Intune Plan 1 is already included in most M365 bundles. Yet thousands of organisations buy standalone Intune licences they don't need. This guide maps every entitlement so you know exactly what you own.
Microsoft Intune is Microsoft's cloud-based unified endpoint management (UEM) platform. It enables IT teams to manage and secure mobile devices (iOS, Android), desktop computers (Windows, macOS), and applications across the enterprise — without requiring on-premises infrastructure. Intune handles mobile device management (MDM), mobile application management (MAM), compliance policy enforcement, app deployment, and device configuration from a single cloud console.
For most enterprise IT environments, Intune serves as either a replacement or complement to legacy on-premises management tools like Microsoft Configuration Manager (formerly SCCM). Understanding Intune's licensing model is important because it is both bundled into several Microsoft 365 plans and available as a standalone product — creating significant risk of duplicate purchasing if entitlements are not mapped carefully. This guide provides the framework to avoid that waste as part of your broader Microsoft EA negotiation strategy.
The first and most important step in Intune licensing optimisation is understanding exactly which Microsoft 365 bundles already include Intune Plan 1. Many organisations purchase standalone Intune licences without realising their existing M365 subscriptions already provide Intune entitlements for all licensed users.
Want independent help negotiating better terms? We rank the top advisory firms across 14 vendor categories — free matching, no commitment.
| Microsoft 365 Plan | Intune Plan 1 | Intune Plan 2 / Suite | Notes |
|---|---|---|---|
| M365 E3 | Included | Add-on required | Core MDM/MAM included |
| M365 E5 | Included | Add-on required | E5 Security adds Defender for Endpoint integration |
| M365 Business Premium | Included | Add-on required | Up to 300 users |
| M365 F1 | Included (limited) | Add-on required | Firstline worker licence — MAM without enrolment |
| M365 F3 | Included | Add-on required | Full MDM for frontline workers |
| Office 365 E3 / E5 | Not included | Not included | No Intune — must purchase separately |
| EMS E3 | Included | Add-on required | Enterprise Mobility + Security bundle |
| EMS E5 | Included | Add-on required | Adds Azure AD P2, Defender for Identity |
| Intune Plan 1 Standalone | $8/user/mo | Separate | Only buy if no M365 bundle entitlement exists |
| Intune Plan 2 Add-On | N/A | $10/user/mo | Requires Plan 1 as prerequisite |
| Intune Suite | N/A | $10/user/mo | Full suite; requires Plan 1 as prerequisite |
Organisations that upgraded from Office 365 E3 to Microsoft 365 E3 frequently continue paying for standalone Intune licences they purchased before the upgrade. The M365 E3 licence already includes Intune Plan 1 — the standalone subscription is pure waste. Audit and cancel standalone licences for any user already covered by an M365 E3 or above plan.
Microsoft restructured its Intune add-on portfolio in 2023, introducing Intune Plan 2 and the Intune Suite as the premium tier of endpoint management. Understanding the capability delta is essential for determining whether your organisation actually needs the upgrade.
| Capability | Plan 1 | Plan 2 / Suite |
|---|---|---|
| MDM for Windows, iOS, Android, macOS | ✓ Full | ✓ Full |
| MAM without enrolment (BYOD apps) | ✓ | ✓ |
| Conditional Access integration | ✓ | ✓ |
| App deployment and management | ✓ | ✓ |
| Endpoint analytics (basic) | ✓ | ✓ Advanced |
| Microsoft Tunnel VPN | MDM only | MDM + MAM |
| Endpoint Privilege Management | ✗ | ✓ |
| Remote Help (elevated) | ✗ | ✓ |
| Cloud PKI / certificate management | ✗ | ✓ |
| Firmware Over-The-Air (FOTA) | ✗ | ✓ (Android Enterprise) |
| Specialty device management | ✗ | ✓ |
The key differentiators in Plan 2 are Endpoint Privilege Management (EPM) — which allows users to run specific applications with elevated permissions without being full local admins — and Microsoft Tunnel for MAM, which extends containerised VPN access to unmanaged BYOD devices. For organisations with significant contractor or BYOD populations in regulated environments, these capabilities can justify the $10/user/month add-on cost.
The Intune Suite at $10/user/month bundles all Plan 2 capabilities plus Remote Help, Advanced Analytics, and Cloud PKI. If you need EPM plus Remote Help plus Tunnel for MAM, the Suite is more cost-effective than purchasing individual add-ons. However, if you only need one capability (e.g., Remote Help alone at $3.50/user/month), individual add-ons are cheaper.
Microsoft Intune is licensed on a per-user basis, with each user licence covering up to five devices. This model works well for knowledge workers with personal laptops, phones, and tablets — a single licence covers all their endpoints. However, for organisations with shared devices, kiosk terminals, or large non-user-affiliated device fleets, the per-user model can create unnecessary cost.
Get the IT Negotiation Playbook — free
Used by 4,200+ IT directors and procurement leads. Oracle, Microsoft, SAP, Cloud — all covered.
Microsoft offers a device-based Intune licence for scenarios where devices are not associated with a specific user. The Intune Plan 1 Device licence (approximately $2/device/month) is appropriate for shared workstations, kiosk devices, digital signage, and other endpoints that don't map to individual user identities. Using device licences for these scenarios instead of assigning full user licences typically reduces endpoint management costs by 60–75% for the non-user-affiliated device population.
The practical rule: user licences for all endpoints tied to individual users; device licences for shared, kiosk, or facility endpoints. Mapping your device inventory against this rule before your next M365 renewal — and presenting the optimised model to your Microsoft account team — is a straightforward cost reduction exercise that many organisations overlook.
Many enterprise organisations run both Microsoft Intune and Microsoft Configuration Manager (ConfigMgr / SCCM) simultaneously in a co-management configuration — gradually migrating workloads from ConfigMgr to Intune while maintaining both platforms during the transition. Co-management is a common source of licensing confusion and duplication cost.
| Scenario | Intune Required? | ConfigMgr Required? | Recommended Approach |
|---|---|---|---|
| Modern cloud-first (new devices only) | Yes — Plan 1 | No | Intune-only; eliminate ConfigMgr infrastructure |
| Hybrid (mix of legacy + modern devices) | Yes — Plan 1 | Yes — during migration | Co-management with migration timeline; retire ConfigMgr by year 2 |
| Complex legacy estate (imaging, OSD, complex distribution) | Yes — for mobile/modern | Yes — for legacy | Parallel management; evaluate ConfigMgr retirement at next refresh cycle |
| Air-gapped / regulated environments | Optional for cloud-connected | Yes — for on-prem | ConfigMgr primary; Intune only for internet-facing devices |
The licensing implication of co-management is that running both systems simultaneously does not require double-licensing users — Intune is included in M365 regardless of whether ConfigMgr is also in use. However, ConfigMgr is licensed through System Center or M365 E3 entitlements (for ConfigMgr Current Branch), so the question is really about infrastructure cost and IT operational overhead, not per-user licence cost. Retiring ConfigMgr typically saves $15–50K/year in infrastructure and IT management cost for mid-market organisations.
Intune licensing is typically a second-tier item in Microsoft EA negotiations — most teams focus on M365 and Azure and accept whatever Intune pricing Microsoft offers. This is a mistake. For organisations with complex endpoint estates, Intune-related spend (including the Intune Suite, co-management scenarios, and device licence pools) can represent a meaningful portion of total Microsoft annual spend.
The most effective approach is to present your total endpoint management cost picture to Microsoft — including Intune licences, any residual ConfigMgr infrastructure cost, and third-party endpoint tools being replaced — as a total cost of ownership argument. Microsoft is highly motivated to displace third-party MDM tools (Jamf, VMware Workspace ONE) with Intune. If you have third-party tools in your environment, using the "Intune consolidation" narrative can unlock migration incentive pricing, deployment acceleration credits, or favourable Intune Suite terms as part of your EA.
For the full EA negotiation framework — including how Intune pricing fits into the broader M365 negotiation structure — see our Microsoft EA negotiation guide. For right-sizing the broader M365 licence stack, see our Microsoft license right-sizing guide.
Unsure whether your Intune licensing is optimised?
Most organisations are overpaying for Intune through duplicate licences and sub-optimal add-on strategies. Expert audits typically recover 20–40% of endpoint management spend.