Skip to content
Cybersecurity

All-Microsoft security is the right call for some businesses. Best-of-breed is right for the rest.

John Zammit7 July 20266 min read
A single illuminated server unit glowing blue in an otherwise dark rack, evoking a system deliberately kept independent from the environment it protects.
Image: panumas nikhomkhai via Pexels

Every MSP has a version of the same slide: consolidate your security under Microsoft 365, because one vendor means one bill, one console, one throat to choke. It's not a bad pitch. E5 genuinely bundles a lot of capability, and if you're already paying for it, using it feels obvious. But security is the one part of a business where the instinct to consolidate for convenience deserves a second look — because the vendor you'd be consolidating around is also the thing most under attack right now.

Why security consolidation isn't like other consolidation

Everywhere else in IT, picking one vendor for everything is a reasonable simplification: fewer contracts, fewer consoles, fewer things that don't talk to each other. Security doesn't work the same way, and the reason is structural, not a matter of taste. The number one way businesses get breached in 2026 isn't a clever exploit. It's a stolen Microsoft 365 credential or session token, used to log in like anyone else. Which means that in an all-Microsoft build, the platform you're trying to protect and the platform doing the protecting are the same platform. If an attacker gets a foothold, the tools watching for them, and the backups meant to recover from them, can in principle be reached from inside the same compromised tenant.

What "independent" actually buys you

That's the argument for keeping part of the stack outside the tenant, and it's worth being precise about what "outside" delivers. An EDR tool like CrowdStrike Falcon or an identity-monitoring tool like Huntress ITDR watches your Microsoft 365 environment from its own infrastructure, under its own credentials — unreachable if your tenant is compromised. A backup product like Keepit copies your mailbox and SharePoint data to a location an attacker inside your tenant genuinely cannot touch. Microsoft's own backup product doesn't do this by design: Microsoft 365 Backup keeps your data, in Microsoft's own words, within the Microsoft 365 data trust boundary — precisely the boundary you'd be worried about failing. That's not a knock on the product. It just isn't independent recovery, and treating it as though it were is where the confusion creeps in.

Security is not the place you consolidate for convenience.

The instinct worth questioning

The part that's easy to miss: who's actually watching

The second piece is less about architecture and more about who's on the other end of the alert. Microsoft Defender is a genuinely capable platform, and it's still a platform — something that has to be operated. Alerts need triaging, false positives need tuning, a real incident needs a person to isolate a device at 2am on a Sunday. Out of the box, that person is you or your MSP. CrowdStrike Falcon Complete and Huntress build a 24/7 security operations centre into the product itself, humans hunting, triaging and responding, not just software generating alerts for someone else to act on. Microsoft has an equivalent, Defender Experts for XDR, but it's a separately priced add-on aimed at organisations that already have a security team to work alongside it. For a business with no security team, that's the whole difference: best-of-breed here isn't a sharper tool, it's a tool that comes with the humans already attached.

What that looks like, layer by layer

Set the two builds side by side and the pattern holds across every layer, not just backup and endpoint:

Security layerWhat Communicat deploysThe all-Microsoft equivalent
Endpoint managementNinjaOne (RMM)Microsoft Intune
Endpoint detection & responseCrowdStrike Falcon Complete (MDR)Microsoft Defender for Endpoint P2
Email securityProofpointMicrosoft Defender for Office 365
Identity threat detectionHuntress ITDREntra ID Protection / Defender for Identity
Security awareness trainingHuntress SATMicrosoft Attack Simulation Training
Microsoft 365 backupKeepit — independent, outside the tenantMicrosoft 365 Backup — inside the tenant
Network / DNSDNSFilterDefender web filtering / Entra Internet Access
Network firewall & IPSCisco Meraki (IDS/IPS)— no Microsoft equivalent

Microsoft's stack is capable and consolidated. It's also, by row eight, missing a category entirely, because a network firewall was never something Microsoft built.

Depth, and the cost line that surprises people

The remaining argument sounds like a pricing pitch and isn't quite one. Consolidating under Microsoft is not the cheaper option once you price the equivalent build properly.

~$60
per user/month for Microsoft 365 E5 from 1 July 2026, the licence needed to reach Defender P2, Entra ID P2 and Attack Simulation Training
Microsoft 365 enterprise pricing
$22
per user/month for Business Premium alone, before the E5 Security add-on (~$12) needed to close the gap
Microsoft 365 pricing
$5
per user/month for Entra Internet Access, Microsoft's web and DNS filtering layer
Microsoft 365 pricing

Add E5, the backup consumption cost and web filtering together, and the "it's already included" pitch turns into its own multi-line invoice, one that still needs a third-party firewall bolted on because, as the table above shows, Microsoft has never built one. Priced out in full, a fully managed best-of-breed stack lands in a comparable range. The choice isn't a premium tier bought at a discount. It's genuine depth at every layer, from specialists who live in that layer, instead of one vendor covering all of them reasonably well.

Which one are you?

None of this makes an all-Microsoft build the wrong call. For plenty of businesses it's exactly right: a lower risk profile, already committed to E5, a simple environment, an in-house team that already lives inside Defender day to day. The job isn't talking every client into the more elaborate stack. It's being honest about which business is actually in front of you.

We run both models at Communicat, deliberately, and the security work starts with the same question either way: not which vendor we'd rather sell, but what you're actually protecting, and how much of that risk you're comfortable putting in one basket. Some businesses get a straight answer of "stay on Microsoft, and here's how to use it properly." Others get told, honestly, that the convenient answer is the wrong one for what they're carrying. Both are the right answer to give, for the business in front of us.

Frequently asked questions

Is Microsoft 365 E5 enough security on its own?

For plenty of businesses, yes. E5 bundles genuinely capable tools — Defender for Endpoint P2, Defender for Office 365 P2, Entra ID Protection — and covers a lot of ground if your risk profile is lower or you already have a team running Defender. What it doesn't include is a true 24/7 SOC (Defender Experts is a separate paid add-on), a recovery copy independent of your tenant, or a network firewall — Microsoft doesn't make one.

What's the real difference between Microsoft Defender and CrowdStrike Falcon?

Both are capable platforms and Defender has improved a lot. The practical difference for most SMBs isn't detection quality, it's who's watching it. Falcon Complete bundles a 24/7 SOC that hunts and responds on your behalf. Defender is a platform someone else — you or your MSP — has to operate, unless you buy the separate Defender Experts for XDR add-on.

Why use a backup product outside Microsoft 365 instead of Microsoft 365 Backup?

Microsoft 365 Backup keeps your data inside what Microsoft calls the Microsoft 365 data trust boundary — the same tenant an attacker would compromise. An independent product like Keepit stores a copy outside that boundary entirely, so a tenant-wide compromise or a bad change can't reach your recovery copy.

Does best-of-breed security cost more than an all-Microsoft stack?

Not once you price the Microsoft build properly. A like-for-like all-Microsoft stack means E5 (rising to about $60/user/month from July 2026), separate paid add-ons for backup, web filtering and a managed SOC, plus a third-party firewall Microsoft doesn't offer at all. Priced out in full, a fully managed best-of-breed stack typically lands in the same range.

John Zammit

Written by

John Zammit

Managing Director

John Zammit is Managing Director at Communicat IT, a Melbourne MSP serving Victorian SMBs since 1987. He writes about cloud economics, infrastructure strategy, and the gap between sales narratives and operational reality.

Related Topics

best-of-breed vs Microsoft securityMicrosoft 365 E5 security costconcentration risk cybersecurityindependent Microsoft 365 backupmanaged SOC MelbourneCrowdStrike vs Microsoft DefenderEssential Eight Australiacybersecurity Victoria SMB

Need help with your IT?

Our Melbourne team has 37+ years of experience helping businesses like yours.