Microsoft Licensing · Remote & Hybrid Work

Microsoft 365 Licensing for Remote and Hybrid Work: The Complete Enterprise Guide

VDI, BYOD, Windows 365, Azure Virtual Desktop, RDS, Teams Rooms, Conditional Access, and every licensing trap in the distributed workforce. Six licensing layers in a single remote session. Most enterprises are getting at least two of them wrong.

4 Virtual Desktop Strategies Compared
6 Licensing Layers in a Single Remote Session
30–50% Cost Variation Between VDI Approaches
$0–$45 Per User Per Month Depending on Architecture

This guide is part of the Microsoft Knowledge Hub. For the comprehensive licensing reference, see the Microsoft Licensing Guide 2026. For plan selection, see Microsoft 365 E3 vs E5 vs F3. For the existing VDI playbook, see the CIO Playbook for Remote Work and VDI.

The Licensing Stack: Why Remote Work Creates Complexity

When an employee works in the office on a company-owned Windows device, the licensing is simple: one Microsoft 365 licence (E3 or E5) covers the Office applications, email, Teams, and most of the security tools. The device came with a Windows Pro licence. One user, one device, one licence.

Remote and hybrid work breaks this model. The same user now touches multiple licensing layers simultaneously.

Layer 1: The Microsoft 365 Subscription

The user still needs their M365 licence for Office, Exchange, Teams, and SharePoint. This layer does not change regardless of where the user works or what device they use.

Layer 2: The Device Operating System

If the user is on a company-owned Windows device, the Windows licence came with the hardware. If the user is on a personal device (BYOD), the Windows licence belongs to the user. If the user connects to a virtual desktop, a separate Windows licence covers the virtual environment.

Layer 3: The Virtual Desktop (If Applicable)

Azure Virtual Desktop, Windows 365, Citrix Virtual Apps and Desktops, or VMware Horizon each have their own licensing model for the Windows session, the hosting infrastructure, and the management layer.

Layer 4: Remote Desktop Services

If the enterprise uses RDS for application delivery or session-based desktops, RDS CALs (Client Access Licences) are required per user or per device accessing the RDS host. These are separate from Windows Server CALs and M365 licences.

Layer 5: Security and Device Management

Conditional access policies, Intune device compliance, Defender for Endpoint, and Azure AD P1/P2 features used to secure remote access are licensed through the M365 plan or as add-ons.

Layer 6: Collaboration Hardware

Teams Rooms devices, Teams Phones, and shared-space technology in meeting rooms require their own licences, separate from user licences.

Six layers. Six licensing models. Six opportunities to overpay or under-license. Microsoft's audit teams have identified remote work licensing as a growth area for non-compliance findings since 2022. The compliance exposure is real. The cost optimisation opportunity is equally real.

The Virtual Desktop Decision: Four Paths, Four Licensing Models

Virtual Desktop Infrastructure (VDI) is the most licensing-intensive decision in remote work architecture. The enterprise must choose between four approaches, each with fundamentally different licensing economics. For the foundational overview, see the CIO Playbook for Remote Work and VDI.

Path 1: Azure Virtual Desktop (AVD)

Azure Virtual Desktop is Microsoft's cloud-hosted virtual desktop platform with the most favourable licensing model of any VDI option, by design, because Microsoft wants you on Azure.

What you need to license: A qualifying M365 licence (E3, E5, F3, Business Premium) or a Windows Enterprise E3/E5 per-user subscription includes the right to access AVD at no additional Windows licensing cost. The enterprise pays only for the Azure compute and storage consumed by the session hosts. No separate VDI licence, no RDS CAL, no additional per-user fee.

The economics: For an enterprise already paying for M365 E3, AVD adds only Azure infrastructure cost. A typical session host running Windows 11 multi-session for 10–15 users costs approximately $200–$400/month in Azure compute. That translates to $13–$40/user/month for infrastructure, with the Windows licence already included. With Azure Reserved Instances (30–72% savings) and Azure Hybrid Benefit, costs drop further.

Unique advantage: AVD is the only VDI solution supporting Windows 10/11 Enterprise multi-session, allowing multiple concurrent user sessions on a single VM. This dramatically reduces VMs needed. Multi-session is exclusive to AVD and not available on Citrix or VMware.

The catch: AVD runs exclusively on Azure. If your organisation has a multi-cloud strategy or regulatory requirements preventing certain workloads from running on Azure, AVD is not an option.

Path 2: Windows 365 Cloud PC

Windows 365 is Microsoft's fixed-price cloud desktop offering. Unlike AVD (consumption-based), Windows 365 provides each user with a dedicated Cloud PC at a predictable monthly per-user price.

What you need to license: A Windows 365 subscription ($28–$158/user/month depending on configuration: vCPUs, RAM, storage). The subscription includes the Windows licence, Azure compute, and management layer. A qualifying M365 licence (E3/E5/Business/F3) is a prerequisite. An Intune licence is required (included in M365 E3/E5 and Business Premium).

The economics: A Windows 365 Enterprise 2 vCPU / 8 GB / 128 GB configuration costs approximately $40/user/month. The equivalent AVD configuration might cost $15–$25/month (multi-session, optimised, reserved instances). Windows 365 is more expensive per user, but the cost is fixed, predictable, and requires minimal Azure expertise.

When it makes sense: Optimal for small to medium remote user populations (50–500) needing persistent, dedicated desktops. Particularly effective for contractors or temporary workers who need secure corporate desktops without corporate hardware. Less cost-effective at scale (1,000+ users) where AVD's multi-session delivers significantly lower per-user costs.

Path 3: Citrix or VMware on Azure

Enterprises with existing Citrix Virtual Apps and Desktops or VMware Horizon investments can run these platforms on Azure while leveraging some Microsoft licensing benefits.

What you need to license: The M365 or Windows E3/E5 per-user licence provides Windows access rights. Azure infrastructure is billed on consumption. On top of this, the enterprise needs Citrix or VMware licences (per-user or per-concurrent-user). RDS CALs may be required depending on architecture.

The economics: This is the most expensive VDI option from a licensing perspective because you pay for three layers: Microsoft licensing (M365 + potentially RDS CALs), Azure infrastructure, and the third-party VDI platform licence.

Critical detail: When running Citrix or VMware on Azure, the Windows multi-session benefit is NOT available. Multi-session is exclusive to AVD. Each user requires either a dedicated VM (single-session VDI) or an RDS-based session host with RDS CALs. Per-user infrastructure cost is significantly higher than AVD.

Path 4: On-Premise VDI (Your Data Centre)

Running VDI on-premise with Citrix or VMware in the enterprise's own data centre has a different licensing structure entirely.

What you need to license: Windows Server licences for each physical host (Datacenter Edition for unlimited VMs, Standard with stacking for limited VMs). RDS CALs for every user or device. VDA (Virtual Desktop Access) subscriptions for users accessing from non-Windows or personal devices, unless the user's primary device is a company-owned Windows device with Software Assurance. Plus the Citrix/VMware platform licences.

The VDA trap: If a user accesses a virtual Windows desktop from a personal device, the enterprise needs either a Windows VDA subscription ($10–$12/user/month), or the user's primary device must be company-owned Windows with active Software Assurance. M365 E3 and E5 include Windows Enterprise rights that satisfy VDA, which is one of the strongest arguments for M365 E3 in VDI environments.

VDI licensing summary: AVD with multi-session delivers the lowest per-user cost ($13–$25/month infrastructure on top of existing M365). Windows 365 delivers predictable cost ($28–$158/month all-in). Citrix/VMware on Azure is the most expensive (M365 + Azure + platform licence). On-premise VDI requires the most licensing layers (Windows Server + RDS CALs + VDA + platform licence). The right choice depends on scale, existing investments, and Azure maturity.

BYOD: The Licensing Implications of Personal Devices

Bring Your Own Device (BYOD) is the default reality for most hybrid workforces. Employees use personal laptops, tablets, and phones to access corporate resources. The licensing implications are more extensive than most organisations realise.

What BYOD Does Not Change

The M365 licence follows the user, not the device. An employee with M365 E3 can install Office on up to 5 personal PCs/Macs, 5 tablets, and 5 phones. Accessing Exchange Online, Teams, SharePoint, and OneDrive from a personal device is covered by the user's M365 licence. No additional per-device licence is needed for cloud services.

What BYOD Does Change

Four areas activate additional licensing considerations: device management (Intune for BYOD App Protection Policies), virtual desktop access (VDA required if BYOD users connect to virtual desktops), conditional access (requires Azure AD P1, included in E3/E5), and endpoint security (Defender for Endpoint, E5 only or add-on to E3).

Device Management Licensing

Managing personal devices through Intune requires an Intune licence (included in M365 E3/E5 and Business Premium). On BYOD devices, enterprises typically deploy Intune App Protection Policies (APP) rather than full device enrollment. APP protects corporate data within managed apps (Outlook, Teams, OneDrive) without requiring the user to enroll their personal device. The APP approach is covered by the standard Intune licence at no additional cost.

Virtual Desktop Access Licensing

If BYOD users access a virtual Windows desktop (AVD, Windows 365, or on-premise VDI), the VDA licensing question activates. M365 E3/E5 includes the Windows Enterprise rights that satisfy VDA. Enterprises on Business plans or with users who only have M365 F3 licences need separate VDA subscriptions ($10–$12/user/month) for BYOD users accessing virtual desktops.

Conditional Access Licensing

Enforcing security policies on BYOD devices through conditional access (requiring device compliance, MFA, approved apps, or managed browsers) requires Azure AD P1 at minimum. Azure AD P1 is included in M365 E3/E5 and Business Premium. Organisations on Business Basic or Standard lack conditional access and have limited ability to enforce security policies on personal devices.

The BYOD Licensing Summary

M365 E3/E5 covers nearly every BYOD requirement out of the box: Office app installation on personal devices, Intune APP for data protection, conditional access through Azure AD P1, VDA rights for virtual desktop access, and Defender for Endpoint (E5 only, or add-on to E3). Organisations on Business Standard or below face a patchwork of add-ons. See Business vs Enterprise plans.

Remote Desktop Services: The Forgotten Licence

RDS CALs are the licensing requirement that generates the most audit findings in remote work environments. Remote Desktop Services (RDS) is the Windows Server role that enables session-based remote desktops and RemoteApp delivery. Every user or device that connects to an RDS session host needs an RDS CAL, and it is separate from the Windows Server CAL, separate from the M365 licence, and separate from any VDI licence.

When RDS CALs Are Required

Any time a user connects to a Windows Server running the Remote Desktop Session Host role to access a desktop session or published application. This includes Citrix XenApp/Virtual Apps environments using RDS session hosts (most do), VMware Horizon session-based desktops, and direct RDP connections to terminal servers. Azure Virtual Desktop does NOT require RDS CALs, a deliberate Microsoft incentive to drive AVD adoption.

User CAL vs Device CAL

RDS User CALs are assigned to a specific user and allow connection from any device. RDS Device CALs are assigned to a specific device and allow any user on that device. For remote/hybrid work where users connect from multiple personal devices, User CALs are almost always the correct choice. A single User CAL covers the employee from home laptop, tablet, or phone. Device CALs make sense only in shared-device scenarios (call centres, nursing stations).

The RDS Compliance Gap

RDS CALs are frequently under-purchased because the licensing requirement is invisible to the user experience. No licence key is checked. No access is blocked. RDS gracefully allows unlicensed connections for a 120-day grace period and then simply logs a warning that most administrators never see.

Microsoft audit teams, however, compare RDS connection logs against RDS CAL purchases with precision. The gap between actual connections and purchased CALs is invoiced at list price during the audit settlement.

See common Microsoft audit findings and the audit CIO playbook.

Teams Rooms and Shared-Space Licensing

The conference room down the hall has a 65-inch display, a camera, a speaker bar, and a touch console running Microsoft Teams Rooms. That system needs its own licence, and it is not covered by any user's Microsoft 365 subscription.

Teams Rooms Licensing

Teams Rooms Basic (free, limited to 25 rooms per tenant) provides basic meeting join and calendar capabilities. Teams Rooms Pro (~$40/device/month) provides advanced features: intelligent audio and video, front-row layout, cloud-managed updates, dual-screen support, and advanced analytics. For enterprises with more than 25 meeting rooms, Teams Rooms Pro is the only option with full functionality.

Teams Phone Licensing

Common-area phones (lobby phones, breakroom phones, reception desks) need Microsoft Teams Phone licences. The Common Area Phone licence (~$8/device/month) provides basic calling capabilities for shared phones. If the phone needs a calling plan (PSTN connectivity), an additional calling plan or Operator Connect subscription is required.

The Licensing Oversight

Shared-space devices are physical things in the building, not people in Active Directory. They are easily overlooked in licence counts, true-up reporting, and renewal planning. An enterprise with 200 meeting rooms and 50 common-area phones has $108,000/year in Teams Rooms and phone licensing that has nothing to do with per-user M365 costs. Ensure these device licences are tracked separately and included in the EA or CSP agreement.

Security Licensing for the Remote Workforce

Remote work expands the attack surface. Users connect from unmanaged networks, personal devices, and locations outside the corporate perimeter. The security tools that protect them are licensed through the M365 plan or as add-ons.

M365 E3: The Baseline

Azure AD P1 (conditional access, MFA enforcement, self-service password reset), Intune (device compliance, app protection), Microsoft Defender Antivirus (managed through Intune), Azure Information Protection P1 (sensitivity labels, basic classification), and Data Loss Prevention for Exchange, SharePoint, and Teams. For most remote work security requirements, E3 is sufficient.

M365 E5: The Advanced Layer

Azure AD P2 (risk-based conditional access, automatically blocking or requiring step-up authentication for risky sign-ins based on location, device, or behaviour), Microsoft Defender for Endpoint P2 (endpoint detection and response), Defender for Office 365 Plan 2 (advanced anti-phishing), Cloud App Security (CASB for detecting shadow IT), and Defender for Identity (detecting compromised credentials).

The remote-work-specific security gap: The single most valuable E5 security feature for remote work is risk-based conditional access through Azure AD P2. This analyses every sign-in and assigns a risk score based on impossible travel, anonymous IPs, atypical travel, malware-linked IPs, and unfamiliar sign-in properties. High-risk sign-ins are automatically blocked. For a workforce distributed across home networks, coffee shops, and co-working spaces, this is the primary defence against credential theft. If full E5 is not justified, the Azure AD P2 add-on can be applied to E3 licences. See maximising security with E5 add-ons.

The Compliance Dimension: Data Governance in Remote Work

Remote work creates data governance challenges that have direct licensing implications. Corporate data now lives on personal devices, in personal cloud storage, and in screenshots taken on unmanaged screens. The Microsoft tools that address these challenges are plan-gated.

Data Loss Prevention (DLP)

Preventing users from sharing sensitive data through unauthorised channels is available in M365 E3 for Exchange, SharePoint, and Teams. E5 extends DLP to endpoint devices (Endpoint DLP), monitoring and blocking sensitive data transfers on the device itself: copy to USB, print, upload to personal cloud storage. For remote workers handling sensitive data on managed devices, Endpoint DLP provides protection that network-based DLP cannot match outside the corporate network.

Information Barriers

Preventing communication between groups that should not interact (legal and trading, research and sales) is an E5-only feature. For regulated industries with remote workers, Information Barriers are a compliance necessity, not a convenience feature.

Insider Risk Management

Monitoring for anomalous data exfiltration behaviour (a departing employee downloading unusual volumes of data before their last day) is an E5-only capability that becomes more critical when employees work remotely and physical observation of workplace behaviour is impossible.

Communication Compliance

Monitoring Teams chats and emails for regulatory compliance (required in financial services for communication surveillance) is an E5-only feature. Remote work means more communication happens in Teams chat rather than in-person, increasing the volume requiring surveillance in regulated environments.

For regulated industries with remote workforces, E5 Compliance features are not optional. They are the licensing equivalent of regulatory infrastructure. The E5 add-on strategy allows targeted deployment to user populations subject to these requirements without upgrading the entire organisation.

The Cost Optimisation Framework: Matching Licences to Work Patterns

The single most effective cost optimisation in remote/hybrid licensing is matching the licence to the user's actual work pattern rather than defaulting everyone to the same plan.

Segment by Work Pattern, Not Job Title

Office-primary users (4–5 days/week in office) need standard M365 E3 and no VDI licence. Hybrid users (2–3 days remote) need M365 E3 on a company device. VDI is rarely necessary if the device is managed through Intune. Remote-first users (4–5 days remote) may benefit from AVD or Windows 365 if the organisation requires a controlled virtual desktop. Frontline workers on shared devices need M365 F3 and potentially a shared device licence.

Avoid Paying Twice for the Same Capability

M365 E3 includes Intune, conditional access, and VDA rights. If you are paying for a separate Intune licence, a separate Azure AD P1 subscription, or a separate VDA subscription for users who already have E3, you are paying twice. Audit your licence assignments against add-on purchases. See eliminating redundant licensing.

Choose the Right VDI Model on Licensing Economics

AVD multi-session: $13–$25/month infrastructure on top of M365.
Windows 365: $28–$158/month all-in, minimal management.
Citrix/VMware on Azure: highest cost (M365 + Azure + platform licence).
On-premise VDI: most licensing layers (Windows Server + RDS CALs + VDA + platform licence); generally the most expensive when all layers are properly accounted for.

Negotiate Remote Work Licensing in the EA

Remote work licences (Windows 365, Teams Rooms Pro, RDS CALs, Intune add-ons) should be included in the EA negotiation rather than purchased separately at list price. Bundling provides volume pricing and locks in favourable terms. See key leverage points for Microsoft deals.

Track Shared-Space Licences Separately

Teams Rooms, common-area phones, shared desktops, and kiosk devices each have device-based licensing separate from per-user M365. Create a separate licence inventory for shared-space devices and include them in true-up reporting. These device licences are frequently missed, creating compliance gaps that surface at audit.

The most common licensing mistake in remote work is treating it as a simple extension of office licensing. A remote worker on a personal device connecting to a virtual desktop in Azure through a Citrix gateway, joining a Teams meeting on a Teams Room, and accessing SharePoint on a personal phone touches six different Microsoft licensing models in a single workday. Enterprises that map these models once, comprehensively and accurately, avoid years of compliance exposure and cost leakage. Those that do not discover the gaps when Microsoft's audit team maps them instead.

Frequently Asked Questions

Do I need a VDI licence if employees work from home on company laptops?

No. If the employee is using a company-owned Windows device with a valid Windows licence and accessing M365 cloud services (Exchange, Teams, SharePoint, OneDrive) remotely, no additional VDI licence is required. VDI licensing only applies when the employee accesses a virtual Windows desktop hosted on a server or in the cloud. A company laptop connecting directly to M365 services via the internet is the simplest and lowest-cost remote work model from a licensing perspective.

Does Azure Virtual Desktop require RDS CALs?

No. Azure Virtual Desktop does not require RDS CALs. The Windows access rights required for AVD are included in qualifying M365 licences (E3, E5, F3, Business Premium) or Windows Enterprise E3/E5 per-user subscriptions. This is a deliberate Microsoft incentive to encourage AVD adoption over on-premise or third-party VDI solutions, which do require RDS CALs for session-based desktops.

What is the cheapest way to provide virtual desktops to remote workers?

For organisations with existing M365 E3 licences, Azure Virtual Desktop with Windows 11 Enterprise multi-session is the lowest-cost option. The M365 E3 licence includes Windows access rights at no additional cost. The only expense is Azure compute and storage, which can be optimised through Reserved Instances (30–72% savings), auto-scaling (shutting down session hosts outside business hours), and right-sizing VM configurations. The effective per-user cost is typically $13–$25/month for infrastructure.

Do BYOD users need separate licences?

The M365 licence covers Office app installation on personal devices (up to 5 PCs/Macs, 5 tablets, 5 phones per user) and access to all M365 cloud services. No separate per-device licence is needed. However, if BYOD users access virtual desktops and their M365 plan does not include Windows Enterprise rights (e.g., F3 or Business Basic), a separate VDA subscription is required. M365 E3 and E5 include VDA rights, eliminating this cost.

Do Teams Rooms need their own licences?

Yes. Teams Rooms devices require a separate licence not covered by any user's M365 subscription. Teams Rooms Basic (free, limited to 25 rooms) provides basic meeting functionality. Teams Rooms Pro (~$40/device/month) provides the full feature set including intelligent audio/video, cloud management, and advanced analytics. Common-area phones similarly require their own licences (~$8/device/month).

Which M365 plan is best for a fully remote workforce?

Microsoft 365 E3 is the best starting point for a fully remote workforce. It includes Office desktop apps for installation on personal or company devices, Intune for device management and app protection on BYOD, Azure AD P1 for conditional access and MFA, Windows Enterprise rights (including VDA for virtual desktop access), DLP for data protection, and eDiscovery for compliance. If the organisation faces advanced threats or regulatory surveillance requirements, E5 or targeted E5 add-ons (E5 Security, E5 Compliance) address the gaps.

Fredrik Filipsson

Remote Work & VDI Licensing Expert, Redress Compliance

Fredrik brings over 20 years of experience in enterprise software licensing and contract negotiations. His expertise spans Oracle, Microsoft, SAP, Salesforce, IBM, ServiceNow, Workday, and Broadcom, helping global enterprises navigate complex licensing structures for distributed workforces.
