What Defender for Business Actually Is
Defender for Business is Microsoft's enterprise-class endpoint security product for organisations with under 300 users. It is not a stripped-down SMB security tool — it delivers the core capabilities of Defender for Endpoint P2 (the enterprise product) in a package priced and simplified for small and mid-size organisations that lack the security operations infrastructure to manage a full enterprise deployment.
Understanding this positioning matters for commercial decisions. When a 250-person organisation evaluates security products, Defender for Business is not competing with Windows Defender Antivirus (which is free). It is competing with CrowdStrike Falcon Go, SentinelOne, Bitdefender GravityZone, and other commercial endpoint security platforms. Against that competitive field, Defender for Business — particularly when included in Business Premium — presents strong value.
The 300-user ceiling is a hard limit. Organisations over 300 users must use Defender for Endpoint P1 or P2. This boundary matters commercially: a 295-user organisation approaching growth should plan for the eventual migration to Defender for Endpoint P1 before it is forced, rather than discovering the product switch at renewal time.
Positioning summary: Defender for Business = enterprise endpoint security (next-gen AV + EDR + ASR + AIR) for ≤300 users. Available standalone at ~£2.50/user/month or included in Microsoft 365 Business Premium. Above 300 users, Defender for Endpoint P1 or P2 is required.
What Defender for Business Includes
Defender for Business delivers a comprehensive endpoint security stack that covers the core elements modern endpoint protection requires. The product includes next-generation antivirus (NGAV) with cloud-delivered protection, behaviour-based detection, and machine learning threat analysis. Endpoint Detection and Response (EDR) provides threat detection beyond malware, with investigation tools, device timeline analysis, and threat hunting capabilities. Attack Surface Reduction (ASR) rules reduce the exploitable attack surface through web content filtering, network protection, application control, exploit protection, and controlled folder access.
Automated Investigation and Remediation (AIR) automatically investigates triggered alerts, determines scope, and remediates confirmed threats without requiring a security analyst to intervene on each alert. Vulnerability Management provides device inventory, software vulnerability assessment, and security configuration scoring — giving organisations a view of their endpoint risk posture beyond active threats.
The management experience is simplified compared to Defender for Endpoint's full enterprise console. Business Premium and standalone Defender for Business users manage endpoint security through the Microsoft 365 Defender portal (now Defender XDR portal) with a simplified setup wizard designed for IT generalists rather than security operations specialists.
Plan Inclusion: Where You Get Defender for Business
| Plan / Licence | Includes Defender for Business | Approx. Price | Notes |
|---|---|---|---|
| Microsoft 365 Business Premium | Yes | ~£19.40/user/month | Max 300 users. Includes full M365 Business + Defender for Business + Intune + Entra P1 + Defender for Office 365 P1 + Azure AD P1 |
| Defender for Business standalone | Yes | ~£2.50/user/month | Endpoint security only. No M365 productivity apps. Max 300 users. |
| Microsoft 365 Business Basic | No | ~£4.90/user/month | No endpoint security. Standard AV only via Microsoft Defender Antivirus (free Windows component). |
| Microsoft 365 Business Standard | No | ~£9.90/user/month | No endpoint security beyond standard AV. Common oversight — organisations assume Standard includes endpoint protection. |
| Microsoft 365 E3 | No | ~£28–32/user/month (EA) | Includes Defender for Endpoint P1 only. For P2 (EDR), upgrade to E5 or add E5 Security. |
| Microsoft 365 E5 / E5 Security | No (not applicable) | ~£48–54/user/month (EA) | Includes Defender for Endpoint P2. Defender for Business is not relevant above 300 users. |
Common misconception: Microsoft 365 Business Standard does not include Defender for Business. Many SMB organisations assume their Business Standard subscription provides commercial endpoint protection. It does not — Business Standard includes only Windows Defender Antivirus, the free OS component, without EDR, AIR, or vulnerability management. Organisations on Business Standard that need commercial endpoint security must either add Defender for Business standalone or upgrade to Business Premium.
Defender for Business vs Defender for Endpoint P1 and P2
The relationship between Defender for Business, Defender for Endpoint P1, and Defender for Endpoint P2 is a frequent source of confusion. The products are distinct but related, and the capability differences matter for commercial and security decisions.
| Capability | Defender for Business | Defender for Endpoint P1 | Defender for Endpoint P2 |
|---|---|---|---|
| Next-gen AV (NGAV) | Yes | Yes | Yes |
| Attack Surface Reduction (ASR) | Yes | Yes | Yes |
| Endpoint Detection & Response (EDR) | Yes (simplified) | No | Yes (full) |
| Automated Investigation & Remediation (AIR) | Yes (simplified) | No | Yes (full) |
| Threat and Vulnerability Management | Yes (core) | No | Yes (full) |
| Advanced Hunting (KQL) | No | No | Yes |
| Custom threat detections | No | No | Yes |
| Endpoint forensics (live response) | No | No | Yes |
| Microsoft Threat Experts | No | No | Yes (add-on) |
| Max users (standalone) | 300 | Unlimited | Unlimited |
| Approx. standalone price | ~£2.50/user/month | ~£3.30/user/month | ~£5.80/user/month |
The key commercial insight from this comparison: Defender for Business and Defender for Endpoint P2 both include EDR and AIR — capabilities that Defender for Endpoint P1 (included in M365 E3) conspicuously lacks. This means that an organisation of 200 users on M365 Business Premium actually has more endpoint security capability than an organisation of 500 users on M365 E3 without an additional Defender for Endpoint P2 upgrade.
This is a significant M365 product positioning decision by Microsoft. E3 at £28–32/user/month includes Defender for Endpoint P1 (no EDR). Business Premium at £19.40/user/month (sub-300 users) includes Defender for Business (full EDR equivalent). The security capability argument for Business Premium over E3 — where headcount and feature requirements allow — is commercially strong.
The Business Premium Value Analysis
Microsoft 365 Business Premium is the primary commercial vehicle for Defender for Business. Understanding what Business Premium includes beyond endpoint security helps determine whether it represents the right commercial anchor for sub-300-user organisations.
Business Premium includes: M365 Apps for Business (full desktop and mobile Office applications including Outlook, Word, Excel, PowerPoint, Teams), Exchange Online Plan 1 (50GB mailbox), SharePoint Online, OneDrive for Business 1TB, Microsoft Teams, Defender for Business (full endpoint security as described above), Microsoft Intune Plan 1 (mobile device management and application management), Entra ID P1 (Azure AD Premium P1 — MFA, Conditional Access, SSPR), Defender for Office 365 Plan 1 (anti-phishing, safe links, safe attachments), and Azure Information Protection P1.
Assembled from individual components, this security and identity stack would cost approximately £12–15/user/month beyond the base productivity suite. Business Premium bundles it all at a combined £19.40/user/month. For a sub-300-user organisation with no pre-existing security investment, Business Premium is one of Microsoft's most commercially efficient plans.
Key commercial calculation: For a 200-user organisation choosing between Business Standard (£9.90) + Defender for Business standalone (£2.50) + Intune (£6.00) + Entra P1 (£4.90) + MDO P1 (£2.40) = £25.70/user/month versus Business Premium at £19.40/user/month — Business Premium saves approximately £6.30/user/month and delivers more integrated management.
The 300-User Ceiling: Planning the Transition
Organisations approaching the 300-user limit face a mandatory product transition. At 301 users, Defender for Business (standalone or via Business Premium) is no longer available, and the organisation must move to enterprise M365 plans with Defender for Endpoint P1 or P2.
The commercial implications are significant. Transitioning from Business Premium to M365 E3 at the 300-user boundary involves a price increase from £19.40 to approximately £28–32/user/month — a 45–65% uplift per user. The security capability change is counterintuitive: E3 includes Defender for Endpoint P1 (no EDR), whereas Business Premium included Defender for Business (with EDR equivalent). To maintain EDR capability after transition, E5 Security or Defender for Endpoint P2 add-on is required, adding further cost.
Organisations planning for growth past 300 users should begin the commercial modelling 12–18 months before the threshold. The questions to resolve: What M365 plan replaces Business Premium? Does Defender for Endpoint P1 (E3 included) meet security requirements, or does EDR capability require E5 or add-on? What is the three-year total cost comparison between paths?
Business Premium to Enterprise: Migration Options
When transitioning from Business Premium, three commercial paths exist. The first is M365 E3 with Defender for Endpoint P2 add-on (approximately £28–32/user + £5.80/user = ~£34–38/user), which maintains EDR capability while moving to the enterprise plan. The second is M365 E5 Security bundle (£28–32 base E3 + ~£10/user E5 Security = ~£38–42/user), which provides full Defender XDR stack including MDO P2, MDCA, and Entra P2 in addition to Defender for Endpoint P2. The third is a clean migration to M365 E5 (~£48–54/user), which provides maximum security capability at maximum cost.
See the Defender for Endpoint P1 vs P2 licensing guide for the detailed capability comparison that informs this transition decision.
Defender for Business Standalone: When It Makes Sense
Defender for Business standalone (£2.50/user/month) makes commercial sense in two scenarios. The first is organisations on Microsoft 365 Business Basic or Business Standard that need commercial endpoint security without upgrading to Business Premium. If the organisation's M365 productivity requirements are satisfied by Business Basic/Standard and they do not need the full Business Premium security stack, standalone Defender for Business delivers endpoint protection at a fraction of the full bundle cost.
The second scenario is organisations using non-Microsoft productivity suites (Google Workspace, for example) that want Microsoft endpoint security for their Windows device fleet without an M365 subscription. Defender for Business standalone is licensed independently of M365 plan and can be deployed on Windows, macOS, iOS, and Android devices regardless of the productivity platform.
The standalone option is also the correct choice when evaluating Defender for Business against CrowdStrike, SentinelOne, or other endpoint security platforms. At £2.50/user/month, Defender for Business is typically 40–60% lower cost than comparable commercial EDR platforms for sub-300-user deployments — a meaningful competitive advantage in security budget-constrained SMB environments.
Intune Integration: A Critical Business Premium Component
Business Premium includes Microsoft Intune Plan 1, which is the mobile device and application management platform required to fully configure and enforce Defender for Business policies. While Defender for Business can function with manual device onboarding, the full capability — particularly attack surface reduction rules, network protection policies, and web content filtering — requires Intune integration for policy enforcement.
For sub-300-user organisations that do not have Business Premium and are considering Defender for Business standalone, the Intune dependency is a hidden cost consideration. Intune Plan 1 standalone costs approximately £6/user/month. If Intune is required for full Defender for Business capability, the combined cost (£2.50 + £6.00 = £8.50/user/month) approaches the cost of Business Premium at £19.40 — which also includes the full productivity suite. This cost convergence is part of why Business Premium is often the most commercially rational choice for sub-300-user organisations rather than assembling the equivalent stack from components.
See the Intune licensing complete guide for full Intune capability and pricing analysis.
EA and CSP Purchasing: Commercial Considerations
Defender for Business and Business Premium are available through Microsoft 365 Business plans, which are sold via CSP (Cloud Solution Provider) channel rather than through the Enterprise Agreement. This is an important commercial distinction: organisations with fewer than 300 users are typically on CSP or Microsoft 365 Direct Billing rather than EA.
For organisations at or approaching 300 users, the EA becomes available for the first time. This transition is an opportunity to formally negotiate pricing terms rather than accepting CSP list prices. EA pricing for M365 E3 is typically 5–15% below CSP list price at volume, and the E3 EA structure provides three-year price protection that CSP does not offer in the same way.
For the commercial framework governing EA negotiations more broadly, see the Microsoft EA negotiation complete guide. For the Business Premium vs E3 decision at the product level, see the Business Premium vs E3 comparison.
Competitive Comparison: Defender for Business vs Third-Party EDR
For sub-300-user organisations evaluating Defender for Business against specialist endpoint security vendors, the commercial and capability comparison is favourable to Microsoft in most SMB scenarios.
CrowdStrike Falcon Go (their SMB product) typically costs £5–8/device/month for comparable EDR capability. SentinelOne's SMB offerings range from £4–7/endpoint. Bitdefender GravityZone Business Security costs £3–5/device/month for its endpoint security suite. Against these benchmarks, Defender for Business at £2.50/user/month is cost-competitive and delivers tighter Microsoft ecosystem integration — particularly relevant when the organisation uses Intune, Entra, and Defender for Office 365 (all included in Business Premium).
The scenario where third-party vendors retain advantage: organisations with mixed-OS environments (significant Linux or macOS fleets), organisations with existing SOC investments in third-party SIEM platforms that have better integrations with non-Microsoft vendors, and organisations whose security team prefers the investigation and threat hunting tools of CrowdStrike or SentinelOne over Microsoft's simplified console.
For enterprise-scale security licensing decisions above 300 users, see the Microsoft security stack vs third-party comparison guide.
Frequently Asked Questions
Can Defender for Business be used for servers?
Defender for Business includes server protection for up to 60 servers, allowing small organisations to protect Windows Servers alongside client devices without a separate Defender for Servers (Azure) licence. This is a valuable inclusion for SMB organisations running on-premises infrastructure. Above 60 servers, or for larger organisations, Defender for Servers in Microsoft Defender for Cloud is the appropriate product.
Does Defender for Business integrate with Microsoft Sentinel?
Defender for Business can send alerts and logs to Microsoft Sentinel, but this integration is primarily relevant for organisations with an existing Sentinel deployment. For most sub-300-user organisations, the cost and complexity of operating Sentinel is not justified. Defender for Business with its built-in investigation and AIR capabilities provides appropriate security operations capability without a SIEM.
What happens to Defender for Business data if we migrate to E3?
Migrating from Defender for Business to Defender for Endpoint (P1 or P2) does not automatically migrate your device configuration, policies, or historical alert data. Devices must be onboarded to the Defender for Endpoint environment, and policies must be recreated. This migration overhead is one reason to plan the Business Premium to Enterprise transition carefully rather than managing it under time pressure.
Can I mix Business Premium and E3 licences in the same tenant?
In principle, Microsoft allows Business and Enterprise plans in the same tenant, but this is generally discouraged and creates management complexity. Business plans are designed for sub-300-user tenants. If your organisation crosses 300 users, Microsoft expects migration to Enterprise plans. Operating mixed Business/Enterprise configurations during a transition period is manageable but should not become a permanent structure.