What Microsoft Intune Is
Microsoft Intune is a cloud-based endpoint management platform that provides Mobile Device Management (MDM) and Mobile Application Management (MAM) capabilities for Windows, macOS, iOS, and Android devices. As part of the Microsoft Endpoint Manager suite (which also includes Configuration Manager, formerly SCCM), Intune enables organisations to enrol, configure, secure, and manage the full device fleet from a single cloud-based management plane.
Core Intune capabilities include device enrolment and inventory, compliance policy enforcement (requiring devices to meet security standards before accessing corporate resources), configuration profile deployment (Wi-Fi, VPN, certificate, and security settings), app deployment and management (including MAM for BYOD scenarios where full MDM is not desired), conditional access integration with Entra ID (requiring compliant devices as a condition of M365 resource access), and Windows Autopilot for zero-touch device provisioning.
Intune has undergone substantial development since its early cloud-only incarnation. As of 2026, it manages device configurations and deployments at a depth that was previously only achievable with on-premises tools like Configuration Manager — while adding cloud-native capabilities in areas where on-premises management is structurally limited, including BYOD MAM, iOS/Android management, and geographically distributed workforce management without VPN dependencies.
Intune Plan 1 vs Plan 2: What's Different
| Feature | Intune Plan 1 | Intune Plan 2 (Add-on) |
|---|---|---|
| MDM/MAM (all platforms) | ✓ Included | Already in Plan 1 |
| Compliance policies | ✓ Included | Already in Plan 1 |
| App deployment & management | ✓ Included | Already in Plan 1 |
| Windows Autopilot | ✓ Included | Already in Plan 1 |
| Conditional access integration | ✓ Included | Already in Plan 1 |
| Microsoft Tunnel (VPN gateway) | ✗ Not included | ✓ Plan 2 feature |
| Endpoint privilege management | ✗ Not included | ✓ Plan 2 feature |
| Remote Help (cloud remote assist) | ✗ Not included | ✓ Plan 2 feature |
| Advanced endpoint analytics | Basic only | ✓ Advanced in Plan 2 |
| Specialised device management | Standard | ✓ Enhanced frontline scenarios |
| Approx. cost | Included in M365 E3/E5 or ~$8/user/month standalone | ~$4/user/month add-on to Plan 1 |
The decision on Intune Plan 2 should be driven by specific use case requirements rather than a general "more is better" posture. The three Plan 2 features most commonly cited as driving the upgrade are: Microsoft Tunnel (which eliminates the need for a traditional per-app VPN infrastructure for mobile devices — relevant for organisations with zero-trust network access initiatives); Endpoint Privilege Management (which manages local administrator rights granularly without requiring full admin elevation — relevant for organisations eliminating local admin broadly); and Remote Help (which replaces third-party remote support tooling with a native Intune integration — relevant for organisations currently paying separately for TeamViewer, BeyondTrust Remote Support, or Bomgar).
Most enterprise Intune deployments we assess are running on Plan 1 features only — without Microsoft Tunnel, Endpoint Privilege Management, or Remote Help. If none of these three features are in your roadmap, Plan 2 is not yet justified for your organisation.
Which M365 Plans Include Intune
Intune Plan 1 is included in the following Microsoft plans (at no additional cost):
Microsoft 365 E3 — includes Intune Plan 1, Entra ID P1, and Defender for Business. This is the most common enterprise plan for general information workers and the baseline for Intune entitlement in most enterprise environments.
Microsoft 365 E5 — includes Intune Plan 1 (E5 does not automatically include Intune Plan 2 — that remains an add-on even for E5 customers). Also includes Entra ID P2, Defender for Endpoint P2, and the full security and compliance suite.
Microsoft 365 Business Premium — includes Intune Plan 1 for SMB organisations below 300 seats.
EMS E3 / EMS E5 — the Enterprise Mobility + Security add-on bundles (Intune + Entra ID P1/P2 + Azure Information Protection), available separately for organisations that want these capabilities without upgrading from Office 365 to Microsoft 365 plans.
NOT included in: Office 365 E1, Office 365 E3, Office 365 E5, Microsoft 365 F1. Organisations running O365 plans rather than M365 plans need to either upgrade to M365 or add EMS to gain Intune entitlement. This is a frequent discovery in Microsoft estate assessments — Intune is being used (the product is activated) without the underlying licence entitlement, creating compliance exposure.
Device-Based Licensing: When to Use It
Standard Intune licensing is per-user, with each user licence entitling enrolment of up to 15 devices. For most information worker populations, this model is appropriate. However, three scenarios justify considering device-based licensing:
Kiosk and shared devices: Point-of-sale terminals, shared workstations, reception kiosks, and manufacturing floor devices that are not assigned to individual users cannot be licensed under the per-user model. For these devices, Intune standalone device licences (approximately $2/device/month) or Microsoft 365 F1/F3 frontline plans (which include Intune device management for shared devices) are the appropriate licensing route.
IoT and specialised devices: Network-enrolled IoT devices, ruggedised Android devices, and medical/industrial endpoints may require Intune management but may not have an associated user identity. Device-based licensing is the correct model here.
High device-to-user ratios: Organisations in healthcare, retail, or field service with multiple enrolled devices per user (field workers with phone, tablet, and laptop all enrolled) should verify that the standard 15-device-per-user limit is not being exceeded, as this creates compliance exposure at the per-user rate.
Displacing Third-Party MDM: The TCO Case
For organisations with M365 E3 or E5 licences, Intune is already paid for — the marginal cost of using it versus a third-party MDM is the migration cost and operational transition, not ongoing licence cost. The comparison is between paying $0/user/month incremental for Intune (already in M365) versus continuing to pay $6–$15/user/month for VMware Workspace ONE, Jamf, IBM MaaS360, or other MDM platforms.
The TCO case for consolidating to Intune is straightforward for Windows-dominant device estates: Intune's Windows management depth, Autopilot integration, and Entra ID conditional access native integration make it the functionally superior choice for Windows-centric organisations. For organisations with a significant macOS estate, Jamf Pro retains depth advantages in configuration management, software deployment, and MDM-exclusive macOS features — though a hybrid model (Intune for Windows/iOS/Android, Jamf for macOS) can eliminate third-party MDM cost for the majority of the estate while retaining specialist macOS management.
The migration from a third-party MDM to Intune typically takes 8–16 weeks for a 2,000-device estate and requires careful parallel management during the transition to avoid compliance policy gaps. Organisations should budget for the one-time migration professional services cost and offset it against the annual third-party MDM licence saving — which typically recovers the migration investment within 6–9 months for mid-size organisations.
Compliance Risks in Mixed Deployments
The most common Intune compliance issue in enterprise deployments is using Intune without the correct underlying licence entitlement — typically O365-licensed users using Intune without an EMS or M365 plan that includes Intune. Microsoft's licence compliance tools do not automatically flag this; it surfaces in EA audits and licence true-up reviews when Intune device enrolment counts exceed the number of M365-licensed users.
A secondary compliance risk is shared device deployments where devices are enrolled as user-assigned but should be device-licensed — creating a scenario where enrolment counts technically comply with the per-user model but the underlying usage pattern (multiple users per device) is not what the per-user licence contemplates. Documenting shared device deployment architecture and confirming the appropriate licensing model with Microsoft's licensing desk before deployment prevents these issues from becoming audit findings.
Intune Within EA Negotiations
For organisations on M365 E3 or E5, Intune Plan 1 is a bundled inclusion — it is not a separate negotiation lever. The EA negotiation focus should be on the M365 plan pricing overall and the decision between E3 and E5 rather than Intune specifically. However, several Intune-related considerations do appear in EA negotiations:
If your organisation is evaluating M365 E5 Security (a subset E5 bundle) versus full M365 E5 partly because of Defender for Endpoint P2, the comparison should include whether Intune Plan 2 features are needed and whether purchasing them as an add-on to M365 E3 is more cost-effective than the full E5 price delta. Plan 2 at $4/user/month plus E3 is often more economical than E5 for organisations that use 2 or fewer E5-exclusive feature sets.
For organisations consolidating from a third-party MDM to Intune as part of an EA renewal, the licence saving from decommissioning the third-party MDM should be explicitly factored into the EA negotiation — demonstrating that the Microsoft relationship is growing in value (consolidation of endpoint management) is a commercial argument that Microsoft's account team should compensate in the EA pricing discussion. See the complete Microsoft EA negotiation guide and our Microsoft spend reduction guide for the full framework.