
0 Votes
EnterpriseArchitect asked

Enterprise Mobility + Security for the existing (E1) users?

Hi All,

After reading: https://docs.microsoft.com/en-us/enterprise-mobility-security/

I wanted to enable all of my users to be able to secure themselves using the MFA/2FA.
All of them have been licensed using a minimum of E1 and E3.

  1. I wonder what is the purpose of buying additional licenses like Enterprise Mobility + Security for the existing (E1) users, not E3 and E5?

  2. So after assigning at least a minimum of Enterprise E1 license to the users, how can they enable the MFA/2FA themselves? Or is this something that only the Recipient / Security administrator role can do, not the users?

  3. Can I assign the Enterprise E1 users with Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5? Or does it have to be on the same level as a minimum?

  4. Since the Microsoft Enterprise Mobility + Security E3 includes Microsoft Intune feature, therefore we can manage the users' mobile devices (ActiveSync) and home computers when they are installing Office 365 using (click to run) from Portal.office.com?

Thank you in advance.

Tags: azure-active-directory, azure-ad-privileged-identity-management

1 Vote
michev answered

You need the EMS (or Azure AD P1 standalone) license for Conditional Access policies, which offer a lot more flexibility compared to the "standard" MFA controls.

Enabling users for MFA is always an admin-level functionality. The users themselves can only configure the preferred method, out of the ones the admin has enabled.

You can mix and match the licenses as you see fit.

To manage Intune devices, they need to be enrolled first, but that's a broad topic - make sure to read the documentation first.


2 Votes
amanpreetsingh-msft answered

Hello @EnterpriseArchitect, please find my comments inline:

I wonder what is the purpose of buying additional licenses like Enterprise Mobility + Security for the existing (E1) users, not E3 and E5?

EMS licenses include the products below:

Azure Advanced Threat Protection
Microsoft Cloud App Security
Azure Information Protection Premium P2
Azure Information Protection Premium P1
Azure Rights Management
Microsoft Intune
Azure Active Directory Premium P2
Microsoft Azure Multi-Factor Authentication
Azure Active Directory Premium P1

Office 365 Enterprise licenses include the products below. I have fetched the list for E3, but the products in E1 are similar. For E1, refer to https://www.microsoft.com/en-in/microsoft-365/enterprise/office-365-e1?activetab=pivot%3aoverviewtab

Project for Office (Plan E3)
Common Data Service
Microsoft Bookings
Microsoft Kaizala Pro
Whiteboard (Plan 2)
Information Protection for Office 365 - Standard
Insights by MyAnalytics
To-Do (Plan 2)
Microsoft Forms (Plan E3)
Microsoft Stream for O365 E3 SKU
Microsoft StaffHub
Flow for Office 365
PowerApps for Office 365
Microsoft Teams
Microsoft Planner
Sway
Yammer Enterprise
Azure Rights Management
Microsoft 365 Apps for enterprise
Skype for Business Online (Plan 2)
Office for the web
SharePoint (Plan 2)
Exchange Online (Plan 2)


So after assigning at least a minimum of Enterprise E1 license to the users, how can they enable the MFA/2FA themselves? Or is this something that only the Recipient / Security administrator role can do, not the users?

Users can go to https://aka.ms/mfasetup and configure the MFA information for their accounts. However, when to trigger MFA is configured by Administrators. We have recently introduced Security Defaults which can be used to enable MFA for all users in the tenant without requiring any licenses to be purchased.

Can I assign the Enterprise E1 users with Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5? Or does it have to be on the same level as a minimum?

Yes, since both these licenses include different products, you can assign Office 365 Enterprise E1 and EMS E3/E5 to the same user.

Since the Microsoft Enterprise Mobility + Security E3 includes Microsoft Intune feature, therefore we can manage the users' mobile devices (ActiveSync) and home computers when they are installing Office 365 using (click to run) from Portal.office.com?

You can only manage the devices which are enrolled to Intune or Registered/Joined to Azure AD. Read more about device enrollment here: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment

Kindly let me know if the answers to your previous questions were helpful. Please take some time to "Accept the answer" wherever the information provided helped you.


Hello @EnterpriseArchitect, I just wanted to follow up if the above response helped. Please don't forget to Accept helpful replies as answer. Feel free to tag me in your reply if you have any questions.

0 Votes