Microsoft Defender has evolved from a single endpoint protection product into a sprawling family of security services covering endpoints, cloud workloads, identity, email, applications, and external attack surface management. The licensing model has grown with it — and it now represents one of the most confusing buying decisions in enterprise security procurement. This guide demystifies the Defender licensing family, explains the E5 Security bundle economics, and provides the commercial framework for making defensible decisions about Microsoft security investment.
The Defender Product Family: What Exists and How It's Licensed
The Microsoft Defender family consists of eight primary products, each with distinct licensing mechanisms. Understanding the full map is the first step in avoiding over-licensing or gap exposure.
| Product | Coverage | Licensing Mechanism | Included In |
|---|---|---|---|
| Defender for Endpoint P1 | Device endpoint protection | Per user/device | M365 E3, Business Premium |
| Defender for Endpoint P2 | EDR, threat hunting, vulnerability mgmt | Per user/device | M365 E5, E5 Security |
| Defender for Office 365 P1 | Email and collaboration security | Per user | M365 Business Premium, certain E3 add-ons |
| Defender for Office 365 P2 | Advanced email investigation, AIR | Per user | M365 E5, E5 Security |
| Defender for Identity | Active Directory / Entra ID threat detection | Per user | M365 E5, E5 Security |
| Defender for Cloud Apps | CASB, shadow IT, app governance | Per user | M365 E5, E5 Security |
| Defender for Cloud | Azure / multi-cloud workload protection | Per resource (Azure-billed) | Azure subscription (add-on) |
| Defender XDR | Unified XDR platform across above products | Bundled with E5/E5 Security | M365 E5, E5 Security |
E5 Security vs Standalone Licensing: The Core Commercial Decision
Microsoft E5 Security is a $12/user/month add-on to Microsoft 365 E3 that bundles Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, and Microsoft Sentinel consumption credits (500MB/user/day). This bundle represents Microsoft's most commercially effective security upsell motion.
The theoretical value proposition is compelling: if you purchased Defender for Endpoint P2 ($5.20/user/month), Defender for Office 365 P2 ($2/user/month), Defender for Identity ($3/user/month), and Defender for Cloud Apps ($3.50/user/month) as standalone licences, the combined list price would be approximately $13.70/user/month — more than the E5 Security bundle. Microsoft uses this "savings" framing to justify the bundle purchase.
Insider Perspective: The E5 Security bundle economics only hold if you activate and derive value from all included components. In our practice, we consistently find that enterprises purchasing E5 Security activate Defender for Endpoint P2 and Defender for Office 365 P2 — the two products they specifically needed — but leave Defender for Identity and Defender for Cloud Apps largely unused. For these organisations, the standalone cost for the two activated products ($7.20/user/month) is 40% less than the E5 Security bundle price. Leading advisory firms such as Redress Compliance and Atonement Licensing complete an activation analysis before recommending bundle vs standalone to every client.
Defender for Endpoint P1 vs P2: What's Actually Different
Defender for Endpoint Plan 1 is included in Microsoft 365 E3 at no additional cost and provides next-generation antivirus, attack surface reduction rules, and device-based conditional access. For most organisations with a primarily managed device fleet and existing endpoint protection tooling, Plan 1 provides a strong baseline that is frequently underutilised before Plan 2 is purchased.
Plan 2 adds Endpoint Detection and Response (EDR), automated investigation and remediation (AIR), advanced threat hunting with 180-day data retention, Microsoft Threat Experts access, and the Defender Vulnerability Management capability. The commercial justification for Plan 2 depends on whether your security operations team will actually use these capabilities — particularly the hunting and investigation features — or whether your security operations are handled by a managed service that brings its own tooling.
Enterprises using a managed detection and response (MDR) service should evaluate carefully whether overlap between their MDR provider's tooling and Defender P2 creates redundant capability spend. In several cases we have reviewed, organisations were paying for Defender P2 while their MDR provider was using a competing EDR platform, making the P2 spend entirely redundant.
Defender for Cloud: The Azure Security Licensing Model
Defender for Cloud is architecturally distinct from the user-licensed Defender products — it is billed per Azure resource and delivered through Azure subscriptions rather than Microsoft 365. Defender for Cloud has a free tier (basic security posture management) and paid plans covering specific resource types: Defender for Servers ($15/server/month for Plan 1, $20/server/month for Plan 2), Defender for SQL ($15/SQL instance/month), Defender for Containers ($7/core/month), and Defender for Storage ($10/storage account/month).
The commercial trap with Defender for Cloud is scope creep: organisations that enable Defender plans for initial workloads find that the Azure Defender enablement is applied broadly across subscriptions, generating unexpected monthly costs as resource counts grow. Defender for Cloud costs are Azure-billed and may not be in the Microsoft 365 procurement team's view — creating a situation where security costs accumulate unmonitored in the Azure bill.
Defender for Cloud also qualifies for MACC drawdown as an Azure consumption item, which is commercially significant for organisations managing Azure commitment balances. See our Microsoft MACC Guide for how to integrate Defender for Cloud consumption into your Azure commitment strategy.
Microsoft Sentinel: The Licensing Interaction
Microsoft Sentinel — the cloud-native SIEM — has a complex pricing relationship with the Defender family. Sentinel is priced on data ingestion volume (approximately $2.46/GB for Pay-As-You-Go), with commitment tiers starting at 100GB/day ($123/day) that provide better unit economics at higher ingestion volumes.
The E5 Security bundle provides 500MB/user/day of Microsoft Sentinel data ingestion for free — covering the Microsoft 365 and Microsoft Defender logs that are typically the highest-volume data sources. For organisations where Sentinel ingestion is primarily Microsoft-sourced data, the E5 bundle effectively provides near-free Sentinel coverage for the Microsoft data plane.
The commercial risk is extending Sentinel to third-party data sources — cloud provider logs, firewall data, identity provider logs — without modelling the ingestion cost impact. Organisations that scope Sentinel as a Microsoft-only SIEM and then expand to a broader data source footprint regularly experience 3–5x budget overruns on their Sentinel line. For the complete Microsoft security licensing framework, see our dedicated Microsoft Security Licensing guide.
The Entra ID Licensing Interaction
Microsoft Entra ID (formerly Azure Active Directory) licensing intersects with Defender in ways that create both redundancy and compliance risks. Defender for Identity requires Entra ID Plan 2 (or equivalent Microsoft 365 E5 entitlements) for its full feature set, including Identity Protection risk policies and Privileged Identity Management. Organisations purchasing Defender for Identity without Entra ID P2 may find that the identity-related Defender capabilities they expected are incomplete.
Entra ID P2 is included in Microsoft 365 E5 and E5 Security but not in E3. It is available as a standalone add-on at approximately $6/user/month. The practical implication is that implementing Defender for Identity effectively — particularly for high-privilege user monitoring — often requires ensuring the Entra ID licensing tier across the relevant user population is Plan 2 rather than the Plan 1 included in E3. Our Entra ID Licensing guide covers this in detail.
Commercial Strategy: How to Buy Microsoft Defender
The optimal Defender procurement strategy depends on three factors: your current Microsoft 365 licensing tier, the specific security capabilities you require, and whether your EA renewal is imminent. For organisations on Microsoft 365 E3, the decision is whether to upgrade to E5 (gaining the full security suite plus Copilot features), purchase E5 Security as a targeted add-on, or purchase specific Defender components as standalone licences. The correct answer is different for every organisation and requires an activation analysis before a procurement decision is made.
For organisations approaching an EA renewal, the most important commercial move is conducting a Defender activation audit before the renewal meeting — not after. Microsoft account teams use renewal conversations to introduce E5 Security or E5 upsells as "natural" upgrades; having a clear activation-based view of your actual security requirements gives you the data to accept or reject these proposals from a position of understanding rather than assumption.