18 pages. Microsoft's security portfolio — Defender, Sentinel, Purview, and Entra — has expanded dramatically since 2020, and with it the complexity of the licensing model. Many enterprises are paying separately for security capabilities already included in their M365 E3 or E5 licences. Others are on E5 primarily for security but haven't activated half the capabilities they're paying for. This guide resolves both problems.
Essential reading for CISOs, IT security leads, and procurement teams managing Microsoft security licences. No spam. Unsubscribe anytime.
Enter your details for immediate access. Your information is never shared or sold.
Joined 2,200+ security, IT, and procurement professionals who have downloaded this guide
Microsoft's security licensing strategy is built around the E5 upgrade path. Understanding what each security product requires — and what it doesn't — allows you to construct the minimum licence footprint that delivers your required security posture.
Microsoft 365 E3 includes Defender for Office 365 Plan 1, Entra ID P1, Intune, and basic Information Protection. E5 adds Defender for Office 365 Plan 2, Defender for Identity, Microsoft Sentinel integration, Entra ID P2, and full Purview Information Protection. The complete capability matrix — what you get at each tier, what requires add-ons regardless of tier, and the licensing configurations most commonly missing from E3 deployments.
The Microsoft Defender brand covers six distinct products: Defender for Office 365, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Defender for Cloud, and Defender for IoT. The licensing requirements vary significantly by product. Defender for Endpoint Plan 2 is included in E5; Defender for Cloud requires an Azure subscription and is priced per server. The full product-by-product licensing requirements and the bundles that reduce add-on costs.
Sentinel is Microsoft's cloud-native SIEM, priced on data ingestion (GB/day) rather than per user. The free data sources (first-party Microsoft security signals are ingested at no charge), the paid data connectors, the commitment tiers that reduce per-GB pricing by up to 65%, and the capacity reservations versus pay-as-you-go trade-offs. The cost modelling framework for enterprise Sentinel deployments of 50GB/day to 2TB/day.
Microsoft Purview (formerly Microsoft Compliance) covers Information Protection, eDiscovery, Audit, Insider Risk Management, and Communication Compliance. The E3 tier includes basic capabilities; E5 Compliance (available as an add-on to E3) or E5 delivers the advanced features. The capability-by-capability licensing map, the E5 Compliance add-on economics versus full E5 upgrade, and the specific Purview features that require standalone add-ons even with E5.
Microsoft Entra (formerly Azure AD) has four licence tiers: Free, P1 (included in E3), P2 (included in E5), and the new Entra Suite (2024) which bundles Identity Protection, Verified ID, Internet Access, and Private Access. The P1 vs. P2 capability delta, the specific P2 features (Privileged Identity Management, Conditional Access with Identity Protection) that drive the upgrade justification, and the Entra Suite economics versus individual add-ons.
Microsoft's preferred outcome is E5 for all users. The alternative — E3 with targeted security add-ons (E5 Security, E5 Compliance, specific Defender licences) — is almost always cheaper for organisations that need specific security capabilities rather than the full E5 suite. The cost comparison at different user scales, the add-on combinations that replicate E5 security functionality at 60–70% of E5 cost, and how to negotiate add-on pricing within the EA framework.
Each pattern is documented in the guide with the correct licensing alternative, the cost comparison, and the procurement approach to restructure within your existing EA.
Microsoft's standard EA renewal proposal positions E5 for the entire workforce. In most enterprises, 20–35% of users are information workers who genuinely benefit from E5 security capabilities. The remaining 65–80% can be effectively secured with E3 plus targeted security add-ons at materially lower cost. The failure to challenge the full-E5 position — typically because security teams and procurement aren't aligned on the capability-by-capability requirement — is the largest single source of Microsoft security overspend.
Enterprises that purchased CASB tools, DLP solutions, email security gateways, and identity threat detection products before 2020 frequently continue to renew these contracts after migrating to E3 or E5 — unaware that their M365 licence now includes equivalent capabilities. The tool-by-tool capability overlap analysis between common third-party security products and the Microsoft Defender and Purview suite is covered in detail in this guide.
Organisations that deploy Sentinel on pay-as-you-go data ingestion pricing are typically paying 40–65% more than they would under Sentinel commitment tier pricing. At 100GB/day ingestion, the difference between pay-as-you-go ($5/GB) and the 100GB/day commitment tier ($3.10/GB equivalent) represents $70K annually. Most organisations can predict their ingestion volumes within 20% — making commitment tier pricing structurally superior for any established Sentinel deployment.
The Microsoft Security Licensing Guide is written for CISOs, IT security leaders, and procurement teams who need to make cost-effective decisions about Microsoft's security portfolio — without being guided by Microsoft's account team toward the highest-cost configuration.
This 2026 edition covers the Microsoft Entra Suite launched in 2024, the updated Defender for Cloud pricing following the 2025 model change, the Purview Data Security Posture Management capabilities added in E5 Compliance, and the latest Sentinel commitment tier pricing effective from January 2026.
Related resources: E3 vs. E5 Cost Comparison, M365 License Optimization service, EA Negotiation Playbook, and EA Negotiation service.
"We were paying E5 pricing for 8,000 users. After a capability-by-capability audit using this guide's framework, we identified 5,200 users who needed E3 Security add-on rather than full E5 — and 1,100 who only needed E3. The restructure saved $2.3M annually without reducing our security posture by a single capability."
CISO, Global Financial Services CompanyMost enterprises are. The question is how much. A 30-minute consultation will identify whether your current E3/E5 mix, Sentinel pricing model, and third-party security tool overlap create material savings opportunities in your next EA renewal.