Who We Are
Get SupportContact Us

Reference Guide

Microsoft 365 Licensing — A Plain-English Guide

Microsoft renames things, bundles things, unbundles things, and quietly rewrites what's included in each plan. This page is our plain-English reference so you know what you're actually paying for — and more importantly, what you're not getting if you're on the wrong plan.

The Short Answer

The 30-Second Version

KeyStone recommends Microsoft 365 Business Premium for virtually every customer under 300 seats.

Business Premium is the only SMB plan that includes the full Microsoft security stack — device management, identity protection, endpoint detection, and advanced email threat protection. If you're on Business Standard or Business Basic and you don't have a third-party security stack bolted on, you have meaningful gaps in device control, identity, and threat protection.

For our managed customers, KeyStone handles the licensing procurement, tenant configuration, security policy deployment, and ongoing policy tuning as part of your service. You don't have to become a Microsoft licensing expert — that's what we're here for.

Plan Comparison

Microsoft 365 Business Tier

This covers the four Microsoft 365 plans designed for businesses under 300 employees. Enterprise SKUs (E1/E3/E5) are a separate conversation and fall outside the scope of this page.

CapabilityApps for BusinessBusiness BasicBusiness StandardBusiness Premium
Productivity
Desktop Office apps (Word, Excel, PowerPoint, Outlook)Web/mobile only
Web and mobile Office apps
Exchange email with 50 GB mailbox
Microsoft Teams
SharePoint + 1 TB OneDrive per user
Webinars with attendee reporting
Clipchamp, Loop, Bookings, Forms, PlannerPartial
Copilot Chat (web-grounded, no tenant data)
Identity & Access
Microsoft Entra ID (basic)
Entra ID P1 — Conditional Access policies
Entra ID P1 — Single Sign-On to SaaS apps
Self-service password reset
MFA enforcement via Conditional Access
Device Management
Intune Plan 1 — Windows, iOS, Android, macOS management
Mobile Application Management (MAM)
Autopilot zero-touch device provisioning
Remote wipe of company data
Endpoint Security
Defender for Business — next-gen antivirus
Defender for Business — Endpoint Detection & Response (EDR)
Defender for Business — threat & vulnerability management
Defender for Business — attack surface reduction rules
Email & Collaboration Security
Basic URL reputation check on links in email (new 2026)
Defender for Office 365 P1 — Safe Links (real-time URL scanning)
Defender for Office 365 P1 — Safe Attachments (sandbox detonation)
Defender for Office 365 P1 — advanced anti-phishing
Information Protection
Sensitivity labels for documents and email
Azure Information Protection P1
Data loss prevention for Exchange, SharePoint, OneDrive
Admin & Compliance
Microsoft 365 admin center
Litigation hold
Audit log retention (standard)
Unified security management portal
Who it's forUsers who already have email elsewhere and just need Office desktop apps.Frontline or shared-account workers using browsers only.Small teams without a security strategy (we'd still recommend Premium).Our recommended plan for any business that takes security seriously.

AI Add-On

Microsoft 365 Copilot — The AI Add-On

Copilot is a separate license that adds AI capabilities on top of an existing Microsoft 365 plan. Because Microsoft has released four different Copilot products with deliberately overlapping names, here's the translator.

ProductWhat It IsRequires M365 License?Touches Your Tenant Data?
Microsoft 365 Copilot ChatWeb-grounded chat inside Office apps. Included free with any Microsoft 365 license. Good starting point for teams new to AI.Yes (included) No
Copilot ProA consumer SKU for personal Microsoft accounts. Not designed for business use — ignore this one.No No
Microsoft 365 Copilot BusinessThe SMB AI license. Grounds AI on your tenant — your documents, email, Teams chats, SharePoint. For businesses under 300 seats.Yes Yes
Microsoft 365 Copilot (Enterprise)Same capabilities as Copilot Business, licensed for E3/E5 Enterprise tenants.Yes Yes

Should you buy Copilot?

Honest answer from us: not across your entire org, not yet. Our recommendation is to start with Copilot Chat (free) so your team can experiment, then identify 5–10 power users in finance, operations, marketing, or leadership who would benefit from tenant-grounded AI. Pilot Copilot Business with that group, measure the outcome, then expand based on real usage. Paying per seat for a tool nobody has been trained to use is how AI budgets disappear without a return.

FAQs

Frequently Asked Questions

Which Microsoft 365 plan should my business be on?
If you have fewer than 300 employees and you care about security, cyber insurance eligibility, or regulatory compliance, the answer is Business Premium. Business Standard is acceptable only if you already have a third-party stack handling device management, endpoint detection, conditional access, and advanced email threat protection — and most SMBs don't. Business Basic is web-only Office, so it fits frontline or shared-account scenarios but not knowledge workers.
What's the difference between Business Standard and Business Premium?
Standard gives you the productivity apps — Word, Excel, Outlook, Teams, SharePoint. Premium adds the entire Microsoft security stack: Intune for device management, Entra ID P1 for conditional access and single sign-on, Defender for Business for endpoint protection, and Defender for Office 365 P1 for email threat protection. For most customers, Premium replaces three to five third-party tools you're probably paying for separately.
We're a small team. Do we really need the security features in Business Premium?
Attackers don't skip small businesses — they target them because small businesses tend to have weaker defenses. Cyber insurance carriers increasingly require MFA, endpoint detection, and managed device controls to issue or renew policies. Business Premium is the easiest path to meeting those requirements on a single license.
Can we mix licenses across the company?
Yes. A common KeyStone recommendation is Business Premium for employees who handle email, customer data, finance, or administrative access, and Business Basic or Apps for frontline workers who only need a browser or a shared inbox. We help map the right license to each role during onboarding or any licensing review.
What's included in Microsoft 365 Business Premium security exactly?
Four Microsoft security products come bundled with the Business Premium license: Microsoft Entra ID P1 (conditional access, single sign-on, self-service password reset, MFA enforcement); Microsoft Intune Plan 1 (device management for Windows, iOS, Android, and macOS; mobile app management; Autopilot provisioning); Microsoft Defender for Business (next-gen antivirus, endpoint detection and response, threat and vulnerability management); and Microsoft Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, advanced anti-phishing). These are the same underlying products Microsoft sells separately to Enterprise customers — just packaged at an SMB price point.
How does licensing work if we buy through KeyStone?
We procure Microsoft licenses through our CSP (Cloud Solution Provider) partnership. You get monthly invoicing, the ability to add seats mid-term, and direct escalation support from us when something breaks. Month-to-month terms carry Microsoft's standard premium over annual terms but give you full flexibility to drop seats. For managed customers, license management is part of your service — we watch for unused seats, upcoming renewals, and tier changes that would benefit you.
Do we need Copilot?
Not urgently, and not for everyone. Start with the free Copilot Chat experience included in your existing license. If specific roles — finance, operations, leadership, marketing — demonstrate clear productivity gains, Copilot Business ($18/user/month) is worth piloting for those users before a company-wide rollout. We can help identify the right pilot group and measure whether the AI is actually returning the investment.
What's the difference between Copilot Chat, Copilot Pro, Copilot Business, and Microsoft 365 Copilot?
Copilot Chat is free and web-grounded only — it never sees your company data. Copilot Pro is a consumer product for personal Microsoft accounts and isn't appropriate for business use. Copilot Business is the SMB license that grounds AI on your tenant data (your email, documents, Teams conversations). Microsoft 365 Copilot is the same capability set licensed for Enterprise E3/E5 customers.
Is Microsoft 365 HIPAA, SOC 2, or CMMC compliant?
The platform supports these frameworks; your configuration determines whether you actually are compliant. Business Premium is the minimum license tier we recommend for any regulated customer because it includes the identity, audit, retention, and access controls the frameworks require. Licensing is necessary but not sufficient — configuration, documentation, and ongoing management are what get you across the finish line. That's where we come in.
What happens if we downgrade from Business Premium to Business Standard?
Security policies stop applying the moment the Premium license is removed. Conditional Access rules, Intune device enrollment, Defender policies, and DLP rules all depend on Premium being in place for the user. Downgrades require a planned migration off those controls — otherwise users can lose access to resources or, worse, lose the protections without knowing it. We strongly discourage ad-hoc downgrades on managed tenants.
Can I bring my existing domain and email?
Yes. Domain cutover and email migration are part of our standard onboarding process.
What does KeyStone handle versus what do we manage ourselves?
For managed customers, KeyStone handles license procurement, tenant configuration, security policy design and deployment, ongoing policy tuning, monitoring, incident response, and user lifecycle management (onboarding, offboarding, role changes). You manage your people, your business processes, and any app-specific configuration inside the Microsoft apps themselves. The goal is that licensing and security are not things you have to think about.

Sources

Sources & Further Reading

The information on this page is drawn from Microsoft's official documentation and announcements. For the most up-to-date details directly from Microsoft, see:

Last updated: April 2026. Microsoft licensing changes frequently; contact KeyStone for the most current information specific to your tenant.

Get Started Today

Curious What Better IT Looks Like?

A free, honest conversation about what's working, what's not, and whether we're the right partner for your business. No pressure, no sales pitch — just straight talk.

Get a Free Assessment(423) 464-6424
MSP 501 — 3 Years Running
SOC 2 Compliant
HIPAA Compliant