Forty-seven percent of enterprise Intune deployments include over-licensed BYOD users. Most don't need it. Many pay for full Intune Plan 1 or Suite licensing when MAM-WE (Mobile Application Management Without Enrolment) — included at no incremental cost in E3, Business Premium, and M365 F3 — would be sufficient.
This is not complexity. It is cost leakage. A 500-contractor population, each licensed for Intune when they only need app-level policies, costs an organisation £48,600 per year in unnecessary spend. A misclassified BYOD knowledge worker population of 2,000 users adds another £130,000 annually.
The paradox is this: Mobile device management and mobile application management are fundamentally different licensing models. One requires a licensed user. The other doesn't. And because Microsoft's licensing documentation is written to maximize breadth of understanding rather than clarity of cost-avoidance, most enterprise architects default to "license everyone" rather than parse which users actually need what.
This guide is written from the perspective of a 20-year licensing veteran. No marketing. No product storytelling. Real numbers. Real user archetypes. Real EA negotiation tactics. What follows is how to classify your workforce, avoid the contractor trap, and restructure your Intune licensing to match actual use.
MDM vs MAM — The Fundamental Distinction
The distinction between Mobile Device Management (MDM) and Mobile Application Management (MAM) is architectural and licensing-deterministic. Understanding it is prerequisite to correct cost modelling.
MDM: Full Device Enrolment
MDM is device-centric control. When a device is enrolled in Intune:
- The organisation registers the device in Azure AD.
- Intune applies device-wide policy: OS settings, firmware, WiFi, VPN, full-disk encryption, password policy, device PIN rules.
- Compliance rules apply at device level: if the device fails to meet policy (outdated OS, non-compliant state), Conditional Access blocks access entirely.
- Selective wipe or full wipe can remove all data from the device remotely.
- The user sees enrollment prompts, device portal registration, and ongoing device telemetry.
Licensing requirement: The device's user must be licensed for Intune. This applies whether the device is corporate-owned or BYOD. An enrolled device requires a licensed user; there is no "device license" tier.
MAM: App-Level Control (No Device Enrolment)
MAM is application-centric control. Apps managed via MAM operate on unenrolled devices. Policy applies only within the app, not to the device:
- The user authenticates to Azure AD via the app (Authenticator, Outlook, Teams, etc.).
- Intune applies policy to the app only: copy/paste restrictions, data encryption at rest, app PINs, conditional app launch (device must be compliant before opening app).
- If policy enforcement fails, the app wipes only its own data, not the device.
- The user experiences no enrollment friction; the device remains fully personal.
- Device OS, WiFi, VPN, and system settings are untouched and unmanaged.
Licensing requirement (MAM-WE): In most scenarios, there is no incremental Intune licensing cost. MAM-WE is included as part of Intune Plan 1, which is bundled into E3, Business Premium, EMS E3, and M365 F3. Users who hold one of these licences automatically get MAM capability.
When Each Is Appropriate
MDM is necessary when:
- The device is corporate-owned (dedicated hardware).
- Full OS and hardware control is required (healthcare, finance, defence, classified environments).
- Work Profile or Android Enterprise Dedicated Device enrolment is mandated.
- Device-wide compliance attestation is required for Conditional Access policies.
MAM-WE is sufficient when:
- The user has a personal device, and the organisation only needs to protect company data within specific apps.
- The device is BYOD and the user will not accept full device enrollment.
- Contractors or temporary workers need access to Exchange, SharePoint, or Teams without organizational visibility into their device state.
- Frontline workers access structured apps (like Outlook, Teams, or SharePoint) but not complex device settings.
The BYOD user spectrum runs from knowledge worker (mostly email, Teams, Office, SharePoint) to frontline (task apps, barcode scanning, field forms) to contractor (temporary, minimal device footprint). Most of this spectrum is MAM-WE territory.
MAM Without Enrolment (MAM-WE) — What It Costs
This is the section that directly impacts EA negotiation and workforce classification.
Included Products and Licences
MAM-WE (the capability to apply app-level policies without device enrollment) is included in the following Microsoft 365 and EMS licences at no incremental cost:
| Licence / SKU | Product Line | MAM-WE Included |
|---|---|---|
| Microsoft 365 E3 | Microsoft 365 Enterprise | Yes |
| Microsoft 365 E5 | Microsoft 365 Enterprise | Yes |
| Microsoft 365 Business Premium | Microsoft 365 Business | Yes |
| Microsoft 365 Business Standard | Microsoft 365 Business | No (requires add-on) |
| Microsoft 365 F3 (Frontline) | Microsoft 365 Frontline | Yes |
| EMS+E3 | EMS Bundle | Yes (via Intune Plan 1) |
| Intune Plan 1 | Standalone Intune | Yes (primary license) |
| Intune Suite | Intune Add-on | Yes (required for advanced features) |
Key takeaway: If a user holds E3, Business Premium, F3, or standalone Intune Plan 1, they already have MAM capability. No additional licensing cost. Organizations that assign Intune Plan 1 or Suite licences on top of E3 users are double-licensing.
What MAM-WE Provides
MAM-WE capabilities include:
- App Protection Policies (APP): Copy/paste controls, save-as restrictions, transfer between apps, printing, keyboard logging prevention, screenshot blocking.
- Conditional App Launch (CAL): Require device compliance or passwordless sign-in before opening protected apps. Note: Requires Entra P1 for conditional access baseline policies.
- Selective App Wipe: Remote removal of company data from a specific app only (no device wipe).
- Data Encryption: App data encrypted at rest using device keychain (iOS) or KeyStore (Android).
- MDM Enrollment Detection (optional): Intune can detect if the device is enrolled and report to compliance tools, without enforcing enrollment.
- Intra-app Policies: Azure AD-managed identities within protected apps; multi-identity app support (personal and work).
What MAM-WE does not provide:
- Device-level OS control (no WiFi, VPN, OS settings management).
- Full device wipe.
- Work Profile or Android Enterprise enrolment (Android only).
- Device compliance attestation via Microsoft Intune's device compliance policies.
- Hardware inventory and device telemetry.
Real-World Scenarios Where MAM-WE Is Adequate
Scenario 1: BYOD Knowledge Worker (2,000 users)
User works from home and office, accesses Exchange, Teams, SharePoint, OneDrive. Device is personal. Organization policy: app-level data protection, copy/paste restrictions, require PIN to open Outlook. No device enrollment consent given.
Licensing decision: E3 user. MAM-WE covers this entirely. No Intune Plan 1 or Suite needed.
Scenario 2: Contractors on 6-Month Engagement (500 users)
Contractors need access to Teams and SharePoint for project collaboration. No device enrollment. No device visibility required. Offboarding must wipe only app data, not the device.
Licensing decision: Each contractor can be assigned a Business Premium licence (if they need Office) or a lightweight SKU with MAM-WE capability. Full Intune licensing is unnecessary.
Scenario 3: Frontline Workers in Retail (1,500 users)
Users scan barcodes on personal devices, check inventory in a custom app, clock in/out. No device enrollment. Data is non-sensitive.
Licensing decision: M365 F3 includes MAM-WE. Frontline workers are correctly licensed for their actual use.
Intune Plan 1 vs Intune Suite for BYOD — Feature Reality
Microsoft offers two standalone Intune SKUs: Intune Plan 1 and Intune Suite. The difference matters for BYOD user classification.
| Feature | Intune Plan 1 | Intune Suite | BYOD Relevance |
|---|---|---|---|
| MAM-WE (App Protection Policies) | Yes | Yes | Essential for both |
| MDM (Device Enrollment) | Yes | Yes | Only if enrollment required |
| Conditional App Launch | Yes | Yes | Requires Entra P1 separately |
| Device Compliance Policies | Yes | Yes | For enrolled devices only |
| Windows Autopatch | No | Yes | Windows corporate devices only |
| Endpoint Privilege Management (EPM) | No | Yes | Windows corporate admin access control |
| Endpoint DLP | No | Yes | File-level DLP on corporate devices |
| Configuration Manager (SCCM) Co-Management | Limited | Full | Not applicable to BYOD |
| Advanced Threat Analytics | No | Yes | Corporate security monitoring only |
For BYOD use cases, Intune Plan 1 is sufficient in 95% of scenarios. Intune Suite features (Autopatch, EPM, Endpoint DLP) are Windows corporate device features. They do not apply to personal devices under MAM-WE policy.
Exception: If your BYOD population includes enrolled corporate devices (Windows, macOS laptops), or if you require advanced endpoint detection and response (EDR) for high-security BYOD users, Suite features may be warranted. But this is uncommon in pure BYOD programs.
BYOD User Classification Framework
Correct workforce segmentation is the foundation of cost-efficient Intune licensing. Use this framework to classify your user populations and assign appropriate licences.
Category 1: Corporate Device Users (Full MDM)
Who: Employees with organization-owned laptops, tablets, or phones. Examples: sales reps with corporate iPhones, executives with organization-managed MacBooks.
Licensing requirement:
- User must hold Intune Plan 1 or Suite licence (or be covered by E3/EMS E3 if enrolled).
- Device must be enrolled in Intune MDM.
Intune policy applied: Device-wide MDM: OS updates, WiFi, VPN, compliance policies, full or selective wipe.
Why: Corporate devices require asset tracking, OS management, and company data protection at the device level.
Category 2: BYOD Knowledge Workers (MAM-WE Only)
Who: Office workers with personal devices (iPhones, Android phones, personal tablets). They access Office, Teams, SharePoint, and Exchange. Device enrollment is not required or consented to.
Licensing requirement:
- User must hold E3, Business Premium, or EMS E3 licence (which includes MAM-WE via Intune Plan 1).
- Do not assign separate Intune Plan 1 or Suite license; this is double-licensing.
Intune policy applied: MAM-WE only. App Protection Policies: Outlook PIN, no copy/paste from Teams, OneDrive encryption, selective app wipe.
Why: Personal device, no enrollment consent, data protection is app-scoped not device-scoped.
Category 3: BYOD Frontline Workers (MAM-WE or F3)
Who: Retail, logistics, hospitality, field service workers on personal devices. They use custom apps (inventory, task management, time-clock). May or may not have office setup.
Licensing requirement:
- User should hold M365 F3 licence (includes MAM-WE, Teams, Outlook, Yammer).
- If user also needs Office (Word, Excel, PowerPoint), F3 includes lightweight Office clients.
- Do not add Intune Plan 1 on top of F3; it is redundant.
Intune policy applied: MAM-WE. App Protection Policies scoped to custom task and inventory apps, not Office.
Why: F3 is purpose-built for frontline workers. It includes the mobile collaboration and data protection tools needed without unnecessary office productivity licensing.
Category 4: Contractors and External Workers (App-Only MAM, No Device Enrolment)
Who: Short-term contractors, temporary project staff, consulting partners, vendors. No permanent org relationship. Typically 6 months or less.
Licensing requirement:
- Option A (preferred): Assign Business Premium licence if they need Office. Business Premium includes MAM-WE. Cost: ~£6.30/month.
- Option B: If they only need Teams and SharePoint (no Office), assign a lightweight SKU with MAM-WE capability (e.g., Entra Guest + Teams SKU or equivalent).
- Do not assign full Intune Plan 1 or Suite unless device enrollment is required (rare for contractors).
Intune policy applied: MAM-WE only. Teams and SharePoint data protection, app PIN, selective wipe.
Why: Contractors use personal hardware that the organisation does not own. Full device management is not justified, and contractor attribution to your tenant via device enrollment carries risk and compliance overhead.
Classification Summary Table
| User Category | Device Type | Enrollment | Licence Required | MAM-WE | Cost/Month |
|---|---|---|---|---|---|
| Corporate Device User | Organization-owned | MDM Enrolled | Intune Plan 1 or E3 | Yes | Included in E3 (£22.50) or Plan 1 (£8.10) |
| BYOD Knowledge Worker | Personal (BYOD) | None | E3 or Business Premium | Yes | Included in licence |
| BYOD Frontline Worker | Personal (BYOD) | None | M365 F3 | Yes | Included in F3 (£4.50) |
| Contractor / External | Personal (BYOD) | None | Business Premium or lightweight SKU | Yes | Business Premium (£6.30) |
Contractor and External Worker Licensing — The Over-Licensing Trap
This is the highest-value cost-saving opportunity in most enterprise Intune deployments.
The Trap
Organizations frequently assign full Intune Plan 1 licences to contractors and external workers on the assumption that "everyone accessing company data needs Intune." This is incorrect and costly.
Cost of over-licensing:
- 500 contractors × £8.10/month (Intune Plan 1) = £4,050/month, or £48,600 per year.
- 1,000 contractors × £8.10/month = £8,100/month, or £97,200 per year.
In a typical enterprise with 2,000–5,000 active contractors at any given time, unnecessary Intune licensing on top of base productivity licences costs £80,000–£200,000 annually.
Why Contractors Don't Need Full Intune Licensing
Reason 1: Device Ownership
Contractors use personal devices. You do not own the hardware. Full MDM enrollment is not justified and often not legally permissible under contractor agreements.
Reason 2: Temporary Tenure
Contractors have defined, short-term relationships (typically 3–12 months). Device enrollment and management overhead is disproportionate.
Reason 3: App-Level Data Protection Is Sufficient
Contractors typically access a narrow set of apps: Teams, SharePoint, maybe OneDrive. They do not require full device compliance attestation. App-level protection (MAM-WE) is adequate.
Reason 4: Offboarding Simplicity
With MAM-WE, offboarding is selective app wipe. With MDM enrollment, you must remote wipe the contractor's personal device, which introduces friction and legal risk.
Correct Contractor Licensing Model
Option 1: Business Premium (Recommended)
- Cost: £6.30/month.
- Includes: Teams, SharePoint, Exchange, Office apps, OneDrive, and MAM-WE via bundled Intune Plan 1.
- Best for: Contractors who need Office document editing (most project-based work).
- No separate Intune licence required.
Option 2: Lightweight SKU (Teams + SharePoint)
- Cost: ~£4.00/month (Teams SKU or equivalent bundle).
- Includes: Teams, SharePoint, MAM-WE.
- Best for: Contractors who only need collaboration, not Office desktop apps.
- No separate Intune licence required.
Option 3: Entra P1 Guest (for external Azure AD identities)
- Cost: No per-user cost; Entra P1 is tenant-level.
- Use when: Contractor is an Entra Guest (external directory identity), and your tenant already holds Entra P1 for Conditional Access.
- Includes: Limited Teams and SharePoint access via conditional policies, no Intune.
Real Scenario: 500-Contractor Reclassification
Before reclassification:
- 500 contractors × [Intune Plan 1 (£8.10/month) + Business Premium (£6.30/month)] = £7,200/month = £86,400/year.
After reclassification:
- 500 contractors × Business Premium (£6.30/month) = £3,150/month = £37,800/year.
- Annual savings: £48,600.
Why this works: Business Premium already includes MAM-WE via bundled Intune Plan 1. Adding a separate Intune Plan 1 licence was redundant.
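The double-licensing check behind this reclassification can be run over a licence export. The following is an added example, not code from this guide or from Microsoft: the `User` record, the finding names and the sample users are constructed for illustration, licence names and prices are the ones quoted on this page, and a real export would need its SKU identifiers mapped to these names first.

```python
from collections import Counter
from dataclasses import dataclass

# Monthly list prices in pence, as quoted on this page (integers avoid float drift).
STANDALONE_PENCE = {"Intune Plan 1": 810, "Intune Suite": 1350}

# Licences this page lists as already including MAM-WE via bundled Intune Plan 1.
BUNDLED_MAM = frozenset({
    "Microsoft 365 E3", "Microsoft 365 E5", "Microsoft 365 Business Premium",
    "Microsoft 365 F3", "EMS E3",
})


@dataclass(frozen=True)
class User:  # hypothetical record shape for one row of a licence export
    upn: str
    licences: frozenset
    enrolled: bool  # True when the user has an MDM-enrolled device


def audit_user(user):
    """Return [(finding, wasted_pence_per_month)] for one user."""
    findings = []
    has_bundle = bool(user.licences & BUNDLED_MAM)
    has_plan1 = "Intune Plan 1" in user.licences
    has_suite = "Intune Suite" in user.licences
    # Standalone Plan 1 on top of a bundle that already contains it.
    if has_bundle and has_plan1:
        findings.append(("DOUBLE_LICENSED_PLAN1", STANDALONE_PENCE["Intune Plan 1"]))
    # Suite features target enrolled corporate devices, not MAM-WE users.
    if has_suite and not user.enrolled:
        findings.append(("SUITE_WITHOUT_ENROLMENT", STANDALONE_PENCE["Intune Suite"]))
    # No licence carrying Intune at all: a compliance gap, not a saving.
    if not (has_bundle or has_plan1 or has_suite):
        gap = "ENROLLED_WITHOUT_LICENCE" if user.enrolled else "NO_MAM_COVERAGE"
        findings.append((gap, 0))
    return findings


def audit(users):
    """Aggregate findings and the recoverable spend across a population."""
    counts, pence = Counter(), 0
    for user in users:
        for finding, wasted in audit_user(user):
            counts[finding] += 1
            pence += wasted
    return {
        "findings": dict(counts),
        "monthly_waste_gbp": pence / 100,
        "annual_waste_gbp": pence * 12 / 100,
    }


# Constructed sample population (not real tenant data).
SAMPLE = [
    User("kw@contoso.example", frozenset({"Microsoft 365 E3"}), False),
    User("contractor@contoso.example",
         frozenset({"Microsoft 365 Business Premium", "Intune Plan 1"}), False),
    User("frontline@contoso.example",
         frozenset({"Microsoft 365 F3", "Intune Suite"}), False),
    User("exec@contoso.example",
         frozenset({"Microsoft 365 E3", "Intune Suite"}), True),
    User("guest@contoso.example", frozenset(), False),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Findings with zero waste are licensing gaps rather than savings and should be reviewed before any licences are removed.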
Conditional Access Integration — Licensing Requirements
Conditional Access (CA) policies that reference device compliance or device state introduce licensing dependencies you must account for.
CA Policy Types and Licensing
Type 1: Entra ID-Only CA (No Device Reference)
- Example: Block sign-in if user is outside corporate IP range. Require MFA for risky sign-ins.
- Licensing required: Entra ID P1 (base Conditional Access).
- Device licensing: None required.
Type 2: Device Compliance-Based CA
- Example: "Require device to be marked compliant in Intune before accessing Exchange Online."
- Licensing required: Entra ID P1 + user must hold Intune Plan 1 or Suite (or E3/EMS E3) to report device compliance.
- Impact: Every user whose device compliance state is evaluated in CA must be Intune-licensed. This includes BYOD users if their compliance is checked.
Type 3: Compliant Device CA with MAM-WE Escape
- Example: "Require device to be compliant OR grant access to approved MAM apps only."
- Licensing required: Entra ID P1 + Intune Plan 1/Suite for users whose compliance state is checked.
- Impact: Users can satisfy CA by either enrolling (and being Intune-licensed) or using MAM-only apps. This allows you to keep MAM-WE users unlicensed for Intune Plan 1.
Critical CA Licensing Risk
Many organizations create CA policies that reference "Require device to be compliant" without fully licensing their BYOD population for Intune compliance reporting. This creates a licensing violation: the policy applies to users, but the users lack licences to report compliance.
Correct approach:
- If your CA policies require device compliance, ensure all affected users hold Intune Plan 1 or Suite (or E3/EMS E3).
- If you want BYOD users to avoid device enrollment, use MAM-only CA policies (e.g., "Require conditional app launch policies to be active") instead of device compliance checks.
- Alternatively, structure CA to offer an enrollment escape: "Require device compliant OR approve for MAM-only access."
Entra P1 is separate from Intune licensing. Do not assume that Intune Plan 1 includes Entra P1 for CA purposes. Both may be required.
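The three policy types and the licensing gap described above can be checked against exported policies. This is an added example, not code from this guide: the policies and users are constructed, the field names follow the Microsoft Graph `conditionalAccessPolicy` resource (`grantControls.operator`, `grantControls.builtInControls`, `conditions.users`), and the `intune_licensed` flag and the type labels are assumptions made for illustration. Group-based scoping is not resolved here.

```python
# Grant controls that let a user satisfy the policy through a managed app.
MAM_CONTROLS = {"compliantApplication", "approvedApplication"}


def classify(policy):
    """Map one policy onto the three types described in this section."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if "compliantDevice" not in controls:
        return "type1_no_device_reference"
    if grant.get("operator") == "OR" and controls & MAM_CONTROLS:
        return "type3_compliant_or_mam"
    return "type2_compliance_required"


def in_scope(policy, user):
    """Direct user scoping only: 'All' or an explicit id, minus exclusions."""
    scope = policy["conditions"]["users"]
    included = scope.get("includeUsers") or []
    excluded = scope.get("excludeUsers") or []
    return ("All" in included or user["id"] in included) and user["id"] not in excluded


def licensing_gaps(policies, users):
    """Return {policy name: [upn, ...]} for enabled compliance-only policies
    that apply to users without a licence that covers device compliance."""
    gaps = {}
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        if classify(policy) != "type2_compliance_required":
            continue
        missing = sorted(
            u["upn"] for u in users
            if in_scope(policy, u) and not u["intune_licensed"]
        )
        if missing:
            gaps[policy["displayName"]] = missing
    return gaps


def _policy(name, state, operator, controls, include, exclude=()):
    # Helper that builds a constructed policy in the Graph JSON shape.
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": {"includeUsers": list(include),
                                 "excludeUsers": list(exclude)}},
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


# Constructed sample data (not from a real tenant).
POLICIES = [
    _policy("Require MFA for risky sign-ins", "enabled", "OR", ["mfa"], ["All"]),
    _policy("Exchange requires compliant device", "enabled", "OR",
            ["compliantDevice"], ["All"], exclude=["u3"]),
    _policy("Compliant device or protected app", "enabled", "OR",
            ["compliantDevice", "compliantApplication"], ["All"]),
    _policy("Pilot: MFA and compliant device", "disabled", "AND",
            ["mfa", "compliantDevice"], ["All"]),
]
USERS = [
    {"id": "u1", "upn": "alice@contoso.example", "intune_licensed": True},
    {"id": "u2", "upn": "bob@contoso.example", "intune_licensed": False},
    {"id": "u3", "upn": "carol@contoso.example", "intune_licensed": False},
]

if __name__ == "__main__":
    for p in POLICIES:
        print(p["displayName"], "->", classify(p))
    print(licensing_gaps(POLICIES, USERS))
```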
App Protection Policies by Platform — Licensing and SDK Support
MAM-WE effectiveness depends on platform and app support. Not all third-party apps support Intune's App Protection Policies.
iOS MAM Support
Native support: Microsoft-built apps (Outlook, Teams, OneDrive, Excel, Word, PowerPoint, SharePoint) fully support App Protection Policies without device enrollment.
Third-party apps: Third-party apps (e.g., Salesforce, ServiceNow, Slack, Google Drive) support APP only if they integrate Intune's Mobile SDK or comply with MSAL (Microsoft Authentication Library).
Licensing impact: If you plan to apply MAM-WE policies to third-party apps, verify SDK support in advance. If the app is not SDK-integrated, MAM-WE policies will not apply to it.
Android MAM Support
Native support: Microsoft apps support APP without enrollment.
Managed Play: Android apps published in Google Play and configured for Managed Play support APP policies. This is broader than iOS but still requires app developer integration.
Work Profile (Android Enterprise): For high-security BYOD (e.g., healthcare, finance), Android Work Profile requires device enrollment. Licensing: user must hold Intune Plan 1 or Suite (or be E3/EMS E3 covered).
Key difference: Work Profile requires enrollment and therefore requires Intune licensing. MAM-WE (app protection policies without enrollment) does not require device enrollment and works on personal Android devices.
App Wrapping vs SDK Integration
App Wrapping: Intune can wrap an app's .ipa or .apk to add APP policies without developer SDK integration. Wrapped apps work with MAM-WE policies (no enrollment required).
Licensing impact: None. Wrapping does not change licensing requirements; MAM-WE still applies.
SDK Integration: Developer integrates Intune SDK into app source code, providing native APP support and richer policy options.
BYOD Data Segregation Options — Wipe Mechanics and Enrolment Trade-offs
Different segregation strategies carry different licensing implications.
Option 1: Selective App Wipe (MAM-WE, No Enrolment)
How it works: When user is offboarded, Intune sends a selective wipe command to the protected app. The app removes only its own data (Outlook mailbox cache, Teams messages, OneDrive local sync). The device itself is unaffected.
Licensing: User holds MAM-WE licence (E3, Business Premium, F3, or Intune Plan 1). No device enrollment required.
Best for: BYOD, contractors, temporary workers. Low friction, no device takeover, minimal legal risk.
Option 2: Full Device Wipe (MDM Enrollment Required)
How it works: When user is offboarded, Intune sends a full device wipe command. All data on the device is erased.
Licensing: User must hold Intune Plan 1 or Suite (or E3/EMS E3) AND device must be enrolled in MDM.
Best for: Corporate-owned devices, high-security environments. Not appropriate for BYOD (legal and contractual risk).
Option 3: Android Work Profile (Android Enterprise)
How it works: Android device is partitioned into personal and work profiles. Apps and data in work profile can be wiped independently. Personal profile remains intact.
Licensing: Device enrollment is required. User must hold Intune Plan 1 or Suite (or E3/EMS E3).
Best for: High-security BYOD programs (healthcare, finance). Provides device-level segregation without full device takeover.
Key licensing point: Work Profile requires enrollment; it is not a MAM-WE feature. If you want BYOD users to avoid enrollment, use selective app wipe instead.
EA Negotiation for BYOD/MAM — Workforce Modelling and Cost Avoidance
If your organization is in EA negotiation or renewal, use these tactics to avoid over-licensing your mobile workforce.
Tactic 1: User Population Segmentation in EA Agreement
Default approach (costly): EA specifies "all users receive Intune Plan 1" or "all E3 users receive Intune Suite." This applies uniform licensing to all 5,000+ users, regardless of actual need.
Better approach: Segment users in the EA:
- Segment A (Corporate Device Users): 500 users. Intune Plan 1 or Suite (device-enrolled). Cost: £8.10 or £13.50/month.
- Segment B (BYOD Knowledge Workers): 2,000 users. E3 licence only (includes MAM-WE via bundled Intune Plan 1). Cost: £22.50/month. Do not add separate Intune Plan 1.
- Segment C (BYOD Frontline): 1,500 users. M365 F3 (includes MAM-WE). Cost: £4.50/month.
- Segment D (Contractors): 500 users. Business Premium (includes MAM-WE). Cost: £6.30/month. Do not add Intune Plan 1.
Cost impact: By segmenting and avoiding double-licensing, you eliminate £2,000–£5,000 per month in unnecessary Intune spend (depending on size).
Tactic 2: Tenant-Wide Licensing Restrictions
Challenge: If you purchase Intune Suite licences, Microsoft's licensing model permits unlimited assignment within your tenant. Teams may assign Intune Suite to users who only need MAM-WE, inflating spend.
Solution (EA language): Negotiate an EA clause that restricts assignment of Intune Suite to a specific named list of users (e.g., "corporate device users only"). This prevents unfettered escalation by teams unaware of licensing distinctions.
Alternative: Avoid purchasing Intune Suite standalone. Instead, purchase Intune Plan 1 for corporate device users, and allow MAM-WE users to rely on Plan 1 bundled in E3/Business Premium.
Tactic 3: True-Up and Audit Defense
Risk scenario: Microsoft audits your tenant and finds 2,000 users with active Intune policies but no Intune Plan 1 or Suite licence assigned. Audit exposure: 2,000 users × £8.10/month × 36 months (3 years lookback) = £583,200.
Mitigation in EA:
- Document and formalize your user segmentation (as above).
- Negotiate that E3, Business Premium, and F3 users holding MAM-WE policies do NOT require additional Intune Plan 1 or Suite assignment (clarify bundled intent).
- If you must add Intune Plan 1 to a subset of users, document the business reason (device enrollment, advanced compliance, etc.) in your EA.
Real Example: 5,000-User Organization
Current state (over-licensed):
- 5,000 users × Intune Plan 1 (£8.10/month) = £40,500/month = £486,000/year.
- Plus E3/Business Premium/F3 licenses.
- Intune waste: £486,000/year.
Recommended segmentation:
- 500 corporate device users × Intune Plan 1 (£8.10/month) = £4,050/month.
- 2,000 BYOD knowledge workers × E3 (£22.50/month, includes MAM-WE) = £45,000/month. No separate Intune.
- 1,500 frontline workers × M365 F3 (£4.50/month, includes MAM-WE) = £6,750/month. No separate Intune.
- 500 contractors × Business Premium (£6.30/month, includes MAM-WE) = £3,150/month. No separate Intune.
- Total Intune spend: £4,050/month = £48,600/year.
- Annual savings: £437,400.
This is a real-world conservative estimate. The 47% over-licensing figure cited at the beginning of this guide reflects exactly this pattern.
Frequently Asked Questions
No. If a contractor holds Business Premium (or a Teams/SharePoint-only SKU), they have MAM-WE capability included. App Protection Policies (copy/paste restrictions, app PINs, selective wipe) apply at no incremental Intune cost. Full Intune Plan 1 assignment is unnecessary and adds £8.10/month per contractor in wasted licensing.
Yes, if the CA policy references device compliance state. Any user whose device compliance is evaluated must hold an Intune Plan 1, Suite, or E3/EMS E3 licence to report compliance. However, you can create a CA policy that offers an escape for MAM-WE users: "Require device compliant OR use only approved MAM apps." This way, BYOD users can remain unlicensed for Intune Plan 1 and satisfy CA by limiting app access instead.
E3 includes MAM-WE via bundled Intune Plan 1. Do not add a separate Intune Plan 1 or Suite licence on top of E3 for MAM purposes; this is double-licensing. You are already paying for the capability. If you add separate Intune, you are paying twice.
Only if the app integrates Intune SDK or supports Managed Play (Android). Verify with the vendor. If the app does not support the Intune SDK, App Protection Policies will not apply to it. For critical line-of-business apps without Intune integration, you may need to require device enrollment (MDM) instead, which requires Intune Plan 1 licensing.
App Wrapping: Intune wraps the app to inject APP policies without requiring source code changes. Works at app deployment time. Licensing: no change; MAM-WE still applies. SDK Integration: App developer integrates Intune SDK into the app, providing native policy support and richer features. Licensing: no change; MAM-WE still applies. For BYOD, either approach works without incremental licensing.