Microsoft Enterprise Mobility + Security (EMS) Licensing Explained!

How many devices do you own? A laptop, a tablet, a phone, maybe a gaming console, a smart TV, or a family desktop computer as well? How many of those have you ever used for work? Probably at least a couple. We check our emails at the grocery store, forward emails on the train, answer a quick chat while waiting at the dentist. Work as we knew it doesn’t exist anymore. The boundaries have widened. The further we move into the IoT era and the multi-device world, the more things we connect to our networks. Each new addition is a potential entry point for a new threat.

After all, hackers were able to acquire data from a North American casino by using an Internet-connected fish tank thermometer meant to remotely monitor the tank’s water parameters. The hackers got into the fish tank’s wireless connection and used it to move into other areas of the network. From the casino’s network, they sent out 10GB of data to a device in Finland.

Now, not every hack is this dramatic, but with greater mobility comes great responsibility. I bet you’re thinking “Ok, Ben Parker… calm down.”, but the words that helped Spiderman should also help you. We often think that security is important, but people rarely prepare, for fear it’s going to take too long. EMS is Microsoft’s answer to the many new threats that come with each new device in your organization.

What is Microsoft Enterprise Mobility + Security (EMS)?

Microsoft Enterprise Mobility + Security (EMS) is an intelligent mobility management and security platform. What this means is that EMS helps protect and secure your organization with products that extend the security features of Windows 10 and Microsoft 365.

How do I get Microsoft Enterprise Mobility + Security (EMS)?

Microsoft EMS can be purchased as a standalone product. EMS E3 is $8.80 USD/user/month while EMS E5 is $14.80 USD/user/month. A more detailed comparison can be found in the tables below, which give a breakdown of the applications and features found in EMS E3 and EMS E5 to help you understand which subscription is best suited for your organization’s needs.

An alternative is to purchase a Microsoft 365 enterprise subscription, Microsoft 365 E3 or E5, which comes with Microsoft EMS. The Microsoft 365 Enterprise E3 and E5 solutions offer not only EMS, but also Microsoft 365 Apps, unlimited OneDrive storage for subscriptions with 5 or more users, Microsoft Teams, and numerous other tools like Power Automate and Power Apps. The Microsoft 365 E3 plan is $32 USD/user/month and the Microsoft 365 E5 plan is $57 USD/user/month, both great prices for their offerings.

It is important to note that Office 365 E3 and E5 are other enterprise plans that Microsoft offers besides Microsoft 365 E3 and E5. However, unlike Microsoft 365 E3 and E5, the Office 365 E3 and E5 plans do not come with EMS, so EMS has to be purchased individually and added on to the Office 365 E3 and E5 plans.

The main difference between Office 365 E3 + EMS E3 and Microsoft 365 E3 is that Office 365 E3 + EMS E3 does not include Windows 10 Enterprise E3, which Microsoft 365 E3 has. Windows 10 gives your organization advanced security, deployment methods, compatibility methods and productivity features. The same applies to Office 365 E5 + EMS E5 versus Microsoft 365 E5: the Office 365 plan doesn’t include the Windows 10 Enterprise E5 plan. Price-wise, the Microsoft 365 E3/E5 plans are the best deal if you wish to have Office 365 Enterprise E3/E5 + EMS E3/E5 + Windows 10 Enterprise E3/E5, compared with purchasing all the components individually.


Microsoft Enterprise Mobility + Security (EMS) E3 vs. Microsoft Enterprise Mobility + Security (EMS) E5 Comparison

Application Comparison

| Apps Included | Enterprise Mobility + Security E3 | Enterprise Mobility + Security E5 |
|---|---|---|
| Price | $8.80 USD/user/month ($11.30 CAD) | $14.80 USD/user/month ($18.90 CAD) |
| Azure Active Directory Premium P1 (AADP P1): includes everything you need for information workers and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud | YES | YES |
| Azure Active Directory Premium P2: all the features in AADP P1 plus Azure Active Directory Identity Protection, which provides risk-based Conditional Access to your apps and company data, and Privileged Identity Management | NO | YES |
| Microsoft Intune: a cloud-based service that focuses on mobile device management and mobile application management | YES | YES |
| Azure Information Protection P1: use on-premises connectors, track and revoke shared documents, enable users to manually classify and label documents | YES | YES |
| Azure Information Protection P2: builds on AIP P1 with automated and recommended classification & protection with policy-based rules and Hold Your Own Key configurations that span Azure Rights Management and Active Directory Rights Management | NO | YES |
| Microsoft Advanced Threat Analytics: protects against advanced targeted cyberattacks and insider threats | YES | YES |
| Microsoft Cloud App Security: cloud access security broker with discovery, behavioural analytics, risk assessment, data protection, and threat protection | NO | YES |
| Azure Advanced Threat Protection: cloud-based solution that helps protect your organization’s identities from multiple types of advanced targeted cyberattacks | NO | YES |
| Windows Server CAL rights | YES | YES |

Feature comparison

| Features Included | Enterprise Mobility + Security E3 | Enterprise Mobility + Security E5 |
|---|---|---|
| Price | $8.80 USD/user/month ($11.30 CAD) | $14.80 USD/user/month ($18.90 CAD) |
| **Identity and access management** | | |
| Simplified access management and security | YES | YES |
| Multi-factor authentication | YES | YES |
| Conditional access | YES | YES |
| Risk-based conditional access | NO | YES |
| Advanced security reporting | YES | YES |
| Privileged identity management | NO | YES |
| Windows Server Client Access License | YES | YES |
| **Endpoint management** | | |
| Mobile application management | YES | YES |
| Advanced Microsoft Office 365 data protection | YES | YES |
| Integrated PC Management | YES | YES |
| Integrated on-premises management | YES | YES |
| **Information Protection** | | |
| Persistent data protection | YES | YES |
| Intelligent data classification and labeling | NO | YES |
| Document tracking and revocation | YES | YES |
| Encryption key management per regulatory needs | YES | YES |
| **Identity-driven security** | | |
| Microsoft Advanced Threat Analytics | YES | YES |
| Microsoft Cloud App Security | NO | YES |
| Azure Advanced Threat Protection | NO | YES |

EMS E3 VS. EMS E5 comparison conclusion:

Some notable applications and features offered in E5 that are not found in E3, as highlighted by the tables, are:

  • Azure Active Directory Identity Protection – This tool automates the detection and remediation of identity-based risks, investigates risks using data in the portal, and exports risk detection data to third-party utilities for further analysis.
  • Privileged Identity Management – This tool helps discover, restrict, and monitor administrators and their access to resources, and provides users with just-in-time access when needed.
  • Microsoft Cloud App Security – This tool allows you to discover and control the use of Shadow IT, protect your information anywhere in the cloud, protect against cyberthreats and anomalies, and assess the compliance of your cloud apps.
  • Azure Advanced Threat Protection – This tool monitors users’ behaviour and activities, protects user identities and reduces the attack surface, and identifies and investigates suspicious user activities and advanced attacks.
  • Azure Information Protection P2 – This tool includes intelligent data classification and labelling, has capabilities like controlling oversharing of information when using Outlook, and much more.
  • Risk-based conditional access – This is a feature in Azure Active Directory that automatically responds to risky behaviours. It can automatically block a sign-in attempt or require a password change or Multi-Factor Authentication as a precaution.

If you believe that any of the above is necessary and essential for your organization, you may need to consider subscribing to Microsoft Enterprise Mobility + Security (EMS) E5 instead of Microsoft Enterprise Mobility + Security (EMS) E3. However, we know that making sense of Microsoft licensing can be pretty confusing, so don’t hesitate to contact us and discuss your specific situation. We’ll be able to position the best license for your needs, no technical speech required!
