Microsoft Enterprise Agreement | Security Licensing | White Paper

Unbundle the Microsoft Security Stack and Stop Overbuying E5

M365 E5 lists at $57 per user per month and rises to $60 on 1 July 2026. Across a modeled 12,000 seat estate, persona segmentation cut security licensing about 19 percent, near $1.54 million a year.

Prepared by Redress Compliance · June 2026 · Representative Microsoft estate scenario (benchmark scenario, not a quote).

Executive summary

Microsoft sells its security capabilities twice. They sit inside M365 E5, and they sell standalone. The bundle hides the unit economics, so most buyers never test whether the whole population consumes the E5 security stack.

It usually does not. In the estates we benchmark, 30 to 50 percent of seats never touch advanced Defender, Purview, or Sentinel features. The E5 Security add on delivers the Defender suite and Entra ID P2 on an E3 base for about $12 per user per month, against an E5 over E3 delta near $21.

The real decision is not bundle versus unbundle. It is persona segmentation. Buy E5 where it is consumed, E3 plus targeted security everywhere else. The window to act is the Enterprise Agreement anniversary, because seat reductions land only at renewal.

  • $57: M365 E5 list price per user per month. Rises to $60 on 1 July 2026.
  • 19%: Annual security licensing saving in the segmented 12,000 seat scenario. Benchmark scenario, not a quote.
  • $4.63M: Three year overspend from blanket E5 versus the segmented path across the modeled estate.
  • $12: E5 Security add on per user per month. The Defender suite and Entra ID P2 on an E3 base.

Why M365 E5 bundling hides the security economics

E5 carries the full Microsoft security stack: Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, Entra ID P2, Microsoft Sentinel access, Purview compliance, and Intune Plan 2. None of it is priced on your invoice. You see one number.

That one number defeats scrutiny. When security and productivity sit in one SKU, nobody asks whether the security half is used. The E5 over E3 premium is about $21 per user per month, near $252 a year. Across an estate, that bundled security line is one of the largest unexamined items in the IT budget.

Priced a la carte, the same capabilities tell a different story. The E5 Security add on carries the Defender suite and Entra ID P2 on an E3 base and lists near $12. What pushes E5 past the add on price is Sentinel, Purview, and Intune Plan 2, and most seats use none of the three.

| Capability | In M365 E5 | Standalone list price |
|---|---|---|
| Defender for Endpoint Plan 2 | Included | $5.20 per device per month |
| Defender for Office 365 Plan 2 | Included | $5.00 per user per month |
| Entra ID P2 | Included | $9.00 per user per month |
| Microsoft Sentinel | Access, no free ingestion | $4.30 to $5.59 per GB ingested |
| Purview advanced compliance | Included | E5 Compliance add on, near $12 per user per month |
| Intune Plan 2 | Included | $4.00 per user per month add on |

List prices are current as at the Microsoft public pricing pages, April to June 2026. Defender for Identity and Defender for Cloud Apps are not sold as separate retail SKUs at scale; they reach an E3 estate through the E5 Security add on.

[Chart: USD per user per year by licensing path. M365 E5 $684; E3 + E5 Security $576; E3 + Defender P1 $462; E3 base $432. Add on path: $108 below E5.]

Per user annual list cost by licensing path. Numbers match the segmentation table. Benchmark scenario, not a quote.

The non obvious point. The cheapest route to the Defender suite is not E5. It is E3 plus the E5 Security add on at about $576 a year, roughly $108 below E5. You give up Sentinel, Purview, and Intune Plan 2, which most users never open.

How does the Defender suite license outside the E5 bundle

Every Defender product has a standalone or add on path. You do not have to buy E5 to run Microsoft endpoint, email, identity, and SaaS security. You can assemble exactly the tier each population needs.

The add on is the lever. It requires an E3 or Office 365 E3 plus EMS E3 base and cannot sit on top of an E5 base. That packaging rule is what makes the E3 plus add on path cheaper than E5 for security heavy users who still do not need Sentinel or Purview.

Contract mechanic. The July 2026 move of Defender for Office 365 Plan 1 into E3 changes the a la carte math mid cycle. If you priced an E3 plus standalone email security plan before the change, re run it. The Plan 1 line you budgeted is now inside the base.

What does Microsoft Sentinel cost once it leaves the E5 bundle

Sentinel is the component buyers misread most. It is not seat priced. It is priced on data ingestion, so the cost driver is log volume, not licenses. E5 grants access to Sentinel, not free ingestion, which means the bill arrives through Azure either way.

The analytics tier prices pay as you go between $4.30 and $5.59 per GB by region. Commitment tiers reserve daily capacity and cut the effective rate sharply.

| Tier | Effective rate per GB | Saving versus pay as you go |
|---|---|---|
| Pay as you go | $4.30 | Baseline |
| 100 GB per day commitment | $2.96 | 31 percent |
| 500 GB per day commitment | $2.53 | 41 percent |
| 50,000 GB per day commitment | $2.05 | 52 percent |

[Chart: effective USD per GB ingested, analytics tier. Pay as you go $4.30; 100 GB/day $2.96; 500 GB/day $2.53; 50,000 GB/day $2.05. Up to 52% below pay as you go.]

Effective Sentinel analytics tier rate per GB by commitment tier. Numbers match the Sentinel tier table.

Two mechanics matter here. A commitment tier can be raised at any time but lowered only after a 31 day minimum, so over committing is a one way door for a month. And Sentinel ingestion draws down your Azure MACC, so moving Sentinel outside E5 shifts the cost onto Azure consumption rather than removing it.

Where the common advice on Sentinel is wrong. The standard pitch is that pulling Sentinel out of E5 saves money. We disagree. The licence was never the cost. In the estates we benchmark, the savings come from log volume engineering and a right sized commitment tier, not from the SKU choice. Cut ingestion first, then commit.

How do you match the Purview compliance tier to real requirements

Purview is the second capability where E5 oversells. The full Purview suite that justifies E5 includes advanced eDiscovery, advanced data loss prevention, insider risk management, communication compliance, and records management. Most organizations need a subset, scoped to regulated populations.

The honest test is scope. Map which roles carry a real eDiscovery, retention, or insider risk obligation, then license the E5 Compliance add on for that population on an E3 base. Blanket Purview across every seat funds capabilities that legal will never invoke for a warehouse worker.

Contract mechanic. Microsoft historically gated higher retention security and audit logs behind E5 and Purview. After 2023 scrutiny it widened default audit log access. Confirm what your current tier now grants before you buy a compliance add on to recover a log feature you may already hold.

What is the BATNA at every Microsoft security capability

Microsoft prices security aggressively because most buyers have no walk away. Build one. A credible alternative at each capability is what converts a list price into a negotiated price, even if you never switch.

| Microsoft capability | Credible alternative | Commercial effect |
|---|---|---|
| Defender for Endpoint | CrowdStrike Falcon, $60 to $185 per device per year | Caps the endpoint line and forces a Defender discount |
| Microsoft Sentinel | Splunk or an alternative SIEM | Ingestion leverage and a multi year price hold |
| Purview compliance | OneTrust or alternative compliance tooling | Right sizes the compliance tier to regulated roles |
| Entra ID P2 | Okta or Ping identity | Pressure on the identity premium and conditional access lock in |

You do not need to deploy the alternative. You need it priced, scoped, and on the desk before the renewal. An account team that knows you have a real CrowdStrike quote treats the Defender line very differently from one that assumes you are captive.

The contrarian position. The reseller line is that E5 is the cheapest way to get the stack because the parts cost more a la carte. We disagree. The parts cost more only if every seat needs every part. When 30 to 50 percent of seats do not, the blanket bundle is the expensive option, and the BATNA is what proves it in the room.

What does persona segmentation save on a 12,000 seat estate

Take a representative estate. Meridian Health Network runs 12,000 M365 seats, today all on E5. Split the population by actual security consumption, then license each segment to its need.

| Segment | Seats | Licensing path | Per user per year | Annual cost |
|---|---|---|---|---|
| Privileged and compliance heavy | 3,000 | M365 E5 | $684 | $2,052,000 |
| Security heavy knowledge worker | 4,000 | E3 + E5 Security add on | $576 | $2,304,000 |
| Frontline and light user | 5,000 | E3 + Defender for Endpoint P1 | $462 | $2,310,000 |
| Segmented total | 12,000 | Mixed | · | $6,666,000 |
| Blanket E5 today | 12,000 | M365 E5 | $684 | $8,208,000 |
| Annual saving | · | · | · | $1,542,000 (19%) |

[Chart: annual cost, USD millions, 12,000 seats. Blanket E5 today (current state) $8.21M; persona segmented (segmented state) $6.67M. Saving $1.54M (19%).]

Annual security licensing cost, blanket E5 versus persona segmented. Numbers match the segmentation table. Benchmark scenario, not a quote.

30–50%
Seats that do not consume the full E5 security stack

Across Microsoft estates we benchmarked in 2024 to 2025, this share of seats never used advanced Defender, Purview, or Sentinel features.

41%
Median Sentinel commitment saving at 500 GB per day

The 500 GB per day tier prices near $2.53 per GB against pay as you go around $4.30, a 41 percent reduction.

The three year gap is the headline. At $1.542 million a year, the segmented path runs $4.63 million below blanket E5 across the model. That is the overspend from buying E5 for security that 9,000 seats never fully use.

Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025. Worked figures use Microsoft list prices and are a benchmark scenario, not a quote.


How do you sequence the unbundling before renewal

Unbundling is a renewal window move, not an anytime one. Under an Enterprise Agreement, you add seats through annual true ups, but you cannot reduce committed quantities mid term. Reductions and step downs land only at the anniversary order or renewal. Sequence backward from that date.

Phase 1 · Weeks 1 to 6

Map entitlement to consumption

Pull M365 usage plus Defender, Purview, and Sentinel telemetry. Label every seat full E5, security heavy, or light. The split usually lands near 25 / 33 / 42.

Phase 2 · Weeks 6 to 12

Price standalone and the BATNA

Quote E3 plus the E5 Security add on, standalone Defender, and a right sized Sentinel commitment. Get CrowdStrike, a SIEM, and a compliance tool priced as real alternatives.

Phase 3 · At anniversary

Execute the step down

Lodge the segmented mix in the anniversary order. Hold a multi year price protection on the E5 population and the Sentinel commitment tier.

Miss the anniversary order deadline and the step down waits a full year, so the calendar, not the analysis, is the binding constraint. Start the mapping at least one quarter before the date on the agreement.

Recommendation: segment the estate, then step down at the anniversary.

  • Map entitlement to real consumption. Pull usage telemetry and label every seat full E5, security heavy, or light, then license each segment to its need rather than to the bundle.
  • Hold a credible BATNA on the desk. Price CrowdStrike, a third party SIEM, and an alternative compliance tool before renewal so the Defender, Sentinel, and Purview lines all face external pressure.

We are glad to tie a meaningful part of the fee to delivered value.

Prepared by Redress Compliance · redresscompliance.com · Microsoft list prices, April to June 2026.
