The BYOD Licensing Error That Costs Enterprises $200K–$500K Annually
The most expensive mistake in enterprise Intune BYOD deployments is purchasing Intune licences for personal devices when the users already have M365 E3 or E5 — which includes the Intune MAM entitlement needed for the standard BYOD use case at no additional cost. This error persists because Microsoft's field teams rarely volunteer the information that the BYOD MAM scenario is already covered, and because procurement teams treat "BYOD = Intune licence per device" as a default assumption rather than validating the inclusion against the actual deployment architecture.
For a 5,000-user organisation with 3,000 BYOD users on M365 E3, purchasing standalone Intune Plan 1 for all 3,000 BYOD users at ~$8/user/month adds $288,000/year in completely redundant spend. That figure does not require heroic assumptions — it assumes list pricing and a straightforward MAM-WE deployment. In practice, organisations with aggressive BYOD policies and large user populations can exceed $500,000 in unnecessary Intune BYOD spend per year. The corrective action is a 10-minute licence inclusion audit, not a negotiation.
The Four BYOD Scenarios — and What Each One Actually Requires
Scenario 1: MAM Without Enrolment (MAM-WE) — No Additional Intune Licence Needed
MAM without enrolment — applying app protection policies to managed apps (Outlook, Teams, OneDrive, Edge) on personal devices without enrolling the device in MDM — is the standard enterprise BYOD architecture in 2026. The device remains unmanaged; the corporate data container within each app is managed. Users access corporate email and files through Microsoft apps configured with app protection policies, which enforce encryption, copy/paste restrictions, PIN requirements, and selective wipe on the app container.
What this requires from an Intune licence perspective: For users with Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5, or Microsoft 365 Business Premium, the MAM-WE entitlement is included. No standalone Intune licence is required. The Intune App Protection Policies can be configured and applied through the Microsoft Intune admin centre using the M365-included subscription. If every BYOD user in your organisation has M365 E3 or E5, your BYOD MAM deployment requires zero incremental Intune spend. This is the scenario that organisations most frequently purchase licences for unnecessarily.
Scenario 2: MDM Enrolment of Personal Devices — Intune Plan 1 Required
If your organisation requires personal devices to be fully enrolled in MDM — allowing IT to deploy device configuration profiles, manage updates, enforce device compliance policies beyond app-level controls, and remotely wipe the entire device — users need an Intune Plan 1 entitlement. For M365 E3/E5 users, this is already included. For users on M365 F1 (Firstline Worker) licences, the M365 E3/E5 suite inclusions do not apply and standalone Intune Plan 1 may be required depending on the specific F1 SKU variant. Validate the exact M365 SKU inclusion before purchasing standalone Intune for any user segment.
Enrolling personal (employee-owned) devices in full MDM creates significant user privacy and employment-relation concerns in many jurisdictions, particularly in GDPR-scope territories. Most enterprise legal and HR advisors recommend against full MDM enrolment for personal devices, which is a secondary reason why MAM-WE is the dominant BYOD architecture. If your EA carries Intune licences nominally for "personal device MDM," validate whether this deployment model is actually in production or whether the licences are legacy from a policy that was never fully executed.
Scenario 3: MAM Tunnel for BYOD — Intune Plan 2 or Intune Suite Required
MAM Tunnel is a specific capability that enables per-app VPN for unmanaged (BYOD) devices accessing on-premises corporate resources — for example, BYOD users connecting through Outlook on their personal iPhone to an on-premises Exchange or SharePoint environment via a VPN tunnel scoped to the Microsoft app container, without enrolling the device or requiring a full device VPN client. This is the scenario that requires Intune Plan 2 (~$4.50/user/month add-on over Plan 1) or Intune Suite (~$10/user/month add-on).
Critical qualification: MAM Tunnel is required only when BYOD users must access on-premises resources over an app-scoped VPN on an unenrolled device. If BYOD users access only cloud resources (Exchange Online, SharePoint Online, Teams, OneDrive) — the vast majority of modern enterprise BYOD deployments — MAM Tunnel is not needed and Plan 2 is not justified. If your on-premises infrastructure has been migrated to Azure or M365 cloud services, MAM Tunnel may have been purchased for a use case that no longer exists. This is one of the most common Plan 2 over-deployment scenarios we encounter.
Scenario 4: Frontline Worker BYOD — Licence Inclusion Varies by SKU
Microsoft 365 F3 (Firstline Worker) includes Intune Plan 1 coverage for device management. Microsoft 365 F1 does not include Intune Plan 1 — it includes Intune MAM for app protection policies only, not full MDM enrolment. For frontline BYOD deployments where workers use personal mobile devices for Teams calling, shift management (Teams Shifts), and light productivity on F1 licences, the MAM capability is included but full MDM enrolment is not. Most frontline BYOD deployments are MAM-only on F1 — matching the included entitlement exactly. Validate your frontline SKU split (F1 vs F3) before purchasing any standalone Intune lines for this population.
| BYOD Scenario | Intune Licence Required | M365 E3/E5 Covers It? | Additional Cost |
|---|---|---|---|
| MAM-WE (app protection, no device enrol) | Intune MAM entitlement | Yes — included in E3/E5 | $0 incremental |
| MDM enrolment of personal device | Intune Plan 1 | Yes — included in E3/E5 | $0 incremental |
| MAM Tunnel (per-app VPN, on-prem access) | Intune Plan 2 or Suite | No — add-on required | ~$4.50/user/mo (Plan 2) or ~$10 (Suite) |
| Frontline MAM only (F1 users) | Intune MAM entitlement | Yes — included in M365 F1 MAM | $0 incremental |
| Frontline MDM enrolment (F1 users) | Intune Plan 1 | F1 only covers MAM, not MDM | ~$8/user/mo standalone or upgrade to F3 |
App Protection Policies vs Device Compliance — The Distinction That Matters
Enterprise security teams sometimes conflate two different mechanisms — app protection policies (MAM) and device compliance policies (MDM) — when assessing whether BYOD users need Intune licences. They are distinct. App protection policies are applied at the application level, securing the corporate data container within each managed app on any device, enrolled or not. Device compliance policies assess the device's health and compliance status (OS version, PIN enforcement, jailbreak status) and feed into Conditional Access decisions.
For a BYOD user with M365 E3, the organisation can enforce both app-level data protection (MAM-WE) and a degree of device compliance signalling using Intune's app-based Conditional Access. This combination — MAM-WE with app-based CA — provides a strong BYOD security posture without requiring device enrolment or any licences beyond M365 E3. The scenario that requires device enrolment (and therefore Plan 1 beyond the MAM entitlement) is when the security team requires full device health compliance as the Conditional Access gate, not just app-level attestation. If your EA includes Intune Plan 1 as a standalone for BYOD users who are only using MAM-WE app protection policies and app-based CA, those licences are redundant.
EA Negotiation — Three BYOD Licence Positions
1. Remove Standalone Intune for M365 E3/E5 BYOD Users
If your EA carries a standalone Intune Plan 1 line for BYOD users who already have M365 E3 or E5, this is a straightforward removal — not a negotiation. Request an EA amendment removing the redundant Intune line and seek a credit for the historical overpayment period where commercially achievable. Microsoft's account team may resist this on the basis of "different workloads" or "deployment segmentation" — the inclusion is clear and documented in the Microsoft Product Terms. Any M365 E3 or E5 user has Intune Plan 1 included. There is no technical or commercial basis for paying for both.
2. Validate MAM Tunnel Deployment Before Accepting Plan 2
When Microsoft proposes Intune Plan 2 for your BYOD population — whether at renewal or in a new EA — require documented evidence of active MAM Tunnel deployment. Ask: how many BYOD devices have MAM Tunnel enrolled? Which on-premises resources are they accessing? What is the IT infrastructure architecture that requires MAM Tunnel rather than cloud-based access? If MAM Tunnel is not actively deployed, Plan 2 is not justified regardless of whether it appeared on a previous EA. The burden of justification for the add-on is on Microsoft's field team, not on you.
3. Structure Plan 2 or Suite Commitment Around BYOD MAM Tunnel Population
If MAM Tunnel is genuinely deployed, the Plan 2 or Suite commitment should be scoped to the validated BYOD population using MAM Tunnel — not the full BYOD population, and not the full enterprise user count. Obtain the MAM Tunnel enrolment data from the Intune admin centre (Device enrolment > Apple/Android enrolment > VPN profiles, or from the Intune audit logs for MAM Tunnel connection events) and use the active user count as your negotiation anchor. For a 5,000-user BYOD population where 400 users are actively using MAM Tunnel for on-premises SharePoint access, the Plan 2 commitment should be 400 seats — not 5,000.
The 10-Minute Licence Inclusion Audit
1. Confirm M365 SKU inclusions — list every M365 SKU in your EA and the Intune entitlement each includes (E3/E5 = Plan 1; F1 = MAM only; F3 = Plan 1).
2. Identify standalone Intune lines — cross-reference users with both a standalone Intune licence and an M365 E3/E5 licence; these are redundant and removable.
3. Validate MAM Tunnel deployment — export MAM Tunnel connection logs from Intune admin centre; identify active MAM Tunnel user count; this is the only population that needs Plan 2 or Suite.
4. Map frontline SKU — confirm whether frontline workers are on F1 or F3 and whether MDM enrolment (requiring Plan 1 add-on for F1) is actually deployed for their devices.
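The four audit steps above, as an added Python example (not the page's own tooling) run over a constructed licence export: the suite labels, deployment-model names and sample users are assumptions, while the inclusion rules and list prices are the ones stated on this page.

```python
from collections import Counter
from dataclasses import dataclass

# Intune entitlement each M365 suite includes, per this page (E3/E5 = Plan 1; F1 = MAM; F3 = Plan 1).
INCLUDED = {"M365 E3": "Plan 1", "M365 E5": "Plan 1", "M365 F3": "Plan 1", "M365 F1": "MAM"}
# Minimum entitlement each BYOD deployment model needs; Plan 2 and Suite sit above Plan 1.
REQUIRED = {"MAM-WE": "MAM", "MDM": "Plan 1", "MAM Tunnel": "Plan 2"}
RANK = {"MAM": 0, "Plan 1": 1, "Plan 2": 2, "Suite": 2}
LIST_PRICE = {"Plan 1": 8.00, "Plan 2": 4.50, "Suite": 10.00}  # USD/user/month, as quoted on this page

@dataclass
class User:
    upn: str
    suite: str        # assigned M365 suite; friendly labels instead of SKU part numbers (assumption)
    standalone: list  # standalone Intune lines assigned on top of the suite
    model: str        # BYOD model actually in production for this user

def audit(users):
    """Return (upn, kind, line) findings: 'redundant', 'unjustified' or 'gap'."""
    findings = []
    for u in users:
        have, need = INCLUDED.get(u.suite), REQUIRED[u.model]
        for line in u.standalone:
            if line == "Plan 1" and have == "Plan 1":
                findings.append((u.upn, "redundant", line))    # step 2: suite already includes Plan 1
            elif line in ("Plan 2", "Suite") and u.model != "MAM Tunnel":
                findings.append((u.upn, "unjustified", line))  # step 3: no MAM Tunnel use in production
        best = max([RANK.get(have, -1)] + [RANK[l] for l in u.standalone])
        if best < RANK[need]:
            findings.append((u.upn, "gap", need))              # step 4: e.g. F1 user enrolled in MDM
    return findings

def annual_waste(findings):
    """Yearly list-price spend on lines flagged redundant or unjustified."""
    return sum(12 * LIST_PRICE[line] for _, kind, line in findings if kind != "gap")

def summarize(findings):
    return dict(Counter(kind for _, kind, _ in findings))

# Constructed sample: the page's 3,000 E3 BYOD users holding standalone Plan 1, plus three edge cases.
SAMPLE = (
    [User(f"byod{i}@example.com", "M365 E3", ["Plan 1"], "MAM-WE") for i in range(3000)]
    + [User("fw1@example.com", "M365 F1", [], "MDM"),                 # F1 covers MAM only: gap
       User("hq1@example.com", "M365 E3", ["Plan 2"], "MAM-WE"),      # Plan 2 with no MAM Tunnel
       User("hq2@example.com", "M365 E3", ["Plan 2"], "MAM Tunnel")]  # Plan 2 justified
)

if __name__ == "__main__":
    found = audit(SAMPLE)
    print(summarize(found), f"${annual_waste(found):,.0f}/year in removable Intune spend")
```

The redundant-spend figure the sample produces matches the $288,000/year worked case earlier on this page, plus one unjustified Plan 2 seat.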
BYOD Licensing in the Context of the Full Microsoft EA
BYOD licensing interacts with two other EA components that affect total cost. First, the Entra ID (Azure AD) Conditional Access configuration: MAM-WE BYOD with app-based CA requires Entra ID P1, which is included in M365 E3. Device-based CA with compliance signals from Intune also requires Entra ID P1. If your organisation is purchasing Entra ID P1 standalone alongside M365 E3 for BYOD CA policy enforcement, those Entra licences are also redundant — included in E3. Our Intune complete guide covers the full Intune licence architecture, and our security licensing guide covers how Intune and Entra interact in the full security stack.
Second, the Intune Suite add-on analysis is relevant if your organisation is evaluating Intune Suite for the BYOD MAM Tunnel scenario. MAM Tunnel is included in both Intune Plan 2 and Intune Suite. If MAM Tunnel is the only Suite driver, Plan 2 ($4.50 add-on) is the correct SKU — not Suite ($10 add-on). Suite is only justified when additional Suite features (Remote Help, EPM, Advanced Analytics, LAPS) are also being deployed to the relevant device population. For BYOD devices specifically, Remote Help and EPM are rarely deployed (Remote Help requires device enrolment, which BYOD MAM-WE does not have). The Suite for BYOD use case is narrow — validate carefully before accepting it in your EA.