A Cost-Reduction Primer on Microsoft Enterprise Mobility + Security Pricing and Options

By Dan Brewster

Director of Client Services – Microsoft, NPI

February 10, 2020

Interested in learning more about NPI’s services?

Contact Us

By now you’ve heard of Microsoft Enterprise Mobility + Security, and chances are, you’ve purchased the EMS E3 suite under your Enterprise Agreement. But… what, specifically, is this product? And what are Enterprise Mobility + Security pricing and options?

Microsoft will tell you that EMS is “an identity-driven security solution that offers a holistic approach to the security challenges in this mobile-first, cloud-first era.” It’s certainly all that and offers some great products for very competitive prices. The EMS product also includes the building blocks for Microsoft’s Azure solutions – you’ll likely be an EMS customer if you are using Azure.

In addition, EMS is a product bundle of individual cloud security products, most of which can be purchased on an a la carte basis. In fact, Microsoft likes bundles so much that you’ll see the EMS product bundled within other products.

Breaking Down EMS E3 and E5

So, what’s included in the EMS E3 and E5 suite? Let’s take a look.

Here’s what’s included in EMS E3:

  • Azure Active Directory Premium P1 – an identity management solution that combines on-premise directory services, cloud directory services, application access management through Single Sign On capabilities.
  • Microsoft Intune – mobile device and mobile application management
  • Azure Information Protection P1 – data protection for use both inside and outside your organization.
  • Microsoft Advanced Threat Analytics – Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyberattacks and insider threats.
  • Azure Rights Management (part of Azure Information Protection) – a cloud-based protection service that uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple device – phones, tablets, and PCs. Information can be protected both within your organization and outside your organization because that protection remains with the data, even when it leaves your organization’s boundaries.
  • Windows Server CAL – the Windows Client Access License.

And here’s what’s included in EMS E5:

  • Azure Active Directory Premium (AADP) P2 includes AD P1, as well as identity protection and identity governance. A good summary of capabilities can be found here.
  • Azure Information Protection P2 – builds upon Azure IP P1 for automated discovery and classification of sensitive information within your organization.
  • Microsoft Cloud App Security – is a Cloud Access Security Broker that identifies the use of SaaS and PaaS services within your organization and the associated usage patterns of these services. Cloud App Security detects usual behavior across cloud apps and will automatically limit unusual behavior to better protect your organization.
  • Azure Active Directory [AD] Identity Protection (as a feature of AADP P2) automated detection and remediation of identity-based risks, including atypical travel, anonymous IP addresses, unfamiliar sign in properties, and more.
  • Azure Advanced Threat Protection – a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Azure AD Privileged Identity Management (as a feature of AADP P2) Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

If you are already an M365 E3 (or E5) customer, you have rights to EMS E3. The M365 E3 bundle includes Office 365 E3, the Windows OS E3, and the EMS E3 product. All of these bundles are licensed on a Per User basis.

Microsoft Enterprise Mobility + Security Pricing Considerations

While NPI often advises clients to “beware of the bundle,” there are instances where bundling delivers real savings (assuming there is real product utilization across the bundle). EMS certainly falls into this camp.

For example, for an EA Level B customer, the savings when purchasing EMS E3 as part of the M365 E3 bundle vs. purchasing the individual components are around 5%. The savings are MUCH MORE SIGNIFICANT (over 50 percent!) when stepping up from E3 to E5 vs. purchasing products on an a la carte basis.

Remember – whether it’s for EMS or another bundled Microsoft offering, it’s important to break down pricing to a line item level and model out the cost of the various purchase options before you sign on the dotted line!