Microsoft 365 licensing guidance for security & compliance

For the purposes of this article, a tenant-level service is an online service that—when purchased for any user in the tenant (standalone or as part of Office 365 or Microsoft 365 plans)—is activated in part or in full for all users in the tenant. Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service.

Note

Some tenant services are not currently capable of limiting benefits to specific users. Efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption to your organization once targeting capabilities are available.

To see the options for licensing your users to benefit from Microsoft 365 compliance features as of April 1, 2020, download the Detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel)

Azure Active Directory Identity Protection

Azure Active Directory Identity Protection is a feature of the Azure Active Directory Premium P2 plan that lets you detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities, and investigate suspicious incidents and take appropriate action to resolve them.

How do users benefit from the service?

SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security provided by acting on vulnerabilities.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Security, and Azure Active Directory Premium Plan 2 provide the rights for a user to benefit from Azure Active Directory Identity Protection.

How is the service provisioned/deployed?

By default, Azure AD Identity Protection features are enabled at the tenant level for all users within the tenant. For information about Azure AD Identity Protection, see What is Azure Active Directory Identity Protection?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Azure AD Identity Protection by assigning risk policies that define the risk level at which password resets are required, and by allowing access for licensed users only. For instructions on how to scope Azure AD Identity Protection deployments, see Configure the sign-in risk policy.

Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats.

How do users benefit from the service?

SecOps analysts and security professionals benefit from the ability of Azure ATP to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit by having their data monitored by Azure ATP.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Security, and Azure Advanced Threat Protection for Users provide the rights to benefit from Azure ATP.

How is the service provisioned/deployed?

By default, Azure ATP features are enabled at the tenant level for all users within the tenant. For information on configuring Azure ATP, see Create your Azure ATP instance.

How can the service be applied only to users in the tenant who are licensed for the service?

Azure ATP services are not currently capable of limiting capabilities to specific users. You must license every user you intend to benefit.

Office 365 Advanced Threat Protection

Advanced Threat Protection (ATP) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. ATP also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

How do users benefit from the service?

ATP protects users from sophisticated attacks such as phishing and zero-day malware. For the full list of services provided in Plan 1 and Plan 2, see Office 365 Advanced Threat Protection.

Which licenses provide the rights for a user to benefit from the service?

Office 365 Advanced Threat Protection, Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security, Microsoft 365 Business Premium, and Office 365 ATP Plans 1 and 2 provide the rights for a user to benefit from Advanced Threat Protection.

How is the service provisioned/deployed?

By default, ATP features are enabled at the tenant level for all users within the tenant. For information on configuring ATP policies for licensed users, see Office 365 Advanced Threat Protection.

How can the service be applied only to users in the tenant who are licensed for the service?

To scope ATP, follow the Safe Links and Safe Attachments deployment policies:

Office 365 Cloud App Security

Office 365 Cloud App Security (OCAS) is a subset of Microsoft Cloud App Security, with features limited to Office 365 and without additional security for third-party cloud apps and IaaS services.

OCAS gives organizations visibility into their productivity cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across Office 365.

To compare features, see Differences between Microsoft Cloud App Security and Office 365 Cloud App Security.

How do users benefit from the service?

OCAS discovers Shadow IT, provides threat protection across Office 365, and can control which apps have permission to access data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5 provides the rights for a user to benefit from OCAS. For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How is the service provisioned/deployed?

By default, OCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring the service, see Basic setup for Cloud App Security.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope OCAS deployments to enforce how certain apps are accessed and limit user groups monitored by Office 365 Cloud App Security. For more information, see Scoped deployment.

Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives organizations visibility into their cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across any cloud app.

How do users benefit from the service?

MCAS discovers and assesses Shadow IT, provides threat protection across first- and third-party cloud apps, and protects information across first- and third-party cloud apps.

Which licenses provide the rights for a user to benefit from the service?

MCAS, Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security, Microsoft 365 E5/A5/G5 Compliance, and Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from MCAS.

Azure AD P1 provides the rights for a user to benefit from the Discovery capabilities in MCAS.

To benefit from the Conditional Access App Control capabilities in MCAS, users must also be licensed for Azure Active Directory P1, which is included in Enterprise Mobility + Security E3/A3/G3, Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, and Microsoft 365 E5/A5/G5 Security.

To benefit from automatic labeling, users must be licensed for Azure Information Protection P2, which is included in Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, and Microsoft 365 Information Protection and Governance.

For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How is the service provisioned/deployed?

By default, MCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring Microsoft Cloud App Security policies for licensed users, see Microsoft Cloud App Security overview.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope MCAS deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped deployment.

Microsoft Defender ATP

Microsoft Defender ATP is an endpoint security solution that includes risk-based vulnerability management and assessment; attack surface reduction capabilities; behavior-based and cloud-powered next-generation protection; endpoint detection and response (EDR); automatic investigation and remediation; and managed hunting services. See the Microsoft Defender ATP page to learn more.

Which users benefit from the service?

Licensed users of Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5 (M365 E5, which includes Windows 10 Enterprise E5), Microsoft 365 E5 Security, and Microsoft 365 A5 (M365 A5) can benefit from Microsoft Defender ATP.

How do users benefit from the service?

SecOps analysts and security professionals benefit from endpoint security capabilities of Microsoft Defender ATP to do preventative protection, post-breach detection, automated investigation, and response to advanced threats. End users benefit by having malicious events monitored by Microsoft Defender ATP.

How is the service provisioned/deployed?

By default, Microsoft Defender ATP features are enabled at the tenant level for all users within the tenant. For information on deployment, see Deployment guide.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Defender ATP administrators can utilize role-based access control (RBAC) to create roles and groups within the security operations team to grant appropriate access to the Microsoft Defender Security Center.

Information Protection

Information Protection helps organizations discover, classify, label, and protect sensitive documents and emails. Admins can define rules and conditions to apply labels automatically, users can apply labels manually, or a combination of the two can be used—where users are given recommendations on applying labels.

How do users benefit from the service?

Users benefit by having the ability to manually apply sensitivity labels to their content or by having their content automatically classified.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium, Enterprise Mobility + Security F3/E3/E5, Office 365 E5/A5/E3/A3/F3, AIP Plan 1, and AIP Plan 2 provide the rights for a user to benefit from manual sensitivity labeling.

Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium, Enterprise Mobility + Security F3/E3/E5, AIP Plan 1, and AIP Plan 2 provide the rights for a user to benefit from applying and viewing sensitivity labels in Power BI and to protect data when it's exported from Power BI to Excel, PowerPoint, or PDF.

Note

Power BI is included with Microsoft 365 E5/A5/G5; in all other plans, Power BI must be licensed separately.

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling.

For specific rights by license, see the detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel) The automatic sensitivity labeling rights above do not include rights to automatic classification based on machine learning (trainable classifiers).

How is the service provisioned/deployed?

By default, information protection features are enabled at the tenant level for all users within the tenant. For information on configuring policies for licensed users, see Activating Azure Rights Management.

How can the service be applied only to users in the tenant who are licensed for the service?

Except when using the AIP scanner feature, policies can be scoped to specific groups or users, and registry settings can be edited to prevent unlicensed users from running classification or labeling features. For instructions on how to scope AIP deployments, see Configuring the Azure Information Protection policy.

For the AIP scanner feature, Microsoft does not commit to providing file classification, labeling, or protection capabilities to users who are not licensed.

Information Governance

Information Governance helps organizations manage their risk through discovering, classifying, labeling, and governing their data. Information Governance lets organizations meet business and regulatory requirements as well as reduce their attack surface by providing retention and deletion capabilities across their Microsoft 365 and third-party data.

How do users benefit from the service?

Users benefit by being able to classify data for retention purposes to uphold specific policies and regulations.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 F3/Business Premium, Office 365 E1/A1/F3, and standalone Exchange plans provide the rights for a user to benefit from manually applying non-record retention labels to mailbox data.

Microsoft 365 F3/F1/Business Premium, Office 365 E1/A1/F3, and standalone SharePoint plans provide the rights for a user to benefit from manually applying non-record retention labels to files in SharePoint or OneDrive.

Microsoft 365 E5/A5/E3/A3/Business Premium, Office 365 E5/A5/E3/A3, Exchange Plan 2, and Exchange Online Archiving provide the rights for a user to benefit from a basic organization-wide or location-wide mailbox retention policy and/or to manually apply a non-record retention label to mailbox data.

Microsoft 365 E5/A5/E3/A3, Office 365 E5/A5/E3/A3, and SharePoint Plan 2 provide the rights for a user to benefit from a basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.

Microsoft 365 E5/A5/E3/A3 and Office 365 E5/A5/E3/A3 provide the rights for a user to benefit from a Teams retention policy.

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from automatically applying retention labels or policies, applying default retention labels or policies, starting the retention period of a retention label based on a custom event, triggering a manual disposition review at the end of the label's retention period, importing third-party data through native data connectors, declaring a file a record, discovering labeled content, and monitoring labeling activity.

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention labels based on trainable classifiers.

For specific rights by license, see the detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel)

How is the service provisioned/deployed?

By default, Information Governance features are enabled at the tenant level for all users within the tenant. For information on configuring Information Governance to apply auto-labeling and policies for licensed users, see Manage Information Governance.

How can the service be applied only to users in the tenant who are licensed for the service?

Information Governance features can be applied to licensed users in specific locations (team sites, group sites, etc.). For information on configuring Information Governance to apply auto-labeling and policies for licensed users, see Manage Information Governance.

Records Management

Records Management helps organizations meet their business and regulatory record-keeping obligations through discovering, classifying, labeling, retention and defensible deletion capabilities across their Microsoft 365 and third-party data.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Records Management, including declaring items as records, automatically applying retention or record labels, and executing disposition review processes (excluding automatically applying a retention label based on trainable classifiers).

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention or record labels based on trainable classifiers.

For specific rights by license, see the detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel)

How do users benefit from the service?

Users benefit by being able to declare content as a record and manage their full records process from policy definition and declaration through defensible disposal.

How is the service provisioned/deployed?

By default, Records Management features are enabled at the tenant level for all users within the tenant. For information on configuring Records Management to apply for licensed users, see Records Management in Microsoft 365.

How can the service be applied only to users in the tenant who are licensed for the service?

Records Management features can be applied to licensed users in specific locations (team sites, group sites, etc.). For information on configuring Records Management to apply for licensed users, see Records Management in Microsoft 365.

eDiscovery

eDiscovery provides investigation and eDiscovery solutions for IT and legal departments within corporations to identify, collect, preserve, reduce, and review content related to an investigation or litigation prior to export out of the Microsoft 365 system.

How do users benefit from the service?

A user benefits from Advanced eDiscovery when the user is selected as a data custodian (a person having administrative control of a document or electronic file) for a case.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5/E3/A3/G3, Office 365 E5/A5/G5/E3/A3/G3, and Office 365 Advanced Compliance provide the rights for a user to benefit from Core eDiscovery. Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5 eDiscovery and Audit, Office 365 E5/A5/G5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Advanced eDiscovery.

How is the service provisioned/deployed?

By default, Advanced eDiscovery features are enabled at the tenant level for all users within the tenant when admins assign eDiscovery permissions in the Security & Compliance Center.

How can the service be applied only to users in the tenant who are licensed for the service?

eDiscovery administrators can select specific users as data custodians for a case by using the built-in custodian management tool in Advanced eDiscovery as described in Add custodians to an Advanced eDiscovery case.

Office 365 Customer Key

With Customer Key, you control your organization's encryption keys and configure Office 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows you to add a layer of encryption that belongs to you, using your own keys. Data at rest includes data from Exchange Online and Skype for Business that is stored in mailboxes and files within SharePoint Online and OneDrive for Business.

How do users benefit from the service?

Users benefit from Customer Key by having their data at rest encrypted at the application layer using encryption keys that are provided, controlled, and managed by their own organization.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Customer Key. To get the full benefit of Customer Key, you must also have a subscription for Azure Key Vault.

How is the service provisioned/deployed?

Office 365 Customer Key encryption keys can be enabled for all data stored in Exchange Online and Skype for Business mailboxes, and SharePoint Online, OneDrive for Business, and Teams files. For more information about Office 365 Customer Key, including how to get started, see Service encryption with Customer Key in Office 365.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Customer Key encryption keys deployment instructions.

  • For SharePoint Online, OneDrive for Business, and Teams files, files on one or more sites can be encrypted using Customer Key.

  • For Exchange Online and Skype for Business, mailboxes can be encrypted using Customer Key.

Office 365 Customer Lockbox

Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox may also help organizations meet certain compliance obligations such as HIPAA and FedRAMP.

How do users benefit from the service?

Users benefit from Customer Lockbox ensuring that no one at Microsoft can access their content to perform a service operation without the customer's explicit approval. Customer Lockbox brings the customer into the approval workflow for requests to access their content. Occasionally, Microsoft engineers are involved during the support process to troubleshoot and fix customer-reported issues. In most cases, issues are fixed through extensive telemetry and debugging tools that Microsoft has in place for its services. However, there may be cases that require a Microsoft engineer to access customer content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow. This gives organizations the option to approve or deny these requests, which gives them direct control over whether a Microsoft engineer can access the organizations' end-user data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Insider Risk Management, and Office 365 Advanced Compliance provide the rights for a user to benefit from Customer Lockbox.

How is the service provisioned/deployed?

Admins can turn on Customer Lockbox controls in the Microsoft 365 admin center. For more information, see Customer Lockbox in Office 365. When Customer Lockbox is turned on, Microsoft is required to obtain an organization's approval prior to accessing any of their content.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft provides Customer Lockbox access control approval requests for users in your organization.

Privileged access management in Office 365

Privileged access management (PAM) provides granular access control over privileged admin tasks in Office 365. After enabling PAM, users will need to request just-in-time access through an approval workflow that is highly scoped and time-bound in order to complete elevated and privileged tasks.

How do users benefit from the service?

Enabling PAM lets organizations operate with zero standing privileges. Users benefit from the added layer of defense against vulnerabilities arising from standing administrative access that provides unfettered access to their data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance provide the rights for a user to benefit from PAM.

How is the service provisioned/deployed?

By default, PAM features are enabled at the tenant level for all users within the tenant. For information on configuring PAM policies, see Get started with privileged access management.

How can the service be applied only to users in the tenant who are licensed for the service?

Customers can manage PAM on a per-user basis through approver group and access policies, which can be applied to licensed users. For more information, see Privileged access management in Office 365.

Double Key Encryption for Microsoft 365

Double Key Encryption for Microsoft 365 allows you to protect your highly sensitive data to meet specialized requirements and maintain full control of your encryption key. Double Key Encryption uses two keys to protect your data, with one key in your control and the second key stored securely in Microsoft Azure. To view the data, you must have access to both keys. Since Microsoft can access only one key, your key and therefore your data are unavailable to Microsoft, ensuring that you have full control over the privacy and security of your data.

How do users benefit from the service?

Users benefit from Double Key Encryption by being able to migrate their encrypted data to the cloud while preventing third-party access, as long as the key remains under the users' control. End users can protect and consume Double Key Encrypted content in the same way as any other sensitivity label protected content.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Double Key Encryption.

How is the service provisioned/deployed?

Double Key Encryption supports the desktop version of Microsoft Office for Windows.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Double Key Encryption deployment instructions.

Office 365 data loss prevention for Exchange Online, SharePoint Online, and OneDrive for Business

With Office 365 data loss prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business, organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization's DLP policy.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 A1/E3/A3/Business, Office 365 E3/A3, and Office 365 Data Loss Prevention provide the rights for a user to benefit from Office 365 DLP for Exchange Online, SharePoint Online, and OneDrive for Business.

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center, under Data loss prevention > Locations.

Communication Data Loss Prevention for Teams

With Communication DLP for Teams, organizations can block chats and channel messages that contain sensitive information, such as financial information, personally identifying information, health-related information, or other confidential information.

Which users benefit from the service?

Licensed users of Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 Information Protection and Governance, and Office 365 Advanced Compliance can benefit from Communication DLP for Teams.

How do users benefit from the service?

Senders benefit by having their outgoing chat and channel messages inspected for sensitive information, as configured in the organization's DLP policy.

How is the service provisioned/deployed?

By default, Teams chat and channel messages are an enabled location (workload) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center, under Data loss prevention > Locations.

Information barriers

Information barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that shouldn't be shared with other departments, or a group needs to be prevented from communicating with outside contacts. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you should not be communicating with, you won't find that user in the people picker.

How do users benefit from the service?

Users benefit from the advanced compliance capabilities of information barriers when they're restricted from communicating with others. For example:

Scenario                                                                 | Who requires a license?
-------------------------------------------------------------------------|----------------------------------
Two groups (Group 1 and Group 2) cannot communicate with each other      | Users in both Group 1 and Group 2
(that is, Group 1 users are restricted from communicating with Group 2   |
users, and Group 2 users are restricted from communicating with Group 1  |
users).                                                                  |

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Insider Risk Management, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from information barriers.

How is the service provisioned/deployed?

Admins create and manage information barrier policies by using PowerShell cmdlets in the Security & Compliance Center. Admins must be assigned the Microsoft 365 Enterprise Global Administrator, Office 365 Global Administrator, or Compliance Administrator role to create an information barrier policy. By default, these policies apply to all users in the tenant. For more information about information barriers, see Information barriers in Microsoft Teams.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center. For example, if all users are licensed for Office 365 E3, and none are licensed for Office 365 Advanced Compliance/E5, they wouldn't need to create any information barrier policies for the organization. For more information, see Information barriers in Microsoft Teams.

Office 365 Message Encryption

Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).

To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a subscription to view encrypted messages or send encrypted replies.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Office 365 Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E3/A3, Office 365 E3/A3, and Azure Information Protection Plan 1 provide the rights for a user to benefit from Office 365 Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Office 365 Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Office 365 Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Office 365 Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.

Office 365 Advanced Message Encryption

Office 365 Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption, admins can control sensitive emails shared outside the organization by using automatic policies that detect sensitive information types (for example, personally identifying information, or financial or health IDs) or keywords. Those policies can apply custom email templates and expire access to encrypted emails delivered through a secure web portal. Additionally, admins can revoke access to encrypted emails accessed externally through the secure web portal at any time.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Advanced Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, and Office 365 Advanced Compliance provide the rights for a user to benefit from Advanced Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Advanced Message Encryption policies in the Exchange admin center under mail flow rules. By default, these rules apply to all users in the tenant. For more information about setting up new Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Advanced Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.
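Both the Office 365 Message Encryption and the Advanced Message Encryption sections above say the same thing about scoping: the mail flow rule, not the service, decides who is covered, so the rule's sender condition must name only licensed users. The following is an added example, not code from the Microsoft article. It assumes Exchange Online PowerShell (Connect-ExchangeOnline), two constructed mail-enabled groups (ome-licensed@contoso.com and ame-licensed@contoso.com) whose membership is kept equal to the licensed population, and a constructed message ID placeholder for the revocation step.

```powershell
# Added example (not from the Microsoft article). Assumes Exchange Online
# PowerShell and constructed groups that contain only licensed senders.
Connect-ExchangeOnline

# Office 365 Message Encryption: encrypt mail from licensed senders to
# external recipients when it contains a sensitive information type.
# FromMemberOf is the licensing scope; a rule without it covers every sender.
New-TransportRule -Name "OME - licensed senders, sensitive content" `
    -FromMemberOf "ome-licensed@contoso.com" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; MinCount = "1"}) `
    -ApplyRightsProtectionTemplate "Encrypt"

# Advanced Message Encryption: a custom branding template whose portal access
# expires after 7 days, applied by a second rule scoped to the AME group.
New-OMEConfiguration -Identity "Expiring external mail" -ExternalMailExpiryInDays 7
New-TransportRule -Name "AME - licensed senders, expiring external access" `
    -FromMemberOf "ame-licensed@contoso.com" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "Expiring external mail"

# Revocation of a message already delivered through the portal. The message
# ID below is a placeholder; take the real one from message trace.
Set-OMEMessageRevocation -MessageId "<message-id-placeholder>" -Revoke $true
Get-OMEMessageStatus -MessageId "<message-id-placeholder>"

# Verify that every encryption rule is sender-scoped before relying on it.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, FromMemberOf, SentToScope, State
```

The final listing is the check a reviewer wants: any encryption rule whose FromMemberOf is empty applies to the whole tenant, which is exactly the situation the guidance says to avoid.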

Communication Compliance

Communication compliance in Microsoft 365 helps minimize communication risks by helping you detect, capture, and take remediation actions for inappropriate messages in your organization. You can define specific policies that capture internal and external email, Microsoft Teams, or third-party communications in your organization. Reviewers can take appropriate remediation actions to make sure they're compliant with your organization's message standards.

How do users benefit from the service?

Compliance specialists benefit from the service by having organization communications monitored by communication compliance policies.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 Insider Risk Management provide the rights for a user to benefit from communication compliance.

How is the service provisioned/deployed?

Admins and compliance specialists create communication compliance policies in the Microsoft 365 compliance center. These policies define which communications and users are subject to review in the organization, define custom conditions that communications must meet, and specify who should perform reviews.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins choose specific users or groups to include in a communication compliance policy. When choosing a group, they can also select specific users in the group to exclude from the communication compliance policy. For more information about communication compliance policies, see Communication compliance in Microsoft 365.

Insider Risk Management

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and take action on risky activities in your organization. Custom policies allow you to detect and take action on malicious and inadvertently risky activities in your organization, including escalating cases to Microsoft Advanced eDiscovery if needed. Risk analysts in your organization can quickly take appropriate actions to make sure that users are compliant with your organization's compliance standards.

How do users benefit from the service?

Users benefit by having their activities monitored for risk.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 Insider Risk Management provide the rights for a user to benefit from Insider Risk Management.

How is the service provisioned/deployed?

Insider Risk Management policies must be created in the Microsoft 365 compliance center and assigned to users.

How can the service be applied only to users in the tenant who are licensed for the service?

When creating a policy in the Microsoft 365 compliance center, on the Choose users and groups page, select Choose users or groups to select only licensed users, or, if all of your users are licensed, you may select the All users and mail-enabled groups checkbox. For more information, see Get started with insider risk management.

Conditional Access policies

Conditional Access is the tool used by Azure Active Directory to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the identity-driven control plane. Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Which users benefit from the service?

Licensed users of Enterprise Mobility + Security E3/A3, Microsoft 365 F3/E3/A3/Business Premium, and Azure Active Directory Premium Plan 1 can benefit from Conditional Access policies. Licensed users of Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5, Microsoft 365 E5 Security, and Azure Active Directory Premium Plan 2 can benefit from Identity Protection (risk-based Conditional Access policies).

How do users benefit from the service?

Security operations analysts and security professionals benefit by having the ability to enforce organizational policies on users, requiring them to meet certain criteria before granting access to corporate content. End users benefit by being able to access their work wherever and whenever they choose, while protecting the organization's assets.

How is the service provisioned/deployed?

By default, Conditional Access features are enabled at the tenant level for all users within the tenant.

How can the service be applied only to users in the tenant who are licensed for the service?

For Identity Protection and Conditional Access specifically, a user must be included in a group or be added to a Conditional Access policy. The users and groups condition is mandatory in a Conditional Access policy. In your policy, you can select either All users or specific users and groups. You should select only appropriately licensed users and groups. For more information, see What are conditions in Azure Active Directory Conditional Access?.
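The mandatory users and groups condition is where the licensing scope lives, so the policy below includes a single group rather than All users. This is an added example, not code from the Microsoft article: it assumes the AzureADPreview module (Connect-AzureAD) and a constructed group named "CA-Licensed-Users" whose membership matches the licensed population. It implements the payroll-style requirement from the section's example (require MFA for every app) and starts in report-only state so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example (not from the Microsoft article). Assumes the AzureADPreview
# module and a constructed group "CA-Licensed-Users" of licensed users.
Connect-AzureAD

# Resolve the group that defines the licensed scope.
$group = Get-AzureADGroup -SearchString "CA-Licensed-Users" | Select-Object -First 1
if (-not $group) { throw "Group CA-Licensed-Users not found; create it first." }

# Conditions: all cloud apps, but only the licensed group (not "All users").
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $group.ObjectId

# Grant control: the "then" of the if-then statement, here multi-factor authentication.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Report-only first; switch to "enabled" once the sign-in log review is clean.
New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA - licensed users" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions -GrantControls $controls

# Confirm the scope on the stored policy rather than trusting the script.
Get-AzureADMSConditionalAccessPolicy |
    Where-Object { $_.DisplayName -eq "Require MFA - licensed users" } |
    ForEach-Object { $_.Conditions.Users | Select-Object IncludeUsers, IncludeGroups, ExcludeUsers }
```

Keeping the group as the only include means licensing changes are handled by group membership, not by editing the policy, which is also the easier thing to audit.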

Advanced Audit

Advanced Audit in Microsoft 365 provides one-year retention of audit logs for user and admin activities, and provides the ability to create custom audit log retention policies to manage audit log retention for other Microsoft 365 services. It also provides access to crucial events for investigations and high-bandwidth access to the Office 365 Management Activity API. For more information, see Advanced Audit in Microsoft 365.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 eDiscovery and Audit can benefit from Advanced Audit.

How do users benefit from the service?

A user benefits from Advanced Audit because audit records related to user activity in Microsoft 365 services can be retained for up to one year. Additionally, high-value auditing events are logged such as when items in a user's mailbox are accessed or read. For more information, see Advanced Audit in Microsoft 365.

How is the service provisioned/deployed?

By default, Advanced Audit is enabled at the tenant level for all organizations that have an Office 365 or Microsoft 365 E5 subscription, and automatically provides one-year retention of audit logs for activities (performed by users with the appropriate license) in Azure Active Directory, Exchange, and SharePoint. Additionally, organizations can use audit log retention policies to manage the retention period for audit records generated by activity in other Microsoft 365 services. For more information, see Manage audit log retention policies.

How can the service be applied only to users in the tenant who are licensed for the service?

One-year retention of audit logs and the auditing of crucial events only apply to users with the appropriate license. Additionally, admins can use audit log retention policies to specify shorter retention durations for the audit logs of specific users.
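The retention policies mentioned above can be scoped per user, which is the mechanism for giving unlicensed users a shorter duration while licensed users keep the full year. The following is an added example, not code from the Microsoft article; it assumes Security & Compliance Center PowerShell (Connect-IPPSSession) and constructed user addresses at contoso.com. The closing search looks for the mailbox-access events the section describes as high-value, which is also a quick way to confirm that those events are being recorded for a licensed user.

```powershell
# Added example (not from the Microsoft article). Assumes Security & Compliance
# Center PowerShell; the user addresses are constructed.
Connect-IPPSSession

# Licensed users: keep Exchange audit records for the full year.
New-UnifiedAuditLogRetentionPolicy -Name "Exchange - 12 months - licensed users" `
    -Description "Full retention for users licensed for Advanced Audit" `
    -RecordTypes ExchangeItem `
    -UserIds alice@contoso.com, bob@contoso.com `
    -RetentionDuration TwelveMonths `
    -Priority 10

# Unlicensed users: a shorter duration for the same record type.
New-UnifiedAuditLogRetentionPolicy -Name "Exchange - 3 months - unlicensed users" `
    -Description "Shorter retention for users without an Advanced Audit license" `
    -RecordTypes ExchangeItem `
    -UserIds carol@contoso.com `
    -RetentionDuration ThreeMonths `
    -Priority 20

# Review the resulting policy set; priority decides which policy wins when
# more than one matches a record, so check the ordering deliberately.
Get-UnifiedAuditLogRetentionPolicy | Sort-Object Priority |
    Select-Object Name, RecordTypes, RetentionDuration, Priority, UserIds

# Spot-check that mailbox access events exist for a licensed user.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations MailItemsAccessed -UserIds alice@contoso.com -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations
```

Each RecordTypes/UserIds combination is its own policy, so the list grows with the number of services you scope; reviewing it with Get-UnifiedAuditLogRetentionPolicy after every change keeps the licensed and unlicensed durations from drifting apart unintentionally.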