Microsoft Defender for Office 365 (MDO) ships in two plans in 2026, with one structural change that rewrites the math: Defender for Office 365 Plan 1 is bundled into Microsoft 365 E3 from the 2026 anniversary onwards (a $2/user/month value at list), and Defender for Office 365 Plan 2 remains the gated SKU at $5/user/month standalone or bundled into M365 E5 Security ($12/user/month) and M365 E5 ($57/user/month). The procurement question for 2026 is not whether you need MDO — you have P1 already — the question is whether the threat-intel, attack-simulation, and automated-investigation capabilities of P2 justify the step-up for some or all of the population, and how to negotiate the P2 carve-out at renewal.
What Defender for Office 365 is, and what changed in 2026
Defender for Office 365 is the email and collaboration threat-protection layer in the Microsoft Defender XDR suite. It sits inline with Exchange Online Protection (which all M365 tenants already have) and adds Safe Links, Safe Attachments, anti-phishing intelligence, attack simulation training, automated investigation and response (AIR), threat explorer, and the email entity-graph view. From January 2026, Defender for Office 365 Plan 1 became a default inclusion in Microsoft 365 E3 (and Business Premium) — the structural change we cover in our analysis of the MDO P1 bundling change. Plan 2 remains the higher-tier offering with the threat-intel and attack-simulation surface.
The change is structurally negative for Microsoft’s standalone Defender revenue line and structurally positive for E3 adoption. From the buyer’s side it means the floor for email security inside the M365 estate is now "P1 at minimum." The procurement question is which subset of users genuinely needs P2.
Plan 1 vs Plan 2 — what each actually does
| Capability | Plan 1 | Plan 2 |
|---|---|---|
| Safe Links, Safe Attachments | Yes | Yes |
| Anti-phishing policies | Yes | Yes (with impersonation intel) |
| Real-time detections | Yes | Yes |
| Threat Explorer | Limited (last 7 days) | Full (30 days) |
| Threat Trackers | No | Yes |
| Attack Simulation Training | No | Yes |
| Automated Investigation & Response (AIR) | No | Yes |
| Campaign Views | No | Yes |
| Compromised User detection | No | Yes |
The P1-to-P2 gap is concentrated in two areas: threat-hunting depth (Threat Explorer 30-day, Trackers, Campaign Views) and proactive simulation (Attack Simulation Training). Organisations with a mature SOC use both. Organisations without a SOC capture limited value from P2 capabilities they will not operate.
The four SKU paths to P2 in 2026
- Standalone MDO Plan 2. $5/user/month. Adds to any qualifying M365 base. The cheapest single-product path.
- Microsoft 365 E5 Security add-on. $12/user/month on top of E3. Includes MDO P2, MDE P2, MDI, MDCA, and Entra ID P2. The natural home if more than one Defender workload is in scope.
- Microsoft 365 E5 (full suite). $57/user/month. Includes everything in E5 Security plus Purview, Power BI Pro, Teams Premium components.
- Microsoft 365 E7 Frontier. $99/user/month. Adds Sentinel and Copilot for Security. See our E7 Frontier suite guide for the structural detail.
Breakeven — when P2 is worth buying
The breakeven equation has changed in 2026 because P1 is now free. Pre-2026, the calculation was "$2 of P1 plus $3 to step up to P2" against the standalone price. In 2026 it is the $5 standalone vs the $0 default. The procurement bar is higher and the population that justifies P2 is smaller. The pattern we see across enterprise deployments in 2026:
- P2 for the full estate. Usual at financial services, healthcare, regulated industries with a 24/7 SOC running AIR and threat-hunting workflows.
- P2 for executives + finance + IT. Common at mid-market enterprises. The high-value attack surface gets P2; the rest of the estate runs on bundled P1.
- P2 via E5 Security add-on. The pattern when MDO P2 is part of a broader Defender consolidation (with MDI, MDE P2, MDCA in scope). The $12 add-on subsumes the standalone math.
- No P2. Increasingly common at organisations with strong third-party email security (Proofpoint, Mimecast) layered over EOP plus the new default MDO P1. The procurement save is real.
EA negotiation levers specific to MDO
- Standalone-to-bundle migration credit. Customers on standalone MDO P2 who consolidate into E5 Security at renewal should expect a credit for the unused tail of the standalone commitment. Microsoft will offer it unprompted on accounts with EA leverage and not at all on accounts without it — ask.
- P2 population segmentation. Microsoft prefers full-base P2 deployment because the math favours Microsoft. The buyer’s preference is segmentation by user role. Document the security-relevant user population (executives, finance, IT, legal) and negotiate P2 for that subset. The carve-out is rarely refused.
- Third-party email security overlap. If you run Proofpoint, Mimecast, or Abnormal Security, the duplicate-spend case is real. P1-default plus a third-party gateway covers most of the use cases P2 would otherwise serve. Use this as the leverage to keep P2 carve-outs tight.
- Attack Simulation Training spin-off. Microsoft sometimes offers ASA as an Office 365 standalone SKU. Where the only P2 use case is simulation training, this can be the path. Confirm current availability with the LSP at renewal.
- Price protection. Lock the per-user MDO P2 price across the EA term with explicit anti-uplift language. Defender SKU repricing is a feature of every recent EA renewal cycle.
Frontline and shared-mailbox considerations
F1 and F3 Frontline users have MDO licensing requirements that depend on whether they hold a qualifying user mailbox. Frontline users without a mailbox do not need MDO; Frontline users with a mailbox need MDO P1 minimum (already included in the M365 F3 SKU). Shared mailboxes do not require their own MDO licence under current Product Terms (Customer Use Rights for Exchange Online), but the user accounts authenticating into the shared mailbox do.
Anonymised case study: $480K P2 right-sizing
A 19,000-employee professional services firm renewed its EA in early 2026 with a Microsoft proposal for full-base Defender for Office 365 Plan 2 at $5/user/month ($1.14M annualised). We segmented the population against the actual SOC operating model: a 24/7 SOC covered the 4,200-user executive / finance / IT / legal cohort; the remaining 14,800 users were under standard help-desk security operations with no AIR workflow. We recommended P2 for the 4,200-user high-value cohort via the E5 Security add-on (already justified by MDI and MDE P2 also in scope) and the bundled P1 default for the rest. Net annualised licensing impact: $480K saved against the LSP-proposed full-base path, with no change to actual security posture for the 14,800-user cohort that the SOC was not actively threat-hunting.
Defender for Office 365 in 2026 is a different procurement decision than it was in 2025. P1 is free with E3; P2 is the negotiated population. Model the SOC operating model against the actual P2 capabilities, segment the population, and use the third-party email security overlap as the leverage where it applies. Layer the analysis with the broader Defender licensing landscape and the 2026 EA tier-collapse context, and MDO P2 stops being a default add-on and starts being a controlled negotiation.