How Sentinel Pricing Works: The Fundamentals

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform deployed in Azure Log Analytics workspaces. Unlike Microsoft 365 products that carry a fixed per-user monthly cost, Sentinel's primary billing metric is data ingestion — the volume of log and telemetry data ingested into the Analytics tier of the workspace, measured in gigabytes per day.

This consumption model means Sentinel costs are directly proportional to how many data sources you connect and the volume those sources generate. A Sentinel deployment with five data sources ingesting 20 GB per day has fundamentally different economics from a production SOC deployment with thirty data sources ingesting 300 GB per day. Both are Microsoft Sentinel — the pricing difference between them is enormous.

Understanding Sentinel pricing requires mastering four distinct dimensions: the Analytics tier ingestion model (pay-as-you-go versus commitment tiers), the free data source grant for M365 E5 customers, retention pricing beyond the 90-day default, and the ancillary costs that sit outside the ingestion model (SOAR playbook execution, search job queries, data export).

Analytics Tier: Pay-As-You-Go vs Commitment Tiers

The Analytics tier is where real-time detection rules, workbooks, SOAR automation, and active investigations operate. It is the primary chargeable tier and the one that determines the majority of Sentinel costs for most organisations.

Pay-As-You-Go Pricing

Pay-as-you-go (PAYG) is the default pricing model when no commitment tier has been selected. PAYG pricing for the Analytics tier runs $2.46 per GB per day ingested. There is no minimum commitment and no penalty for variable volumes. PAYG is appropriate during initial Sentinel deployment and piloting, when data volumes are not yet stable enough to warrant a commitment tier, and for low-volume deployments below the 50 GB per day commitment tier threshold. For any production deployment exceeding 50 GB per day on a consistent basis, PAYG represents the most expensive possible pricing structure.

Commitment Tiers

Commitment tiers provide discounted per-GB pricing in exchange for a daily minimum ingestion commitment. Savings range from approximately 25 percent at the lowest tier to 52 percent at the highest tiers versus pay-as-you-go. Commitment tiers can be upgraded to a higher tier at any time without penalty. Downgrading requires a 31-day wait period after the downgrade request.

The available commitment tier structure for the Analytics tier as of 2026 begins at 50 GB per day (available with promotional pricing through June 2026 for customers who enrolled in the public preview), then steps to 100 GB, 200 GB, 300 GB, 400 GB, 500 GB, 1,000 GB, 2,000 GB, 5,000 GB, 10,000 GB, 25,000 GB, and 50,000 GB per day at the maximum tier. Each step up the commitment ladder carries a lower per-GB rate, with the savings accelerating at higher volume tiers.

The promotional 50 GB commitment tier introduced in October 2025 is particularly significant for mid-market organisations and enterprise deployments in early maturity. Customers who enrolled in the 50 GB tier promotional preview and locked in the promotional rate retain that pricing until March 2027 — providing both cost savings and pricing certainty through the next major renewal cycle for many organisations.

Overage Charges

If an organisation's daily ingestion volume exceeds the committed tier on a given day, the excess volume is charged at the next-tier per-GB rate — not at pay-as-you-go pricing. This means commitment tiers include a built-in buffer for volume spikes without reverting to the most expensive PAYG rate. Organisations that set commitment tiers conservatively at 80 to 90 percent of their average daily ingestion benefit from both the committed rate and the overage protection tier for routine volume variation.

Free Data Sources: What Doesn't Cost You Anything

Sentinel includes several data source categories that carry no Analytics tier ingestion charge. Maximising the use of free sources before adding chargeable ones is a fundamental cost management discipline for any Sentinel deployment.

The permanently free data sources include: Microsoft Defender XDR incidents and alerts (including incidents generated by Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps), Microsoft Entra ID audit logs and sign-in logs at standard verbosity settings, Azure Activity logs, Microsoft Purview data governance events, Microsoft Defender for Cloud alerts, and Microsoft 365 Defender raw event tables when ingested through the M365 Defender connector.

The E5 and E7 Data Grant

Customers on Microsoft 365 E5, A5, F5, or G5 plans — or Microsoft 365 E7, the new top-tier Frontier Suite at $99 per user per month — receive a 5 MB per user per day Microsoft 365 data grant for Sentinel Analytics tier ingestion. This grant covers qualifying M365 telemetry ingested through the Microsoft 365 Defender connector and Compliance connector, including Office audit events, Teams activity, SharePoint audit logs, and Exchange audit logs.

For a 5,000-user E5 deployment, the daily grant equals 25 GB per day of free M365 data ingestion. At pay-as-you-go rates ($2.46 per GB per day), this represents $22,447 per year in avoided cost — and at commitment tier rates, the effective avoidance value is higher since the grant reduces the chargeable volume that determines tier sizing. E5 and E7 customers who have not activated their data grant and connected qualifying Microsoft data sources are leaving significant cost avoidance unrealised.

Retention Pricing: Beyond the 90-Day Default

The Analytics tier includes 90 days of interactive retention at no additional cost. Data remains fully queryable using KQL for 90 days from ingestion. After 90 days, data transitions automatically to the Archive tier unless a longer Analytics retention period has been configured.

Extended Analytics Retention

Analytics retention can be extended up to two years beyond the 90-day default. Extended Analytics retention pricing runs approximately $0.12 per GB per month for data stored in the active Analytics tier beyond the 90-day default. For a high-volume Sentinel deployment ingesting 200 GB per day, extending Analytics retention from 90 to 180 days adds approximately 18,000 GB (90 days × 200 GB/day) of extended retention data at $0.12 per GB per month — roughly $2,160 per month or $25,920 per year in additional retention costs. For most organisations, extending Analytics retention beyond 90 days is not operationally justified by investigation workflows, and compliance-driven retention requirements are better served by the Archive tier.

Archive Tier Retention

Data that ages past the Analytics retention period moves to the Archive tier at approximately $0.02 per GB per month. Archive provides up to seven years of total retention from ingestion date. Data in Archive is not interactively queryable but is searchable via Search Jobs (billed separately at a low cost per GB searched) and can be restored to the Analytics tier for full KQL access for a defined period. Organisations with two-year or seven-year compliance retention requirements for specific log types should configure Archive tier retention as the cost-effective solution rather than extended Analytics retention.

Ancillary Costs: What Else Generates Sentinel Charges

Beyond Analytics tier ingestion and retention, several Sentinel activities generate additional billing that organisations frequently omit from initial cost models.

Logic Apps (SOAR Playbook Execution)

Sentinel's SOAR capabilities run through Azure Logic Apps, which are billed separately from Sentinel ingestion. Logic Apps pricing uses a consumption-based model: standard actions are billed at approximately $0.000025 per action, with connector calls charged based on connector type (standard, enterprise, or integration account connectors carry different rates). A high-volume SOC running dozens of automated playbooks executing thousands of actions per day can generate $200 to $2,000 per month in Logic Apps charges above the Sentinel ingestion cost.

Search Jobs and Restore Jobs

Search Jobs run queries against Archive tier data, scanning through archived logs to retrieve matching events. Search Jobs are billed per GB scanned. Restore Jobs extract data from Archive back to an Analytics-tier restore table for full interactive query access; Restore is billed per GB per day for the duration of the restore table's active period. These costs are typically low but should be included in compliance investigation cost modelling for scenarios where Archive data retrieval is a regular workflow.

Data Export

Sentinel's Data Export feature streams log data from Log Analytics workspaces to Azure Storage or Azure Event Hub for long-term cold storage or external processing. Data Export is billed per GB exported at Azure data egress rates. Organisations using Data Export as an additional archive mechanism alongside Archive tier retention should factor egress costs into their total Sentinel spend calculation.

Total Cost Modelling: A Worked Example

A 3,000-user organisation on M365 E5 deploying Sentinel with a production data source set including Windows Security Events, Syslog from 50 Linux hosts, MDO P2 email alerts, Azure AD sign-in logs, and Defender for Endpoint telemetry, ingesting approximately 80 GB per day after applying the E5 free data grant:

E5 data grant: 3,000 users × 5 MB per day = 15 GB per day free. Chargeable ingestion = 80 GB per day less 15 GB per day = 65 GB per day chargeable volume. At the 100 GB per day commitment tier (appropriate given future growth), the effective per-GB rate is approximately $1.60 per GB per day. Daily charge: $104. Annual Analytics ingestion cost: approximately $37,960.

Retention beyond 90 days: Compliance requirement for 12-month retention for Exchange audit logs and Azure AD sign-ins. These tables generate approximately 5 GB per day. Archive tier cost for months 4 through 12 (270 days × 5 GB/day = 1,350 GB in archive): 1,350 × $0.02 = $27 per month, approximately $324 per year.

Logic Apps (SOAR playbooks): Twenty active playbooks running automated triage, enrichment, and notification workflows: approximately $300 per month = $3,600 per year.

Total annual Sentinel cost: approximately $41,884 — or roughly $13.96 per user per month for this deployment profile. This is representative of a mid-complexity Sentinel deployment and substantially higher than an estimate based on E5 list pricing alone, which makes no reference to Sentinel costs whatsoever.

"Every Sentinel cost model we have reviewed that was prepared by Microsoft's own commercial team understated production costs. The gap is always in the chargeable data sources — the ones that generate the highest detection value but also the highest ingestion volume."

Five Steps to Accurate Sentinel Budget Planning

1. Inventory every planned data source and estimate its daily volume before deployment. Measure current log volumes from your existing SIEM or network monitoring infrastructure as the baseline. Assume actual Sentinel volumes will be 20 to 30 percent higher than current SIEM volumes when additional Sentinel connectors are added.

2. Apply the E5 free data grant to reduce chargeable volume. Calculate the grant (user count × 5 MB per day), identify which data sources qualify for grant coverage, and subtract the grant volume from your chargeable ingestion estimate.

3. Select the appropriate commitment tier at 80 to 90 percent of expected chargeable daily volume. Do not select the exact expected volume — build in a 10 to 20 percent buffer for volume variation and growth without triggering a tier upgrade in the first quarter.

4. Model retention costs separately for each log type. Identify which log types have compliance retention requirements beyond 90 days. Calculate Archive tier costs for those tables. Do not extend Analytics retention for compliance purposes — Archive tier is significantly cheaper.

5. Add SOAR, search job, and export estimates. Survey your planned playbook automation, compliance investigation search frequency, and any data export configurations. Even rough estimates prevent budget surprises in the first 12 months of production operation.
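The worked example and the five planning steps above, expressed as a small cost model. This is an added illustration, not the author's calculator; the function and class names are hypothetical and every rate is the article's approximate figure. `break_even_gb` additionally assumes the committed daily minimum is billed in full.

```python
"""Sentinel annual cost model for the worked example and five planning steps.
Rates are the article's approximate figures; all names are illustrative."""
from dataclasses import dataclass

PAYG_RATE = 2.46         # USD per GB, article's pay-as-you-go figure
GRANT_MB_PER_USER = 5    # E5/E7 data grant, MB per user per day
ARCHIVE_RATE = 0.02      # USD per GB per month, article's approximate figure


@dataclass
class ArchivedTable:
    name: str
    gb_per_day: float
    archive_days: int    # days held in Archive after the 90-day default

    def monthly_cost(self) -> float:
        # Steady state: archive_days of this table's data sit in Archive.
        return self.gb_per_day * self.archive_days * ARCHIVE_RATE


def chargeable_gb(ingest_gb_per_day: float, users: int) -> float:
    """Step 2: subtract the per-user grant (article uses 1 GB = 1,000 MB)."""
    grant_gb = users * GRANT_MB_PER_USER / 1000
    return max(ingest_gb_per_day - grant_gb, 0.0)


def annual_cost(ingest_gb_per_day, users, rate_per_gb, tables, soar_monthly):
    """Steps 2 to 5, priced the way the worked example prices them."""
    ingestion = chargeable_gb(ingest_gb_per_day, users) * rate_per_gb * 365
    retention = sum(t.monthly_cost() for t in tables) * 12
    soar = soar_monthly * 12
    return {"ingestion": ingestion, "retention": retention, "soar": soar,
            "total": ingestion + retention + soar}


def break_even_gb(tier_gb: float, tier_rate: float) -> float:
    """Step 3 check. Assumption: the committed daily minimum is billed in
    full, so a tier only beats PAYG above this chargeable volume."""
    return tier_gb * tier_rate / PAYG_RATE


if __name__ == "__main__":
    # Inputs taken from the article's 3,000-user worked example.
    tables = [ArchivedTable("Exchange audit + sign-in logs", 5, 270)]
    cost = annual_cost(80, 3000, 1.60, tables, soar_monthly=300)
    print({k: round(v) for k, v in cost.items()})
    print("100 GB tier break-even:", round(break_even_gb(100, 1.60), 1), "GB/day")
```

Swap in your own per-table volumes and contracted rates; the break-even figure is worth recomputing whenever chargeable volume sits close to a tier boundary.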

Fredrik Filipsson
Co-Founder, Redress Compliance

Fredrik Filipsson is a Co-Founder of Redress Compliance and a specialist in Microsoft Enterprise Agreement negotiation, EA True-Up strategy, and M365 licensing optimisation. He has led 200+ Microsoft EA engagements across EMEA and North America, working exclusively on the buyer side. Redress Compliance is Gartner recognised and has completed 500+ enterprise software licensing engagements.
