The Microsoft Security Licensing Landscape in 2026
Microsoft has built one of the most commercially aggressive security licensing strategies in enterprise technology. The company offers dozens of security capabilities — from endpoint detection to cloud posture management — spread across multiple SKUs, add-ons, and consumption-based services. Understanding how these components map to your organisation's requirements, and what they actually cost at negotiated enterprise rates, is the foundation of any rational Microsoft security investment.
The core structure, documented in full in the Microsoft licensing knowledge hub, runs four M365 tiers: E1 (basic productivity), E3 (full productivity plus standard security), E5 (advanced security and compliance add-ons), and now E7, the new top-tier Frontier Suite released in March 2026 at $99 per user per month. Microsoft field teams are actively moving E5 customers toward E7 at every renewal conversation. CIOs who do not understand what E7 includes, and what it excludes, are negotiating blind.
This guide covers every significant Microsoft security licensing component, how they are priced, where the costs are hidden, and what an independent engagement with our Microsoft EA advisory specialists typically finds when organisations have been managing Microsoft security licensing without independent oversight.
The M365 SKU Stack: E1 Through E7
Microsoft 365's licensing tiers determine which security capabilities are included by default and which require additional add-on spend. The four tiers carry very different security postures.
Microsoft 365 E1
E1 is the baseline cloud productivity SKU. Security features are minimal: Exchange Online Protection for email, basic Azure AD (Entra ID) Free for identity, and standard Intune device management. E1 includes no advanced threat protection, no Defender for Endpoint, and no Data Loss Prevention. Organisations relying on E1 for security need significant supplementary investment or must accept material security risk.
Microsoft 365 E3
E3 at approximately $36 per user per month delivers full Office 365, Windows Enterprise, Enterprise Mobility and Security E3, Entra ID P1 (conditional access, MFA), Intune device management, and basic Defender for Business-level endpoint protection for qualifying SMB configurations. E3 includes Microsoft Purview Information Protection (DLP and sensitivity labels at the basic tier) and standard eDiscovery. This is the correct baseline for most enterprise users who do not require advanced threat hunting, SIEM integration, or regulatory-grade compliance tooling.
Microsoft 365 E5
E5 at approximately $57 per user per month adds the Microsoft Defender Suite (formerly E5 Security) and Microsoft Purview Suite (formerly E5 Compliance) on top of the E3 productivity stack. The security uplift includes Defender for Endpoint P2 (advanced EDR with threat hunting), Defender for Office 365 P2 (anti-phishing, safe attachments, attack simulation), Defender for Identity (on-premises AD threat detection), Defender for Cloud Apps (CASB), and Entra ID P2 (Privileged Identity Management, Identity Protection, Access Reviews).
The compliance uplift adds Advanced eDiscovery, Insider Risk Management, Communication Compliance, Advanced Audit, and Customer Lockbox. Critically, E5 does not include Microsoft Sentinel, Defender for Cloud (server protection), Entra ID Governance, or Microsoft Copilot for Security. These are separate consumption or add-on costs on top of E5.
Microsoft 365 E7 — The New Top SKU
E7, announced in March 2026 and available for purchase from 1 May 2026, is the new top-tier M365 SKU at $99 per user per month. E7 bundles Microsoft 365 E5, Microsoft 365 Copilot (previously $30 per user per month as a standalone add-on), Agent 365, and Microsoft Entra Suite into a single subscription. The Entra Suite component adds Entra Internet Access, Entra Private Access, Entra ID Governance, and Entra Verified ID — capabilities that were previously sold as separate add-ons at $7 to $12 per user per month each.
E7 also includes advanced agentic AI governance through Agent 365, providing a unified control plane for AI agents that IT and security teams use to observe, govern, and secure AI agents across the organisation. Microsoft positions E7 as the natural progression for E5 customers who are already paying for Copilot and other add-ons separately. For organisations with Copilot, Entra Suite, and advanced security deployed, E7 consolidation can be cost-neutral or marginally positive — but the analysis requires independent modelling, not Microsoft's own calculator.
E5 Security Components in Detail
The Microsoft Defender Suite (E5 Security add-on) includes six core components. Understanding each one's capability scope and licensing boundaries prevents paying for capabilities you are not deploying and identifies gaps that require supplementary investment.
Defender for Endpoint Plan 2
MDE P2 provides enterprise endpoint detection and response, advanced threat hunting, 180-day data retention, live response, threat and vulnerability management, and automated investigation and remediation. MDE P2 is assigned per device but licensed per user in the E5 SKU. Key limitation: MDE P2's detection accuracy, particularly for novel threats and living-off-the-land techniques, consistently ranks below CrowdStrike Falcon and SentinelOne Singularity in independent MITRE ATT&CK evaluation cycles. For high-risk endpoints and critical infrastructure, supplementary or alternative EDR investment is a legitimate architectural consideration.
Defender for Office 365 Plan 2
MDO P2 provides anti-phishing, Safe Attachments, Safe Links, attack simulation training, automated investigation and response for email, and campaign views for coordinated threat tracking. MDO P2 integrates natively into Exchange Online mail flow, providing zero-latency inspection without the MX record re-routing required by third-party email security solutions. This native integration is a genuine competitive advantage. MDO P1 features are now included in M365 E3 plans as of early 2026, meaning E3 customers have a meaningful baseline email security uplift without requiring E5.
Defender for Identity
MDI monitors on-premises Active Directory for identity-based attacks — credential harvesting, pass-the-hash, lateral movement, and privilege escalation. MDI sensors deploy on domain controllers and ADFS servers. For organisations with substantial on-premises Active Directory infrastructure, MDI provides detection coverage that cloud-native identity solutions cannot replicate. As organisations migrate identity to Entra ID cloud-only, MDI's value diminishes proportionally.
Defender for Cloud Apps
MDCA is Microsoft's Cloud Access Security Broker, providing SaaS usage visibility, Shadow IT discovery, data governance policy enforcement, and session control for conditional access applications. Within the Microsoft 365 ecosystem, MDCA provides deeper integration and richer telemetry than third-party CASB solutions. For multi-cloud SaaS environments with significant non-Microsoft application footprints, third-party CASB solutions (Netskope, Zscaler) may provide better cross-platform coverage.
Entra ID Plan 2
Entra ID P2 adds Privileged Identity Management (just-in-time admin access, access reviews for privileged roles), Identity Protection (risk-based conditional access, user and sign-in risk detection), and Entra ID Access Reviews. For Microsoft-heavy environments, Entra ID P2 is arguably the highest-value security component in the E5 bundle, given how critical identity is as an attack surface and how deep Microsoft's telemetry on identity signals is across the M365 ecosystem.
Microsoft Purview Suite (E5 Compliance)
The compliance component adds Advanced eDiscovery with custodian-based collection and review workflows, Insider Risk Management with adaptive protection, Communication Compliance for regulatory monitoring, Advanced Audit with 180-day log retention and 10-year audit log add-on capability, and Customer Lockbox. These capabilities are primarily relevant for financial services, legal, healthcare, and regulated industry organisations. General enterprise users without compliance investigation workflows rarely derive value from the full Purview Suite and are paying a $12 per user per month compliance premium that has zero utilisation ROI for their user population.
What E5 Does Not Include
The single most dangerous assumption in Microsoft security licensing is that E5 provides a complete enterprise security stack. It does not. Four material capabilities sit outside E5 and require separate consumption or add-on spend.
Microsoft Sentinel
Sentinel is Microsoft's cloud-native SIEM and SOAR platform. It is priced entirely on data ingestion consumption — there is no per-user fee. Pay-as-you-go pricing runs $2.46 per GB per day for the Analytics tier. Commitment tiers starting at 50 GB per day (promotional pricing through June 2026) and scaling to 50,000 GB per day offer savings of up to 52 percent over pay-as-you-go. E5 customers receive a 5 MB per user per day Microsoft 365 data ingestion grant, which covers a portion of M365 telemetry but does not include Windows Security Events, Syslog, CEF, or non-Microsoft data sources — which are the most valuable SIEM data sources for threat detection.
Enterprise Sentinel deployments processing 200 GB per day at commitment tier pricing generate $102,000 per year in data ingestion costs before SOAR automation, extended retention, and data export fees. Organisations that accept Microsoft's Sentinel cost projections without independent modelling routinely exceed their initial budgets by 30 to 60 percent.
Defender for Cloud
Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP) for Azure, AWS, and Google Cloud resources. The Foundational CSPM tier is free, but Defender for Servers P1 costs $5 per server per month and Defender for Servers P2 costs $15 per server per month. Additional plans exist for databases, storage, containers, App Service, and Key Vault. For an organisation with 500 production servers, Defender for Servers P2 adds $90,000 per year before any database or container protection costs.
Entra ID Governance
Entra ID Governance adds lifecycle management workflows, entitlement management for access packages, access reviews at scale, and Privileged Access Workstation integration. It runs at $7 per user per month as a standalone add-on or is included in the Entra Suite (part of E7). Organisations managing complex access governance for regulated applications should evaluate whether E7 consolidation delivers better value than buying Entra ID Governance piecemeal alongside their existing E5 investment.
Microsoft Copilot for Security
Copilot for Security — Microsoft's AI-powered security analyst assistant — operates on a consumption model priced per Security Compute Unit (SCU). Standard pricing runs approximately $4 per SCU per hour, with dedicated capacity for production SOC deployments available through Azure. Copilot for Security is included in Microsoft 365 E7 for qualifying usage tiers. E5 customers accessing Copilot for Security pay consumption costs on top of their E5 subscription, which frequently surprises organisations that assumed AI security capabilities were included in their existing licensing.
The E5 Add-On Strategy vs Full E5
Many enterprise organisations do not need E5 capabilities for every user. Microsoft's licensing model allows E3 customers to acquire the Defender Suite and Purview Suite as standalone add-ons at $12 per user per month each, providing granular control over which users receive advanced security and compliance capabilities.
For a 10,000-user organisation where 3,000 users are in IT, finance, and executive roles requiring advanced security, and the remaining 7,000 are standard knowledge workers, licensing E5 for all 10,000 users costs $570,000 per month versus an E3-plus-selective-E5-add-on model at $360,000 plus $36,000 (add-on for 3,000 users) = $396,000 per month — saving $174,000 per month or $2.09 million per year. The analysis is straightforward when executed independently; Microsoft's own commercial teams are not incentivised to present it.
Defender XDR and the Unified Security Portal
Microsoft Defender XDR (Extended Detection and Response) is the unified security management portal that aggregates signals from Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Entra ID Protection into a single investigation and response interface. XDR does not carry separate licensing — it is the management layer for E5 Security component entitlements. However, organisations must understand that XDR's effectiveness is proportional to how many Defender components are deployed. Partial Defender deployments produce incomplete XDR visibility.
Defender Threat Intelligence (MDTI), previously available as a standalone premium feature, will be merged into Defender and Sentinel licenses after August 1, 2026. Organisations currently purchasing MDTI as a standalone service should factor this change into their renewal strategy — the capability will be included in qualifying E5 and Sentinel licenses without additional cost.
Microsoft EA Discounting for Security Licensing in 2026
Security add-ons and consumption services are subject to the same negotiation dynamics as core M365 licensing. Current EA discounts across M365 run 10 to 20 percent off Microsoft's list price — down from the historical 15 to 25 percent range as Microsoft's strategic leverage has grown with cloud subscription dependency. NCE (New Commerce Experience) monthly commit carries no discount, while NCE annual commit can achieve up to 5 percent off list. Three-year commit provides improved discounting but at the cost of flexibility if requirements change.
The most effective lever for security licensing negotiation is Microsoft's Q4 calendar. Microsoft's fiscal year ends June 30, making April through June the window of maximum field rep incentive to close and renew. Organisations with EA renewals in this window have demonstrably stronger negotiating positions than those renewing in Q1 or Q2. Combining the Q4 window with a credible multi-vendor security evaluation (showing that CrowdStrike, Sentinel alternatives, or E3 with selective add-ons are being seriously evaluated) creates the conditions for Microsoft's best commercial terms.
Sentinel commitment tiers, Defender for Cloud plans, and security add-on quantities should all be negotiated as line items within the broader EA, not procured separately. Bundled negotiation consistently achieves 15 to 25 percent better pricing than standalone security purchasing.
Common Security Licensing Mistakes
Licensing all users for E5 when role-based targeting reduces cost by 30 to 50 percent. Not every employee needs advanced threat hunting and eDiscovery. Identify the roles that genuinely require E5 Security and E5 Compliance capabilities and apply add-ons selectively.
Accepting Microsoft's Sentinel cost projections. Microsoft's initial Sentinel sizing is typically based on free data sources. Production deployments incorporating Windows Security Events, Syslog, and non-Microsoft telemetry increase data ingestion volumes by three to eight times compared to initial estimates.
Assuming E5 is a complete security stack. Sentinel, Defender for Cloud, Entra ID Governance, and Copilot for Security are all additional costs above E5. The total cost of a fully deployed Microsoft security architecture regularly exceeds E5 pricing by 40 to 80 percent.
Upgrading to E7 without independent modelling. E7 consolidation makes economic sense for organisations already paying for Copilot ($30 per user per month) and Entra Suite add-ons alongside E5. It does not make sense for organisations that have not deployed Copilot and do not have Entra Suite requirements. Microsoft field teams present the consolidation case regardless of whether it makes economic sense for the buyer.
Missing the negotiation window. Microsoft EA security discussions happen at renewal, but the optimal negotiation window is Q4 (April through June). Organisations that engage their EA renewal conversation outside this window leave discount potential on the table.
Not creating competitive pressure. Microsoft's licensing pricing reflects the buyer's perceived switching cost. Demonstrating genuine evaluation of best-of-breed alternatives — CrowdStrike, Splunk, Proofpoint, Okta — creates the commercial pressure that moves Microsoft to its best terms.
Eight Questions to Ask Before Your Next Microsoft Security Licensing Decision
1. What percentage of our users genuinely require E5 Security capabilities? Audit actual usage of Defender for Endpoint P2, advanced threat hunting, and Entra ID P2 across your user population. Role-based licensing requires honest usage data.
2. What is our actual Sentinel data ingestion volume and what does that cost at commitment tier? Model Sentinel costs using production log volumes from your current SIEM or network monitoring tools. Add 30 to 50 percent buffer for growth and non-Microsoft data source connection.
3. Are we already paying for Copilot and Entra Suite add-ons alongside E5? If yes, model the E7 consolidation economics independently before Microsoft does it for you.
4. When does our EA renew relative to Microsoft's Q4 window? If your renewal falls between April and June, you have leverage. If it falls outside this window, consider whether timing adjustments create value.
5. Are we getting independent competitive benchmarking? Microsoft's security TCO models compare their negotiated pricing against competitors' list pricing. Valid comparisons require negotiated enterprise rates for every vendor being evaluated.
6. What is the true cost of our full security stack? Add E5 or add-on cost plus Sentinel consumption plus Defender for Cloud plus Entra ID Governance plus Copilot for Security to get the real number. Most organisations underestimate total Microsoft security spend by 30 to 50 percent.
7. Does our SOC have the capacity to operationalise the security tools we are licensing? Licensing E5 Security for all users is wasted spend if your SOC team is not using threat hunting, SOAR automation, or automated investigation workflows. Shelfware in security licensing is a common and expensive outcome.
8. Have we engaged independent advisory before the renewal? Microsoft EA negotiation strategy, security licensing optimisation, and independent cost benchmarking require advisor expertise that is not available from Microsoft's own teams or from resellers whose compensation is tied to Microsoft revenue.