Moving a user from Microsoft 365 E5 to E3 saves $252 per user per year. But it's not a blanket decision you can apply to an entire tenant. Some users genuinely rely on E5-exclusive features — and downgrading them without remediation first creates real problems: broken security policies, compliance gaps, and potentially audit failures.
Here are the five signals that block a safe E5-to-E3 downgrade, what each one means, and what you can do about it.
1. Privileged Identity Management (PIM) — Deduction: 40 points
What it is: Azure AD Privileged Identity Management (now Entra ID PIM) lets you assign just-in-time access to privileged roles — Global Admin, Exchange Admin, Security Admin, and hundreds more. Users can have roles that are "active" (always on) or "eligible" (activatable on demand for a time window).
Why it blocks E3: PIM is an Entra ID P2 feature. E3 includes Entra ID P1, which does not include PIM. Downgrading a user without removing their PIM assignments means their access to role activation breaks — they may lose the ability to perform their job or, worse, the role gets silently converted in a way that changes your security posture.
How to remediate:
- Identify which roles the user has via active and eligible assignments
- Determine if those roles are still needed
- If the user needs permanent access to a role, evaluate whether E3's always-on role assignment (without just-in-time lifecycle controls) is acceptable for your security model
- If the role is no longer needed, remove the assignment before downgrading
2. Risk-Based Conditional Access Policies — Deduction: 35 points
What it is: Risk-based Conditional Access evaluates Microsoft's identity protection signals — leaked credentials, anonymous IP addresses, atypical travel, impossible travel, suspicious browser activity — and enforces step-up authentication or blocks access automatically. These are distinct from standard Conditional Access policies, which any Entra ID P1 tenant can create.
Why it blocks E3: Risk-based CA policies use the Entra ID P2 Identity Protection risk engine. E3 includes Entra ID P1. If a risk-based CA policy applies to a user and you downgrade them to E3, the policy will fail to enforce because the user's license doesn't include the Identity Protection engine.
How to remediate:
- Audit which CA policies use "user risk" or "sign-in risk" conditions
- Determine which users are in scope for those policies
- For users you want to downgrade, either remove them from the policy scope or replace the risk-based conditions with standard conditions that work with Entra ID P1 (e.g., MFA for all sign-ins, compliant device requirements)
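A small audit helper for the first two remediation steps above, added here as an example and not part of the article or of M365 Assist: it flags Conditional Access policies that carry a user-risk or sign-in-risk condition and reports which of those scope a given user, honouring user and group exclusions and report-only state. The policy JSON and group membership map are constructed sample data whose field names follow the Microsoft Graph conditionalAccessPolicy resource; a real run would pull both from Graph.

```python
import json
# Constructed sample data: field names follow the Microsoft Graph
# conditionalAccessPolicy resource; ids, names and members are made up.
POLICIES_JSON = """[
 {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"userRiskLevels": [], "signInRiskLevels": [],
   "users": {"includeUsers": ["All"], "excludeUsers": [],
             "includeGroups": [], "excludeGroups": []}}},
 {"id": "p2", "displayName": "Block high user risk", "state": "enabled",
  "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": [],
   "users": {"includeUsers": ["All"], "excludeUsers": ["u-break-glass"],
             "includeGroups": [], "excludeGroups": ["g-excluded"]}}},
 {"id": "p3", "displayName": "MFA on risky sign-in (report-only)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"userRiskLevels": [], "signInRiskLevels": ["medium", "high"],
   "users": {"includeUsers": [], "excludeUsers": [],
             "includeGroups": ["g-finance"], "excludeGroups": []}}}
]"""
POLICIES = json.loads(POLICIES_JSON)
# Constructed group membership (group id -> member user ids); in practice use a
# transitive membership lookup so nested groups are not missed.
GROUP_MEMBERS = {"g-finance": {"u-alice", "u-bob"}, "g-excluded": {"u-bob"}}

def is_risk_based(policy):
    """True when the policy carries a user-risk or sign-in-risk condition (P2)."""
    c = policy["conditions"]
    return bool(c.get("userRiskLevels")) or bool(c.get("signInRiskLevels"))

def user_in_scope(policy, user_id, group_members):
    """CA scoping rules: exclusions win, then 'All', direct include, group include."""
    u = policy["conditions"]["users"]
    groups = {g for g, members in group_members.items() if user_id in members}
    if user_id in u["excludeUsers"] or groups & set(u["excludeGroups"]):
        return False
    if "All" in u["includeUsers"] or user_id in u["includeUsers"]:
        return True
    return bool(groups & set(u["includeGroups"]))

def risk_policies_for_user(policies, user_id, group_members, report_only=True):
    """Names of risk-based CA policies that scope this user. Report-only policies
    count by default: they become a P2 dependency the day they are enforced."""
    hits = []
    for p in policies:
        skip = p["state"] == "disabled" or not is_risk_based(p) or (
            p["state"] == "enabledForReportingButNotEnforced" and not report_only)
        if not skip and user_in_scope(p, user_id, group_members):
            hits.append(p["displayName"])
    return hits
```

Calling `risk_policies_for_user(POLICIES, "u-bob", GROUP_MEMBERS)` returns only the report-only finance policy, because u-bob is excluded from the user-risk policy through g-excluded.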
3. eDiscovery Premium Custodianship — Deduction: 30 points
What it is: Microsoft Purview eDiscovery Premium (formerly Advanced eDiscovery) is the enterprise compliance feature for legal holds, document review, and regulatory investigations. In Premium eDiscovery, individuals whose content is under legal hold are called custodians. The system preserves their mailbox, OneDrive, and Teams content.
Why it blocks E3: eDiscovery Premium is a compliance feature that requires the E5 Compliance add-on or an E5 license. If a user is an active custodian in a Premium eDiscovery case and you downgrade their license, their custodianship and legal hold status may be invalidated — a potentially serious compliance and legal risk.
How to remediate:
- Work with your legal or compliance team to identify all active eDiscovery Premium cases
- Determine if the user is an active custodian
- If the case is closed or the legal hold is lifted, the user may be eligible for downgrade
- If the case is active, the user must retain E5 (or an E5 Compliance add-on) for its duration
4. Defender for Endpoint Plan 2 Device — Deduction: 20 points
What it is: Microsoft Defender for Endpoint (MDE) Plan 2 is the full enterprise EDR (Endpoint Detection and Response) solution — it includes advanced threat hunting, attack surface reduction, device investigation, and integration with Microsoft Sentinel. It's distinct from Defender for Business (for SMBs up to 300 seats) and Defender for Endpoint P1 (which is included with E3).
Why it blocks E3: MDE P2 is licensed per user, not per device. If a user's devices are onboarded to MDE P2 and you downgrade them to E3, the devices fall back to P1 coverage — losing EDR, advanced hunting, and 6-month data retention. For security-sensitive environments, this is often unacceptable.
How to remediate:
- Identify which users have devices enrolled in MDE P2
- Assess whether those users actually need P2 capabilities (most end users don't)
- If P2 is only needed for a subset of devices (e.g., admin workstations), consider using the standalone MDE P2 add-on for those users rather than keeping the full E5 license
5. Advanced Audit — Deduction: 10 points
What it is: Microsoft Purview Advanced Audit (formerly Advanced Audit in Microsoft 365) extends the standard audit log with 1-year retention (and optional 10-year retention with an add-on), high-bandwidth API access, and intelligent audit insights for incident investigations. It covers events like MailItemsAccessed, Send, and SearchQueryInitiatedExchange.
Why it blocks E3: Advanced Audit is an E5 Compliance feature. E3 includes standard audit logging (90-day retention, limited event set). If you have regulatory requirements — HIPAA, FedRAMP, FINRA, SEC — that mandate extended audit retention for specific users, downgrading those users breaks compliance.
How to remediate:
- Identify which users are subject to extended audit retention requirements
- Determine if those requirements can be met with the E5 Compliance add-on (rather than the full E5 license)
- Review your regulatory obligations to confirm the minimum retention period required
Understanding the Risk Scoring
M365 Assist uses a deterministic scoring system that starts each user at 100 and deducts points for each detected dependency:
| Dependency | Deduction |
|---|---|
| PIM active or eligible role | −40 |
| Risk-based CA policy in scope | −35 |
| eDiscovery Premium custodian | −30 |
| Defender for Endpoint P2 device | −20 |
| Advanced Audit requirement | −10 |
The final classification:
- Safe (≥80, zero dependencies) — Downgrade directly. No remediation needed.
- Safe with Remediation (≥50, some dependencies) — Remediable path exists. Address the dependency, then downgrade.
- Not Safe (score below 50) — Multiple blocking dependencies. Keep on E5.
- Requires Review — Signals are ambiguous or incomplete. Manual review needed.
Annual savings projections ($252/user/year) are shown only for Safe and Safe with Remediation users — because those are the ones you can actually act on.
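The scoring and classification rules above, worked through in Python as an added example (this is not M365 Assist's own code). The per-user signal flags, the convention that a missing signal is `None` and forces Requires Review, and the sample tenant are assumptions made for the example; the deductions, thresholds and the $252 figure are the article's.

```python
from dataclasses import dataclass
from typing import Optional
# Point deductions from the article's scoring table; every user starts at 100.
DEDUCTIONS = {"pim_role": 40, "risk_ca_policy": 35, "ediscovery_custodian": 30,
              "mde_p2_device": 20, "advanced_audit": 10}
ANNUAL_SAVINGS_PER_USER = 252  # E5 -> E3, USD per user per year

@dataclass
class UserSignals:
    # Per dependency: True = detected, False = checked and absent,
    # None = signal not collected (e.g. missing permission) -> Requires Review.
    user: str
    pim_role: Optional[bool] = False
    risk_ca_policy: Optional[bool] = False
    ediscovery_custodian: Optional[bool] = False
    mde_p2_device: Optional[bool] = False
    advanced_audit: Optional[bool] = False

def score_user(s):
    """Return (score, classification, dependencies, projected annual savings)."""
    flags = {k: getattr(s, k) for k in DEDUCTIONS}
    deps = [k for k, v in flags.items() if v]
    score = 100 - sum(DEDUCTIONS[k] for k in deps)  # only confirmed signals deduct
    if None in flags.values():
        cls = "Requires Review"  # incomplete signals are never auto-approved
    elif score >= 80 and not deps:
        cls = "Safe"
    elif score >= 50:
        cls = "Safe with Remediation"  # e.g. Advanced Audit alone scores 90 but lands here
    else:
        cls = "Not Safe"
    savings = ANNUAL_SAVINGS_PER_USER if cls in ("Safe", "Safe with Remediation") else 0
    return score, cls, deps, savings

def tenant_summary(users):
    """Counts per classification plus total savings for the actionable classes."""
    counts = {c: 0 for c in ("Safe", "Safe with Remediation", "Not Safe", "Requires Review")}
    total = 0
    for u in users:
        _, cls, _, savings = score_user(u)
        counts[cls] += 1
        total += savings
    return counts, total

# Constructed sample tenant (names and flags made up for this example).
SAMPLE = [UserSignals("alice"),
          UserSignals("bob", advanced_audit=True),
          UserSignals("carol", pim_role=True, risk_ca_policy=True),
          UserSignals("dave", mde_p2_device=True, ediscovery_custodian=None)]
```

Note that a user whose only dependency is Advanced Audit scores 90, above the Safe threshold, yet is classified Safe with Remediation because the Safe class requires zero dependencies.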
This article is for informational purposes only and does not constitute legal or financial advice. Microsoft product names, pricing, and licensing terms are subject to change. Verify all details against current Microsoft documentation and your specific agreement terms before making purchasing decisions.