E5 shelfware is the security and compliance capability you bought and never turned on. This guide shows how to measure it, which features sit idle most, and how to reclaim the spend.
E5 shelfware is the advanced security, compliance, and analytics value inside Microsoft 365 E5 that an organisation pays for but never configures or adopts.
The E5 business case usually rests on capabilities the estate then leaves switched off.
This guide shows how to measure the gap, which features sit idle most, and how to convert shelfware back into budget.
Shelfware is capability you have licensed but never put into production. With E5 it is rarely the apps and almost always the advanced security and compliance stack.
The full set of E5-only capabilities is listed on the Microsoft 365 E5 Security page and across the Microsoft Defender XDR documentation. The compliance scope sits in the Microsoft Purview documentation.
Licences show as assigned, so finance sees full utilisation. Only adoption telemetry reveals that the capability was never switched on.
Measure deployment, not assignment. A seat with an E5 licence and no active advanced features is shelfware regardless of how the licence report reads.
Assignment versus adoption, the shelfware signal
| E5 capability | Assignment signal | Adoption signal |
|---|---|---|
| Defender for Endpoint P2 | Licence assigned | Devices onboarded and alerting |
| Defender for Identity | Licence assigned | Sensors on domain controllers |
| Purview eDiscovery | Licence assigned | Cases and holds in use |
| Power BI Pro | Licence assigned | Active reports published |
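The comparison in the table can be run as a join between licence assignment and adoption signals. The sketch below is an added example, not code from the original page or from Microsoft tooling. The inventory, the signal key names, the split between per-seat and tenant-wide signals, and the premium figure are all constructed assumptions.

```python
from collections import Counter

# Capability -> (scope, adoption signal), following the table above.
# The seat/tenant scope split and the signal key names are assumptions.
CAPABILITIES = {
    "Defender for Endpoint P2": ("seat", "devices_onboarded"),
    "Defender for Identity": ("tenant", "dc_sensors"),
    "Purview eDiscovery": ("tenant", "cases_and_holds"),
    "Power BI Pro": ("seat", "reports_published"),
}

# Constructed sample data, not a real Microsoft export format.
TENANT = {"dc_sensors": 0, "cases_and_holds": 0}
SEATS = [
    {"user": "a.lee", "sku": "E5", "signals": {"devices_onboarded": 2, "reports_published": 5}},
    {"user": "b.kaur", "sku": "E5", "signals": {}},
    {"user": "c.ortiz", "sku": "E5", "signals": {"devices_onboarded": 1}},
    {"user": "d.novak", "sku": "E3", "signals": {}},
    {"user": "e.wang", "sku": "E5", "signals": {"reports_published": 0}},
]

def active_capabilities(seat, tenant):
    """Return the capabilities showing a non-zero adoption signal for this seat."""
    active = set()
    for name, (scope, key) in CAPABILITIES.items():
        source = tenant if scope == "tenant" else seat["signals"]
        if source.get(key, 0) > 0:
            active.add(name)
    return active

def shelfware_report(seats, tenant, premium_per_seat):
    """Flag E5 seats with no active advanced feature and count idle seats per capability."""
    idle_seats, idle_by_capability = [], Counter()
    for seat in seats:
        if seat["sku"] != "E5":
            continue  # assignment is only the filter; adoption is what gets measured
        active = active_capabilities(seat, tenant)
        idle_by_capability.update(set(CAPABILITIES) - active)
        if not active:
            idle_seats.append(seat["user"])
    return idle_seats, dict(idle_by_capability), len(idle_seats) * premium_per_seat

if __name__ == "__main__":
    # premium_per_seat is a constructed placeholder, not a real price.
    seats, per_capability, idle_spend = shelfware_report(SEATS, TENANT, premium_per_seat=20.0)
    print("Shelfware seats:", seats)
    print("Idle seats per capability:", per_capability)
    print("Idle premium per month:", idle_spend)
```

A seat with a signal present but equal to zero is treated the same as a seat with no signal, since neither shows the capability in use.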
You have two honest routes. Drive adoption so the capability earns its cost, or right-size the seat down to E3 plus only the add-ons it uses.
If the security value is real, deploy it. An unconfigured Defender tenant is both wasted spend and an open risk, so adoption fixes two problems at once.
Where a seat will never use the E5 stack, move it to E3 and attach standalone add-ons only as needed. Confirm the downgrade rules in the Microsoft Product Terms before the renewal.
The common advice is to keep E5 everywhere because you might deploy the security features later. We disagree. In roughly 22 of the 30 estates we audited, later never arrived, and the idle Defender and Purview entitlements were both wasted budget and an unmonitored risk surface. The buyer-side move is to set a deployment deadline at the seat level, then right-size any seat that misses it down to E3 plus targeted add-ons. Holding a security capability you never configure does not make you safer. It makes you poorer and gives a false sense of coverage, which is worse than not owning it.
E5 shelfware is the advanced security, compliance, and analytics capability inside Microsoft 365 E5 that you pay for but never configure or adopt. It is a deployment gap, not a discount issue.
Defender for Identity, Purview insider risk and eDiscovery, and advanced voice are the most common idle entitlements. They are licensed but frequently never switched on.
Measure adoption, not assignment. Use the admin centre usage reports and Defender deployment data to flag every E5-only feature with no active signal, then attach the per-seat premium.
Licences show as assigned, so utilisation looks complete. Only adoption telemetry reveals that the advanced capability was never deployed in the tenant.
Either drive adoption so the capability earns its cost, or right-size the seat to E3 plus only the add-ons it uses. Both convert idle entitlement back into budget or security value.
Yes. An unconfigured Defender or Purview deployment is wasted spend and an unmonitored risk surface, so adoption fixes both problems at once.
Yes, subject to the Microsoft Product Terms. Right-sizing seats that will never use the E5 stack is a legitimate and common renewal move.
Before every renewal. A shelfware review is the cheapest cost lever an estate has, because it releases spend on capability that was never used.
Source: Redress Compliance advisory engagement file, 2024 to 2025.