Microsoft 365 E5 is a powerful suite — but at $57 per user per month, it's also one of the most expensive per-seat licenses in the Microsoft ecosystem. E3, by contrast, sits at $36/user/month. That's a $21/month gap per seat, or $252/user/year.
For a 500-user organization, every 10% of users you can safely downgrade saves you over $12,600 annually. The question isn't whether the savings matter — it's whether the move is safe for each individual user.
What You Actually Get with E5 (vs E3)
Here's a focused comparison of the features that actually determine whether a user needs E5:
| Feature | E3 | E5 |
|---|---|---|
| Azure AD P2 / Entra ID P2 (PIM) | No | Yes |
| Microsoft Defender for Endpoint P2 | No | Yes |
| Microsoft Purview eDiscovery Premium | No | Yes |
| Risk-based Conditional Access | No | Yes |
| Microsoft Purview Advanced Audit | No | Yes |
| Microsoft Defender for Office 365 P2 | No | Yes |
| Power BI Pro | No | Yes |
E3 is not a stripped-down license — it includes Exchange Online, SharePoint, Teams, Intune, Azure AD P1, and Defender for Office 365 P1. For the majority of users in most organizations, E3 covers everything they do.
The 5 Signals That Block a Safe Downgrade
A user genuinely needs E5 if they rely on one or more of these:
1. Privileged Identity Management (PIM)
PIM is an Entra ID P2 feature that lets you assign time-limited, just-in-time privileged roles. If a user has an active or eligible PIM role assignment — whether for Azure AD, Azure resources, or Microsoft 365 groups — they need the P2 entitlement that comes with E5.
2. Risk-Based Conditional Access
Risk-based CA policies evaluate sign-in risk and user risk signals (leaked credentials, atypical travel, etc.) and enforce step-up authentication. These policies require Entra ID P2. If your security posture depends on these policies covering a user, that user needs E5.
3. eDiscovery Premium Custodianship
Microsoft Purview eDiscovery Premium (formerly Advanced eDiscovery) provides custodian-based legal hold and AI-driven document review. If a user is a custodian in an active eDiscovery Premium case, their license must include E5 compliance features.
4. Defender for Endpoint P2 Device
If a user's primary device is onboarded to Microsoft Defender for Endpoint Plan 2 — with EDR, attack surface reduction, and advanced hunting — that user requires a Defender P2 license. E3 only includes Defender for Business (up to 300 seats) or Defender P1.
5. Advanced Audit
Microsoft Purview Advanced Audit (formerly Advanced Audit in M365) provides 1-year audit log retention, 10-year retention with add-on, and intelligent insights for forensic investigations. Users who are the subject of compliance review or whose activity must be retained for regulatory reasons need this.
Who Is Safe to Downgrade?
A user is safe to move from E5 to E3 when:
- They have no active or eligible PIM role assignments
- They are not covered by risk-based CA policies (or those policies have been removed/reassigned)
- They are not a custodian in any eDiscovery Premium case
- Their device is not enrolled in Defender for Endpoint P2
- They are not subject to advanced audit requirements
For most organizations, this describes the majority of end users — people in roles like sales, marketing, finance, and general operations who use Microsoft 365 for email, documents, and collaboration, but aren't administrators, security staff, or legal custodians.
The Cost Math
| Scenario | Users | Savings |
|---|---|---|
| 100-user org, 50% safe to downgrade | 50 users | $12,600/year |
| 250-user org, 60% safe to downgrade | 150 users | $37,800/year |
| 500-user org, 70% safe to downgrade | 350 users | $88,200/year |
These numbers assume the full $252/user/year delta. In practice, you may negotiate volume pricing — but the proportional relationship holds.
The Hard Part: Knowing Who Is Actually Safe
The challenge is that determining downgrade safety manually requires correlating data across multiple Microsoft APIs:
- Entra ID for PIM role assignments
- Graph API for Conditional Access policy scoping
- Purview for eDiscovery custodian status
- Defender Security Center for MDE device enrollment
Most IT teams don't have a single report that combines all of these. That's the problem M365 Assist was built to solve — connect your tenant, run a scan, and get a per-user classification (Safe, Safe with Remediation, Not Safe, or Requires Review) in minutes.
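The correlation described above, written out as an added example (it is not M365 Assist's code and not from the original article): it joins constructed per-signal exports with Conditional Access scoping and lists what keeps each user on E5. User ids, group names, policies and the `SIGNALS` sets are made up; only the key names under `conditions` follow the Microsoft Graph conditionalAccessPolicy resource, and the output is a plain blockers/no-blockers split, not the four-way classification the product reports.

```python
# Constructed sample data standing in for tenant exports. Keys under
# "conditions" follow the Microsoft Graph conditionalAccessPolicy resource;
# SIGNALS holds hypothetical per-signal export results as sets of user ids.
PRICE_DELTA_PER_YEAR = 252  # E5 minus E3 per user, from the article
USERS = [
    {"id": "u1", "upn": "admin@contoso.example", "groups": {"g-it"}},
    {"id": "u2", "upn": "cfo@contoso.example", "groups": {"g-finance"}},
    {"id": "u3", "upn": "sales1@contoso.example", "groups": {"g-sales"}},
    {"id": "u4", "upn": "legal1@contoso.example", "groups": {"g-legal"}},
    {"id": "u5", "upn": "fin2@contoso.example", "groups": {"g-finance"}},
]
CA_POLICIES = [
    {"displayName": "High sign-in risk: require MFA", "state": "enabled",
     "conditions": {"signInRiskLevels": ["high"], "userRiskLevels": [], "users": {
         "includeUsers": [], "includeGroups": ["g-finance"],
         "excludeUsers": ["u5"], "excludeGroups": []}}},
    {"displayName": "MFA for everyone", "state": "enabled",
     "conditions": {"signInRiskLevels": [], "userRiskLevels": [], "users": {
         "includeUsers": ["All"], "includeGroups": [], "excludeUsers": [], "excludeGroups": []}}},
]
SIGNALS = {
    "PIM role (active or eligible)": {"u1"},
    "eDiscovery Premium custodian": {"u4"},
    "Defender for Endpoint P2 device": {"u1"},
    "Advanced Audit requirement": set(),
}

def in_scope(user, ids, groups):
    return "All" in ids or user["id"] in ids or bool(user["groups"] & set(groups))

def risk_ca_policies_for(user, policies):
    """Enabled risk-based CA policies covering `user` (role/guest scoping ignored)."""
    hits = []
    for p in policies:
        c, u = p["conditions"], p["conditions"]["users"]
        if p["state"] != "enabled" or not (c["signInRiskLevels"] or c["userRiskLevels"]):
            continue  # disabled/report-only, or not risk-based
        if (in_scope(user, u["includeUsers"], u["includeGroups"])
                and not in_scope(user, u["excludeUsers"], u["excludeGroups"])):
            hits.append(p["displayName"])
    return hits

def blockers(user):
    found = [name for name, ids in SIGNALS.items() if user["id"] in ids]
    return found + [f"Risk-based CA: {n}" for n in risk_ca_policies_for(user, CA_POLICIES)]

def report(users):
    result = {u["upn"]: blockers(u) for u in users}
    safe = [upn for upn, b in result.items() if not b]
    return result, safe, len(safe) * PRICE_DELTA_PER_YEAR
```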
This article is for informational purposes only and does not constitute legal or financial advice. Microsoft product names, pricing, and licensing terms are subject to change. Verify all details against current Microsoft documentation and your specific agreement terms before making purchasing decisions.