The MSP License Ladder #6: The Full Picture
Most MSP customers think Business Premium or E3 means “fully covered.” In reality, those licenses leave five operational gaps that only become visible after an incident, an audit, or an escalation that nobody has the tooling to investigate properly.
This final post ties them together into a single reference you can use when scoping a customer, building a service tier, or answering the question every MSP eventually gets: “what are we actually missing?”
The five gaps
Each post in this series started with the same premise: Business Premium and E3 are solid baselines. They cover identity, device management, email protection, and basic compliance. But they stop short in five areas that matter the moment a customer moves past “good enough.”
#1 - The Hunting Gap
What’s missing: Business Premium and E3 alert on known threats but give you no way to hunt for the ones that haven’t triggered an alert yet. No Advanced Hunting, no KQL access to raw telemetry, no Custom Detection Rules.
What closes it: Defender for Endpoint Plan 2 - 30 days of queryable telemetry, custom detections that run continuously, and the ability to hunt across your entire customer fleet.
Why it matters: Reactive alerting catches known patterns. Hunting catches the setup step - the lateral movement, the staging, the persistence mechanism that hasn’t fired yet. Most compromise starts long before the alert. Read the full post.
#2 - The Data Gap
What’s missing: Base Purview covers email and files in SharePoint/OneDrive. It does not cover endpoints, Teams chat, or cloud apps. A departing employee copies sensitive data to a USB drive or personal cloud storage, and base Purview never sees it.
What closes it: Purview Suite ($10/user/month) - endpoint DLP, Teams DLP, Insider Risk Management, eDiscovery Premium, and event-based retention.
Why it matters: Data protection that stops at email and documents misses the places data actually leaves - endpoints, messaging, and cloud apps. Read the full post.
#3 - The Identity Gap
What’s missing: Entra ID P1 covers MFA and Conditional Access. It does not cover risk-based decisions, just-in-time privileged access, automated access reviews, or on-prem Active Directory visibility.
What closes it: Entra ID P2 adds risk-based CA, PIM, and Access Reviews. Defender for Identity adds on-prem AD threat detection. Both are included in the Defender Suite for Business Premium ($10/user/month).
Why it matters: Standing admin privileges are the single most exploited pattern in identity attacks. PIM removes them. Risk-based CA adapts access decisions to real-time threat signals instead of static rules. Defender for Identity (DfI) sits on your on-prem domain controllers and detects identity attacks against AD itself, including Kerberoasting, DCSync, and lateral movement. Without it, you have full visibility into cloud identity and zero visibility into the on-prem AD that still holds most customers’ privileged accounts. Read the full post.
#4 - The Exposure Gap
What’s missing: Base SKUs prevent threats but cannot measure exposure. No post-delivery email investigation, no automated incident response for email, no visibility into shadow IT or shadow AI, no OAuth app governance.
What closes it: MDO P2 adds Threat Explorer, AIR, Campaign Views, and Attack Simulation Training. Defender for Cloud Apps adds shadow IT discovery, OAuth governance, session controls, and shadow AI detection. Both are in the Defender Suite.
Why it matters: Prevention without investigation is half the story. When a phishing campaign lands in 30 mailboxes, you need to scope it in minutes, not hours. When a former MSP leaves behind an OAuth app with Mail.ReadWrite, you need to find it before it is used. Read the full post.
#5 - The Endpoint Gap
What’s missing: Intune Plan 1 enrolls and configures devices. It does not give you least-privilege elevation, third-party app patching, device health analytics, or zero-trust remote support.
What closes it: The Intune Suite ($10/user/month) - EPM, EAM, Advanced Analytics, Remote Help, Cloud PKI, and Intune Plan 2 features. After July 2026, E3 gets Remote Help, Advanced Analytics, and Plan 2 for free. E5 gets everything. Business Premium gets nothing.
Why it matters: Every 15-minute remote session for an elevation request, every hour spent repackaging a Win32 update - that is operational cost the Intune Suite replaces with a predictable line item. Read the full post.
The licensing map
Three upgrade paths cover all five gaps. The right one depends on the customer’s base SKU.
Business Premium customers
| Add-on | List price | Gaps closed |
|---|---|---|
| Defender Suite for BP | $10/user/mo | Hunting, Identity, Exposure |
| Purview Suite for BP | $10/user/mo | Data |
| Defender + Purview bundle | $15/user/mo | Hunting, Identity, Exposure, Data |
| Intune Suite | $10/user/mo | Endpoints |
$25/user/month closes all five gaps on Business Premium. That is the ceiling. Not every customer needs all of it - start with the gaps that match their risk profile and compliance requirements.
E3 customers
| Add-on | List price | Gaps closed |
|---|---|---|
| E5 Security | $12/user/mo | Hunting, Identity, Exposure |
| Purview Suite | $10/user/mo | Data |
| Intune Suite | $10/user/mo | Endpoints (partial - July 2026 folds in Remote Help, Advanced Analytics, Plan 2) |
E5 customers
E5 includes E5 Security (Hunting, Identity, Exposure gaps closed). After July 2026, the full Intune Suite folds in automatically.
| Add-on | List price | Gaps closed |
|---|---|---|
| Purview Suite | $10/user/mo | Data |
| Intune Suite (until July 2026) | $10/user/mo | Endpoints |
The pattern across all five posts
Every post followed the same structure because the licensing problem is the same every time.
The base SKU covers the obvious use case. Alerts fire. Policies deploy. Compliance checks run.
The gap is in what happens next. Hunting after the alert. Investigating after the phish. Reviewing after the access grant. Patching after the enrollment.
The upgrade is not a feature purchase. It is an operational trade. You are replacing unpredictable manual work with a predictable per-user cost and a repeatable process.
That last point is the one that matters most for MSPs. Every gap in this series is also a service opportunity:
- Hunting: managed detection, KQL library, custom detection rule tuning
- Data: DLP policy authoring, Insider Risk triage, eDiscovery delivery
- Identity: PIM onboarding, access review cadence, hybrid identity hardening
- Exposure: phishing investigation, OAuth app governance, Shadow IT and AI review
- Endpoints: app lifecycle management, EPM policy tuning, third-party patching
Where to start
Do not try to close all five gaps at once. Pick the one that matches the customer’s most urgent risk or compliance requirement:
- Post-incident: start with #1 (Hunting) or #4 (Exposure) - the customer just had an incident and wants investigation capability
- Compliance audit: start with #2 (Data) - the auditor is asking about DLP, retention, and eDiscovery
- Admin sprawl: start with #3 (Identity) or #5 (Endpoints) - standing admin privileges are the problem
- Operational overhead: start with #5 (Endpoints) - too much time on manual packaging and elevation requests
Deploy in one tenant first. Validate the baseline. Then scale out.
Business Premium and E3 are not bad licenses. They are starting points. The moment a customer needs investigation, governance, automation, or operational scale, the real licensing conversation begins.
The series
| # | Gap | What closes it | Post |
|---|---|---|---|
| 1 | Hunting | MDE Plan 2 | The Hunting Gap |
| 2 | Data | Purview Suite | The Data Gap |
| 3 | Identity | Entra ID P2 + DfI | The Identity Gap |
| 4 | Exposure | MDO P2 + DfCA | The Exposure Gap |
| 5 | Endpoints | Intune Suite | The Endpoint Gap |
Last verified: May 2026