Microsoft sells its security estate as one seamless stack — E5 Security, Intune, Purview, Sentinel — and prices it four different ways: per-user add-on, suite, standalone SKU, and data ingestion. In our 340+ engagements the firms that buy the stack as one line item routinely carry 20–35% of duplicated entitlement: full E5 where E3 plus an add-on would do, standalone Defender already inside E5 Security, and Sentinel paying to ingest logs that are now free. This pillar maps how each piece is licensed, where the overlap hides, and the sequence that resets the bill.
Microsoft security is licensed in four distinct ways, and knowing which applies to each capability is the whole game. Identity and threat protection (Entra ID P2, Defender for Endpoint, Office 365, Identity, Cloud Apps) is sold either inside Microsoft 365 E5 at about $57 per user per month or as the E5 Security add-on on top of E3 at about $12. Endpoint management (Intune) ships inside E3/E5 and EMS, with an Intune Suite add-on at about $10. Data security and compliance (Purview) is bundled in E5 or sold as the E5 Compliance add-on at about $12. Sentinel, the SIEM, is not per-user at all — it is priced on data ingested, around $2.46 per GB pay-as-you-go before commitment discounts. The overpayment almost always comes from mixing these models without mapping them: buying full E5 for security alone, stacking standalone Defender on top of an E5 that already includes it, or paying Sentinel ingestion on logs that are free under E5.
The practitioner rule: license the security stack by capability and by user persona, not by suite. Map who genuinely needs E5-grade protection, attach add-ons to the E3 base for the rest, and size Sentinel on ingested GB after you have excluded the free E5 logs — in that order.
This guide is the pillar for our Microsoft security-licensing cluster. It links down to three deep-dive sub-guides — Intune and EMS licensing, Microsoft Purview licensing, and Microsoft Sentinel pricing — and sits alongside our Microsoft vendor practice and Microsoft EA optimization service. It pairs closely with our Defender licensing breakdown and the E3 vs E5 decision.
The "security stack" is a marketing umbrella over four product families that are licensed separately. The table below is the map we hand every client at the start of a security renewal: what each family does, how it is licensed, and the 2026 list reference point. Treat the prices as benchmark references, not quotes — Microsoft list moves and your discount applies on top.
| Family | Core products | Licensing model | 2026 list reference |
|---|---|---|---|
| Identity & threat protection | Entra ID P2, Defender for Endpoint / Office 365 / Identity / Cloud Apps | Per-user (E5 or E5 Security add-on) | ~$12 add-on / in E5 |
| Endpoint management | Intune, Intune Suite | Per-user (in E3/E5/EMS; Suite add-on) | Included / ~$10 Suite |
| Data security & compliance | Purview (DLP, IP, eDiscovery, Insider Risk) | Per-user (E5 or E5 Compliance add-on) | ~$12 add-on / in E5 |
| Security analytics (SIEM/SOAR) | Microsoft Sentinel | Consumption — per GB ingested | ~$2.46/GB PAYG |
The pattern that matters: three of the four are per-user and overlap heavily with the E5 suite, while the fourth — Sentinel — is metered on data and behaves like an Azure consumption line. Mixing a per-user mental model onto Sentinel, or a consumption model onto the Defender SKUs, is how budgets blow out. Each gets its own sub-guide because each has its own trap.
We persona-map your security entitlement against actual usage before the E5 count hardens — typically inside three weeks.
For organisations that want Microsoft-grade security but not the full E5 productivity and compliance suite, the E5 Security add-on on top of E3 is almost always the cheapest path to the same protection. Full E5 lists around $57 per user per month; E3 plus the E5 Security add-on lands near $48 and delivers identical security entitlements, while standalone assembly of the same Defender and Entra components runs $25–30 on top of E3 — more than the add-on for the same coverage. The only reason to buy full E5 is if you also need the E5 compliance and analytics value; if security is the driver, the add-on wins.
| Path | What you get | ~Per user / month | Best for |
|---|---|---|---|
| Microsoft 365 E5 (full) | Productivity + security + compliance + analytics | ~$57 | Whole-suite standardisation |
| E3 + E5 Security add-on | E3 base + full identity/threat stack | ~$48 | Security without full E5 |
| E3 + standalone Defender/Entra | Same security, assembled SKU-by-SKU | ~$61+ | Partial / targeted coverage |
| E3 only | Productivity + baseline security | ~$36 | Low-risk personas |
The deeper move is persona segmentation: not every user needs E5-grade protection. Frontline and low-risk personas can sit on E3 or F-SKUs while privileged and high-risk users get the E5 Security add-on. We cover the full decision tree in the E3 vs E5 guide and the component detail in the Defender licensing breakdown.
Intune is the endpoint-management engine; EMS (Enterprise Mobility + Security) is the legacy suite that bundles it with Entra ID and, at the E5 tier, Defender for Identity and Cloud App Security. Intune Plan 1 is already included in Microsoft 365 E3, E5 and both EMS tiers, so the common error is buying EMS or the Intune Suite add-on on top of an E5 that already carries the entitlement. The Intune Suite add-on (~$10 per user per month) adds advanced features — Remote Help, Endpoint Privilege Management, advanced analytics — that are genuinely valuable for a subset of admins and frontline devices but rarely justified estate-wide.
The full EMS-versus-E5 overlap analysis, the Intune Suite cost-benefit, and the device-versus-user licensing rules are in the Intune and EMS licensing deep-dive.
| Bundle | Intune included? | Adds | ~Per user / month |
|---|---|---|---|
| Microsoft 365 E3 / E5 | Yes (Plan 1) | — | In suite |
| EMS E3 | Yes | Entra ID P1 | ~$10.60 |
| EMS E5 | Yes | Entra ID P2, Defender for Identity, Cloud App Security | ~$16.40 |
| Intune Suite add-on | Advanced | Remote Help, EPM, advanced analytics | ~$10 |
The full persona-mapping model, the E5-vs-add-on math, the Purview overlap map, and the Sentinel sizing checklist — in one research paper.
Purview is Microsoft's data-security and compliance brand — DLP, Information Protection, eDiscovery, Insider Risk Management, Communication Compliance and the rest. Most of it is bundled into Microsoft 365 E5 or sold as the E5 Compliance add-on (~$12 per user per month) on top of E3. The trap is twofold: organisations buy the E5 Compliance add-on on top of a full E5 that already includes it, and they license Purview estate-wide when only a regulated subset of users actually triggers the advanced features. Premium capabilities like Insider Risk and Communication Compliance carry the heaviest list weight and are the easiest to over-deploy.
The component-by-component map, the E5 Compliance overlap check, and the regulated-persona scoping model are in the Purview licensing deep-dive.
| Purview capability | Entitlement | Typical over-deploy risk |
|---|---|---|
| DLP, Information Protection (basic) | In E3 / E5 | Low |
| eDiscovery (Premium) | E5 / E5 Compliance | Medium |
| Insider Risk Management | E5 / E5 Compliance | High |
| Communication Compliance | E5 / E5 Compliance | High |
Because Sentinel is a SIEM, not a productivity SKU — it is metered on the volume of log data ingested, the way Azure compute is metered on consumption. Pay-as-you-go runs about $2.46 per GB into the analytics tier, and commitment tiers from 100 GB/day cut the effective rate 15–65%. Two 2025 changes reshaped the math: eligible Microsoft 365 E5 security logs now ingest free, and auxiliary or data-lake logs price an order of magnitude lower (cents per GB) than analytics logs. The result is that the same SOC can pay wildly different amounts depending on how it tiers its log sources — which is exactly the lever most teams never pull.
The full ingestion-tier model, the commitment-tier break-even table, and the free-E5-log exclusions are in the Sentinel pricing deep-dive. Sentinel also interacts with the broader Azure consumption picture covered in our Azure FinOps guide.
| Sentinel tier | Pricing basis | ~Effective rate | Use for |
|---|---|---|---|
| Analytics — PAYG | Per GB ingested | ~$2.46/GB | High-value detection logs |
| Analytics — commitment | Per day, tiered | 15–65% lower | Predictable volume |
| Auxiliary / data lake | Per GB (low) | ~$0.10–0.15/GB | Verbose, low-query logs |
| Eligible E5 security logs | Free | $0 | M365 audit/security data |
We run a security-stack entitlement triage — your licence file in, the duplicated-spend map out, typically inside two weeks.
In four predictable places, and across our engagements they total 20–35% of security-stack spend. First, suite-versus-add-on: full E5 bought where E3 plus the E5 Security add-on would deliver the same protection. Second, standalone-on-suite: individual Defender or Entra SKUs purchased on top of an E5 that already includes them. Third, compliance double-buy: the E5 Compliance add-on stacked on full E5. Fourth, Sentinel ingestion paid on logs that are free under E5 or that belong in the cheap auxiliary tier. None of these are exotic — they accrete because security, identity and SOC budgets are owned by different teams who never reconcile the entitlement.
| Overlap pattern | How it happens | Typical recoverable | Owner |
|---|---|---|---|
| Full E5 for security-only personas | Suite default vs add-on path | 15–25% of those seats | Procurement |
| Standalone Defender on top of E5 | SOC buys what E5 already has | 5–12% of stack | Security + SAM |
| E5 Compliance add-on on full E5 | Double-counted entitlement | Whole add-on line | Compliance |
| Sentinel ingesting free/cheap logs | No log-source tiering | 20–40% of Sentinel | SOC / FinOps |
"The Microsoft security stack is the one estate where four teams each buy a slice and nobody reconciles the whole — which is exactly why the overlap is so reliably 20-plus percent."
Nine to twelve months before the Enterprise Agreement or M365 renewal. The reason is the same as for the rest of the Microsoft estate: the entitlement count and usage telemetry that justify a right-sizing need a few quarters to mature, and the E5 seat count Microsoft anchors on is set in the months before signing. Start the persona mapping and the Sentinel log-tiering early and you negotiate against a defensible, evidence-backed number; start late and you are accepting the count Microsoft proposes. The security stack also co-terms with the EA, so it should be sequenced inside the broader renewal rather than negotiated as an afterthought.
For Microsoft estates above $10M annually, an independent buyer-side security-stack review typically captures total-security-cost reduction equal to five to fifteen times the advisory fee — and the reduction holds because it is structural entitlement cleanup, not a one-time discount. The full renewal calendar is in our complete Microsoft EA guide; this pillar is the security lens over the top of it, and it interlocks with the cost levers in our Microsoft cost optimization pillar.
$1.8B+ in documented client savings across 340+ engagements. Buyer-side only since 2016. Gartner recognised.
Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.