How does Datadog defend against Microsoft Sentinel + Azure Monitor?
Direct Answer
Microsoft is the only competitor that can structurally damage Datadog, and the threat is not a product — it is a bundle. Sentinel + Azure Monitor + Defender + Copilot for Security ride into accounts at near-zero marginal cost on the back of M365 E5 and Azure consumption commits, while Datadog has to land net-new line-item budget every renewal. Datadog cannot win the price war and should stop trying — the defense is multi-cloud reality, Bits AI cross-signal reasoning, named complexity at 10K+ host scale, and vertical depth where Microsoft has no story. Olivier Pomel's job for the next 24 months is to make Datadog the obvious choice for any enterprise that runs even 30% of its workload outside Azure, and to make Sentinel feel like an Azure-only point tool whenever a CISO compares them side-by-side. The five defense levers are clear; the one risk Pomel has to actively manage is Microsoft sales weaponizing Azure consumption credits as a Sentinel discount mechanism inside accounts where Datadog already has APM — that is how the wedge actually widens. Get this wrong and Datadog becomes a premium add-on inside Microsoft accounts; get it right and Datadog stays the system of record for cross-cloud observability through 2030.
Why Microsoft Is The Real Threat
- The M365 E5 install base is the Trojan horse — over 300M paid commercial seats globally, and the E5 SKU bundles Defender XDR + Sentinel data ingestion benefits at an effective marginal cost of $10-20/user/month. CISOs who already pay for E5 perceive Sentinel as already paid for, even when Azure consumption ramps the real bill.
- Sentinel pricing is a discount engine, not a price — Microsoft routinely discounts Sentinel ingest 40-70% via Microsoft Azure Consumption Commitments (MACC), and Defender data sources flow into Sentinel free. This collapses the SIEM price floor in any account with an active EA renewal.
- Azure Monitor is no longer Azure-only — Azure Arc, Azure Monitor for containers (Container Insights), and the OpenTelemetry-native ingestion path now reach AWS and on-prem workloads. The product gap that protected Datadog in 2022 is closing.
- Copilot for Security matured fast — GA in April 2024, $4/SCU/hour pricing, and by 2026 it is the default AI SOC analyst experience for any Microsoft-anchored enterprise. It is not as polished as Bits AI for cross-signal observability, but it is good enough for SOC triage, which is where Sentinel buyers live.
- Microsoft's sales motion is account-level, not product-level — when Microsoft renews a $50M EA, Sentinel + Defender + Copilot get bundled into the discount math. Datadog's $3M ARR line item gets compared against a perceived-free Microsoft alternative inside the same conversation.
- Procurement loves one bill — CFOs in 2026 are actively consolidating SaaS vendors, and Microsoft's EA gives them a politically easy answer: cut the Datadog renewal, expand the Microsoft contract.
Where Microsoft Beats Datadog
- Azure-only shops — if 95%+ of workload is on Azure, Sentinel + Azure Monitor + Application Insights is the obvious answer. Datadog has no economic story here.
- SMB and lower mid-market on E5 — under 500 employees with E5 already deployed, Sentinel is functionally free at low ingest volumes. Datadog cannot match the per-seat economics.
- SOC-led buying decisions in Microsoft-anchored enterprises — when the CISO is the buyer and the security operations center already runs Defender XDR, Sentinel wins on workflow continuity.
- Federal and regulated Azure Government deployments — Microsoft's Azure Government and Government Community Cloud (GCC High) have FedRAMP High and IL5 coverage that Datadog has not yet matched.
- Greenfield Azure-native modernization projects — when a Fortune 1000 commits to Azure for a 3-year cloud migration, Sentinel and Azure Monitor get baked into the reference architecture before Datadog ever gets a meeting.
Where Datadog Beats Microsoft
- Multi-cloud reality at scale — 87% of Fortune 500 enterprises run workloads on at least two of AWS/Azure/GCP. Sentinel sees Azure clearly, AWS through connectors, and GCP barely. Datadog sees all three with the same agent, the same UI, and the same query language.
- AWS-native and AWS-first customers — Snowflake, Stripe, Airbnb, Robinhood, and most AI-native companies run AWS as primary. Microsoft has no credible play here, and Datadog dominates this segment.
- GCP-anchored AI and data customers — companies running Vertex AI, BigQuery, and GKE at scale will not buy Sentinel. Datadog is the default cross-cloud option.
- Named complexity at 10K+ host enterprise scale — Datadog handles cardinality, custom metric volume, and distributed trace fan-out at a scale where Sentinel + Azure Monitor visibly degrade. Reference customers: OpenAI, Anthropic, Samsung.
- Bits AI + LLM Observability depth — Bits AI reasons across metrics, logs, traces, and RUM in a single conversational thread. Copilot for Security is SOC-focused; it does not yet match Bits AI for cross-signal SRE workflows. LLM Observability (GA 2024) has no real Microsoft equivalent — Azure AI Foundry observability is fragmented across multiple tools.
- Named-vertical solutions — Datadog's financial services, healthcare, and AI-workload reference architectures are deeper than Microsoft's generic Azure Monitor docs. The vertical sales motion matters at the F500 level.
The 5 Defense Levers
- Lead with multi-cloud — every deal, every demo. First slide in every Datadog enterprise pitch should be a side-by-side AWS + Azure + GCP dashboard. Make Sentinel's Azure-centricity visible immediately.
- Bits AI as the cross-signal moat. Demo Bits AI reasoning across a metric anomaly → trace span → log line → RUM session in 90 seconds. Copilot for Security cannot do this today. Ship Bits AI Rooms (agentic incident response) into GA and price it as a renewal-defender, not an add-on.
- LLM Observability as the AI-workload anchor. Every AI-native enterprise (OpenAI, Anthropic, Cohere, Mistral) runs on Datadog LLM Obs. Microsoft has Azure AI Foundry telemetry but it is fragmented. Datadog should publish a quarterly AI Workload Observability State of the Union to own the category narrative.
- Cloud SIEM bundled into APM renewals at zero net-new line item. When Datadog renews a $5M APM contract, throw in Cloud SIEM at marginal cost to deny Sentinel a foothold. This is the only price war Datadog should fight, and only inside existing accounts.
- Vertical reference architectures + named co-sell with AWS and Google. Deepen the AWS Marketplace and Google Cloud Marketplace co-sell motion — both hyperscalers want a non-Microsoft observability default. Datadog's AWS revenue commit grew to $50B over five years (announced 2024); operationalize that into account-level co-selling.
What Datadog Should NOT Do
- Do not compete on per-user or per-seat price. Microsoft will always win the bundle math inside an E5 account. Pricing parity is a losing game.
- Do not try to displace Sentinel at Azure-only shops. This is a wasted sales motion — concede the segment, focus on multi-cloud accounts where Datadog's value is structurally higher.
- Do not build an Azure Marketplace dependency. Listing on Azure Marketplace is fine, but do not let Microsoft become a primary distribution channel — they will throttle co-sell the moment Sentinel is in the same deal.
- Do not chase FedRAMP High parity at the cost of cloud-native velocity. Microsoft will win federal Azure Gov for the next three years. Datadog should pursue FedRAMP High, but not at the expense of the commercial multi-cloud roadmap.
- Do not let Bits AI become a paid add-on at low usage tiers. Bits AI is the single biggest visible differentiator vs Copilot for Security — it must be the default UX, not a SKU upgrade. Monetize at high-volume tiers only.
The 2027 Scorecard
- Azure-only enterprise SIEM — Microsoft Sentinel wins decisively.
- Multi-cloud observability at F500 scale — Datadog wins through 2027 if the multi-cloud lead is preserved.
- AI workload observability (LLM Obs, agent telemetry) — Datadog wins unless Microsoft ships an integrated Azure AI Foundry observability suite by mid-2027.
- SMB and mid-market SIEM under 500 employees — Microsoft wins on E5 bundle economics.
- Cross-signal AI SRE assistant (Bits AI vs Copilot for Security) — Datadog wins on observability depth; Microsoft wins on SOC triage. Split decision.
- Federal civilian and DoD SIEM — Microsoft wins on Azure Gov + Sentinel + Defender bundle.
- AWS-native and GCP-native enterprises — Datadog wins decisively; Microsoft has no credible counter.
- Cloud SIEM inside existing Datadog APM accounts — Datadog wins if Cloud SIEM is bundled at marginal cost into APM renewals.
Battleground × Microsoft Strength × Datadog Strength × 2027 Winner × Defense Move
| Battleground | Microsoft Strength | Datadog Strength | 2027 Winner | Defense Move |
|---|---|---|---|---|
| Azure-only enterprise SIEM | Native Azure data, E5 bundle, MACC discounts | Cross-cloud parity unused here | Microsoft | Concede segment, redirect sales |
| Multi-cloud F500 observability | Azure Arc, OTel ingestion | One agent, one UI, AWS+Azure+GCP | Datadog | Lead every demo with multi-cloud dashboard |
| AI workload observability | Azure AI Foundry telemetry | LLM Obs GA, OpenAI + Anthropic refs | Datadog | Quarterly AI Workload State of the Union |
| SMB SIEM under 500 employees | Sentinel free in E5 at low ingest | Datadog cost structure broken here | Microsoft | Do not chase, focus upmarket |
| Cross-signal AI assistant | Copilot for Security, $4/SCU/hr | Bits AI cross-signal reasoning | Datadog (obs) / Microsoft (SOC) | Bits AI default UX, never paid add-on |
| Federal Azure Gov SIEM | FedRAMP High, IL5, GCC High | FedRAMP Moderate only | Microsoft | Pursue FedRAMP High, do not over-invest |
| AWS-native enterprises | No credible play | Default observability vendor | Datadog | Deepen AWS Marketplace co-sell |
| GCP-anchored AI/data shops | Effectively zero | Default cross-cloud option | Datadog | Google Cloud Marketplace co-sell |
| Cloud SIEM inside Datadog APM | Sentinel ingress via E5 | Bundled with existing APM | Datadog | Bundle Cloud SIEM at marginal cost into APM renewals |
| Vertical reference architectures | Generic Azure Monitor docs | FinServ, healthcare, AI vertical depth | Datadog | Publish vertical reference architectures quarterly |
[Diagram: Threat → Defense Lever → Outcome]
Bottom Line
Microsoft is not Datadog's biggest competitor on product — it is the only competitor that can structurally bend the market through bundle economics. Datadog cannot win the per-seat price war and should stop pretending it can. The defense is multi-cloud reality, Bits AI as the cross-signal moat, LLM Observability as the AI workload anchor, Cloud SIEM bundled into APM renewals, and named co-sell with AWS and Google. Concede Azure-only shops, concede SMB, concede federal Azure Gov — and dominate every multi-cloud, AI-native, F500 account where Microsoft's bundle math does not apply. The one risk Pomel must actively manage is Microsoft weaponizing Azure consumption credits as Sentinel discounts inside accounts where Datadog already has APM. If that wedge widens, Datadog becomes a premium add-on inside Microsoft accounts. If it does not, Datadog is the system of record for cross-cloud observability through 2030.
Related reading:
- [q1670 — Is Datadog overpriced for what it does?](/answers.html?id=q1670)
- [q1674 — Can Datadog hold its margins as AWS, Azure, and GCP build native observability?](/answers.html?id=q1674)
- [q1675 — How do you negotiate a Datadog renewal?](/answers.html?id=q1675)