Managed laptop and mobile device on a desk in an office
Intune Plan 1 vs Plan 2

Intune Plan 1 vs Plan 2. The 2026 feature gap.

A buyer side guide to Intune Plan 1 versus Plan 2 in 2026. What each plan covers, how the Intune Suite fits, and how to license the advanced tier only where it is needed.

Contact Us Microsoft Practice
500+Enterprise clients
$2B+Under advisory
The Microsoft EA Renewal Playbook · Microsoft renewal moves, the EA framework, the M365 SKU framework, the Copilot framework, and the buyer side moves across the full Microsoft estate. Download →
Industry Recognized
500+ Enterprise Clients
$2B+ Under Advisory
11 Vendor Practices
100% Buyer Side Independent
Home Microsoft Hub Intune Plan 1 vs Plan 2 Intune PlansSecurity LicensingMicrosoft PracticeVendor Shield
Portrait placeholder for Morten Andersen, Co Founder
Written by Morten Andersen Co Founder · ex IBM, ex Oracle
PublishedMay 6, 2026
Last updatedMay 8, 2026

Intune Plan 1 is the core endpoint management already inside Microsoft 365 E3 and E5, while Plan 2 is a per user add on for advanced features, so the buyer side job is to license Plan 2 only for the users who truly need it.

Key takeaways

  • Plan 1 is the core Intune included in Microsoft 365 E3 and E5.
  • Plan 2 is a per user add on for advanced features only.
  • The Intune Suite bundles Plan 2 plus the advanced add ons.
  • Most estates need Plan 2 for a subset of users, not everyone.
  • Confirm Plan 1 is already owned before buying anything new.

This guide is for IT and procurement leaders sizing Intune in 2026. Read it with the Microsoft security licensing guide and the Microsoft Practice page so the device strategy and the commercial design stay aligned.

What separates Intune Plan 1 from Plan 2?

Plan 1 is the baseline. Plan 2 adds a defined set of advanced capabilities on top, so the split is about features rather than core management.

What does Plan 1 cover?

Plan 1 covers the everyday work of endpoint management. It enrolls devices, pushes policy, and protects company data across Windows, macOS, iOS, and Android.

  • Device enrollment: manage Windows, macOS, and mobile.
  • Policy and compliance: configuration and compliance rules.
  • App protection: protect data inside managed apps.

What does Plan 2 add?

Plan 2 layers advanced features on the base. It is an add on, so you always pay it on top of a plan that already includes Plan 1.

  • Microsoft Tunnel: VPN gateway for mobile access.
  • Cloud PKI: certificate management in the cloud.
  • Advanced analytics: deeper endpoint insight and reporting.

How does the Intune Suite fit in?

The Suite is the broadest package. It bundles Plan 2 with the other advanced add ons into a single per user subscription priced above Plan 2 on its own.

Intune licensing paths compared

Path Best fit Watch out for
Plan 1 onlyStandard device managementAlready in E3 and E5
Plan 1 plus Plan 2Some users need Tunnel or PKILicense only those users
Intune SuiteBroad advanced feature needPay for features you skip

How does the stacking rule work?

Plan 2 and the Suite stack on a base plan, never replace it. The user must already hold Plan 1 through E3, E5, or a standalone plan before the add on applies. Microsoft documents the Intune add on structure that governs this.

How do you control Intune cost?

Cost control is about scope, not the list price. The base is usually already paid through M365, so the spend you control is the add on layer.

What should you map first?

Map each advanced feature to the users who actually need it. Microsoft Tunnel suits a mobile field workforce, while a desk based estate may need none of the Plan 2 features at all.

  1. Confirm the base: verify E3 or E5 already covers Plan 1.
  2. Scope the add on: list users needing Plan 2 features.
  3. Compare to the Suite: only if many add ons are needed.

What to do next

  1. Confirm Plan 1 entitlement through your existing E3 or E5 seats.
  2. List the advanced features your environment actually requires.
  3. Identify the specific users who need Tunnel, Cloud PKI, or analytics.
  4. License Plan 2 for that subset rather than the whole estate.
  5. Compare stacked Plan 2 add ons against the Intune Suite price.
  6. Take the scoped position into your next EA renewal as a lever.

Frequently asked questions

What is the difference between Intune Plan 1 and Plan 2?

Plan 1 is the core Intune endpoint management included in Microsoft 365 E3 and E5. Plan 2 is an add on that layers advanced features on top, including Microsoft Tunnel for mobile, Cloud PKI, and advanced endpoint analytics. Plan 2 only matters once you need those specific capabilities.

Is Intune Plan 1 included in Microsoft 365?

Yes. Intune Plan 1 is included in Microsoft 365 E3, E5, and the standalone Enterprise Mobility plans. Most organizations already own Plan 1 through their existing M365 licensing and do not need to buy it separately.

What does the Intune Suite include?

The Intune Suite bundles Plan 2 with the advanced add ons such as Remote Help, Endpoint Privilege Management, and advanced analytics into one per user subscription. It is the broadest package and is priced above Plan 2 alone.

Do you need Intune Plan 2?

Only if you need a feature it adds, such as Microsoft Tunnel, Cloud PKI, or advanced endpoint analytics. A standard estate that manages Windows and mobile devices is usually well served by Plan 1 inside E3 or E5.

How is Intune Plan 2 licensed?

Plan 2 is licensed per user as an add on to a base that already includes Plan 1. You cannot buy Plan 2 in isolation, so the math is always the base plan plus the Plan 2 increment per user who needs it.

How do buyers avoid overpaying for Intune?

License Plan 2 or the Intune Suite only for the users who need the advanced features, not the whole estate. Confirm Plan 1 is already covered by E3 or E5 before buying anything, and map each advanced feature to a real requirement.

Microsoft EA Renewal Playbook

The full microsoft ea renewal playbook framework from the Microsoft Practice.

Microsoft renewal moves, the EA framework, the M365 SKU framework, the Copilot framework, and the buyer side moves across the full Microsoft estate.

Used across more than five hundred enterprise engagements. Independent. Buyer side. Built for procurement leaders running the next renewal cycle.

No spam. We will only email you about this download. Privacy.
Run the Microsoft 365 license optimizer against your estate in under five minutes.
Open the Tool →
Plan 1
In E3 and E5
Plan 2
Advanced add on
Per user
Add on metric
100%
Buyer Side

The common error is buying Plan 2 for the whole base when only a slice needs Tunnel or Cloud PKI. The advanced features are paid for far more widely than used.

Morten Andersen
Co Founder. Ex IBM, ex Oracle.
Deep Library

More on this topic.

Microsoft Practice →
Laptop and mobile device under endpoint management
Microsoft
Intune Plan 1 vs Plan 2
The core comparison of the two Intune plans for endpoint management.
12 min read
Analyst comparing licensing tiers at a desk
Microsoft
Intune Plans 2026
A 2026 read on the Intune plan split and the Suite add on.
11 min read
Procurement team reviewing an enterprise agreement
Microsoft
Enterprise Agreement Guide 2026
How the Microsoft EA is structured and where the costs sit.
16 min read
Network security visualization on screens
Microsoft
Microsoft Security Licensing
A buyer side map of the full Microsoft security licensing stack.
15 min read
Modern corporate office building exterior
Microsoft
Microsoft Advisory Practice
How our buyer side Microsoft practice supports your negotiation.
8 min read
Editorial boardroom interior

The advisor your vendors do not want.

500+ enterprise clients. 11 vendor practices. Industry recognized. One conversation can change what you pay for the next three years.

Contact Us Vendor Shield

Microsoft brief. Once a week.

One short note on Microsoft 365 and endpoint licensing, Intune tiers, EA renewals, and the buyer side moves we are running in client engagements.