Microsoft's Zero Trust licensing landscape is deliberately complex. The phrase "Zero Trust" does not correspond to a single SKU — it spans Entra ID (identity), Defender (endpoint and threat protection), Intune (device compliance), Purview (data), and Sentinel (SIEM). Enterprises implementing Zero Trust face licensing decisions that span 8–12 distinct product tiers, each with overlapping capabilities and bundle pricing that changes constantly. The average enterprise overpays by 20–30% on Zero Trust licensing either by purchasing E5 where targeted add-ons suffice, or by buying standalone add-ons where E5 would be more cost-effective. This guide provides the decision framework to optimise every dollar.
The Zero Trust Licensing Stack: What Each Layer Costs
Zero Trust is an architectural approach requiring controls across five technology domains. Each domain maps to specific Microsoft licensing requirements. Understanding this mapping prevents the most common error: assuming that any single SKU delivers "Zero Trust" — it does not.
| Zero Trust Domain | Microsoft Product | Minimum Licence | Full Capability Licence | Cost (/user/month) |
|---|---|---|---|---|
| Identity verification | Entra ID (Conditional Access, MFA) | Entra ID P1 | Entra ID P2 | P1: $6, P2: $9 |
| Device health | Microsoft Intune | Intune Plan 1 | Intune Plan 2 / Suite | $8 / $10 |
| Endpoint threat protection | Defender for Endpoint | Defender for Endpoint P1 | Defender for Endpoint P2 | P1: $3, P2: $5.20 |
| Cloud app visibility | Defender for Cloud Apps | Defender for Cloud Apps (standalone) | Included in E5/E5 Security | $3.50 standalone |
| Identity threat detection | Defender for Identity | Defender for Identity | Included in E5/E5 Security | $2.50 standalone |
| Network access (ZTNA) | Entra Internet/Private Access | Entra ID P1 + Global Secure Access | Entra Suite | $12 (suite) |
| SIEM/SOAR | Microsoft Sentinel | Sentinel (pay-per-GB) | Microsoft 365 E5 + Sentinel | $2.46/GB or $7.50/user/month (UEBA) |
| Data protection | Microsoft Purview | M365 E3 (basic) | M365 E5 Compliance | $10 add-on to E3 |
Licence Bundle Analysis: E3 vs E5 vs Targeted Add-Ons
The central Zero Trust licensing decision for most enterprises is: E5 bundle vs E3 plus targeted security add-ons. The math depends entirely on which specific capabilities you need. Here is the breakdown across four common profiles.
Profile 1: Zero Trust Baseline (Conditional Access + Device Compliance + EDR)
Minimum viable Zero Trust: conditional access, device compliance policies, endpoint detection and response. Options:
- E3 ($36) + Defender for Endpoint P2 ($5.20) = $41.20/user/month
- Microsoft 365 E5 Security ($12 add-on to E3 for eligible customers) = $48/user/month
- Microsoft 365 E5 standalone ($57) = $57/user/month
Verdict: E3 + Defender P2 ($41.20) wins if you do not need E5's advanced compliance (Purview E5), advanced voice, or full Defender suite. At 500 users, savings vs E5: $93,600/year.
Profile 2: Zero Trust with Identity Protection (PIM + Risk Policies)
Adds Privileged Identity Management (just-in-time access), risk-based conditional access using real-time signals, and identity governance.
- E3 ($36) + Entra ID P2 upgrade ($3/user — from P1 to P2) + Defender P2 ($5.20) = $44.20/user/month
- Microsoft 365 E5 Security add-on to E3 = $48/user/month
- Microsoft 365 E5 = $57/user/month
Verdict: E3 + targeted add-ons ($44.20) still wins vs E5 Security ($48) if you do not need Defender for Cloud Apps or Defender for Identity. Savings vs E5: $76,800/year for 500 users.
Profile 3: Full Zero Trust (Identity + Endpoint + Cloud App + SIEM)
Complete Zero Trust stack including Defender for Identity (Active Directory threat detection), Defender for Cloud Apps (SaaS visibility), and Microsoft Sentinel.
- E3 ($36) + Entra P2 upgrade ($3) + Defender P2 ($5.20) + Defender for Identity ($2.50) + Defender for Cloud Apps ($3.50) = $50.20/user/month
- Microsoft 365 E5 Security add-on to E3 ($12) = $48/user/month (includes Defender for Identity + Cloud Apps)
- Microsoft 365 E5 ($57) adds compliance and voice on top
Verdict: M365 E5 Security add-on ($48) beats standalone add-ons ($50.20) once you need both Defender for Identity and Cloud Apps. For 500 users: $26,400/year savings vs piecemeal add-ons.
Profile 4: Zero Trust + Advanced Compliance + SIEM
Full security stack plus Purview eDiscovery Premium, Communication Compliance, advanced DLP, and Sentinel SIEM.
- E3 + E5 Security add-on ($12) + E5 Compliance add-on ($10) + Sentinel = $58+/user/month
- Microsoft 365 E5 ($57) includes security + compliance without Sentinel data charges
Verdict: E5 ($57) is cost-competitive once both security and compliance E5 add-ons are needed. At 1,000 users needing full stack, E5 is typically the right vehicle — and provides the best negotiation basis as Microsoft's flagship SKU.
Entra ID Licensing Tiers: P1 vs P2 Decision Framework
Entra ID (formerly Azure Active Directory) has three relevant licensing tiers for Zero Trust implementation. The free tier (included in all Microsoft 365 plans) provides basic authentication. P1 provides conditional access and most Zero Trust controls. P2 adds identity protection and privileged identity management.
| Feature | Entra ID Free | Entra ID P1 ($6/user) | Entra ID P2 ($9/user) |
|---|---|---|---|
| Multi-factor authentication (per-user MFA) | ✅ Basic | ✅ | ✅ |
| Security defaults (MFA via Authenticator) | ✅ | ✅ | ✅ |
| Conditional access policies | ❌ | ✅ | ✅ |
| Device compliance-based access | ❌ | ✅ (with Intune) | ✅ |
| Named locations / IP ranges | ❌ | ✅ | ✅ |
| Sign-in risk (basic) | ❌ | ✅ (limited) | ✅ (full risk-based CA) |
| User risk policies | ❌ | ❌ | ✅ |
| Identity Protection (risky sign-in detection) | ❌ | Limited (no remediation) | ✅ Full |
| Privileged Identity Management (PIM) | ❌ | ❌ | ✅ |
| Access Reviews | ❌ | ❌ | ✅ |
| Entitlement Management (MyAccess portal) | ❌ | ❌ | ✅ |
| Verified ID (decentralised identity) | ❌ | ✅ | ✅ |
| B2B collaboration | ✅ (limited) | ✅ | ✅ |
| Application proxy | ❌ | ✅ | ✅ |
The P1 vs P2 decision reduces to one question: does your Zero Trust strategy require just-in-time privileged access (PIM) or risk-based automated remediation (Identity Protection)? If yes, P2 is necessary. If no — standard conditional access policies enforced through P1 suffice for 80% of enterprise Zero Trust implementations. P2 is essential for any organisation in regulated industries (financial services, healthcare, government) or with elevated privilege management requirements.
The Entra Suite: A New Licensing Bundle
In 2024, Microsoft introduced the Entra Suite at $12/user/month — a new bundle that consolidates identity, network access, and governance into a single SKU. Entra Suite includes: Entra ID P2, Entra Internet Access (SWG), Entra Private Access (ZTNA), Entra ID Governance, and Entra Verified ID. For organisations needing ZTNA network access controls in addition to identity, the Entra Suite is often more cost-effective than purchasing components separately.
| Product | Standalone Price | Included in Entra Suite ($12) |
|---|---|---|
| Entra ID P2 | $9/user/month | ✅ |
| Entra Internet Access | $3/user/month (est.) | ✅ |
| Entra Private Access | $3/user/month (est.) | ✅ |
| Entra ID Governance | $7/user/month | ✅ |
| Entra Verified ID (advanced) | Consumption-based | ✅ |
| Total if purchased standalone | ~$22/user/month | $12/user/month (45% saving) |
The Entra Suite is compelling for organisations building a ZTNA architecture to replace legacy VPN. The ZTNA value proposition — Private Access replaces corporate VPN at $3/user/month vs $8–$15/user/month for enterprise VPN infrastructure — funds a significant portion of the Entra Suite cost.
Zero Trust Deployment Sequencing and Licensing Phasing
Most enterprises cannot implement full Zero Trust in a single phase. A phased licensing approach reduces upfront commitment while building toward the target state:
Phase 1 (0–3 months): Identity foundation. Enable Entra ID P1 conditional access, MFA enforcement, and compliant device policies through Intune. This phase requires Entra ID P1 + Intune Plan 1 = $14/user/month. Deploy to all users before advancing. Cost baseline for 1,000 users: $14,000/month.
Phase 2 (3–9 months): Endpoint protection. Add Defender for Endpoint P1 (EDR blocking) across all endpoints, and upgrade high-privilege accounts to Entra ID P2 + PIM. Incremental cost: Defender P1 ($3/user) + P2 upgrade for ~15% of users ($3 × 150 = $450/month). Total: approximately $17,450/month for 1,000 users.
Phase 3 (9–18 months): Cloud and network visibility. Add Defender for Identity (AD threat detection), Defender for Cloud Apps (SaaS controls), and potentially Entra Internet Access for secure web gateway. If these three additions are needed, evaluate E5 Security add-on ($12/user/month) vs standalone pricing — E5 Security wins for 1,000+ users. Total: ~$30,000/month for 1,000 users.
Phase 4 (12–24 months): SIEM and compliance. Introduce Microsoft Sentinel for SIEM correlation and automated response, and Purview for data classification and DLP. At this stage, evaluate whether full E5 ($57/user) is more cost-effective than E3 + all add-ons. The answer is yes for most organisations at 500+ users needing both compliance and full security stacks.
EA Negotiation for Zero Trust Licensing
Zero Trust security is one of Microsoft's highest-priority sales themes for 2025–2026. This creates both risk and opportunity in negotiations.
The risk: Microsoft account teams are heavily incentivised to position E5 for all Zero Trust conversations, regardless of whether it is the most cost-effective solution for your requirements. "Microsoft recommends E5 for Zero Trust" is a sales motion, not an independent assessment. Always build a requirements-based model before allowing Microsoft to anchor to E5 pricing.
The opportunity: Because Microsoft prioritises Zero Trust security expansion, organisations actively deploying Zero Trust — and willing to commit to a multi-year implementation roadmap — can negotiate better pricing. Specific levers: commit to Defender for Endpoint P2 deployment across all managed devices (Microsoft rewards deployment commitments with price holds), link Entra ID expansion to Azure MACC commitment, and use competitive alternatives (CrowdStrike, Zscaler, Okta) as genuine pricing validation tools.
At 1,000-user scale, a well-structured Zero Trust licensing negotiation should achieve: 10–15% below list on Defender products, 10% below list on Entra ID P2, and 3-year price lock on the security stack. These savings add up to $48,000–$96,000/year for a full Zero Trust deployment.
Frequently Asked Questions
What licences are required for Microsoft Zero Trust?
The minimum viable Zero Trust stack requires Entra ID P1 ($6/user/month) for conditional access and MFA. Full Zero Trust including privileged identity management, risk-based policies, EDR, and cloud app visibility requires Entra ID P2 ($9/user) plus Defender for Endpoint P2 ($5.20/user), or Microsoft 365 E5 Security ($12/user add-on) which bundles both.
Is Entra ID P1 sufficient for Zero Trust conditional access?
Entra ID P1 provides the foundational Zero Trust controls: conditional access policies, MFA enforcement, compliant device requirements, named locations, and app-based access control. P2 adds risk-based conditional access, privileged identity management (just-in-time access), and access reviews. Most organisations implement effective Zero Trust perimeter controls on P1, reserving P2 for privileged access scenarios.
Does Microsoft 365 E3 include Zero Trust capabilities?
Microsoft 365 E3 includes Entra ID P1, basic Defender for Business (not Defender for Endpoint P2), and Intune — providing a functional Zero Trust baseline. E3 does not include Defender for Endpoint P2 EDR, identity protection risk policies (P2), or Sentinel. E5 adds all of these plus Defender for Identity and Defender for Cloud Apps.
What is the licensing cost difference between E3 and E5 for Zero Trust?
E3 costs ~$36/user/month; E5 costs ~$57/user/month. The $21/user/month premium adds Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, Purview E5 Compliance, and advanced voice. For 500 users, that premium comes to $126,000/year in incremental cost; evaluate whether it is justified by the bundled capabilities you actually need to deploy, compared with E3 plus targeted Zero Trust add-ons.
Can you implement Microsoft Zero Trust without E5?
Yes. E3 + targeted add-ons is viable and often cheaper. Defender for Endpoint P2 ($5.20) + Entra P2 upgrade ($3) added to E3 = $44.20/user/month vs $57/user/month for E5. Savings at 500 users: $76,800/year. This approach requires more licensing management overhead but is the right choice when full E5 compliance capabilities are not needed.