Microsoft has consolidated its security portfolio under the Defender XDR umbrella — but the licensing model remains fragmented across six distinct product families, each with Plan 1/Plan 2 tiers, standalone add-ons, and bundle interdependencies. An enterprise of 5,000 users buying security reactively — adding Defender products one at a time as threats emerge — typically spends 40–60% more than an organisation that maps its security requirements to the correct licence tier at renewal. This guide provides the complete comparison framework.
The Microsoft 365 Defender Product Family
Microsoft now uses "Microsoft Defender XDR" as the umbrella term for its unified security operations platform. The underlying products and their licensing requirements have not changed with the rebrand. The six core Defender components are:
| Product | Protects | Plan 1 | Plan 2 |
|---|---|---|---|
| Defender for Office 365 | Email, collaboration (Teams, SharePoint, OneDrive) | Included in M365 E3 | M365 E5 or add-on ~$5/user/month |
| Defender for Endpoint | Windows, macOS, Linux, iOS, Android endpoints | Included in M365 E3 (basic) | M365 E5 or add-on ~$5.20/user/month |
| Defender for Identity | On-premises Active Directory / Entra ID | N/A (no Plan 1) | M365 E5 or add-on ~$5.50/user/month |
| Defender for Cloud Apps | SaaS app access, Shadow IT discovery, CASB | Partial (Entra ID P1 provides App Proxy) | M365 E5 or add-on ~$3.50/user/month |
| Microsoft Sentinel | SIEM/SOAR — cross-signal analytics | N/A (consumption-based) | Separate consumption pricing; E5 credit offsets M365 data |
| Defender for Cloud (CSPM) | Azure, AWS, GCP cloud workloads | Free CSPM tier in Azure | $0.02/server/hour (Defender for Servers P2) |
M365 E3 vs E5: Security Coverage Comparison
The E3-to-E5 upgrade is the most common security licensing decision for large enterprises. At $57/user/month for E5 vs $36/user/month for E3, the $21/user/month delta buys a significant security uplift — but only if you actually deploy and use the E5 security features. Here is the precise capability difference:
| Security Capability | M365 E3 | M365 E5 |
|---|---|---|
| Defender for Office 365 — Safe Links, Safe Attachments | ✓ (Plan 1) | ✓ (Plan 2) |
| Defender for Office 365 — Attack Simulation Training | ✗ | ✓ |
| Defender for Office 365 — Advanced Hunting | ✗ | ✓ |
| Defender for Office 365 — Automated Investigation (AIR) | ✗ | ✓ |
| Defender for Endpoint — Next-gen AV, Attack Surface Reduction | ✓ (Plan 1) | ✓ (Plan 2) |
| Defender for Endpoint — EDR, Threat Analytics | ✗ | ✓ |
| Defender for Endpoint — Vulnerability Management | ✗ | ✓ |
| Defender for Identity (on-prem AD) | ✗ | ✓ |
| Microsoft Defender for Cloud Apps (full CASB) | ✗ | ✓ |
| Entra ID Protection (risk-based Conditional Access) | ✗ | ✓ (Entra P2) |
| Microsoft Purview compliance suite | Basic | Advanced (E5 Compliance) |
| Microsoft Sentinel data ingestion credit | ✗ | ~5 MB/user/day for M365 data |
| Microsoft Copilot for Security | ✗ (add-on) | ✗ (add-on, not in E5) |
Common misconception: Microsoft Copilot for Security is NOT included in M365 E5. It is an add-on priced per Security Compute Unit (SCU), currently $4/SCU/hour. An enterprise running Security Copilot for 40 hours/week at 4 SCUs would spend $3,328/month — well beyond any E5 credit.
Build vs Bundle: E3 + Add-Ons vs E5 Upgrade
The critical financial analysis is whether buying individual Defender add-ons on top of E3 is cheaper than upgrading to E5. The answer varies by what you actually need:
| Security Need | E3 + Add-On Cost | E5 Cost (delta vs E3) | Recommendation |
|---|---|---|---|
| Defender for Endpoint P2 only | ~$5.20/user/month | $21/user/month | Add-on wins |
| Defender for Office 365 P2 only | ~$5/user/month | $21/user/month | Add-on wins |
| Defender for Identity only | ~$5.50/user/month | $21/user/month | Add-on wins |
| DfE P2 + DfO365 P2 | ~$10.20/user/month | $21/user/month | Add-ons win |
| DfE P2 + DfO365 P2 + DfI | ~$15.70/user/month | $21/user/month | Add-ons win (barely) |
| DfE P2 + DfO365 P2 + DfI + Cloud Apps | ~$19.20/user/month | $21/user/month | E5 wins (add Purview + Sentinel credit) |
| Full security stack + compliance | ~$25+/user/month | $21/user/month | E5 wins clearly |
The inflection point is approximately four Defender products. If you need fewer than four, standalone add-ons deliver the same protection at lower cost. If you need four or more, E5 becomes the economically rational choice — and you get the compliance suite and Entra P2 included.
Microsoft Defender XDR: The Unified Platform Licensing Model
The Defender XDR portal (formerly Microsoft 365 Defender) is available to any organisation that has at least one qualifying Defender licence. There is no separate "Defender XDR licence" — the unified portal is an operational layer over the individual Defender product licences. Specifically:
- Access to the Defender XDR portal requires one or more of: Defender for Office 365 P2, Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps (E5 tier)
- Defender XDR Advanced Hunting (cross-product query) requires all four Defender products in scope — you only see signals for products you are licensed for
- Defender XDR Incidents and Alerts correlate signals across licensed products — incomplete coverage creates blind spots, not platform failures
- Microsoft Sentinel integration into Defender XDR is available under the "unified SOC" platform, but requires Microsoft Sentinel licensing separately
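One way to check which of the four qualifying products actually feed the portal is to read the tenant's licence inventory. The sketch below is an added example, not part of the original guide: it parses a constructed sample shaped like a Microsoft Graph `subscribedSkus` response, and the service plan names are assumptions taken from Microsoft's published licensing reference that should be verified against your own tenant. A licence is only the precondition for coverage; the product still has to be deployed.

```python
import json

# Service plan names as listed in Microsoft's licensing service-plan
# reference (assumption: verify against your own tenant's output).
XDR_PLANS = {
    "THREAT_INTELLIGENCE": "Defender for Office 365 P2",
    "WINDEFATP": "Defender for Endpoint P2",
    "ATA": "Defender for Identity",
    "ADALLOM_S_STANDALONE": "Defender for Cloud Apps",
}

# Constructed sample shaped like a Graph GET /subscribedSkus response.
# The skuPartNumber values are placeholders, not real SKU names.
SAMPLE = json.loads("""
{"value": [
 {"skuPartNumber": "EXAMPLE_BASE_SUITE", "capabilityStatus": "Enabled",
  "servicePlans": [
   {"servicePlanName": "MDE_LITE", "provisioningStatus": "Success"},
   {"servicePlanName": "ATP_ENTERPRISE", "provisioningStatus": "Success"}]},
 {"skuPartNumber": "EXAMPLE_ENDPOINT_ADDON", "capabilityStatus": "Enabled",
  "servicePlans": [
   {"servicePlanName": "WINDEFATP", "provisioningStatus": "Success"}]},
 {"skuPartNumber": "EXAMPLE_EXPIRED_TRIAL", "capabilityStatus": "Suspended",
  "servicePlans": [
   {"servicePlanName": "ATA", "provisioningStatus": "Success"}]},
 {"skuPartNumber": "EXAMPLE_CASB_ADDON", "capabilityStatus": "Enabled",
  "servicePlans": [
   {"servicePlanName": "ADALLOM_S_STANDALONE",
    "provisioningStatus": "Disabled"}]}
]}
""")

def xdr_coverage(subscribed_skus):
    """Return (covered, blind_spots) as sorted lists of product names."""
    covered = set()
    for sku in subscribed_skus.get("value", []):
        # Only subscriptions in the Enabled state are counted.
        if sku.get("capabilityStatus") != "Enabled":
            continue
        for plan in sku.get("servicePlans", []):
            name = plan.get("servicePlanName")
            # A plan switched off inside an active SKU sends no signals.
            if name in XDR_PLANS and plan.get("provisioningStatus") == "Success":
                covered.add(XDR_PLANS[name])
    blind_spots = set(XDR_PLANS.values()) - covered
    return sorted(covered), sorted(blind_spots)

if __name__ == "__main__":
    covered, blind_spots = xdr_coverage(SAMPLE)
    print("Portal access:", bool(covered))
    print("Sending signals:", covered)
    print("Blind spots:", blind_spots)
```

In the sample, the Plan 1 service plans, the suspended subscription and the disabled plan all fail to count, so the tenant has portal access through a single product while three workloads remain invisible to it.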
Defender for Business vs Defender for Endpoint: What Changes at SMB Scale
Microsoft introduced Defender for Business for organisations under 300 users as a simplified, lower-cost endpoint security option:
| Feature | Defender for Business | Defender for Endpoint P1 | Defender for Endpoint P2 |
|---|---|---|---|
| List price | $3/user/month | ~$3/user/month (in E3) | ~$5.20/user/month |
| Seats limit | 300 users | None | None |
| EDR (Endpoint Detection & Response) | ✓ (simplified) | ✗ | ✓ (full) |
| Threat Analytics | ✗ | ✗ | ✓ |
| Vulnerability Management (MDVM) | ✓ (basic) | ✗ | ✓ (advanced) |
| Attack Surface Reduction rules | Simplified wizard | Manual configuration | Manual + advanced |
| Linux/macOS support | Limited | ✓ | ✓ |
| API access / custom integrations | Limited | ✓ | ✓ |
For organisations under 300 users, Defender for Business is the correct choice: it provides EDR capability at a price below the Plan 2 list price. Above 300 users, Defender for Endpoint Plan 2 is the required path. See the dedicated Defender for Business licensing guide for detailed cost scenarios.
The Sentinel Integration: When E5 Credits Actually Matter
Microsoft Sentinel bills primarily on data ingested. M365 E5 provides a data ingestion credit equivalent to approximately 5 MB/user/day for Microsoft 365 security data (Entra ID sign-in logs, Office 365 activity, Defender signals). At 5,000 users, that credit covers roughly 25 GB/day of M365 security data — worth approximately $125/day or $45,000/year at standard Sentinel pricing of $2.46/GB.
However, most enterprise Sentinel deployments ingest far more than M365 data. Adding Azure Activity logs, firewall logs, third-party security products, and on-premises infrastructure typically multiplies daily ingestion by 3–8x. The E5 credit offsets M365-specific ingestion but does not eliminate the Sentinel bill. Plan for $0.50–$1.50/user/month in residual Sentinel costs even with E5 licensing.
EA Negotiation Strategy for Microsoft Security Licensing
The Unified Security Pitch (Resist It)
Microsoft's commercial team is trained to pitch the full E5 security stack as a unified platform play. The pitch is compelling — single vendor, integrated telemetry, reduced operational complexity. But the commercial structure often obscures the fact that many enterprises need only two or three of the six Defender products. Before accepting an E5 upgrade, document exactly which Defender products you need, quantify the add-on cost, and compare against the E3+add-ons pathway.
Competitive Security Alternatives
CrowdStrike Falcon, SentinelOne, and Palo Alto Cortex XDR compete directly with Defender for Endpoint P2. Prices range from $8–$15/user/month for EDR+XDR capabilities. Defender for Endpoint P2 at $5.20 (or bundled in E5) has a clear price advantage, but Microsoft's commercial team needs to see evidence of competitive evaluation to sharpen the EA price. A documented CrowdStrike or SentinelOne proposal typically yields 12–20% additional EA discount on security-specific line items.
Phased Security Deployment Commitments
Negotiate deployment milestones in your EA for Defender products. Microsoft values activated licences: dormant E5 seats, which pay for Defender features that are never deployed, count as zero adoption in Microsoft's security NPS metrics. Offering a 90-day activation commitment for Defender for Identity and Defender for Endpoint P2, in exchange for year-one pricing concessions, is a legitimate and frequently accepted negotiation position.
Common M365 Defender Licensing Mistakes
Mistake 1: Upgrading all users to E5 when only a subset needs the security uplift. Security requirements are not uniform across the workforce. A 10,000-user organisation typically has 500–1,500 high-value targets (executives, finance, IT, legal) who genuinely require E5 security features. The remaining 8,500+ users' security needs may be adequately met by E3. A tiered licensing model — E5 for high-value targets, E3 for standard users — saves $13–$18/user/month on 80% of the user base.
Mistake 2: Not accounting for the Defender for Identity server licence. Defender for Identity requires a sensor deployed on every Active Directory domain controller. There is a separate server-side pricing component for large AD deployments. Many security budgets account only for the per-user licence and miss the DC sensor cost.
Mistake 3: Treating the Defender XDR portal as validation of complete coverage. The portal displays the security posture for products you are licensed for. If you have not licensed Defender for Identity, your on-premises AD is invisible to the XDR platform — not protected by it. Missing product coverage creates false confidence in unified protection claims.
Mistake 4: Assuming the E5 Security add-on and M365 E5 have the same security coverage. Microsoft sells M365 E5 Security as a standalone security add-on to M365 E3 at approximately $12/user/month. It includes Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, and Defender for Office 365 P2 — but not the compliance suite, Purview, or the full Entra P2 identity features. It is not the same as a full M365 E5 licence.