Microsoft Licensing · Guide

Microsoft Security Licensing

Licensing the Microsoft security stack — Defender XDR, Entra ID, Purview, and Sentinel. What's in E5, what's add-on, and where enterprises double-pay.

Quick Answer

Microsoft's security stack is bundled into E5 as a package, sold as standalone add-ons, and offered as industry suites — and those three paths rarely price the same. Enterprises routinely double-pay by buying E5 for 'security' and then purchasing Defender standalones on top, or by missing entitlements already included in their EA. Unify the licensing picture before the next renewal.

The Microsoft security product map

The stack, as of 2026: Microsoft Defender XDR (Endpoint, Office 365, Identity, Cloud Apps, Cloud, Vulnerability Management, Threat Intelligence). Microsoft Entra (ID P1, ID P2, ID Governance, Verified ID, External ID). Microsoft Purview (Information Protection, Data Loss Prevention, Insider Risk, eDiscovery, Compliance Manager, Audit Premium). Microsoft Sentinel (SIEM, SOAR, UEBA). Each has multiple license paths.

What's in E5 (and what's not)

E5 includes: Defender for Endpoint P2, Defender for Office 365 P2, Defender for Cloud Apps, Defender for Identity, Entra ID P2, most Purview advanced features, Audit Premium. E5 does not include: Defender for Cloud (that's Azure), Microsoft Sentinel (separate commercial), Defender External Attack Surface Management, or Defender Threat Intelligence standalone. Buyers regularly misread 'E5 includes security' as 'E5 includes all security.'

Defender suite vs. Defender standalones

Defender for Endpoint P2 is available three ways: in E5, in the Microsoft 365 E5 Security add-on, or as a standalone ($5.20/user/month). Price per user is similar; the differences are entitlements for other Defender products bundled and the minimum-seat thresholds. On a full user population, the E5 Security add-on on top of E3 is the right answer roughly two-thirds of the time.

Microsoft Sentinel licensing

Sentinel is consumption-priced based on data ingestion (GB/day). Commitment tiers offer significant discounts at 100GB+/day. Sentinel is not in E5 — this is where the double-pay lives, when customers assume Sentinel is security-bundled and find a separate Azure bill. Budget Sentinel against expected SIEM data volume, typically $60K–$2M/year in enterprise deployments.

Entra ID: P1 vs P2 decision

Entra ID P1 covers most enterprise needs (conditional access, SSPR, MFA, hybrid identity). Entra ID P2 adds Identity Protection (risk-based policies), Privileged Identity Management (PIM), and Access Reviews. For highly regulated or privileged-user-heavy environments, P2 is required. Mixed licensing is legitimate: P2 for privileged users, P1 for the rest. Many enterprises pay for P2 universally when 10%–20% coverage suffices.

Purview licensing: where it gets complex

Purview has four commercial layers: core (in E3), advanced (in E5), add-on capabilities, and separately-licensed Data Governance. Data classification, sensitivity labels, and DLP baseline are in E3. Advanced policies, insider risk, communication compliance, records management, and Audit Premium require E5 or the Compliance add-on. Purview Data Governance (catalog, lineage) is separate entirely — often bundled with Azure Purview for data-estate governance. Mis-mapping these layers is the #1 Purview cost mistake.

Industry-specific security SKUs

Microsoft offers industry-specific security suites for government (G5, DoD, GCC-High), education (A5), frontline (F5 Security), and first-line (F5 Compliance). Each has distinct data-handling and commercial terms. Government SKUs carry a 15%–25% premium. Frontline security SKUs (F5 Security, F5 Compliance) cover a subset of protections at a fraction of E5 Security cost — worth considering for frontline workforces under compliance requirements.

The common double-pay patterns

Four patterns cover 90% of double-payment in security licensing: (1) E5 + standalone Defender purchases; (2) E5 Security add-on + included-in-E5 entitlements not recognized; (3) Entra ID P2 universal when P2 is only needed for privileged users; (4) Purview capabilities paid separately when E5 includes them. Audit annually. Every pattern is preventable.

Put these principles to work

Every Microsoft Negotiations engagement is fixed-fee, senior-led, and independent. 500+ engagements. $2.1B managed. 32% average reduction against Microsoft's opening proposals.

Engage Our Firm Our Methodology

Frequently asked questions

Does E5 include all Microsoft security?

No. E5 includes the Defender endpoint, mail, identity, cloud apps components, plus Entra ID P2 and Purview advanced. It does not include Microsoft Sentinel, Defender for Cloud (Azure), or several standalone products.

Is Microsoft Sentinel included in E5?

No. Sentinel is an Azure consumption-priced service, separate from E5. This is the most common source of security double-payment — buyers assume E5 covers SIEM; it does not.

Do all my users need Entra ID P2?

Rarely. P2's differentiating features (Identity Protection, PIM, Access Reviews) are disproportionately valuable for privileged users. Mixed P1/P2 licensing is supported and usually cheaper.

What's the cheapest path to Defender for Endpoint?

Depends on mix. At 50%+ of users needing advanced endpoint protection, E5 or E5 Security add-on usually wins. Below that, standalone Defender for Endpoint P2 for the target user class is cheaper than upgrading everyone.

Is F5 Security a real product?

Yes. F5 Security and F5 Compliance are frontline-tier security add-ons, designed for frontline workers under compliance requirements. They cost a fraction of E5 Security and cover a proportional subset of protections.

Related reading

Ready for a specific answer on your EA, Azure, or Copilot?

A 30-minute call establishes fit, scope, and likely range of outcome. Fixed-fee engagement proposals within 5 business days.

Book a 30-Minute Call See Pricing

Est. 2016 · 500+ Engagements · $2.1B Managed · 32% Avg Reduction · 100% Independent