Home  ›  Blog  ›  Microsoft Security Licensing
Microsoft · Security Licensing Pillar

Microsoft security licensing — one stack, four ways to overpay.

Microsoft sells its security estate as one seamless stack — E5 Security, Intune, Purview, Sentinel — and prices it four different ways: per-user add-on, suite, standalone SKU, and data ingestion. In our 340+ engagements the firms that buy the stack as one line item routinely carry 20–35% of duplicated entitlement: full E5 where E3 plus an add-on would do, standalone Defender already inside E5 Security, and Sentinel paying to ingest logs that are now free. This pillar maps how each piece is licensed, where the overlap hides, and the sequence that resets the bill.

Updated: June 2026 Reading time: 15 min Audience: CISO, CIO, IT Procurement, Security Architecture
Cyber security operations screens
The answer, first

How does Microsoft security licensing actually work in 2026?

Microsoft security is licensed in four distinct ways, and knowing which applies to each capability is the whole game. Identity and threat protection (Entra ID P2, Defender for Endpoint, Office 365, Identity, Cloud Apps) is sold either inside Microsoft 365 E5 at about $57 per user per month or as the E5 Security add-on on top of E3 at about $12. Endpoint management (Intune) ships inside E3/E5 and EMS, with an Intune Suite add-on at about $10. Data security and compliance (Purview) is bundled in E5 or sold as the E5 Compliance add-on at about $12. Sentinel, the SIEM, is not per-user at all — it is priced on data ingested, around $2.46 per GB pay-as-you-go before commitment discounts. The overpayment almost always comes from mixing these models without mapping them: buying full E5 for security alone, stacking standalone Defender on top of an E5 that already includes it, or paying Sentinel ingestion on logs that are free under E5.

The practitioner rule: license the security stack by capability and by user persona, not by suite. Map who genuinely needs E5-grade protection, attach add-ons to the E3 base for the rest, and size Sentinel on ingested GB after you have excluded the free E5 logs — in that order.

This guide is the pillar for our Microsoft security-licensing cluster. It links down to three deep-dive sub-guides — Intune and EMS licensing, Microsoft Purview licensing, and Microsoft Sentinel pricing — and sits alongside our Microsoft vendor practice and Microsoft EA optimization service. It pairs closely with our Defender licensing breakdown and the E3 vs E5 decision.

What does the Microsoft security stack actually contain?

The "security stack" is a marketing umbrella over four product families that are licensed separately. The table below is the map we hand every client at the start of a security renewal: what each family does, how it is licensed, and the 2026 list reference point. Treat the prices as benchmark references, not quotes — Microsoft list moves and your discount applies on top.

FamilyCore productsLicensing model2026 list reference
Identity & threat protectionEntra ID P2, Defender for Endpoint / Office 365 / Identity / Cloud AppsPer-user (E5 or E5 Security add-on)~$12 add-on / in E5
Endpoint managementIntune, Intune SuitePer-user (in E3/E5/EMS; Suite add-on)Included / ~$10 Suite
Data security & compliancePurview (DLP, IP, eDiscovery, Insider Risk)Per-user (E5 or E5 Compliance add-on)~$12 add-on / in E5
Security analytics (SIEM/SOAR)Microsoft SentinelConsumption — per GB ingested~$2.46/GB PAYG

The pattern that matters: three of the four are per-user and overlap heavily with the E5 suite, while the fourth — Sentinel — is metered on data and behaves like an Azure consumption line. Mixing a per-user mental model onto Sentinel, or a consumption model onto the Defender SKUs, is how budgets blow out. Each gets its own sub-guide because each has its own trap.

Security renewal inside 12 months?

We persona-map your security entitlement against actual usage before the E5 count hardens — typically inside three weeks.

Contact Us →

E5, E5 Security add-on, or standalone — which path is cheapest?

For organisations that want Microsoft-grade security but not the full E5 productivity and compliance suite, the E5 Security add-on on top of E3 is almost always the cheapest path to the same protection. Full E5 lists around $57 per user per month; E3 plus the E5 Security add-on lands near $48 and delivers identical security entitlements, while standalone assembly of the same Defender and Entra components runs $25–30 on top of E3 — more than the add-on for the same coverage. The only reason to buy full E5 is if you also need the E5 compliance and analytics value; if security is the driver, the add-on wins.

PathWhat you get~Per user / monthBest for
Microsoft 365 E5 (full)Productivity + security + compliance + analytics~$57Whole-suite standardisation
E3 + E5 Security add-onE3 base + full identity/threat stack~$48Security without full E5
E3 + standalone Defender/EntraSame security, assembled SKU-by-SKU~$61+Partial / targeted coverage
E3 onlyProductivity + baseline security~$36Low-risk personas

The deeper move is persona segmentation: not every user needs E5-grade protection. Frontline and low-risk personas can sit on E3 or F-SKUs while privileged and high-risk users get the E5 Security add-on. We cover the full decision tree in the E3 vs E5 guide and the component detail in the Defender licensing breakdown.

Where does Intune fit, and what is EMS?

Intune is the endpoint-management engine; EMS (Enterprise Mobility + Security) is the legacy suite that bundles it with Entra ID and, at the E5 tier, Defender for Identity and Cloud App Security. Intune Plan 1 is already included in Microsoft 365 E3, E5 and both EMS tiers, so the common error is buying EMS or the Intune Suite add-on on top of an E5 that already carries the entitlement. The Intune Suite add-on (~$10 per user per month) adds advanced features — Remote Help, Endpoint Privilege Management, advanced analytics — that are genuinely valuable for a subset of admins and frontline devices but rarely justified estate-wide.

The full EMS-versus-E5 overlap analysis, the Intune Suite cost-benefit, and the device-versus-user licensing rules are in the Intune and EMS licensing deep-dive.

BundleIntune included?Adds~Per user / month
Microsoft 365 E3 / E5Yes (Plan 1)In suite
EMS E3YesEntra ID P1~$10.60
EMS E5YesEntra ID P2, Defender for Identity, Cloud App Security~$16.40
Intune Suite add-onAdvancedRemote Help, EPM, advanced analytics~$10

Get the Microsoft E5 Security Stack Licensing Guide.

The full persona-mapping model, the E5-vs-add-on math, the Purview overlap map, and the Sentinel sizing checklist — in one research paper.

Get the guide →

How is Microsoft Purview licensed?

Purview is Microsoft's data-security and compliance brand — DLP, Information Protection, eDiscovery, Insider Risk Management, Communication Compliance and the rest. Most of it is bundled into Microsoft 365 E5 or sold as the E5 Compliance add-on (~$12 per user per month) on top of E3. The trap is twofold: organisations buy the E5 Compliance add-on on top of a full E5 that already includes it, and they license Purview estate-wide when only a regulated subset of users actually triggers the advanced features. Premium capabilities like Insider Risk and Communication Compliance carry the heaviest list weight and are the easiest to over-deploy.

The component-by-component map, the E5 Compliance overlap check, and the regulated-persona scoping model are in the Purview licensing deep-dive.

Purview capabilityEntitlementTypical over-deploy risk
DLP, Information Protection (basic)In E3 / E5Low
eDiscovery (Premium)E5 / E5 ComplianceMedium
Insider Risk ManagementE5 / E5 ComplianceHigh
Communication ComplianceE5 / E5 ComplianceHigh

Why is Microsoft Sentinel priced so differently?

Because Sentinel is a SIEM, not a productivity SKU — it is metered on the volume of log data ingested, the way Azure compute is metered on consumption. Pay-as-you-go runs about $2.46 per GB into the analytics tier, and commitment tiers from 100 GB/day cut the effective rate 15–65%. Two 2025 changes reshaped the math: eligible Microsoft 365 E5 security logs now ingest free, and auxiliary or data-lake logs price an order of magnitude lower (cents per GB) than analytics logs. The result is that the same SOC can pay wildly different amounts depending on how it tiers its log sources — which is exactly the lever most teams never pull.

The full ingestion-tier model, the commitment-tier break-even table, and the free-E5-log exclusions are in the Sentinel pricing deep-dive. Sentinel also interacts with the broader Azure consumption picture covered in our Azure FinOps guide.

Sentinel tierPricing basis~Effective rateUse for
Analytics — PAYGPer GB ingested~$2.46/GBHigh-value detection logs
Analytics — commitmentPer day, tiered15–65% lowerPredictable volume
Auxiliary / data lakePer GB (low)~$0.10–0.15/GBVerbose, low-query logs
Eligible E5 security logsFree$0M365 audit/security data

Not sure where the overlap is?

We run a security-stack entitlement triage — your licence file in, the duplicated-spend map out, typically inside two weeks.

Contact Us →

Where does the overlap actually hide?

In four predictable places, and across our engagements they total 20–35% of security-stack spend. First, suite-versus-add-on: full E5 bought where E3 plus the E5 Security add-on would deliver the same protection. Second, standalone-on-suite: individual Defender or Entra SKUs purchased on top of an E5 that already includes them. Third, compliance double-buy: the E5 Compliance add-on stacked on full E5. Fourth, Sentinel ingestion paid on logs that are free under E5 or that belong in the cheap auxiliary tier. None of these are exotic — they accrete because security, identity and SOC budgets are owned by different teams who never reconcile the entitlement.

Overlap patternHow it happensTypical recoverableOwner
Full E5 for security-only personasSuite default vs add-on path15–25% of those seatsProcurement
Standalone Defender on top of E5SOC buys what E5 already has5–12% of stackSecurity + SAM
E5 Compliance add-on on full E5Double-counted entitlementWhole add-on lineCompliance
Sentinel ingesting free/cheap logsNo log-source tiering20–40% of SentinelSOC / FinOps

"The Microsoft security stack is the one estate where four teams each buy a slice and nobody reconciles the whole — which is exactly why the overlap is so reliably 20-plus percent."

When should a security-licensing review start?

Nine to twelve months before the Enterprise Agreement or M365 renewal. The reason is the same as for the rest of the Microsoft estate: the entitlement count and usage telemetry that justify a right-sizing need a few quarters to mature, and the E5 seat count Microsoft anchors on is set in the months before signing. Start the persona mapping and the Sentinel log-tiering early and you negotiate against a defensible, evidence-backed number; start late and you are accepting the count Microsoft proposes. The security stack also co-terms with the EA, so it should be sequenced inside the broader renewal rather than negotiated as an afterthought.

For Microsoft estates above $10M annually, an independent buyer-side security-stack review typically captures total-security-cost reduction equal to five to fifteen times the advisory fee — and the reduction holds because it is structural entitlement cleanup, not a one-time discount. The full renewal calendar is in our complete Microsoft EA guide; this pillar is the security lens over the top of it, and it interlocks with the cost levers in our Microsoft cost optimization pillar.

Go deeper

The three security-licensing sub-guides.

Paying for a security stack you've bought twice?
The overlap rarely runs less than 20 percent.

$1.8B+ in documented client savings across 340+ engagements. Buyer-side only since 2016. Gartner recognised.

The Compliance Brief

Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.