Microsoft Intune

E3-E5

Intune Suite Is Now Free in Your E3/E5 License — Here’s What I’d Actually Do About It | Modern Workplace Security
Licensing & Endpoint Strategy

Intune Suite Is Now Baked Into Your E3/E5 License

Microsoft is folding Intune Suite into E3/E5 starting July 2026. Here’s what that actually changes in a real tenant, where I think people will get tripped up, and what I’m doing in my own lab before the switch flips.

Intune Suite Endpoint Privilege Management Licensing Cloud PKI EAM M365 E3/E5
By Anand · modernworkplacesecurity.com · 12 min read · Endpoint Management

I’ve been managing Intune environments long enough to remember when it was a basic MDM tool that mostly fought with SCCM for relevance. So when Microsoft announced that Intune Suite — the add-on that used to run roughly ten dollars per user per month — is getting folded into the base E3 and E5 licenses starting July 2026, I sat up and paid attention.

Most of the coverage on this has been the “here’s what’s included” variety, which is useful but only gets you halfway. I’ve spent the last couple of weeks running these features against my own lab tenant, and I want to talk less about the feature list and more about the stuff that actually trips people up when they try to turn this on for real — licensing nuance, platform gaps, and the migration decisions you’ll have to make if you’re currently paying for Tanium, Patch My PC, or a third-party PAM tool to do what Intune Suite now does for free.

Let’s start with what’s actually changing, because the licensing details matter more than the marketing.

1 — What’s Actually Changing (and What Isn’t)

The short version: Intune Suite capabilities move from a paid add-on into the base license, split across E3 and E5 the way Microsoft tends to split everything — give E3 a taste, reserve the heavier stuff for E5.

License Now Included Platform Coverage
M365 E3 Remote Help, Intune Advanced Analytics Windows-focused, partial macOS
M365 E5 Everything in E3, plus Endpoint Privilege Management, Enterprise App Management, Cloud PKI Mostly Windows; Cloud PKI spans Windows, macOS, mobile

What doesn’t change: you still need E5 (or the standalone Intune Suite add-on, for anyone who wants it without a full E5 upgrade) to get the full set. If you’re sitting on E3 today, this announcement gives you Remote Help and Advanced Analytics for free, but the privilege management and app catalog pieces — the ones with the real teeth — are still behind the E5 wall. I’ve seen a few people misread the announcement as “Intune Suite is now free for everyone,” and that’s not quite right. It’s free if you’re already paying for E5, or it removes the add-on cost if you’re on E5 and were paying separately for Suite.

Where I’ve Seen Confusion
Don’t assume your tenant already has these features lit up just because July 2026 rolled around. In my experience, licensing changes like this still require the SKU to actually reconcile in your tenant, and depending on how you’re licensed (CSP vs EA vs direct), the rollout timing has not been identical across customers in similar announcements I’ve tracked before. Check your license details in the Microsoft 365 admin center rather than assuming.

2 — What I Actually Tested in My Lab

Reading a feature list tells you what a thing does. Turning it on tells you what it actually does. I ran three of the four E5-gated capabilities against my lab tenant — Endpoint Privilege Management, Advanced Analytics, and Cloud PKI — to see how much friction was involved in standing them up from a cold start.

Endpoint Privilege Management

This is the one I was most interested in, mostly because I’ve spent years cleaning up environments where standard users were quietly handed local admin “just to get them off our backs” and nobody ever walked it back. EPM’s pitch is that you can let users self-elevate for specific, pre-approved actions without giving them standing admin rights.

1
Created the EPM policy and assigned it to a test device group This is straightforward — it’s a standard Intune configuration profile. No agent to install separately, which is a real point in its favor compared to third-party PAM agents I’ve deployed before.
2
Defined an elevation rule for a known app (a driver installer) You can scope this by file hash, certificate, or path. I went with certificate-based detection since it survives version updates better than hash matching — hash rules break the moment the vendor ships a patch.
3
Tested the elevation prompt as a standard user The user-facing experience is clean — a justification prompt, then elevation scoped only to that process. It does not hand out broader admin rights, which is the entire point.
4
Checked the reporting Elevation events show up in the Intune reporting blade, and you can pipe them to Log Analytics if you’ve also got Advanced Analytics configured. This is where the two features start reinforcing each other rather than sitting as separate toggles.
Field Note
Don’t skip the policy design phase. EPM forces you to actually think about which apps legitimately need elevation in your environment — something most orgs have never formally documented, because they’ve just been handing out local admin instead. Budget real time for this discovery work before you pilot; it’s not a same-day rollout if you want it done properly.

Cloud PKI

I stood up a basic root and issuing CA in Cloud PKI and pushed a SCEP-style certificate profile to a test device. The setup itself took less time than I expected — no connector to install, no on-prem NDES server to babysit, which has historically been one of the most fragile pieces of any certificate-based Wi-Fi or VPN deployment I’ve worked on.

Where I’d pump the brakes: if you already have a working on-prem PKI with established trust chains, group policy dependencies, and certificate templates feeding things beyond just device auth — think internal web apps, code signing, smart card login — ripping that out for Cloud PKI is not a weekend project. It’s a genuinely good option for a clean, cloud-native build, and a much harder sell as a replacement for a mature on-prem CA that other systems already depend on.

Advanced Analytics

This was the least dramatic to set up and, honestly, the one I’d recommend turning on first regardless of where you are in your Intune Suite evaluation. It builds on Endpoint Analytics you may already be using, streams telemetry into a Log Analytics workspace, and doesn’t touch the end-user experience at all. No new agent, no new prompt for users, nothing to break.

0
New agents required for any of the 3 features I tested
~10
USD/user/month previously charged for the Suite add-on
2
Of the 5 Suite features still gated behind E5 only

3 — The Challenges Nobody Puts in the Announcement Post

This is the part I actually wanted to write about. License inclusion is a procurement win, not an engineering plan. Here’s what I think will actually slow teams down when they try to operationalize this.

“Free” still means a project

The cost savings narrative is real if you’re already on E5 and paying for the Suite add-on separately — that’s a straightforward win, cancel the add-on SKU and move on. But for E3 shops eyeing an E5 upgrade purely to get EPM and EAM, you’re still pricing out a full license tier jump, not a feature toggle. I’d treat this as a licensing conversation with finance, not an IT ticket.

EPM and EAM are Windows-only

If your environment is mixed Windows/macOS, which describes a lot of the orgs I talk to now, the two most differentiated features in this announcement simply don’t apply to your Mac fleet. You’ll still need a separate privilege management and app deployment story for macOS — JumpCloud, Privileges.app combined with Jamf, or whatever you’re already running. Don’t let the headline “Intune Suite is now included” make you think it solves endpoint management parity across platforms, because it doesn’t.

Tool consolidation is a people problem before it’s a technical one

I’ve sat through the conversation where someone points out that Intune’s app catalog can now do what Patch My PC does, and the technical answer is usually “mostly, yes.” The harder conversation is that someone’s team has built workflows, alerting, and trust around the existing tool for years. Swapping it out isn’t just a config change — it’s retraining, re-validating every packaged app, and convincing a skeptical sysadmin that the replacement won’t quietly break something six months from now. Budget for that resistance; it’s real and it’s not irrational.

EPM’s elevation model needs governance, not just configuration

It’s tempting to stand up EPM, define a couple of elevation rules, and call it done. In practice, the value of EPM comes from having an actual policy behind it — who can request elevation, what gets auto-approved versus what needs a human, and how often you review the logs. Without that, you’ve just built a more auditable way to hand out local admin, which is better than nothing but well short of what the feature is capable of.

Don’t Skip This
If you’re migrating off an existing PAM or privilege elevation tool to EPM, run both in parallel for at least one full patch cycle before decommissioning the old one. I’ve seen “the new tool handles it now” turn into a Friday afternoon incident when an edge case the old tool quietly covered wasn’t replicated in the new policy.

4 — How I’d Sequence the Rollout

If I were advising a team on this today — and a few people have already asked me, which is part of why I’m writing this — here’s the order I’d push them toward, based on risk and effort rather than the order Microsoft lists the features in.

Start here
Turn on Advanced Analytics
Zero user impact, no new agent, immediate visibility into device health data you probably aren’t fully using yet. There’s no real reason to wait on this one.
Next, run as a pilot
Pilot EPM on a small, well-understood device group
Pick a group where you already know exactly which apps need elevation — helpdesk laptops are a good starting point. Don’t pilot on a group where you’re still discovering the use cases.
Once EPM is stable
Evaluate EAM against your current packaging tool
Check the app catalog for your actual top 20 deployed apps before assuming it covers your needs — not every vendor’s installer makes it into the catalog.
Lowest priority unless cloud-native
Revisit Cloud PKI only if you’re already planning to retire on-prem PKI
If your on-prem CA is stable and other systems depend on it, this is a “nice to have evaluated” rather than an urgent migration.

5 — Questions I’ve Actually Been Asked

Q. Do I need to do anything for this to show up in my tenant?
Check your license SKUs in the Microsoft 365 admin center once the change is live for your tenant rather than assuming it’s automatic on a specific calendar date. Service rollouts like this haven’t always landed for every customer on the exact same day in my experience.
Q. Should I cancel my existing Intune Suite add-on now?
Only once you’ve confirmed the inclusion is actually active in your tenant and the features are functioning as expected. I wouldn’t cancel anything based on an announcement date alone.
Q. Is this a reason to drop my third-party PAM or packaging tool entirely?
Not immediately. Run EPM and EAM in parallel with your existing tooling long enough to validate edge cases before you decommission anything. The licensing change removes the cost barrier to evaluating — it doesn’t guarantee feature parity for every use case you’ve built up over time.
Q. Does this help my macOS fleet?
Partially. Remote Help has partial macOS support and Cloud PKI covers macOS fully. EPM and EAM are Windows-only today, so don’t expect this to solve cross-platform parity.

Wrapping Up

This is a genuinely good move from Microsoft — removing a licensing barrier to features that meaningfully improve endpoint security posture is worth the credit it’s getting. But I’d push back gently on the framing that this is a free upgrade you flip on and walk away from. EPM in particular rewards the teams that treat it as a governance project, not a checkbox, and the platform gaps (Windows-only EPM and EAM) mean most mixed-fleet orgs will still need a secondary tool for macOS regardless of what’s now “included.”

My honest advice: start with Advanced Analytics this week, since there’s no reason not to. Then carve out real time — not a single afternoon — to pilot EPM properly before you trust it with anything beyond a small, well-understood device group.

If you’re testing this in your own tenant and hit something that doesn’t match what I’ve described here, I’d genuinely like to hear about it — drop it in the comments. Licensing changes like this tend to behave a little differently tenant to tenant, and I’d rather correct this post than leave bad guidance up.

Prefer to watch this walkthrough? I cover the EPM and Cloud PKI lab setup from this post in full on the channel.
Watch on YouTube
A
Written by
Anand Kumar
Microsoft Security Consultant and IT EUC Engineer with 15+ years helping organisations modernise endpoint management and lock down Microsoft 365 using Zero Trust principles.

Leave a Comment

Your email address will not be published. Required fields are marked *