Microsoft Cloud Security Licenses and pricing – What is the purpose for different licenses?

Update, Jun 28th, 2023:
SKU prices were raised by approx. 11% starting from April 1, 2023! The blog has been updated to reflect the new pricing.

Update, Apr 26th, 2023:
“App Governance add-on will be included in Defender for Cloud Apps at no additional cost. On June 1, 2023, new and existing customers will be able to start the opt-in process to begin using these capabilities.” says Microsoft in M365 Defender blog article.

Figuring out proper licensing for Microsoft products can be tricky. Features might be included in multiple license bundles but can also be acquired as standalone licenses.

In this blog we’re boldly going to unravel Microsoft licensing for cloud security products and features.
Read on to learn what kind of features the different licenses offer your organization, and get to know the differences and pricing between license levels.

Here we go…

Contents:

SKU and plans

Security features included in M365 Enterprise SKUs

Security features included in M365 Business SKUs

Standalone Security SKUs

Azure AD

Microsoft Entra family

Defender family

Other resources


SKU and plans

A SKU is a license for a single product, or a bundle of licenses for multiple products/services, sold as one unit. A SKU includes one or more service plans. For example, “EMS E3” is a SKU that includes service plans for Azure AD, Intune, MFA (multi-factor authentication), etc.

Licensing data sheet for Microsoft 365 enterprise plans matrix (pdf):
https://aka.ms/M365EnterprisePlans

Most common SKUs for full-featured* security licensing:
– Microsoft 365 E5, including all* security and compliance features
– Microsoft E5 Security (add-on for Microsoft 365 E3 or Office 365 E3)
– Microsoft F5 Security (add-on for Microsoft 365 F3 or Office 365 F3)

Important: all SKU/add-on prices are shown as annual commitment prices (EUR per month per user when purchased for 12 months). Prices and availability are subject to change without notice. Always check current availability and pricing with your Microsoft license vendor! We can of course help you with this: get to know our license services and contact us.

*excluding current or future add-ons on top of the E5, like “Workload Identities” add-on.


Security features included in M365 Enterprise SKUs

Here’s the list of security-related service plans for each commonly used M365 SKU.

Azure Active Directory Premium P1 – 5,60 € /month

Azure Active Directory Premium P1
Cloud App Security Discovery
Microsoft Azure Multi-Factor Authentication

Azure Active Directory Premium P2 – 8,40 € /month

Azure Active Directory Premium P1
Azure Active Directory Premium P2
Cloud App Security Discovery
Microsoft Azure Multi-Factor Authentication

Enterprise Mobility + Security E3 – 9,90 € /month

Azure Active Directory Premium P1
Cloud App Security Discovery
Microsoft Azure Multi-Factor Authentication

Enterprise Mobility + Security E5 – 15,40 € /month

Azure Active Directory Premium P1
Azure Active Directory Premium P2
Microsoft Azure Multi-Factor Authentication
Office 365 Cloud App Security
Microsoft Defender for Identity

Microsoft 365 E3 – 37,70 € /month

Azure Active Directory Premium P1
Microsoft Azure Multi-Factor Authentication
Microsoft Defender for Cloud Apps Discovery
Microsoft Defender for Endpoint Plan 1

Microsoft 365 E5 – 59,70 € /month

Azure Active Directory Premium P1
Azure Active Directory Premium P2
Microsoft 365 Defender
Microsoft Azure Multi-Factor Authentication
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365 (Plan 1)
Microsoft Defender for Office 365 (Plan 2)
Office 365 Cloud App Security
Office 365 Privileged Access Management
Office 365 SafeDocs

Microsoft 365 E5 Compliance – 11,20 € /month

Microsoft Defender for Cloud Apps
Office 365 Privileged Access Management

Microsoft 365 E5 Security – 11,20 € /month

Azure Active Directory Premium P2
Microsoft 365 Defender
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365 (Plan 1)
Microsoft Defender for Office 365 (Plan 2)
Office 365 SafeDocs

Microsoft 365 F1 – 2,10 € /month

Azure Active Directory Premium P1
Cloud App Security Discovery
Microsoft Azure Multi-Factor Authentication

Microsoft 365 F3 – 7,50 € /month

Azure Active Directory Premium P1
Microsoft Azure Multi-Factor Authentication
Microsoft Defender for Cloud Apps Discovery

Microsoft 365 F5 Security + Compliance Add-on – 12,20 € /month

Azure Active Directory Premium P2
Microsoft 365 Defender
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365 (Plan 1)
Microsoft Defender for Office 365 (Plan 2)
Office 365 Privileged Access Management
Office 365 SafeDocs

Microsoft 365 F5 Security Add-on – 7,50 € /month

Azure Active Directory Premium P2
Microsoft 365 Defender
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365 (Plan 1)
Microsoft Defender for Office 365 (Plan 2)

Office 365 E5 – 41,50 € /month

Microsoft 365 Defender
Microsoft Defender for Office 365 (Plan 1)
Microsoft Defender for Office 365 (Plan 2)
Office 365 Advanced Security Management
Office 365 Privileged Access Management

Windows 10 Enterprise E5 – 12,00 € /month

Microsoft Defender for Endpoint

Source: Product names and service plan identifiers for licensing – Azure AD – Microsoft Entra | Microsoft Learn


Security features included in M365 Business SKUs

Microsoft 365 Business Basic – 5,60 € /month

Azure AD Free edition, Security defaults only*

Microsoft 365 Business Standard – 11,70 € /month

Azure AD Free edition, Security defaults only*

Microsoft 365 Apps for business – 9,80 € /month

Azure AD Free edition, Security defaults only*

Microsoft 365 Business Premium – 20,60 € /month

Azure Active Directory Premium P1
Microsoft Azure Multi-Factor Authentication
Microsoft Defender for Business
Microsoft Defender for Cloud Apps Discovery
Microsoft Defender for Office 365 (Plan 1)

Microsoft Defender for Business (standalone) – 2,80 € /month

Azure Active Directory Premium P1
Microsoft Azure Multi-Factor Authentication
Microsoft Defender for Business
Microsoft Defender for Cloud Apps Discovery
Microsoft Defender for Office 365 (Plan 1)

*On/off-type control for security hardening; granular controls such as Conditional Access policies are missing.

Source: Compare security features in Microsoft 365 plans for small and medium-sized businesses | Microsoft Learn


Standalone Security SKUs

Microsoft Defender for Endpoint P1 – 2,80 € /month
Microsoft Defender for Endpoint P2 – 4,90 € /month
Microsoft Defender for Identity – 5,10 € /month
Microsoft Defender for Office 365 (Plan 1) – 1,87 € /month
Microsoft Defender for Office 365 (Plan 2) – 4,70 € /month
Microsoft Defender for Endpoint Server – Via Azure
Microsoft Defender for Business servers – 2,80 € /month

Microsoft Entra Permissions Management (add-on) – 9,80 € /month
Workload Identities Premium (add-on) – 2,80 € /month
App governance add-on for Microsoft Defender for Cloud Apps (add-on) – 3,40 € /month (will be included in Defender for Cloud Apps starting from Jun 1st, 2023)
Defender Vulnerability Management (add-on) – 1,87 € /month


Azure AD

Azure AD is the foundation for Microsoft 365 services and Azure AD integrated apps, and works as an identity and access management solution. Azure AD comes in many editions:

  • Azure AD Free
  • Azure AD Microsoft 365 Apps edition
  • Azure AD Premium Plan 1
  • Azure AD Premium Plan 2

Azure Active Directory Pricing | Microsoft Security

Azure AD Free

Azure AD Free is the most basic tier, including base functionality for Azure Active Directory: single sign-on (limited to 10 apps), user and security group management, 3rd party IdP integration, self-service password resets (for cloud users only), per-user MFA, password protection (for cloud only users) and reports.

AAD Free includes “security defaults” which can be used for enforcing MFA for all and for blocking basic authentication for all users.

On premises directory synchronization (Azure AD Connect or Cloud Sync) is also available at the free tier.

Azure AD – Microsoft 365 Apps edition

This version of Azure AD comes with F1, E1, E3 and E5 licenses. Office licenses add SLA and company branding.

Azure AD – Premium Plan 1 (AADPP1)

AADPP1 is the most used tier of Azure AD since it’s included in Microsoft 365 E3 and EMS E3 SKUs. AADPP1 can also be purchased as a standalone license. This tier of Azure AD adds the following features:

  • custom banned passwords for password protection,
  • self-service password reset for synced users (password writeback),
  • dynamic groups,
  • delegated group management,
  • group naming/expiration policies,
  • application proxy,
  • conditional access policies,
  • terms of use,
  • SharePoint access control (or limited access),
  • multi-factor authentication,
  • unlimited SSO,
  • MIM user CAL,
  • SCIM group provisioning for SaaS apps,
  • information protection,
  • advanced reports,
  • custom security attributes and
  • Azure AD Connect Health

For field users (e.g. technicians, installers, construction workers) AADPP1 adds SMS sign-in, shared device sign-out and user management delegation (My Staff).

Azure AD – Premium Plan 2 (AADPP2)

AADPP2 is the most advanced tier of Azure AD and it’s included in the Microsoft 365 E5, EMS E5 and Microsoft E5 Security SKUs. AADPP2 can also be purchased as a standalone license. AADPP2 adds the following features, in addition to AADPP1:

  • Identity Protection (user and sign-in risk, MFA registration policy, risk-based conditional access policies),
  • Identity Governance (access packages, access reviews),
  • Privileged Identity Management (PIM) for just-in-time access and
  • Lifecycle management for identities


Microsoft Entra family

Microsoft Entra wraps all identity-related features together.

Azure Active Directory

– Safeguard your organization with the identity and access management solution that connects people to their apps, devices, and data.

– Licensed as standalone or part of Microsoft 365 licenses (see previous Azure AD topics)

Microsoft Entra Permissions Management

– Discover, remediate, and monitor permission risks across your multicloud infrastructure with a cloud infrastructure entitlement management (CIEM) solution.

– Licensed as an add-on, “Microsoft Entra Permissions Management”

– Pricing calculated per resource per month

– Resources supported are compute resources, container clusters, serverless functions, and databases across Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Microsoft Entra Verified ID

– Create, issue, and verify privacy-respecting decentralized identity credentials with an identity verification solution that helps you enable more secure interactions with anyone or anything.

– Included with any Azure Active Directory subscription, including Azure AD Free.

Microsoft Entra Workload Identities

– Manage and help secure identities for digital workloads, such as apps and services. Control their access to cloud resources with risk-based policies and enforcement of least-privileged access.

– Licensed as an add-on: “Workload Identities Premium”

– Pricing per workload identity per month

– Workload identity is an identity used by a software workload (such as an application, service, script, or container) to authenticate and access other services and resources. In Azure Active Directory (Azure AD), workload identities are applications, service principals, and managed identities.

Microsoft Entra Identity Governance

– Simplify operations, meet regulatory requirements, and consolidate multiple point solutions with a complete solution across on-premises and cloud-based user directories.

– Included with an Azure AD Premium P2 subscription

Sources:

Microsoft Entra – Secure Identities and Access | Microsoft Security
Microsoft Entra Permissions Management | Microsoft Security
Microsoft Entra Workload Identities | Microsoft Security
Workload identities – Microsoft Entra | Microsoft Learn


Defender family

Microsoft 365 E5 and Microsoft E5 Security include:
– Microsoft Defender for Identity (MDI)
– Microsoft Defender for Endpoint P2 (MDE)
– Microsoft Defender for Office 365 P2 (MDO)
– Microsoft Defender for Cloud Apps (MDCA, previously known as MCAS)

Microsoft Defender for Cloud (for Azure resources) is priced by resource consumption, not included in M365 SKUs.

Defender for Identity

Defender for Identity detects known malicious attacks and techniques, security issues, and risks against your network.

Defender for Identity is available as part of Microsoft 365 E5, Microsoft E5 Security, Enterprise Mobility + Security E5 suite (EMS E5), F5 Security, and as a standalone license.

Source: https://learn.microsoft.com/en-us/defender-for-identity/technical-faq

Defender for Endpoint P1

Included in Microsoft 365 E3.

Microsoft Defender for Endpoint P1 offers a foundational set of capabilities, including industry-leading antimalware, attack surface reduction, and device-based conditional access. Available as part of Microsoft 365 E3, and as a standalone license.

  • Unified security tools and centralized management
  • Next-generation antimalware
  • Attack surface reduction rules
  • Device control (such as USB)
  • Endpoint firewall
  • Network protection
  • Web control / category-based URL blocking
  • Device-based conditional access
  • Controlled folder access
  • APIs, SIEM connector, custom threat intelligence
  • Application control

Source: https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint/

Defender for Endpoint P2

Included in Microsoft 365 E5 and Microsoft E5 Security.

Microsoft Defender for Endpoint P2 offers the complete set of capabilities, including everything in P1, plus endpoint detection and response, automated investigation and incident response, and threat and vulnerability management. Available as part of Microsoft 365 E5, E5 Security, F5 Security, F5 Security and Compliance, and as a standalone license.

  • Includes everything in Endpoint P1, plus:
  • Endpoint detection and response
  • Automated investigation and remediation
  • Threat and vulnerability management
  • Threat intelligence (threat analytics)
  • Sandbox (deep analysis)
  • Microsoft Threat Experts
    ○ Includes Targeted Attack Notifications (TAN) and Experts on Demand (EOD).
    ○ Customers must apply for TAN and EOD is available for purchase as an add-on.

Source: https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint

Microsoft Defender for Endpoint for Servers

To onboard servers to those plans, you’ll need either
– Microsoft Defender for Endpoint for Servers (standalone)
– Or Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering

Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide

Microsoft Defender for Office 365 Plan 1

Defender for Office 365 Plan 1 offers protection against advanced attacks across email and collaboration tools in Office 365. Available as part of Microsoft 365 E3, and as a standalone license.

  • Protection against advanced attacks, such as phishing, malware, spam, and business email compromise
  • Protection beyond email (Microsoft Teams, SharePoint, OneDrive, and Office apps)
  • Internal email protection
  • Detailed reporting

Source: Microsoft Defender for Office 365 | Microsoft Security

Microsoft Defender for Office 365 Plan 2

Defender for Office 365 Plan 2 offers everything in Plan 1 plus advanced threat hunting, automation, attack simulation training, and cross-domain XDR capabilities. Available as part of Microsoft 365 E5, E5 Security, Office 365 E5, F5 Security, F5 Security and Compliance, and as a standalone license.

  • Protection against advanced attacks, such as phishing, malware, spam, and business email compromise
  • Protection beyond email (Microsoft Teams, SharePoint, OneDrive, and Office apps)
  • Internal email protection
  • Detailed reporting
  • Advanced threat hunting
  • Automated investigation and response
  • Attack simulation training
  • Microsoft 365 Defender (XDR) capabilities, such as cross-domain hunting and incident correlation

Source: Microsoft Defender for Office 365 | Microsoft Security

Defender for Cloud Apps

Identify and combat cyberthreats across your cloud services with Defender for Cloud Apps, a cloud access security broker (CASB) solution that provides multifunction visibility, control over data travel, and sophisticated analytics.

Included as part of Microsoft 365 E5, E5 Security, E5 Compliance, F5 Security, F5 Compliance, F5 Security and Compliance SKUs, and as a standalone license.

  • Discover and manage your apps: Streamline cloud access security with native integration. Control and audit your apps and resources.
  • Govern access to apps and resources: Discover shadow IT in your organization. Understand and control your digital information estate.
  • Assess the compliance of your apps: Evaluate against compliance standards, prevent leaks, and limit access to regulated data.

Source: Microsoft Defender for Cloud Apps | Microsoft Security

Microsoft Defender for Cloud Apps – App Governance Add-On

The app governance add-on feature to Defender for Cloud Apps is a security and policy management capability designed for OAuth-enabled apps registered on Azure Active Directory (Azure AD). App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions.

Updated Apr 26th, 2023: “App Governance add-on will be included in Defender for Cloud Apps at no additional cost. On June 1, 2023, new and existing customers will be able to start the opt-in process to begin using these capabilities.” says Microsoft in M365 Defender blog article.

App governance is an add-on feature for Defender for Cloud Apps, “App governance add-on for Microsoft Defender for Cloud Apps”, and so to activate the app governance license Defender for Cloud Apps must be present in your account as either a standalone product or as part of the various license packages.

To use app governance in compliance with the terms of service, purchase an add-on license for each protected user. Each protected user must have both the app governance add-on license and one of the Defender for Cloud Apps licenses.

Source: https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started
Source: https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance

Microsoft Defender for Business

Microsoft Defender for Business includes selected features of the Defender family mentioned above.

  • Antivirus, antimalware, and ransomware protection for devices
  • Next-generation protection (antivirus/antimalware protection on devices together with cloud protection)
  • Attack surface reduction (network protection, firewall, and attack surface reduction rules)
  • Endpoint detection and response (behavior-based detection and manual response actions)
  • Automated investigation and response (with self-healing for detected threats)
  • Microsoft Defender Vulnerability Management (view exposed devices and recommendations)
  • Cross-platform support for devices (Windows, Mac, iOS, and Android)
  • Centralized management and reporting (Microsoft 365 Defender portal)
  • APIs for integration (for Microsoft partners or your custom tools and apps)

Source: Compare security features in Microsoft 365 plans for small and medium-sized businesses | Microsoft Learn

Defender for Cloud (Azure Resources, multi-cloud)

Microsoft Defender for Cloud is a Cloud Security Posture Management and workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and can protect workloads across multi-cloud and hybrid environments from evolving threats.

Approximate pricing for Europe West (as of Jan 10th, 2023):

Microsoft Defender for Servers Plan 1 – €4.620/Server/month
Microsoft Defender for Servers Plan 2 – €13.750/Server/month (Included data – 500 MB/day)
Microsoft Defender for Containers – €6.4692/vCore/month
Microsoft Defender for SQL on Azure-connected databases – €14.127/Instance/month
Microsoft Defender for SQL outside Azure – €10.313/vCore/month
Microsoft Defender for MySQL – €14.127/Instance/month
Microsoft Defender for PostgreSQL – €14.127/Instance/month
Microsoft Defender for MariaDB – €13.888/Instance/month
Microsoft Defender for Azure Cosmos DB – €0.0012 per 100 RUs/hour
Microsoft Defender for Storage – €9.2123 per storage account/month
Microsoft Defender for App Service – €13.750/App Service/month
Microsoft Defender for ARM – €3.768/1M API calls
Microsoft Defender for DNS – €0.660/1M Queries

Source: Pricing—Microsoft Defender | Microsoft Azure


Other resources

Need a visual reference? There’s an excellent Microsoft 365 licensing matrix, “M365 Maps”, done by Aaron Dinnage:
Feature Matrix | M365 Maps

Need help?

Take advantage of our help and expertise for security, compliance and licenses!

As a license partner, Sulava offers customers occupancy monitoring and monthly reporting, and gives recommendations for optimizing the whole. This helps keep costs optimal, so you don’t pay unnecessarily for unused services. Sulava’s experts will, of course, consult the customer on all matters related to licensing, such as licensing requirements or activation of new services.

Microsoft 365 customers have the best chance of ensuring the safe management of Azure, endpoint security, end-user identities and the safe use of M365 services and other enterprise applications. Read more about our security services, get in touch with us and start leveraging the security of the cloud in your environment!

Written by: Petri Helin, solution area architect for Security at Sulava & Kristian Kallio