What Microsoft Intune Actually Is

Microsoft Intune is a cloud-based endpoint management and mobile device management (MDM) service that allows IT administrators to manage, secure, and enforce policy across Windows, macOS, iOS, iPadOS, and Android devices from a single control plane. It also delivers mobile application management (MAM), which enables organisations to apply data protection policies to specific apps on personal devices without enrolling the device itself into full management.

Intune sits at the centre of Microsoft's Zero Trust architecture. It integrates natively with Microsoft Entra ID for Conditional Access enforcement, with Microsoft Defender for Endpoint for device health signals, and with Microsoft Purview for data classification and protection policy on managed endpoints. For organisations running primarily within the Microsoft ecosystem, Intune is a logical consolidation of endpoint management, security configuration, and application lifecycle management into a single licensed service.

The licensing model has three tiers: Plan 1 (the foundational MDM/MAM tier included in most M365 enterprise SKUs), Plan 2 (an add-on targeting specialty device and advanced mobile scenarios), and the Intune Suite (a comprehensive add-on bundling Plan 2 with five premium capabilities). From July 2026 onwards, the picture changes dramatically — Microsoft is folding key Intune Suite features directly into M365 E3 and E5, which means any organisation currently buying the Suite as a standalone add-on needs to reassess their licensing position before their next True-Up.

Intune Plan 1: The Foundational Tier

Intune Plan 1 costs $8 per user per month as a standalone subscription, though the vast majority of enterprise customers already have it included in their M365 bundle and should never need to pay for it separately. Plan 1 delivers what most organisations need for standard endpoint management: full MDM enrolment across Windows, macOS, iOS, iPadOS, and Android; app deployment and lifecycle management; configuration profiles for device hardening; compliance policies that feed into Conditional Access decisions; and Windows Autopatch for automated patch management.

What Plan 1 includes

The core MDM capabilities in Plan 1 cover the most common enterprise device scenarios. On Windows, administrators can manage corporate-owned devices joined to Microsoft Entra ID or hybrid-joined to Active Directory, configure BitLocker encryption, deploy Win32 and MSIX applications, and enforce security baselines aligned to CIS or DISA STIG standards. The Windows Autopatch service automates the delivery of Windows quality updates, security updates, Microsoft 365 Apps updates, and driver updates without requiring WSUS infrastructure or manual ring management.

For mobile platforms, Plan 1 delivers Apple Device Enrolment Program (DEP) and Apple Business Manager integration for zero-touch iOS and macOS provisioning, Android Enterprise work profile management for BYOD scenarios, and managed Google Play for app deployment on corporate Android devices. From 2026, Intune also supports Apple's Declarative Device Management (DDM) protocol, which extends to line-of-business app deployment on iOS and iPadOS — a meaningful improvement for organisations running custom enterprise apps on Apple hardware.

MAM without enrolment is one of Plan 1's most operationally valuable capabilities. It allows organisations to apply app protection policies — enforcing PIN, preventing copy-paste to unmanaged apps, enabling selective wipe — on corporate applications running on personally owned devices, without requiring the user to enrol their phone into full MDM. This is critical for BYOD programmes where users refuse full device enrolment but the organisation still needs to control data in Teams, Outlook, and other corporate apps.

Which M365 SKUs include Plan 1

If your organisation holds any of the following licences, Intune Plan 1 is already included at no additional cost: Microsoft 365 E3, E5, E7; Microsoft 365 F1, F3; Microsoft 365 Business Premium; Enterprise Mobility and Security E3 or E5; and Microsoft Intune for Education. Organisations running standalone M365 Apps for Enterprise or Microsoft 365 E1 do not receive Intune Plan 1 and would need to either upgrade their base SKU or add it as a standalone component.

The important implication here is that any organisation running an EA with M365 E3 or above is likely running Intune Plan 1 already — the question is whether they are actually deploying and managing it, or whether it is sitting unused while the IT team continues to manage devices with a third-party MDM they have been running for years. If you are in the latter camp, your renewal is an opportunity to consolidate and eliminate that third-party cost.

"The most common Intune conversation I have with EA customers is not about Plan 2 or the Suite — it is explaining that they already have Plan 1 in their E3 and have been paying a third-party MDM vendor for five years to do the same job."

Intune Plan 2: The Specialty Device Add-On

Intune Plan 2 is an add-on to Plan 1 priced at $4 per user per month. It targets two scenarios that fall outside what Plan 1 handles: specialty and frontline devices, and advanced mobile connectivity requirements. Most organisations running standard knowledge-worker deployments of Windows laptops and iPhones have no need for Plan 2 as a standalone purchase — but for industries with non-standard device fleets, it can be meaningful.

Specialty device management

Plan 2 adds management support for devices that are not standard smartphones, tablets, or laptops: augmented reality and virtual reality headsets such as HoloLens 2 and Meta Quest for Business, smart screens and digital signage, conferencing room systems running Windows IoT or Android, and other purpose-built enterprise hardware that does not fit the standard Intune MDM enrolment flow. For these devices, Plan 2 provides dedicated enrolment profiles, configuration policy sets, and reporting dashboards.

Firmware-over-the-air (FOTA) updates are also part of Plan 2, allowing IT teams to manage firmware and software updates on Android devices through carrier-level update mechanisms. This is relevant for organisations running large managed fleets of Android devices in logistics, healthcare, or field service scenarios where devices are carrier-managed rather than managed through standard app stores.

Intune Tunnel for MAM

The second major Plan 2 capability is Microsoft Tunnel for Mobile Application Management. Standard Intune Tunnel (available in Plan 1) provides VPN access to on-premises resources for enrolled devices. Tunnel for MAM extends this to unenrolled BYOD devices — it allows specific managed apps on a personal iOS or Android device to tunnel into corporate network resources via Intune's gateway, without requiring the full device to be enrolled and without a traditional device-level VPN client. This is a genuinely useful capability for regulated industries where employees use personal devices to access line-of-business applications hosted on-premises.

The Intune Suite: All Premium Add-Ons in One Bundle

The Intune Suite is priced at $10 per user per month as an add-on to Plan 1. It combines Plan 2 with five premium capabilities that were previously either unavailable, very expensive as standalone point solutions, or required separate vendor contracts. The key question — which we address in detail below — is whether the July 2026 M365 E3 and E5 bundle changes make the Intune Suite redundant for most customers.

Endpoint Privilege Management (EPM)

EPM is arguably the most operationally significant capability in the Intune Suite. It solves the persistent enterprise problem of users needing elevated privileges for specific tasks — installing a printer driver, running a legacy application, updating a specialised tool — without granting them permanent local administrator rights that create serious security exposure.

With EPM, administrators define elevation rules that allow specific files, processes, or applications to run with elevated privileges on a per-rule, per-approval, or self-approval basis. The elevation runs in a constrained context rather than giving the user full local admin rights. Every elevation event is logged with full metadata — who elevated, what they elevated, at what time — providing the audit trail that compliance frameworks increasingly require. EPM supports Microsoft's Zero Trust posture by enabling least-privilege user access at scale without breaking productivity.

From 2026, EPM has added an "elevate as current user" option where elevated processes run under the user's own account context rather than a virtual account, which addresses compatibility issues with applications that behave differently when run as a different identity. EPM also now supports Azure Virtual Desktop single-session environments, extending least-privilege management to cloud-hosted desktops.

Enterprise Application Management

Enterprise Application Management (EAM) provides a curated catalogue of pre-packaged Win32 applications — major ISV software titles that Microsoft pre-packages for direct deployment via Intune without requiring IT to manually package, test, and maintain installers. The catalogue simplifies the most time-consuming part of application lifecycle management: turning vendor installers into managed, deployable packages that update reliably over time.

EAM also adds application supersedence management and dependency mapping, making it easier to retire old application versions systematically and enforce version compliance across the estate. For IT teams managing large software inventories through Intune, EAM reduces the manual packaging and testing burden significantly.

Microsoft Cloud PKI

Cloud PKI replaces the on-premises Certificate Authority and NDES (Network Device Enrolment Service) infrastructure that most large enterprises have been running for decades to issue certificates to managed devices. Issuing certificates to Intune-managed devices via on-premises AD CS and NDES requires a complex, fragile server infrastructure that is difficult to maintain and creates single points of failure.

Cloud PKI is a fully managed, cloud-hosted certificate authority service that integrates directly with Intune for certificate issuance to enrolled devices. It supports custom root and intermediate CAs, certificate lifecycle management, and revocation. The standalone list price for Cloud PKI is approximately $2 per user per month, and its inclusion in the Intune Suite or in M365 E5 from July 2026 represents a direct offset against organisations currently maintaining on-premises PKI infrastructure costs.

Remote Help

Remote Help is a secure, cloud-based remote assistance tool built into Intune that allows helpdesk technicians to remotely view and control managed endpoints — Windows PCs, Android devices, and macOS — for support sessions. Unlike general-purpose remote access tools, Remote Help operates within the Intune permission model: technicians can only connect to devices where they have been granted the appropriate role, sessions are logged and auditable, and the connection does not require the device to be on the corporate network.

Remote Help supports both full remote control and view-only modes, and includes a chat function for communication during sessions. For organisations currently paying for third-party remote support tools — TeamViewer, LogMeIn, BeyondTrust — the inclusion of Remote Help in the Intune Suite (and from July 2026 in M365 E3) provides a direct consolidation opportunity that can offset some of the Suite cost.

Advanced Analytics

Advanced Analytics within the Intune Suite extends the baseline reporting available in Endpoint Analytics with anomaly detection, custom device query capabilities using Kusto Query Language (KQL), and battery health predictions across the managed device estate. The enhanced reporting allows IT operations teams to proactively identify devices approaching end-of-life, detect unusual application behaviour patterns, and build custom dashboards for executive reporting on device health, patch compliance, and security posture.

The July 2026 Bundle Change: What Gets Moved and When

On 4 December 2025, Microsoft announced a major restructuring of M365 E3 and E5 packaging effective July 2026. For Intune, this is the most significant licensing event since the Intune Suite was launched in 2023. Microsoft is moving the following Intune capabilities into the base M365 E3 and E5 licences at no additional cost:

What M365 E3 customers gain from July 2026

Customers holding M365 E3 (or EMS E3) licences will receive three additions: Remote Help, Advanced Analytics, and Intune Plan 2 (which includes Tunnel for MAM and Specialty Device Management). The rollout begins in Q3 CY26 and is scheduled to be complete across all eligible tenants by 1 August 2026. Microsoft will deliver 30-day advance notice via the Message Center before the features activate in any given tenant.

For an M365 E3 customer currently paying for the Intune Suite as a standalone add-on ($10 per user per month), this announcement effectively means they are about to receive Remote Help, Advanced Analytics, and Plan 2 as part of their E3. The only Intune Suite capabilities not coming to E3 are EPM, EAM, and Cloud PKI — those remain E5 features.

What M365 E5 customers gain from July 2026

M365 E5 customers receive a more substantial addition: Endpoint Privilege Management, Enterprise Application Management, and Microsoft Cloud PKI — on top of everything E3 receives. This means an M365 E5 customer will have the full Intune Suite capabilities included in their base licence from August 2026, with no additional Intune add-on purchase required.

The practical implication is significant: any E5 customer currently paying $10 per user per month for the Intune Suite add-on should be planning to drop that add-on at their next renewal date. Continuing to hold it would mean paying twice for the same capabilities. For a 5,000-user organisation, the Intune Suite add-on represents $600,000 per year in spend that becomes entirely redundant from August 2026 if those users are on M365 E5.

"Every E5 customer holding the Intune Suite as an add-on should flag this for removal at their next True-Up. Failing to do so means paying $10 per user per month for capabilities already included in E5 from August 2026."

Intune Licensing Within the M365 SKU Stack

Understanding where Intune sits in the M365 SKU hierarchy is essential for licensing decisions. The current SKU stack runs E1 → E3 → E5 → E7. E7 is Microsoft's newest top-tier SKU, released above E5 and bundling advanced AI, security, and compliance capabilities previously sold as add-ons — including Copilot at no additional charge. Microsoft field teams are actively pushing E5 customers to evaluate E7 at renewal.

From an Intune perspective, the hierarchy works as follows. E1 includes no Intune. E3 includes Intune Plan 1 today, and from August 2026 will also include Remote Help, Advanced Analytics, and Intune Plan 2. E5 includes Intune Plan 1 today, and from August 2026 will include the full Intune Suite equivalent — EPM, EAM, Cloud PKI, Remote Help, Advanced Analytics, and Plan 2. E7 includes the full Intune Suite already.

The Microsoft field team's upsell motion from E3 to E5 has historically pointed to Intune Suite add-ons as a cost justification: "You need EPM and Cloud PKI; they come free with E5." From August 2026, E3 customers receive Remote Help, Analytics, and Plan 2 without upgrading. This weakens the E3-to-E5 Intune cost justification, but Microsoft has responded by strengthening the E5-to-E7 motion — E7 includes Copilot, and the combined value of AI productivity plus full security coverage is the new field team pitch.

Standalone and EMS licensing paths

Organisations not on enterprise M365 bundles can license Intune through two standalone routes. The first is direct Intune Plan 1 at $8 per user per month, with Plan 2 ($4) and the Intune Suite ($10) available as add-ons. The second is through the Enterprise Mobility and Security (EMS) bundle, which pairs Intune Plan 1 with Microsoft Entra ID P1 (EMS E3, approximately $14.80 per user per month) or with Entra ID P2 (EMS E5, approximately $22.50 per user per month). EMS E3 customers also receive the same Intune additions as M365 E3 in August 2026 — Remote Help, Advanced Analytics, and Plan 2 — since EMS E3 is included in M365 E3.

For smaller organisations or those with specific identity requirements who do not need the full M365 suite, the EMS path can be more cost-efficient than paying for full M365 E3 purely to access Intune and Entra ID capabilities. The decision depends on whether the organisation also needs the M365 productivity apps (Teams, Exchange Online, SharePoint, etc.) — if yes, the M365 bundle is almost always cheaper than assembling components separately.

MDM vs MAM: The Deployment Decision That Drives Licensing

Before committing to a specific Intune tier, organisations need to make a foundational deployment architecture decision: which device populations will be managed via full MDM enrolment, and which via app-level MAM only? This decision directly affects user assignment and licensing requirements.

MDM: Full device enrolment

MDM enrolment gives IT administrators full control over the managed device: configuration policy enforcement, application deployment, compliance reporting, remote wipe, and certificate deployment. For corporate-owned devices — company-issued laptops, phones, and tablets — MDM is the standard approach. Devices enrolled in Intune MDM check in regularly with the service and enforce policies continuously. The MDM approach is appropriate when the organisation owns the device and needs full visibility and control of its security posture.

MDM is also the prerequisite for most EPM and Windows Autopatch functionality. If your organisation is planning to use EPM to implement least-privilege access for field workers or knowledge workers, those endpoints need to be MDM-enrolled first.

MAM: App protection without enrolment

MAM without enrolment targets BYOD scenarios where employees use personal devices to access corporate data via managed apps such as Teams, Outlook, and OneDrive. Instead of enrolling the entire device, Intune applies App Protection Policies (APPs) specifically to the managed applications — enforcing PIN on app launch, blocking copy-paste from managed to unmanaged apps, enabling selective corporate data wipe without touching personal data, and requiring application-level Conditional Access compliance.

MAM-only licensing is lighter: the user must hold a Plan 1 licence, but the personal device itself is not enrolled and does not consume an MDM device slot. This is relevant for large organisations with significant BYOD populations — for example, a 10,000-user organisation where 4,000 users are fully managed corporate device users (MDM) and 6,000 are BYOD contractors or part-time workers who only access corporate email and Teams from personal phones. The BYOD cohort still needs user licences for Plan 1, but the deployment model is simpler and does not require the organisation to take inventory control of personal devices.

From January 2026, Microsoft has introduced the Multiple Managed Accounts (MMA) feature for Intune MAM, which allows users to maintain more than one managed corporate account within a single app, with independent app protection policies enforced for each account. This is particularly useful for consulting firms, law firms, and agencies where employees may have contractual obligations to multiple organisations and need to keep client data isolated within the same Teams or Outlook application.

Windows Autopatch and Hotpatch: Reducing Patch Management Overhead

Windows Autopatch, included in Intune Plan 1 for eligible Windows 10/11 Enterprise licences, automates the deployment of Windows security updates, quality updates, Microsoft 365 Apps updates, Edge updates, and driver updates without requiring the IT team to manually manage WSUS rings or Configuration Manager deployment packages. Devices are automatically placed into deployment rings based on their Intune enrolment and gradually receive updates over a defined timeline, with automatic pause and investigation if a deployment generates elevated device failure signals.

From May 2026, Microsoft has made hotpatch updates the default for all Windows 11 devices enrolled in Windows Autopatch on eligible hardware. Hotpatch security updates install into memory without requiring a device restart, reducing the restart interruptions for end users from approximately twelve security update restarts per year to approximately four — only for updates that cannot be hotpatched. For organisations where restart compliance has been a source of friction between IT and end users, Autopatch hotpatch removes a meaningful operational pain point.

Negotiating Intune Within a Microsoft Enterprise Agreement

Intune licensing decisions rarely sit in isolation. They are almost always made in the context of an Enterprise Agreement renewal, where Intune Plan 1 is bundled into the M365 E3 or E5 base SKU and Intune add-ons (Plan 2, Suite) are negotiated separately. Understanding the EA context is essential for getting the best commercial outcome.

Volume discount tier collapse and its impact

As of 1 November 2025, Microsoft eliminated the built-in volume discount tiers (Levels A through D) for online services in EA renewals. Previously, an organisation committing to 2,000 seats received automatic discounts of 15 to 25 percent off list price based on seat count alone. Those tiers are gone. The current EA discount reality is that standard EA discounts for M365 run at approximately 10 to 20 percent off list price, and those discounts are earned through negotiation, not automatic tier assignment.

For Intune specifically, this means that add-on pricing for Plan 2 ($4/user/month) and the Intune Suite ($10/user/month) is now negotiated from list rather than from a tiered baseline. The single most effective lever for improving Intune add-on pricing in an EA is committing to the EMS or M365 base bundle across all qualifying users — Microsoft values full seat coverage commitments and will apply better discounts to add-on products when the base commitment is strong.

The July 2026 changes as a negotiation lever

If you are in active EA negotiations now — or if your True-Up falls before August 2026 — the July 2026 bundle changes give you a negotiating lever that many Microsoft field teams will not proactively raise. Specifically: if you are currently purchasing the Intune Suite as an add-on and your E3 or E5 renewal extends beyond August 2026, you should be reducing your add-on commitment to reflect the capabilities being folded into the base SKU.

Microsoft field teams are incentivised to maximise Total Contract Value and may present the July 2026 additions as a reason to upgrade from E3 to E5, rather than as a reason to reduce your existing Suite add-on spend. Your negotiating position should be: "We will evaluate the E5 upgrade based on EPM and Cloud PKI need — but in the meantime, we are removing the Suite add-on from our renewal because Remote Help and Analytics are moving into E3 at no cost." This forces the field team to either offer a meaningful E5 discount or accept the add-on reduction.

We are in Microsoft's fiscal Q4 window — 1 April through 30 June is the period of maximum field team pressure to close, and it is also the period of maximum buyer leverage. Microsoft field reps carry quota measured to 30 June, and the combination of quarter-end pressure and the July 2026 bundle change creates an unusually strong negotiating position for organisations renewing before summer.

Intune Suite standalone discount history

For organisations that do need to purchase the Intune Suite as a standalone add-on — for example, those on M365 E3 who need EPM and Cloud PKI before those capabilities arrive in E5 in August 2026, and who choose not to upgrade to E5 — the historical data on Suite discounts is worth noting. Early Intune Suite adopters who committed at volume and provided Microsoft with strong deployment commitments received significant discounts, reportedly in the 40 to 60 percent range in some cases. The discount level has moderated as the product has matured, but there is still meaningful room to negotiate below list price for large seat counts.

Common Intune Licensing Mistakes

Having reviewed Intune licensing positions across hundreds of enterprise EA customers, the same over-licensing and under-optimisation patterns appear repeatedly. Avoiding these mistakes is straightforward once you know what to look for.

Paying for the Intune Suite when E5 is already owned

From August 2026, M365 E5 includes the full Intune Suite equivalent. Any E5 customer holding a separate Intune Suite add-on contract that extends beyond July 2026 is paying for duplicate capabilities. The add-on should be flagged for removal at the next available True-Up date. On a 5,000-user E5 deployment, this is $600,000 per year in recoverable spend.

Assigning Intune Plan 2 licences to users who only need MAM

Plan 2 adds value for specialty devices and Tunnel for MAM deployments. Organisations that assign Plan 2 licences to their entire user population when only a subset of users access specialty hardware or require Tunnel for MAM connectivity are over-licensing. The correct approach is to assign Plan 2 only to users with confirmed specialty device or Tunnel for MAM requirements, and to maintain a Plan 1-only assignment for the remainder of the population.

Running parallel third-party MDM alongside Intune

Organisations that acquired Intune as part of an M365 bundle but continued running a pre-existing Jamf, Workspace ONE, or MobileIron deployment are paying for redundant MDM licensing. In many cases the third-party contract persists simply because the migration project was never prioritised. Intune's macOS and iOS management capabilities have matured substantially over the past three years, and the DDM support from 2026 closes most of the remaining gaps with Jamf for standard enterprise macOS management scenarios. The migration project is worth scoping as a direct cost reduction initiative.

Not deploying Conditional Access on Intune compliance policies

This is a licensing mistake of a different kind — under-deploying rather than over-spending. Organisations that run Intune MDM without connecting device compliance policies to Conditional Access in Entra ID are not extracting the security or licensing value from their Intune investment. Conditional Access requires Entra ID P1 (included in M365 E3 and above), so for most enterprise M365 customers the capability is already licensed. Configuring Conditional Access to require device compliance as a condition of accessing corporate resources is the primary mechanism by which Intune delivers Zero Trust enforcement, and it is the capability that most strongly differentiates Intune MDM from simpler mobile management approaches.

Ignoring the E7 SKU for Intune-intensive organisations

Microsoft's E7 SKU — the new top tier above E5 — includes the full Intune Suite, Copilot, and the full Entra Suite, among other capabilities previously sold as separate add-ons. For organisations that are currently running M365 E5 plus the Intune Suite plus Microsoft 365 Copilot ($30 per user per month) plus Entra ID Governance, the E7 SKU consolidation may deliver a lower effective per-user cost than maintaining all those components separately. The E7 conversation is worth modelling at the spreadsheet level before your next renewal to determine whether the consolidated pricing is genuinely better than your current component-by-component negotiated position.

Intune and the Broader Microsoft Security Stack

Intune does not operate in isolation. Its security value is amplified when deployed alongside other components of the Microsoft security stack, and its licensing requirements interact with those of adjacent products in ways that are worth understanding.

The most important integration is with Microsoft Defender for Endpoint. Intune and Defender for Endpoint share device health signals via the Microsoft Endpoint Manager integration. Defender for Endpoint's risk score for a device can feed directly into Intune's compliance evaluation — a device that Defender identifies as compromised can automatically be marked non-compliant in Intune, triggering Conditional Access to block the device from accessing corporate resources until the threat is remediated. This integration is available to M365 E5 customers who hold both Defender for Endpoint Plan 2 and Intune, and it represents the full implementation of the Zero Trust endpoint model that Microsoft markets as the justification for E5 pricing.

Intune also integrates with Microsoft Purview for information protection on managed endpoints. Sensitivity labels and data loss prevention policies defined in Purview can be enforced at the application layer on Intune-managed and MAM-protected devices, ensuring that documents classified as Confidential cannot be saved to unmanaged locations or shared externally from managed applications. This integration requires M365 E5 Compliance (or the equivalent Purview component), and it is one of the scenarios where the jump from E3 to E5 delivers compounding value across multiple workloads rather than just incremental capability in a single product.

Decision Framework: Which Intune Tier Do You Need?

The following framework summarises the practical licensing decision for enterprise organisations. Work through each question in order to identify your optimal licensing position.

Question 1: Do you hold M365 E3 or higher? If yes, Intune Plan 1 is already included. Do not purchase it standalone. Proceed to Question 2.

Question 2: Do you need to manage specialty devices (AR/VR, conferencing hardware) or require Tunnel for MAM for BYOD users accessing on-premises resources? If yes, Plan 2 is required. If no, and you are on E3, Plan 2 is coming to you in August 2026 at no additional cost — no need to purchase it standalone before then unless you need it immediately.

Question 3: Do you need Endpoint Privilege Management to implement least-privilege access for Windows users? If yes, this requires either the Intune Suite add-on or M365 E5. If you are on E3 today and EPM is a security requirement, the E5 upgrade typically makes more commercial sense than the Intune Suite add-on because of the additional Entra ID P2, Defender for Endpoint Plan 2, and Purview compliance capabilities that come with E5 at relatively little incremental cost.

Question 4: Do you hold M365 E5? If yes, from August 2026 you will receive the full Intune Suite equivalent in your base licence. Remove any existing Intune Suite add-on from your renewal. If you are also targeting E7, model whether the combined capability set at E7 pricing beats your E5-plus-add-on spend.

Question 5: Are you renewing before or after July 2026? If before July 2026, the current add-on structure applies. If after July 2026, the bundle changes are live and your E3 or E5 renewal pricing should reflect the expanded inclusions. Ensure your EA renewal quote has been updated accordingly — Microsoft does not always proactively remove add-on line items from renewal proposals when the underlying capability moves into the base SKU.

In one engagement, a 12,000-seat financial services firm was paying for Intune Suite across their entire estate after a Microsoft upsell. We audited actual feature consumption: fewer than 400 users required Suite-tier capabilities. We renegotiated to a mixed-tier structure — Plan 2 for the broad population, Suite for the security team. Annual saving: $620,000. Advisory fee: less than 4% of the saving.
Fredrik Filipsson
Co-Founder, Redress Compliance

Fredrik Filipsson is a Co-Founder of Redress Compliance and a Microsoft EA and MCA licensing specialist with over 20 years of enterprise software licensing experience. He has negotiated 200+ Enterprise Agreements across EMEA and North America, advising large organisations on M365 SKU strategy, True-Up optimisation, Intune deployment licensing, and EA commercial terms. Redress Compliance is 100% buyer-side, Gartner recognised, with 500+ engagements completed.
