All-Microsoft security is the right call for some businesses. Best-of-breed is right for the rest.

Every MSP has a version of the same slide: consolidate your security under Microsoft 365, because one vendor means one bill, one console, one throat to choke. It's not a bad pitch. E5 genuinely bundles a lot of capability, and if you're already paying for it, using it feels obvious. But security is the one part of a business where the instinct to consolidate for convenience deserves a second look — because the vendor you'd be consolidating around is also the thing most under attack right now.
Why security consolidation isn't like other consolidation
Everywhere else in IT, picking one vendor for everything is a reasonable simplification: fewer contracts, fewer consoles, fewer things that don't talk to each other. Security doesn't work the same way, and the reason is structural, not a matter of taste. The number one way businesses get breached in 2026 isn't a clever exploit. It's a stolen Microsoft 365 credential or session token, used to log in like anyone else. Which means that in an all-Microsoft build, the platform you're trying to protect and the platform doing the protecting are the same platform. If an attacker gets a foothold, the tools watching for them, and the backups meant to recover from them, can in principle be reached from inside the same compromised tenant.
What "independent" actually buys you
That's the argument for keeping part of the stack outside the tenant, and it's worth being precise about what "outside" delivers. An EDR tool like CrowdStrike Falcon or an identity-monitoring tool like Huntress ITDR watches your Microsoft 365 environment from its own infrastructure, under its own credentials — unreachable if your tenant is compromised. A backup product like Keepit copies your mailbox and SharePoint data to a location an attacker inside your tenant genuinely cannot touch. Microsoft's own backup product doesn't do this by design: Microsoft 365 Backup keeps your data, in Microsoft's own words, within the Microsoft 365 data trust boundary — precisely the boundary you'd be worried about failing. That's not a knock on the product. It just isn't independent recovery, and treating it as though it were is where the confusion creeps in.
Security is not the place you consolidate for convenience.
The part that's easy to miss: who's actually watching
The second piece is less about architecture and more about who's on the other end of the alert. Microsoft Defender is a genuinely capable platform, and it's still a platform — something that has to be operated. Alerts need triaging, false positives need tuning, a real incident needs a person to isolate a device at 2am on a Sunday. Out of the box, that person is you or your MSP. CrowdStrike Falcon Complete and Huntress build a 24/7 security operations centre into the product itself, humans hunting, triaging and responding, not just software generating alerts for someone else to act on. Microsoft has an equivalent, Defender Experts for XDR, but it's a separately priced add-on aimed at organisations that already have a security team to work alongside it. For a business with no security team, that's the whole difference: best-of-breed here isn't a sharper tool, it's a tool that comes with the humans already attached.
What that looks like, layer by layer
Set the two builds side by side and the pattern holds across every layer, not just backup and endpoint:
| Security layer | What Communicat deploys | The all-Microsoft equivalent |
|---|---|---|
| Endpoint management | NinjaOne (RMM) | Microsoft Intune |
| Endpoint detection & response | CrowdStrike Falcon Complete (MDR) | Microsoft Defender for Endpoint P2 |
| Email security | Proofpoint | Microsoft Defender for Office 365 |
| Identity threat detection | Huntress ITDR | Entra ID Protection / Defender for Identity |
| Security awareness training | Huntress SAT | Microsoft Attack Simulation Training |
| Microsoft 365 backup | Keepit — independent, outside the tenant | Microsoft 365 Backup — inside the tenant |
| Network / DNS | DNSFilter | Defender web filtering / Entra Internet Access |
| Network firewall & IPS | Cisco Meraki (IDS/IPS) | — no Microsoft equivalent |
Microsoft's stack is capable and consolidated. It's also, by row eight, missing a category entirely, because a network firewall was never something Microsoft built.
Depth, and the cost line that surprises people
The remaining argument sounds like a pricing pitch and isn't quite one. Consolidating under Microsoft is not the cheaper option once you price the equivalent build properly.
Add E5, the backup consumption cost and web filtering together, and the "it's already included" pitch turns into its own multi-line invoice, one that still needs a third-party firewall bolted on because, as the table above shows, Microsoft has never built one. Priced out in full, a fully managed best-of-breed stack lands in a comparable range. The choice isn't a premium tier bought at a discount. It's genuine depth at every layer, from specialists who live in that layer, instead of one vendor covering all of them reasonably well.
Which one are you?
None of this makes an all-Microsoft build the wrong call. For plenty of businesses it's exactly right: a lower risk profile, already committed to E5, a simple environment, an in-house team that already lives inside Defender day to day. The job isn't talking every client into the more elaborate stack. It's being honest about which business is actually in front of you.
We run both models at Communicat, deliberately, and the security work starts with the same question either way: not which vendor we'd rather sell, but what you're actually protecting, and how much of that risk you're comfortable putting in one basket. Some businesses get a straight answer of "stay on Microsoft, and here's how to use it properly." Others get told, honestly, that the convenient answer is the wrong one for what they're carrying. Both are the right answer to give, for the business in front of us.
Frequently asked questions
Is Microsoft 365 E5 enough security on its own?
For plenty of businesses, yes. E5 bundles genuinely capable tools — Defender for Endpoint P2, Defender for Office 365 P2, Entra ID Protection — and covers a lot of ground if your risk profile is lower or you already have a team running Defender. What it doesn't include is a true 24/7 SOC (Defender Experts is a separate paid add-on), a recovery copy independent of your tenant, or a network firewall — Microsoft doesn't make one.
What's the real difference between Microsoft Defender and CrowdStrike Falcon?
Both are capable platforms and Defender has improved a lot. The practical difference for most SMBs isn't detection quality, it's who's watching it. Falcon Complete bundles a 24/7 SOC that hunts and responds on your behalf. Defender is a platform someone else — you or your MSP — has to operate, unless you buy the separate Defender Experts for XDR add-on.
Why use a backup product outside Microsoft 365 instead of Microsoft 365 Backup?
Microsoft 365 Backup keeps your data inside what Microsoft calls the Microsoft 365 data trust boundary — the same tenant an attacker would compromise. An independent product like Keepit stores a copy outside that boundary entirely, so a tenant-wide compromise or a bad change can't reach your recovery copy.
Does best-of-breed security cost more than an all-Microsoft stack?
Not once you price the Microsoft build properly. A like-for-like all-Microsoft stack means E5 (rising to about $60/user/month from July 2026), separate paid add-ons for backup, web filtering and a managed SOC, plus a third-party firewall Microsoft doesn't offer at all. Priced out in full, a fully managed best-of-breed stack typically lands in the same range.

Written by
Managing Director
John Zammit is Managing Director at Communicat IT, a Melbourne MSP serving Victorian SMBs since 1987. He writes about cloud economics, infrastructure strategy, and the gap between sales narratives and operational reality.