The Microsoft Defender suite spans Defender for Endpoint, Identity, Office, Cloud Apps, Cloud and the XDR overlay. The Admodum read on the per-product licensing, the E5 versus add-on arithmetic, the seat-assignment hygiene and the renewal disposition.
The Defender suite is the Microsoft security overlay across the M365 and Azure surfaces. The six principal products are: Defender for Endpoint (workstation and server endpoint detection and response), Defender for Identity (identity attack detection against on-prem AD and Entra ID), Defender for Office 365 (mail and collaboration threat protection), Defender for Cloud Apps (the SaaS security and CASB surface), Defender for Cloud (the workload protection across Azure, AWS and Google Cloud) and Defender XDR (the cross-product aggregation, hunting and automated investigation surface).
The XDR is not separately licensed; it is the aggregation surface across the other Defender products plus Microsoft Sentinel (the SIEM). The buyer holding any of the principal Defender products holds the corresponding entry to XDR; the buyer's XDR usefulness scales with the breadth of the underlying Defender estate.
The wider EA framework sits at the Enterprise Agreement overview; the wider M365 plan framework sits at the Microsoft 365 plans spoke; the wider editorial sits in the Microsoft pillar.
The E5 plan absorbs the principal Defender products as part of the Security and Compliance overlay. The E5 seat carries Defender for Endpoint P2, Defender for Identity, Defender for Office 365 P2 and Defender for Cloud Apps as included entitlements. The seat does not include Defender for Cloud, which is a separate consumption surface, or third-party connectors into Sentinel, which are priced separately.
The E5 absorption is the principal commercial argument for the E3-to-E5 step-up. The Security and Compliance overlay (Defender suite, Entra ID P2, Purview, Insider Risk Management, Communication Compliance) is the bulk of the value differential between E3 and E5; the remainder (Power BI Pro, Phone System, Audio Conferencing) is meaningful but smaller in many enterprise contexts.
The wider E3-to-E5 step-up sits at the Microsoft 365 plans spoke; the wider Entra ID licensing sits at the Entra ID licensing spoke (forthcoming).
An E3 buyer carries the discrete add-on construct. Defender for Endpoint comes in two tiers: P1 (the EDR baseline) and P2 (the full XDR-feed bearer with attack-surface reduction, threat and vulnerability management, automated investigation and remediation). Defender for Office 365 comes in two tiers: P1 (Safe Links, Safe Attachments, anti-phishing) and P2 (Threat Trackers, Threat Explorer, Attack Simulation Training). Defender for Identity and Defender for Cloud Apps are single-tier add-ons.
The discrete add-on pricing varies. A typical enterprise pricing for an E3 buyer adding Defender for Endpoint P2, Defender for Identity, Defender for Office 365 P2 and Defender for Cloud Apps at discount frequently lands within 70 to 85 percent of the E3-to-E5 step-up; the gap closes further on a buyer that does not require the wider Security and Compliance overlay (Entra ID P2, Purview) or the wider productivity overlay (Power BI Pro, Phone System).
The wider Insider Risk Management and Purview surface sits in the Compliance overlay (separate from the Defender surface, but bundled together inside the E5 step-up); the wider Power BI surface sits at the Power BI Pro Premium spoke (forthcoming).
Defender for Cloud is not a per-user seat; it is the workload-protection surface, priced on a consumption basis. The principal billing units are: per-server-per-hour (Defender for Servers P1 and P2), per-database-per-hour (Defender for Databases on SQL, PostgreSQL, MySQL, Cosmos DB and Open-source), per-storage-account-per-hour (Defender for Storage), per-container-vCore-per-hour (Defender for Containers), per-Key-Vault-transaction (Defender for Key Vault), per-API-call (Defender for APIs).
The CSPM surface (Cloud Security Posture Management) is the cross-cloud reading and is free at the foundational tier; the Defender CSPM tier (paid) adds attack-path analysis, agentless container scanning, agentless machine scanning, regulatory compliance frameworks and the wider posture-management surface. The buyer with a multicloud estate (Azure plus AWS plus Google Cloud) holds the Defender for Cloud entitlement across all three; the connector to AWS and GCP is free, and only the per-resource Defender plans on the connected accounts carry a charge.
The wider Azure MACC framework against which Defender for Cloud burns sits at the Azure MACC design spoke; the wider Azure Hybrid Benefit on the Windows Server and SQL Server estate sits at the Azure Hybrid Benefit spoke.
Seat-assignment hygiene is the single largest false-positive driver in the Defender SAM scope. Every user with an assigned Defender entitlement that does not match a workload signal (no managed device under Defender for Endpoint, no mailbox under Defender for Office, no Entra ID sign-in under Defender for Identity) is a candidate for right-tiering at renewal.
The frequent patterns: a buyer on E5 across the entire workforce where 40 percent of the seats are frontline workers with no managed endpoint (the frontline F-series plus the discrete Defender for Endpoint P1 frequently comes back cheaper than E5 on those seats); a buyer with discrete Defender add-ons assigned by group rather than by workload (the assignment includes terminated users, shared mailboxes, service accounts); a buyer with Defender for Cloud Apps assigned across the workforce but with policies enforced against only a sub-set (the unenforced seats are a candidate for de-assignment).
The buyer-side artefacts to hold against the Defender portfolio are: the assigned-seat inventory (every Defender entitlement, every user, every group), the workload-signal reconciliation (every assigned seat against the corresponding managed device, mailbox, identity, sign-in signal), the Defender for Cloud consumption baseline (every protected resource, every Defender plan, every monthly burn), the E5 versus add-on arithmetic (the renewal-time decision to step up to E5, to retain the discrete add-on construct, or to right-tier seat by seat).
The renewal-time conversation is then a negotiation against artefacts. The publisher's renewal proposal carries the E5 step-up where the buyer is on E3 plus add-ons; the buyer's decision is per-workload and per-seat-class, against the artefacts; the step-up, the discrete-add-on retention and the seat-class right-tiering are taken on shared arithmetic.
The wider engagement sits in the Microsoft practice; the aggregated reading list sits in the Microsoft knowledge hub; active renewal moments route to the Renewal Programme; active audit moments route to Audit Defence. The wider M365 plans framework sits at the Microsoft 365 plans spoke; the wider SAM audit framework sits at the SAM audit anatomy spoke.
The plan framework against which the Defender suite either absorbs or attaches.
The audit phases against which seat-assignment hygiene is the principal posture.
A senior Admodum Microsoft advisor will read your Defender assigned-seat inventory against your workload-signal reconciliation and produce an E5-versus-add-on arithmetic on a private call. Active renewal moments route to the Renewal Programme.