One of the most commercially significant changes within the July 2026 Microsoft 365 packaging update is not the price increase itself. It is the addition of Microsoft Defender for Office 365 Plan 1 to Microsoft 365 E3 and Office 365 E3. This change, which began rolling out in June 2026 and will be complete by 1 August 2026, adds genuine email and collaboration security capability to the E3 tier that was previously only available by purchasing Defender for Office 365 Plan 1 as a separate add-on or by upgrading to E5.
For organisations currently on E3, this is a meaningful feature addition. For organisations that were purchasing Defender for Office 365 Plan 1 as a standalone add-on on top of E3, it creates a consolidation opportunity that changes the commercial calculation at the next renewal. And for organisations that were paying for E5 primarily because they needed Defender for Office 365 email security and did not require the broader E5 capability set, it raises a genuine question about whether their tier justification still holds. This blog examines exactly what Defender for Office 365 Plan 1 provides, what changes commercially for different customer profiles, and what the practical governance steps are.
What Defender for Office 365 Plan 1 Actually Provides
Microsoft Defender for Office 365 Plan 1 provides two core capabilities: Safe Links and Safe Attachments. These two features address specific and significant email security risks that standard Office 365 email protection does not cover.
Safe Links provides real-time URL verification at the time a user clicks a link in an email or a Teams message, rather than at the time the email was received. This distinction matters because phishing campaigns increasingly use delayed link replacement, where a URL is benign at the time of delivery but is redirected to a malicious site shortly afterwards. Standard email filtering checks URLs at delivery time and will not detect this technique. Safe Links checks the URL at the moment of click, which closes this specific attack vector.
Safe Attachments detonates email attachments in a sandboxed environment before they are delivered to the recipient, analysing their behaviour for malicious activity such as macro execution, code injection, or network callbacks. Attachments that exhibit malicious behaviour in the sandbox are blocked before they reach the recipient’s inbox. For organisations that receive significant volumes of email from external senders, this pre-delivery detonation provides meaningful protection against the malware delivery techniques that bypass signature-based detection.
These are not decorative features. They address real attack vectors that are routinely exploited in business email compromise campaigns, and their inclusion in E3 represents a genuine uplift in the security baseline that Microsoft 365 E3 provides.
VentureBeat covers enterprise Microsoft security product developments and the commercial and technical implications of Microsoft 365 packaging changes, including independent analysis of the Defender for Office 365 Plan 1 addition to E3 and what it means for enterprise security strategy. Their VentureBeat enterprise Microsoft security and licensing update coverage provides market context on how organisations are responding to the July 2026 Microsoft 365 packaging changes and the security value that the Defender for Office 365 Plan 1 inclusion delivers relative to its previous add-on cost.
The Commercial Impact for Different E3 Customer Profiles
E3 Customers Currently Purchasing Defender for Office 365 Plan 1 as an Add-On
For organisations paying for Defender for Office 365 Plan 1 as a standalone add-on on top of E3, the July 2026 update creates a direct consolidation opportunity. Defender for Office 365 Plan 1 is priced at approximately $2.00 per user per month as a standalone add-on. The E3 increase is $3.00 per user per month. For organisations removing the separate Defender for Office 365 Plan 1 add-on at renewal, the net commercial impact of the E3 update is closer to $1.00 per user per month rather than the headline $3.00 increase. This is still a price increase, but a significantly smaller effective increase than the list price movement suggests.
E3 Customers Not Currently Using Dedicated Email Security Add-Ons
For E3 customers who were relying on standard Exchange Online Protection for email security and had not purchased any dedicated email security add-on, the July 2026 update is a straightforward improvement in the security baseline they are paying for. The $3.00 per user per month increase comes with Safe Links and Safe Attachments capability that was previously not part of their plan. Whether this represents good value depends on the organisation’s threat profile, but the capability is genuinely useful and was previously only accessible through additional spend.
E5 Customers Evaluating Whether E3 Is Now Sufficient
The addition of Defender for Office 365 Plan 1 to E3 is most commercially interesting for organisations that are currently on E5 and are evaluating whether their E5 licence investment is justified by genuine usage of E5-specific capabilities. Including Defender for Office 365 Plan 1 in E3 removes one of the email security arguments for E5. However, E5 includes Defender for Office 365 Plan 2, which extends the Plan 1 capabilities with additional features including Attack Simulation Training, Automated Investigation and Response, and Threat Analytics. Plan 2 provides investigation and response capabilities that Plan 1 does not. Organisations evaluating a downgrade from E5 to E3 need to assess whether their security team is actively using the Plan 2 capabilities beyond Plan 1, not simply whether they are using email security features generically.
What E3 Does Not Include With the July Update
Being precise about what is and is not included is important for avoiding the assumption that E3 is now a comprehensive security tier. Following the July 2026 update, E3 includes Defender for Office 365 Plan 1 for email and collaboration security, the expanded Intune capabilities including Plan 2, Remote Help, and Advanced Analytics, and Copilot Chat enhancements. E3 does not include Microsoft Defender for Endpoint Plan 2, which provides advanced endpoint detection and response. It does not include Microsoft Defender for Identity, which provides identity-based threat detection. It does not include Microsoft Sentinel SIEM. It does not include the advanced compliance capabilities including Insider Risk Management and Communication Compliance. And it does not include Security Copilot access beyond what may be introduced in future packaging changes.
Organisations making tier decisions based on the July 2026 update need to evaluate their complete security capability requirements rather than responding to the headline addition of Defender for Office 365 Plan 1 in isolation.
ZDNet covers Microsoft security product developments and the commercial implications of packaging changes for enterprise organisations evaluating their Microsoft security stack. Their ZDNet Microsoft security and enterprise licensing coverage provides independent analysis of the security capability changes within the July 2026 M365 update, helping organisations form a balanced view of the security value delivered alongside the price increase.
Governance Steps for E3 Customers
For organisations whose E3 licences are receiving Defender for Office 365 Plan 1 capability during the June to August 2026 rollout period, there are specific governance activities that should happen before broad user exposure to the new features.
First, review existing email security configurations. If the organisation was previously relying on third-party email security tooling or had deployed Defender for Office 365 Plan 1 as an add-on with specific configurations, the activation of the bundled Plan 1 within E3 needs to be integrated with existing security policies rather than running in parallel with them. Duplicate security scanning can create operational issues and should be resolved before rollout.
Second, verify that Security and Compliance Centre policies are configured correctly for the new capabilities. Safe Links policies need to be reviewed to ensure that the URL scanning scope, the user notification configuration, and the handling of blocked links reflect the organisation’s specific security requirements. Safe Attachments policies need to be reviewed to confirm that the scanning mode, bypass settings for specific senders, and notification approach are appropriate.
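One way to carry out the review described in these two steps, as an added example that is not part of the original article: a read-only Exchange Online PowerShell pass over Safe Links and Safe Attachments policies, their rules, and any mail flow rules that stamp the skip-processing headers used for sender bypass. The helper name New-Finding and the choice of which settings to flag are assumptions to adapt to your own baseline.

```powershell
# Added example (not from the article). Read-only: nothing here changes a policy.
# Assumes the ExchangeOnlineManagement module and a role that can read threat policies.
Connect-ExchangeOnline -ShowBanner:$false

# Hypothetical helper: one report row per policy or rule.
function New-Finding($Type, $Name, [string[]]$Issues) {
    [pscustomobject]@{ Type = $Type; Name = $Name; Issues = ($Issues -join '; ') }
}

$slRules = Get-SafeLinksRule
$saRules = Get-SafeAttachmentRule
$report  = @()

# Safe Links: scanning scope, blocked-link handling, click logging, rewrite exclusions.
$report += Get-SafeLinksPolicy | ForEach-Object {
    $p = $_; $i = @()
    if (-not $p.EnableSafeLinksForEmail)  { $i += 'email not covered' }
    if (-not $p.EnableSafeLinksForTeams)  { $i += 'Teams not covered' }
    if (-not $p.EnableSafeLinksForOffice) { $i += 'Office apps not covered' }
    if (-not $p.ScanUrls)                 { $i += 'real-time URL scanning off' }
    if (-not $p.EnableForInternalSenders) { $i += 'internal mail excluded' }
    if ($p.AllowClickThrough)             { $i += 'users can click through a block page' }
    if (-not $p.TrackClicks)              { $i += 'clicks not logged' }
    if ($p.DoNotRewriteUrls)              { $i += "URL exclusions: $($p.DoNotRewriteUrls -join ', ')" }
    if (-not ($slRules | Where-Object { $_.SafeLinksPolicy -eq $p.Name -and $_.State -eq 'Enabled' })) {
        $i += 'no enabled custom rule (check preset or built-in assignment)'
    }
    New-Finding 'SafeLinks' $p.Name $i
}

# Safe Attachments: scanning mode and whether the policy is applied to anyone.
$report += Get-SafeAttachmentPolicy | ForEach-Object {
    $p = $_; $i = @()
    if (-not $p.Enable)         { $i += 'policy off' }
    if ($p.Action -eq 'Allow')  { $i += 'Action=Allow (monitor only, nothing blocked)' }
    if (-not ($saRules | Where-Object { $_.SafeAttachmentPolicy -eq $p.Name -and $_.State -eq 'Enabled' })) {
        $i += 'no enabled custom rule (check preset or built-in assignment)'
    }
    New-Finding 'SafeAttachments' $p.Name $i
}

# Sender bypass is usually a mail flow rule that sets a skip-processing header.
$report += Get-TransportRule |
    Where-Object { $_.SetHeaderName -like 'X-MS-Exchange-Organization-SkipSafe*Processing' } |
    ForEach-Object { New-Finding 'MailFlowBypass' $_.Name @("sets $($_.SetHeaderName); state $($_.State)") }

$report | Where-Object Issues | Format-Table -AutoSize -Wrap
```

Rows with an empty Issues column are suppressed, so an empty table means no policy tripped any of the flagged conditions.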
ISACA’s IT governance and compliance frameworks provide structured approaches to managing security technology changes in enterprise environments, including the policy review, testing, and change management disciplines that the activation of new security capabilities in Microsoft 365 requires. Their ISACA IT governance and security compliance management frameworks offer governance checklists and process frameworks applicable to the controlled activation of Defender for Office 365 Plan 1 across an enterprise Microsoft 365 E3 estate.
What to Do With Existing Add-On Licences
For organisations that were purchasing Defender for Office 365 Plan 1 as a standalone add-on on top of E3, the immediate commercial action is to assess at what point those add-on licences can be removed without creating a capability gap. The bundled Defender for Office 365 Plan 1 is rolling out between June and August 2026, so the transition point should be confirmed before the add-on renewal to avoid paying for duplicated capability. The removal of the standalone add-on at renewal should be planned in conjunction with the review of Security and Compliance Centre policies described above, to ensure that the transition from add-on to bundled coverage does not create a gap in protection.
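To find where the add-on and the bundled plan overlap before the renewal, the following added example (not from the original article) lists users who hold the standalone add-on and reports whether their E3 licence already shows an active Plan 1 service plan. It assumes the Microsoft Graph PowerShell SDK and that the SKU and service-plan strings below match your tenant; in particular, that the bundled capability surfaces inside E3 under the service plan name `ATP_ENTERPRISE` is an assumption to confirm with `Get-MgSubscribedSku`.

```powershell
# Added example (not from the article). Read-only licence inventory.
# Assumes the Microsoft.Graph.Users module and consent for User.Read.All.
Connect-MgGraph -Scopes 'User.Read.All'

$addOnSku = 'ATP_ENTERPRISE'             # standalone Defender for Office 365 Plan 1 add-on
$e3Skus   = 'SPE_E3', 'ENTERPRISEPACK'   # Microsoft 365 E3, Office 365 E3 (add variants you own)
$planName = 'ATP_ENTERPRISE'             # ASSUMED service plan name for the bundled Plan 1

$rows = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    ForEach-Object {
        $user    = $_
        $details = Get-MgUserLicenseDetail -UserId $user.Id

        # Only users who currently hold the standalone add-on are of interest.
        if (-not ($details | Where-Object { $_.SkuPartNumber -eq $addOnSku })) { return }

        $e3 = $details | Where-Object { $_.SkuPartNumber -in $e3Skus }

        # The bundled plan counts only if it is provisioned, not merely listed or disabled.
        $bundled = $e3.ServicePlans | Where-Object {
            $_.ServicePlanName -eq $planName -and $_.ProvisioningStatus -eq 'Success'
        }

        [pscustomobject]@{
            User              = $user.UserPrincipalName
            HasE3             = [bool]$e3
            BundledPlanActive = [bool]$bundled
            # Removing the add-on leaves a gap unless both conditions hold.
            AddOnIsDuplicate  = [bool]($e3 -and $bundled)
        }
    }

$rows | Sort-Object AddOnIsDuplicate, User | Format-Table -AutoSize
```

Users with `AddOnIsDuplicate` set to False would lose Safe Links and Safe Attachments coverage if the add-on were removed today, either because they have no E3 licence or because the bundled plan has not yet reached it.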
InfoWorld covers enterprise Microsoft security product management and the commercial and technical implications of Microsoft 365 packaging changes for IT and security teams. Their InfoWorld enterprise Microsoft security and licensing change management coverage provides practical guidance on managing the technical transition when Microsoft 365 packaging updates change the security capabilities available within existing licence tiers.
Conclusion
The inclusion of Defender for Office 365 Plan 1 in Microsoft 365 E3 is one of the most commercially meaningful capability additions in this update for the large proportion of enterprise organisations running E3 as their primary Microsoft 365 tier. It provides genuine email security improvement, creates consolidation opportunities for organisations paying for the add-on separately, and changes the E3 versus E5 security capability comparison in ways that merit re-evaluation at the next renewal. The key is to approach that re-evaluation with accurate information about which Defender for Office 365 capabilities are actually being used, not simply with a list of capabilities that are technically available in the licence.