Microsoft Intune has evolved from a basic mobile device management (MDM) tool into a comprehensive endpoint management licensing management platform — and Microsoft has restructured its licensing to match. What was once a single Intune licence is now a tiered model: Intune Plan 1 (included in Microsoft 365 E3 and E5) provides core device management and security, while Intune Plan 2 (a paid add-on) unlocks advanced capabilities including endpoint privilege management, advanced endpoint analytics, firmware-over-the-air updates, Microsoft Tunnel for mobile application management, and enterprise application management. The Intune Suite bundles Plan 2 with additional premium capabilities at a package price. For CIOs and IT procurement teams, the challenge is clear: Plan 1 is already included in most enterprise M365 agreements, making it effectively free — but Microsoft is positioning an increasing number of critical endpoint security features behind the Plan 2 paywall. This guide provides a complete feature-by-feature comparison, explains exactly what each plan includes and excludes, identifies the organisational profiles that genuinely need Plan 2, and delivers strategies for optimising Intune licensing within your Enterprise Agreement.
Until 2023, Microsoft Intune was a single product with a single licence. Every Intune capability — device management, application management, compliance policies, conditional access integration, endpoint analytics — was included in one subscription that came bundled with Microsoft 365 E3, E5, Enterprise Mobility + Security (EMS) E3 and E5, and as a standalone purchase. Then Microsoft restructured Intune into a tiered model, creating a base plan (Plan 1) that retained most existing capabilities, and a premium tier (Plan 2) that gated new advanced features behind an additional per-user monthly fee.
The restructure matters for two reasons. First, it means that organisations on M365 E3 or E5 already have Intune Plan 1 at no additional cost — but the advanced features Microsoft is now marketing most aggressively (endpoint privilege management, advanced analytics, firmware management) require a separate purchase. Second, it creates a new licensing optimisation challenge: organisations must determine which users genuinely need Plan 2 capabilities and which are fully served by Plan 1, because deploying Plan 2 to all users when only a subset needs it wastes USD 4–10 per user per month across the entire user population.
For a 10,000-user organisation, the difference between deploying Plan 2 to everyone versus deploying it to only the 2,000 users who need it is USD 384,000 per year. Understanding the feature boundaries between the plans is not an academic exercise — it is a high-stakes financial decision.
The core endpoint management platform. Plan 1 covers everything most organisations associate with Intune: mobile device management (MDM) for Windows, macOS, iOS, and Android, mobile application management (MAM) for app-level data protection without device enrolment, compliance policies and conditional access integration with Entra ID, application deployment and management, configuration profiles, Windows Autopilot for device provisioning, endpoint security baselines, and basic endpoint analytics. For most organisations, Plan 1 is the complete device management solution — it covers the full device lifecycle from provisioning through retirement.
The advanced capabilities tier. Plan 2 adds features that address specific enterprise security and management challenges beyond core MDM/MAM: Microsoft Tunnel for MAM (VPN connectivity for managed apps on unmanaged devices), advanced endpoint analytics (device query, enhanced anomaly detection, battery health reporting), and specialised device management for mission-critical or purpose-built hardware. Plan 2 is designed for organisations with specific advanced requirements — not as a universal upgrade for every Intune user. It requires Plan 1 as a prerequisite.
The all-inclusive premium bundle. The Intune Suite packages Plan 2 with all individual Intune premium add-ons into a single subscription: Endpoint Privilege Management (EPM), Enterprise Application Management (EAM), Advanced Analytics, Remote Help, Firmware-over-the-Air (FOTA), and Microsoft Cloud PKI. The Suite is priced at approximately USD 10/user/month — less than purchasing individual add-ons separately. For organisations that need three or more premium capabilities, the Suite is typically more cost-effective than à la carte.
Each premium capability can be purchased individually as an add-on to Plan 1, without requiring Plan 2 or the full Suite. This à la carte model allows organisations to purchase only the specific capabilities they need. Endpoint Privilege Management, Remote Help, Enterprise Application Management, Advanced Analytics, and other premium features each have individual per-user monthly pricing (typically USD 2–4 each). The à la carte approach is optimal when the organisation needs only one or two premium capabilities for a specific user population.
The feature boundaries between Intune tiers determine which plan each user needs. This comparison covers every significant capability and its licence requirement.
| Feature | Plan 1 (Included) | Plan 2 Add-on | Suite / Individual Add-on |
|---|---|---|---|
| MDM (Windows, macOS, iOS, Android) | ✅ | — | — |
| MAM (app protection without enrolment) | ✅ | — | — |
| Compliance policies & conditional access | ✅ | — | — |
| Application deployment & management | ✅ | — | — |
| Configuration profiles & security baselines | ✅ | — | — |
| Windows Autopilot | ✅ | — | — |
| Basic endpoint analytics | ✅ | — | — |
| Microsoft Tunnel (enrolled devices) | ✅ | — | — |
| Microsoft Tunnel for MAM (unenrolled devices) | ❌ | ✅ | ✅ Suite |
| Advanced endpoint analytics (device query, anomaly detection) | ❌ | ❌ | ✅ Add-on or Suite |
| Endpoint Privilege Management (EPM) | ❌ | ❌ | ✅ Add-on or Suite |
| Remote Help | ❌ | ❌ | ✅ Add-on or Suite |
| Enterprise Application Management (EAM) | ❌ | ❌ | ✅ Add-on or Suite |
| Firmware-over-the-Air (FOTA) | ❌ | ❌ | ✅ Add-on or Suite |
| Microsoft Cloud PKI | ❌ | ❌ | ✅ Add-on or Suite |
Before evaluating Plan 2 or the Suite, every organisation should assess whether it is fully utilising Plan 1 capabilities that are already included in its M365 licence. Most organisations use less than 60% of Plan 1’s functionality, meaning the most impactful “upgrade” is often deeper adoption of existing capabilities rather than purchasing additional tiers.
Full lifecycle management for Windows, macOS, iOS, iPadOS, Android, and Linux devices. MDM provides device enrolment (manual, bulk, zero-touch via Autopilot or Apple Business Manager), configuration profiles (Wi-Fi, VPN, email, certificates, restrictions), compliance policies (encryption, OS version, password requirements, jailbreak detection), and remote actions (wipe, retire, lock, restart, rename). Plan 1 MDM covers every device management scenario that most organisations encounter. The capability is identical to what enterprise MDM competitors charge USD 5–8/device/month for as standalone products.
App-level data protection without requiring device enrolment. MAM policies control how corporate data is handled within managed applications: prevent copy/paste to personal apps, require PIN or biometric authentication, encrypt app data at rest, and selectively wipe corporate data without affecting personal content. MAM is critical for BYOD scenarios where employees use personal devices and the organisation cannot (or chooses not to) enrol the entire device. Plan 1 MAM covers the full app protection policy framework — the only Plan 2 MAM addition is Tunnel for MAM (VPN for unenrolled devices).
Automated device provisioning that configures new Windows devices directly from the factory or from a reset state, delivering them to users fully configured with applications, policies, and settings — without IT touching the physical hardware. Autopilot integrates with Entra ID for identity, Intune for configuration, and Microsoft 365 for application deployment. For organisations with distributed or remote workforces, Autopilot eliminates the logistics and cost of manual device imaging. This is a Plan 1 capability that many organisations have not yet deployed, representing significant operational savings.
Pre-configured security baseline profiles for Windows, Microsoft Edge, Microsoft Defender for Endpoint, and other components. Security baselines implement Microsoft’s recommended security configurations as Intune policies that can be deployed to all managed devices. Compliance policies define the minimum security requirements a device must meet (encrypted, current OS, no jailbreak, compliant password) to access corporate resources via conditional access. Together, baselines and compliance policies form the foundation of zero-trust device security — all included in Plan 1.
The premium capabilities gated behind Plan 2 and individual add-ons address specific enterprise challenges. Each capability has a defined use case — and a defined user population that benefits from it. Understanding these use cases is essential for determining which users need premium licensing and which do not.
EPM enables standard (non-admin) users to perform specific tasks that would normally require local administrator rights — installing approved applications, running specific executables, or configuring certain system settings — without granting them full admin access. IT defines elevation rules that control which applications can be elevated, under what conditions (automatic, user-confirmed, or support-approved), and for which users. EPM addresses the fundamental tension between security (removing local admin rights) and productivity (users who need admin-level tasks to do their jobs). Available as an individual add-on (~USD 3/user/month) or included in the Suite.
Remote Help provides helpdesk technicians with the ability to remotely view and control users’ devices directly from the Intune admin console. Sessions are authenticated through Entra ID, logged for audit purposes, and governed by role-based access controls. Remote Help supports Windows and Android (with macOS in development), and integrates with Intune’s compliance data so technicians can see device health during the support session. Available as an individual add-on (~USD 3.50/user/month) or included in the Suite. Most organisations evaluate Remote Help against existing remote support tools (TeamViewer, ConnectWise, BeyondTrust) for consolidation potential.
FOTA enables organisations to manage firmware updates on supported Android devices (primarily Samsung and Zebra) directly from Intune. This is critical for organisations with large fleets of Android rugged devices (warehousing, logistics, field services) where firmware updates must be controlled to prevent compatibility issues with line-of-business applications. FOTA allows scheduling firmware deployments, enforcing firmware versions, and preventing users from updating firmware outside of the managed process. Available as an individual add-on or included in the Suite. Organisations without significant Android device fleets do not need this capability.
Extends the basic endpoint analytics in Plan 1 with device query (real-time KQL queries against managed devices), enhanced anomaly detection (AI-powered identification of unusual device behaviour), battery health reporting, and custom device scopes for targeted analysis. Advanced Analytics enables IT teams to proactively identify failing hardware, performance degradation, and security anomalies before they cause incidents. Available as an add-on or included in the Suite. Most valuable for organisations with 5,000+ managed endpoints where proactive analytics reduces support costs and improves uptime.
EAM provides a curated catalogue of pre-packaged, enterprise-ready Win32 applications that IT can deploy directly from Intune without manual packaging. Microsoft maintains the application packages, handles updates, and ensures compatibility. EAM reduces the application packaging burden on IT teams — instead of manually downloading, packaging, testing, and deploying applications like 7-Zip, Zoom, Chrome, or Adobe Reader, IT selects them from the EAM catalogue and deploys with a few clicks. Available as an add-on or included in the Suite. Most valuable for organisations with limited application packaging resources.
A cloud-based certificate authority integrated with Intune that eliminates the need for on-premises PKI infrastructure (Active Directory Certificate Services). Cloud PKI issues, renews, and revokes certificates for managed devices — used for Wi-Fi authentication (802.1X), VPN authentication, S/MIME email encryption, and other certificate-based scenarios. For organisations still running on-premises ADCS infrastructure solely for device certificates, Cloud PKI can eliminate that infrastructure entirely. Available as an add-on or included in the Suite.
Extends Microsoft Tunnel VPN connectivity to managed applications on unenrolled (BYOD) devices. Standard Microsoft Tunnel (Plan 1) provides VPN for fully enrolled devices. Tunnel for MAM allows users on personal devices — without device enrolment — to access on-premises resources through protected applications. This is a Plan 2 capability (not a separate add-on). Critical for organisations with significant BYOD populations that need access to on-premises line-of-business applications. Organisations that are fully cloud-native with no on-premises resources do not need this capability.
Intune Plan 1 is included in multiple Microsoft licensing bundles. Understanding where it is already included prevents duplicate purchases and informs the incremental cost calculation for Plan 2 and the Suite.
The most expensive Intune licensing mistake is deploying Plan 2 or the Suite to all users when only a subset needs the premium capabilities. The decision should be made at the user-segment level, not the organisation level.
Knowledge workers on corporate devices (Windows/macOS): Plan 1 covers 90% of requirements — MDM enrolment, compliance policies, application deployment, security baselines, Autopilot. Add EPM (as individual add-on or via Suite) only for users in roles where local admin removal creates documented productivity blockers. Add Remote Help only if replacing an existing third-party remote support tool creates cost savings.
BYOD users (personal iOS/Android): Plan 1 MAM covers app-level data protection without enrolment. Add Plan 2 only if BYOD users need VPN access to on-premises resources via Tunnel for MAM. Fully cloud-native organisations with no on-premises applications do not need Plan 2 for BYOD users.
Frontline workers with rugged Android devices: Plan 1 covers device management. Add FOTA (individual add-on or Suite) for Samsung and Zebra fleet firmware management. Add Advanced Analytics for large device fleets (5,000+) where proactive hardware health monitoring reduces field service costs.
The financial impact of Intune plan selection scales linearly with user count. Small differences in per-user pricing multiply into significant annual costs at enterprise scale.
For organisations on M365 E3 or E5, Plan 1 has no incremental cost. The entire core Intune platform — MDM, MAM, Autopilot, compliance, analytics, security baselines — is included in the M365 subscription. The only cost decision is whether to activate and deploy capabilities that are already licensed. For a 10,000-user organisation, Plan 1 delivers enterprise-grade endpoint management at zero additional cost beyond the existing M365 investment.
Redress Compliance provides independent Microsoft licensing advisory — fixed-fee, no vendor affiliations.
Explore Microsoft Advisory Services →Plan 2 adds Tunnel for MAM and specialised device management. At USD 4/user/month, deploying Plan 2 to 10,000 users costs USD 480,000/year. But if only 2,000 BYOD users need Tunnel for MAM, the targeted deployment costs USD 96,000/year — an 80% saving versus universal deployment. Always calculate Plan 2 cost based on the specific user population that requires Tunnel for MAM or the specialised scenarios Plan 2 addresses, not the total Intune user population.
Individual add-ons (EPM, Remote Help, Advanced Analytics, EAM, FOTA, Cloud PKI) range from approximately USD 2 to USD 4 per user per month each. For organisations that need only one or two premium capabilities, à la carte is cheaper than the Suite. Example: an organisation that needs only EPM (~USD 3/user/month) for 1,000 users pays USD 36,000/year. The same organisation purchasing the Suite for those users would pay USD 120,000/year — paying for five premium capabilities it does not use.
The Suite includes Plan 2 plus all individual add-ons. At USD 10/user/month, the Suite is cost-effective only when the organisation needs three or more premium capabilities for the same user population. The break-even depends on which add-ons are needed: EPM (~USD 3) + Remote Help (~USD 3.50) + Advanced Analytics (~USD 3) = ~USD 9.50 à la carte versus USD 10 for the Suite with additional capabilities included. For users needing three or more add-ons, the Suite saves money and simplifies licence management.
| Scenario | Users | Licensing Model | Annual Cost |
|---|---|---|---|
| Core endpoint management only | 10,000 | Plan 1 (included in M365 E3) | USD 0 incremental |
| EPM for desktop support team | 500 | EPM add-on for 500 users | ~USD 18,000 |
| Tunnel for MAM for BYOD users | 2,000 | Plan 2 for 2,000 users | ~USD 96,000 |
| Full premium for IT team | 150 | Suite for 150 users | ~USD 18,000 |
| EPM + Remote Help for all staff | 10,000 | À la carte (~USD 6.50/user) | ~USD 780,000 |
| Suite for all staff (mistake) | 10,000 | Suite for 10,000 users | ~USD 1,200,000 |
| Targeted mix (optimised) | 10,000 total | Plan 1 all + EPM 500 + Plan 2 2,000 + Suite 150 | ~USD 132,000 |
Intune licensing mistakes follow predictable patterns that are easy to prevent once identified. The tiered model is relatively new, and most organisations have not yet optimised their Intune licensing to match the restructured product.
The most expensive mistake. Microsoft’s account teams position the Intune Suite as the “complete” endpoint management solution and recommend organisation-wide deployment. For a 10,000-user organisation, the Suite costs USD 1.2 million annually. In reality, most users need only Plan 1 (included free in M365), and premium capabilities are relevant for specific user segments. A targeted deployment — Plan 1 for all, add-ons for specific populations — typically costs 85–90% less than universal Suite deployment while delivering identical security outcomes.
Plan 2’s primary unique capability is Microsoft Tunnel for MAM (VPN for unenrolled devices). Organisations that are fully cloud-native — with no on-premises applications requiring VPN access — gain minimal value from Plan 2. If the organisation’s BYOD users access only cloud services (Microsoft 365, SaaS applications), Plan 1 MAM provides complete app protection without Plan 2. Plan 2 is only justified when BYOD users genuinely need VPN access to on-premises resources.
Remote Help is a capable remote support tool integrated into Intune, but many organisations already have remote support solutions (TeamViewer, ConnectWise ScreenConnect, BeyondTrust, Splashtop) under existing contracts. Purchasing Remote Help as an Intune add-on without evaluating whether the existing remote support tool can be retired creates duplicate costs. Remote Help is a cost-effective replacement if the existing tool’s per-user cost exceeds the Intune add-on price and consolidating into a single Microsoft-integrated platform reduces operational complexity.
This is the opposite mistake: under-investing by not purchasing EPM when it would deliver significant security and operational value. Organisations that grant local admin rights to knowledge workers because removing admin creates too many helpdesk tickets should evaluate EPM. The EPM add-on (~USD 3/user/month) may cost less than the security risk and helpdesk burden of widespread local admin accounts. EPM should be evaluated based on security ROI, not just as a licensing cost.
Organisations with both M365 E3/E5 and EMS E3/E5 licences sometimes purchase Intune separately or add Plan 2 without recognising that Intune Plan 1 is already included in both M365 and EMS. Cross-reference all Microsoft licences before purchasing any Intune subscription. Duplicate Intune entitlements are surprisingly common in organisations that have accumulated Microsoft licences through multiple procurement cycles.
Intune Plan 1 integrates deeply with Microsoft Defender for Endpoint (included in M365 E5) for threat-based conditional access and device risk scoring. Organisations on M365 E5 that have not activated this integration are missing a significant security capability that is already licensed and requires no additional purchase. Before investing in Intune premium add-ons, ensure that Plan 1 capabilities — including Defender integration — are fully deployed and utilised.
The Enterprise Agreement is the optimal vehicle for Intune premium licensing because it provides volume pricing, bundling opportunities with M365, and the negotiation leverage to secure favourable terms on add-ons that are not discountable through CSP or MCA channels.
If the organisation is moving from M365 E3 to E5 (or renewing E5), use the E5 commitment as leverage for Intune add-on pricing. Microsoft account teams are incentivised to close E5 deals — conditioning the E5 commitment on favourable Intune add-on pricing (EPM, Remote Help, Suite) at 15–25% below list price is a common and effective negotiation tactic. The incremental value of Intune add-ons in the EA is modest compared to the E5 commitment value, making it an easy concession for the account team.
Plan 1 or Plan 2 — which Intune tier is right? Our free assessment models the cost and feature trade-offs.
Take the Free Assessment →Unlike M365 E3/E5 (which is typically deployed organisation-wide), Intune add-ons can and should be deployed to specific user populations. Negotiate per-segment pricing in the EA: EPM for 500 desktop users, Remote Help for 200 helpdesk technicians, Plan 2 for 2,000 BYOD users, Suite for 150 IT administrators. Present Microsoft with the segmented requirement and negotiate each line item independently. This approach is more complex than a single Suite commitment but typically saves 70–85% versus universal deployment.
For each user segment, calculate whether individual add-ons or the Suite is more cost-effective. The Suite (~USD 10/user/month) includes all premium capabilities. If a user segment needs three or more add-ons (combined à la carte cost exceeding ~USD 9–10/month), the Suite is cheaper. If a segment needs only one or two add-ons, à la carte is cheaper. Perform this calculation for each user segment — the IT administrator segment may justify the Suite while the broader knowledge worker segment justifies only a single add-on.
Intune premium adoption often expands during the EA term as organisations discover additional use cases. Negotiate the right to add Intune add-ons or Suite licences mid-term at the EA-negotiated price (not list price), convert between individual add-ons and the Suite as requirements evolve, and extend add-on coverage to additional user segments without renegotiating the EA. These flexibility provisions protect against the cost escalation that occurs when mid-term Intune expansion is purchased at standard rates.
Intune does not operate in isolation — it integrates with Entra ID, Microsoft Defender for Endpoint, Microsoft Purview, and Conditional Access to form a unified zero-trust security architecture. Understanding these integrations affects both the Intune licensing decision and the broader M365 security investment.
Intune Plan 1 integrates with Defender for Endpoint to enable threat-based conditional access: devices flagged as high-risk by Defender are automatically blocked from accessing corporate resources via Intune compliance policies. This integration is included in M365 E5 (which includes both Intune Plan 1 and Defender P2) at no additional cost. Organisations on M365 E3 can add Defender for Endpoint P2 to achieve the same integration. This Intune-Defender combination is one of the highest-value security capabilities in the M365 stack — and it requires no Intune premium licensing.
Intune compliance data feeds directly into Entra ID Conditional Access policies, enabling device-state-based access control: only devices that meet Intune compliance requirements (encrypted, up-to-date, not jailbroken) can access corporate applications. This is the foundation of zero-trust device security and is fully available in Plan 1 with Entra ID P1 (included in M365 E3). No Intune premium licensing is required for conditional access integration. Organisations that have not implemented Intune-based conditional access are underutilising capabilities they already own.
Intune device compliance data integrates with Microsoft Purview for data loss prevention (DLP) and information protection. Sensitive data policies can be conditioned on device management state — for example, blocking downloads of sensitive documents to unmanaged devices. This integration extends the organisation’s data protection posture without requiring Intune premium licensing. For organisations evaluating DLP and information protection investments, the Intune Plan 1 + Purview integration delivers significant value within existing licensing.
Intune licensing sits within the broader M365 security stack, and optimisation requires understanding not just Intune’s tiers but how they interact with M365 plans, EMS bundles, Defender licensing, and EA negotiation dynamics. Independent advisory ensures Intune investment is precisely targeted at the capabilities and user populations that deliver measurable security and operational value.
Redress Compliance conducts Intune licensing assessments that segment the user population by device type, enrolment model (MDM vs MAM/BYOD), security requirements, and operational needs. We identify which users are fully served by Plan 1 (typically 80–90% of the population), which need specific add-ons, and which justify the Suite. Our assessments typically reduce Intune premium spend by 70–85% versus the universal deployment model Microsoft promotes, while maintaining identical security coverage for users who genuinely need premium capabilities.
We integrate Intune licensing into the broader EA negotiation, linking Intune add-on pricing to M365 E5 commitments, Defender investments, and overall EA value. Our EA negotiation support achieves 15–25% below-list pricing on Intune add-ons and Suite subscriptions while securing the flexibility provisions that protect against mid-term expansion at standard rates. We ensure every Intune line item in the EA is data-justified and competitively priced.
Redress Compliance has no Microsoft partnership, no CSP revenue, and no incentive to recommend specific Intune tiers. Our assessment identifies whether the organisation’s security requirements are best served by Intune premium features, third-party alternatives (VMware Workspace ONE, Jamf, CrowdStrike), or deeper adoption of Plan 1 capabilities already included in M365. This independence is critical given Microsoft’s strong incentive to drive Suite adoption regardless of individual organisational requirements.
“Intune Plan 1 is one of the most valuable capabilities already included in Microsoft 365 E3 and E5 — and most organisations use less than 60% of what it offers. Before investing in Plan 2, the Suite, or individual premium add-ons, the highest-impact action is ensuring Plan 1 is fully deployed: Autopilot for zero-touch provisioning, security baselines for endpoint hardening, MAM for BYOD protection, and conditional access integration for zero-trust device security. Only after Plan 1 is fully utilised should the organisation evaluate which specific user segments genuinely need premium capabilities — and the answer is almost always a targeted deployment of specific add-ons for 10–20% of the user population, not an organisation-wide Suite commitment.”
Redress Compliance delivers independent Intune licensing assessments — user segmentation, Plan 1 vs Plan 2 vs Suite analysis, add-on break-even calculations, EA negotiation support, and integration with your broader M365 security investment. We reduce Intune premium spend by 70–85% versus universal deployment while maintaining full security coverage. Complete vendor independence.
Book a free consultation with our licensing specialists. No obligations, no vendor ties — just independent advice tailored to your situation.
Book Your Free Consultation →