Help CenterComparison of Enterprise Mobility + Security (EMS) E3 vs EMS E5
Microsoft Enterprise Mobility + Security (EMS) is available in two primary plans: E3 and E5, each offering different levels of security and management capabilities. Here’s a breakdown of the key differences between the two plans, including pricing:
EMS E3:
- Price: $8.80 per user/month (USD)
- Features:
- Azure Active Directory Premium P1: Provides core identity and access management features like single sign-on (SSO), multi-factor authentication (MFA), and basic conditional access.
- Microsoft Intune: Offers mobile device management (MDM) and mobile application management (MAM) to secure data across devices.
- Azure Information Protection (AIP) P1: Manual classification and labeling of documents, with tracking and revocation capabilities.
- Microsoft Advanced Threat Analytics (ATA): Protects against insider threats and cyberattacks by analyzing user behavior.
- Windows Server Client Access License (CAL): Provides rights for devices to access Windows Server services
EMS E5:
- Price: $14.80 per user/month (USD)
- Additional Features in E5:
- Azure Active Directory Premium P2: Includes all P1 features plus advanced identity protection (such as risk-based conditional access) and Privileged Identity Management (PIM) for controlling and auditing administrator access.
- Azure Information Protection (AIP) P2: Adds automatic classification and labeling of documents based on content, providing enhanced data protection.
- Microsoft Cloud App Security (CASB): A cloud access security broker that monitors, controls, and protects data across both Microsoft and third-party cloud services.
- Azure Advanced Threat Protection: Detects identity-based attacks and helps reduce the attack surface by monitoring suspicious activities across your network.
- Risk-Based Conditional Access: Automatically responds to risky behaviors with actions like blocking sign-ins or requiring MFA.
Key Differences:
- Identity Management: EMS E5 adds more advanced tools for identity protection and privileged access management compared to EMS E3.
- Cloud App Security: Only EMS E5 includes Microsoft Cloud App Security for managing and securing cloud applications.
- Information Protection: EMS E5 enhances data protection by adding automatic classification of documents and files, compared to the manual classification available in EMS E3.
- Advanced Threat Protection: E5 provides more sophisticated detection and response capabilities against identity-based and cloud-based threats.
Tips
It is common for organizations to start their identity and mobile device management (MDM) projects with Enterprise Mobility + Security (EMS) E3, and later upgrade to E5 as their security needs become more complex. Here's why this phased approach is beneficial:
Starting with EMS E3:
- Cost Efficiency: At $8.80 per user/month, EMS E3 provides a cost-effective way to implement identity and device management. It includes critical tools like Azure Active Directory Premium P1 (for identity management and multi-factor authentication) and Microsoft Intune (for mobile device and app management).
- Basic Identity Management: EMS E3 provides core identity capabilities that are sufficient for many organizations starting out, such as SSO, MFA, and conditional access.
- Gradual Adoption: Many companies begin with E3 to address immediate needs such as identity protection and basic MDM. It allows organizations to get a handle on managing user identities and securing devices before adding more complex solutions.
Upgrading to EMS E5 as Identity Matures:
- Advanced Security Needs: As an organization’s identity framework matures, EMS E5 provides advanced features like Azure AD Premium P2 for risk-based conditional access and Privileged Identity Management (PIM). These tools allow for a higher level of access control, automating responses to risky user behaviors.
- Comprehensive Protection: EMS E5 includes additional tools like Microsoft Cloud App Security (CASB), which helps manage and secure third-party cloud applications, and Azure Information Protection P2, which offers automatic classification and labeling of sensitive documents.
- Future-proofing: Upgrading to E5 enables organizations to handle more advanced threats with tools like Advanced Threat Protection, helping them stay ahead of potential vulnerabilities as they grow.
This phased approach allows businesses to start small, optimize their identity management processes, and then expand into more advanced security measures as needed
Conclusion:
- EMS E3 is ideal for organizations looking for basic security tools at a lower cost, including mobile device management and manual document protection.
- EMS E5 is suited for businesses requiring advanced threat detection, privileged access management, and automated document classification, offering more comprehensive security at a higher price.
Choosing between EMS E3 and E5 depends on the complexity of your organization's security needs and whether you require advanced protection capabilities across identities, devices, and cloud applications.