Microsoft Enterprise Mobility & Security E3

by Laura Garwood
April 2019

Microsoft Enterprise Mobility & Security E3

In a modern, cloud first world, security is key, which is why Microsoft created Enterprise Mobility & Security (EMS), formally known as Enterprise Mobility Suite. This is a range of subscriptions that can manage devices and identity throughout your company. EMS is made up of four components – Azure Active Directory Premium, Microsoft Intune, Azure Information Protection and Microsoft Advanced Threat Analytics.

These were all separate subscriptions prior to EMS, but over the past few years these have been merged into one package and updated to meet modern day needs.  They can still be purchased separately but are much better value when taken together. 

The four segments of EMS come together to form one modern security solution that can all be managed centrally through your IT, no matter how many employees you have, how many devices they have and how spread out they are over the city, country or even, world.

Many of our clients have Microsoft Enterprise Mobility & Security E3 subscriptions and, together with Office 365 and Windows 10 Pro, forms the core of a 100% cloud first infrastructure.

If you'd like to know more, please do contact us or check out our Cloud Infrastructure & Services products.

Azure Active Directory Premium

This section of EMS essentially allows your employees to login to everything they need for work using one password, whether it’s a cloud app or on-premises software. They would have a profile in Azure Active directory which is linked to all their other Microsoft subscriptions and services.

This means that your team can sign in from anywhere, using any device. This might sound like the opposite of ‘secure’, but there are many benefits of Azure Active Directory Premium.

You can setup conditional access, to block people from logging in based on various factors. You can also enable multi factor authentication, meaning that employees need to use SMS or another form of verification whenever they login to any of the linked services.  We are very big fans of multi factor authentication!

Read more about Azure Active Directory on the Microsoft Azure website.

Microsoft Intune

Intune is the part of EMS that allows multiple devices per user, both corporate and personal, to access company data securely. It's the Microsoft Mobile Device Management (MDM) tool.

For example, if an employee downloaded the Microsoft Word app on their smartphone, Intune would allow them to securely access company documents through that app. This is great for productivity when employees aren’t in the office, minimising the wasted time from travelling and similar situations where working would have been less viable in the past.

Intune also allows your IT team to manage access to connected apps from a central console, giving them full control over the company’s data without needing access to personal devices.

Computer policy settings for things like password age, device encryption, antivirus protection and background wallpaper can also be configured and managed using Microsoft Intune.

More information about Microsoft Intune can be found on the Microsoft website.

Azure Information Protection

With your data in SharePoint Online, OneDrive for Business and Exchange Online we have the ability to inspect that data for patterns such as credit card numbers, passport numbers... whatever we like!  Once found, we can treat that data with encryption, watermarking or other security systems.  We can also state who can access that data and what they can do - for example not letting them print a file.

Azure Information Protection checks that the person viewing the data has the correct permissions to do so. This feature also allows you to track who has viewed a document or email, and revoke access at any time.

EMS E3 includes most of the features you'd need, but EMS E5 adds automation and a few other options.

Azure Information Protection requires buy-in from the business and end users due to the impact on the working environment.

Read more about how Microsoft tackles data protection, including GDPR, on the Microsoft Azure Information Protection site.

Microsoft Advanced Threat Analytics

This component of Microsoft Enterprise Mobility & Security is for your on-premise servers.

It's a traffic inspection tool that looks for suspicious and abnormal behaviour in an effort to identity attacks as they happen.  It's pretty cool tech.

Microsoft Enterprise Mobility & Security E3 includes a licence to Microsoft Advanced Threat Analytics.  Using Advanced Threat Analytics, log files can be processed live to identify malicious attacks and suspicious activities.  Your IT will then get an alert if anything seems out of place, allowing the cause of the abnormal behaviour to be investigated. What’s really clever about this feature is that it’s based on machine learning. This means it’s always on and it’s always improving itself.

There's more information about Microsoft Advanced Threat Analytics in the Microsoft documents.


Below is a handy little diagram giving a summary of features across EMS E3 and EMS E5 levels.

Enterprise Mobility + Security: Survival Guide