Skip to content

Field note

July 2026 Intune Changes for M365 E3 and E5

A licensing announcement is not an implementation plan. The useful question is which capability is active for which users, what problem it solves, and whether the current add-on still earns its place.

Published11 Jul 2026

Updatedyesterday

Read time4 min. 864 words.

On 1 July 2026, Microsoft announced that advanced Intune Suite capabilities are now included in Microsoft 365 E5, with selected capabilities available in Microsoft 365 E3.

Existing customers are due 30 days' notice in the Microsoft 365 admin centre and Microsoft says access will be available by August 2026. Feature availability varies by subscription, some capabilities can still require additional licences, and Security Copilot-related features may need separate licensing.

That makes this a tenant-and-contract review, not a reason to cancel an add-on from a headline.

Quick answer

Before the next Microsoft renewal:

  1. Record the exact Microsoft 365 products assigned to users.
  2. Check Message Center for the tenant's rollout notice.
  3. Review Tenant administration > Intune add-ons for active and eligible capabilities.
  4. Compare entitlement with separately purchased Intune products.
  5. Pick one operational use case to evaluate.
  6. Change licensing only after access, scope and replacement behaviour are proven.

Microsoft 365 Business Premium customers should not assume an E3/E5 announcement applies to their plan. Verify the current product terms and tenant eligibility.

Capabilities worth checking

Microsoft's current advanced Intune capability list includes:

Remote HelpCan support connect through identity and role-based controls, with useful audit evidence?
Endpoint Privilege ManagementCan standard users complete approved elevation tasks without permanent local admin?
Enterprise Application ManagementCan the app catalogue reduce packaging and update drift for supported Win32 apps?
Advanced AnalyticsCan device queries and health data shorten real support investigations?
Microsoft Cloud PKIIs there a genuine certificate use case that justifies changing the current PKI design?
Tunnel for MAMDo unenrolled mobile devices need per-app access to on-premises resources?
Specialty device managementAre meeting, AR/VR or other purpose-built devices actually in scope?
Firmware over-the-air updatesAre supported Android devices present and currently unmanaged at firmware level?

This table describes use cases, not plan entitlement. Microsoft publishes the current licensing position and the Intune admin centre shows what the tenant can use.

Do not start with every feature

The packaging change can create a familiar problem: a long list of new buttons with no service owner.

Choose the use case with the clearest existing cost or risk.

Examples:

  • repeated remote-support delays for distributed staff
  • users kept as local administrators because elevation is hard
  • vulnerable third-party applications waiting on manual packaging
  • poor endpoint evidence during incident response
  • personal mobile devices needing access to a private application

Define one success measure before enabling a pilot. It might be fewer permanent local admins, shorter support resolution, faster deployment of a supported app update, or a complete audit record for remote sessions.

A licence review that produces evidence

Build a simple matrix:

User cohortWho needs the capability
Current Microsoft planExact SKU, not "we have E5 somewhere"
Current add-onProduct, quantity, term and renewal date
Tenant statusActive, eligible, trial or unavailable
Required dependencyEntra, Defender, platform or device prerequisites
Existing toolWhat would be replaced, if anything
Pilot resultMeasured operational or security outcome
DecisionKeep, consolidate, expand or stop

Mixed licensing needs extra care. A capability visible to an administrator is not evidence that every intended user is correctly licensed.

Pilot controls before rollout

Advanced endpoint tools can change user access and support behaviour. Run a small, reversible pilot.

For Endpoint Privilege Management, start with a small set of approved elevations and verify denial, approval and support paths. Do not turn a broad allow rule into a new form of permanent admin.

For Remote Help, confirm role assignments, support identity, consent behaviour and audit records. Decide whether the service replaces an existing remote tool or merely adds another one.

For Enterprise Application Management, test a supported app from deployment through update and rollback. Catalogue coverage will not remove the need to own applications outside the catalogue.

For Cloud PKI, document the relying service, certificate lifecycle and recovery path before issuing certificates. A new certificate authority is infrastructure, not a convenience toggle.

Evidence to keep

A defensible renewal decision needs:

  • Message Center rollout notice
  • current licence and add-on export
  • tenant eligibility screenshot or report
  • pilot scope and success measure
  • access and audit evidence
  • overlap analysis against current tools
  • approved commercial decision and effective date

Do not claim savings until the old contract is actually reduced or removed. Do not claim a control improvement until the capability is configured, targeted and operating.

The July change is useful because it may let some Microsoft 365 customers use tools they previously bought separately. Its value comes from disciplined adoption and licence cleanup, not from activating every capability at once.

If the entitlement review exposes policy drift or unclear device ownership, use the Intune and Autopilot consultancy to turn the licensing change into a controlled endpoint plan.

References

Related notes

Need help mapping this to your own tenant, controls, or assessment timeline?