The Kiosk Licensing Problem That Costs Enterprises Millions

Manufacturing firms, retailers, logistics companies, and healthcare systems collectively employ hundreds of thousands of workers who access Microsoft 365 services from shared devices — production floor terminals, point-of-sale systems, nurse station computers, warehouse scanners. These workers do not need a dedicated device, an Office desktop suite, or the full Teams experience. They need structured access to task-specific applications, shift scheduling, safety communications, and basic collaboration tools.

The commercial failure mode we see repeatedly: enterprises license every worker at the same tier — typically M365 E3 or even M365 E5 — because the procurement team did not differentiate between knowledge workers with personal computers and frontline workers sharing a single terminal between four shifts. At £29/user/month (E3) versus £2/user/month (F1), the difference for 5,000 frontline workers is £1.62M per year. We have seen single engagements where this miscategorisation accounted for more savings than the entire EA negotiation discount.

This guide covers the Microsoft 365 frontline and kiosk licensing tiers precisely: what each plan includes, the shared device licensing model, when F1 is genuinely sufficient, when F3 is justified, when the M365 Kiosk standalone plan applies, and how to structure the EA negotiation to maximise savings on large frontline worker populations.

£1.62M
Annual overspend for a 5,000-person frontline workforce licensed on M365 E3 instead of M365 F1. This is one of the most common and most correctable licensing errors in enterprise Microsoft estates — and it compounds every year without intervention.

Plan Comparison: F1 vs F3 vs Kiosk

Microsoft offers three main licensing options for frontline and kiosk workers. Understanding where each one ends is as important as understanding what each one includes.

Plan List Price (per user/month) Teams Exchange SharePoint Office Apps Intune
M365 F1 £2.25 Yes (web & mobile only) 2GB mailbox (web only) Yes (web only) Web apps only — no desktop Yes (device management)
M365 F3 £7.60 Yes (including desktop) 2GB mailbox (desktop app) Yes Desktop apps (PC only, not Mac) Yes
M365 Kiosk (O365 K1) £1.75 No (Teams not included) 2GB mailbox (Outlook web) Yes (web) No Basic MDM via Intune for Education (limited)
Teams Essentials £3.40 Yes (full client) No No No No
Critical Distinction

M365 F1 includes a 2GB Exchange mailbox accessible only via Outlook on the web or the Outlook mobile app. It does not provide access to the Outlook desktop application. If your kiosk workers need Outlook desktop, they need F3 or higher — but most shared device scenarios do not require desktop Outlook, making F1 the correct tier in the majority of cases.

When F1 Is Genuinely Sufficient

M365 F1 is the correct licence for the majority of shared-device frontline worker scenarios. The key test is whether the worker's primary Microsoft 365 activities can all be completed in a browser or mobile app. In our experience, the following worker categories are well-served by F1:

  • Production floor workers using Viva Connections for shift updates and safety briefings (browser-based or mobile)
  • Retail staff accessing Teams for shift scheduling, store communications, and task management from a shared back-of-house terminal
  • Healthcare auxiliaries checking schedules, completing compliance training via SharePoint, and reading team communications
  • Logistics and warehouse staff using Teams walkie-talkie, shift management, and basic task notification workflows
  • Service desk and call centre staff who use a dedicated line-of-business application for their core work and need M365 only for communication and HR self-service functions

The critical question to ask for each frontline role is: Does this worker need to create or edit Office documents? If the answer is no — they consume documents, fill in forms, read communications, and use web-based tools — F1 is almost always the right answer. The moment a worker needs to create Excel spreadsheets, edit Word documents, or use a PowerPoint that cannot be accessed via the web-only apps, the case for F3 begins.

Shared Device Scenarios Under F1

F1 supports shared device usage natively. Multiple workers can use the same physical device with individual accounts — each logs into the Teams mobile app or browser with their own credentials, sees their own shift schedule and messages, and logs out when their shift ends. The 2GB mailbox is per user, not per device, so each worker has their own mail account even in a shared device environment.

Microsoft does not require a separate "shared device" licence for this model — the F1 (or F3) licence applies to the user, not the device. This is architecturally different from the Windows 365 or VDI model, where a persistent desktop is provisioned per device or per user. For true kiosk scenarios — no persistent sessions, no personal file storage, rotate between workers — F1 with Teams Shared Device Mode is the standard deployment model.

When F3 Is Justified

F3 is justified when frontline workers need one or more of the following capabilities that are not available in F1:

Capability Required F1 Support F3 Support Notes
Office desktop apps (Word, Excel, PowerPoint) Web only Desktop included Offline document editing requires F3
Teams desktop client (rather than web/mobile) Web/mobile only Full desktop client Teams calls with screen sharing require desktop in most cases
Power Apps (canvas apps) Limited — web-based Power Apps seeded plan Power Apps seeded plan Both include seeded rights; full Power Apps requires separate licence at both tiers
Intune full device management Intune included (Plan 1) Intune included (Plan 1) Both tiers include full Intune Plan 1 — same capability
Advanced compliance (DLP, retention) Basic only M365 F3 Compliance add-on available Compliance add-on for F-series users is available at reduced cost vs E-series equivalent
Common Overspec Warning

We frequently see F3 deployed for workers who need desktop Teams for video calls. Before upgrading to F3 for this reason, test whether Teams web app in the browser meets the use case. Modern browsers support full Teams video calling including screen sharing. The F1 restriction is the installed desktop application — the web Teams experience is functionally equivalent for most call scenarios.

The M365 Kiosk Standalone Plan (O365 K1)

The M365 Kiosk plan (internally still often referenced as O365 K1) is the most minimal Microsoft 365 offering at approximately £1.75/user/month. It predates the F-series plans and is increasingly being consolidated into the F1/F3 framework, but it persists in many enterprise agreements and is still the right answer for specific scenarios.

What the Kiosk Plan Includes

  • Exchange Online (web access only, 2GB mailbox)
  • SharePoint Online (web access)
  • Microsoft Forms (basic)
  • Yammer (basic)
  • Microsoft Stream (consumption only)

Notably absent from the Kiosk plan: Microsoft Teams, Office desktop or web apps (no Word, Excel, or PowerPoint even in the browser), Intune device management, and Viva apps. For workers who need only email and basic document access from a shared browser terminal — no Teams, no Office editing — the Kiosk plan is commercially the right choice. The difference between Kiosk (£1.75) and F1 (£2.25) is small in absolute terms but material at scale: 10,000 pure kiosk workers represents £60,000/year in unnecessary spend if licensed at F1 when Kiosk suffices.

When to Use Kiosk vs F1

Use the Kiosk plan when workers need only email and document reading — a retail changing room terminal for schedule access, a visitor management kiosk, a compliance-only access point. Use F1 when workers need Teams (even web or mobile) for any communication purpose. The presence or absence of Teams is the primary decision criterion.

Frontline worker licensing audit
We segment your frontline workforce by actual use case and build a licence map that matches each role to the correct tier. Typical outcome: 25–40% cost reduction on the frontline portion of your M365 estate.
Book a Frontline Review

Teams Shared Device Mode

Microsoft's Shared Device Mode is the technical deployment model for kiosk scenarios in Teams. It is enabled via Microsoft Entra ID and Intune, and it changes how Teams behaves on a shared device: no persistent sign-in, automatic sign-out after each shift, and suppressed personal notification settings between users.

Shared Device Mode is supported on iOS, Android, and Windows devices. It does not require a special licence beyond the standard F1 or F3 plan. The setup requires:

  • Entra ID (Azure AD) configured with shared device mode on the device object
  • Intune device enrolment (included in F1 and F3)
  • Microsoft Authenticator app on the device for authentication
  • Teams app configured in Shared Device Mode profile in Intune

One frequently missed point: Shared Device Mode enables single sign-out across all supported apps simultaneously. When a worker signs out of Teams, they are also signed out of Outlook, OneDrive, and any other Entra-integrated app on that device. This is the security-compliant behaviour for shared devices and eliminates the risk of one worker accessing another's data on a handover. If your deployment requires per-app independent sessions (unusual but occasionally requested), standard multi-user device configuration is used instead.

Add-Ons for Frontline Workers

Microsoft has released a growing portfolio of add-ons designed specifically for F-series licence holders at reduced prices compared to the equivalent capability in E-series. These are worth evaluating if your frontline deployment is mature enough to need extended capabilities:

Add-On What It Provides Approx. List Price/User/Month Notes
Microsoft Teams Shifts & Tasks Shift scheduling, task management, workforce management integration Included in F1/F3 No additional cost — part of Teams licence
Microsoft Viva (Frontline) Viva Connections, Learning, Engage for frontline workers £1.30 (reduced F-series rate) Significant discount vs full Viva Suite at E-tier pricing
Microsoft Defender for Business (Frontline) Endpoint security for F-series licensed devices £1.75 Lighter than Defender for Endpoint P2; adequate for most frontline device estates
M365 F1/F3 Compliance add-on Audit, eDiscovery, DLP, retention for frontline user accounts £7.00 Available only if you have sufficient E-series or E5 Compliance licences in the tenancy
Power Apps for Frontline Full Power Apps canvas + model-driven licence for F-series users £5.00 (reduced F-series rate) Standard Power Apps per-user licence is £16.40 — significant saving for frontline Power Apps deployments

Negotiating Frontline and Kiosk Licences in Your EA

Frontline worker volumes are a legitimate negotiating lever in your Enterprise Agreement. A large retail chain or manufacturer with 10,000+ frontline workers has genuine volume that Microsoft wants to capture — and that volume gives you pricing power if you position it correctly.

Positioning Frontline Volume as Incremental Commitment

The framing that works: you have a core E-series estate for knowledge workers that you are already committed to renewing. The frontline F-series population is incremental commitment — Microsoft only gets it if the price is right. Even a 15–25% discount on F1 from list price (moving from £2.25 to £1.70–£1.90/user/month) represents £30,000–£55,000/year at 10,000 users. It is not large enough to negotiate alone but material as part of an EA renewal where you are also expanding the E-series commitment.

Avoiding the Upgrade Upsell

Microsoft's account teams routinely propose upgrading frontline workers from F1 to F3 to "unlock the full Teams experience." Before accepting any upgrade proposal, run an F1 sufficiency test with a pilot group of 50–100 frontline workers. In our experience, 70–80% of kiosk and shared device scenarios are fully satisfied by F1. The Teams web experience, Outlook on the web, and SharePoint cover the vast majority of frontline worker needs. The remaining 20–30% who need desktop apps are typically supervisory roles or team leads who should be assessed for E3 rather than F3 (F3 is often a middle ground that satisfies neither pure frontline nor knowledge worker requirements cleanly).

Segmenting Your Frontline Population for True-Up Accuracy

Frontline worker populations are inherently volatile — seasonal hiring, high turnover, contractor populations that fluctuate significantly. Negotiate explicit provisions in your EA for frontline licence count adjustments at more frequent intervals than your standard annual true-up, or negotiate a broad band (e.g., ±20% of committed frontline count) within which you can flex without triggering an immediate true-up event. This is a standard provision that Microsoft account teams will accommodate for large frontline commitments.

Approaching your EA renewal?
Frontline worker licensing is one of the three areas we examine in every EA renewal engagement. We build the business case for tier segmentation before you enter negotiations — so you arrive with data, not assertions.
View EA Negotiation Service

Frequently Asked Questions

Can F1 users access Microsoft Teams?

Yes. M365 F1 includes Microsoft Teams, but access is limited to the Teams web app and Teams mobile app. F1 users cannot install the Teams desktop client. In practice, this distinction is less limiting than it sounds — the Teams web app in modern browsers supports full messaging, voice calls, video calls, and screen sharing. For workers operating from a shared browser terminal, the web-based experience is functionally equivalent for the vast majority of use cases.

How many workers can share one M365 licence?

In the shared device model, each worker still requires their own individual M365 licence. The licence is assigned to the user, not the device. What shared device mode provides is the ability for multiple licensed workers to use the same physical device securely in sequence — it is not a concurrent access or per-device licence model. Attempting to have multiple workers share a single account licence (e.g., a single F1 account used by an entire team) violates Microsoft's licence terms and creates a true-up liability.

Is M365 F1 sufficient for Viva Connections?

Yes. Viva Connections is included in M365 F1 and can be accessed via the Teams web app or the Teams mobile app. It is one of the primary use cases for frontline F1 deployment — a personalised company news feed, shift information, and communication portal accessible from any shared device. No additional Viva licence is required for the basic Connections experience.

What is the difference between M365 F3 and O365 E1?

They are similar in price but serve different purposes. O365 E1 (£5.10/user/month) includes Exchange Online Plan 1, SharePoint, Teams, and OneDrive — but no Intune and no advanced compliance. M365 F3 (£7.60/user/month) includes the same collaboration tools plus Intune device management and the Defender for Business basic tier. For frontline workers where device management is a priority, F3 often makes more commercial sense than E1 even at a slightly higher price. For knowledge workers who need core collaboration without device management, E1 or E3 is the appropriate tier.