Microsoft Licensing · Security Pillar Guide

Microsoft Security Licensing Guide: Defender, Sentinel, Entra, Purview

The Cross-Product Map That Reveals What You Already Own, What You Actually Need, and Where Organisations Waste USD 500K+ on Overlapping Security Licences

Microsoft’s security portfolio is the most powerful — and the most confusing — licensing labyrinth in enterprise IT. Four product families (Defender, Sentinel, Entra, Purview) span 15+ individually licensable components, each available through a different combination of Microsoft 365 bundles, Enterprise Mobility + Security tiers, Azure consumption models, and standalone subscriptions. The result is that most enterprises cannot answer a simple question: what security capabilities do we already own? Without that answer, organisations default to the most expensive path — purchasing standalone security products they already have through M365 E5, or upgrading entire user populations to E5 when targeted add-ons would deliver the same security outcome at a fraction of the cost. This pillar guide takes a different approach from typical product-by-product documentation. It is structured around the licensing decisions CISOs and procurement teams actually face: what is already included in each M365 tier, which security capabilities are genuinely incremental purchases, where product overlaps create waste, how to model the E3+add-ons vs E5 break-even, and how to build a complete Microsoft security stack at the lowest defensible cost.

February 2026 · Microsoft Licensing · Security · Pillar Guide · 17 min read

This is the security pillar guide within the Microsoft Licensing Knowledge Hub. For related guidance, see Intune Plan 1 vs Plan 2, EA vs CSP Guide, and Microsoft EA Optimisation Service.

4 Families: Defender · Sentinel · Entra · Purview
15+: Individually Licensable Security Components
E3 → E5: The Most Consequential Security Licensing Decision
30–50%: Typical Over-Spend from Overlapping Purchases

1. The Problem: Why Organisations Over-Spend on Microsoft Security

The root cause of Microsoft security over-spending is structural. Microsoft sells security capabilities through three overlapping channels simultaneously: bundled within M365 E3 and E5 plans, standalone as individual product subscriptions, and consumption-based through Azure metering (Sentinel, Defender for Cloud). Each channel has its own pricing, its own sales motion, and its own account team incentives. The result is that security purchases are fragmented across three procurement streams, and nobody holds a unified view of what the organisation already owns.

A typical scenario: the CISO’s team purchases Defender for Endpoint P2 as a standalone security product (USD 5.20/user/month). Three months later, IT negotiates an M365 E5 upgrade that includes Defender for Endpoint P2. The standalone subscription runs concurrently for 18 months before anyone notices. Meanwhile, the security operations team provisions Microsoft Sentinel in Azure and ingests Microsoft 365 audit logs at consumption rates — unaware that M365 E5 includes a free daily data allowance for Microsoft security data into Sentinel. These overlaps compound. In a 10,000-user enterprise, the cumulative waste from duplicated security licences and unconsumed entitlements routinely exceeds USD 500,000 annually.

This guide exists to make those overlaps visible. Every section is structured around a single question: what do you already have, and what is genuinely new?

Defender

The threat protection family. Defender for Endpoint (device security), Defender for Office 365 (email and collaboration security), Defender for Identity (Active Directory threat detection), and Defender for Cloud Apps (shadow IT and SaaS security). These four products are individually licensable, but all four are included in Microsoft 365 E5. The most common over-spend: purchasing Defender products standalone while already on E5, or purchasing individual Defender products piecemeal when E5 would be cheaper.

Sentinel

The cloud-native SIEM/SOAR platform. Unlike Defender, Entra, and Purview, Sentinel is not included in any M365 plan. It is an Azure consumption service billed by data ingestion volume (per GB/day). However, M365 E5 provides a significant free data ingestion grant for Microsoft security data sources. Sentinel’s cost is highly variable and depends on log volume, retention period, and data sources connected. It is the only major Microsoft security product where costs are unpredictable without active management.

Entra

The identity security family (formerly Azure AD). Entra ID P1 (conditional access, MFA, group-based licensing, self-service password reset) and Entra ID P2 (Privileged Identity Management, Identity Protection, access reviews, entitlement management). P1 is included in M365 E3; P2 is included in M365 E5. The most common over-spend: purchasing EMS E5 for Entra ID P2 features that are already included in M365 E5.

Purview

The data governance and compliance family. Information Protection (sensitivity labels, encryption, DLP), Compliance Manager, eDiscovery, Insider Risk Management, Communication Compliance, Records Management, and Data Lifecycle Management. Basic capabilities are included in M365 E3; advanced capabilities (auto-labelling, advanced eDiscovery, Insider Risk) require M365 E5 Compliance or M365 E5. The most common over-spend: purchasing standalone Purview add-ons without recognising that the M365 E5 Compliance add-on bundles them all.

2. The Inclusion Map: What Each M365 Tier Already Covers

Before purchasing any standalone security product, every organisation must understand what security capabilities are already included in its existing Microsoft 365 licences. This inclusion map is the single most valuable tool for preventing over-spend.

Security Component | M365 E3 | M365 E5 | Standalone Price (Approx.)
Defender for Endpoint P1 | | | Included in E3
Defender for Endpoint P2 | | | ~USD 5.20/user/mo
Defender for Office 365 P1 | | | ~USD 2/user/mo
Defender for Office 365 P2 | | | ~USD 5/user/mo
Defender for Identity | | | ~USD 5.50/user/mo
Defender for Cloud Apps | | | ~USD 3.50/user/mo
Entra ID P1 | | | ~USD 6/user/mo
Entra ID P2 | | | ~USD 9/user/mo
Intune Plan 1 | | | ~USD 8/user/mo
Purview Information Protection (basic) | | | Included in E3
Purview DLP (basic) | | | Included in E3
Purview Information Protection (advanced auto-labelling) | | | E5 Compliance add-on
Purview Insider Risk Management | | | E5 Compliance add-on
Purview eDiscovery (Premium) | | | E5 Compliance add-on
Microsoft Sentinel | | ❌ (free data grant) | Azure consumption

The Key Insight: M365 E5 Is a Security Bundle

M365 E3 security baseline: Defender for Endpoint P1 (attack surface reduction, next-generation protection, but no EDR), Entra ID P1 (conditional access, MFA), Intune Plan 1 (device management), Purview basic DLP and sensitivity labels. This is a solid foundation but lacks endpoint detection and response, advanced email protection, identity threat detection, and CASB capabilities.
M365 E5 security upgrade: Adds Defender for Endpoint P2 (full EDR, threat hunting, automated investigation), Defender for Office 365 P2 (advanced anti-phishing, attack simulation, automated investigation), Defender for Identity (lateral movement detection, compromised credential detection), Defender for Cloud Apps (shadow IT discovery, session controls, app governance), Entra ID P2 (PIM, Identity Protection, access reviews), and Purview advanced compliance (auto-labelling, Insider Risk, premium eDiscovery).
What E5 does NOT include: Microsoft Sentinel (Azure consumption), Defender for Cloud (Azure workload protection), Intune Plan 2 and premium add-ons, Entra ID Governance advanced features, and Copilot for Security. These remain separate purchases regardless of M365 tier.

3. Defender: Four Products, One Licensing Decision

Microsoft Defender is not one product — it is four distinct security products unified under a single brand. Each has its own capability set, its own standalone pricing, and its own inclusion rules within M365 bundles. The licensing decision is whether to purchase them individually or acquire them all through M365 E5.

Endpoint

Defender for Endpoint: P1 vs P2

P1 (included in M365 E3): Next-generation antimalware, attack surface reduction rules, device-based conditional access, and basic device control. P1 is a prevention-focused product that stops known threats but does not detect or investigate advanced attacks. P2 (included in M365 E5, ~USD 5.20/user/mo standalone): Adds endpoint detection and response (EDR), automated investigation and remediation, threat hunting, threat analytics, and Microsoft Threat Experts access. P2 is the full EDR platform that security operations teams require for threat detection and incident response. The P1-to-P2 upgrade is the most impactful single security licensing decision for most organisations.

Office 365

Defender for Office 365: P1 vs P2

P1 (~USD 2/user/mo standalone): Safe Attachments (sandboxed attachment detonation), Safe Links (URL rewriting and time-of-click protection), and anti-phishing policies with mailbox intelligence. P1 addresses the most common email attack vector: malicious attachments and links. P2 (included in M365 E5, ~USD 5/user/mo standalone): Adds Threat Explorer (real-time email threat investigation), automated investigation and response (AIR), attack simulation training, and campaign views. P2 is essential for security operations teams that need to investigate and respond to email-borne attacks at scale.

Identity + CASB

Defender for Identity and Cloud Apps

Defender for Identity (included in M365 E5, ~USD 5.50/user/mo standalone): Monitors Active Directory signals to detect lateral movement, compromised credentials, domain dominance attacks, and reconnaissance. Requires sensors on domain controllers. Critical for organisations with on-premises Active Directory. Defender for Cloud Apps (included in M365 E5, ~USD 3.50/user/mo standalone): Cloud Access Security Broker (CASB) providing shadow IT discovery, SaaS app governance, session controls, and data exfiltration detection. Essential for organisations with significant SaaS application usage beyond Microsoft 365.

Cost Comparison

Defender À La Carte vs M365 E5: The Bundle Mathematics

A 5,000-user organisation on M365 E3 (~USD 36/user/month) evaluates adding all four Defender products as standalone add-ons:

Defender for Endpoint P2: 5,000 × USD 5.20 = USD 26,000/month. Defender for Office 365 P2: 5,000 × USD 5.00 = USD 25,000/month. Defender for Identity: 5,000 × USD 5.50 = USD 27,500/month. Defender for Cloud Apps: 5,000 × USD 3.50 = USD 17,500/month. Total Defender standalone: USD 96,000/month (USD 19.20/user/month).

M365 E5 upgrade: ~USD 57/user/month total (USD 21/user incremental over E3). The E5 upgrade costs USD 1.80/user/month more than standalone Defender alone — but includes Entra ID P2 (~USD 9 value), advanced Purview compliance, Power BI Pro, Phone System, and Audio Conferencing. For organisations that need three or more Defender products, E5 is almost always cheaper than à la carte. For organisations that need only Defender for Endpoint P2, the standalone add-on is significantly cheaper than the E5 upgrade.

4. Entra ID: The Identity Layer Most Organisations Under-Utilise

Entra ID (formerly Azure Active Directory) licensing determines the organisation’s identity security capabilities: authentication strength, access control granularity, privileged access governance, and identity threat detection. The two tiers — P1 and P2 — are clearly delineated, but most organisations on E3 significantly under-utilise their P1 entitlement before considering the P2 upgrade.

Entra ID P1 (Included in M365 E3)

Conditional access policies (the foundation of zero-trust: control access based on user, device, location, risk, and application), multi-factor authentication (MFA) with conditional access enforcement, self-service password reset (SSPR), group-based licence assignment, dynamic groups, application proxy for on-premises app access, and Microsoft Entra Connect for hybrid identity. P1 delivers the core identity security platform that most organisations need. The most under-utilised capability: conditional access policies that enforce MFA, require compliant devices, and block legacy authentication — available in E3 but deployed by fewer than half of E3 organisations.

Entra ID P2 (Included in M365 E5)

Adds Privileged Identity Management (PIM) for just-in-time admin access, Identity Protection (risk-based conditional access using machine learning to detect impossible travel, anomalous sign-ins, and leaked credentials), access reviews (periodic recertification of user access), and entitlement management (access packages for governed access provisioning). P2 is most valuable for organisations with significant privileged admin accounts, regulatory access recertification requirements, or advanced identity threat concerns. The headline feature is PIM, which eliminates standing admin privileges — the single highest-risk identity configuration in most organisations.

Entra ID Governance (Separate Purchase)

Beyond P1 and P2, Microsoft offers Entra ID Governance as an additional premium SKU (~USD 7/user/month). Governance adds lifecycle workflows (automated onboarding/offboarding), machine-learning-based access recommendations, and advanced entitlement management features. Governance is separate from both P2 and M365 E5 — it is a standalone add-on regardless of M365 tier. Organisations with complex joiner/mover/leaver processes and regulatory access governance requirements should evaluate Governance independently from the P1/P2 decision.

5. Microsoft Sentinel: The Consumption Cost That Catches Everyone Off Guard

Sentinel is the architectural outlier in Microsoft’s security portfolio. While Defender, Entra, and Purview are per-user subscription products included in M365 bundles, Sentinel is an Azure consumption service billed by the volume of data ingested and retained. This makes Sentinel costs inherently variable, difficult to predict, and easy to underestimate.

How Sentinel Pricing Works

Sentinel charges are based on data ingestion volume measured in GB per day, stored in a Log Analytics workspace. Two pricing tiers: Pay-As-You-Go (~USD 2.46/GB for the first 100 GB/day) and Commitment Tiers (discounted rates for pre-committed daily volumes: 100 GB/day at ~USD 196/day, 200 GB/day at ~USD 368/day, scaling up to 5,000 GB/day). Commitment Tiers deliver 30–50% savings versus Pay-As-You-Go for predictable workloads. Additionally, data retention beyond 90 days incurs storage charges. A mid-size enterprise ingesting 200 GB/day pays approximately USD 11,000/month on a commitment tier — or USD 15,000/month without one.

The M365 E5 Data Grant

Organisations with M365 E5, M365 E5 Security, or Microsoft 365 E5 Compliance receive a free daily data ingestion allowance for Microsoft security data sources into Sentinel. This grant covers ingestion of specific Microsoft 365 data tables (SigninLogs, AuditLogs, SecurityAlert, SecurityIncident, and others) at no charge. The grant can represent a significant portion of a Sentinel deployment’s total ingestion volume — often 30–50% of total data. Organisations on E5 that are not leveraging this grant are paying full consumption rates for data that should be free.

The Cost Spiral Risk

Sentinel costs can spiral if data ingestion is not governed. Every new log source connected to Sentinel increases daily ingestion volume and cost. Common cost escalation triggers: connecting verbose log sources (Azure Activity, DNS, proxy logs) without evaluating data value, enabling verbose diagnostic logging on Azure resources, ingesting raw firewall or network flow data at full fidelity, and retaining data beyond 90 days without archival tiering. Without active governance, Sentinel costs typically double within 12–18 months of initial deployment as the security team connects additional data sources.

1) Select a Commitment Tier Based on Projected Ingestion

Analyse current data volumes from all planned log sources before enabling Sentinel. Calculate the expected daily ingestion in GB and select the commitment tier that covers 80–90% of normal daily volume (with Pay-As-You-Go covering burst periods). The commitment tier discount (30–50%) is the largest single Sentinel cost optimisation. Over-provisioning the commitment tier wastes money; under-provisioning forfeits the discount on predictable volume. Review and adjust the tier quarterly as log sources change.

2) Implement Data Collection Rules and Ingestion Governance

Not every log event needs to reach Sentinel. Use data collection rules (DCRs) and transformations to filter, sample, or summarise verbose log sources at ingestion time, reducing volume and cost without losing security-relevant signals. Archive low-value data to basic logs (lower-cost storage tier with limited query capability) rather than analytics logs (full query capability at higher cost). Establish an ingestion governance policy: every new data source connected to Sentinel requires security team approval with a documented cost-benefit analysis.

6. Purview: Data Governance Licensing That Hides in Plain Sight

Microsoft Purview encompasses information protection, data loss prevention, compliance management, eDiscovery, insider risk management, and data lifecycle management. Its licensing is layered across M365 tiers in a way that makes it difficult to determine where basic capabilities end and premium capabilities begin.

E3 Included

Purview Capabilities in M365 E3

Manual sensitivity labels (users apply labels to documents and emails), basic DLP (policies that detect and restrict sharing of sensitive data in Exchange, SharePoint, OneDrive, and Teams), Microsoft Purview Compliance Manager (compliance posture assessment and recommendations), basic eDiscovery (content search across M365), manual data retention policies, and basic audit (standard audit log retention for 180 days). E3 Purview covers fundamental data governance needs for most organisations — particularly those without regulatory requirements for advanced eDiscovery or insider threat detection.

E5 Included

Purview Capabilities Added in M365 E5

Automatic sensitivity labelling (server-side auto-classification based on content inspection), advanced DLP (endpoint DLP, exact data match, OCR scanning), eDiscovery Premium (custodian management, review sets, predictive coding, advanced analytics), Insider Risk Management (detection of data exfiltration, policy violations, and risky user behaviour), Communication Compliance (monitoring for policy violations in Teams, email, and chat), advanced audit (1-year log retention, high-value audit events), and Records Management (file plan management, regulatory record retention). These capabilities are typically required by financial services, healthcare, government, and other regulated industries.

Add-ons

Purview Capabilities Requiring Separate Purchase

Even M365 E5 does not include every Purview capability. Microsoft Purview Data Governance (data cataloguing, data estate scanning, data quality rules for multi-cloud data) is a separate Azure consumption service. Purview Audit 10-year retention is an add-on for organisations with decade-long audit log requirements. Extra eDiscovery storage beyond included limits requires additional capacity purchases. These add-ons are relevant for a narrow set of heavily regulated organisations and should not be conflated with the E5-included Purview compliance capabilities.

7. The E3+Add-ons vs E5 Decision: The Maths That Determines Everything

The single most consequential Microsoft security licensing decision is whether to upgrade from M365 E3 to E5 for the full security bundle, or to remain on E3 and purchase only the specific security add-ons needed. This decision determines the organisation’s security licensing cost for the three-year EA term.

The E5 Security Upgrade Cost

M365 E5 is approximately USD 57/user/month. M365 E3 is approximately USD 36/user/month. The incremental E5 cost is approximately USD 21/user/month. For a 10,000-user organisation, the E5 security upgrade costs approximately USD 2,520,000 per year. This is a significant investment that includes all Defender products, Entra ID P2, advanced Purview compliance, Power BI Pro, Phone System, and Audio Conferencing. The security-specific value is substantial, but so is the total cost.

The M365 E5 Security Add-on Alternative

Microsoft offers an M365 E5 Security add-on (~USD 12/user/month) that adds the security components of E5 to an E3 base without the non-security features (Power BI Pro, Phone System, Audio Conferencing). This add-on includes all four Defender products and Entra ID P2. Separately, the M365 E5 Compliance add-on (~USD 12/user/month) adds the advanced Purview capabilities. Organisations that need security but not telephony or Power BI Pro can achieve the same security posture at E3 + E5 Security (~USD 48/user/month) versus full E5 (~USD 57/user/month) — saving USD 9/user/month.

Targeted Add-ons for Specific Needs

If the organisation needs only one or two specific security capabilities (e.g., only Defender for Endpoint P2 and Entra ID P2), purchasing those standalone products is significantly cheaper than E5 or the E5 Security add-on. Defender for Endpoint P2 (~USD 5.20) + Entra ID P2 (~USD 9) = ~USD 14.20/user/month vs USD 21 for the E5 increment or USD 12 for E5 Security. However, if the organisation needs three or more Defender products plus Entra P2, the E5 Security add-on at USD 12 undercuts the combined standalone price of approximately USD 19–20.

Security Requirement | Optimal Licensing Path | ~Cost Per User/Month (Incremental)
Defender for Endpoint P2 only | Standalone add-on to E3 | ~USD 5.20
Defender for Endpoint P2 + Entra ID P2 | Standalone add-ons to E3 | ~USD 14.20
All Defender products + Entra ID P2 | M365 E5 Security add-on | ~USD 12
All security + advanced compliance | M365 E5 Security + E5 Compliance add-ons | ~USD 24
All security + compliance + Power BI + telephony | Full M365 E5 upgrade | ~USD 21
Defender for Endpoint P2 for 20% of users only | Standalone for security team; E3 for remainder | ~USD 1.04 blended

8. The Overlap Map: Where Organisations Double-Pay

Security licensing overlaps are the silent budget drain. They occur when the same capability is purchased through multiple procurement channels, when a bundled entitlement is not recognised as covering a requirement that was separately budgeted, or when a product upgrade renders a standalone subscription redundant.

EMS E5 + M365 E5 Overlap

Enterprise Mobility + Security E5 includes Entra ID P2, Intune Plan 1, Azure Information Protection P2, Defender for Identity, and Defender for Cloud Apps. M365 E5 includes all of these. Organisations that hold both EMS E5 and M365 E5 licences are paying twice for the same identity and security capabilities. The fix: if the organisation upgrades to M365 E5, remove EMS E5 licences and save approximately USD 16/user/month. This is the single highest-value overlap elimination in most Microsoft estates.

Standalone Defender + E5 Bundle Overlap

Organisations that purchased individual Defender products (Endpoint P2, Office 365 P2, Identity, Cloud Apps) before upgrading to M365 E5 often continue paying for the standalone subscriptions. Each standalone subscription running concurrently with E5 is pure waste. A 10,000-user organisation with standalone Defender for Endpoint P2 overlapping with E5 wastes USD 624,000/year. Post-E5 upgrade, audit every standalone security subscription for bundle overlap and terminate duplicates immediately.

Sentinel Data Grant Not Leveraged

M365 E5 includes a free Sentinel data ingestion grant for Microsoft security data. Organisations paying full consumption rates for data types covered by the grant are over-spending by 30–50% of their Sentinel bill. The grant must be actively claimed and configured — it does not apply automatically. If the organisation has M365 E5 and Sentinel, verify that the grant is applied to the Sentinel workspace and that eligible Microsoft data tables are ingesting under the grant rather than under consumption billing.

Purview Add-on + E5 Overlap

Organisations that purchased the M365 E5 Compliance add-on and subsequently upgraded to full M365 E5 may continue paying for the compliance add-on. Full E5 includes all E5 Compliance capabilities — the add-on becomes redundant upon E5 upgrade. Similarly, standalone Purview product purchases (Information Protection P2, eDiscovery Premium) may overlap with E5-included capabilities. Review every Purview-related subscription against the E5 inclusion map and eliminate overlaps.

9. Defender for Cloud: The Azure Security Layer (Separate from Everything Above)

Defender for Cloud is architecturally distinct from the rest of Microsoft’s security portfolio. It protects Azure workloads (VMs, storage, SQL, containers, Kubernetes, App Service), multi-cloud resources (AWS, GCP), and on-premises servers — and it is licensed per-resource through Azure consumption, not per-user through M365.

Foundational CSPM (Free)

Cloud Security Posture Management at the foundational tier is free for all Azure subscriptions. It provides a security score, basic recommendations, and asset inventory for Azure resources. No additional licence or enablement is required — every Azure customer already has this. Foundational CSPM does not include workload protection (threat detection for servers, databases, containers), advanced posture management (attack path analysis, governance rules), or multi-cloud coverage.

Defender for Cloud Plans (Per-Resource Consumption)

Workload-specific Defender plans provide threat detection and protection for individual Azure resource types: Defender for Servers (~USD 15/server/month for P2), Defender for SQL (~USD 15/instance/month), Defender for Containers (~USD 7/vCore/month), Defender for Storage (~USD 10/storage account/month), Defender for Key Vault, Defender for DNS, Defender for App Service, and others. Each plan is enabled per-resource and billed through Azure consumption. The cost scales with the number of protected resources, not the number of users.

Defender CSPM (Advanced Posture Management)

Defender CSPM is the advanced tier (~USD 5/billable resource/month) that adds attack path analysis, cloud security explorer, agentless scanning, governance rules, and multi-cloud posture management (AWS, GCP). CSPM is billed per billable resource — meaning every Azure VM, storage account, SQL instance, and other scanned resource incurs a charge. For large Azure estates, CSPM costs can be significant. Evaluate CSPM based on the number of billable resources, not just the per-resource rate. A 500-resource Azure estate costs approximately USD 2,500/month for CSPM alone.

10. Building Your Security Stack: A Maturity-Based Framework

Rather than purchasing every available Microsoft security product, organisations should build their security stack progressively based on maturity, threat landscape, and regulatory requirements. Each stage delivers measurable security improvement before the next investment is justified.

Security Licensing Maturity Stages

Stage 1 — Foundation (M365 E3, no add-ons): Deploy all included security capabilities: Defender for Endpoint P1 (enable ASR rules, next-gen protection), Entra ID P1 conditional access (enforce MFA for all users, block legacy auth, require compliant devices), Intune Plan 1 (MDM, MAM, compliance policies, security baselines), and Purview basic DLP (protect sensitive data in M365). Most organisations have not fully deployed their E3 security entitlements. Completing Stage 1 eliminates the majority of common attack vectors at zero incremental licensing cost.
Stage 2 — Detection and Response (add Defender for Endpoint P2): The highest-impact single security add-on. Defender for Endpoint P2 adds EDR (detection of advanced threats that bypass prevention), automated investigation and remediation, threat hunting, and threat-based conditional access with Intune. Deploy as a standalone add-on to E3 (~USD 5.20/user/month) for the security operations team and high-risk user populations. Expand to all users if budget permits or E5 becomes cost-justified.
Stage 3 — Full Threat Protection (M365 E5 Security add-on or E5): Add the remaining Defender products (Office 365 P2, Identity, Cloud Apps) and Entra ID P2. This stage delivers complete XDR (extended detection and response) across endpoints, email, identity, and SaaS applications. The E5 Security add-on (~USD 12/user/month) is the most cost-effective path if three or more Defender products are needed. Evaluate full E5 if Power BI Pro or telephony are also required.
Stage 4 — SIEM/SOAR (add Microsoft Sentinel): Deploy Sentinel for centralised security event correlation, automated incident response, and long-term security data retention. Connect Microsoft Defender signals (free via E5 data grant) and third-party sources (firewalls, proxies, identity providers). Select a commitment tier based on projected daily ingestion. Sentinel completes the security operations architecture by providing the analytics layer above the Defender XDR telemetry.
Stage 5 — Governance and Compliance (add Purview advanced): For regulated industries: add M365 E5 Compliance for Insider Risk Management, advanced eDiscovery, auto-labelling, communication compliance, and advanced audit. Add Entra ID Governance for lifecycle workflows and access governance. These capabilities are driven by regulatory requirements rather than threat detection — deploy when compliance mandates justify the investment.

11. EA Negotiation Strategies for Security Licensing

Microsoft security licensing is among the most negotiable components of an Enterprise Agreement because Microsoft is competing directly with established security vendors (CrowdStrike, Palo Alto, Splunk, Okta, Zscaler) and is willing to offer significant incentives to win or retain the security estate within its platform.

1) Use Competitive Alternatives as Leverage

Microsoft’s security pricing is most negotiable when the organisation has credible alternatives. A CrowdStrike proposal for endpoint security, an Okta evaluation for identity, or a Splunk deployment for SIEM creates genuine competitive pressure. Present Microsoft with specific competitive pricing and ask them to match or undercut. Microsoft account teams have significant authority to discount E5 Security, E5 Compliance, and individual Defender products when the alternative is losing the security estate to a competitor. Discounts of 15–30% on security add-ons are achievable with credible competitive positioning.

2) Negotiate E5 Security and E5 Compliance as Separate Line Items

Rather than committing to full M365 E5 for all users, negotiate E5 Security and E5 Compliance as separate add-ons to your E3 base. This allows differentiated deployment: E5 Security for all users (or the security-relevant subset), E5 Compliance only for regulated user populations, and E3 base for users who need neither. Each add-on should be a separate negotiation line item with its own volume discount. Bundling both into full E5 may or may not be cheaper — calculate both options and negotiate accordingly.

3) Negotiate Sentinel Commitment Tier Credits Within the EA

Sentinel consumption (Azure billing) is typically negotiated separately from M365 licensing. However, EA negotiations can include Azure consumption commitments (MACC) that encompass Sentinel costs. Negotiate Sentinel commitment tier pricing as part of the overall Azure commitment, and ensure the M365 E5 Sentinel data grant is documented and activated. Organisations that negotiate Sentinel within the EA context (rather than as a standalone Azure consumption item) typically achieve 10–20% better effective rates through combined Azure commitment discounts.

4. Conduct an Overlap Audit Before the Renewal

Before entering EA renewal negotiations, conduct a complete Microsoft security licence inventory: every standalone security subscription, every EMS licence, every M365 plan, every Azure Defender plan, and every Sentinel workspace. Map every security capability against its licence source to identify overlaps. Eliminate duplicates before the renewal to establish an accurate baseline. The savings from overlap elimination (often 20–40% of current security spend) can be redirected to fund genuinely incremental security capabilities in the new EA term.
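The capability-to-licence mapping described in step 4 can be scripted. The sketch below is an added example, not a Redress Compliance tool: it flags licences whose every capability is already covered, at an equal or higher tier, by the user's other licences. The entitlement map uses only inclusions stated in this guide, and the user inventory and function names are constructed for illustration.

```python
from typing import Dict, List

# licence -> {capability family: tier}. Built only from inclusions stated in
# this guide; extend it from your own contract documents before relying on it.
ENTITLEMENTS: Dict[str, Dict[str, int]] = {
    "M365 E3": {"Defender for Endpoint": 1, "Entra ID": 1, "Intune": 1},
    "M365 E5": {"Defender for Endpoint": 2, "Entra ID": 2, "Intune": 1,
                "Azure Information Protection": 2, "Defender for Identity": 1,
                "Defender for Cloud Apps": 1},
    "EMS E5": {"Entra ID": 2, "Intune": 1, "Azure Information Protection": 2,
               "Defender for Identity": 1, "Defender for Cloud Apps": 1},
    "Defender for Endpoint P2 standalone": {"Defender for Endpoint": 2},
}

def best_tiers(licences: List[str]) -> Dict[str, int]:
    """Highest tier of each capability family granted by a set of licences."""
    best: Dict[str, int] = {}
    for lic in licences:
        for family, tier in ENTITLEMENTS.get(lic, {}).items():
            best[family] = max(best.get(family, 0), tier)
    return best

def redundant_licences(assigned: List[str]) -> List[str]:
    """Licences whose every capability is covered, at an equal or higher
    tier, by the user's remaining licences. Unmapped licences are kept."""
    kept = sorted(set(assigned))
    redundant = []
    # Try the narrowest licences first so a bundle is not dropped in favour
    # of the standalone products it contains.
    for lic in sorted(kept, key=lambda l: len(ENTITLEMENTS.get(l, {}))):
        grants = ENTITLEMENTS.get(lic)
        if not grants:
            continue
        others = best_tiers([k for k in kept if k != lic])
        if all(others.get(f, 0) >= t for f, t in grants.items()):
            kept.remove(lic)
            redundant.append(lic)
    return sorted(redundant)

def audit(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per-user redundant licences, omitting users with none."""
    findings = {u: redundant_licences(l) for u, l in inventory.items()}
    return {u: r for u, r in findings.items() if r}

# Constructed sample inventory (user -> assigned licences).
SAMPLE = {
    "alice": ["M365 E5", "EMS E5"],
    "bob": ["M365 E3", "Defender for Endpoint P2 standalone"],
    "carol": ["M365 E5", "EMS E5", "Defender for Endpoint P2 standalone"],
}

if __name__ == "__main__":
    for user, dupes in audit(SAMPLE).items():
        print(f"{user}: remove {', '.join(dupes)}")
```

In the sample, bob is not flagged: Defender for Endpoint P2 on top of E3 is a genuinely incremental purchase, not an overlap.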

12. How Independent Advisory Transforms Security Licensing Outcomes

Microsoft security licensing is the area where independent advisory delivers the highest ROI because the overlap complexity, the bundling mathematics, and the EA negotiation dynamics create a landscape where procurement teams without deep Microsoft licensing expertise consistently overpay.

Value 1: Security Licence Overlap Assessment

Redress Compliance maps every Microsoft security capability against every licence in the organisation’s estate: M365 plans, EMS plans, standalone subscriptions, Azure consumption services, and any third-party overlap. We identify every duplicate entitlement, every unconsumed inclusion, and every instance where a capability is purchased standalone that is already bundled. Our assessments typically identify 20–40% immediate savings through overlap elimination alone — before any EA negotiation begins.

Value 2: E3/E5 Decision Modelling and EA Negotiation

We build detailed financial models comparing every viable licensing path: E3 + individual add-ons, E3 + E5 Security, E3 + E5 Security + E5 Compliance, full E5, and hybrid deployments (E5 for subset, E3 for remainder). We identify the optimal path for the organisation’s specific security requirements and user population, and then support the EA negotiation with market pricing intelligence, competitive positioning strategy, and Sentinel commitment tier optimisation. Our EA negotiation support consistently achieves 15–30% below-list pricing on security components.

Value 3: Complete Vendor Independence

Redress Compliance has no Microsoft partnership, no CSP resale revenue, and no incentive to recommend E5 upgrades, Sentinel adoption, or any specific Microsoft security product. If CrowdStrike provides better endpoint protection, Okta provides better identity, or Splunk provides better SIEM for the organisation’s requirements, we say so. Our assessment considers both Microsoft-native and third-party security options, ensuring the organisation invests in the security stack that delivers the best protection at the best price — regardless of vendor.

“The most powerful Microsoft security licensing strategy is also the simplest: know what you already own. Most enterprises have 60–80% of their required security capabilities already included in their M365 licences but under-deployed. The highest-ROI security investment is not a new product purchase — it is full activation of existing entitlements. Conditional access in Entra ID P1. Attack surface reduction in Defender for Endpoint P1. DLP policies in Purview. Device compliance in Intune. These capabilities are in M365 E3, they cost nothing incremental, and they address the majority of common attack vectors. Only after these are fully deployed should the organisation evaluate which additional capabilities justify premium licensing — and the answer is almost never every capability for every user.”

Frequently Asked Questions

What security features are included in Microsoft 365 E3?
M365 E3 includes Defender for Endpoint Plan 1 (next-generation antimalware and attack surface reduction, but no EDR), Entra ID P1 (conditional access, MFA, self-service password reset), Intune Plan 1 (device management, app protection, compliance policies), and Purview basic capabilities (manual sensitivity labels, basic DLP, basic eDiscovery, standard audit). This is a substantial security foundation that addresses the majority of common threats. Most organisations have not fully deployed their E3 security entitlements before considering E5 upgrades.
Is Microsoft 365 E5 worth it just for the security features?
It depends on how many security capabilities you need. If you need all four Defender products (Endpoint P2, Office 365 P2, Identity, Cloud Apps) plus Entra ID P2 plus advanced Purview, full E5 is typically the most cost-effective path because the incremental cost (~USD 21/user/month over E3) is less than purchasing these components standalone (~USD 30+/user/month combined). However, if you only need one or two security capabilities, targeted add-ons to E3 are significantly cheaper. The M365 E5 Security add-on (~USD 12/user/month) offers a middle ground: all Defender products and Entra P2 without the non-security E5 features.
Is Microsoft Sentinel included in M365 E5?
No — Sentinel is an Azure consumption service billed separately based on data ingestion volume, regardless of M365 tier. However, M365 E5 includes a free daily data ingestion allowance for specific Microsoft security data sources (such as sign-in logs, audit logs, and security alerts) into Sentinel. This grant can cover 30–50% of a typical Sentinel deployment’s ingestion volume. The grant must be actively configured — it does not apply automatically. Organisations on E5 running Sentinel should verify the grant is applied to their workspace.
What is the difference between Defender for Endpoint P1 and P2?
P1 (included in M365 E3) provides prevention-focused capabilities: next-generation antimalware, attack surface reduction rules, device-based conditional access, and network protection. P1 stops known threats but does not detect or investigate advanced attacks. P2 (included in M365 E5, ~USD 5.20/user/month standalone) adds endpoint detection and response (EDR), automated investigation and remediation, threat hunting, threat analytics, and threat-based conditional access. P2 is the full EDR platform required for security operations teams to detect, investigate, and respond to sophisticated threats.
Do I need EMS E5 if I have M365 E5?
No. M365 E5 includes everything in EMS E5: Entra ID P2, Intune Plan 1, Azure Information Protection P2, Defender for Identity, and Defender for Cloud Apps. Organisations holding both M365 E5 and EMS E5 are paying twice for the same capabilities. If you upgrade to M365 E5, remove EMS E5 licences immediately. This is the most common — and most expensive — Microsoft security licensing overlap, wasting approximately USD 16/user/month for every user holding both licences.
How do I control Microsoft Sentinel costs?
There are three primary strategies. First, select the appropriate commitment tier based on projected daily ingestion volume (30–50% discount versus pay-as-you-go). Second, implement data collection rules and transformations to filter verbose log sources at ingestion time, reducing volume without losing security-relevant signals. Third, use basic logs (lower-cost tier) for data sources that need retention but infrequent querying, and analytics logs (full-cost tier) only for data that requires frequent, interactive investigation. Additionally, claim the M365 E5 data grant for Microsoft security data sources and review Sentinel costs quarterly to adjust the commitment tier as log sources change.
What is Defender for Cloud and is it included in M365 E5?
Defender for Cloud protects Azure workloads (VMs, databases, containers, storage, app services) and multi-cloud resources (AWS, GCP). It is separate from M365 E5 — it is an Azure consumption service billed per protected resource. Foundational cloud security posture management (CSPM) is free for all Azure subscriptions. Workload-specific Defender plans (Servers, SQL, Containers, Storage) and advanced CSPM require per-resource Azure consumption charges. Defender for Cloud should be evaluated separately from the M365 security licensing decision, based on the organisation’s Azure and multi-cloud resource footprint.

Need Help Optimising Microsoft Security Licensing? Let’s Talk.

Redress Compliance delivers independent Microsoft security licensing assessments — overlap identification, E3/E5 decision modelling, Sentinel cost optimisation, EA negotiation support, and cross-product entitlement mapping. We identify 20–40% savings in security licensing while ensuring every required capability is covered. Complete vendor independence. No Microsoft partnerships, no resale commissions.

Fredrik Filipsson

Fredrik Filipsson is the co-founder of Redress Compliance, a leading independent advisory firm specialising in Oracle, Microsoft, SAP, IBM, and Salesforce licensing. With over 20 years of experience in software licensing and contract negotiations, Fredrik has helped hundreds of enterprises optimise their Microsoft security investments — including E3/E5 decision modelling, Defender portfolio licensing, Sentinel cost management, and EA renewal negotiations. He built his expertise over two decades working directly for IBM, SAP, and Oracle before founding Redress Compliance 11 years ago.