Independent cost reference. Not affiliated with any security vendor or MSSP.

Microsoft Sentinel Cost 2026: Pricing per GB and M365 Free Tier

Microsoft Sentinel pricing is anchored on Azure consumption ($5.22/GB list) plus a critical Microsoft-shop discount: M365 logs are free to ingest. Here is the full TCO picture including commitment tiers, archive storage, and when Sentinel beats Splunk.

Quick Answer

Sentinel list price is $5.22/GB consumption, dropping to $3.20/GB at 1 TB/day commitment. M365 logs are free at source.

  • $15K - $80K: SMB Microsoft shop (under 30 GB/day non-M365)
  • $60K - $200K: Mid-market (50-100 GB/day commit)
  • $200K - $1.5M+: Enterprise (500+ GB/day commit)

Sentinel commitment tier pricing

| Commitment | Indicative per-GB rate | Monthly cost (at commit) | Best fit |
|---|---|---|---|
| Pay-as-you-go | $5.22/GB | Variable | Sub-30 GB/day, variable volume |
| 100 GB/day | ~$4.50/GB | ~$13.5K | Mid-market entry |
| 200 GB/day | ~$4.10/GB | ~$24.6K | Mid-market mature |
| 500 GB/day | ~$3.50/GB | ~$52.5K | Large mid-market / small enterprise |
| 1 TB/day | ~$3.20/GB | ~$96K | Enterprise |
| 2 TB/day | Custom | Custom | Large enterprise |

Indicative rates per Microsoft Azure public pricing page. Subject to Microsoft enterprise agreement discounts and regional surcharges. Always verify with Azure cost management before committing.

M365 free-tier ingestion (the major Sentinel wedge)

Microsoft 365 logs are free to ingest into Sentinel for customers with active M365 / Azure AD / Defender licenses. The free-ingest log sources include:

  • Office 365 audit logs (Exchange Online, SharePoint Online, OneDrive, Teams)
  • Microsoft Entra ID (formerly Azure Active Directory) sign-in and audit logs
  • Microsoft 365 Defender alerts (Defender for Endpoint, Defender for Identity, Defender for Office 365)
  • Defender for Cloud Apps (formerly MCAS) logs
  • Defender for Cloud (formerly Azure Security Center) alerts

For Microsoft-shop SOCs where 60-80 percent of telemetry comes from these sources, the practical ingest cost can be 60-80 percent lower than a comparable Splunk or Elastic deployment ingesting the same logs at full per-GB rate. This is the structural reason Sentinel has won broad adoption in Microsoft-centric enterprises despite Splunk's deeper query language and longer market history.
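The tier choice that follows from the table and the free M365 share can be worked through in code. This is an added example, not from the original page or from Microsoft: the function names are hypothetical, the rates are the page's indicative figures, a 30-day month is assumed (it reproduces the table's monthly costs), and overage is billed at pay-as-you-go as the FAQ on this page states.

```python
# Added example: rates are the page's indicative list figures, not a quote.
PAYG_RATE = 5.22                      # $/GB, pay-as-you-go list price
TIER_RATES = {100: 4.50, 200: 4.10, 500: 3.50, 1000: 3.20}  # commit GB/day -> $/GB
DAYS_PER_MONTH = 30                   # assumption; matches the table's monthly figures


def billable_gb_per_day(total_gb_per_day, free_share):
    """Volume left on the ingest meter after the free M365 sources are removed."""
    if not 0.0 <= free_share <= 1.0:
        raise ValueError("free_share must be between 0 and 1")
    return total_gb_per_day * (1.0 - free_share)


def monthly_cost(billable_gb, commit=None):
    """Monthly ingest cost for one option; commit=None means pay-as-you-go."""
    if commit is None:
        return billable_gb * PAYG_RATE * DAYS_PER_MONTH
    committed = commit * TIER_RATES[commit] * DAYS_PER_MONTH   # paid even if unused
    # Per the page, volume above the commitment reverts to the pay-as-you-go rate.
    overage = max(0.0, billable_gb - commit) * PAYG_RATE * DAYS_PER_MONTH
    return committed + overage


def best_option(billable_gb):
    """Return (commit, monthly_cost) for the cheapest option at this volume."""
    costs = {c: monthly_cost(billable_gb, c) for c in [None, *TIER_RATES]}
    cheapest = min(costs, key=costs.get)
    return cheapest, round(costs[cheapest], 2)


def breakeven_gb_per_day(commit):
    """Billable volume above which a tier is cheaper than pay-as-you-go."""
    return commit * TIER_RATES[commit] / PAYG_RATE


if __name__ == "__main__":
    # Constructed scenario: 300 GB/day total, 70 percent from free M365 sources.
    billable = billable_gb_per_day(300, 0.70)
    for commit in [None, *TIER_RATES]:
        label = "pay-as-you-go" if commit is None else f"{commit} GB/day commit"
        print(f"{label:>20}: ${monthly_cost(billable, commit):>10,.0f}/month")
    print("cheapest:", best_option(billable))
    print(f"100 GB/day tier breaks even at {breakeven_gb_per_day(100):.1f} GB/day")
```

In the constructed scenario the 100 GB/day commitment is cheaper than pay-as-you-go even though only about 90 GB/day is billable, because the tier breaks even at roughly 86 GB/day.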

When Sentinel is the right call

Sentinel wins when

  • The estate is a Microsoft shop (M365, Azure, and Defender are the bulk of telemetry)
  • Log volume is variable and you want pay-as-you-go without minimums
  • Infrastructure is Azure-native, so the Sentinel-Logic Apps-Notebooks integration replaces a SOAR purchase
  • You have strong Azure cost-management discipline and an existing EA discount
  • You have compliance archive needs (the Sentinel archive tier is cost-efficient)

Look elsewhere when

  • AWS-shop or GCP-shop where Sentinel pulls cross-cloud data through brittle connectors
  • Splunk-skill team where Sentinel KQL retraining cost is significant
  • Heterogeneous non-Microsoft estate where free M365 ingest does not apply
  • High-query workloads where Splunk Workload Pricing fits better
  • Compliance regimes that require on-premises log control beyond Azure region residency

Frequently Asked Questions

How much does Microsoft Sentinel cost?
Microsoft Sentinel uses Azure consumption pricing at $5.22 per GB ingested (US East list price). Volume commitment tiers discount this rate: 100 GB/day commitment around $4.50/GB, 200 GB/day around $4.10/GB, 1 TB/day around $3.20/GB. Critically, Microsoft 365 logs (Office 365, Microsoft Entra ID, Microsoft 365 Defender) are free to ingest, which is a major differentiator versus Splunk where the same logs would carry full ingest cost.
What logs are free to ingest in Microsoft Sentinel?
Microsoft 365 logs are free at source for licensed customers: Office 365 audit logs, Microsoft Entra ID sign-in and audit logs, Microsoft 365 Defender alerts, and Defender for Cloud Apps (formerly MCAS) logs. For Microsoft-shop SOCs where the majority of telemetry comes from M365 + Azure + Microsoft Defender, this free ingestion can cut the SIEM bill by 60-80 percent versus a third-party SIEM ingesting the same logs. Non-Microsoft logs (network appliances, third-party SaaS, on-prem servers) are billed at the standard $5.22/GB rate.
What are the Microsoft Sentinel commitment tiers?
Microsoft offers commitment tier pricing for predictable volumes: 100 GB/day, 200 GB/day, 300 GB/day, 400 GB/day, 500 GB/day, 1 TB/day, and 2 TB/day. Each tier discounts the per-GB rate progressively. Commitment is monthly and overage above the committed volume reverts to pay-as-you-go. Typical Microsoft-shop mid-market SOC commits at 100-200 GB/day; large enterprise commits at 1 TB/day.
Does Microsoft Sentinel include long-term storage?
Sentinel data retention is 90 days included with ingest cost, then $0.10/GB/month for archived (interactive) data and cheaper for archive tier. For PCI DSS 12-month retention or HIPAA 6-year retention, archive-tier storage is the cost-efficient path. Sentinel archive supports search and rehydration of archived data for incident response. Microsoft Defender XDR alerts have separate retention rules and feed into Sentinel without the standard ingest meter.
When does Microsoft Sentinel beat Splunk on total cost?
Sentinel beats Splunk on TCO in three patterns. (1) Microsoft-shop estates where M365 + Azure + Defender logs are the bulk of telemetry; free ingestion of those logs collapses the cost base. (2) SOCs that want consumption-billing predictability and have variable log volumes (Sentinel's pay-as-you-go has no minimum commitment, unlike Splunk Cloud). (3) Azure-native infrastructure where the Sentinel-Logic Apps-Sentinel Notebooks integration replaces a separate SOAR purchase. Sentinel loses to Splunk on non-Microsoft heterogeneous estates with high-query workloads where Workload Pricing fits.

Microsoft Sentinel pricing references cite the Azure public pricing page and Microsoft Learn documentation. Commitment-tier indicative rates were verified against the Azure pricing calculator. No per-customer EA-discounted pricing is cited. SecurityOperationsCost.com has no commercial relationship with Microsoft.

Updated 2026-05-11