Microsoft EMS E3 & E5: Features, Costs and Comparisons

Microsoft Enterprise Mobility + Security (EMS) is a collection of security and management products from Microsoft that work seamlessly with Microsoft 365. In this article we will go through EMS to outline what is it, why it’s beneficial, what’s included and compare licenses, costs and features between E3 and E5 to help you choose the right version.

Looking to implement Microsoft 365? Join our webinar “Microsoft 365 strategy & implementation: Roadmap best practices” to hear from our experts on how best to approach an M365 rollout.

Increasing security risks

Many organisations are already using and benefiting from Office 365 and other cloud services, which has enabled staff and organisations to adopt new working behaviours to increase productivity and flexibility. Remote working, increased mobility, BYOD, and instant access to cloud services have empowered staff to work effectively – but this brings new risks, security vulnerabilities and management headaches to IT departments.

Staff can now easily store sensitive company data in places outside of IT control (shadow IT), or access information on personal devices, which can have little to no security protection in place. Situations like these – and many more – make managing your company network, identities and data difficult, as the boundary of your company IT landscape is blurred.

Consequently, companies need to adopt a ‘new’ cyber security model: zero trust networking and move away from the historic perimeter method, which is no longer effective. You can find out more on this in our article ‘What is Zero Trust Security?’ EMS provides a range of products and features to help organisations overcome these challenges, adopt a zero-trust approach and centrally manage and secure data, identities and devices.


EMS can be purchased as a standalone offering and comes in two versions: E3 and E5. E3 costs £8.00 per user per month and E5 costs £12.40 per user per month (commercial ERP pricing). Discounted pricing is available for Academic and Not for Profit licenses – and for charities this includes free ‘donated’ EMS licences as part of Microsoft’s $5,000 Azure donation for charities. If you would like to find out more on this, please contact us.

As well as being able to purchase as a standalone, EMS is available within Microsoft 365. Microsoft 365 combines Office 365, EMS and Windows 10 into one bundle available as Business, E3 and E5 – and is the most common way that organisations benefit from the capabilities of EMS. If you do not wish to make the step to Microsoft 365 E5 but want the security capabilities, then there is a security add-on (‘Microsoft 365 E5 Security’ addon) that you can purchase on top of Microsoft 365 E3 that comes with the advanced security features across Office 365, EMS and Windows 10.

Comparing E3 and E5

As mentioned, EMS is available in E3 and E5 (as well as a scaled down E3 version included in Microsoft 365 Business, which we haven’t included here). As you would expect, E3 contains the core functionality while E5 provides additional products and capabilities over and above E3. You can what’s included in our comparison table:

What’s Included?

Azure Active Directory

Azure AD is a cloud-based identity and access management solution from Microsoft. Azure Active Directory comes in four versions: free (included with an Azure subscription) and an Office 365 edition, which provide more basic functionality and then two premium versions: P1 and P2, which are included with EMS (P1 in E3 and P2 in E5) – you can review the complete list of versions and their features here. Key features of Azure AD include:

  • Streamlined user experience and logins with single sign-on (SSO) across thousands of SaaS applications
  • Elevate security with built-in MFA and apply conditional access policies based on location, device and more to transition to a zero-trust approach (Conditional Access only available for P2 or EMS E5)
  • Centralise and simplify identity management with advanced administration capabilities, such as group policies and dynamic groups
  • Empower staff and reduce IT overhead with self-service capabilities, such as self-service password reset (SSPR) and application requests
  • Integrate Azure AD with other Microsoft services, such as Cloud App Security for holistic security, or allow remote device building with Windows Autopilot and Intune


Intune is Microsoft’s Unified Endpoint Management (UEM) solution helps to protect and manage your staff devices and data – across mobiles, tablets, laptops and PCs. Key features include:

  • Mobile device management across your entire mobile and PC ecosystem (iOS, Android and Windows) as well as all Windows 10 devices – for a complete solution
  • Mobile app management to secure business apps and data on personal devices (BYOD) so staff can work securely on whatever device
  • Ensure devices and apps are compliant with company security requirements
  • Allow ‘zero touch’ IT – so that staff devices can be remotely deployed, reset or wiped to reduce courier costs and speed up efficiency
  • Automatically remove threats across all managed endpoint when integrated with Microsoft Defender Advanced Threat Protection

Microsoft Defender for Identities (formerly Azure Advanced Threat Protection)

This is Microsoft’s cloud-based threat detection platform that detects and investigates advanced attacks on your network using machine learning to rapidly alert you of any suspicious activity or anomalies. Key features include:

  • Learns typical user behaviour so that only anomalies or important issues are sent; greatly reducing alert noise
  • Improves speed of detection and picks up suspicious patterns that would otherwise likely go undetected
  • Prioritises risks and displays clear incident information with a simple timeline to make investigation much quicker, easier and more efficient

Microsoft Information Protection

Sometimes referred to as MIP, this solution is for information management and protection and available within EMS as P1 or P2. MIP allows organisations to configure policies and classify their data and then provide persistent protection (using Azure Rights Management) to protect the data wherever it goes – especially important for data governance and compliance. Key features include:

  • Ability to apply sensitivity labels and configure policies to tightly control data access and determine what is and isn’t allowed for labels (such as printing, forwarding, etc)
  • Automatically search, classify and protect your company documents and files
  • Ensure persistent protection so that it doesn’t matter where documents go – they are always protected with your configured rules
  • Easily share data with external contacts and have peace of mind that access can be revoked at any point- ideal for sharing data with partners and suppliers
  • Gain visibility on all data governance and documentation with powerful reporting and logging

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)

This is a Cloud App Security Broker (CASB) solution that provides visibility and control over your data across cloud services – Microsoft and third-party services, such as Salesforce, Dropbox etc. With MCAS, you can:

  • Discover and control shadow IT – identify third-party apps in usage, review associated risks and compliance, analyse usage and then manage access and controls
  • Classify and protect data across your cloud apps – apply policies (or automate labelling) with Azure Information Protection to make data self-protecting wherever it goes
  • Detect unusual cloud behaviour to identity and remediate threats (such as compromised users and ransomware) with alert scoring and remediation actions
  • Review your cloud app compliance – check the compliance risk of various cloud apps and drill into app usage to assess risk

Microsoft 365 Enterprise Guide

To find out more about Microsoft 365, you can download our Microsoft 365 Enterprise Guide – which outlines all the included features, benefits, costs and licensing.

Or, if you would like a trial or demo of Microsoft 365 then please contact us.


EMS is a powerful security and mobility solution and very often we find that organisations are already licensed with Microsoft 365 but may not be taking full advantage of the security and mobile management features available that they are already paying for. To find out more about the possibilities with EMS, you can download our guide to Microsoft 365 here – or contact us to review your licensing, discuss your requirements or organise a demo.