Defender for IoT billing
As you plan your Microsoft Defender for IoT deployment, you typically want to understand the Defender for IoT pricing plans and billing models so you can optimize your costs.
OT monitoring is billed using site-based licenses, where each license applies to an individual site, based on the site size. A site is a physical location, such as a facility, campus, office building, hospital, rig, and so on. Each site can contain any number of network sensors, all which monitor devices detected in connected networks.
Enterprise IoT monitoring supports 5 devices per Microsoft 365 E5 (ME5) or E5 Security license, or is available as standalone, per-device licenses for Microsoft Defender for Endpoint P2 customers.
To evaluate Defender for IoT, start a free trial as follows:
For OT networks, use a trial license for 60 days. Deploy one or more Defender for IoT sensors on your network to monitor traffic, analyze data, generate alerts, learn about network risks and vulnerabilities, and more. An OT trial supports a Large site license for 60 days. For more information, see Start a Microsoft Defender for IoT trial.
For Enterprise IoT networks, use a trial, standalone license for 90 days as an add-on to Microsoft Defender for Endpoint. Trial licenses support 100 devices. For more information, see Securing IoT devices in the enterprise and Enable Enterprise IoT security with Defender for Endpoint.
Defender for IoT devices
We recommend that you have a sense of how many devices you want to monitor so that you know how many OT sites you need to license, or if you need any standalone licenses for enterprise IoT security.
OT monitoring: Purchase a license for each site that you're planning to monitor. License fees differ based on the site size, each which covers a different number of devices.
Enterprise IoT monitoring: Five devices are supported for each ME5/E5 Security user license. If you have more devices to monitor, and are a Defender for Endpoint P2 customer, purchase extra, standalone licenses for each device you want to monitor.
Defender for IoT can discover all devices, of all types, across all environments. Devices are listed in the Defender for IoT Device inventory pages based on a unique IP and MAC address coupling.
Defender for IoT identifies single and unique devices as follows:
|Identified as individual devices||Devices identified as individual devices include:
IT, OT, or IoT devices with one or more NICs, including network infrastructure devices such as switches and routers
Note: A device with modules or backplane components, such as racks or slots, is counted as a single device, including all modules or backplane components.
|Not identified as individual devices||The following items aren't considered as individual devices, and do not count against your license:
- Public internet IP addresses
- Multi-cast groups
- Broadcast groups
- Inactive devices
Network-monitored devices are marked as inactive when there's no network activity detected within a specified time:
- OT networks: No network activity detected for more than 60 days
- Enterprise IoT networks: No network activity detected for more than 30 days
Note: Endpoints already managed by Defender for Endpoint are not considered as separate devices by Defender for IoT.
For more information, see: