Shared device deployments are the most cost-sensitive architecture in the Microsoft frontline licensing model. The ratio of physical devices to user licences — typically 1:3 to 1:6 — means your hardware CapEx and licence OpEx move in opposite directions: more workers sharing fewer devices reduces hardware cost but maintains or increases user licence count. Getting this architecture right requires understanding not just the licence mechanics, but the operational constraints that determine whether a shared device model is viable for your specific workforce. This guide covers both.
The Shared Device Licensing Principle: Licences Follow Users, Not Devices
Microsoft's licensing model for M365 is unambiguously per-user. A shared device does not have its own M365 licence. Every individual who accesses M365 services through that device must have their own licence. If 40 workers rotate through 8 shared devices across three shifts, you need 40 user licences — not 8 device licences.
This is the fundamental economics of shared device deployments: the licence cost is a function of your workforce headcount, not your device count. The hardware cost is a function of your device count. A shared device strategy reduces hardware cost — and the device-to-user ratio determines how much. It does not reduce the licence cost below the per-user minimum.
The practical implication: a shared device strategy is cost-effective when devices are expensive relative to licences, or when the organisational preference is to minimise physical device count for operational reasons (security, hygiene, maintenance). For a 1,000-worker warehouse, the difference between issuing 1,000 individual smartphones ($200 each = $200,000 CapEx) and deploying 200 shared devices ($500 each = $100,000 CapEx) is $100,000 in hardware. The 1,000 F1 licences ($27,000/year) are required in both scenarios.
Azure AD Shared Device Mode: The Technical Foundation
Azure AD Shared Device Mode is the identity and authentication layer that makes secure shared device deployments possible at enterprise scale. It enables the "sign in, work, sign out — cleanly" experience that multi-shift environments require. Understanding its architecture is essential for designing a compliant, secure shared device strategy.
How Azure AD Shared Device Mode Works
When a device is configured in Azure AD Shared Device Mode, it joins the Azure AD tenant as a shared device rather than a dedicated user device. Applications that support Shared Device Mode (Microsoft Teams, Edge, and select third-party apps that use the Microsoft Authentication Library) become "shared app aware": they participate in a coordinated sign-in and sign-out experience.
When a worker signs in — typically by scanning a badge, entering a PIN, or using QR authentication — all shared-device-aware apps on the device sign in under that worker's identity simultaneously. The worker accesses Teams with their channels and notifications, SharePoint with their permissions, and any other supported M365 apps. When they sign out (or the inactivity timer triggers), all shared-device-aware apps sign out simultaneously and clear session data, credentials, and personal information. The device is immediately ready for the next worker.
Prerequisites for Azure AD Shared Device Mode: The device must be enrolled in Intune (or another supported MDM) and registered to the tenant as a shared device via a device configuration profile. Azure AD P1 is required for conditional access policies and is included in M365 F1 and F3. The Microsoft Authenticator app or another supported broker app must be installed to coordinate the multi-app sign-in/sign-out.
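The two rules above (one licence per user who signs in, and a clean sign-out before the next worker takes the device) can be checked against sign-in records. The following is an added example, not code from this guide or from Microsoft; the record fields (`device`, `user`, `sign_in`, `sign_out`) and the sample data are constructed, hypothetical names that you would map from your own sign-in export.

```python
from datetime import datetime

# Constructed sample data. Field names (device, user, sign_in, sign_out) are
# hypothetical, not a Microsoft log schema; map them from your own export.
SIGN_INS = [
    {"device": "WH-01", "user": "amy",  "sign_in": "2026-01-05T06:00", "sign_out": "2026-01-05T14:02"},
    {"device": "WH-01", "user": "ben",  "sign_in": "2026-01-05T14:05", "sign_out": None},
    {"device": "WH-01", "user": "cara", "sign_in": "2026-01-05T22:01", "sign_out": "2026-01-06T06:00"},
    {"device": "WH-02", "user": "dev",  "sign_in": "2026-01-05T06:10", "sign_out": "2026-01-05T14:00"},
    {"device": "WH-02", "user": "amy",  "sign_in": "2026-01-05T13:55", "sign_out": "2026-01-05T14:30"},
]
LICENSED_USERS = {"amy", "ben", "dev"}  # constructed: users holding F1/F3


def audit_shared_devices(sign_ins, licensed_users):
    """Return licence and handover findings for shared-device sign-ins."""
    users = {r["user"] for r in sign_ins}
    devices = {r["device"] for r in sign_ins}
    findings = {
        "licences_required": len(users),   # per user, never per device
        "device_count": len(devices),
        "unlicensed_users": sorted(users - licensed_users),
        "dirty_handovers": [],             # next user signed in before a sign-out
    }
    by_device = {}
    for rec in sorted(sign_ins, key=lambda r: r["sign_in"]):
        by_device.setdefault(rec["device"], []).append(rec)
    for device, sessions in by_device.items():
        for prev, nxt in zip(sessions, sessions[1:]):
            start = datetime.fromisoformat(nxt["sign_in"])
            ended = prev["sign_out"] and datetime.fromisoformat(prev["sign_out"])
            # A missing sign-out, or one later than the next sign-in, means the
            # previous session was not closed before the device changed hands.
            if prev["user"] != nxt["user"] and (not ended or ended > start):
                findings["dirty_handovers"].append((device, prev["user"], nxt["user"]))
    return findings


if __name__ == "__main__":
    print(audit_shared_devices(SIGN_INS, LICENSED_USERS))
```

A non-empty `dirty_handovers` list points at devices where the sign-out and data-clearing step did not complete before the next worker signed in, which is worth investigating before relying on the shared model for session isolation.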
Deployment Architecture Options
| Architecture | Description | Identity Model | Licence per Worker | Best For |
|---|---|---|---|---|
| Dedicated device (1:1) | One device permanently assigned to one worker | User-registered device | F1, F3, or E3 | Knowledge workers, supervisors, field engineers |
| Shared device (1:N) | One device shared by N workers across shifts | Azure AD Shared Device Mode | F1 per worker | Warehouse, retail floor, clinical support |
| Kiosk — single account | Device always signed into one account | Dedicated service account | F1 for the account (1 licence only) | Fixed-function terminals, reception kiosks |
| BYOD (personal device) | Workers use their personal smartphones | Personal device + MAM policies | F1 per worker (MAM-only, no enrollment) | Organisations wanting zero device CapEx |
| Hybrid | Mix of above based on role | Mixed | Varies by cohort | Large organisations with diverse worker profiles |
Shared Device Mode Configuration: Step-by-Step
Deploying shared devices in Microsoft's stack requires coordination across four technology layers:
1. Intune device enrollment: Enroll devices using Android Enterprise Dedicated Device enrollment (for Android) or Apple DEP/ADE (for iOS/iPadOS). This creates the MDM-managed foundation. Configure a Shared Device profile in Intune — this sets the device as a shared device type in Azure AD.
2. Azure AD Shared Device Mode enablement: Push the Shared Device Mode configuration to enrolled devices via an Intune configuration profile. This activates the shared-app-aware sign-in/sign-out coordination across supported apps.
3. Teams configuration for Shared Device: Deploy Teams with the "Shared Device" Teams configuration policy applied. This policy disables personal calling features (workers cannot receive personal calls on the shared device), enables the streamlined sign-in UI optimised for shared device workflows, and configures inactivity timeout (recommended: 1-4 hours for shift environments).
4. Authentication method: Configure how workers authenticate on shared devices. Options include: Azure AD-integrated QR code (workers scan a QR printed on their badge or displayed at a sign-in station), PIN sign-in for workers without smartphones, or FIDO2 security key for high-security environments. Each method has different friction levels and appropriate deployment contexts.
Per-Worker Licence Count vs Device Count: The Cost Model
For a 3-shift manufacturing operation with 1,200 workers across 400 shared devices (3:1 ratio):
| Cost Component | Shared Device Model | 1:1 Dedicated Device Model |
|---|---|---|
| M365 F1 licences | 1,200 × $2.25/month = $32,400/month | 1,200 × $2.25/month = $32,400/month |
| Device hardware (smartphone equivalent) | 400 × $250 = $100,000 CapEx | 1,200 × $250 = $300,000 CapEx |
| MDM management (Intune included in F1) | $0 additional | $0 additional |
| Inactivity-driven data clearing overhead | Low (automated via Shared Device Mode) | None |
| Device replacement cycle (3 years) | 400 devices × $83/year = $33,333/year | 1,200 devices × $83/year = $100,000/year |
The shared device model saves $200,000 in upfront device CapEx and $66,667/year in replacement cost — while the licence cost is identical. Over a 3-year EA term, the shared device hardware saving is $400,000 compared to 1:1 dedicated devices.
BYOD Strategy: Zero Device CapEx with MAM-Only Intune
A BYOD approach using Intune Mobile Application Management (MAM) without device enrollment offers a zero-CapEx alternative to both dedicated and shared device hardware. Workers use their personal smartphones. The company deploys Teams, SharePoint, and other M365 apps via app-based MAM policies that protect company data without enrolling the personal device in Intune.
MAM-only protection means: company data in M365 apps is encrypted and isolated from personal apps, copy-paste between M365 apps and personal apps is blocked by policy, remote wipe of company data (not the entire device) is possible if a worker leaves, and app access is conditional on the device meeting minimum security baseline (PIN/biometric, screen lock).
The BYOD model has real adoption constraints in frontline environments: workers in some regions can refuse company app installation on personal devices, workers in certain industries (healthcare, some manufacturing) cannot carry personal phones on the floor, and the absence of device enrollment limits some security policy enforcement. BYOD works best for deskless workers in retail, hospitality, and office-adjacent frontline roles.
For the complete frontline licensing picture including F1/F3 comparison, see our Frontline Worker licensing pillar guide. For kiosk-specific architecture, see our kiosk licensing complete guide. For the F1 vs F3 decision, see our F1 vs F3 decision guide.
EA Negotiation for Shared Device Deployments
Microsoft's EA teams are accustomed to frontline licensing discussions but frequently attempt to add licence complexity that is not required for shared device architectures. Watch for these common upsell attempts:
Unnecessary Intune standalone add-ons: Intune is included in F1 and F3. You do not need an additional Intune Plan 1 or Plan 2 licence for shared device management unless you require specific capabilities available only in higher Intune tiers (such as Endpoint Privilege Management or Remote Help, which are Intune Suite features). Audit any proposed Intune add-on against your actual device management requirements.
Windows 365 Frontline for shared devices: Microsoft markets Windows 365 Frontline as a shared PC solution where workers access a Cloud PC on shared physical devices. The cost model ($38/month for a 3-user shared licence) is higher than F1 and appropriate only for scenarios where workers need a full personalised Windows desktop experience on a shared device — not for Teams/mobile-first frontline use cases where F1 covers requirements at a fraction of the cost.
Microsoft Entra ID P2 for shared devices: Entra ID P1 (included in F1) covers conditional access policies, which are sufficient for shared device security. Entra ID P2 adds Privileged Identity Management and Identity Protection — features relevant for admin accounts, not frontline workers. If Microsoft proposes Entra P2 for your shared device deployment, challenge the justification.
Frequently Asked Questions
How many licences are needed for shared devices?
One M365 licence per worker who accesses Microsoft services — regardless of how many workers share the same physical device. For 40 workers sharing 8 devices, you need 40 F1 licences. Microsoft licensing is per-user, not per-device. The physical device count affects hardware CapEx, not the licence count.
What is Azure AD Shared Device Mode?
Azure AD Shared Device Mode is a device configuration that coordinates identity across all supported apps (Teams, Edge, MSAL-based apps) on a shared device. When a worker signs in, all apps sign in under their identity. When they sign out, all apps sign out and clear credentials and personal data simultaneously. It requires Intune enrollment and Azure AD P1 (included in M365 F1).
Can frontline workers use personal (BYOD) devices?
Yes. Intune MAM-only (without device enrollment) applies app protection policies to company apps on personal devices, securing company data without requiring full device management. BYOD workers still need individual M365 licences. BYOD works best where workers can carry personal devices and in roles with moderate compliance requirements.
Does Intune require a separate licence for shared device management?
No. Intune is included in M365 F1 (limited) and F3 (full Plan 1). There is no additional per-device Intune licence for shared device management. The Intune licence attaches to the user, so as long as each worker has F1 or F3, shared device MDM is covered within that licence cost.
What is the optimal device-to-user ratio for shared device deployments?
Optimal ratios depend on shift patterns: for three 8-hour shifts with clean handoff, 1:3 is the minimum (one device per shift). For roles with more device overlap or break periods, 1:4 to 1:6 is common. Healthcare environments often maintain closer to 1:2 ratios for hygiene and device availability reasons. The ratio drives hardware cost; licences remain per-user regardless of ratio.