How to Rationalise Microsoft Security Licensing Spend: A 6-Step Framework

Pull every security product in your current EA Order Form. For each line, determine whether it is fully covered, partially covered, or not covered by your M365 E3 or E5 licence. The M365 inclusion list changes with each product update — do not rely on a mapping produced more than 12 months ago. The most common redundancies in 2026: Entra ID P1 standalone purchased alongside M365 E3 (P1 included in E3); Microsoft Defender for Office 365 Plan 1 standalone purchased alongside M365 E3 (P1 included in E3); Microsoft Intune Plan 1 standalone alongside M365 E3/E5 (included in both); Defender for Business or Defender for Endpoint P1 standalone alongside M365 E5 (P2 included in E5). Remove fully redundant lines immediately via an EA amendment request.

For every P2-tier security product in your EA — Defender for Endpoint Plan 2, Microsoft Entra ID P2, Purview Information Protection P2, Purview E5 Compliance, Intune Suite — pull the usage and feature activation data from the respective admin portals. Specifically: for MDE P2, which users are running active EDR queries and automated investigation workflows (not just benefiting from the NGAV that Plan 1 provides)? For Entra P2, which accounts have PIM role assignments activated and which users are targeted by Identity Protection risk-based conditional access policies? For Purview P2, which users are subject to auto-labelling policies (not manual label application)? The subset of users consuming P2-tier features is typically 10–25% of the licensed population. Segment the renewal to that population. Full-population P2 is only justified if the entire user base is operationally affected by P2-tier features. See our Defender P1 vs P2 analysis and Purview P2 guide for the feature-by-feature breakdown.

Export 90 days of ingestion data from your Log Analytics workspace — specifically the Usage table, filtered to BillableDataVolume by Table. Separate M365/Defender tables that are zero-cost under your E5 licence (SecurityEvent from MDE-covered devices, SigninLogs and AuditLogs for E5 users, OfficeActivity for E5 users) from the tables that generate Sentinel billing. The billable daily average at the 80th percentile is your right-sized Commitment Tier anchor. If you are committed above this level, negotiate a tier reduction at the next amendment — or propose a tier correction in exchange for a 12-month extension. If you are currently on PAYG, use the 90-day data to project whether any Commitment Tier generates savings. The Sentinel team has more commercial flexibility on tier adjustments than the account team on per-user products. See our Sentinel licensing guide for the commitment tier economics.

List every third-party security tool in your security budget — endpoint security, SIEM, identity, DLP, CASB, vulnerability management. For each, identify the Microsoft product that covers equivalent functionality and whether your current M365 licence includes it. Calculate the annual incremental cost of retaining the third-party tool vs the Microsoft included capability. Construct a retention justification that requires the security team to validate: (a) specific capability differentiators that the Microsoft product does not match, (b) deployment feasibility of the Microsoft alternative within the EA term, and (c) the total cost differential including migration. Tools without a documented retention justification are candidates for consolidation at next renewal. The incremental cost of retaining CrowdStrike, Splunk, and Okta alongside an M365 E5 estate that already includes equivalent capabilities can exceed $480,000/year for a 5,000-user organisation — all of which is recoverable through planned consolidation. Our security stack comparison guide provides the product-by-product overlap analysis.

Intune Suite add-ons (Remote Help, Endpoint Privilege Management, Advanced Analytics) and Purview E5 Compliance ($12/user/month) are the two most frequently over-provisioned security add-ons in enterprise EAs. Remote Help is relevant only to the managed device population that requires IT-assisted remote sessions — typically 20–30% of the total licence base, not 100%. Endpoint Privilege Management is relevant to the devices that have been targeted for standard user/least-privilege enforcement — again, a defined subset. Purview E5 Compliance is relevant to the user populations subject to legal hold, communication compliance requirements, or insider risk management investigations — typically legal, compliance, finance, and regulated business units, not the full enterprise. Pull the current deployment scope from the admin portals and re-scope each add-on to the validated deployment population before entering renewal negotiations.

Steps 1–5 produce the validated data that makes your security renewal negotiating position defensible. Step 6 is the negotiation itself. Present the security component of your EA renewal as a separate workstream from the core M365/productivity renewal — engage the Microsoft security specialist team directly (they carry separate discount authority from the core account team), and bring competitive pricing data for the Microsoft equivalents of any third-party tools you are evaluating for consolidation. A documented CrowdStrike vs MDE P2 comparison, a Splunk vs Sentinel SIEM evaluation, and an Okta vs Entra ID identity assessment — each with commercial pricing — generates 5–12 percentage points of additional discount authority on the Microsoft security lines, even if you ultimately renew entirely with Microsoft. The competitive signal is the mechanism that unlocks that authority. Our EA negotiation tactics guide and competitive pressure guide cover the mechanics in full.