Why Remote and Hybrid Work Changes Your Licensing Posture
The core M365 license requirement does not change because a user works from home rather than an office. A user assigned M365 E3 retains their E3 entitlements regardless of where they work. What changes is the complexity of how those licenses are consumed, the security perimeter that must be licensed to protect a distributed estate, and the mix of devices and access methods that can inadvertently trigger additional licensing requirements.
Microsoft's audit team has identified remote and hybrid work as a growth area for compliance findings since 2022. The most common issues are not deliberate non-compliance — they are the result of IT teams deploying access solutions and security controls for remote workers without revisiting whether the underlying licenses cover those deployment patterns. Three years into permanent hybrid work models, many enterprise estates carry latent licensing exposure that was never resolved after the initial emergency response to COVID-era remote work expansion.
The Multi-Device Entitlement: What It Covers and What It Does Not
M365 E3 and above entitles each user to install the Office desktop suite on up to five PCs or Macs, five tablets, and five smartphones simultaneously. In a remote work context this is typically adequate: a work laptop, a home desktop, a personal tablet, and a smartphone represent four of the five PC/Mac installs, with one remaining. The entitlement travels with the user, not the device.
Where complexity enters is the shared device scenario. A family computer used by an M365-licensed user to access corporate Office applications is not problematic if the user is logged in with their work credentials — the per-user entitlement covers personal device access. What creates a licensing gap is a shared or unmanaged device where multiple users access M365 services. Shared device licensing, particularly in frontline or shift-worker scenarios, requires either a per-device license model or a frontline worker SKU that explicitly covers shared device use cases.
Frontline Worker Licensing in a Hybrid Estate
The M365 SKU stack relevant to hybrid work includes not just the E-series tiers but the F-series Frontline Worker plans. M365 F1 at $2.25 per user per month provides web and mobile-only Office apps, Teams, and Exchange web access, with no desktop Office installs. M365 F3 at $8.00 per user per month adds desktop Office installs, Intune MDM, and Windows 10/11 Enterprise rights for frontline scenarios.
Organisations that expanded remote work licensing rapidly in 2020 and 2021 frequently assigned E3 to workers who are now back in hybrid patterns and only require F3 capabilities. Moving these users from E3 ($36, rising to $39 from July 2026) to F3 ($8) delivers $28 to $31 per user per month in savings — a compelling optimization target before the July price increase.
Security Licensing for the Distributed Perimeter
Remote and hybrid work fundamentally expands the security perimeter. Users access corporate resources from personal networks, unmanaged devices, coffee shops, and home offices. The licensing implications depend on which security controls the organisation deploys in response.
Conditional Access and Azure AD P1
Conditional Access is the cornerstone of zero-trust security for hybrid work. It evaluates sign-in risk, device compliance, location, and application sensitivity before granting access. Conditional Access requires Azure Active Directory Premium P1 at minimum. Azure AD P1 is included in M365 E3 and above. Organisations still on M365 E1 or standalone Office 365 E3 — without the M365 licensing — do not have Azure AD P1 included and must add it as a separate license ($6/user/month) to deploy Conditional Access policies.
This is one of the most common licensing gaps in post-pandemic hybrid estates: IT deployed Conditional Access as a security control, without verifying whether the user population was appropriately licensed for the feature. A Microsoft licensing audit that surfaces this gap can trigger significant back-payment exposure for the unlicensed period.
Intune Device Compliance
Microsoft Intune is used to enforce device compliance policies for remote workers — ensuring that devices accessing corporate resources meet minimum security requirements (patch level, encryption, screen lock). Intune is included in M365 E3 and above. It is also available as a standalone license at $8/user/month. For organisations that deployed Intune across their hybrid workforce from standalone licenses before upgrading to E3, those standalone Intune licenses are now duplicate spend — a common add-on redundancy discovered in optimization assessments.
Defender for Endpoint for Remote Devices
Defender for Endpoint P1 is included in M365 E3. Defender for Endpoint P2, which adds EDR capabilities, automated investigation, and threat hunting, is included in M365 E5 and E7. The E7 SKU is the new top tier above E5 and bundles advanced security with Microsoft 365 Copilot and the Entra Suite — making it the licensing destination Microsoft is pushing for organisations that need both AI capability and advanced endpoint security. Organisations that deployed Defender for Endpoint as a standalone add-on for remote worker devices should verify whether their current M365 base license already covers the required tier.
Teams Licensing Changes Arriving in April 2026
Microsoft is implementing Teams licensing changes effective April 2026. Organisations should verify the current state of Teams licensing in their estate, particularly if they have users on legacy Office 365 SKUs where Teams was previously bundled as part of the Office 365 E3 suite. The unbundling of Teams from Office 365 in some regions, and re-bundling decisions in others, has created a patchwork of licensing positions that varies by geography and by the vintage of the underlying EA.
Teams Phone — the add-on that provides PSTN calling capability through Teams — remains a separate add-on from the core M365 subscription. For hybrid workers who rely on Teams as their primary telephony solution, Teams Phone licensing must be verified separately from the M365 base license. Teams Phone domestic calling plans range from $8 to $18 per user per month depending on region and usage model.
Teams Rooms devices — conference room hardware used in hybrid meeting scenarios — require their own dedicated licenses, separate from the user licenses of meeting participants. Teams Rooms Basic is free for the first 25 rooms; Teams Rooms Pro costs $40 per device per month and is required for advanced room management, analytics, and AI-powered meeting features. The proliferation of hybrid meeting rooms as organisations redesign office space for collaborative work has driven significant growth in Teams Rooms licensing obligations that may not be accurately reflected in current EA true-up documentation.
VDI and Remote Desktop: The Compliance Risk Area
Virtual Desktop Infrastructure (VDI) and Remote Desktop Services (RDS) represent the highest-risk licensing area in a hybrid work context. Running Microsoft Office in a VDI or RDS environment requires licensing that goes beyond the standard per-user M365 entitlement. The requirements vary significantly depending on the VDI technology, the number of concurrent users, and whether the infrastructure is on-premises or cloud-based.
For on-premises VDI and RDS: users running Office applications on a Remote Desktop Session Host (RDSH) server require both their M365 user license and a Remote Desktop Services Client Access License (RDS CAL). The per-user RDS CAL is available in the M365 E3/E5 SKUs as part of the Windows Enterprise licensing, but organisations must verify this coverage explicitly — it is not universally included in all M365 SKU variants.
For Azure Virtual Desktop (AVD): Microsoft provides specific rights for running Windows and Office in AVD for users licensed with M365 E3 and above. This is a significant licensing advantage of Azure-hosted VDI over on-premises deployments, and one of the reasons Microsoft has been actively promoting AVD to organisations with hybrid work requirements. However, the coverage only applies to users with qualifying M365 licenses — not to Office or Windows licensed through other channels.
The 80/15/5 Framework for Hybrid License Assignment
The most effective framework for right-sizing M365 licensing across a hybrid estate segments the user population into three tiers based on actual capability requirements rather than role title or department.
The 80 percent tier — standard information workers who need full Office, email, Teams, SharePoint, and basic compliance — maps to M365 E3. These users work from home, the office, or in transit and need the full productivity suite on multiple devices. E3 at $36 (rising to $39 in July) is the correct and cost-appropriate license for this population.
The 15 percent tier — shift workers, deskless employees, and occasional users who primarily communicate via Teams and access shared documents — maps to M365 F3 at $8 per user per month or M365 F1 at $2.25 for the lightest users. Many organisations have this population on E3, paying a $28 to $31 premium per user per month for capabilities that are never used.
The 5 percent tier — IT administrators, security analysts, legal, compliance, and power users who need advanced security, eDiscovery, and AI features — maps to M365 E5 or, from May 2026, M365 E7 at $99 per user per month. E7 is the new top SKU above E5 and is specifically designed for users who need both advanced security and Microsoft 365 Copilot. For these users, the E7 bundle is economically efficient relative to purchasing E5 plus Copilot plus Entra Suite separately.
Practical Steps for Hybrid License Compliance
The actions that protect enterprises from licensing exposure in a hybrid estate and ensure cost efficiency are straightforward in concept but require deliberate execution. First, audit the gap between your VDI deployment and the licensing entitlements that cover it — this is the single highest-risk area. Second, reconcile your Conditional Access deployment against the Azure AD license tier of the users it applies to. Third, identify frontline and deskless workers currently on E3 and model the savings from F3 migration before the July 2026 price increase. Fourth, verify that Teams Rooms licenses are accurate for every conference room device. Fifth, cross-reference standalone Intune and Defender add-ons against E3 base entitlements for redundancy elimination.
Our team of Microsoft EA advisory specialists works exclusively on the buyer side and has completed this analysis across hundreds of enterprise hybrid estates. A structured review typically identifies a 15 to 30 percent cost reduction opportunity while eliminating compliance exposure that would otherwise surface at the next EA True-Up or formal audit.