O365 license types

When investigating incidents in Microsoft 365 (M365), the type of license a user has will impact what data you can collect, search, and analyze. Here’s a high-level breakdown of M365 license types and their impact on forensic investigations:


1. Microsoft 365 Business Licenses

  • Common for: Small-to-medium businesses (SMBs)

  • Plans: Business Basic, Business Standard, Business Premium

  • Impact on Investigations:

    • Limited audit data: Business Basic and Business Standard only get Audit (Standard) with the default retention. None of the Business plans include Audit (Premium), so mailbox-level events such as MailItemsAccessed are never recorded and retention cannot be extended with an audit retention policy.

    • Limited compliance tooling: eDiscovery (Premium, formerly Advanced eDiscovery) is not included in any Business plan. Business Basic and Business Standard also lack Defender for Office 365, so there is no phishing/malware telemetry beyond Exchange Online Protection. Business Premium is the exception: it includes Defender for Office 365 Plan 1 and Defender for Business (endpoint), so email threat and device alerts are available there.

    • Basic mailbox and SharePoint logging: Audit (Standard) records are still searchable in Microsoft Purview Audit, but only within the default retention window.


2. Microsoft 365 Enterprise Licenses

  • Common for: Large organizations with security & compliance needs

  • Plans: E1, E3, E5

  • Impact on Investigations:

    • E1: Audit (Standard) only; no Audit (Premium) or eDiscovery (Premium). Basic logging is available via Microsoft Purview Audit.

    • E3:
      ✅ Audit (Standard) – default retention (historically 90 days; Microsoft raised the default to 180 days for records generated from late 2023 onward, so confirm the actual value in the tenant's Purview audit retention policies)
      ✅ eDiscovery (Standard) – can search, hold and export data
      ❌ No eDiscovery (Premium) and no long-term audit log retention
      Note: Microsoft 365 E3 includes Defender for Endpoint Plan 1; Office 365 E3 does not include any Defender for Endpoint plan.

    • E5 (best for forensics):
      ✅ Audit (Premium, formerly Advanced Audit) – retains logs for 1 year by default (10 years with the 10-Year Audit Log Retention add-on) and records additional events such as MailItemsAccessed, Send and SearchQueryInitiated. These events are only generated for users who hold the license, not tenant-wide.
      ✅ eDiscovery (Premium, formerly Advanced eDiscovery) – custodians, review sets, legal holds and tagging for investigations
      ✅ Defender integration – Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Defender for Identity and Defender for Cloud Apps help track compromised accounts, malware and lateral movement


3. Microsoft 365 Compliance & Security Add-ons

  • Common for: Organizations with strict security needs

  • Examples:

    • Microsoft 365 E5 Compliance, or the narrower Microsoft 365 E5 eDiscovery and Audit add-on (both sit on top of E3) → adds Audit (Premium) and eDiscovery (Premium), i.e. the 1-year audit retention and the richer search/review tooling; the 10-Year Audit Log Retention add-on requires one of these first

    • Microsoft Defender for Office 365 (P1/P2) → adds email threat-protection logs (Safe Links/Safe Attachments detonations, real-time detections); P2 adds Threat Explorer, automated investigation and response, and campaign views

    • Defender for Endpoint (P1 with Microsoft 365 E3, P2 with Microsoft 365 E5) → provides device forensics beyond M365; device timeline, live response and advanced hunting need P2 (integrates with SIEM/XDR)


Key Takeaways for Investigations

  • ✅ E5 is the best license for digital forensics (Audit (Premium), eDiscovery (Premium), Defender tools)

  • ✅ E3 is decent, but audit retention is limited to the Audit (Standard) default (90 or 180 days depending on when the record was generated) and there is no eDiscovery (Premium) unless an E5 Compliance add-on is assigned

  • ❌ Business licenses are very limited, making forensic investigations harder (Business Premium at least adds Defender for Office 365 P1 and Defender for Business alerts)

If you're dealing with an investigation, check what license the affected user has, because this dictates what logs, emails, SharePoint data and Defender alerts you can retrieve. Two caveats: audit retention is set by the tenant's audit retention policies, not by the SKU alone, and Audit (Premium) events are generated only for users who held that license at the time of the activity, so upgrading a user after the incident does not retroactively produce MailItemsAccessed records for the compromise window.
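The following script is an added example, not part of the original page, showing how to turn the license check above (and the E5 capability list in section 2) into something concrete: it resolves the affected user's assigned SKUs and provisioned service plans with the Microsoft Graph PowerShell SDK, maps the plans that matter for an investigation to the capability they unlock, and then lists the tenant's audit retention policies with the Security & Compliance module. The service-plan-name-to-capability table is an assumption taken from Microsoft's licensing service plan reference and should be re-checked against the current list; the cmdlets themselves (`Connect-MgGraph`, `Get-MgUserLicenseDetail`, `Connect-IPPSSession`, `Get-UnifiedAuditLogRetentionPolicy`) are real.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules. Run as a user with User.Read.All and
# Security & Compliance PowerShell access.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

# Service plan name -> investigation capability it unlocks.
# Assumed mapping from Microsoft's service plan reference; verify before relying on it.
$ForensicPlans = [ordered]@{
    'M365_ADVANCED_AUDITING' = 'Audit (Premium): MailItemsAccessed/Send/SearchQueryInitiated, 1-year retention'
    'EQUIVIO_ANALYTICS'      = 'eDiscovery (Premium): custodians, review sets, holds'
    'ATP_ENTERPRISE'         = 'Defender for Office 365 P1: Safe Links/Attachments, real-time detections'
    'THREAT_INTELLIGENCE'    = 'Defender for Office 365 P2: Threat Explorer, AIR, campaign views'
    'MDE_LITE'               = 'Defender for Endpoint P1: basic device alerts (no timeline/live response)'
    'WINDEFATP'              = 'Defender for Endpoint P2: device timeline, live response, advanced hunting'
    'MDE_SMB'                = 'Defender for Business: endpoint alerts in Business Premium tenants'
}

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$details = Get-MgUserLicenseDetail -UserId $UserPrincipalName
if (-not $details) {
    Write-Warning "$UserPrincipalName has no licenses assigned; only tenant-wide Audit (Standard) records apply."
    return
}

Write-Host "Licenses assigned to $($UserPrincipalName):"
$details | ForEach-Object { Write-Host "  $($_.SkuPartNumber)" }

# Flatten the service plans of every assigned SKU. A plan only counts if it is
# actually provisioned ('Success'); a plan present in the SKU but disabled by the
# admin gives the user none of the capability.
$enabled = $details.ServicePlans |
    Where-Object { $_.ProvisioningStatus -eq 'Success' } |
    Select-Object -ExpandProperty ServicePlanName -Unique

Write-Host "`nForensic capabilities for this user:"
foreach ($plan in $ForensicPlans.Keys) {
    $mark = if ($enabled -contains $plan) { '[x]' } else { '[ ]' }
    Write-Host "  $mark $plan -> $($ForensicPlans[$plan])"
}

if ($enabled -notcontains 'M365_ADVANCED_AUDITING') {
    Write-Warning 'No Audit (Premium): expect no MailItemsAccessed events for this mailbox and Audit (Standard) retention only.'
}

# Retention is governed by tenant audit retention policies, not by the SKU alone,
# so list the policies that can lengthen (or, by priority, override) what is searchable.
Connect-IPPSSession
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, Priority, RetentionDuration, UserIds, RecordTypes, Operations |
    Format-Table -AutoSize
```

Once the license picture is known, the empirical confirmation is a quick `Search-UnifiedAuditLog` scoped to the user with `-Operations MailItemsAccessed` over the suspected compromise window: if that returns nothing for a user the script reports as holding Audit (Premium), the license was probably assigned after the activity, and the mailbox timeline will have to be rebuilt from other sources such as sign-in logs and Defender alerts.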
