Microsoft 365 E3 and E5 Licensing Changes: What the New Intune Suite Inclusions Mean

Microsoft has announced upcoming changes to Microsoft 365 E3, E5, and the Intune Suite that will affect both pricing and available features.

These changes will impact organisations differently depending on how they use Intune today. Some customers will gain access to new premium endpoint management capabilities that enhance security and resilience, while others may need to assess whether the newly included features are worth adopting or ignoring.

Key Microsoft 365 E3 and E5 Licensing Changes

• Microsoft 365 E3 and E5 prices will increase by $3 USD per licence.
• Microsoft 365 E3 will now include Intune premium capabilities, Intune Remote Help, and Advanced Analytics.
• Microsoft 365 E5 will include the full Intune Suite: Remote Help and Advanced Analytics (from the E3 features) plus Endpoint Privilege Management (EPM), Cloud PKI, Enterprise App Management, and additional advanced tools.
• Feature rollout begins in Oct 2026, however pricing changes will be effective 1 July 2026.

What This Means for You

Now more than ever is the time to look at replacing your legacy SCCM or ManageEngine product with a modern Intune deployment that can work across your hybrid deployments. The inclusion of Remote Help has traditionally been a blocker for some customers who relied on other products to enable a helpdesk to scale their support across the country.

• Organisations who heavily invested in endpoint management may see greater value included by default.
• Security focused teams can take advantage of native Zero-Trust aligned features such as EPM and Cloud PKI.
• Licensing complexity may decrease, while operational capability increases.

If you need help understanding how these changes affect your licensing position, Codify’s Managed Microsoft Licensing specialists are ready to support.

What’s New in the Intune Suite for E3 and E5 Customers?

Endpoint Privilege Management (EPM): Enabling Zero Trust on the Desktop

Endpoint Privilege Management (EPM) helps organisations progress toward a Zero Trust security model by allowing users to request just‑in‑time, per‑device administrative privileges – without relying on permanent local admin accounts.
This capability also directly supports the Essential Eight, particularly in areas such as application control (whitelisting) and restricting administrative privileges. Removing admin rights from legacy applications can often feel complex or risky, but EPM provides a controlled, auditable workflow to manage these exceptions.

By wrapping a structured approval and elevation process around applications that require elevated permissions, EPM enables organisations to adopt Essential Eight controls more confidently and without disrupting existing workflows. It reduces the operational burden traditionally associated with achieving higher maturity levels and helps ensure that only approved actions and applications are elevated – securely and transparently.

Key Capabilities

• Just-in-Time Elevation for approved binaries, scripts, and temporary admin actions.
• Audit Logging of script executions, privilege requests, justifications, and approvals – vital for compliance and forensic workflows.
• Policy-Based Control that governs allowed elevation types, behaviours, and rule creation.

Technical Impact

EPM reduces reliance on legacy admin models, helping developers, application support teams, and IT operations teams operate in a least-privilege environment while still enabling flexibility.

Cloud PKI Explained: A Modern Approach to Certificate Authority in the Cloud

Cloud PKI enables organisations to issue certificates directly to Intune‑managed cloud PCs, delivering a cloud‑first alternative to traditional on‑premises Certificate Authorities. This modern approach removes the complexity and infrastructure burden associated with legacy PKI environments, while maintaining strong security and compliance.

Key Capabilities

• Fully Cloud Hosted PKI – remove the need for on-premises CA servers on intune devices.
• Hybrid Support – retain root CAs on-premises if required, without needing domain joined computer objects.
• Cloud Hosted CRL Distribution – Intune manages CRL publication so you don’t have to maintain DMZ infrastructure.

Technical Impact

Cloud PKI significantly reduces operational overhead and enables certificate issuance for modern, cloud-native device deployments without the friction associated with legacy PKI infrastructure.

The Value Behind E5 & E5’s New Built‑In Capabilities

The enhanced capabilities being rolled into Microsoft 365 E3 and E5 were previously locked behind additional add‑on licences. With these new inclusions, organisations can:

• Strengthen endpoint resilience
• Streamline Zero Trust adoption
• Consolidate tooling
• Reduce licensing sprawl
• Modernise endpoint management across Windows devices

This represents a meaningful shift in how Microsoft expects organisations to secure and manage their environments.

Need Help Navigating Microsoft 365 Licensing Changes?

Microsoft’s licensing schema is famously complex – and changes like these don’t make things easier. If your organisation would benefit from clarity around entitlement, optimisation, or modernisation, Codify’s Microsoft Licensing specialists can help you navigate the path forward. Get in touch!