Operating Microsoft 365 E5 Properly: Why Most Organisations Still Don’t

Many organisations have invested in Microsoft 365 E5 to simplify their technology stack, improve security, and strengthen governance. Yet in many environments, E5 is assigned to users while key capabilities across identity, endpoint, data protection, compliance, and investigation remain only partially deployed. 

The result is a familiar problem for CIOs and IT management — higher licence spend without a clear view of realised value, reduced risk, or operational maturity. 

The scale of the problem is significant: 29% of SaaS licences in the average enterprise are unused or underutilised, contributing to a global cloud spending figure that now exceeds $679 billion. (Medha Cloud / Gartner, 2026) 

E5 is powerful, but its outcomes are not automatic. The real value only appears when the capability is designed, implemented, owned, measured, and adopted across the business. 

 Where the Value Gap Starts 

 

Most organisations arrive at E5 gradually. They start with Office 365 for email, Office apps, Teams, SharePoint, and OneDrive. Over time, they add endpoint management, identity controls, security tooling, compliance requirements, and eventually broader governance expectations. 

That growth path makes sense, but it often creates a fragmented operating model. Some teams are focused on productivity. Others are managing endpoint security. Compliance may be looking at data protection. Procurement sees the licence renewal. The CIO sees the total spend. 

This is where the E5 value gap starts. The organisation may own a broad set of Microsoft capabilities, but no one has a single view of what is being used, what is duplicated, what is underused, and what outcomes the licence is delivering. 

Key gap statistics:   

1. 29% of SaaS licences in the average enterprise are unused or underutilised. (Medha Cloud / Gartner, 2026) 

1. 20–40% of devices in enterprise environments are not enrolled in Microsoft Defender for Endpoint — the most commonly observed endpoint gap in E5 deployments. (EPC Group Enterprise Audit Data, 2026) 

1. Microsoft raised M365 prices by 9–20% for select plans in 2025, increasing the cost of underutilisation. (InvGate / Microsoft, 2025) 

1. Microsoft’s security services now have over 1.2 million customers, yet many E5 tenants still run third-party tools in parallel with Microsoft Defender workloads. (StatsUp / Microsoft, 2024) 

For many businesses, the question is no longer “Do we have the right licence?” It is “Are we getting the right value from the licence we already have?” 

What E5 Is Supposed to Unlock 

 

Microsoft 365 E5 is designed to bring advanced identity, endpoint, email and collaboration security, SaaS visibility, information protection, compliance, investigation, and response capability together across the Microsoft 365 ecosystem. 

Core E5 capabilities include: 

1. Advanced identity controls through Microsoft Entra ID P2, including risk-based Conditional Access and Privileged Identity Management (PIM) 

1. Identity threat detection through Microsoft Defender for Identity, using on-premises AD signals to surface compromised identities and insider threats 

1. Endpoint detection and response through Microsoft Defender for Endpoint Plan 2, with automated investigation and response that resolves the majority of endpoint alerts without analyst intervention when configured correctly 

1. Email and collaboration security through Microsoft Defender for Office 365 Plan 2, including attack simulation training 

1. SaaS visibility and control through Microsoft Defender for Cloud Apps, which can assess over 90+ risk factors across more than 31,000 cloud-based applications 

1. Cross-domain investigation and response through Microsoft Defender XDR 

1. Data governance and compliance through Microsoft Purview, covering sensitivity labelling, DLP, retention, audit, eDiscovery, insider risk management, and compliance workflows 

The value is not simply that these capabilities exist under the licence. The value comes when they are configured, integrated, and operated together. Identity risk can inform access decisions. Endpoint signals can support investigations. Email threats can be correlated with user, device, and application activity. Sensitive data can be discovered, labelled, protected, monitored, and governed. 

Important licensing note: On 1 October 2025, Microsoft renamed its E5 mini-suites. Microsoft 365 E5 Security is now the Microsoft Defender Suite, and Microsoft 365 E5 Compliance is now the Microsoft Purview Suite. Functionality remains unchanged, but organisations should verify their procurement and renewal documentation reflects the new naming. Additionally, since September 2025, the E5 Compliance add-on is no longer available for purchase by new customers. (HBS.net / Noraa, 2025) 

It is also important to distinguish Microsoft 365 E5 from adjacent Microsoft security services. E5 can significantly strengthen the Microsoft 365 security and compliance foundation, but services such as Microsoft Sentinel and Microsoft Defender for Cloud have separate deployment, licensing, and consumption considerations. 

Why E5 Becomes Shelfware 

 E5 often becomes underused because it is purchased as a commercial decision, not delivered as a security and governance program. 

A business may buy E5 to consolidate selected third-party security tools, improve cyber resilience, or prepare the Microsoft 365 data, access, and governance foundation for Microsoft Copilot. Without a roadmap, the same gaps remain. 

Common deployment gaps observed in E5 environments: 

1. Defender workloads partially deployed: 20–40% of devices typically not onboarded to Defender for Endpoint. Workloads may be deployed but not tuned, integrated into response processes, or producing quality telemetry. (EPC Group, 2026) 

1. Purview maturity low: Purview capabilities are available under E5, but gaps persist in labelling non-Office files and content nested in Teams or SharePoint. Most organisations have not reached a level of Purview maturity sufficient to support real classification, sensitivity labelling, DLP, retention, eDiscovery, or records management workflows. (Knostic / Microsoft, 2026) 

1. Conditional Access incomplete: Policies may exist, but often do not reflect risk, device compliance, location, session controls, or privileged access scenarios. 

1. PIM not operationalised: Privileged Identity Management is licensed through Entra ID P2 in E5, but privileged roles in many tenants are still permanently assigned rather than governed through just-in-time elevation and access reviews. 

1. Third-party tool overlap: Existing tools continue to run alongside Microsoft Defender capabilities, creating duplication rather than consolidation. 

This is not usually a technology problem. It is an ownership problem. Security owns part of the platform. IT operations owns another part. Compliance owns another. Procurement owns the renewal. But the business outcome sits between them. 

Why This Matters More Now: The Copilot Factor 

 The E5 conversation is becoming more important as organisations move toward Microsoft Copilot and broader AI adoption. 

Copilot does not grant users new access to content, but it can make existing access issues more visible because it grounds responses in content the user is already permitted to access. If SharePoint permissions are overly broad, sensitive data is unlabelled, stale content is unmanaged, or access controls are inconsistent, AI can surface those weaknesses faster. 

The data is concerning: 

1. 16% of an organisation’s business-critical data is overshared on average, adding up to approximately 802,000 files at risk per organisation. (Concentric AI, 2026) 

1. 60% of businesses will fail to realise the anticipated value of their AI use cases by 2027 due to incohesive data frameworks. (Gartner, cited by Microsoft Tech Community) 

1. The most common Copilot risk is not AI misuse but existing oversharing across SharePoint, OneDrive, and Teams. Copilot can surface and summarise overshared content instantly. (Valence Security, 2026) 

1. Microsoft has published an Oversharing Blueprint to help organisations remediate permissions before Copilot deployment, powered by Microsoft Purview and SharePoint Advanced Management. (Microsoft Ignite, November 2025) 

That changes the conversation. E5 is no longer just a security licence uplift. It becomes part of the foundation for safe AI adoption, data governance, and modern risk management. 

How Organisations Can Realise the Value 

 Getting more from E5 does not mean turning on every feature at once. It means building a practical roadmap that links Microsoft capability to business outcomes. 

That starts with understanding what is currently licensed, what is assigned, and what is actively being used. From there, organisations can identify overlapping tools, underused features, maturity gaps, and areas where Microsoft capability can either replace, strengthen, or complement existing platforms. 

A useful E5 review should assess: 

1. Identity controls and Conditional Access maturity 

1. Privileged access governance and PIM operationalisation 

1. Endpoint onboarding completeness and Defender for Endpoint configuration 

1. Defender workload coverage and XDR signal quality 

1. Alerting, investigation, and response process integration 

1. Purview maturity: DLP readiness, sensitivity labelling, retention, eDiscovery 

1. Insider risk management configuration and thresholds 

1. SaaS visibility through Defender for Cloud Apps 

1. Oversharing exposure and permission hygiene ahead of Copilot 

1. Tool overlap with third-party security and compliance products 

1. Operational reporting and licence utilisation visibility 

The output should not just be a licence usage report. It should be a prioritised plan that shows where the business can reduce risk, simplify operations, improve governance, and get better value from existing spend. 

Oreta’s View 

At Oreta, we see this as a practical opportunity for organisations to get more value from the Microsoft investment they have already made. 

For many customers, the answer is not immediately to buy more technology. It is to step back and assess whether the existing Microsoft capability is being used properly, whether it is aligned to risk, and whether the operating model is mature enough to support it. 

E5 works best when it is treated as an ongoing capability, not a one-off licence upgrade. It needs defined ownership, governance, technical configuration, workload onboarding, telemetry validation, reporting, operational processes, and adoption across IT, security, compliance, and the business. 

When that happens, E5 can help organisations reduce tool sprawl, improve security visibility, strengthen data governance, prepare for AI, and show clearer value from their Microsoft spend. 

The Bottom Line 

 Microsoft 365 E5 is powerful, but it is not magic. 

Buying it does not automatically improve security posture, clean up data, replace legacy tools, or prepare the business for AI. Those outcomes only happen when the licence is backed by design, governance, ownership, technical implementation, operational integration, measurement, and adoption. 

Key takeaway: For organisations already paying for E5, the opportunity may not be to spend more. It may be to finally operate what they already have properly. With 29% of enterprise SaaS licences sitting unused and prices rising, the cost of inaction is no longer abstract. 

References 

1. Medha Cloud / Gartner. Microsoft 365 Statistics 2026: Market Share, Adoption & Pricing Data. https://medhacloud.com/blog/microsoft-365-statistics-2026 

1. O365 Cloud Experts. Microsoft 365 Security Statistics: 50+ Stats Every IT Manager Should Know in 2026 (April 2026). https://www.o365cloudexperts.com/blog/microsoft-365-security-statistics/ 

1. EPC Group. Microsoft Defender 365: Enterprise Security Guide 2026. https://www.epcgroup.net/microsoft-defender-365-enterprise-security-guide-2026 

1. Microsoft Learn. Microsoft Entra ID P2 and Privileged Identity Management. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure 

1. Microsoft Learn. Enable Passkeys in Authenticator for Microsoft Entra ID. https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey 

1. Microsoft. Enterprise Security Suites: Microsoft 365 E3 and E5. https://www.microsoft.com/en-us/security/pricing/enterprise/security-suites 

1. Microsoft. Microsoft 365 E5 for Enterprise. https://www.microsoft.com/en-us/microsoft-365/enterprise/e5 

1. HBS.net. Microsoft 365 Business Premium: New Add-Ons & Suite Names — Defender Suite and Purview Suite (October 2025). https://www.hbs.net/blog/microsoft-365-security-smbs 

1. Noraa. Microsoft Purview Updates 2024–2026: Full Implementation Guide (March 2026). https://www.noraa.ca/blog/microsoft-purview-major-updates-2024-2026-implementation-guide 

1. Concentric AI. 2026 Microsoft Copilot Security Concerns Explained: Oversharing Statistics. https://concentric.ai/too-much-access-microsoft-copilot-data-risks-explained/ 

1. Microsoft Tech Community. Mitigate Oversharing to Govern Microsoft 365 Copilot and Agents (Gartner citation, September 2025). https://techcommunity.microsoft.com/blog/microsoft365copilotblog/mitigate-oversharing-to-govern-microsoft-365-copilot-and-agents/4448744 

1. Microsoft Tech Community. Security and Governance Innovations for Microsoft 365 Copilot and Agents from Ignite 2025 (December 2025). https://techcommunity.microsoft.com/blog/microsoft365copilotblog/security-and-governance-innovations-for-microsoft-365-copilot-and-agents-from-ig/4476172 

1. Valence Security. Microsoft Copilot Security: Managing AI Exposure Across Microsoft 365. https://www.valencesecurity.com/saas-security-terms/microsoft-copilot-security-managing-ai-exposure-across-microsoft-365 

1. Helloitsliam. Mitigating Oversharing Risks in Microsoft 365 with Copilot (December 2025). https://helloitsliam.com/2025/12/10/fix-oversharing-in-sharepoint-and-onedrive-before-copilot-deployment/ 

1. Microsoft Learn. Get Ready for Microsoft 365 Copilot with SharePoint Advanced Management. https://learn.microsoft.com/en-us/sharepoint/get-ready-copilot-sharepoint-advanced-management 

1. Knostic. Microsoft Copilot Data Security and Governance: A Practical Guide for CISOs (January 2026). https://www.knostic.ai/blog/microsoft-copilot-data-security-governance 

1. Microsoft Tech Community. Beyond Visibility: The New Microsoft Purview Data Security Posture Management Experience (December 2025). https://techcommunity.microsoft.com/blog/microsoft-security-blog/beyond-visibility-the-new-microsoft-purview-data-security-posture-management-dsp/4470984 

1. InvGate. Microsoft Licensing Changes: What to Expect in 2025. https://blog.invgate.com/microsoft-licensing-changes 

1. SQ Magazine. Microsoft 365 Statistics 2026: Global Growth Facts. https://sqmagazine.co.uk/microsoft-365-statistics/