The Microsoft Security Portfolio Map
Microsoft's security portfolio spans five product families, each with multiple tiers, and multiple licensing entry points through M365 bundles, standalone SKUs, and Azure consumption pricing. Understanding how these products relate to each other — and to M365 E3 and E5 licensing — is the foundation of any rational security licensing decision.
The five Microsoft security product families are: Microsoft Defender (endpoint, identity, Office 365, cloud apps, cloud security posture management, and external attack surface management); Microsoft Sentinel (cloud-native SIEM and SOAR platform, consumption-priced by data ingestion); Microsoft Entra (identity and access management, including Entra ID formerly Azure AD, Entra Permissions Management, and Entra Verified ID); Microsoft Purview (information protection, compliance, and data governance); and Microsoft Intune (unified endpoint management for device and application management).
These product families intersect with M365 licensing at the bundle level: M365 E3 includes Entra ID P1, Intune (Plan 1), Defender for Office 365 Plan 1, and basic Purview capabilities. M365 E5 includes Entra ID P2, Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Defender for Cloud Apps (formerly MCAS), and advanced Purview capabilities. M365 E5 Security (an add-on to E3 at $12/user/month) provides the Defender and Entra P2 components of E5 without the productivity suite uplift.
E5 Security Bundle: Cost Analysis
The financial case for M365 E5 or E5 Security depends on which security products your organisation actually deploys and uses. The bundle provides substantial value when four or more security components are genuinely deployed at scale; it represents significant overpayment when organisations pay for E5 to access one or two specific capabilities that could be purchased more cost-effectively as standalone products.
| Security Product | E5 Security Bundle | Standalone List Price | Standalone Negotiated |
|---|---|---|---|
| Defender for Endpoint P2 | Included in E5 Security | $5.20/user/month | $4.40–$4.90/user/month |
| Defender for Office 365 P2 | Included in E5 Security | $5.00/user/month | $4.20–$4.60/user/month |
| Microsoft Entra ID P2 | Included in E5 Security | $6.00/user/month | $5.00–$5.50/user/month |
| Defender for Cloud Apps | Included in E5 Security | $3.50/user/month | $3.00–$3.20/user/month |
| Defender for Identity | Included in E5 Security | $5.50/user/month | $4.60–$5.00/user/month |
| E5 Security add-on total | $12.00/user/month | $25.20/user/month (sum of standalone) | $21.20–$23.20/user/month |
The E5 Security bundle delivers compelling value when all five components are deployed. For organisations deploying three or fewer components, standalone licensing is typically more cost-effective — even at list price, two standalone Defender products cost less than the E5 Security add-on. The procurement decision must be based on genuine deployment plans, not aspirational security architecture that may take 18–24 months to implement.
Microsoft Sentinel: The Hidden Cost Trap
Microsoft Sentinel is the Microsoft security product most prone to significant cost surprises in enterprise deployments. It is consumption-priced based on data ingestion volume — and the gap between estimated and actual ingestion volume at production scale is consistently larger than enterprise security teams anticipate.
Sentinel's pay-as-you-go ingestion rate is approximately $2.46 per GB per day. Commitment tiers provide progressive discounts: 100 GB/day saves 20%; 500 GB/day saves 30%; 1,000 GB/day saves 40%; 2,000+ GB/day saves 50%. For a typical mid-size enterprise ingesting 200 GB/day, the commitment tier discount reduces daily cost from approximately $492 to $394, a saving of $35,700 annually. The challenge is estimating ingestion volume accurately before committing to a tier.
Common sources of Sentinel ingestion underestimation include: all Windows Security Event logs from endpoints (typically 2–5 GB/endpoint/day in verbose configurations); network firewall and proxy logs (variable, often 10–50 GB/day for medium enterprises); cloud platform logs from Azure, AWS, and GCP (variable, scaling rapidly with cloud estate growth); and third-party security tool logs that Sentinel connectors ingest automatically. Enterprises that scope Sentinel solely based on M365 and Entra log volumes — which are partially subsidised in E5 licensing — routinely find that their actual production ingestion is 300–500% above the initial estimate.
Before committing to a Sentinel deployment, conduct a 30-day pilot with representative log sources and measure actual ingestion. Use this data to size the commitment tier and model the full Sentinel total cost of ownership — including ingestion, retention beyond 90 days (approximately $0.10/GB/month for extended retention), and playbook execution (Logic Apps pricing). Sentinel TCO frequently exceeds Splunk on-premises or cloud alternatives at equivalent log volumes once retention and playbook costs are included — a comparison that Microsoft's account teams do not volunteer.
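The sizing step described above can be modelled directly from pilot measurements. The following Python sketch is an added example, not Microsoft's billing logic or code from the original article: it uses the rate and tier discounts quoted above, and it assumes that a commitment tier bills its full capacity even when under-used and bills overage at the tier's discounted rate. The pilot volumes are constructed sample data.

```python
# Added example: size a Sentinel commitment tier from pilot ingestion data.
PAYG_RATE = 2.46  # USD per GB, pay-as-you-go figure quoted in the article
# Commitment tier (GB/day) -> discount off pay-as-you-go, as quoted in the article
TIERS = {100: 0.20, 500: 0.30, 1000: 0.40, 2000: 0.50}

# Constructed 30-day pilot: 215 GB on weekdays, 140 GB on weekends.
PILOT_GB = [140 if d % 7 in (5, 6) else 215 for d in range(30)]


def daily_cost(gb, tier=None):
    """Cost of one day's ingestion in USD; tier=None means pay-as-you-go.

    Assumption: a tier is billed at full capacity even when ingestion is
    lower, and ingestion above the tier is billed at the tier's rate.
    """
    if tier is None:
        return gb * PAYG_RATE
    rate = PAYG_RATE * (1 - TIERS[tier])
    return max(gb, tier) * rate


def size_tier(daily_gb, days_per_year=365):
    """Return (best_option, {option: annual_cost}) for measured volumes.

    Options are None (pay-as-you-go) or a commitment tier in GB/day.
    """
    scale = days_per_year / len(daily_gb)
    costs = {
        option: round(sum(daily_cost(gb, option) for gb in daily_gb) * scale, 2)
        for option in [None, *TIERS]
    }
    return min(costs, key=costs.get), costs


def stress_test(daily_gb, factor):
    """Re-size after scaling volumes, e.g. factor=4 for a 300% overshoot."""
    return size_tier([gb * factor for gb in daily_gb])


if __name__ == "__main__":
    for label, (best, costs) in [("pilot as measured", size_tier(PILOT_GB)),
                                 ("4x production overshoot", stress_test(PILOT_GB, 4))]:
        print(label, "-> best option:", best or "pay-as-you-go")
        for option, cost in costs.items():
            print(f"  {option or 'PAYG':>5}: ${cost:,.2f}/year")
```

Running the stress test before signing shows whether the tier chosen from the pilot is still the cheapest option if production ingestion lands well above the estimate.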
Defender Product Comparison: P1 vs P2 vs E5
Microsoft Defender for Endpoint is available in two plans that differ significantly in capability and price. The choice between them is a security architecture decision as much as a commercial one, but the commercial implications are substantial at enterprise scale.
Defender for Endpoint Plan 1 ($3/user/month) provides core endpoint protection: next-generation anti-malware, attack surface reduction rules, device control and application control, and managed security intelligence integration. It does not include EDR (endpoint detection and response), automated investigation, or threat and vulnerability management. For organisations with a mature third-party EDR solution (CrowdStrike Falcon, SentinelOne, etc.), Plan 1 may provide adequate Microsoft-native endpoint protection while the third-party EDR handles investigation and response.
Defender for Endpoint Plan 2 ($5.20/user/month) adds full EDR capability, automated investigation and response, threat and vulnerability management (TVM), and Microsoft Threat Experts managed threat hunting. For organisations consolidating to a Microsoft-native security stack, Plan 2 is the minimum viable configuration for a production security operations centre. The $2.20/user/month premium over Plan 1 represents $13,200/year per 500 users — a modest cost relative to the operational capability difference.
Entra ID Licensing: P1 vs P2 vs Free
Microsoft Entra ID (formerly Azure Active Directory) licensing follows a three-tier structure that is frequently misunderstood in enterprise procurement. Entra ID Free — included with any Microsoft cloud subscription — provides basic authentication and directory services adequate for simple environments. Entra ID Plan 1 ($6/user/month standalone; included in M365 E3) adds conditional access, hybrid identity management, and self-service password reset. Entra ID Plan 2 ($9/user/month standalone; included in M365 E5) adds Privileged Identity Management (PIM), Identity Protection with risk-based conditional access, and access reviews.
The commercial decision point is typically Entra ID P2 versus P1. PIM — the most frequently cited P2 justification — is now considered a standard security hygiene requirement by most enterprise security frameworks, including NIST and CIS. Organisations without PIM for privileged accounts face audit findings and cyber insurance implications that may dwarf the P2 licensing cost. However, the P2 requirement applies only to users with privileged accounts — typically 5–15% of the total user base — making a tiered Entra licensing strategy (P2 for privileged users, P1 for standard users) commercially rational for most enterprises.
Using Security Competitors as Negotiation Leverage
Microsoft's security portfolio competes directly with best-of-breed alternatives across every product category, and this competitive landscape creates meaningful negotiation leverage that many enterprise buyers underutilise. CrowdStrike Falcon competes with Defender for Endpoint; Palo Alto Cortex XSIAM competes with Defender XDR plus Sentinel; Okta competes with Entra ID; Splunk competes with Sentinel. Microsoft tracks competitive win rates closely and applies commercial flexibility to retain accounts at risk of competitive displacement.
Documented competitive evaluation — not just verbal mention of alternatives — is required to access Microsoft's competitive pricing flexibility. For Defender for Endpoint negotiations, a written CrowdStrike or SentinelOne evaluation scope document that Microsoft's account team can escalate to their competitive desk consistently unlocks 12–20% pricing flexibility not available in standard EA conversations. For Sentinel negotiations, a Splunk Cloud or Elastic SIEM evaluation provides equivalent leverage. The competitive evaluation does not need to conclude in favour of the alternative — the documented evaluation itself creates the commercial pressure that drives Microsoft pricing movement.
Security Licensing Negotiation Benchmarks
Based on our enterprise security licensing engagement portfolio, the following benchmarks represent achievable outcomes for enterprises negotiating with market data and competitive pressure.
| Product | List Price | Standard EA Discount | Achievable with Competitive Leverage |
|---|---|---|---|
| M365 E5 Security add-on | $12/user/month | 5–8% | 12–20% off list |
| Defender for Endpoint P2 (standalone) | $5.20/user/month | 8–12% | 15–22% off list |
| Microsoft Sentinel (ingestion, 500GB+/day tier) | $1.72/GB/day | N/A (consumption) | Additional 10–15% with committed term |
| Entra ID P2 (standalone) | $9/user/month | 8–12% | 14–20% off list |
| Defender for Cloud Apps (standalone) | $3.50/user/month | 8–10% | 12–18% off list |