Microsoft Sentinel charges on the volume of data you ingest and retain, not on user seats. This guide maps the commitment tiers, the E5 data grant, and the moves that cut the bill.
Microsoft Sentinel is priced on the volume of data ingested and retained, measured in gigabytes, which makes data engineering the real cost lever, not the licence.
Teams that treat Sentinel as a seat licence overspend within a quarter. The meter runs on every log you send it.
This guide shows the tiers, the data grant most enterprises forget to claim, and four moves that cut the bill.
Microsoft Sentinel charges for analysing data, and that charge sits on top of the Log Analytics workspace that stores it. The unit is the gigabyte ingested, not the user.
The authoritative breakdown is in the Microsoft Sentinel billing documentation, and the current rates are on the Sentinel pricing page.
There is no per analyst Sentinel fee. A team of three can run a bill larger than a team of thirty if they ingest more data. Manage the data, not the headcount.
Commitment tiers let you pledge a daily ingestion volume in exchange for a lower effective rate. The trade is predictability and discount against flexibility.
Pay as you go versus commitment tier logic
| Model | Best when | Risk |
|---|---|---|
| Pay as you go | Volume is small or erratic | Highest unit rate |
| Commitment tier | Volume is steady and predictable | Pay for pledged volume even if unused |
| Mixed with basic logs | High volume low value sources exist | Limited query features on basic logs |
Measure a stable thirty day baseline before you commit. Pledge slightly below your steady median, because overage above a tier still bills at the tier rate, not the higher pay as you go rate.
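The sizing rule above, worked through as an added example (not code from this guide or from Microsoft): it prices a constructed 30 day baseline under pay as you go and under two pledges, using the billing logic the guide describes. The daily volumes, pledge sizes and per gigabyte rates are constructed placeholders; take real rates from the Sentinel pricing page.

```python
from statistics import median

# Constructed 30 day baseline of billable daily ingestion in GB (not real data).
# Weekday/weekend pattern repeated four times, plus one normal day and one spike.
BASELINE_GB = [118, 122, 125, 119, 131, 96, 92] * 4 + [127, 240]

# Placeholder prices per GB, NOT Microsoft's rates.
PAYG_RATE = 5.00
TIER_RATES = {100: 3.50, 200: 3.25}  # pledged GB/day -> effective rate per GB


def payg_cost(daily_gb):
    """Pay as you go: every GB bills at the highest unit rate."""
    return sum(gb * PAYG_RATE for gb in daily_gb)


def tier_cost(daily_gb, pledge_gb, rate):
    """Commitment tier: the pledge bills even when unused, and volume
    above the pledge bills at the same tier rate (as the guide states)."""
    return sum(max(gb, pledge_gb) * rate for gb in daily_gb)


def compare(daily_gb):
    """Return (median GB/day, {model name: cost over the baseline})."""
    costs = {"payg": payg_cost(daily_gb)}
    for pledge, rate in TIER_RATES.items():
        costs[f"tier_{pledge}"] = tier_cost(daily_gb, pledge, rate)
    return median(daily_gb), costs


def recommend(daily_gb):
    """Cheapest option among pay as you go and tiers pledged at or below the median."""
    mid, costs = compare(daily_gb)
    eligible = {"payg": costs["payg"]}
    for pledge in TIER_RATES:
        if pledge <= mid:  # the guide's rule: pledge below the steady median
            eligible[f"tier_{pledge}"] = costs[f"tier_{pledge}"]
    return min(eligible, key=eligible.get)


if __name__ == "__main__":
    mid, costs = compare(BASELINE_GB)
    print(f"median GB/day: {mid}")
    for name, cost in costs.items():
        print(f"{name:>9}: {cost:,.2f}")
    print("recommended:", recommend(BASELINE_GB))
```

With these placeholder numbers the pledge above the median costs more than pay as you go, because 29 of the 30 days pay for volume that was never ingested.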
Customers with Microsoft 365 E5 receive a per user daily data grant that offsets ingestion of certain Microsoft 365 security logs into Sentinel. Many teams never claim it.
The scope of the grant and the eligible data types are documented in the Sentinel billing reference, and the wider security entitlements sit on the Microsoft 365 E5 Security page.
The common advice is to ingest everything because storage is cheap and you might need the data later. We disagree. In roughly 18 of the 25 Sentinel deployments we benchmarked, a quarter or more of ingested volume never touched a detection rule yet billed at the full analytics rate. The buyer side move is to classify every source by detection value first, route low value high volume sources to basic or auxiliary logs, and archive cold data outside hot retention. Ingest everything is a slogan that suits the meter, not the budget, and disciplined data engineering cuts the bill without losing a single detection.
Sentinel is priced on data ingested and retained, measured per gigabyte, plus the underlying Log Analytics charge. There is no per user or per seat Sentinel fee.
A commitment tier is a pledged daily ingestion volume that lowers the effective per gigabyte rate. It suits steady predictable volume and bills for the pledge even if you ingest less.
Yes. E5 includes a per user daily data grant that offsets ingestion of certain Microsoft 365 security logs. Many teams never claim it, so check your entitlement.
Basic logs are a lower cost ingestion tier for high volume low value data, with reduced query and retention features. They suit verbose sources that do not drive detections.
Filter verbose data at the collector, route low value sources to basic logs, claim the E5 grant, size a commitment tier, and archive cold data. Coverage is set by detection rules, not by raw volume.
No. Ingesting data that never feeds a detection rule bills at the full rate for no security value. Classify sources by detection value before you connect them.
Yes. Data kept beyond the included window incurs a separate retention charge. Archive tiers are cheaper than hot analytics retention for data you rarely query.
Monthly. New connectors and noisy sources raise the meter quietly, so a recurring review keeps ingestion aligned with detection value.
Source: Redress Compliance advisory engagement file, 2024 to 2025.