AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

Microsoft 365 E5 Security Features Banks Pay For But Don't Use

Written by | Sat, May 23, 2026

If your institution moved from Microsoft 365 E3 to Microsoft 365 E5, you are paying Microsoft an additional $21 per user per month, every month, in exchange for a defined bundle of nine security and compliance features. None of those features turn themselves on. Each one requires a tenant configuration step inside the Microsoft Defender portal, Microsoft Entra admin center, or Microsoft Purview portal before it produces any value. Skip the configuration step, and the feature still costs you the same money.

This is one of the most common patterns we see at banks, credit unions, and mortgage companies that bought into the Microsoft 365 E5 promise: the license is on the invoice, the security stack is sitting in the tenant unused, and the team is still buying point products from third-party vendors to fill gaps that E5 already covers. The good news is that every E5 feature is verifiable. Your IT team can open the right Microsoft 365 admin console today and confirm whether each piece of the stack is active or sitting dormant.

The numbers matter, especially with the July 1, 2026 price increase only weeks away. Microsoft announced on December 4, 2025 that Microsoft 365 E5 list pricing rises from $57 to $60 per user per month, a roughly 5 percent increase. For a 100-employee community bank, credit union, or mortgage company that means the annual cost of E5 jumps from $68,400 to $72,000. If the security features are not active, that is $25,200 to $28,800 in unrealized value each year, sitting next to a security team that may be paying third-party vendors for capabilities the E5 license already includes.

$25,200/year
Incremental cost a 100-employee bank, credit union, or mortgage company pays for Microsoft 365 E5 over E3 at the May 2026 list price ($21/user/month differential x 100 users x 12 months). Increases to $28,800/year after the July 1, 2026 price adjustment.
Source: Microsoft, "Advancing Microsoft 365: New capabilities and pricing update," December 4, 2025

TL;DR

Microsoft 365 E5 adds nine security features over E3: Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Defender for Identity, Defender for Cloud Apps, Microsoft Entra ID P2 (PIM and Identity Protection), and four Microsoft Purview Premium services (Information Protection, eDiscovery, Insider Risk Management, Communication Compliance). It also unlocks a free 5 MB per user per day Microsoft Sentinel data ingestion grant. None of these features auto-activate. Verify each one in your Microsoft 365 admin portals before the July 1, 2026 price increase to make sure the $25,200-plus annual upcharge a 100-employee bank, credit union, or mortgage company pays is actually buying activated security capability, not just license inventory.

How much your bank pays for Microsoft 365 E5 in 2026

Microsoft 365 E5 lists for $57 per user per month for commercial and enterprise customers with annual commitment, as of May 2026. Microsoft 365 E3 lists for $36 per user per month on the same terms. The differential, $21 per user per month, is the price tag on the E5 security and compliance stack. Microsoft published these prices on its commercial licensing news page and confirmed them in the December 4, 2025 announcement that previewed the July 2026 price adjustments.

For a financial institution running 100 Microsoft 365 seats, the E3 line item is $43,200 per year and the E5 line item is $68,400 per year. The $25,200 spread is what your CFO is approving each renewal to buy you nine extra security capabilities plus an extra Microsoft Sentinel data benefit. After July 1, 2026, those same 100 E5 seats list at $72,000 per year, putting the upcharge for the security stack at $28,800.

July 1, 2026 Microsoft 365 Price Adjustments

Microsoft 365 E5 moves from $57 to $60 per user per month. Microsoft 365 E3 moves from $36 to $39. Frontline workers see steeper hikes (F3 +25 percent). Microsoft announced the change on December 4, 2025; new and renewing subscriptions land on the new pricing starting July 1, 2026. Existing Enterprise Agreement customers may hold the prior pricing until their renewal date.

The internal question this article is built to answer is straightforward: are we activating the nine security features and the Sentinel benefit that justify the $21-per-user-per-month spend? If yes, E5 is a value-priced consolidation: one vendor, one bill, one identity, one set of controls, one audit trail. If no, your institution is buying license inventory and topping it up with third-party point products that duplicate features sitting unused inside your own tenant.

The nine security features E5 adds over E3

Microsoft 365 E3 already includes a baseline security stack: Microsoft Defender Antivirus, Microsoft Defender for Endpoint Plan 1 (next-generation antimalware plus attack surface reduction), basic Microsoft Purview Information Protection, basic data loss prevention, and Microsoft Entra ID Plan 1 with Conditional Access. When you upgrade to E5, you do not lose any of that. Instead, Microsoft adds nine distinct capabilities on top.

The most useful way to read the E5 stack is feature by feature, mapped to the Microsoft Learn page that documents what each capability does and to the admin portal where you can confirm whether it is active in your tenant.

| E5 feature (not in E3) | What it adds | Admin portal to verify |
| --- | --- | --- |
| Microsoft Defender for Office 365 Plan 2 | Adds Automated Investigation and Response (AIR), Threat Explorer with 30-day historical data, advanced hunting with KQL queries, and attack simulation training on top of the Plan 1 link and attachment protection that comes with E3. | Microsoft Defender portal |
| Microsoft Defender for Endpoint Plan 2 | Full endpoint detection and response (EDR) with behavioral detections, automated remediation, advanced hunting, threat and vulnerability management, and Microsoft Threat Experts access. E3 includes only Plan 1, which is closer to a next-generation antivirus. | Microsoft Defender portal |
| Microsoft Defender for Identity | Detects identity-based attacks against on-premises Active Directory and hybrid environments: lateral movement, reconnaissance, golden-ticket use, and Kerberos abuse. Critical for institutions that still run AD alongside Microsoft Entra ID. | Microsoft Defender portal |
| Microsoft Defender for Cloud Apps | Cloud Access Security Broker (CASB) functionality: shadow IT discovery, cloud app risk scoring, OAuth app governance, and inline session controls. Identifies SaaS apps employees are using outside the sanctioned Microsoft 365 stack. | Microsoft Defender portal |
| Microsoft Entra ID P2 (PIM) | Privileged Identity Management gives just-in-time elevation, approval workflows, and time-boxed access for Global Admin and other privileged roles. Eliminates standing admin privileges, a core FFIEC and NCUA expectation for identity governance. | Microsoft Entra admin center |
| Microsoft Entra ID P2 (Identity Protection) | Risk-based Conditional Access using machine-learning signals: leaked credentials, atypical travel, anonymous IP, unfamiliar sign-in. Drives risk-based MFA and block decisions automatically. Pairs with phishing-resistant authentication policies. | Microsoft Entra admin center |
| Microsoft Purview Information Protection Premium | Automatic and recommended sensitivity labeling, auto-labeling for SharePoint and OneDrive, encryption tied to label, and trainable classifiers for financial-industry data (loan files, account numbers, member PII). E3 supports labels but requires manual application. | Microsoft Purview portal |
| Microsoft Purview eDiscovery Premium | Custodian management, legal hold orchestration, advanced search-and-analyze, and Customer Lockbox approval workflows. Important for litigation hold and regulatory inquiry response at banks, credit unions, and mortgage companies subject to subpoena. | Microsoft Purview portal |
| Microsoft Purview Insider Risk Management | Detects risky internal behavior: data exfiltration to personal email or USB, departing-employee data hoarding, suspicious access patterns. Generates auditable alerts that match the insider-threat expectations in FFIEC IT Examination Handbook and NCUA Letter 16-CU-04 successor guidance. | Microsoft Purview portal |
| Microsoft Purview Communication Compliance | Monitors Microsoft Teams chats, Exchange Online email, and Yammer for policy violations: harassment, conflict of interest, code-of-conduct breaches, regulated communication leakage. Built around financial-services and life-sciences scenarios in particular. | Microsoft Purview portal |

That table is the entire E5-over-E3 value proposition in one view. It has ten line items if you split Entra ID P2 into PIM and Identity Protection (Microsoft sometimes counts them as one feature license, sometimes as two capabilities). The combined feature inventory is the same either way.

The 9 Microsoft 365 E5 security features that are not included in E3, mapped to the Microsoft Defender, Microsoft Entra, and Microsoft Purview portals where each is configured.

How to verify each E5 feature is actually turned on

Every feature in the E5 stack has a specific surface inside one of the three Microsoft 365 admin portals where its activation status is visible. The fastest way to inventory what is and is not active in your tenant is to walk through each portal once with this list in hand. It takes about an hour for a tenant under 250 seats, and the answers do not require deep configuration expertise. You are answering a single question for each feature: does it show as active, or does it show as not configured?

Start with the Microsoft Defender portal at security.microsoft.com. The portal home page shows a tenant-wide Microsoft Secure Score along with security recommendations grouped by product family. If Defender for Office 365 Plan 2 is active, you will see Threat Explorer in the left navigation under Email and collaboration, and the Investigations area will list any auto-investigations the AIR engine has spun up in the last 30 days. If Defender for Endpoint Plan 2 is active, the Assets blade will show your enrolled devices and the Vulnerability management area will populate with a CVE inventory. If Defender for Cloud Apps is active, the Cloud apps area will list the SaaS apps discovered in your tenant.

Next, move to the Microsoft Entra admin center at entra.microsoft.com. Privileged Identity Management appears in the left navigation under Identity governance. If PIM is active, you will see a list of eligible role assignments and recent activations. If you see a "Get started with PIM" splash and no role assignments, PIM is licensed but not configured. Identity Protection appears under Protection in the left navigation, and the dashboard shows recent risky users, risky sign-ins, and risk detections. A flat dashboard with no detections in a tenant of any size usually means the feature was never enabled, not that the tenant has zero risk.

Finish in the Microsoft Purview portal at purview.microsoft.com. Each of the four Premium services has its own solution area in the left navigation: Information Protection, eDiscovery, Insider Risk Management, and Communication Compliance. For each one, look for an active policy or case list. An empty solution area with no policies configured is the most common state at financial institutions that bought E5 but have not yet deployed the compliance stack.

Quick Verification Heuristic

If you open a Microsoft 365 admin portal solution area for the first time and see a "Get started" splash, it is licensed but not configured. If you see policies, cases, or detections, it is configured. If you see neither because the navigation item is missing, the license may not be assigned to the active user, or the feature requires a separate enablement step at the tenant level. All three states are recoverable, but each one points to a different next action.
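The Entra admin center checks in the walkthrough above can also be read through Microsoft Graph. The script below is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK, and its output labels and its reading of the article's "audit-only mode" as a report-only Conditional Access policy are assumptions of the example.

```powershell
# Added example: read-only state check for the two Entra ID P2 features (PIM and
# Identity Protection). Assumes the Microsoft Graph PowerShell SDK is installed
# and the signed-in account can consent to the three read scopes below.
Connect-MgGraph -Scopes 'Organization.Read.All', 'RoleManagement.Read.Directory', 'Policy.Read.All'

# Well-known role template ID for Global Administrator (identical in every tenant).
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Licensed? AAD_PREMIUM_P2 is the Entra ID P2 service plan carried by the E5 SKU.
$p2Licensed = [bool](Get-MgSubscribedSku -All | Where-Object {
    $_.CapabilityStatus -eq 'Enabled' -and
    $_.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM_P2'
})

$eligible = @(); $standingGlobalAdmins = @(); $riskPolicies = @()
if ($p2Licensed) {
    # PIM: eligible (just-in-time) assignments exist only once PIM has been set up.
    $eligible = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All)

    # Active assignments of type 'Assigned' with no end date are standing privileges.
    $standingGlobalAdmins = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
        Where-Object {
            $_.RoleDefinitionId -eq $globalAdminRoleId -and
            $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime
        })

    # Identity Protection: Conditional Access policies conditioned on sign-in or user risk.
    $riskPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.Conditions.SignInRiskLevels -or $_.Conditions.UserRiskLevels
    })
}

$enforced   = @($riskPolicies | Where-Object State -eq 'enabled')
$reportOnly = @($riskPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')

# Labels are this example's own wording for the states the article describes.
[pscustomobject]@{
    EntraP2Licensed       = $p2Licensed
    PimState              = if (-not $p2Licensed) { 'Not licensed' }
                            elseif ($eligible.Count -gt 0) { 'Configured' }
                            else { 'Licensed but not configured' }
    EligibleAssignments   = $eligible.Count
    StandingGlobalAdmins  = $standingGlobalAdmins.Count
    RiskBasedPolicyState  = if (-not $p2Licensed) { 'Not licensed' }
                            elseif ($enforced.Count -gt 0) { 'Enforcing' }
                            elseif ($reportOnly.Count -gt 0) { 'Report-only' }
                            else { 'No risk-based policy' }
    RiskPoliciesEnforced  = $enforced.Count
    RiskPoliciesReportOnly = $reportOnly.Count
}
```

Emergency-access accounts are normally held as standing Global Admins by design, so a small non-zero `StandingGlobalAdmins` count is expected. Legacy user-risk and sign-in-risk policies configured inside Identity Protection itself are not Conditional Access policies and will not appear in this result.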

Find out which E5 features your tenant has activated

Microsoft Secure Score in the Defender portal scores every E5 control individually and tells you which recommendations are unconfigured. ABT's Security Grade assessment walks through that scoring view for your tenant alongside the FFIEC, NCUA, and OCC examiner expectations that map to each E5 feature.


The free Microsoft Sentinel benefit most E5 buyers don't claim

Hidden inside the E5 license, alongside the nine features in the table above, is a separate benefit that Microsoft markets less aggressively: free Microsoft Sentinel data ingestion. The official Microsoft Learn billing page for Microsoft Sentinel documents the policy directly. Microsoft 365 E5, A5, F5, and G5 customers receive a data grant of up to 5 megabytes per user per day for Microsoft 365 data ingestion into Microsoft Sentinel, applied automatically with no separate sign-up.

Five megabytes per user per day does not sound like much in isolation. For a 100-employee credit union, however, it compounds to roughly 18 gigabytes of free Sentinel ingestion per month, or about 219 GB per year, depending on the data sources actually piped into Sentinel. At Microsoft's commercial Sentinel pay-as-you-go ingestion rate, that benefit is worth several thousand dollars annually in avoided ingestion cost, sitting unused on the same E5 license your institution already pays for.

~18 GB/month
Free Microsoft Sentinel data ingestion available to a 100-employee bank, credit union, or mortgage company on Microsoft 365 E5 (5 MB per user per day x 100 users x 31 days = ~15.5 GB per month, scaled up depending on per-user activity volume). Applied automatically at billing time, no separate purchase or contract amendment required.
Source: Microsoft Learn, "Plan costs and understand Microsoft Sentinel pricing and billing"

The eligible data sources for the 5 MB-per-user-per-day grant are the high-value ones for FFIEC, NCUA, and OCC audit narratives: Microsoft Entra ID sign-in and audit logs (every authentication event, including risky sign-ins), Microsoft Defender for Cloud Apps Shadow IT discovery logs, Microsoft Purview Information Protection logs (every sensitivity-label application and DLP detection), and Microsoft 365 advanced hunting data. Those four sources, ingested into Sentinel, form a strong baseline for identity and data-loss telemetry that examiners increasingly expect to see correlated in a single SIEM view.

For institutions running a separate SIEM today (Splunk, Sumo Logic, LogRhythm, or a Sentinel competitor), the benefit becomes a real decision: keep paying a third party for what is essentially the same data, or shift the four eligible Microsoft 365 sources to Sentinel and let the free grant absorb the ingestion cost. Either way, leaving the benefit unclaimed while paying for E5 is the worst outcome.

Microsoft Documentation: Microsoft on the E5 Sentinel Benefit

"Microsoft 365 E5, A5, F5, and G5 customers can get a data grant of up to 5 MB per user per day of Microsoft 365 data ingestion into Microsoft Sentinel. The data grant will be calculated automatically and applied to your bill, covering the cost of up to 5 MB of data ingestion per user per day."

Microsoft Learn, "Plan costs and understand Microsoft Sentinel pricing and billing" (https://learn.microsoft.com/en-us/azure/sentinel/billing).

The activation order: which features to turn on first

If your institution has not configured the E5 stack, do not try to enable everything in the same week. The features have dependencies, deserve different rollout cadences, and require different team skills to operate. The order below is the sequence that returns the most security and audit value the fastest, based on what we see banks, credit unions, and mortgage companies actually need most when their E5 stack is dormant.

1. Microsoft Entra ID P2: Privileged Identity Management

Eliminates standing Global Admin and other privileged role assignments. Single highest-leverage configuration for both real-world breach reduction and FFIEC, NCUA, and OCC examiner alignment. Configure eligible role assignments, set approval and MFA requirements, and roll out to all privileged accounts before anything else.

2. Microsoft Entra ID P2: Identity Protection

Enables risk-based Conditional Access policies (block high-risk sign-ins, require MFA for medium-risk users). Pairs naturally with the PIM rollout. Use the audit-only mode for two weeks to baseline your tenant's risk volume, then move to enforcement.

3. Microsoft Defender for Office 365 Plan 2

Turn on Safe Links and Safe Attachments Plan 2 policies. Enable Threat Explorer for the security analyst seat. Set the AIR (Automated Investigation and Response) playbooks to investigate every reported phish. Targets the dominant attack vector against financial institutions: business-email-compromise and credential-harvesting phishing.

4. Microsoft Defender for Endpoint Plan 2

Onboard endpoints, turn on tamper protection, enable attack surface reduction rules, and activate Threat and Vulnerability Management. EDR alerts replace the legacy "the antivirus called us" loop with structured detections you can act on inside the Defender portal.

5. Microsoft Purview Information Protection Premium + DLP Premium policies

Roll out sensitivity labels with auto-labeling for member PII, loan files, and account numbers. Configure DLP policies that monitor first, block second. Microsoft Purview-tagged data flows feed directly into Microsoft Sentinel under the 5 MB-per-user-per-day grant.

6. Microsoft Defender for Cloud Apps + Microsoft Defender for Identity

Defender for Cloud Apps surfaces the shadow-IT inventory within 24 to 72 hours of running. Defender for Identity needs sensor deployment on domain controllers and a baseline window before detections light up. Both produce auditable evidence for OCC and FFIEC third-party risk reviews.

7. Microsoft Purview Insider Risk Management + Communication Compliance

Last because these features need policy design conversations with HR, Legal, and Compliance before you turn them on. Configure with templates first (departing-employee data theft, harassment in Teams). Build out custom policies after two to three months of baseline operating data.

8. Microsoft Sentinel: claim the 5 MB-per-user-per-day grant

Connect the four eligible data sources (Entra ID logs, Defender for Cloud Apps Shadow IT, Purview Information Protection logs, Microsoft 365 advanced hunting) into a Sentinel workspace. The grant applies automatically. Build workbooks and analytic rules from Microsoft's templates for financial services scenarios.

The activation order most banks, credit unions, and mortgage companies should follow when standing up a dormant Microsoft 365 E5 security stack. Identity governance first, threat protection next, data protection in the middle, behavioral analytics last, Sentinel ingestion to close the loop.

E5 looks expensive because the bill arrives in full every month. It stops looking expensive once you do the activation work. Microsoft already paid for the engineering; you already paid for the license. The only thing left is the configuration.

How banks, credit unions, and mortgage companies deploy E5 in practice

The activation order above is the theoretical answer. In real-world Microsoft 365 tenants at community banks, credit unions, and mortgage companies, the deployment typically falls into one of three buckets. Knowing which bucket your institution lives in tells you where the biggest spending leak is and which features will produce the most audit-ready value the fastest once activated.

License-Only Tenants

E5 licenses assigned, none of the security stack configured. Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, and the four Microsoft Purview Premium services are all sitting at the "Get started" splash. Microsoft Sentinel either does not exist as a workspace, or exists but no Microsoft 365 connectors are turned on. The institution is paying for E5 and protecting itself with Plan 1 capability.

Likely security spend leak: $25,200 to $28,800 per year on a 100-seat license. Third-party EDR, SIEM, or DLP vendors filling the gap that E5 was bought to close.

Threat-Protection Tenants

Defender for Office 365 Plan 2 and Defender for Endpoint Plan 2 are active, ATP-style policies are deployed, and the security team uses the Microsoft Defender portal day-to-day. Identity governance, however, is partial: Entra ID Plan 2 is licensed, but PIM is still showing the "Get started" splash and Identity Protection is in audit-only mode. Purview is mostly unconfigured.

Likely security spend leak: Identity governance gap (PIM eliminates standing admin, a top FFIEC and NCUA examiner expectation), DLP/labeling gap, and the full Sentinel benefit either unclaimed or routed to a competing SIEM.

Fully-Deployed Tenants

All nine E5 features are active. PIM is approval-gated and audited. Identity Protection is in enforcement mode. Sensitivity labels with auto-labeling are deployed across Exchange, SharePoint, OneDrive, and Teams. Insider Risk Management policies are running, and Communication Compliance is reviewing flagged messages weekly. Microsoft Sentinel ingests the four free sources and is the institution's primary SIEM.

Outcome: The $25,200-to-$28,800 upcharge produces a defensible, examiner-ready security and compliance footprint. Third-party tooling spend shifts down. Tenant Secure Score climbs into the high range for the institution's size.

Most banks, credit unions, and mortgage companies we work with start the conversation at License-Only or Threat-Protection. Almost none start at Fully-Deployed without help. The activation gap is not a Microsoft engineering problem; the features work, the documentation exists, the controls are clear. It is a sequencing-and-skills problem, and it is the gap a Tier-1 Microsoft Cloud Solution Provider that specializes in financial services is built to close.

For institutions that want to move from License-Only or Threat-Protection up to Fully-Deployed, the practical path is to verify the tenant's current state first using Microsoft Secure Score and the portal walkthrough described earlier, then sequence the activation against the eight-step order in this article. Doing it inside a single quarter is realistic for a 100-employee bank, credit union, or mortgage company. Pairing the activation work with a managed-detection-and-response (MDR) operating model means the alerts and detections the new E5 stack starts producing actually get triaged and acted on, instead of piling up unread in the Defender portal.

For a deeper look at how the E5 stack sits next to E3 and Microsoft 365 Business Premium for community-sized financial institutions, the Microsoft 365 E3 vs E5 vs Business Premium companion article walks through the licensing decision. The Microsoft 365 license audit guide shows how to audit current license assignment for waste before adjusting upward or downward. And for the broader security control mapping to FFIEC, GLBA, and OCC expectations, see Microsoft 365 compliance for GLBA and OCC requirements at community banks.

Frequently Asked Questions

Microsoft 365 E5 lists for $57 per user per month as of May 2026 for commercial customers with annual commitment. On July 1, 2026, the list price moves to $60 per user per month, a roughly 5 percent increase that Microsoft announced on December 4, 2025. Microsoft 365 E3 moves from $36 to $39 on the same date. Existing Enterprise Agreement customers may hold prior pricing until their renewal date.

Microsoft 365 E5 adds nine security and compliance capabilities over E3: Microsoft Defender for Office 365 Plan 2, Microsoft Defender for Endpoint Plan 2 (E3 includes only Plan 1), Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Microsoft Entra ID Plan 2 (Privileged Identity Management plus Identity Protection), Microsoft Purview Information Protection Premium, Microsoft Purview eDiscovery Premium, Microsoft Purview Insider Risk Management, and Microsoft Purview Communication Compliance. Each feature has its own admin portal where its activation status is visible.

Yes. Microsoft 365 E5, A5, F5, and G5 customers receive a free Microsoft Sentinel data ingestion grant of up to 5 megabytes per user per day, applied automatically with no separate purchase. The eligible data sources are Microsoft Entra ID sign-in and audit logs, Microsoft Defender for Cloud Apps Shadow IT discovery logs, Microsoft Purview Information Protection logs, and Microsoft 365 advanced hunting data. For a 100-employee bank, credit union, or mortgage company, the grant covers roughly 18 gigabytes of free ingestion per month.

Open the relevant Microsoft 365 admin portal and look for either an active policy list or a "Get started" splash. Microsoft Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Defender for Identity, and Defender for Cloud Apps all surface in the Microsoft Defender portal at security.microsoft.com. Privileged Identity Management and Identity Protection surface in the Microsoft Entra admin center at entra.microsoft.com. The four Microsoft Purview Premium services surface in the Microsoft Purview portal at purview.microsoft.com. An empty "Get started" splash means the feature is licensed but not configured.

At the May 2026 list price, Microsoft 365 E3 is $36 per user per month and Microsoft 365 E5 is $57 per user per month. The differential is $21 per user per month, or $252 per user per year. For a 100-employee institution, that is $25,200 per year in additional spend. After the July 1, 2026 price adjustment, the upcharge widens to $21 per user per month at the new prices ($60 for E5, $39 for E3), bringing the annual differential for 100 users to $25,200, with the absolute E5 spend rising from $68,400 to $72,000 per year.

Activate Microsoft Entra ID Plan 2 Privileged Identity Management first. It eliminates standing Global Admin and other privileged role assignments, which is both the single highest-leverage real-world breach reduction and the most consistent FFIEC, NCUA, and OCC examiner expectation tied to the E5 stack. Identity Protection follows in second position, then Defender for Office 365 Plan 2 to address phishing, then Defender for Endpoint Plan 2 for EDR coverage. Microsoft Purview services and Microsoft Sentinel ingestion follow after the identity and threat protection foundations are in place.

Activate the Microsoft 365 E5 security stack your bank already pays for

ABT manages Microsoft 365 tenants for more than 750 banks, credit unions, and mortgage companies as a Tier-1 Microsoft Cloud Solution Provider. We help institutions move from License-Only and Threat-Protection tenants to Fully-Deployed E5 stacks, with the identity governance, data protection, and Microsoft Sentinel telemetry that FFIEC, NCUA, and OCC examiners expect.


Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has run Microsoft 365 licensing, security, and compliance for regulated financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies turn the Microsoft 365 E5 license they already pay for into a fully-activated security and audit-readiness footprint.