Home  ›  Blog  ›  Microsoft Defender Licensing
Microsoft · Security Licensing

Microsoft Defender licensing — the security stack designed to be re-bought every renewal.

Microsoft's Defender portfolio spans seven distinct products, three workload planes, two plan tiers per product, and entitlements that overlap with E5, EMS E5 and standalone purchase paths. The result is a licensing architecture in which most enterprises pay for the same security capability twice — once inside an E5 entitlement they are not fully consuming, and a second time as a standalone Defender SKU because nobody mapped the overlap. In 340+ engagements, the median saving from Defender entitlement mapping is 8–14% of the security line.

Updated: June 2026 Reading time: 11 min Audience: CISO, IT Procurement, Cloud FinOps
Cybersecurity
The Defender map

Seven Defenders, three planes, and a licensing architecture that rewards mapping.

The Defender portfolio is organised by what it protects: Defender for Endpoint (devices), Defender for Identity (Active Directory and Entra), Defender for Office 365 (email and Teams), Defender for Cloud Apps (SaaS posture and CASB), Defender for Cloud (Azure and multicloud workloads), Defender XDR (the unified incident plane), and Defender for IoT. Each has its own pricing model — per-user, per-asset, per-host, per-resource — and each has two plan tiers (Plan 1 / Plan 2) that differ on advanced hunting, automated investigation, and threat intelligence.

The overlap layer is where the spend leakage lives. Microsoft 365 E5 includes Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, and Defender XDR. EMS E5 standalone includes a similar but narrower set. Customers on E5 who buy Defender for Endpoint Plan 2 standalone, or Defender for Office 365 separately, are paying twice. The reverse is also common: E3 customers underestimate what is in the Defender for Endpoint Plan 2 add-on relative to buying Defender for Cloud Apps separately.

Defender footprint never mapped against your E5 / EMS entitlements?

The double-pay finding rate is well above 60% in our experience.

Contact Us →
Plan 1 vs Plan 2

The Plan 1 vs Plan 2 decision is rarely as clear as Microsoft presents.

For Defender for Endpoint, Plan 1 is roughly the EPP (next-gen AV) layer; Plan 2 is the EDR layer plus threat and vulnerability management, automated investigation, advanced hunting, and Microsoft Threat Experts access. The price delta is meaningful — Plan 2 runs roughly 4x Plan 1 standalone — and Microsoft sales motion universally pushes Plan 2 as the right tier for any business above mid-market.

The honest framing: Plan 2 is the right tier for an organisation with a SOC team that will operate the EDR signal. For organisations whose security operations are outsourced to an MSSP, or whose SOC is genuinely small, Plan 1 plus a focused third-party EDR can be more cost-effective and operationally cleaner. The wrong reason to buy Plan 2 is "everyone is on Plan 2."

Defender for Cloud — the resource-based pricing trap

Defender for Cloud is priced per protected resource (per VM, per database, per container, per storage account) with separate SKUs per resource class. For organisations with sprawl across Azure subscriptions and AWS accounts, the per-resource cost compounds quickly. The optimisation lever is workload classification: enabling Defender for Cloud only on the resource classes that warrant it (production databases, internet-facing VMs, key vaults) rather than blanket enablement across all subscriptions. The median saving from selective enablement runs 30–55% of Defender for Cloud spend — mapping that overlap against your E5 entitlements is core software license optimization work.

Download the Microsoft EA Negotiation Guide.

Includes the E5 / Defender entitlement map, the standalone-vs-suite math, and the security tier optimisation patterns.

Get the playbook →
Negotiation levers

Where Defender pricing actually moves.

Defender SKUs negotiate on the same EA discount tier as M365 base, but additional discount is achievable at the suite level when the customer commits to Microsoft as primary security vendor. The most consequential commitment is Microsoft Sentinel adoption alongside Defender XDR — the SIEM consolidation play that Microsoft pursues aggressively. Customers willing to commit to Sentinel as the SIEM of record typically capture an additional 5–12% on the Defender suite, plus material ECIF funding for the Sentinel migration.

Counter-leverage exists for customers maintaining best-of-breed: CrowdStrike, SentinelOne, Wiz, and Lacework are the four competitive references that move Microsoft renewal economics. The strongest negotiation position is one in which the security team has a credible alternative architecture costed and presented to the CFO, regardless of whether the alternative will actually be adopted.

Defender renewal or expansion under discussion?

The entitlement map and the competitive positioning need to be built before the renewal conversation.

Contact Us →

Defender stack approaching renewal?
The entitlement map is the optimisation.

We map Defender entitlements against deployment for every Microsoft EA we touch.

The Compliance Brief

Weekly compliance intelligence for IT leaders.