Microsoft 365 Tenant-Level Services Licensing Guidance

For the purposes of this article, a tenant-level service is an online service that—when purchased for any user in the tenant (standalone or as part of Office 365 or Microsoft 365 plans)—is activated in part or in full for all users in the tenant. Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service.

Note

Some tenant services are not currently capable of limiting benefits to specific users. Efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption to your organization once targeting capabilities are available.

Azure Active Directory Identity Protection

Azure Active Directory Identity Protection (AADIP) is a feature of the Azure Active Directory Premium P2 plan that enables you to detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities, and investigate suspicious incidents and take appropriate action to resolve them.

Which users benefit from the service?

Licensed users of Enterprise Mobility + Security E5, Microsoft 365 E5, Microsoft 365 E5 Security, and Azure Active Directory Premium Plan 2 can benefit from AADIP.

How do users benefit from the service?

SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security provided by acting on vulnerabilities.

How is the service provisioned/deployed?

By default, AADIP features are enabled at the tenant level for all users within the tenant. For information on configuring AADIP, see Enabling Azure Active Directory Identity Protection.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope AADIP by assigning risk policies that define the risk level at which password resets are required and by allowing access for licensed users only. For instructions on how to scope AADIP deployments, see Configure the sign-in risk policy.

Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats.

Which users benefit from the service?

Licensed users of Enterprise Mobility + Security E5, Microsoft 365 E5, Microsoft 365 E5 Security, and Azure Advanced Threat Protection for Users can benefit from Azure ATP.

How do users benefit from the service?

SecOps analysts and security professionals benefit from the ability of Azure ATP to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit by having their data monitored by Azure ATP.

How is the service provisioned/deployed?

By default, Azure ATP features are enabled at the tenant level for all users within the tenant. For information on configuring Azure ATP, see Create your Azure ATP instance.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft does not commit to providing threat detection capabilities to users who are not licensed. Over time, license checks or targeted tooling will be added to Azure ATP to ensure Azure ATP functionality is applicable to licensed users only.

Azure Information Protection

Azure Information Protection (AIP) helps organizations discover, classify, label, and protect sensitive documents and emails. Admins can define rules and conditions to apply labels automatically, users can apply labels manually, or a combination of the two can be used—where users are given recommendations on applying labels.

Which users benefit from the service?

Licensed users of Microsoft 365 F1, Microsoft 365 E3, and AIP Plan 1 can benefit from AIP Plan 1. Licensed users of Microsoft 365 E5, Microsoft 365 E5 Compliance, and AIP Plan 2 can benefit from AIP Plan 2.

How do users benefit from the service?

The AIP scanner feature automatically classifies, labels, and protects files that reside in on-premises file repositories.

How is the service provisioned/deployed?

By default, AIP features are enabled at the tenant level for all users within the tenant. For information on configuring AIP policies for licensed users, see Activating Azure Rights Management.

How can the service be applied only to users in the tenant who are licensed for the service?

AIP feature policies (except the scanner feature) can be scoped to specific groups or users, and registry settings can be edited to prevent unlicensed users from running AIP classification or labeling features. For instructions on how to scope AIP deployments, see Configuring the Azure Information Protection policy.

For the AIP scanner feature, Microsoft does not commit to providing file classification, labeling, or protection capabilities to users who are not licensed. Over time, license checks or targeted tooling will be added to AIP to ensure the scanner feature is assignable to licensed users.

Office 365 Advanced Threat Protection

Advanced Threat Protection (ATP) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. It also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 Business, and Office 365 ATP Plans 1 and 2 can benefit from ATP.

How do users benefit from the service?

ATP protects users from sophisticated attacks such as phishing and zero-day malware. For the full list of services provided in Plan 1 and Plan 2, see Office 365 Advanced Threat Protection.

How is the service provisioned/deployed?

By default, ATP features are enabled at the tenant level for all users within the tenant. For information on configuring ATP policies for licensed users, see Office 365 Advanced Threat Protection.

How can the service be applied only to users in the tenant who are licensed for the service?

To scope ATP, follow the Safe Links and Safe Attachments deployment policies:

Office 365 Cloud App Security

Office 365 Cloud App Security (OCAS) is a subset of Microsoft Cloud App Security, with features limited to Office 365 and without additional security for third-party cloud apps and IaaS services.

OCAS gives organizations visibility into their productivity cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across Office 365.

To compare features, see Differences between Microsoft Cloud App Security and Office 365 Cloud App Security.

Which users benefit from the service?

Licensed users of Office 365 E5 can benefit from OCAS.

For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How do users benefit from the service?

OCAS discovers Shadow IT, provides threat protection across Office 365, and can control which apps have permission to access Office 365 data.

How is the service provisioned/deployed?

By default, OCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring the service, see Basic setup for Cloud App Security.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope OCAS deployments to enforce how certain apps are accessed and limit user groups monitored by Office 365 Cloud App Security. For more information, see Scoped Deployment.

Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives organizations visibility into their cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across any cloud app.

Which users benefit from the service?

Licensed users of MCAS, Enterprise Mobility + Security E5, Microsoft 365 E5, and Microsoft 365 E5 Security can benefit from MCAS.

Licensed users of Azure AD P1 can benefit from the Discovery capabilities in MCAS.

To benefit from the Conditional Access App Control capabilities in MCAS, users must also be licensed for Azure Active Directory P1, which is included in Enterprise Mobility + Security E3, Enterprise Mobility + Security E5, Microsoft 365 E3, Microsoft 365 E5, and Microsoft 365 E5 Security.

To benefit from automatic labeling, users must be licensed for Azure Information Protection P2, which is included in Enterprise Mobility + Security E5, Microsoft 365 E5, and Microsoft 365 E5 Compliance.

For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How do users benefit from the service?

MCAS discovers and assesses Shadow IT, provides threat protection across first- and third-party cloud apps, and protects information across first- and third-party cloud apps.

How is the service provisioned/deployed?

By default, MCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring Microsoft Cloud App Security policies for licensed users, see Microsoft Cloud App Security overview.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope MCAS deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped Deployment.

Office 365 Advanced Data Governance

Advanced Data Governance (ADG) helps organizations meet information governance requirements with policies to enable retention and deletion. ADG lets organizations auto-label content based on sensitive information type and apply governance policies to that content.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from ADG.

How do users benefit from the service?

ADG lets users apply labels to specific data to uphold specific policies, automatically label content as a record, and manage the full records process from declaration to disposal.

How is the service provisioned/deployed?

By default, ADG features are enabled at the tenant level for all users within the tenant. For information on configuring ADG to apply auto-labeling and policies for licensed users, see Overview of retention labels.

How can the service be applied only to users in the tenant who are licensed for the service?

ADG retention policies can be applied to licensed users in specific locations (team sites, group sites, etc.) through automatic classification. For instructions on applying ADG retention policies, see Applying a retention policy to an entire organization or specific locations.

Office 365 Advanced eDiscovery

Advanced eDiscovery provides investigation and eDiscovery solutions for IT and legal departments within organizations to identify, collect, preserve, reduce, and review content related to an investigation or litigation prior to export out of the Office 365 system.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from Advanced eDiscovery.

How do users benefit from the service?

Users benefit from Advanced eDiscovery when their content is put on hold as part of a litigation or investigation.

How is the service provisioned/deployed?

By default, Advanced eDiscovery features are enabled at the tenant level for all users within the tenant when admins assign eDiscovery permissions in the Security & Compliance Center.

How can the service be applied only to users in the tenant who are licensed for the service?

Organizations can manage Advanced eDiscovery on a per-user basis and add users to an Advanced eDiscovery case, as well as provide users with edit access to the shared locations through eDiscovery permissions. For instructions on how to apply Advanced eDiscovery permissions to licensed users, see Assign eDiscovery permissions in the Security & Compliance Center.

Office 365 Customer Key

With Customer Key, you control your organization's encryption keys and configure Office 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows you to add a layer of encryption that belongs to you, using your own keys. Data at rest includes data from Exchange Online and Skype for Business that is stored in mailboxes and files within SharePoint Online and OneDrive for Business.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from Customer Key. To get the full benefit of Customer Key, you must also have a subscription for Azure Key Vault.

How do users benefit from the service?

Users benefit from Customer Key by having their data at rest encrypted at the application layer using encryption keys that are provided, controlled, and managed by their own organization.

How is the service provisioned/deployed?

Office 365 Customer Key encryption keys can be enabled for all data stored in Exchange Online and Skype for Business mailboxes, and SharePoint Online and OneDrive for Business files. For information on configuring Office 365 Customer Key to encrypt your data at rest, see Controlling Your Data in Office 365 Using Customer Key.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 tenant for licensed users, follow the Customer Key encryption keys deployment policies:

Office 365 Customer Lockbox

Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox may also help organizations meet certain compliance obligations such as HIPAA and FEDRAMP.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from Customer Lockbox.

How do users benefit from the service?

Users benefit from Customer Lockbox ensuring that no one at Microsoft can access their content to perform a service operation without the customer’s explicit approval. Customer Lockbox brings the customer into the approval workflow for requests to access their content. Occasionally, Microsoft engineers are involved during the support process to troubleshoot and fix customer-reported issues. In most cases, issues are fixed through extensive telemetry and debugging tools that Microsoft has in place for its services. However, there may be cases that require a Microsoft engineer to access customer content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow. This gives organizations the option to approve or deny these requests, which gives them direct control over whether a Microsoft engineer can access the organizations’ end-user data.

How is the service provisioned/deployed?

Admins can turn on Customer Lockbox controls in the Microsoft 365 admin center. For more information, see Customer Lockbox in Office 365. When Customer Lockbox is turned on, Microsoft is required to obtain an organization’s approval prior to accessing any of their content.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft does not commit to providing Customer Lockbox access-control approval requests for users who are not licensed. Over time, license checks or targeted tooling will be added to Customer Lockbox to ensure Customer Lockbox is assignable to licensed users.

Privileged access management in Office 365

Privileged access management (PAM) provides granular access control over privileged admin tasks in Office 365. After enabling privileged access management, users will need to request just-in-time access through an approval workflow that is highly scoped and time-bound in order to complete elevated and privileged tasks.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from PAM.

How do users benefit from the service?

Enabling PAM lets organizations operate with zero standing privileges. Users benefit from the added layer of defense against vulnerabilities arising from standing administrative access that provides unfettered access to their data.

How is the service provisioned/deployed?

By default, PAM features are enabled at the tenant level for all users within the tenant. For information on configuring PAM policies, see Configuring privileged access management in Office 365.

How can the service be applied only to users in the tenant who are licensed for the service?

Customers can manage PAM on a per-user basis through approver group and access policies, which can be applied to licensed users. For more information, see Privileged Access Management in Office 365.

Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive for Business

With Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business, organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

Which users benefit from the service?

Licensed users of Office 365 E3, Microsoft 365 E3, and Office 365 Data Loss Prevention can benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business.

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization’s DLP policy.

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Office 365 Security & Compliance Center, under Data loss prevention > Locations.

Data Loss Prevention for Teams chat and channel conversations

With Data Loss Prevention (DLP) for Teams chat and channel conversations, organizations can block messages in chats and channel conversations that contain sensitive information, such as financial information, personally identifying information, health-related information, or other confidential information.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from DLP for Teams chat and channel conversations.

How do users benefit from the service?

Senders benefit by having their outgoing chat and channel conversation messages inspected for sensitive information, as configured in the organization’s DLP policy.

How is the service provisioned/deployed?

By default, Teams chat and channel conversations are an enabled Location (workload) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Office 365 Security & Compliance Center, under Data loss prevention > Locations.

Information barriers

Information barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that shouldn't be shared with other departments, or a group needs to be prevented from communicating with outside contacts. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you should not be communicating with, you won't find that user in the people picker.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from information barriers.

How do users benefit from the service?

Users benefit from the advanced compliance capabilities of information barriers when they're restricted from communicating with others. For example:

Scenario | Who requires a license?
Two groups (Group 1 and Group 2) cannot communicate with each other (that is, Group 1 users are restricted from communicating with Group 2 users, and Group 2 users are restricted from communicating with Group 1 users). | Users in both Group 1 and Group 2
Users in Group 1 are restricted from communicating with the rest of the company. | Users in Group 1 only
The rest of the company is restricted from communicating with Group 1. | All users except those in Group 1
Group 1 users are restricted from communicating with Group 2 users, but Group 2 users can communicate with Group 1 users. | Users in Group 1 only

How is the service provisioned/deployed?

Admins create and manage information barrier policies by using PowerShell cmdlets in the Security & Compliance Center. Admins must be assigned the Microsoft 365 Enterprise Global Administrator, Office 365 Global Administrator, or Compliance Administrator role to create an information barrier policy. By default, these policies apply to all users in the tenant. For more information about information barriers, see Information barriers in Microsoft Teams.
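The licensing scenarios in the table above, expressed with the Security & Compliance Center cmdlets just described, as an added example that is not part of the original article. The segment names, policy names and the Department attribute values are assumptions; the script assumes the ExchangeOnlineManagement module and the Compliance Administrator role.

```powershell
# Added example (not from the original article): builds the information barrier
# scenarios from the table above with Security & Compliance Center cmdlets.
# Assumptions: ExchangeOnlineManagement module installed, the signed-in account
# holds the Compliance Administrator role, and users carry constructed Department
# values 'Group1' and 'Group2'; segment and policy names are placeholders.

Connect-IPPSSession

# Each segment is a set of users selected by a directory attribute filter.
New-OrganizationSegment -Name "Group1" -UserGroupFilter "Department -eq 'Group1'"
New-OrganizationSegment -Name "Group2" -UserGroupFilter "Department -eq 'Group2'"

# A segment can carry at most one policy, so choose one scenario per segment.
# Scenario 1 (two-way block): each side blocks the other, so users on both
# sides require a license.
# Scenario 4 (one-way block): only Group1 blocks Group2; set $TwoWay = $false
# and only Group 1 users require a license.
$TwoWay = $true

New-InformationBarrierPolicy -Name "Group1-blocks-Group2" -AssignedSegment "Group1" `
    -SegmentsBlocked "Group2" -State Inactive
if ($TwoWay) {
    New-InformationBarrierPolicy -Name "Group2-blocks-Group1" -AssignedSegment "Group2" `
        -SegmentsBlocked "Group1" -State Inactive
}

# Scenario 2 (Group 1 isolated from the rest of the company) is an allow list
# rather than a block list: Group1 may communicate only with itself. Use it in
# place of the Group1 policy above, never alongside it.
# New-InformationBarrierPolicy -Name "Group1-isolated" -AssignedSegment "Group1" `
#     -SegmentsAllowed "Group1" -State Inactive

# Policies are created inactive; activate them, then start applying them to the
# directory. Nothing is enforced until the application run completes.
Get-InformationBarrierPolicy | ForEach-Object {
    Set-InformationBarrierPolicy -Identity $_.Name -State Active
}
Start-InformationBarrierPoliciesApplication

# Check application progress and review which segment each policy restricts, so
# the licensed population can be compared against the assigned segments.
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State
```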

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Office 365 Security & Compliance Center. For example, if all users are licensed for Office 365 E3, and none are licensed for Office 365 Advanced Compliance/E5, admins wouldn't need to create any information barrier policies for the organization. For more information, see Information barriers in Microsoft Teams.

Office 365 Advanced Message Encryption

Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption, admins can control sensitive emails shared outside the organization by using automatic policies that can detect sensitive information types (for example, personally identifying information, or financial or health IDs), or they can use keywords to enhance protection by applying custom email templates and expiring access to encrypted emails through a secure web portal. Additionally, admins can further control encrypted emails accessed externally through a secure web portal by revoking access at any time.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Office 365 Advanced Compliance can benefit from Advanced Message Encryption.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Advanced Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Advanced Message Encryption policies in the Exchange admin center under mail flow rules. By default, these rules apply to all users in the tenant. For more information about setting up new Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Advanced Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.
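A mail flow rule that applies Advanced Message Encryption only to senders in a licensed group, with a custom template that expires external access, as an added example that is not part of the original article. The group address, template name, sensitive information type and expiry period are assumptions; the script assumes the ExchangeOnlineManagement module and Exchange Online admin rights.

```powershell
# Added example (not from the original article): scopes Advanced Message
# Encryption to licensed senders through a mail flow rule condition.
# Assumptions: ExchangeOnlineManagement module installed, Exchange Online admin
# rights, and a mail-enabled security group (placeholder address below) that
# mirrors the users licensed for Advanced Message Encryption.

Connect-ExchangeOnline

$LicensedGroup = "AME-Licensed-Users@contoso.com"   # placeholder group address
$TemplateName  = "Licensed-Finance-Template"         # placeholder template name

# Advanced Message Encryption feature: a custom branding template whose external
# recipients lose access to the encrypted message after 7 days (assumed period).
New-OMEConfiguration -Identity $TemplateName
Set-OMEConfiguration -Identity $TemplateName -ExternalMailExpiryInDays 7

# The -FromMemberOf condition is what limits the rule to the licensed group;
# without it the rule would apply to every sender in the tenant.
New-TransportRule -Name "Encrypt external financial mail (licensed senders only)" `
    -FromMemberOf $LicensedGroup `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate $TemplateName `
    -Comments "Scoped to the licensed group per tenant-level licensing guidance"

# Review the scoping conditions so a reviewer can confirm that unlicensed
# senders fall outside the rule.
Get-TransportRule -Identity "Encrypt external financial mail (licensed senders only)" |
    Format-List Name, State, FromMemberOf, SentToScope, `
        ApplyRightsProtectionTemplate, ApplyRightsProtectionCustomizationTemplate
```

Users added to the licensed group later are picked up automatically, so keeping the group's membership aligned with license assignment is the ongoing control.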