My first blog on the new site is a fact now! If you manage endpoints for a living, the December announcement that the Microsoft Intune Suite is being folded into Microsoft 365 E3 and E5 probably landed on your radar already. What didn’t land cleanly, for a lot of people, including me, was the small print. Who exactly gets what, when, and whether the word “eligible” means what you think it means.
I spent the last few months chasing that clarity directly with the Intune and Security Copilot product teams, because as both an MVP and someone delivering this at an MSP, I’d rather not pass guesswork on to customers. Here’s the field-tested version: what’s actually changing, what “eligible” really means, and what you should be doing about it before 1 July 2026.
The short version
From 1 July 2026, advanced Intune Suite capabilities get included in Microsoft 365 E3 and E5 at no separate add-on cost, alongside a list-price increase (E3 $36 → $38, E5 $57 → $60 per user/month). Eligible tenants are provisioned automatically and get a Microsoft 365 admin center notice ~30 days before activation.
What’s actually being added
Exploring the Benefits of the Microsoft Intune Suite
The capabilities split across the two tiers. E3 picks up the day-to-day operational tooling (it rides in via Enterprise Mobility + Security E3). E5 layers the heavier security and automation pieces on top.
| Tier | Capabilities added |
|---|---|
| Microsoft 365 E3 (via EMS E3) | Intune Remote Help · Intune Advanced Analytics · Microsoft Tunnel for Mobile Application Management · Specialty device management · Firmware-over-the-air updates |
| Microsoft 365 E5 (everything in E3, plus) | Intune Endpoint Privilege Management (EPM) · Intune Enterprise Application Management · Microsoft Cloud PKI |
If you’ve been paying for the Intune Suite as a standalone add-on, the relevant pieces become part of your E3/E5 entitlement on the same date. That’s the headline most coverage leads with. The interesting part is underneath it.
The word everyone trips over: “eligible”
The original announcement says eligible tenants “will automatically be provisioned with the Intune Suite capabilities.” Fair enough, but eligible how? Based on tenant size? On having moved to a Microsoft 365 E3/E5 bundle specifically? This is exactly the question I put to the product team, because it changes the answer you give a customer.
Here’s the clarification I got, in plain terms:
“Eligible” = the entitlement-carrying plan is present in the tenant.
Eligibility is tied to the presence of EMS E3 (ME3) or ME5 plans — the plans that carry the Intune Suite entitlements. It is not based on tenant size, license count, or whether the customer has moved to a Microsoft 365 E3/E5 bundle.
The practical consequence is the bit worth circling for your customers:
- You do not have to migrate to the Microsoft 365 bundle to benefit. A customer running Office 365 E3 + EMS E3 doesn’t need to move to Microsoft 365 E3. Because EMS E3 is present, the Intune Suite capabilities get provisioned at the tenant level automatically.
- There is no minimum license count. Provisioning is triggered by the presence of an eligible plan, not by hitting some seat threshold. A small tenant qualifies the same way a large one does.
- Provisioning ≠ usage. Capabilities land at the tenant level, but who actually uses them is still governed by license assignment and admin configuration. Nothing switches itself on for end users without you assigning and configuring it.
One caveat to set expectations honestly: the capability table reflects the current plan of record for the FY27 packaging changes. It’s the right thing to plan against today, but treat anything dated as “subject to refinement as we get closer.”
Security Copilot in Microsoft 365 E5
Riding alongside the Intune changes is Security Copilot inclusion for Microsoft 365 E5. The mechanics here are different enough that they deserve their own note, especially the capacity math, which is where I see people guessing.
How Security Copilot capacity is allocated
Eligible E5 tenants receive 400 Security Compute Units (SCUs) per 1,000 Microsoft 365 E5 user licenses, activated through “zero-click” provisioning. Eligible tenants are notified ~30 days before activation.
A few things I confirmed that aren’t obvious from a quick read of the docs:
- It’s phased, and the timing isn’t something your partner can look up. Tenants are flighted in waves, and those decisions sit with the Microsoft Sales organization, not with the product or partner teams. So if a customer asks “when exactly does our tenant light up?”, the honest answer is that no one outside that flighting process can give you a date. Watch the admin center notification.
- Eligibility is defined in the docs, not improvised. The criteria and the SCU calculation are documented; I’d point customers to the official inclusion page rather than back-of-napkin math.
What you should actually do before July
This is more than a licensing footnote. Bundling these capabilities changes how teams should plan budgets, consolidate third-party tools, and standardize operations. A short, unglamorous checklist:
- Inventory your plans, not just your bundles. Confirm whether EMS E3 / ME5 is actually present in each tenant, that’s the real eligibility signal.
- Review existing standalone add-ons. If a customer already bought individual Intune Suite components (EPM, Remote Help, Advanced Analytics), check for overlap so you’re not paying twice once inclusion kicks in.
- Map the overlap with third-party tooling. Remote support, privilege management, certificate/PKI, device analytics, the savings aren’t automatic, but the consolidation opportunity is real.
- Plan the enablement, not just the entitlement. Provisioned ≠ adopted. Service desk needs hands-on time with Remote Help and EPM elevation approvals before you turn them loose.
- Factor in the price change. The list-price increase lands the same day. Line that up with renewal/true-up timing so it’s a planned conversation, not a surprise on an invoice.
Don’t assume cost savings are automatic. The capabilities are included, but realizing value means reviewing overlapping add-ons, retiring redundant third-party tools, and actually rolling the features out. The entitlement is the start of the work, not the end of it.
Worth a read: the wider MVP take
I’m not the only one digging into this. Microsoft pulled together independent perspectives from across the MVP community on what these changes mean in practice, several colleagues have written up individual features of the Suite in real depth. If you want more angles than mine, start here:
- Independent expert views on the advanced Intune capabilities coming to Microsoft 365 E3 and E5 (Microsoft Intune Blog)
- Microsoft 365 adds advanced Microsoft Intune solutions at scale (the original announcement)
- Learn about Security Copilot inclusion in Microsoft 365 E5 (Microsoft Learn)
Bottom line: the value of E3 and E5 just went up meaningfully, and the entry condition is more generous than the headlines suggest, if EMS E3 or ME5 is in the tenant, you’re in, no bundle migration and no seat minimum required. The work now is making sure that entitlement turns into something your endpoints actually benefit from.
Got a tenant that’s already been flighted, or hit something the docs don’t cover? I’d like to hear about it, that’s exactly the kind of field detail worth writing up next.
And as always if you feel there is something in error or you want to add some stuff from your own experience, don’t hesitate to contact me!
One Comment