identity, Cloud Apps), which is why E5 is the simplest path to XDR. Assembling it from individual add-ons is possible but complex and often more expensive.

Intune and endpoint licensing

Intune licensing is one of the more straightforward areas of Microsoft 365 licensing because Intune is included in several base plans. The complexity comes from understanding what "Intune" actually covers in each plan and when you need additional capabilities.

When Business Premium is enough for endpoint management

Business Premium includes full Intune capabilities for organisations within the Business plan user limit. This means device enrolment, compliance policies, configuration profiles, app deployment, app protection policies, Autopilot, and security baselines. For most SMBs, Business Premium covers every endpoint management scenario they will encounter.

When E3 is needed

E3 is needed when you exceed the Business plan user limit or need Enterprise-specific features like Windows Enterprise (including Windows Autopatch), advanced Group Policy replacement scenarios, or Enterprise-tier information protection. The Intune capabilities in E3 are functionally equivalent to those in Business Premium for core device management.

When standalone Intune makes sense

Standalone Intune is useful when you have an Office 365 plan (not Microsoft 365) and need device management, or when you are using a non-Microsoft productivity suite but need endpoint management. It is also used in specific scenarios where only device management is needed without the full M365 stack.

Intune add-on capabilities

Beyond the base Intune capabilities included in Business Premium and M365 E3/E5, Microsoft offers additional Intune add-on capabilities for advanced scenarios. These are separate from the base Intune licence and provide features such as advanced endpoint analytics, remote help, tunnel for mobile application management, and specialised device management scenarios. The availability and naming of these add-ons evolves; validate current offerings against Microsoft documentation.

BYOD and app protection licensing

App protection policies (MAM without enrolment) are one of the most cost-effective security features in Microsoft 365. They protect corporate data on personal devices without requiring full device management, which reduces both licensing cost and user friction. MAM is included in all Intune-including plans (Business Premium, M365 E3/E5, Intune standalone). For organisations with significant BYOD populations, MAM provides data protection without the overhead and privacy concerns of full device enrolment.

The key licensing consideration for BYOD is not Intune itself but the Conditional Access policy that enforces app protection. You need Entra ID P1 (included in Business Premium, E3, E5) to create a CA policy that requires an approved client app or app protection policy. Without CA, you can create app protection policies, but you cannot enforce them as a condition of access.

Compliance and Purview licensing

Compliance licensing is where the gap between E3 and E5 is most pronounced. E3 includes baseline compliance capabilities that satisfy basic requirements. But if your organisation faces regulatory obligations, legal discovery requirements, or data governance mandates, you will quickly find that E3 compliance features are necessary but not sufficient.

The Purview product family consolidates what used to be scattered across Azure Information Protection, Microsoft Information Protection, Compliance Manager, and several other brands. The licensing, however, remains spread across multiple tiers and add-ons.

The most important thing to understand about compliance licensing is the gap between "basic" and "advanced." E3 compliance capabilities handle common requirements: retention policies, manual sensitivity labels, basic DLP, standard audit, and eDiscovery Standard. These are sufficient for organisations without specific regulatory mandates. The moment you need auto-labelling, advanced DLP with endpoint coverage, eDiscovery Premium, advanced audit with long-term retention, insider risk management, or communication compliance, you move into E5 or Purview add-on territory. There is very little middle ground.

Compliance licensing by regulatory driver

Different regulations drive different compliance requirements. Here is a practical mapping of common regulatory frameworks to the Microsoft 365 compliance capabilities they typically require. This is not legal advice; work with your compliance and legal teams to determine exact requirements.

Copilot readiness and licensing

Copilot licensing is not only about buying the Copilot add-on. The add-on itself is straightforward: it requires an eligible base licence, and you assign it per user. What is not straightforward is the governance, permissions, and data readiness that Copilot demands. Copilot surfaces data based on user permissions. If your SharePoint permissions are over-shared, Copilot will surface content users should not see. If your data is not labelled, Copilot cannot respect sensitivity boundaries.

I have seen organisations buy Copilot licences for 200 users and then pause the rollout for three months while they fix SharePoint permissions. The licensing cost ran while governance was being remediated. The lesson is clear: do the governance work before the procurement. If your data is not ready, your Copilot deployment is not ready, regardless of what licence you hold.

Copilot readiness is a governance problem disguised as a licensing problem.

Copilot governance readiness checklist

Before purchasing or deploying Copilot licences, verify that these governance prerequisites are in place. Copilot will amplify whatever state your data is in. If your data is well-governed, Copilot is a productivity multiplier. If your data is poorly governed, Copilot is a data exposure risk.

• SharePoint permissions audited and remediated. Review site permissions, sharing links, and "Everyone except external users" access. Copilot surfaces content based on the user's permissions. Over-shared content will be surfaced to anyone with access.
• Sensitivity labels deployed and adopted. Sensitivity labels classify and protect content. Copilot respects sensitivity labels. Without them, Copilot cannot distinguish between public and confidential content.
• DLP policies active for sensitive data types. DLP prevents sensitive content from being shared inappropriately. Copilot respects DLP policies. Without them, Copilot could include sensitive data in responses or generated content.
• Retention policies configured. Copilot-generated content is subject to the same retention policies as other content. Ensure retention policies cover the locations where Copilot outputs will be stored.
• Validate update channel requirements. Copilot features have historically required Current Channel or Monthly Enterprise Channel for Microsoft 365 Apps. Channel support may have expanded; validate the current update channel requirements against Microsoft documentation before deployment to ensure Copilot features are available on your chosen channel.

Add-ons vs E5 decision

The "add-ons vs. E5" question comes up in almost every licensing review. There is no universal answer because it depends on how many E5-level features you need, for how many users, and whether you have the operational maturity to use them. Here is a decision table for common scenarios.

Step-up licences

Microsoft offers "step-up" licences that allow you to upgrade from one licence tier to a higher one by paying only the price difference. For example, if you have E3 and want to move to E5, a step-up licence covers the incremental cost rather than requiring you to buy E5 at full price. Step-up availability depends on your agreement type and licensing channel. Check with your licensing provider or Microsoft account team for current step-up options and pricing.

Step-up licences are particularly useful when you need to upgrade a subset of users (for example, moving your security team from E3 to E5) without disrupting the licensing of users who should stay on E3. They also simplify the transition because the step-up adds E5 features on top of the existing E3 assignment rather than requiring a remove-and-reassign process.

The hidden cost of complexity

There is a cost to mixed licensing that does not appear on the invoice: management complexity. Every additional SKU or add-on in your tenant is a SKU you need to track, assign correctly, verify at renewal, and support when something breaks. Three add-ons across four personas across two agreement types creates a matrix that no one fully understands six months later. When evaluating add-ons vs. E5, factor in the operational cost of managing a more complex licence portfolio, not just the per-user price difference.

Over-licensing and under-licensing warnings

Signs you are over-licensing

Signs you are under-licensing

Common licensing mistakes

These are mistakes I see repeatedly in real environments. Each one has a pattern: someone made a reasonable-sounding decision based on incomplete information, and the gap only became visible later. The fix for most of them is the same: map requirements to features before mapping features to SKUs.

I have listed these in rough order of frequency. The first three are the ones I see in almost every licensing review. The rest are common enough that they deserve explicit mention. If you recognise any of these in your own environment, you are not alone; they are practically universal.

1. Confusing Office 365 E3 with Microsoft 365 E3. These are different products. Office 365 E3 does not include Intune, Entra ID P1, or Windows Enterprise. Microsoft 365 E3 does. The "Microsoft 365" vs "Office 365" distinction is the most common naming confusion in M365 licensing.
2. Assuming E3 includes Defender for Office 365. It does not. Microsoft 365 E3 includes Exchange Online Protection (EOP) for basic email filtering, but Safe Attachments, Safe Links, and advanced anti-phishing policies require Defender for Office 365 P1 or P2, which are in Business Premium, E5, or as add-ons.
3. Buying E5 for everyone "just in case." E5 is valuable when you will operate its advanced features. For standard users who need email, Office apps, and basic security, E3 with targeted add-ons is usually more appropriate and significantly less expensive.
4. Accumulating E3 add-ons without comparing against E5. This is the inverse of the previous mistake. If you need Entra ID P2 + Defender for Endpoint P2 + Defender for Office 365 P2 + advanced audit + eDiscovery Premium, compare the total add-on cost against E5. Depending on agreement type, region and discounts, the add-on path may exceed E5 cost while adding management complexity.
5. Full E3/E5 licences for frontline workers. Frontline workers on shared devices using Teams and basic apps do not need full productivity licences. F1/F3 licences are designed for this scenario and cost significantly less.
6. Admin accounts on E3 without Entra ID P2. No P2 means no PIM, no risk-based CA, no Identity Protection, no access reviews. Admin accounts without these controls are a governance gap that auditors and attackers both notice.
7. Staying on Business Premium past the user limit. Business plans have a user count limit. Organisations that grow past it need to transition to Enterprise plans. Validate the current limit against Microsoft documentation and plan the transition proactively.
8. Buying Intune standalone when E3 already includes it. Microsoft 365 E3 includes Intune. Purchasing Intune standalone on top of M365 E3 is paying twice for the same capability. Always check what your existing licences include before buying add-ons.
9. Ignoring licence usage reports. Microsoft 365 admin centre provides licence usage reports that show which features are assigned but not used. If you are not reviewing these quarterly, you are probably paying for capabilities that sit idle.
10. Deploying Copilot without governance readiness. Copilot surfaces data based on user permissions. If SharePoint is over-shared, sensitivity labels are not deployed, and DLP is not configured, Copilot can surface data users should not see. Governance readiness is not a technical prerequisite for Copilot licensing, but deploying Copilot without it creates operational and security risk.
11. Assuming sensitivity labels auto-apply works in E3. Manual sensitivity labels are available in E3. Auto-labelling policies (which apply labels automatically based on content) require E5 or Purview add-ons. This catches people who plan a label strategy around auto-labelling and then discover they need a licence upgrade.
12. Not licensing guests for Conditional Access. CA policies targeting guest users require appropriate licensing. The guest licensing model depends on the features being applied. Validate guest licensing requirements against current Microsoft documentation to avoid policies that do not enforce as expected.
13. Treating all Defender products as the same thing. Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps are separate products with separate licensing. Buying one does not give you the others. Each protects a different surface.
14. Buying compliance licences without a compliance programme. eDiscovery Premium, insider risk management, and communication compliance are operational tools, not checkboxes. Without policies, processes, trained staff, and legal review, the licence is wasted and may even create legal exposure if partially deployed.
15. Assuming the licence alone provides security. A licence gives you access to a capability. It does not configure, deploy, monitor, or respond to that capability. Buying E5 and not configuring Defender, Purview, PIM, and Identity Protection gives you the cost of E5 with the security of a poorly configured E3.
16. Not reviewing licensing at renewal. Licensing needs change over time. New hires, role changes, new regulations, feature updates. A licence model that was right 12 months ago may not be right today. Review at least 90 days before renewal.
17. Assuming Business Premium and E3 are interchangeable. Business Premium includes Defender for Office 365 P1, which E3 does not. E3 includes Windows Enterprise and 100 GB mailboxes, which Business Premium does not. They are different products optimised for different organisation sizes. Switching between them is not a simple upgrade path.
18. Not accounting for tenant-wide vs. per-user features. Some features activate tenant-wide once any user has the licence. Others are strictly per-user. The licensing rules for features like DLP, audit log retention, and eDiscovery vary by capability and scope. For example, eDiscovery holds apply to specific custodians who need the licence. The exact licensing requirements for tenant-wide vs per-user enforcement are detailed in the Microsoft Product Terms and can differ by feature. Validate each compliance feature's licensing scope before assuming coverage applies to all users.
19. Mixing NCE and legacy agreement terms. New Commerce Experience (NCE) agreements have different commitment terms, pricing, and flexibility than legacy agreements. If you are still on a legacy agreement, the transition to NCE may change your cost structure. Understand the implications before your next renewal.

Field notes

Practical observations from real licensing reviews and deployments. These are the things that do not show up in Microsoft documentation but matter in practice.

Field notes are not theoretical advice. These are patterns I have seen across multiple organisations, industries, and tenant sizes. They represent the practical reality of licensing decisions, including the mistakes that are obvious in hindsight but invisible before deployment.

What good looks like

A mature Microsoft 365 licensing model is not the one with the most features. It is the one where every licence is justified, every feature is operated, and every gap is documented as an accepted risk. Here is what that looks like in practice.

I have audited licensing models that ranged from "everyone is on Business Basic and we hope for the best" to "everyone is on E5 and we use about 15% of what we pay for." Neither extreme is good. The organisations with the best licensing models share a common trait: they document their decisions, they review them regularly, and they treat licensing as an operational process rather than a one-time purchase event.

Use the checklist below to evaluate your own licensing model. If you can check every box, your licensing programme is in good shape. If you cannot, start with the unchecked items as your improvement roadmap.

• Personas are defined and mapped to licence tiers. Every user is assigned a persona (standard, frontline, admin, executive, etc.) and each persona has a documented licence tier with justification.
• No licence is assigned without a corresponding feature utilisation plan. If a user is on E5, there is documentation showing which E5 features they use and why E3 + add-ons would not suffice.
• Add-ons are tracked separately from base licences. A spreadsheet or CMDB entry shows which add-ons are assigned to which users, with cost, justification, and renewal date.
• Licence usage reports are reviewed quarterly. The Microsoft 365 admin centre usage reports are checked at least quarterly to identify unused features, inactive licences, and optimisation opportunities.
• Security features that are licensed are also configured and monitored. If you pay for Defender XDR, someone is monitoring the incidents. If you pay for PIM, admins are using just-in-time activation. Licences without operations are waste.
• Compliance features are backed by policies and processes. eDiscovery, insider risk, and communication compliance are not just enabled; they have documented policies, trained operators, and legal review.
• Licensing is reviewed 90 days before renewal. A formal review compares current licensing against current needs, persona changes, new requirements, and pricing updates.
• The licensing model is validated against Microsoft Product Terms. The organisation's licensing interpretation has been validated against official documentation. No licensing decision is based solely on blog articles, community posts, or vendor presentations.

Licensing review template

Use this template structure for your quarterly or annual licensing review. A structured review prevents the drift that happens when licences are purchased reactively and never reconciled.

Licensing decision workflow

If you follow one process from this guide, make it this one. This is the workflow I use for licensing reviews and new deployments:

1. Inventory current state. What licences do you have? What features are in use? What features are assigned but unused? Export usage reports from the Microsoft 365 admin centre.
2. Define personas. List every user type in your organisation. Standard users, frontline, admins, executives, shared devices, guests, service accounts. Count users in each persona.
3. Map requirements. For each persona, list the features they need: productivity, security, compliance, identity, endpoint management, Copilot. Be specific. "Advanced security" is not a requirement. "Defender for Office 365 P1 for email threat protection" is.
4. Identify the base licence. For each persona, determine the minimum licence tier that covers their requirements. Start low and escalate only when a specific feature forces you to a higher tier.
5. Identify add-ons. For features not included in the base licence, determine whether an add-on is available and cost-effective. Compare add-on total against the next licence tier up.
6. Run the break-even calculation. For personas with multiple add-ons, compare the total add-on cost against upgrading to the next tier. Factor in management complexity.
7. Build the proposal. Document: persona, user count, base licence, add-ons, total cost, justification, what is covered, what is not covered, accepted risks.
8. Validate against Product Terms. Before finalising, validate your licensing interpretation against the Microsoft Product Terms, service descriptions, and your licensing provider.
9. Test with pilot. Before deploying licence changes, test with a pilot group per persona to verify all services work correctly.
10. Schedule review. Set a calendar reminder for 90 days before renewal to repeat this process.

Save as PDF

Save this guide as a PDF for offline reference, licensing reviews, or project documentation. The PDF version includes all sections, the feature matrix, comparison tables, and persona cards. The interactive builder outputs will reflect the last selections you made before printing.