Microsoft lets you use Purview features you aren't licensed for

Most software disables features you have not paid for. Greyed-out buttons, upgrade prompts, hard paywalls. Microsoft Purview does not do this.

If you have an E3 tenant and open the Purview portal, you can configure features that require E5 or add-on licenses. Exact-data matching, optical character recognition in DLP, advanced Insider Risk indicators - they are all clickable. You can build policies, deploy them, and they will run.

There is no warning banner. No pop-up saying you need a different licence. The feature just works.

Microsoft licenses capabilities, not features. Their licensing model assumes you are responsible for knowing what your agreement covers. The compliance portal surfaces everything available in the platform and trusts that your organisation will only use what you have paid for.

This is partly a design choice and partly a practical one. Purview features overlap and interact. Locking individual settings behind licence checks would be technically complex and constantly out of date as Microsoft adds new capabilities.

The result is that the portal gives you more rope than your licence agreement allows.

Microsoft runs licence compliance audits, either through their own team or through third-party audit firms. If an audit finds you using features outside your agreement, you will be asked to either purchase the correct licences retroactively or stop using the features.

This is not theoretical. Organisations have received audit findings for using E5-level Purview features on E3 licences. The cost of retroactive licensing can be significant, especially if you have been running those features for months.

Even without a formal audit, your Microsoft account team or partner may flag the discrepancy during licence renewal discussions.

E3 tenants using E5-only DLP features. Endpoint DLP, DLP for Teams messages, and exact data match all require E5 or the Information Protection and Governance add-on. You can configure all of them on E3.

Insider Risk Management without the right add-on. The full Insider Risk Management suite requires E5 or the Insider Risk Management add-on. E3 gives you limited access, but the portal does not tell you where that line is.

Auto-labelling policies. Service-side auto-labelling requires E5. You can create and deploy auto-label policies on E3 and they will process files.

Advanced audit. Longer retention periods and specific audit events require E5. The settings are available to configure on E3.

Start with the Microsoft 365 admin centre. Go to Billing and check your active subscriptions and the specific licence plans assigned to users.

Use the Microsoft Purview service description on Microsoft Learn. It lists which features require which licence tier. Cross-reference this against what you have configured.

Check the Purview Practitioner licensing page for a breakdown of what each tier includes and how Security Compute Units work for pay-as-you-go features.

Talk to your Microsoft partner or account team. If you are unsure, ask them to confirm what your current agreement covers. It is better to find out now than during an audit.

Do not assume that because a feature works, you are licensed to use it. Microsoft Purview gives you access to far more than your licence may cover. Before deploying any Purview capability, verify it against your licence tier.

If you have already configured features you are not licensed for, you have two options: purchase the correct licences or disable those features. Doing it proactively is significantly cheaper than doing it after an audit.