What is the Microsoft 365 E3 vs E5 security feature delta? E3 includes Defender for Office 365 P1, Defender for Endpoint P1, Entra ID P1, and Purview Information Protection P1. E5 adds Defender for Office 365 P2, Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps (CASB), Purview P2, Insider Risk Management, Communication Compliance, Records Management, Entra ID Governance P2, and Advanced eDiscovery. The E5 stack is a SOC-grade security and compliance bundle; E3 is endpoint-and-email protection.
Why it matters: If your security maturity supports operating the E5 stack, the consolidated bundle is cheaper than separate tools and reduces vendor sprawl. If it doesn't, you'll pay for shelfware. The decision turns on operational maturity, not just licence economics.
The Microsoft 365 E3 vs E5 security decision determines whether the renewal lands at $30/user/month or $48/user/month effective — a difference of $1.8M annually for every 10,000 users. The decision should be driven by which specific security capabilities your SOC operationalises, not by the marketing pitch that E5 is "the secure tier". Many E5 customers use less than 30% of the E5 security feature surface. For the broader pricing breakdown see our E3 vs E5 pricing guide.
Per the official Microsoft Defender documentation, the E3 and E5 plans include distinct sub-products: Defender for Office 365 (email), Defender for Endpoint (devices), Defender for Identity (on-prem AD), Defender for Cloud Apps (SaaS CASB). Each has its own Plan 1 and Plan 2 split.
Defender for Office 365 — P1 (E3) vs P2 (E5)
| Capability | E3 (Defender for O365 P1) | E5 (Defender for O365 P2) |
|---|---|---|
| Safe Attachments | Yes | Yes |
| Safe Links | Yes | Yes |
| Anti-phishing protection | Standard | Advanced (impersonation, intelligence) |
| Threat Explorer | No | Yes |
| Real-time detections | No | Yes |
| Threat Tracker | No | Yes |
| Attack Simulator | No | Yes |
| Automated Investigation & Response (AIR) | No | Yes |
| Campaigns view | No | Yes |
The big deltas: Threat Explorer, real-time detections, Attack Simulator and Automated Investigation. If your SOC operates AIR for email threat response, this is a material capability gap. If it doesn't, the Defender for O365 step-up from P1 to P2 is largely shelfware.
Defender for Endpoint — P1 (E3) vs P2 (E5)
| Capability | E3 (Defender for Endpoint P1) | E5 (Defender for Endpoint P2) |
|---|---|---|
| Next-gen antivirus | Yes | Yes |
| Attack Surface Reduction (ASR) | Yes | Yes |
| Web content filtering | Yes | Yes |
| Application control | Yes | Yes |
| Endpoint Detection & Response (EDR) | No | Yes (block mode) |
| Automated investigation & remediation | No | Yes |
| Threat & Vulnerability Management (TVM) | No | Yes |
| Advanced hunting (KQL queries) | No | Yes |
| Threat experts / threat intelligence | No | Yes (add-on) |
| Microsoft Threat Experts on-demand | No | Yes (add-on) |
The endpoint delta is where most enterprise budget-vs-capability conversations land. P2 unlocks the SOC-grade capabilities: EDR, automated remediation, threat and vulnerability management, and advanced hunting. P1 is essentially next-gen AV with hardening features. For a 5,000-user enterprise running a mature SOC, P2 is an operational necessity. For a smaller security team, P1 plus a managed-detection-and-response partner often beats unutilised P2.
Defender for Identity (E5 only)
Defender for Identity (formerly Azure ATP) is not in E3 at all. It monitors on-premises Active Directory for compromise indicators — Pass-the-Hash, Pass-the-Ticket, Golden Ticket, lateral movement, reconnaissance. For any organisation with on-premises AD (which is most large enterprises), this is one of the most operationally-valuable items in E5.
Standalone add-on price: approximately $5/user/month. If on-premises AD is in scope and your security strategy includes AD compromise detection, this alone is roughly 25% of the E5 step-up justification.
Defender for Cloud Apps — CASB (E5 only)
Defender for Cloud Apps is the Microsoft CASB (Cloud Access Security Broker). It discovers shadow IT, applies session and access policies to SaaS apps, and provides DLP across non-Microsoft SaaS. Standalone add-on price: approximately $3.50/user/month.
Not to be confused with Defender for Cloud, which is the Azure workload-protection product. Defender for Cloud Apps is in E5; Defender for Cloud is NOT in E5 (it's a per-Azure-resource SKU).
Purview Information Protection & Compliance
| Capability | E3 (Purview P1) | E5 (Purview P2) |
|---|---|---|
| Manual sensitivity labels | Yes | Yes |
| Basic DLP (email, files, Teams) | Yes | Yes |
| Standard eDiscovery | Yes | Yes |
| Audit log retention | 90 days | 1 year (10 years with add-on) |
| Automated sensitivity labelling | No | Yes |
| Trainable classifiers (ML) | No | Yes |
| Endpoint DLP | No | Yes |
| Advanced eDiscovery (case management) | No | Yes |
| Insider Risk Management | No | Yes |
| Communication Compliance | No | Yes |
| Records Management / retention | Basic | Advanced |
| Customer Lockbox | No | Yes |
| Privileged Access Management | No | Yes |
The Purview / Compliance side is where the most-overlooked E5 capability lives. Insider Risk Management, Communication Compliance and Records Management are typically driven by regulatory and HR requirements rather than by SecOps. Organisations in financial services, healthcare, defence, and public sector are the most common buyers of E5 specifically for the Compliance side.
Entra ID — P1 (E3) vs P2 + Governance P2 (E5)
| Capability | E3 (Entra ID P1) | E5 (Entra ID P2 + Governance P2) |
|---|---|---|
| Multi-factor authentication | Yes | Yes |
| Conditional Access | Yes | Yes (with risk-based) |
| Self-service password reset | Yes | Yes |
| Identity Protection (risk-based CA) | Basic | Full (risk scores, sign-in risk) |
| Privileged Identity Management (PIM) | No | Yes |
| Access Reviews | No | Yes |
| Entitlement Management | No | Yes |
| Lifecycle Workflows | No | Yes |
| App-governance dashboards | No | Yes |
The Entra ID Governance P2 inclusion in E5 is one of the recent (2024) additions and is consistently underweighted in E3 vs E5 analyses. PIM, Access Reviews and Entitlement Management are the IAM-governance triad for any large enterprise. Standalone Entra ID Governance P2 add-on is approximately $9/user/month.
Add-On Stack vs E5 — The Numbers
For buyers who don't need everything, the question is "which add-ons are cheaper than the full E5 step-up?". Below is the consolidated math.
| Path | Approximate list ($/user/month) | Notes |
|---|---|---|
| E3 alone | $36 | Baseline |
| E3 + Defender for Endpoint P2 | $41.20 | If EDR is the only gap |
| E3 + E5 Security add-on | ~$48 | Defender P2 components + Defender for Identity + Defender for Cloud Apps |
| E3 + E5 Compliance add-on | ~$48 | Purview P2 + Insider Risk + Comms Compliance + Records Mgmt |
| E3 + E5 Security + E5 Compliance | ~$60 | Above the full E5 step-up — switch to E5 |
| E5 | $57 | All-inclusive |
Decision rule: if you need both E5 Security and E5 Compliance add-ons, E5 is cheaper. If you need only one or only EDR specifically, the targeted add-on is cheaper.
The Operationalisation Question
The E5 security capability inventory is impressive on paper and consistently under-utilised in practice. Three questions a CISO should answer before committing to E5:
- Does the SOC have the headcount to operationalise EDR and AIR? Defender for Endpoint P2 EDR and Defender for O365 P2 AIR both require SOC analysts capable of triaging alerts, tuning policies, and acting on automated investigations. Without that capability, the tools produce noise, not protection.
- Are Insider Risk Management and Communication Compliance regulatory requirements? These are the most operationally-demanding Purview features. Organisations adopt them under regulatory pressure (financial services, healthcare, public sector); without that pressure, they sit unused.
- Is on-premises AD compromise detection in scope? Defender for Identity is consistently the highest-ROI single component in E5 for enterprises with on-prem AD. If on-prem AD is going away in 12 months, Defender for Identity is less load-bearing.
"We were sold E5 across 22,000 users on the security pitch. Six months in, the audit showed we were using Defender for Endpoint P2 fully, Purview P1 features, and basically nothing else from the E5 stack. IT Negotiations re-architected the mix: E3 + targeted Defender for Endpoint P2 add-on for 18,000 users; full E5 for 4,000 security and compliance personas. Net annual saving: $2.7M without losing the capability we actually operated."
— CISO, Fortune 500 Insurance
Our advisors handle Microsoft EA security tier analysis inside Microsoft advisory engagements. See documented outcomes in our case studies including Microsoft EA $8M saving.
Frequently Asked Questions
What security features does Microsoft 365 E3 include?
Defender for O365 P1, Defender for Endpoint P1, Entra ID P1, Purview Information Protection P1, Windows 11 Enterprise security baselines. Does NOT include EDR, automated investigation, Defender for Identity, Defender for Cloud Apps, Insider Risk Management, Communication Compliance.
What additional security features does E5 add over E3?
Defender for O365 P2 (Threat Explorer, AIR, Attack Simulator), Defender for Endpoint P2 (EDR, TVM, hunting), Defender for Identity, Defender for Cloud Apps; Purview P2, Insider Risk Management, Communication Compliance, Records Management, Advanced eDiscovery, Customer Lockbox; Entra ID P2 + Governance P2 (PIM, Access Reviews, Entitlement Management).
Do I need E5 if I already have Defender?
Defender for Endpoint P1 (E3) covers next-gen AV + ASR. P2 (E5) adds EDR, automated remediation, threat hunting. If your SOC operates EDR, P2 is justified. If you use Defender as basic AV, P1 covers it. The question is operational maturity.
Is the E5 security stack worth the upgrade premium?
Worth it when you'd otherwise buy Defender Endpoint P2 + Defender for Identity + Defender for Cloud Apps + Purview P2 separately (~$19/user/month); your SOC can operationalise the full stack; compliance requirements drive Insider Risk / Comms Compliance. NOT worth it when the SOC won't operationalise the tools.
Can I buy E5 security features as add-ons to E3?
Yes: the E5 Security add-on (~$12/user/month, Defender components) and the E5 Compliance add-on (~$12/user/month, Purview components). Stacking both exceeds the full E5 step-up cost, so if both are needed, E5 is cheaper. If only one is needed, the add-on is cheaper.
What is the difference between Defender for Cloud and Defender for Cloud Apps?
Different products. Defender for Cloud Apps (in E5) is the CASB for SaaS discovery and control. Defender for Cloud (NOT in E5) is the Azure workload-protection product, sold per Azure resource separately.