What is Microsoft Enterprise Mobility + Security (EMS)?

Microsoft Enterprise Mobility + Security (EMS) is an intelligent mobility management and security platform. In practice, EMS helps protect and secure your organization through a set of products that extend the security features of Windows 10 and Microsoft 365.

How do I get EMS?

Microsoft EMS can be purchased as a standalone product. EMS E3 is $8.80 USD/user/month while EMS E5 is $14.80 USD/user/month. The tables below give a more detailed comparison, breaking down which applications and features are found in EMS E3 and EMS E5 to help you understand which subscription is best suited to your organization’s needs.

An alternative is to purchase a Microsoft 365 enterprise subscription, either Microsoft 365 E3 or E5, both of which come with Microsoft EMS. The Microsoft 365 Enterprise E3 and E5 solutions offer not only EMS, but also Microsoft 365 Apps, unlimited OneDrive storage for subscriptions with 5 or more users, Microsoft Teams, and numerous other tools like Power Automate and Power Apps. The Microsoft 365 E3 plan is $32 USD/user/month and the Microsoft 365 E5 plan is $57 USD/user/month, both great prices for what they offer.

It is important to note that Office 365 E3 and E5 are separate enterprise plans that Microsoft offers alongside Microsoft 365 E3 and E5. Unlike Microsoft 365 E3 and E5, the Office 365 E3 and E5 plans do not come with EMS, so EMS has to be purchased individually and added on to them.

The main difference between Office 365 E3 + EMS E3 and Microsoft 365 E3 is that Office 365 E3 + EMS E3 does not include Windows 10 Enterprise E3, which Microsoft 365 E3 has. Windows 10 gives your organization advanced security, deployment methods, compatibility methods and productivity features. Similarly, with Office 365 E5 + EMS E5 and Microsoft 365 E5, the Office 365 plan doesn’t include the Windows 10 Enterprise E5 plan. Price-wise, the Microsoft 365 E3/E5 plans are the best deal if you want Office 365 Enterprise E3/E5 + EMS E3/E5 + Windows 10 Enterprise E3/E5, compared with purchasing all the components individually.

EMS E3 vs. EMS E5 Comparison

Application Comparison

Apps Included | Enterprise Mobility + Security E3 | Enterprise Mobility + Security E5
Price | $8.80 USD/user/month ($11.30 CAD) | $14.80 USD/user/month ($18.90 CAD)
Azure Active Directory Premium P1 (AADP P1): this includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud | YES | YES
Azure Active Directory Premium P2: all the features in AADP P1 plus Azure Active Directory Identity Protection (which provides risk-based Conditional Access to your apps and company data) and Privileged Identity Management | NO | YES
Microsoft Intune: a cloud-based service that focuses on mobile device management and mobile application management | YES | YES
Azure Information Protection P1: use on-premises connectors, track and revoke shared documents, enable users to manually classify and label documents | YES | YES
Azure Information Protection P2: builds on AIP P1 with automated and recommended classification & protection with policy-based rules and Hold Your Own Key configurations that span Azure Rights Management and Active Directory Rights Management | NO | YES
Microsoft Advanced Threat Analytics: protects against advanced targeted cyberattacks and insider threats | YES | YES
Microsoft Cloud App Security: cloud access security broker with discovery, behavioural analytics, risk assessment, data protection, and threat protection | NO | YES
Azure Advanced Threat Protection: cloud-based solution that helps protect your organization’s identities from multiple types of advanced targeted cyberattacks | NO | YES
Windows Server CAL rights | YES | YES

Feature Comparison

Features Included | Enterprise Mobility + Security E3 | Enterprise Mobility + Security E5
Price | $8.80 USD/user/month ($11.30 CAD) | $14.80 USD/user/month ($18.90 CAD)

Identity and access management:
Simplified access management and security | YES | YES
Multi-factor authentication | YES | YES
Conditional access | YES | YES
Risk-based conditional access | NO | YES
Advanced security reporting | YES | YES
Privileged identity management | NO | YES
Windows Server Client Access License | YES | YES

Endpoint management:
Mobile application management | YES | YES
Advanced Microsoft Office 365 data protection | YES | YES
Integrated PC Management | YES | YES
Integrated on-premises management | YES | YES

Information Protection:
Persistent data protection | YES | YES
Intelligent data classification and labeling | NO | YES
Document tracking and revocation | YES | YES
Encryption key management per regulatory needs | YES | YES

Identity-driven security:
Microsoft Advanced Threat Analytics | YES | YES
Microsoft Cloud App Security | NO | YES
Azure Advanced Threat Protection | NO | YES

 

EMS E3 VS. EMS E5 Comparison Conclusion:

As the tables highlight, some notable applications and features offered in E5 that are not found in E3 are:

  • Azure Active Directory Identity Protection – This tool automates the detection and remediation of identity-based risks, investigates risks using data in the portal, and exports risk detection data to third-party utilities for further analysis.
  • Privileged Identity Management – This tool helps discover, restrict, and monitor administrators and their access to resources, and provides users with just-in-time access when needed.
  • Microsoft Cloud App Security – This tool allows you to discover and control the use of Shadow IT, protect your information anywhere in the cloud, protect against cyberthreats and anomalies, and assess the compliance of your cloud apps.
  • Azure Advanced Threat Protection – This tool monitors user behaviour and activities, protects user identities and reduces the attack surface, and identifies and investigates suspicious user activities and advanced attacks.
  • Azure Information Protection P2 – This tool includes intelligent data classification and labeling, has capabilities like controlling oversharing of information when using Outlook, and much more.
  • Risk-based conditional access – This is a feature in Azure Active Directory that automatically responds to risky behaviours. It can automatically block a sign-in attempt or require a password change or Multi-Factor Authentication as a precaution.

If you believe that any of the above is necessary and essential for your organization, you may need to consider subscribing to EMS E5 instead of EMS E3.

 

Posted by: Noorez Khamis & Linda Chen