Why Intune Licensing Produces Systematic Overspend
Microsoft Intune licensing appears straightforward on the surface — Plan 1 included in M365 E3/E5, Plan 2 and Suite as add-ons. In practice, enterprise Intune deployments produce systematic overspend through three patterns. First, organisations purchase Intune Plan 1 as a standalone even though it is already included in their M365 E3 or EMS E3 licence — a redundant line that persists through multiple renewal cycles because no one validates the inclusion. Second, organisations deploy Intune Suite add-ons (Remote Help, Endpoint Privilege Management, Advanced Analytics) for the full user population when the advanced scenarios apply to a specific device subset — a 70–80% over-purchase on the add-on lines. Third, organisations deploy Intune Plan 2 for scenarios that Plan 1 handles adequately, driven by Microsoft's field team positioning the higher tier as the default for "enterprise-grade" deployments.
The 26% average Intune licence overspend in enterprise EAs we have reviewed is not large in absolute terms compared to security or Azure spend — but it is consistent and correctable. For a 10,000-user organisation paying $8/user/month for standalone Intune Plan 1 on top of an existing M365 E3 licence, the annual redundant spend is $960,000. That is not a hypothetical figure; it is a pattern we encounter in roughly one in five initial EA assessments.
Intune Plan 1, Plan 2, and Intune Suite — What Each Tier Actually Covers
Microsoft Intune Plan 1 — The M365 E3/E5 Inclusion
Microsoft Intune Plan 1 (standalone ~$8/user/month at EA) is the foundational MDM/MAM platform. It covers: device enrolment and management for Windows, iOS, Android, and macOS; mobile application management (MAM) with and without enrolment; device compliance policies for Conditional Access enforcement; configuration profiles for device settings, Wi-Fi, VPN, and certificates; software update management and deployment rings; endpoint security policies (Firewall, BitLocker, Defender configuration); and basic endpoint analytics (device health, compliance trends). For the majority of enterprise MDM and MAM requirements — deploying managed devices, enforcing compliance for Conditional Access, configuring device settings — Plan 1 delivers the complete capability set.
Critical commercial fact: Intune Plan 1 is included in Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5, Microsoft 365 Business Premium, and as part of the Microsoft 365 F3 (Firstline Worker) suite. If your organisation has any of these licences, you do not need to purchase Intune Plan 1 as a standalone. This sounds obvious but is one of the most common duplicate licence errors in enterprise EAs — particularly in organisations that began with an Intune standalone deployment before subsequently upgrading to M365 E3/E5.
Microsoft Intune Plan 2 — The Advanced Specialised Scenarios Tier
Intune Plan 2 (~$4.50/user/month as an add-on to Plan 1, or ~$12.50/user/month standalone at EA) adds capabilities for specific advanced deployment scenarios: Microsoft Tunnel for Mobile Application Management (MAM Tunnel, enabling per-app VPN for managed and unmanaged devices without requiring full device enrolment); specialised device management for rugged devices, healthcare devices, and kiosk scenarios beyond the standard Plan 1 profile; and the foundational entitlement for certain advanced endpoint scenarios. Plan 2 is a legitimate tier for organisations with specific deployment requirements — specifically, those deploying MAM Tunnel for unmanaged BYOD devices accessing on-premises resources. For the majority of enterprise device management scenarios, Plan 1 covers the requirement.
Microsoft's field team often positions Plan 2 as the "enterprise tier" for large deployments. This framing is commercially motivated, not technically justified — Plan 1 manages enterprise environments at scale. Challenge any proposal that defaults to Plan 2 for the full device population without a specific capability justification for the Plan 2 additions.
Microsoft Intune Suite — The Add-On Trap
The Intune Suite (~$10/user/month as an add-on to Plan 1 at EA; cannot be purchased without Plan 1 or M365 E3/E5) bundles five advanced capabilities that Microsoft previously sold or is developing as separate products: Remote Help (IT-assisted remote sessions for managed devices), Endpoint Privilege Management (EPM — standard user enforcement with on-demand elevation), Advanced Endpoint Analytics (battery health, resource performance), Microsoft Tunnel for MAM (the Plan 2 MAM Tunnel capability included in the Suite), and Local Administrator Password Solution (LAPS) management. The Suite is positioned as the "complete Intune" bundle — but it is commercially a significant add-on relative to the Plan 1 base ($10 on top of Plan 1's $8 = a 125% price increase for the full Suite).
The commercial trap is purchasing Intune Suite for the full user/device population when only one or two Suite capabilities are being deployed. Remote Help, the most commonly deployed Suite component, is relevant only to the managed device population that requires IT-assisted remote support sessions. For a 10,000-device estate where 3,000 devices are frontline/specialist devices that require frequent IT assistance, purchasing the Suite for all 10,000 devices to obtain Remote Help at $10/user/month = $1.2M/year. Purchasing Remote Help as a standalone capability (it was available separately before the Suite bundling — check current EA pricing for standalone availability or negotiate a standalone carve-out) or segmenting the Suite to the 3,000 managed devices that generate Remote Help workload = $360K/year. The $840K/year difference is not hypothetical. See our detailed analysis in our Intune Suite add-on guide.
| Licence / Tier | Monthly Cost (EA) | M365 Inclusion | Key Additions Over Previous Tier |
|---|---|---|---|
| Intune Plan 1 | ~$8/user | Included in E3, E5, EMS E3/E5 | Core MDM/MAM, device compliance, config profiles, endpoint security, update management |
| Intune Plan 2 (add-on) | ~$4.50/user add-on | Not included in E3/E5 | MAM Tunnel for unmanaged devices, specialised device scenarios |
| Intune Suite (add-on) | ~$10/user add-on | Not included in E3/E5 | Remote Help, Endpoint Privilege Management, Advanced Analytics, LAPS, MAM Tunnel |
| EMS E3 (standalone) | ~$10.60/user | Includes Intune Plan 1 + Entra P1 + Defender for Identity | Bundle for orgs without M365 E3/E5 |
| EMS E5 (standalone) | ~$16.40/user | Includes Intune + Entra P2 + MIP P2 + MCAS | Full EMS capability set for non-M365 orgs |
BYOD Licensing with Intune — The MAM Without Enrolment Framework
BYOD (Bring Your Own Device) management is a common source of Intune licensing confusion. The question organisations face is: do BYOD users need an Intune licence if they are only accessing M365 apps on personal devices without enrolling the device in MDM? The answer is yes — but the licence requirement is for the user, not the device, and it is satisfied by the user's existing M365 licence if they have M365 E3/E5 or EMS E3/E5.
For MAM without enrolment (the standard BYOD scenario — Outlook, Teams, OneDrive with app protection policies applied to the app container without managing the device), the Intune MAM-WE licence is bundled in M365 E3/E5. Users on M365 E3/E5 can have app protection policies applied to their personal devices at no additional Intune licence cost. The scenario that does require additional licences is MAM Tunnel — enabling per-app VPN for unmanaged BYOD devices to access on-premises corporate resources. MAM Tunnel requires Intune Plan 2 or Intune Suite. For most BYOD deployments that do not involve accessing on-premises resources via VPN, Plan 1 covers the MAM-WE requirement at no incremental cost above the M365 E3/E5 base.
Co-Management: SCCM + Intune Licensing Interactions
Organisations with an existing Microsoft Endpoint Configuration Manager (SCCM/ConfigMgr) deployment that are adding Intune for co-management — managing Windows devices from both SCCM and Intune simultaneously — need to understand the licence interaction carefully. Co-management itself does not require a separate Intune licence beyond the Plan 1 included in M365 E3/E5. The co-management configuration is available to any tenant with an Intune subscription (including the M365-included licence) without additional per-device or per-user charges for the co-management workload split.
The commercial error pattern in co-management deployments is purchasing Intune Plan 1 as a standalone for all co-managed devices in addition to existing M365 E3 licences — again, the duplicate licence error. The second pattern is purchasing Intune Suite add-ons for co-managed devices where the advanced capabilities are being managed through SCCM rather than Intune — EPM deployed via SCCM does not require the Intune Suite add-on. Validate which Intune Suite capabilities are being delivered through which management channel before assuming full Suite licences are required for co-managed environments.
Intune EA Negotiation — Four Tactics
1. Validate M365 Inclusion Before Accepting Any Intune Line
Before any Intune line appears in your EA renewal, confirm whether your M365 or EMS licence already includes it. Ask the Microsoft account team to provide the inclusion confirmation in writing, cross-referenced against your specific M365 SKU. If you have M365 E3 or E5, Intune Plan 1 is included. Any EA that carries a standalone Intune Plan 1 line on top of M365 E3/E5 should have that line removed at the next amendment with a credit for the overpayment period where commercially achievable.
2. Challenge Intune Suite for the Full Population
When Microsoft proposes Intune Suite for the full organisation, require a capability-by-capability justification. Which specific Suite features are being deployed, to which device populations, and with what deployment timeline? For each Suite feature (Remote Help, EPM, Advanced Analytics, LAPS, MAM Tunnel), identify the subset of the device estate that actually consumes it. The validated deployment population is the correct licence count for the Suite — not the full estate. Position the segmented count as your renewal anchor and defend it with the deployment data.
3. Use VMware/Jamf as Competitive Signal for Intune Suite Pricing
VMware Workspace ONE UEM and Jamf Pro are credible Intune alternatives for specific device management scenarios — particularly macOS fleets (Jamf) and complex multi-platform enterprise mobility (Workspace ONE). In an EA negotiation context, a documented competitive evaluation of Workspace ONE for your mobile device management estate — or Jamf for your macOS deployment — generates pricing pressure on the Intune Suite add-on lines. The Microsoft EMM/UEM product team has separate pricing authority from the core account team and responds to competitive signals with discount flexibility on Suite add-on pricing that is not available for the Plan 1 base licence. Structure the competitive evaluation to cover the Suite features specifically, as those are where Microsoft has the most pricing flexibility.
4. Negotiate Intune Suite Deployment Milestones for Pricing Flexibility
If your organisation is committing to Intune Suite because EPM or Remote Help deployment is planned but not yet complete, negotiate staged deployment milestones into the EA — starting with a lower committed population and expanding as deployment proceeds. Microsoft will push for full-population commitment from day one; the commercial risk to you is paying for Suite licences against a device population where deployment has not been completed. A milestone-based ramp (start at 30% of final population, expand to 60% at 6 months, 100% at 12 months with proof of deployment) matches licence cost to actual consumption and preserves the deployment incentive without front-loading the full Suite cost.
1. Validate M365/EMS inclusions — confirm whether Intune Plan 1 is included in your current M365 or EMS licence and remove any redundant standalone Intune lines via amendment.
2. Map Intune Suite deployment — identify which Suite features (Remote Help, EPM, LAPS, Advanced Analytics, MAM Tunnel) are actually deployed and to which device populations.
3. Segment Suite to deployment population — scope the renewal licence count to validated deployment, not full estate, using deployment data as the anchor.
4. Validate Plan 2 requirement — confirm whether MAM Tunnel for unmanaged devices is actually deployed; if not, Plan 1 is sufficient and Plan 2 add-on should be removed.
5. Prepare competitive signal — document VMware Workspace ONE or Jamf pricing for your device estate and present in the EA negotiation to generate Suite add-on pricing flexibility.
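The inclusion check in tactic 1 and checklist steps 1 to 4 can be run mechanically against a licence-assignment export before the renewal conversation. The script below is an added example, not code from the original article or from Microsoft: it takes one record per user with the SKU part numbers assigned to them (the shape you get from the Microsoft 365 admin centre export or a Microsoft Graph query), flags users holding standalone Intune Plan 1 alongside a suite that already includes it, and flags Suite or Plan 2 add-ons assigned to users outside the validated consuming population. The SKU part numbers for M365 E3/E5, EMS, Business Premium, F3 and standalone Intune are assumptions to verify against your tenant's subscribed SKUs; the Suite and Plan 2 part numbers are placeholders, and the sample export is constructed.

```python
# Added example (not from the original article): audit a licence-assignment
# export for the duplicate-spend patterns described above.

# Suites that already include Intune Plan 1. Part numbers are ASSUMED; verify
# them against the subscribed SKUs in your own tenant before relying on output.
SUITES_INCLUDING_INTUNE_P1 = {
    "SPE_E3",      # Microsoft 365 E3
    "SPE_E5",      # Microsoft 365 E5
    "EMS",         # Enterprise Mobility + Security E3
    "EMSPREMIUM",  # Enterprise Mobility + Security E5
    "SPB",         # Microsoft 365 Business Premium
    "SPE_F1",      # Microsoft 365 F3
}
INTUNE_P1_STANDALONE = "INTUNE_A"  # assumed part number for standalone Intune Plan 1

# Placeholders: substitute the add-on part numbers as they appear in your tenant.
INTUNE_SUITE = "INTUNE_SUITE_SKU_PLACEHOLDER"
INTUNE_PLAN2 = "INTUNE_P2_SKU_PLACEHOLDER"

# Per-user monthly EA figures quoted in the article.
P1_STANDALONE_USD = 8.00
ADDON_MONTHLY_USD = {INTUNE_SUITE: 10.00, INTUNE_PLAN2: 4.50}


def redundant_plan1(assignments):
    """Users holding standalone Intune Plan 1 plus a suite that already includes it."""
    return sorted(
        upn for upn, skus in assignments.items()
        if INTUNE_P1_STANDALONE in skus and skus & SUITES_INCLUDING_INTUNE_P1
    )


def unconsumed_addon(assignments, addon_sku, consumers):
    """Users licensed for an add-on (Suite or Plan 2) who are outside the population
    that deployment data shows actually consuming it, e.g. devices receiving Remote
    Help sessions or EPM policy for the Suite, MAM Tunnel users for Plan 2."""
    return sorted(
        upn for upn, skus in assignments.items()
        if addon_sku in skus and upn not in consumers
    )


def annual_overspend_usd(assignments, consumers_by_addon):
    """Annualised cost of every flagged assignment at the article's per-user figures."""
    monthly = len(redundant_plan1(assignments)) * P1_STANDALONE_USD
    for sku, cost in ADDON_MONTHLY_USD.items():
        idle = unconsumed_addon(assignments, sku, consumers_by_addon.get(sku, set()))
        monthly += len(idle) * cost
    return 12 * monthly


# Constructed sample export (not real tenant data).
SAMPLE_ASSIGNMENTS = {
    "alice@example.com": {"SPE_E3", "INTUNE_A"},                 # duplicate Plan 1
    "bob@example.com":   {"SPE_E5", "INTUNE_A", INTUNE_SUITE},   # duplicate Plan 1 + idle Suite
    "carol@example.com": {"EMS", INTUNE_SUITE},                  # Suite, and she consumes it
    "dave@example.com":  {"INTUNE_A"},                           # standalone only: legitimate
    "erin@example.com":  {"SPE_E3"},                             # clean
    "frank@example.com": {"SPE_E3", INTUNE_PLAN2},               # Plan 2 with no MAM Tunnel use
}
# Constructed: consuming populations taken from deployment data, per add-on.
SAMPLE_CONSUMERS = {
    INTUNE_SUITE: {"carol@example.com"},   # e.g. devices with Remote Help sessions logged
    INTUNE_PLAN2: set(),                   # MAM Tunnel not deployed
}

if __name__ == "__main__":
    print("Redundant Plan 1:", redundant_plan1(SAMPLE_ASSIGNMENTS))
    for sku in ADDON_MONTHLY_USD:
        print("Unconsumed", sku, unconsumed_addon(SAMPLE_ASSIGNMENTS, sku, SAMPLE_CONSUMERS[sku]))
    print("Annual overspend (USD):", annual_overspend_usd(SAMPLE_ASSIGNMENTS, SAMPLE_CONSUMERS))
```

The consuming population per add-on is the input that matters: for the Suite it should come from deployment evidence (devices that have actually received a Remote Help session, an EPM elevation policy or LAPS management), not from the assignment group, so that the resulting count is defensible as the renewal anchor described in tactic 2.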
Intune in the Context of the Full Microsoft EA
Intune licensing decisions interact with two other major EA components. First, the M365 suite tier: the Intune inclusion is a Plan 1 capability in E3/E5 — not Plan 2 or Suite. If your organisation is evaluating a Suite upgrade, the driver must be specific Suite feature requirements, not general device management expansion. Second, the Microsoft Security strategy: Intune is the device compliance enforcement mechanism for Conditional Access (Entra ID), the device health signal for Defender for Endpoint, and the configuration platform for Defender for Endpoint onboarding and security policies. These integrations mean Intune is foundationally connected to the M365 security stack — but they do not require Suite add-ons to function. Plan 1 provides all the device compliance, health signal, and Defender configuration integration that the security stack requires. Our security licensing guide covers how Intune sits in the full Microsoft security stack, and our EA negotiation guide covers the integrated framework for optimising all components of the Microsoft EA together.