Enterprise Mobility + Security for the existing (E1) users?

EnterpriseArchitect 4,741 Reputation points
2020-08-03T06:21:06.923+00:00

Hi All,

After reading: https://learn.microsoft.com/en-us/enterprise-mobility-security/

I wanted to enable all of my users to be able to secure themselves using the MFA/2FA.
All of them have been licensed using a minimum of E1 and E3.

  1. I wonder what is the purpose of buying additional licenses like Enterprise Mobility + Security for the existing (E1) users, not E3 and E5?
  2. So after assigning at least a minimum of Enterprise E1 license to the users, how can they enable the MFA/2FA themselves? Or this is something that only the Recipient / Security administrator role can do, not the users.
  3. Can I assign the Enterprise E1 users with Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5? Or it has to be on the same level as a minimum.
  4. Since the Microsoft Enterprise Mobility + Security E3 includes Microsoft Intune feature, therefore we can manage the users' mobile devices (ActiveSync) and home computers when they are installing Office 365 using (click to run) from Portal.office.com?

Thank you in advance.


Accepted answer
  1. Vasil Michev 95,341 Reputation points MVP
    2020-08-03T07:32:25.7+00:00

    You need the EMS (or Azure AD P1 standalone) license for Conditional Access policies, which offer a lot more flexibility compared to the "standard" MFA controls.

    Enabling users for MFA is always an admin-level functionality. The users themselves can only configure the preferred method, out of the ones the admin has enabled.

    You can mix and match the licenses as you see fit.

    To manage Intune devices, they need to be enrolled first, but that's a broad topic - make sure to read the documentation first.

    1 person found this answer helpful.

1 additional answer

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-08-03T08:13:16.067+00:00

    Hello @EnterpriseArchitect, please find my comments inline:

    I wonder what is the purpose of buying additional licenses like Enterprise Mobility + Security for the existing (E1) users, not E3 and E5?

    EMS licenses include the below products:

    Azure Advanced Threat Protection
    Microsoft Cloud App Security
    Azure Information Protection Premium P2
    Azure Information Protection Premium P1
    Azure Rights Management
    Microsoft Intune
    Azure Active Directory Premium P2
    Microsoft Azure Multi-Factor Authentication
    Azure Active Directory Premium P1

    Office 365 Enterprise licenses include the below products. I have fetched the list for E3, but the products in E1 are similar. For E1, refer to https://www.microsoft.com/en-in/microsoft-365/enterprise/office-365-e1?activetab=pivot%3aoverviewtab

    Project for Office (Plan E3)
    Common Data Service
    Microsoft Bookings
    Microsoft Kaizala Pro
    Whiteboard (Plan 2)
    Information Protection for Office 365 - Standard
    Insights by MyAnalytics
    To-Do (Plan 2)
    Microsoft Forms (Plan E3)
    Microsoft Stream for O365 E3 SKU
    Microsoft StaffHub
    Flow for Office 365
    PowerApps for Office 365
    Microsoft Teams
    Microsoft Planner
    Sway
    Yammer Enterprise
    Azure Rights Management
    Microsoft 365 Apps for enterprise
    Skype for Business Online (Plan 2)
    Office for the web
    SharePoint (Plan 2)
    Exchange Online (Plan 2)

    So after assigning at least a minimum of Enterprise E1 license to the users, how can they enable the MFA/2FA themselves? Or this is something that only the Recipient / Security administrator role can do, not the users.

    Users can go to https://aka.ms/mfasetup and configure the MFA information for their accounts. However, when to trigger MFA is configured by Administrators. We have recently introduced Security Defaults which can be used to enable MFA for all users in the tenant without requiring any licenses to be purchased.

    Can I assign the Enterprise E1 users with Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5? Or it has to be on the same level as a minimum.

    Yes, since both these licenses include different products, you can assign Office 365 Enterprise E1 and EMS E3/E5 to the same user.

    Since the Microsoft Enterprise Mobility + Security E3 includes Microsoft Intune feature, therefore we can manage the users' mobile devices (ActiveSync) and home computers when they are installing Office 365 using (click to run) from Portal.office.com?

    You can only manage the devices which are enrolled in Intune or registered/joined to Azure AD. Read more about device enrollment here: https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment

    Kindly let me know if the answers to your previous questions were helpful. Please take some time to "Accept the answer" wherever the information provided helped you.

    2 people found this answer helpful.
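
An added example, not part of either answer above: a small licence audit that sorts users into those whose provisioned service plans include Azure AD Premium P1/P2 (so Conditional Access can enforce MFA) and those who would rely on Security Defaults, and flags who holds an Intune plan. The SKU and service plan names (`STANDARDPACK`, `EMS`, `AAD_PREMIUM`, `INTUNE_A` and so on) are assumptions taken from Microsoft's licensing reference, and the user data is constructed, shaped like Microsoft Graph `licenseDetails` output.

```python
# Service plans that license Conditional Access (Azure AD Premium P1 / P2).
# Plan and SKU names are assumptions, not taken from the thread.
CA_PLANS = {"AAD_PREMIUM", "AAD_PREMIUM_P2"}
INTUNE_PLAN = "INTUNE_A"

# Constructed sample, shaped like Graph GET /users/{id}/licenseDetails results.
SAMPLE_USERS = {
    "alice@contoso.example": [   # Office 365 E1 + EMS E3
        {"skuPartNumber": "STANDARDPACK", "servicePlans": [
            {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"}]},
        {"skuPartNumber": "EMS", "servicePlans": [
            {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
            {"servicePlanName": "INTUNE_A", "provisioningStatus": "Success"}]},
    ],
    "bob@contoso.example": [     # Office 365 E1 only
        {"skuPartNumber": "STANDARDPACK", "servicePlans": [
            {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"}]},
    ],
    "carol@contoso.example": [   # EMS E3 assigned, but the P1 plan switched off
        {"skuPartNumber": "STANDARDPACK", "servicePlans": [
            {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success"}]},
        {"skuPartNumber": "EMS", "servicePlans": [
            {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Disabled"},
            {"servicePlanName": "INTUNE_A", "provisioningStatus": "Success"}]},
    ],
}

def active_plans(license_details):
    """Service plans that are actually provisioned, across every assigned SKU."""
    return {
        plan["servicePlanName"]
        for sku in license_details
        for plan in sku.get("servicePlans", [])
        if plan.get("provisioningStatus") == "Success"
    }

def classify(license_details):
    """Pick the MFA enforcement path the user's licences support."""
    plans = active_plans(license_details)
    return {
        "mfa_path": "conditional-access" if plans & CA_PLANS else "security-defaults",
        "intune_licensed": INTUNE_PLAN in plans,
    }

def audit(users):
    return {upn: classify(details) for upn, details in users.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```

The third constructed user shows why the check reads service plans rather than SKU names: the EMS SKU is assigned, but with the P1 plan disabled the user is not covered for Conditional Access.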