Skip to main content

$12 Instead of $60: What the E5 Security Add-On Actually Buys Business Premium Tenants

Nick Ross3 min read

TL;DR

  • As of 2025, the Microsoft 365 E5 Security add-on gives Business Premium subscribers five standalone security products for $12 per user per month, versus $60 for full E5.
  • Automatic attack disruption correlates signals across email, endpoints, and identities, then blocks accounts, resets passwords, rotates sessions, and isolates devices with no human involvement.
  • Entra ID P2 extends Conditional Access to risk-based responses, automatically blocking or forcing password resets on users flagged as high risk.
  • Defender for Cloud Apps paired with Defender for Endpoint catalogs every app in use, including AI tools, and blocks unsanctioned apps in the browser immediately.
  • Entra ID P2 alone, with PIM, Access Packages, and access reviews, covers a large share of the add-on's value before the Defender products are counted.

For years, the licensing jump from Microsoft 365 Business Premium to E5 forced an awkward conversation: pay roughly five times more, or live without the advanced security stack. Earlier in 2025, Microsoft made the E5 Security add-on available for Business Premium subscribers (opens in new tab) and removed that dilemma. For $12 per user per month, against $60 for full E5, Business Premium tenants get the security features without the rest of the E5 bundle.

We think this is one of the most consequential SMB licensing moves Microsoft has made. Here is what is inside, and the six scenarios where the value shows up.

Five products in one SKU

Overview of the five products included in the E5 Security add-on

The add-on is made up of five standalone products. Entra ID P2 alone carries a large share of the value, and combined with the other plans the offer becomes hard to ignore.

Comparison of E5 Security add-on components and pricing

With full E5 costing $60 per user per month, getting the security features for $12 is the headline. And the standard comparison charts still undersell it:

Feature comparison chart for the E5 Security add-on

There is a long list of identity protections, PIM, Access Packages, and more, that do not even appear in the comparison above.

Where the add-on earns its $12: six scenarios

1. Attacks get disrupted without a human in the loop

Automatic attack disruption overview

There is a fundamental thesis here: when you layer many different security tools, you get siloed signals you have to stitch together yourself to understand a broader attack.

Siloed security signals across multiple tools

Typical attack chains flow through multiple domains: email, endpoints, identities. The attacker plans movement across systems to reach an outcome, whether that is ransom, wire fraud, or data exfiltration.

Attack chain flowing across email, endpoint, and identity domains

E5 Security correlates signals across email, devices, and users, and then takes automated action to break the attack with no human involvement: blocking user accounts, resetting passwords, rotating sessions, isolating devices from the network, and ZAPing emails out of user inboxes.

2. Conditional Access starts reacting to risk

Risk-based Conditional Access with Entra ID P2

Entra ID P2 extends Conditional Access to act on detected risk. If a user or sign-in is flagged at high risk, the policy can automatically block the account, force a password reset, or re-prompt for MFA. P2 also includes many more risk signals as part of its identity protection features, so detections fire on activity that lower tiers never see.

3. Access gets governed instead of granted forever

Entra ID P2 governance features including Access Packages and PIM

Entra ID P2 includes Access Packages, entitlement workflows, and access reviews, which streamline access controls across groups, apps, and roles, and can automate common tasks like user onboarding and offboarding. PIM (Privileged Identity Management) is included too, bringing just-in-time admin access for roles like Global Administrator instead of standing privilege.

4. Email and Teams threats investigate themselves

Automated investigation and response in Defender for Office 365 Plan 2

Defender for Office 365 Plan 2 includes Automated Investigation and Response (AIR), and those capabilities extend to suspicious or malicious behavior in Teams. That matters because Teams phishing is a rising threat as of 2025, and most SMB security programs still treat email as the only phishing channel.

5. Shadow IT and AI tools become visible, then blockable

Defender for Cloud Apps detecting AI tools and shadow IT

Defender for Cloud Apps is Microsoft's CASB (cloud app security broker). Combined with Defender for Endpoint, it detects applications on workstations and in the browser, automatically cataloging the app list by category. That makes it trivial to see, for example, exactly which AI apps users have adopted. As an admin you label apps sanctioned or unsanctioned, and unsanctioned apps are immediately blocked in the browser.

6. On-premises AD gets the same coverage

Defender for Identity extending protection to local Active Directory

Customers running hybrid environments can use Defender for Identity to extend protections to local Active Directory, with alerts triaged centrally in the Defender admin center alongside everything else.

What to do with this

If you manage Business Premium tenants, the E5 Security add-on changes the upsell math: the TCO story of consolidating third-party point tools into the Microsoft stack now works at SMB pricing. We will break these features down further in future posts, including how to position the add-on as an upsell to your customers.

The full presentation deck on enhancing Business Premium with E5 Security is available here: Enhance-Business-Premium-with-E5-Security (opens in new tab)

Frequently asked questions

What products are included in the Microsoft 365 E5 Security add-on?

Five standalone products, including Entra ID P2, Defender for Office 365 Plan 2, Defender for Endpoint, Defender for Cloud Apps, and Defender for Identity, layered on top of an eligible Business Premium subscription.

Is the E5 Security add-on cheaper than upgrading to E5?

Yes. Full Microsoft 365 E5 runs $60 per user per month, while the add-on delivers the security feature set on top of Business Premium for $12 per user per month.

Does the add-on help with hybrid Active Directory environments?

Yes. Defender for Identity extends protections to on-premises Active Directory, with alerts triaged centrally in the Defender admin center.

Sell the add-on with evidence, not a slide deck

The upsell conversation lands when you can show the gaps the add-on closes. CloudCapsule scans 250+ controls per tenant in about 60 seconds and produces the client-ready report that turns licensing talk into a security project.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading