Microsoft Defender for Identity (MDI, formerly Azure Advanced Threat Protection) is licensed five ways in 2026: as a standalone SKU at $5.50/user/month, bundled into Microsoft 365 E5 Security ($12/user/month), bundled into M365 E5 ($57/user/month), bundled into Microsoft 365 E7 Frontier ($99/user/month), or attached to Defender XDR via an EMS E5 step-up. The procurement question is rarely whether to buy Defender for Identity — the question is which entry vehicle, and what other security workloads you intend to consolidate into the same SKU. We map the five paths, the breakeven points, and the EA negotiation levers below.
What Defender for Identity actually is
Defender for Identity is the on-prem and hybrid identity threat-detection product in the Microsoft Defender XDR suite. It deploys sensors on domain controllers and ADFS / Entra Connect servers, ingests authentication telemetry, and detects lateral-movement, credential-theft, and reconnaissance behaviour against Active Directory. It is the only Defender product that requires server-side sensor deployment; every other Defender component is cloud-side. From a licensing perspective MDI is a per-user SKU, not a per-server SKU, and the licensing requirement applies to every user account whose authentication telemetry will be monitored.
The product replaced the legacy Advanced Threat Analytics (ATA) on-prem product, which reaches end of support in January 2026. Customers still on ATA are by definition migrating to MDI in 2026 — this is the lever that drives most of the negotiation activity we see this year. Microsoft knows the ATA migration deadline; the LSP knows it; the buyer who treats this as a routine SKU purchase pays full list.
The five licensing paths in 2026
- Standalone Defender for Identity. $5.50/user/month. Available on EA, MPSA, CSP, and MCA-E. The cheapest single-product entry. Useful when MDI is the only Defender workload the customer wants.
- Microsoft 365 E5 Security add-on. $12/user/month on top of E3. Includes Defender for Identity, Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Defender for Cloud Apps, and Entra ID P2. The natural home for MDI if multiple Defender workloads are in scope.
- Microsoft 365 E5 (full suite). $57/user/month. Includes everything in E5 Security plus Purview, Power BI Pro, and Teams Premium components. The procurement decision is rarely "buy E5 to get MDI" — it is "is the rest of E5 worth $45 of incremental spend."
- Microsoft 365 E7 Frontier. $99/user/month. Adds Sentinel-as-a-service, Copilot for Security entitlement, and the broader frontier stack. MDI is included but is a small slice of the E7 value. See our E5-vs-E7 comparison for the structural detail.
- EMS E5 step-up. $15/user/month on top of EMS E3. Includes Entra ID P2, Defender for Identity, Defender for Cloud Apps, and Intune. A pre-2020 packaging that is still on the price list and occasionally remains the cheapest path for organisations sitting on EMS E3 rather than M365 E3.
The breakeven arithmetic
| Workloads needed | Cheapest path | All-in per user/month |
|---|---|---|
| MDI only | Standalone | $5.50 |
| MDI + Defender for Endpoint P2 | Standalone MDI + MDE P2 ($5.20) | $10.70 |
| MDI + MDE P2 + MDO P2 | M365 E5 Security add-on | $12.00 |
| MDI + MDE P2 + MDO P2 + MDCA | M365 E5 Security add-on | $12.00 |
| MDI + full Purview + Power BI Pro | M365 E5 | $57 over $36 E3 |
| MDI + Sentinel + Copilot for Security | M365 E7 Frontier | $99 over $36 E3 |
The breakeven for E5 Security add-on against the à-la-carte stack lands at exactly three Defender products. The breakeven for E5 (full suite) against E3 plus E5 Security plus Purview add-ons lands at five workloads. The breakeven for E7 against E5 lands at two of: Sentinel, Copilot for Security, and the frontier compliance set. Anchor every Defender for Identity negotiation to one of these thresholds — not to the standalone price.
The ATA migration lever
Customers still on Advanced Threat Analytics need to migrate to MDI before ATA reaches end of support in January 2026. Microsoft has a structured migration play for ATA customers including a no-charge MDI overlap period and migration-services credits. Two negotiation rules apply: extend the overlap to cover your actual cutover timeline (often 6–9 months, not the 90 days the LSP first offers), and capture the migration credits in writing in the EA amendment rather than letting them sit as a verbal commitment from the account team. Verbal commitments from the Microsoft account team do not survive account-rep turnover, which is high.
EA negotiation levers specific to MDI
- Standalone-to-bundle migration window. If you bought standalone MDI and now want to consolidate into E5 Security, Microsoft will frequently waive the unused portion of the standalone commitment as a goodwill credit. Ask for it — do not pay twice.
- Coverage scope. MDI is licensed per user whose AD account is monitored. Service accounts, generic mailboxes, and decommissioned-but-not-deleted accounts inflate the licence count. A pre-renewal AD hygiene exercise typically trims 4–9% of the licensed population.
- Sensor count vs licence count. Microsoft sometimes proposes licensing tied to sensor count rather than monitored users. Reject this framing — the SKU is per user.
- Price protection. Lock the per-user MDI price across the EA term with explicit anti-uplift language. Defender SKU repricing has been a feature of every EA renewal cycle for the last four years.
- Frontline carve-out. F1 and F3 Frontline users typically do not need full MDI coverage. Carve them out of the licensed population at renewal — see our coverage of F1/F3 Frontline pricing in 2026.
Anonymised case study: $312K MDI rebuild
A 14,000-employee logistics firm was running ATA on-prem with 16,200 licensed AD users. The Microsoft account team proposed a standalone Defender for Identity rollout at $5.50 per user across all 16,200 accounts ($1.07M annualised). We audited the AD inventory and found 1,840 service accounts and 720 stale leaver accounts whose departure HR had not propagated to AD for deletion. The licensable population dropped to 13,640. We re-modelled the path against the customer’s pipeline for Defender for Endpoint and Defender for Office 365 Plan 2, both already on the 18-month roadmap, and recommended the E5 Security add-on at $12 per user for the office-worker subset (8,200 users) plus standalone MDI for the warehouse / frontline cohort (5,440 users). Net annualised licensing cost: $759K — $312K below the LSP-proposed path. The ATA-to-MDI migration credits were captured in the EA amendment and reduced year-one spend by a further $74K.
Defender for Identity is a five-path procurement decision masquerading as a single-SKU purchase. Map the path against your broader security workload roadmap, capture the ATA migration credits in the EA amendment, and use the breakeven thresholds — not the standalone price — as the negotiation anchor. Pair the analysis with the full Defender licensing landscape and the 2026 EA tier-collapse context, and Defender for Identity stops being a routine add-on and starts being a negotiation lever.