Microsoft Defender XDR: What It Is and How It's Licensed
Microsoft Defender XDR (Extended Detection and Response) is not a product you buy. It is a unified security operations portal — the interface through which you manage and correlate signals from Microsoft's five core Defender security products. Understanding this distinction is essential for commercial conversations: there is no "Defender XDR licence." You licence the individual products that feed into the XDR platform.
The five products that collectively constitute the Microsoft Defender XDR platform are:
Microsoft Defender for Endpoint (MDE) — endpoint detection and response (EDR) for devices. Plan 1 for prevention-focused protection; Plan 2 for full EDR and threat hunting capability.
Microsoft Defender for Office 365 (MDO) — email, SharePoint, OneDrive, and Teams threat protection. Plan 1 for Safe Links and Safe Attachments; Plan 2 for investigation, AIR, and attack simulation.
Microsoft Defender for Identity (MDI) — on-premises Active Directory monitoring for credential-based attacks and lateral movement.
Microsoft Defender for Cloud Apps (MDCA) — Cloud Access Security Broker (CASB) for shadow IT discovery, conditional access for cloud apps, and data protection in SaaS applications.
Microsoft Entra ID Protection — cloud identity risk detection for Microsoft Entra ID (Azure AD), including risky sign-in detection and automated remediation policies.
Accessing the Defender XDR portal (security.microsoft.com) and its unified incident management, cross-product correlation, and threat hunting capabilities requires having the appropriate licences for the individual products. The more products you have licensed, the more signals feed into the platform and the more powerful the cross-product detection becomes.
The XDR Licensing Architecture: Products and Plans
| XDR Component | Licence Required | Standalone Price | Included In |
|---|---|---|---|
| Defender for Endpoint Plan 1 | MDE P1 add-on or M365 E3 | ~£2.00/user/month | M365 E3, Business Premium |
| Defender for Endpoint Plan 2 | MDE P2 add-on | ~£4.50/user/month | M365 E5, E5 Security |
| Defender for Office 365 Plan 1 | MDO P1 add-on | ~£1.65/user/month | M365 Business Premium |
| Defender for Office 365 Plan 2 | MDO P2 add-on | ~£4.50/user/month | M365 E5, E5 Security |
| Defender for Identity | MDI add-on | ~£3.50/user/month | M365 E5, E5 Security, EMS E5 |
| Defender for Cloud Apps | MDCA add-on | ~£3.50/user/month | M365 E5, E5 Security (partial) |
| Entra ID Protection | Entra P2 / Microsoft Entra ID P2 | ~£6.50/user/month | M365 E5, E5 Security, EMS E5 |
At list price, if you independently purchased all five products at their full XDR capability tier (MDE P2 + MDO P2 + MDI + MDCA + Entra P2), the combined cost would be approximately £22.65/user/month on top of your existing M365 E3 base licence. This is the context that makes M365 E5 Security at approximately £10/user/month so commercially significant.
The Bundle Economics: E5 Security vs Standalone XDR Components
Microsoft 365 E5 Security is an add-on to M365 E3 (priced at approximately £10/user/month) that includes the full set of XDR components at their highest capability tier. This is the primary commercial vehicle for enterprises building out a Microsoft-native XDR capability.
| Component | E5 Security Includes? | Standalone Cost |
|---|---|---|
| Defender for Endpoint Plan 2 | Yes | ~£4.50/user/month |
| Defender for Office 365 Plan 2 | Yes | ~£4.50/user/month |
| Defender for Identity | Yes | ~£3.50/user/month |
| Defender for Cloud Apps | Yes (full MDCA) | ~£3.50/user/month |
| Microsoft Entra ID Plan 2 | Yes | ~£6.50/user/month |
| Total standalone | | ~£22.50/user/month |
| E5 Security bundle | ~£10.00/user/month | |
| Bundle saving | ~55% vs standalone | |
The 55% bundle saving is the commercial argument for E5 Security that Microsoft's account teams lead with — and it is a genuine saving. The critical evaluation question is not whether the bundle saves money vs standalone (it does), but whether you would actually deploy and operationalise all five products. A 55% saving on products you deploy at 20% utilisation is not a saving — it is a different type of overspend.
XDR Correlation: The Platform Value Beyond Product Licensing
The commercial justification for acquiring multiple XDR components is not just the individual product value of each — it is the correlation value that the unified platform generates when multiple products are active simultaneously.
Defender XDR correlates signals across all licensed products to construct unified incidents. An attack that starts as a phishing email (MDO alert), executes a payload on an endpoint (MDE alert), steals credentials from memory, performs a pass-the-hash (MDI alert), and then accesses a cloud application with the stolen credentials (MDCA alert) generates one XDR incident — not four unrelated alerts in four separate consoles.
This correlation matters for three specific operational outcomes:
Faster detection: Individual product alerts may be below the alerting threshold (low confidence, low severity). When correlated across products, the combined signal exceeds the threshold and generates an incident. Attacks that fly under the radar of individual tools get caught by the correlated platform.
Automated investigation: Defender XDR's Automated Investigation and Response (AIR) can automatically remediate certain incident types — quarantining endpoints, removing malicious emails from all mailboxes, resetting compromised passwords — without requiring analyst intervention. This is only possible with the unified platform; siloed tools cannot take cross-product remediation actions.
Threat hunting scope: Advanced Hunting in Defender XDR (KQL-based threat hunting across all product data) allows analysts to search for indicators of compromise across endpoint, email, identity, and cloud app data in a single query. This is dramatically more efficient than hunting in five separate product consoles.
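As an added illustration (not from the original article), the attack chain described above expressed as one Advanced Hunting query that walks MDO, MDE, MDI and MDCA data in a single pass. Table and column names are from the Defender XDR Advanced Hunting schema; the lookback period, the time windows between stages, and the "NTLM logon by a different account from the same device" heuristic are illustrative assumptions, not a Microsoft-documented detection.

```kql
// Added example: follow a delivered attachment through execution, lateral
// logon and cloud-app activity. Windows and heuristics are assumptions.
let lookback = 30d;
// 1. MDO: attachments that were actually delivered, keyed by file hash
let delivered = EmailAttachmentInfo
    | where Timestamp > ago(lookback) and isnotempty(SHA256)
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback) and DeliveryAction == "Delivered"
        | project NetworkMessageId, SenderFromAddress, Subject
      ) on NetworkMessageId
    | project EmailTime = Timestamp, SHA256, FileName, RecipientEmailAddress,
              SenderFromAddress, Subject;
// 2. MDE: the delivered hash later started as a process on a device.
//    This matches executable attachments directly; for documents or
//    archives, join DeviceFileEvents on the attachment hash instead.
let executed = DeviceProcessEvents
    | where Timestamp > ago(lookback) and isnotempty(SHA256)
    | project ExecTime = Timestamp, DeviceName, ExecAccount = AccountName,
              SHA256, ProcessCommandLine;
// 3. MDI: a successful NTLM logon from that device by a different account
//    shortly after execution (the pass-the-hash pattern the text describes)
let lateral = IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where Protocol == "Ntlm" and ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, DeviceName, LateralAccount = AccountName,
              AccountObjectId, LogonApp = Application;
// 4. MDCA: cloud app activity by the account that was moved to
let cloud = CloudAppEvents
    | where Timestamp > ago(lookback) and isnotempty(AccountObjectId)
    | project CloudTime = Timestamp, AccountObjectId, CloudApp = Application,
              CloudAction = ActionType, IPAddress;
delivered
| join kind=inner executed on SHA256
| where ExecTime between (EmailTime .. (EmailTime + 7d))
| join kind=inner lateral on DeviceName
| where LateralAccount !~ ExecAccount
| where LogonTime between (ExecTime .. (ExecTime + 1h))
| join kind=inner cloud on AccountObjectId
| where CloudTime between (LogonTime .. (LogonTime + 24h))
| project EmailTime, SenderFromAddress, Subject, FileName, SHA256,
          ExecTime, DeviceName, ExecAccount, ProcessCommandLine,
          LogonTime, LateralAccount, LogonApp,
          CloudTime, CloudApp, CloudAction, IPAddress
| order by EmailTime asc
```

Each stage only returns rows if the corresponding product is licensed and onboarded, which is the licensing point the section makes: with MDE P1 and EOP alone, the middle and later stages of this query are empty.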
The platform value accrues progressively: three products integrated produce more correlation value than two, four more than three. This is why Microsoft prices the bundle to incentivise broad adoption.
Partial XDR Deployments: The Practical Reality
Most enterprises do not acquire or deploy all five XDR components simultaneously. The typical deployment pattern is sequential — often driven by compliance requirements, security maturity assessment, or a specific incident that highlights a capability gap.
The most common starting points are:
MDE P1 (already in E3) → MDO P1 add-on: This is the most common initial XDR configuration for E3 organisations. Endpoint protection (MDE P1 in E3) plus email threat protection (MDO P1 add-on at ~£1.65/user/month). This addresses the two highest-volume threat vectors — endpoint compromise and email-borne attacks — without requiring E5 Security.
Full E5 Security upgrade: Organisations with active SOCs, incident response programmes, or specific regulatory requirements (financial services, healthcare, critical infrastructure) typically upgrade to E5 Security to get the full XDR stack. The operational maturity to use all five products is the prerequisite.
E3 + selective add-ons: Organisations that need specific capabilities beyond E3 without a full E5 Security commitment — e.g., MDO P1 for email security, Entra P2 for PIM/Conditional Access — deploy selectively. This is a legitimate approach that avoids the full E5 Security cost but forgoes the bundle saving and full XDR correlation depth.
What E3 Already Includes for XDR
M365 E3 is not a blank security slate. Before evaluating E5 Security, understand what XDR capabilities are already in your E3 deployment:
Defender for Endpoint Plan 1: Included in M365 E3. This covers next-gen antivirus, attack surface reduction (ASR) rules, device health policies, and device firewall management. It does not include endpoint detection and response (EDR), threat and vulnerability management, or threat hunting — those require MDE P2 (E5 Security).
Exchange Online Protection: Included in all plans. Anti-spam, anti-malware (signatures), connection filtering. Not MDO — no Safe Links, Safe Attachments, or advanced anti-phishing. Many E3 organisations incorrectly believe they have MDO when they only have EOP.
Microsoft Entra ID Plan 1: Included in M365 E3. Conditional Access, Hybrid Azure AD Join, Self-Service Password Reset, Entra ID Application Proxy. Does not include Identity Protection (risky sign-in detection), Privileged Identity Management (PIM), or Access Reviews — those require Entra P2 (E5 Security).
Understanding the E3 baseline makes the E5 Security upgrade decision much clearer: you are specifically adding EDR, email investigation/AIR, on-premises AD monitoring, CASB, and cloud identity protection — the capabilities that address sophisticated, multi-vector attacks.
Defender XDR and Microsoft Sentinel: The SIEM Question
Defender XDR is not a SIEM (Security Information and Event Management) system. It is a detection and response platform for Microsoft's own product signals. Organisations with broader log management, compliance logging, or multi-cloud/multi-vendor security requirements typically use Microsoft Sentinel alongside Defender XDR.
Sentinel ingests the Defender XDR signals (free — Microsoft product data is ingested at no charge into Sentinel for E5 Security customers) alongside non-Microsoft data sources (network logs, firewall logs, third-party endpoint data, cloud provider logs). The Sentinel + Defender XDR combination is Microsoft's full SOC platform architecture.
From a licensing perspective, Sentinel is a separate consumption-based product (per GB ingested). Defender XDR data ingestion into Sentinel is free for E5 Security licensed customers — a material benefit that reduces Sentinel's operational cost significantly for Microsoft-first environments. The free ingestion benefit is worth £7,740/year for a 2,000-user E5 organisation (5 MB/user/day free), applying directly against Sentinel's consumption charges. For a full analysis of Sentinel's cost model, see our guide to Sentinel cost optimisation.
Negotiating the Defender XDR Stack in Your EA
Defender XDR licensing is typically negotiated as part of the broader M365 security stack — either as an E5 Security bundle or as individual product add-ons to E3. The following positions apply:
E5 Security Negotiation Positions
Deployment commitment in exchange for discount: Microsoft will offer better EA pricing for E5 Security if you commit to a deployment timeline and operational programme. A vague "we're interested in XDR" gets standard pricing; a "we commit to deploying MDE P2 and MDO P2 in Q1, MDI in Q2, and full MDCA/Entra P2 by Q3" with an implementation programme demonstrates genuine intent and creates a basis for pricing negotiation.
Phased seat count: Negotiate E5 Security for your highest-risk user population first (executives, IT admins, finance team, high-value IP holders) and expand over the EA term. Starting with 200 seats at higher discount rates for a defined expansion schedule is a legitimate EA structure that Microsoft will accommodate when there is credible deployment intent.
Use E3 MDE P1 as the baseline: E3 already includes MDE P1. In E5 Security negotiations, the incremental value you are buying is MDE P2 (EDR), not MDE in its entirety. Frame the security conversation as the delta between P1 and P2 capabilities and your specific threat model requirements — not as though you have no endpoint protection.
Add-On vs Bundle Decision
The general principle: if you need any two of the five E5 Security components, the bundle is almost certainly better commercial value than individual add-ons. If you only need one (e.g., MDO P1 for email security), the targeted add-on at £1.65/user/month is far cheaper than E5 Security at £10/user/month.
The calculation: E5 Security at £10/user/month provides all five components. The break-even against targeted add-ons is approximately MDE P2 (£4.50) + MDO P2 (£4.50) = £9.00 — already at the E5 Security threshold, and you haven't yet added MDI, MDCA, or Entra P2. Any requirement for three components makes E5 Security the unambiguous commercial choice.
XDR Deployment Maturity: The Operational Prerequisite
Microsoft Defender XDR is a powerful platform when operated by a capable security team. It is significantly less valuable when deployed without the operational capability to act on its outputs. Before committing to E5 Security, honestly assess your organisation's security operations maturity:
Who reviews the alerts? Defender XDR generates incidents that require analyst triage. If no one is actively monitoring the Defender portal, the platform's detection capability is wasted. A Managed Detection and Response (MDR) service or MSSP that monitors Defender XDR is a legitimate alternative to in-house SOC capability — but it is an additional cost that needs to factor into the total investment calculation.
Who tunes the policies? MDE attack surface reduction rules, MDO anti-phishing policies, MDCA conditional access app controls, and Entra Conditional Access policies all require ongoing tuning. Initial deployment without tuning generates excessive noise (false positives) that undermines the platform's effectiveness and SOC morale.
Who responds to incidents? Automated Investigation and Response (AIR) handles certain incident types automatically — but the threshold for automated action should be set conservatively, and the automated actions require human review. Incident response capability (defined playbooks, clear escalation paths, communication protocols) is the operational infrastructure that makes XDR commercially viable.
Organisations that deploy E5 Security without this operational infrastructure are paying for detection capabilities they cannot act on. A common pattern is acquiring E5 Security in an EA renewal based on security posture intent, then realising 12 months later that the deployment is incomplete and the operational programme is not in place. The financial commitment has been made; the security posture improvement has not materialised.
Defender XDR vs Third-Party XDR Platforms
| Dimension | Microsoft Defender XDR (E5 Security) | CrowdStrike Falcon Complete | Palo Alto Cortex XDR | SentinelOne Singularity |
|---|---|---|---|---|
| M365/Azure integration | Native | API integration | API integration | API integration |
| Endpoint detection quality | Excellent | Best-in-class | Excellent | Excellent |
| Identity protection | MDI + Entra P2 | Falcon Identity | Limited | Limited |
| Email security | MDO P2 | Via partner | Via partner | Via partner |
| Threat hunting | Advanced Hunting (KQL) | Overwatch/Threat Graph | XQL | Power Query |
| Managed service option | Via MSSP | Falcon Complete MDR | Via MSSP | Vigilance MDR |
| Bundle cost vs M365 E3 add-on | ~£10/user/month | ~£12–18/user/month | ~£10–15/user/month | ~£8–14/user/month |
For organisations already standardised on Microsoft 365, Defender XDR's native integration with the M365 data estate is a material advantage: no API bridging, no data export, no additional ingestion pipeline. All M365 activity data is natively correlated within the XDR platform. Third-party XDR vendors integrate through APIs, which works well for endpoint data but is less seamless for email, identity, and cloud app signals that live natively in the Microsoft stack.
CrowdStrike Falcon has a meaningful advantage in EDR depth and managed service quality (Falcon Complete) for organisations that need world-class endpoint protection and are willing to manage the M365 integration complexity. For organisations that are primarily Microsoft-centric and want a single vendor for their security stack, Defender XDR is a strong commercial and operational choice — particularly when the E5 Security bundle economics are factored in.
For context on the broader Microsoft security licensing landscape, see our Microsoft security licensing guide and the detailed analysis of whether E5 Security is worth it for your organisation.
Frequently Asked Questions
Is Defender XDR a separate licence purchase?
No. Microsoft Defender XDR is the unified portal experience — not a separate product or licence. You access Defender XDR capabilities by licensing the individual products (MDE, MDO, MDI, MDCA, Entra P2). The more products you have licensed, the richer the XDR platform experience. The most efficient way to acquire the full XDR stack is through Microsoft 365 E5 Security.
Does M365 E3 give any access to Defender XDR?
Yes, in limited form. M365 E3 includes Defender for Endpoint Plan 1, which gives access to some Defender XDR portal features for device management and basic endpoint protection. However, E3 does not include EDR, email threat investigation, identity monitoring, or CASB — so the XDR correlation capability is minimal. The full XDR platform value requires E5 Security or equivalent individual product licences.
What is the difference between Microsoft 365 Defender and Defender XDR?
Microsoft 365 Defender was the previous name for what is now called Microsoft Defender XDR. The rebranding (completed in 2023) reflected Microsoft's broader XDR market positioning — the product is the same unified security portal that correlates signals from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. All documentation referring to "Microsoft 365 Defender" now refers to Defender XDR.
Can I use Defender XDR with a third-party EDR instead of Defender for Endpoint?
Defender XDR primarily ingests signals from Microsoft's own Defender products. Some third-party integrations are available through the Microsoft Sentinel integration layer, but the native XDR correlation and automated response capabilities are designed for Microsoft's own products. Organisations using CrowdStrike, SentinelOne, or other EDR products alongside Microsoft's email and identity security tools typically use Sentinel as the aggregation layer rather than Defender XDR as the unified portal.
Is Defender for Cloud (formerly Azure Security Center) part of Defender XDR?
No. Defender for Cloud (Azure Security Center / Azure Defender) is a separate product focused on cloud workload protection — Azure VMs, containers, databases, storage, and Azure-hosted resources. It has its own licensing model (per-resource/per-hour) and integrates with Defender XDR for some alert correlation, but it is not one of the five core XDR components and is not included in M365 E5 Security. For Defender for Cloud licensing, see our guide to Defender for Cloud licensing.