Microsoft 365 Licensing Optimisation Assessment
We audit your endpoint management licensing stack across Intune, Defender, Entra, Autopilot, and Autopatch — mapping what you're paying, what you're using, what's redundant, and what's missing. See our Microsoft Intune licensing guide and our Microsoft audit compliance playbook.
1. The Endpoint Management Licensing Landscape
Microsoft's endpoint management portfolio is not a single product — it's an ecosystem of interlocking services, each with its own licensing model, each included in different M365 SKUs, and each sold as a standalone add-on for organisations that don't have the right base plan. Understanding the landscape requires mapping six product families that collectively constitute "endpoint management" in a modern Microsoft environment. For the broader M365 licensing context, see our M365 E3 vs E5 vs F3 comparison and enterprise plan selection playbook.
The six product families are:

- Microsoft Intune — the core device management and mobile application management platform. Enrols devices, deploys policies, manages applications, enforces compliance. Three tiers: Plan 1, Plan 2, Intune Suite.
- Windows Autopilot — zero-touch device provisioning that configures new hardware automatically from cloud policy. Included partially in Intune Plan 1, fully in Plan 2/Suite.
- Microsoft Defender for Endpoint — endpoint detection and response (EDR), threat protection, and vulnerability management. Separate licence from Intune, included in M365 E5 but not E3.
- Microsoft Entra ID (formerly Azure AD) — identity and access management, including the conditional access policies that determine which devices can access which resources. P1 included in M365 E3; P2 (with risk-based conditional access) in E5.
- Windows Autopatch — automated Windows Update management. Included in specific M365 tiers.
- Windows 365 Cloud PC — cloud-hosted Windows desktops that replace physical endpoints. Separate per-user per-month subscription, not included in any M365 plan.

See our Entra ID licensing guide.
The licensing complexity arises because these six product families are included in different M365 SKUs at different levels, creating a matrix where "what's included" depends on which base plan you have — and the answer is different for E3, E5, Business Premium, F1, F3, and standalone subscriptions. The result: most organisations have partial endpoint management coverage from their M365 subscription and don't know which capabilities are missing.
2. Microsoft Intune: Plan 1, Plan 2, and the Intune Suite
Microsoft restructured Intune licensing in 2023, splitting the product into three tiers. This restructuring is the single largest source of confusion in endpoint management licensing — because organisations that had "Intune" through their M365 E3 subscription now have "Intune Plan 1," which excludes capabilities that were previously included or that the organisation assumed were included.
Intune Plan 1 (Included in M365 E3, E5, Business Premium, F1, F3)
Plan 1 is the base tier — the Intune that comes with your M365 subscription. It covers the core device management scenarios that most organisations need for basic endpoint management:

- Mobile Device Management (MDM) for Windows, iOS, Android, and macOS — enrol devices, deploy configuration profiles, enforce compliance policies (PIN requirements, encryption, OS version).
- Mobile Application Management (MAM) — deploy and manage applications without requiring full device enrolment (critical for BYOD scenarios).
- Conditional access integration — devices must meet compliance policies before accessing M365 resources (requires Entra ID, included in E3/E5).
- Basic reporting and device inventory.
- App protection policies for Outlook, Teams, and OneDrive on personal devices.
Plan 1 is sufficient for organisations that need to enrol devices, push basic policies, manage applications, and enforce compliance as a condition of M365 access. For many organisations — particularly those with a homogeneous Windows fleet managed primarily through Group Policy or SCCM, with Intune used for mobile device management — Plan 1 covers the requirement.
Intune Plan 2 ($4/User/Month Add-On to Plan 1)
Plan 2 adds capabilities that organisations managing complex or specialised device fleets need — and that many IT teams assume are included in Plan 1 because they were part of the pre-2023 "Intune" product:

- Microsoft Tunnel for Mobile Application Management — VPN capability for managed apps on iOS and Android without full device enrolment (MAM Tunnel). Critical for organisations that need secure access to on-premises resources from personal mobile devices without requiring MDM enrolment.
- Specialised device management — management of purpose-built devices: AR/VR headsets (HoloLens), large smart-screen devices, conference room hardware, and IoT-class devices running Windows IoT Enterprise.
- Linux endpoint management — enrolment and compliance policies for Linux desktops (Ubuntu). If your developer population uses Linux, Plan 1 doesn't cover their devices.
Plan 2 is not a mass-deployment tier — it's a targeted add-on for specific user populations. Most organisations don't need Plan 2 for all users; they need it for the 5–15% of users who have specialised device requirements (Linux developers, frontline workers with AR/VR, conference room managers). See our M365 add-on licensing guide.
Intune Suite ($10/User/Month Add-On to Plan 1)
The Intune Suite is Microsoft's premium endpoint management tier — and it contains capabilities that many security-conscious organisations need but don't know are separate from their E5 subscription:

- Remote Help — screen-sharing remote assistance for the IT helpdesk to support enrolled devices (similar to TeamViewer/BeyondTrust functionality).
- Endpoint Privilege Management — allow standard users to perform specific elevated tasks (installing approved applications, running specific admin tools) without granting full local administrator rights. A critical zero-trust capability that most organisations implement through third-party tools (CyberArk, BeyondTrust) because they don't know Intune offers it.
- Advanced Endpoint Analytics — device performance scoring, anomaly detection, and proactive remediation scripts.
- Microsoft Cloud PKI — cloud-based certificate authority for issuing and managing certificates for device authentication without on-premises PKI infrastructure.
- Firmware-over-the-air (FOTA) — manage firmware updates on Android devices.
- Microsoft Intune Enterprise Application Management — curated catalogue of pre-packaged third-party Win32 applications with automated deployment and update management.
The Intune Suite is where Microsoft competes directly with third-party endpoint management vendors — privileged access management, remote support, certificate management. At $10/user/month, the Suite is a significant line item ($120/user/year, $600K annually for a 5,000-user organisation). But if it replaces standalone tools (CyberArk Endpoint Privilege Manager at $8–$15/user/month, BeyondTrust Remote Support at $5–$10/user/month, Venafi certificate management), the consolidation economics can be favourable.
| Capability | Plan 1 (in M365 E3/E5) | Plan 2 ($4/user/mo) | Intune Suite ($10/user/mo) |
|---|---|---|---|
| MDM for Windows/iOS/Android/macOS | ✅ | ✅ | ✅ |
| MAM / App protection policies | ✅ | ✅ | ✅ |
| Conditional access integration | ✅ | ✅ | ✅ |
| Linux endpoint management | ❌ | ✅ | ✅ |
| Specialised device management (AR/VR/IoT) | ❌ | ✅ | ✅ |
| MAM Tunnel (VPN without MDM) | ❌ | ✅ | ✅ |
| Remote Help | ❌ | ❌ | ✅ |
| Endpoint Privilege Management | ❌ | ❌ | ✅ |
| Advanced Endpoint Analytics | ❌ | ❌ | ✅ |
| Cloud PKI | ❌ | ❌ | ✅ |
| Enterprise App Management | ❌ | ❌ | ✅ |
3. Windows Autopilot: What's Included and What's Not
Windows Autopilot is Microsoft's zero-touch provisioning technology — the capability that lets an organisation ship a new laptop directly from Dell or Lenovo to an employee's home, and when the employee powers it on and signs in with their corporate credentials, the device automatically configures itself: enrolls in Intune, applies compliance policies, installs applications, and joins Azure AD/Entra ID. No imaging, no IT staging area, no USB keys. For organisations with distributed workforces, Autopilot transformed device provisioning from a 2–4 hour manual process per device to a 30-minute automated one.
Autopilot licensing: The base Autopilot experience (device registration, user-driven deployment, self-deploying mode for shared devices) is included in Intune Plan 1 — and therefore included in M365 E3/E5 at no additional cost. This is the Autopilot that most organisations use and that most organisations need. Autopilot device preparation (the newer, streamlined provisioning flow introduced in 2024) is also included in Plan 1.

What requires additional licensing: Advanced Autopilot scenarios that depend on Intune Suite capabilities — specifically, pre-provisioning with Endpoint Privilege Management (allowing Autopilot-deployed devices to have granular admin rights without full local admin) requires the Intune Suite ($10/user/month). Organisations that use Autopilot for kiosk or shared device deployment at scale may also benefit from Plan 2 for specialised device management.
The practical licensing implication: most organisations get full Autopilot value from their M365 E3/E5 subscription. Autopilot is not a separate licence line item for the standard use case. The upsell to Plan 2 or Intune Suite is driven by the device management capabilities, not by Autopilot itself.
4. Defender for Endpoint: The Security Layer You Need to Budget Separately
This is where the endpoint management licensing conversation intersects with security licensing — and where the largest unplanned costs typically emerge. Microsoft Defender for Endpoint is the EDR (Endpoint Detection and Response) platform that provides advanced threat protection, vulnerability management, attack surface reduction, and automated investigation/remediation. The full EDR tier (Plan 2) is not included in Microsoft 365 E3; E3 carries only the prevention-focused Plan 1. See our M365 E5 security add-ons playbook for the complete security licensing analysis.
Defender for Endpoint Plan 1 (Included in M365 E3)
M365 E3 includes Defender for Endpoint Plan 1 — which provides next-generation anti-malware protection, attack surface reduction rules, device-based conditional access, and centralized management through the Microsoft Defender portal. Plan 1 is a solid baseline: it replaces traditional antivirus (Symantec, McAfee, Trend Micro) with cloud-delivered protection that integrates natively with Intune and Entra conditional access. However, Plan 1 does not include EDR (endpoint detection and response), automated investigation, threat analytics, or vulnerability management — the capabilities that security teams consider essential for modern threat detection.
Defender for Endpoint Plan 2 (Included in M365 E5, or $5.20/User/Month Add-On)
Plan 2 adds full EDR — the capability that detects, investigates, and responds to advanced threats that bypass prevention controls. Automated investigation and remediation (AIR), threat analytics, advanced hunting (KQL-based threat hunting across endpoint telemetry), endpoint vulnerability management, and attack simulation training. Plan 2 is what security teams mean when they say "Defender for Endpoint" — and it's included in M365 E5 but requires a separate add-on ($5.20/user/month) for organisations on M365 E3.
The licensing trap: organisations on M365 E3 deploy Intune for device management and believe they have "endpoint security covered" because Defender Plan 1 is included. Plan 1 provides prevention; it does not provide detection and response. The gap between Plan 1 and Plan 2 is the gap between antivirus (blocking known threats) and EDR (detecting unknown threats, investigating incidents, responding automatically). For any organisation facing regulatory requirements for threat detection and incident response capabilities (PCI DSS, HIPAA, SOX, CMMC), Defender for Endpoint Plan 2 is not optional — and at $5.20/user/month, it's the single most expensive endpoint management add-on for E3 customers.
Defender for Endpoint Server
Defender for Endpoint licences cover client endpoints (Windows, macOS, iOS, Android, Linux). Server protection requires a separate licence — Microsoft Defender for Servers, available through Azure Defender (Plan 1 at ~$5/server/month, Plan 2 at ~$15/server/month) or through the Defender for Endpoint Server add-on in the EA. This is a frequently missed licensing requirement: organisations deploy Defender for Endpoint across their client fleet and assume it covers servers. It doesn't.
5. Entra ID (Azure AD): The Conditional Access Gate
Microsoft Entra ID (formerly Azure Active Directory) is the identity platform that underlies every endpoint management decision — because conditional access policies determine which devices can access which resources based on compliance state, location, risk level, and user identity. Entra ID licensing directly affects endpoint management capability.
Entra ID P1 (Included in M365 E3): Provides conditional access with basic policies — require MFA, require compliant device (via Intune), block access from untrusted locations. P1 conditional access is policy-based: you define rules, and they apply uniformly. This covers the majority of conditional access scenarios.

Entra ID P2 (Included in M365 E5, or $9/User/Month Add-On): Adds risk-based conditional access — policies that adapt based on real-time risk signals. If Entra ID Identity Protection detects a sign-in from an impossible travel location or a credential leaked on the dark web, P2 conditional access can automatically require step-up authentication, block access, or force a password reset. P2 also includes Privileged Identity Management (PIM) for just-in-time admin access and access reviews for periodic entitlement certification.
The endpoint management implication: risk-based conditional access (P2) makes Intune compliance policies dramatically more effective — because device compliance isn't evaluated in isolation but in combination with user risk signals. A compliant device used by a compromised identity still grants access under P1; under P2, the compromised identity triggers additional controls. For organisations building a zero-trust endpoint strategy, Entra ID P2 is a foundational requirement — and at $9/user/month as a standalone add-on, it's the most expensive component of the endpoint management stack for E3 customers.
6. Windows Autopatch and Update Management
Windows Autopatch is Microsoft's managed update service — automating Windows quality updates, feature updates, driver updates, and Microsoft 365 Apps updates using deployment rings, monitoring, and automated rollback. Autopatch addresses one of the most operationally expensive aspects of endpoint management: patch management, which typically consumes 15–25% of endpoint team capacity.
Licensing: Windows Autopatch is included in M365 E3 and E5 (and Business Premium) at no additional cost. It's one of the few endpoint management capabilities that doesn't carry a separate licence line item. However, there is a requirements nuance: Autopatch requires Intune enrolment (devices must be Intune-managed), Entra ID joined or hybrid joined, and Windows 10/11 Enterprise or Education. Devices running Windows Pro (common in SMB and BYOD scenarios) are not eligible for Autopatch through M365 E3 — they require a Windows Enterprise E3/E5 upgrade, which is a separate add-on for organisations that purchased M365 Business Premium rather than M365 E3/E5.
The practical implication: if your device fleet is primarily Windows Enterprise (typical for organisations on M365 E3/E5), Autopatch is available at no additional cost and should be activated. If a portion of your fleet is Windows Pro (acquired through OEM, not upgraded to Enterprise through subscription), those devices need a licence upgrade before Autopatch can manage them.
7. Windows 365 Cloud PC: The Endpoint You Don't Own
Windows 365 represents a different model of endpoint management — instead of managing a physical device, you manage a cloud-hosted virtual Windows desktop. The Cloud PC runs in Microsoft's cloud, is accessed from any device (thin client, personal laptop, tablet), and is fully managed through Intune. The licensing model is entirely separate from M365.
Windows 365 pricing: Per-user per-month subscription based on the Cloud PC configuration — vCPU, RAM, and storage. Ranges from approximately $28/user/month (2 vCPU, 4 GB RAM, 64 GB storage — basic task worker) to $158+/user/month (8 vCPU, 32 GB RAM, 512 GB storage — power user/developer). These are significant per-user costs that sit outside the M365 subscription entirely.

What's included: Windows Enterprise licence, Intune management, Entra ID join, and Microsoft-managed infrastructure.

What's not included: M365 productivity apps (the user still needs an M365 E3/E5/Business subscription for Outlook, Teams, Word), Defender for Endpoint (requires a separate licence), and the Intune Suite capabilities (if needed, a separate add-on).
The endpoint management licensing implication: Windows 365 shifts endpoint cost from CapEx (physical device hardware depreciated over 3–4 years) to OpEx (monthly subscription), but doesn't eliminate the rest of the licensing stack. A fully managed Windows 365 Cloud PC user still needs M365 E3/E5 (for productivity apps + Intune Plan 1), potentially Defender for Endpoint Plan 2 (for EDR), and potentially the Intune Suite (for privilege management and remote help). The Cloud PC subscription replaces the hardware cost, not the management and security licensing.
8. The Full Stack: What $47/User/Month Actually Buys
The fully loaded endpoint management cost for a single user — every tier, every add-on, every security layer — reveals the true per-user economics that most organisations have never calculated as a unified number.
| Component | Included In | Add-On Cost (if on E3) | Add-On Cost (if on E5) |
|---|---|---|---|
| Intune Plan 1 (MDM, MAM, compliance) | M365 E3/E5 | $0 | $0 |
| Intune Plan 2 (Linux, specialised devices) | Not included | $4/user/mo | $4/user/mo |
| Intune Suite (Remote Help, EPM, Cloud PKI) | Not included | $10/user/mo | $10/user/mo |
| Defender for Endpoint P2 (EDR) | M365 E5 | $5.20/user/mo | $0 |
| Entra ID P2 (risk-based conditional access) | M365 E5 | $9/user/mo | $0 |
| Windows Autopatch | M365 E3/E5 | $0 | $0 |
| Windows Autopilot (standard) | M365 E3/E5 | $0 | $0 |
| Windows 365 Cloud PC (4 vCPU/8 GB) | Not included | ~$41/user/mo | ~$41/user/mo |
Scenario 1 — M365 E3 base, maximum endpoint management: E3 ($36/user/mo) + Intune Plan 2 ($4) + Intune Suite ($10) + Defender P2 ($5.20) + Entra P2 ($9) = $64.20/user/month. The endpoint management add-ons ($28.20) cost 78% of the E3 base licence itself.
Scenario 2 — M365 E5 base, maximum endpoint management: E5 ($57/user/mo) + Intune Plan 2 ($4) + Intune Suite ($10) = $71/user/month. E5 absorbs Defender P2 and Entra P2, so the add-on cost drops to $14/user/month. The E5 upgrade from E3 costs $21/user/month but absorbs $14.20/user/month of add-ons — making the net cost of E5's additional security and compliance features only $6.80/user/month. For organisations that need both Defender P2 and Entra P2, the E3-to-E5 upgrade is cheaper than buying the add-ons separately.
Scenario 3 — M365 E3 base, practical endpoint management (most organisations): E3 ($36/user/mo) + Defender P2 ($5.20) = $41.20/user/month. This covers Intune Plan 1 (MDM/MAM), Defender for Endpoint with full EDR, Entra P1 conditional access, Autopilot, and Autopatch. For 80% of organisations, this is the practical stack — Plan 2, the Intune Suite, and Entra P2 are valuable but not universally required.
9. Optimisation Strategies: Reducing the Endpoint Management Bill
Strategy 1: The E5 Consolidation Play
If more than 60% of your user base needs Defender for Endpoint P2 and/or Entra ID P2, upgrading from E3 to E5 is almost always cheaper than buying add-ons. The breakeven: if you need 2+ security add-ons that are included in E5, the upgrade is cost-neutral or cost-positive. Model the comparison using our E5 security add-ons playbook. Critical negotiation point: the E3-to-E5 upgrade should be negotiated at EA renewal, not mid-term, to secure volume-based E5 pricing. Mid-term upgrades are typically priced at list; renewal upgrades can be discounted 15–25% in combination with other EA commitments.
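The per-user stack in section 8 and the E3-versus-E5 breakeven in Strategy 1 are the same calculation applied to different requirement sets. The model below is an added example, not code from this page or from Microsoft: it encodes the page's inclusion matrix and list prices (E3 $36, E5 $57, Plan 2 $4, Intune Suite $10, Defender P2 $5.20, Entra P2 $9, and the Defender for Office 365 P2 $5 figure from the FAQ) and generalises the three scenarios to any combination of components. The component keys, `BASE_PLANS`/`COMPONENTS` tables and the `e5_extras_value` parameter are this example's own assumptions, and the prices are the page's quoted list figures, not a live price list.

```python
"""Per-user endpoint management cost model.

Added example, not part of the original page. Prices are the USD per user
per month list figures quoted on the page; the component keys and the
inclusion map are this example's own encoding of the page's inclusion
matrix (assumptions), not Microsoft's price list.
"""

# Base plan list prices quoted on the page.
BASE_PLANS = {"E3": 36.00, "E5": 57.00}

# component -> (standalone add-on price, base plans that already include it)
COMPONENTS = {
    "intune_plan1": (0.00, {"E3", "E5"}),    # MDM/MAM/compliance, in every plan
    "intune_plan2": (4.00, set()),           # Linux, specialised devices, MAM Tunnel
    "intune_suite": (10.00, set()),          # Remote Help, EPM, Cloud PKI, ...
    "defender_endpoint_p2": (5.20, {"E5"}),  # full EDR; E3 carries only Plan 1
    "entra_p2": (9.00, {"E5"}),              # risk-based conditional access, PIM
    "defender_office_p2": (5.00, {"E5"}),    # figure quoted in the page's FAQ
    "autopatch": (0.00, {"E3", "E5"}),
    "autopilot": (0.00, {"E3", "E5"}),
}


def per_user_cost(base, wanted):
    """Return (total, add_on_spend) for a user on `base` who needs `wanted`.

    A component is charged at its add-on price only when the base plan does
    not already include it; an unknown component raises KeyError so a typo
    in a requirement set cannot silently become a $0 line.
    """
    if base not in BASE_PLANS:
        raise ValueError(f"unknown base plan: {base}")
    add_ons = 0.0
    for component in wanted:
        price, included_in = COMPONENTS[component]
        if base not in included_in:
            add_ons += price
    return round(BASE_PLANS[base] + add_ons, 2), round(add_ons, 2)


def e5_net_uplift(wanted):
    """Net monthly cost of moving a user from E3 to E5 for the same requirements.

    This is the E5 uplift left over after the add-ons it absorbs are netted
    off; it is what the remaining E5-only capabilities effectively cost.
    """
    e3_total, _ = per_user_cost("E3", wanted)
    e5_total, _ = per_user_cost("E5", wanted)
    return round(e5_total - e3_total, 2)


def recommend_base(wanted, e5_extras_value=0.0):
    """Choose E3 or E5 for one requirement set.

    `e5_extras_value` (assumed parameter) is the monthly value the
    organisation assigns to E5 capabilities it would not otherwise buy
    (eDiscovery, Power BI Pro, ...). E5 wins when its net uplift is
    covered by that value.
    """
    return "E5" if e5_net_uplift(wanted) <= e5_extras_value else "E3"


if __name__ == "__main__":
    maximum = {"intune_plan2", "intune_suite", "defender_endpoint_p2", "entra_p2"}
    for base in BASE_PLANS:
        total, add_ons = per_user_cost(base, maximum)
        print(f"{base}: ${total:.2f}/user/month (${add_ons:.2f} in add-ons)")
    print(f"E5 net uplift for that set: ${e5_net_uplift(maximum):.2f}")
```

With the page's figures, the maximum E3 stack resolves to $64.20 and the maximum E5 stack to $71.00, leaving a $6.80 net uplift for E5's remaining capabilities; the FAQ's three-add-on set leaves $1.80. The recommendation helper makes the breakeven explicit: E5 is the cheaper choice only once the organisation puts a value on the E5 capabilities it would not buy as add-ons.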
Strategy 2: Tiered Licensing by User Persona
Not every user needs the same endpoint management stack. The most cost-efficient approach is to define 3–4 user personas and map each to the minimum licensing required.
| Persona | Typical Role | Recommended Stack | Monthly Cost |
|---|---|---|---|
| Standard knowledge worker | Finance, HR, marketing, legal | M365 E3 + Defender P2 | $41.20 |
| Security-sensitive user | Executive, admin to sensitive data, IT admin | M365 E5 (or E3 + Defender P2 + Entra P2) | $57.00 (E5) |
| Developer / specialised device user | Software engineer, field tech, kiosk worker | M365 E3 + Intune Plan 2 | $40.00 |
| Frontline worker | Retail, warehouse, clinical | M365 F3 + Defender P1 (included) | $8.00 |
The savings from tiered licensing are substantial. A 5,000-user organisation with 3,000 standard workers, 500 security-sensitive, 500 developers, and 1,000 frontline workers pays approximately $196,000/month with tiered licensing vs $285,000/month with blanket E5 for all users — a 31% reduction. See our E3/E5/F3 guide for the frontline licensing analysis.
Strategy 3: Third-Party Replacement Audit
The Intune Suite ($10/user/month) is most valuable when it replaces third-party tools. Audit your current endpoint management tool inventory: if you're paying separately for remote support (TeamViewer, BeyondTrust), privileged access management (CyberArk EPM), certificate management (Venafi, DigiCert), or endpoint analytics (Nexthink, Lakeside), calculate the combined per-user cost of those tools. If the combined cost exceeds $10/user/month, the Intune Suite consolidation delivers savings plus tighter integration with the Microsoft stack. If the combined cost is below $10, or if your third-party tools serve use cases the Intune Suite doesn't cover, retain the existing stack.
Strategy 4: Negotiate Add-Ons at EA Renewal
Intune Plan 2, the Intune Suite, and Defender for Endpoint add-ons are all negotiable within the EA negotiation. Microsoft's list pricing is the starting point, not the final price — particularly when the add-ons are part of a larger EA commitment that includes base M365 licences, Azure consumption, and other workloads. Bundle endpoint management add-ons into the EA renewal negotiation to secure 10–20% discounts on list pricing. The add-ons should never be procured mid-term at list through the Microsoft admin portal when an EA renewal is within 12 months — the renewal is the negotiation event. See our EA price protections guide and Contract Negotiation Service.
Strategy 5: Audit Before You Buy
Before purchasing any endpoint management add-on, audit what you already have. Organisations that have acquired other companies, inherited different M365 tiers, or purchased security products at different times frequently discover that they already have licences for capabilities they're about to buy again. Run a licence entitlement audit across Intune, Defender, Entra, and M365 tiers to map exactly what each user is licensed for before ordering add-ons. Our EA Optimisation Service includes this entitlement audit as a standard first step. Visit the Microsoft Knowledge Hub for additional resources, or use our Microsoft Assessment Tools for self-service analysis.
10. Frequently Asked Questions
Intune Plan 1 is included in M365 E3, E5, Business Premium, F1, and F3. Plan 1 covers the core MDM, MAM, compliance, and conditional access integration that most organisations need. Intune Plan 2 ($4/user/month) and the Intune Suite ($10/user/month) are add-ons to any M365 plan — they are not included in E3 or E5. You only need to purchase these add-ons if you require the specific capabilities they include (Linux management, specialised devices, Remote Help, Endpoint Privilege Management, Cloud PKI). For most organisations, Plan 1 through M365 E3 is sufficient for standard endpoint management.
Yes — they serve different functions that work together. Intune manages the device (enrolment, configuration, compliance, application deployment). Defender for Endpoint protects the device (threat detection, EDR, vulnerability management). Intune can enforce that Defender is installed and running; Defender reports device risk signals to Intune and Entra conditional access. Without Intune, you can't enforce security policies or manage device compliance. Without Defender, you can't detect or respond to threats. They are complementary, not interchangeable. M365 E3 includes Intune Plan 1 and Defender Plan 1 (prevention only). M365 E5 includes Intune Plan 1 and Defender Plan 2 (prevention plus detection and response).
It depends on which add-ons you need — but if you need two or more of the security/compliance features included in E5, the upgrade is typically cheaper. The E3-to-E5 uplift is approximately $21/user/month. Defender for Endpoint P2 alone is $5.20, Entra P2 is $9, and Defender for Office 365 P2 is $5 — a combined $19.20 for just three add-ons. E5 includes all three plus Information Protection, eDiscovery, Compliance Manager, Audio Conferencing, and Power BI Pro. The incremental cost of all those additional E5 capabilities is effectively $1.80/user/month. For organisations on E3 that need advanced security, E5 is almost always the more cost-effective path. The key is to negotiate E5 pricing at EA renewal — mid-term upgrades at list pricing change the economics. See our E5 security add-ons playbook for the detailed comparison.
No — standard Windows Autopilot functionality (user-driven deployment, self-deploying mode, device registration, Autopilot device preparation) is included in Intune Plan 1, which is included in M365 E3/E5. There is no separate Autopilot licence. The only additional licensing arises when Autopilot workflows leverage capabilities from higher Intune tiers — for example, using Endpoint Privilege Management (Intune Suite) to configure granular admin rights during Autopilot provisioning. For the standard Autopilot use case (new device → user signs in → device self-configures), M365 E3 is all you need.
For any organisation with 1,000+ managed endpoints, the endpoint management licensing landscape is complex enough that independent Microsoft advisory services consistently identify savings and security gaps. The value comes from three areas: identifying add-on overlap (organisations frequently purchase standalone Defender, Entra, or Intune add-ons that are already included in their M365 tier), modelling the E3-vs-E5 breakeven (determining whether upgrading is cheaper than add-ons, by user persona), and negotiating add-on pricing at EA renewal (Intune Suite, Defender P2, and other add-ons are negotiable when bundled with the broader EA commitment). At Redress Compliance, endpoint management licensing is analysed as part of our EA Optimisation Service — we map the full per-user cost stack, identify redundancies, model optimisation scenarios, and negotiate the optimal licensing structure at renewal. Our Microsoft Advisory Services cover the complete M365 licensing lifecycle.