How Microsoft Intune Licensing Actually Works
Overpaying for Microsoft? We handle Microsoft EA, NCE, and Azure negotiation on a 25% gainshare basis — you keep 75% of every dollar saved. No retainer. No risk.
Get a free Microsoft savings estimate →Microsoft Intune is not a standalone product in any meaningful commercial sense for most enterprise buyers. It is a capability bundled into Microsoft 365 suites — specifically M365 E3, M365 E5, and several Business Premium SKUs — as well as the Enterprise Mobility + Security (EMS) E3 and E5 add-on bundles. You can purchase Intune Plan 1 as a standalone licence at approximately $8 per user per month, or Intune Plan 2 (adding endpoint privilege management and remote help) at around $12 per user per month.
In practice, what this creates is a bundling trap. Microsoft's sales motion is designed to move enterprises from E3 to E5, partly by pointing to Intune capabilities in combination with Defender for Endpoint, Entra ID P2, and Purview. The pitch: "You need endpoint management, device compliance, and identity protection — all included in E5." The reality: many enterprises buy E5 and use only a fraction of its capabilities, with Intune being the anchor justification.
The E5 uplift from E3 costs approximately $22–28 per user per month depending on your EA negotiation. If Intune is the primary driver of that upgrade decision, you are paying $22–28/user/month for an MDM that could be replaced by a third-party solution at $4–8/user/month — and retaining E3 pricing.
Intune Plan 1 vs Plan 2: What's Actually Different
Intune Plan 1 covers the core MDM and MAM (mobile application management) capabilities: device enrolment, compliance policy enforcement, conditional access integration, app deployment, and configuration profiles across Windows, iOS, Android, and macOS. This is what's included in M365 E3 and EMS E3.
Intune Plan 2 adds Endpoint Privilege Management (EPM), Microsoft Tunnel for Android/iOS VPN, and Remote Help capabilities. These are meaningful additions for enterprises managing privileged access without admin rights. However, Plan 2 is an add-on: it sits on top of Plan 1, not on top of your E5 licence. This means even E5 customers need to separately purchase Intune Plan 2 if they want EPM functionality — a fact that Microsoft's EA account teams regularly fail to explain clearly at renewal time.
Intune Suite (launched 2023, rebranded as Microsoft Intune Enterprise App Management in 2025) bundles Plan 2 plus Enterprise App Management and Firmware-Over-the-Air management at approximately $10/user/month. Before purchasing, verify whether you already have overlapping capabilities through Defender for Endpoint P2 or Entra ID — Microsoft will not flag this duplication voluntarily.
We negotiate Microsoft EA and M365 contracts on a 25% gainshare basis. If your E5 decision was driven by Intune bundling, we can restructure your suite mix and recover 20–35% on your annual spend. You pay nothing unless we save you money.
Third-Party MDM Cost Reality: What Enterprises Are Actually Paying
The MDM market has three dominant alternatives to Intune at enterprise scale: Jamf (strongest for macOS/iOS environments), VMware Workspace ONE (now Omnissa, rebranded post-Broadcom), and SOTI MobiControl (strong in industrial and rugged device deployments). Smaller players including Mosyle, Kandji (Mac-focused), and ManageEngine are increasingly competitive in mid-market.
Jamf Pro pricing for enterprises runs approximately $4.50–7.50 per device per month depending on volume and commitment term. For a 10,000-device estate, expect $540K–$900K annually. Workspace ONE (Omnissa) is broadly comparable: Standard tier starts around $3.50–5 per device for basic MDM, with Advanced adding identity and access management at $7–9 per device. These prices are list — significant discounts of 25–40% are achievable through negotiation, particularly from Omnissa which is under aggressive pressure to retain VMware customers post-Broadcom disruption.
| Solution | Approx. Cost/Device/Month | Windows | macOS | iOS/Android | Best For |
|---|---|---|---|---|---|
| Intune Plan 1 (standalone) | ~$8/user/month | ✓ Strong | ~ Basic | ✓ Strong | Microsoft-heavy orgs |
| Intune (via M365 E3) | Bundled — cost allocation varies | ✓ Strong | ~ Basic | ✓ Strong | Full Microsoft stack |
| Jamf Pro | $4.50–7.50/device/month | ~ Basic | ✓ Best-in-class | ✓ Strong | Apple-heavy environments |
| Workspace ONE (Omnissa) | $3.50–9/device/month | ✓ Strong | ✓ Strong | ✓ Strong | Mixed OS enterprises |
| SOTI MobiControl | $2.50–5/device/month | ✓ Strong | ~ Limited | ✓ Strong | Rugged/industrial devices |
The Hidden Cost Equation: Device vs User Licensing
This is where many enterprises make a critical error. Intune is licensed per user, not per device. A user with three managed endpoints (laptop, phone, tablet) consumes one Intune licence but generates three managed devices. Third-party MDM vendors typically price per device. If your average user-to-device ratio is above 2.5:1, per-device MDM pricing starts to look expensive quickly. Below 1.5:1, Intune's per-user model can be significantly cheaper even at standalone pricing.
For a 5,000-user organisation with 9,000 managed devices (1.8:1 ratio), the comparison looks approximately like this: Intune standalone at $8/user/month = $480K annually. Jamf Pro at $6/device/month = $648K annually. The bundle equation shifts the calculation further — if those 5,000 users are already on M365 E3, Intune is effectively "free" (though that cost is embedded in the E3 per-seat price of approximately $36/user/month).
Don't compare Intune standalone against third-party MDM in isolation. Compare the total cost of (a) M365 E3 or E5 with Intune bundled vs (b) a lower-tier M365 licence plus a third-party MDM. In Apple-heavy environments where Intune's macOS capabilities are limited, option (b) is frequently 15–25% cheaper while delivering better macOS management.
When Intune Is the Right Answer (And When It Isn't)
Intune wins clearly in Windows-dominant enterprises with a full Microsoft stack. If your devices are 80%+ Windows, your identity infrastructure is Entra ID, your security tooling is Defender, and your productivity suite is M365 — Intune's native integration across all these layers creates genuine operational value that justifies the bundled cost. Conditional access policies that require device compliance before granting access to SharePoint, Teams, and Outlook are significantly easier to operationalise with Intune than with a third-party MDM requiring API-based integration.
Intune struggles in three specific scenarios. First, Apple-heavy environments: Intune's macOS management capabilities — particularly software distribution, patch management, and declarative device management — remain materially behind Jamf Pro. Enterprises with 30%+ Mac endpoints frequently find themselves running both Intune (for Windows and policy consistency) and Jamf (for Mac management), incurring dual licensing costs that were not in the original business case. Second, industrial and IoT device management: Intune's support for rugged devices, scanners, kiosks, and Android Enterprise Dedicated is functional but limited compared to SOTI or Honeywell-focused solutions. Third, complex MAM-only (mobile application management without enrolment) scenarios at large scale: Intune's MAM policies work but the administrative overhead is higher than purpose-built MAM solutions.
If your Microsoft EA is up for renewal in the next 6–12 months, now is the time to conduct a licence-tier analysis. Our Microsoft negotiation service includes a full suite optimisation: comparing your current E3/E5 mix against your actual usage patterns and identifying where third-party tools could reduce total cost. We work on 25% gainshare — no savings, no fee.
Negotiation Angles: How to Use This Analysis at Your EA Renewal
The Intune vs third-party MDM analysis is most powerful not as a switching decision but as negotiation leverage. When Microsoft's EA renewal team presents an E5 upsell and cites Intune and Defender as the primary value drivers, you have three moves available.
Move 1: The Competitive Displacement Threat
Document your total cost of ownership under a scenario where you remain on M365 E3 and deploy Jamf Pro or Workspace ONE for device management, replacing the Intune capability. Present this to Microsoft's account team as a credible alternative. You don't need to actually switch — the threat is enough to drive meaningful pricing movement. Microsoft's EA account teams have discretionary discount authority, and device management competitive pressure is a recognised lever in their internal playbooks.
Move 2: The Licence Optimisation Play
Request a licence consumption report from Microsoft (available through the M365 Admin Center or your Microsoft representative). Identify users with E5 licences who are not consuming the security and compliance features that differentiate E5 from E3: specifically Defender for Identity, Entra ID P2, Purview Information Protection P2, and Defender for Cloud Apps. If 30–40% of your E5 users are using only productivity features, you have a compelling case to downgrade those users to E3 and retain Intune via standalone or EMS add-on at significantly lower total cost.
Move 3: The Intune Suite Deferral
Microsoft is actively pushing Intune Suite (Enterprise App Management tier) as an add-on to existing Intune Plan 1 customers. List price is approximately $10/user/month. The capabilities — advanced app management, firmware management, cloud PKI — are valuable but not universally required. Defer the Intune Suite conversation to your next renewal cycle and use the deferral as a concession to extract better pricing on your core M365 suite. Microsoft's fiscal year ends June 30; Q4 (April–June) and Q2 (October–December) are when account teams have maximum incentive to close deals with added-value concessions.
Microsoft EA renewals lock in pricing for three years under standard terms. Any licensing architecture decisions made at renewal — suite tier mix, Intune add-on structure, device management approach — will be difficult and expensive to change mid-term. Conduct your MDM total cost of ownership analysis at least 6 months before your EA renewal date, not during the final 90-day renewal window when Microsoft's leverage is highest.
The Coexistence Model: Running Intune and Jamf Together
A significant number of large enterprises are not choosing between Intune and third-party MDM — they are running both. Intune manages Windows and iOS devices under a unified policy framework integrated with Entra ID and Defender. Jamf Pro manages macOS endpoints where its declarative device management, software distribution, and Mac-specific security capabilities are materially superior. This coexistence model is operationally coherent but requires careful licence planning to avoid paying full price for two overlapping solutions.
The negotiation implication: if you are running or considering coexistence, you should be negotiating Jamf directly (not through a Microsoft-aligned reseller), benchmarking your Jamf pricing against published competitor rates, and ensuring your Microsoft EA does not include Intune Plan 2 add-ons for macOS devices that Jamf is managing. This sounds obvious but is regularly missed — enterprises discover post-renewal that they are paying Microsoft for Intune endpoint privilege management on devices that Jamf is actually managing, with zero incremental value from the Microsoft licence.
Decision Framework: Intune or Third-Party MDM
The right MDM decision depends on four variables: your OS mix, your existing Microsoft suite investment, your device-to-user ratio, and your operational capabilities. Before your next EA renewal or MDM contract decision, work through this framework:
Intune is likely optimal if: Your estate is 75%+ Windows devices, you are already on M365 E3 or above, your device-to-user ratio is below 2:1, and your security architecture is built on Defender and Entra ID. The integration value and reduced operational complexity outweigh the marginal feature gaps.
Consider a third-party MDM or coexistence model if: Your Mac devices exceed 25% of the managed estate, you have significant industrial or rugged device inventory, you are considering a Microsoft licence tier downgrade to reduce per-seat costs, or your Intune deployment has persistent operational issues that Microsoft's support tier has not resolved.
Audit your current spend before any decision: Use the M365 Admin Center licence assignment reports and Intune's Device Compliance dashboard to identify the exact scope of what you are managing, what licences are active vs assigned vs consumed, and what your true per-device cost is under current licensing. This data is available internally — you do not need Microsoft's account team to generate it for you, and generating it yourself means they cannot shape the narrative around your renewal.
We negotiate Microsoft EA contracts on a 25% gainshare basis. If your Intune or M365 suite architecture is overpriced relative to your actual usage and management requirements, we will find the savings. Our Microsoft negotiation service covers licence tier optimisation, Intune vs third-party MDM cost modelling, and full EA commercial negotiation. Get a free savings estimate — no obligation, no risk, and you pay nothing unless we deliver verified savings.