Why Security Licensing Is the Most Commercially Complex Part of the Microsoft EA
Microsoft security licensing has become, in most enterprise EA renewals, the single most commercially complex component of the negotiation. In 2019, a typical enterprise EA included Windows Defender (included in Windows) and maybe Azure AD Premium P1. In 2026, a mature Microsoft security deployment includes Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Microsoft Sentinel, Microsoft Purview (Information Protection, Compliance, and Audit), Microsoft Entra ID P1/P2, Microsoft Intune, and potentially Microsoft Defender for Cloud for the Azure workload estate. Each product has its own tier structure, its own M365 bundle interaction, and its own EA negotiation dynamics.
The commercial problem this creates is systematic overspend through three mechanisms: (1) bundle inclusion blindness — purchasing standalone security add-ons that are already included in the organisation's M365 E5 or E3+Security add-on licences; (2) tier over-provisioning — deploying P2-tier capabilities (Defender for Endpoint Plan 2, Entra ID P2) across populations that only use P1-tier features; (3) Sentinel consumption over-estimation — committing to data ingestion tiers in Microsoft Sentinel that are materially above actual log data volumes. The average security licence overspend in enterprise EA renewals where security was not independently audited runs to 31% of the security line — which in a $5M/year security commitment represents $1.55M in annual waste.
What M365 E3 and E5 Include — And What They Don't
The foundational step in any security licence audit is mapping what is already included in the organisation's M365 base licence against what is being purchased as standalone security add-ons. This mapping is routinely incomplete in enterprise EA renewals because the M365 security inclusions change with each product update, and many organisations purchase security licences against specifications written 2–3 years earlier without re-evaluating the inclusion picture.
M365 E3 Security Inclusions
Microsoft 365 E3 includes: Microsoft Defender for Office 365 Plan 1 (anti-phishing, safe links, safe attachments for Exchange Online, SharePoint, Teams), Microsoft Entra ID P1 (Conditional Access, SSPR, MFA, group-based access management, application proxy), Microsoft Intune Plan 1 (device management for all OS, mobile application management, basic compliance policies), Microsoft Purview Information Protection (sensitivity labels, manual classification, basic DLP for Exchange and SharePoint), and Azure AD Application Proxy for on-premises application publishing.
What E3 does not include: Defender for Endpoint (neither Plan 1 nor Plan 2 at EA-equivalent tier), Defender for Identity (requires separate licence or E5), Defender for Cloud Apps (requires separate licence or E5), Microsoft Sentinel (always consumption-based, never included in M365), Microsoft Purview Compliance Manager advanced features, Entra ID P2 (requires E5 or standalone P2), and Defender for Office 365 Plan 2 (E3 includes Plan 1 only).
M365 E5 Security Inclusions
Microsoft 365 E5 extends E3 with: Defender for Office 365 Plan 2 (automated investigation and response, attack simulation training, priority account protection), Defender for Endpoint Plan 2 (full EDR, threat and vulnerability management, advanced hunting, device-based conditional access), Defender for Identity (on-premises identity threat detection via Active Directory sensor), Defender for Cloud Apps (CASB functionality, OAuth app governance, session controls), Microsoft Entra ID P2 (PIM, Identity Protection with risk-based conditional access, access reviews), and Microsoft Purview Compliance (advanced eDiscovery, advanced audit, communication compliance, insider risk management).
| Security Capability | M365 E3 | M365 E5 | Standalone Price* |
|---|---|---|---|
| Defender for Office 365 Plan 1 | Included | Plan 2 | ~$2/user/mo (P1) |
| Defender for Office 365 Plan 2 | Not included | Included | ~$5/user/mo |
| Defender for Endpoint Plan 2 | Not included | Included | ~$5.20/user/mo |
| Defender for Identity | Not included | Included | ~$5.20/user/mo |
| Defender for Cloud Apps | Not included | Included | ~$3.50/user/mo |
| Microsoft Entra ID P1 | Included | Included | ~$6/user/mo |
| Microsoft Entra ID P2 | Not included | Included | ~$9/user/mo |
| Microsoft Intune Plan 1 | Included | Included | ~$8/user/mo |
| Purview Information Protection P2 | P1 only | P2 Included | ~$3.20/user/mo (P2) |

*Indicative EA rates; actual negotiated pricing varies.
The E3 vs E5 Security Decision
The M365 E5 premium over E3 is approximately $35–$45/user/month at EA rates (list differential is $57/user/month; negotiated EA gap typically runs $35–$45). When you evaluate the security capabilities included in E5 against their standalone equivalents — Defender for Endpoint P2 ($5.20), Defender for Identity ($5.20), Defender for Cloud Apps ($3.50), Entra ID P2 ($3 premium over P1), Purview P2 ($3.20) — the standalone equivalent sum is approximately $20/user/month. E5 also includes the E3 productivity upgrades (advanced Teams Phone, Viva Insights, advanced compliance) and Power BI Pro. The security-only ROI case for E5 at a $35–$45 premium does not add up arithmetically — unless your organisation is actually deploying and using the full E5 security capability set.
In practice, most enterprises that renew at M365 E5 use fewer than 60% of the security capabilities included. The correct commercial structure for most organisations is a mixed deployment: E5 for the subset of users who are genuine E5 consumers (security operations centre staff, privileged identity users, compliance-intensive roles, executives on enhanced protection) and E3 with targeted standalone security add-ons for the remainder. See our detailed guide on M365 E3 vs E5 comparison for the full decision framework.
The Microsoft Defender Suite: Product-by-Product Commercial Analysis
Defender for Endpoint (MDE)
Defender for Endpoint is available in Plan 1 (~$3/device/month) and Plan 2 (~$5.20/user/month or device/month at EA). Plan 1 covers next-generation antivirus, attack surface reduction rules, device control, and basic endpoint firewall policy. Plan 2 adds Endpoint Detection and Response (EDR), threat and vulnerability management, automated investigation and response (AIR), advanced hunting with KQL queries, and threat analytics. Plan 2 is included in M365 E5 and Microsoft 365 Defender.
The commercial trap is purchasing Plan 2 for the full user population when the EDR and threat hunting capabilities are only used by the security operations team. For a 5,000-user enterprise where 20 SOC staff conduct active threat hunting and EDR response, Plan 2 for the 20 SOC users plus Plan 1 for the remaining 4,980 users saves approximately $11,000/month vs Plan 2 for all 5,000 — $132,000/year. This segmentation is operationally manageable through Intune or Group Policy-based MDE configuration.
Microsoft Sentinel
Microsoft Sentinel is consumption-based, priced per GB of log data ingested and retained in the Log Analytics workspace. Sentinel pricing has two models: Pay-As-You-Go (~$2.46/GB ingested at standard rate) and Commitment Tiers (100 GB/day at ~$96/day = $0.96/GB; 200 GB/day at ~$192/day = $0.96/GB, with lower effective rates at higher tiers). The EA negotiation question for Sentinel is whether to commit to a Capacity Reservation tier or remain on PAYG — and at which tier.
The systematic Sentinel overspend pattern is committing to a Capacity Reservation tier based on log volume estimates that turn out to be materially lower than projected. A 200 GB/day commitment at $192/day = $70,080/month; if actual ingestion is 130 GB/day, the effective rate is $192/130 = $1.48/GB vs the $0.96/GB committed rate — 54% more expensive than the best-available PAYG equivalent. The correct approach is running on PAYG for 90 days after initial deployment to establish actual log volumes before committing to any Capacity Reservation tier. Our guide to Microsoft security add-ons provides additional detail on the Sentinel ingestion economics.
Microsoft Entra ID (Formerly Azure Active Directory)
Microsoft Entra ID is available at Free (included with any Azure subscription), P1 (~$6/user/month, included in M365 E3/E5), and P2 (~$9/user/month, included in M365 E5). The P1 to P2 upgrade ($3/user/month) adds Privileged Identity Management (PIM), Identity Protection (risk-based conditional access with real-time sign-in and user risk signals), and Access Reviews (automated access certification campaigns).
PIM and Identity Protection are genuinely high-value security controls — PIM for privileged access governance, Identity Protection for blocking compromised credential attacks at sign-in. But they are controls that matter primarily for the privileged and high-risk user populations, not the full enterprise user base. An organisation that licenses Entra ID P2 for 10,000 users when only 500 privileged users require PIM and 1,000 high-risk users are targeted with Identity Protection policies is paying $3 × 10,000 = $30,000/month for a capability that is operationally deployed to 1,500 users. Entra ID P2 for the targeted population of 1,500 costs $4,500/month — a saving of $25,500/month or $306,000/year.
Intune and Purview: The Hidden Overspend Areas
Microsoft Intune
Microsoft Intune Plan 1 is included in M365 E3/E5, EMS E3/E5, and as a standalone at ~$8/user/month. Intune Plan 2 (~$10/user/month standalone) adds advanced endpoint analytics, advanced Microsoft Tunnel, and specialised device scenarios. Intune Suite (~$10/user/month as an add-on to Plan 1 or bundled with certain SKUs) adds remote help, endpoint privilege management, and advanced analytics.
The commercial trap with Intune is purchasing Intune Plan 2 or Intune Suite add-ons for the full user population when the advanced scenarios are limited to a specific device population. Remote Help (Intune Suite) is relevant for the managed device population that requires IT-assisted remote sessions — typically 20–30% of the total licence base. Purchasing Intune Suite for 100% of users when Remote Help is the primary differentiator represents a 70–80% over-purchase on that add-on line.
Microsoft Purview
Microsoft Purview encompasses Information Protection (sensitivity labels, encryption, DLP), Compliance Manager (regulatory compliance assessment), eDiscovery (legal hold and search), Audit (activity logging and investigation), and specialised compliance tools (Communication Compliance, Insider Risk Management, Information Barriers). The commercial landscape here is defined by two tiers: Purview A1/M365 E3 (basic sensitivity labels, standard DLP, standard audit) and Purview included in M365 E5 Compliance (advanced eDiscovery, premium audit with 10-year retention, communication compliance, insider risk management).
The E5 Compliance add-on standalone costs approximately $12/user/month at EA. For organisations that need advanced eDiscovery for legal purposes or communication compliance for regulatory requirements, the E5 Compliance add-on for the affected user population (legal team, compliance officers, regulated business units) is commercially rational. For organisations purchasing E5 Compliance for the full enterprise user base because the legal team requested it, the cost allocation problem is identical to every other full-population add-on purchase: the cost is 100%, the deployment is 5–15% of the population.
Four EA Negotiation Tactics for Microsoft Security
1. Bundle Inclusion Audit as the Opening Position
Before any price negotiation, produce a complete mapping of the security capabilities included in your current M365 licence against every standalone security line in your EA. In a significant proportion of large enterprise EA renewals, this exercise identifies $200,000–$600,000 in annual spend on standalone security products that are included in the M365 E3/E5 licence already being paid. The correction is straightforward — remove the redundant standalone lines at the next renewal amendment — but it requires the mapping exercise to be performed by someone who understands both the M365 inclusion list and the standalone product equivalencies.
2. Population Segmentation for P2 and Suite Add-Ons
For every P2-tier security product (Defender for Endpoint P2, Entra ID P2, Purview E5 Compliance, Intune Suite), produce a deployment validation showing which users actually consume P2-tier features. This is not a theoretical exercise — it requires sign-in and usage data from the respective admin portals. The validated population deployment becomes your negotiating anchor against Microsoft's renewal proposal, which will default to maintaining the existing full-population P2 count. Position the corrected deployment count as the renewal baseline and defend it with usage data rather than a desire to reduce spend.
3. Sentinel Ingestion Right-Sizing
For organisations committed to a Sentinel Capacity Reservation tier, pull the actual ingestion data from the Log Analytics workspace for the last 90 days. If actual ingestion is consistently below the committed tier, negotiate a tier reduction at the next renewal amendment — or, if mid-term, propose a tier correction in exchange for a 12-month extension commitment. The Sentinel team has commercial flexibility on tier adjustments that is not typically available for per-user product pricing, particularly when the alternative is a customer moving their SIEM workload to a third-party product. CrowdStrike LogScale and Splunk Cloud are credible competitive alternatives that carry weight in Sentinel pricing conversations.
4. Security as a Separate Negotiation Track from the Core EA
Microsoft's field teams prefer to negotiate security as part of the consolidated EA renewal — it obscures the individual product pricing and makes it harder to isolate security-specific discount opportunities. In the last three years, Microsoft has designated security as a high-priority growth area with dedicated security specialists in the field team structure. The security specialist's discount authority is often separate from the core EA account team's authority. Negotiate the security stack as an independent track — starting 12 months before renewal, with dedicated stakeholder involvement from the CISO organisation — rather than letting it be absorbed into the consolidated renewal process. Our guide to EA negotiation tactics covers the track separation mechanics in full.
1. Map M365 bundle inclusions against every standalone security line in your EA — identify redundant spend before any negotiation begins.
2. Run population deployment validation for every P2-tier security product — Defender P2, Entra P2, Purview E5 Compliance — and validate against actual feature activation data.
3. Pull 90 days of Sentinel ingestion data and compare it against the committed Capacity Reservation tier — right-size to the P80 actual daily volume plus 20% buffer.
4. Segment Intune and Purview add-ons to the user populations that actually require the advanced features, not the full enterprise user base.
5. Initiate security-track negotiation 12 months before renewal — engage the Microsoft security specialist team separately from the core EA account team, with CISO stakeholder involvement and a competitive signal on SIEM and EDR alternatives.
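
Step 3 of the checklist, together with the Sentinel effective-rate arithmetic earlier on the page, worked through in Python as an added example (not code from the original article). The rates are the article's indicative figures; the function names, the constructed 90-day sample, and the rule that ingestion above a commitment bills at that tier's per-GB rate are assumptions of this example.

```python
import math

# Indicative rates quoted in the article (not Microsoft list prices).
PAYG_PER_GB = 2.46
TIERS = {100: 96.0, 200: 192.0}  # committed GB/day -> fee in $/day

def percentile_nearest_rank(values, pct):
    """Smallest sample with at least pct% of all samples at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def sizing_target(daily_gb, pct=80, buffer=0.20):
    """P80 of daily ingestion plus a 20% buffer (checklist step 3)."""
    return round(percentile_nearest_rank(daily_gb, pct) * (1 + buffer), 1)

def window_cost(daily_gb, tier=None):
    """Total cost of the window; tier=None means Pay-As-You-Go.
    Assumption: GB above the commitment bill at the tier's per-GB rate."""
    if tier is None:
        return sum(gb * PAYG_PER_GB for gb in daily_gb)
    fee = TIERS[tier]
    return sum(fee + max(0.0, gb - tier) * fee / tier for gb in daily_gb)

def effective_rate(daily_gb, tier=None):
    """Dollars actually paid per GB ingested over the window."""
    return round(window_cost(daily_gb, tier) / sum(daily_gb), 2)

def review_commitment(daily_gb, committed_tier):
    """Compare the current commitment with every option on observed volumes."""
    target = sizing_target(daily_gb)
    rates = {t: effective_rate(daily_gb, t) for t in [None, *TIERS]}
    return {
        "target_gb_per_day": target,
        "over_committed": committed_tier > target,
        "effective_rate": rates,  # key None is Pay-As-You-Go
        "cheapest": min(rates, key=lambda t: window_cost(daily_gb, t)),
    }

# Constructed 90-day sample of billable GB/day (not real workspace data).
SAMPLE = [110] * 30 + [130] * 45 + [150] * 15

if __name__ == "__main__":
    print(review_commitment(SAMPLE, committed_tier=200))
```

Replace `SAMPLE` with the daily billable ingestion exported from the Log Analytics workspace; the output gives the sizing target and the effective per-GB rate of each option to bring to the renewal conversation.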
Security Licensing in the Context of the Full EA
Microsoft security licensing does not exist in commercial isolation. The security product decisions interact with three other major EA components: the M365 suite tier (E3 vs E5 — driving whether standalone Defender/Entra products are redundant or genuinely needed), the Azure MACC (Sentinel, Defender for Cloud, and Entra Workload ID are Azure-billed and consume MACC — see our MACC negotiation guide), and the overall EA discount architecture (security spend increases the total EA value, which can improve tier positioning for discounts across the whole estate). The strongest commercial outcome requires treating security licensing as part of the integrated EA negotiation, not as a separate procurement exercise handled by the security team in isolation from the EA commercial process. Our guide to the complete EA negotiation process provides the integrated framework for coordinating security, productivity, and Azure components into a single commercial strategy.