Licensing for Microsoft Enterprise Mobility + Security (EMS):
- Available as standalone or bundled with Microsoft 365
- Licenses include EMS E3 and EMS E5 plans
- Per-user subscription model
- Offered through Enterprise Agreements, CSP, or Open License
Licensing for Microsoft Enterprise Mobility + Security (EMS)
Microsoft Enterprise Mobility + Security (EMS) is a powerful suite of cloud-based tools that help organizations secure their data, enable workforce mobility, and simplify IT management.
EMS is particularly valuable in a modern workplace where critical requirements include remote access, secure data handling, and cross-platform device management.
This guide will cover the different licensing options available for EMS, key features, and considerations for choosing the best fit for your organization.
Overview of EMS Licensing Options
Microsoft EMS is available in two primary licensing tiers: EMS E3 and EMS E5. Each tier provides different levels of features and security, enabling organizations to choose an option that best suits their needs and budget.
- EMS E3 focuses on providing essential security and management capabilities suitable for organizations with standard security requirements.
- EMS E5 builds on the E3 offering by adding advanced security and management features. It is ideal for enterprises with more complex security needs and compliance requirements.
EMS E3 Licensing: Core Security and Management
EMS E3 is the base tier, priced at $8.80 per user per month. It provides fundamental tools for managing security, users, and devices, making it an attractive option for businesses that need reliable security without advanced features.
Key Features Included in EMS E3:
1. Azure Active Directory Premium P1
- Identity and Access Management: Azure AD Premium P1 provides robust identity management features, including multi-factor authentication (MFA), conditional access, and self-service password reset. These features help organizations secure user identities and access to company resources.
Example: A company can use conditional access policies to ensure that only users connecting from trusted locations can access critical applications.
Azure Active Directory (Azure AD) Premium P1 also supports Single Sign-On (SSO), enabling employees to use a single set of credentials to access multiple applications seamlessly. This improves user productivity by minimizing the number of passwords users must remember while maintaining security.
2. Microsoft Intune
- Device and Application Management: Intune is a powerful tool for managing company-owned and personal devices. It supports mobile device management (MDM), mobile application management (MAM), and integrated PC management.
Example: IT administrators can use Intune to enforce security policies on employee devices, such as requiring device encryption and compliance with security standards. With Intune, organizations can enforce policies such as conditional access so that only compliant devices can access company resources, keeping data secure even on personal or remote devices.
Additional Capabilities: Intune also enables application wrapping and data loss prevention (DLP) policies for mobile apps, ensuring that corporate data remains protected even when accessed through employee-owned devices. Organizations can define which apps may access corporate data and restrict actions such as copy-pasting between personal and corporate apps.
3. Azure Information Protection P1
- Data Protection: Azure Information Protection P1 offers basic document protection and encryption capabilities to ensure sensitive information is accessible only to authorized users.
Example: A company can apply labels to documents that automatically encrypt them, ensuring only designated employees can open them.
Azure Information Protection P1 allows for manual document labeling, letting users classify data based on sensitivity. This ensures that sensitive information is adequately protected when shared within and outside the organization.
Additional Benefits: Azure Information Protection P1 integrates with Microsoft Office applications, allowing users to classify and label documents directly from familiar interfaces like Word, Excel, and PowerPoint. This seamless integration encourages users to apply proper protection without disrupting their workflow.
4. Advanced Threat Analytics (ATA)
- Threat Detection: ATA helps detect suspicious activities in the organization, such as unusual logins or potential credential theft, so that security threats can be identified and mitigated early.
Example: ATA can detect unusual behavior, such as a user logging in from an unfamiliar location or device, which may indicate a compromised account. This allows IT teams to take immediate action to mitigate potential security breaches.
Additional Capabilities: ATA uses behavioral analytics to establish a baseline of normal activity for each user and then detects deviations that may indicate a threat. This helps identify external attackers and potential insider threats, providing organizations with early warnings and detailed alerts.
EMS E5 Licensing: Advanced Security and Enhanced Capabilities
EMS E5 is the premium tier, priced at $14.80 per user per month. It builds upon EMS E3 by adding advanced security features that help organizations better protect their data and improve their ability to manage security threats.
Key Features Included in EMS E5:
1. Azure Active Directory Premium P2
- Advanced Identity Protection: Azure AD Premium P2 includes all the features of P1, along with additional advanced capabilities like risk-based conditional access and Privileged Identity Management (PIM).
Example: With risk-based conditional access, an organization can automatically challenge high-risk logins with additional security steps, such as multi-factor authentication, or block access entirely.
Azure AD Premium P2 also includes Identity Protection, which uses machine learning to detect suspicious activities and potential vulnerabilities. This proactive approach to identity security helps organizations prevent identity theft and unauthorized access.
Privileged Identity Management (PIM): PIM allows organizations to manage, control, and monitor access to important resources. It provides just-in-time (JIT) access to administrators, which minimizes the risk of privileged accounts being compromised by limiting the duration and scope of their access.
2. Azure Information Protection P2
- Enhanced Data Protection: Azure Information Protection P2 provides automatic document classification, enhanced encryption, and content labeling based on machine learning. This ensures that documents are automatically protected according to their sensitivity.
Example: Sensitive documents containing financial information can automatically be labeled and encrypted based on the content detected by Azure's AI capabilities.
Azure Information Protection P2 also includes tracking and revocation capabilities, which allow document owners to track how their files are being used and revoke access if needed. This is especially useful when dealing with confidential information shared with external partners or clients.
Content Marking and Labeling: Azure Information Protection P2 can also apply visual markings, such as headers, footers, and watermarks, to sensitive documents. This indicates the document's classification and sensitivity level, helping employees handle information appropriately.
3. Cloud App Security
- Cloud Security Management: EMS E5 also includes Microsoft Cloud App Security, a tool that provides visibility into cloud apps, allowing organizations to monitor and manage shadow IT, protect sensitive information, and ensure compliance with security policies.
Example: IT teams can use Cloud App Security to detect and block risky activities in cloud applications, such as unauthorized data downloads.
Cloud App Security also discovers the cloud applications employees use, which helps organizations identify unsanctioned apps and assess the associated risks. This enables IT teams to manage cloud usage effectively and implement security controls where necessary.
Data Loss Prevention (DLP): Cloud App Security integrates with DLP policies to monitor and protect sensitive information shared in cloud apps. This ensures data complies with corporate policies, even when shared across various platforms.
4. Microsoft Defender for Identity
- EMS E5 includes Microsoft Defender for Identity (formerly Azure Advanced Threat Protection), which helps identify and investigate advanced threats, compromised identities, and malicious insider actions.
Example: Defender for Identity can detect anomalies in user behavior, such as unusual access to sensitive files or attempts to escalate privileges, which may indicate a compromised user account.
Real-Time Alerts: Defender for Identity provides real-time alerts to IT administrators, enabling them to respond quickly to potential threats. This proactive approach to threat management ensures that issues are addressed before they escalate.
Comparison of EMS E3 vs. EMS E5
To summarize the differences between EMS E3 and EMS E5, here’s a quick comparison:
| Feature Category | EMS E3 | EMS E5 |
|---|---|---|
| Azure Active Directory | Premium P1 | Premium P2 |
| Microsoft Intune | Yes | Yes |
| Azure Information Protection | P1 | P2 |
| Advanced Threat Analytics | Yes | Yes |
| Cloud App Security | No | Yes |
| Microsoft Defender for Identity | No | Yes |
Integration and Licensing Options
Microsoft EMS can be purchased in different ways, allowing organizations to choose the option that best fits their needs:
- Microsoft 365 Integration: EMS can be purchased as part of Microsoft 365 enterprise subscriptions, providing a comprehensive solution for productivity and security.
  - Microsoft 365 E3: Includes EMS E3.
  - Microsoft 365 E5: Includes EMS E5.
By purchasing EMS as part of a Microsoft 365 subscription, organizations also gain access to tools such as Office 365, Teams, and SharePoint, which help streamline productivity while ensuring robust security.
Cost-Effective Bundling: Organizations that need a comprehensive suite of productivity and security tools often find Microsoft 365 integration cost-effective, as it combines collaboration, communication, and security in one package.
- Standalone Purchase: EMS can also be purchased independently of Microsoft 365. This can be particularly advantageous for organizations that are using different productivity solutions but need EMS for security and device management.
Example: A company that uses Google Workspace for productivity but wants to use Microsoft Intune for device management can purchase EMS separately without switching productivity platforms.
Standalone EMS can also be a suitable option for organizations with unique requirements that may not need the entire Microsoft 365 suite, allowing for greater flexibility in security and management.
Scalable Licensing: Standalone EMS licensing is also scalable. It allows organizations to start with EMS E3 and upgrade to EMS E5 as their security needs evolve, ensuring they pay only for the features they need.
Licensing Considerations and Value-Added Features
EMS licensing also comes with several value-added features that provide additional benefits to organizations:
1. Windows Server CAL Rights
- Windows Server Client Access License (CAL) rights are included with EMS E3 and E5. This means organizations can provide employees with access to Windows Server without purchasing separate CAL licenses. For example, an organization using Windows Server to host its internal applications can rely on EMS licensing to provide access for all its users without incurring additional CAL costs, reducing the overall cost of ownership.
2. System Center Configuration Manager (SCCM) Client Management License
- The EMS bundle includes the SCCM Client Management License for managed devices, enabling better device management and monitoring integration.
Example: Using SCCM alongside Microsoft Intune, organizations can create a unified solution for managing on-premises and cloud-based devices, allowing consistent policy enforcement across all endpoints.
Unified Device Management: Combining SCCM with Intune allows for the co-management of devices, meaning that IT administrators can use cloud-based and on-premises management tools together to support a diverse range of devices and use cases.
Choosing Between EMS E3 and EMS E5
The decision between EMS E3 and EMS E5 comes down to an organization’s specific needs and security requirements.
Here are some guidelines to help with the decision-making process:
- EMS E3 is suitable for organizations that:
  - Need basic security, identity, and device management.
  - Have standard compliance requirements without the need for advanced cloud app security.
  - Are primarily focused on securing user access and managing devices effectively.
  - Seek cost-effective solutions to manage user identities and secure devices without additional advanced capabilities.
Example: A small business with a limited IT budget that needs to manage employee devices and ensure secure access to applications would benefit from EMS E3.
Scalability: EMS E3 can be an ideal starting point for smaller organizations, with the potential to scale to EMS E5 as security needs become more complex.
- EMS E5 is recommended for organizations that:
  - Require advanced security capabilities, including cloud app security and enhanced threat detection.
  - Have strict compliance requirements that necessitate automated document classification and advanced encryption.
  - Want to use risk-based conditional access and privileged identity management to reduce the security risks associated with administrative roles.
  - Need advanced threat detection capabilities, such as Microsoft Defender for Identity and Cloud App Security, to protect against sophisticated cyber threats.
  - Operate in regulated industries where data protection and compliance are critical, such as finance, healthcare, or government.
Example: A financial institution with strict compliance requirements and a need for comprehensive threat detection would benefit from EMS E5 to protect sensitive customer data and meet regulatory standards.
Future-Proofing: EMS E5 provides access to the latest security innovations from Microsoft, ensuring that organizations are equipped with the most advanced tools to combat emerging threats.
Cost Optimization Tips
Licensing for EMS can be cost-effective if approached strategically. Here are some tips for cost optimization:
- Bundle Savings: Purchasing EMS as part of a Microsoft 365 bundle often provides significant cost savings compared to acquiring individual components separately. For example, an organization purchasing Microsoft 365 E5 gets EMS E5 included, along with other productivity tools like Office 365, Teams, and SharePoint.
Example: An organization planning to adopt multiple Microsoft services can save significantly by opting for Microsoft 365 E5, which includes EMS E5 and other essential tools.
Streamlined Billing: Bundling EMS with Microsoft 365 simplifies billing, as organizations receive a single invoice for all productivity and security tools, making financial management more straightforward.
- Licensing Assessment: Before making a decision, organizations should:
  - Evaluate current security needs: Determine the most important features, such as cloud app security or advanced threat detection.
  - Consider future scalability: Choose a licensing tier that accommodates future growth without requiring frequent upgrades.
  - Review existing subscriptions: Analyze current Microsoft subscriptions to avoid overlapping licenses and to identify potential savings.
  - Assess compliance requirements: Determine whether your organization requires advanced capabilities like automated document classification. For example, a healthcare organization may need to comply with HIPAA regulations, making EMS E5 more suitable for ensuring data security and compliance.
Cost-Benefit Analysis: Organizations should perform a cost-benefit analysis to determine whether the additional features of EMS E5 justify the higher cost, considering factors like compliance needs, risk tolerance, and the potential cost of a security breach.
- Trial Period Utilization: Take advantage of the 90-day trial to evaluate whether EMS E3 or EMS E5 fits your organization. This trial period allows organizations to explore EMS's full capabilities before committing to a specific licensing plan.
Proof of Concept (PoC): Conducting a proof of concept during the trial period can help demonstrate EMS's value to key stakeholders and justify the investment in advanced security features.
Trial Options
Microsoft offers a 90-day EMS trial, allowing organizations to test the capabilities before committing. This trial period is particularly helpful for IT teams to evaluate whether EMS E3 or EMS E5 meets their needs.
Example: An organization concerned about compliance can use the trial to explore Azure Information Protection’s data protection capabilities and decide if EMS E5 provides the additional level of security it needs.
During the trial period, IT teams can also evaluate the integration of EMS with their existing infrastructure, ensuring that the chosen licensing tier aligns well with the organization’s security policies and requirements.
User Feedback: Gathering employee feedback during the trial can provide valuable insights into how EMS impacts productivity and whether any adjustments are needed to ensure a smooth deployment.
Implementation Considerations
Deploying Microsoft EMS requires careful planning to maximize its benefits:
1. Deployment Planning
- Assess Current Infrastructure: Understand your security setup to determine how EMS can fill existing gaps.
- Identity and Access Management Integration: Plan how Azure Active Directory will integrate with existing identity solutions.
- Mobile Device Management Strategy: Define which devices will be managed and establish policies for company-owned and personal devices.
- Information Protection Policies: Set up data classification and labeling policies to protect sensitive information.
Example: An organization with a bring-your-own-device (BYOD) policy should develop a clear strategy for managing personal devices using Microsoft Intune to ensure data security without compromising employee privacy.
Change Management: Implementing EMS requires change management practices to ensure employees understand new policies and procedures. Training sessions and clear communication can help reduce resistance and ensure a smooth transition.
2. Future-Proofing Your Organization
- The EMS platform continues to evolve as Microsoft enhances its security offerings. Choosing EMS E5 gives organizations access to the latest security innovations as they become available. This can be valuable in keeping up with emerging threats and ensuring compliance with evolving industry standards.
Example: An organization in the financial sector may choose EMS E5 to ensure access to the latest features for meeting compliance requirements like GDPR or CCPA.
EMS also provides flexibility for hybrid environments, supporting both cloud and on-premises infrastructures. This ensures that organizations can maintain consistent security across all environments as they transition to the cloud, helping to future-proof their IT strategy.
Integration with Third-Party Tools: EMS integrates with various third-party security tools, allowing organizations to build a comprehensive security framework that includes their existing solutions. This flexibility ensures that EMS can adapt to the unique needs of different organizations.
FAQ: Licensing for Microsoft Enterprise Mobility + Security (EMS)
What is Microsoft EMS?
Microsoft Enterprise Mobility + Security (EMS) is a suite of tools providing identity, device management, and security.
What licensing options are available for EMS?
EMS offers two main licensing plans, EMS E3 and EMS E5, available standalone or bundled with Microsoft 365.
What’s the difference between EMS E3 and EMS E5?
EMS E5 includes advanced security and analytics features beyond those in EMS E3.
Can I buy EMS as part of Microsoft 365?
EMS is included in several Microsoft 365 plans, offering greater service integration.
Is EMS licensed per user or device?
EMS is licensed per user, covering multiple devices for each user.
What is the minimum number of licenses I need to purchase?
The minimum license purchase depends on your subscription type, such as an Enterprise Agreement or CSP.
How can I scale EMS licenses as my organization grows?
You can add more user licenses easily through your licensing provider or Microsoft portal.
Does EMS licensing include support for all user devices?
Yes, EMS per-user licensing covers managing and securing multiple devices per user.
Can EMS licenses be used for remote employees?
EMS licensing supports remote work scenarios by managing users and devices regardless of location.
How do I purchase EMS through a CSP?
You can purchase EMS through a Cloud Solution Provider (CSP) who can manage subscriptions on your behalf.
What compliance features does EMS offer?
EMS provides tools like Conditional Access and Azure Information Protection to help meet regulatory compliance needs.
Do I need EMS if I already have Microsoft 365?
Depending on the plan, EMS may already be included in your Microsoft 365 subscription, especially in the E3 or E5 suites.
What advanced features are included with EMS E5?
EMS E5 offers advanced threat protection, identity governance, and enhanced information security features.
Can EMS licenses be mixed within an organization?
Yes, you can assign different licenses, like EMS E3 or E5, to different users based on their needs.
How can I determine the right EMS plan for my organization?
Consider your organization’s security, compliance, and device management requirements to decide between EMS E3 or E5.