ABT Blog

Microsoft 365 License Audit: Are You Overpaying?

Written by Justin Kirsch | Wed, Feb 25, 2026

Here's a number that should bother every CFO at a financial institution: 15-30% of your Microsoft 365 spend is probably wasted. Not "could be optimized." Wasted. Paying for licenses no one uses, features no one configured, and tiers no one needs.

We see this every time we run a Microsoft 365 license audit for a bank, credit union, or mortgage company. A 300-person organization paying for 320 licenses because 20 departed employees were never deprovisioned. An entire company on E5 when 80% of the staff only needs Business Premium. Security features that justified the E5 price tag sitting unconfigured for two years.

Microsoft 365 licensing for financial services carries extra complexity because compliance requirements dictate specific security features. You can't just downgrade everyone to the cheapest plan. But you also shouldn't be paying E5 rates for your entire workforce when only your security team and compliance officers need E5 capabilities.

This guide walks through the most common licensing waste, how to tell which plan each role actually needs, and how to run an M365 license review without accidentally breaking your security posture.

The Hidden Cost of Microsoft 365 Licensing at Financial Institutions

Microsoft 365 overspending at financial institutions follows a predictable pattern. Someone made a licensing decision three years ago. It was probably the right call at the time. Then the organization grew, Microsoft changed its plan structure, employees came and went, and nobody revisited the original decision.

The result is licensing sprawl. Consider what a typical 250-person mortgage company's license inventory looks like when we audit it:

  • 267 licenses assigned but only 243 active employees. Those 24 extra licenses? Departed employees, shared mailboxes that don't need full licenses, and test accounts from an integration project that ended 18 months ago.
  • 250 E5 licenses when the original purchase was driven by the compliance team's need for Microsoft Purview and Defender for Office 365 Plan 2. The other 210 users never touch those features.
  • 35 add-on licenses that either duplicate E5 or go unused. Power BI Pro purchased separately when it's bundled with E5. Visio Plan 2 (which E5 does not include) assigned to people who open it once a quarter.

At current E5 per-user pricing, the gap between what this company pays and what it should pay is $8,000-$12,000 per month. That's $96,000-$144,000 per year in Microsoft 365 overspending on licensing alone.

Multiply that across an institution with 500 or 1,000 users, and you're looking at six figures in annual waste that nobody has flagged because the monthly invoice just auto-renews.

Five Licensing Mistakes Costing You Money

After auditing Microsoft 365 environments for hundreds of financial institutions, these are the five mistakes we find in almost every engagement.

1. Everyone Gets the Same License Tier

This is the biggest single source of waste. The IT Director picks one plan for the whole company because it's easier to manage. Usually it's E3 or E5, and usually it's based on what the most demanding department needs.

Your loan officers don't need the same license as your chief information security officer (CISO). A teller processing transactions needs email, Teams, and basic Office apps. Your compliance team needs Purview eDiscovery, Advanced Audit, and Information Barriers. Those are different license tiers at different price points.

2. Departed Employees Keep Their Licenses

This sounds like it should be easy to catch. It isn't. Offboarding at financial institutions often involves regulatory holds on mailbox content, which means accounts stay active longer than at other companies. The problem is when "active for compliance hold" turns into "still paying for a full E5 license 14 months after the employee left."

In most cases these accounts don't need a paid license at all. An inactive mailbox (put the mailbox on Litigation Hold or a retention policy, remove the license, then delete the account) keeps its content for as long as the hold lasts with no license. A shared mailbox under 50GB with no archive and no hold is also free. The one catch: a shared mailbox that is placed on hold, has an online archive, or exceeds 50GB needs an Exchange Online Plan 2 license (or Plan 1 plus Exchange Online Archiving), which still costs a fraction of E5. Your offboarding process should convert these accounts rather than leaving them on full licenses.
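As an added example (not from the original post), here is that conversion scripted the way a practitioner would run it, using the Exchange Online and Microsoft Graph PowerShell modules. The UPN is a placeholder, the SKU part numbers (SPE_E5, EXCHANGEENTERPRISE) are Microsoft's published identifiers that you should confirm against your own tenant's Get-MgSubscribedSku output, and the size threshold follows Microsoft's 50GB rule for unlicensed shared mailboxes.

```powershell
# Added example (not from the original post): offboard a departed user so the
# mailbox content stays available without an E5 seat.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are installed,
# the UPN below is a placeholder, and SKU part numbers are Microsoft's published
# identifiers (confirm against your tenant's Get-MgSubscribedSku output).
$upn = 'departed.user@example.com'   # placeholder for the leaver's account

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All','Organization.Read.All' -NoWelcome

# 1. Block sign-in first. Converting the mailbox does not stop the account authenticating.
Update-MgUser -UserId $upn -AccountEnabled:$false

# 2. Convert to a shared mailbox while the account is still licensed (the conversion needs it).
$mbx = Get-Mailbox -Identity $upn
if ($mbx.RecipientTypeDetails -eq 'UserMailbox') {
    Set-Mailbox -Identity $upn -Type Shared
    $mbx = Get-Mailbox -Identity $upn
}

# 3. Decide what license, if any, the shared mailbox still needs. Shared mailboxes are free
# unless they are on hold, have an online archive, or exceed 50 GB; then Microsoft requires
# Exchange Online Plan 2 (or Plan 1 plus Exchange Online Archiving), far cheaper than E5.
$sizeText = (Get-MailboxStatistics -Identity $upn).TotalItemSize.ToString()   # "1.5 GB (1,610,612,736 bytes)"
$m = [regex]::Match($sizeText, '\(([\d,]+) bytes\)')
$sizeGB = if ($m.Success) { [math]::Round(([double]($m.Groups[1].Value -replace ',', '')) / 1GB, 1) } else { 0 }
$needsExoLicense = $mbx.LitigationHoldEnabled -or ($mbx.ArchiveStatus -eq 'Active') -or ($sizeGB -gt 50)

$skus  = Get-MgSubscribedSku -All
$e5Sku = ($skus | Where-Object SkuPartNumber -eq 'SPE_E5').SkuId
$exoP2 = ($skus | Where-Object SkuPartNumber -eq 'EXCHANGEENTERPRISE').SkuId   # Exchange Online Plan 2
$held  = @((Get-MgUser -UserId $upn -Property AssignedLicenses).AssignedLicenses.SkuId)

# 4. Swap licenses in one call so the mailbox is never unlicensed in between: an unlicensed
# mailbox that is not on hold enters a 30-day grace period and is then deleted.
if ($held -contains $e5Sku) {
    $add = @()
    if ($needsExoLicense) {
        if (-not $exoP2) { throw "Mailbox $upn needs Exchange Online Plan 2 but none is purchased; E5 left in place." }
        $add = @(@{ SkuId = $exoP2 })
    }
    Set-MgUserLicense -UserId $upn -AddLicenses $add -RemoveLicenses @($e5Sku) | Out-Null
}

# Summary object for the offboarding ticket.
[pscustomobject]@{
    User           = $upn
    MailboxType    = (Get-Mailbox -Identity $upn).RecipientTypeDetails
    LitigationHold = $mbx.LitigationHoldEnabled
    ArchiveStatus  = $mbx.ArchiveStatus
    SizeGB         = $sizeGB
    KeptExoPlan2   = [bool]$needsExoLicense
    E5Removed      = ($held -contains $e5Sku)
}
```

The order matters: disable the account before touching licenses, convert while still licensed, and add the replacement license in the same Set-MgUserLicense call that removes E5. If you want a true inactive mailbox instead of a shared one, skip step 2, confirm the hold, remove the license, and delete the user; the content stays for the life of the hold with no license at all.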

3. Paying for Add-Ons Already Included in Your Plan

Microsoft's licensing matrix is genuinely confusing. We regularly find organizations paying separately for:

  • Power BI Pro when they already have E5 (which includes it)
  • Azure AD P2 (now Entra ID P2) when they already have E5 (which includes it)
  • Microsoft Defender for Endpoint Plan 2 when they have E5 Security (which includes it)
  • Audio Conferencing when they already have E5 (which includes it)

Each of these duplicates adds $5-$12 per user per month. Across 200 users, one duplicate add-on costs $12,000-$28,800 per year.

4. Unused Licenses Sitting in Inventory

Bulk license purchases often leave unassigned licenses sitting idle. You bought 300 Business Premium licenses when you had 280 employees, expecting growth. The growth happened, but you bought E3 licenses for the new hires instead. Those 20 unassigned Business Premium licenses keep renewing.

5. Security Features Bought but Never Configured

This is the most expensive mistake because it combines overspending with a false sense of security. Many financial institutions upgraded to E5 specifically for the advanced security and compliance features. Then nobody configured them.

Buying E5 for Microsoft Defender for Office 365 Plan 2 doesn't protect you from phishing attacks if you haven't set up Safe Attachments policies and anti-phishing rules. Paying for Purview Information Barriers doesn't satisfy your examiner if the barriers aren't actually in place. You're paying the premium and getting none of the protection.

E3 vs. E5 vs. Business Premium: What Financial Services Actually Needs

The licensing decision in financial services comes down to one question: which users need advanced security and compliance features, and which users just need to do their jobs?

Business Premium: The Baseline for Most Staff

Business Premium includes the Office apps, email, Teams, SharePoint, OneDrive, Intune device management, and Defender for Business. For tellers, loan processors, administrative staff, and most operational roles, this is more than enough.

Business Premium also includes Conditional Access (through Entra ID P1), which means you can enforce MFA, block legacy authentication, and require compliant devices. These are the security controls that satisfy most day-to-day compliance requirements.

The limitation: Business Premium caps at 300 users per tenant, and its compliance tools are the standard versions (eDiscovery (Standard), standard audit). The premium versions regulated institutions sometimes need (eDiscovery (Premium), Information Barriers, Audit (Premium), formerly Advanced Audit) require E5 or the E5 Compliance add-on. If you have more than 300 users or need those features for specific roles, you'll need E3 or E5 for at least part of your workforce.

E3: The Middle Ground

E3 removes the 300-seat cap, raises mailboxes from 50GB to 100GB, adds Windows Enterprise, and includes the standard Purview tools (DLP, eDiscovery (Standard), retention policies). It still runs on Entra ID P1, and Defender for Office 365 is not included at all. For organizations over 300 users, E3 is the practical baseline. But E3 doesn't include the advanced security stack that makes E5 worth the price for your security and compliance teams.

E5: Worth It for the Right Roles

E5 adds Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Entra ID P2, Microsoft Purview (advanced compliance), Power BI Pro, and Audio Conferencing. These features matter for:

  • Security team: Threat investigation, automated remediation, attack simulation
  • Compliance officers: eDiscovery, Information Barriers, Advanced Audit, retention policies with adaptive scopes
  • IT administrators: Identity Protection risk policies, Privileged Identity Management, Access Reviews
  • Executives: Power BI for reporting and board-level dashboards

The key insight for Microsoft 365 license optimization: E5 is worth the price for 15-25% of your workforce. The other 75-85% are on a more expensive plan than they need.

How to Run a Microsoft 365 License Audit

A proper license audit takes your current spend, maps it against actual usage, and produces a right-sizing plan. Here's how to do it.

Step 1: Pull Your Current License Inventory

In the Microsoft 365 Admin Center, go to Billing > Your products. Export the full list of purchased licenses, assigned licenses, and available licenses. This gives you the baseline: what you're paying for vs. what's been assigned.

Already you'll probably find unassigned licenses generating monthly charges.

Step 2: Run Usage Reports

In the Admin Center under Reports > Usage, pull the last 180 days of activity data (the widest window the reports offer). One gotcha: by default these reports conceal user, group, and site names. Clear "Display concealed user, group, and site names in all reports" under Settings > Org settings > Reports before you try to map activity to people. You're looking for:

  • Last activity date per user. Anyone who hasn't logged in for 90+ days needs investigation.
  • App usage breakdown. Which users actually use the advanced features their license includes? If someone has E5 but only uses Outlook, Word, and Teams, they don't need E5.
  • Defender activity. Are the advanced threat investigation and automated remediation features in E5 being used, or is the security team only using the basic Defender capabilities available in lower tiers?

Step 3: Map Users to Required Tiers

Build a spreadsheet with every user, their current license, their actual usage, and their role. Assign the minimum license tier that covers their requirements:

  • Business Premium: Standard staff, operational roles, most of the workforce
  • E3: Users who need larger mailboxes, specific compliance tools, or are in tenants over 300 users
  • E5: Security team, compliance officers, IT admins, executives who need Power BI

Step 4: Identify and Eliminate Duplicate Capabilities

Cross-reference your add-on subscriptions against what's included in each tier. Every add-on that duplicates a bundled feature is money thrown away.

Step 5: Build a Migration Plan

Don't change 200 licenses on a Friday afternoon. License changes can affect Conditional Access policies, DLP rules, retention policies, and security configurations. Two mechanics matter. First, assign the new license and remove the old one in the same operation so nobody is ever unlicensed: a mailbox that loses its Exchange license enters a 30-day grace period and is then deleted. Second, compare service plans, not just tier names: a user moved from E5 to E3 keeps Exchange Online Plan 2 but loses Defender for Office 365 Plan 2 and the Entra ID P2 plans. A financial institution should phase these changes with testing, roll them department by department, and verify that all compliance-critical features remain functional after each change.

This is where many institutions get stuck. The audit identifies savings, but nobody wants to risk breaking security configurations. That's a valid concern, and it's why many banks and credit unions bring in a specialist for the migration itself. ABT's licensing team handles this for hundreds of financial institutions. They know which configurations break when you change tiers and how to preserve them.
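The inventory, usage and duplicate checks in Steps 1, 2 and 4 above can be pulled in one pass instead of clicked through the Admin Center. The following script is an added example, not code from the original post or from ABT. It assumes the Microsoft Graph PowerShell SDK, an admin who can consent to the listed scopes, and an Entra ID P1 tenant (SignInActivity is not returned otherwise). The 90-day threshold and the bundle/add-on pairs are this example's choices, and the SKU part numbers are Microsoft's published identifiers, which you should confirm against the current product-names-and-service-plan reference.

```powershell
# Added example (not from the original post): Steps 1, 2 and 4 of the audit with the
# Microsoft Graph PowerShell SDK, exported to CSV for the Step 3 spreadsheet.
# Assumptions: Microsoft.Graph module installed, admin can consent to the scopes below,
# tenant has Entra ID P1 (SignInActivity requires it). The 90-day threshold and the
# add-on pairs are this example's choices, not Microsoft's.
Connect-MgGraph -Scopes 'User.Read.All','Organization.Read.All','AuditLog.Read.All' -NoWelcome

$inactiveDays = 90
$cutoff = (Get-Date).AddDays(-$inactiveDays)

# Step 1: purchased vs. assigned per SKU. Anything unassigned is still billed every month.
$skus = Get-MgSubscribedSku -All
$skuName = @{}
foreach ($s in $skus) { $skuName[$s.SkuId] = $s.SkuPartNumber }

$unassigned = foreach ($s in $skus) {
    [pscustomobject]@{
        Sku        = $s.SkuPartNumber
        Purchased  = $s.PrepaidUnits.Enabled
        Assigned   = $s.ConsumedUnits
        Unassigned = $s.PrepaidUnits.Enabled - $s.ConsumedUnits
    }
}
$unassignedSkus = @($unassigned | Where-Object Unassigned -gt 0)

# Step 2: licensed users that are disabled or have not signed in for $inactiveDays days.
# Both interactive and non-interactive sign-ins count; a service account that only
# authenticates non-interactively is still in use.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses,SignInActivity |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

$stale = foreach ($u in $users) {
    $act = $u.SignInActivity
    $lastAny = @($act.LastSignInDateTime, $act.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $u.AccountEnabled -or -not $lastAny -or $lastAny -lt $cutoff) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Enabled    = $u.AccountEnabled
            LastSignIn = $lastAny
            Licenses   = (@($u.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] }) -join ';')
        }
    }
}

# Step 4: a standalone add-on SKU held together with a bundle that already contains it.
# SKU part numbers are Microsoft's published identifiers; confirm the pairs against the
# current service-plan reference before acting on them.
$duplicatePairs = @(
    @{ Bundle = 'SPE_E5'; AddOn = 'POWER_BI_PRO';   Reason = 'Power BI Pro is in E5' }
    @{ Bundle = 'SPE_E5'; AddOn = 'AAD_PREMIUM_P2'; Reason = 'Entra ID P2 is in E5' }
    @{ Bundle = 'SPE_E5'; AddOn = 'MCOMEETADV';     Reason = 'Audio Conferencing is in E5' }
)
$duplicates = foreach ($u in $users) {
    $held = @($u.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] })
    foreach ($p in $duplicatePairs) {
        if ($held -contains $p.Bundle -and $held -contains $p.AddOn) {
            [pscustomobject]@{ User = $u.UserPrincipalName; AddOn = $p.AddOn; Reason = $p.Reason }
        }
    }
}

# Feed the Step 3 spreadsheet.
$unassignedSkus | Export-Csv .\unassigned-skus.csv -NoTypeInformation
@($stale)       | Export-Csv .\stale-licensed-users.csv -NoTypeInformation
@($duplicates)  | Export-Csv .\duplicate-addons.csv -NoTypeInformation
"{0} SKUs with unassigned seats, {1} stale licensed users, {2} duplicate add-on assignments" -f `
    $unassignedSkus.Count, @($stale).Count, @($duplicates).Count
```

Two things the portal view does not give you fall out of this directly: disabled accounts that still hold a license (the classic departed-employee case) and the non-interactive sign-in date, which keeps you from flagging a service account as "inactive" because nobody opens Outlook with it. Anyone on the stale list gets investigated, not bulk-removed; the conversion in the offboarding section above is the right path for true leavers.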

Why Tier-1 CSP Pricing Matters for Your Microsoft 365 License Optimization

Where you buy Microsoft 365 licenses affects what you pay. There are three purchasing channels, and they're not equal.

Direct from Microsoft

Buying directly from Microsoft.com is the most expensive option. There's no volume discount negotiation, no dedicated account team, and no license management support. You pay list price and manage everything yourself.

Through a Reseller (Tier-2 CSP)

Many managed service providers (MSPs) resell Microsoft licenses as a Tier-2 or indirect CSP. They buy from a distributor (like Ingram Micro or TD SYNNEX), mark up the price, and pass it through. They have limited ability to negotiate pricing and no direct relationship with Microsoft for escalations.

Through a Tier-1 CSP (Direct Partner)

Tier-1 Cloud Solution Providers like ABT have a direct billing relationship with Microsoft. No middleman distributor. This matters for three reasons:

  • Better pricing. Tier-1 CSPs negotiate directly with Microsoft on volume commitments. That pricing advantage gets passed to customers.
  • Direct escalation path. When a licensing issue or service incident occurs, ABT goes directly to Microsoft engineering. Tier-2 CSPs go to their distributor, who then goes to Microsoft. That extra layer adds days to resolution time.
  • License management expertise. Tier-1 CSPs manage thousands of seats across hundreds of tenants. They've seen every licensing scenario, every migration path, and every gotcha in Microsoft's plan structure. ABT manages Microsoft 365 licensing for hundreds of financial institutions through its Guardian platform, which includes license utilization tracking as part of ongoing tenant monitoring.

The pricing difference between buying through a Tier-1 CSP and buying direct can be 5-15% on the same licenses. Combined with right-sizing from a license audit, the total savings are substantial.

Compliance Guardrails: Don't Break Security to Save Money

The worst-case outcome of a Microsoft 365 license audit is saving $80,000 on licensing and then failing a regulatory examination because a critical security feature stopped working when you changed tiers.

Microsoft 365 licensing for financial services requires extra caution during any license change. Here's what to watch:

Conditional Access Policies

Conditional Access itself needs only Entra ID P1, but the risk-based conditions (sign-in risk and user risk, fed by Identity Protection) require Entra ID P2, which is included in E5 and not in E3 or Business Premium. Downgrading users from E5 to E3 takes them out of P2 coverage: the risk condition is no longer evaluated for those users, so sign-ins the policy should block go through. Access Reviews and Privileged Identity Management are separate P2 features rather than Conditional Access conditions, but they stop working for downgraded users in the same way.

Before downgrading any license, inventory every Conditional Access policy and verify which Entra ID features it depends on.
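One way to do that inventory, as an added example (not from the original post): the script below reads every Conditional Access policy through Microsoft Graph PowerShell, flags the ones with sign-in risk or user risk conditions, and lists the in-scope users who hold no Entra ID P2 service plan, which is exactly the population an E5 to E3 downgrade creates. It assumes the Microsoft.Graph module and the scopes shown; the function names are the example's own, and only direct group membership is resolved (no nested groups, no exclusions).

```powershell
# Added example (not from the original post): Conditional Access policies that depend on
# Entra ID P2 conditions, and the in-scope users who do not hold a P2 service plan.
# Assumptions: Microsoft.Graph module installed; admin can consent to the scopes; only
# direct group membership is resolved (no nested groups, no exclusions), so treat the
# output as a starting list, not a verdict.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','GroupMember.Read.All' -NoWelcome

$p2Plan = 'AAD_PREMIUM_P2'   # service plan provisioned by both E5 and standalone Entra ID P2

function Test-HasEntraP2 {
    param([string]$UserId)
    $plans = (Get-MgUserLicenseDetail -UserId $UserId).ServicePlans
    return [bool]($plans | Where-Object { $_.ServicePlanName -eq $p2Plan -and $_.ProvisioningStatus -eq 'Success' })
}

function Get-PolicyUserIds {
    param($Users)
    # Explicit user IDs plus direct user members of included groups. 'All' is reported separately.
    $ids = @($Users.IncludeUsers | Where-Object { $_ -and $_ -notin 'All','None','GuestsOrExternalUsers' })
    foreach ($g in @($Users.IncludeGroups | Where-Object { $_ })) {
        $ids += Get-MgGroupMember -GroupId $g -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
            Select-Object -ExpandProperty Id
    }
    return @($ids | Sort-Object -Unique)
}

$report = foreach ($pol in Get-MgIdentityConditionalAccessPolicy -All) {
    $c = $pol.Conditions
    $deps = @()
    if ($c.SignInRiskLevels) { $deps += "sign-in risk: $($c.SignInRiskLevels -join '/')" }
    if ($c.UserRiskLevels)   { $deps += "user risk: $($c.UserRiskLevels -join '/')" }
    if ($deps.Count -eq 0) { continue }   # nothing P2-specific; a downgrade does not affect this policy

    $withoutP2 = foreach ($id in (Get-PolicyUserIds -Users $c.Users)) {
        if (-not (Test-HasEntraP2 -UserId $id)) {
            (Get-MgUser -UserId $id -Property UserPrincipalName).UserPrincipalName
        }
    }
    [pscustomobject]@{
        Policy         = $pol.DisplayName
        State          = $pol.State              # enabled, disabled, enabledForReportingButNotEnforced
        P2Dependency   = ($deps -join '; ')
        ScopedToAll    = ($c.Users.IncludeUsers -contains 'All')   # every downgraded user falls out of coverage
        UsersWithoutP2 = (@($withoutP2) -join ', ')
    }
}
$report | Format-List
```

Run it before and after a pilot downgrade. Any policy with a non-empty UsersWithoutP2 list (or ScopedToAll true in a tenant where you have already downgraded anyone) is a policy the downgrade has already broken for those users, and the portal will not tell you. Exclusions and nested groups are not resolved here, so check the output against the policy definition before acting on it.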

Data Loss Prevention Rules

DLP policies in Microsoft Purview have different capabilities depending on the license tier. Advanced DLP features (Endpoint DLP, exact data matching) require E5 Compliance or E5. If you've configured these, downgrading the user's license silently disables the policy for them. No error message. No alert. The rule just stops applying.

Retention Policies and Legal Holds

Financial institutions use retention policies and legal holds for regulatory compliance. Some advanced retention features (adaptive scopes, auto-applying retention labels with trainable classifiers) require E5. Downgrading a user who's subject to these policies can cause data governance gaps your compliance team won't know about until an examiner asks for records that no longer exist.

The Safe Approach

Run your audit. Identify the savings. Then have someone who understands both Microsoft licensing and financial services compliance execute the changes. ABT runs a free security assessment that includes a license utilization review alongside your security configuration audit. It tells you where you're overspending and where changing licenses would create compliance risk.

Frequently Asked Questions

How often should a financial institution run a Microsoft 365 license audit?

Financial institutions should conduct a Microsoft 365 license audit at least twice per year, aligned with budget planning cycles and Microsoft renewal dates. Organizations experiencing rapid hiring, mergers, or regulatory changes should audit quarterly. Each audit should include license inventory, usage analysis, add-on deduplication, and a compliance impact assessment before making any changes.

What is the typical Microsoft 365 overspend at a financial institution?

Financial institutions typically overspend on Microsoft 365 licensing by 15 to 30 percent. Common causes include departed employees retaining active licenses, uniform E5 assignments regardless of role, duplicate add-on subscriptions for features already bundled in existing plans, and unassigned licenses continuing to renew. A thorough audit identifies these issues and produces a right-sizing plan.

Can you downgrade Microsoft 365 licenses without losing data?

Downgrading a Microsoft 365 license does not delete user data as long as the replacement license still includes the same services (E5 to E3 keeps Exchange Online, SharePoint, and OneDrive). Removing a service entirely is different: a mailbox with no Exchange license is soft-deleted after a 30-day grace period unless a hold applies. Downgrades can also disable features that depend on the higher-tier license. Conditional Access policies, Data Loss Prevention rules, and retention policies may stop functioning for affected users. Financial institutions should document all active security and compliance configurations before any tier change and verify each one remains operational afterward.

What is the difference between a Tier-1 and Tier-2 Microsoft CSP?

A Tier-1 Cloud Solution Provider has a direct billing and support relationship with Microsoft, enabling better pricing and faster issue resolution. A Tier-2 CSP purchases licenses through a distributor, which adds cost and an extra support layer between the customer and Microsoft. For financial institutions, working with a Tier-1 CSP also provides access to direct Microsoft engineering escalation paths.

Does ABT help with Microsoft 365 license audits for banks and credit unions?

ABT conducts Microsoft 365 license audits for banks, credit unions, mortgage companies, and other regulated financial institutions. As a Tier-1 Microsoft CSP with SOC 2 Type II certification, ABT provides license utilization analysis, right-sizing recommendations, and compliance-safe migration execution. The process includes a free security assessment that covers both licensing and security configuration.

What Conditional Access and DLP configurations should financial institutions verify before changing Microsoft 365 license tiers?

Before changing license tiers, financial institutions should inventory every Conditional Access policy that uses Entra ID P2 risk conditions (sign-in risk and user risk from Identity Protection), because downgrading from E5 to E3 removes those users from P2 coverage and the condition silently stops being evaluated for them. Access Reviews and Privileged Identity Management are also P2 features that stop for downgraded users. Data Loss Prevention (DLP) rules using advanced capabilities like Endpoint DLP and exact data matching also require E5 or E5 Compliance licenses. Institutions should document every active policy, verify which license tier each policy depends on, and test changes in a pilot group before rolling out organization-wide. DMARC email authentication settings live in DNS and are license-independent, but they should be verified as part of any security configuration review.

Next Steps: Stop Overpaying for Microsoft 365

Every month you wait to run a Microsoft 365 license audit is another month of paying for licenses, features, and tiers your institution doesn't need. The savings are real and the process doesn't have to put your compliance posture at risk.

Get your free security grade. ABT's security assessment reviews your Microsoft 365 environment, including license utilization, against 100+ security benchmarks. You'll see exactly where you're overspending and where your security configuration stands. Get your grade at getmygrade.myabt.com

Talk to a licensing specialist. If you already know your licensing needs attention, skip straight to a conversation with ABT's team. As a Tier-1 Microsoft CSP managing licenses for 750+ financial institutions, we've seen your exact situation before. Schedule a conversation at myabt.com/talk-to-an-expert

Technical Reference

The following tables define the Microsoft 365 licensing terms and compliance frameworks referenced in this article.

Licensing and Security Terms

CISO: Chief Information Security Officer, the executive responsible for an organization's information security strategy and program.
Conditional Access: Microsoft Entra ID policies that enforce sign-in requirements (multi-factor authentication, device compliance, location-based restrictions) before granting access to Microsoft 365 resources. Requires Entra ID P1; risk-based conditions require P2.
CSP (Cloud Solution Provider): Microsoft's partner program for selling and managing cloud licenses. Tier-1 CSPs have a direct billing relationship with Microsoft; Tier-2 CSPs purchase through a distributor.
DLP (Data Loss Prevention): Microsoft Purview rules that detect and block sharing of sensitive data (Social Security numbers, account numbers, loan data) outside the organization. Advanced DLP features such as Endpoint DLP and exact data matching require E5 or E5 Compliance licensing.
DMARC: Domain-based Message Authentication, Reporting, and Conformance, a DNS-published email authentication policy that tells receiving mail servers to quarantine or reject messages that fail SPF or DKIM alignment for your domain, which stops attackers from sending mail that appears to come from it.
EDR (Endpoint Detection and Response): Security software that continuously monitors devices for threats and provides automated investigation and remediation capabilities. Microsoft Defender for Endpoint Plan 2 (included in E5) provides EDR; Defender for Business (included in Business Premium) provides a subset.
Entra ID (formerly Azure AD): Microsoft's cloud identity platform that manages user authentication, Conditional Access policies, and identity protection. P1 is included in Business Premium and E3; P2 is included in E5.
Microsoft Purview: Microsoft's compliance and data governance platform, including DLP, eDiscovery, Information Barriers, retention policies, and audit logging. Premium features require E5 or the E5 Compliance add-on.
SOC 2 Type II: An independent audit verifying that a service provider's security controls are designed properly and operating effectively over a sustained period (typically 6-12 months).