Microsoft 365 licensing guidance for security & compliance

For the purposes of this article, a tenant-level service is an online service that—when purchased for any user in the tenant (standalone or as part of Office 365 or Microsoft 365 plans)—is activated in part or in full for all users in the tenant. Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service.

Note

Some tenant services are not currently capable of limiting benefits to specific users. Efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption to your organization once targeting capabilities are available.

To see the options for licensing your users to benefit from Microsoft 365 compliance features, download the Microsoft 365 Comparison table.

Advanced Audit

Advanced Audit in Microsoft 365 provides one-year retention of audit logs for user and admin activities and provides the ability to create custom audit log retention policies to manage audit log retention for other Microsoft 365 services. It also provides access to crucial events for investigations and high-bandwidth access to the Office 365 Management Activity API. For more information, see Advanced Audit in Microsoft 365.

You can also enable a retention period of 10 years with an add-on SKU.

Which users benefit from the service?

Licensed users of Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, and Microsoft 365 E5/A5/G5 eDiscovery and Audit can benefit from Advanced Audit.

Licensed users with Advanced Audit and the 10-year Audit Log Retention add-on can benefit from 10-year Audit Log Retention.

How do users benefit from the service?

Users benefit from Advanced Audit because audit records related to user activity in Microsoft 365 services can be retained for up to one year. Additionally, high-value auditing events are logged, such as when items in a user's mailbox are accessed or read. For more information, see Advanced Audit in Microsoft 365.

How is the service provisioned/deployed?

By default, Advanced Audit is enabled at the tenant level for all users that benefit from the service, and automatically provides one-year retention of audit logs for activities (performed by users with the appropriate license) in Azure Active Directory, Exchange, and SharePoint. Additionally, organizations can use audit log retention policies to manage the retention period for audit records generated by activity in other Microsoft 365 services. The 10-year Audit Log Retention functionality is also enabled using the same retention policies. For more information, see Manage audit log retention policies.

How can the service be applied only to users in the tenant who are licensed for the service?

One-year retention of audit logs and the auditing of crucial events only apply to users with the appropriate license. Additionally, admins can use audit log retention policies to specify shorter retention durations for the audit logs of specific users.

10-year retention of audit logs only applies to users with the appropriate add-on license. The add-on SKU will be required starting early 2021.

Azure Active Directory Identity Protection

Azure Active Directory Identity Protection is a feature of the Azure Active Directory Premium P2 plan that lets you detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities, and investigate suspicious incidents and take appropriate action to resolve them.

How do users benefit from the service?

SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security provided by acting on vulnerabilities.

Which licenses provide the rights for a user to benefit from the service?

  • Azure Active Directory Plan 1: Microsoft 365 E3/A3/G3/F1/F3, Enterprise Mobility & Security E3 and Microsoft 365 Business Premium
  • Azure Active Directory Plan 2: Microsoft 365 E5/A5/G5, Enterprise Mobility & Security E5, Microsoft 365 E5/F5 Security and Microsoft 365 F5 Security & Compliance

How is the service provisioned/deployed?

By default, Azure AD Identity Protection features are enabled at the tenant level for all users within the tenant. For information about Azure AD Identity Protection, see What is Identity Protection?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Azure AD Identity Protection by assigning risk policies that define the level for password resets and allowing access for licensed users only. For instructions on how to scope Azure AD Identity Protection deployments, see How to configure and enable risk policies.

Azure Active Directory Identity Governance

Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It uses entitlement management, access reviews, privileged identity management, and terms-of-use policies to ensure that the right people have the right access to the right resources.

How do users benefit from the service?

Azure Active Directory Identity Governance increases users' productivity by making it easier to request access to apps, groups, and Microsoft Teams in one access package. Users can also be configured as approvers, without involving administrators. For access reviews, users can review memberships of groups with smart recommendations to take action on regular intervals.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Security and F5 Security & Compliance, and Azure Active Directory Premium Plan 2 provide the rights for a user to benefit from Azure Active Directory Identity Governance.

How is the service provisioned/deployed?

Azure AD Identity Governance features are enabled at the tenant level but implemented per user. For information about Azure AD Identity Governance, see What is Azure AD Identity Governance?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Azure AD Identity Governance by assigning access packages, access reviews, or privileged identity management for licensed users only. For instructions on how to scope Azure AD Identity Governance deployments, see:

Communication Compliance

Communication compliance in Microsoft 365 helps minimize communication risks by helping you detect, capture, and take remediation actions for inappropriate messages in your organization. You can define specific policies that capture internal and external email, Microsoft Teams, or third-party communications in your organization. Reviewers can take appropriate remediation actions to make sure they're compliant with your organization's message standards.

How do users benefit from the service?

Compliance specialists benefit from the service by having organization communications monitored by communication compliance policies.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance and Microsoft 365 E5/A5/G5 Insider Risk Management provide the rights for a user to benefit from communication compliance.

How is the service provisioned/deployed?

Admins and compliance specialists create communication compliance policies in the Microsoft 365 compliance center. These policies define which communications and users are subject to review in the organization, define custom conditions that communications must meet, and specify who should perform reviews.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins choose specific users or groups to include in a communication compliance policy. When choosing a group, they can also select specific users in the group to exclude from the communication compliance policy. For more information about communication compliance policies, see Get started with communication compliance in Microsoft 365.

Compliance Manager

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs.
  • Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.
  • A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

Who can access Compliance Manager?

Compliance Manager is available to organizations with Office 365 and Microsoft 365 licenses, and to US Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) customers. Assessment availability and management capabilities depend on your licensing agreement.

What are premium assessments?

Premium assessments are an add-on value for Compliance Manager and help:

  • Translate complex regulatory requirements to specific controls
  • Suggest recommended improvement actions
  • Provide a quantifiable measure of compliance against regulations

Compliance Manager has 300+ premium assessments that customers can use to assess their compliance with a wide range of global, regional, and industrial regulations and standards.

Any customer with a subscription that includes a Microsoft Exchange Online license may purchase Compliance Manager premium assessments.

Which premium assessments are available?

Here is the list of premium assessments.

Which assessments are included by default (free of cost)?

Some assessments are included as part of Compliance Manager and the type of customer license. See the table below for details:

License Type: Microsoft 365 or Office 365 A1/E1/F1/G1; Microsoft 365 or Office 365 A3/E3/F3/G3
Assessment Templates (included by default):
  • Data Protection Baseline

License Type: Microsoft 365 or Office 365 A5/E5/G5; Microsoft 365 A5/E5/F5/G5 Compliance; Microsoft 365 A5/E5/F5/G5 eDiscovery and Audit; Microsoft 365 A5/E5/F5/G5 Insider Risk Management; Microsoft 365 A5/E5/F5/G5 Information Protection and Governance
Assessment Templates (included by default):
  • Data Protection Baseline
  • EU GDPR
  • NIST 800-53
  • ISO 27001
  • CMMC Level 1-5 (only available for G5)
  • Custom Assessments

What are custom assessments?

Custom assessments are a Compliance Manager feature that provides the ability to either create a new template or customize an existing assessment template, including adding or updating controls and improvement actions.

Who can access custom assessments?

The custom assessments feature is available to customers with an E5 subscription as listed below:

  • Microsoft 365 or Office 365 A5/E5/G5
  • Microsoft 365 A5/E5/F5/G5 Compliance
  • Microsoft 365 A5/E5/F5/G5 eDiscovery and Audit
  • Microsoft 365 A5/E5/F5/G5 Insider Risk Management
  • Microsoft 365 A5/E5/F5/G5 Information Protection and Governance

Customer Key for Microsoft 365

With Customer Key, you control your organization's encryption keys and configure Microsoft 365 to use them to encrypt your data at rest in Microsoft data centers. In other words, Customer Key allows you to add a layer of encryption that belongs to you, using your own keys. Data at rest includes data from Exchange Online and Skype for Business that is stored in mailboxes and files within SharePoint Online and OneDrive for Business.

How do users benefit from the service?

Users benefit from Customer Key by having their data at rest encrypted at the application layer using encryption keys that are provided, controlled, and managed by their own organization.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance, and Office 365 E5/A5/G5 provide the rights for a user to benefit from Customer Key. To get the full benefit of Customer Key, you must also have a subscription for Azure Key Vault.

How is the service provisioned/deployed?

Customer Key for Microsoft 365 encryption keys can be enabled for all data stored in Exchange Online and Skype for Business mailboxes, and SharePoint Online, OneDrive for Business, and Teams files. For more information about Customer Key, including how to get started, see Service encryption with Customer Key.

How can the service be applied only to users in the tenant who are licensed for the service?

For Exchange Online and Skype for Business, mailboxes can be encrypted by using Customer Key. You must set up Azure before you can use Customer Key for Microsoft 365. See Set up Customer Key for the steps you need to follow to create and configure the required Azure resources and the steps for setting up Customer Key in Microsoft 365. After you've completed the Azure setup, determine which policy and, therefore, which keys to assign to mailboxes and files in your organization. For more information about Customer Key, and content regarding data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams, see Service encryption with Customer Key.

Data Connectors

Microsoft provides third-party data connectors that can be configured in the Microsoft 365 compliance center. For a list of data connectors provided by Microsoft, see the Third-party data connectors table. This table also summarizes the compliance solutions that you can apply to third-party data after you import and archive data in Microsoft 365, and links to the step-by-step instructions for each connector.

How do users benefit from the service?

The primary benefit of using data connectors to import and archive third-party data in Microsoft 365 is that you can apply various Microsoft 365 compliance solutions to the data after it's been imported. This helps ensure that your organization's non-Microsoft data is in compliance with the regulations and standards that affect your organization.

Which licenses provide the rights for a user to benefit from the service?

The following licenses provide the rights for a user to benefit from Data Connectors:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5 Info Protection & Governance
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/A5/G5 Insider Risk Management
  • Microsoft 365 E5/A5/G5 eDiscovery and Audit
  • Office 365 E5/A5/G5

For data connectors in the Microsoft 365 Security & Compliance Center that are provided by a Microsoft partner, your organization will need a business relationship with the partner before you can deploy those connectors.

How is the service provisioned/deployed?

Connectors are configured using the Security & Compliance Center and Connector Catalog.

How can the service be applied only to users in the tenant who are licensed for the service?

Data Connectors services are a tenant-level value. Every user intended to benefit from this service must be licensed.

Data classification analytics: Overview Content & Activity Explorer

Data classification analytic capabilities are available within the Microsoft 365 compliance center experience. Overview shows the locations of digital content and the most common sensitive information types and labels present. Content Explorer provides visibility into the amount and types of sensitive data and allows users to filter by label or sensitivity type to get a detailed view of the locations where the sensitive data is stored. Activity Explorer shows activities related to sensitive data and labels, such as label downgrades or external sharing that could expose your content to risk.

Activity Explorer provides a single pane of glass for admins to get visibility into activities that are related to sensitive information being used by end users. These data include label activities, data loss prevention (DLP) logs, auto-labeling, Endpoint DLP, and more.

Content Explorer provides admins the ability to index the sensitive documents that are stored within supported Microsoft 365 workloads and identify the sensitive information that they are storing. In addition, Content Explorer helps identify documents that are classified with sensitivity and retention labels.

How do users benefit from the service?

Information protection and compliance admins can use the service to access these logs and indexed data, in order to understand where sensitive data is stored and which activities related to this data are performed by end users.

Which licenses provide the rights for a user to benefit from the service?

Licensed users of Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection & Governance and Office 365 E5 can benefit from Microsoft 365 data classification analytics.

Microsoft 365 E3/A3/G3 and Office 365 E3/A3/G3 allow users to benefit from Content Explorer data aggregation only.

How is the service provisioned/deployed?

By default, Overview Content and Activity Explorer features are enabled at the tenant level for all users within the tenant. For information on configuring data classification analytics for licensed users, see:

How can the service be applied only to users in the tenant who are licensed for the service?

This feature needs to be scoped to users who actively use the solution within the Microsoft 365 compliance portal.

Data Loss Prevention for Teams

With Communication DLP for Teams, organizations can block chats and channel messages that contain sensitive information, such as financial information, personally identifying information, health-related information, or other confidential information.

Which users benefit from the service?

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

How do users benefit from the service?

Senders benefit by having their outgoing chat and channel messages inspected for sensitive information, as configured in the organization's DLP policy.

How is the service provisioned/deployed?

By default, Teams chat and channel messages are an enabled location (workload) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center, under Data loss prevention > Locations.

Data loss prevention for Exchange Online, SharePoint Online, and OneDrive for Business

With Office 365 data loss prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business, organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization's DLP policy.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E3/A3/Business Premium, Office 365 E3/A3, and Office 365 Data Loss Prevention and F5 Compliance and F5 Security & Compliance provide the rights for a user to benefit from Office 365 DLP for Exchange Online, SharePoint Online, and OneDrive for Business.

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center, under Data loss prevention > Locations.

Double Key Encryption for Microsoft 365

Double Key Encryption for Microsoft 365 lets you protect your highly sensitive data to meet specialized requirements and maintain full control of your encryption key. Double Key Encryption uses two keys to protect your data, with one key in your control and the second key stored securely by Microsoft Azure. To view the data, you must have access to both keys. Since Microsoft can access only one key, your key and also your data are unavailable to Microsoft, ensuring that you have full control over the privacy and security of your data.

How do users benefit from the service?

Users benefit from Double Key Encryption by being able to migrate their encrypted data to the cloud, which prevents third-party access as long as the key remains in control of the users. Users can protect and consume Double Key Encrypted content similar to any other sensitivity label protected content.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance, Office 365 E5/A5/G5 and EMS E5 provide the rights for a user to benefit from Double Key Encryption.

How is the service provisioned/deployed?

Double Key Encryption supports the desktop version of Microsoft Office for Windows.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Double Key Encryption deployment instructions.

eDiscovery

eDiscovery provides investigation and eDiscovery solutions for IT and legal departments within corporations to identify, collect, preserve, reduce, and review content related to an investigation or litigation prior to export out of the Microsoft 365 system.

How do users benefit from the service?

A user benefits from Advanced eDiscovery when the user is selected as a data custodian (a person having administrative control of a document or electronic file) for a case.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5/E3/A3/G3, Office 365 E5/A5/G5/E3/A3/G3 and F5 Compliance and F5 Security & Compliance provide the rights for a user to benefit from Core eDiscovery.

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/G5 eDiscovery and Audit, and Office 365 E5/A5/G5 provide the rights for a user to benefit from Advanced eDiscovery.

How is the service provisioned/deployed?

By default, Advanced eDiscovery features are enabled at the tenant level for all users within the tenant when admins assign eDiscovery permissions in the Security & Compliance Center.

How can the service be applied only to users in the tenant who are licensed for the service?

eDiscovery administrators can select specific users as data custodians for a case by using the built-in custodian management tool in Advanced eDiscovery as described in Add custodians to an Advanced eDiscovery case.

Information Barriers

Information Barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that shouldn't be shared with other departments, or a group needs to be prevented from communicating with outside contacts. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you should not be communicating with, you won't find that user in the people picker.

How do users benefit from the service?

Users benefit from the advanced compliance capabilities of information barriers when they're restricted from communicating with others. Information barrier policies can be defined to prevent certain segments of users from communicating with each other, or to allow specific segments to communicate only with certain other segments. For more information on defining information barrier policies, see Define information barrier policies. For scenarios in which two groups cannot communicate with each other, users in both groups require a license to benefit from the service (see the example below).

Scenario: Two groups (Group 1 and Group 2) cannot communicate with each other (that is, Group 1 users are restricted from communicating with Group 2 users, and Group 2 users are restricted from communicating with Group 1 users).
Who requires a license? Users in both Group 1 and Group 2

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/G5 Insider Risk Management, and Office 365 E5/A5/G5, provide the rights for a user to benefit from information barriers.

How is the service provisioned/deployed?

Admins create and manage information barrier policies by using PowerShell cmdlets in the Security & Compliance Center. Admins must be assigned the Microsoft 365 Enterprise Global Administrator, Office 365 Global Administrator, or Compliance Administrator role to create an information barrier policy. By default, these policies apply to all users in the tenant. For more information about information barriers, see Information barriers in Microsoft Teams.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center. For example, if all users are licensed for Office 365 E3, and none are licensed for Office 365 Advanced Compliance/E5, they wouldn't need to create any information barrier policies for the organization. For more information, see Information barriers in Microsoft Teams.

Information Protection

Information Protection helps organizations discover, classify, label, and protect sensitive documents and emails. Admins can define rules and conditions to apply labels automatically, users can apply labels manually, or a combination of the two can be used—where users are given recommendations on applying labels.

How do users benefit from the service?

Users benefit by having the ability to manually apply sensitivity labels to their content or by having their content automatically classified.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium, F5 Compliance and F5 Security & Compliance, Enterprise Mobility + Security E3/E5, M365 E5/A5/G5, Office 365 E5/A5/E3/A3/F3, AIP Plan 1, and AIP Plan 2 provide the rights for a user to benefit from manual sensitivity labeling.

Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium, Enterprise Mobility + Security E3/E5, AIP Plan 1, AIP Plan 2, F5 Compliance, and F5 Security & Compliance provide the rights for a user to benefit from applying and viewing sensitivity labels in Power BI and to protect data when it's exported from Power BI to Excel, PowerPoint, or PDF.

Microsoft 365 Business Premium and Enterprise Mobility provide the rights to use the AIPService PowerShell module to administer the Azure Rights Management protection service for Azure Information Protection.

Note

Power BI is included with Microsoft 365 E5/A5/G5; in all other plans, Power BI must be licensed separately.

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 E5/A5/G5 Information Protection and Governance, Office 365 E5, Enterprise Mobility + Security E5/A5/G5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling.

Information Protection does not include rights to automatic classification based on Machine Learning (trainable classifiers).

How is the service provisioned/deployed?

By default, information protection features are enabled at the tenant level for all users within the tenant. For information on configuring policies for licensed users, see Activating Azure Rights Management.

How can the service be applied only to users in the tenant who are licensed for the service?

Except when using the AIP scanner feature, policies can be scoped to specific groups or users, and registry settings can be edited to prevent unlicensed users from running classification or labeling features.

For the AIP scanner feature, Microsoft does not commit to providing file classification, labeling, or protection capabilities to users who are not licensed.

For more information, see Create and publish sensitivity labels and Understanding the Azure Information Protection unified labeling scanner.

Information Governance

Information Governance helps organizations manage their risk through discovering, classifying, labeling, and governing their data. Information Governance lets organizations meet business and regulatory requirements as well as reduce their attack surface by providing retention and deletion capabilities across their Microsoft 365 and third-party data.

How do users benefit from the service?

Users benefit by being able to classify data for retention purposes to uphold specific policies and regulations.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 F3/Business Premium, Office 365 E5/A5/G5/E3/A3/G3/E1/A1/G1/F3, and standalone Exchange plans provide the rights for a user to benefit from manually applying non-record retention labels to mailbox data.

Microsoft 365 F3/F1/Business Premium, Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1, and standalone SharePoint plans provide the rights for a user to benefit from manually applying non-record retention labels to files in SharePoint or OneDrive.

Microsoft 365 E5/A5/G5/E3/A3/Business Premium, Office 365 E5/A5/G5/E3/A3, Exchange Plan 2, and Exchange Online Archiving provide the rights for a user to benefit from a basic organization-wide or location-wide mailbox retention policy.

Microsoft 365 E5/A5/G5/E3/A3, Office 365 E5/A5/G5/E3/A3, and SharePoint Plan 2 provide the rights for a user to benefit from a basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.

Organizations can use retention policies to keep or delete Teams messages according to their policies. This includes managing messages in Teams chats and conversations.

The following licenses provide the rights for a user to benefit from a Teams retention policy:

  • Microsoft 365 E5/G5/A5/E3/G3/A3/F3/F1, Business Basic, Business Standard, and Business Premium
  • Office 365 E5/G5/A5/E3/G3/A3/F3/E1/G1

For users with the following licenses, the supported minimum retention or deletion period is 30 days:

  • Microsoft 365 F1/F3, Business Basic, Business Standard, and Business Premium
  • Office 365 E1/G1 and F3

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 Information Protection and Governance E5/A5/G5, and Office 365 E5/A5 provide the rights for a user to benefit from automatically applying retention labels or policies, applying default retention labels or policies, starting the retention period of a retention label based on a custom event, triggering a manual disposition review at the end of the label's retention period, importing third-party data through native data connectors, declaring a file a record, discovering labeled content, and monitoring labeling activity.

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/G5 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention labels based on trainable classifiers.

How is the service provisioned/deployed?

By default, Information Governance features are enabled at the tenant level for all users within the tenant. For information on configuring Information Governance to apply autolabeling and policies for licensed users, see Microsoft Information Governance in Microsoft 365.

How can the service be applied only to users in the tenant who are licensed for the service?

Information Governance features can be applied to licensed users in specific locations (team sites, group sites, etc.). For information on configuring Information Governance to apply autolabeling and policies for licensed users, see Microsoft Information Governance in Microsoft 365.

Insider Risk Management

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by letting you detect, investigate, and take action on risky activities in your organization.

Custom policies allow you to detect and take action on malicious and inadvertently risky activities in your organization, including escalating cases to Microsoft Advanced eDiscovery, if needed. Risk analysts in your organization can quickly take appropriate actions to make sure that users are compliant with your organization's compliance standards.

How do users benefit from the service?

Users benefit by having their activities monitored for risk.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/G5 Insider Risk Management provide the rights for a user to benefit from Insider Risk Management.

How is the service provisioned/deployed?

Insider Risk Management policies must be created in the Microsoft 365 compliance center and assigned to users.

How can the service be applied only to users in the tenant who are licensed for the service?

When creating a policy in the Microsoft 365 compliance center, on the Choose users and groups page, select Choose users or groups to select only licensed users, or, if all of your users are licensed, you may select the All users and mail-enabled groups check box. For more information, see Get started with insider risk management.

Microsoft Defender for Identity

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats.

How do users benefit from the service?

SecOps analysts and security professionals benefit from the ability of Microsoft Defender for Identity to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit by having their data monitored by Microsoft Defender for Identity.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft F5 Security & Compliance, and Microsoft Defender for Identity for Users provide the rights to benefit from Microsoft Defender for Identity.

How is the service provisioned/deployed?

By default, Microsoft Defender for Identity features are enabled at the tenant level for all users within the tenant. For information on configuring Microsoft Defender for Identity (formerly Azure ATP), see Create your Microsoft Defender for Identity instance.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Defender for Identity services aren't currently capable of limiting capabilities to specific users. You must license every user you intend to benefit.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. Microsoft Defender for Office 365 also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

How do users benefit from the service?

Microsoft Defender for Office 365 protects users from sophisticated attacks such as phishing and zero-day malware. For the full list of services provided in Plan 1 and Plan 2, see Microsoft Defender for Office 365.

Which licenses provide the rights for a user to benefit from the service?

Microsoft Defender for Office 365 Plans 1 and 2, Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft 365 F5 Security & Compliance, and Microsoft 365 Business Premium provide the rights for a user to benefit from Microsoft Defender for Office 365.

How is the service provisioned/deployed?

By default, Microsoft Defender for Office 365 features are enabled at the tenant level for all users within the tenant. For information on configuring Microsoft Defender for Office 365 policies for licensed users, see Microsoft Defender for Office 365.

How can the service be applied only to users in the tenant who are licensed for the service?

To scope Microsoft Defender for Office 365, follow the Safe Links and Safe Attachments deployment policies:

Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives organizations visibility into their cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across any cloud app.

How do users benefit from the service?

MCAS discovers and assesses Shadow IT, provides threat protection across first- and third-party cloud apps, and protects information across first- and third-party cloud apps.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, and Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from MCAS.

Azure AD P1 provides the rights for a user to benefit from the Discovery capabilities in MCAS.

To benefit from the Conditional Access App Control capabilities in MCAS, users must also be licensed for Azure Active Directory P1, which is included in Enterprise Mobility + Security F1/F3/E3/A3/G3, Enterprise Mobility + Security E5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, and Microsoft 365 E5/A5/G5/F5 Security and Microsoft 365 F5 Security & Compliance.

To benefit from automatic client-side labeling, users must be licensed for Azure Information Protection P2, which is included in Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, and Microsoft 365 Information Protection and Governance.

Note

Automatic server-side labeling requires Information Protection for Office 365 - Premium licenses (MIP_S_CLP2 or efb0351d-3b08-4503-993d-383af8de41e3). For reference, see Product names and service plan identifiers for licensing.

For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How is the service provisioned/deployed?

By default, MCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring Microsoft Cloud App Security policies for licensed users, see Microsoft Cloud App Security overview.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope MCAS deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped deployment.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) is an endpoint security solution that includes risk-based vulnerability management and assessment; attack surface reduction capabilities; behavior-based and cloud-powered next-generation protection; endpoint detection and response (EDR); automatic investigation and remediation; and managed hunting services. See the Microsoft Defender for Endpoint page to learn more.

Which users benefit from the service?

Licensed users of Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5/G5, which includes Windows 10 Enterprise E5, Microsoft 365 E5/A5/G5/F5 Security, and Microsoft 365 F5 Security & Compliance can benefit from Microsoft Defender for Endpoint.

How do users benefit from the service?

SecOps analysts and security professionals benefit from endpoint security capabilities of Microsoft Defender for Endpoint to do preventative protection, post-breach detection, automated investigation, and response to advanced threats. End users benefit by having malicious events monitored by Microsoft Defender for Endpoint.

How is the service provisioned/deployed?

By default, Microsoft Defender for Endpoint features are enabled at the tenant level for all users within the tenant. For information on deployment, see Deployment phases.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Defender for Endpoint administrators can use role-based access control (RBAC) to create roles and groups within the security operations team to grant appropriate access to the Microsoft Defender Security Center. For more information, see Manage portal access using role-based access control.

Microsoft Graph APIs for Teams Data Loss Prevention (DLP)

This API lets developers build apps that can listen to Microsoft Teams messages in near-real time and enable DLP scenario implementations for both customers and ISVs. Additionally, Microsoft Graph Patch API allows applying DLP actions to Teams messages.

How do users benefit from the service?

Data loss prevention (DLP) capabilities are widely used in Microsoft Teams, particularly as organizations have shifted to remote work. If your organization has DLP, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/A5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

How is the service provisioned/deployed?

API access is configured at the tenant level.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Graph API for Teams DLP is a tenant-level value. Every user intended to benefit from this service must be licensed.

Office 365 Advanced Message Encryption

Office 365 Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption, admins can control sensitive emails shared outside the organization by using automatic policies that can detect sensitive information types (for example, personally identifying information, or financial or health IDs), or they can use keywords to enhance protection by applying custom email templates and expiring access to encrypted emails through a secure web portal. Additionally, admins can further control encrypted emails accessed externally through a secure web portal by revoking access at any time.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Advanced Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/G5 Information Protection and Governance provide the rights for a user to benefit from Advanced Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Advanced Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Advanced Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.

Office 365 Cloud App Security

Office 365 Cloud App Security (OCAS) is a subset of Microsoft Cloud App Security, with features limited to Office 365 and without additional security for third-party cloud apps and IaaS services.

OCAS gives organizations visibility into their productivity cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across Office 365.

To compare features, see Differences between Microsoft Cloud App Security and Office 365 Cloud App Security.

How do users benefit from the service?

OCAS discovers Shadow IT, provides threat protection across Office 365, and can control which apps have permission to access data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A3/A5/G5 provide the rights for a user to benefit from OCAS. For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How is the service provisioned/deployed?

By default, OCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring the service, see Basic setup for Cloud App Security.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope OCAS deployments to enforce how certain apps are accessed and limit user groups monitored by Office 365 Cloud App Security. For more information, see Scoped deployment.

Office 365 Customer Lockbox

Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox may also help organizations meet certain compliance obligations such as HIPAA and FedRAMP.

How do users benefit from the service?

Customer Lockbox ensures that no one at Microsoft can access customer content to perform a service operation without the customer's explicit approval. Customer Lockbox brings the customer into the approval workflow for requests to access their content. Occasionally, Microsoft engineers are involved during the support process to troubleshoot and fix customer-reported issues. In most cases, issues are fixed through extensive telemetry and debugging tools that Microsoft has in place for its services. However, there may be cases that require a Microsoft engineer to access customer content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow. This gives organizations the option to approve or deny these requests, which gives them direct control over whether a Microsoft engineer can access the organizations' end-user data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/G5 Insider Risk Management provide the rights for a user to benefit from Customer Lockbox.

How is the service provisioned/deployed?

Admins can turn on Customer Lockbox in the Microsoft 365 admin center. For more information, see Customer Lockbox in Office 365. When Customer Lockbox is turned on, Microsoft is required to obtain an organization's approval prior to accessing any of their content.

How can the service be applied only to users in the tenant who are licensed for the service?

Currently, the Customer Lockbox service can't be limited to specific users. Although the tenant services are not currently capable of limiting benefits to specific users, efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption once targeting capabilities are available.

Office 365 Message Encryption

Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).

To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a subscription to view encrypted messages or send encrypted replies.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Office 365 Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E3/A3/G3, Office 365 E3/A3/G3, and Azure Information Protection Plan 1 provide the rights for a user to benefit from Office 365 Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Office 365 Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Office 365 Message Encryption capabilities, see Set up new Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Office 365 Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages.
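One way to scope the mail flow rules described above for Office 365 Message Encryption and for Advanced Message Encryption to licensed senders only, as an added PowerShell example that is not from the original page or Microsoft's documentation; the group address, rule names, keyword and expiry value are assumptions.

```powershell
# Added example (not from the original page): scope Message Encryption mail flow
# rules to a group that holds only licensed users, instead of the tenant-wide default.
# Assumptions: the ExchangeOnlineManagement module is installed, and a mail-enabled
# security group (hypothetical address below) contains exactly the licensed senders.
Connect-ExchangeOnline

$licensedGroup = "OME-Licensed-Users@contoso.example"   # hypothetical group address

# Office 365 Message Encryption: encrypt mail from licensed senders to external
# recipients when it carries a credit card number. FromMemberOf limits the rule to
# the group; senders outside it are not affected and therefore get no benefit.
New-TransportRule -Name "OME - encrypt sensitive external mail (licensed senders)" `
    -FromMemberOf $licensedGroup `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -ApplyRightsProtectionTemplate "Encrypt"

# Advanced Message Encryption: an OME configuration whose portal access expires
# after 7 days (assumed value), again applied only to mail from the licensed group.
New-OMEConfiguration -Identity "Expiring External Mail" -ExternalMailExpiryInDays 7

New-TransportRule -Name "AME - expiring portal access (licensed senders)" `
    -FromMemberOf $licensedGroup `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyRightsProtectionCustomizationTemplate "Expiring External Mail"

# Verification: every encryption rule in the tenant should carry a FromMemberOf
# scope; a rule with an empty FromMemberOf applies to unlicensed senders too.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate -or $_.ApplyRightsProtectionCustomizationTemplate } |
    Select-Object Name, FromMemberOf, SentToScope, State
```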

Privileged access management in Office 365

Privileged access management (PAM) provides granular access control over privileged admin tasks in Office 365. After enabling PAM, to complete elevated and privileged tasks, users will need to request just-in-time access through an approval workflow that is highly scoped and time-bound.

How do users benefit from the service?

Enabling PAM lets organizations operate with zero standing privileges. Users benefit from the added layer of defense against vulnerabilities arising from standing administrative access that provides unfettered access to their data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5 Information Protection and Governance provide the rights for a user to benefit from PAM.

How is the service provisioned/deployed?

By default, PAM features are enabled at the tenant level for all users within the tenant. For information on configuring PAM policies, see Get started with privileged access management.

How can the service be applied only to users in the tenant who are licensed for the service?

Customers can manage PAM on a per-user basis through approver group and access policies, which can be applied to licensed users. For more information, see Privileged access management in Office 365.

Records Management

Records Management helps organizations meet their business and regulatory record-keeping obligations through discovering, classifying, labeling, retention, and defensible deletion capabilities across their Microsoft 365 and third-party data.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, Microsoft 365 Information Protection and Governance E5/A5/G5, and Office 365 E5/A5/G5 provide the rights for a user to benefit from Records Management, including declaring items as records or regulatory records, automatically applying retention or record labels, and executing disposition review processes (excluding automatically applying a retention label based on trainable classifiers).

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention or record labels based on trainable classifiers.

How do users benefit from the service?

Users benefit by being able to declare content as a record and manage their full records process from policy definition and declaration through defensible disposal.

How is the service provisioned/deployed?

By default, Records Management features are enabled at the tenant level for all users within the tenant. For information on configuring Records Management to apply for licensed users, see Learn about records management in Microsoft 365.

How can the service be applied only to users in the tenant who are licensed for the service?

Records Management features can be applied to licensed users in specific locations (team sites, group sites, etc.). For information on configuring Records Management to apply for licensed users, see Learn about records management in Microsoft 365.