Compliance Advisory: Microsoft 365 E5 → E7 Upgrade
Mixed-Tier Licensing: 300 E7 + 700 E5 (with Entra Suite)
Prepared: May 2026
Introduction
This advisory covers the key compliance considerations for a 1,000-user organisation moving 300 users from Microsoft 365 E5 to the new E7 Frontier Suite, while the remaining 700 users stay on E5 — optionally with the Microsoft Entra Suite add-on. It addresses two distinct scenarios:
- Scenario A: 300 users on E7, 700 users on E5 (baseline mixed-tier)
- Scenario B: 300 users on E7, 700 users on E5 + Entra Suite add-on
| Key finding: E7 does not replace E5 — it extends it with AI governance, Copilot, and the full Entra Suite. The compliance stack (Purview, Defender, Entra ID P2) is identical between tiers. The new compliance surface is AI agents and Copilot interactions. |
Section 1: What Changes Between E5 and E7
1.1 The Core Compliance Architecture
The security and compliance stack between E5 and E7 is identical. Every Purview, Defender, and Entra ID P2 capability in E5 carries over unchanged into E7. The difference is additive, not substitutive: E7 wraps E5 with three significant additions.
| E7 Addition | What It Does | Compliance Relevance |
| --- | --- | --- |
| Microsoft 365 Copilot | AI assistant embedded across Word, Excel, PowerPoint, Outlook, Teams | New auditable data surface: Copilot prompts, responses, and interactions subject to Purview retention and eDiscovery |
| Agent 365 | Governance and identity control plane for AI agents | Agents get Entra identities, Purview audit trails, Defender signals |
| Full Entra Suite | Extends Entra ID P2 with Zero Trust Network Access (ZTNA), Secure Web Gateway (web filtering), Identity Governance, enhanced identity risk detection across hybrid environments, and Face Check identity verification (via Entra Verified ID) | Stronger Zero Trust posture, automated lifecycle governance, consistent access risk signals |
From a compliance perspective, E7 primarily introduces new governance requirements for AI-driven activity while extending identity controls already present in E5, rather than fundamentally changing the underlying compliance architecture.
Reference: Microsoft Enterprise Security Plans
1.2 What the Entra Suite Adds Over Entra ID P2 (Already in E5)
Microsoft 365 E5 includes Microsoft Entra ID Plan 2 (P2), which provides Conditional Access, Privileged Identity Management (PIM), and core Identity Protection capabilities.
The Microsoft Entra Suite — included in E7 or available as an add-on — does not replace these capabilities. Instead, it extends identity security, access control, and governance beyond Entra ID P2, particularly in the areas of Zero Trust network access and lifecycle automation.
It introduces five additional capability areas:
- Microsoft Entra Private Access — Provides Zero Trust Network Access (ZTNA) to private applications, replacing traditional VPNs with identity-aware, Conditional Access-driven connectivity and continuous risk evaluation.
- Microsoft Entra Internet Access — Delivers a cloud-based Secure Web Gateway (SWG): web filtering, traffic inspection, and policy enforcement for internet-bound traffic via Microsoft's global network.
- Extended Identity Protection Coverage — Builds on Entra ID P2 by enhancing identity risk signals and detection coverage, including broader integration across hybrid environments (e.g. on-premises Active Directory and Microsoft security signals). This is an extension of existing Identity Protection, not a separate product.
- Entra ID Governance — Adds automated identity lifecycle management (joiner–mover–leaver), access reviews, entitlement management, and policy-driven controls to prevent over-permissioning and enforce least privilege at scale.
- Face Check with Entra Verified ID — Enables high-assurance identity verification using facial matching via Microsoft Authenticator, supporting scenarios such as onboarding, step-up authentication, and sensitive access requests.
Section 2: Scenario A — 300 E7 + 700 E5 (Baseline Mixed-Tier)
2.1 AI Governance and Agent 365
Agent 365 is the most significant new compliance surface in E7. It is not included in E5 but can be added as an add-on licence.
- Agent 365 introduces a more explicit governance model for AI agents as first-class entities, rather than relying solely on the controls applied to the underlying user or service principal.
- AI agents operate at machine speed, accessing data and invoking tools autonomously. While these activities remain subject to existing Entra ID, Purview, and Defender controls, they introduce new governance challenges due to their scale, autonomy, and persistence.
- A critical policy question arises: can E5 users (without Agent 365) consume or trigger agents built by E7 users? If so, their interactions lack a dedicated governance layer for managing AI agents with lifecycle control, policy enforcement, and centralised visibility.
| Action required: Define and document a policy governing which users can interact with AI agents, and how agent-triggered activity by non-E7 users is audited. |
Reference: Microsoft Agent 365 Licensing FAQ
2.2 Copilot Data, Retention and eDiscovery Asymmetry
The 300 E7 users generate Copilot interaction data (prompts, responses, and agent actions) that does not exist for E5 users. This creates a structural asymmetry in your compliance data landscape:
- Copilot interactions (prompts and responses) are captured and made available for Purview retention, audit, and eDiscovery — but only for E7 users. Legal hold strategies must explicitly account for this split.
- In regulated industries (financial services, healthcare, legal), consistency of data capture is itself a compliance requirement. A two-tier eDiscovery scope requires documented justification.
- Copilot-generated content shared from E7 users into shared workspaces (SharePoint, Teams channels) is accessible to E5 users — ensure DLP policies are configured to inspect this content regardless of which tier produced it.
Copilot does not introduce new data access pathways: it returns only content the requesting user is already permitted to read. What it changes is discoverability, surfacing content the user could always open but would rarely have found. As a result, over-permissioned data estates (broadly shared SharePoint sites, "Everyone except external users" links, stale group memberships) become a compliance risk multiplier, particularly where E7 users surface sensitive content to broader audiences.
Reference: Microsoft 365 Compliance Licensing Comparison
2.3 Identity Posture Asymmetry
In Scenario A, the 700 E5 users have Entra ID P2 (Conditional Access, PIM, Identity Protection) but lack the five additional Entra Suite capabilities available to the 300 E7 users. This creates a split Zero Trust posture:
- E7 users access on-premises applications via Entra Private Access (ZTNA). E5 users may still rely on legacy VPN or less granular access controls — a material inconsistency for Zero Trust frameworks.
- Entra ID Governance lifecycle automation applies only to E7 users. The JML process for 700 users remains more manual or reliant on existing tooling.
- Identity risk signals from E5 users are less rich, potentially creating blind spots in Sentinel or your SIEM/XDR correlation rules.
Audit log completeness should also be reviewed to confirm that Copilot interactions and agent activity are consistently captured, retained, and accessible for investigation across licence tiers, including any activity attributed to E5 users who interact with agents built by E7 users.
| Key risk: Auditors and regulators evaluating Zero Trust compliance expect consistent access controls across populations. A documented rationale for the split posture is essential. |
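The audit completeness review above is easiest to do against real records. The following is an added example, not part of the advisory or of any Microsoft tooling: it pulls Copilot interaction records from the unified audit log with Exchange Online PowerShell and compares the actors against the E7 cohort, so that any Copilot activity attributed to a user outside that cohort (an unplanned licence assignment, or an E5 user consuming an E7 user's agent) is surfaced for investigation. Assumptions: the ExchangeOnlineManagement module is installed, the caller holds a role that can read the audit log, and `E7Users.csv` is an export with a `UPN` column (for example from the licence reconciliation described in Section 2.5). `CopilotInteraction` is the unified audit log record type Microsoft uses for Copilot activity; the `CopilotEventData.AppHost` field is treated as optional and is an assumption about the record schema.

```powershell
# Added example (not from the advisory): Copilot audit-log coverage check against the E7 cohort.
#Requires -Modules ExchangeOnlineManagement

Connect-ExchangeOnline -ShowBanner:$false

# ASSUMPTION: E7Users.csv has a UPN column listing every user licensed for E7
$e7Users = (Import-Csv '.\E7Users.csv').UPN | ForEach-Object { $_.ToLowerInvariant() }
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$session = "copilot-coverage-$([guid]::NewGuid())"

# Page through the audit log. ReturnLargeSet keeps returning the next batch for the
# same SessionId until nothing is left (up to 50,000 records per session).
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -ResultSize 5000 `
        -SessionId $session -SessionCommand ReturnLargeSet
    $records += $page
} while ($page.Count -gt 0)

$events = foreach ($r in $records) {
    $d     = $r.AuditData | ConvertFrom-Json
    $actor = ([string]$d.UserId).ToLowerInvariant()   # guard against records with no UserId
    [pscustomobject]@{
        Time    = $r.CreationDate
        Actor   = $actor
        Op      = $d.Operation
        AppHost = $d.CopilotEventData.AppHost          # ASSUMPTION: present for app-hosted Copilot
        InE7    = $e7Users -contains $actor
    }
}

$outside = @($events | Where-Object { -not $_.InE7 })

"Copilot interaction records (last 7 days): $(@($events).Count)"
"From E7 cohort:                            $(@($events | Where-Object InE7).Count)"
"Outside E7 cohort (investigate):           $($outside.Count)"

# Who outside the cohort is generating Copilot records, and through which host
$outside | Group-Object Actor, AppHost | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Keep the evidence with the compliance record for the review
$events | Export-Csv -Path ".\copilot-coverage-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run this on a schedule that matches the audit retention you configured in Purview; a non-empty "outside E7 cohort" count is the concrete trigger for the cross-tier agent interaction policy in Section 2.1, because it shows that Copilot-attributed activity is already being generated by users the eDiscovery scope does not cover.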
2.4 Mixed-Tier Purview Policy Consistency
Purview compliance policies operate at the tenant level but their scope and enforcement can be affected by licence differences:
- Sensitivity labels and DLP policies apply across the tenant, but label-aware agent data security (label honouring, label inheritance on agent output, agent-driven DLP) has its own licence prerequisites (E3/E5 or above) for the users whose data the agent is grounded on. Check those prerequisites per feature rather than assuming uniform coverage from the tenant-wide policy.
- Communication Compliance and Insider Risk Management policies should be reviewed to confirm they capture relevant signals from both E7 and E5 users consistently. AI-assisted content generation and summarisation may alter user behaviour patterns, which should be considered in Insider Risk Management policies and alert tuning.
- Retention policies should be extended to cover Copilot interaction history for E7 users, clearly scoped by licence assignment.
2.5 Licence Assignment Policy and EA True-Up
Mixed-tier deployments introduce an ongoing governance obligation that is often underestimated:
- A documented licence assignment policy must map job function to tier, defining the criteria for E7 vs E5 assignment. Without this, tier creep occurs — managers request E7 for their teams and cost savings erode within 6–12 months.
- Microsoft Enterprise Agreements require an annual True-Up. Mixed-tier deployments require per-tier usage data, not just total M365 user count. Tooling to track this accurately is required from day one.
- The JML process should trigger automatic licence tier review when roles change, supported by Entra ID Governance entitlement management policies.
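Per-tier tracking does not need bespoke tooling to start; the Microsoft Graph PowerShell SDK can produce the True-Up numbers and the policy exceptions in one pass. The script below is an added example, not part of the advisory or of any Microsoft product: it reports purchased versus consumed units per tier, lists users holding both E5 and E7 (double-paying, since E7 extends E5), flags E7 holders whose accounts are disabled (a leaver the JML process missed), and flags E7 holders whose job title is not on the approved list. The E7 SKU part number and the approved-title list are assumptions; confirm the SKU with `Get-MgSubscribedSku` in your own tenant and replace the titles with the ones from your licence assignment policy.

```powershell
# Added example (not from the advisory): per-tier licence reconciliation for EA True-Up
# and licence assignment policy enforcement, using the Microsoft Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' -NoWelcome

$TierSkus = @{
    E5 = 'SPE_E5'           # Microsoft 365 E5 SKU part number
    E7 = 'Microsoft_365_E7' # ASSUMPTION: verify with Get-MgSubscribedSku | Select-Object SkuPartNumber
}
# ASSUMPTION: job titles approved for E7 under the licence assignment policy
$E7ApprovedTitles = @('Data Scientist', 'Solutions Architect', 'Product Manager')

# Resolve SKU part numbers to SkuIds and produce the per-tier True-Up summary
$skus        = Get-MgSubscribedSku -All
$skuIdByTier = @{}
$tierSummary = foreach ($tier in $TierSkus.Keys) {
    $sku = $skus | Where-Object SkuPartNumber -eq $TierSkus[$tier]
    if (-not $sku) { throw "SKU '$($TierSkus[$tier])' not found in tenant; fix `$TierSkus" }
    $skuIdByTier[$tier] = $sku.SkuId
    [pscustomobject]@{
        Tier      = $tier
        Purchased = $sku.PrepaidUnits.Enabled
        Consumed  = $sku.ConsumedUnits
        Headroom  = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    }
}

# One row per user with the tier flags the policy cares about
$users  = Get-MgUser -All -Property Id,UserPrincipalName,JobTitle,Department,AccountEnabled,AssignedLicenses
$report = foreach ($u in $users) {
    $ids = @($u.AssignedLicenses.SkuId)
    [pscustomobject]@{
        UPN        = $u.UserPrincipalName
        JobTitle   = $u.JobTitle
        Department = $u.Department
        Enabled    = $u.AccountEnabled
        HasE5      = $ids -contains $skuIdByTier.E5
        HasE7      = $ids -contains $skuIdByTier.E7
    }
}

# Findings: each one is either a True-Up cost or a policy exception to document
$bothTiers     = @($report | Where-Object { $_.HasE5 -and $_.HasE7 })
$disabledE7    = @($report | Where-Object { $_.HasE7 -and -not $_.Enabled })
$e7OutOfPolicy = @($report | Where-Object { $_.HasE7 -and $_.JobTitle -notin $E7ApprovedTitles })

$tierSummary | Format-Table -AutoSize
"E7 holders: $(@($report | Where-Object HasE7).Count)   E5-only holders: $(@($report | Where-Object { $_.HasE5 -and -not $_.HasE7 }).Count)"
"Users holding both tiers (double-paying): $($bothTiers.Count)";        $bothTiers     | Format-Table UPN, Department -AutoSize
"Disabled accounts still holding E7:       $($disabledE7.Count)";       $disabledE7    | Format-Table UPN, Department -AutoSize
"E7 holders outside approved job titles:   $($e7OutOfPolicy.Count)";    $e7OutOfPolicy | Format-Table UPN, JobTitle, Department -AutoSize

# Dated export so successive runs can be compared for tier creep
$report | Export-Csv -Path ".\licence-tiers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it monthly and diff the exports: a rising E7 count with a flat approved-title population is the tier creep the policy is meant to prevent, and the "outside approved job titles" list is the input for the quarterly access review.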
Section 3: Scenario B — 300 E7 + 700 E5 + Entra Suite
3.1 What the Entra Suite Add-On Resolves
Adding the Entra Suite to the 700 E5 users substantially closes the identity governance gap from Scenario A. The result is identity parity across all 1,000 users.
| Compliance Risk Area | Scenario A (E5 only) | Scenario B (E5 + Entra Suite) |
| --- | --- | --- |
| Zero Trust network access consistency | ❌ Split posture | ✅ Uniform across all 1,000 users |
| Identity lifecycle governance (JML) | ❌ Split — E7 users only automated | ✅ Uniform across all 1,000 users |
| Conditional Access risk signal coherence | ⚠️ Inconsistent telemetry | ✅ Consistent across tenant |
| Audit trail coherence (SIEM/Sentinel) | ⚠️ Partial — lower-fidelity E5 signals | ✅ Full-fidelity across tenant |
| Agent 365 governance | ❌ E7 users only | ❌ E7 users only (unchanged) |
| Copilot eDiscovery scope | ❌ E7 users only | ❌ E7 users only (unchanged) |
| Over-permissioning prevention | ❌ E7 users only | ✅ Entitlement management for all |
3.2 What the Entra Suite Does Not Resolve
The Entra Suite add-on significantly strengthens the identity posture, but two fundamental compliance gaps from Scenario A remain unresolved:
Agent 365 Governance Remains E7-Only
The 700 E5+Entra users have no agent governance framework. Agent 365 is not included in E5 and cannot be unlocked by the Entra Suite add-on. If E5 users interact with or trigger AI agents deployed by E7 users, that activity remains ungoverned on their side.
| If the organisation’s AI strategy expands beyond the initial 300 E7 users, Agent 365 will need to be added as a standalone or users will need to step up to E7. |
Copilot eDiscovery and Retention Asymmetry Remains
In this scenario, only E7 users generate Copilot interaction data. The addition of the Entra Suite to E5 users does not change this. Legal teams, compliance officers, and eDiscovery workflows must continue to account for the two-tier data landscape explicitly. Copilot interactions are governed by the same Purview compliance framework (retention, eDiscovery, audit) but introduce new considerations around completeness and consistency of captured user activity.
3.3 Why Scenario B Is the Stronger Compliance Posture
Adding the Entra Suite to E5 users addresses the most structurally significant gap in a mixed-tier deployment: inconsistent identity governance. Regulators and auditors evaluating Zero Trust, ISO 27001, Cyber Essentials Plus, or NIST alignment expect:
- Consistent access controls and network security policies across all user populations — Entra Private Access and Internet Access deliver this.
- Auditable identity lifecycle management for all users — Entra ID Governance delivers this via automated JML workflows.
- Coherent risk telemetry feeding into SIEM and incident response — extended Entra ID Protection delivers this for hybrid environments.
Scenario B means your 700 E5 users are governed as well-managed human identities, with a Zero Trust access posture equivalent to your E7 users. The remaining gap is AI-specific: agent governance and Copilot data capture. These are new compliance domains that require separate planning regardless of which scenario is chosen.
Section 4: Recommended Compliance Actions
4.1 Immediate Actions (Pre-Deployment)
- Document the licence assignment policy: map each job function to E7 or E5, with explicit tier criteria and a JML trigger process.
- Review and extend Purview retention policies to cover Copilot interaction history for E7 users, scoped by licence assignment.
- Define agent interaction policy: which users can consume or trigger AI agents, and how cross-tier agent interactions are audited.
- Confirm Copilot data residency meets GDPR, UK DPA, and any sector-specific obligations (FCA, ICO, etc.) before enabling for E7 users.
4.2 Ongoing Governance
- Implement per-tier licence tracking tooling to support EA True-Up with accurate E7 vs E5 usage data.
- Run quarterly access reviews via Entra ID Governance (Scenario B) to prevent licence tier creep and over-permissioning.
- Update eDiscovery runbooks to include Copilot interaction history as a distinct data type in scope for E7 users.
- Review DLP and Communication Compliance policies to confirm they inspect Copilot-generated content shared into the wider tenant.
4.3 Strategic Planning
- Monitor AI agent adoption among E7 users. If agent usage grows, evaluate whether E5 users interacting with agents require Agent 365 licences.
- Track Microsoft’s E5 roadmap: Security Copilot (400 SCUs per 1,000 licences) is being added to E5 from April–June 2026, and the Intune Suite is being included from July 2026. These reduce the gap between tiers.
- Revisit the E7 cohort definition at each EA renewal cycle against actual Copilot and agent adoption data.
Reference: Why E7 Is More Than Licensing — Directions on Microsoft
| This document reflects publicly available information as of May 2026. Microsoft pricing, feature availability, and licensing terms are subject to change. |