The shift to remote and hybrid work did not just change where people work. It changed what they need to be licensed for. An employee in the office, on a company-owned laptop, connected to the corporate network, has a straightforward licensing profile. The same employee working from home, on a personal device, connecting through a VPN to a virtual desktop running in Azure, accessing Teams on a personal phone and a shared conference room system, has a licensing profile that touches six different Microsoft licensing models simultaneously — and most enterprises are getting at least two of them wrong. The compliance exposure is real: Microsoft’s audit teams have identified remote work licensing as a growth area for non-compliance findings since 2022. The cost optimisation opportunity is equally real: enterprises that understand the licensing mechanics of remote work avoid paying twice for capabilities that overlap, eliminate licences for access methods they do not use, and choose the right virtual desktop strategy based on licensing economics rather than marketing. This guide covers every Microsoft licensing dimension of remote and hybrid work — from the virtual desktop decision to the BYOD policy to the Teams Room in the conference room down the hall that nobody remembers to license.
When an employee works in the office on a company-owned Windows device, the licensing is simple: one Microsoft 365 licence (E3 or E5) covers the Office applications, email, Teams, and most of the security tools. The device came with a Windows Pro licence. The corporate network provides connectivity. One user, one device, one licence.
Remote and hybrid work breaks this model. The same user now touches multiple licensing layers simultaneously:
Layer 1 — The Microsoft 365 subscription. The user still needs their M365 licence for Office, Exchange, Teams, and SharePoint. This layer does not change.
Layer 2 — The device operating system. If the user is on a company-owned Windows device, the Windows licence came with the hardware. If the user is on a personal device (BYOD), the Windows licence belongs to the user — the enterprise has no control over its version, patch level, or security configuration. If the user connects to a virtual desktop, a separate Windows licence covers the virtual environment.
Layer 3 — The virtual desktop (if applicable). Azure Virtual Desktop, Windows 365, Citrix Virtual Apps and Desktops, or VMware Horizon each have their own licensing model for the Windows session, the hosting infrastructure, and the management layer.
Layer 4 — Remote Desktop Services. If the enterprise uses RDS for application delivery or session-based desktops, RDS CALs (Client Access Licences) are required per user or per device accessing the RDS host.
Layer 5 — Security and device management. Conditional access policies, Intune device compliance, Defender for Endpoint, and Azure AD P1/P2 features used to secure remote access are licensed through the M365 plan or as add-ons.
Layer 6 — Collaboration hardware. Teams Rooms devices, Teams Phones, and shared-space technology in meeting rooms require their own licences, separate from user licences.
Six layers. Six licensing models. Six opportunities to overpay or under-license. The rest of this guide works through each layer systematically.
Virtual Desktop Infrastructure (VDI) is the most licensing-intensive decision in remote work architecture. The enterprise must choose between four approaches, each with fundamentally different licensing economics. For the foundational overview, see the CIO playbook for remote work and VDI.
Azure Virtual Desktop is Microsoft’s cloud-hosted virtual desktop platform, and it has the most favourable licensing model of any VDI option — by design, because Microsoft wants you on Azure.
What you need to license: A qualifying Microsoft 365 licence (E3, E5, F3, Business Premium) or a Windows Enterprise E3/E5 per-user subscription includes the right to access Azure Virtual Desktop at no additional Windows licensing cost. The enterprise pays only for the Azure compute and storage consumed by the AVD session hosts. There is no separate VDI licence, no RDS CAL, and no additional per-user fee for the virtual desktop itself.
The economics: For an enterprise already paying for Microsoft 365 E3, AVD effectively adds only the Azure infrastructure cost. A typical AVD session host running Windows 11 multi-session for 10–15 users costs approximately $200–$400/month in Azure compute (depending on VM size, region, and reserved instance pricing). That translates to $13–$40/user/month for the infrastructure — with the Windows licence already included in the M365 subscription. When combined with Azure Reserved Instances (30–72% savings) and Azure Hybrid Benefit for the underlying Windows Server hosts, the effective per-user cost drops further.
The unique advantage: AVD is the only VDI solution that supports Windows 10/11 Enterprise multi-session — a special version of Windows that allows multiple concurrent user sessions on a single VM, similar to a terminal server but with a full Windows desktop experience. This multi-session capability dramatically reduces the number of VMs needed (and therefore the Azure compute cost) compared to single-session VDI where each user gets their own VM. Multi-session is exclusive to AVD and is not available on Citrix or VMware running on other cloud providers or on-premise.
The catch: AVD runs exclusively on Azure. If your organisation has a multi-cloud strategy or regulatory requirements that prevent certain workloads from running on Azure, AVD is not an option. The Azure consumption cost can also be unpredictable for organisations without mature Azure cost governance. For more detail, see our Microsoft Customer Agreement guide.
Windows 365 is Microsoft’s fixed-price cloud desktop offering. Unlike AVD (consumption-based), Windows 365 provides each user with a dedicated Cloud PC at a predictable monthly per-user price.
What you need to license: A Windows 365 subscription ($28–$158/user/month depending on configuration: vCPUs, RAM, and storage). The subscription includes the Windows licence, the Azure compute, and the management layer. A qualifying Microsoft 365 licence (E3/E5/Business/F3) is a prerequisite, but some Windows 365 SKUs include certain M365 components. Additionally, an Intune licence is required (included in M365 E3/E5 and Business Premium).
The economics: Windows 365 trades cost efficiency for simplicity. A Windows 365 Enterprise 2 vCPU / 8 GB / 128 GB configuration costs approximately $40/user/month. The equivalent AVD configuration for the same user might cost $15–$25/month (multi-session, optimised, with reserved instances). Windows 365 is more expensive per user, but the cost is fixed, predictable, and requires minimal Azure expertise to manage. For organisations without Azure infrastructure teams, the operational simplicity may justify the premium.
When it makes sense: Windows 365 is optimal for organisations with a small to medium number of remote users (50–500) who each need a persistent, dedicated desktop. It is particularly effective for contractors or temporary workers who need a secure corporate desktop without corporate hardware — the Cloud PC can be provisioned in minutes and deprovisioned when the engagement ends. It is less cost-effective at scale (1,000+ users) where AVD’s multi-session and consumption optimisation deliver significantly lower per-user costs.
Enterprises with existing Citrix Virtual Apps and Desktops or VMware Horizon investments can run these platforms on Azure while leveraging some Microsoft licensing benefits.
What you need to license: The Microsoft 365 or Windows E3/E5 per-user licence provides Windows access rights for the virtual desktop. The Azure infrastructure is billed on consumption. On top of this, the enterprise needs Citrix or VMware licences (per-user or per-concurrent-user, depending on the product and edition). RDS CALs may be required depending on the Citrix/VMware architecture (session-based desktops using RDS require CALs; VDI desktops typically do not).
The economics: This is the most expensive VDI option from a licensing perspective because you are paying for three layers: Microsoft licensing (M365 + potentially RDS CALs), Azure infrastructure, and the third-party VDI platform licence. However, for enterprises with deep Citrix/VMware expertise, existing management investments, and complex application delivery requirements that AVD cannot yet match (advanced load balancing, application layering, profile management), the operational value may justify the licensing premium.
The critical detail: When running Citrix or VMware on Azure, the Windows multi-session benefit is NOT available. Multi-session is exclusive to AVD. This means each user on Citrix/VMware on Azure requires either their own dedicated VM (single-session VDI) or an RDS-based session host with RDS CALs. The per-user infrastructure cost is significantly higher than AVD because you cannot share VMs across users through multi-session.
Running VDI on-premise with Citrix or VMware in the enterprise’s own data centre has a different licensing structure entirely.
What you need to license: Windows Server licences for each physical host (Datacenter Edition for unlimited VMs, or Standard Edition with stacking for limited VMs). RDS CALs for every user or device accessing the session-based desktops. VDA (Virtual Desktop Access) subscriptions for users accessing full VDI desktops from non-Windows devices or personal devices — unless the user’s primary device is a company-owned Windows device with Software Assurance, which includes VDA rights. Plus the Citrix/VMware platform licences.
The VDA trap: Virtual Desktop Access (VDA) is the licensing provision that catches more enterprises than any other in on-premise VDI. If a user accesses a virtual Windows desktop from a personal device (a home laptop, a tablet, a thin client running Linux), the enterprise needs either a Windows VDA subscription ($10–$12/user/month from Microsoft), or the user’s primary device must be a company-owned Windows device with active Software Assurance. Microsoft 365 E3 and E5 include Windows Enterprise rights that satisfy the VDA requirement, which is one of the strongest licensing arguments for M365 E3 in VDI environments — the VDA subscription alone costs $10–$12/month, and E3 includes it along with the entire Office/security/compliance suite. See Software Assurance benefits for the complete picture.
Bring Your Own Device (BYOD) is the default reality for most hybrid workforces. Employees use personal laptops, tablets, and phones to access corporate resources. The licensing implications are more extensive than most organisations realise.
The Microsoft 365 licence follows the user, not the device. An employee with an M365 E3 licence can install Office on up to 5 personal PCs/Macs, 5 tablets, and 5 phones. Accessing Exchange Online, Teams, SharePoint, and OneDrive from a personal device is covered by the user’s M365 licence. No additional per-device licence is needed for these cloud services.
Device management licensing: Managing personal devices through Intune requires an Intune licence (included in M365 E3/E5 and Business Premium). However, on BYOD devices, enterprises typically deploy Intune App Protection Policies (APP) rather than full device enrollment. APP protects corporate data within managed apps (Outlook, Teams, OneDrive) without requiring the user to enroll their personal device. The APP approach is covered by the standard Intune licence — no additional cost. But enterprises that require full device enrollment for BYOD (which is increasingly rare due to employee resistance) need to ensure their Intune licensing covers the additional device management complexity.
Virtual desktop access licensing: If BYOD users access a virtual Windows desktop (whether AVD, Windows 365, or on-premise VDI), the VDA licensing question activates. As described above, M365 E3/E5 includes the Windows Enterprise rights that satisfy VDA. Enterprises on Business plans or with users who only have M365 F3 licences need separate VDA subscriptions for BYOD users accessing virtual desktops.
Conditional access licensing: Enforcing security policies on BYOD devices through conditional access (requiring device compliance, MFA, approved apps, or managed browsers before granting access to corporate resources) requires Azure AD P1 at minimum. Azure AD P1 is included in M365 E3/E5 and Business Premium. Organisations on Business Basic or Standard lack conditional access and have limited ability to enforce security policies on personal devices.
The BYOD licensing checklist: M365 E3/E5 covers nearly every BYOD licensing requirement out of the box: Office app installation on personal devices, Intune APP for data protection, conditional access through Azure AD P1, VDA rights for virtual desktop access, and Defender for Endpoint (E5 only, or as an add-on to E3). Organisations on Business Standard or below face a patchwork of add-ons and third-party tools to achieve equivalent BYOD coverage. For the plan comparison, see Business vs Enterprise plans.
RDS CALs are the licensing requirement that generates the most audit findings in remote work environments. Remote Desktop Services (RDS) is the Windows Server role that enables session-based remote desktops and RemoteApp delivery. Every user or device that connects to an RDS session host needs an RDS CAL — and the RDS CAL is separate from the Windows Server CAL, separate from the Microsoft 365 licence, and separate from any VDI licence.
When RDS CALs are required: Any time a user connects to a Windows Server running the Remote Desktop Session Host role to access a desktop session or a published application. This includes Citrix XenApp/Virtual Apps environments that use RDS session hosts (which most do), VMware Horizon session-based desktops, and direct RDP connections to terminal servers. Azure Virtual Desktop does NOT require RDS CALs — this is a deliberate Microsoft incentive to drive AVD adoption.
User CAL vs Device CAL: RDS User CALs are assigned to a specific user and allow that user to connect from any device. RDS Device CALs are assigned to a specific device and allow any user on that device to connect. For remote/hybrid work where users connect from multiple personal devices, User CALs are almost always the correct choice — a single User CAL covers the employee regardless of whether they connect from their home laptop, a tablet, or a phone. Device CALs make sense only in shared-device scenarios (call centres, nursing stations) where multiple users share a single fixed device.
The compliance gap: RDS CALs are frequently under-purchased because the licensing requirement is invisible to the user experience. No licence key is checked. No access is blocked. RDS gracefully allows unlicensed connections for a 120-day grace period and then simply logs a warning that most administrators never see. Microsoft audit teams, however, compare RDS connection logs against RDS CAL purchases with precision. The gap between actual connections and purchased CALs is invoiced at list price during the audit settlement. See common Microsoft audit findings and the audit CIO playbook.
The conference room down the hall has a 65-inch display, a camera, a speaker bar, and a touch console running Microsoft Teams Rooms. That system needs its own licence — and it is not covered by any user’s Microsoft 365 subscription.
Teams Rooms licensing options: Microsoft Teams Rooms Basic (free, limited to 25 rooms per tenant) provides basic meeting join and calendar capabilities. Microsoft Teams Rooms Pro (~$40/device/month) provides advanced features: intelligent audio and video, front-row layout, cloud-managed updates, dual-screen support, and advanced analytics. For enterprises with more than 25 meeting rooms, Teams Rooms Pro is the only option with full functionality.
Teams Phone licensing: Common-area phones (lobby phones, breakroom phones, reception desks) need Microsoft Teams Phone licences. The Common Area Phone licence (~$8/device/month) provides basic calling capabilities for shared phones. If the phone needs a calling plan (PSTN connectivity), an additional calling plan or Operator Connect subscription is required.
The licensing oversight: Shared-space devices are physical things in the building, not people in Active Directory. They are easily overlooked in licence counts, true-up reporting, and renewal planning. An enterprise with 200 meeting rooms and 50 common-area phones has $108,000/year in Teams Rooms and phone licensing that has nothing to do with per-user Microsoft 365 costs. Ensure these device licences are tracked separately from user licences and included in the EA or CSP agreement. See true-up management.
Remote work expands the attack surface. Users connect from unmanaged networks, personal devices, and locations outside the corporate perimeter. The security tools that protect them are licensed through the Microsoft 365 plan or as add-ons.
M365 E3 provides the baseline: Azure AD P1 (conditional access, MFA enforcement, self-service password reset), Intune (device compliance, app protection), Microsoft Defender Antivirus (managed through Intune), Azure Information Protection P1 (sensitivity labels, basic classification), and Data Loss Prevention for Exchange, SharePoint, and Teams. For most remote work security requirements, E3 is sufficient.
M365 E5 adds the advanced layer: Azure AD P2 (risk-based conditional access — automatically blocking or requiring step-up authentication when a sign-in is flagged as risky based on location, device, or behaviour), Microsoft Defender for Endpoint P2 (endpoint detection and response for managed and, with limitations, unmanaged devices), Defender for Office 365 Plan 2 (advanced anti-phishing with detonation sandboxing), Cloud App Security (CASB — critical for detecting shadow IT used by remote workers), and Microsoft Defender for Identity (detecting compromised credentials).
The remote-work-specific security gap: The single most valuable E5 security feature for remote work is risk-based conditional access through Azure AD P2. This feature analyses every sign-in attempt and assigns a risk score based on impossible travel (user signs in from London and Tokyo within an hour), anonymous IP addresses, atypical travel, malware-linked IP addresses, and unfamiliar sign-in properties. High-risk sign-ins are automatically blocked or require additional verification. For a workforce distributed across home networks, coffee shops, and co-working spaces, risk-based conditional access is the primary defence against credential theft. If full E5 is not justified, the Azure AD P2 add-on can be applied to E3 licences for the users who need it. See maximising security with E5 add-ons.
Remote work creates data governance challenges that have direct licensing implications. Corporate data now lives on personal devices, in personal cloud storage, and in screenshots taken on unmanaged screens. The Microsoft tools that address these challenges are plan-gated.
Data Loss Prevention (DLP): Preventing users from sharing sensitive data through unauthorised channels is available in M365 E3 for Exchange, SharePoint, and Teams. E5 extends DLP to endpoint devices (Endpoint DLP) — monitoring and blocking sensitive data transfers on the device itself, including copy to USB, print, and upload to personal cloud storage. For remote workers handling sensitive data on company-managed devices, Endpoint DLP (E5 or E5 Compliance add-on) provides a level of data protection that network-based DLP cannot match when users are outside the corporate network.
Information Barriers: Preventing communication between groups that should not interact (legal and trading, research and sales) is an E5-only feature. For regulated industries with remote workers, Information Barriers are a compliance necessity, not a convenience feature.
Insider Risk Management: Monitoring for anomalous data exfiltration behaviour (a departing employee downloading unusual volumes of data before their last day) is an E5-only capability that becomes more critical when employees work remotely and the physical observation of workplace behaviour is impossible.
Communication Compliance: Monitoring Teams chats and emails for regulatory compliance (required in financial services for communication surveillance) is an E5-only feature. Remote work means more communication happens in Teams chat rather than in-person conversation, increasing the volume of communications that require surveillance in regulated environments.
For organisations in regulated industries with remote workforces, E5 Compliance features are not optional — they are the licensing equivalent of regulatory infrastructure. The E5 add-on strategy allows targeted deployment to the user populations subject to these requirements without upgrading the entire organisation.
The single most effective cost optimisation in remote/hybrid licensing is matching the licence to the user’s actual work pattern rather than defaulting everyone to the same plan.
Office-primary users (in the office 4–5 days/week) need standard M365 E3 and no VDI licence.
Hybrid users (2–3 days remote) need M365 E3 on a company device — VDI is rarely necessary if the device is managed and secured through Intune.
Remote-first users (4–5 days remote) may benefit from AVD or Windows 365 if the organisation requires a controlled virtual desktop for security or compliance reasons.
Frontline workers (retail, manufacturing) on shared devices need M365 F3 and potentially a shared device licence rather than a per-user VDI solution.
M365 E3 includes Intune, conditional access, and VDA rights. If you are paying for a separate Intune licence, a separate Azure AD P1 subscription, or a separate VDA subscription for users who already have E3, you are paying twice. Audit your licence assignments against your add-on purchases to identify overlap. See eliminating redundant licensing.
AVD with multi-session: lowest per-user cost ($13–$25/month infrastructure on top of existing M365 licence), requires Azure expertise.
Windows 365: predictable cost ($28–$158/month all-in), requires minimal management, best for small deployments.
Citrix/VMware on Azure: highest licensing cost (M365 + Azure + platform licence), justified only when platform-specific features are required.
On-premise VDI: requires Windows Server + RDS CALs + VDA (or M365 E3) + platform licence, generally the most expensive option when all licensing layers are properly accounted for.
Remote work licences (Windows 365, Teams Rooms Pro, RDS CALs, Intune add-ons) should be included in the EA negotiation rather than purchased separately at list price. Bundling remote work components into the EA provides volume pricing and locks in favourable terms for the EA duration. See key leverage points for Microsoft deals.
Teams Rooms, common-area phones, shared desktops, and kiosk devices each have device-based licensing that is separate from the per-user Microsoft 365 count. Create a separate licence inventory for shared-space devices and include them in true-up reporting. These device licences are frequently missed in true-up counts, creating compliance gaps that surface at audit.
“The most common licensing mistake in remote work is treating it as a simple extension of office licensing. It is not. A remote worker on a personal device connecting to a virtual desktop in Azure through a Citrix gateway, joining a Teams meeting on a Teams Room, and accessing SharePoint on a personal phone touches six different Microsoft licensing models in a single workday. Enterprises that map these models once — comprehensively and accurately — avoid years of compliance exposure and cost leakage. Those that do not discover the gaps when Microsoft’s audit team maps them instead.” — Fredrik Filipsson, Co-Founder, Redress Compliance
No. If the employee is using a company-owned Windows device with a valid Windows licence, accessing Microsoft 365 cloud services (Exchange, Teams, SharePoint, OneDrive) remotely, no additional VDI licence is required. VDI licensing only applies when the employee accesses a virtual Windows desktop hosted on a server or in the cloud. A company laptop connecting directly to M365 services via the internet is the simplest and lowest-cost remote work model from a licensing perspective.
No. Azure Virtual Desktop does not require RDS CALs. The Windows access rights required for AVD are included in qualifying Microsoft 365 licences (E3, E5, F3, Business Premium) or Windows Enterprise E3/E5 per-user subscriptions. This is a deliberate Microsoft incentive to encourage AVD adoption over on-premise or third-party VDI solutions, which do require RDS CALs for session-based desktops.
For organisations with existing Microsoft 365 E3 licences, Azure Virtual Desktop with Windows 11 Enterprise multi-session is the lowest-cost option. The M365 E3 licence includes the Windows access rights at no additional cost. The only expense is Azure compute and storage, which can be optimised through Reserved Instances (30–72% savings), auto-scaling (shutting down session hosts outside business hours), and right-sizing VM configurations. The effective per-user cost is typically $13–$25/month for infrastructure.
The Microsoft 365 licence covers Office app installation on personal devices (up to 5 PCs/Macs, 5 tablets, 5 phones per user) and access to all M365 cloud services. No separate per-device licence is needed. However, if BYOD users access virtual desktops and their M365 plan does not include Windows Enterprise rights (e.g., they are on F3 or Business Basic), a separate VDA subscription is required. M365 E3 and E5 include VDA rights, eliminating this cost.
Yes. Teams Rooms devices require a separate licence that is not covered by any user’s Microsoft 365 subscription. Teams Rooms Basic (free, limited to 25 rooms) provides basic meeting functionality. Teams Rooms Pro (~$40/device/month) provides the full feature set including intelligent audio/video, cloud management, and advanced analytics. Common-area phones similarly require their own licences (~$8/device/month).
Microsoft 365 E3 is the best starting point for a fully remote workforce. It includes: Office desktop apps for installation on personal or company devices, Intune for device management and app protection on BYOD, Azure AD P1 for conditional access and MFA, Windows Enterprise rights (including VDA for virtual desktop access), DLP for data protection, and eDiscovery for compliance. If the organisation faces advanced threats or regulatory surveillance requirements, E5 or targeted E5 add-ons (E5 Security, E5 Compliance) address the gaps.