Microsoft Purview Licensing Explained: E3 vs E5 vs Add-Ons

If you’re an IT pro in a small or mid-sized business, you’re probably wearing three hats at once: securing SharePoint, rolling out Copilot responsibly, and keeping legal/regulatory stakeholders happy without going over budget. The catch is that “Purview” isn’t one product; it’s a family of data security, compliance, and governance capabilities whose entitlements vary by license.

This blog breaks down the differences between E3, E5, and E5 add-ons for Microsoft Purview, so you can confidently select the right solution to secure SharePoint, deploy Copilot responsibly, and meet legal and regulatory requirements, without overspending.

You’ll discover which features are included in each tier, hidden costs to watch for, and practical advice for optimizing compliance and data governance in your Microsoft 365 environment.

Why Purview Licensing Matters More When You Run SharePoint and Copilot

Two realities make licensing decisions material for SMBs.

1. Copilot respects your data security and compliance configuration:

• Sensitivity labels control what Copilot can read and summarize.
• Users need EXTRACT and VIEW rights for Copilot to summarize labeled content.
• SharePoint/OneDrive access policies further limit exposure.

2. Purview adds Copilot-specific policy surfaces:

• DLP rules can be applied directly to Copilot’s prompt/response pipeline to prevent labeled content from being used in summaries, while still allowing citations.
• Retain and audit Copilot interactions with the right licenses.

These levers sit across E3, E5, and add‑ons; the rest of this article maps what’s included, what’s missing, and when to step up.

Copilot‑Specific Licensing Nuances You Should Know

Two areas trip teams up during Copilot deployments.

DLP and Copilot:

• Write DLP policies specifically for Microsoft 365 Copilot.
• Example: Prevent Copilot from summarizing files with “Highly Confidential” labels but allow citations.

Retention & Audit for Copilot interactions:

• Retain versions of documents shared in Copilot interactions.
• Audit (Premium) coverage for Copilot requires E5 + Copilot or E3 + E5 Compliance + Copilot.

Practical Examples tied to SharePoint and Copilot

Scenario A: “Default label” libraries + Copilot guardrails

• Set default sensitivity label at SharePoint library.
• Apply Copilot DLP rule to prevent summarizing “Highly Confidential” file, while still allowing users to find and cite the file.
• E5 or E5 Compliance/IP&G enables scalable labeling and auto-labeling.

Scenario B: “Chatty Teams” finance channel

• E3 DLP does not cover Teams chat content.
• Add E5 Compliance for DLP in Teams chat and Endpoint DLP to curb clipboard/print/USB exfiltration.
• Use Audit (Premium) for 1-year retention of high-value audit events.

Scenario C: “We litigate a few cases a year.”

• E3 covers basic legal workflows.
• Add E5 eDiscovery & Audit for advanced case management.
• Move to E5 Compliance for Copilot interaction audit trails.

Overview of Microsoft Purview Capabilities and Licensing Tiers

Microsoft Purview unifies Information Protection (sensitivity labels and encryption), Data Loss Prevention, Audit, eDiscovery, Records/Data Lifecycle Management, Insider Risk Management, Communication Compliance, and more. Some foundational features live in E3 (and Business Premium), while advanced automation and analytics arrive with E5 or specific E5 add‑ons. The official Purview service description is the primary reference Microsoft keeps current.

E3: The “Secure‑by‑Default” Baseline for SMBs

Most SMBs start at Microsoft 365 E3 (or Business Premium under 300 users). With E3 you can:

• Label and protect content manually in Office apps and SharePoint/OneDrive; this is widely available across suites, including Business Premium.
• Use core DLP in Exchange, SharePoint, and OneDrive to detect and block oversharing of sensitive data. Microsoft’s service description lists E3 (and Business Premium) as eligible for core DLP coverage.
• Run Audit (Standard) and search audit logs for 180 days (Standard was extended from 90 to 180 days). For longer forensic windows or high‑value events, you’ll need Audit (Premium).
• Use eDiscovery (Standard) for cases, legal hold, and export. Premium analytics and review sets require a higher SKU.
• Not included in E3: Automatic sensitivity labeling, Endpoint DLP, DLP for Teams chat, Insider Risk Management, Communication Compliance, Audit (Premium).

E5: The “All‑in” Compliance and Risk Bundle

Microsoft 365 E5 wraps in the advanced compliance estate:

• Automatic sensitivity labeling in clients and services, default labeling for SharePoint libraries, dynamic watermarking, and authentication‑context protections. This is where labeling does the heavy lifting at scale.
• Endpoint DLP to control data‑in‑use on Windows/macOS devices.
• DLP for Teams chat messages, which is separate from file DLP.
• Audit (Premium) with a default 1‑year retention for Exchange, SharePoint/OneDrive, and Entra (Azure AD) audit records, and the option to extend via retention policies. It also unlocks high‑value events like Mail Items Accessed for investigations.
• eDiscovery (Premium) with custodian management, review sets, analytics, and predictive coding.
• Insider Risk Management and Communication Compliance for policy‑driven risk detection and supervisory review.

If you want “one answer” without fine‑grained licensing, E5 is the simplest, but for SMBs, add‑ons often make more sense.

E5 Add‑ons: Targeted Upgrades for E3 Tenants

If you’re on E3 and don’t want the full E5 suite, Microsoft offers modular add‑ons. Here’s what they do in practice for SharePoint/Copilot administrators:

• E5 Compliance (add‑on to E3). Adds automatic labeling, Endpoint DLP, Teams chat DLP, eDiscovery Premium, Audit Premium, Insider Risk, Communication Compliance, Customer Lockbox/Key, and more. Delivers E5 compliance features without E5 security.
• E5 eDiscovery & Audit (add‑on to E3). Includes eDiscovery Premium and Audit Premium for litigation/investigations. Does not cover Insider Risk, Communication Compliance, Endpoint DLP, or Teams chat DLP. Audit Premium for Copilot interactions is excluded.
• E5 Information Protection & Governance (add‑on to E3). Focuses on label automation and advanced information protection. Offers auto-labeling and related capabilities, but excludes eDiscovery Premium and Insider Risk.
• E5 Insider Risk Management (add‑on to E3). Provides targeted insider risk policies and case management for organizations needing focused risk controls.

Feature Comparison: What’s Included in E3, E5, and Add-Ons

‍

• Sensitivity Labels and Encryption:

Manual labeling is available in E3 and Business Premium. Automatic labeling, default library labels, dynamic watermarking, and authentication context require E5 or E5 Compliance/E5 Information Protection & Governance add-ons. These features control what Microsoft Copilot can access and summarize.

• Data Loss Prevention (DLP) Across Workloads:

E3 enforces DLP in Exchange, SharePoint, and OneDrive, covering files shared in Teams. For DLP on Teams chat messages and Endpoint DLP (blocking printing, clipboard, USB, browser uploads), upgrade to E5 or E5 Compliance.

• Audit:

Audit Standard in E3 offers 180-day searchable history. Audit Premium (in E5 or E5 Compliance) extends coverage to 1 year for Exchange, SharePoint, and Entra, adds premium events, and custom retention policies. For Copilot, Audit Premium coverage requires E5 + Copilot or E5 Compliance + Copilot.

• eDiscovery:

E3 provides eDiscovery Standard for cases, holds, searches, and export. eDiscovery Premium (in E5, E5 Compliance, or E5 eDiscovery & Audit add-on) adds custodian workflow, review sets, analytics, and predictive coding.

• Insider Risk Management & Communication Compliance:

Included in E5 and E5 Compliance add-on; not available in E5 eDiscovery & Audit add-on. Insider Risk Management is also sold as a standalone add-on.

• Records and retention:

E3 supports core retention policies and labels. Advanced retention features auto-apply with trainable classifiers, priority cleanup, and file-plan management are in E5 or E5 Compliance/E5 Information Protection & Governance add-ons. Adaptive scopes for Copilot interaction retention require these SKUs.

Cost Considerations and Common Pitfalls

Hidden Costs and “Gotchas” to Avoid

• License Requirements:

Every user benefiting from Microsoft Purview services needs the correct license, including SharePoint site owners/members and Microsoft 365 Group owners/members. Shared/resource mailboxes and role holders (e.g., Records Managers) also require licensing.

• Teams Chat vs. Teams Files:

DLP in E3 protects files shared in Teams (stored in SharePoint/OneDrive), but does not inspect Teams chat messages. DLP for Teams chat requires E5 or E5 Compliance. Misconfiguring this is a common mistake.

• Graph Metering for Teams APIs:

Microsoft ended metering for Teams APIs on August 25, 2025, eliminating extra consumption fees. Licensing for Microsoft Communications DLP is still required when using the security/compliance model.

• Copilot Analytics in Communication Compliance and Audit:

Prompt/response analysis in Communication Compliance and Premium audit coverage for Copilot interactions are available only in E5 or E5 Compliance, not in the narrower E5 eDiscovery & Audit add-on. Always verify Copilot governance needs against your chosen add-on.

Decision Guide for SMBs

• E3/Business Premium for Basic Guardrails:

For 50–300 user tenants, E3 or Business Premium supports manual sensitivity labels, Exchange/SharePoint/OneDrive DLP, core retention, and Audit Standard. Copilot DLP rules keep sensitive content out of summaries, and Copilot honors label encryption and access controls, ideal for organizations with modest compliance needs.

• Upgrade to E5 Compliance for Advanced Controls:

If you need endpoint controls, Teams chat DLP, auto-labeling at scale, or 1-year audit, add E5 Compliance to E3. This delivers Insider Risk Management and Communication Compliance without the full E5 security stack.

• E5 eDiscovery & Audit for Litigation:

For litigation-focused needs, E5 eDiscovery & Audit add-on provides targeted eDiscovery Premium and Audit Premium. Note: Copilot interaction audit and risk/communication features are not included.

• Full E5 for Comprehensive Coverage:

If you prefer simplicity or need E5 security (Defender XDR, Entra P2), choose full E5 for all compliance and security features.

Implementation and Next Steps

• Assess Copilot and SharePoint Risks:

Identify where Copilot summaries could pose risks, which SharePoint sites need default sensitivity labels, who requires 1-year audit, and if Teams chat inspection is necessary.

• Choose the Right Upgrade:

If advanced controls are needed, consider E5 Compliance on top of E3. For litigation-only needs, E5 eDiscovery & Audit is a precise fit. For scalable governance and AI readiness, E5 Information Protection & Governance adds automation without expanding your discovery footprint.

• Bookmark Key Microsoft Resources:

Regularly consult Microsoft Learn’s security & compliance licensing guidance and the Purview service description for up-to-date information.

Frequently Asked Questions

Does Business Premium include any Purview capabilities?

Yes. Business Premium supports manual sensitivity labeling and core DLP in Exchange/SharePoint/OneDrive, useful for SMBs under 300 seats. For automatic labeling, Endpoint DLP, Teams chat DLP, Insider Risk, Communication Compliance, and Audit (Premium), you step up to E5 or the relevant add‑ons described above. The Purview service description is your single source of truth.

What’s the difference between E5 Compliance and the E5 eDiscovery & Audit add‑on?

E5 Compliance is the broad bundle that includes advanced labeling/DLP, Insider Risk, Communication Compliance, eDiscovery (Premium), and Audit (Premium). The E5 eDiscovery & Audit add‑on is narrower, eDiscovery (Premium) + Audit (Premium), and notably doesn’t include Insider Risk, Communication Compliance, Endpoint DLP, or DLP for Teams chat; its Audit (Premium) also doesn’t add coverage for Copilot interactions.

Who needs a license when I apply retention to SharePoint?

Owners and members of sites targeted by retention policies/label policies require appropriate licenses; visitors do not. Group owners/members are in scope for policies that target Microsoft 365 Groups. Certain features also require licensing of shared/resource mailboxes.

How does Copilot interact with sensitivity labels?

Copilot enforces label encryption and rights. If a user doesn’t have permission to VIEW/EXTRACT from a labeled file, Copilot can’t summarize it. You can also use Purview DLP’s Microsoft 365 Copilot location to exclude labeled content from being used in responses, while permitting citations.

Are Teams compliance APIs still metered?

Microsoft ended metering for the listed Teams APIs on August 25, 2025. If you previously budgeted for Graph consumption to capture Teams chat for compliance, remove that cost line, but maintain the required Communications DLP license posture if you’re using the security/compliance model.