In-Depth

Choosing Office 365 Plans: Licensing Compliance Pitfalls To Avoid

An analyst outlines some considerations when choosing Office 365 plans, and how to avoid possible licensing compliance issues.

• By Kurt Mackie
• 08/30/2018

It's perhaps useful to compare notes when making decisions about Office 365 software licensing, and a recent analyst presentation offered some pointers, with particular regard for staying compliant with Microsoft's complex licensing schemes.

Office 365 is a collection of products consisting of various components, ranging from the Office 365 ProPlus productivity suite to Exchange Online for e-mail, Skype for Business Online for communications, and SharePoint Online for collaboration and document sharing. The products are packaged and offered as F1, E1, E3 and E5 plans.

In a Wednesday online presentation, Rob Horwitz, CEO and research chair at analyst firm Directions on Microsoft, dissected the various product components and offered advice for organizations trying to make a purchasing decision. His presentation, "Office 365: E3 vs. E5," focused on comparing Microsoft's two upper-tier product plans.

Microsoft tends to sell suites within suites, Horwitz explained. For instance, the Microsoft 365 plans also contain Office 365 plans. In Office 365, the capabilities of the higher-tier plans act like supersets of the lower-tier plans. It's a sort of nested "Russian doll" packaging approach to selling software licensing. Horwitz joked that someone at Microsoft maybe has a Russian doll collection since it's such a favored approach. All of the Office 365 suites offer some cloud-based security and management features, but their components differ.

Office 365 E5 vs. E3
Horwitz explained the differences between the Office 365 E5 and E3 plans mostly by concentrating on the nine unique components that exist in the E5 plan. He noted that each of the nine components can be purchased on their own. However, if an organization finds they are buying two or three of the E5 components, then they might as well consider buying the E5 plan.

Perhaps the biggest caveat in Horwitz's presentation concerned the possible licensing pitfalls that organizations may face when they try to mix Office 365 plans. He noted that many organizations are going to be tempted to buy the E5 plans for some users, and the E3 or E1 plans for others. However, there can be issues when mixing them. Depending on the components used, organizations could end up being mis-licensed and possibly subject to Microsoft audits and unexpected higher costs. Horwitz made that point repeatedly throughout the talk as he described each of the features in the E5 plan.

"I hate to pop the bubble if you are moving to the cloud and thinking your license compliance issues will go away. No, it won't," Horwitz said.

E5 Plan Features
The nine features of the E5 plan, and their highest individual monthly prices (without discounts), were listed in the talk as follows:

• Office 365 Advanced Compliance: $8
• Office 365 Advanced Threat Protection: $2
• Office 365 Cloud App Security: $4
• Phone System: $8
• Power BI Pro: $10
• Audio Conferencing: $4
• Microsoft Stream Plan 2: $2
• Office 365 Threat Intelligence: $9
• MyAnalytics: $4

Office 365 Advanced Compliance: This feature is a grab-bag of regulatory compliance items to address governmental regulations. Office 365 Advanced Compliance has five feature areas. There's Advanced eDiscovery for assembling data for legal cases, Advanced Data Governance for document retention and deletion policies (Horwitz noted that without the E5 plan, the document retention policies in Office 365 are "pretty coarse"), Privileged Access Management for protection against rogue Office 365 administrators and compromised Office 365 admin accounts, Customer Key for Office 365 where the data is encrypted at rest but Microsoft provides the customer with a key and, lastly, Customer Lockbox, which allows customers to approve or reject Office 365 administrative requests by Microsoft for their account.

When using Office 365 Advanced Compliance, any user with data touched by an Office 365 compliance feature would require being licensed under the E5 plan, and that's likely everyone in an organization's Office 365 tenancy, Horwitz noted. If organizations mix their licensing plans, there are no built-in checks provided by Microsoft to determine that everyone is properly licensed. He added that Microsoft might not make an issue of such improper licensing right away, but it could later, especially if adoption becomes widespread.

Office 365 Advanced Threat Protection: This feature used to be called "Exchange Online Advanced Threat Protection." It's designed to protect against attachments with unknown malware. It opens attachments in sandboxes for testing, and if they are not considered malicious, it'll forward the attachments to end users.

Horwitz said that Office 365 Advanced Threat Protection is akin to an add-on layer. There are competing solutions out there, such as products from Proofpoint FireEye and SonicWall, he noted. Licensing compliance isn't built into Office 365 Advanced Threat Protection, so it doesn't check whether users are properly licensed. "However, the fact that you must explicitly provision users for the service gives you the ability to manage compliance on your own," he added. Horwitz described Office 365 Advanced Threat Protection as "a compelling feature" but it's possible to get something else from third parties.

Office 365 Cloud App Security: This feature is a cloud app security broker. It looks for suspicious activities and generates event logs for security events. It analyzes that info with other information, such as a list of risky IP addresses.

Horwitz said that one alternative to using Office 365 Cloud App Security is to use Microsoft Cloud App Security, which serves as a superset of Office 365 Cloud App Security. There also are "third-party" alternatives from Netskope, Symantec and McAfee, he noted. Everyone in your Office 365 tenancy will need a license to use Microsoft Cloud App Security, he added.

Phone System: This feature used to be called "Skype for Business PBX." It's a hosted private branch exchange service that works with Skype for Business Online and Microsoft Teams. Organizations will need to buy phone service from a local telco, as well. Fortunately, compliance is built into Phone System, so mixed Office 365 licensing is not an issue. Horwitz described Phone System as a compelling offering.

Power BI Pro: This data visualization feature pulls data from connectors and gateways, and manages user access to reports. Microsoft also offers Power BI Premium, which is a higher-performance implementation of Power BI Pro. Power BI Premium has a capacity-based licensing approach that permits users to view reports without requiring individual licenses, Horwitz noted.

Licensing compliance is built into Power BI Pro, but it doesn't afford access to the underlying data to refresh the reports. Horwitz suggested that organizations could get the capabilities of Power BI Pro less expensively by buying Power BI Premium instead.

Audio Conferencing: This feature enables Skype for Business and Teams meetings attendees to call in via traditional phone lines. Licensing compliance is built into this feature, but Horwitz clarified how that works:

Meeting attendees do not need to be licensed to use Audio Conferencing. The only people who need a license are users who schedule or host a dial-in meeting with Audio Conferencing enabled. And yes, the ability to schedule or host a dial-in meeting with Audio Conferencing enabled is gated based on the user's subscription level. So compliance is not an issue.

Horwitz commented that the value of Audio Conferencing is arguably low because you could buy it individually for individual meeting participants at $4 per user per month.

Microsoft Stream: Microsoft Stream is an enterprise video sharing service with in-video face recognition and the ability to search automatically generated transcripts. It has two plans. Microsoft did build licensing compliance into Stream, so it's not a concern to mix Office 365 plan levels.

Office 365 Threat Intelligence: Office 365 Threat Intelligence is similar to Cloud App Security, another Microsoft product offering. However, Office 365 Threat Intelligence seems to focus on a different set of security data that it gets from Exchange Online Protection, such as detonated e-mail payloads. Office 365 Threat Intelligence includes enhanced reporting and Internet investigation tools, but the tools seem ripe for consolidation, Horwitz noted. Anyone who has data analyzed in your tenancy must have a license to use Office 365 Threat Intelligence. Horwitz described the value of Office 365 Threat Intelligence as being "low, given [the] service's maturity."

MyAnalytics: This feature shows how workers spend their time with e-mail, meetings and other activities. Horwitz expressed skepticism as to the value of MyAnalytics, and noted that its use could entail privacy issues.

Horwitz's talk is expected to be available for viewing on-demand sometime next week. Directions on Microsoft is a Kirkland, Wash.-based independent research and consulting firm. Many of its analysts previously worked at Microsoft, including Horwitz.

In addition to its presentations, Directions on Microsoft publishes three roadmaps (on Enterprise Software, Office 365 and Azure) and Research Digests on Microsoft technologies, and provides advisory services. It also offers licensing publications and bootcamps, as well as help in negotiating Enterprise Agreement renewals.