# Appendix D: Licensing & Compliance Matrix
The choice between Microsoft 365 G3 (E3) and G5 (E5) is not merely a feature decision—it is a "manual effort vs. automated enforcement" decision for compliance. For an executive-level overview of the CRAWL-WALK-RUN licensing path and when to upgrade, see License Tiers: G3 vs. G5 Decision Guide.
## G3 vs. G5 for CMMC Level 2
While a CMMC Level 2 assessment can be passed on a G3 license, it requires significant manual overhead for evidence collection (audit logs) and administrative gating (privileged access). G5 "auto-satisfies" several high-friction practices through automation and advanced telemetry.
In GCC High, the primary difference is the Purview Compliance and Defender XDR suites. Note that Defender for Endpoint Plan 2 is uniquely included in G3 GCC High, whereas it is a G5/add-on feature in Commercial.
| CMMC Practice | Capability | M365 GCC High G3 | M365 GCC High G5 | Compliance Impact |
|---|---|---|---|---|
| AC.L2-3.1.5 (Least Privilege) | Privileged Identity Management (PIM) | No (Manual admin accounts) | Yes (JIT Elevation) | G5 automates "Just-in-Time" access, removing standing admin risk. |
| AC.L2-3.1.1 (Authorized Access) | Entitlement Management | No (Manual invitations) | Yes (Access Packages) | G5 provides self-service access requests with automated expiry. |
| AU.L2-3.3.1 (System Auditing) | Audit Log Retention | 90 Days (Standard) | 1 Year (Premium) | Critical: CMMC typically requires 1 year of logs. G3 requires manual export to Sentinel/Storage. |
| AU.L2-3.3.5 (Audit Analysis) | Purview Audit Premium | No | Yes | G5 includes MailItemsAccessed events, a key requirement for forensics. |
| SC.L2-3.13.16 (CUI at Rest) | Information Protection | Manual Labeling Only | Auto-Labeling | G5 can automatically encrypt CUI based on content scans using sensitive information types (SITs). |
| SI.L2-3.14.7 (Identify Unauthorized) | Defender for Identity / Cloud Apps | Add-on Required | Included | G5 provides behavioral analytics across identity and SaaS apps. |
| IR.L2-3.6.1 (Incident Handling) | Automated Investigation (AIR) | No | Yes | G5 "self-heals" common alerts (e.g., auto-isolating a compromised user). |
## The "E5 Security" Middle Ground
For organizations on G3 that need the security features but not the compliance features (Audit Premium/Insider Risk), the M365 G5 Security Add-on is the most common path. It includes the full Defender XDR suite and Entra ID P2 (PIM), but excludes the advanced Purview compliance tools.
## E3 vs. E5 for NIST SP 800-171 Rev. 3
While NIST SP 800-171 compliance can be achieved on an E3 license, it requires significant manual overhead for audit log retention and privileged access gating. E5 automates several high-friction requirements through advanced telemetry, behavioral analytics, and automated enforcement.
In Commercial tenants, the gap between E3 and E5 is wider because Defender for Endpoint Plan 2 (EDR) is an E5-level feature. E3 includes only Plan 1 (Basic protection).
| NIST 800-171 Requirement | Capability | M365 Commercial E3 | M365 Commercial E5 | Compliance Impact |
|---|---|---|---|---|
| 3.14.1 / 3.14.3 (EDR/Flaw Remediation) | Defender for Endpoint | Plan 1 (Basic) | Plan 2 (Full EDR) | E3 lacks full behavioral EDR and automated remediation required for modern 171 Rev 3. |
| 3.1.5 (Least Privilege) | Entra ID P2 (PIM) | No | Yes | E3 requires separate "Admin-only" accounts with standing access. |
| 3.3.1 / 3.3.2 (Audit Retention) | Purview Audit Premium | 90 Days | 1 Year | E3 requires a custom Log Analytics / Sentinel strategy to meet retention. |
| 3.13.16 (Data Confidentiality) | Purview Auto-labeling | No | Yes | E5 automatically finds and encrypts data, reducing "human error" risk. |
| 3.11.2 (Vulnerability Scan) | Defender Vulnerability Mgmt | No | Yes | E5 provides real-time vulnerability tracking for endpoints. |
| 3.1.2 (Transaction Recovery) | Insider Risk Management | No | Yes | E5 detects data exfiltration patterns (USB copy, large downloads) natively. |
## Decision Summary: When to Upgrade
- Stay on E3 if: You have a small user count and a robust SIEM (Sentinel) strategy to handle log retention and manual account gating.
- Move to E5 if: You have a distributed workforce, handle high volumes of CUI/PII, and want to reduce "Total Cost of Compliance" by automating incident response and access reviews.
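Both tables above note that a G3/E3 tenant only keeps 90 days of unified audit log and must export to Sentinel or storage to reach the one-year retention expected for AU.L2-3.3.1 and 3.3.1/3.3.2. The script below is an added example of that manual strategy, not code from the original page: it pages through `Search-UnifiedAuditLog` for a rolling window, writes one JSON record per line, and hashes the finished file for the evidence package. It assumes the ExchangeOnlineManagement module is installed, the account holds an audit-reading role, and the output path is a constructed placeholder to replace with durable storage. The `O365USGovGCCHigh` environment name is the one GCC High tenants pass to `Connect-ExchangeOnline`.

```powershell
# Added example (not part of the original page): rolling export of the Microsoft 365
# Unified Audit Log so a G3/E3 tenant with 90-day retention can keep a year of evidence.
# Assumptions: ExchangeOnlineManagement module present; caller has an audit log role;
# $OutputDir is a constructed placeholder and should point at immutable storage.
param(
    [string]$OutputDir    = "C:\AuditExport",   # constructed path, replace with durable storage
    [int]   $LookbackDays = 1,                  # run daily; shorten if a window hits 50,000 records
    [string]$Environment  = "O365Default"       # "O365USGovGCCHigh" for GCC High tenants
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ExchangeEnvironmentName $Environment -ShowBanner:$false

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$LookbackDays)

# A fixed SessionId plus ReturnLargeSet is a server-side cursor: each call returns the
# next 5,000 records for the same window, up to the 50,000-record session ceiling.
$sessionId = "UALExport-" + [guid]::NewGuid().ToString()
$outFile   = Join-Path $OutputDir ("ual-{0:yyyyMMdd}-{1:yyyyMMdd}.jsonl" -f $start, $end)
if (Test-Path $outFile) { Remove-Item $outFile }   # avoid appending duplicates on re-run
$total = 0

do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) {
        # AuditData is already a JSON string; JSON Lines lets a SIEM or Log Analytics
        # ingestion job consume the file without further parsing.
        $batch | ForEach-Object { $_.AuditData } | Add-Content -Path $outFile -Encoding UTF8
        $total += $batch.Count
    }
} while ($batch -and $batch.Count -eq 5000)

if ($total -ge 50000) {
    Write-Warning "Session ceiling reached; rerun with a smaller -LookbackDays to avoid gaps."
}

# Record a SHA-256 of the finished file so the retained evidence carries an integrity check.
$hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
Set-Content -Path "$outFile.sha256" -Value "$hash  $(Split-Path $outFile -Leaf)"

Write-Host "Exported $total records to $outFile (SHA-256 $hash)"
Disconnect-ExchangeOnline -Confirm:$false
```

Schedule it daily so each run stays well inside the 90-day window the tenant actually retains; the per-file hash sidecar is what lets an assessor confirm the exported year of logs has not been altered after collection.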
## Technical Comparison Reference
| Feature | G3 / E3 | G5 / E5 / G5 Security |
|---|---|---|
| Entra ID P2 (PIM, Identity Governance) | — | ✅ |
| Defender for Endpoint (EDR) | GCCH: ✅ / COMM: ⚠️ | ✅ |
| Defender for Office 365 Plan 2 | — | ✅ |
| Defender for Identity (MDI) | — | ✅ |
| Defender for Cloud Apps (MDA) | — | ✅ |
| Purview Audit Premium (1-year logs) | — | ✅ |
| Purview Auto-labeling | — | ✅ |
| Insider Risk Management | — | ✅ |
| Endpoint Privilege Management (EPM) | — | ✅ (Starting July 2026) |
Note: ✅ = Included | — = Add-on Required | ⚠️ = Plan 1 only (no EDR)
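The reference table above is easiest to act on when it is checked against what a tenant has actually provisioned. The script below is an added example, not code from the original page: it reads every subscribed SKU through Microsoft Graph PowerShell and reports which of the table's capabilities are backed by an enabled service plan. It assumes the Microsoft.Graph module is installed, and the service-plan names in `$required` are assumed identifiers to verify against your own `Get-MgSubscribedSku` output; GCC High tenants connect with `-Environment USGov`.

```powershell
# Added example (not part of the original page): compare the tenant's enabled service
# plans against the capability rows in the comparison table.
# Assumptions: Microsoft.Graph module present; the service-plan names below are assumed
# identifiers and should be confirmed against Get-MgSubscribedSku in your tenant.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Add -Environment USGov for GCC High tenants.
Connect-MgGraph -Scopes "Organization.Read.All" -NoWelcome

# Capability (as named in the table) -> service plan name (assumed, verify in tenant)
$required = [ordered]@{
    'Entra ID P2 (PIM, Identity Governance)' = 'AAD_PREMIUM_P2'
    'Defender for Endpoint Plan 2 (EDR)'     = 'WINDEFATP'
    'Defender for Office 365 Plan 2'         = 'THREAT_INTELLIGENCE'
    'Defender for Identity (MDI)'            = 'ATA'
    'Defender for Cloud Apps (MDA)'          = 'ADALLOM_S_STANDALONE'
    'Purview Audit Premium (1-year logs)'    = 'M365_ADVANCED_AUDITING'
    'Purview Auto-labeling'                  = 'MIP_S_CLP2'
}

# Flatten every SKU's service plans into one lookup: plan name -> SKU that supplies it.
# Only plans whose provisioning succeeded count; a purchased but disabled plan does not.
$enabled = @{}
foreach ($sku in Get-MgSubscribedSku) {
    foreach ($plan in $sku.ServicePlans) {
        if ($plan.ProvisioningStatus -eq 'Success') {
            $enabled[$plan.ServicePlanName] = $sku.SkuPartNumber
        }
    }
}

# One row per capability, mirroring the "Included / Add-on Required" columns above.
$report = foreach ($cap in $required.Keys) {
    $plan = $required[$cap]
    [pscustomobject]@{
        Capability  = $cap
        ServicePlan = $plan
        Present     = $enabled.ContainsKey($plan)
        ViaSku      = if ($enabled.ContainsKey($plan)) { $enabled[$plan] } else { 'add-on required' }
    }
}

$report | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

A `Present = False` row is the gap that the compliance-impact columns above describe: the practice must then be met by a manual process (standing admin accounts, exported logs, manual labeling) until the add-on or G5/E5 upgrade is in place.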