Hello @EnterpriseArchitect, please find my comments inline:
I wonder what is the purpose of buying additional licenses like Enterprise Mobility + Security for the existing (E1) users, not E3 and E5?
EMS licenses include the products below:
Azure Advanced Threat Protection
Microsoft Cloud App Security
Azure Information Protection Premium P2
Azure Information Protection Premium P1
Azure Rights Management
Microsoft Intune
Azure Active Directory Premium P2
Microsoft Azure Multi-Factor Authentication
Azure Active Directory Premium P1
Office 365 Enterprise licenses include the products below. I have fetched the list for E3, but the products in E1 are similar. For E1, refer to https://www.microsoft.com/en-in/microsoft-365/enterprise/office-365-e1?activetab=pivot%3aoverviewtab
Project for Office (Plan E3)
Common Data Service
Microsoft Bookings
Microsoft Kaizala Pro
Whiteboard (Plan 2)
Information Protection for Office 365 - Standard
Insights by MyAnalytics
To-Do (Plan 2)
Microsoft Forms (Plan E3)
Microsoft Stream for O365 E3 SKU
Microsoft StaffHub
Flow for Office 365
PowerApps for Office 365
Microsoft Teams
Microsoft Planner
Sway
Yammer Enterprise
Azure Rights Management
Microsoft 365 Apps for enterprise
Skype for Business Online (Plan 2)
Office for the web
SharePoint (Plan 2)
Exchange Online (Plan 2)
So after assigning at least a minimum of Enterprise E1 license to the users, how can they enable the MFA/2FA themselves? Or is this something that only the Recipient / Security administrator role can do, not the users?
Users can go to https://aka.ms/mfasetup and configure the MFA information for their accounts. However, when to trigger MFA is configured by Administrators. We have recently introduced Security Defaults which can be used to enable MFA for all users in the tenant without requiring any licenses to be purchased.
Can I assign the Enterprise E1 users with Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5? Or does it have to be on the same level as a minimum?
Yes, since both these licenses include different products, you can assign Office 365 Enterprise E1 and EMS E3/E5 to the same user.
Since Microsoft Enterprise Mobility + Security E3 includes the Microsoft Intune feature, can we therefore manage the users' mobile devices (ActiveSync) and home computers when they are installing Office 365 using (click to run) from Portal.office.com?
You can only manage the devices which are enrolled to Intune or Registered/Joined to Azure AD. Read more about device enrollment here: https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment
Kindly let me know if the answers to your previous questions were helpful. Please take some time to "Accept the answer" wherever the information provided helped you.