The Microsoft Security Upsell Machine
Microsoft's security portfolio has expanded dramatically since 2020. Defender, Purview, Entra, Sentinel — each product family contains multiple tiers, add-ons, and plan configurations. Microsoft's account teams now routinely present security as the primary justification for E3-to-E5 upgrades, and the pitch is often compelling: "consolidate your security vendors into the Microsoft stack."
The problem is that E5's security stack — while genuinely capable — contains capabilities that most enterprises do not fully deploy, capabilities that overlap with existing investments they have already made, and capabilities that are priced well above the point-solution market. When we audit M365 security licensing, we find that enterprises overpay by 35–55% against what their actual security programme requires. The gap is not because the capabilities are bad — it is because the licence tier was driven by Microsoft's sales motion, not by a security programme design exercise.
This guide maps the M365 security licence landscape — what E3 includes, what E5 adds, where standalone Defender/Purview/Entra/Sentinel add-ons fit, and how to make a defensible, security-programme-led decision rather than an account-team-led one. For context on the E3 vs E5 financial mechanics, see our E3 vs E5 comparison.
What M365 E3 Includes: The Security Baseline
M365 E3 is frequently underestimated as a security platform. The security capabilities included in E3 are substantial — sufficient for many organisations whose security programme does not require the advanced threat detection and compliance capabilities bundled in E5:
| Security Capability | Included in E3 | Notes |
|---|---|---|
| Microsoft Defender for Office 365 (Plan 1) | ✓ | Anti-phishing, safe links, safe attachments for email and Teams |
| Entra ID (Azure AD) P1 | ✓ | Conditional access, MFA, SSPR, group-based licensing |
| Microsoft Intune (Device Management) | ✓ | MDM and MAM for corporate and BYOD devices |
| Microsoft Purview (Compliance Manager) | Basic | Core DLP for Exchange/SharePoint/Teams; basic sensitivity labels |
| Microsoft Defender Antivirus | ✓ | Endpoint protection for Windows 10/11 |
| Audit log (90-day retention) | ✓ | Standard audit log; advanced audit requires E5/add-on |
| eDiscovery (Core) | ✓ | Basic search and export; Premium requires E5/add-on |
| Information Barriers | ✕ | Requires Compliance E5 or add-on |
| Insider Risk Management | ✕ | Requires Compliance E5 or add-on |
For most mid-market enterprises (1,000–5,000 seats) with standard security posture requirements, M365 E3's security baseline is sufficient as the Microsoft-native layer. It delivers conditional access, endpoint protection, email security, DLP for M365 workloads, and device management. Organisations that require more advanced capabilities should evaluate whether targeted add-ons are more cost-effective than E5 for the full estate.
What E5 Adds: The Advanced Security Layer
M365 E5 Security adds four major capability areas beyond E3. These are genuine capabilities — the question is whether your security programme requires them and, if so, whether you deploy them:
Microsoft Defender for Identity (MDI)
MDI monitors on-premises Active Directory for identity-based attacks — lateral movement, privilege escalation, Pass-the-Hash, credential stuffing. For organisations with a significant on-premises AD footprint (common in manufacturing, government, and financial services), MDI fills a real gap. For organisations that have substantially completed their Entra ID (cloud identity) migration, MDI's on-premises focus provides diminishing returns. MDI standalone is priced at approximately £4.00/user/month — a material saving versus E5 for the subset of users where it is genuinely needed.
Microsoft Defender for Endpoint (Plan 2)
E3 includes Defender Antivirus, which is the base EDR capability. E5 adds Defender for Endpoint Plan 2 — advanced threat hunting, attack surface reduction rules, endpoint behavioural detection, Microsoft Threat Intelligence integration, and automated investigation and response. For organisations with a mature SOC capability that can operationalise these tools, MDE P2 is valuable. For organisations without SOC resources, MDE P2 generates alerts that go unreviewed — you are paying for capability you cannot consume. MDE P2 standalone is approximately £5.40/user/month.
Microsoft Purview Compliance (E5)
E5 Compliance adds advanced eDiscovery Premium, Insider Risk Management, Communication Compliance, Advanced Audit (180-day log retention + critical event logging), and advanced information protection (trainable classifiers, exact data match, double-key encryption). These capabilities are primarily required by organisations with substantial legal, compliance, or regulatory obligations: financial services, healthcare (clinical data), legal firms, and public sector entities subject to FOI or regulatory examination requirements. For standard commercial enterprises, E3's core DLP and basic sensitivity labels are frequently sufficient.
Entra ID Plan 2
E5 includes Entra ID P2 (versus P1 in E3). P2 adds Privileged Identity Management (PIM), Identity Protection (risk-based conditional access), and Entitlement Management. PIM — just-in-time privileged access for admin roles — is a meaningful security capability and is genuinely worth the premium for all administrator accounts. The question is whether all E5 seats need P2, or whether PIM can be deployed selectively for privileged users (typically 5–15% of a workforce) while the remainder stay on E3.
The Standalone Add-On Model: The Middle Path
Microsoft's product architecture allows for a targeted add-on approach that avoids paying for E5 capabilities across your entire estate. The key standalone add-ons, their pricing, and their use cases are:
| Add-On | Approximate Price | Use Case | E5 Equivalent? |
|---|---|---|---|
| Microsoft Defender for Identity | £4.00/user/month | On-premises AD monitoring; hybrid environments | Included in E5 Security |
| Defender for Endpoint Plan 2 | £5.40/user/month | Advanced EDR/XDR for organisations with active SOC | Included in E5 Security |
| Entra ID Plan 2 | £6.70/user/month | PIM for privileged accounts; risk-based access | Included in E5/E5 Security |
| Microsoft Purview Compliance P2 | £8.80/user/month | Insider risk, advanced eDiscovery, advanced audit | Included in E5 Compliance |
| Microsoft Sentinel (per GB ingested) | Variable (~£1.80–£2.40/GB) | SIEM/SOAR; log aggregation and threat detection | Not in M365 — Azure service |
| Defender for Cloud Apps | £3.50/user/month | CASB; shadow IT discovery; SaaS app governance | Included in E5 Security |
The standalone model is compelling for organisations that need 1–2 E5 security capabilities but do not need the full E5 bundle. The break-even point versus E5 Security (approximately £10.10/user/month add-on, or £35.50 total for E5 vs £27.40 for E3) occurs when you need 3 or more of the significant standalone add-ons for a large fraction of your user population.
Microsoft E5 is priced at £35.50/user/month versus E3 at £27.40 — a premium of £8.10/user/month. This buys the full E5 security and compliance stack. If you need MDE P2 (£5.40) and Entra P2 (£6.70) for all users, the individual add-ons sum to £12.10 — making E5 the better deal. But if you only need Entra P2 for 300 admin accounts in a 5,000-seat estate, the individual add-on costs £24,120/year, versus a premium of £486,000/year to put all users on E5. The calculation must be done at the level of actual user populations, not estate-wide averages.
Microsoft Sentinel: A Separate Commercial Decision
Microsoft Sentinel is frequently bundled into E5 security discussions but is fundamentally a different product on a different commercial model. Sentinel is an Azure service priced on data ingestion volume (GB per day), not on a per-user seat basis. It is the SIEM/SOAR layer that sits above the endpoint and identity security stack.
For organisations with M365 E5, Microsoft offers a Sentinel benefit — 50% discount on M365-sourced log ingestion for E5 subscribers. This is a meaningful cost reduction if you are actively using Sentinel, but it is not a reason to purchase E5 if Sentinel was not already in your security architecture plan. The 50% discount on log ingestion only applies to M365 logs — other data sources (on-premises, non-Microsoft SaaS, Azure workloads) are charged at full Sentinel rates regardless of E5 status.
Sentinel's commercial model should be evaluated on its own merits (security programme requirements, log ingestion volumes, and operational SIEM resources) before the M365 licence tier becomes a factor in the decision.
The Security Licence Decision Framework
A defensible M365 security licence decision follows five steps, driven by your security programme rather than by Microsoft's sales motion:
Step 1: Map your security programme requirements
What controls does your security programme require that are relevant to M365? Start from your security framework (ISO 27001, NIST CSF, Cyber Essentials, CIS Controls) and identify the Microsoft-relevant controls. Do not start from the E5 brochure — start from your control requirements and work forward to the licence that satisfies them.
Step 2: Identify your existing investments
What security tooling do you already have that overlaps with M365 capabilities? Common overlaps: CrowdStrike or SentinelOne covering the endpoint (overlapping with MDE); CyberArk or BeyondTrust covering privileged access (overlapping with Entra PIM); Splunk or QRadar as SIEM (overlapping with Sentinel); Proofpoint or Mimecast for email security (overlapping with Defender for Office). E5 capabilities that duplicate existing investments are not incremental value — they are licence cost with no operational benefit.
Step 3: Identify genuine E5 capability gaps
After steps 1 and 2, identify the specific E5 capabilities that meet genuine programme requirements and are not covered by existing investments. This is typically a shorter list than Microsoft's E5 marketing suggests.
Step 4: Model standalone add-on economics
For each E5 capability gap identified, price the standalone add-on versus the full E5 premium, applied to the specific user population that requires the capability. Calculate the 3-year cost for standalone versus E5 across the whole estate.
Step 5: Factor in transition and operational costs
Mixed-licence environments (some users on E5, some on E3 + add-ons) create licensing management complexity. Factor in the operational overhead of managing multiple SKUs against the cost savings of the targeted approach. In our experience, the targeted approach is almost always net positive by a significant margin — but the governance framework needs to be in place.
Industries Where E5 Compliance Is Genuinely Required
Our analysis of security licence overpayment is not a blanket argument against E5. There are specific industries and regulatory contexts where E5 Compliance capabilities are genuinely required, not just commercially convenient:
- Financial services (FCA/PRA regulated entities): Advanced audit log retention (180+ days), eDiscovery Premium for regulatory examination, and Insider Risk Management for Conduct Risk programmes are often genuine requirements, not elective capabilities.
- Healthcare (NHS/HIPAA-covered entities): Sensitivity labels for patient data classification, advanced DLP for clinical data, and communication compliance for regulated communications warrant E5 Compliance evaluation.
- Legal and professional services: eDiscovery Premium for litigation hold, Advanced Audit for matter-level log review, and information barriers for ethical walls are meaningful capabilities at firm level.
- Government and public sector: OFFICIAL-SENSITIVE and above classification requirements, FOI-responsive audit trails, and government-mandated security controls may drive genuine E5 Security requirements beyond what E3 provides.
For organisations in these sectors, the question is not whether E5 is justified — it often is — but whether E5 is needed for all users or only for the subpopulation with the relevant compliance obligations. A financial services firm with 8,000 users may need E5 Compliance for 2,000 regulated front-office staff and E3 for 6,000 operational and technology staff. That distinction alone can save £580,800/year at the E3 vs E5 price differential.
Negotiating the Security Licence Position
The security licence decision directly affects your EA commercial structure. The relevant negotiation points are:
First, resist the E5 default in renewal proposals. Microsoft account teams routinely include E5 in renewal proposals for organisations on E3 "because security requirements have increased." Challenge this with a requirements-led counter-proposal: show the specific security capabilities you need, matched to specific add-ons or a targeted E5 population, with precise cost modelling. This converts a broad "upgrade everyone" conversation into a specific "what do you actually need" analysis — which almost always results in a lower total cost than the default E5 proposal.
Second, use the security investment map as leverage. If you have existing security investments (CrowdStrike, Proofpoint, Splunk), explicitly document the overlap with E5 capabilities in your negotiation position. Microsoft's argument that "you should consolidate on E5" requires them to demonstrate that their capabilities genuinely replace your existing investments at equivalent effectiveness — a claim that is contestable for most mature security programmes.
Third, negotiate E5 at pilot scale. If your security team genuinely wants to evaluate E5 capabilities, negotiate a time-limited E5 pilot for a defined user population (typically 500–1,500 users) rather than committing to E5 for the full estate. The pilot gives your security team the evidence they need to justify — or decline — the full rollout.
For the broader M365 optimisation context, see the M365 Enterprise Licensing Guide, the E3 vs E5 comparison, and our analysis of reducing M365 costs at renewal. For advisory on security licence rationalisation as part of an EA renewal, see our M365 Optimisation service.