An Introduction to Microsoft EMS (Enterprise Mobility + Security)

Covering access management for entire businesses, Microsoft’s Enterprise Mobility + Security package is a must-have. Here’s our rundown.


If you’re already familiar with Microsoft’s comprehensive cloud-based ecosystem, you’ll understand why it plays such an important role in the everyday operations of many enterprise-level companies. The greater the investment made in the huge range of solutions empowered by Microsoft’s powerful Azure platform, the greater the payoff will be.

This is only viable if the overarching system is kept secure, of course. The processes and files it’s deployed to manage must be protected, with the risk of anyone gaining unauthorized access kept to a minimum. That’s the role of Microsoft’s Mobility + Security package, one of the core components of the full Microsoft 365 lineup.

In this post, we’re going to succinctly detail its history, what it currently has to offer, and why it’s a must-have for anyone who wants to wield the full force of Microsoft’s cloud ecosystem.

The origins of Microsoft EMS


Having been announced in 2008, Microsoft’s cloud computing service — then known as Windows Azure — was released for general use in 2010. Given the nature of the cloud, it was obvious that next-generation security and update management would be required, and it came in the form of Windows Intune. The Intune beta test launched the month after Azure’s release, and it ran successfully for a year before it hit general release in 2011.

By 2014, Microsoft was ready to make some sweeping changes. Having rebranded Windows Azure as Microsoft Azure, it subsequently announced the release of its Enterprise Mobility Suite with the similarly-rebranded Microsoft Intune at its core. Alongside it were tools for managing permissions and data protection in the form of Azure Active Directory Premium and Azure Rights Management respectively.

There was another addition to the lineup in mid-2015 when Advanced Threat Analytics was rolled out, and this foreshadowed the larger change that followed in mid-2016: the rebranding of the Enterprise Mobility Suite to the Enterprise Mobility + Security Suite. This rebrand didn’t bring substantive changes to what was available: instead, it made various premium features available at no extra cost (with the name intended to more accurately reflect the goal of the suite).

What it currently includes


Four years on from the 2016 rebrand, the Enterprise Mobility + Security has stuck, though some of the component parts have been renamed or folded together. Let’s go through the lineup:

  • Azure Active Directory. Otherwise known as Azure AD, this service deals in identity management, using multi-factor authentication to prevent cybersecurity attacks and ensure that the right people can gain system access at the right times. Single sign-on (or SSO) allows one login to be used for numerous applications.
  • Azure Information Protection. Encompassing Azure Rights Management and various other related services, Azure IP classifies business files through the automatic or manual application of labels. This intelligently protects them from unauthorized access. A given label can prevent a file from being opened or simply warn those using it not to share it.
  • Microsoft Advanced Threat Analytics. There are two facilities in Microsoft EMS for shielding a business from cyber attacks. Advanced Threat Analytics is the on-premise platform: installed locally, it monitors and parses traffic, blocks detected attacks, and provides a clear view of what’s happening and what actions are being taken.
  • Azure Advanced Threat Protection. Building on the data gathered through Advanced Threat Analytics, Advanced Threat Protection is the cloud-based component of the EMS cyber security service. Bringing the power of the cloud to bear, it can yield much richer insights and achieve a superior level of protection.
  • Microsoft Cloud App Security. It’s become common practice for corporations to take advantage of huge ranges of SaaS apps and integrations, but this greatly complicates things from a security standpoint. Each integration adds a point of vulnerability. Cloud App Security makes it simple to monitor cloud apps and services, assess compliance, detect concerning patterns, and limit the flow of sensitive data.
  • Microsoft Endpoint Manager. Given the expanded range of services in the EMS package, there was a clear need for a broader management solution, so Intune was folded into Endpoint Manager (along with Configuration Manager, formerly known as System Center Configuration Manager). This is the main dashboard through which all the disparate functions can be accessed.

What are the available EMS tiers?


Some elements of the EMS package are included with the Microsoft 365 Business Premium tier. Additionally, those elements can be licensed separately. If you want the entire range of security solutions, or want to add security to a reduced Microsoft cloud selection, you can choose one of two EMS tiers:

  • Enterprise Mobility + Security E3. The E3 tier prioritises the core device and application management functions, but also offers many of the features from the other areas of the package. If the E5 additions are unnecessary, the savings make it an obvious choice.
  • Enterprise Mobility + Security E5. The E5 tier steps up the breadth of the package and makes it more valuable as a holistic security solution. Notable additions are the cloud security services — Advanced Threat Protection and Cloud App Security — and the ability to implement risk-based conditional access using Azure Active Directory.

Why it mustn’t be overlooked


We explain why EMS is so valuable for supporting remote working in this companion piece, but it’s worth extends far beyond mobile device management. Today, it serves as a comprehensive security solution for governing every facet of a large cloud-empowered operation: which devices have access, which files can be accessed and by whom, and how threats are handled.

It’s obviously possible to call upon the power of Azure without also investing in the EMS package, but it isn’t advisable — and the bigger a corporation gets, the more tightly it needs to control its security. That makes this solution an obvious addition to every cloud reseller’s range. If you’d like to learn more about how best to present it, contact intY for some free advice.

If you'd like to know more about implementing Microsoft EMS and what else it covers, contact your intY Account Manager today or partner up with us today!

Press enter or esc to cancel