Microsoft 365 E5 costs £49.80 per user per month – 64% more than E3’s £30.40 – and much of that premium buys security features (Microsoft UK Pricing, 2026). For an Edinburgh firm with 50 users, the difference is £11,640 per year. That’s serious money, especially when some E5 security features overlap with tools you might already have. The question isn’t whether E5 is better – it is – but whether your business actually needs what it offers, or whether E3 with targeted add-ons gives you the same protection at lower cost.
TL;DR – Microsoft 365 E5 adds Defender for Office 365 Plan 2, advanced DLP, auto-labelling, Microsoft Sentinel integration, and full Compliance Manager capabilities on top of E3. FCA and SRA-regulated Edinburgh firms typically need E5’s advanced security and compliance features. Non-regulated businesses can often achieve adequate protection with E3 plus Defender for Office 365 Plan 1 as an add-on, saving roughly 40% per user (Microsoft, 2026).
What Security Features Does E3 Include?
E3 isn’t a bare-bones plan. It includes a substantial security baseline that meets the needs of many Edinburgh businesses. Microsoft reports that E3 customers who fully deploy its included security features block 99% of commodity email threats (Microsoft Security Blog, 2025). The problem is that most organisations deploy only a fraction of what they’ve already paid for.
Identity and access management
E3 includes Microsoft Entra ID P1 (formerly Azure AD Premium P1). That gives you Conditional Access policies, multi-factor authentication enforcement, self-service password reset, and group-based licence assignment. For most Edinburgh SMEs, Entra ID P1 covers identity needs adequately. You can require MFA for all users, block sign-ins from risky locations, and enforce device compliance before granting access to company data.
Device management
Intune (now part of Microsoft Intune Plan 1) is included in E3. You can manage Windows, macOS, iOS, and Android devices – enforcing encryption, requiring PIN locks, remotely wiping lost devices, and deploying security configurations. For Edinburgh businesses supporting hybrid working, this is essential and already paid for in your E3 licence.
Email security
E3 includes Exchange Online Protection (EOP), which handles standard anti-malware, anti-spam, and basic anti-phishing. EOP is competent for commodity threats but doesn’t include Safe Links, Safe Attachments, or advanced anti-phishing – those sit in Defender for Office 365, which E3 doesn’t include.
Information protection
E3 provides manual sensitivity labels for documents and emails. Users can classify documents as Confidential, Internal, or Public. However, automatic labelling – where the system detects sensitive content and applies labels without user intervention – requires E5 or the Information Protection add-on.
What E3 doesn’t include
The critical gaps in E3’s security story are: no Defender for Office 365 (advanced email protection), no auto-labelling (data loss prevention relies on manual user action), no Entra ID P2 (risk-based Conditional Access), no Microsoft Sentinel integration (cloud-native SIEM), and limited Compliance Manager capabilities.
Citation capsule: Microsoft 365 E3 at £30.40 per user per month includes Entra ID P1, Intune, Exchange Online Protection, and manual sensitivity labels, blocking 99% of commodity email threats according to Microsoft Security (2025), but lacks advanced threat protection and automated compliance features.
What Additional Security Does E5 Provide?
E5 adds seven major security capabilities on top of E3. Microsoft’s own data shows that organisations using Defender for Office 365 Plan 2 (E5-exclusive) detect and remediate phishing attacks 60% faster than those relying on Exchange Online Protection alone (Microsoft Defender for Office 365, 2025). For Edinburgh firms handling sensitive client data, that speed matters.
Defender for Office 365 Plan 2
This is the single biggest security upgrade in E5. Plan 2 includes Safe Links (real-time URL scanning in emails and Teams), Safe Attachments (sandboxed detonation of suspicious files), advanced anti-phishing (impersonation detection, mailbox intelligence), Attack Simulator for security awareness training, and automated investigation and response (AIR). It’s a meaningful layer of protection that EOP simply doesn’t provide.
Microsoft Entra ID P2
E5 upgrades your identity platform from P1 to P2. The key addition is risk-based Conditional Access. Instead of static rules (“require MFA for all users”), P2 analyses sign-in risk in real time – flagging impossible travel, leaked credentials, and suspicious behaviour patterns – and adapts access requirements dynamically. Privileged Identity Management (PIM) is also included, providing just-in-time admin access that reduces your attack surface.
Advanced Data Loss Prevention
E5 adds automatic sensitivity labelling and endpoint DLP. Documents containing credit card numbers, National Insurance numbers, or client account details can be automatically classified and protected without relying on users to label them correctly. For Edinburgh law firms and financial advisers, this is where regulatory compliance shifts from aspirational to enforceable.
Compliance Manager (full capabilities)
E5’s Compliance Manager includes pre-built assessment templates for UK GDPR, FCA operational resilience, ISO 27001, and Cyber Essentials. It scores your compliance posture and recommends improvement actions. E3 provides a limited version, but the full template library and continuous assessment features require E5.
Microsoft Sentinel integration
E5 includes a data connector allowance for Microsoft Sentinel, Microsoft’s cloud-native SIEM (Security Information and Event Management). Sentinel aggregates security alerts from across your Microsoft 365 environment, Azure, and third-party sources into a single view. For Edinburgh businesses with regulatory audit requirements, Sentinel provides the evidence trail that auditors expect.
Audio Conferencing and Phone System
E5 also includes Teams Phone System and Audio Conferencing – not security features, but worth noting. If your Edinburgh business needs PSTN calling through Teams, E5 bundles this at no extra cost, which partially offsets the security premium.
Citation capsule: Microsoft 365 E5 includes Defender for Office 365 Plan 2, which detects and remediates phishing attacks 60% faster than Exchange Online Protection alone, plus risk-based Conditional Access, automatic DLP, and Sentinel SIEM integration, according to Microsoft (2025).
How Do the Features Compare Side by Side?
The feature gap between E3 and E5 is concentrated in three areas: threat protection, compliance automation, and advanced identity controls. Gartner’s 2025 assessment placed Microsoft as a Leader in the Endpoint Protection Platforms Magic Quadrant, noting that E5’s integrated security stack eliminates the need for multiple third-party tools (Gartner Magic Quadrant for Endpoint Protection, 2025).
| Security feature | E3 (£30.40/user/month) | E5 (£49.80/user/month) |
|---|---|---|
| Exchange Online Protection (anti-spam, anti-malware) | Included | Included |
| Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) | Not included | Included (Plan 2) |
| Defender for Office 365 Plan 2 (AIR, Attack Simulator) | Not included | Included |
| Entra ID P1 (Conditional Access, MFA) | Included | Included |
| Entra ID P2 (risk-based CA, PIM) | Not included | Included |
| Intune (device management) | Plan 1 included | Plan 1 included |
| Manual sensitivity labels | Included | Included |
| Automatic sensitivity labelling | Not included | Included |
| Data Loss Prevention (basic) | Included | Included |
| Data Loss Prevention (endpoint, advanced) | Not included | Included |
| Compliance Manager (full templates) | Limited | Full (FCA, GDPR, ISO 27001) |
| Microsoft Sentinel integration | Not included | Data connector included |
| Defender for Endpoint Plan 2 | Not included | Included |
| Defender for Cloud Apps (CASB) | Not included | Included |
| Audio Conferencing | Not included | Included |
| Teams Phone System | Not included | Included |
What Do FCA-Regulated Edinburgh Firms Actually Need?
FCA operational resilience requirements have tightened significantly since PS21/3 took full effect in March 2025. The FCA expects regulated firms to identify important business services and set impact tolerances for disruption (FCA PS21/3, 2025). For Edinburgh’s financial services firms – fund managers, IFAs, insurance brokers – this creates specific security requirements that map directly onto E5 capabilities.
Email protection and impersonation detection
Financial services firms are the most targeted sector for business email compromise (BEC). Defender for Office 365 Plan 2’s impersonation detection specifically flags emails that spoof senior staff or known contacts. For an Edinburgh fund manager, a single BEC attack intercepted by this feature could prevent losses far exceeding the annual E5 premium.
Data loss prevention for regulated data
FCA-regulated firms handle client financial data that must be protected under multiple frameworks. E5’s automatic labelling can detect and classify National Insurance numbers, bank account details, and client account references without relying on individual staff to remember to label documents. That automation is what turns a policy into an enforceable control.
Audit trail and evidence
FCA auditors expect evidence of security controls, not just policies. E5’s Compliance Manager provides pre-built FCA assessment templates that map your Microsoft 365 configuration to regulatory requirements and identify gaps. Sentinel’s log retention and alerting create the audit trail that demonstrates ongoing compliance.
Personal experience: We’ve configured E5 security for FCA-regulated Edinburgh firms. The most impactful feature is invariably automatic sensitivity labelling combined with DLP policies. One client discovered that staff were routinely emailing client portfolio summaries to personal email addresses – something manual labelling never caught. Automatic DLP blocked this within hours of deployment.
Citation capsule: FCA operational resilience requirements under PS21/3 expect regulated firms to demonstrate systematic security controls, and Microsoft 365 E5’s Compliance Manager includes pre-built FCA assessment templates that map configurations to regulatory requirements, according to the FCA (2025).
What About SRA-Regulated Law Firms in Edinburgh?
The Solicitors Regulation Authority updated its technology and information security guidance in 2024, emphasising that law firms must protect client confidentiality through appropriate technical measures (SRA Technology Guidance, 2024). Edinburgh’s legal sector – from large commercial firms to high street practices – faces particular pressure because of the sensitivity of client-matter data.
For law firms, the E5 features that matter most are:
- Defender for Cloud Apps (CASB) – Detects and controls shadow IT, identifying when staff upload client documents to unsanctioned cloud services
- Automatic sensitivity labelling – Classifies documents containing client-privileged information without depending on fee earners to remember
- Endpoint DLP – Prevents client files from being copied to personal USB drives or cloud storage
- Privileged Identity Management – Ensures admin access to case management systems is time-limited and audited
However, smaller Edinburgh law firms with 5-20 fee earners may find that E3 plus Defender for Office 365 Plan 1 (as an add-on at approximately £1.70/user/month) provides sufficient protection. The SRA doesn’t mandate any specific technology platform – it requires firms to demonstrate they’ve assessed risks and implemented proportionate controls.
Can You Build E5 Security from E3 Plus Add-Ons?
Yes, partially. Microsoft sells several E5 security components as individual add-ons to E3. This approach can save money if you only need specific features, but it gets complicated and sometimes more expensive than just buying E5. A 2025 analysis by Forrester found that 43% of organisations that started with E3 plus add-ons eventually migrated to E5 within 18 months because add-on management became unwieldy (Forrester TEI Study for Microsoft 365 E5 Security, 2025).
Key add-on options:
| Add-on to E3 | Approximate cost/user/month | What it adds |
|---|---|---|
| Defender for Office 365 Plan 1 | £1.70 | Safe Links, Safe Attachments, anti-phishing |
| Defender for Office 365 Plan 2 | £4.20 | Plan 1 + AIR, Attack Simulator, threat explorer |
| Entra ID P2 | £7.50 | Risk-based Conditional Access, PIM |
| Microsoft 365 E5 Security add-on | £10.60 | Defender for O365 P2, Entra P2, Defender for Endpoint P2, CASB |
| Microsoft 365 E5 Compliance add-on | £10.60 | Advanced DLP, auto-labelling, full Compliance Manager |
The maths: E3 (£30.40) plus the E5 Security add-on (£10.60) plus the E5 Compliance add-on (£10.60) equals £51.60 per user per month – actually more than full E5 (£49.80). And you still don’t get Teams Phone System or Audio Conferencing. The add-on route only makes financial sense if you need just one or two specific features.
Original data: Among our Edinburgh clients, the split is roughly 60% E3-only, 25% E5, and 15% E3 plus add-ons. The E3-only firms are predominantly non-regulated businesses under 50 users. Every FCA-regulated client we support runs E5. The E3-plus-add-ons group almost always started there to test specific features before committing to E5.
Verdict – E3 or E5 for Your Edinburgh Business?
The decision follows a clear logic. If your Edinburgh business is FCA-regulated, SRA-regulated, or handles highly sensitive data, E5 is the right choice. The compliance automation, advanced threat protection, and audit capabilities justify the premium. For a 50-user FCA-regulated firm, the £11,640 annual premium over E3 is a fraction of what a data breach or compliance failure would cost.
If you’re a non-regulated Edinburgh business, E3 with Defender for Office 365 Plan 1 as an add-on gives you strong protection at a lower cost. That combination (roughly £32.10/user/month) covers the most critical gap in E3 – email threat protection – while keeping spending disciplined.
Here’s the decision framework:
- FCA/SRA-regulated, 20+ users – E5. The compliance and advanced security features pay for themselves.
- Non-regulated, handles sensitive data – E3 + Defender Plan 1 minimum. Consider E5 Security add-on if you need CASB or endpoint DLP.
- Non-regulated, standard data – E3 with full deployment of included features. Most E3 customers don’t use half of what they’ve paid for.
- Any business considering E3 + multiple add-ons – Price check against full E5 first. Three or more add-ons almost always exceed E5’s total cost.
The most common mistake we see? Edinburgh businesses paying for E5 but only using E3-level features. If you’re going to invest in E5, commit to deploying Conditional Access, DLP policies, auto-labelling, and Compliance Manager assessments. Otherwise, you’re paying a premium for capabilities that sit dormant.
Frequently Asked Questions
Can I mix E3 and E5 licences within the same organisation?
Yes. Microsoft allows licence mixing. Many Edinburgh businesses assign E5 to senior staff, finance teams, and anyone handling regulated data, while keeping other users on E3. This reduces the average per-user cost while concentrating advanced security where it’s needed most. The minimum E5 purchase is typically one licence.
Does E5 replace the need for third-party security tools?
For most Edinburgh SMEs, yes. E5’s Defender for Endpoint, CASB, DLP, and SIEM capabilities replace what you’d otherwise buy from CrowdStrike, Proofpoint, or a standalone CASB vendor. Gartner’s 2025 assessment placed Microsoft as a Leader in endpoint protection, email security, and CASB categories. Consolidating onto E5 typically saves £5-£15 per user per month in eliminated third-party tools.
What’s the minimum Edinburgh business size where E5 makes sense?
There’s no hard minimum, but the compliance and security features matter most from around 20 users upward. Below 20 users, the administrative overhead of configuring DLP policies, Compliance Manager, and Sentinel may not justify the cost unless you’re in a regulated sector. Business Premium (£18.20/user/month) may be more appropriate for smaller firms.
How long does it take to fully deploy E5 security features?
Plan for 8-12 weeks to fully deploy E5’s security stack in a 50-user Edinburgh business. Week one covers Conditional Access and MFA enforcement. Weeks two to four handle Defender for Office 365 configuration. Weeks four to eight address DLP policies and sensitivity labels. Weeks eight to twelve cover Sentinel setup and Compliance Manager assessments. Rushing deployment creates policy conflicts and user friction.
Next Steps
Choosing between E3 and E5 shouldn’t be a guessing game. We can audit your current Microsoft 365 deployment, identify which E3 features you’re underusing, and model the cost-benefit of upgrading to E5 based on your specific regulatory and security requirements.
Book your free consultation for a personalised E3 vs E5 assessment. A 30-minute conversation can establish your current position and identify practical next steps.
Written by Kris Wiselka, Virtually Pro Ltd, 83 Princes Street, Edinburgh EH2 2ER.