Microsoft Intune Plan 1 vs Plan 2: Which Do You Actually Need?

What Is Microsoft Intune Plan 1?

Intune Plan 1 is the baseline endpoint management platform priced at $8 per user per month as a standalone purchase. It provides cross-platform device management for Windows, macOS, iOS, Android, and Linux; mobile application management (MAM) for both enrolled and unenrolled devices; built-in endpoint security baselines; Windows Autopilot provisioning; endpoint analytics; and deep integration with Microsoft Configuration Manager via co-management. For most organisations running standard Windows, iOS, and Android fleets, Plan 1 handles the overwhelming majority of day-to-day endpoint management requirements.

Plan 1 is already included in Microsoft 365 E3, E5, and the new E7 SKU as part of the Enterprise Mobility + Security (EMS) licence bundle. If your organisation is on any of those enterprise tiers, you are already paying for Intune Plan 1 — you do not need to license it separately. Many procurement teams waste budget purchasing standalone Intune when it is already included in their EA.

What Does Intune Plan 2 Add?

Intune Plan 2 is an add-on to Plan 1, priced at $4 per user per month on top of Plan 1. It does not replace Plan 1 — it extends it with four specific capabilities that Plan 1 does not include:

• Endpoint Privilege Management (EPM): Allows standard user accounts to run specific, pre-approved applications with elevated privileges without granting full local administrator rights. This is a material security improvement for organisations trying to eliminate standing admin accounts across their fleet.
• Tunnel for Mobile Application Management (MAM): Extends VPN tunnel access to MAM-managed applications on unmanaged personal devices — important for BYOD environments where you want to protect corporate app data without enrolling the device in MDM.
• Advanced Endpoint Analytics: Expanded analytics beyond the baseline telemetry in Plan 1, including deeper anomaly detection and proactive remediation insights.
• Specialty Device Management: Management capabilities for non-standard endpoints such as HoloLens 2, AR/VR headsets, smart screens, and conferencing room equipment that fall outside Plan 1's standard device categories.

The critical point: Plan 2 is designed for specific advanced scenarios, not as a universal upgrade. If your organisation does not have standing local admin problems, BYOD VPN requirements, or mixed specialty device estates, Plan 2 delivers minimal incremental value over Plan 1.

Plan 1 vs Plan 2: Feature Comparison

The Intune Suite: When Does It Make Sense?

Microsoft packages Plan 1 and Plan 2 together with additional premium capabilities into the Intune Suite at $10 per user per month. Beyond what Plan 2 includes, the Suite adds Remote Help (cloud-based IT helpdesk remote assistance), Enterprise Application Management (automated app patching for non-Microsoft applications via the Intune Enterprise App Catalogue), and Microsoft Cloud PKI (a fully managed certificate authority for certificate-based authentication at scale).

The Intune Suite at $10 per user per month is only $2 more than Plan 1 + Plan 2 combined ($12), so at first glance it looks like a bargain. However, the comparison breaks down when you factor in that Remote Help, Enterprise App Management, and Cloud PKI all have viable third-party alternatives — often at lower cost. Before committing to the Suite across your entire user estate, benchmark the individual components against alternatives such as TeamViewer, Patch My PC, or your existing PKI infrastructure. Our Microsoft licensing advisory team regularly finds that 40–60% of seats in a Suite deployment could be on Plan 1 with targeted Plan 2 seats for privileged users only.

How Intune Fits Into M365 E3, E5, and E7

Understanding the Intune licensing question requires understanding where Intune sits within the M365 SKU stack. The current hierarchy runs E1 → E3 → E5 → E7, with E7 being Microsoft's newest and highest enterprise tier released above E5.

Microsoft 365 E3 ($39/user/month from July 2026)

E3 has historically included Intune Plan 1. From July 1 2026, Microsoft is expanding E3 to also include Intune Plan 2 (Tunnel for MAM and Specialty Device Management), Remote Help, and Intune Advanced Analytics as part of a broader price increase from $36 to $39 per user per month. This means E3 customers who were buying Plan 2 separately as an add-on can stop that spend post-July 2026 — though Microsoft's field teams are unlikely to proactively flag this during renewal discussions.

Microsoft 365 E5 ($60/user/month from July 2026)

E5 includes the full Intune Plan 2 feature set plus Endpoint Privilege Management, Enterprise Application Management, and Microsoft Cloud PKI — effectively the entire Intune Suite. Organisations on E5 who are additionally licensing standalone Intune Suite are double-paying. This is more common than it should be, typically because Intune procurement sits in a different budget or team than the EA negotiation.

Microsoft 365 E7 ($99/user/month, GA May 2026)

E7 is the new top SKU above E5, announced by Microsoft in March 2026 and reaching general availability on May 1, 2026. At $99 per user per month, E7 bundles advanced AI, security, compliance, and the complete Intune Suite in a single licence. Microsoft's field teams are already pushing E5 customers towards E7 at renewal by positioning it as a cost consolidation play across security, Copilot AI, and endpoint management. E5 is no longer the highest or most comprehensive M365 SKU — E7 sits above it. Before accepting an E7 upsell, validate whether the incremental AI and security capabilities in E7 versus E5 justify the $39 per user per month premium at scale.

Licensing Traps to Avoid

In over 500 Microsoft engagement reviews across EMEA and North America, we see the same Intune licensing errors repeatedly:

• Buying standalone Intune when it is already in your EA: E3, E5, and E7 all include Intune. If you have an EA on any of those tiers, you are already licensed. Separate standalone purchases are waste.
• Applying Plan 2 to 100% of seats when only privileged users need EPM: EPM is the primary Plan 2 driver for most organisations. It should be licensed for IT admins, developers, and privileged users — typically 10–25% of total headcount, not 100%.
• Buying the Intune Suite without benchmarking Remote Help and Enterprise App Management alternatives: Third-party tools often deliver Remote Help and automated patching at materially lower total cost, particularly at seat counts above 5,000.
• Missing the July 2026 E3 expansion: If you are on M365 E3 and currently paying for Intune Plan 2 as an add-on, you will be double-paying from July 2026 onwards. Cancel the add-on at your next renewal.
• Accepting the E5-to-E7 upsell without a proper capability audit: E7's premium over E5 is significant at scale. Run a structured analysis of which E7-exclusive features you will actually activate before committing.

Decision Framework: Which Plan Do You Need?

Working through the following questions will give you a defensible answer before entering any renewal or add-on negotiation with Microsoft:

1. Are you on M365 E3, E5, or E7? If yes, identify exactly which Intune capabilities are already included in your SKU before considering add-ons.
2. Do you have a standing local admin problem? If yes, EPM in Plan 2 is a genuine security capability worth considering — but scope it to the users who need it, not your entire user base.
3. Do you have a BYOD VPN requirement? Tunnel for MAM is the Plan 2 feature for unmanaged-device VPN access. If you do not have this requirement, it does not justify the add-on cost.
4. Do you manage specialty devices? HoloLens 2 and AR/VR management is genuinely only in Plan 2. If you have those devices in your estate, Plan 2 is appropriate for those device owners.
5. Are you evaluating the Intune Suite? Cost-compare Remote Help against TeamViewer or similar; Enterprise App Management against Patch My PC or SCCM; Cloud PKI against your existing certificate authority. The Suite wins on simplicity but often loses on total cost when alternatives are properly benchmarked.

NCE Pricing Considerations

If you are purchasing Intune Plan 2 or the Intune Suite outside an Enterprise Agreement — through the New Commerce Experience (NCE) — the pricing model matters significantly. NCE monthly commit carries no discount and is billed at list price. NCE annual commit offers up to 5% discount. Three-year commits deliver better discounts but lock you into the higher-tier spend for an extended period. Given that M365 E3 is absorbing Plan 2 from July 2026 onwards, committing to a three-year standalone Plan 2 NCE subscription today would be a costly mistake for organisations approaching an E3 renewal.

Negotiation Levers

Microsoft's fiscal year ends June 30, which means the Q4 window from April to June is the highest-leverage period for enterprise buyers. Microsoft field reps have maximum incentive to close and discount during this window. If you are approaching an Intune-related renewal or add-on decision, timing your negotiation to land before June 30 — and being prepared to walk away from Plan 2 or the Suite if the price does not reflect the right-sizing analysis — will produce the best commercial outcome.

Standard EA discounts on Intune add-ons currently run 10–20% off list price. Historical discounts were 15–25%, but Microsoft has tightened its discount floors over the past 18 months as it moved customers onto NCE. If your Microsoft account team is quoting less than 10% on a volume add-on purchase, there is room to push. Our Microsoft EA negotiation specialists can provide current market benchmark data to anchor your negotiation.