The standalone SKU map for Defender, Entra, Purview, Intune, and Sentinel. The escape route from the Microsoft 365 E5 trap and the buyer side guide to right size the security stack.
Microsoft sells the security stack two ways. As the Microsoft 365 E5 bundle. Or unbundled across Defender, Entra, Purview, Intune, and Sentinel. The bundle wins on simplicity. The unbundled route wins on right sizing the spend for the actual security control coverage in use.
This guide reads as a buyer side framework. Use it with the security licensing guide, the E5 versus E3 comparison, the EA negotiation guide, and the Azure cost optimization article.
Microsoft 365 E5 anchors the security pitch. The bundle ships eight to ten security products under one SKU. The standalone route prices the same products as discrete add ons over Microsoft 365 E3. The decision is not theoretical. The unbundled path routinely lands 12 to 34 percent below the bundle on the same effective coverage.
The E5 trap sits in the bundle math. The bundle prices below the sum of the parts at sticker. Most buyers stop reading there. The trap is the coverage assumption. The bundle pays only when the buyer uses six or more of the included security products at meaningful depth.
A buyer with three of eight bundle products in production pays for five products that do nothing. The unbundled route at the same scope routinely lands 18 to 26 percent below the bundle and locks the standalone SKU price for the negotiation horizon.
The map below is the buyer side reference. Read it before quoting any renewal. The standalone SKUs price below the bundle on partial coverage and above the bundle only on full coverage at four plus products at depth.
| Product | Standalone SKU | Bundled in | Typical use case |
|---|---|---|---|
| Defender for Endpoint | Plan 1, Plan 2 | M365 E3 has P1, E5 has P2 | Endpoint EDR and threat intelligence |
| Defender for Office 365 | Plan 1, Plan 2 | M365 E5 | Email threat protection, attack simulation |
| Defender for Identity | Standalone | M365 E5 | On premises Active Directory threat detection |
| Defender for Cloud Apps | Standalone | M365 E5 | CASB, SaaS posture |
| Entra ID P2 | Standalone | M365 E5 | Identity Protection, PIM, access reviews |
| Purview Information Protection | P1, P2 | M365 E3 has P1, E5 has P2 | Sensitivity labels, DLP |
| Purview eDiscovery Premium | Standalone | M365 E5 | Legal hold, advanced eDiscovery |
| Purview Insider Risk | Standalone | M365 E5 | Insider threat detection |
| Intune | Plan 1 in E3, Plan 2 standalone | M365 E3 has P1 | Mobile and endpoint management |
| Sentinel | Consumption SKU on Azure | Not bundled | SIEM, log ingestion, automation |
The Defender family is the largest standalone surface. Plan 1 and Plan 2 split the endpoint product. The Office 365 product is sold separately. The Identity product runs against Active Directory. The Cloud Apps product is the CASB.
Entra ID P2 carries the Identity Protection engine, Privileged Identity Management, and the access review workflow. The standalone SKU runs alongside the M365 E3 baseline. The bundle does not deliver Entra benefits beyond what the standalone provides.
Purview is the most modular family. Information Protection P1 sits in M365 E3. The advanced Information Protection P2 sits in E5. The eDiscovery Premium and Insider Risk products are bundled in E5 but each carries a standalone SKU. The unbundled route is often the right answer.
Intune Plan 1 ships with Microsoft 365 E3. The Intune Plan 2 standalone covers advanced endpoint management. Sentinel is the SIEM. The Sentinel product is consumption priced on Azure outside the seat license entirely.
| Product | Pricing model | Buyer side action |
|---|---|---|
| Intune Plan 1 | Per user, bundled in M365 E3 | No action, already covered |
| Intune Plan 2 | Per user standalone | Add only on populations needing advanced endpoint management |
| Microsoft Sentinel | Per GB ingested plus per GB retained | Use commitment tiers, route log sources selectively |
The math depends on the depth of use across the eight security products. The table below is the rough cost comparison for a 5,000 seat estate at typical mid market Microsoft pricing. Use it as a starting frame, not a quote.
| Coverage profile | M365 E5 path | E3 plus standalone path | Buyer side winner |
|---|---|---|---|
| Three products in production | $57 per user month | $36 to $42 per user month | Unbundled wins by 26 to 36% |
| Five products in production | $57 per user month | $48 to $54 per user month | Unbundled wins by 5 to 16% |
| Seven products at depth | $57 per user month | $60 to $66 per user month | Bundle wins by 5 to 14% |
| Selective on small population | Full E5 across estate | E3 plus targeted E5 add ons | Targeted E5 add on wins on most estates |
Microsoft 365 E5 Security add on prices below the full M365 E5 SKU. A buyer can run M365 E3 across the estate and add the E5 Security add on to the population that needs the full security stack. The targeted path is the most common winner across mid market buyers in 2026.
The seven step checklist below moves a Microsoft security estate from bundle inertia to a defensible unbundled or hybrid stack. Open it 6 to 9 months before the EA anniversary.
No. Every product in the M365 E5 security bundle is available as a standalone SKU. The unbundled path is the right answer when the buyer uses three to five of the eight security products at meaningful depth. The bundle pays only when seven or more products run in production at depth.
Yes. The M365 E5 Security add on sits over Microsoft 365 E3. It ships the Defender suite plus Entra ID P2. The add on is the most common path for buyers running E3 across the estate who need the full security stack on a subset of users.
No. Microsoft Sentinel is consumption priced on Azure. The SIEM sits outside the seat license entirely. Commitment tiers reduce the per gigabyte rate. Log source selection drives the realized cost more than any commit discount.
Entra ID P2 is sold per user. The standalone SKU has no enrollment minimum on the CSP route. On the EA route the standard volume bands apply. Buyers commonly run Entra P2 on the privileged user layer only and run Entra P1 across the wider population.
Smaller regulated entities often unbundle. The bundle ships products that may not be required for the compliance scope. The unbundled path covers the regulated controls at lower cost and leaves the optional products for later add. A targeted E5 Security add on layer is often the cleanest answer.
Microsoft revises the security SKU map two to three times a year. The product names, the inclusion in bundles, and the standalone availability move. Confirm the SKU map at the time of quote. The standalone SKUs in this guide reflect the May 2026 catalog.
Redress runs the Microsoft security unbundling assessment as a four to six week workstream. The work pulls the production tooling inventory, scores depth of use, prices the three paths side by side, and lands the negotiation envelope on the standalone SKUs.
Read the related Vendor Shield, the Renewal Program, the Benchmark Program, the Software Spend Assessment, the Benchmarking framework, the about us page, the management team page, the locations page, and the contact page.
A buyer side framework for the next Microsoft renewal cycle. M365 E5 versus E3, standalone security SKU math, Entra and Purview posture, and the residual clause checklist.
Used across five hundred plus enterprise software engagements. Independent. Buyer side. Built for Microsoft customers running EA, CSP, or MCA Enterprise routes.
Open the white paper in your browser. Corporate email only.
Open the Paper →We mapped the eight E5 security products to production use across 14,800 seats. Three products ran at depth. Two ran at basic. Three sat dormant. The targeted E3 plus E5 Security add on path landed 23 percent below the bundle quote on the same effective coverage.
We have run 500+ enterprise clients across 11 publishers. Every engagement starts with one conversation.
Security SKU movement, E5 versus E3 tier rationalization, Entra and Purview unbundling patterns, Sentinel commit math, and the wider Microsoft commercial leverage signals across every renewal cycle.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
