The Defender XDR Licensing Confusion Problem

Microsoft's security product portfolio is one of the most complex licensing environments in enterprise technology. The rebranding of Microsoft 365 Defender to Microsoft Defender XDR, the consolidation of multiple point products under the XDR umbrella, and the simultaneous expansion of the security product catalogue through add-ons, standalone licences, and consumption-based services have created a landscape where even experienced IT buyers are uncertain about what they have and what they are missing.

The practical consequence of this confusion is overspending. Organisations purchase E5 Security believing they have purchased a comprehensive security platform, only to discover that their specific security requirements — SIEM capabilities, cloud workload protection, or identity governance — require additional spending that doubles or trebles the effective security licensing cost. Other organisations continue paying for standalone security tools they can decommission because the equivalent capability is already included in their M365 E3 or E5 subscription.

This analysis draws the line precisely: what Defender XDR includes within E5 Security, what remains separately purchased regardless of E5 status, and how the 2026 M365 SKU hierarchy — which runs from F1 and F3 through E3, E5, and the new E7 at the top — affects the security licensing calculation.

What Microsoft Defender XDR Actually Is

Microsoft Defender XDR is a unified extended detection and response platform that consolidates signals from multiple Microsoft security products into a single investigation and response portal at security.microsoft.com. XDR is not a separate product you purchase — it is the portal experience and the cross-product correlation layer that operates across the underlying Defender products.

The products that feed into and are accessible through the Defender XDR portal are the ones you need licences for. Access to the XDR portal is automatic if you have licences for any of the constituent products. The value of Defender XDR is the correlation and integration across products — a SOAR-like capability that surfaces incidents across identity, email, endpoint, and cloud applications in a single view, with automated investigation and response actions that span product boundaries.

What E5 Security Includes: The Definitive List

The Microsoft 365 E5 Security add-on, available at $12 per user per month on top of an M365 E3 licence, provides the following Defender XDR components. This is the authoritative inclusion list — everything on it is covered by the $12 add-on, and nothing not on this list is included regardless of marketing language suggesting otherwise.

  • Microsoft Defender for Endpoint Plan 2 (P2) — Advanced endpoint detection and response (EDR), threat and vulnerability management, attack surface reduction, automated investigation, and threat analytics for Windows, macOS, Linux, iOS, and Android devices. This is the full P2 licence; P1 (a more limited version covering next-generation protection and attack surface reduction only) is included in M365 E3.
  • Microsoft Defender for Office 365 Plan 2 — Email security with Safe Attachments, Safe Links, anti-phishing, and zero-day protection, plus threat investigation capabilities, campaign views, threat trackers, and attack simulation training. Plan 1 is included in M365 E3.
  • Microsoft Defender for Identity — Identity-based threat detection that monitors Active Directory domain controllers and Azure AD activity for lateral movement, pass-the-hash, golden ticket attacks, and suspicious authentication patterns. This is the on-premises AD threat detection layer.
  • Microsoft Defender for Cloud Apps — Cloud Access Security Broker (CASB) functionality providing shadow IT discovery, API-based integration with sanctioned SaaS applications, conditional access app control, and session monitoring for data protection.
  • Microsoft Entra ID Plan 2 — Privileged Identity Management (PIM), Identity Protection (risk-based conditional access), Access Reviews, and Entra ID governance features. This is the identity security component that enables risk-based authentication policies.

The cumulative value of these five products if purchased individually — where standalone licences are available — substantially exceeds $12 per user per month. Independent analysis places the individual component value at approximately $28 per user per month, making the E5 Security add-on a compelling consolidation for organisations that need the majority of these capabilities.

What E5 Security Does NOT Include: The Three Critical Gaps

The three most commonly misunderstood exclusions from E5 Security are also the three most expensive additional security purchases. Organisations that assume E5 Security provides a complete enterprise security platform are frequently surprised by the additional spend required to address these gaps.

Gap 1 — Microsoft Sentinel (SIEM and SOAR)

Microsoft Sentinel is not included in E5 Security, E5, or any M365 subscription regardless of tier. Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform priced on consumption of data ingested into the Sentinel workspace. The pricing model has two tiers: pay-as-you-go at $2.46 per GB ingested per day, or commitment tiers starting at 100 GB per day at $1.23 to $1.64 per GB depending on the tier.

For a 2,000-user organisation where each user generates an average of 5 GB of security-relevant log data per month, the monthly Sentinel data cost at pay-as-you-go rates is approximately $12,300 per month — $6.15 per user per month. Organisations with high Azure infrastructure footprints, complex hybrid environments, or significant third-party security tool telemetry ingested into Sentinel typically see average costs of $8 to $18 per user per month. This is a substantial addition to the E5 Security $12 per user per month and must be budgeted separately.

One important consideration: some Microsoft product data can be ingested into Sentinel at no additional charge under the "free data tier" for certain Microsoft security product logs, including Defender for Endpoint alerts, Defender for Office 365 alerts, and Entra ID audit logs. However, raw device event logs, network flow data, and third-party source ingestion all consume paid capacity. The free tier reduces but does not eliminate the Sentinel consumption cost.

Gap 2 — Microsoft Defender for Cloud (Cloud Workload Protection)

Microsoft Defender for Cloud provides cloud workload protection for Azure virtual machines, SQL databases, storage accounts, container registries, and other Azure services. It is not included in E5 Security or any M365 subscription. Defender for Cloud is priced per protected resource: $15 per server per month for virtual machines, with additional per-resource pricing for SQL ($15 per server per month), storage (consumption-based), containers ($7 per core per month), and other workload types.

For an organisation with 200 Azure virtual machines, the Defender for Cloud cost for servers alone is $3,000 per month — $1.50 per user per month for a 2,000-user organisation. Organisations with significant Azure infrastructure footprints can see Defender for Cloud costs that rival or exceed their entire M365 E5 Security spend.

Defender for Cloud is included in Microsoft Defender XDR's cross-product correlation — incidents detected by Defender for Cloud are surfaced in the Defender XDR portal. But the Defender for Cloud licence itself must be separately activated and billed. Many organisations confuse "integrated with XDR" with "included in E5 Security." These are not the same thing.

Gap 3 — Microsoft Entra ID Governance

Microsoft Entra ID Plan 2 (included in E5 Security) provides Privileged Identity Management, Identity Protection, and basic Access Reviews. Microsoft Entra ID Governance is an additional add-on at $7 per user per month that extends access governance with lifecycle workflows, entitlement management at scale, identity lifecycle integration with HR systems, and advanced access review capabilities beyond what Entra ID P2 provides.

The distinction between Entra ID P2 and Entra ID Governance is frequently misunderstood, partly because Microsoft's product naming has evolved over multiple rebranding cycles. The practical test: if your organisation needs automated user provisioning from Workday or SuccessFactors, complex access package management for external identities, or advanced identity lifecycle orchestration beyond the capabilities of standard Entra ID P2 — you need Entra ID Governance as a separate purchase. It is not in E5 Security, and it is not in E7. The Entra Suite (included in E7) is a bundled offering that includes Entra ID Governance alongside Entra Private Access and Entra Internet Access.

"E5 Security at $12 per user per month is excellent value for the five products it includes. The problem is that organisations assume it includes Sentinel, Defender for Cloud, and Entra ID Governance — three capabilities that are not included and add $15 to $25 per user per month in additional spend."

The Full Microsoft Security Stack Cost Reality

When all layers of the Microsoft security stack are fully deployed, the cumulative per-user cost significantly exceeds what M365 E5 alone suggests. Consider a 2,000-user organisation deploying the full Microsoft security architecture on an M365 E3 base:

  • M365 E3: $39 per user per month (from July 2026)
  • E5 Security add-on: $12 per user per month (Defender XDR + Entra ID P2)
  • E5 Compliance add-on: $12 per user per month (Purview DLP, Insider Risk, eDiscovery)
  • Microsoft Sentinel: approximately $8 per user per month (estimated average log volume)
  • Entra ID Governance: $7 per user per month (if required)
  • Defender for Cloud: approximately $2 per user per month (200 VMs, 2,000 users)

Total: $80 per user per month — $960 per user per year. For 2,000 users, the annual Microsoft security and productivity spend is $1.92 million. This compares to M365 E5 at $60 per user per month from July 2026, which includes E5 Security and E5 Compliance but not Sentinel, Defender for Cloud, or Entra ID Governance. The gap between "we are on E5" and "we have deployed the full Microsoft security stack" is $20 per user per month or more.

The E7 Security Consideration

Microsoft's E7 SKU at $99 per user per month (GA May 1, 2026) bundles E5 with Copilot, Agent 365, and the Entra Suite. The Entra Suite component includes Entra ID Governance, Entra Private Access, and Entra Internet Access — addressing the Entra ID Governance gap identified above.

However, E7 does not address the Sentinel or Defender for Cloud gaps. These remain consumption-based services outside the M365 SKU hierarchy regardless of whether the organisation is on E3, E5, or E7. Organisations evaluating E7 as a security-driven upgrade should ensure they are not confusing the Entra Suite inclusion with comprehensive security coverage — the SIEM and cloud workload protection gaps persist at E7.

The right security licensing framework is not "which M365 SKU" but rather: which baseline SKU (E3 vs E5 vs E7), plus which add-ons (E5 Security, E5 Compliance, Entra ID Governance), plus which consumption-based services (Sentinel, Defender for Cloud). The M365 SKU tier determines the foundation; the add-ons and consumption services determine the security coverage completeness. Organisations that approach this as a single SKU decision consistently either overspend on capabilities they do not deploy or underspend on capabilities they need.

In one engagement, a 1,800-user European insurance group believed their Microsoft E5 Security licence covered their entire security platform. Our audit found they were paying separately for Sentinel ($8/user/month), Defender for Cloud on 140 virtual machines ($2,100/month), and Entra ID Governance ($7/user/month) — all outside E5 Security. Total duplicated or unplanned spend: $630,000 per year. We restructured the security licensing stack and eliminated $340,000 of overlap in the first year. The engagement fee was less than 1.8% of the documented saving.
Morten Andersen
Co-Founder, Redress Compliance
Morten Andersen is a Co-Founder of Redress Compliance with 20+ years of enterprise software licensing experience. A Gartner-recognised Microsoft security licensing specialist, Morten has conducted security licence audits for enterprise organisations across EMEA and North America, identifying duplication and coverage gaps across the full Microsoft security portfolio.