Intune Licensing - Device Enrolment

In your scenario, where you're using Microsoft Intune for device enrollment with Microsoft Entra ID P1 and a Microsoft E3 license, here's a breakdown of the licensing and rules around device enrollment:

1. Intune Device Enrollment with Microsoft E3 License

• Microsoft E3 license includes Intune, which allows you to manage and enroll devices. You can enroll devices (whether they are Windows, macOS, iOS, or Android) using Automatic Enrollment or Autopilot.
• Device Enrollment Manager (DEM) account allows you to manage multiple devices (up to 1,000 devices per DEM account). This is part of the Intune service in the Microsoft 365 E3 license.

Important Considerations:

• A DEM account can be used to enroll devices, but the devices you enroll still need to be licensed for Intune. This means that the device itself must have an appropriate license for Intune management, such as a Microsoft Intune Device license or a Microsoft 365 E3/E5 license.
• Microsoft Entra ID P1 provides the necessary identity and access management features, but Intune licensing is separate and needs to be considered when devices are enrolled.

2. License Requirements for Devices

• No Additional License Required for Device Enrollment: As long as you're using the Device Enrollment Manager (DEM) account for device enrollment, and you're not using any additional Intune features beyond basic device enrollment and management, you generally don’t need additional licenses for the DEM account itself.
• Device Licensing: The key part here is that each device needs to be licensed for Intune. Devices enrolled via Automatic Enrollment or Autopilot must have either:
  • A Microsoft 365 license (e.g., E3/E5) that includes Intune, or
  • A standalone Intune device license.
• If a device is only used for enrollment and doesn't require Intune management (e.g., it's simply a device that’s joined to Azure AD but doesn’t require ongoing management), it might not need an Intune license, but this is generally an exception.

3. Device License Requirements Post-Enrollment

• Once a device is enrolled in Intune, it will typically need to be licensed for Intune management for the device to continue to receive policies, configurations, and app deployments.
• If you're using Microsoft 365 E3, the device is already licensed for Intune as long as it’s assigned to a user with that license. The user’s license will cover Intune management for their device.

4. Is an Intune Device-Only License Required?

• If you're managing devices via Microsoft Intune and not using any additional advanced Intune features (like security policies, conditional access, etc.), you can technically get by with just Microsoft 365 E3 licenses for the users.
• However, each device needs to be assigned a Microsoft 365 license or an Intune device license if it's going to be managed through Intune.

5. Breakdown of Key Points:

• DEM Account: Allows for enrolling devices (up to 1,000 devices) and doesn’t require additional Intune licenses for the account itself.
• Device Licensing: Devices enrolled via DEM need an Intune license (via Microsoft 365 E3 or standalone Intune license). This is essential for managing the device with Intune, even if you’re not using advanced Intune features.
• Automatic Enrollment: This can be used to automatically enroll Windows devices into Intune without requiring additional licenses, as long as the device has a valid Microsoft 365 or Intune license.

Conclusion:

• If you’re using Microsoft 365 E3 for your users, and devices are being enrolled by a Device Enrollment Manager (DEM) account, you should be compliant with Microsoft’s licensing terms as long as the devices are licensed with Microsoft 365 E3 or a standalone Intune license.
• No additional Intune licenses are required specifically for the DEM account, as long as you're not using additional advanced features.