Microsoft's security portfolio is the most powerful and the most confusing licensing labyrinth in enterprise IT. Four product families span 15+ individually licensable components, each available through a different combination of M365 bundles, EMS tiers, Azure consumption models, and standalone subscriptions. Most enterprises cannot answer a simple question: what security capabilities do we already own? This guide maps what each M365 tier includes, which capabilities are genuinely incremental purchases, where product overlaps create waste, and how to build a complete Microsoft security stack at the lowest defensible cost.
The root cause of Microsoft security over-spending is structural. Microsoft sells security capabilities through three overlapping channels simultaneously: bundled within M365 E3 and E5 plans, standalone as individual product subscriptions, and consumption-based through Azure metering (Sentinel, Defender for Cloud). Each channel has its own pricing, its own sales motion, and its own account team incentives. The result is that security purchases are fragmented across three procurement streams, and nobody holds a unified view of what the organisation already owns.
A typical scenario: the CISO's team purchases Defender for Endpoint P2 as a standalone security product (USD 5.20/user/month). Three months later, IT negotiates an M365 E5 upgrade that includes Defender for Endpoint P2. The standalone subscription runs concurrently for 18 months before anyone notices. Meanwhile, the security operations team provisions Microsoft Sentinel in Azure and ingests Microsoft 365 audit logs at consumption rates, unaware that M365 E5 includes a free daily data allowance for Microsoft security data into Sentinel.
These overlaps compound. In a 10,000-user enterprise, the cumulative waste from duplicated security licences and unconsumed entitlements routinely exceeds USD 500,000 annually. This guide exists to make those overlaps visible. Every section is structured around a single question: what do you already have, and what is genuinely new? For the broader context on eliminating redundant Microsoft software, see our dedicated guide.
Before purchasing any standalone security product, every organisation must understand what security capabilities are already included in its existing Microsoft 365 licences. This inclusion map is the single most valuable tool for preventing over-spend. If you are still deciding between M365 tiers, see our E3 vs E5 vs F3 comparison.
| Security Component | M365 E3 | M365 E5 | Standalone Price (Approx.) |
|---|---|---|---|
| Defender for Endpoint P1 | Included | Included | Included in E3 |
| Defender for Endpoint P2 | No | Included | ~USD 5.20/user/mo |
| Defender for Office 365 P1 | No | Included | ~USD 2/user/mo |
| Defender for Office 365 P2 | No | Included | ~USD 5/user/mo |
| Defender for Identity | No | Included | ~USD 5.50/user/mo |
| Defender for Cloud Apps | No | Included | ~USD 3.50/user/mo |
| Entra ID P1 | Included | Included | ~USD 6/user/mo |
| Entra ID P2 | No | Included | ~USD 9/user/mo |
| Intune Plan 1 | Included | Included | ~USD 8/user/mo |
| Purview Information Protection (basic) | Included | Included | Included in E3 |
| Purview DLP (basic) | Included | Included | Included in E3 |
| Purview auto-labelling (advanced) | No | Included | E5 Compliance add-on |
| Purview Insider Risk Management | No | Included | E5 Compliance add-on |
| Purview eDiscovery (Premium) | No | Included | E5 Compliance add-on |
| Microsoft Sentinel | No | No (free data grant) | Azure consumption |

E3 security baseline: Defender for Endpoint P1 (prevention, no EDR), Entra ID P1 (conditional access, MFA), Intune Plan 1 (device management), Purview basic DLP and sensitivity labels. Solid foundation but lacks endpoint detection and response, advanced email protection, identity threat detection, and CASB.

E5 security upgrade: Adds Defender for Endpoint P2 (full EDR), Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, Entra ID P2 (PIM, Identity Protection), and Purview advanced compliance.

What E5 does NOT include: Microsoft Sentinel (Azure consumption), Defender for Cloud (Azure workload protection), Intune Plan 2, Entra ID Governance, and Copilot for Security. These remain separate purchases regardless of M365 tier.

Microsoft Defender is not one product. It is four distinct security products unified under a single brand. Each has its own capability set, its own standalone pricing, and its own inclusion rules within M365 bundles. The licensing decision is whether to purchase them individually or acquire them all through M365 E5.
Defender for Endpoint P1 (included in M365 E3): Next-generation antimalware, attack surface reduction rules, device-based conditional access, and basic device control. P1 is prevention-focused: it stops known threats but does not detect or investigate advanced attacks.

Defender for Endpoint P2 (included in M365 E5, ~USD 5.20/user/mo standalone): Adds endpoint detection and response (EDR), automated investigation and remediation, threat hunting, threat analytics, and Microsoft Threat Experts access. P2 is the full EDR platform that security operations teams require. The P1-to-P2 upgrade is the most impactful single security licensing decision for most organisations. For device management integration, see our endpoint management licensing guide.

Defender for Office 365 P1 (~USD 2/user/mo standalone): Safe Attachments (sandboxed attachment detonation), Safe Links (URL rewriting and time-of-click protection), and anti-phishing policies with mailbox intelligence. P1 addresses the most common email attack vector: malicious attachments and links.

Defender for Office 365 P2 (included in M365 E5, ~USD 5/user/mo standalone): Adds Threat Explorer (real-time email threat investigation), automated investigation and response (AIR), attack simulation training, and campaign views. P2 is essential for security operations teams that need to investigate email-borne attacks at scale. For related Teams licensing considerations, see the dedicated guide.

Defender for Identity (included in M365 E5, ~USD 5.50/user/mo standalone): Monitors Active Directory signals to detect lateral movement, compromised credentials, domain dominance attacks, and reconnaissance. Requires sensors on domain controllers. Critical for organisations with on-premises Active Directory.

Defender for Cloud Apps (included in M365 E5, ~USD 3.50/user/mo standalone): Cloud Access Security Broker (CASB) providing shadow IT discovery, SaaS app governance, session controls, and data exfiltration detection. Essential for organisations with significant SaaS application usage beyond Microsoft 365. See our M365 add-on licensing guide for how these fit into the broader add-on landscape.

A 5,000-user organisation on M365 E3 (~USD 36/user/month) evaluates adding all four Defender products standalone. Defender for Endpoint P2: 5,000 x USD 5.20 = USD 26,000/month. Defender for Office 365 P2: 5,000 x USD 5.00 = USD 25,000/month. Defender for Identity: 5,000 x USD 5.50 = USD 27,500/month. Defender for Cloud Apps: 5,000 x USD 3.50 = USD 17,500/month. Total standalone: USD 96,000/month (USD 19.20/user/month). M365 E5 upgrade: ~USD 57/user/month total (USD 21/user incremental over E3). The E5 upgrade costs USD 1.80/user/month more than standalone Defender alone but includes Entra ID P2 (~USD 9 value), advanced Purview compliance, Power BI Pro, Phone System, and Audio Conferencing. For organisations that need three or more Defender products, E5 is almost always cheaper than a la carte. For organisations that need only Defender for Endpoint P2, the standalone add-on is significantly cheaper.
Entra ID (formerly Azure Active Directory) licensing determines the organisation's identity security capabilities: authentication strength, access control granularity, privileged access governance, and identity threat detection. The two tiers, P1 and P2, are clearly delineated, but most organisations on E3 significantly under-utilise their P1 entitlement before considering the P2 upgrade.
Entra ID P1 (included in M365 E3): Conditional access policies (the foundation of zero-trust: control access based on user, device, location, risk, and application), multi-factor authentication with conditional access enforcement, self-service password reset, group-based licence assignment, dynamic groups, application proxy for on-premises app access, and Microsoft Entra Connect for hybrid identity. P1 delivers the core identity security platform most organisations need. The most under-utilised capability: conditional access policies that enforce MFA, block legacy authentication, and require compliant devices, available in E3 but deployed by fewer than half of E3 organisations.
Entra ID P2 (included in M365 E5): Adds Privileged Identity Management (PIM) for just-in-time admin access, Identity Protection (risk-based conditional access using machine learning to detect impossible travel, anomalous sign-ins, and leaked credentials), access reviews (periodic recertification of user access), and entitlement management. P2 is most valuable for organisations with significant privileged admin accounts, regulatory access recertification requirements, or advanced identity threat concerns. The headline feature is PIM, which eliminates standing admin privileges, the single highest-risk identity configuration in most organisations.
Entra ID Governance (separate purchase, ~USD 7/user/month): Beyond P1 and P2, Microsoft offers Entra ID Governance as an additional premium SKU. Governance adds lifecycle workflows (automated onboarding/offboarding), machine-learning-based access recommendations, and advanced entitlement management features. Governance is separate from both P2 and M365 E5. It is a standalone add-on regardless of M365 tier. Organisations with complex joiner/mover/leaver processes and regulatory access governance requirements should evaluate Governance independently. For broader licensing model context, see our models guide.
Sentinel is the architectural outlier in Microsoft's security portfolio. While Defender, Entra, and Purview are per-user subscription products included in M365 bundles, Sentinel is an Azure consumption service billed by the volume of data ingested and retained. This makes Sentinel costs inherently variable, difficult to predict, and easy to underestimate.
Sentinel charges are based on data ingestion volume measured in GB per day, stored in a Log Analytics workspace. Two pricing tiers exist: Pay-As-You-Go (~USD 2.46/GB for the first 100 GB/day) and Commitment Tiers (discounted rates for pre-committed daily volumes: 100 GB/day at ~USD 196/day, 200 GB/day at ~USD 368/day, scaling up to 5,000 GB/day). Commitment Tiers deliver 30 to 50% savings versus Pay-As-You-Go for predictable workloads. Additionally, data retention beyond 90 days incurs storage charges. A mid-size enterprise ingesting 200 GB/day pays approximately USD 11,000/month on a commitment tier or USD 15,000/month without one.
Organisations with M365 E5, M365 E5 Security, or M365 E5 Compliance receive a free daily data ingestion allowance for Microsoft security data sources into Sentinel. This grant covers ingestion of specific Microsoft 365 data tables (SigninLogs, AuditLogs, SecurityAlert, SecurityIncident, and others) at no charge. The grant can represent a significant portion of a Sentinel deployment's total ingestion volume, often 30 to 50% of total data. Organisations on E5 that are not leveraging this grant are paying full consumption rates for data that should be free. The grant must be actively claimed and configured. It does not apply automatically.
Sentinel costs can spiral if data ingestion is not governed. Every new log source connected to Sentinel increases daily ingestion volume and cost. Common cost escalation triggers: connecting verbose log sources (Azure Activity, DNS, proxy logs) without evaluating data value, enabling verbose diagnostic logging on Azure resources, ingesting raw firewall or network flow data at full fidelity, and retaining data beyond 90 days without archival tiering. Without active governance, Sentinel costs typically double within 12 to 18 months of initial deployment as the security team connects additional data sources.
1. Select a commitment tier based on projected ingestion. Analyse current data volumes from all planned log sources before enabling Sentinel. Select the tier covering 80 to 90% of normal daily volume (with Pay-As-You-Go covering burst periods). Review and adjust quarterly.
2. Implement data collection rules and ingestion governance. Not every log event needs to reach Sentinel. Use data collection rules (DCRs) and transformations to filter, sample, or summarise verbose sources at ingestion time. Archive low-value data to basic logs rather than analytics logs.
3. Negotiate within the Azure commitment framework. EA negotiations can include Azure consumption commitments (MACC) that encompass Sentinel costs. Organisations negotiating Sentinel within the EA context typically achieve 10 to 20% better effective rates. See our Azure cost optimisation playbook for the full framework.
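
The tier selection in step 1, worked through on constructed per-table ingestion figures. This is an added example, not part of the original guide; it uses only the rates and grant-eligible tables quoted above. The 50 GB/day grant cap and the billing of overage at the Pay-As-You-Go rate are assumptions made for illustration.

```python
"""Sentinel tier comparison using the rates quoted in this guide (added example)."""

PAYG_PER_GB = 2.46                  # ~USD/GB, Pay-As-You-Go rate quoted in the guide
TIERS = {100: 196.0, 200: 368.0}    # commitment GB/day -> ~USD/day, quoted in the guide
# Tables the guide names as covered by the M365 E5 data grant.
GRANT_TABLES = {"SigninLogs", "AuditLogs", "SecurityAlert", "SecurityIncident"}

# Constructed sample: GB ingested per table per day (day 3 is a burst day).
SAMPLE_DAYS = [
    {"SigninLogs": 20, "AuditLogs": 15, "SecurityAlert": 5,
     "CommonSecurityLog": 90, "Syslog": 40, "AzureActivity": 10},
    {"SigninLogs": 22, "AuditLogs": 16, "SecurityAlert": 4,
     "CommonSecurityLog": 95, "Syslog": 45, "AzureActivity": 12},
    {"SigninLogs": 25, "AuditLogs": 18, "SecurityAlert": 7,
     "CommonSecurityLog": 160, "Syslog": 60, "AzureActivity": 20},
]


def billable_gb(day, grant_cap_gb):
    """GB charged for one day after the grant absorbs eligible tables.

    grant_cap_gb is a hypothetical daily allowance: the guide does not state
    the size of the grant, so pass 0.0 to model an unclaimed grant.
    """
    eligible = sum(gb for table, gb in day.items() if table in GRANT_TABLES)
    other = sum(day.values()) - eligible
    return other + max(0.0, eligible - grant_cap_gb)


def daily_cost(gb, tier):
    """Cost of one day on Pay-As-You-Go (tier=None) or on a commitment tier.

    Assumption: volume above the committed GB/day is charged at the
    Pay-As-You-Go rate, following the guide's description of burst periods.
    """
    if tier is None:
        return gb * PAYG_PER_GB
    return TIERS[tier] + max(0.0, gb - tier) * PAYG_PER_GB


def compare(days, grant_cap_gb):
    """Return ({option: total USD over the period}, cheapest option)."""
    volumes = [billable_gb(day, grant_cap_gb) for day in days]
    options = {"payg": None, **{f"tier-{t}": t for t in TIERS}}
    totals = {
        label: round(sum(daily_cost(v, tier) for v in volumes), 2)
        for label, tier in options.items()
    }
    return totals, min(totals, key=totals.get)


if __name__ == "__main__":
    for cap in (0.0, 50.0):
        totals, best = compare(SAMPLE_DAYS, cap)
        print(f"grant cap {cap:>4} GB/day -> {totals} cheapest: {best}")
```

On this sample the cheapest option moves from the 200 GB/day tier to the 100 GB/day tier once the grant is applied, which is why the grant should be configured before a tier is committed to.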
Microsoft Purview encompasses information protection, data loss prevention, compliance management, eDiscovery, insider risk management, and data lifecycle management. Its licensing is layered across M365 tiers in a way that makes it difficult to determine where basic capabilities end and premium capabilities begin.
Purview in M365 E3: Manual sensitivity labels (users apply labels to documents and emails), basic DLP (policies that detect and restrict sharing of sensitive data in Exchange, SharePoint, OneDrive, and Teams), Microsoft Purview Compliance Manager (compliance posture assessment), basic eDiscovery (content search across M365), manual data retention policies, and basic audit (standard audit log retention for 180 days). E3 Purview covers fundamental data governance needs for most organisations, particularly those without regulatory requirements for advanced eDiscovery or insider threat detection.
Purview in M365 E5: Automatic sensitivity labelling (server-side auto-classification based on content inspection), advanced DLP (endpoint DLP, exact data match, OCR scanning), eDiscovery Premium (custodian management, review sets, predictive coding, advanced analytics), Insider Risk Management (detection of data exfiltration, policy violations, risky user behaviour), Communication Compliance (monitoring for policy violations in Teams, email, and chat), advanced audit (1-year log retention, high-value audit events), and Records Management (file plan management, regulatory record retention). These capabilities are typically required by financial services, healthcare, government, and other regulated industries.
Purview beyond E5 (separate purchase): Even M365 E5 does not include every Purview capability. Microsoft Purview Data Governance (data cataloguing, data estate scanning, data quality rules for multi-cloud data) is a separate Azure consumption service. Purview Audit 10-year retention is an add-on for organisations with decade-long audit log requirements. Extra eDiscovery storage beyond included limits requires additional capacity purchases. These add-ons serve a narrow set of heavily regulated organisations and should not be conflated with E5-included Purview compliance capabilities. For the broader M365 add-on landscape, see our add-on guide.
The single most consequential Microsoft security licensing decision is whether to upgrade from M365 E3 to E5 for the full security bundle, or to remain on E3 and purchase only the specific security add-ons needed. This decision determines the organisation's security licensing cost for the three-year EA term.
The E5 security upgrade cost: M365 E5 is approximately USD 57/user/month. M365 E3 is approximately USD 36/user/month. The incremental E5 cost is approximately USD 21/user/month. For a 10,000-user organisation, the E5 security upgrade costs approximately USD 2,520,000 per year. This includes all Defender products, Entra ID P2, advanced Purview compliance, Power BI Pro, Phone System, and Audio Conferencing.
The M365 E5 Security add-on alternative: Microsoft offers an M365 E5 Security add-on (~USD 12/user/month) that adds the security components of E5 to an E3 base without the non-security features. This includes all four Defender products and Entra ID P2. Separately, the M365 E5 Compliance add-on (~USD 12/user/month) adds the advanced Purview capabilities. Organisations that need security but not telephony or Power BI Pro can achieve the same security posture at E3 + E5 Security (~USD 48/user/month) versus full E5 (~USD 57/user/month), saving USD 9/user/month.
Targeted add-ons for specific needs: If the organisation needs only one or two specific security capabilities (e.g., only Defender for Endpoint P2 and Entra ID P2), purchasing those standalone products is significantly cheaper than E5 or the E5 Security add-on. Defender for Endpoint P2 (~USD 5.20) + Entra ID P2 (~USD 9) = ~USD 14.20/user/month vs USD 21 for the E5 increment or USD 12 for E5 Security. However, if the organisation needs three or more Defender products plus Entra P2, the E5 Security add-on at USD 12 undercuts the combined standalone price of approximately USD 19 to 20.
| Security Requirement | Optimal Licensing Path | ~Cost Per User/Month (Incremental) |
|---|---|---|
| Defender for Endpoint P2 only | Standalone add-on to E3 | ~USD 5.20 |
| Defender for Endpoint P2 + Entra ID P2 | Standalone add-ons to E3 | ~USD 14.20 |
| All Defender products + Entra ID P2 | M365 E5 Security add-on | ~USD 12 |
| All security + advanced compliance | M365 E5 Security + E5 Compliance add-ons | ~USD 24 |
| All security + compliance + Power BI + telephony | Full M365 E5 upgrade | ~USD 21 |
| Defender for Endpoint P2 for 20% of users only | Standalone for security team; E3 for remainder | ~USD 1.04 blended |

Use our M365 Licence Optimisation Calculator to model these scenarios against your specific user population and requirements. For licensing fundamentals, see our beginner's guide.
Security licensing overlaps are the silent budget drain. They occur when the same capability is purchased through multiple procurement channels, when a bundled entitlement is not recognised as covering a requirement that was separately budgeted, or when a product upgrade renders a standalone subscription redundant. Our licence usage auditing guide provides the step-by-step process for identifying these overlaps.
EMS E5 + M365 E5 overlap: Enterprise Mobility + Security E5 includes Entra ID P2, Intune Plan 1, Azure Information Protection P2, Defender for Identity, and Defender for Cloud Apps. M365 E5 includes all of these. Organisations that hold both EMS E5 and M365 E5 licences are paying twice for the same identity and security capabilities. The fix: if the organisation upgrades to M365 E5, remove EMS E5 licences and save approximately USD 16/user/month. This is the single highest-value overlap elimination in most Microsoft estates.
Standalone Defender + E5 bundle overlap: Organisations that purchased individual Defender products (Endpoint P2, Office 365 P2, Identity, Cloud Apps) before upgrading to M365 E5 often continue paying for the standalone subscriptions. Each standalone subscription running concurrently with E5 is pure waste. A 10,000-user organisation with standalone Defender for Endpoint P2 overlapping with E5 wastes USD 624,000/year. Post-E5 upgrade, audit every standalone security subscription for bundle overlap and terminate duplicates immediately. See eliminating redundant Microsoft software.
Sentinel data grant not leveraged: M365 E5 includes a free Sentinel data ingestion grant for Microsoft security data. Organisations paying full consumption rates for data types covered by the grant are over-spending by 30 to 50% of their Sentinel bill. The grant must be actively claimed and configured. It does not apply automatically. If the organisation has M365 E5 and Sentinel, verify that the grant is applied to the Sentinel workspace and that eligible Microsoft data tables are ingesting under the grant rather than under consumption billing.
Purview add-on + E5 overlap: Organisations that purchased the M365 E5 Compliance add-on and subsequently upgraded to full M365 E5 may continue paying for the compliance add-on. Full E5 includes all E5 Compliance capabilities. The add-on becomes redundant upon E5 upgrade. Similarly, standalone Purview product purchases (Information Protection P2, eDiscovery Premium) may overlap with E5-included capabilities. Review every Purview-related subscription against the inclusion map and eliminate overlaps. For true-up governance that prevents these overlaps from recurring, see the dedicated guide.
Defender for Cloud is architecturally distinct from the rest of Microsoft's security portfolio. It protects Azure workloads (VMs, storage, SQL, containers, Kubernetes, App Service), multi-cloud resources (AWS, GCP), and on-premises servers. It is licensed per-resource through Azure consumption, not per-user through M365.
Foundational CSPM (free): Cloud Security Posture Management at the foundational tier is free for all Azure subscriptions. It provides a security score, basic recommendations, and asset inventory for Azure resources. No additional licence or enablement is required. Foundational CSPM does not include workload protection, advanced posture management, or multi-cloud coverage.
Defender for Cloud plans (per-resource consumption): Workload-specific Defender plans provide threat detection and protection for individual Azure resource types: Defender for Servers (~USD 15/server/month for P2), Defender for SQL (~USD 15/instance/month), Defender for Containers (~USD 7/vCore/month), Defender for Storage (~USD 10/storage account/month), Defender for Key Vault, Defender for DNS, Defender for App Service, and others. Each plan is enabled per-resource and billed through Azure consumption. The cost scales with the number of protected resources, not the number of users.
Defender CSPM (advanced, ~USD 5/billable resource/month): Adds attack path analysis, cloud security explorer, agentless scanning, governance rules, and multi-cloud posture management (AWS, GCP). CSPM is billed per billable resource, meaning every Azure VM, storage account, SQL instance, and other scanned resource incurs a charge. For large Azure estates, CSPM costs can be significant. A 500-resource Azure estate costs approximately USD 2,500/month for CSPM alone. Evaluate CSPM based on the number of billable resources, not just the per-resource rate. For Azure licensing and cost optimisation, see our CIO playbook. See also EA vs CSP for the agreement structure context.
Rather than purchasing every available Microsoft security product, organisations should build their security stack progressively based on maturity, threat landscape, and regulatory requirements. Each stage delivers measurable security improvement before the next investment is justified.
Stage 1, Foundation (M365 E3, no add-ons): Deploy all included security capabilities. Defender for Endpoint P1 (enable ASR rules, next-gen protection). Entra ID P1 conditional access (enforce MFA for all users, block legacy auth, require compliant devices). Intune Plan 1 (MDM, MAM, compliance policies, security baselines). Purview basic DLP (protect sensitive data in M365). Most organisations have not fully deployed their E3 security entitlements. Completing Stage 1 eliminates the majority of common attack vectors at zero incremental licensing cost.
Stage 2, Detection and Response (add Defender for Endpoint P2): The highest-impact single security add-on. Defender for Endpoint P2 adds EDR (detection of advanced threats that bypass prevention), automated investigation and remediation, threat hunting, and threat-based conditional access with Intune. Deploy as a standalone add-on to E3 (~USD 5.20/user/month) for the security operations team and high-risk user populations. Expand to all users if budget permits or E5 becomes cost-justified.
Stage 3, Full Threat Protection (M365 E5 Security add-on or E5): Add the remaining Defender products (Office 365 P2, Identity, Cloud Apps) and Entra ID P2. This stage delivers complete XDR (extended detection and response) across endpoints, email, identity, and SaaS applications. The E5 Security add-on (~USD 12/user/month) is the most cost-effective path if three or more Defender products are needed. Evaluate full E5 if Power BI Pro or telephony are also required.
Stage 4, SIEM/SOAR (add Microsoft Sentinel): Deploy Sentinel for centralised security event correlation, automated incident response, and long-term security data retention. Connect Microsoft Defender signals (free via E5 data grant) and third-party sources (firewalls, proxies, identity providers). Select a commitment tier based on projected daily ingestion. Sentinel completes the security operations architecture by providing the analytics layer above the Defender XDR telemetry.
Stage 5, Governance and Compliance (add Purview advanced): For regulated industries: add M365 E5 Compliance for Insider Risk Management, advanced eDiscovery, auto-labelling, communication compliance, and advanced audit. Add Entra ID Governance for lifecycle workflows and access governance. These capabilities are driven by regulatory requirements rather than threat detection. Deploy when compliance mandates justify the investment. For the MCA framework that may govern these purchases, see our guide.
Microsoft security licensing is among the most negotiable components of an Enterprise Agreement because Microsoft is competing directly with established security vendors (CrowdStrike, Palo Alto, Splunk, Okta, Zscaler) and is willing to offer significant incentives to win or retain the security estate within its platform.
1. Use competitive alternatives as leverage. Microsoft's security pricing is most negotiable when the organisation has credible alternatives. A CrowdStrike proposal for endpoint security, an Okta evaluation for identity, or a Splunk deployment for SIEM creates genuine competitive pressure. Present Microsoft with specific competitive pricing and ask them to match or undercut. Discounts of 15 to 30% on security add-ons are achievable with credible competitive positioning. See our contract negotiation service and the procurement manager's negotiation guide.
2. Negotiate E5 Security and E5 Compliance as separate line items. Rather than committing to full M365 E5 for all users, negotiate E5 Security and E5 Compliance as separate add-ons to your E3 base. This allows differentiated deployment: E5 Security for all users (or the security-relevant subset), E5 Compliance only for regulated user populations, and E3 base for users who need neither. Each add-on should be a separate negotiation line item with its own volume discount. See the contract terms negotiation guide.
3. Negotiate Sentinel commitment tier credits within the EA. Sentinel consumption (Azure billing) is typically negotiated separately from M365 licensing. However, EA negotiations can include Azure consumption commitments (MACC) that encompass Sentinel costs. Negotiate Sentinel commitment tier pricing as part of the overall Azure commitment, and ensure the M365 E5 Sentinel data grant is documented and activated. Organisations that negotiate Sentinel within the EA context typically achieve 10 to 20% better effective rates through combined Azure commitment discounts.
4. Conduct an overlap audit before the renewal. Before entering EA renewal negotiations, conduct a complete Microsoft security licence inventory: every standalone security subscription, every EMS licence, every M365 plan, every Azure Defender plan, and every Sentinel workspace. Map every security capability against its licence source to identify overlaps. Eliminate duplicates before the renewal to establish an accurate baseline. The savings from overlap elimination (often 20 to 40% of current security spend) can be redirected to fund genuinely incremental security capabilities in the new EA term. Use our licence audit survival checklist as the starting point. See also benchmarking EA discounts for pricing intelligence.
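
The overlap audit in step 4, and the overlap cases listed earlier (EMS E5 with M365 E5, standalone Defender with E5, the Compliance add-on with E5), as an added example that is not part of the original guide. The capability sets and approximate prices are transcribed from this guide; the user inventory is constructed, and treating each P2 plan as a superset of its P1 plan is an assumption of the model.

```python
"""Licence-overlap audit driven by the guide's inclusion map (added example)."""

E3 = {"Defender for Endpoint P1", "Entra ID P1", "Intune Plan 1",
      "Purview Information Protection (basic)", "Purview DLP (basic)"}
E5_SECURITY = {"Defender for Endpoint P1", "Defender for Endpoint P2",
               "Defender for Office 365 P1", "Defender for Office 365 P2",
               "Defender for Identity", "Defender for Cloud Apps",
               "Entra ID P1", "Entra ID P2"}
E5_COMPLIANCE = {"Purview auto-labelling (advanced)",
                 "Purview Insider Risk Management",
                 "Purview eDiscovery (Premium)"}
EMS_E5 = {"Entra ID P1", "Entra ID P2", "Intune Plan 1",
          "Azure Information Protection P2",
          "Defender for Identity", "Defender for Cloud Apps"}

# Licence -> capabilities it grants. P2 plans also grant P1 (model assumption).
INCLUDES = {
    "M365 E3": E3,
    "M365 E5": E3 | E5_SECURITY | E5_COMPLIANCE | EMS_E5,
    "M365 E5 Security": E5_SECURITY,
    "M365 E5 Compliance": E5_COMPLIANCE,
    "EMS E5": EMS_E5,
    "Defender for Endpoint P2": {"Defender for Endpoint P1", "Defender for Endpoint P2"},
    "Defender for Office 365 P1": {"Defender for Office 365 P1"},
    "Defender for Office 365 P2": {"Defender for Office 365 P1", "Defender for Office 365 P2"},
    "Defender for Identity": {"Defender for Identity"},
    "Defender for Cloud Apps": {"Defender for Cloud Apps"},
    "Entra ID P2": {"Entra ID P1", "Entra ID P2"},
}

# Approximate USD per user per month, as quoted in this guide.
PRICE = {
    "M365 E3": 36.0, "M365 E5": 57.0, "M365 E5 Security": 12.0,
    "M365 E5 Compliance": 12.0, "EMS E5": 16.0,
    "Defender for Endpoint P2": 5.20, "Defender for Office 365 P1": 2.0,
    "Defender for Office 365 P2": 5.0, "Defender for Identity": 5.50,
    "Defender for Cloud Apps": 3.50, "Entra ID P2": 9.0,
}

# Constructed inventory: user -> licences currently assigned.
SAMPLE_INVENTORY = {
    "alice": ["M365 E5", "EMS E5", "Defender for Endpoint P2"],
    "bob": ["M365 E3", "Defender for Endpoint P2"],
    "carol": ["M365 E5", "M365 E5 Compliance"],
    "dave": ["M365 E3", "M365 E5 Security", "Defender for Identity"],
}


def find_redundant(held):
    """Return licences whose every capability is already granted by a
    larger licence the same user holds.

    Licences are visited largest bundle first, so the bundle is kept and the
    narrower duplicate is the one reported. Licences missing from INCLUDES
    are ignored rather than guessed at.
    """
    known = sorted((lic for lic in held if lic in INCLUDES),
                   key=lambda lic: (-len(INCLUDES[lic]), lic))
    covered, redundant = set(), []
    for lic in known:
        if INCLUDES[lic] <= covered:
            redundant.append(lic)
        else:
            covered |= INCLUDES[lic]
    return sorted(redundant)


def audit(inventory):
    """Return ({user: redundant licences}, total monthly waste in USD)."""
    findings = {}
    for user, held in inventory.items():
        duplicates = find_redundant(held)
        if duplicates:
            findings[user] = duplicates
    monthly = round(sum(PRICE[lic] for dup in findings.values() for lic in dup), 2)
    return findings, monthly


if __name__ == "__main__":
    findings, monthly = audit(SAMPLE_INVENTORY)
    for user, duplicates in findings.items():
        print(f"{user}: remove {', '.join(duplicates)}")
    print(f"monthly waste ~USD {monthly:.2f}, annual ~USD {monthly * 12:.2f}")
```

A licence that only partly overlaps, such as EMS E5 held alongside M365 E3, is not flagged because it still grants capabilities the user would otherwise lose.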
Microsoft security licensing is the area where independent advisory delivers the highest ROI because the overlap complexity, the bundling mathematics, and the EA negotiation dynamics create a landscape where procurement teams without deep Microsoft licensing expertise consistently overpay.
Security licence overlap assessment. Redress Compliance maps every Microsoft security capability against every licence in the organisation's estate: M365 plans, EMS plans, standalone subscriptions, Azure consumption services, and any third-party overlap. We identify every duplicate entitlement, every unconsumed inclusion, and every instance where a capability is purchased standalone that is already bundled. Our assessments typically identify 20 to 40% immediate savings through overlap elimination alone, before any EA optimisation begins.
E3/E5 decision modelling and EA negotiation. We build detailed financial models comparing every viable licensing path: E3 + individual add-ons, E3 + E5 Security, E3 + E5 Security + E5 Compliance, full E5, and hybrid deployments (E5 for subset, E3 for remainder). We identify the optimal path for the organisation's specific security requirements and user population, and then support the EA negotiation with market pricing intelligence, competitive positioning strategy, and Sentinel commitment tier optimisation. Our support consistently achieves 15 to 30% below-list pricing on security components.
Complete vendor independence. Redress Compliance has no Microsoft partnership, no CSP resale revenue, and no incentive to recommend E5 upgrades, Sentinel adoption, or any specific Microsoft security product. If CrowdStrike provides better endpoint protection, Okta provides better identity, or Splunk provides better SIEM for the organisation's requirements, we say so. Our assessment considers both Microsoft-native and third-party security options, ensuring the organisation invests in the security stack that delivers the best protection at the best price, regardless of vendor.
The most powerful Microsoft security licensing strategy is also the simplest: know what you already own. Most enterprises have 60 to 80% of their required security capabilities already included in their M365 licences but under-deployed. The highest-ROI security investment is not a new product purchase. It is full activation of existing entitlements. Conditional access in Entra ID P1. Attack surface reduction in Defender for Endpoint P1. DLP policies in Purview. Device compliance in Intune. These capabilities are in M365 E3, they cost nothing incremental, and they address the majority of common attack vectors. Only after these are fully deployed should the organisation evaluate which additional capabilities justify premium licensing, and the answer is almost never every capability for every user.
M365 E3 includes Defender for Endpoint Plan 1 (next-generation antimalware and attack surface reduction, but no EDR), Entra ID P1 (conditional access, MFA, self-service password reset), Intune Plan 1 (device management, app protection, compliance policies), and Purview basic capabilities (manual sensitivity labels, basic DLP, basic eDiscovery, standard audit). This is a substantial security foundation that addresses the majority of common threats. Most organisations have not fully deployed their E3 security entitlements before considering E5 upgrades.
It depends on how many security capabilities you need. If you need all four Defender products (Endpoint P2, Office 365 P2, Identity, Cloud Apps) plus Entra ID P2 plus advanced Purview, full E5 is typically the most cost-effective path because the incremental cost (~USD 21/user/month over E3) is less than purchasing these components standalone (~USD 30+/user/month combined). However, if you only need one or two capabilities, targeted add-ons to E3 are significantly cheaper. The M365 E5 Security add-on (~USD 12/user/month) offers a middle ground: all Defender products and Entra P2 without non-security E5 features. See our E3 vs E5 comparison for the complete analysis.
No. Sentinel is an Azure consumption service billed separately based on data ingestion volume, regardless of M365 tier. However, M365 E5 includes a free daily data ingestion allowance for specific Microsoft security data sources (sign-in logs, audit logs, security alerts) into Sentinel. This grant can cover 30 to 50% of a typical deployment's ingestion volume. The grant must be actively configured. It does not apply automatically. Organisations on E5 running Sentinel should verify the grant is applied to their workspace.
P1 (included in M365 E3) provides prevention-focused capabilities: next-generation antimalware, attack surface reduction rules, device-based conditional access, and network protection. P1 stops known threats but does not detect or investigate advanced attacks. P2 (included in M365 E5, ~USD 5.20/user/month standalone) adds endpoint detection and response (EDR), automated investigation and remediation, threat hunting, threat analytics, and threat-based conditional access. P2 is the full EDR platform required for security operations teams to detect, investigate, and respond to sophisticated threats.
No. M365 E5 includes everything in EMS E5: Entra ID P2, Intune Plan 1, Azure Information Protection P2, Defender for Identity, and Defender for Cloud Apps. Organisations holding both M365 E5 and EMS E5 are paying twice for the same capabilities. If you upgrade to M365 E5, remove EMS E5 licences immediately. This is the most common and most expensive Microsoft security licensing overlap, wasting approximately USD 16/user/month for every user holding both licences. See eliminating redundant Microsoft software.
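A licence-export check for the overlaps described above, added here as an example and not taken from the original guide. The CSV layout and the SKU part numbers (`SPE_E5`, `EMSPREMIUM`, `WIN_DEF_ATP`) are assumptions to confirm against your own tenant; the per-user waste figures are the ones quoted in this guide.

```python
import csv
import io
from collections import defaultdict

# Overlap rules from this guide: (bundle SKU, redundant SKU, USD/user/month wasted).
# SKU part numbers are assumptions; confirm them against your tenant's licence export.
OVERLAP_RULES = [
    ("SPE_E5", "EMSPREMIUM", 16.00),  # M365 E5 includes everything in EMS E5
    ("SPE_E5", "WIN_DEF_ATP", 5.20),  # M365 E5 includes Defender for Endpoint P2
]

# Constructed sample export: one row per user, SKUs separated by ';'.
SAMPLE_EXPORT = """user,skus
alice@example.com,SPE_E5;EMSPREMIUM
bob@example.com,SPE_E3;WIN_DEF_ATP
carol@example.com,SPE_E5;EMSPREMIUM;WIN_DEF_ATP
dave@example.com,SPE_E5
erin@example.com,spe_e5; emspremium
"""

def find_overlaps(export_text):
    """Return (user, redundant_sku, monthly_waste) for every rule a user trips."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Normalise case and whitespace so hand-edited exports still match.
        held = {s.strip().upper() for s in row["skus"].split(";") if s.strip()}
        for bundle, redundant, waste in OVERLAP_RULES:
            if bundle in held and redundant in held:
                findings.append((row["user"], redundant, waste))
    return findings

def summarise(findings):
    """Aggregate findings into {redundant_sku: (user_count, annual_waste_usd)}."""
    totals = defaultdict(lambda: [0, 0.0])
    for _user, sku, waste in findings:
        totals[sku][0] += 1
        totals[sku][1] += waste * 12
    return {sku: (n, round(usd, 2)) for sku, (n, usd) in totals.items()}

if __name__ == "__main__":
    hits = find_overlaps(SAMPLE_EXPORT)
    for user, sku, waste in hits:
        print(f"{user}: remove {sku} (USD {waste:.2f}/month)")
    print(summarise(hits))
```

The E3 user holding standalone Defender for Endpoint P2 is not flagged, because E3 only includes Plan 1 and the standalone P2 is a genuine incremental purchase.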
Three primary strategies. First, select the appropriate commitment tier based on projected daily ingestion volume (30 to 50% discount versus pay-as-you-go). Second, implement data collection rules and transformations to filter verbose log sources at ingestion time, reducing volume without losing security-relevant signals. Third, use basic logs (lower-cost tier) for data sources that need retention but infrequent querying, and analytics logs (full-cost tier) only for data requiring frequent investigation. Additionally, claim the M365 E5 data grant for Microsoft security data sources and review Sentinel costs quarterly. See our Azure cost optimisation playbook.
Defender for Cloud protects Azure workloads (VMs, databases, containers, storage, app services) and multi-cloud resources (AWS, GCP). It is separate from M365 E5. It is an Azure consumption service billed per protected resource. Foundational cloud security posture management (CSPM) is free for all Azure subscriptions. Workload-specific Defender plans (Servers, SQL, Containers, Storage) and advanced CSPM require per-resource Azure consumption charges. Defender for Cloud should be evaluated separately from the M365 security licensing decision, based on the organisation's Azure and multi-cloud resource footprint. See managing Azure spend.
Redress Compliance delivers independent Microsoft security licensing assessments: overlap identification, E3/E5 decision modelling, Sentinel cost optimisation, EA negotiation support, and cross-product entitlement mapping. We identify 20 to 40% savings while ensuring every required capability is covered. Complete vendor independence. No Microsoft partnerships, no resale commissions.
Microsoft EA Optimisation Service: Independent Microsoft security licensing advisory. Overlap elimination, E3/E5 decision modelling, Sentinel optimisation, EA negotiation support. Fixed-fee. 100% vendor-independent.