Microsoft E5 Shelfware:
You’re Paying for 62 Products and Using 7
The upgrade from E3 to E5 is Microsoft’s most profitable upsell — and most enterprises cannot justify the ROI. This paper provides a shelfware audit methodology, quantifies the typical waste in E5 deployments across 200+ enterprise benchmarks, and presents three alternative licensing architectures that deliver the security and compliance features you actually need at 30–45% less cost.
Executive Summary
Microsoft 365 E5 is a 62-product bundle priced at approximately $57 per user per month. The E3-to-E5 upgrade adds roughly $20 per user per month — a 54% cost increase. For a 10,000-user organisation, this represents $2.4M in additional annual spend. The question every CFO should ask is simple: are you using enough of those 62 products to justify the premium?
Key Findings
Anatomy of the Microsoft 365 E5 Bundle
Microsoft 365 E5 bundles productivity, security, compliance, analytics, and voice capabilities into a single per-user subscription. Understanding what E5 includes — and what E3 already provides — is the prerequisite for any shelfware assessment.
What E3 Already Includes. Microsoft 365 E3 provides the core productivity and security stack that the vast majority of enterprise users require: Office desktop applications (Word, Excel, PowerPoint, Outlook), Exchange Online, SharePoint Online, OneDrive, Teams, Azure AD Premium P1 (Entra ID P1), Microsoft Intune, Azure Information Protection P1, Data Loss Prevention (basic), and Windows Enterprise E3. E3 is a comprehensive enterprise platform that satisfies the productivity and baseline security requirements of 80–90% of enterprise users.
What E5 Adds. The E5 premium adds approximately 30 products and features across four capability categories. Security: Microsoft Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, Azure AD Premium P2 (Entra ID P2), and Microsoft Sentinel (limited). Compliance: Microsoft Purview Advanced Compliance, Advanced eDiscovery, Insider Risk Management, Communication Compliance, Information Barriers, and Customer Lockbox. Analytics: Power BI Pro (now included in E3 as well in many agreements), Viva Insights, and MyAnalytics. Voice: Phone System and Audio Conferencing. The critical question is not whether these features have value — they do — but whether your organisation deploys them at sufficient scale to justify paying the E5 premium for every user.
| Capability Category | E3 Included | E5 Premium (Additional) | Standalone Add-On Price |
|---|---|---|---|
| Identity & Access | Entra ID P1 (Conditional Access, MFA) | Entra ID P2 (PIM, Identity Protection, Access Reviews) | $9/user/mo |
| Endpoint Security | Microsoft Intune, Windows E3 | Defender for Endpoint P2, Windows E5 | $5.20/user/mo (MDE P2) |
| Email Security | Exchange Online Protection | Defender for Office 365 P2 | $5/user/mo |
| Cloud App Security | Basic MCAS discovery | Defender for Cloud Apps (full CASB) | $3.50/user/mo |
| Information Protection | AIP P1, Basic DLP | Advanced DLP, Auto-labelling, Exact Data Match | Included in Purview add-ons |
| Compliance | Basic retention, eDiscovery Standard | Advanced eDiscovery, Insider Risk, Communication Compliance | $12/user/mo (Purview bundle) |
| Voice | Teams (chat, meetings) | Phone System, Audio Conferencing | $8–$15/user/mo |
| Analytics | Basic usage analytics | Viva Insights, Power BI Pro | $6–$10/user/mo |
The E5 premium is approximately $20/user/month over E3. The standalone add-on cost of the three most commonly required E5 features (Defender for Endpoint P2 + Entra ID P2 + Defender for Office 365 P2) is approximately $19.20/user/month — but only for the users who actually need them. If only 30% of your workforce requires these capabilities, the add-on approach costs $5.76/user/month blended, versus $20/user/month for wall-to-wall E5. This is the shelfware gap.
The Shelfware Data: What 200+ Enterprises Revealed
Redress has conducted E5 shelfware assessments across 200+ enterprise organisations. The data reveals a consistent pattern: organisations purchase E5 for a narrow set of features and leave the majority of the bundle unused.
E5 Utilisation Benchmarks — Redress Assessment Data (200+ Enterprises)
actively used (of 62)
per E5 seat
alternative architectures
1–3 specific features
The Most-Used E5 Features. Across the benchmark population, seven E5-specific features account for the vast majority of actual utilisation: Microsoft Defender for Endpoint P2, Entra ID P2 (Privileged Identity Management and Identity Protection), Defender for Office 365 P2, Phone System, Audio Conferencing, Auto-labelling for sensitivity labels, and Advanced eDiscovery. Everything else in the E5 bundle is shelfware for the majority of organisations.
The Least-Used E5 Features. The following E5-specific capabilities show less than 10% active utilisation across the benchmark population: Communication Compliance, Information Barriers, Customer Lockbox, Advanced Message Encryption, Microsoft Viva Topics (now retired), MyAnalytics/Viva Insights (advanced), Defender for Identity (in organisations without on-premises AD), and Power BI Pro (in organisations with existing Power BI Premium capacity). These products are included in the E5 price but deliver zero value for most subscribers.
| E5 Feature Category | Utilisation Rate | Waste Classification | Standalone Alternative Cost |
|---|---|---|---|
| Defender for Endpoint P2 | 78% | Low waste | $5.20/user/mo add-on |
| Entra ID P2 | 64% | Low waste | $9/user/mo add-on |
| Defender for Office 365 P2 | 71% | Low waste | $5/user/mo add-on |
| Phone System | 42% | Medium waste | $8/user/mo add-on |
| Advanced eDiscovery | 18% | High waste | Part of Purview bundle |
| Insider Risk Management | 12% | High waste | Part of Purview bundle |
| Communication Compliance | 6% | High waste | Part of Purview bundle |
| Customer Lockbox | 4% | High waste | Part of Purview bundle |
| Information Barriers | 3% | High waste | Part of Purview bundle |
| Viva Insights (Advanced) | 8% | High waste | $6/user/mo add-on |
For a 10,000-seat E5 deployment with median utilisation (7 of 62 products), the annual shelfware cost is approximately $1.7M — the difference between what the organisation pays for E5 and what it would pay for E3 plus the add-ons covering the features it actually uses. Over a 3-year EA term, that is $5.1M in waste.
The E5 Shelfware Audit Methodology
A structured shelfware audit produces the data-driven evidence required to right-size the Microsoft estate. The methodology operates across four assessment layers.
Layer 1: Licence Assignment vs. Active Use. The first layer distinguishes between licences assigned (users who have an E5 licence in their tenant) and licences actively used (users who interact with E5-specific features). Microsoft’s admin centre reports licence assignment, not utilisation. A user with an E5 licence who only uses Outlook, Teams, and Word is consuming E3-level value at E5 pricing. This layer identifies the gap between what is licensed and what is consumed, typically revealing that 40–65% of E5 seats show no engagement with E5-specific features beyond what E3 provides.
Layer 2: Feature-Level Adoption Analysis. The second layer examines each E5-specific feature individually. For every E5 product (Defender for Endpoint, Entra ID P2, Phone System, Purview capabilities, etc.), the audit measures active deployment, active user count, policy configuration status, and data throughput. Features that are licensed but not deployed, deployed but not configured, or configured but not generating actionable output are classified as shelfware. This analysis produces a feature-by-feature utilisation matrix that drives SKU right-sizing decisions.
Layer 3: User Segmentation. The third layer segments the user population by E5 feature requirement. Not all users need the same capabilities. IT administrators, security teams, and compliance officers may genuinely require E5-level features. Knowledge workers may need only E3. Frontline workers may need only F3 or F1. The audit produces a segmented user model with recommended SKU assignments for each segment, preserving security and compliance requirements while eliminating unnecessary E5 seats.
Layer 4: Cost Impact Modelling. The fourth layer translates the utilisation data and user segmentation into financial impact. The model compares the current cost (wall-to-wall E5) against alternative architectures (E3 + add-ons, mixed SKU, third-party alternatives) to quantify the savings opportunity. The cost model includes Microsoft pricing, third-party alternatives where applicable, migration effort, and any incremental procurement required. This financial model becomes the negotiation basis for the next EA/MCA renewal.
In 91% of E5 shelfware audits, the organisation had no prior visibility into feature-level utilisation. Microsoft’s admin centre reports licence assignment, not feature adoption. Without the audit, organisations were making multi-million-dollar renewal decisions based on what they had licensed rather than what they were using.
Why Organisations Buy E5 (And Shouldn’t)
The E5 upsell is Microsoft’s most successful commercial motion. Understanding why organisations agree to the upgrade — and why those reasons rarely justify the cost — is essential for any rationalisation strategy.
1. The Security Fear Sell
Microsoft positions E5 as the “security-first” licence. Account Executives frame the E3-to-E5 upgrade as a security investment, implying that organisations on E3 are inadequately protected. In reality, E3 includes substantial security capabilities (Intune, Conditional Access, MFA, AIP P1, Basic DLP, Windows E3). The incremental security value of E5 is concentrated in 3–4 features that are available as add-ons at lower cost — and often only required for a subset of users.
2. The Bundle Economics Illusion
Microsoft presents E5 as a “discount” versus purchasing every included product individually. This is technically true — if you need every product. Since the average organisation uses 7 of 62 E5 products, the “bundle savings” argument is inverted. You are paying $20/user/month for 62 products to avoid paying $12–$15/user/month for the 7 you actually need. The bundle is a premium, not a discount.
3. The Compliance Mandate Misinterpretation
Organisations with regulatory compliance requirements (GDPR, HIPAA, SOX, DORA) are told they need E5 for Advanced eDiscovery, Insider Risk Management, and Communication Compliance. While these are genuine E5 features, they are typically required for a small subset of users (legal, compliance, HR), not the entire workforce. Licensing E5 for all users to provide compliance tools for 5% of them is the most common shelfware pattern.
4. The Phone System Bundling Trap
Organisations migrating from traditional PBX to Microsoft Teams Phone System are steered to E5 because it includes Phone System licensing. The standalone Phone System add-on costs $8/user/month on E3, and is only required for users who make or receive PSTN calls. Licensing E5 for the entire workforce to provide phone capabilities for 30–50% of users is a common and expensive misalignment.
5. The “Future-Proofing” Argument
Microsoft sellers argue that E5 “future-proofs” the organisation by providing access to features they may need later. This argument converts uncertain future value into certain present cost. Organisations pay for capabilities they may or may not deploy, at a price that escalates annually. A more rational approach is to procure features when they are needed, not years before they deliver value.
6. The Seller Incentive Alignment
Microsoft Account Executives earn higher commissions on E5 seat conversions than on E3 renewals or add-on sales. The seller’s financial incentive is to recommend E5 regardless of whether it represents the best commercial outcome for the customer. This incentive misalignment is the underlying driver of every pattern described above.
Three Alternative Licensing Architectures
Organisations that cannot justify wall-to-wall E5 have three licensing architectures that deliver equivalent security and compliance outcomes at 30–45% less cost. Each architecture is validated across multiple Redress client deployments.
E3 + Targeted Security Add-Ons
The most common optimised architecture. All users receive Microsoft 365 E3. E5-level security features (Defender for Endpoint P2, Entra ID P2, Defender for Office 365 P2) are procured as add-ons for the users who require them — typically IT administrators, security staff, and high-risk roles (20–40% of the workforce). Compliance features (Purview add-ons) are licensed for legal, compliance, and HR teams only (3–8% of the workforce). Phone System is added for users who require PSTN calling.
Blended cost: E3 ($36/user/mo) + security add-ons for 30% of users (~$5.76/user/mo blended) = $41.76/user/mo blended versus $57/user/mo for E5. Annual savings for 10,000 users: $1.83M.
E3 + Third-Party Security Stack
An alternative for organisations that prefer best-of-breed security or have existing investments in third-party security tools. All users receive E3. Endpoint security is provided by CrowdStrike, SentinelOne, or the existing EDR platform rather than Defender for Endpoint. Email security is provided by Proofpoint, Mimecast, or equivalent. Identity governance uses existing IAM platforms (Okta, SailPoint, CyberArk). This architecture eliminates the E5 security premium entirely and leverages best-of-breed tools that may already be licensed and deployed.
Blended cost: E3 ($36/user/mo) + existing third-party security stack (already budgeted) = $36/user/mo Microsoft cost. Annual savings for 10,000 users: $2.52M (Microsoft savings only; third-party costs already in budget).
Mixed-SKU Architecture (E5 + E3 + F3)
For organisations that want to retain E5 for specific user populations. Security and compliance teams receive E5 (typically 10–20% of users). Knowledge workers receive E3 (60–70% of users). Frontline workers, shared mailboxes, and limited-access roles receive F3 or F1 (15–25% of users). This architecture preserves E5 capabilities for the users who need them while eliminating the premium for users who do not. Requires careful user segmentation and SKU assignment governance to prevent drift.
Blended cost: E5 for 15% ($57 × 15%) + E3 for 65% ($36 × 65%) + F3 for 20% ($8 × 20%) = $33.55/user/mo blended versus $57/user/mo for wall-to-wall E5. Annual savings for 10,000 users: $2.81M.
Microsoft’s EA/MCA terms may include minimum E5 seat commitments or bundle discount structures that penalise SKU downgrades. Any architecture change must be negotiated as part of the broader renewal. Organisations that attempt to downgrade mid-term without contractual provision will face Microsoft repricing on remaining subscriptions. Architecture changes must be executed at renewal, with negotiated downgrade rights documented in the agreement.
Common Rationalisation Traps
Organisations that attempt E5 rationalisation without structured support encounter six predictable obstacles that Microsoft’s renewal team is trained to exploit.
1. The “You’ll Lose Security” Counter
Microsoft’s first response to E5 downgrade proposals is that the organisation will “lose security coverage.” This is technically true — and strategically misleading. The organisation loses access to features it was not using. Features it was using are reprovisioned through targeted add-ons or alternatives. Net security posture is unchanged; cost is reduced.
2. The Bundle Discount Repricing Threat
Microsoft warns that reducing E5 seats will trigger repricing of remaining subscriptions at higher per-unit rates, as the volume discount threshold changes. This is a negotiable contractual provision, not an immutable commercial law. Organisations with negotiated SKU downgrade rights are protected from repricing. Those without must negotiate this protection as part of the rationalisation.
3. The Copilot Dependency Lock
Microsoft requires E5 (or E3 + specific add-ons) as the base subscription for Copilot for Microsoft 365. Organisations that have deployed Copilot on E5 seats may face complexity in transitioning those seats to E3 + add-ons. This dependency should be mapped before any rationalisation, and Copilot seat assignments should be decoupled from the base SKU decision.
4. The Mid-Term Downgrade Penalty
Microsoft’s standard EA/MCA terms do not permit mid-term SKU downgrades. Organisations that attempt to reduce E5 seats outside the renewal window face contract penalties or are told downgrades are “not possible.” Rationalisation must be timed to coincide with the renewal event, when contractual flexibility is greatest.
5. The Usage Data Gap
Microsoft’s admin centre does not provide granular feature-level utilisation data in a format that supports SKU right-sizing decisions. Organisations that attempt rationalisation without independent usage analysis rely on incomplete data that Microsoft can challenge. A comprehensive shelfware audit using third-party tools or API-driven analysis is essential.
6. The Internal Resistance Problem
IT security teams that have deployed E5 security features may resist rationalisation, perceiving it as a reduction in their security toolset. Effective rationalisation requires demonstrating that the alternative architecture provides equivalent security coverage for deployed features — not removing capabilities that are actively used, but eliminating the premium for capabilities that are not.
Contract Protections for SKU Rationalisation
Six contractual protections that preserve the right to right-size the Microsoft estate at each renewal without commercial penalty.
1. Annual SKU Downgrade Rights
Negotiate the explicit right to downgrade subscription SKUs (E5 to E3, E3 to F3) at each annual review within the EA/MCA term, without triggering repricing of remaining subscriptions. This is the most important single protection for any E5 rationalisation strategy.
2. Add-On Procurement Flexibility
Secure the right to procure E5-level features as standalone add-ons to E3 at negotiated rates comparable to (or better than) the E5 premium pro-rated to the specific feature. Microsoft’s standard add-on pricing is list-based; negotiated add-on pricing should be part of the renewal agreement.
3. Mixed-SKU Discount Preservation
If adopting a mixed-SKU architecture, negotiate a volume discount that applies to the total seat count across all SKUs, not per-SKU. Microsoft’s standard discount structure applies volume thresholds per SKU, which penalises diversification. A cross-SKU volume discount preserves pricing as the E5/E3/F3 mix shifts.
4. Bi-Directional Seat Adjustment
Ensure the agreement permits both upward and downward seat adjustment across all SKUs at each annual review. Standard terms permit upward-only adjustment. Bi-directional rights are essential for ongoing optimisation as usage patterns evolve.
5. Copilot Decoupling
Decouple Copilot licensing from the base E5/E3 SKU decision. Negotiate Copilot on a standalone basis with independent seat counts, pilot provisions, and opt-out rights that do not affect base subscription terms.
6. Price Protection on Architecture Changes
Negotiate a provision that any architecture change (E5-to-E3 downgrade, add-on substitution, mixed-SKU transition) executed within the contractual framework does not trigger repricing, penalty fees, or loss of volume discount eligibility.
Recommendations
Seven priority actions for organisations with Microsoft 365 E5 deployments approaching EA/MCA renewal.
Conduct an E5 Shelfware Audit Before Renewal
Map feature-level utilisation across every E5-specific product. Identify which features are deployed, actively used, partially configured, or completely dormant. This assessment is the single highest-ROI activity in any Microsoft optimisation programme and typically reveals that 65–72% of the E5 premium is shelfware.
Segment Users by Actual E5 Feature Requirement
Not every user needs E5. Produce a user segmentation model: E5-required roles (security, IT admin, compliance), E3-sufficient roles (knowledge workers), and F3/F1-appropriate roles (frontline, shared mailboxes). This segmentation drives the alternative architecture selection and quantifies the savings opportunity.
Model Three Alternative Architectures
Cost-model the three alternatives (E3 + targeted add-ons, E3 + third-party security, mixed-SKU) against your current wall-to-wall E5 cost. Include Microsoft pricing, add-on costs, third-party alternatives, and migration effort. Present the model that delivers the greatest savings while preserving security and compliance requirements.
Negotiate SKU Downgrade Rights at Renewal
Before discussing pricing, secure the contractual right to downgrade E5 seats to E3 or F3 at each annual review without repricing penalties. This protection is the prerequisite for ongoing optimisation and prevents Microsoft from locking the SKU composition for the full term.
Challenge the “Security Premium” Narrative
Do not accept that E5 is required for adequate security. E3 includes substantial security capabilities. The incremental E5 security features are valuable but narrow, and available as targeted add-ons. Your security posture should drive your licensing architecture, not the other way around.
Time Architecture Changes to EA/MCA Renewal
SKU rationalisation is a renewal-event activity. Microsoft’s standard terms do not permit mid-term downgrades. Begin the shelfware audit 12–18 months before renewal so the data, architecture model, and negotiation strategy are complete before Microsoft’s renewal team engages.
Engage Specialist Advisory Support
Microsoft’s E5 upsell and retention motions are sophisticated commercial operations backed by seller incentives, bundle economics, and contractual structures designed to prevent rationalisation. Independent advisory support provides the utilisation data, benchmark pricing, alternative architecture models, and negotiation expertise required to execute rationalisation successfully against Microsoft’s commercial resistance.
How Redress Compliance Can Help
Redress Compliance’s Microsoft Practice provides end-to-end advisory support for Microsoft 365 licence rationalisation, E5 shelfware assessment, alternative architecture design, and renewal negotiation. Our team has conducted 200+ E5 shelfware audits, with an average cost reduction of 32% and zero degradation in security or compliance posture.
Microsoft Licence Rationalisation Services
- E5 shelfware audit & feature-level utilisation analysis
- User segmentation & SKU right-sizing
- Alternative architecture modelling (3 options)
- Third-party security stack evaluation
- Copilot ROI assessment & pilot structuring
- Mixed-SKU governance framework design
- Independent benchmark pricing analysis
- EA/MCA renewal negotiation & contract review
- SKU downgrade protection negotiation
- Ongoing Microsoft cost governance programme
Get In Touch
Paying for Wall-to-Wall E5?
Contact us for a confidential E5 shelfware assessment. Most organisations discover 30–45% savings potential within the first 2 weeks of engagement.
Book a Meeting
Paying for E5 and wondering if you should be? Request a confidential call with our Microsoft Practice team.
Request a Meeting
Fill in your details and suggest times. We’ll confirm within 24 hours.
Meeting Request Sent
Thank you. Our Microsoft Practice team will confirm within 24 hours.
What to Expect
30-minute NDA-protected call. We’ll review your Microsoft 365 estate, E5 seat count, and renewal timeline to scope the shelfware audit.
Based on our 200+ benchmark database, we’ll provide a preliminary estimate of your E5 shelfware exposure and potential savings range.
You’ll leave with a clear plan for the shelfware audit, timeline to results, and expected commercial outcomes — no obligation.
100% Confidential. Everything discussed is NDA-protected. We never share client data with Microsoft or any vendor.
No Obligation. If we can help, we’ll explain how and what it costs. If your E5 utilisation is strong and justified, we’ll tell you that directly.
This document has been prepared by Redress Compliance for informational purposes. Redress Compliance is a fully independent software licensing advisory firm with zero vendor affiliations — including zero Microsoft partnership. We do not resell Microsoft products, hold Microsoft competencies, or receive Microsoft partner incentives. Benchmark data is based on anonymised Microsoft 365 E5 shelfware assessments. Past results are not a guarantee of future outcomes.
© 2026 Redress Compliance. All rights reserved.