Skip to content
Griffin31 Help Center

Microsoft 365 Tenant Level Service Licensing Guide

Microsoft 365 Tenant-Level Service Licensing Guide

Section titled “Microsoft 365 Tenant-Level Service Licensing Guide”

Overview

Section titled “Overview”

Microsoft 365 provides security and compliance services that apply across the entire organization, known as tenant-level services. These services help maintain a uniform security and compliance framework but can raise licensing questions when not all users are licensed for specific services.

This guide explains how to configure these services to apply only to licensed users while maintaining compliance and cost-effectiveness.

Information Protection and Governance

Section titled “Information Protection and Governance”

This suite helps manage sensitive information throughout its lifecycle.

Microsoft Purview Information Protection

Section titled “Microsoft Purview Information Protection”
FeatureCapabilityLicensing RequirementsBusiness Value
Sensitivity LabelsClassification and encryption toolsBasic: All users
Advanced: E5 or IP&G add-on		Data protection across emails and documents
Automatic LabelingAI-powered content classificationE5 or IP&G add-on onlyStreamlined compliance automation
Manual LabelingUser-driven classificationAll usersFlexible data governance

Tenant-Level Guidance: Sensitivity labels are tenant-wide, but advanced features like automatic labeling require Microsoft 365 E5 or E5 Information Protection and Governance licenses. Configure label policies to apply only to licensed user groups.

Retention and Deletion Policies

Section titled “Retention and Deletion Policies”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic RetentionStandard data retention rulesAll usersRegulatory compliance
Event-Based RetentionTrigger-based retentionE5 Compliance onlyDynamic compliance management
Disposition ReviewManual review before deletionE5 Compliance onlyEnhanced governance control

Tenant-Level Guidance: Advanced retention features require E5 Compliance licenses. Scope policies to specific groups or locations where licensed users reside.

Insider Risk Management

Section titled “Insider Risk Management”

A suite of tools designed to manage potential risks originating from internal users.

Core Features

Section titled “Core Features”
FeatureCapabilityLicensing RequirementsBusiness Value
Risk DetectionBehavioral analysis for threatsE5 Compliance/SecurityProactive threat identification
Investigation ToolsTimeline analysis and evidenceE5 Compliance/SecurityComprehensive incident response
Communication CompliancePolicy violation monitoringE5 Compliance/SecurityRegulatory adherence

Tenant-Level Guidance: Configure policies to target specific licensed user groups. Risk detection and investigation apply only to users with E5 Compliance or E5 Security licenses.

Compliance Solutions

Section titled “Compliance Solutions”

Tools that help organizations meet regulatory obligations and manage legal compliance.

Microsoft Purview Compliance Manager

Section titled “Microsoft Purview Compliance Manager”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic Compliance TrackingStandard compliance scorecardsAll usersCompliance visibility
Risk AssessmentsAdvanced risk analysisE5 Compliance onlyEnhanced compliance management
Third-Party AssessmentsExternal regulatory complianceE5 Compliance onlyIndustry-specific compliance

Advanced eDiscovery

Section titled “Advanced eDiscovery”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic eDiscoveryStandard search and exportAll usersLegal investigation support
Advanced eDiscoveryAI-powered analyticsE5 Compliance onlyEnhanced legal capabilities

Tenant-Level Guidance: Scope eDiscovery cases to specific custodians or data locations associated with licensed users.

Data Loss Prevention (DLP)

Section titled “Data Loss Prevention (DLP)”

DLP policies prevent the sharing of sensitive information outside the organization.

DLP Capabilities

Section titled “DLP Capabilities”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic DLPStandard sensitive data protectionAll usersFundamental data protection
Exact Data MatchCustom sensitive data patternsE5 or IP&G add-onPrecise data classification
Advanced SITsEnhanced sensitive information typesE5 or IP&G add-onComprehensive data protection

Tenant-Level Guidance: Configure targeted DLP rules focusing on specific user groups or locations with appropriate licenses.

Privileged Access Management

Section titled “Privileged Access Management”

Provides granular control over high-value systems and data access.

PAM Features

Section titled “PAM Features”
FeatureCapabilityLicensing RequirementsBusiness Value
Just-in-Time AccessTemporary privileged accessE5 Security onlyReduced attack surface
Access ApprovalMulti-level authorizationE5 Security onlyEnhanced security control
Audit LoggingComprehensive access trackingE5 Security onlyCompliance reporting

Tenant-Level Guidance: Restrict PAM to specific roles or groups with E5 Security licenses.

Microsoft Defender Security Suite

Section titled “Microsoft Defender Security Suite”

Defender for Identity

Section titled “Defender for Identity”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic Identity ProtectionStandard threat detectionAll usersIdentity security foundation
Advanced Identity ProtectionBehavioral analyticsE5 Security onlySophisticated threat detection

Defender for Office 365

Section titled “Defender for Office 365”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic ProtectionStandard email securityAll usersEssential email protection
Safe Attachments/LinksAdvanced threat scanningE5 Security or P2Enhanced email security

Defender for Endpoint

Section titled “Defender for Endpoint”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic Endpoint ProtectionStandard antivirusAll usersDevice security foundation
EDR & AIRAdvanced detection and responseE5 Security or P2Comprehensive endpoint security

Defender for Cloud Apps

Section titled “Defender for Cloud Apps”
FeatureCapabilityLicensing RequirementsBusiness Value
Basic CASBCloud app visibilityAll usersCloud security foundation
App GovernanceAdvanced cloud controlE5 Security or standaloneEnhanced cloud management

Licensing Configuration Best Practices

Section titled “Licensing Configuration Best Practices”

Scoping Strategies

Section titled “Scoping Strategies”
StrategyImplementationBenefit
Group-Based TargetingCreate license-specific security groupsPrecise license management
Location-Based ScopingTarget specific SharePoint/OneDrive sitesFocused protection
Policy SegmentationSeparate policies for different license tiersClear compliance boundaries

Configuration Steps

Section titled “Configuration Steps”

  1. Identify Licensed Users

    • Create security groups for each license type
    • Maintain up-to-date group memberships

  2. Scope Policies Appropriately

    • Apply advanced features only to licensed groups
    • Use location-based targeting for content services

  3. Monitor Compliance

    • Regular audit of policy applications
    • Review license utilization reports

Conclusion

Section titled “Conclusion”

Key Takeaway: While tenant-level services in Microsoft 365 provide organization-wide security and compliance, advanced features must be scoped to licensed users to maintain licensing compliance and cost-effectiveness.

By implementing proper configuration strategies through group-based targeting, location-based scoping, and policy segmentation, organizations can leverage the full power of Microsoft 365’s security and compliance tools while ensuring only licensed users benefit from advanced features.

This approach enables organizations to maintain robust security postures, achieve regulatory compliance, and optimize their Microsoft 365 investment through strategic license management.