Defender for IoT billing

As you plan your Microsoft Defender for IoT deployment, you typically want to understand the Defender for IoT pricing plans and billing models so you can optimize your costs.

OT monitoring is billed using site-based licenses, where each license applies to an individual site, based on the site size. A site is a physical location, such as a facility, campus, office building, hospital, rig, and so on. Each site can contain any number of network sensors, all of which monitor devices detected in connected networks.

Enterprise IoT monitoring supports 5 devices per Microsoft 365 E5 (ME5) or E5 Security license, or is available as standalone, per-device licenses for Microsoft Defender for Endpoint P2 customers.

Free trial

To evaluate Defender for IoT, start a free trial as follows:

Defender for IoT devices

We recommend that you have a sense of how many devices you want to monitor so that you know how many OT sites you need to license, or if you need any standalone licenses for enterprise IoT security.

  • OT monitoring: Purchase a license for each site that you're planning to monitor. License fees differ based on the site size, each of which covers a different number of devices.


    When the license for one or more of your sites is about to expire, a note is visible at the top of Defender for IoT in the Azure portal, reminding you to renew your licenses. To continue to get security value from Defender for IoT, select the link in the note to renew the relevant licenses in the Microsoft 365 admin center.

  • Enterprise IoT monitoring: Five devices are supported for each ME5/E5 Security user license. If you have more devices to monitor, and are a Defender for Endpoint P2 customer, purchase extra, standalone licenses for each device you want to monitor.

Defender for IoT can discover all devices, of all types, across all environments. Devices are listed in the Defender for IoT Device inventory pages based on a unique IP and MAC address coupling.

Defender for IoT identifies single and unique devices as follows:

  • Identified as individual devices: Devices identified as individual devices include IT, OT, or IoT devices with one or more NICs, including network infrastructure devices such as switches and routers.

    Note: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.

  • Not identified as individual devices: The following items aren't considered as individual devices, and do not count against your license:

    - Public internet IP addresses
    - Multi-cast groups
    - Broadcast groups
    - Inactive devices

    Network-monitored devices are marked as inactive when there's no network activity detected within a specified time:

    - OT networks: No network activity detected for more than 60 days
    - Enterprise IoT networks: No network activity detected for more than 30 days

    Note: Endpoints already managed by Defender for Endpoint are not considered as separate devices by Defender for IoT.
