We review a lot of Microsoft 365 tenants. And one of the most common things we see — especially in co-managed environments — is a licensing mix that looks something like this:
- A handful of Business Premium seats for the leadership team
- A big block of Business Basic for "everyone else"
- Some Business Standard sprinkled in the middle
- One or two Enterprise E3 or E1 licenses bolted on for reasons nobody can quite remember
On the surface, it feels like smart cost optimization. In practice, it creates a security gap and an administrative headache, and it often ends up costing more than a cleaner approach once you factor in add-ons and incident response.
This post breaks down why we recommend a different path — and why it matters from both a security and operational perspective.
Business Premium Should Be Your Anchor SKU
For any organization under 300 users, Microsoft 365 Business Premium at $23.10/user/month (annual commitment, paid monthly) is the single most cost-effective way to get a real security stack without bolting on third-party tools or chasing individual add-on licenses.
A note on pricing throughout this post: all prices reflect annual-commitment, paid-monthly billing — the model most SMBs use. This is 5% above the annual prepaid price but avoids the 20% premium of true month-to-month licensing.
Here's what Premium includes that Standard and Basic don't:
- Microsoft Defender for Business — Endpoint protection with EDR capabilities scoped for SMBs, including next-generation antivirus, attack surface reduction, threat and vulnerability management, and automated investigation and remediation. It's built on the same Defender for Endpoint engine used in enterprise environments but simplified for organizations up to 300 seats. It does not include the advanced threat hunting, custom detection rules, or full Sentinel/XDR integration found in Defender for Endpoint Plan 2 — but for most SMBs, it covers the endpoint protection fundamentals that Standard and Basic lack entirely.
- Intune (Endpoint Manager) — Device enrollment, compliance policies, conditional access enforcement, application management, and remote wipe. Without Intune, you're managing devices with GPO, third-party RMM, or hope.
- Entra ID P1 (formerly Azure AD P1) — Conditional access policies, which are the backbone of a Zero Trust posture. Want to block sign-ins from outside the US? Require MFA on unmanaged devices? Force compliant devices before granting access to SharePoint? This is how.
- Defender for Office 365 Plan 1 — Safe Links and Safe Attachments for email and Teams. This is real-time URL detonation and attachment sandboxing, not the basic Exchange Online Protection (EOP) that comes with every plan.
- Microsoft Purview Data Loss Prevention — Basic DLP policies to prevent sensitive data from leaving your environment via email or file sharing.
At $23.10/user/month, you're getting Defender for Business (~$3/user standalone), Intune (~$8/user standalone), Entra ID P1 (~$6/user standalone), and Defender for Office 365 P1 (~$2/user standalone) bundled together. Purchasing those components individually would run you roughly $19/user/month on top of your existing productivity license. Premium bundles it all for roughly $10 more than Standard.
The value is hard to argue with. And with Microsoft holding Premium's price flat through the July 2026 pricing changes (while Standard rises to $14.70/user/month), the gap between the two plans is narrowing to around $8.40/user/month. That's the cost of one large coffee per user per month for a dramatically better security posture.
If You Must Use Business Basic, Add Defender for Office 365 Plan 1
We understand that not every user needs desktop Office apps. Shared-space workers, frontline staff, and some roles genuinely only need web-based email and Teams. Business Basic at $6.30/user/month (rising to $7.35 in July 2026) covers that use case.
But here's the problem: Business Basic includes only Exchange Online Protection (EOP) for email security. EOP catches known spam and commodity malware, but it does not include Safe Links or Safe Attachments. That means no real-time URL detonation when a user clicks a link in an email or Teams message, and no attachment sandboxing to catch zero-day payloads. Basic also ships with no Intune, no conditional access, and no endpoint protection.
Email remains the number one attack vector for SMBs. Phishing campaigns, business email compromise, and weaponized attachments don't discriminate by license tier — every mailbox is a target. A Basic-licensed user with only EOP is relying on signature-based filtering against threats that are increasingly designed to bypass it.
At minimum, if you're assigning Business Basic licenses, you should be adding Defender for Office 365 Plan 1 as an add-on (~$2/user/month). That gives you Safe Links (real-time URL scanning and detonation at time of click) and Safe Attachments (sandboxing attachments in a virtual environment before delivery) across email and Teams. It's a targeted, cost-effective upgrade that closes the most critical gap on a Basic license — the email layer.
What it doesn't give you: Defender for Office 365 Plan 1 protects the email and collaboration layer only. It does not add endpoint detection and response (EDR), device management, or conditional access. Those require Defender for Business, Intune, and Entra ID P1 respectively — all of which are bundled in Business Premium.
The honest math: Business Basic ($7.35 post-July) + Defender for Office 365 P1 (~$2) = roughly $9.35/user/month for productivity plus advanced email protection. That's a meaningful upgrade over bare Basic, but you're still missing endpoint security, device management, and conditional access. Premium at $23.10 fills all of those gaps. Whether the ~$14/user delta is worth it depends on the role, but for anyone touching sensitive data, using a company-managed device, or working outside the office, the answer is almost always yes.
Why Standard-to-Premium Is the Right Jump
Business Standard is a great productivity license. You get full desktop Office apps, Exchange Online, Teams, SharePoint, and OneDrive. For someone who needs Word, Excel, and Outlook on their desktop, it does the job.
But Standard gives you the same security baseline as Basic — Exchange Online Protection and nothing else. No EDR. No device management. No conditional access. No Safe Links/Attachments.
This is the trap we see most often: an organization puts 60–70% of their users on Standard, thinking the desktop apps are the important upgrade, and never realizes they have no endpoint security, no device compliance enforcement, and no advanced email filtering.
With Standard rising to $14.70/user/month after July 2026 and Premium holding at $23.10, the gap narrows to $8.40/user/month. For that $8.40, you're adding the entire security and device management layer that transforms Microsoft 365 from a productivity suite into an actual managed platform.
If you're already paying $14.70 for Standard, paying $23.10 for Premium is not a cost increase — it's replacing the third-party security stack you'd need to buy anyway. Most organizations running Standard are spending $5–15/user/month on separate endpoint protection, MDM, and email filtering tools. Premium consolidates all of that into a single license, a single admin console, and a single pane of glass for your security team.
Why Enterprise E1 or E3 Doesn't Make Sense Under 300 Users
This is where we see licensing decisions go sideways. Someone on the team sees the E3 feature list — Windows 11 Enterprise, advanced compliance, eDiscovery — and decides that one or two users need it. Or they add an E1 license because it's cheaper than Standard for a user who only needs web apps.
Here's why mixing Enterprise SKUs into a sub-300-user Business tenant is almost always the wrong call:
E1 Is a Downgrade in Disguise
Office 365 E1 sits at $10.50/user/month. For that price, you get web-based Office apps, Exchange Online, Teams, SharePoint, and OneDrive — essentially the same feature set as Business Basic at $6.30–7.35/user/month, but at a higher price point. E1 exists for enterprise organizations that need to standardize on the E-series licensing model across hundreds or thousands of users. For an organization under 300 users, there's no feature in E1 that justifies the premium over Business Basic.
E3 Costs 64% More Than Premium With Less Relevant Security
Microsoft 365 E3 runs $37.80/user/month (rising to $40.95 in July 2026). That's roughly $15–18 more per user than Business Premium. What does that delta buy you?
- Windows 11 Enterprise — Relevant if you need Windows Autopilot, advanced Group Policy features, or Long-Term Servicing Channel. Most SMBs under 300 users don't.
- Client Access Licenses for on-premises workloads — Relevant if you're running Exchange Server or SharePoint Server on-prem. If you're fully cloud, this has no value.
- Advanced compliance tools — eDiscovery, advanced audit, information barriers. Unless you're in a heavily regulated industry with specific compliance mandates, Business Premium's Purview DLP is sufficient.
- No user cap — E3 removes the 300-user limit. If you're under 300 users, this is paying for a feature you don't need.
What E3 does not include that Premium does: Defender for Business is replaced by Defender for Endpoint P1 in E3 (similar but configured for enterprise-scale management), and the Intune profile is slightly different. The security outcomes are comparable, but E3's tooling assumes a dedicated IT security team and more complex policy architecture.
For a co-managed environment under 300 users, you're paying significantly more for enterprise-scale tooling that adds administrative complexity without proportional security benefit.
Office 365 E3 Is the Worst of Both Worlds
This is the SKU we see cause the most confusion. Office 365 E3 is not Microsoft 365 E3 — and the difference matters enormously.
Office 365 E3 at $24.15/user/month (rising to $27.30 in July 2026) is a productivity and compliance license. It includes desktop Office apps, Exchange Online with a 100GB mailbox, SharePoint, Teams, and advanced compliance tools like eDiscovery and Data Loss Prevention. What it does not include is the entire security and device management stack: no Defender for Business or Defender for Endpoint, no Intune, no Entra ID P1, no conditional access, and — until July 2026 — no Defender for Office 365 Plan 1. Microsoft is adding Defender for Office 365 Plan 1 to Office 365 E3 as part of the July 2026 packaging update, which adds Safe Links and Safe Attachments, but that still leaves you without endpoint protection, device management, or conditional access.
Put simply: Office 365 E3 costs more than Business Premium ($24.15 vs. $23.10) and gives you less security. You're paying a premium for advanced compliance features and a larger mailbox while getting no endpoint protection, no device management, and no identity-based access controls. For an SMB under 300 users that isn't in a heavily regulated industry requiring advanced eDiscovery or information barriers, this is paying more for features you don't need while missing the features you do.
If someone on the team has been assigned an Office 365 E3 license, the question to ask is: why? If the answer is mailbox size, the July 2026 update brings Business Premium mailboxes to 100GB — eliminating that gap. If the answer is compliance, evaluate whether the specific compliance features in E3 are actually in use. In most sub-300-user environments we review, they aren't.
SKU Mixing Creates Operational Friction
The real cost of mixing Business and Enterprise SKUs isn't just the per-user price — it's the management overhead:
- Conditional access policies behave differently across SKU types. A policy that enforces device compliance on Premium users may not apply identically to E3 users, leading to gaps or unexpected lockouts.
- Defender configurations diverge. Defender for Business (Premium) and Defender for Endpoint (E3) use different default policy sets and different onboarding workflows. Running both in the same tenant means maintaining two security baselines.
- License management becomes a spreadsheet exercise. Who has what? Who's eligible for which features? When someone's role changes, which license do they move to? Clean, standardized licensing eliminates an entire category of administrative work.
- Support escalation gets complicated. When something breaks, troubleshooting a mixed-SKU tenant takes longer because you're ruling out licensing mismatches before you can diagnose the actual issue.
The Recommendation
For most organizations under 300 users in a co-managed environment, the cleanest and most cost-effective approach is:
Business Premium for every user who touches a managed device or handles company data. At $23.10/user/month, you get productivity, security, device management, and identity protection in a single license. One SKU. One set of policies. One security baseline.
Business Basic + Defender for Office 365 Plan 1 for genuinely lightweight users — shared kiosks, frontline workers who only need web email and Teams, and roles with no access to sensitive data. This keeps cost low while closing the biggest security gap on a Basic license: the email layer.
No Enterprise SKUs unless you're over 300 users or have a specific compliance requirement that only E3/E5 can satisfy. If you're under 300 and considering E3, the better path is Business Premium plus the Defender Suite add-on ($12/user/month) if you need the advanced P2-level security features. That gives you more relevant security coverage at a lower total cost than E3.
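To check a tenant against this recommendation, the sketch below classifies each user's license mix and reports the gap it implies. It is an added example, not tooling from this post; the SKU part numbers in the map and the function names are assumptions to confirm against your own tenant, and the Graph calls require the Microsoft Graph PowerShell SDK.

```powershell
# Added example. SKU part numbers are assumptions: confirm them against
# Get-MgSubscribedSku output in your own tenant before relying on the result.
$Sku = @{
    Premium  = 'SPB'                       # Microsoft 365 Business Premium
    Standard = 'O365_BUSINESS_PREMIUM'     # Microsoft 365 Business Standard
    Basic    = 'O365_BUSINESS_ESSENTIALS'  # Microsoft 365 Business Basic
    MdoP1    = 'ATP_ENTERPRISE'            # Defender for Office 365 Plan 1 add-on
}
$Enterprise = 'STANDARDPACK', 'ENTERPRISEPACK', 'SPE_E3'  # O365 E1, O365 E3, M365 E3

function Get-LicenseGap {
    param([string]$User, [string[]]$Skus)
    $finding = if ($Skus | Where-Object { $_ -in $Enterprise }) {
        'Enterprise SKU in a Business tenant: confirm why it was assigned'
    } elseif ($Skus -contains $Sku.Premium) {
        $null  # anchor SKU: email, endpoint, device and identity layers covered
    } elseif ($Skus -contains $Sku.Standard -or $Skus -contains $Sku.Basic) {
        if ($Skus -contains $Sku.MdoP1) {
            'Email layer covered; still no EDR, Intune or conditional access'
        } else {
            'EOP only: no Safe Links/Attachments, EDR, Intune or conditional access'
        }
    } else { 'No base SKU from the map: unlicensed or unmapped' }
    if ($finding) {
        [pscustomobject]@{ User = $User; Skus = $Skus -join ', '; Finding = $finding }
    }
}

# Live tenant: resolve each user's SkuIds to part numbers, then classify.
function Get-TenantLicenseGap {
    Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' | Out-Null
    $names = @{}
    Get-MgSubscribedSku | ForEach-Object { $names[$_.SkuId] = $_.SkuPartNumber }
    foreach ($u in Get-MgUser -All -Property UserPrincipalName, AssignedLicenses) {
        $parts = @($u.AssignedLicenses | Where-Object SkuId | ForEach-Object { $names[$_.SkuId] })
        Get-LicenseGap -User $u.UserPrincipalName -Skus $parts
    }
}

# Constructed sample users (not real accounts) so the logic runs offline.
$sample = @(
    @{ User = 'ceo@example.com';   Skus = 'SPB' }
    @{ User = 'clerk@example.com'; Skus = 'O365_BUSINESS_PREMIUM' }
    @{ User = 'kiosk@example.com'; Skus = 'O365_BUSINESS_ESSENTIALS', 'ATP_ENTERPRISE' }
    @{ User = 'legal@example.com'; Skus = 'SPB', 'ENTERPRISEPACK' }
)
$sample | ForEach-Object { Get-LicenseGap -User $_.User -Skus $_.Skus } | Format-Table -AutoSize -Wrap
```

Run as written, it prints findings for the three constructed users that deviate from the recommendation; call `Get-TenantLicenseGap` to run the same check against a real tenant.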
The goal isn't to sell you more licenses. The goal is to eliminate the gaps that mixed licensing creates — because those gaps are where breaches happen, where incident response costs spike, and where co-management becomes crisis management.
Have questions about your current Microsoft 365 licensing? We review tenant configurations and can model the cost and security impact of a licensing consolidation. Reach out — we're happy to take a look.
