What Does EMS Mean?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
EMS is a bundle of Microsoft tools that help companies keep their data safe when employees use phones, laptops, and apps. It lets IT teams control who can access company files from personal devices. It also helps enforce security rules like requiring a password or wiping a lost device.
Commonly Confused With
Microsoft 365 E3 includes EMS plus Office 365 (Word, Excel, Outlook) and Windows 10 Enterprise. EMS alone does not include Office desktop apps or the Windows upgrade license. Learners often think EMS gives you Office apps, but it does not.
If your company already has Office 365 Business Premium, buying EMS E3 adds Intune and Azure AD Premium without changing Office licenses.
Azure AD Premium (P1 or P2) is a component of EMS, not the whole thing. EMS bundles Azure AD Premium with Intune and Azure Information Protection. If you only buy Azure AD Premium, you get identity features but no device management.
You can buy Azure AD Premium P2 for identity protection and PIM without needing Intune or AIP. But EMS forces you to buy all three together.
MEM is the brand name for the unified portal that includes Intune and Configuration Manager. EMS is the licensing bundle that gives you the right to use Intune. Think of MEM as the tool you use, and EMS as the subscription that lets you use it.
Having an EMS license allows you to open the Microsoft Endpoint Manager admin center and manage devices. Without the license, the portal is visible but you cannot apply policies.
Must Know for Exams
EMS appears in several Microsoft certification exams, most notably the Microsoft 365 Fundamentals (MS-900), Microsoft 365 Security Administration (MS-500), Microsoft 365 Mobility and Security (MS-101), and the newer Security, Compliance, and Identity Fundamentals (SC-900). It is also relevant to the Azure Administrator (AZ-104) and Identity and Access Administrator (SC-300) exams, though less directly.
In MS-900, EMS is a core concept. You need to know which components are included in each EMS license tier (E3 vs E5), and what each component does. Questions often ask: "Which EMS component provides mobile device management?" (Intune) or "Which EMS component provides identity protection?" (Azure AD Premium). You must also understand the difference between MDM and MAM.
In MS-500 and MS-101, EMS appears in deeper scenario-based questions. You may be asked to design a conditional access policy using Azure AD and Intune compliance policies. For example: "You need to ensure that users can only access Exchange Online from devices that are compliant with company security policies. Which two components should you use?" Expected answer: Azure AD Conditional Access and Intune compliance policies.
In SC-900, which is a fundamentals exam, EMS is covered under the concepts of Zero Trust and Identity & Access Management. You need to explain how EMS contributes to least privilege, multifactor authentication, and device hygiene. Questions can also focus on specific features like App Protection Policies (APP), which control data movement in managed apps. A typical question: "An employee uses a personal phone to access corporate OneDrive. What EMS feature ensures that the corporate files cannot be copied to the personal Notes app?" Answer: a Mobile Application Management (MAM) policy. Finally, the exam may test your understanding of licensing: "An organization needs advanced threat protection, mobile device management, and information protection. Which EMS tier is cost-effective?" The correct answer is EMS E3 for basic needs, but E5 is needed for Cloud App Security and ATA. Learners often confuse the features of E3 vs E5, so memorizing the differences is crucial.
Simple Meaning
Think of EMS as a high-tech security guard for a whole office building, but this guard works for a company that lets employees work from anywhere. In the old days, everyone worked at a desk with a company-owned computer that never left the building. Today, people use their own phones and laptops from coffee shops, airports, and home offices. That creates a big problem: how do you keep company secrets safe when they live on personal devices you don't control?
EMS solves this by acting like a set of smart locks and cameras that follow the company's rules no matter where the device is. For example, EMS can make sure a company app on a personal phone requires a fingerprint or face scan to open. It can also wipe all company data from a lost phone without touching the employee's personal photos.
EMS is not a single thing you touch or see. It is a subscription that includes several Microsoft services that work together. These include Azure Active Directory for user identities, Microsoft Intune for managing devices and apps, Azure Information Protection for classifying and protecting files, and Microsoft Advanced Threat Analytics for detecting suspicious behavior. When you buy EMS, you are buying a bundle of security tools that are designed to work together seamlessly.
For IT professionals, EMS replaces older on-premises tools like System Center Configuration Manager (SCCM) for device management. It moves everything to the cloud, so you can set policies from a web browser and have them apply instantly to thousands of devices across the world.
Full Technical Definition
EMS (Enterprise Mobility + Security) is a Microsoft 365 licensing bundle that provides a comprehensive set of cloud-based services for identity management, device management, application management, and information protection. It consists primarily of three core components: Azure Active Directory Premium (P1 or P2), Microsoft Intune, and Azure Information Protection. Depending on the tier (EMS E3 or E5), additional services like Microsoft Advanced Threat Analytics (ATA), Microsoft Cloud App Security, and Azure Rights Management may be included.
From a technical standpoint, EMS works by integrating these services through a unified identity layer. Azure AD acts as the central identity provider, handling authentication via modern protocols such as OAuth 2.0, OpenID Connect, and SAML 2.0. It also supports conditional access policies that evaluate signals like device compliance, user location, and risk level before granting access to a resource.
Microsoft Intune provides Mobile Device Management (MDM) and Mobile Application Management (MAM). MDM lets IT enroll devices using protocols like OMA-DM (Open Mobile Alliance Device Management), which is built into Windows 10/11, iOS, and Android. Through Intune, administrators can push configuration profiles, deploy certificates, enforce encryption, and remotely wipe devices. MAM allows IT to manage apps without enrolling the full device, using app protection policies that control data flow between managed and unmanaged apps.
Azure Information Protection (AIP) provides data classification and protection using encryption, rights management, and visual markings (headers/footers). It integrates with Microsoft 365 apps (Word, Excel, Outlook) to automatically classify documents based on sensitivity labels.
The EMS E5 tier adds Microsoft Cloud App Security (MCAS), which acts as a Cloud Access Security Broker (CASB). MCAS can discover shadow IT, enforce session policies on third-party SaaS apps, and detect anomalous behavior using machine learning. Advanced Threat Analytics (ATA) uses entity behavior analytics to detect internal and external threats against on-premises Active Directory.
EMS relies on REST APIs for integration with third-party tools and for automation. All configuration is managed through the Microsoft 365 admin center, Microsoft Endpoint Manager (which now includes Intune and Configuration Manager), and the Azure portal. Data flows are encrypted using TLS 1.2. The system generates audit logs that feed into Microsoft 365 Security and Compliance Center for monitoring.
Real-Life Example
Imagine a library that lends out books as normal, but also has a special reading room for rare manuscripts. In the old days, anyone could walk into the reading room if they looked serious. But now the library has many members who borrow books remotely and even take rare manuscripts home on tablets. The library needs a way to know who is borrowing what, ensure that borrowed items are not shared with unauthorized people, and instantly lock or recall a manuscript if it is lost.
EMS is like the library's new digital membership system. Each member gets a library card (user identity) that must be shown at every entry point (authentication). Certain rooms (apps and data) require extra verification, like a fingerprint scan (multifactor authentication). The library's staff (IT) can set rules: a rare manuscript can only be viewed on the library's own tablet (managed device), not on a personal phone. If a tablet is reported missing, the librarian can instantly erase all the manuscripts from it without affecting the borrower's personal notes (company data wipe).
The system also tracks what each member is doing. If a member who usually only borrows cookbooks suddenly tries to access the financial archives, the system flags this as suspicious (Advanced Threat Analytics). And if someone tries to copy a sensitive text and paste it into a public blog, the system can block that action (app protection policies).
In the IT world, EMS does exactly these things. It manages who can access what, from which device, under which conditions. It protects data even after it leaves the corporate network. It gives IT the same remote control that the librarian has: the ability to enforce rules, revoke access, and protect information from anywhere in the world.
Why This Term Matters
For any organization using Microsoft 365, EMS is not optional if security and compliance are priorities. The modern workforce uses multiple devices, often personal, to access corporate email, files, and apps. Without EMS, IT has little control over these endpoints, which can lead to data leaks, ransomware infections, and compliance violations.
EMS matters because it moves security from the network perimeter (the office firewall) to the identity and device level. This is often called a Zero Trust model: never trust, always verify. With EMS, IT can require multifactor authentication before anyone accesses sensitive data, even from inside the office. It can also enforce that devices are up-to-date with security patches and have encryption enabled.
For IT professionals, EMS reduces the burden of managing physical devices. Instead of imaging and deploying each computer manually, you can use Intune to configure new devices automatically from the cloud. You can deploy apps, settings, and certificates without touching the device. This is especially important in large organizations with hundreds or thousands of remote workers.
From a compliance perspective, EMS provides the tools to meet regulations like GDPR, HIPAA, and SOC 2. It offers audit logs, data classification, retention policies, and breach notification capabilities. Many external auditors now require proof of mobile device management and data loss prevention, which EMS can provide.
Finally, EMS matters in terms of cost. The bundle is cheaper than buying each service separately, and it reduces the need for expensive on-premises infrastructure like VPN servers and certificate authorities. Organizations that do not use EMS often face higher support costs due to security incidents and manual device management.
How It Appears in Exam Questions
EMS questions typically fall into scenario-based, configuration, and troubleshooting categories.
Scenario-based questions present a business requirement and ask you to select the appropriate EMS component or policy. For example: "A company allows employees to use personal iPads for email. They want to ensure that if an iPad is lost, corporate email is removed without affecting personal data. What should you use?" The answer is Microsoft Intune with a selective wipe (company data wipe) command. Another common scenario: "Your organization needs to block users from accessing corporate resources if they are connecting from a country where the company does business. Which two EMS features are required?" The answer: Azure AD Conditional Access (location condition) and Azure AD Premium license. Configuration questions ask about the steps to set up a feature. For instance: "You are configuring an Intune compliance policy for Windows 10 devices. Which setting would require BitLocker encryption?" The answer is the device health requirement. Troubleshooting questions are trickier. They might describe a situation where a user cannot access company email after updating their phone. You need to identify that the device may have become non-compliant (e.g., jailbroken) and that Intune requires a check-in to re-evaluate compliance. Or a user's app keeps crashing because an app protection policy is conflicting with a device-level policy. Questions can also combine multiple components: "A user reports that they cannot access SharePoint from their home computer. Conditional access policy requires MFA. The user has MFA set up, but the policy also requires a compliant device. The home computer is not enrolled. What is the most likely cause?" Answer: The computer is not enrolled in Intune, so it is marked non-compliant, causing access to be blocked. Another pattern is licensing questions: "Which EMS E5 feature allows you to detect when a user's credentials are being used from multiple locations simultaneously?" Answer: Microsoft Cloud App Security (or Advanced Threat Analytics). Finally, there are 'best practice' questions: "You are designing an EMS rollout. What is the recommended order of implementation?" The expected sequence is: 1) Establish Azure AD identities, 2) Enable MFA and conditional access, 3) Enroll devices in Intune, 4) Apply compliance policies, 5) Deploy app protection policies.
Practise EMS Questions
Test your understanding with exam-style practice questions.
Example Scenario
Contoso Ltd. is a mid-size marketing firm with 200 employees. The company uses Microsoft 365 for email, Teams, and SharePoint. Most employees work from home or on the road using their personal laptops and phones. The IT manager, Maria, is worried because an employee recently left her laptop in a taxi, and the laptop had sensitive client contract files. Fortunately, nothing bad happened, but Maria wants to prevent future risks.
Maria decides to implement EMS. She starts by purchasing EMS E3 licenses for all users. She opens the Microsoft Endpoint Manager portal. First, she creates an Azure AD Conditional Access policy that requires multifactor authentication whenever anyone accesses the company's HR portal. She tests it with her own account and confirms that after entering her password, she also gets a prompt on her Microsoft Authenticator app.
Next, she sets up Intune to manage devices. She creates a compliance policy that requires Windows devices to have BitLocker encryption enabled, Windows Defender running, and a minimum OS version of Windows 10 2004. She also configures a compliance policy for iOS devices that requires a passcode of at least 6 digits and prohibits jailbroken devices. These policies are automatically sent to enrolled devices.
Maria then creates an App Protection Policy for mobile devices. The policy prevents users from copying or pasting data from Outlook into unsanctioned apps like personal note-taking apps. It also forces users to use a PIN when opening Microsoft apps on their phones.
Two weeks later, an employee named James reports that his personal iPhone is lost. Maria quickly goes to the Intune portal, finds James's device, and issues a selective wipe command. Within seconds, all corporate email and files are removed from the iPhone, but James's personal photos and apps remain untouched.
Later, Maria receives an alert from Cloud App Security (they upgraded to EMS E5) that someone is trying to sign in as the CEO from an unknown location. Maria sees that the login failed because it did not pass the conditional access policy requiring MFA. She marks the alert as a legitimate threat and reviews the logs.
Thanks to EMS, Maria's company now has device security, data protection, and threat detection without needing any on-premises servers.
Common Mistakes
Thinking EMS is the same as Microsoft 365 E3/E5.
EMS is a separate suite within Microsoft 365. Microsoft 365 E3 includes EMS but also includes Office apps, Windows, and more. However, you can buy EMS standalone for organizations that already have Office 365. Many learners confuse the whole Microsoft 365 bundle with just the mobility and security part.
Learn the components: Microsoft 365 = Office 365 + Windows 10 + EMS. EMS specifically covers security and mobility features.
Believing Intune can manage all device types the same way.
Intune supports different management modes: MDM for full device enrollment, MAM for app-level management without device enrollment, and for Windows 10, co-management with Configuration Manager. Each mode has different capabilities and limitations.
Know that MAM works on any device (even unenrolled personal phones) but controls only specific apps. MDM gives full device control but requires enrollment.
Assuming EMS E3 includes Advanced Threat Analytics.
Advanced Threat Analytics (ATA) is only included in EMS E5. EMS E3 includes Azure AD Premium P1, Intune, and Azure Information Protection P1, but not ATA or Cloud App Security.
Memorize the feature differences: E3 = identity + device + basic info protection. E5 adds threat protection and advanced analytics.
Forgetting that conditional access requires a licensed Azure AD Premium tier.
Azure AD free includes basic conditional access (like requiring MFA for guest users), but custom location-based rules, risk-based policies, and device compliance checks require Azure AD Premium P1 or P2, which is part of EMS.
Remember that conditional access policies that evaluate device compliance need Intune enrollment AND Azure AD Premium licenses for every user.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a company that wants to prevent corporate data from being pasted into personal apps on an employee's personal phone. Many learners will immediately select 'Enroll the device in Intune MDM' as the solution.","why_learners_choose_it":"They correctly identify that data leakage prevention is needed, and they know Intune manages devices.
They assume device enrollment is required to apply any policy.","how_to_avoid_it":"Understand that MAM (Mobile Application Management) can be applied to managed apps without enrolling the device. For personal phones, enrolling the whole device is often unwanted.
MAM policies (also called App Protection Policies) control app-level behavior, like copy/paste restrictions, without touching the rest of the device."
Step-by-Step Breakdown
Obtain EMS Licenses
Each user who needs to manage devices or apply conditional access must have an EMS license (E3 or E5) assigned to their Azure AD account. The license is tenant-level. Without assignment, the user cannot be subject to Intune policies or Azure AD Premium features.
Configure Azure AD Identity
Ensure users are synchronized (or cloud-only) in Azure AD. Enable multifactor authentication and configure conditional access policies. This step establishes who can access what and under which conditions (e.g., location, device state, risk level).
Set Up Intune as MDM Authority
In the Microsoft Endpoint Manager admin center, set the MDM authority to Intune (unless using co-management). This tells iOS, Android, and Windows devices where to enroll. It also enables automatic enrollment for Windows 10 devices joined to Azure AD.
Create Compliance Policies
Define rules that enrolled devices must meet, such as minimum OS version, encryption status (BitLocker or FileVault), and jailbreak detection (for iOS). Devices that fail compliance are marked non-compliant and can be blocked from access via conditional access policies.
Create App Protection Policies (MAM)
For devices that are not fully enrolled (personal phones), create MAM policies targeting specific apps (Outlook, Teams, OneDrive). Configure settings like PIN length, cut/copy/paste restrictions, and multi-identity handling (separate corporate and personal data within the same app).
Deploy and Monitor
After policies are created, monitor device enrollment status and compliance reports. Use the Microsoft 365 Defender portal to review alerts from Cloud App Security (if on E5). Adjust policies based on user feedback and security incidents.
Practical Mini-Lesson
In practice, deploying EMS is not a one-time task but an ongoing security program. Many organizations start with EMS E3 because it covers the essentials: identity management, device compliance, and basic data protection. However, they quickly realize they need E5 for threat detection and Cloud App Security when a user accounts are compromised or when shadow IT is discovered.
The first technical hurdle is licensing assignment. IT must ensure that every user who accesses corporate resources from a mobile device has an EMS license. This is often done via group-based licensing in Azure AD, which automatically assigns licenses to all members of a security group. The mistake many administrators make is only licensing a subset of users, leaving others unprotected.
Next, the integration between Azure AD Conditional Access and Intune compliance is the heart of EMS. A typical conditional access policy might say: 'If a user is attempting to access SharePoint from an iOS device, require the device to be compliant with Intune policies AND require MFA.' This works because Intune reports compliance status to Azure AD, and Azure AD evaluates that status at each sign-in. If the policy is not configured correctly, a non-compliant device might still gain access. Another practical area is app protection policies (MAM). These are often misunderstood as device-level policies. MAM policies work on the app level, meaning IT can enforce a PIN on the Outlook mobile app even on an Android phone that is not enrolled. This is critical for BYOD (Bring Your Own Device) scenarios, where full device enrollment is invasive. In real-world deployments, configuration conflicts also arise. For example, a device may have both an MDM compliance policy requiring a 6-digit PIN and a MAM policy requiring a 4-digit PIN. The more restrictive policy wins, but this can confuse users. IT should harmonize policies to avoid support tickets. What can go wrong? The most common issue is that devices fail to enroll due to network restrictions or missing certificates. Another is that after a device is wiped (selective or full), the user may lose the ability to sign in because their device token is revoked. IT should communicate these processes to users beforehand. Professionals also need to understand reporting. The Microsoft Endpoint Manager console provides reports on device compliance, app protection status, and enrollment failures. These reports are critical for audits and for troubleshooting user access issues. Finally, a well-implemented EMS environment lays the foundation for future security improvements like device-based conditional access for on-premises resources via Microsoft 365 App Proxy or VPN integration.
Memory Tip
EMS = Identity (Azure AD Premium) + Devices (Intune) + Data (AIP). E3 covers these; E5 adds Threat (ATA) and Cloud (MCAS).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
MS-101MS-102(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Frequently Asked Questions
Do I need EMS if I already have Office 365?
If your users access email and files from personal devices, you should strongly consider EMS. Office 365 alone does not include Intune or Azure AD Premium. EMS adds the mobile device management and identity protection that Office 365 lacks.
Can I use Intune without buying EMS?
Intune is included in some Microsoft 365 plans (like Microsoft 365 E3) and also as a standalone license. However, many advanced features like conditional access based on device compliance require Azure AD Premium, which is part of EMS. Buying EMS is the most cost-effective way to get both.
What is the difference between MDM and MAM in EMS?
MDM (Mobile Device Management) controls the whole device: you can enforce encryption, require a PIN, and wipe the entire device. MAM (Mobile Application Management) controls only specific apps (like Outlook) and does not require device enrollment. MAM is ideal for personal phones.
Does EMS protect against ransomware?
EMS helps reduce the risk of ransomware by ensuring devices are up-to-date, apps are restricted from running unknown executables, and conditional access blocks compromised accounts. However, it is not an antivirus tool. You should combine it with Microsoft Defender for Endpoint.
Is EMS available for non-Microsoft operating systems?
Yes, Intune supports Android (including Android Enterprise), iOS/iPadOS, macOS, and Windows. EMS also manages app protection on these platforms. Some features (like full device enrollment) differ by OS, but the core functionality is cross-platform.
How do I know which EMS tier (E3 vs E5) my company needs?
If you need basic mobile device management, identity protection, and information classification, EMS E3 is sufficient. You should choose EMS E5 if you need advanced threat protection (Advanced Threat Analytics), Cloud App Security (to manage SaaS apps), and more detailed identity risk detection (Azure AD P2).
Summary
EMS (Enterprise Mobility + Security) is a comprehensive Microsoft 365 suite that provides the tools needed to secure users, devices, and data in a mobile and cloud-centric world. It combines Azure AD Premium for identity management, Microsoft Intune for device and app management, and Azure Information Protection for data classification and protection. The higher-tier EMS E5 adds advanced threat analytics and cloud app security capabilities.
For IT administrators, EMS is the modern replacement for traditional on-premises management tools like SCCM. It enables a Zero Trust security model where every access request is verified, regardless of location. It simplifies policy management through a single portal, reduces the operational overhead of maintaining on-premises servers, and provides detailed compliance reporting for auditors.
In certification exams, EMS is a core topic for MS-900, MS-500, and SC-900. You need to know its components, licensing differences (E3 vs E5), and how conditional access and compliance policies work together. Exam questions often present real-world scenarios where you must choose the correct EMS feature or licensing tier. Understanding the difference between MDM (full device control) and MAM (app-level control) is critical.
The key takeaway for learners: EMS is not just a buzzword. It is a set of practical, cloud-based tools that every Microsoft-oriented IT professional should understand. It is the foundation of Microsoft's security and mobility strategy. Master its components and policies, and you will be well-prepared for both real-world administration and certification exams.