What about DLP licensing?
Today, we will dive into the licensing requirements for Microsoft Purview Data Loss Prevention. As we all know, licensing at Microsoft is a complex topic, so let’s explore this together 😊. And so to say that the Data Loss Prevention licensing can be a rabbit hole when you dive into it :).
To start, one of the best resources for Microsoft licensing is m365maps. This site provides a comprehensive overview of what is possible per bundle or sub-bundle. You can click on the items to be redirected to the correct Microsoft page with an explanation about the product.
What's included in E3 licensing?
The first thing to notice is that the features of Purview are still divided into separate licenses. For example, the O365 E3 license includes the following Purview features:
- Audit (Standard)
- eDiscovery (Standard)
- Data Loss Prevention (we will explore this further later)
- Content search
- Compliance Manager
- Information Protection for M365
- Message Encryption (Basic)
- Retention Labels
- Retention Policies
Now, let’s examine the Enterprise + Mobility E3 license:
- Administrative Units (not really a Purview feature, but highly recommendable for certain scenario’s – I’ll blog about this later)
- Azure RMS
- Information Protection
With an M365 E3 license, you can start with some nice features available in Purview. Today, we will focus on Data Loss Prevention because there are only a few options available with this license type.
What's included in E5 licensing?
You can see that Microsoft Purview is fully accessible with this license, meaning all features of Purview E5 are readily available. The Purview features included are:
- 3 Premium Compliance Manager templates
- Audit (Premium)
- eDiscovery (Premium)
- Insider Risk Management
- Communication Compliance
- Customer Lockbox
- Data Lifecycle Management
- Double Key Encryption
- Exact Data Match
- Message Encryption (Advanced)
- Records Management
- Trainable Classifiers
- Teams DLP
- Teams DLP & Export Graph API
- Defender for Cloud Apps
One key difference in Data Loss Prevention between M365 E3 and M365 E5 is:
- Endpoint DLP
- Teams DLP
- Export Graph API
In an M365 E3 license, the following DLP features are present:
- Exchange Online DLP
- SharePoint Online DLP
- OneDrive for Business DLP
However, the official licensing sheet from Microsoft indicates that you may not have full DLP capabilities on OneDrive, Exchange Online, and SharePoint Online. You will be able to use it under certain conditions, which we will explore further.
First, let’s start with some useful info on Microsoft Learn:
Microsoft 365 guidance for security & compliance – Service Descriptions | Microsoft Learn
Here, we have different links pointing to the various DLP products. Let’s look at them one by one:
Endpoint Data Loss Prevention:
This is an M365 E5 feature, as confirmed above.
Microsoft Purview service description – Service Descriptions | Microsoft Learn
Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive for Business:
This section doesn’t provide all the necessary details, so let’s dive further into the loophole 😊.
The loophole is in the policy tips for end users and the conditions that you can use in your DLP policies.
Data loss prevention policy tip reference for Outlook for Microsoft 365 | Microsoft Learn
Let’s first look at the policy tip references for Outlook:
Conclusion:
The loophole lies in the policy tips for end users and the conditions you can use in your DLP policies.
For example with M365 E5, you have full capabilities, but with M365 E3, you can only use certain conditions in your DLP policies:
- Content contains OOB/custom Sensitive Information Types (SITS)
- Content is shared from Microsoft 365
It’s important to note that you can’t use sensitivity labels in your DLP policies with M365 E3. Additionally, the supported SITs in your policy may vary between M365 E3 and M365 E5.
The second step is to look at the policy tip references for SharePoint Online and OneDrive for Business:
For SharePoint Online and OneDrive for Business, there are no clear differences in licensing for M365 E3 or M365 E5 users, so it should all be supported in M365 E3.
To conclude, when looking into features to use in M365 E3, make sure to do thorough research and test everything. You may need to upgrade to Compliance E5 or M365 E5 to be fully protected and use all
available features to safeguard your organization with DLP policies.
Remember, this is just my first blog post. We will dive deeper into this topic in the next post, where we will test if everything works in M365 E3.
My advice is that you can never be fully protected with DLP policies or Sensitivity Labels alone. Insider Risk Management is a must-have feature to complement these and follow up on data exfiltration. It’s one of my favorite topics in the Microsoft Purview stack, and we will explore it later.
Thanks for reading, and feedback is always welcome.
Cloud Boy
