Home  ›  Blog  ›  Microsoft Sentinel Pricing
Microsoft · Security Analytics

Microsoft Sentinel pricing — you pay by the gigabyte, not the seat.

Microsoft Sentinel is the one piece of the security stack that is not licensed per user — it is metered on the volume of log data ingested, around $2.46 per GB pay-as-you-go before commitment discounts. Two 2025 changes reshaped the math: eligible Microsoft 365 E5 security logs now ingest free, and auxiliary or data-lake logs price an order of magnitude lower. Here is how the tiers work and how to size them so the SOC stops paying analytics rates for logs that belong in a cheaper tier.

Updated: June 2026 Reading time: 10 min Audience: CISO, SOC Lead, Cloud FinOps, IT Procurement
Data centre infrastructure
The answer, first

How is Microsoft Sentinel priced?

Sentinel is priced on data ingestion, not per user. The analytics tier — the searchable, alert-able log store — runs about $2.46 per GB ingested on pay-as-you-go, and commitment tiers from 100 GB/day cut the effective rate 15–65% in exchange for a daily volume pledge. Two things changed the picture in 2025: eligible Microsoft 365 E5 security logs now ingest into Sentinel free, and a low-cost auxiliary / data-lake tier prices verbose, low-query logs at roughly $0.10–0.15 per GB. The result is that two SOCs ingesting the same total volume can pay wildly different bills depending on how they tier their sources — which is the lever most teams never touch.

The core point: Sentinel cost is a data-engineering problem, not a licensing one. The savings come from excluding free E5 logs, routing verbose logs to the cheap tier, and only committing daily volume you reliably ingest.

This is a sub-guide in our Microsoft security licensing pillar. It pairs with the Intune and EMS and Purview licensing guides, sits under our Microsoft vendor practice, and connects to the wider consumption picture in our Azure FinOps guide.

What does each Sentinel tier cost?

Four ingestion tiers, four very different rates. The table is the 2026 reference; treat the figures as benchmark references, not quotes — Microsoft list moves and regional pricing varies. The decisive point is the spread between the analytics rate and the auxiliary rate, which is more than 15-fold.

TierPricing basis~Effective rateUse for
Analytics — pay-as-you-goPer GB ingested~$2.46/GBHigh-value detection logs
Analytics — commitmentPer day, tiered15–65% lowerPredictable daily volume
Auxiliary / data lakePer GB (low)~$0.10–0.15/GBVerbose, rarely-queried logs
Eligible E5 security logsFree benefit$0M365 audit / security data

The most common over-spend is ingesting everything into the analytics tier — firewall, proxy, DNS and verbose network logs that are queried once a quarter — at $2.46/GB when the auxiliary tier would hold them at a tenth of the cost. The detection and correlation value lives in a fraction of the total volume.

Sentinel bill climbing with the SOC?

We tier-map your log sources and model the commitment break-even — most clients cut Sentinel ingestion cost 20–40% with no loss of detection.

Contact Us →

When does a commitment tier beat pay-as-you-go?

As soon as your daily analytics ingestion is predictable above the tier floor. Commitment tiers pledge a fixed daily GB volume at a discounted rate; overage above the tier bills at the same discounted rate, so the only risk is committing higher than you ingest. The chart shows the effective per-GB rate falling as the commitment tier rises — the SOC that reliably ingests 200 GB/day should never be on pay-as-you-go.

Effective Sentinel analytics rate by commitment tier (illustrative)
Pay-as-you-go
$2.46
100 GB/day
~$1.92
500 GB/day
~$1.53
5000 GB/day
~$0.98
Daily ingestionBest tiervs PAYG saving
Under 100 GB/dayPay-as-you-go
100–500 GB/dayCommitment 100 GB15–25%
500–5,000 GB/dayCommitment 500 GB+30–50%
5,000+ GB/dayCommitment 5,000 GB+50–65%

Get the Microsoft E5 Security Stack Licensing Guide.

The Sentinel sizing checklist, the free-E5-log exclusions, and the commitment break-even model in one research paper.

Get the guide →

Which logs are free under E5 — and which are not?

Eligible Microsoft 365 E5 (and equivalent) security and audit logs ingest into Sentinel at no ingestion cost — this covers a defined set of Microsoft 365, Entra ID and Defender data. What is not free: third-party sources (firewalls, network appliances, SaaS apps), most Azure platform logs, and custom logs. The practical move is to map every connector against the free-eligible list before sizing the commitment, because counting free logs into your committed volume is paying for data Microsoft already gives away. Across our engagements, accounting for free E5 logs alone cuts the effective committed volume materially.

"The fastest Sentinel saving is not a discount — it is deleting the analytics-tier ingestion of logs that are either free under E5 or belong in the data lake."

How does Sentinel fit the wider Azure bill?

Sentinel runs on a Log Analytics workspace, so its consumption sits inside the same Azure cost surface as the rest of your platform — and the same FinOps disciplines apply: retention settings, archive tiers, and basic-versus-analytics log classification all move the bill. Because Sentinel is consumption-metered, it should be governed alongside Azure consumption, not treated as a fixed security licence. The retention and archive levers, and how Sentinel folds into Azure commitment sizing, are covered in our Azure FinOps guide and the broader Microsoft cost optimization pillar.

Get the Microsoft Unified Support & Azure Cost Playbook.

Sentinel sizing lives inside the Azure commitment — the playbook has the spend-band benchmarks, the commitment-tier model, and the renewal-timing calendar.

Get the playbook →

When should a Sentinel review happen?

Continuously, but with a hard checkpoint before any Azure commitment or EA renewal. Because Sentinel is metered, its cost drifts upward as the SOC onboards sources — so a quarterly tier-and-retention review keeps it honest, and a pre-renewal review ensures the committed volume reflects free-E5 exclusions and data-lake routing rather than raw ingestion. For a mature SOC the re-tiering typically recovers 20–40% of Sentinel spend with no reduction in detection coverage, because the cut comes from how data is stored, not whether it is collected. Sizing that committed volume against the rest of the Azure estate is exactly where our cloud contract advisory team adds leverage ahead of a commitment.

For the full picture, read the Microsoft security licensing pillar, then the Intune and EMS and Purview sub-guides, and see the Microsoft EA optimization case study for how security-stack right-sizing folds into a full renewal.

Paying analytics rates for data-lake logs?
Re-tier Sentinel before the SOC scales.

$1.8B+ in documented client savings across 340+ engagements. Buyer-side only since 2016. Gartner recognised.

The Compliance Brief

Weekly compliance intelligence for IT leaders.