M365 E5 lists at $57 per user per month and rises to $60 on 1 July 2026. Across a modeled 12,000 seat estate, persona segmentation cut security licensing about 19 percent, near $1.54 million a year.
Prepared by Redress Compliance · June 2026 · Representative Microsoft estate scenario (benchmark scenario, not a quote).
Microsoft sells its security capabilities twice. They sit inside M365 E5, and they sell standalone. The bundle hides the unit economics, so most buyers never test whether the whole population consumes the E5 security stack.
It usually does not. In the estates we benchmark, 30 to 50 percent of seats never touch advanced Defender, Purview, or Sentinel features. The E5 Security add on delivers the Defender suite and Entra ID P2 on an E3 base for about $12 per user per month, against an E5 over E3 delta near $21.
The real decision is not bundle versus unbundle. It is persona segmentation. Buy E5 where it is consumed, E3 plus targeted security everywhere else. The window to act is the Enterprise Agreement anniversary, because seat reductions land only at renewal.
E5 carries the full Microsoft security stack: Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, Entra ID P2, Microsoft Sentinel access, Purview compliance, and Intune Plan 2. None of it is priced on your invoice. You see one number.
That one number defeats scrutiny. When security and productivity sit in one SKU, nobody asks whether the security half is used. The E5 over E3 premium is about $21 per user per month, near $252 a year. Across an estate, that bundled security line is one of the largest unexamined items in the IT budget.
Priced a la carte, the same capabilities tell a different story. The E5 Security add on carries the Defender suite and Entra ID P2 on an E3 base and lists near $12. What pushes E5 past the add on price is Sentinel, Purview, and Intune Plan 2, and most seats use none of the three.
| Capability | In M365 E5 | Standalone list price |
|---|---|---|
| Defender for Endpoint Plan 2 | Included | $5.20 per device per month |
| Defender for Office 365 Plan 2 | Included | $5.00 per user per month |
| Entra ID P2 | Included | $9.00 per user per month |
| Microsoft Sentinel | Access, no free ingestion | $4.30 to $5.59 per GB ingested |
| Purview advanced compliance | Included | E5 Compliance add on, near $12 per user per month |
| Intune Plan 2 | Included | $4.00 per user per month add on |
List prices are current as at the Microsoft public pricing pages, April to June 2026. Defender for Identity and Defender for Cloud Apps are not sold as separate retail SKUs at scale; they reach an E3 estate through the E5 Security add on.
Per user annual list cost by licensing path. Numbers match the segmentation table. Benchmark scenario, not a quote.
Every Defender product has a standalone or add on path. You do not have to buy E5 to run Microsoft endpoint, email, identity, and SaaS security. You can assemble exactly the tier each population needs.
The add on is the lever. It requires an E3 or Office 365 E3 plus EMS E3 base and cannot sit on top of an E5 base. That packaging rule is what makes the E3 plus add on path cheaper than E5 for security heavy users who still do not need Sentinel or Purview.
Sentinel is the component buyers misread most. It is not seat priced. It is priced on data ingestion, so the cost driver is log volume, not licenses. E5 grants access to Sentinel, not free ingestion, which means the bill arrives through Azure either way.
The analytics tier prices pay as you go between $4.30 and $5.59 per GB by region. Commitment tiers reserve daily capacity and cut the effective rate sharply.
| Tier | Effective rate per GB | Saving versus pay as you go |
|---|---|---|
| Pay as you go | $4.30 | Baseline |
| 100 GB per day commitment | $2.96 | 31 percent |
| 500 GB per day commitment | $2.53 | 41 percent |
| 50,000 GB per day commitment | $2.05 | 52 percent |
Effective Sentinel analytics tier rate per GB by commitment tier. Numbers match the Sentinel tier table.
Two mechanics matter here. A commitment tier can be raised at any time but lowered only after a 31 day minimum, so over committing is a one way door for a month. And Sentinel ingestion draws down your Azure MACC, so moving Sentinel outside E5 shifts the cost onto Azure consumption rather than removing it.
Purview is the second capability where E5 oversells. The full Purview suite that justifies E5 includes advanced eDiscovery, advanced data loss prevention, insider risk management, communication compliance, and records management. Most organizations need a subset, scoped to regulated populations.
The honest test is scope. Map which roles carry a real eDiscovery, retention, or insider risk obligation, then license the E5 Compliance add on for that population on an E3 base. Blanket Purview across every seat funds capabilities that legal will never invoke for a warehouse worker.
Microsoft prices security aggressively because most buyers have no walk away. Build one. A credible alternative at each capability is what converts a list price into a negotiated price, even if you never switch.
| Microsoft capability | Credible alternative | Commercial effect |
|---|---|---|
| Defender for Endpoint | CrowdStrike Falcon, $60 to $185 per device per year | Caps the endpoint line and forces a Defender discount |
| Microsoft Sentinel | Splunk or an alternative SIEM | Ingestion leverage and a multi year price hold |
| Purview compliance | OneTrust or alternative compliance tooling | Right sizes the compliance tier to regulated roles |
| Entra ID P2 | Okta or Ping identity | Pressure on the identity premium and conditional access lock in |
You do not need to deploy the alternative. You need it priced, scoped, and on the desk before the renewal. An account team that knows you have a real CrowdStrike quote treats the Defender line very differently from one that assumes you are captive.
Take a representative estate. Meridian Health Network runs 12,000 M365 seats, today all on E5. Split the population by actual security consumption, then license each segment to its need.
| Segment | Seats | Licensing path | Per user per year | Annual cost |
|---|---|---|---|---|
| Privileged and compliance heavy | 3,000 | M365 E5 | $684 | $2,052,000 |
| Security heavy knowledge worker | 4,000 | E3 + E5 Security add on | $576 | $2,304,000 |
| Frontline and light user | 5,000 | E3 + Defender for Endpoint P1 | $462 | $2,310,000 |
| Segmented total | 12,000 | Mixed | · | $6,666,000 |
| Blanket E5 today | 12,000 | M365 E5 | $684 | $8,208,000 |
| Annual saving | · | · | · | $1,542,000 (19%) |
Annual security licensing cost, blanket E5 versus persona segmented. Numbers match the segmentation table. Benchmark scenario, not a quote.
Across Microsoft estates we benchmarked in 2024 to 2025, this share of seats never used advanced Defender, Purview, or Sentinel features.
The 500 GB per day tier prices near $2.53 per GB against pay as you go around $4.30, a 41 percent reduction.
The three year gap is the headline. At $1.542 million a year, the segmented path runs $4.63 million below blanket E5 across the model. That is the overspend buying E5 for security 9,000 seats never fully use.
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025. Worked figures use Microsoft list prices and are a benchmark scenario, not a quote.
Unbundling is a renewal window move, not an anytime one. Under an Enterprise Agreement, you add seats through annual true ups, but you cannot reduce committed quantities mid term. Reductions and step downs land only at the anniversary order or renewal. Sequence backward from that date.
Pull M365 usage plus Defender, Purview, and Sentinel telemetry. Label every seat full E5, security heavy, or light. The split usually lands near 25 / 33 / 42.
Quote E3 plus the E5 Security add on, standalone Defender, and a right sized Sentinel commitment. Get CrowdStrike, a SIEM, and a compliance tool priced as real alternatives.
Lodge the segmented mix in the anniversary order. Hold a multi year price protection on the E5 population and the Sentinel commitment tier.
Miss the anniversary order deadline and the step down waits a full year, so the calendar, not the analysis, is the binding constraint. Start the mapping at least one quarter before the date on the agreement.
Recommendation: segment the estate, then step down at the anniversary.
We are glad to tie a meaningful part of the fee to delivered value.
Independent. Buyer side. The advisory firm enterprise software vendors do not want you to hire.
Vendor intelligence, audit alerts, and negotiation insights once a month. No spam.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.