Microsoft's identity and Zero Trust licensing landscape is among the most complex in the enterprise software market — spanning six Entra product families, seven Defender components, the Entra Suite bundle, Security Copilot SCU model, and Microsoft Sentinel consumption billing. This guide provides the authoritative licensing framework for enterprise buyers navigating this landscape in 2026, with specific cost models, negotiation tactics, and architecture guidance.
The Microsoft Identity & Zero Trust Stack
Microsoft's identity and Zero Trust portfolio has expanded dramatically since the Azure AD rebranding to Microsoft Entra in 2022. The full Entra product family now spans six product lines, each with independent licensing:
| Product | Function | Standalone Price | Bundle Availability |
|---|---|---|---|
| Entra ID (Free) | Basic SSO, MFA, app provisioning | $0 | Included with M365 |
| Entra ID P1 | Conditional Access, SSPR, hybrid identity | $6/user/month | M365 E3+ |
| Entra ID P2 | Identity Protection, PIM, Access Reviews | $9/user/month | M365 E5, Entra Suite |
| Entra Private Access | ZTNA — VPN replacement | $3/user/month | Entra Suite |
| Entra Internet Access | SWG — secure web gateway | $5/user/month | Entra Suite |
| Entra ID Governance | IGA — lifecycle, entitlement, reviews | $7/user/month | Entra Suite |
| Entra Verified ID Premium | Decentralised credential issuance | $3/user/month | Entra Suite |
| Entra Permissions Management | CIEM — cloud infrastructure entitlement | $8/resource/month | Entra Suite (limited) |
| Entra Suite | P2 + Private Access + Internet Access + Governance + Verified ID | $12/user/month | Standalone bundle |
Read the full analysis: Microsoft Entra Suite Complete Licensing Guide
Zero Trust Network Access: Entra Private Access
Entra Private Access at $3/user/month is the lowest-price enterprise ZTNA solution in the market for organisations already on M365 E3 or E5. It replaces VPN for per-app access to private corporate resources and integrates natively with Conditional Access for continuous verification. The three-year TCO advantage over traditional VPN infrastructure typically reaches 44–60% for organisations over 500 users.
Key licensing requirements: Entra ID P1 (for Conditional Access, included in E3), plus Entra Private Access ($3 standalone) or Entra Suite ($12). The Global Secure Access client and Private Network Connectors are included at no additional cost.
For complete pricing, VPN TCO comparisons, and deployment architecture: Microsoft Entra Private Access Licensing Guide
For ZTNA market comparisons and migration strategy: Zero Trust Network Access Licensing: ZTNA vs VPN Guide
Microsoft 365 Defender: The XDR Licensing Model
Microsoft 365 Defender (now Defender XDR) is not a single product — it is a unified portal surfacing signals from six distinct Defender products. Each requires separate licensing. The E3/E5 decision determines your baseline coverage; individual add-ons are cost-effective when fewer than four Defender products are needed.
The E3-to-E5 break-even analysis: if you need Defender for Endpoint P2 + Defender for Office 365 P2 + Defender for Identity + Cloud App Security, the E5 upgrade at $21/user/month is cheaper than buying all four as standalone add-ons ($19.20/user/month), and also includes Purview compliance, Entra P2, and Sentinel data ingestion credits.
Full comparison table and build-vs-bundle analysis: Microsoft 365 Defender Licensing Comparison 2026
Get the Complete Guide
Download the full 7-chapter PDF with cost models, negotiation tactics, and decision frameworks for Microsoft Identity & Zero Trust licensing.
Download Free →Microsoft Security Copilot: SCU Licensing Model
Security Copilot at $4/SCU/hour is the only Microsoft security product billed on provisioned AI capacity rather than per-user. A single SCU costs $2,920/month whether fully utilised or idle. For SOC teams with 150+ monthly incidents, the ROI is positive from month one. For lighter-usage environments, over-provisioning is the primary cost risk.
SCU capacity planning framework, embedded experience prerequisites, and enterprise negotiation tactics: Microsoft Security Copilot Licensing Guide
Microsoft Sentinel: Consumption Cost Management
Microsoft Sentinel charges per GB of data ingested. The M365 E5 data ingestion credit (approximately 5 MB/user/day for M365 security data) offsets a meaningful portion of the Sentinel bill for E5 customers, but most enterprise deployments ingest 3–8x more data than the credit covers. Three-tier strategies for managing Sentinel costs: data source prioritisation, Commitment Tier pricing (30–65% below PAYG at 100+ GB/day), and analytics workspace optimisation.
Complete Sentinel cost optimisation guide: Microsoft Sentinel Cost Optimisation
Detailed licensing model: Microsoft Sentinel Licensing Guide
Microsoft Defender Threat Intelligence
MDTI premium is included in M365 E5 and Microsoft Defender XDR at no incremental cost, yet 60–70% of E5 customers have not activated MDTI access. For organisations paying separately for commercial TI platforms (Recorded Future, Mandiant, Intel 471), MDTI enables elimination or reduction of those contracts while providing superior infrastructure intelligence for Microsoft-ecosystem threats.
MDTI free vs premium comparison, Sentinel integration costs, and TI platform replacement analysis: Microsoft Defender Threat Intelligence Licensing Guide
EA Negotiation Framework for Identity & Security
The single most impactful negotiation lever for the Microsoft security and identity portfolio is the competitive comparison. Documented evaluations of Zscaler, Okta, CrowdStrike, or Palo Alto consistently generate 12–25% discounts beyond standard EA levels. Present the alternative evaluation before the account team opens their final proposal — once they present numbers, the flexibility to move is significantly reduced.
Key Negotiation Principles
- Bundle security with identity: Negotiate the Entra Suite, Defender XDR, Sentinel, and Security Copilot as a unified security package. Microsoft's security team has joint commercial authority across the Azure-billed and M365-billed portfolio.
- MACC for Azure-billed workloads: Security Copilot SCUs, Sentinel consumption, and Entra Domain Services are Azure-billed and apply against MACC commitment. Include them in your Azure consumption forecast to accelerate MACC burn-down and qualify for higher-tier discounts.
- Phased deployment commitments: Offer named deployment milestones for Entra Suite and Defender XDR in exchange for year-one pricing concessions. Microsoft's activation rate metrics mean they value committed deployments above dormant licences.
- FastTrack for identity products: Microsoft FastTrack provides free deployment support for Entra ID, Entra Suite, and Defender XDR for qualifying EA customers. This is worth $40,000–$120,000 in implementation services — always request it and document the commitment in the EA.
Full negotiation playbooks: Microsoft Identity & Zero Trust Licensing — Complete Guide
Need Independent Guidance?
500+ Microsoft EA engagements. $2.1B in managed spend. 32% average cost reduction. We negotiate on your behalf — never Microsoft's.
View Advisory Services → Request a Consultation →