If you’ve been managing endpoints on a Microsoft 365 E3 or E5 subscription and watching Intune Suite features from the sidelines because of the extra per-user cost, that wait is almost over. Starting July 1, 2026, Microsoft is folding a significant portion of the Intune Suite directly into base M365 E3 and E5 licenses.
The catch: your monthly bill goes up by $3 per user. But for most organizations, the math works heavily in Microsoft’s favor—and yours, too.
This post breaks down exactly what’s included in each tier, what the timeline looks like, what you need to do before the rollout, and where the real gaps still exist.
What’s Changing and When
Microsoft announced in late 2025 that premium Intune Suite capabilities would be absorbed into M365 enterprise licensing tiers. The rollout follows a two-phase schedule:
- July 1, 2026: Pricing changes take effect. Your per-user cost for M365 E3 and E5 increases by $3/user/month.
- October 2026: Feature provisioning begins. Eligible tenants will be automatically provisioned with the new capabilities.
Microsoft has committed to sending admin center notifications 30 days before features are provisioned in your tenant. If you’re not monitoring the M365 admin center regularly, now is the time to set up alert forwarding.
What Each License Tier Gets
Microsoft 365 E3: Three Key Additions
E3 customers gain access to three capabilities that previously required a standalone Intune Suite license or add-on purchase:
Remote Help is the in-console, cloud-based remote assistance tool that lets helpdesk agents view or take control of a managed device without third-party tools like TeamViewer. It supports both full control and view-only modes, works over the internet without VPN, and keeps a compliant audit trail of every session. For teams running hybrid environments, this closes a common gap where agents had to juggle separate tools for remote support.
Advanced Analytics adds device query (ad-hoc KQL queries against device inventory), anomaly detection for device health, and the battery health report. If you’ve been relying on third-party tools or manual PowerShell exports to interrogate your fleet, this brings those workflows natively into Intune.
Intune Plan 2 includes Microsoft Tunnel for Mobile Application Management (MAM), which extends VPN access to unmanaged personal devices without requiring full device enrollment, along with Specialty Device Management for dedicated device types like Teams Rooms and HoloLens.
Microsoft 365 E5: The Full Intune Suite Stack
E5 subscribers get everything in E3 plus three more capabilities:
Endpoint Privilege Management (EPM) lets you enforce standard user accounts across your fleet while still allowing targeted, audited elevation of specific processes. Instead of granting blanket local admin rights or routing every elevation through a helpdesk ticket, EPM creates policy-driven elevation rules. A developer can run a specific installer with elevated rights without holding permanent admin status. EPM has been one of the most-requested capabilities from organizations trying to enforce least privilege without killing productivity.
Microsoft Cloud PKI is a fully managed, cloud-hosted PKI for issuing SCEP and PKCS certificates to Intune-managed devices. If you’re currently running on-premises NDES infrastructure or using a third-party CA for device cert issuance, Cloud PKI can replace that entirely. Certificates are issued directly through Intune with no on-premises footprint required.
Enterprise App Management is a catalog of pre-packaged, Microsoft-maintained Win32 app deployments covering Chrome, Zoom, 7-Zip, VLC, and hundreds of common titles with automated update management. Instead of packaging and maintaining your own Win32 app wrappers, you pull from the catalog and Microsoft handles version updates. It doesn’t cover every enterprise app, but it removes a meaningful chunk of routine packaging work.
What This Means for Your Budget
The $3/user/month increase applies across the board. For a 500-seat M365 E3 organization, that’s $1,500/month or $18,000/year added to your M365 bill.
Before the change, the Intune Suite standalone add-on cost approximately $8/user/month on top of base licensing. Organizations paying for the full Intune Suite add-on today will see pricing simplification. The add-on effectively dissolves into the base license, and you stop paying separately.
Organizations not currently paying for any Intune Suite features need to evaluate whether the capabilities justify the $3 increase. For most mid-market and enterprise IT teams, Remote Help alone typically clears that bar if it replaces a third-party remote support tool with per-user or per-technician pricing.
One timing nuance that deserves attention: the pricing change triggers July 1, but features don’t land in tenants until October. You’re paying for three months before getting access. Flag this during budget conversations—some finance teams will want documentation of what’s being paid for during that gap.
How to Prepare Before October
Audit your current endpoint tooling. Before the rollout, map every tool in your stack that overlaps with what’s coming:
- Remote support platforms (TeamViewer, LogMeIn, AnyDesk)
- Third-party PKI or NDES infrastructure
- App packaging and distribution workflows
- Device health and analytics tools outside Intune
Any overlap is a potential cost reduction or consolidation candidate.
Review your EPM readiness. If you’re on E5, EPM arrives in October. Take stock of how many users currently hold local admin rights and why. EPM requires policy design work upfront. You need to define which processes require elevation and build the elevation rule set before enforcing standard user accounts. The EPM readiness dashboard in Intune helps identify which devices and users would be affected, making it a good starting point for scoping the rollout.
Check your Tunnel for MAM prerequisites. If you plan to use Intune Plan 2’s Tunnel for MAM, this requires Microsoft Tunnel gateway infrastructure deployed on-premises or in Azure. The MAM-only configuration doesn’t require device enrollment, but the gateway itself requires a Linux VM. Plan that infrastructure work before the feature lands so you’re not caught waiting on a VM deployment when users start asking about access.
Prepare for auto-provisioning notifications. Microsoft will send admin center messages 30 days before capabilities are provisioned. Make sure your tenant notification settings route those messages to a monitored inbox—not just the global admin account, which often goes unread in larger orgs.
What’s Not Included and Where the Gaps Are
The consolidation is significant, but it isn’t total.
Business Premium customers are excluded. The July 2026 change only applies to M365 E3 and E5 subscribers. Organizations on Business Premium who need Intune Suite features will still need the standalone add-on.
October 2026 is the earliest, not a guarantee. Microsoft’s track record on feature provisioning timelines has some slippage built into it. Budget decisions and tooling cancellations that depend on these features being live in October carry real risk. Build in buffer time before decommissioning anything.
Enterprise App Management catalog coverage is limited. The app catalog handles common commercial software well, but it doesn’t replace full Win32 packaging for line-of-business applications, complex software requiring custom MST transform files, or apps that need pre/post-install scripts beyond the catalog’s template support.
Cloud PKI has capacity limits tied to license count. Verify whether the provisioned certificate capacity covers your issuance volume before migrating off existing PKI infrastructure. High-volume environments may hit limits that require additional capacity planning.
The Practical Upside for IT Teams
The real value here isn’t just cost consolidation—it’s operational simplification. Every tool that moves natively into Intune reduces the number of admin portals, agent deployments, and disconnected policy frameworks your team has to manage.
Remote Help inside the Intune admin center means helpdesk agents don’t context-switch to a separate tool. EPM policies live alongside device configuration and compliance policies. Cloud PKI integrates directly with SCEP profiles already in your environment. The closer these workflows stay to a single management plane, the less institutional knowledge gets scattered across tools that don’t talk to each other.
For organizations running lean endpoint teams, this consolidation narrows the operational surface area without requiring architectural overhauls. That matters at renewal time and when headcount is flat.
Conclusion
July 2026 is the billing date. October 2026 is when the features actually arrive. The window between those two events is your planning runway. Use it to audit your tooling overlap, scope your EPM policy work, validate PKI capacity, and make sure the right people are watching for the provisioning notification.
The $3/user/month increase deserves scrutiny in budget conversations. For teams already paying for Intune Suite or running multiple overlapping third-party tools, the consolidation nets out neutral or better. For teams without current exposure to these features, the justification is tighter but defensible given where endpoint management is heading.
Start the audit now. October arrives faster than most IT roadmaps account for.