Just Because You Have an EA and Enterprise Support Does Not Mean You Are Ready for a Breach

  • Writer: Shannon
  • Jan 18
  • 4 min read

There is a common and risky assumption about Microsoft security support that I hear more often than I probably should, especially in large enterprise environments where a customer has an Enterprise Agreement (EA):

We have an EA and Enterprise Support. Microsoft will take care of us if something bad happens.

I understand where that belief comes from. Enterprise Agreement sounds comprehensive...thorough, even. Enterprise Support sounds like you are covered no matter what. On paper, it feels like the safety net is already there. But when it comes to real security incidents, ransomware, identity compromise, or an active attacker inside your tenant, that assumption can break down fast.


So let’s talk about what those contracts actually mean, and just as importantly, what they do not.


What EA and Enterprise Support really give you

If you have an Enterprise Agreement paired with Enterprise Support, formerly Premier and now Unified Support, you absolutely get meaningful value. You get 24x7 coverage for critical issues, faster response times, defined escalation paths, and access to senior Microsoft engineers who understand the products deeply. You can also leverage proactive services like health checks, architectural reviews, and advisory hours that help keep environments stable and well-run.


When something goes wrong, including security-related issues, Microsoft Support can escalate internally, pull in subject matter experts, and help coordinate remediation steps across services. That is real support, and it matters.


But it is still support in the traditional sense.


Where the assumption starts to fall apart

What EA and Enterprise Support do not automatically give you is Microsoft’s elite security incident response capability. That is the part that often surprises people, usually at the worst possible time.


You are not automatically getting a dedicated breach response team. You are not automatically getting deep forensic analysis, attacker eviction, or a full reconstruction of how an adversary gained access and persisted. You are also not automatically getting legal-grade evidence handling or a post-incident hardening plan designed to prevent the same attack from happening again.


Those capabilities live under Microsoft Incident Response, which is the evolution of what many people still refer to as DART. That team exists for a very specific purpose, and it is not bundled into Enterprise Support by default.


Why Microsoft draws a hard line here

This separation is intentional, and it actually makes sense once you look at it through the right lens.


Enterprise Support is designed to help customers restore service, resolve product issues, and keep platforms operational. It assumes you are troubleshooting a problem within a known boundary. Incident response assumes something very different. It assumes an adversary is already inside your environment, moving laterally, establishing persistence, and actively trying not to be detected.


Those are two very different problems with two very different playbooks.

Incident response requires threat hunters, forensic specialists, and responders who operate under legal, compliance, and sometimes regulatory constraints. It is not just about fixing something that broke. It is about removing someone who should not be there and proving how they got in.


When Microsoft Incident Response actually shows up

There are really only a few scenarios where Microsoft’s incident response team is guaranteed to engage.


The cleanest option is a pre-purchased incident response retainer. This is the proactive approach. You buy access ahead of time so that if something happens, there is no scramble, no procurement delay, and no debate about scope while the incident is unfolding.


The second option is an ad hoc engagement during an active incident. This happens more than people like to admit. A security event starts, leadership realizes standard support is not enough, and Microsoft scopes and prices an incident response engagement while the organization is already under pressure. It works, but it is slower, more expensive, and significantly more stressful.


The third scenario is Microsoft-initiated escalation. This is rare and typically tied to large-scale or systemic threats that impact Microsoft’s broader ecosystem. It is not contractual and should never be assumed as part of a customer’s incident response strategy.


The belief that creates the most risk

The phrase that makes me most nervous is a simple one:


“We’re fine. We have Enterprise Support.”


Enterprise Support absolutely helps you escalate faster. What it does not do is replace incident response. If your identity plane is compromised, if tokens are being abused, if persistence mechanisms are in place, you are no longer dealing with a support issue. You are dealing with an adversary.


And adversaries do not go away because a support case was opened.


The reality, without the marketing spin

Here is the truth, stated plainly.

| Customer setup                                   | Automatic incident response access |
|--------------------------------------------------|------------------------------------|
| EA only                                          | No                                 |
| EA plus Enterprise Support                       | No                                 |
| EA plus Enterprise Support plus IR retainer      | Yes                                |
| IR purchased during an incident                  | Yes, after contracting             |

The takeaway

Enterprise Support is necessary. It is valuable. It is not sufficient when it comes to real security incidents.


If an organization believes that an EA means Microsoft will automatically handle a breach end to end, that assumption needs to be corrected before it becomes a very painful lesson. The right approach is understanding the gap, planning for it intentionally, and deciding ahead of time who owns incident response when things go wrong.


Because learning the limits of your support contract in the middle of an incident is the worst possible time to learn it.

© 2020 Shannon B. Eldridge-Kuehn