The Question Every Enterprise Licensing Team Gets Wrong

When Microsoft presents the E5 upgrade proposal at EA renewal, the pitch is seductive: a single licence that consolidates your entire security stack, eliminates point-product procurement, and delivers enterprise-grade protection at a bundled price. What the proposal doesn't tell you is that E5's security value is highly dependent on actual deployment — and in the average enterprise, fewer than 40% of E5 security capabilities are actively used within 18 months of purchase.

The commercial question isn't whether Microsoft E5 security licensing is technically superior to E3. It almost always is. The question is whether the $38–57/user/month premium over M365 E3 (depending on your EA pricing tier and negotiation outcome) delivers sufficient deployed value to justify the cost across your entire licensed population. That answer varies significantly by organisation type, security maturity, and how honestly you assess current deployment against theoretical capability.

This article maps precisely what E5 security includes, what it doesn't, how the arithmetic works against standalone security alternatives, and the three scenarios where E5 security genuinely justifies the premium — and three where it doesn't.

40%: average proportion of E5 security capabilities actively deployed within 18 months of purchase in enterprise organisations. Bundle inclusion blindness (purchasing add-on licences for capabilities already in E5) costs the average 5,000-user E5 deployment $180–$320K annually. Source: Microsoft Negotiations analysis, 500+ EA engagements.

What E5 Security Actually Includes

M365 E5 includes the full Microsoft security stack bundled into a single per-user licence. It is important to map this at the product and tier level — not the marketing level — because deployment decisions live at the product tier, not the bundle label.

Defender Suite — E5 Tier

Microsoft Defender for Endpoint Plan 2 is included in E5. This is the full EDR/XDR tier including advanced threat hunting, six months of raw timeline data retention, device discovery, vulnerability management (basic), and Attack Surface Reduction (ASR) policy enforcement. E3 includes Defender for Endpoint Plan 1, which covers next-gen antivirus and basic attack surface reduction but excludes EDR, threat hunting, and the extended data retention. The Plan 2 premium over Plan 1 is approximately $5.20/user/month standalone.

Microsoft Defender for Office 365 Plan 2 is included in E5. This adds attack simulation training, threat tracker, threat explorer, and Campaign Views on top of the Plan 1 capabilities (Safe Links, Safe Attachments, anti-phishing) included in E3. Plan 2 adds approximately $2/user/month over Plan 1 standalone.

Microsoft Defender for Identity is included in E5 — not in E3. This product monitors Active Directory Domain Controllers for lateral movement, credential theft, and identity-based attack indicators. For organisations with significant on-premises AD infrastructure, this represents genuine standalone value of approximately $5.50/user/month.

Microsoft Defender for Cloud Apps (formerly MCAS) is included in E5 — not in E3. This Cloud Access Security Broker (CASB) function provides application visibility, shadow IT detection, and session controls for SaaS applications. Standalone price approximately $3.50/user/month.

Microsoft Entra ID — E5 Tier

E5 includes Microsoft Entra ID P2 (formerly Azure AD P2). E3 includes Entra ID P1. The P2 tier adds Privileged Identity Management (PIM), Identity Protection with risk-based conditional access, and Access Reviews. For organisations managing privileged access governance and requiring identity risk scoring for conditional access policies, P2 is the correct tier. For organisations whose identity governance requirements are met by P1 (MFA, conditional access, single sign-on, application proxy), P2 adds approximately $6/user/month in standalone cost for capabilities that may not be deployed.

Microsoft Purview — E5 Compliance Add-On

It is critical to note that E5 (the base SKU) does not include the full E5 Compliance add-on. M365 E5 includes Purview Information Protection P2, Audit (Premium), and eDiscovery (Premium). The M365 E5 Compliance add-on ($12/user/month approximately) adds Insider Risk Management, Communication Compliance, Information Barriers, Records Management, and Advanced Audit. Many enterprise EA proposals conflate E5 and E5 Compliance; they are separate SKUs with separate pricing.

Microsoft Sentinel — Not Included in E5

Despite frequent conflation in Microsoft sales materials, Microsoft Sentinel is not included in M365 E5. Sentinel is a consumption-priced Azure SIEM/SOAR service, billed separately based on data ingestion volume. E5 users do benefit from free Sentinel data ingestion for specific Microsoft 365 data sources (Exchange, SharePoint, Teams, Entra ID logs, Defender for Office 365 logs, Defender for Identity logs, and Defender for Endpoint alerts), but the Sentinel workspace itself carries separate Log Analytics and Sentinel capacity pricing for all other log sources.

| Security Capability | M365 E3 | M365 E5 | E5 Premium Value (Standalone) |
|---|---|---|---|
| Defender for Endpoint | Plan 1 | Plan 2 | ~$5.20/user/mo |
| Defender for Office 365 | Plan 1 | Plan 2 | ~$2.00/user/mo |
| Defender for Identity | Not included | Included | ~$5.50/user/mo |
| Defender for Cloud Apps | Not included | Included | ~$3.50/user/mo |
| Microsoft Entra ID | P1 | P2 | ~$6.00/user/mo |
| Purview Info Protection | P1 | P2 | ~$3.50/user/mo |
| Microsoft Purview Audit | Standard | Premium | ~$2.00/user/mo |
| Microsoft Sentinel | Not included | Not included | Consumption-based |
| E5 Compliance add-on | Not included | Separate SKU | ~$12.00/user/mo |

The E5 Security Arithmetic

To evaluate whether E5 security delivers commercial value, compare the cost of obtaining equivalent security capabilities through standalone add-on licences against the incremental E5 cost over E3.

At typical EA pricing for a mid-market enterprise (3,000–10,000 users, no special pricing tier), the incremental cost of E5 over E3 is approximately $38–45/user/month. The security-specific components of this premium — setting aside the E5 productivity features (Power BI Pro, Phone System, advanced eDiscovery) — represent approximately $22–28/user/month of the increment.

The standalone cost of equivalent security capabilities (Defender for Endpoint P2 upgrade, Defender for Identity, Defender for Cloud Apps, Entra ID P2) runs approximately $20–24/user/month. This produces a fairly narrow arbitrage — E5 is approximately cost-neutral or slightly cheaper than assembling equivalent capabilities standalone, before accounting for the productivity features included in E5 that may or may not deliver value.

The problem with this arithmetic is that it assumes full deployment of all security capabilities. In practice, Defender for Identity requires Domain Controller sensor deployment across your entire on-premises AD estate, which is a non-trivial infrastructure project. Defender for Cloud Apps requires integration work and policy configuration to deliver value beyond shadow IT visibility. Entra ID P2 requires PIM configuration and Access Review processes that many organisations lack the operational capacity to run. If you are purchasing E5 for 10,000 users but only 30% of those users have AD-joined devices and active identity governance processes, the Defender for Identity and Entra P2 components deliver value for 3,000 users — but you are paying for all 10,000.

When E5 Security Genuinely Justifies the Premium

E5's security premium is well-justified in three specific organisational profiles:

1. Regulated Industries with Demonstrated Threat Surface

Financial services, healthcare, and defence contractors typically have active identity-based attack surface, regulatory requirements for audit and eDiscovery (Purview Premium audit is genuinely needed), and security operations teams that actively consume EDR telemetry from Defender for Endpoint P2. In these environments, full E5 deployment is achievable within 12 months and the combined security + compliance capability justifies the cost at the organisation-wide level.

2. Organisations Replacing Legacy Point Products

If your current security environment includes third-party CASB (Netskope, Zscaler for M365 traffic), standalone identity governance (SailPoint for lifecycle management, CyberArk for privileged access management), and separate EDR (CrowdStrike, SentinelOne), the displacement arithmetic changes significantly. Where E5 can displace $15–25/user/month in third-party licence costs, the E5 premium becomes commercially justified — provided the displacement is actually executed and contracts are terminated. The failure mode is purchasing E5 for the displacement opportunity and then retaining legacy products due to transition complexity, resulting in double-spend.

3. Mature Microsoft Security Operations

Organisations with existing Microsoft Security Operations Center (SOC) workflows — particularly those already running Microsoft Sentinel, using Defender XDR for cross-product correlation, and actively operating PIM for privileged access — derive full E5 value because the operational infrastructure is in place to consume what E5 provides. These organisations also benefit most from the M365 Defender free data ingestion in Sentinel, which can represent $8–15K/month in Sentinel consumption savings at enterprise scale.

When E5 Security Doesn't Justify the Premium

Three scenarios where the E5 security premium is not commercially justified:

Cloud-first organisations with minimal on-premises AD. If your identity estate is predominantly Entra ID-native (Azure AD-joined devices, no on-premises AD DC infrastructure), Defender for Identity delivers minimal value — the product monitors Domain Controllers and detects lateral movement in AD environments. Entra ID P2's PIM is valuable, but at $6/user/month standalone it is cheaper than the full E5 premium. Cloud-first organisations should evaluate standalone Entra ID P2 rather than full E5 if security is the driving rationale.

Small security teams that cannot operationalise E5 capabilities. Defender for Endpoint P2's value is in the EDR telemetry, threat hunting, and timeline analysis — which require security analysts to consume it. Organisations with a 2–3 person security team running in reactive mode will not extract meaningful incremental value from P2 over P1. The threat hunting and advanced investigation capabilities require dedicated analyst time that does not exist in these organisations.

Organisations with locked-in third-party security contracts. If you have 3 years remaining on a CrowdStrike contract, 2 years on a Netskope contract, and 18 months on a SailPoint contract, the E5 displacement value is theoretical — you cannot actualise it for 18–36 months. Purchasing E5 now for displacement savings that materialise in 2028 is a commercial decision that deserves explicit NPV analysis, not an automatic yes at renewal.

Negotiation Insight

One of the most powerful EA negotiation positions is a segmented E5 deployment: E5 for the 20–30% of users who are power users with active security, compliance, and productivity use cases (executives, finance, legal, IT, regulated function staff), and E3 with targeted add-ons for the remaining population. Microsoft will resist this because it reduces E5 volume — but our benchmark data shows that segmented E5+E3 deployments save an average of $340K annually per 5,000-user organisation vs full-population E5, with minimal operational impact.

How to Negotiate E5 Security Pricing

If you determine that E5 is the right licence for some or all of your population, the negotiation approach determines how much you pay. Three levers matter most:

Population segmentation as the primary anchor. Before any pricing discussion, define precisely which user populations require E5 security capabilities and which can be served by E3 with targeted add-ons. A validated segmentation analysis — mapping user roles to capability requirements — gives you a defensible counter-position to a full-population E5 proposal and demonstrates commercial sophistication that elevates you above the average buyer.

Deployment roadmap as the E5 commitment signal. Microsoft's internal pricing approval process for E5 discounting requires a deployment roadmap. Entering the negotiation with a documented 18-month deployment plan for Defender for Identity, Entra ID P2, and Defender for Cloud Apps — with specific milestones — unlocks higher discount authority than a purchase without deployment commitment. The roadmap doesn't need to be binding, but it needs to be credible.

Competitive evaluation as the discount unlock. The most effective lever for E5 pricing is a credible evaluation of competitive alternatives — CrowdStrike + Okta + Netskope at an equivalent price point demonstrates that you are a buyer with options. This evaluation doesn't need to result in a competitive win; it needs to demonstrate that you have done the analysis and can make a credible alternative case to your security leadership. For more on this, see our guide to Microsoft Security Licensing.

5-Step E5 Security Evaluation

Step 1: Map current security spend against E5 inclusions. Extract every standalone security licence in your current estate — CASB, EDR, identity governance, email security — and map each against its E5 equivalent. Quantify the current standalone cost per user per month.

Step 2: Assess deployment feasibility by capability. For each major E5 security capability (Defender for Identity requiring DC sensors, Defender for Cloud Apps requiring app integration, Entra P2 requiring PIM operational process), assess whether your security team has the capacity to deploy and operationalise within 12 months of licence acquisition.

Step 3: Segment your population by security profile. Identify the subset of users who demonstrably need E5-tier security: privileged users, regulated-function employees, executives, and IT operations staff. For the remainder, assess whether E3 with targeted add-ons meets requirements at lower cost.

Step 4: Calculate the arithmetic for each scenario. Model three scenarios: full-population E5, segmented E5+E3, and E3 with standalone add-ons, each with full deployment assumptions and third-party displacement credit where applicable.

Step 5: Use the analysis as the negotiation anchor. Enter the EA renewal negotiation with the segmented proposal as your opening position. The analysis itself demonstrates the commercial sophistication that unlocks higher Microsoft discount authority. Contact our team via the assessment page to validate your analysis against our benchmark data from 500+ EA engagements.