Sign In
In this module

AD7.9 Making the Case for E5

5-6 hours · Module 7 · Free
Operational Objective
Throughout this course, you've built a complete security program on E3. At several points, you've noted features that require E5: auto-labeling, Endpoint DLP, Teams DLP, Defender for Endpoint, Defender for Cloud Apps, Attack Simulation Training, and advanced Entra ID Protection. Each gap is documented in your program summary (Section 9). This subsection transforms those documented gaps into a data-driven business case for E5 — using your monitoring data, incident history, and gap analysis to justify the investment with specific, quantified benefits rather than vendor marketing claims.
Deliverable: A data-driven E5 business case document using your own operational data — ready to present to management when the budget conversation occurs.
Estimated completion: 25 minutes
E5 BUSINESS CASE — DATA-DRIVEN, NOT VENDOR-DRIVEN GAPS (FROM YOUR DATA) AiTM incidents: [X] this year → need phishing-resistant MFA (E5/add-on) Label adoption: 91% Internal, 3% Confidential → need auto-labeling (E5) USB data copy: unknown volume → need Endpoint DLP (E5) After-hours detection: 36-hour gap → need advanced risk detection (E5) Quantified from your monitoring data COST-BENEFIT ANALYSIS E5 cost: ~£20/user/month additional (£240/user/year) 200 users: £48,000/year vs average BEC loss: £25,000-£50,000 per incident vs current risk gaps: quantified from incident data ROI based on YOUR incidents and gaps

Figure AD7.9 — The E5 business case uses YOUR operational data (incident count, monitoring gaps, label adoption metrics) to justify the investment. Each gap is quantified from your program data, not from a vendor datasheet.

Building the business case from your data

The E5 business case has three components: gaps identified (from your program summary Section 9 and incident data), cost quantified (E5 licensing vs current E3), and benefit measured (risk reduction from closing each gap).

Gap 1: Auto-labeling (E5 Information Protection). Your monitoring shows 91% of documents labeled as Internal (the default) with only 3% Confidential — but you know 15-20% should be Confidential. Auto-labeling scans existing and new content for sensitive information types and applies labels automatically. Estimated impact: 2,000+ documents correctly classified without user action. Cost: included in E5 licensing. Your data: "Label adoption report shows [X]% under-classification of sensitive content."

Gap 2: Endpoint DLP (E5 Compliance). Your current DLP covers email and SharePoint only. Users can copy Confidential documents to USB drives, print them, or paste content into personal apps — all unmonitored. Endpoint DLP extends protection to the device itself. Your data: "No visibility into endpoint data actions. [X] incidents involved data that may have been copied to USB — unable to confirm or deny."

Gap 3: Defender for Endpoint (E5 Security). Your current endpoint protection is Defender Antivirus via Intune — no EDR, no advanced threat detection, no device timeline. Defender for Endpoint adds EDR, automated investigation, and advanced hunting. Your data: "Endpoint visibility limited to AV status. No ability to investigate endpoint-level threats beyond basic malware detection."

Gap 4: Advanced Entra ID Protection (E5 or P2 add-on). Enhanced risk detection reduces dwell time. Your data: "After-hours detection gap averages [X] hours. Advanced risk policies would auto-remediate high-risk sign-ins without waiting for the Monday review."

The cost calculation

E5 COST ANALYSIS — [Organization Name]

Current licensing: M365 E3 at £[X]/user/month
E5 upgrade: M365 E5 at £[X+20]/user/month
Additional cost: ~£20/user/month (£240/user/year)

For [200] users:
Annual additional cost: £48,000

COMPARED TO:
- Average BEC financial loss (IC3 2023): £25,000-£50,000 per incident
- Average credential compromise remediation cost: £5,000-£15,000
- Your incidents this year: [X] at estimated cost: £[X]

BREAK-EVEN: E5 pays for itself if it prevents [X] incidents per year
that your current E3 controls don't catch.

ALTERNATIVE: Selective add-ons
- Entra ID P2 only: ~£7/user/month (advanced risk detection)
- Defender for Endpoint P2 only: ~£4.20/user/month (EDR)
- Information Protection P2: included in E5 only

Present this to management as: "Our E3 program is operational and effective. E5 closes [X] specific gaps identified through our monitoring data. The annual cost is £[X]. Based on our incident history, the investment prevents an estimated [X] additional incidents per year worth £[X] in potential losses. I recommend evaluating E5 during the next budget cycle."

The phased upgrade roadmap

If full E5 isn't immediately affordable, present a phased approach:

Phase 1 (immediate, £7/user/month): Entra ID P2 add-on. This provides: advanced risk-based conditional access policies (auto-remediate high-risk sign-ins without waiting for the Monday review), access reviews (automate quarterly review of admin role assignments and guest access), Privileged Identity Management (just-in-time admin access instead of permanent role assignments), and identity protection risk policies. This is the highest-impact single add-on — it addresses after-hours detection delays and reduces manual monitoring workload.

For 200 users: £1,400/month (£16,800/year). Measurable benefit: after-hours risk events auto-remediated instead of waiting 12+ hours for the Monday review. Estimated incidents prevented: [X] based on your after-hours sign-in anomaly data.

Phase 2 (month 3-6, £4.20/user/month): Defender for Endpoint P2 add-on. This provides: EDR (endpoint detection and response), automated investigation and response, advanced hunting with KQL across endpoint data, device timeline for investigation, and live response for remote evidence collection. This closes the endpoint visibility gap — you can see what's happening on devices, not just whether they're compliant.

For 200 users: £840/month (£10,080/year). Measurable benefit: endpoint-level threat detection that Intune compliance doesn't provide. Estimated value: earlier detection of malware, fileless attacks, and lateral movement.

Phase 3 (month 6-12): Full E5 upgrade. Once Phase 1 and Phase 2 are operational and demonstrating value, the case for full E5 is stronger: you've proven that advanced capabilities deliver measurable security improvement. The remaining E5 features (auto-labeling, Endpoint DLP, Defender for Cloud Apps, Attack Simulation Training) add incremental value on top of the Phase 1-2 foundation.

Present the phased roadmap as: "Rather than a single £48,000/year commitment, we can deploy in phases: £16,800/year for identity protection (immediate), £10,080/year for endpoint detection (month 3), and evaluate full E5 at year-end based on measured results. Each phase delivers specific, measurable security improvement before the next phase begins."

What NOT to include in the E5 business case

Don't lead with features. Management doesn't care about "advanced hunting with KQL" or "automated investigation and response." They care about: fewer incidents, faster detection, reduced risk of financial loss, and compliance improvement. Translate every feature into a business outcome.

Don't compare to competitors. "CrowdStrike costs more than Defender for Endpoint" is a technical comparison, not a business justification. The business case is about your risk reduction, not vendor comparison.

Don't present it as urgent. Your E3 program is operational and effective. E5 is an improvement, not a necessity. Presenting it as urgent when it's not undermines your credibility. Present it as: "Our current program is strong. E5 makes it stronger in specific, measurable ways. I recommend evaluating during the next budget cycle."

Don't forget the operational cost. E5 features require configuration, monitoring, and maintenance. Defender for Endpoint needs onboarding, policy configuration, and alert triage. Auto-labeling needs policy creation and tuning. Budget for the operational time (estimate: 2-4 hours per week for the first 3 months of E5 deployment, reducing to 1-2 hours per week once tuned) alongside the licensing cost.

Verifying current licensing and E5 pricing

Before building the business case, verify your current licensing and the exact E5 pricing for your tenant:

Navigate to admin.microsoft.com → Billing → Licenses. This shows your current licence assignments: how many E3 licences, how many are assigned, and the per-licence cost. Note your current per-user monthly cost.

For E5 pricing, navigate to admin.microsoft.com → Billing → Purchase services → search "Microsoft 365 E5." The portal shows the current per-user monthly price for your region and agreement type. Prices vary by: agreement type (direct vs CSP vs EA), payment frequency (monthly vs annual commitment), and region.

As of early 2026, approximate UK pricing:

  • M365 E3: ~£30/user/month
  • M365 E5: ~£50/user/month
  • Difference: ~£20/user/month per user
  • Entra ID P2 standalone: ~£7/user/month
  • Defender for Endpoint P2 standalone: ~£4.20/user/month

Create a simple cost comparison worksheet for the business case:

E5 COST COMPARISON — [Organization Name]

Current: M365 E3 × [200] users = £[6,000]/month (£[72,000]/year)
Option A: Full E5 × [200] users = £[10,000]/month (£[120,000]/year)
  Additional cost: £[4,000]/month (£[48,000]/year)

Option B: E3 + Entra ID P2 × [200] = £[7,400]/month (£[88,800]/year)
  Additional cost: £[1,400]/month (£[16,800]/year)

Option C: E3 + Entra ID P2 + MDE P2 × [200] = £[8,240]/month (£[98,880]/year)
  Additional cost: £[2,240]/month (£[26,880]/year)

Current security program cost: £0 additional (E3 only)
Current security program effectiveness: [reference quarterly report]

Present all three options. Let management choose the investment level. Your recommendation (Option B or C) should be based on which gaps are most impactful based on your incident data. If 3 of 4 incidents this year were AiTM attacks that advanced risk detection would have auto-remediated, Entra ID P2 (Option B) is the clear first priority. If endpoint visibility is the bigger gap, add MDE P2 (Option C).

When to present the business case

Timing matters. Don't present the E5 business case during a random Tuesday meeting. Present it at one of these moments:

During annual budget planning. This is when licensing decisions are made. Have the business case ready 2-4 weeks before the budget deadline.

After a significant incident. If a BEC attempt almost succeeded, or an AiTM attack required manual response that E5 would have auto-remediated, the business case has immediate relevance. "This incident would have been prevented/auto-contained by [E5 feature]. Here's the business case."

During the quarterly report presentation. Section 7 (Next Steps) naturally includes the E5 recommendation. The quarterly data provides the evidence base. The management audience is already engaged with security metrics.

Staying current on E5 features and pricing

Microsoft updates M365 licensing, features, and pricing regularly. Before presenting the E5 business case, verify your pricing against the current admin portal (admin.microsoft.com → Billing → Purchase services) — blog posts and third-party articles may reference outdated pricing.

Subscribe to the Microsoft 365 Message Center (admin.microsoft.com → Health → Message center) for announcements about new security features, licensing changes, and preview availability. Some E5 features become available as standalone add-ons at lower cost — monitoring announcements may reveal a cheaper path to the specific capability you need.

Track the Microsoft 365 roadmap (microsoft.com/microsoft-365/roadmap) for upcoming features that may address your documented gaps without an E5 upgrade. Microsoft occasionally moves E5-exclusive features to lower tiers — if a feature you need moves to E3, update your gap analysis and remove it from the E5 business case. The business case should be current when presented, reflecting the latest licensing reality rather than assumptions from when you first drafted it.

Compliance Myth: "E5 is always worth the upgrade — more features mean more security"
E5 is worth the upgrade when you've exhausted E3 capabilities and can quantify the gaps. An organization that hasn't deployed E3 controls properly (default MFA, no compliance policies, no DLP) gains more from deploying E3 controls than from upgrading to E5. The controls you've built in this course (AD1-AD7) represent 80-90% of the security value available in M365. E5 adds the remaining 10-20%: auto-labeling, Endpoint DLP, EDR, advanced risk detection. If your budget allows E5, the additional features are valuable. If the budget is constrained, the E3 program you've built is already a strong security posture — significantly above average for organizations your size.
Decision point

Your manager reviews the E5 business case and says: "The full E5 upgrade is too expensive at £48,000/year. Is there a middle ground?" How do you respond?

Option A: "It's all or nothing — E5 is a bundle."

Option B: "Yes — we can add specific E5 capabilities as add-ons rather than upgrading the full suite. The highest-impact add-on is Entra ID P2 (~£7/user/month = £16,800/year) which gives us advanced risk detection and auto-remediation for sign-in anomalies — addressing our biggest gap (after-hours detection). We can defer Endpoint DLP and auto-labeling to next year's budget. This gives us 60% of the E5 security value at 35% of the cost."

The correct answer is Option B. E5 is a bundle, but individual add-ons (Entra ID P2, Defender for Endpoint P2) can be licensed separately. Recommend the highest-impact add-on first, with a roadmap to full E5 as budget allows. This pragmatic approach is more likely to get approved than an all-or-nothing request.

Try it: Draft your E5 business case

Using your program summary (Section 9 — Known Gaps) and your quarterly report data:

1. List each E5-only feature gap with evidence from your monitoring data 2. Calculate the E5 cost for your user count 3. Estimate the risk reduction (incidents prevented, detection improvement) 4. Draft the recommendation paragraph: "Our E3 program is operational. E5 closes [X] gaps. Cost: £[X]/year. Recommendation: [full E5 / selective add-on / defer]." 5. Save as E5-Business-Case.docx for the next budget conversation

You don't need to present this immediately — have it ready for when the budget conversation naturally occurs (annual planning, post-incident review, management request for "what else should we do?").

What makes your E5 business case more effective than a vendor's E5 pitch deck?
Nothing — the vendor's materials are more professional — Professional marketing doesn't beat specific, quantified data from your own environment.
Your business case is cheaper — The cost is the same. The justification is different.
Your business case uses YOUR operational data: your incident count, your monitoring gaps, your label adoption metrics, your after-hours detection delay. Every gap is evidenced by data your management has already seen in the quarterly report. The vendor's pitch uses industry averages and theoretical benefits. Your management trusts data from their own environment more than data from a vendor's slide deck — Correct. The quarterly reports you've produced (AD7.5) established the data credibility. The E5 business case builds on that credibility with specific, evidenced gaps.
The vendor doesn't know your environment — True, but the key advantage is that YOUR data is more persuasive to YOUR management than generic data.
Operational Artifact — E5 Business Case Template
Data-driven E5 upgrade analysis: gaps identified from program summary Section 9 and quarterly report data, cost calculated per user count, benefit measured against incident history, recommendation with phased approach (selective add-ons vs full E5). Present alongside the quarterly report during annual planning. Alternative: Entra ID P2 add-on as highest-impact first step. Have the document ready — don't wait to be asked. When management says "what else should we do?", the E5 business case is your answer.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus
← Previous Next →