Thank you for registering. Your copy of the Microsoft Security Licensing Guide has been prepared for immediate access. 18 pages covering the Microsoft Defender product family, Microsoft Sentinel SIEM licensing, Microsoft Purview compliance and data governance, Microsoft Entra identity licensing, the E3 versus E5 security feature comparison, and the add-on strategy for building a cost-optimised enterprise security stack.
A confirmation has also been sent to your registered email address. If you don't receive it within 10 minutes, check your spam folder.
Microsoft security licensing complexity has four primary dimensions: the Defender product family spanning endpoint, identity, email, cloud, and OT protection with different licensing models across each surface, Microsoft Sentinel where the consumption-based pricing model requires careful capacity planning, Microsoft Purview where the compliance and data governance features are split across E3, E5, and standalone add-ons in ways that create both gaps and duplication, and Microsoft Entra where the identity licensing tiers determine which zero-trust capabilities are available. The commercial question that sits underneath all four dimensions: is E5 a better economic choice than E3 plus selected security add-ons? The answer depends on your specific security requirements, and the guide provides the framework to calculate it accurately. Here is the preview of the most commercially significant areas.
Microsoft Defender is a product family — not a single product — covering six distinct security domains: Defender for Endpoint (EDR for Windows, Mac, Linux, iOS, Android), Defender for Identity (identity threat detection using Active Directory signals), Defender for Office 365 (email and collaboration threat protection), Defender for Cloud Apps (CASB and cloud application security), Defender for Cloud (cloud workload protection for Azure, AWS, and GCP), and Defender for IoT/OT (operational technology security). Each product is licensed separately in the standalone market, but significant Defender capabilities are included in Microsoft 365 E3, E5, and the specific E3/E5 add-ons. The critical issue for most organisations: they are paying for Defender capabilities that are already included in their M365 SKU, or missing Defender capabilities they need because they don't understand which SKU threshold activates the capability. The guide provides the complete Defender capability inclusion map across all M365 licensing tiers.
Microsoft Sentinel is licensed on a consumption basis — you pay for the data you ingest into the Sentinel workspace, measured in gigabytes per day. The default pricing (Pay-As-You-Go) charges approximately $2.46 per GB ingested. Commitment Tiers reduce the per-GB cost significantly: the 100 GB/day commitment tier prices at approximately $1.96/GB (20% below PAYG), the 500 GB/day tier at approximately $1.51/GB (39% below PAYG), and the 1000 GB/day and above tiers at further reductions. The primary Sentinel licensing risk: organisations that deploy Sentinel without modelling their log ingestion volume find their daily ingestion cost far exceeding budget assumptions, particularly when ingesting from high-volume sources (Azure Activity logs, Microsoft 365 audit logs, firewall logs, and endpoint security telemetry). A single M365 tenant with 5,000 users generating standard security audit logs typically ingests 15–35 GB per day — putting most enterprises in the commitment tier range within months of deployment.
Microsoft Purview (formerly Microsoft Information Protection and Compliance) covers four capability areas: Information Protection (sensitivity labels, classification, encryption), Data Loss Prevention (DLP policies across M365 and endpoints), Compliance Management (eDiscovery, audit, communication compliance, insider risk), and Data Governance (data catalogue, data lineage, data quality). The licensing split between E3 and E5 is commercially significant: E3 includes basic Information Protection and DLP capabilities, while E5 compliance adds advanced DLP with endpoint support, communication compliance, insider risk management, advanced eDiscovery (with hold and export), and advanced audit capabilities. The E5 Compliance add-on ($12/user/month) provides E5-level Purview capabilities on top of an E3 base — the most common path for organisations that need E5 compliance features but are not ready to upgrade the full user population to E5. The specific capabilities included in each tier are mapped in detail in the guide.
Microsoft Entra (the rebrand of Azure Active Directory and related identity products) is licensed in tiers that determine which zero-trust identity capabilities are available. Entra ID Free (included in all Microsoft 365 subscriptions) provides basic SSO and MFA. Entra ID P1 (included in E3, $6/user/month standalone) adds Conditional Access, hybrid identity management, self-service password reset, and dynamic groups. Entra ID P2 (included in E5, $9/user/month standalone) adds Identity Protection (risk-based Conditional Access using ML-based sign-in risk signals), Privileged Identity Management (PIM for just-in-time access to privileged roles), and Access Reviews. The commercial question for most organisations: P1 is included in E3, but P2 — which is included in E5 — represents the identity capabilities that security-focused organisations genuinely require for zero-trust implementation. The $3/user/month P2 add-on on top of E3 is available but is often overlooked as an alternative to the full E5 upgrade.
The Microsoft Security Licensing Guide is structured to address the two decisions that determine most organisations' security licensing cost: whether to upgrade from E3 to E5, and how to fill the specific capability gaps that remain with targeted add-ons rather than broad SKU upgrades. Both decisions are addressed with a clear analytical framework rather than a vendor recommendation.
Chapter 1 establishes the full map of Microsoft security products and their licensing relationships — from the M365 SKU inclusions through the E5 Security and E5 Compliance add-ons to the standalone product pricing. The chapter covers the Microsoft Security product taxonomy: Defender (endpoint and cloud security), Sentinel (SIEM and SOAR), Purview (compliance and data governance), Entra (identity and access), and the Defender XDR suite that bundles multiple Defender products. The E3 vs. E5 security comparison covers 22 specific capabilities across the five security domains, with each capability classified as included in E3, included in E5, available as an add-on, or available as standalone only. The chapter provides the analytical framework for calculating the E3-to-E5 upgrade economics for a specific organisation: the per-user cost of the E3-to-E5 upgrade compared to the per-user cost of building an equivalent capability stack through targeted E5 add-ons.
Key finding: For organisations that require all five major E5 security components (Defender for Endpoint P2, Entra ID P2, Defender for Identity, Defender for Office 365 P2, and E5 Compliance), the E5 upgrade is economically superior to standalone add-ons for user populations above 200 — saving an average of $8–$14/user/month versus buying equivalent capabilities separately.Chapter 2 covers the Microsoft Defender product family in depth, with the primary focus on the capability inclusion analysis that allows organisations to identify which Defender capabilities they are already entitled to through their M365 SKU. The chapter provides the Defender capability matrix — each Defender product, each major capability within that product, and the M365 SKU level at which it is included. The most commercially significant inclusions: Defender for Endpoint Plan 1 (basic EDR) is included in M365 E3, Defender for Office 365 Plan 1 (safe links and safe attachments) is included in M365 E3, and Defender for Endpoint Plan 2 (advanced EDR with threat analytics, automated investigation and response, and threat hunting) is included in M365 E5. The chapter covers the Defender XDR bundling — where purchasing Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps together as a bundle delivers significant cost reduction versus standalone pricing for each product.
Key finding: 48% of enterprise organisations purchasing standalone Microsoft Defender for Endpoint licences are already entitled to Defender for Endpoint Plan 1 through their M365 E3 licensing — representing $3–$5/user/month in avoidable spend that persists because IT procurement and security procurement operate without a unified licence position view.Chapter 3 provides the complete Microsoft Sentinel deployment licensing framework — from initial data ingestion modelling through commitment tier selection and the Microsoft 365 E5 data benefit that significantly reduces Sentinel costs for organisations with E5 licences. The chapter covers the data ingestion volume modelling methodology: how to estimate daily GB ingestion before deployment based on user population size, log source types, and retention requirements. The commitment tier selection framework covers the break-even analysis for each commitment tier level and the mechanism for adjusting commitment tiers as ingestion volumes change. The Microsoft Sentinel benefit for E5 customers is a commercial decision point most organisations miss: E5 customers can ingest data from specific Microsoft 365 data sources (Azure AD logs, M365 audit logs, Defender for Office 365 alerts, and others) without those data sources counting toward the billable Sentinel ingestion — reducing effective Sentinel costs by 20–40% for organisations with predominantly M365-sourced security data.
Key finding: Microsoft 365 E5 customers who activate the Sentinel M365 data benefit reduce their average Sentinel ingestion cost by 31% for standard enterprise deployments — making the combination of E5 and Sentinel materially cheaper than E3 plus Sentinel for organisations with security monitoring requirements that involve primarily M365 data sources.Chapter 4 covers the add-on strategy for organisations that need specific E5 security capabilities but are not ready for or do not require the full E5 upgrade across their user population. The primary add-ons covered: E5 Security add-on ($12/user/month on top of E3, providing Defender for Endpoint P2, Entra ID P2, Defender for Identity, and Defender for Cloud Apps), E5 Compliance add-on ($12/user/month on top of E3, providing advanced eDiscovery, communication compliance, insider risk, advanced audit, and advanced DLP), and Entra ID P2 standalone ($9/user/month, providing Identity Protection and PIM without the full E5 Security stack). The chapter provides the add-on selection decision tree — based on the specific security capabilities required, the proportion of users that require each capability, and the total cost comparison between the add-on approach and the full E5 upgrade at different user population sizes and add-on combinations.
Key finding: Organisations that require only two of the five major E5 security components should use targeted add-ons rather than upgrading to E5 — saving $6–$18/user/month versus the full E5 price for the non-required components. The E5 upgrade becomes economically superior only when an organisation genuinely needs four or more of the five major E5 security capability areas.Chapter 5 covers the EA negotiation strategy for Microsoft security commitments — both E3-to-E5 upgrade negotiations and standalone Defender/Sentinel/Purview/Entra add-on discussions. The chapter covers the specific timing dynamics for security licensing: the Microsoft fiscal year-end security incentives, the competitive security evaluation process that creates the strongest negotiating leverage (where a genuine evaluation of CrowdStrike, Palo Alto, or Splunk against Microsoft's security stack creates pricing pressure that mid-cycle security add-on purchases do not), and the enterprise deal structures that bundle security capabilities with EA renewal to achieve better overall economics. The Microsoft security discount authority structure is covered — security products have different pricing authority thresholds from M365 and Azure, with Sentinel in particular having CISO-level pricing approval paths that are not available for standard EA negotiations.
Key finding: Microsoft E3-to-E5 security upgrades negotiated as part of EA renewals (rather than mid-cycle amendments) achieve pricing 19–27% below the standard E5 upgrade price — and security upgrades that accompany a documented competitive security evaluation achieve an additional 8–15% beyond the renewal-cycle discount.Our advisory service provides the independent analysis that connects your security requirements to the optimal licensing structure — covering Defender capability inclusion audits, Sentinel deployment sizing, E3/E5 upgrade economics, and EA negotiation strategy for security commitments.
The full 22-dimension E3 vs. E5 comparison — covering every security, compliance, voice, and analytics feature differential, with the per-organisation financial model for making the upgrade decision correctly.
Download Free →The 8-chapter EA negotiation guide — including the security upgrade negotiation strategy, the competitive evaluation process that maximises pricing leverage, and the commitment structure for security add-ons.
Download Free →The Azure cost reduction playbook — covering Microsoft Sentinel consumption tier optimisation, Defender for Cloud pricing across Azure workloads, and the MACC framework for security product commitments within Azure spend.
Download Free →The frameworks in this guide work. They work better with 20 years of deal data behind them. If you have an upcoming EA renewal, true-up, or Microsoft audit — a 20-minute call with a senior advisor will tell you exactly where your exposure is and what you can negotiate.