Microsoft Defender licensing in 2026 spans seven distinct products with overlapping but non-identical entitlements: Defender for Endpoint P1 and P2, Defender for Office 365 P1 and P2, Defender for Identity, Defender XDR (formerly 365 Defender), Defender for Cloud Apps, and Defender for Cloud (the Azure workload protection product). The May 2026 bundle changes brought Defender for Office 365 P1 into E3 and moved several P2 capabilities up into E5. The buyer-side question is no longer “which Defender do I need” but “which Defender capabilities am I now paying for twice.” The decision map below resolves the seven products against the E3/E5 base and the standalone path.
Microsoft Defender licensing in 2026 — the seven products
Microsoft has consolidated security branding under the Defender name but kept the licensing model fragmented. The seven products with their 2026 list pricing:
| Defender product | What it does | 2026 list (PUPM) | Bundled in |
|---|---|---|---|
| Defender for Endpoint P1 | EDR, attack surface reduction, web protection | $3 | E3, Business Premium |
| Defender for Endpoint P2 | Adds threat hunting, threat intel, sandboxing, Microsoft experts | $5.20 | E5 |
| Defender for Office 365 P1 | Safe Attachments, Safe Links, anti-phishing | $2 | E3 (as of May 2026), Business Premium |
| Defender for Office 365 P2 | P1 plus attack simulation, automated investigation, threat trackers | $5 | E5 |
| Defender for Identity | On-prem AD threat detection, lateral movement | $5 | E5 |
| Defender for Cloud Apps (formerly MCAS) | SaaS posture, shadow IT, CASB | $5 | E5 |
| Defender XDR (formerly 365 Defender) | Unified incident view across the suite | Free with any P2 | E5 |
| Defender for Cloud (Azure workload) | CSPM/CWPP for Azure resources | Per-resource, usage-based | Not bundled in M365 |
The May 2026 change to note: Defender for Office 365 P1 is now bundled into Microsoft 365 E3 as part of the security stack refresh. Organisations that bought Defender for Office 365 P1 standalone alongside E3 should drop the standalone immediately. See our bundle change analysis for the impact on existing contracts.
The P1 vs P2 decision — what actually changes
The P1-to-P2 step-up adds three categories of capability and one operational reality:
- Threat hunting. Advanced hunting queries across endpoint and Office signals. The hands-on threat-hunting capability assumes you have a SOC to run it — without one, P2 hunting capability sits unused.
- Microsoft Threat Experts. Optional Microsoft-staffed threat hunting service. Available only with P2.
- Sandbox detonation. Automated detonation of suspicious attachments and URLs. The default mode in P2; in P1 it relies on signature-based detection.
- Automated investigation and response. The AIR engine that auto-triages incidents and recommends remediation. Available in P2; absent in P1.
The discipline question for P1 vs P2: do you have the team to use the P2-only capabilities? If you do not have a SOC, do not have a hunting practice, and do not run AIR, then P2 buys $2.20 per user per month of capability you will not exercise. The right answer for many mid-market enterprises is P1 with a managed-detection-and-response partner for the threat-hunting layer — cheaper than P2 with no internal hunting capability.
Defender XDR (the SIEM-adjacent unified incident view, not to be confused with Defender for Cloud or the older Microsoft 365 Defender branding) requires at least one P2 product on the tenant. Defender XDR itself does not have a separate licence cost. Buying P2 unlocks XDR; buying XDR “standalone” is not a thing — it bundles in with P2 entitlement.
Defender for Cloud — the Azure-side cost
Defender for Cloud is the workload-protection product for Azure resources (and for AWS and GCP in multi-cloud configurations). It is licensed by Azure resource, not by user, and the cost falls on Azure consumption, not M365 spend. The 2026 list pricing by resource type:
- Servers Plan 2: $15/server/month. Bundles Defender for Endpoint P2 onto the protected servers — eliminates the need to separately licence DfE for server workloads.
- SQL servers: $15/server/month.
- Storage: $0.02/10K transactions.
- Key Vault: $0.02/10K transactions.
- Container registries: per-image-scan rate.
- Kubernetes: per-vCore on protected clusters.
- APIs (API Center): per-request-rate model.
The Defender for Cloud cost flows through the MACC and benefits from the EA Azure discount stack — not the M365 discount. Treat it as Azure spend, not M365 spend, for benchmarking purposes. See our Azure commit discount stack analysis for how this surfaces in renewal.
Overlap and double-pay traps
The recurring patterns we see in 2026 Defender audits:
- Defender for Office 365 P1 standalone on top of post-May-2026 E3. Bundled-in already. Drop the standalone immediately.
- Defender for Endpoint P1 standalone on top of E3. Same pattern, longstanding.
- Defender for Identity standalone on top of E5. Bundled in E5. Drop the standalone.
- Defender for Cloud Apps standalone on top of E5. Bundled in E5. Drop the standalone.
- DfE P2 on servers protected by Defender for Cloud Servers Plan 2. Servers Plan 2 includes DfE P2 for the server — do not also pay for DfE P2 user licences for server admin accounts.
- E5 Security step-up on E3 estate. The $12 PUPM E5 Security step-up bundles Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, and Entra P2 step-up. For users who would need three or more of these standalone, the step-up is cheaper than the standalone stack.
Defender at EA renewal in 2026
The renewal levers worth pulling specifically on Defender:
- Re-baseline the post-May-2026 bundle. Any Defender for Office 365 P1 standalone is recoverable. Any E5 Security step-up assigned to users without three real P2 entitlement needs is rationalisable.
- Negotiate component step-ups, not the full security suite step-up. Microsoft will push the $12 E5 Security step-up as a package. Component pricing is usually cheaper for the user populations that actually need step-up.
- Co-term Defender for Cloud with the MACC. If you are running Defender for Cloud, push the consumption under the MACC for the Azure discount benefit rather than letting it sit on PAYG rate.
- Negotiate MDR partner rights into the EA. Microsoft increasingly tries to gate third-party MDR access to Defender data behind partner agreements. Push for unconstrained MDR partner access to your Defender APIs.
Anonymised case study: $1.1M annualised on a 9,400-seat estate
A 9,400-employee logistics firm operated a Defender stack of: E3 base for all users, Defender for Office 365 P1 standalone for 9,400 (in place since 2022), E5 Security step-up for 1,200 (the IT and admin population), Defender for Identity standalone for 200, Defender for Cloud Apps standalone for 800, and Defender for Cloud Servers Plan 2 across 480 Azure VMs. Total Defender spend: $2.8M annually. The May 2026 bundle change put Defender for Office 365 P1 into E3 — eliminating the standalone need. Defender for Identity standalone was duplicative of the E5 Security step-up coverage on the 200 admin users. Defender for Cloud Apps standalone overlapped with the E5 Security step-up too. Rationalisation: dropped Defender for Office 365 P1 standalone (saving $226K), dropped Defender for Identity standalone for users already on E5 Security step-up (saving $12K), reduced Defender for Cloud Apps standalone to the 600 users without E5 Security step-up (saving $144K), reconfigured Defender for Cloud Servers Plan 2 with the MACC for the Azure discount stack (saving $240K from PAYG to commit), and consolidated alerts under Defender XDR. Net annualised saving: $1.1M. Security posture improved — the consolidation eliminated three redundant alerting paths and tightened the incident mean-time-to-acknowledge by 38%.
Microsoft Defender licensing rewards the buyer who audits the bundle map every release cycle. The 2026 changes are favourable to E3-base enterprises in particular — the bundle-in of Defender for Office 365 P1 is the single biggest free upgrade Microsoft has shipped to E3 in three years. Capture it, drop the redundant standalones, and use the saving to fund the E5 Security step-up for the populations who actually need P2 capability. Layer this with the M365 add-on rationalisation and the Intune optimisation and the security spend turns into a managed renewal lever.