Sequentur Blog

Microsoft 365 Licensing Explained for Small Business

Microsoft 365 licensing is confusing by design. There are three business plans, two enterprise tiers that some SMBs end up on by accident, add-ons that duplicate features already included in higher plans, and naming that has changed multiple times. The result is that most small businesses are either overpaying for features they do not use or underpaying and missing security features they genuinely need.

This guide breaks down what each plan actually includes, who each one is designed for, where the security features kick in, and the common mistakes that cost small businesses money. If you are reading this as part of a broader cloud migration, see "Moving your business to the cloud: where to start" for the order in which most SMBs should approach a full migration – email and identity (which is what M365 covers) is almost always the first stage.

The three business plans

Microsoft sells three plans under the “Microsoft 365 Business” umbrella. All three include Exchange Online (email), OneDrive (file storage), SharePoint, and Teams. The difference is in the desktop apps, the security features, and the device management capabilities.

Business Basic – $6/user/month

Business Basic is the entry-level plan. It includes:

  • Exchange Online email with a 50 GB mailbox
  • OneDrive with 1 TB of storage per user
  • SharePoint Online
  • Microsoft Teams
  • Web and mobile versions of Word, Excel, PowerPoint, and Outlook

What it does not include: desktop versions of Office apps. Users on Business Basic can only use Word, Excel, and PowerPoint through the browser or mobile apps. There are no installable desktop applications. For employees who live in spreadsheets or write long documents, the web versions are noticeably limited compared to the desktop apps.

Business Basic also does not include any advanced security features. No Defender for Office 365 (advanced email protection), no Defender for Business (endpoint protection), no Intune (device management), and no conditional access policies beyond security defaults. The email protection you get is Exchange Online Protection (EOP), which handles basic spam and malware filtering but does not catch targeted phishing, impersonation attacks, or malicious URLs that activate after delivery.

Who it is for: Employees who primarily use email, Teams, and basic file sharing, and who do not need desktop Office apps. Front-line workers, warehouse staff, or anyone whose work does not revolve around creating documents in Office applications. It is also appropriate for shared mailboxes and service accounts that need a mailbox but no desktop apps, though shared mailboxes do not require any license at all if they stay under 50 GB.

Business Standard – $12.50/user/month

Business Standard includes everything in Basic plus:

  • Desktop versions of Word, Excel, PowerPoint, Outlook, and OneNote (installable on up to 5 PCs or Macs per user)
  • Desktop versions of Access and Publisher (Windows only)
  • Microsoft Bookings, Forms, Lists, and Planner
  • Webinar hosting through Teams (up to 300 attendees)

The security features are identical to Business Basic. You still get only EOP for email, no Defender for Business, no Intune, and no conditional access beyond security defaults. The extra $6.50 per user per month buys you the desktop apps and a few collaboration tools. It does not improve your security posture at all.

This is the plan most small businesses default to because “we need Word and Excel on our computers.” That reasoning is valid, but it leaves a significant security gap that many businesses do not realize exists until something goes wrong.

Who it is for: Employees who need desktop Office applications for their daily work. This is the majority of knowledge workers in a small business: people who write documents, build spreadsheets, create presentations, and manage email through the Outlook desktop client.

Business Premium – $22/user/month

Business Premium includes everything in Standard plus:

  • Defender for Office 365 Plan 1 (advanced email protection: Safe Links, Safe Attachments, anti-phishing, anti-impersonation)
  • Defender for Business (endpoint detection and response for all devices)
  • Microsoft Intune (mobile device management and mobile app management)
  • Azure AD Premium P1 (conditional access policies, self-service password reset, dynamic groups)
  • Azure Information Protection (data classification and protection)
  • Compliance features (data loss prevention policies, sensitivity labels)

This is where the security features live. The jump from Standard to Premium is not an incremental improvement. It is a fundamentally different security posture.

With Premium, you get email protection that catches phishing attempts Basic and Standard miss entirely. You get endpoint protection that detects and responds to malware, ransomware, and fileless attacks on every managed device. You get conditional access policies that let you block logins from countries where you have no employees, require MFA on unmanaged devices, and restrict access to compliant devices only. And you get Intune, which lets you enforce encryption, require screen locks, push security policies, and remotely wipe lost or stolen devices.

Every one of these capabilities is something you would otherwise have to buy separately as a third-party add-on. Defender for Business alone costs roughly $3/user/month as a standalone product. Intune is $8/user/month standalone. Conditional access through Azure AD Premium P1 is $6/user/month standalone. Business Premium bundles all of them for $9.50 more than Standard.

Who it is for: Any business that takes security seriously. If you handle customer data, have remote or hybrid workers, need to meet compliance requirements, or want the ability to enforce security policies on devices that access company data, Premium is the plan. This is the plan we recommend to the majority of our clients at Sequentur because the security features it includes are not optional extras. They are baseline requirements for any business operating in the current threat landscape.

The licensing math that matters

The most common licensing mistake small businesses make is putting every user on Business Standard because they need desktop apps, and then discovering they need security features that only exist in Premium. At that point, upgrading means paying the full $22/user/month for everyone, even users who do not need desktop apps.

A smarter approach is to mix plans based on what each user actually needs:

  • Employees who need desktop apps and security features: Business Premium ($22/user)
  • Employees who need desktop apps but have lower security exposure (no email, no sensitive data access): Business Standard ($12.50/user)
  • Employees who only need email and Teams with no desktop apps: Business Basic ($6/user)

You can assign different plans to different users in the same tenant. There is no requirement for everyone to be on the same plan. A 30-person company might have 15 users on Premium (admin, finance, executives, anyone handling sensitive data), 10 on Standard (staff who need desktop apps but have limited data access), and 5 on Basic (front-line workers who only check email and Teams).

This mixed approach often costs less than putting everyone on Standard while providing better security for the users who need it most.

The hidden cost of underpaying

The cheapest licensing option is not always the most cost-effective one. Here is a scenario that plays out regularly:

A business puts everyone on Business Standard at $12.50/user. Six months later, an employee clicks a phishing link that gets past EOP (which does not have the advanced anti-phishing features in Defender for Office 365). The attacker accesses the employee’s mailbox, creates a forwarding rule to an external address, and uses the compromised account to send business email compromise (BEC) messages to clients requesting payment changes.

The cost of the incident (forensics, legal, client notification, lost business) dwarfs what it would have cost to upgrade to Premium. The Defender for Office 365 features included in Premium, specifically Safe Links (which checks URLs at time of click) and anti-impersonation policies, would have caught the phishing email before it reached the inbox.

For a 30-person company, the difference between Standard and Premium is $285/month ($9.50 x 30 users). That is $3,420/year. A single BEC incident typically costs tens of thousands of dollars or more. The math is not close.

What is not included in any business plan

Even Business Premium has limits. Understanding what is excluded prevents surprises.

Phone System (Teams Phone). Making and receiving phone calls through Teams requires a separate Phone System license ($8/user/month) plus a calling plan or direct routing setup. Teams includes free voice and video calls between Teams users, but calling external phone numbers is an add-on.

Audio Conferencing. Dial-in phone numbers for Teams meetings require a separate Audio Conferencing add-on ($4/user/month). Meetings themselves are free, but the ability for participants to join by dialing a phone number costs extra.

Advanced compliance. Business Premium includes basic compliance features (DLP, sensitivity labels), but advanced capabilities like eDiscovery Premium, Advanced Audit, and Communication Compliance require Microsoft 365 E5 or add-on licenses.

Microsoft 365 Copilot (AI). The AI assistant for Word, Excel, Outlook, and Teams is a separate add-on at $30/user/month on top of any business plan. It requires Business Standard or Premium as a base. Before licensing it, audit your SharePoint and OneDrive permissions – Copilot sees everything the user can see, and an overshared tenant turns into an internal data exposure problem the moment Copilot is enabled. The full rollout sequence (product family, prerequisites, where Copilot stumbles, and the 90-day adoption review) is covered in "Microsoft Copilot for small business: what it can do and what to watch out for".

Extended storage. OneDrive gives 1 TB per user on all plans. SharePoint storage is pooled across the organization (1 TB base + 10 GB per user). If you are migrating from a file server, audit your current data volume against these limits before starting. If a user needs more OneDrive storage, additional storage is available as an add-on, but it is not cheap compared to third-party cloud storage.

Most Azure services. Microsoft 365 includes the free tier of Entra ID and bundles Intune into Business Premium and certain E-tier plans, but Azure VMs, Azure Files, Azure Backup, Azure Virtual Desktop, and most other Azure services bill separately on usage and through a different agreement. SMBs are routinely surprised by their first Azure bill because they assumed M365 covered it – it does not. See "What is Microsoft Azure and what can it do for a small business" for the M365-vs-Azure distinction and which Azure services actually matter at SMB scale.

Business plans vs Enterprise plans

Microsoft also sells Enterprise plans (E1, E3, E5) that overlap significantly with the Business plans. Small businesses sometimes end up on Enterprise plans because a Microsoft reseller recommended them or because they were the default option during sign-up.

The key differences:

  • Business plans are limited to 300 users. Enterprise plans have no user limit.
  • Enterprise E3 and E5 include more advanced compliance and security features than Business Premium.
  • Enterprise plans use a different licensing structure for some features (Azure AD P1 is included in E3, P2 is in E5).
  • Enterprise plans cost more. E3 is $36/user/month. E5 is $57/user/month.

For businesses under 300 users, Business Premium covers almost everything Enterprise E3 offers at a significantly lower price point. The main reasons to consider Enterprise plans are specific compliance requirements (like Advanced eDiscovery or Information Barriers) that Business plans do not support, or if you have more than 300 users.

If you are currently on an Enterprise plan and have fewer than 300 users, it is worth reviewing whether Business Premium covers your needs. The savings can be substantial. A 50-person company moving from E3 to Business Premium saves $700/month ($8,400/year).

Security features by plan: a direct comparison

| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Exchange Online Protection (basic spam/malware) | Yes | Yes | Yes |
| Defender for Office 365 (Safe Links, Safe Attachments, anti-phishing) | No | No | Yes |
| Defender for Business (endpoint detection and response) | No | No | Yes |
| Intune (device management) | No | No | Yes |
| Conditional access policies | Security defaults only | Security defaults only | Full conditional access |
| Azure AD Premium P1 | No | No | Yes |
| Data loss prevention | No | No | Yes |
| Sensitivity labels | No | No | Yes |

This table is why the licensing conversation matters for security. The jump from Standard to Premium is not a marginal improvement. It is the difference between having no advanced security features and having a comprehensive security stack built into your existing subscription.
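
The per-user review that this comparison supports, sketched as an added example (not Sequentur's or Microsoft's tooling): prices and plan contents come from this article, while the feature keys, roster and user names are constructed for illustration.

```python
# Added example: plan prices and feature sets are taken from this article;
# the roster, user names and feature keys are constructed for illustration.
PLANS = {  # name -> (USD per user per month, features included)
    "Basic": (6.00, {"email_teams"}),
    "Standard": (12.50, {"email_teams", "desktop_apps"}),
    "Premium": (22.00, {"email_teams", "desktop_apps", "defender_o365",
                        "defender_business", "intune", "conditional_access",
                        "dlp", "sensitivity_labels"}),
}
SECURITY = {"defender_o365", "defender_business", "intune",
            "conditional_access", "dlp", "sensitivity_labels"}


def cheapest_plan(required):
    """Return the lowest-priced plan whose features cover `required`."""
    fits = [(price, name) for name, (price, feats) in PLANS.items()
            if required <= feats]
    if not fits:
        raise ValueError(f"no business plan covers {sorted(required)}")
    return min(fits)[1]


def review(roster):
    """Classify each user as ok, under-licensed or over-licensed."""
    findings = []
    for user, current, required in roster:
        target = cheapest_plan(required)
        missing = required - PLANS[current][1]   # needed but not in current plan
        delta = PLANS[target][0] - PLANS[current][0]
        if missing:
            status = "under-licensed"
        elif delta < 0:
            status = "over-licensed"
        else:
            status = "ok"
        findings.append({"user": user, "current": current, "target": target,
                         "status": status,
                         "security_gap": sorted(missing & SECURITY),
                         "monthly_delta": delta})
    return findings


# Constructed roster: (user, current plan, features the role needs)
ROSTER = [
    ("finance-lead", "Standard", {"email_teams", "desktop_apps",
                                  "defender_o365", "conditional_access"}),
    ("receptionist", "Premium", {"email_teams"}),
    ("designer", "Standard", {"email_teams", "desktop_apps"}),
]

if __name__ == "__main__":
    for finding in review(ROSTER):
        print(finding)
```

A non-empty `security_gap` marks a user whose role depends on a control that the current plan does not license, which is the Standard-versus-Premium gap described above.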

For a detailed walkthrough of what to configure once you have Premium, see our Microsoft 365 security hardening guide. Many of the features described there, including conditional access, Defender for Office 365, and Intune, require Premium licensing.

Common licensing mistakes

Buying Standard when you need Premium. This is mistake number one. Businesses buy Standard for the desktop apps and assume they have “Microsoft security.” They do not. They have basic spam filtering. Everything else, the features that actually protect against modern threats, requires Premium.

Buying Premium for users who only need Basic. The opposite mistake. A receptionist who checks email and joins Teams meetings does not need a $22/month license. Business Basic at $6/month covers that use case. Right-sizing licenses per user role saves money without reducing security for the users who need it.

Not removing licenses from departed employees. When someone leaves the company, their license should be removed without losing their data as part of the offboarding process. A $22/month Premium license left active for six months after someone leaves is $132 wasted. Across a few forgotten accounts, this adds up quickly.

Buying standalone add-ons that are already included in Premium. Businesses on Standard sometimes buy Defender for Office 365 as a standalone add-on ($2/user/month) when upgrading to Premium ($9.50 more/user) would give them Defender plus Intune, conditional access, and endpoint protection. Check what your current plan includes before buying add-ons.

Paying monthly instead of annual. Microsoft charges roughly 20% more for month-to-month billing compared to an annual commitment. For a stable workforce, annual billing is almost always the better choice. The monthly option makes sense only for seasonal workers or short-term contractors. For a complete list of cost-saving strategies, see How to reduce your Microsoft 365 costs without losing features.

Choosing the wrong platform entirely. Some businesses sign up for Microsoft 365 when Google Workspace would have been a better fit, or vice versa. The licensing investment, migration effort, and workflow retraining make switching platforms expensive. If you have not committed yet, compare Microsoft 365 and Google Workspace before choosing a plan. If you are mid-migration to M365 from another platform, license-tier changes are one of the line items that the "Cloud migration checklist for small business" flags as easy to under-budget. The license you pick at migration matters – see "How to migrate email to Microsoft 365 from an old Exchange server or Gmail" for why picking your long-term tier before cutover is cheaper than upgrading after.

How Sequentur handles licensing

Licensing decisions should be driven by what each user needs, not by guessing or defaulting to one plan for everyone. As part of our managed Microsoft 365 services, we review license assignments during onboarding and on an ongoing basis. We identify users who are over-licensed, under-licensed, or on the wrong plan entirely, and we recommend changes that balance cost with security requirements.

Most of our clients are on Business Premium for the majority of their users because the security features it includes are what we configure and manage as part of the service. The conditional access policies, Defender settings, and Intune device management that we set up during tenant hardening all require Premium licensing. Without it, those features simply are not available.

If you are not sure whether your current licensing matches what your business actually needs, or if you suspect you are paying for licenses that are unused or misassigned, reach out through our contact page and we can review your tenant.
