Microsoft E5 Shelfware Guide 2026: What Enterprises Are Paying For and Not Using

Understanding the E5 Shelfware Problem

Microsoft 365 E5 sits between E3 and the newest top-tier E7 in the M365 SKU stack, packing in advanced security, compliance, voice, and analytics capabilities that E3 omits. At $57 per user per month at list price — compared to $36 per user per month for E3 — the E5 premium represents $21 per user per month, or $252 per user per year. For a 2,000-user organisation, that premium totals $504,000 per year. The economic justification for that premium requires that organisations actually deploy and use the security, compliance, voice, and analytics capabilities that are included in E5 and absent from E3.

The empirical reality is that most organisations do not come close to deploying E5's differentiated capabilities at meaningful scale. Research shows that across the enterprise population, approximately 23 percent of assigned E5 licences are functionally inactive — meaning the user assigned the licence is not meaningfully using the security, compliance, or advanced features that justify the E5 cost. A further 27 percent are completely unassigned — purchased but not even allocated to a user.

This shelfware problem has multiple causes. E5 is often purchased as a blanket upgrade — every user in the estate moved to E5 — rather than as a targeted allocation to users who genuinely require E5's advanced capabilities. Security and compliance features within E5 require active deployment, configuration, and integration with existing workflows; simply licensing E5 does not automatically activate Defender, Purview, Entra ID P2, or Sentinel. And organisations that moved to E5 during the 2020 to 2022 security-driven upgrade cycle often did not establish governance mechanisms to track whether deployments occurred.

The E5 SKU Stack Context: E1, E3, E5, E7

Before analysing the shelfware problem, it is important to understand the current M365 SKU landscape. The full SKU stack as of 2026 runs E1, E3, E5, and E7. E7 is the new top-tier SKU positioned above E5 — launched to bundle advanced AI capabilities including Microsoft 365 Copilot, advanced security add-ons, and compliance features that previously required separate purchases above E5. Microsoft's field teams are actively pushing E5 customers toward E7 at renewal, and the upsell motion is intensifying.

This context matters for E5 shelfware analysis for two reasons. First, organisations that are on E5 with low utilisation of E5's differentiated features have an even stronger argument against moving to E7 at renewal — adding Copilot and advanced AI features on top of a foundation where the core security and compliance features are already unused compounds the shelfware problem. Second, if the analysis reveals that the only E5 features with genuine value to your organisation are exactly those included in E7's incremental AI layer, the E7 transition conversation should be informed by an honest utilisation assessment — not driven by Microsoft's upsell narrative.

E5 Feature Categories and Their Utilisation Reality

E5 packages value across five primary capability domains beyond E3: security, compliance, identity, voice and telephony, and analytics. Each domain has its own deployment complexity and its own typical utilisation rate in enterprise deployments.

Security: Defender Suite and E5 Security

The security premium in E5 is primarily delivered through Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, and integration with Microsoft Defender XDR. These represent approximately $12 per user per month of the E5 premium (the standalone E5 Security add-on cost when purchased separately).

Defender for Endpoint P2 is the most commonly deployed of the E5 security features, but deployment quality varies widely. Many organisations that have onboarded endpoints to Defender for Endpoint P2 have not configured the advanced features that differentiate P2 from P1: automated investigation and remediation (AIR) workflows, advanced hunting queries, or integration with Threat and Vulnerability Management. The licence is active but the advanced capabilities are at default settings, providing minimal improvement over what P1 would have delivered.

Defender for Cloud Apps is one of the most consistently underutilised E5 security features. The Cloud Access Security Broker (CASB) capability requires active policy configuration, Shadow IT discovery enablement, and integration with Microsoft Entra ID Conditional Access to deliver value. Organisations that have not completed the Defender for Cloud Apps deployment and configuration phases often have the licence but none of the data loss prevention, risky behaviour alerting, or Shadow IT visibility that justifies the cost.

Defender for Identity, which monitors on-premises Active Directory and Entra ID for credential theft and lateral movement indicators, requires deploying a sensor on every Active Directory domain controller. Many organisations have purchased E5 — and therefore have Defender for Identity rights — but have not deployed the required sensors. The licence is idle because the deployment step was never completed.

Compliance: Microsoft Purview and E5 Compliance

The compliance premium in E5 is delivered through Microsoft Purview — specifically, the advanced compliance capabilities that require E5 Compliance: Advanced eDiscovery, Insider Risk Management, Communication Compliance, Advanced Audit, and Customer Lockbox. The standalone E5 Compliance add-on is $12 per user per month when purchased separately from E3.

Purview compliance capabilities are the most consistently underdeployed E5 features across the enterprise population. Advanced eDiscovery requires integration with your legal and compliance workflow and active configuration of custodian management, hold policies, and review sets. Insider Risk Management requires establishing baseline user behaviour, defining risk indicators, and configuring alert thresholds — a non-trivial deployment that requires both technical and HR policy alignment. Communication Compliance requires policy definition and integration with legal review workflows.

The practical result is that most organisations with E5 have Purview licences but are using E3-level compliance functionality — basic retention policies, basic DLP, and manual eDiscovery through the standard Content Search interface. The advanced Purview features that justify the E5 Compliance premium are genuinely deployed in a minority of E5 organisations.

There is an important distinction between E3 and E5 in Purview that even technically informed buyers often miss: E3 includes basic data loss prevention (DLP) policies for Exchange, SharePoint, and OneDrive. E5 adds DLP for Teams chat, which requires E5 to protect sensitive data in Teams conversations. For organisations where Teams is the primary communication platform and data leakage via Teams chat is a genuine risk, this E5 DLP capability is non-trivial — but its deployment requires specific policy configuration that is frequently absent.

Identity: Entra ID P2

Entra ID Plan 2 (formerly Azure AD P2) is included in M365 E5 and provides Privileged Identity Management (PIM), Identity Protection, and Access Reviews — capabilities absent from Entra ID P1 (included in E3). PIM enables just-in-time privileged access, requiring administrators to explicitly activate elevated roles for defined time windows rather than holding permanent admin assignments. Identity Protection provides risk-based Conditional Access, blocking or requiring step-up authentication for sign-ins that exhibit anomalous behaviour patterns. Access Reviews automates periodic entitlement reviews for group memberships and application access.

PIM adoption in E5 organisations is moderate — approximately 40 to 50 percent of E5 organisations have deployed PIM for at least some privileged roles. But the depth of implementation varies significantly: many organisations have enabled PIM for Azure AD roles but have not extended it to Azure resource roles, application registrations, or group ownership, leaving significant privileged access surface area uncontrolled despite holding the licences to control it.

Identity Protection adoption is higher — Conditional Access with risk-based policies is widely deployed — but the value derived from Entra ID P2's risk signal enhancements over P1 is often not fully leveraged. Many organisations run Conditional Access policies that do not distinguish between low, medium, and high user risk, effectively using P2 licences to run policies that P1 would have enabled.

Voice and Telephony: Teams Phone

Microsoft 365 E5 includes Teams Phone (formerly Phone System), which enables Teams as a PBX replacement with direct routing or Microsoft Calling Plan connectivity for PSTN calls. At a standalone value of approximately $8 per user per month, Teams Phone is a material E5 component for organisations that are actively replacing their PBX infrastructure with Teams voice.

However, Teams Phone is the most consistently unpurchased-for-its-intended-purpose E5 component in practice. A substantial proportion of E5 licence holders do not need PSTN calling capability — they use Teams for internal collaboration, video meetings, and messaging but retain a separate telephony system for external calls. For these users, the Teams Phone entitlement in E5 is pure shelfware — a capability with real standalone market value that is never deployed because the organisation's telephony strategy does not align with Microsoft's voice vision.

Importantly, Teams Phone is now available as a separate add-on from M365 E3 at approximately $8 per user per month for users who specifically need voice, rather than as a bundled E5 feature that everyone pays for regardless of need. This separation means that organisations whose primary E5 justification was voice should evaluate whether a mixed E3-plus-Teams-Phone strategy for voice users, combined with E3-only for non-voice users, is more economical than blanket E5.

Analytics: Power BI Pro and Advanced Analytics

M365 E5 includes Power BI Pro, which enables report publishing, collaborative dashboards, and data refresh at scale within Microsoft Fabric's Power BI service. E3 includes the Power BI free tier, which allows individual report creation but not distribution or collaboration features.

Power BI Pro utilisation within E5 deployments is typically low outside of data-intensive roles — finance, operations, and analytics teams. For users in knowledge worker roles who use Teams, Outlook, and SharePoint but do not create or distribute Power BI reports, the Power BI Pro entitlement in E5 is unused. Organisations should assess what percentage of their E5 population are active Power BI consumers before treating the included Power BI Pro as a value justification for the E5 premium across all users.

Quantifying the Financial Waste

The financial impact of E5 shelfware is straightforward to calculate once utilisation data is available. The framework uses three categories of E5 users: full utilisation (user genuinely uses E5 security, compliance, or voice features and the E5 premium is justified), partial utilisation (user uses some E5 features but not enough to justify the full E5 premium over a targeted E3-plus-add-ons approach), and zero utilisation (user uses only E3-equivalent features despite holding an E5 licence).

The E5-to-E3 differential is $21 per user per month at list price, or $252 per user per year. For a 5,000-user organisation where the utilisation audit reveals 30 percent zero-utilisation users (1,500 users), the annual cost of that shelfware is 1,500 times $252, or $378,000 per year. Over a three-year EA term, that is $1,134,000 in wasted licence premium — before considering that those users could have been on E3 at a lower negotiated rate, compounding the savings.

For partial utilisation users — those who use Defender for Endpoint P2 but nothing else above E3 — the calculation requires comparing the E5 premium ($21) against the cost of acquiring only the required features separately. If the user only needs Defender for Endpoint P2 (standalone approximately $5.20 per device per month), the comparison is $21 per user (E5 premium) versus $5.20 per device (standalone P2) — and the standalone approach may be cheaper for users with a single device, or E5 may be justified for users with five devices all requiring P2 coverage.

The Deployment Remediation Path: Activate What You're Paying For

For organisations where the underlying business need for E5 capabilities exists — meaningful security requirements, regulatory compliance obligations, active voice migration — the correct response to the shelfware problem is deployment remediation, not downgrading. Deploying what is already paid for delivers security value and eliminates the waste without incurring transition cost.

Phase 1: Security Quick Wins (30 Days)

Several E5 security features deliver significant value with relatively low deployment effort and should be the first target for organisations beginning a remediation programme. Enabling Defender for Endpoint P2's automated investigation and remediation (AIR) for the highest-confidence alert categories takes under four hours of configuration and immediately reduces analyst response burden. Enabling Defender for Identity sensors on Active Directory domain controllers requires a sensor download and deployment but delivers critical lateral movement visibility within 24 hours of deployment. Enabling risk-based Conditional Access policies using Entra ID P2's user risk and sign-in risk signals requires configuring two to four Conditional Access policies but provides immediate protection against compromised credentials.

Phase 2: Compliance Foundations (60–90 Days)

Purview compliance deployments require more stakeholder alignment but can deliver substantial value. Deploying Advanced Audit (which provides a 90-day audit trail retention upgrade to one year, and adds key events including mail items accessed and mail search performed) requires zero additional configuration beyond activating it — it is an immediate value add for any E5 organisation that has not activated it. Configuring Microsoft Purview Information Protection with sensitivity labels for the most common data categories (public, internal, confidential, highly confidential) provides data classification and DLP policy enforcement that E3 does not enable at the same depth. Insider Risk Management should be deployed for the highest-risk roles only — finance, executive, and privileged IT — as an initial scope, with broader rollout as the HR and legal policy framework matures.

Phase 3: Voice Assessment (90–180 Days)

For organisations where Teams Phone shelfware represents a significant cost, a structured voice migration assessment should determine whether the PSTN calling capability in E5 is deployable within the next renewal cycle. If the business case for Teams Phone migration exists, the E5 voice entitlement becomes real value. If the telephony roadmap does not include Teams Phone adoption within the current licence term, the voice component of E5 should be factored into the renewal negotiation as an argument for E5-to-E3 downgrade for non-voice users.

The Downgrade Decision: E3 Plus Targeted Add-Ons

For organisations where the deployment remediation path is not feasible — insufficient IT capacity, lack of business sponsorship for compliance programmes, or genuine absence of use cases for E5 features — the financially correct decision may be to downgrade affected users from E5 to E3 with targeted add-ons for the specific capabilities that are actually required.

The E3 plus targeted add-ons model works as follows. Deploy all users on E3 ($36 per user per month at list). Apply the E5 Security add-on ($12 per user per month) only to the subset of users who require advanced endpoint protection, Defender XDR signal depth, and Defender for Identity coverage — typically IT, security operations, finance, executive, and privileged roles, representing perhaps 20 to 30 percent of the total user population. Apply the E5 Compliance add-on ($12 per user per month) only to legal, compliance, and HR roles who require Advanced eDiscovery, Insider Risk Management, and Communication Compliance — typically 5 to 10 percent of users. Apply Teams Phone ($8 per user per month) only to users who actually need PSTN calling.

The mathematical result for a 5,000-user organisation: E3 for all 5,000 users ($180,000 per month) plus E5 Security for 1,000 users ($12,000 per month) plus E5 Compliance for 250 users ($3,000 per month) plus Teams Phone for 500 users ($4,000 per month) equals $199,000 per month, versus $285,000 per month for 5,000 E5 users — a saving of $86,000 per month or $1,032,000 per year at list prices, before negotiation.

E5 Shelfware and the E7 Upsell Problem

As of 2026, Microsoft's field teams are actively transitioning E5 customers to E7. E7 is positioned as the next evolution above E5, bundling Microsoft 365 Copilot ($30 per user per month as a standalone add-on) with advanced AI security features, enhanced compliance capabilities, and everything included in E5. The E7 upsell pitch is that it makes Copilot "free" by folding it into the E7 bundle at a lower effective per-user cost than E5 plus standalone Copilot.

The E5 shelfware problem makes the E7 upsell particularly problematic. If an organisation has not deployed the security and compliance features included in E5 — and is therefore paying for significant shelfware already — then accepting an E7 upgrade without remediating the existing shelfware compounds the problem by adding AI and Copilot features on top of a foundation of undeployed capabilities. The E7 upsell pitch does not address why the E5 features that justify the E5 premium are not deployed; it simply adds another layer of cost and capability over an existing deployment deficit.

Our Microsoft EA advisory specialists consistently advise clients facing E7 upsell proposals to complete an E5 utilisation review first. The review either validates that E5 features are genuinely deployed (supporting the E7 case if Copilot adoption is planned), or it reveals the shelfware extent (creating leverage to negotiate E7 pricing as a replacement for a reduced E5 footprint rather than an expansion of the existing E5 base).

The Shelfware Audit: How to Measure Your E5 Utilisation

Conducting a credible E5 utilisation audit requires data from three sources. Microsoft 365 Usage Analytics (available in the Microsoft 365 admin centre) provides user-level activity data across all M365 services, including which users are active in Defender, Purview, and other E5-specific services. Microsoft Entra ID Sign-In Logs provide data on Conditional Access policy application and identity protection events, allowing assessment of whether Entra ID P2 features are actively protecting user sign-ins. The Microsoft Defender portal provides telemetry on device onboarding status, alert volume by device, and AIR trigger rates — the last two metrics being particularly diagnostic of whether Defender for Endpoint P2's advanced features are deployed or dormant.

The audit should produce a per-user classification: E5 justified, E5 partially justified, E5 unjustified. The first category represents users whose genuine use of at least two to three E5-specific features at meaningful depth justifies the E5 premium. The second represents users who use one E5 feature that could be more cheaply delivered via a targeted add-on. The third represents users who show no E5-specific feature activity at all — pure shelfware.

The audit findings directly inform the pre-renewal negotiation position. An organisation that can demonstrate to Microsoft that 25 to 40 percent of its E5 users are shelfware has a documented basis for proposing a right-sizing of the E5 population at renewal — either to E3 with add-ons, or to a reduced E5 footprint — that Microsoft's account team will be motivated to address commercially rather than lose the renewal to a competitive restructuring.