The question I hear most often from SA businesses reviewing their IT spend is a variation of this: "We're already paying for Microsoft 365. Do we really need to pay separately for an antivirus, an MDM tool, and an email security product on top of that?"
Usually the answer is no — but only if they're on Business Premium and have actually configured the security features that come with it. That second condition is where most businesses are getting caught out.
What's actually included in Business Premium
Microsoft 365 Business Premium is currently priced at $34.55 AUD per user per month on an annual commitment (as of mid-2026). The plan most SA SMBs are on, Business Standard, is $16.10 per user per month on the same commitment. That $18.45/user/month gap is where the conversation needs to start, because Business Premium bundles the following security products that most businesses are buying separately:
- Microsoft Defender for Business — This is a genuine endpoint detection and response (EDR) product, not a basic antivirus. It replaces standalone products like Sophos Intercept X or CrowdStrike Falcon for most SMB use cases. At typical per-device pricing for those products, the cost saving for a 20-user business is material.
- Microsoft Intune — Device management and MDM. Intune lets you enforce encryption, push configuration policies, manage software, and wipe or lock devices remotely. Standalone Intune licensing is $10–12 AUD per user per month. Inside Business Premium, it costs you nothing extra.
- Entra ID P1 — Previously Azure AD P1. This unlocks conditional access policies, which means you can enforce MFA properly, restrict logins by location or device compliance, and block legacy authentication protocols. Without Entra ID P1, your MFA enforcement has meaningful gaps.
- Microsoft Defender for Office 365 Plan 1 — Safe Links and Safe Attachments for email and Teams, anti-phishing policies, and spoof intelligence. This directly replaces third-party email security gateways for most SMBs.
- Azure Information Protection Plan 1 — Sensitivity labels and basic data loss prevention policies. You can classify documents, restrict printing or forwarding, and detect when sensitive data like tax file numbers is being shared outside the organisation.
- Intune MAM (Mobile Application Management) — Manages work data on personal devices without requiring full MDM enrolment. Useful for BYOD policies where staff use personal phones for work email.
The cost comparison is straightforward. Price up a 30-user business running Business Standard, a standalone EDR product, a standalone MDM solution, and a third-party email security gateway, then compare it to Business Premium. In most cases, upgrading to Premium and retiring the separate products comes out cheaper — sometimes significantly cheaper.
The catch: out of the box, these tools are not protecting you
This is the part that matters. Business Premium gives you access to all of those security tools. It does not configure them for you. The default state of a new Microsoft 365 tenant is not secure — Microsoft sets conservative defaults to avoid breaking things, not to maximise your protection.
Specifically: Defender for Business needs to be deployed and onboarded to your endpoints. Conditional access policies in Entra ID need to be designed and activated. Safe Links and Safe Attachments in Defender for Office 365 need to be turned on and tuned. Intune needs enrolment profiles created and policies applied. Azure Information Protection needs sensitivity labels defined and published.
None of this is automatic. If you're on Business Premium but no one has touched the security configuration, you have paid for a security stack that is sitting idle. This is more common than most businesses realise — and it's part of what our Microsoft 365 management work typically surfaces when we take over from another provider or run an initial assessment.
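The gap described above, a licensed tenant whose conditional access policies exist but enforce nothing, can be checked from an export of the policies. The following Python is an added example, not the author's assessment tooling; the sample policies are constructed, shaped like Microsoft Graph conditionalAccessPolicy objects, and it tests only the two baseline conditions named earlier: MFA for all users and a block on legacy authentication.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). Names and values are made up.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "Require MFA - all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Require MFA - admins", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeRoles": ["<role-template-id>"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph values for legacy protocols

def _all_users(policy):
    users = policy.get("conditions", {}).get("users") or {}
    return "All" in (users.get("includeUsers") or [])

def _requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    # With operator OR and several controls, MFA is only one of the options.
    return "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def _blocks_legacy(policy):
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    clients = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    return "block" in controls and LEGACY_CLIENTS <= clients

def audit(policies):
    """Return findings; an empty list means both baseline checks pass.
    Simplified: exclusions and authentication strengths are not evaluated."""
    findings = [f"{p['state']}: {p['displayName']}"
                for p in policies if p.get("state") != "enabled"]
    enforced = [p for p in policies if p.get("state") == "enabled"]
    if not any(_requires_mfa(p) and _all_users(p) for p in enforced):
        findings.append("no enforced policy requires MFA for all users")
    if not any(_blocks_legacy(p) and _all_users(p) for p in enforced):
        findings.append("no enforced policy blocks legacy authentication")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

A policy in report-only state logs what it would have done but blocks nothing, so the audit counts it as not enforced. On the constructed sample, the only enforced policy covers admins, which leaves both tenant-wide checks failing.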
Essential Eight alignment
If your business is working toward ACSC Essential Eight compliance, Business Premium properly configured addresses several controls directly:
- Multi-factor authentication — Entra ID P1 conditional access policies enforce MFA correctly, including blocking legacy protocols that bypass it.
- Patch applications — Intune can enforce patching schedules and report on patch compliance across your device fleet.
- Microsoft Defender — Defender for Business satisfies the Microsoft Defender control at ML1 and with additional configuration at ML2.
- Restricting admin privileges — Entra ID P1 supports privileged identity management and time-limited admin access.
- Application hardening — Defender Application Control policies can be deployed via Intune.
It doesn't cover everything. Application control and backup sit outside what Business Premium handles natively. But for a business starting from scratch on Essential Eight, Business Premium is the most efficient foundation we've found at this price point.
When Business Premium isn't enough
There are businesses where sticking with — or investing in — a separate security stack makes sense:
- Organisations with specific compliance requirements that mandate particular products (some government contracts, some financial services regulators)
- Larger environments, typically 300+ seats, where enterprise-tier licensing changes the economics
- Businesses that have already invested significantly in alternative tools and have them configured and working well
- Mixed environments where a meaningful portion of endpoints are non-Windows and Defender for Business coverage is partial
For everyone else — which is most SA businesses in the 5 to 200 seat range — the question is worth asking before you renew that Sophos or Acronis contract.
The practical starting point
If you're currently on Business Basic or Business Standard and paying separately for security tools, the first thing to do is price up the upgrade. The delta is around $10/user/month. Then add up what you're currently spending on Sophos, Webroot, a standalone MDM, or whatever email security product you're running. In most cases, the maths tells you to upgrade.
If you're already on Business Premium, the question is whether those security features are actually deployed. A managed services review can tell you in a few hours. We run a standard configuration assessment as part of onboarding that checks Defender deployment status, conditional access policies, Safe Links and Safe Attachments activation, and Intune enrolment coverage. Most of the time, something is missing.
The licensing cost is the easy part. Getting it configured correctly is where the value is.
