Tenant-Wide Services Licensing Guide

Introduction

Microsoft 365 offers a broad range of tenant-wide services that enhance security, compliance, and productivity, particularly in Microsoft 365 E5, which includes advanced features not available in E3. This guide focuses on how tenant-level services can be managed, with options to control and optimize licensing at the user level and reduce costs.

Understanding Tenant-Wide Services

Tenant-wide services, by Microsoft's definition, are online services that, upon activation, become operational across the entirety of a Microsoft 365 tenant. This means the service’s foundational infrastructure and certain core functionalities are inherently enabled for all users within the organization's digital environment, regardless of individual license assignments.

"Microsoft define a tenant-level service [as] an online service that is activated in part or in full for all users across the tenant enabled by a standalone plan(s) and/or as part of a Microsoft 365 or Office 365 suite."

While some administrative controls exist to manage aspects of these services (such as configuring Conditional Access policies, implementing group-based licensing for role-specific feature enhancements, or leveraging Microsoft Entra ID for role-based access control) such mechanisms do not fundamentally alter the tenant-wide deployment model. For example, while Data Loss Prevention (DLP) policies can be scoped to specific user groups for targeted enforcement actions, the underlying engine and data scanning capabilities operate tenant-wide.

The defining characteristic of tenant-wide services, particularly prevalent in security and audit functionalities, is a technical design to safeguard the entire tenant environment and its data assets comprehensively. This inherent breadth of deployment introduces unique licensing management considerations, especially when seeking to optimize costs and align licensing with feature utilization.

Licensing Implications and Scoping Challenges

Microsoft's own guidance acknowledges the inherent licensing management complexities associated with tenant-wide services:

"Appropriate subscription licenses are required for customer use of online services. Some tenant services aren't currently capable of limiting benefits to specific users. Efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption."

This definition from Microsoft underscores the significant challenges of managing tenant-wide services licensing, especially given that some services can be scoped while others cannot. While compliance and fair use remain crucial, the current limitations in tenant-level service controls are evident.

The complexity of managing tenant-wide services licensing becomes particularly apparent when considering Microsoft 365 E5 or P2 (Plan 2) services, which are often not available to organizations with E3 or P1 (Plan 1) level license plans. These higher-tier services are designed to operate across the entire tenant but lack sufficient scoping capabilities for organizations that don’t have consistent coverage of Microsoft 365 E5 across all users.

For organizations on E3, there is no straightforward way to restrict services to only those users with appropriate licensing. The inability to scope a service simply results in a mismatch between the level of protection provided and the licensing tier, complicating compliance and increasing the risk of over-provisioning, as unlicensed users may inadvertently ‘benefit’ from enterprise-level security features.

The implication is a potential compliance gap, and also the risk of unintentional “benefit” being derived by unlicensed users from enterprise-grade security or compliance features, while simultaneously complicating licensing cost optimization.

The difficulty to enforce granular controls and scoping for E5/P2 services in tenant-wide environments leads to significant complexity and raises the risk of compliance issues. For customers on E3-level licenses, these challenges highlight the need for more flexible, user-level licensing controls that can better align service access with the capabilities granted by specific license tiers. Without such controls, managing and securing services becomes a far more cumbersome process, potentially leaving gaps in coverage and creating financial risk.

List of Tenant-Wide Services

The list below provides an overview of tenant-wide services available within the Microsoft 365 E5 stack. While I have endeavored to provide a reasonably comprehensive list, please do not consider this exhaustive.

Scoping Tenant-Wide Services

Navigation of the licensing landscape for these features requires understanding how they operate -whether services are tenant-wide by default, or if they can be scoped to specific users or groups. Properly aligning feature activation withing associated licensing plans is critical to maintaining compliance and optimizing costs.

Microsoft 365 E5, or Security and Compliance E5 suites include advanced features that may:

1. Operate as tenant-wide services, benefiting all users by default and requiring licensing for the entire organization.

2. Offer scoping options, where advanced capabilities can be restricted to specific users or groups, enabling selective licensing.

3. Combine both scenarios, where tenant-wide “base” features still require broad licensing while additional scoped features can apply to specific subsets of users.

The list below provides an overview of tenant-wide services and scoping mechanisms available within the Microsoft 365 E5 stack. While I have endeavored to provide a reasonably comprehensive list, please do not consider this exhaustive.  

Products and Features with Scoping Capabilities

Microsoft Defender Services

Microsoft Defender for Cloud Apps

Behavior: Defender for Cloud Apps enhances visibility into cloud application usage, risk monitoring, and compliance enforcement. It helps control shadow IT and protect sensitive data by identifying and managing risky app behaviors.

• Tenant-wide foundational features: Shadow IT discovery (Plan 1 license required for all users).

• Plan 2-specific features: Scoped enforcement policies (DLP, anomaly detection) for SaaS apps.

Licensing Note:

• Plan 1 is tenant-wide for Shadow IT Discovery. All users must be licensed with Plan 1 for foundational Shadow IT discovery features to function technically across the tenant.

• Plan 2 is scopable for enforcement policies. Advanced enforcement policies (Plan 2 features) are applied only to licensed users, enabling targeted application to specific user groups requiring advanced controls and optimizing costs.

• Foundational Shadow IT discovery operates tenant-wide technically, while monitoring and deployment of Plan 2 features can be scoped.

How to Apply Scoping:

1. Activate Tenant-wide App Discovery (Plan 1): In the Defender for Cloud Apps portal, enable 'Cloud Discovery' to gain visibility into cloud application usage across all users. This action establishes the baseline Shadow IT discovery functionality, requiring Plan 1 licenses for all users.

2. Configure Scoped Plan 2 Policies: Within the Defender for Cloud Apps portal, create and configure enforcement policies (e.g., DLP, anomaly detection, access controls).

3. Target Plan 2 Policies to Scopes: During policy configuration, specifically target enforcement policies to defined user groups, organizational units (OUs), or specific SaaS applications that require stricter app governance. Plan 2 licenses are necessary only for users within these targeted scopes.

4. Integrate with Conditional Access (Complementary): Utilize Conditional Access policies within Microsoft Entra ID to further refine app usage restrictions based on user group membership, device compliance, or other conditions, complementing Defender for Cloud Apps policies.

Microsoft Defender for Endpoint P2 – Threat Intelligence Scoping

Behavior: Defender for Endpoint P2 Threat Intelligence provides proactive security insights, threat analysis, and enhanced attack vector visibility, benefiting licensed users and devices.

• P1 (Foundational): Basic endpoint protection and device monitoring.

• P2 (Advanced): Threat Intelligence, EDR, AIR, and advanced analytics.

Licensing Note:

• P2 Features require P2 licenses. Threat Intelligence and other advanced P2 capabilities are available only for licensed users or devices.

• P2 Licensing is scopable to users/devices. Defender for Endpoint P2 licenses can be assigned to specific users or devices that require Threat Intelligence and advanced features, optimizing licensing costs.

• P1 foundational features are tenant-wide (if onboarded). Core monitoring and basic protection (P1 features) are enabled for all onboarded devices, even unlicensed ones, and cannot be partially excluded if devices are onboarded into Defender for Endpoint.

How to Apply Scoping:

1. Identify Scope for Advanced Protection: Determine which users or devices specifically require Threat Intelligence and advanced P2 features. Consider roles like security teams and devices handling highly sensitive data.

2. Create Device Groups: In the Microsoft Defender Security Center, create device groups based on relevant attributes (e.g., OS, location, device tags like "Executive Devices," "Security Team Workstations").

3. Target Licensing to Device Groups: Assign Defender for Endpoint P2 licenses only to users primarily associated with the created device groups requiring advanced protection.

4. Apply Targeted Policies and Configurations: Within Defender for Endpoint, configure more stringent security policies and settings specifically for the created device groups, leveraging P2 features.

5. Manage via Group-Based Licensing: Utilize group-based licensing in the Microsoft 365 Admin Center for efficient and automated management of P2 license assignments to the targeted user groups.

Microsoft Defender for Identity P2 – Threat Intelligence Scoping

Behavior: Defender for Identity P2 Threat Intelligence enhances detection of suspicious user and entity behavior in Active Directory using threat feeds and advanced analytics for investigations.

• P1 (Foundational): Core AD activity monitoring.

• P2 (Advanced): Threat Intelligence integration, advanced analytics, enriched investigation tools.

Licensing Note:

• P2 Threat Intelligence requires P2 licenses. Advanced Threat Intelligence features are accessible only to licensed users or entities monitored by Defender for Identity P2.

• Core AD Monitoring Licensing is Scope-Dependent. Foundational Active Directory monitoring requires licensing for all users associated with monitored domain controllers.

• Scoping Monitoring Limits Licensing. Limiting core AD monitoring to specific domain controllers reduces the required licenses, as only users authenticating to/from those DCs need licenses. Tenant-wide licensing is not mandatory if monitoring is scoped.

How to Apply Scoping:

1. Define Monitoring Scope (Domain Controllers): Determine which domain controllers and their associated users require advanced threat detection. Prioritize DCs in sensitive locations or managing critical assets.

2. Scope Defender for Identity Deployment: Configure Defender for Identity sensors to monitor only the selected domain controllers. Avoid tenant-wide sensor deployment for cost optimization if full coverage is not required.

3. Target P2 Licensing to Scoped Users: Assign Defender for Identity P2 licenses only to users associated with accounts managed or authenticated by the scoped domain controllers.

4. Utilize Group-Based Licensing: Employ group-based licensing for efficient management of P2 license assignments for targeted users.

5. Tailor Detection Policies: Within Defender for Identity, customize detection and investigation policies to prioritize and focus on threats detected within the scoped monitoring environment.

Microsoft Defender for Office 365 P2 – Threat Intelligence Scoping

Behavior: Defender for Office 365 P2 Threat Intelligence enhances email security against advanced threats (phishing, malware) with real-time threat feeds and advanced tools.

• P1 (Foundational): Protection against common email threats.

• P2 (Advanced): Threat Explorer, Automated Investigation and Response (AIR), Attack Simulation Training, Threat Intelligence.

Licensing Note:

• P2 Threat Intelligence requires P2 licenses. Threat Intelligence features, Threat Explorer, AIR, and Attack Simulation are only for users with Defender for Office 365 P2 licenses.

• P2 Licensing is scopable to users. P2 licenses can be assigned to specific users requiring advanced threat protection, optimizing costs by applying P1 to the broader user base.

• P1 provides foundational email protection tenant-wide. Even users not licensed for P2 still receive Plan 1 level email protection features tenant-wide if Defender for Office 365 is enabled.

How to Apply Scoping:

1. Identify High-Risk User Scopes: Determine user groups or roles that are at higher risk of advanced email threats (e.g., executives, public-facing roles, finance, legal departments).

2. Target P2 License Assignment: Utilize the Microsoft 365 Admin Center to assign Defender for Office 365 P2 licenses only to these identified high-risk users or groups.

3. Employ Group-Based Licensing: Implement group-based licensing for streamlined and efficient management of P2 license assignments.

4. Configure Targeted Policies (P2 Features): Customize Defender for Office 365 policies to actively leverage P2 features specifically for licensed users. Foundational P1 protection remains broadly applied, while P2 features become active only for licensed users.

5. Focus Attack Simulation Training: Utilize Attack Simulation Training (a P2 feature) primarily for the scoped P2 licensed users to maximize the proactive security benefits of Threat Intelligence for this targeted group.

Defender for Endpoint P2 (General Scoping - Beyond Threat Intelligence)

Behavior: Defender for Endpoint P2 provides comprehensive endpoint protection against malware, ransomware, and advanced threats with EDR and AIR capabilities, focused on monitored devices.

• P1 (Foundational): Basic endpoint protection and response.

• P2 (Advanced): Automated Investigation and Remediation (AIR), Endpoint Detection and Response (EDR), advanced capabilities.

Licensing Note:

• Monitoring requires licenses. Licenses are required only for devices actively onboarded and monitored by Defender for Endpoint.

• Tenant-wide policies may apply for onboarding but advanced features are restricted. While tenant-wide policies can facilitate onboarding, advanced P2 features are functionally restricted to licensed devices only. Unlicensed onboarded devices will receive P1 level capabilities.

How to Apply Scoping:

1. Define Device Groups by Scope: In Microsoft Defender Security Center, create device groups segmented by organizational structure, risk level, or device sensitivity (e.g., "High-Value Servers," "Executive Laptops," "BYOD - Limited Protection"). Use dynamic rules or tags for automated group management.

2. Implement Selective Onboarding by Scope: Onboard only the devices that require Defender for Endpoint protection into the service. Exclude devices needing only basic protection or alternative security solutions from onboarding to optimize license consumption.

3. Assign Licenses by Device Group: Assign Defender for Endpoint P2 licenses primarily to device groups requiring advanced EDR and AIR capabilities.

4. Tailor Policies and Features by Group: Apply specifically tailored policies and security configurations to each device group, reflecting their unique risk profiles and protection requirements.

5. Regularly Review and Adjust Scope: Establish a process to regularly review and adjust device group memberships and licensing assignments to maintain optimal coverage and cost efficiency as organizational needs evolve.

Defender for Office 365 (Plan 1 & Plan 2 Combined Scoping)

Behavior: Defender for Office 365 protects emails and collaboration tools from malicious content. Scoping allows targeted protection levels based on user risk, with tenant-wide foundational protection.

• Tenant-wide foundational features (Plan 1): Safe Attachments scanning (requires Plan 1 licensing for all users).

• Plan 2-specific features: Safe Links policies (scoped), advanced reporting, Automated Investigation and Remediation (AIR).

Licensing Note:

• Plan 1 is tenant-wide for Safe Attachments. Plan 1 licensing for all users is mandatory for enabling the foundational Safe Attachments scanning feature tenant-wide.

• Plan 2 is scopable for Safe Links and advanced features. Safe Links policies and advanced features (reporting, AIR) can be scoped and require Plan 2 licenses only for the users to whom these features are applied.

• Scoping optimizes Plan 2 licenses. Organizations can significantly reduce Plan 2 licensing needs by targeting Safe Links and advanced features to high-risk users, while leveraging tenant-wide Plan 1 for baseline protection.

• Licensing optimization for Plan 1 is not possible. The tenant-wide nature of Safe Attachments prevents licensing optimization at the user level for the foundational Plan 1 requirement.

How to Apply Scoping:

1. Ensure Tenant-wide Plan 1 Enablement: Verify that Defender for Office 365 Plan 1 (or an equivalent suite license including Plan 1 features) is assigned to all users to activate Safe Attachments tenant-wide.

2. Identify Scopes for Advanced Protection (Plan 2): Determine user groups that require enhanced URL protection and advanced security features (e.g., executives, finance department, security teams).

3. Scope Plan 2 Safe Links Policies: In the Microsoft 365 Defender portal, create and configure Safe Links policies, and specifically target these policies to the identified high-risk user groups.

4. Assign Plan 2 Licenses to Targeted Users: Assign Defender for Office 365 Plan 2 licenses only to the user groups targeted by the Safe Links policies and requiring advanced features. Recognize that Plan 1 licensing for all users is a prerequisite.

5. Utilize Advanced Plan 2 Features: Leverage Plan 2 features like Threat Explorer and Automated Investigation & Response primarily for the Plan 2 licensed users, providing them with enhanced security tools and insights.

Defender for Identity (P2 - General Scoping - Beyond Threat Intelligence)

Behavior: Defender for Identity detects advanced threats in Active Directory by monitoring AD activities for lateral movement, privilege escalation, and domain dominance attempts. Scoping focuses monitoring and licensing on high-risk entities.

Licensing Note:

• Monitoring requires licenses. Licenses are required only for users and devices whose activities are actively monitored by Defender for Identity.

• Core monitoring is scope-dependent. Core monitoring does not mandate tenant-wide licensing unless the monitoring scope encompasses all users and devices.

• Scoping optimizes licensing. By focusing monitoring on specific high-risk users, privileged accounts, or critical domain controllers, organizations can minimize the number of licenses required, achieving cost optimization without compromising security for critical assets.

How to Apply Scoping:

1. Identify Scoped Entities for Monitoring: Pinpoint high-risk users (e.g., privileged accounts, executives) and critical domain controllers (managing sensitive organizational units or assets) that warrant enhanced monitoring.

2. Scope Detection Policies to Entities: In Microsoft Defender for Identity, configure detection policies to prioritize monitoring and alerts specifically related to the identified high-risk users and domain controllers.

3. Deploy Sensors for Targeted Monitoring: Deploy Defender for Identity sensors strategically to monitor only the identified critical domain controllers and associated network segments. Avoid unnecessary sensor deployment across the entire domain infrastructure if full coverage is not required for your security objectives.

4. Assign Licenses Based on Monitored Entities: Assign Defender for Identity licenses only to users and devices associated with the scoped monitoring entities (e.g., users authenticating to/from scoped DCs, privileged account owners).

5. Manage Licenses via Groups: Utilize group-based licensing for efficient management of licenses assigned to scoped user groups and entities.

Defender for Office 365 (Plan 2 - Safe Links Scoping Focus)

Behavior: Defender for Office 365 protects against email threats (phishing, malware, BEC). Key features include Safe Links (URL scanning, scoped policies possible) and Safe Attachments (attachment scanning, tenant-wide).

• Tenant-wide foundational features: Safe Attachments scanning (Plan 1 license for all users).

• Plan 2-specific features: Safe Links policies (scoped), advanced reporting, AIR (licensed users only).

• Scoping Example: Safe Links policies can be configured to apply only to the "Executive Team" user group.

Licensing Note (Safe Links Specific):

• Tenant-wide Plan 1 for Safe Attachments is mandatory. Due to the tenant-wide Safe Attachments scanning, Plan 1 (or equivalent suite license) is required for all users in the tenant.

• Plan 2 scoping is limited to Safe Links policies and advanced features. Scoping policies allows targeting Safe Links and advanced features to specific users, potentially reducing the additional Plan 2 licenses needed. However, the underlying Plan 1 requirement for all users due to Safe Attachments remains.

• Licensing optimization for Plan 1 is not possible. The tenant-wide nature of Safe Attachments prevents licensing optimization at the user level for the foundational Plan 1 requirement.

How to Apply Scoping (Safe Links Specific):

1. Ensure Tenant-wide Plan 1 Enablement: Confirm that Defender for Office 365 Plan 1 (or equivalent) is licensed for all users to activate tenant-wide Safe Attachments scanning.

2. Scope Safe Links Policies (Plan 2): In the Microsoft 365 Defender portal, configure Safe Links policies. Target these Safe Links policies specifically to chosen user groups who require enhanced URL protection (e.g., "Executive Team," "High-Risk Users").

3. Assign Plan 2 Licenses for Safe Links Users: Assign Defender for Office 365 Plan 2 licenses only to the users who are targeted by the scoped Safe Links policies. It's crucial to remember that Plan 1 licensing for all users is already a prerequisite due to Safe Attachments.

Defender for Cloud Apps (Scoping for Enforcement Policies Focus)

Behavior: Defender for Cloud Apps provides cloud app visibility, risk detection, and policy enforcement. Key features: Shadow IT Discovery (tenant-wide), Policy Enforcement (scoped).

• Tenant-wide foundational features: Shadow IT discovery (Plan 1 license required for all users).

• Plan 2-specific features: Scoped enforcement policies for SaaS applications (DLP, anomaly detection).

• Scoping Example: Enforcement policies, such as DLP for file sharing in SaaS applications, can be scoped to the "Marketing Department" user group.

Licensing Note (Enforcement Policies Specific):

• Tenant-wide Plan 1 for Shadow IT Discovery is mandatory. Plan 1 (or equivalent suite license) is required for all users to enable Shadow IT discovery functionality tenant-wide.

• Plan 2 scoping is specifically for enforcement features. Plan 2 licenses are only needed for users to whom you apply advanced enforcement policies. However, this Plan 2 scoping does not reduce the Plan 1 licensing requirement for all users.

• Limited licensing optimization for Plan 1. While Plan 2 licensing can be optimized via scoping, the prerequisite Plan 1 licensing for all users due to tenant-wide Shadow IT discovery remains unavoidable for technical functionality.

How to Apply Scoping (Enforcement Policies Specific):

1. Ensure Tenant-wide Plan 1 for Discovery: Verify that Plan 1 (or equivalent) is licensed for all users and enable Shadow IT discovery in Defender for Cloud Apps to gain tenant-wide visibility of cloud application usage.

2. Scope Plan 2 Enforcement Policies: Configure policy enforcement features (e.g., DLP, access controls, anomaly detection) within Defender for Cloud Apps. Target these policies specifically to user groups or SaaS applications that require enhanced governance and control (e.g., "Marketing Department," "Finance Department," specific critical SaaS apps).

3. Assign Plan 2 Licenses for Targeted Enforcement: Assign Defender for Cloud Apps Plan 2 licenses only to the user groups who are targeted by the advanced enforcement policies. Keep in mind that Plan 1 licensing is already a tenant-wide requirement for Shadow IT discovery.

Microsoft Purview Services

Microsoft Purview Data Loss Prevention (DLP)

Behavior: DLP policies prevent unauthorized sharing of sensitive information across Microsoft 365 workloads. Scoping allows targeted data protection for specific user groups.

Licensing Note:

• Monitored users require licenses. Licenses are required for all users whose activities are subject to DLP policies within supported workloads (Exchange, SharePoint, OneDrive, Teams).

• Scoping policies optimizes licensing. By carefully scoping DLP policies to user groups or departments that handle sensitive data (e.g., legal, finance, HR), you can restrict the number of users requiring licenses, optimizing costs while ensuring data protection for high-risk areas.

• Licensing is driven by policy application, not just potential access to sensitive data. Assess users actively covered by policy controls.

How to Apply Scoping:

1. Identify Sensitive Data Handlers: Determine user groups or departments that regularly handle sensitive or regulated data (e.g., Finance, Legal, R&D, HR).

2. Define Scoped DLP Policies: In the Purview Compliance Portal, create DLP policies tailored to protect specific types of sensitive information (e.g., financial data, PII, trade secrets, health records).

3. Target Policies to Specific Scopes: When configuring DLP policies, specify the "Locations" (e.g., Exchange, SharePoint, OneDrive, Teams) and, critically, the "Users and Groups" to which the policy applies. Target policies only to the user groups identified in step 1.

4. Assign Licenses Based on Policy Scope: Assign Microsoft Purview Compliance licenses (or appropriate suite licenses including DLP capabilities) only to the users included in the "Users and Groups" scope of your DLP policies.

5. Utilize Group-Based Licensing: Employ group-based licensing to streamline and automate the process of assigning licenses to users within DLP policy scopes.

Microsoft Purview Information Protection (Sensitivity Labels)

Behavior: Sensitivity labels in Microsoft Purview Information Protection classify, label, and protect sensitive data with encryption and access controls. Scoping labels ensures targeted data governance.

• P1 (Plan 1): Basic sensitivity labeling and manual application, basic encryption.

• P2 (Plan 2): All P1 features + automatic labeling, advanced encryption, integration with Purview Information Protection.

Licensing Note:

• Users interacting with protected data require licensing. Users who apply, consume, or interact with sensitivity labels (especially those applying encryption or access restrictions) require Microsoft Purview Information Protection licenses. This includes users classifying, labeling, protecting, and consuming protected content.

• P1 for basic labeling, P2 for advanced features. Plan 1 covers manual labeling and basic encryption. Plan 2 enables automatic labeling, advanced encryption, and broader governance features.

• Scoping label publishing optimizes licensing. By publishing specific sensitivity labels only to user groups that need to classify and protect data with those labels, you can limit licensing to users actively engaging in data protection processes, optimizing costs. Users who only consume labeled content might not always need a license, depending on the protection actions applied by the label.

How to Apply Scoping:

1. Define User-Specific Labels: Create sensitivity labels tailored to different types of data sensitivity and departmental needs (e.g., "Highly Confidential - Legal," "Internal Use - Marketing," "Public"). Configure appropriate protection actions within each label (e.g., encryption, permissions, content markings).

2. Scope Label Publishing to User Groups: In the Purview Compliance Portal, when publishing sensitivity labels, carefully select "Users and groups" to target the label availability only to relevant user groups. For example, publish the "Legal Documents" label only to the Legal Team, and "Marketing Materials" label only to the Marketing Team.

3. Assign Licenses Based on Label Scope: Assign Microsoft Purview Information Protection licenses (Plan 1 or Plan 2 as needed) only to users within the groups to whom you've published sensitivity labels. This aligns licensing directly with users actively classifying and protecting data.

4. Utilize Registry-Based Scoping (Advanced, Policy Features): For advanced policy features (excluding scanner functionalities), utilize registry edits as documented by Microsoft to further restrict classification and labeling features from unlicensed users. This is an advanced technique for strict license enforcement in specific scenarios.

Microsoft Purview Advanced Message Encryption

Behavior: Advanced Message Encryption encrypts sensitive emails based on predefined conditions, protecting email communications.

Licensing Note:

• Users whose emails are encrypted require licenses. The sender or recipient of emails encrypted by Advanced Message Encryption (depending on the specific encryption applied and licensing model) requires appropriate licensing. Typically, the sending user initiating the encryption action or policy trigger is licensed.

How to Apply Scoping:

1. Define Scoped Encryption Policies: In the Purview Compliance Portal, create Advanced Message Encryption policies that automatically trigger encryption based on specific conditions. Conditions can include sensitive information types, keywords in email content, or recipient domains.

2. Target Policies to Specific Scopes: When configuring encryption policies, specify the "Users or groups" for whom these policies should apply. Target policies to user groups that frequently handle sensitive communications (e.g., Legal, Executive Communications, HR, Finance departments).

3. Assign Licenses Based on Policy Scope: Assign licenses required for Advanced Message Encryption only to the users who are within the "Users or groups" scope of these defined encryption policies.

4. Utilize Group-Based Licensing: Employ group-based licensing for efficient and streamlined management of licenses for users in scope of Advanced Message Encryption policies.

Microsoft Purview Insider Risk Management

Behavior: Insider Risk Management detects and mitigates potential insider threats by monitoring user activities and identifying risky behavior patterns. Scoping focuses monitoring on high-risk groups.

Licensing Note:

• Monitored users require licenses. Licensing is required for each user whose activities are monitored by Insider Risk Management policies.

• Scoping policies optimizes licensing. By scoping Insider Risk Management policies to specific user groups that hold sensitive data, intellectual property, or are in positions of trust (e.g., executives, R&D, security administrators), organizations can minimize licensing costs by focusing monitoring on the highest-risk segments of their workforce.

How to Apply Scoping:

1. Identify High-Risk User Groups: Determine user groups within your organization with elevated insider risk profiles. This might include those with privileged access, access to highly sensitive data, critical infrastructure, or intellectual property (e.g., R&D, Engineering, Executives, System Administrators, departing employees).

2. Create Scoped Insider Risk Policies: In the Purview Compliance Portal, create Insider Risk Management policies that define specific indicators of risky behavior. Examples include unusual file exfiltration, suspicious data access patterns, or policy violations.

3. Target Policies to High-Risk Scopes: When creating Insider Risk Management policies, under the "Users and groups" setting, specifically select the high-risk user groups identified in step 1 as the scope for monitoring.

4. Assign Licenses Based on Policy Scope: Assign licenses for Insider Risk Management only to the users who are included in the "Users and groups" scope of your Insider Risk Management policies. This directly aligns licensing with active monitoring.

5. Utilize Group-Based Licensing: Employ group-based licensing to efficiently manage license assignments for users targeted by Insider Risk Management policies.

Microsoft Purview Compliance Manager

Behavior: Compliance Manager assesses and helps manage organizational compliance posture by tracking progress against regulatory requirements and providing improvement recommendations. Scoping allows focusing on specific compliance needs per department.

Licensing Note:

• Users involved in compliance assessments need licenses. Licenses are required for users who are actively involved in managing and interacting with Compliance Manager assessments. This includes those assigned assessment tasks, reviewing progress, and implementing improvement actions (e.g., compliance officers, IT administrators, department heads responsible for specific compliance areas).

• Scoping assessments optimizes licensing. By scoping Compliance Manager assessments to specific business units, departments, or regulatory frameworks relevant to those groups (e.g., HIPAA for healthcare, GDPR for EU operations, PCI DSS for payment processing), organizations can limit licensing to the personnel directly involved in managing compliance for those specific areas, rather than requiring tenant-wide licensing.

How to Apply Scoping:

1. Define Scoped Assessments by Area: In the Purview Compliance Portal, access Compliance Manager and identify or create compliance assessments that are directly relevant to specific departments, business units, or regulatory frameworks. Examples include "GDPR Compliance Assessment - Marketing Department," "HIPAA Compliance Assessment - Clinical Operations," "PCI DSS Compliance - Finance."

2. Assign Scoped Assessments to Relevant Users: Within Compliance Manager, assign the scoped assessments only to the users who are directly responsible for managing and contributing to compliance within the targeted departments or business units. This includes assigning users to appropriate roles within the assessment, such as testers, reviewers, implementers, and managers.

3. Assign Licenses Based on Assessment Scope: Assign licenses for Compliance Manager only to the users who are assigned roles within the scoped Compliance Manager assessments. This method ensures licensing is directly tied to active participation in specific compliance management activities.

4. Regularly Review Assessment Scopes and User Assignments: Establish a process to regularly review and adjust assessment scopes and user assignments within Compliance Manager to ensure licensing remains aligned with current compliance management responsibilities and organizational structure changes.

Microsoft Purview eDiscovery (Premium)

Behavior: Microsoft Purview eDiscovery (Premium) enables the discovery, preservation, collection, review, and analysis of electronic records for legal and compliance investigations and litigation.

Scoping Example: eDiscovery (Premium) cases can be scoped to target custodians, specific mailboxes, SharePoint sites, and Teams locations relevant to a legal matter.

Licensing Note:

• Tenant-wide Licensing for Audit Logs is required for eDiscovery. Licensing for audit logging (often included in base Microsoft 365 subscriptions or via add-ons) is a prerequisite for using eDiscovery. This licensing typically applies to all users in the tenant as audit logging is a tenant-wide service that underpins eDiscovery functionality.

• eDiscovery (Premium) licensing is for users involved in cases. eDiscovery (Premium) licensing is generally needed for users performing eDiscovery activities, such as case administrators, reviewers, and legal hold custodians. However, the foundational licensing for the tenant-wide audit logs is still required to enable eDiscovery functionality for anyone in the organization.

• Licensing optimization limited to eDiscovery (Premium) feature licenses. While you can scope eDiscovery cases and might not need eDiscovery (Premium) licenses for all users, the licensing for the underlying tenant-wide audit logs cannot be scoped and applies to all users.

How to Apply Scoping:

1. Ensure Tenant-wide Audit Log Enablement: Verify that tenant-wide audit logging is properly enabled for your Microsoft 365 tenant. This typically requires a base level of Microsoft 365 licensing that includes audit logging capabilities for all users.

2. Scope eDiscovery Cases to Relevant Data: In the Microsoft Purview compliance portal, create and manage eDiscovery (Premium) cases, scoping them to specific custodians, and relevant data locations. Data locations can include mailboxes, SharePoint sites, OneDrive accounts, and Teams locations that are demonstrably relevant to each specific case. This strategic scoping optimizes the data volume to be searched, preserved, and reviewed within each case.

3. Assign eDiscovery (Premium) Licenses to Case-Specific Users: Assign eDiscovery (Premium) licenses only to the legal teams, investigators, compliance officers, and case managers who are actively working with and managing specific eDiscovery cases.

4. Recognize Foundational Licensing Requirement: Remember that while scoping eDiscovery cases and targeting eDiscovery (Premium) licenses to case users optimizes costs for advanced eDiscovery features, the tenant-wide audit log licensing remains a separate, broader, and unavoidable licensing requirement for eDiscovery functionality in general.

Microsoft Entra Services

Microsoft Entra ID (P2) - Conditional Access Policies

Behavior: Conditional Access enforces access control requirements based on user context (location, device, role, app). Scoping policies allows targeted security requirements.

Licensing Note:

• Impacted users require licenses. Licenses for Entra ID P2 (or equivalent suite licenses) are required for users who are subject to Conditional Access policies. This means users who are prompted for MFA, have access restricted based on location, or are otherwise affected by a Conditional Access policy configuration.

• Scoping policies optimizes licensing. By carefully scoping Conditional Access policies to specific user groups, applications, or conditions that truly require enhanced security controls, organizations can limit the number of users requiring Entra ID P2 licenses, optimizing costs while enforcing strong authentication and authorization where needed.

How to Apply Scoping:

1. Identify Scenarios for Enhanced Security: Determine specific user groups, applications, or access scenarios that require stricter security controls. Examples include remote access scenarios, access to critical applications or data, and privileged accounts.

2. Create Scoped Conditional Access Policies: In the Entra Admin Center, create Conditional Access policies specifically designed to address the identified scenarios. Define precise conditions within each policy, including the "Users or groups" to be targeted, the "Cloud apps or actions" to be protected, "Conditions" such as location or device state, and the desired "Grant" access controls (e.g., MFA, compliant device, block access).

3. Target Policies to Defined Scopes: When configuring Conditional Access policies, in the "Assignments" section, specifically target the policies to the identified "Users and groups" and "Cloud apps or actions" that demonstrably necessitate the enhanced security controls.

4. Assign Licenses Based on Policy Scope: Assign Entra ID P2 licenses (or equivalent suite licenses) only to the users who are explicitly included in the "Users and groups" assignments of your Conditional Access policies.

5. Regularly Review Policy Scope: Establish a process to regularly review and refine the scope of Conditional Access policies to ensure they remain aligned with current security needs and user access requirements, optimizing ongoing licensing.

Microsoft Entra ID (P2) - Identity Protection

Behavior: Identity Protection detects, investigates, and remediates risky sign-ins and compromised accounts using risk-based policies. Scoping allows focusing protection on high-value accounts.

Licensing Note:

• Users benefiting from risk mitigation require licenses. Licenses for Entra ID P2 (or equivalent suite licenses) are required for users who are subject to Identity Protection policies and directly benefit from its risk detection and mitigation capabilities. This includes users whose sign-ins are evaluated for risk, who are prompted for MFA due to risk, or whose accounts are automatically remediated based on risk levels.

• Scoping policies optimizes licensing. By scoping Identity Protection policies to focus on specific user groups with demonstrably higher security needs (e.g., administrators, executives, users handling sensitive data), organizations can optimize licensing costs by applying Entra ID P2 only to those users who directly benefit from the advanced identity protection features.

How to Apply Scoping:

1. Identify High-Risk User Scopes: Determine specific user groups or individual accounts that are demonstrably at higher risk of compromise or would cause greater organizational impact if compromised. Examples include administrators, executives, security personnel, and users with access to critical systems or highly sensitive data.

2. Configure Scoped Risk Policies: In the Entra Admin Center, access Identity Protection and configure both the "User risk policy" and the "Sign-in risk policy." Within these policies, carefully define the specific risk levels (Low, Medium, High) that will trigger automated actions (e.g., MFA prompt, password reset requirement, session block).

3. Target Policies to High-Risk Users: In the "Assignments" section of both User and Sign-in risk policies, specifically target these policies to the identified "Users and groups" that are deemed to need enhanced identity protection based on their risk profile and potential impact.

4. Assign Licenses Based on Policy Scope: Assign Entra ID P2 licenses (or equivalent suite licenses) only to the users who are explicitly included in the "Users and groups" assignments of your Identity Protection risk policies.

5. Monitor Risk Detections and Refine Scope: Actively monitor Identity Protection risk detections and incident reports. Regularly review and refine the scope of your risk policies and user group assignments to ensure they remain effective and licensing is optimized based on evolving threat landscapes and user risk profiles.

Microsoft Entra ID (P2) - Privileged Identity Management (PIM)

Behavior: PIM provides just-in-time (JIT) privileged access to minimize standing admin rights, reducing the attack surface for privileged accounts.

Licensing Note:

• Users assigned to privileged roles need licenses. Licenses for Entra ID P2 (or equivalent suite licenses) are required for users who are eligible for or actively assigned privileged roles through Privileged Identity Management. This definitively applies to users managing roles like Global Administrator, Exchange Administrator, SharePoint Administrator, etc.

• Scoping PIM optimizes licensing. PIM licensing is inherently scoped because it is directly based on role eligibility and assignment. By strategically implementing PIM and granting privileged role eligibility only to a demonstrably limited set of administrators who actively require those roles for specific tasks, organizations naturally optimize licensing costs by minimizing the number of users needing Entra ID P2 licenses.

How to Apply Scoping:

1. Conduct Role-Based Access Review (PIM Readiness): Conduct a thorough review of current administrator role assignments across your Entra ID and Microsoft 365 environment. Identify administrative roles that are suitable for management through PIM and clearly document the users who truly require standing or just-in-time eligibility for those privileged roles.

2. Implement Just-In-Time Role Activation (PIM Enforcement): In the Entra Admin Center, implement Privileged Identity Management for the administrative roles identified in step 1. Configure each PIM-managed role to mandate Just-In-Time activation, require Multi-Factor Authentication (MFA) during activation, and necessitate a justification for each role activation request.

3. Scope Role Eligibility (Least Privilege): For each PIM-managed role, rigorously scope eligibility for the role assignment only to the smallest necessary set of administrators who demonstrably and legitimately need that specific level of elevated privilege. Avoid granting standing role assignments; rigorously enforce the principle of Just-In-Time (JIT) access.

4. Assign Licenses to Eligible Users (PIM Scope): Assign Entra ID P2 licenses (or equivalent suite licenses) only to the users who are explicitly made eligible for privileged roles within Privileged Identity Management. Licensing is directly tied to PIM role eligibility.

5. Regularly Audit Role Assignments and PIM Configuration: Establish a schedule to regularly audit privileged role assignments and PIM configurations. Review user eligibility for privileged roles, PIM policy settings, and role activation logs to ensure ongoing adherence to least privilege principles and optimal license utilization within PIM.

Microsoft Entra ID (P2) - Access Reviews

Behavior: Access Reviews automate periodic verification of user access to resources (groups, applications). Reviews can be scoped to specific groups or applications.

Licensing Note:

• Users undergoing access reviews require licenses. Entra ID P2 licenses are required for all users who are part of an access review. This definitively includes reviewers, users being reviewed for access, and potentially administrators who are actively setting up and managing the access reviews.

• Scoping reviews reduces the number of licenses needed, but not necessarily per-user cost. Scoping access reviews to specific groups or applications allows you to review access for a smaller subset of users at any given time, which can reduce the immediate number of Entra ID P2 licenses required compared to initiating reviews for everyone simultaneously. However, if you strategically intend to review all users and resources eventually across different scoped reviews over time, the total licensing cost may still be substantial.

• Licensing is driven by review scope, not just policy scope. If a user is included in any active access review (either as a designated reviewer or as a user whose access is being reviewed), they generally require an Entra ID P2 license during that specific review period.

How to Apply Scoping:

1. Identify Critical Resources and Groups for Review (Prioritization): Determine which applications, groups, or roles pose the most significant organizational risk if user access is not regularly verified and reviewed for appropriateness. Prioritize resources like administrator roles, access to sensitive financial systems, access for external contractors or partners, and applications with high-impact data.

2. Create Scoped Access Reviews for Critical Resources: In the Entra Admin Center, configure Access Reviews, carefully selecting the "Scope" of each review to target the prioritized critical resources identified in step 1. Scope reviews to specific application access, membership of privileged groups, or access to sensitive SharePoint sites.

3. Target Review Assignments to Relevant Reviewers: Assign the created access reviews to relevant and appropriate reviewers (e.g., managers of users being reviewed, application owners, resource owners, data owners). Ensure that the defined review scope accurately includes only the necessary users whose access to the targeted resources needs to be reviewed at this time.

4. Allocate Licenses Based on Active Review Scope: Assign Entra ID P2 licenses to users who are explicitly designated as reviewers or are actively included as users being reviewed within currently active Access Reviews.

5. Monitor Active Reviews and Optimize License Usage: Actively monitor the status and progress of ongoing access reviews. Track license assignments and usage closely. Continuously optimize license allocation based on the actual scope of active reviews at any given time, de-allocating licenses from users when they are no longer actively participating in a review (either as a reviewer or being reviewed in an active campaign).

Microsoft Entra ID Governance

Behavior: Microsoft Entra ID Governance provides identity governance for user lifecycle management, access reviews, and privileged access management delegation. It automates identity lifecycle processes and enhances access security.

Licensing Note:

• Users benefiting from governance features require licenses. Licensing for Microsoft Entra ID Governance is required for users who benefit from or are actively managed by the governance features. This includes users undergoing automated lifecycle management workflows (like automated provisioning/de-provisioning), users participating in access reviews (as reviewers or being reviewed), and users delegating or receiving delegated administrative rights.

• Governance features often target specific user populations, enabling scoping. Entra ID Governance features are designed to be applied to specific user groups, roles, or organizational units, which inherently allows for licensing to be scoped. Organizations can optimize licensing by strategically targeting governance features to user populations that require enhanced identity lifecycle management and access control, rather than tenant-wide deployment.

How to Apply Scoping:

1. Identify User Groups for Governance: Determine specific user groups or roles within your organization that will most benefit from automated identity governance features. Examples include new employee onboarding workflows, contractor lifecycle management, users requiring regular access reviews for sensitive applications, and delegated administrative scenarios for specific departments.

2. Implement Scoped Lifecycle Management Policies: In the Entra Admin Center, configure lifecycle management policies, such as automated provisioning and de-provisioning workflows. Target these policies to the identified user groups (e.g., new hires, contractors, department-specific users) to automate identity lifecycle processes specifically for these scoped populations.

3. Create Scoped Access Reviews and Delegated Admin Roles: Configure Access Reviews and delegated administrative roles within Entra ID Governance, carefully scoping these features to relevant user groups and resources. For example, scope access reviews to specific applications or groups containing sensitive data, and delegate administrative roles only to users who demonstrably need those specific administrative permissions for defined scopes.

4. Assign Licenses to Governed Users: Assign Microsoft Entra ID Governance licenses (or equivalent suite licenses) only to the users who are included within the scope of the implemented governance features. This includes users targeted by lifecycle management policies, users participating in access reviews, and users involved in delegated administration scenarios.

5. Utilize Group-Based Licensing for Efficient Management: Employ group-based licensing to efficiently manage license assignments for users within the scope of Entra ID Governance features, ensuring automated and streamlined license allocation and de-allocation based on user group memberships and governance policy scopes.

Microsoft Priva Services

Microsoft Priva (P2) - Subject Rights Requests (SRRs)

Behavior: Priva Subject Rights Requests (SRRs) streamlines GDPR and similar data privacy compliance by facilitating data collection, review, and export in response to user data requests.

Licensing Note:

• Users whose data may be processed through SRRs require licenses. Licensing for Microsoft Priva is generally required for all users whose data could potentially be processed as part of Subject Rights Requests, even if not every user will actively have their data processed in every request. The licensing model often assumes broader coverage to account for the potential scope of SRR data processing across the entire user population within the organization.

• Limited Licensing Optimization through Request Scoping. While Subject Rights Requests (SRRs) within Priva can be scoped to search within specific data repositories or to focus on particular individuals within a given request, this strategic scoping primarily affects the operational efficiency of the SRR process itself (significantly reducing search time, minimizing processed data volume, improving review efficiency). This request-level scoping does not fundamentally reduce the broader, tenant-level licensing requirement for Microsoft Priva, as the underlying potential for processing any user's data during SRRs still exists.

• Licensing focuses on potential data processing scope, not just active requests. Licensing for Microsoft Priva, especially for SRR capabilities, is typically based on the potential user base that could be subject to Subject Rights Requests, rather than solely on the users actively involved in current, specific SRR workflows.

How to Apply Scoping:

1. Strategic Data Repository Selection within SRRs (Operational Efficiency): When processing Subject Rights Requests using Microsoft Priva, strategically scope the SRR search queries to include only the demonstrably necessary data repositories and specific data locations where the relevant user data is likely to reside. Examples include targeting specific Exchange mailboxes, SharePoint sites known to contain relevant data, or OneDrive accounts based on user roles and departments. This highly targeted approach significantly reduces the amount of data processed per individual SRR, improving efficiency and review workload. However, be aware this primarily optimizes operations, not licensing.

2. Targeted User Identification within SRRs (Privacy Compliant Refinement): If demonstrably possible and fully compliant with all applicable privacy regulations (GDPR, CCPA, etc.) and internal data governance policies, further refine the SRR scope to focus on specific user accounts or unique identifiers directly relevant to the user data subject request. This granular refinement further minimizes the data search scope to only the necessary user data within the pre-selected repositories. Ensure this user-level scoping strictly adheres to privacy regulations and internal legal counsel guidance. Again, note this is primarily for operational efficiency, not license optimization.

3. Understand Broader Licensing Model (Limited Optimization): Fully understand that the licensing model for Microsoft Priva, especially for Subject Rights Request (SRR) capabilities, is intentionally designed for broader tenant coverage. It proactively anticipates the inherent organizational need to be able to process data for any user within the tenant as part of ongoing data privacy compliance obligations and potential future Subject Rights Requests. Direct, granular user-level licensing optimization based solely on individual SRR scope or active SRR usage is inherently limited by the fundamental, tenant-focused licensing structure of the Priva SRR capabilities. Focus scoping efforts on operational efficiency and data minimization within SRR workflows, recognizing the broader licensing coverage model.

Microsoft Teams

Microsoft Teams Premium - Advanced Meeting Features

Behavior: Teams Premium enhances meeting experiences with branded lobbies, advanced analytics, and live translation, available to licensed users.

Licensing Note:

• Licensed users get premium features. Teams Premium features are exclusively available only to users who are explicitly assigned a Teams Premium license.

• Scoping licenses enables feature targeting. By strategically assigning Teams Premium licenses only to specific users who demonstrably need and will actively utilize the advanced meeting features on a regular basis (e.g., event organizers, global sales leaders, trainers, executives who frequently host external meetings), organizations can effectively optimize licensing costs. This approach provides premium features precisely where they are most needed and actively utilized, rather than implementing tenant-wide licensing.

How to Apply Scoping:

1. Identify Users Benefiting from Premium Features: Determine specific user groups or individual users across your organization who would derive the most significant benefit and actively utilize Teams Premium advanced meeting features in their regular workflows. Examples include event organizers, corporate trainers, executive leadership teams, sales and marketing teams frequently conducting external presentations and client meetings, and global project teams requiring live translation capabilities.

2. Targeted License Assignment to Benefit-Driven Users: In the Microsoft 365 Admin Center, strategically assign Teams Premium licenses only to the identified user groups or individual users who were determined in step 1 to actively benefit from the advanced meeting capabilities.

3. Utilize Group-Based Licensing for Efficient Management: Employ group-based licensing within the Microsoft 365 Admin Center for streamlined and efficient management of Teams Premium license assignments to the targeted user groups, simplifying ongoing administration and adjustments as user needs evolve.

4. Promote Feature Utilization and Configure Policies (Licensed Users): Proactively educate all Teams Premium licensed users on the specific advanced meeting features that are now available to them. Configure Teams meeting policies within the Teams Admin Center to further tailor and optimize the Teams Premium meeting experience specifically for these licensed users. This may include leveraging features like custom branded meeting templates, enabling advanced meeting options by default for licensed users, and providing training resources on utilizing premium analytics and reporting.

Microsoft Viva Insights

Microsoft Viva Insights

Behavior: Microsoft Viva Insights provides workplace insights to improve productivity and wellbeing at personal, manager, and organizational levels. Scoping allows targeted insights for specific groups or individuals.

Licensing Note:

• Users benefiting from insights require licenses. Licenses for Viva Insights are required for users who are intended to benefit from the insights and features provided. This can include individuals accessing personal insights, managers using manager insights, and leaders utilizing organizational insights dashboards. Licensing models can vary depending on the level of insights and features accessed (e.g., basic vs. advanced).

• Scoping license assignment is common based on role and need. Organizations often scope Viva Insights license assignments to specific user groups or roles that are prioritized to benefit from workplace analytics and productivity enhancements. This allows for targeted deployment and cost optimization, rather than tenant-wide licensing, especially for advanced features.

How to Apply Scoping:

1. Identify User Groups for Insights: Determine specific user groups or roles within your organization that are prioritized to benefit from workplace insights and productivity enhancements. Examples include leadership teams, managers seeking to improve team collaboration, employees focused on personal productivity and wellbeing, and departments targeted for digital transformation initiatives.

2. Select Appropriate Viva Insights Plan (Basic vs. Advanced): Evaluate the specific insights features needed by the identified user groups (e.g., personal wellbeing insights, manager connection insights, leader-level organizational trends). Select the appropriate Viva Insights plan (often distinguishing between basic included features and advanced add-on capabilities) that aligns with these needs.

3. Target License Assignment to Identified Groups: In the Microsoft 365 Admin Center, assign Viva Insights licenses only to the identified user groups and roles who are prioritized to receive insights.

4. Configure Privacy Settings and Access (Granular Control): Configure Viva Insights privacy settings to align with organizational policies and user expectations. Manage access to different levels of insights (personal, manager, leader dashboards) based on user roles and data sensitivity considerations, further refining the scope of data visibility within the licensed user base.

5. Promote Insight Utilization and Training: Proactively promote the value and utilization of Viva Insights features among licensed users. Provide training and guidance on how to access, interpret, and act upon the insights to improve productivity, wellbeing, and team effectiveness within the scoped user groups.

Microsoft Viva Insights Advanced

Behavior: Microsoft Viva Insights Advanced offers deeper analysis tools, custom queries, predefined Power BI templates, and advanced reporting for KPI tracking. It provides more granular and customizable insights compared to the standard Viva Insights.

Licensing Note:

• Viva Insights Advanced is an add-on license. Microsoft Viva Insights Advanced is typically offered as an add-on license to existing Microsoft 365 or Viva Insights subscriptions. It's not usually a standalone license.

• Advanced features are targeted at specific roles. Viva Insights Advanced features are designed for roles requiring deeper data analysis and reporting capabilities, such as analysts, HR business partners, and organizational leaders focused on data-driven decision-making and strategic workforce planning.

• Scoping Advanced licenses is highly recommended. Due to its advanced nature and add-on licensing model, Viva Insights Advanced licenses should be strategically scoped only to users who demonstrably require and will actively utilize the advanced analysis, reporting, and Power BI integration features. Tenant-wide licensing of Advanced Insights is typically not necessary or cost-effective.

How to Apply Scoping:

1. Identify Roles Requiring Advanced Analysis: Determine specific roles within your organization that demonstrably require advanced analysis tools, custom queries, and in-depth reporting capabilities related to workplace insights data. Examples include HR analysts, business intelligence teams, organizational effectiveness consultants, and executive leadership needing detailed workforce analytics for strategic planning.

2. Assess Need for Advanced Features vs. Standard Insights: Clearly differentiate between users who can effectively utilize standard Viva Insights features versus those who have a demonstrated need for the advanced capabilities offered by Viva Insights Advanced (custom queries, Power BI templates, advanced reporting, KPI tracking). Justify the need for advanced licenses based on specific user roles and data analysis requirements.

3. Target Advanced License Assignment to Specific Roles: In the Microsoft 365 Admin Center, assign Microsoft Viva Insights Advanced add-on licenses only to the identified roles and users who have a clear and justifiable need for these advanced features. This should be a highly targeted license allocation.

4. Provide Training on Advanced Feature Utilization: Offer specialized training and resources to Viva Insights Advanced licensed users, focusing on how to effectively utilize the advanced analysis tools, custom query functionalities, predefined Power BI templates, and advanced reporting features. Maximize the value and adoption of the advanced features among the scoped user base.

5. Monitor Advanced Feature Usage and License ROI: Actively monitor the utilization of Viva Insights Advanced features among licensed users. Track the return on investment (ROI) of these advanced licenses by evaluating the impact of data-driven insights on organizational decision-making, strategic initiatives, and overall business outcomes. Regularly reassess the scope of Advanced license assignments based on actual utilization and demonstrated business value.

Non-Scopable Products

Some Microsoft products cannot be scoped by specific users or groups for licensing purposes. From a solution design perspective, the service is tenant-wide, often enabling a tenant-wide or site-wide capability or infrastructure, rather than being strictly tied to individual user actions or policy application. Optimization is limited to deciding whether to license the tenant/site at all, rather than scoping users within the licensed entity.

Microsoft Defender Services

Microsoft Defender for IoT

• Behavior: Microsoft Defender for IoT secures IoT/OT devices by providing threat detection and vulnerability management. Licensing is site-based.

• Licensing Note:

  • Site-based licensing, no user scoping. Licensing for Microsoft Defender for IoT is based on the number of licensed sites. There is no user-level or device-level scoping within a site.

  • All devices at a licensed site are covered. Once a site is licensed, Microsoft Defender for IoT protection applies to all IoT/OT devices within that defined site, regardless of the specific users who interact with or manage those devices.

  • Licensing optimization is site-level, not user-level. Licensing optimization must focus on licensing only the sites that require IoT/OT security, rather than attempting to scope licensing to specific users or devices within a site.

• How to Apply Scoping:

  1. Site-Based Licensing Strategy: Identify the specific physical sites or operational technology (OT) environments that require Microsoft Defender for IoT protection.

  2. License per Site: Procure Microsoft Defender for IoT licenses based on the number of sites you have identified as needing coverage.

  3. Site-Wide Deployment: Deploy Microsoft Defender for IoT sensors and configure the service to protect all eligible IoT/OT devices within each licensed site. User-level scoping within a site is not applicable, as the protection is site-wide.

Microsoft Purview Services

Audit (Premium)

• Behavior: Audit (Premium) provides extended retention of audit logs and faster access to critical events, capturing user and admin actions across Microsoft 365 workloads tenant-wide.

• Licensing Note:

  • Tenant-wide licensing, no user scoping. Licensing for Audit (Premium) applies to the entire tenant. There is no user-level scoping possible for this feature.

  • All users within the tenant are licensed. When Audit (Premium) is licensed, the enhanced audit log retention and faster access benefits are available for audit logs generated by all users and activities across the Microsoft 365 tenant.

  • Filtering logs is not licensing scoping. While you can filter audit logs by user or event for investigation purposes, this filtering is for log analysis and does not constitute licensing scoping. The licensing requirement remains tenant-wide regardless of how logs are filtered or analyzed.

• How to Apply Scoping:

  1. Tenant-wide Licensing Decision: The decision to license Audit (Premium) is a tenant-wide choice. If the organization requires extended audit log retention and faster access to logs for compliance or security reasons, Audit (Premium) licensing must be acquired for the entire tenant.

  2. Tenant-wide Enablement (if licensed): If licensed, Audit (Premium) features are automatically enabled tenant-wide for all users and activities. No user-level configuration or scoping is needed for licensing.

  3. Log Filtering for Analysis: For specific investigations or compliance reviews, utilize the filtering and search capabilities within the Audit log interface to narrow down logs based on user, activity, date range, etc. This is for operational use of the logs, not for licensing scoping.

Customer Key

• Behavior: Customer Key provides enhanced data encryption at-rest by allowing organizations to use their own encryption keys for data across Microsoft 365 services tenant-wide.

• Licensing Note:

  • Tenant-wide licensing, no user scoping. Licensing for Customer Key is for the entire tenant. User-level or workload-level scoping is not available.

  • Encryption applied tenant-wide. When Customer Key is implemented, the enhanced encryption is applied to data across the entire Microsoft 365 tenant for the selected workloads (Exchange Online, SharePoint Online, Teams).

  • Licensing is for tenant-wide data encryption, not user actions. Licensing is based on enabling tenant-wide enhanced data encryption, not on specific user actions or data access patterns.

• How to Apply Scoping:

  1. Tenant-wide Licensing Requirement: If the organization's security and compliance policies mandate Customer Key level encryption, licensing must be procured for the entire tenant. There is no option for user-based or scoped licensing.

  2. Tenant-wide Configuration: Once licensed, Customer Key implementation involves configuring the encryption keys and enabling Customer Key for the desired Microsoft 365 workloads at the tenant level. User-level configuration for licensing scope is not applicable.

  3. Workload Selection (limited scope): While user-level scoping is not available, you can choose to enable Customer Key for specific Microsoft 365 workloads (e.g., Exchange Online and SharePoint Online, but not Teams). This workload selection offers a limited form of scope, but the licensing still applies tenant-wide even if Customer Key is enabled for only some workloads.

Customer Lockbox

• Behavior: Customer Lockbox provides an approval workflow for Microsoft support engineers to request access to customer data during support incidents, giving organizations control over data access.

• Licensing Note:

  • Tenant-wide licensing, no user scoping. Customer Lockbox licensing is for the entire tenant. There is no user-level scoping for licensing purposes.

  • Tenant-wide control for data access. When Customer Lockbox is enabled, the approval workflow applies to all Microsoft support requests that might involve accessing customer data within the tenant. This is a tenant-wide governance feature.

  • Licensing is for tenant-wide control, not individual requests. Licensing is based on enabling the tenant-wide control mechanism of Customer Lockbox, not on the frequency or scope of individual support requests or user actions.

• How to Apply Scoping:

  1. Tenant-wide Licensing Decision: If the organization requires the data access control provided by Customer Lockbox for support scenarios, licensing must be acquired for the entire tenant. User-level scoping for licensing is not an option.

  2. Tenant-wide Enablement: Once licensed, Customer Lockbox is enabled at the tenant level. The approval workflows and controls are then in place for all applicable Microsoft support interactions across the tenant. No user-level configuration is needed for licensing scope.

  3. Configure Approval Workflow (tenant-wide): Customize the Customer Lockbox approval workflow settings to define who within the organization can approve Microsoft data access requests. These workflow settings apply tenant-wide to all support requests, reflecting the tenant-wide licensing model.

Communication Compliance

• Behavior: Communication Compliance monitors communications (email, Teams, etc.) for policy violations (e.g., inappropriate language, data leaks). Policies can be scoped to groups, but scanning is tenant-wide.

• Licensing Note:

  • Tenant-wide scanning, licensing per monitored user. Communication Compliance scans communication data across the tenant to detect policy violations. However, licensing is based on the number of users who are monitored by Communication Compliance policies.

  • Policy scoping targets monitoring, not licensing optimization. While you can scope Communication Compliance policies to specific user groups (e.g., trading floor staff, HR department), the tenant-wide scanning infrastructure means that licensing is still required for all users whose communication data is potentially processed by the service, even if not explicitly targeted by a specific policy. The service needs to be licensed for the potential scope of its scanning operations.

  • Licensing challenge: Tenant-wide scan, user-based license. The challenge is that while policies can target specific users for focused monitoring, the underlying scanning capability is tenant-wide and likely necessitates licensing for a broader user base than just those explicitly targeted by policies to ensure license compliance and service functionality.

• How to Apply Scoping:

  1. Identify High-Risk Groups for Monitoring: Determine user groups or roles that present a higher risk of communication compliance violations (e.g., regulated industries, financial services, public-facing roles).

  2. Create Scoped Communication Compliance Policies: In the Purview Compliance Portal, configure Communication Compliance policies focused on detecting specific types of violations (e.g., offensive language, sensitive data sharing, conflicts of interest).

  3. Targeted Policy Application: When defining Communication Compliance policies, under "Users and groups," target policies to the identified high-risk user groups for more focused and detailed monitoring.

  4. License Assignment for Potentially Monitored Users: Assign Communication Compliance licenses to all users whose communication data could potentially be scanned by the service. While policies may be scoped to specific groups for active monitoring and reporting, the broader scanning capability means licensing is likely required for a wider user base to ensure compliance and full service functionality. Consider licensing all users or a significant portion to align with the tenant-wide scanning architecture.

Licensing Logic

For professionals in licensing, particularly those within the Microsoft reseller ecosystem, as well as IT Asset Management and FinOps practitioners, a robust understanding of user-based scoping is essential. The efficacy and justification for this approach are firmly rooted in Microsoft's licensing framework, as detailed in the Product Terms and supporting documentation. A clear grasp of these principles is not only essential for ensuring license compliance but also for implementing strategic licensing optimization that aligns with organizational needs.

Microsoft's official Product Terms delineate the licensing requirements that underpin the functionality of Microsoft 365 services. These terms should in principle, be technically manifested in the service architecture, enabling user-based scoping and providing a mechanism for organizations to enforce license validation and control feature access. This inherent link between licensing policy and technical implementation is crucial to for effective license management.

Key Licensing Principles

The core principles, derived from Microsoft’s licensing framework, include:

Feature Access Governed by License Assignment

• Principle: Microsoft Product Terms stipulate that access to premium features within Microsoft 365 services is dependent upon the assignment of a valid license. Licensing is typically applied on a per-user basis. This license assignment serves as the primary control point for accessing advanced features. The intended design is that premium feature access is granted only to licensed users.

• Licensing Implication for Scoping: This principle is foundational to user-based scoping. By strategically assigning licenses to users who require specific premium features, organizations can technically control feature availability, enabling targeted deployment and potentially optimizing licensing costs.

• Example Reference: Microsoft Defender for Endpoint Licensing Requirements

  "Microsoft Defender for Endpoint (Plan 2) capabilities are enabled through licensing. You can get Defender for Endpoint through one of the following: Microsoft Defender for Endpoint Plan 2 or Microsoft 365 E5... " […] "To onboard servers to Defender for Endpoint, server licenses are required...Each User accessing or benefiting from the Microsoft Defender for Endpoint Service must be properly licensed."

Intended Technical Restriction for Unlicensed Users

• Principle: Microsoft solution design aims to technically restrict the premium functionalities of Microsoft 365 services for users and devices without appropriate licenses. While the intent is to make these capabilities largely inaccessible to unlicensed entities, licensing professionals should understand that this restriction is a goal of the system, enforced through license validation.

• In practice, while access to core premium features is intended to be controlled, unlicensed users may still have limited visibility in certain reporting or administrative interfaces. Organizations should primarily focus on ensuring licensed users are correctly configured to ‘benefit’ from the advanced features they are entitled to.

• However, even if unlicensed users are blocked from using premium features (the core intent), they might still be visible in reports or admin consoles.

  • For example:

    • Defender for Endpoint: A device without a P2 license might still be on-boarded (visible in the device inventory) and get basic P1-level protection/visibility. It just won't get P2's Threat Intelligence or AIR. An admin might see all devices, licensed or not, in the console for management purposes.

    • Defender for Cloud Apps: Shadow IT discovery might identify apps used by all users (requiring Plan 1 for everyone). Even if only some users have Plan 2 for enforcement policies, the Shadow IT discovery data itself might be broadly visible.

    • Purview Compliance: Audit logs might capture actions of all users, even if only a subset are licensed for Audit (Premium). Admin interfaces for DLP or Information Protection policy management might show all users, even though policies themselves are scoped to licensed users.

  • It is recommended licensing professionals should not assume that "no license = invisible in every way." Providing visibility for management is sometimes separate from access to premium functionality. Visibility doesn't automatically imply a licensing violation. The license is for the premium features and benefits, not necessarily for simply being listed in a report or admin interface.

• Licensing Implication for Scoping: This principle reinforces the validity of scoping strategies. If premium features are intended to be functionally limited for unlicensed users, organizations should in principle, confidently deploy policies and configurations leveraging these features specifically to licensed users.

License Validation as a Core Enforcement Mechanism

• Principle: Microsoft utilizes license validation as a significant technical control to help enforce licensing compliance within its cloud services. These validation mechanisms are designed to verify license status before granting access to premium features and functionalities. License validation serves as a core technical component supporting the broader licensing compliance framework.

• Licensing Implication for Scoping: The presence of license validation as a technical mechanism strongly supports user-based scoping for licensing optimization. It provides assurance that technical controls implemented through scoping policies are underpinned by Microsoft's license management infrastructure. This offers a level of confidence that license-based access control is a practically enforceable technical control within the Microsoft ecosystem.

• The Microsoft Product Terms and the underlying technical architecture demonstrably support user-based scoping as a valid and valuable strategy licensing optimization. This approach facilitates a move away from tenant-wide, blanket licensing models towards a more granular, cost-effective, and business requirements-aligned approach to Microsoft 365 security and compliance licensing.

Recommendations

To effectively manage licensing and optimize costs for Microsoft 365 tenant-wide services, licensing professionals should adopt the following actionable strategies:

1. Prioritize Understanding Service Architecture and Licensing Models: Thoroughly analyze each Microsoft 365 service to differentiate between tenant-wide foundational features and user-scopable advanced capabilities. Clearly understand the licensing implications of each feature set as defined in Microsoft Product Terms.

2. Strategically Leverage Scoping Where Available: Actively implement user-based or device-based scoping for services and features that offer this capability. Utilize group-based licensing and dynamic groups to streamline the assignment and management of scoped licenses.

3. Optimize Licensing for Foundational Tenant-Wide Features: Acknowledge that certain foundational features of tenant-wide services require broad licensing (e.g., Defender for Office 365 Plan 1 for Safe Attachments, Defender for Cloud Apps Plan 1 for Shadow IT Discovery). Plan budgets accordingly for these tenant-wide licensing prerequisites and explore cost-effective suite licensing options where feasible.

4. Implement Robust Monitoring and Reporting: Establish ongoing monitoring of license utilization and feature adoption, particularly for scoped services. Leverage reporting within Microsoft 365 Admin Center and service-specific portals to track license assignments, policy effectiveness, and potential areas for optimization.

5. Regularly Review and Adapt Licensing Strategies: Tenant needs and the Microsoft 365 service landscape evolve. Conduct periodic reviews of licensing assignments, scoping policies, and feature utilization to adapt strategies, optimize costs, and maintain continuous compliance. Stay informed about updates to Microsoft Product Terms and service capabilities.

Conclusion

Navigating the licensing of Microsoft 365 tenant-wide services requires a holistic understanding of Microsoft service architecture, licensing models, and available scoping capabilities. While tenant-wide services offer significant enhancements to security, compliance, and organizational capabilities, their inherent broad deployment introduces licensing complexity. Actual effective management hinges on a strategic approach that prioritizes a detailed understanding of service features, leverages scoping mechanisms where technically feasible and supported by licensing. By embracing user-based scoping where possible, and diligently managing licensing for essential tenant-wide components, organizations can strive for an optimal balance between robust security and compliance posture and efficient, cost-conscious Microsoft 365 licensing strategy.

About Tony Mackelworth

Tony Mackelworth is a recognized leader in Microsoft Advisory Services and FinOps, with a proven track record in service leadership, product management and consulting. He has built and scaled global service portfolios in Microsoft consulting and FinOps, driving innovation, efficiency, and tangible results for global organizations.

With extensive experience delivering consulting services and leading practices, Tony combines strategic vision with hands-on expertise to help organizations maximize value from their Microsoft investments. This website serves as a resource for the licensing community and a platform to share insights, empowering businesses to navigate Microsoft software and licensing with confidence.

Learn more about his work and insights via Softspend.

Disclaimer

This article is intended for informational purposes only and does not constitute legal, financial, or licensing advice. Microsoft licensing and feature availability can vary by region, subscription type, and contract terms.

Please be aware that nothing on this website constitutes specific technical advice. Some of the material on this website may have been prepared some time ago and therefore may have been superseded. Specialist advice should be taken in relation to specific circumstances.

The contents of this website are for general information purposes only. Whilst the author(s) endeavour to ensure that the information on this website is correct, no warranty, express or implied, is given as to its accuracy and the primary author and website owner or it’s contributing Authors do not accept any liability for error or omission.

The contributing authors and owner of the website shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this website or any material contained in it, or from any action or decision taken as a result of using this website or any such material.

This Disclaimer is not intended to and does not create any contractual or other legal rights. This website is not run by Microsoft and the opinions are the author’s own.

All content on this website created by the author is subject to copyright with all rights reserved.