Pillar Guide — Microsoft Intune Licensing 2026

Microsoft Intune Licensing Guide 2026: Standalone vs M365 Included, Plan 1 vs Plan 2, Suite Add-Ons, What M365 Actually Includes, and the Hidden Costs of Enterprise Endpoint Management.

Microsoft Intune has become the default endpoint management platform for enterprises invested in the Microsoft ecosystem. It manages Windows, macOS, iOS, Android, and Linux devices. It enforces compliance policies, deploys applications, configures security settings, and serves as the cornerstone of Zero Trust conditional access. And its licensing is a maze that traps enterprises into paying twice for capabilities they already own, purchasing add-ons they do not need, or under-licensing scenarios that leave devices unmanaged and unprotected. The core confusion: Intune is included in Microsoft 365 E3 and E5. But which Intune? Plan 1 only. Plan 2 capabilities — endpoint privilege management, advanced endpoint analytics, firmware management — require an add-on. The Intune Suite bundles all add-ons at a discount but costs an additional $10/user/month on top of your M365 subscription. Meanwhile, standalone Intune Plan 1 exists for organisations that do not have M365 E3/E5, and device-only licensing exists for scenarios where users do not need a full M365 licence. This guide maps every Intune licensing path, every add-on, every inclusion, and every cost trap — so that your enterprise pays for the endpoint management capabilities it actually needs and nothing more.

Updated February 2026 | 24 min read | Intune Enterprise Licensing
📘 This is the pillar guide for Microsoft Intune licensing. For the broader Microsoft licensing reference, see the Microsoft Licensing Guide 2026. For M365 plan comparisons, see M365 E3 vs E5 vs F3. For remote/hybrid work device management, see M365 Licensing for Remote & Hybrid Work.
$0: Additional Intune Cost If You Have M365 E3/E5
$10: Per User/Month for Full Intune Suite Add-On
Plan 1 + 2: Two Tiers Plus Individual Add-Ons
$4: Per Device/Month for Device-Only Licensing

Part 1: The Intune Licensing Landscape

Microsoft has restructured Intune licensing several times in recent years, and the 2026 model is the result of that evolution. Understanding the current structure requires mapping four distinct licensing paths and how they intersect with Microsoft 365 subscriptions.

The Four Licensing Paths

Path 1 — Included in Microsoft 365. Intune Plan 1 is included in Microsoft 365 E3, E5, F1, F3, Business Premium, and the standalone Enterprise Mobility + Security (EMS) E3 and E5 suites. If your users have any of these plans, they already have Intune Plan 1 at no additional cost. This is the path most enterprises follow, often without realising how much Intune capability they already own. For more detail, see our M365 add-on licensing guide.

Path 2 — Standalone Intune Plan 1. For organisations that do not have M365 E3/E5 or EMS — perhaps they use Google Workspace for productivity and only need Microsoft for device management — Intune Plan 1 is available as a standalone subscription at approximately $8/user/month.

Path 3 — Intune Plan 2 and individual add-ons. Advanced capabilities beyond Plan 1 are available as add-ons, purchased individually or bundled. Intune Plan 2 ($4/user/month add-on) provides advanced endpoint analytics, firmware management over the air, and specialised device management for mission-critical and VR/AR devices. Individual add-ons for specific capabilities (endpoint privilege management, remote help, enterprise application management) are each priced separately.

Path 4 — Intune Suite. The Microsoft Intune Suite bundles all Plan 2 capabilities and all individual add-ons into a single $10/user/month add-on. For enterprises that need three or more individual add-ons, the Suite is typically cheaper than purchasing them separately.

What This Means Commercially

An enterprise with 10,000 M365 E3 users already has Intune Plan 1 for all of them at no incremental cost. If that enterprise needs advanced endpoint analytics and endpoint privilege management for all users, the options are: Intune Plan 2 ($4 × 10,000 = $40,000/month) plus Endpoint Privilege Management add-on ($3 × 10,000 = $30,000/month) = $70,000/month total for the two capabilities, or the Intune Suite ($10 × 10,000 = $100,000/month) which includes everything. The Suite costs $30,000/month more but includes remote help, enterprise application management, advanced analytics, and Microsoft Cloud PKI — capabilities the enterprise may or may not need. The commercial decision depends on which specific add-on capabilities are required, for how many users, and whether the Suite’s bundle discount justifies paying for capabilities that are not immediately needed.

Part 2: Intune Plan 1 — What Is Actually Included

Intune Plan 1 is the base tier of Intune and provides a comprehensive endpoint management platform that covers the majority of enterprise device management requirements.

Device Management Capabilities

Multi-platform enrollment and management: Windows 10/11 (automatic enrollment through Azure AD join, bulk enrollment, Windows Autopilot), macOS (enrollment profiles, Apple Business Manager integration, platform SSO), iOS/iPadOS (supervised and unsupervised enrollment, Apple Business Manager, DEP integration), Android (Android Enterprise work profile, fully managed, dedicated devices, COPE), and Linux (Ubuntu and other supported distributions for basic compliance and configuration).

Device compliance policies: Define compliance rules (minimum OS version, encryption required, password complexity, jailbreak/root detection, threat level from Defender) and mark non-compliant devices. Compliance status integrates with Azure AD conditional access — non-compliant devices can be blocked from accessing corporate resources automatically. This integration is the foundation of Zero Trust device posture assessment.

Device configuration profiles: Deploy settings across the device fleet: Wi-Fi profiles, VPN configurations, email profiles, certificate deployment, Windows Hello for Business configuration, BitLocker encryption, firewall rules, and hundreds of other settings managed through configuration profiles.

Application management: Deploy applications to managed devices (Win32 apps, MSI, MSIX, LOB apps, Microsoft Store apps, iOS/Android store apps, web apps). Application configuration policies for managed apps. Application protection policies (MAM) for protecting corporate data within applications on both managed and unmanaged (BYOD) devices.

Windows Autopilot: Zero-touch provisioning that transforms a new device from factory state to fully configured corporate device without IT physically touching the hardware. The user powers on the device, signs in with corporate credentials, and Autopilot handles the rest: Azure AD join, Intune enrollment, policy application, application installation. For remote and hybrid workforces, Autopilot eliminates the need to ship devices through IT for imaging. See the remote and hybrid work licensing guide.

Endpoint security: Security baselines (pre-configured security settings aligned with Microsoft best practices), antivirus policy management, disk encryption management, firewall management, endpoint detection and response (EDR) policy deployment (when used with Defender for Endpoint), and attack surface reduction rules.

Conditional access integration: Intune device compliance status feeds directly into Azure AD conditional access policies (Azure AD P1, included in M365 E3/E5). This enables policies such as “only compliant devices can access Exchange Online” or “require MFA when accessing from an unmanaged device.” The Intune + conditional access combination is the operational backbone of Microsoft’s Zero Trust implementation for devices.

Reporting and analytics: Device inventory, compliance reports, application installation status, configuration profile deployment status, and operational dashboards. Plan 1 includes standard reporting; advanced analytics require Plan 2 or the Suite.

What Plan 1 Does NOT Include

Plan 1 is comprehensive for standard device management, but several advanced capabilities are explicitly excluded and require add-on licensing: Endpoint Privilege Management (managing local admin rights without giving users permanent admin access), advanced endpoint analytics (proactive remediations, custom device scopes, enhanced anomaly detection), Microsoft Tunnel for MAM (VPN-like connectivity for unmanaged devices without full device enrollment), remote help (IT helpdesk remote control of managed devices through Intune), enterprise application management (advanced application lifecycle management), firmware-over-the-air management (managing device firmware updates remotely), Microsoft Cloud PKI (cloud-based certificate issuance without on-premise PKI infrastructure), and specialised device management for mission-critical, VR, and AR devices.

Part 3: Intune Plan 2 and the Individual Add-Ons

The add-on ecosystem beyond Plan 1 is where the licensing complexity — and the cost — escalates.

Intune Plan 2 ($4/user/month)

Intune Plan 2 is an add-on to Plan 1 that provides advanced endpoint analytics with proactive remediations (automated scripts that detect and fix common device issues before users report them), firmware-over-the-air management (remotely managing BIOS/UEFI settings on supported devices, critical for security configuration management), and specialised device management for mission-critical devices (ruggedised devices in field operations), AR/VR headsets (HoloLens, Meta Quest for business), and purpose-built devices.

Who needs Plan 2: Enterprises with large Windows device fleets benefit most from advanced analytics and proactive remediations — the automated issue detection and resolution reduces helpdesk ticket volume by 10–25% in well-implemented deployments. Firmware management is essential for organisations with strict security requirements that mandate BIOS-level controls (secure boot configuration, TPM management) across the fleet. Specialised device management is relevant only for organisations deploying mission-critical or AR/VR devices at scale.

Endpoint Privilege Management ($3/user/month)

Endpoint Privilege Management (EPM) addresses one of the most persistent security challenges: managing local administrator rights on Windows devices. EPM allows standard users to perform specific elevated actions (installing approved applications, changing specific system settings) without granting permanent local admin access. When a user needs elevation, EPM can automatically approve based on policy, require business justification, or require IT approval.

Why it matters commercially: Many enterprises grant local admin rights to 30–60% of their knowledge workers because removing admin rights breaks too many workflows (application installations, printer configuration, VPN troubleshooting). Each local admin account is an attack surface. EPM provides the middle ground: remove permanent admin rights, reduce the attack surface, and grant temporary elevation for specific actions. Organisations with mature security postures or compliance requirements (NIST, CIS, ISO 27001) that mandate least-privilege access find EPM essential.

Remote Help ($3.50/user/month)

Remote Help provides IT helpdesk agents with the ability to remotely view and control managed devices directly through the Intune console. Unlike third-party remote access tools (TeamViewer, AnyDesk, LogMeIn), Remote Help integrates with Intune’s device management context: the helpdesk agent sees the device’s compliance status, installed applications, and recent events alongside the remote session. Role-based access controls determine which agents can view vs control, and audit logging tracks every session.

The replacement calculation: If the enterprise currently pays for a third-party remote support tool ($3–$8/agent/month or $15–$40/device/year), Remote Help may eliminate that cost while providing tighter integration with the Intune management platform. However, Remote Help currently supports Windows and Android only — organisations needing remote support for macOS and iOS must retain a third-party tool or accept that coverage gap.

Enterprise Application Management ($3/user/month)

Enterprise Application Management provides an enterprise app catalog with advanced application lifecycle capabilities: auto-update management for third-party applications (beyond the standard Win32 app deployment in Plan 1), application discovery (identifying applications installed on devices that are not managed through Intune), and streamlined packaging and deployment for common enterprise applications. This add-on targets organisations managing hundreds of applications across thousands of devices where the standard Plan 1 application deployment tools require excessive manual effort.

Microsoft Cloud PKI ($2/user/month)

Cloud PKI provides a cloud-based Public Key Infrastructure for issuing certificates to managed devices and users without requiring on-premise PKI infrastructure (Active Directory Certificate Services). For organisations deploying certificate-based authentication (Wi-Fi authentication, VPN authentication, S/MIME email encryption) to their managed device fleet, Cloud PKI eliminates the operational complexity and cost of maintaining on-premise certificate authorities, certificate revocation lists, and the associated Windows Server infrastructure.

The cost trade-off: On-premise PKI requires Windows Server licences, dedicated servers (or VMs), Active Directory Certificate Services configuration, certificate templates, revocation infrastructure, and ongoing operational management. For a small-to-mid-size enterprise, the fully loaded cost of on-premise PKI can be $2,000–$10,000/month when accounting for server licensing, infrastructure, and administration time. Cloud PKI at $2/user/month may be cheaper for organisations with fewer than 2,000–5,000 users, more expensive for very large organisations with amortised on-premise PKI infrastructure.

Microsoft Tunnel for MAM ($2/user/month)

Microsoft Tunnel for MAM provides per-app VPN-like connectivity for unmanaged (BYOD) devices without requiring full device enrollment. Standard Microsoft Tunnel (included in Plan 1) requires the device to be enrolled in Intune. Tunnel for MAM allows unmanaged devices running corporate apps (Outlook, Teams, Edge, LOB apps protected by MAM policies) to securely access on-premise resources through a managed tunnel — without the user enrolling their personal device. For BYOD-heavy organisations where employee resistance to device enrollment is a barrier, Tunnel for MAM provides secure access without the enrollment friction. See the BYOD licensing analysis in the remote work guide.

Part 4: The Intune Suite ($10/user/month)

The Microsoft Intune Suite bundles all Plan 2 capabilities and all individual add-ons into a single per-user subscription at $10/user/month. The Suite includes: Intune Plan 2 (advanced analytics, firmware management, specialised devices), Endpoint Privilege Management, Remote Help, Enterprise Application Management, Microsoft Cloud PKI, and Microsoft Tunnel for MAM.

The Suite Economics

Purchasing every add-on individually costs approximately $17.50/user/month ($4 Plan 2 + $3 EPM + $3.50 Remote Help + $3 Enterprise App Mgmt + $2 Cloud PKI + $2 Tunnel for MAM). The Suite at $10/user/month provides a 43% discount over individual add-on pricing. The Suite is cost-effective if you need three or more of the individual add-ons for the same user population.

The bundling trap: The Suite’s attractiveness depends on whether you actually need most of its capabilities. An enterprise that only needs Endpoint Privilege Management ($3/user/month) and advanced analytics from Plan 2 ($4/user/month) pays $7/user/month for those two capabilities individually. The Suite at $10/user/month costs $3 more per user for capabilities the enterprise may never deploy. Across 10,000 users, that $3 difference is $30,000/month or $360,000/year in unnecessary spend. The Suite is a good deal only if you will deploy the majority of its capabilities.

Deployment Targeting

A critical licensing optimisation: the Intune Suite and individual add-ons do not need to be deployed to every user. They can be assigned to specific user groups based on role and need. Endpoint Privilege Management for 5,000 knowledge workers who currently have local admin rights (not for 2,000 frontline workers on shared kiosks who never had admin access). Remote Help for 8,000 users managed by the helpdesk (not for 500 executives whose devices are managed by white-glove support). Enterprise Application Management for the 3,000 users in departments with complex application portfolios (not for 7,000 users who only use M365 applications).

Targeted deployment reduces add-on costs by 40–70% compared to enterprise-wide deployment. The licensing permits per-user assignment; take advantage of it.

Part 5: Intune Included in M365 — The Entitlement Map

The most common Intune licensing mistake is purchasing standalone Intune for users who already have it through their M365 subscription. Here is the complete entitlement map:

Plans That Include Intune Plan 1

Microsoft 365 E3: Includes Intune Plan 1, Azure AD P1, Windows Enterprise upgrade rights. Full device management, compliance, configuration, application management, Autopilot, endpoint security baselines, conditional access integration. This is the most common path to Intune for enterprise knowledge workers.

Microsoft 365 E5: Everything in E3 plus Azure AD P2 (risk-based conditional access, Privileged Identity Management). Intune capabilities are identical to E3 — M365 E5 does not include Intune Plan 2 or any Intune add-ons. The E5 premium goes to security (Defender for Endpoint P2, Cloud App Security), compliance (eDiscovery Premium, Insider Risk), and analytics (Power BI Pro, Viva Insights), not to Intune advanced features.

Microsoft 365 F1: Includes Intune Plan 1 for device management of frontline worker devices. F1 does not include Office desktop apps or full Exchange mailbox, but does include Intune for managing the devices these workers use. This is critical for retail, manufacturing, and healthcare organisations managing shared devices and kiosks assigned to frontline staff.

Microsoft 365 F3: Includes Intune Plan 1 with the same capabilities as F1 but with additional M365 services (web/mobile Office, 2GB mailbox, Teams). F3 is the standard frontline worker plan with full Intune device management included.

Microsoft 365 Business Premium: Includes Intune Plan 1 with a simplified management experience designed for small and mid-size businesses (300-user cap). The Intune capabilities in Business Premium are functionally equivalent to Plan 1 in the Enterprise plans, though the admin experience is streamlined. Organisations approaching or exceeding 300 users should plan the transition to Enterprise plans. See Business vs Enterprise plans.

Enterprise Mobility + Security E3 (EMS E3): A standalone suite that includes Intune Plan 1, Azure AD P1, Azure Information Protection P1, and Microsoft Defender for Cloud Apps (discovery only). EMS E3 is relevant for organisations that have Office 365 (not Microsoft 365) and need to add device management without upgrading to a full M365 plan. EMS E3 costs approximately $11/user/month.

Enterprise Mobility + Security E5 (EMS E5): EMS E3 plus Azure AD P2, Azure Information Protection P2, and Microsoft Defender for Cloud Apps (full). Approximately $16.40/user/month. Relevant for organisations needing the advanced identity and security capabilities alongside Intune without committing to a full M365 E5 subscription.

Plans That Do NOT Include Intune

Microsoft 365 Business Basic ($6/user/month): No Intune. No device management beyond basic mobile device policies via Basic Mobility and Security (a limited, legacy MDM capability that is not Intune). Organisations on Business Basic that need device management must either upgrade to Business Premium or purchase standalone Intune.

Microsoft 365 Business Standard ($12.50/user/month): No Intune. Same limitation as Business Basic. Business Standard provides desktop Office apps and cloud services but no device management. The upgrade to Business Premium ($22/user/month) adds Intune, Defender for Business, Azure AD P1, and Azure Information Protection P1 — a $9.50/month premium that is almost always justified if device management is needed.

Office 365 E1, E3, E5: The legacy Office 365 plans (as distinct from Microsoft 365 plans) do not include Intune. Organisations still on Office 365 plans need standalone Intune or EMS to add device management. Microsoft has been encouraging migration from Office 365 to Microsoft 365 plans, which bundle Intune, Azure AD P1, and Windows Enterprise rights into the subscription.

Part 6: Standalone Intune Licensing

Standalone Intune Plan 1 is available for approximately $8/user/month for organisations that do not have a qualifying M365 or EMS subscription. This is the appropriate path for enterprises using Google Workspace or another productivity suite that need Microsoft-based device management, or for organisations licensing Intune for contractors, temporary workers, or partners who do not have corporate M365 licences.

Device-Only Licensing ($4/device/month)

Intune offers a device-only licensing model for scenarios where devices need management but are not associated with specific users. Typical scenarios include shared kiosks, digital signage, conference room devices, and industrial IoT-adjacent devices. Device-only licensing provides device enrollment, compliance policies, configuration profiles, and application deployment — but does not include user-based capabilities like conditional access (which requires a user identity with Azure AD P1), user-targeted application deployment, or MAM policies.

When device-only makes sense: A retail enterprise with 2,000 kiosk devices in stores that rotate through many part-time employees. User-based licensing would require Intune licences for every part-time employee (potentially 8,000+ users at $8 each = $64,000/month). Device-only licensing covers 2,000 devices at $4 each = $8,000/month. The 8x cost difference makes device-only the correct choice for shared-device scenarios.

When device-only does NOT make sense: Any scenario requiring conditional access, user-based compliance, or MAM policies. If the device management use case includes “block non-compliant devices from accessing Exchange Online” or “protect corporate data in Outlook on personal devices,” user-based licensing is required because these capabilities depend on user identity and Azure AD integration that device-only licensing does not provide.

Part 7: Co-Management with SCCM/MECM

Many enterprises have invested heavily in System Center Configuration Manager (SCCM, now Microsoft Endpoint Configuration Manager/MECM) for Windows device management. The transition from SCCM to Intune is rarely a clean cutover — it is typically a co-management period where both platforms manage the device fleet simultaneously, with workloads gradually shifting from SCCM to Intune.

Licensing for Co-Management

Co-management requires both SCCM/MECM licensing (System Center licences or equivalent) and Intune licensing. Users in a co-managed environment need Intune Plan 1 (through M365, EMS, or standalone) for the Intune side, and the organisation needs System Center licences for the SCCM side. There is no co-management discount or bundled pricing — both licensing costs run in parallel during the transition period.

The transition economics: The operational case for co-management is strong (gradual migration reduces risk), but the licensing case requires planning. Enterprises should define a co-management timeline with clear workload migration milestones. Each workload migrated from SCCM to Intune (compliance policies, Windows Update management, device configuration, application deployment) reduces the dependency on SCCM infrastructure. When all workloads are fully managed by Intune, the SCCM/System Center licences can be retired — eliminating the System Center licensing cost (approximately $5–$24/server/month for System Center Datacenter in SPLA, or the equivalent EA cost) and the on-premise infrastructure cost for SCCM servers, distribution points, and management points.

Timeline recommendation: Plan a 12–24 month co-management period with quarterly workload migration gates. At each gate, assess which workloads have been migrated, which SCCM infrastructure can be decommissioned, and what System Center licensing can be retired. The licensing savings from retiring SCCM often offset a significant portion of the Intune add-on costs that the enterprise may choose to invest in during the same period. See Windows Server and System Center SAM guidance.

Part 8: BYOD and Unmanaged Device Scenarios

Intune’s licensing model distinguishes between managed devices (enrolled in Intune with full device management) and unmanaged devices (personal devices where only corporate applications are protected). This distinction has direct licensing implications.

MAM Without Enrollment (MAM-WE)

Intune’s Mobile Application Management without enrollment (MAM-WE) protects corporate data within managed applications (Outlook, Teams, OneDrive, Edge, LOB apps) on personal devices without enrolling the device in Intune. App Protection Policies (APP) enforce data protection rules: prevent copy-paste of corporate data to personal apps, require PIN/biometric to open corporate apps, wipe corporate data remotely without affecting personal data, and block screenshots of corporate content.

Licensing requirement: MAM-WE requires an Intune Plan 1 licence for each user, even though the device is not enrolled. The licence is user-based, not device-based. A user with M365 E3 already has this licence. A user on M365 Business Standard (which does not include Intune) would need a standalone Intune licence or an upgrade to Business Premium to use MAM-WE.

The BYOD licensing optimisation: MAM-WE is the most cost-effective approach for BYOD because it requires only the per-user Intune licence (which M365 E3/E5 users already have) without any device-specific licensing. Full device enrollment of BYOD devices provides additional management capability but does not require additional Intune licensing beyond the same per-user Plan 1 licence. The choice between MAM-WE and full enrollment is an operational and privacy decision, not a licensing cost decision (assuming the user already has M365 E3/E5).

Conditional Access for BYOD

Enforcing conditional access policies on BYOD devices (requiring device compliance, approved client app, app protection policy, or managed browser before granting access) requires Azure AD P1 — included in M365 E3/E5 and Business Premium. Organisations on M365 Business Basic or Standard cannot enforce conditional access because Azure AD P1 is not included. For BYOD security, M365 E3 or Business Premium is the minimum viable plan: it provides both Intune (for MAM policies) and Azure AD P1 (for conditional access enforcement). See the remote and hybrid work licensing guide for the complete BYOD analysis.

Part 9: Frontline Worker Scenarios

Frontline workers — retail staff, manufacturing operators, healthcare workers, field service technicians — create specific Intune licensing considerations because they often share devices, use devices intermittently, and do not need the full M365 knowledge worker experience.

M365 F1 and F3 for Frontline

M365 F1 (~$2.25/user/month) and F3 (~$8/user/month) both include Intune Plan 1 for device management. F1 provides device management for users who do not need Office apps or a full mailbox — ideal for workers who use shared devices to clock in, access shift schedules, or view training materials. F3 adds web/mobile Office apps, a 2GB mailbox, and Teams — suitable for frontline workers who need basic communication and collaboration tools alongside their managed device.

Shared device mode: Intune supports shared device mode on Android and iOS, which allows multiple frontline workers to sign in and out of a single device with their individual identities. When a worker signs out, their session data is cleared and the device is ready for the next worker. Shared device mode is included in Intune Plan 1 and is particularly valuable for healthcare (clinical devices shared across shifts), retail (POS and task management devices), and manufacturing (ruggedised devices on the factory floor). Each worker who uses the shared device needs their own M365 F1/F3 licence; the device itself does not need a separate device licence when users are licensed.

Device-only for kiosks: Devices that do not require user sign-in (digital signage, informational kiosks, single-purpose devices) should use device-only licensing ($4/device/month) rather than attempting to assign user licences. This avoids both over-licensing (assigning user licences to a device that has no specific user) and under-licensing (managing the device without any licence).

Part 10: Cost Optimisation Strategies

1. Audit for duplicate Intune licensing

The most common waste: standalone Intune licences purchased for users who already have Intune through M365 E3/E5. Pull the Intune licence assignment report and cross-reference against M365 licence assignments. Every user with both M365 E3 (which includes Intune) and a standalone Intune licence is double-licensed. Remove the standalone licence and save $8/user/month. In enterprises that adopted Intune before migrating to M365 E3/E5, duplicate licences can affect 10–20% of the user base.

2. Deploy add-ons to targeted user groups, not enterprise-wide

Intune Plan 2, EPM, Remote Help, and other add-ons should be assigned based on role and need, not blanket-deployed. Endpoint Privilege Management for users who currently have local admin rights (typically 30–60% of the workforce, not 100%). Remote Help for users supported by the helpdesk (may exclude VIP users with white-glove support, and shared devices managed on-site). Advanced analytics for the Windows fleet (not iOS/Android devices where the analytics capabilities are less relevant). Targeted deployment typically reduces add-on costs by 40–70%.

3. Calculate the Suite crossover point

Map the add-ons you actually need and their per-user prices. If the individual add-on total exceeds $10/user/month, the Intune Suite is cheaper. If the total is below $10, individual add-ons are cheaper. Common crossover: needing Plan 2 ($4) + EPM ($3) + one more add-on ($2–$3.50) = $9–$10.50 individually vs $10 for the Suite. At three or more add-ons, the Suite is almost always the better deal. At one or two add-ons, individual purchasing is usually cheaper.

4. Use device-only licensing for shared and unattended devices

Every shared kiosk, digital signage display, or unattended device that is managed through user-based licensing is over-licensed. Device-only licensing at $4/device/month is the correct and cheaper choice. For a retail enterprise with 3,000 shared devices and 15,000 rotating frontline workers, device-only licensing for the shared devices saves thousands of dollars monthly compared to licensing every worker for device management.

5. Evaluate third-party tool replacement

Intune add-ons may replace existing third-party tools: Remote Help replaces TeamViewer/AnyDesk/LogMeIn ($3–$8/agent/month or $15–$40/device/year). Endpoint Privilege Management replaces CyberArk EPM, BeyondTrust, or Thycotic ($2–$6/endpoint/month). Cloud PKI replaces on-premise Active Directory Certificate Services (operational savings of $2,000–$10,000/month for server infrastructure and administration). Enterprise Application Management may reduce dependency on third-party application packaging and deployment tools. Calculate the all-in cost: Intune add-on pricing minus retired third-party licensing minus infrastructure savings = net cost impact.

6. Plan the SCCM retirement timeline

For co-managed environments, every month that SCCM and Intune run in parallel is a month of dual licensing cost. Define workload migration milestones with quarterly reviews. Track System Center licence costs, SCCM infrastructure costs (servers, distribution points, SQL Server back end), and operational costs (SCCM administration FTE time). Map these costs against the Intune add-on investments to demonstrate that the migration is cost-neutral or cost-positive when SCCM retirement savings are factored in.

7. Negotiate Intune add-ons within the EA

Intune Plan 2 and Suite licences purchased as part of an EA renewal provide more negotiation leverage than mid-term add-on purchases. Bundle Intune add-ons with the M365 renewal, Azure commitments, and any Copilot purchases to maximise the commercial conversation. Volume commitments for Intune Suite across a large user base may secure discounts of 10–20% below list pricing. See key leverage points for Microsoft deals.

“Most enterprises already own Intune and do not know it. M365 E3 includes Intune Plan 1, which covers 80–90% of endpoint management requirements for the majority of organisations. The add-on ecosystem — Plan 2, EPM, Remote Help, the Suite — addresses genuine advanced capabilities, but the licensing complexity invites over-purchasing. The enterprises that manage Intune licensing well start with a clear inventory of what their M365 subscriptions already include, deploy add-ons to targeted user groups based on demonstrated need, and evaluate the Suite crossover point with actual numbers rather than bundle enthusiasm. The ones that manage it poorly purchase the Suite for everyone because the per-user price looks reasonable, only to discover that 60% of the capabilities go unused and 40% of the users never needed them.” — Fredrik Filipsson, Co-Founder, Redress Compliance

Frequently Asked Questions

Is Intune included in Microsoft 365 E3?

Yes. Microsoft 365 E3 includes Intune Plan 1 at no additional cost. Plan 1 provides comprehensive device management: multi-platform enrollment, compliance policies, device configuration, application management, Windows Autopilot, endpoint security baselines, and conditional access integration. Plan 2 and advanced add-ons (Endpoint Privilege Management, Remote Help, etc.) require additional licensing.

What is the difference between Intune Plan 1 and Plan 2?

Plan 1 covers standard device management (enrollment, compliance, configuration, applications, Autopilot, security baselines). Plan 2 ($4/user/month add-on) adds advanced endpoint analytics with proactive remediations, firmware-over-the-air management, and specialised device management for mission-critical and AR/VR devices. Plan 1 is included in M365 E3/E5. Plan 2 is always an add-on, even for E5 users.

How much does the Intune Suite cost?

The Microsoft Intune Suite costs $10/user/month as an add-on to Plan 1 (which is included in M365 E3/E5). It bundles all Plan 2 capabilities plus Endpoint Privilege Management, Remote Help, Enterprise Application Management, Microsoft Cloud PKI, and Microsoft Tunnel for MAM. Purchasing all add-ons individually would cost approximately $17.50/user/month, so the Suite provides a 43% discount. It is cost-effective if you need three or more of the individual add-ons.

Can I use Intune without Microsoft 365?

Yes. Intune Plan 1 is available as a standalone subscription at approximately $8/user/month without requiring an M365 or Office 365 subscription. This is appropriate for organisations using Google Workspace or other productivity suites that need Microsoft-based device management. Intune device-only licensing ($4/device/month) is also available for shared devices without associated users.

Do BYOD users need Intune licences?

If you are applying Intune App Protection Policies (MAM without enrollment) to protect corporate data on personal devices, each user needs an Intune Plan 1 licence. Users with M365 E3/E5 already have this licence. Users on M365 Business Standard or below would need standalone Intune or an upgrade to Business Premium. The device itself does not need a separate licence for MAM — the per-user licence covers any number of the user's devices.

Does M365 E5 include more Intune than E3?

No. M365 E3 and E5 both include the same Intune Plan 1. E5 does not include Intune Plan 2 or any Intune add-ons. The E5 premium provides advanced security (Defender for Endpoint P2, Cloud App Security), advanced identity (Azure AD P2), and advanced compliance (eDiscovery Premium, Insider Risk) — not advanced Intune capabilities. Intune Plan 2 and the Intune Suite are separate add-on purchases regardless of whether the user has E3 or E5.

Need Help Optimising Intune Licensing?

Redress Compliance provides independent Intune licensing assessments: duplicate licence identification, add-on vs Suite analysis, SCCM retirement planning, BYOD licensing optimisation, and EA negotiation support. We help enterprises pay for the endpoint management they need and stop paying for the capabilities they do not.

Fredrik Filipsson
Co-Founder, Redress Compliance

Fredrik Filipsson brings over 20 years of experience in enterprise software licensing and contract negotiations. His expertise spans Oracle, Microsoft, SAP, Salesforce, IBM, ServiceNow, Workday, and Broadcom, helping global enterprises navigate complex licensing structures and achieve measurable cost reductions through data-driven optimisation.
