Office 365 Security Licensing and Pricing – 2019 Edition

In late 2017, I wrote a post, Office 365 Security Licensing Demystified, to help clarify the dizzying array of cloud security licensing options available from Microsoft, and how those options compare in both price and functionality to the Bitglass Next-Gen Cloud Access Security Broker. Both vendors have continued to develop their offerings, adding new features and functions, so this comprehensive update reflects those changes over the past year.

A couple of points on how to use these tables:

  • The Overview table shows the addressable scope/use cases of the respective technologies – across both app support and enforcement capabilities (inline vs out-of-band). The Details table shows the details of available data protection capabilities that can be used within the addressable scope.
    • For example, if a solution doesn’t support inline data protection, none of the data protection capabilities in the second table can be applied inline. 
  • The E3 and E5 options are base Office 365 enterprise license packages. Most organizations will opt for the E3 at least, since that is the first Office package that includes the traditional offline Office applications, so the table assumes E3 as the starting point. E5 includes all E3 functionality, as well as additional features.
  • All of the packages marked as “add-on” are in addition to the E3 or E5 package, and they build upon one another. For example, the EMS E3 includes CAS and some additional functionality. Add-ons can be bought with either the E3 or the E5 Office license.
  • All pricing is list pricing.
  • Links to Microsoft’s description and pricing for each service have been included in the table for easy reference.

Takeaways from this update?

  • The shift away from a core group of major SaaS applications at most enterprises makes the Microsoft offering, which still supports only 7 applications, less and less relevant with each day that passes.
  • Microsoft has not dropped prices on any of its offerings, continuing to provide limited functionality at a very high price.
  • It remains as confusing as ever to purchase and deploy the Microsoft suite of products, with numerous packages available and many separate tools from which to configure and deploy their security offering.

Regardless, many enterprises will at least take a look at the Microsoft offerings, and hopefully this post can make that challenge at least a bit easier, though I would recommend skipping the whole exercise and heading straight for the Bitglass CASB:

Request a Free Trial

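| | Bitglass | E3 | E5 | CAS Add-on | EMS E3 Add-on | EMS E5 Add-on |
|---|---|---|---|---|---|---|
| Price ($$$ / user / month) | From $7 | $20 | $35 | $3.50 | $8.74 | $14.80 (i) |
| **App Support** | | | | | | |
| O365 Support | Yes | Yes | Yes | Yes | Yes | Yes |
| Major SaaS Support | Yes | No | No | Yes (ii) | Yes (ii) | Yes (ii) |
| Other SaaS Support | Yes | No | No | No | No | No |
| IaaS Support | Yes | No | No | Limited (iii) | Limited (iii) | Limited |
| Custom App Support | Yes | No | No | No | No | No |
| **Enforcement capabilities** | | | | | | |
| Inline Data Protection on unmanaged devices | Yes | No | No | Limited (iv) | Limited (iv) | Limited (iv) |
| Inline data protection on managed devices | Yes | No | No | No | No | No |
| API out-of-band data protection in the cloud | Yes | No | Yes (v) | Yes | Yes | Yes |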


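| | Bitglass | E3 | E5 | CAS | EMS E3 | EMS E5 |
|---|---|---|---|---|---|---|
| **Identity** | | | | | | |
| Single sign-on | Yes | No | No | No | Yes | Yes |
| Native Multifactor Authentication | Yes | No | No | No | Yes | Yes |
| Integrates with 3rd Party MFA | Yes | No | No | No | No | No |
| Auto-redirect | Yes | No | No | No | No | No |
| Contextual step-up auth | Yes | No | No | No | No (vi) | No (vi) |
| Credential compromise detection | Yes | No | No | No | No (vi) | Yes (vi) |
| IDaaS Integration | Yes | No | Yes | Yes (viii) | Yes (viii) | Yes (viii) |
| Premises AD integration | Yes | Yes | Yes | Yes | Yes | Yes |
| **Mobile data protection** | | | | | | |
| Data protection for managed devices | Yes | No | No | No | Yes (ix) | Yes (ix) |
| Agentless data protection for BYOD | Yes | No | No | No | No | No |
| **Data protection** | | | | | | |
| Basic DLP (Keyword, Regex only) | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced DLP (exact match, prox, occur, image, ML, etc) | Yes | No | No | No | No | No |
| DLP Actions (WM, Redact, Encrypt, etc) | Yes | No | No | No | No | No |
| Apply & Read Data Classification Labels | Yes | No (x) | No (x) | No | No (x) | Yes (x) |
| DRM | Yes | Yes (x) | Yes (x) | No | Yes (x) | Yes (x) |
| **Access Control** | | | | | | |
| Managed vs Unmanaged Device Detection | Yes | No | No | No | Yes (xi) | Yes (xi) |
| Allow/block session conditional access | Yes | No | No | Yes (xii) | Yes (xii) | Yes (xii) |
| Restricted app access via real-time controls | Yes | No | No | Limited (xiii) | Limited (xiii) | Limited (xiii) |
| IP address restrictions | Yes | No | No | No | Yes | Yes |
| Geo-fencing | Yes | No | No | No | No | No |
| In-cloud file encryption and data residency | Yes | No | No | No | No | No |
| Field encryption | Yes | No | No | No | No | No |
| BYOK key management | Yes | No | Limited (xiv) | No | No | No |
| **Threat Protection** | | | | | | |
| Known malware protection | Yes | Yes | Yes (xv) | No | No | Yes |
| Zero Day threat protection | Yes | No | Yes | No | No | No |
| **Cloud Security Posture Management** | | | | | | |
| Admin Portal Access Control | Yes | No | No | Yes | Yes | Yes |
| Service visibility and remediation | Yes | No | No | No | No | No |
| Data-at-rest DLP scanning | Yes | No | No | No | No | No |
| Data-at-rest encryption | Yes | No | No | No | No | No |
| Custom app in IaaS CASB | Yes | No | No | No | No | No |
| Audit level transaction logging | Yes | No | No | No | No | No |
| Manual Shadow IT discovery | No | No | Yes | Yes | Yes | Yes |
| Automated Shadow IT discovery | Yes | No | No | No | No | No |
| Breach discovery | Yes | No | No | No | No | No |
| **Integration & Architecture** | | | | | | |
| Coexists w/Fwd Proxies (SWG) | Yes | Yes | Yes | Yes | Yes | Yes |
| ICAP w/prem DLP | Yes | No | No | No | No | No |
| SIEM integration | Yes | No | No | No | No | No |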


(i) EMS E3, E5 available with all O365 enterprise levels
(ii) CAS, EMS E3, EMS E5 support 7 apps, including O365
(iii) CAS, EMS offer admin portal conditional access only, no CSPM or CASB functionality
(iv) CAS, EMS offer browser reverse proxy only; no Office 365 support
(v) E5 incl. CAS subset – O365 only, barebones feature set
(vi) EMS E3, E5 include Azure AD Premium P2 identity protection
(viii) CAS/EMS includes Azure AD and Okta connectors only
(ix) EMS E3, E5 include Intune MDM
(x) Azure Information Protection differs for O365 vs P1/P2 in EMS Suites
(xi) EMS E3, E5 detect domain-joined Win, Intune MDM mgd devices, or certificates; requires use of Azure AD
(xii) CAS, EMS restrict ActiveSync and all browser apps only
(xiii) CAS/EMS: Browser only, limited apps, DOES NOT SUPPORT Office365
(xiv) E5 Customer Key available for O365 only
(xv) E5, EMS E5 include Advanced Threat Protection

*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Rich Campagna. Read the original post at: