Microsoft 365 guidance for security & compliance

For the purposes of this article, a tenant-level service is an online service that is activated in part or in full for all users in the tenant (standalone license and/or as part of a Microsoft 365 or Office 365 plan). Appropriate subscription licenses are required for customer use of online services. To see the options for licensing your users to benefit from Microsoft 365 compliance features, download the Microsoft 365 Comparison table for Enterprise and Frontline Workers Plans or the Microsoft 365 Comparison table for Small and Medium Business Plans.

For detailed plan information on subscriptions that enable users for Microsoft 365 compliance features and are currently available in European Economic Area (EEA) countries and Switzerland see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.

Some tenant services aren't currently capable of limiting benefits to specific users. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

Microsoft Entra ID Governance

Microsoft Entra ID Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It uses entitlement management, access reviews, privileged identity management, and terms-of-use policies to ensure that the right people have the right access to the right resources.

How do users benefit from the service?

Microsoft Entra ID Governance increases users' productivity by making it easier to request access to apps, groups, and Microsoft Teams in one access package. Users can also be configured as approvers, without involving administrators. For access reviews, users can review memberships of groups with smart recommendations to take action on regular intervals.

Which licenses provide the rights for a user to benefit from the service?

The Microsoft Entra ID Governance capabilities are currently available in Microsoft Entra ID Governance and Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2. These two products provide the rights for as many users as there are purchased seats to have the identity governance capabilities. Microsoft Entra ID Governance requires that the tenant also has an active subscription to Microsoft Entra ID P1 (formerly known as Azure Active Directory Premium P1) or Microsoft Entra ID P2 (formerly known as Azure Active Directory Premium P2) or a subscription that includes Microsoft Entra ID P1 or P2. Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2 requires that the tenant also have an active subscription to Microsoft Entra ID P2 or a subscription that includes Microsoft Entra ID P2.

How is the service provisioned/deployed?

Microsoft Entra ID Governance features are enabled at the tenant level but implemented per user. For information about Microsoft Entra ID Governance, see What is Microsoft Entra ID Governance?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should ensure that they have enough seats of Microsoft Entra ID Governance for all employees in scope of or benefiting from Microsoft Entra ID Governance features, including access packages, access reviews, lifecycle workflows and privileged identity management. For instructions on how to scope Microsoft Entra ID Governance deployments, see:

Microsoft Entra ID Protection

Microsoft Entra ID Protection is a feature of the Microsoft Entra ID P2 plan that lets you detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities, and investigate suspicious incidents and take appropriate action to resolve them.

How do users benefit from the service?

SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security provided by acting on vulnerabilities.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5, Enterprise Mobility & Security A5/E5/G5, Microsoft 365 A5/E5/F5/G5 Security and Microsoft 365 F5 Security & Compliance

For details on capabilities included in the different plans available, see What is Microsoft Entra ID Protection?

How is the service provisioned/deployed?

By default, Microsoft Entra ID Protection features are enabled at the tenant level for all users within the tenant. For information about Microsoft Entra ID Protection, see What is Identity Protection?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Microsoft Entra ID Protection by assigning risk policies that define the level for password resets and allowing access for licensed users only. For instructions on how to scope Microsoft Entra ID Protection deployments, see How to configure and enable risk policies.

Compliance Program for Microsoft Cloud

Compliance Program for Microsoft Cloud is designed to offer personalized customer support, education, and networking opportunities. By joining the program, customers will receive the unique chance to engage directly with regulators, industry peers and Microsoft experts in the areas of security, compliance, and privacy. This program replaces the existing Financial Services Industry (FSI) Compliance Program created in 2013.

Who can access the Compliance Program for Microsoft Cloud?

The Compliance Program for Microsoft Cloud is available for organizations with Microsoft 365 and Office 365 licenses.

Customers who are currently enrolled in the FSI Compliance Program will need to purchase a subscription for the new Compliance Program for Microsoft Cloud. For more information, see Compliance Program for Microsoft Cloud.

How do users benefit from the service?

Enterprise organizations that are looking to Microsoft to assist them in their cloud journey, such as risk assessors, compliance officers, internal auditors, privacy officers, regulatory Affairs/Legal, CISOs will benefit from this service. The following are example scenarios of available benefits that customers can receive:

  • Ongoing risk and compliance assistance for risk assessments to onboard to and use Microsoft cloud services.
  • Support of Microsoft and customer-managed controls for Microsoft cloud services.
  • Assistance with internal audits, regulators, or a board level approval of using third-party cloud services.
  • Support with ongoing technical questions related to complex risk and compliance requirements in using our cloud services.
  • Direct assistance in filling out a fixed number of customer risk and compliance questionnaires.
  • A connection to regulators and industry experts to help solve questions with their compliance journey.

How is the service provisioned/deployed?

By default, the Compliance Program for Microsoft Cloud is enabled at the tenant level for all users that benefit from the service. For more information, see Compliance Program for Microsoft Cloud.

Microsoft Defender for Business

Microsoft Defender for Business is an endpoint security solution designed for small and medium-sized businesses (up to 300 employees). Defender for Business is available as a standalone solution and is also included as part of Microsoft 365 Business Premium. With this endpoint security solution, small and medium-sized business (SMB) organization devices are better protected from ransomware, malware, phishing, and other threats.

For more information, see Microsoft Defender for Business.

Which licenses provide the rights for users to benefit from the service?

Microsoft Defender for Business is included as part of the Microsoft 365 Business Premium subscription plan.

A standalone version of Defender for Business is also available as an option for small and medium business (SMBs) with up to 300 employees. To learn more, see How to get Microsoft Defender for Business.

How do users benefit from the service?

The addition of Microsoft Defender for Business into Microsoft 365 Business Premium strengthens Business Premium’s existing productivity and security offering by adding cross-platform endpoint protection and sophisticated ransomware defenses with technologies like endpoint detection and response and automated investigation and remediation.

The standalone version of Defender for Business provides the option for small and medium businesses with up to 300 employees to get enterprise-grade endpoint security technology at an affordable price.

How is the service provisioned/deployed?

If you have Microsoft 365 Business Premium, you can access Defender for Business via the Microsoft Defender portal.

By default, Microsoft Defender for Business features are enabled at the tenant level for all users within the tenant. For information on how to set up and configure Defender for Business, see Microsoft Defender for Business documentation | Microsoft Docs.

What is the Defender for Business servers add-on for Microsoft Defender for Business?

Microsoft Defender for Business servers provides endpoint security for Windows and Linux Servers for small and medium-sized businesses. The Defender for Business servers experience delivers the same level of protection for both clients and servers within a single admin experience inside of Defender for Business, helping you to protect all your endpoints in one location.

For more information, see Get Microsoft Defender for Business servers | Microsoft Learn.

Note that the maximum quantity/seat cap is 60 licenses per customer for Defender for Business servers. If customers require more than 60 server licenses, please see Microsoft Defender for Servers.

Which licenses provide the rights for a user to benefit from the service?

Defender for Business servers is available as an add-on to organizations with:

  • Microsoft Defender for Business (standalone)
  • Microsoft 365 Business Premium

Customers are required to have at least one license of Microsoft 365 Business Premium or Microsoft Defender for Business to purchase and use Microsoft Defender for Business servers.

Review the Microsoft Defender for Business FAQ for more information and links to more resources.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) solution that gives customers flexibility in how to implement core capabilities and supporting multiple types of deployment.

Which licenses provide the rights for a user to benefit from the service?

Microsoft Defender for Cloud Apps is available as a standalone license and is also available as part of the following plans:

  • Enterprise Mobility + Security E5
  • Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/F5/G5 Information Protection and Governance

To benefit from the Conditional Access App Control capabilities in Defender for Cloud Apps, users must also be licensed for Microsoft Entra ID P1, which is included in Enterprise Mobility + Security F1/F3/E3/A3/G3, Enterprise Mobility + Security E5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, and Microsoft 365 E5/A5/G5/F5 Security and Microsoft 365 F5 Security & Compliance.

To benefit from automatic client-side labeling, users must be licensed for Azure Information Protection P2, which is included in Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Compliance, Microsoft 365 F5 Security & Compliance, and Microsoft 365 E5/F5/G5 Information Protection and Governance.

Note: Automatic server-side labeling requires Information Protection for Office 365 - Premium licenses (MIP_S_CLP2 or efb0351d-3b08-4503-993d-383af8de41e3). For reference, see Product names and service plan identifiers for licensing.

How is the service provisioned/deployed?

By default, Microsoft Defender for Cloud Apps is enabled at the tenant level for all users within the tenant.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Microsoft Defender for Cloud Apps deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped deployment.

What is app governance?

App governance is a security and policy management capability designed for OAuth-enabled apps registered on Microsoft Entra ID. It delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions.

Which licenses provide the rights for a user to benefit from this capability?

App governance is included in Microsoft Defender for Cloud Apps and product offers that include Defender for Cloud Apps:

  • Microsoft Defender for Cloud Apps (standalone)
  • Enterprise Mobility + Security E5/A5/G5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 Security E5/A5/F5/G5
  • Microsoft 365 Compliance E5/A5/F5/G5
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Microsoft 365 F5 Security + Compliance

For more information, see App governance in Microsoft 365 and Get Started with App Governance.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an endpoint security solution that includes:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction capabilities
  • Behavioral based and cloud-powered next generation protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

For more information, see Microsoft Defender for Endpoint.

Which licenses provide the rights for users to benefit from the service?

Microsoft Defender for Endpoint Plan 1 (P1)

Microsoft Defender for Endpoint P1 delivers core endpoint protection capabilities such as next generation anti-malware, attack surface reduction rules, device control, endpoint firewall, network protection and more. For details, see Microsoft Defender for Endpoint Plan 1 and Plan 2.

Microsoft Defender for Endpoint P1 is available as a standalone user subscription license and as part of Microsoft 365 E3/A3/G3.

Microsoft Defender for Endpoint Plan 2 (P2)

Microsoft Defender for Endpoint P2 delivers comprehensive endpoint protection capabilities including all the capabilities of Microsoft Defender for Endpoint P1 with additional capabilities such as endpoint detection and response, automated investigation and remediation, threat and vulnerability management, threat intelligence, sandbox, and Microsoft threat experts. For details, see Microsoft Defender for Endpoint documentation.

Microsoft Defender for Endpoint P2, is available as a standalone license and as part of the following plans:

  • Windows 11 Enterprise E5/A5
  • Windows 10 Enterprise E5/A5
  • Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 F5 Security & Compliance

Microsoft Defender for Endpoint Server

Microsoft Defender for server is optimized for traditional on-prem server workloads, but also supports Windows and Linux servers. A separate license required for each Operating System Environment (OSE), for servers or virtual machines.​

Microsoft Defender for IoT – Enterprise IoT security

Microsoft Defender IoT – Enterprise IoT security integrates with Microsoft Defender for Endpoint to discover, continuously monitor, and manage vulnerabilities across your enterprise IoT devices from a single experience.

Microsoft Defender for IoT – Enterprise IoT security included with Microsoft 365 E5 and Microsoft 365 E5 Security subscriptions

Microsoft Defender IoT – Enterprise IoT security is included in Microsoft 365 E5 and Microsoft 365 E5 Security subscriptions. Customers with these subscriptions are entitled to Microsoft Defender IoT – Enterprise IoT security coverage for up to 5 eIoT devices per eligible user license.

Microsoft Defender for IoT – Enterprise IoT security per device add-on

Microsoft Defender IoT – Enterprise IoT security per device add-on is available for customers who have Microsoft Defender for Endpoint P2, or a subscription that includes Microsoft Defender for Endpoint P2:

  • Microsoft 365 A5/E5
  • Microsoft 365 A5/E5/F5 Security
  • Microsoft 365 F5 Security and Compliance
  • Windows 10/11 Enterprise A5/E5.

The Microsoft Defender IoT – Enterprise IoT security per device add-on license covers one eIoT device per license.

For more details, see Enable Enterprise IoT security in Microsoft 365 with Defender for Endpoint - Microsoft Defender for IoT | Microsoft Learn.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability management is available as a standalone user subscription license and as an add-on for Microsoft Defender for Endpoint Plan 2 customers.

Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.

Defender Vulnerability Management standalone: Customers who do not have Defender for Endpoint Plan 2 can complement their endpoint detection and response (EDR) solution with the Defender Vulnerability Management standalone to meet their vulnerability management program needs.

Defender Vulnerability Management add-on: Microsoft Defender for Endpoint Plan 2 includes vulnerability management capabilities that can be enhanced by adding new advanced vulnerability management tools included with the Microsoft Defender Vulnerability Management add-on.

Microsoft Defender Vulnerability Management add-on to Microsoft Defender for Endpoint for servers: Provides premium vulnerability management capabilities for customers with Microsoft Defender for Endpoint for servers.

Microsoft Defender for Servers Plan 1 and Defender for Servers Plan 2 also includes access to vulnerability management capabilities.

For more information, see Microsoft Defender Vulnerability Management | Microsoft Learn and Compare Microsoft Defender Vulnerability Management plans and capabilities | Microsoft Learn.

What licenses provide the rights for a user to benefit from the service?

Microsoft Defender Vulnerability is available as a standalone user subscription license for commercial, education and government cloud customers.
Defender Vulnerability Management is available as an add-on to organizations with:

  • Microsoft Defender for Endpoint Plan 2 (standalone)
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Security
  • Microsoft 365 F5 Security and Compliance add-on
  • Windows 11 Enterprise E5/A5/G5
  • Windows 10 Enterprise E5/A5/G5

Microsoft Defender Vulnerability Management add-on to Microsoft Defender for Endpoint for servers is available to organizations with Microsoft Defender for Endpoint for servers. For details on included capabilities, see Compare Microsoft Defender Vulnerability Management plans and capabilities | Microsoft Learn.

Microsoft Defender for Identity

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats. Microsoft Defender for Identity is a per user subscription license.

How do users benefit from the service?

SecOp analysts and security professionals benefit from the ability of Microsoft Defender for Identity to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit by having their data monitored by Microsoft Defender for Identity.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft F5 Security & Compliance, and Microsoft Defender for Identity for Users provide the rights to benefit from Microsoft Defender for Identity.

How is the service provisioned/deployed?

Microsoft Defender for Identity features are enabled at the tenant level for all users within the tenant. For information on configuring Microsoft Defender for Identity, see Create your Microsoft Defender for Identity instance.

How can the service be applied only to users in the tenant who are licensed for the service?

Some tenant services, such as Microsoft Defender for Identity, aren't currently capable of limiting benefits to specific users. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. Microsoft Defender for Office 365 also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

How do users benefit from the service?

Microsoft Defender for Office 365 protects users from sophisticated attacks such as phishing and zero-day malware. For the full list of services provided in Plan 1 and Plan 2, see Microsoft Defender for Office 365.

Which licenses provide the rights for a user to benefit from the service?

Microsoft Defender for Office 365 Plans 1 and 2, Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft 365 F5 Security & Compliance, and Microsoft 365 Business Premium provide the rights for a user to benefit from Microsoft Defender for Office 365.

This quick reference will help you understand what capabilities come with each Microsoft Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine what Microsoft Defender for Office 365 is best for their needs.

Microsoft Defender for Office 365 Plan 1 vs. Plan 2 Cheat Sheet

Defender for Office 365 Plan 1 Defender for Office 365 Plan 2
Configuration, protection, and detection capabilities:
  • Safe Attachments
  • Safe Links
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
  • Anti-phishing protection in Defender for Office 365
  • Real-time detections
Defender for Office 365 Plan 1 capabilities
--- plus ---
Automation, investigation, remediation, and education capabilities:
  • Threat Trackers
  • Threat Explorer
  • Automated investigation and response
  • Attack simulation training

For more information, go to Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection - Office 365 | Microsoft Docs.

How is the service provisioned/deployed?

By default, Microsoft Defender for Office 365 features are enabled at the tenant level for all users within the tenant. For information on configuring Microsoft Defender for Office 365 policies for licensed users, see Microsoft Defender for Office 365.

Information Protection: Microsoft Purview Advanced Message Encryption

For information on Microsoft Purview Advanced Message Encryption, see Microsoft Purview Information Protection Advanced Message Encryption.

Information Protection: Microsoft Purview Message Encryption

For information on Microsoft Purview Message Encryption, see Microsoft Purview Information Protection Message Encryption.

Microsoft Priva

For more information, see Microsoft Priva.

Privileged access management in Office 365

Privileged access management (PAM) provides granular access control over privileged admin tasks in Office 365. After enabling PAM, to complete elevated and privileged tasks, users will need to request just-in-time access through an approval workflow that is highly scoped and time-bound.

How do users benefit from the service?

Enabling PAM lets organizations operate with zero standing privileges. Users benefit from the added layer of defense against vulnerabilities arising from standing administrative access that provides unfettered access to their data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, and Microsoft 365 E5/A5/F5 Insider Risk Management provide the rights for a user to benefit from PAM.

How is the service provisioned/deployed?

By default, PAM features are enabled at the tenant level for all users within the tenant. For information on configuring PAM policies, see Get started with privileged access management.

How can the service be applied only to users in the tenant who are licensed for the service?

Customers can manage PAM on a per-user basis through approver group and access policies, which can be applied to licensed users.

Microsoft Purview Audit

For more information, see Microsoft Purview Audit service description

Microsoft Purview Communication Compliance

For more information, see Microsoft Purview Communication Compliance

Microsoft Purview Compliance Manager

For more information, see Microsoft Purview Compliance Manager

Microsoft Purview Customer Lockbox

For more information, see Microsoft Purview Customer Lockbox

Microsoft Purview Data Connectors

For more information, see Microsoft Purview Data Connectors

Microsoft Purview Data Lifecycle Management & Microsoft Purview Records Management

Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance) and Microsoft Purview Records Management provide you with tools and capabilities to retain the content that you need to keep and delete the content that you do not need. Often organizations retain and delete content to meet compliance and data regulatory requirements. Deleting content that no longer has business value also helps you manage risk and liability.

Both Data Lifecycle Management and Records Management use retention policies, retention labels, and retention label policies to enforce retention and deletion settings. Additionally, this area includes email archiving functionality.

Licensing for retention policies

For organization-wide, location-wide, or include/exclude retention policies, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3, Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3

If the retention policy location is an Exchange mailbox, then the following licenses also provide user rights:

  • Exchange Plan 2
  • Exchange Online Archiving

If the retention policy location is SharePoint or OneDrive for Business, the following licenses also provide user rights:

  • SharePoint Plan 2

If the retention policy location is Microsoft Teams chats, channels, or private channels, then the following licenses also provide user rights. The retention or deletion period must be more than 30 days for the plans that are underlined:

  • Microsoft 365 E5/G5/A5/E3/G3/A3/F3/F1, Business Basic, Business Standard, and Business Premium
  • Office 365 E5/G5/A5/E3/G3/A3/F3/E1/G1
  • Microsoft 365 F5 Compliance and Microsoft 365 F5 Security and Compliance add-on plans

If the retention policy uses an adaptive policy scope, then one of the following licenses is required to provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

If the retention policy applies to Microsoft 365 Copilot interactions, the following licenses provide user rights:

  • Microsoft 365 E3/E5 + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Compliance + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Information Protection and Governance + Microsoft 365 Copilot

Licensing for retention labels

For retention label creation, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F3/F1/Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1

The following retention label creation settings:

  • Start the retention period based on an event type
  • Trigger a disposition review at the end of the retention period
  • During the retention period mark items as a record or a regulatory record
  • After the retention period, automatically change the retention label,

Require these specific licenses to provide users rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Office 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

Licensing for retention label policies

Retention labels are applied to files and emails in one of three ways:

  • Publishing labels so they are available to end users for manual labeling.
  • Auto-applying them through retention label policy configuration.
  • Through other application methods such as default labels.

To publish retention labels, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F3/F1/Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1

If the publishing location is an Exchange mailbox, then Exchange Online Plan 1 and Plan 2 licenses provide user rights.

If the publishing location is SharePoint Online or OneDrive, SharePoint Online Plan 1 and Plan 2 licenses provide user rights.

The following deployment methods for retention labels require specific licensing:

  • Auto-apply to content that contains sensitive information
  • Auto-apply to content that contains specific words, phrases, or properties
  • Apply a default retention label to a SharePoint document library, folder, or document set
  • Using an adaptive policy scope in the retention label policy

The following licenses provide user rights for those deployment methods:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

To auto-apply retention labels using a trainable classifier, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

Licenses for other retention label application methods

To apply a label using an Outlook rule or an Outlook default folder policy, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F3/F1/Business Premium
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3/F3/E1/A1/G1

To apply a retention label using a SharePoint Syntex model, the following licenses provide user rights. Additionally, you will need to purchase the appropriate SharePoint Syntex licenses.

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

To use the file plan to maintain retention labels, including import and export, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

To use adaptive policies scopes to dynamically target Microsoft Copilot for Microsoft 365 interaction retention policies to specific users and/or retain the exact version of a document shared in a Microsoft 365 Copilot interaction, the following licenses provide user rights:

  • Microsoft 365 E5 + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft E5 Compliance + Microsoft 365 Copilot
  • Microsoft 365 E3 + Microsoft 365 E5 Information Protection and Governance + Microsoft 365 Copilot

Licenses for email archiving

To bulk-import PST files to Exchange Online mailboxes, the following licenses provide user rights:

  • Exchange Online P2
  • Microsoft 365 E5/A5/G5/E3/A3/G3
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5/E3/A3/G3

To enable an archive mailbox and auto-expanding archive, the following licenses provide user rights:

  • Archive mailbox limited to 50 GB
    • Exchange Online Plan 1
    • Office 365 E1
  • Archive mailbox limited to 1.5 TB
    • Exchange Online Archiving
    • Exchange Online Plan 2
    • Microsoft 365 E5/A5/G5/E3/A3/G3
    • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
    • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
    • Office 365 E5/A5/G5/E3/A3/G3
    • Microsoft 365 Business Premium

Which users need a license?

Any user benefiting from the service requires a license. For more information about service terms & conditions, see Product Terms. Here are examples of users benefiting from the service:

  • Users with the following assigned roles found in the Microsoft Purview compliance portal: disposition management, Record Management, Retention Management, View-Only Record Management, View-Only Retention Management.

  • SharePoint site owners and members when a retention policy or retention label policy is used on the site. Site visitors do not need a license.

  • Microsoft 365 Group owners and members when a retention policy or retention label policy is used on the site, mailbox, or Teams messages.

  • For user mailboxes, the user must have the required license assigned.

  • Users, SharePoint sites, and Microsoft 365 Groups included in an adaptive policy scope.

For many features, a shared or resource mailbox does not need a license assigned. For features requiring one of the following licenses, a shared, or resource mailbox does need a license assigned to provide usage rights:

  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance
  • Office 365 E5/A5/G5

Inactive mailboxes do not require a usage license.

Additionally, shared mailboxes are limited to 50 GB without the need for an Exchange add-on. To increase the size limit to 100 GB, the shared mailbox requires Exchange Online Plan 2 or Exchange Online Archiving + Exchange Online Plan 1.

Microsoft Purview Data Loss Prevention: Endpoint Data Loss Protection (DLP)

For more information, see Microsoft Purview Data Loss Prevention: Endpoint Data Loss Protection (DLP)

Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business

With Microsoft Purview Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive for Business (formerly named Microsoft Office 365 Data Loss Prevention), organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization's DLP policy.

Which licenses provide the rights for a user to benefit from the service?

  • Microsoft 365 E5/A5/G5/E3/A3/G3, Microsoft 365 Business Premium, SharePoint Online Plan 2, OneDrive for Business (Plan 2), Exchange Online Plan 2
  • Office 365 E5/A5/G5/E3/A3/G3
  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
  • Microsoft 365 E5/A5/F5/G5 Information Protection and Governance

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), include users, and exclude users in the Microsoft Purview compliance portal.

Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Teams

For more information, see Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Teams

Microsoft Purview Data Loss Prevention: Graph APIs for Teams Data Loss Prevention (DLP) and for Teams Export

For more information, see Microsoft Purview Data Loss Prevention: Graph APIs for Teams Data Loss Prevention (DLP) and for Teams Export

Microsoft Purview eDiscovery

For more information, see Microsoft Purview eDiscovery

Microsoft Purview Information Barriers

For more information, see Microsoft Purview Information Barriers

Microsoft Purview Information Protection: Customer Key

For more information, see Microsoft Purview Information Protection: Customer Key

Microsoft Purview Information Protection: Data classification analytics: Overview Content & Activity Explorer

For information on Data classification analytic capabilities, Activity Explorer, and Content Explorer, see Microsoft Purview Information Protection: Data classification analytics: Overview Content & Activity Explorer.

Microsoft Purview Information Protection: Double Key Encryption

For more information, see Microsoft Purview Information Protection: Double Key Encryption

Microsoft Purview Information Protection: Sensitivity labeling

For more information, see Microsoft Purview Information Protection: Sensitivity labeling

Which licenses provide the rights for a user to benefit from the service?

For manual sensitivity labeling, the following licenses provide user rights:

  • Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium/OneDrive for Business (Plan 2)
  • Enterprise Mobility + Security E3/E5
  • Office 365 E5/A5/E3/A3
  • AIP Plan 1
  • AIP Plan 2

Note

Microsoft 365 Apps require user-based subscription licensing for the users to use sensitivity labels within the Office clients. Device-based licensing isn't supported.

Microsoft Purview Insider Risk Management

For more information, see Microsoft Purview Insider Risk Management

Insider Risk Management Forensic Evidence

For more information, see Microsoft Purview Insider Risk Management Forensic Evidence