Security "Bits"

Office 365 Security Licensing and Pricing - 2019 Edition

By Rich Campagna | January 7, 2019 at 4:54 AM

In late 2017, I wrote a post, Office 365 Security Licensing Demystified, to help clarify the dizzying array of cloud security licensing options available from Microsoft, and how those options compare in both price and functionality to the Bitglass Next-Gen Cloud Access Security Broker. Both vendors have continued to develop their offerings, adding new features and functions, so this comprehensive update reflects those changes over the past year.

A couple of points on how to use these tables:

  • The Overview table shows the addressable scope/use cases of the respective technologies - across both app support and enforcement capabilities (inline vs out-of-band). The Details table shows the details of available data protection capabilities that can be used within the addressable scope.
    • For example, if a solution doesn't support inline data protection, none of the data protection capabilities in the second table can be applied inline. 
  • The E3 and E5 options are base Office 365 enterprise license packages. Most organizations will opt for the E3 at least, since that is the first Office package that includes the traditional offline Office applications, so the table assumes E3 as the starting point. E5 includes all E3 functionality, as well as additional features.
  • All of the packages marked as "add-on" are in addition to the E3 or E5 package, and they build upon one another. For example, the EMS E3 includes CAS and some additional functionality. Add-ons can be bought with either the E3 or the E5 Office license.
  • All pricing is list pricing.
  • Links to Microsoft's description and pricing for each service have been included in the table for easy reference.

Takeaways from this update?

  • The shift away from a core group of major SaaS applications for most enterprises makes the Microsoft offering, which still only supports 7 applications, less and less relevant with each day that passes.
  • Microsoft has not dropped prices on any of its offerings, continuing to provide limited functionality at a very high price.
  • It remains as confusing as ever to purchase and deploy the Microsoft suite of products, with numerous packages available and many separate tools from which to configure and deploy their security offering.

Regardless, many enterprises will at least take a look at the Microsoft offerings, and hopefully this post can make that challenge at least a bit easier, though I would recommend skipping the whole exercise and heading straight for the Bitglass CASB:


|  | Bitglass | E3 | E5 | CAS Add-on | EMS E3 Add-on | EMS E5 Add-on |
|---|---|---|---|---|---|---|
| Price ($$$ / user / month) | From $7 | $20 | $35 | $3.50 | $8.74 | $14.80 [i] |
| App Support |  |  |  |  |  |  |
| O365 Support | Yes | Yes | Yes | Yes | Yes | Yes |
| Major SaaS Support | Yes | No | No | Yes [ii] | Yes [ii] | Yes [ii] |
| Other SaaS Support | Yes | No | No | No | No | No |
| IaaS Support | Yes | No | No | Limited [iii] | Limited [iii] | Limited |
| Custom App Support | Yes | No | No | No | No | No |
| Enforcement capabilities |  |  |  |  |  |  |
| Inline Data Protection on unmanaged devices | Yes | No | No | Limited [iv] | Limited [iv] | Limited [iv] |
| Inline data protection on managed devices | Yes | No | No | No | No | No |
| API out-of-band data protection in the cloud | Yes | No | Yes [v] | Yes | Yes | Yes |


| Identity | Bitglass | E3 | E5 | CAS | EMS E3 | EMS E5 |
|---|---|---|---|---|---|---|
| Single sign-on | Yes | No | No | No | Yes | Yes |
| Native Multifactor Authentication | Yes | No | No | No | Yes | Yes |
| Integrates with 3rd Party MFA | Yes | No | No | No | No | No |
| Auto-redirect | Yes | No | No | No | No | No |
| Contextual step-up auth | Yes | No | No | No | No [vi] | No [vi] |
| Credential compromise detection | Yes | No | No | No | No [vi] | Yes [vi] |
| IDaaS Integration | Yes | No | Yes | Yes [viii] | Yes [viii] | Yes [viii] |
| Premises AD integration | Yes | Yes | Yes | Yes | Yes | Yes |
| Mobile data protection |  |  |  |  |  |  |
| Data protection for managed devices | Yes | No | No | No | Yes [ix] | Yes [ix] |
| Agentless data protection for BYOD | Yes | No | No | No | No | No |
| Data protection |  |  |  |  |  |  |
| Basic DLP (Keyword, Regex only) | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced DLP (exact match, prox, occur, image, ML, etc) | Yes | No | No | No | No | No |
| DLP Actions (WM, Redact, Encrypt, etc) | Yes | No | No | No | No | No |
| Apply & Read Data Classification Labels | Yes | No [x] | No [x] | No | No [x] | Yes [x] |
| DRM | Yes | Yes [x] | Yes [x] | No | Yes [x] | Yes [x] |
| Access Control |  |  |  |  |  |  |
| Managed vs Unmanaged Device Detection | Yes | No | No | No | Yes [xi] | Yes [xi] |
| Allow/block session conditional access | Yes | No | No | Yes [xii] | Yes [xii] | Yes [xii] |
| Restricted app access via real-time controls | Yes | No | No | Limited [xiii] | Limited [xiii] | Limited [xiii] |
| IP address restrictions | Yes | No | No | No | Yes | Yes |
| Geo-fencing | Yes | No | No | No | No | No |
| In-cloud file encryption and data residency | Yes | No | No | No | No | No |
| Field encryption | Yes | No | No | No | No | No |
| BYOK key management | Yes | No | Limited [xiv] | No | No | No |
| Threat Protection |  |  |  |  |  |  |
| Known malware protection | Yes | Yes | Yes [xv] | No | No | Yes |
| Zero Day threat protection | Yes | No | Yes | No | No | No |
| Cloud Security Posture Management |  |  |  |  |  |  |
| Admin Portal Access Control | Yes | No | No | Yes | Yes | Yes |
| Service visibility and remediation | Yes | No | No | No | No | No |
| Data-at-rest DLP scanning | Yes | No | No | No | No | No |
| Data-at-rest encryption | Yes | No | No | No | No | No |
| Custom app in IaaS CASB | Yes | No | No | No | No | No |
| Audit level transaction logging | Yes | No | No | No | No | No |
| UEBA | Yes | No | No | No | No | No |
| Manual Shadow IT discovery | No | No | Yes | Yes | Yes | Yes |
| Automated Shadow IT discovery | Yes | No | No | No | No | No |
| Breach discovery | Yes | No | No | No | No | No |
| Integration & Architecture |  |  |  |  |  |  |
| Coexists w/Fwd Proxies (SWG) | Yes | Yes | Yes | Yes | Yes | Yes |
| ICAP w/prem DLP | Yes | No | No | No | No | No |
| SIEM integration | Yes | No | No | No | No | No |


[i] EMS E3, E5 available with all O365 enterprise levels
[ii] CAS, EMS E3, EMS E5 support 17 apps, including O365
[iii] CAS, EMS offer admin portal conditional access only, no CSPM or CASB functionality
[iv] CAS, EMS offer browser reverse proxy only; no Office 365 support
[v] E5 incl. CAS subset - O365 only, barebones feature set
[vi] EMS E3, E5 include Azure AD Premium P2 identity protection
[viii] CAS/EMS includes Azure AD and Okta connectors only
[ix] EMS E3, E5 include Intune MDM
[x] Azure Information Protection differs for O365 vs P1/P2 in EMS Suites
[xi] EMS E3, E5 detect domain joined Win, Intune MDM mgd devices, or certificates; Requires use of Azure AD
[xii] CAS, EMS restrict Activesync and all browser apps only
[xiii] CAS/EMS: Browser only, limited apps, DOES NOT SUPPORT Office365
[xiv] E5 Customer Key available for O365 only
[xv] E5, EMS E5 include Advanced Threat Protection

