Why Full-Population MDE Plan 2 Deployments Overspend by $132K Per Year
Microsoft Defender for Endpoint is the market's leading enterprise endpoint detection and response (EDR) platform. It is also one of the most systematically over-provisioned security products in enterprise Microsoft estates, because the Plan 2 tier — included in M365 E5 — is routinely deployed across entire user populations when Plan 1 capability is sufficient for 40–60% of that population.
The commercial mathematics are straightforward. This article works with a Plan 2 differential over Plan 1 of approximately $5.20/user/month for the standalone add-on, or $62.40/user/year. For a 5,000-user organisation where 3,000 users (60%) could be adequately protected by Plan 1, deploying Plan 2 across the full population spends $62.40/year on each of those 3,000 over-provisioned users, or $187,200/year, on capability nobody consumes. The segmented alternative (Plan 2 for the 2,000 SOC-adjacent and privileged users, Plan 1 for the remaining 3,000) recovers that $187,200/year. For a 10,000-user organisation with the same 60% ratio, the saving is $374,400/year or more.
This article maps what Plan 1 and Plan 2 each provide, which user populations genuinely require Plan 2's EDR capabilities, and how to structure a segmented deployment in the context of your M365 EA negotiation.
Plan 1 vs Plan 2: What Each Actually Provides
Both plans provide next-generation antivirus (NGAV) protection — real-time protection, behavioral monitoring, cloud-delivered protection, and rapid response to emerging threats. The capability difference lies in the detection, investigation, and response tools that extend beyond prevention into active threat hunting and forensic investigation.
| Capability | Plan 1 | Plan 2 | Operational Requirement |
|---|---|---|---|
| Next-Gen Antivirus (NGAV) | Included | Included | Standard deployment |
| Attack Surface Reduction (ASR) rules | Included | Included | Standard deployment |
| Endpoint Firewall management | Included | Included | Standard deployment |
| Device health reporting | Included | Included | Standard deployment |
| EDR (Endpoint Detection & Response) | Not included | Included | Active SOC / analyst team |
| Advanced threat hunting (KQL) | Not included | Included | Threat hunter role |
| 6-month device timeline retention | Not included | Included | Forensic investigation |
| Vulnerability management (basic) | Not included | Included | Security hygiene programme |
| Device discovery | Not included | Included | Asset inventory programme |
| Automated investigation & remediation | Not included | Included | SOC automation capability |
| Live response | Not included | Included | IR/forensic capability |
| Microsoft Threat Experts access | Not included | Included | Managed detection escalation |
The critical observation from this capability table is that Plan 2's differentiating capabilities all require active consumption by security operations staff. EDR telemetry is only valuable if someone is monitoring it. Threat hunting requires KQL-proficient analysts with time allocated to proactive hunting. Six-month timeline retention is only relevant during incident investigation or regulatory review. Automated investigation and remediation requires configured security playbooks and alert triage workflows.
For users whose devices need protecting against threats but who are not themselves subjects of active threat hunting, forensic investigation, or complex incident response (the broad population of knowledge workers, back-office staff, and field employees), Plan 1 provides functionally equivalent protection against the threats that will actually be encountered on those endpoints.
Where MDE Lives in Your M365 Licensing
The M365 licence tier that includes Defender for Endpoint determines your default plan. Understanding this is essential before purchasing add-ons:
M365 E3 includes Defender for Endpoint Plan 1. If your organisation is on E3 and wants Plan 2 EDR capabilities, the options are: (a) purchase the Defender for Endpoint Plan 2 standalone add-on for the whole population at approximately $5.20/user/month; (b) upgrade to M365 E5, which includes Plan 2 among many other capabilities; or (c) purchase the Plan 2 add-on only for the user population that requires EDR. Option (c) is the segmented deployment this article recommends.
M365 E5 includes Defender for Endpoint Plan 2. Organisations on E5 should confirm that their security operations team is actually consuming Plan 2's EDR capabilities — if not, this is an indicator that the population could be served by E3 with Plan 1, with targeted Plan 2 add-ons for the smaller SOC-adjacent and privileged user population.
Microsoft 365 Business Premium (for organisations of up to 300 users) includes Defender for Business, a simplified EDR variant built on the same platform, rather than Plan 1 or Plan 2. Business Premium customers are outside the scope of enterprise EA discussions, and Defender for Business is not the subject of the Plan 1/Plan 2 segmentation described here.
Population Segmentation: Who Needs Plan 2
The population segmentation question — which users require Plan 2 — is best answered by mapping user roles against the specific Plan 2 capabilities they need to consume, not against a general security tier.
Users Who Require Plan 2
Security Operations Center (SOC) analysts require Plan 2 regardless of device type: they need EDR telemetry, hunting, and investigation tools to do their jobs. IT administrators with privileged access (domain admins, Azure admins, system administrators) are elevated threat targets where EDR provides meaningful additional detection capability for lateral movement and credential theft scenarios. Senior executives and board members are commonly targeted in spear-phishing and targeted attack campaigns where Plan 2's advanced detection justifies the cost. Finance, M&A, and legal staff handling material non-public information are regulated-function populations where forensic investigation capability is a compliance requirement.
Users Adequately Served by Plan 1
Knowledge workers in standard roles — marketing, HR, customer service, field sales, operations — who work on corporate-managed devices, access cloud SaaS applications, and do not handle sensitive data beyond normal business information are well-protected by Plan 1's NGAV, ASR, and firewall management capabilities. The threat scenarios that require Plan 2 EDR investigation — advanced persistent threats, living-off-the-land lateral movement, nation-state tooling — are disproportionately directed at privileged and high-value targets, not the broad knowledge worker population.
In a 10,000-user enterprise, the Plan 2 population typically comprises 800–1,500 users: SOC analysts (50–100), IT admins (200–400), executives (100–200), and regulated-function staff (500–800). The remaining 8,500–9,200 users can be adequately served by Plan 1, producing annual savings of $530,000–$574,000 per year (at $5.20/user/month Plan 2 differential for 8,500+ users).
EA Negotiation Positioning
Three negotiation tactics are most effective for Defender for Endpoint in enterprise EA discussions:
Segmentation as the primary counter-position. If Microsoft proposes full-population Defender for Endpoint Plan 2 (either standalone or as part of E5), counter with a validated segmentation analysis showing the SOC and privileged user population that requires Plan 2, and E3 + Plan 1 for the remainder. The segmentation analysis — showing roles mapped to capability requirements — is a strong negotiating position because it demonstrates analytical rigour that most buyers don't bring to security licence discussions.
CrowdStrike displacement as the negotiation lever. If your organisation has CrowdStrike Falcon deployed, you are paying for EDR capability that overlaps with MDE Plan 2. The competitive evaluation question — CrowdStrike contract renewal vs Microsoft EDR consolidation — creates significant discount pressure on Microsoft's EA pricing. Microsoft's internal pricing approval for high-volume MDE Plan 2 deployments requires competitive justification; a credible CrowdStrike evaluation provides that justification. See our guide to using competitive pressure in EA negotiations.
Vulnerability management as a separate track. Plan 2 includes core vulnerability management; the premium capabilities are sold as the Defender Vulnerability Management add-on on top of Plan 2 (or as a standalone licence). Treat that add-on as a commercial track separate from the core EDR capability. If your organisation already runs a mature Qualys or Tenable vulnerability management deployment, decline the add-on and challenge the vulnerability management component bundled into Plan 2 pricing as partially redundant.
For the full security licensing context, see our Microsoft Security Licensing guide and our analysis of M365 E5 security value. For EA negotiation strategy, see our EA Negotiation service page and our guide to EA leverage points.
4-Step MDE Licensing Optimization
Step 1: Inventory current MDE deployment and plan assignments. Licence tier is assigned per user, not per device, so the Microsoft Defender portal's device inventory tells you what is onboarded but not which plan a user holds. Pull the device inventory for the onboarded estate, then cross-reference against Microsoft 365 Admin Centre (or Microsoft Graph) licence assignments to establish which users hold Plan 2 and whether it comes from an E5 bundle or a standalone add-on. One caveat practitioners miss: a tenant holding both Plan 1 and Plan 2 licences delivers Plan 2 capabilities to every onboarded device by default. To run a genuinely segmented estate, enable mixed-licensing mode on the Licenses page under Settings > Endpoints in the Defender portal and tag the Plan 1 devices as that page instructs; otherwise the licence saving is real on the invoice but the devices are still consuming Plan 2 features, which is a licence-compliance exposure.
Step 2: Map users to privilege and threat profile. Segment your user population into Plan 2-required (SOC, IT admin, executive, regulated function) and Plan 1-adequate (broad knowledge worker). Use your HR system and Active Directory group structure as the data source for this segmentation.
Step 3: Model the cost scenarios. Calculate annual cost for (a) current deployment, (b) full-population Plan 2, (c) segmented Plan 2 + Plan 1, and (d) E3 with standalone Plan 2 add-on for Plan 2 population vs E5 for all. Identify the lowest-cost option that meets your security requirements.
Step 4: Use the segmentation analysis in your EA renewal. Present the segmented model as your opening position in EA renewal discussions. The documented segmentation analysis — not a vague request for a discount — is the credible counter-position that unlocks pricing authority. Contact our team via the assessment page to benchmark your segmentation against our data from 500+ comparable engagements.
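Steps 1 to 3 worked end to end as a Microsoft Graph PowerShell script. This is an added example, not the article's own tooling: the Entra ID group names, the E3/E5 prices and the MDE service plan names (WINDEFATP for Plan 2, DEFENDER_ENDPOINT_P1 for Plan 1) are assumptions that you should confirm against your own tenant before trusting the counts.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
# Added example (not from the original article). Inventories which licensed users hold
# MDE Plan 1 or Plan 2 and from which SKU, marks the Plan 2-required population by
# Entra ID group membership, and models the cost scenarios of Step 3.
# Assumptions: the group names, the E3/E5 prices, and the service plan names below.
# Confirm plan names with (Get-MgSubscribedSku).ServicePlans in your tenant.
param(
    [double]$Plan2Differential = 5.20,   # $/user/month Plan 2 over Plan 1 (the article's figure)
    [double]$E3Price = 36.00,            # assumed list $/user/month; replace with your EA rate
    [double]$E5Price = 57.00,            # assumed list $/user/month; replace with your EA rate
    [string[]]$Plan2Groups = @(          # assumed Entra ID groups that define the Plan 2 population
        'SG-SOC-Analysts', 'SG-Tier0-Admins', 'SG-Executives', 'SG-Regulated-Finance-Legal')
)

Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'Organization.Read.All' -NoWelcome

# Step 1: map tenant SKUs to the MDE plan they carry. Assumed service plan names:
# WINDEFATP = Plan 2 (bundled in M365 E5, standalone SKU WIN_DEF_ATP),
# DEFENDER_ENDPOINT_P1 = Plan 1 (bundled in M365 E3, standalone Plan 1 SKU).
$p2Skus = @{}; $p1Skus = @{}
foreach ($sku in Get-MgSubscribedSku) {
    $plans = @($sku.ServicePlans.ServicePlanName)
    if     ($plans -contains 'WINDEFATP')            { $p2Skus[$sku.SkuId] = $sku.SkuPartNumber }
    elseif ($plans -contains 'DEFENDER_ENDPOINT_P1') { $p1Skus[$sku.SkuId] = $sku.SkuPartNumber }
}

# Step 2: the Plan 2-required population is the union of the named groups, nested groups included.
$required = @{}
foreach ($name in $Plan2Groups) {
    $group = Get-MgGroup -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $group) { Write-Warning "Group '$name' not found; skipping"; continue }
    Get-MgGroupTransitiveMember -GroupId $group.Id -All | ForEach-Object { $required[$_.Id] = $true }
}

# Classify every enabled, licensed user: current plan (from SKU) versus required plan (from groups).
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses |
    Where-Object { $_.AccountEnabled -and $_.AssignedLicenses.Count -gt 0 }

$rows = foreach ($u in $users) {
    $skuIds  = @($u.AssignedLicenses.SkuId)
    $p2From  = @($skuIds | Where-Object { $p2Skus.ContainsKey($_) } | ForEach-Object { $p2Skus[$_] })
    $current = if ($p2From) { 'P2' }
               elseif ($skuIds | Where-Object { $p1Skus.ContainsKey($_) }) { 'P1' }
               else { 'None' }
    [pscustomobject]@{
        Upn      = $u.UserPrincipalName
        Current  = $current
        P2Source = ($p2From -join ';')   # e.g. SPE_E5 (bundled in E5) vs WIN_DEF_ATP (standalone add-on)
        Required = if ($required.ContainsKey($u.Id)) { 'P2' } else { 'P1' }
    }
}

$total  = $rows.Count
$haveP2 = @($rows | Where-Object Current  -eq 'P2').Count
$needP2 = @($rows | Where-Object Required -eq 'P2').Count
$over   = @($rows | Where-Object { $_.Current -eq 'P2' -and $_.Required -eq 'P1' }).Count
$under  = @($rows | Where-Object { $_.Current -ne 'P2' -and $_.Required -eq 'P2' }).Count
Write-Host "Licensed users: $total | hold P2: $haveP2 | need P2: $needP2 | over-provisioned: $over | under-provisioned: $under"

# Step 3: annual cost scenarios. (a) to (c) count only the Plan 2 differential;
# (d) compares E3 for all plus a targeted Plan 2 add-on against E5 for all.
$annual = $Plan2Differential * 12
@(
    [pscustomobject]@{ Scenario = '(a) Current Plan 2 footprint';                  AnnualUSD = $haveP2 * $annual }
    [pscustomobject]@{ Scenario = '(b) Plan 2 for the full population';            AnnualUSD = $total  * $annual }
    [pscustomobject]@{ Scenario = '(c) Segmented: Plan 2 only where required';     AnnualUSD = $needP2 * $annual }
    [pscustomobject]@{ Scenario = '(d1) E3 for all + Plan 2 add-on where required'; AnnualUSD = $total * $E3Price * 12 + $needP2 * $annual }
    [pscustomobject]@{ Scenario = '(d2) E5 for all';                               AnnualUSD = $total * $E5Price * 12 }
) | Format-Table -AutoSize

# Step 4 input: the per-user segmentation, exported for the EA renewal workbook.
$rows | Export-Csv -Path .\mde-segmentation.csv -NoTypeInformation
```

The script only reads the directory, so it can run under a read-only role. The over-provisioned count is the user-level difference between scenarios (b) and (c); the under-provisioned count is the check that matters for security rather than cost, because it lists privileged or regulated users who would lose EDR if the tenant were simply cut to Plan 1 along group lines.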