What Does Enterprise Mobility and Security Mean?
On This Page
What do you want to do?
Quick Definition
Enterprise Mobility and Security helps companies keep their data safe when employees use phones, tablets, and laptops. It lets IT teams control which devices can access company resources and enforce security rules like requiring strong passwords. It also helps manage corporate apps and protect sensitive information from being shared outside the company.
Common Commands & Configuration
Connect-MgGraph -Scopes "User.Read.All", "Device.Read.All", "Policy.Read.All"Connects to Microsoft Graph with scopes for reading users, devices, and policies, which is essential for managing EMS components like conditional access and Intune via PowerShell.
Exams like MS-102 and SC-900 test knowledge of cmdlets for automating identity and device management; this command is a prerequisite for running subsequent EMS-related scripts.
New-DeviceCompliancePolicy -Name "iOS Compliance Policy" -Platform iOS -PasswordRequired $true -PasswordMinimumLength 6 -OsMinimumVersion "15.0"Creates a device compliance policy for iOS, requiring a 6-character password and a minimum OS version of 15.0, deployable via Intune in MEM.
A common exam question tests the parameters of New-DeviceCompliancePolicy, especially the Platform and PasswordRequired attributes.
New-AzureADMSConditionalAccessPolicy -Name "Block Non-Compliant Devices" -State "Enabled" -Conditions @{Applications=@{IncludeApplications=["All"]};Users=@{IncludeUsers=["All"]};Devices=@{IncludeDevices=["All"]}} -GrantControls @{BuiltInControls=["Block"]}Creates a conditional access policy in Azure AD that blocks all users from accessing any app if their device is not compliant with Intune policies.
This command tests understanding of conditional access components-Applications, Users, Devices, and GrantControls-which appear in MD-102 and MS-102 scenarios.
New-IntuneAppProtectionPolicy -Name "MAM Policy for iOS" -Platform iOS -CustomSettings @{RequirePin=$true;PinMinLength=4;AllowedDataStorageLocations=["OneDrive"],["SharePoint"]}Creates a mobile application management (MAM) policy that requires a PIN and restricts data storage to OneDrive and SharePoint, protecting corporate data in apps.
Exams test the difference between device and app protection policies; this command is specific to MAM for BYOD and is a frequent focus in SC-900 and MS-102.
Set-AzureADDeviceRegistrationPolicy -AllowDeviceRegistration $true -MaximumDevicesPerUser 5 -DeviceQuotaPeriod 30Configures the Azure AD device registration policy to allow users to register up to 5 devices per 30-day period, used for Intune enrollment.
This is a common configuration for hybrid deployments; exam questions often ask which policy controls device enrollment limits, linking to MD-102 objectives.
New-AzureADMSIdentityProtectionPolicy -Name "Risk-Based MFA" -RiskLevelForSignIn "Medium", "High" -ActionsForSignIn @{RequireMFA=$true}Creates an identity protection policy that requires MFA for sign-ins with medium or high risk levels, available with Azure AD Premium P2 (EMS E5).
Tests understanding of Azure AD Identity Protection and risk-based conditional access, a core topic in CISSP and MS-102 exams.
Set-MobilityPolicy -EnableKioskMode $true -KioskModeAppId "com.microsoft.office.outlook" -DeviceType "Android"Configures Intune to lock an Android device into kiosk mode, allowing only the Outlook app to run, used for shared devices in frontline scenarios.
This appears in MD-102 exam questions about device configuration profiles for shared or kiosk devices.
New-SensitivityLabel -Name "Confidential" -Tooltip "This label encrypts and restricts access to HR data" -EncryptionEnabled $true -EncryptionTemplateId "a12345b-c678-9d01-e234-567890f12abc"Creates a sensitivity label in Microsoft 365 for data classification, with encryption tied to an Azure Information Protection (AIP) template.
A key command for EMS's data protection pillar; SC-900 and MIS exams test label creation and its integration with DLP and Azure AD.
Must Know for Exams
Enterprise Mobility and Security is a recurring theme in several major certification exams. In the Microsoft 365 fundamentals exam MS-900, candidates must be able to describe the core components of EMS, including Azure AD Premium, Intune, and Azure Information Protection. The exam objectives specifically list understanding the differences between cloud-based identity management and on-premises directory services. Questions often present a scenario where a company needs to manage employee devices and protect corporate data, and the candidate must identify which EMS component addresses the need.
For the Microsoft 365 Administrator exam MS-102, EMS goes deeper. This exam covers how to plan and implement Conditional Access policies, deploy Intune device compliance policies, and configure app protection policies. Candidates may be asked to troubleshoot why a user cannot access email on their phone, and the answer often relates to a misconfigured compliance policy or a missing MFA requirement. The MD-102 exam for endpoint administrators focuses almost entirely on device management with Intune, including enrollment methods, configuration profiles, and update rings. Understanding EMS is essential for passing this exam.
Even in non-Microsoft exams, EMS concepts appear. The CompTIA Security+ exam includes objectives on mobile device management, BYOD policies, and secure access, all of which align with EMS. The CySA+ exam covers data protection and threat detection technologies similar to those in EMS. The CISSP exam includes domains like asset security, identity and access management, and security operations, where knowledge of EMS can help answer scenario-based questions. For AWS SAA candidates, while EMS is not directly tested, understanding how a cloud-native identity and device management suite works can inform solutions that integrate with AWS when using Microsoft 365. In each exam, the key is to match the correct EMS component to the business requirement described in the question.
Simple Meaning
Imagine your company is like a big office building with many rooms. Some rooms contain confidential documents, others have office supplies, and the lobby is open to everyone. In the old days, to get into any room, you needed a key, and you could only enter through the main door during business hours.
That was like having a desktop computer in the office that connected directly to the company network. Now, imagine that employees work from home, coffee shops, or moving between cities. They use their own smartphones, tablets, and laptops to access the company building.
This is like giving each employee a magic keycard that works on every door, but only if their device meets certain rules. For example, the keycard only works if the phone has a screen lock, the operating system is up to date, and the device is not rooted or jailbroken. That is what Enterprise Mobility and Security does.
It is a set of tools that acts like a smart security guard at every door. It checks each device before allowing access to company resources. It can also remotely erase company data from a lost phone, just like a security guard can change the locks if someone loses their keychain.
It makes sure that only approved apps can open company files, and it prevents those files from being copied to personal cloud storage. Even if an employee leaves the company, you can immediately remove their access to all corporate apps and data without touching their personal photos or messages. This combination of managing devices, securing apps, and protecting data is what the term Enterprise Mobility and Security means.
It is not just about allowing people to work from anywhere. It is about doing so safely, without letting the bad guys in and without losing control of your critical information. For IT professionals preparing for certifications like the Microsoft 365 exams or security exams, understanding this concept is essential because it shows up in questions about device management, conditional access, identity protection, and data loss prevention.
Full Technical Definition
Enterprise Mobility and Security, often abbreviated as EMS, is an integrated suite of cloud-based services within Microsoft 365 that provides identity and access management, mobile device management, mobile application management, information protection, and advanced threat protection. From Microsoft’s product perspective, EMS is built on several key components: Azure Active Directory Premium, Microsoft Intune, Azure Information Protection, and Microsoft Advanced Threat Analytics (now part of Microsoft Defender for Identity). In recent years, Microsoft has merged EMS into the Microsoft 365 Enterprise plans, but the core technologies remain distinct.
At the heart of EMS is Azure Active Directory, which acts as the identity provider. It handles authentication using modern protocols like OAuth 2.0, OpenID Connect, and SAML. Conditional Access policies in Azure AD evaluate signals such as user location, device compliance, risk level, and application sensitivity to decide whether to allow, block, or require step-up authentication. This is typically implemented by configuring policies in the Azure portal under the Azure Active Directory blade. For example, a policy might require that all access from outside the corporate network must come from a device that is marked as compliant by Intune, and the user must perform multi-factor authentication.
Microsoft Intune is the mobile device management and mobile application management component. It uses the MDM protocol for enrolled devices, which relies on management profiles and configuration services provided by the device manufacturer, such as Apple’s MDM protocol for iOS or Android Enterprise for Android devices. Intune communicates with devices over the internet using push notifications from Microsoft’s cloud services. For Windows 10 and 11, Intune uses the Windows Management Infrastructure and the Modern Management protocol that replaced traditional Group Policy in domain-joined environments. For application management, Intune uses app protection policies, often called MAM policies, which apply without device enrollment. These policies are delivered via the Intune client components baked into Microsoft 365 apps like Outlook and Word. They enforce data protection behaviors such as preventing copy/paste between managed and unmanaged apps, requiring a PIN to open the app, and blocking data from being saved to personal cloud storage.
Azure Information Protection, now part of Microsoft Purview Information Protection, provides data classification and labeling. It uses Azure Rights Management as the underlying encryption and access control technology. When a document is labeled as “Confidential,” the label applies encryption and usage rights that restrict who can open it, whether it can be printed, and if it can be forwarded. The protection follows the document wherever it goes, even if it is emailed or saved to a USB drive. The labels are defined in the Microsoft 365 compliance portal and can be applied automatically based on patterns like credit card numbers or manually by users.
The security part of EMS extends to threat protection through Microsoft Defender for Endpoint (formerly Windows Defender ATP) and Microsoft Defender for Office 365. These services monitor devices, email, and collaboration tools for malicious activity. They use sensors built into the operating system and cloud analytics to detect behavioral anomalies such as unusual logon times, suspicious process launches, or mass data exfiltration. The security stack is integrated into the Microsoft 365 Defender portal, where security teams can investigate incidents, run advanced hunting queries using Kusto Query Language, and automate responses with playbooks.
In practice, an organization using EMS might have a user named Sarah who connects her corporate iPhone to the company network. When she tries to access her work email via the Outlook mobile app, the app first checks with Intune to see if any app protection policies apply. Intune verifies that the device is not rooted, that the OS version is current, and that the device has a passcode. Then, Outlook requests an access token from Azure AD. The token request triggers a Conditional Access policy that requires MFA from a trusted location. Sarah approves the MFA prompt on her phone. Azure AD issues a token that includes claims about the session. Outlook uses that token to connect to Exchange Online. If Sarah later loses her phone, the IT administrator can use Intune to wipe company data from the device remotely, leaving her personal photos and apps untouched. If a malicious email with a phishing link arrives in her inbox, Microsoft Defender for Office 365 detonates the link in a sandbox environment before she clicks it, and blocks the message. The entire ecosystem is designed to enforce security while preserving user productivity across a variety of devices and locations.
EMS is typically administered through the Microsoft Endpoint Manager admin center, which unifies Intune and Configuration Manager. The core configuration tasks include creating device compliance policies, assigning app protection policies, setting up Conditional Access policies, defining information protection labels, and managing the security baseline for devices. For exam preparation, understanding the relationship between Intune, Azure AD, and the Microsoft 365 compliance center is critical. Many certification questions test whether a candidate knows which EMS component to use for a given scenario, such as using Conditional Access for access control or app protection policies for preventing data leakage from managed apps.
Real-Life Example
Think of Enterprise Mobility and Security like a smart building security system designed for a company where employees work from different places. In a traditional office, you have a receptionist at the front desk who checks IDs, a badge to open doors, and a guard who patrols the hallways. That is like the old network with a firewall and domain-joined computers. Now imagine that the company decides to let employees work from home, from coffee shops, or while traveling. They carry their own phones and laptops. The security system must adapt to this new reality.
In this analogy, the smart building has a central security office that knows about every employee and every device. When an employee approaches the building, the main door does not open automatically. Instead, the door asks for two things: who you are and what device you are carrying. For example, you might need to swipe your badge and also show a temporary code from your phone app. That is multi-factor authentication. Once inside, the security system checks whether your phone is updated with the latest security patches, whether it has a screen lock, and whether it has any spyware. If the device is out of date, the system refuses to let you into certain high-security rooms. That is device compliance, like Intune checks. If you try to take a confidential document from a secure room and put it in your personal bag, the system sounds an alarm and the document becomes unreadable. That is data loss prevention powered by Azure Information Protection labels. If you lose your phone, you can immediately report it to the central security office, which will remotely erase all company data from that phone without touching your personal photos or contacts. That is a selective wipe.
Now suppose you are on a business trip and you need to open a company contract on your personal tablet. The security system allows you to open the document only inside a special corporate app that you downloaded from the company store. Inside that app, you can read the document but you cannot copy text to a note-taking app or share it with a friend. The system also requires you to enter a PIN to even open the app. If you try to screenshot the document, the screen is black. That is mobile application management. All of these safeguards work together to ensure that employees are productive but company data stays controlled. The smart building security system has replaced the old guard with automated policies that follow the user and the data wherever they go.
Why This Term Matters
Enterprise Mobility and Security matters because modern work is no longer tied to a desk. Employees expect to check email on their phones, edit documents from tablets, and join video calls from personal laptops. Without EMS, IT teams would have to either let everyone in without restrictions, which is dangerous, or lock everything down so tightly that productivity suffers. EMS strikes a balance by providing a comprehensive set of tools to manage devices, protect apps, and secure data across platforms.
For organizations, the risk of data breaches increases when employees use unmanaged devices. A lost phone could expose sensitive customer data. An employee copying a confidential spreadsheet to a personal Google Drive could violate compliance regulations. EMS addresses these risks by enforcing security policies automatically and transparently. It also simplifies user onboarding because employees can configure their devices in minutes without calling IT. When an employee leaves, access can be revoked instantly. This reduces the cost of IT support and improves security posture.
For IT professionals, understanding EMS is critical because it appears across many certification paths. The Microsoft 365 exams, such as MS-900, MS-102, MD-102, and SC-900, all include questions on the components of EMS and their use cases. Security exams like Security+, CySA+, and CISSP also touch on the concepts of identity management, mobile device management, and data protection principles that EMS embodies. Knowing how to plan and deploy EMS solutions can make a candidate more valuable to employers who are transitioning to cloud-based work environments.
How It Appears in Exam Questions
Exam questions about Enterprise Mobility and Security typically follow a pattern. One common type is the definition question: Which Microsoft 365 service provides mobile device management? The answer is Microsoft Intune. Another type is scenario-based: A company wants to ensure that employees can only access corporate email from devices that have a screen lock and are not jailbroken. What should the administrator configure? The correct answer is a device compliance policy in Intune, combined with a Conditional Access policy in Azure AD that requires compliant device status.
Troubleshooting questions are also frequent. For example, a user reports that they cannot access their Microsoft 365 apps on their Android phone, but they can access the same apps on their laptop. The question might ask what is preventing access. Possible answers could include an expired device compliance policy, an app protection policy that requires a PIN, or a Conditional Access policy that blocks devices from certain locations. The candidate must analyze the symptoms and choose the most likely cause.
Configuration questions ask the candidate to select the correct steps. For instance, the requirement to automatically apply a confidentiality label to all documents containing an employee ID number would lead the candidate to configure a sensitivity label with auto-labeling in the Microsoft 365 compliance center. Another question might ask about the order of operations: when a user tries to access an app, the device must first be enrolled, then compliance is checked, then Conditional Access evaluates the request. Understanding the flow helps answer multi-step questions.
Finally, some questions test the difference between MDM and MAM. For example: A company wants to protect corporate data in Outlook on personal phones without managing the entire device. Which EMS technology should they use? The answer is mobile application management via Intune app protection policies. These distinctions are frequently tested in MS-900, MS-102, and MD-102 exams.
Practise Enterprise Mobility and Security Questions
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized company named AlpineTech has 500 employees. Most of them use company-issued Windows laptops in the office, but the CEO wants to allow employees to work from home and use their own smartphones to check email and Teams messages. The IT team needs to ensure that company data stays safe. They decide to implement Enterprise Mobility and Security.
The first step is to set up Azure AD Premium P2, which gives them access to Conditional Access and identity protection. Then they enroll all company laptops into Intune by installing the Intune client and signing in with corporate credentials. For personal phones, they decide not to enroll the devices fully, because employees are uncomfortable with IT having control over their personal phones. Instead, they configure app protection policies for the Microsoft 365 mobile apps. These policies require a six-digit PIN to open Outlook, block copy-paste to non-Microsoft apps like Gmail, and prevent saving attachments to personal storage. They also configure Conditional Access policies to require multi-factor authentication when accessing company resources from outside the office.
A few weeks later, an employee loses their phone at the airport. They call IT, who immediately kills the session by using Azure AD to revoke the user’s tokens. They also run a selective wipe from Intune to remove all company data from the lost phone. The employee’s personal photos and contacts are untouched. Later, the IT team reviews the compliance reports and sees that three devices are missing the latest security patches. They set up a compliance policy that blocks those devices from accessing corporate resources until they update. This scenario demonstrates how EMS gives the company visibility and control over mobile access while supporting a flexible work policy.
Common Mistakes
Thinking that EMS is just one product rather than a suite of services.
EMS includes Azure AD Premium, Intune, Azure Information Protection, and more. Confusing the suite with a single component leads to incorrect answers on exam questions that ask for the specific service needed for a task.
Remember EMS is an umbrella term. When asked what component handles device management, say Intune. When asked about identity, say Azure AD.
Believing that MDM and MAM are the same thing.
MDM manages the entire device, while MAM manages only apps and data. Using MDM when only MAM is required makes users uncomfortable and increases administrative overhead. Exams test the distinction.
If the requirement is to protect data without managing the device, choose MAM. If the requirement is to control the device settings, choose MDM.
Ignoring the order of operations in Conditional Access.
Some learners think Conditional Access checks device compliance first, then user identity. Actually, user authentication happens first, then device compliance is evaluated. Misunderstanding this leads to wrong troubleshooting steps.
Memorize the flow: user signs in, Azure AD authenticates, then Conditional Access policies evaluate device compliance and other conditions.
Assuming all devices need to be enrolled in Intune to be protected.
App protection policies can protect data on unenrolled devices. Forcing enrollment for personal devices may violate privacy laws or user trust. Exams often present scenarios with personal devices where MAM is the correct answer.
For company-owned devices, use MDM. For personal devices with corporate apps, use MAM. Both can be used together.
Forgetting that Azure Information Protection labels follow data outside the corporate network.
Protection only works if the label includes encryption and rights management. Simply labeling a document without applying encryption does not protect it if emailed. Exams test the understanding that protection requires Azure Rights Management.
Always enable encryption under the label settings if the requirement is to protect data even after it leaves the organization.
Confusing EMS with Microsoft 365 Business Premium or Microsoft 365 E5 licensing.
While EMS features are included in those licenses, they are not the same product name. Questions might ask which license includes EMS capabilities, and a learner might incorrectly choose a plan that does not.
Learn which plans include EMS: Microsoft 365 E3 and E5, and Microsoft 365 Business Premium. Do not confuse EMS with the basic Microsoft 365 Business Basic or Standard.
Exam Trap — Don't Get Fooled
{"trap":"A question says: 'An organization wants to allow users to access their corporate email from personal phones. They do not want to manage the phones, but they want to require a PIN to open the email app. Which EMS component should they use?'
The answer choices include Intune MDM, Azure AD Conditional Access, Azure Information Protection, and Intune MAM. Many learners choose Intune MDM because they associate Intune with device management.","why_learners_choose_it":"They hear 'Intune' and think of device enrollment and management.
They do not realize Intune also offers mobile application management (MAM) that works without enrolling the device.","how_to_avoid_it":"Read the scenario carefully. The key phrase is 'they do not want to manage the phones.'
That signals that MAM is the answer because it applies only to apps, not the whole device. Intune does both MDM and MAM, but the question is asking for the specific component that solves the problem without device management."
Commonly Confused With
Enterprise Mobility and Security focuses on identity, device, and app management, while Microsoft Purview (formerly Compliance Center) focuses on compliance features like data retention, eDiscovery, audit logs, and insider risk. EMS protects data from being accessed inappropriately, but Purview helps organizations meet regulatory requirements.
EMS can require MFA to access email. Purview can automatically delete emails older than 7 years.
EMS includes threat protection through Defender for Endpoint, but Defender for Endpoint is a standalone product that focuses on advanced endpoint detection and response, including antivirus, firewall, and attack surface reduction. EMS is a broader suite that includes identity and access management, while Defender for Endpoint is specifically for security monitoring of devices.
EMS controls which devices can access company resources. Defender for Endpoint detects malware on those devices.
Conditional Access is a component of Azure AD Premium that is part of EMS, not the entire suite. It is the policy engine that enforces access rules, while EMS includes many other services like Intune and Information Protection. Confusing Conditional Access with EMS is like confusing the steering wheel of a car with the whole vehicle.
Conditional Access blocks access from a non-compliant device. EMS is the full toolkit that includes Intune to mark the device as compliant or not.
This is a licensing bundle that includes EMS, Office 365, and Windows 10/11. EMS is the underlying technology, while Business Premium is the commercial plan that includes it. A question might ask which license provides EMS features, and a learner might say 'EMS' itself instead of the license name.
EMS is the ingredients; Business Premium is the meal that includes those ingredients plus others.
Step-by-Step Breakdown
User initiates access
The user opens an application like Outlook on their mobile device. The app attempts to connect to Microsoft 365 resources.
Authentication with Azure AD
The app sends an authentication request using OAuth 2.0 or OpenID Connect. Azure AD verifies user credentials and checks the user’s identity risk level.
Conditional Access policy evaluation
Azure AD evaluates the session against Conditional Access policies. It checks factors like user location, device platform, and application sensitivity.
Multi-factor authentication if required
If the policy requires MFA, the user must complete an additional factor such as a phone call, SMS code, or authenticator app prompt.
Device compliance check
If the policy requires compliant device status, Azure AD queries Intune to see if the device meets compliance policies like password requirements and encryption status.
Token issuance or rejection
If all conditions are met, Azure AD issues an access token to the app. If conditions are not met, access is blocked or limited.
App protection policy enforcement
For mobile apps, Intune app protection policies apply at the app level, controlling actions like copy/paste and requiring PIN entry.
Data access and protection
The user accesses data. Azure Information Protection labels may encrypt or restrict actions on sensitive documents. Defender for Endpoint monitors for threats.
Ongoing session monitoring
Azure AD continuously evaluates sign-in risk. If risk is detected, the session can be challenged or terminated. Device health is monitored for changes.
Practical Mini-Lesson
Enterprise Mobility and Security is not a single console but a set of integrated services you administer from multiple portals. In practice, an IT administrator setting up EMS for the first time will spend most of their time in three places: the Microsoft Entra admin center (formerly Azure AD), the Microsoft Endpoint Manager admin center, and the Microsoft 365 Defender portal. The Entra admin center handles identity and Conditional Access. The Endpoint Manager admin center handles Intune for device and app management. The Defender portal handles security incidents and threat hunting.
To deploy EMS, start by ensuring you have the appropriate licenses assigned to users. Then configure your Azure AD tenant with custom domain names and set up the authentication methods. Enable security defaults or create Conditional Access policies to require MFA for all users. Next, enroll devices into Intune. For Windows devices, you can use automatic enrollment by joining them to Azure AD. For iOS and Android, users install the Company Portal app from the store and follow enrollment steps. Create device compliance policies that require a PIN, encryption, and a minimum OS version. Create configuration profiles to set Wi-Fi, VPN, and email settings automatically. Then build app protection policies for mobile apps, targeting user groups.
One common mistake is to skip the Compliance policy before building Conditional Access. Without a compliance policy, there is no way to mark a device as compliant or non-compliant, so Conditional Access policies that require compliant devices will either block everyone or not work as expected. Another pitfall is not testing policies on a small pilot group before rolling out broadly. A poorly configured Conditional Access policy can lock out all users, including administrators. Always have a break-glass account with excluded admin account to regain access.
For data protection, create sensitivity labels in the Microsoft Purview compliance portal. Test them by applying a label manually to a Word document and verifying that it encrypts and restricts access. Configure auto-labeling rules for sensitive data types like credit card numbers. Remember that labels with encryption require that the viewer has an Azure AD account and the appropriate usage rights.
What can go wrong? users may be frustrated by repeated MFA prompts if you do not configure trusted locations or session controls. Devices that are not updated may become non-compliant, blocking access unexpectedly. App protection policies can cause data loss if they inadvertently block legitimate workflows, such as copying a phone number from a corporate app to the native dialer. To avoid this, you can define exceptions for specific apps. Regular monitoring of the Compliance reports and sign-in logs is essential to catch issues early. The Identity Protection reports in Azure AD can show risky sign-ins and users with compromised credentials. The goal is to balance security with usability, and that requires ongoing tuning of policies based on user feedback and incident data.
Core Concepts of Enterprise Mobility and Security in Microsoft 365
Enterprise Mobility and Security (EMS) is a comprehensive suite of Microsoft 365 services designed to secure and manage user identities, devices, applications, and data across an enterprise. The core concepts revolve around identity-driven security, device compliance, and conditional access. At its foundation, EMS leverages Azure Active Directory (Azure AD) as the identity provider, enabling single sign-on (SSO) and multi-factor authentication (MFA) across cloud and on-premises resources. This identity-centric approach ensures that only authenticated and authorized users can access corporate assets.
A key pillar is mobile device management (MDM) via Microsoft Intune, which allows administrators to enforce policies such as passcode requirements, encryption, and remote wipe on devices running iOS, Android, Windows, and macOS. Intune integrates with Azure AD to provide device-based conditional access, ensuring that only compliant devices can access sensitive data. For example, an administrator can configure a policy that blocks email access from jailbroken iOS devices or devices without a PIN.
Another critical concept is mobile application management (MAM), which protects corporate data within apps without managing the entire device. Microsoft Intune’s app protection policies (APPs) enable data loss prevention (DLP) by restricting copy-paste, preventing screen captures, and requiring PIN access for apps like Outlook or SharePoint. This is essential for bring-your-own-device (BYOD) scenarios where the device is personally owned but corporate data must remain secure.
EMS also includes Azure Information Protection (AIP) for data classification and labeling, protecting emails and documents with encryption and rights management. The suite’s integration with Microsoft 365 Defender provides advanced threat protection, detecting and responding to attacks on identities, endpoints, and data. Understanding these core concepts-identity as the zero-trust perimeter, device compliance through Intune, and data protection via AIP and conditional access-is fundamental for exam objectives in certifications like MS-900, MD-102, and SC-900. These concepts are tested through scenario-based questions where candidates must choose the correct EMS service to solve a specific business problem, such as enforcing MFA for remote users or preventing data leakage from mobile apps.
Configuration Workflows for Enterprise Mobility and Security in Microsoft 365
Configuring Enterprise Mobility and Security (EMS) in Microsoft 365 involves a series of logical workflows that integrate Azure AD, Microsoft Intune, and conditional access policies. The first step is to ensure Azure AD Premium P1 or P2 licensing is assigned, as these are required for advanced features like conditional access and identity protection. Administrators must also assign Intune licenses to users and devices. The typical workflow begins in the Azure portal or Microsoft 365 admin center, where the administrator sets up Azure AD Connect to synchronize on-premises Active Directory with Azure AD for hybrid environments.
Next, the administrator navigates to Microsoft Endpoint Manager (MEM) to create and deploy device compliance policies. For example, a compliance policy for Windows 10 might require BitLocker encryption, a minimum OS version, and Windows Defender Antivirus enabled. This policy is then assigned to a group of users or devices. Following compliance, conditional access policies are created in Azure AD to enforce specific controls. A common workflow is to create a policy that requires MFA for all cloud apps except for trusted locations like the corporate network. Another workflow blocks access from devices that are not compliant with Intune policies.
For app protection, administrators configure MAM policies in MEM. This involves selecting the target apps (e.g., Microsoft Outlook, Teams, SharePoint), then defining settings like require PIN for access, restrict cut/copy/paste to other apps, and prevent backing up corporate data to personal cloud storage. These policies are deployed to user groups, often separate from device management policies.
Workflows also include configuring Azure Information Protection (AIP) labels and policies. Administrators create labels like “Confidential” or “Highly Confidential” with specific protection settings, such as encryption or visual markings. These labels are published to users via the AIP client or built-in sensitivity labels in Microsoft 365. The workflow for data loss prevention (DLP) in Microsoft 365 Purview complements EMS by detecting sensitive info in transit.
Exams like AZ-104 and SC-900 test these workflows through drag-and-drop or multiple-choice questions. For instance, a question might ask which policy to configure to prevent a user from forwarding a confidential email from a mobile device-the answer is a MAM app protection policy. Another common scenario is configuring conditional access to block legacy authentication protocols, which is a standard security best practice tested in MD-102 and MS-102.
Cost Considerations and Licensing for Enterprise Mobility and Security
Enterprise Mobility and Security (EMS) is not a single product but a bundle of services that require specific Microsoft 365 licensing tiers. The licensing costs significantly impact enterprise deployment decisions and are a frequent topic in exams like MS-900 and SC-900. EMS E3 and E5 are the primary suites. EMS E3 includes Azure AD Premium P1, Microsoft Intune, Azure Information Protection (N/A for all features), and conditional access. EMS E5 adds Azure AD Premium P2, which includes identity protection (risk-based conditional access) and identity governance (privileged identity management), as well as advanced threat protection via Microsoft 365 Defender.
Cost considerations also involve user-based licensing. Each user must have an EMS license assigned to access features like MFA, Intune enrollment, and conditional access. For organizations that only need mobile device management, Microsoft Intune can be licensed standalone, but then features like Azure AD conditional access require separate licensing. The total cost of ownership (TCO) includes not just licensing but also potential infrastructure costs, such as on-premises connectors for hybrid identity or additional storage for data classification logs.
Another cost factor is the choice between the Microsoft 365 Business Premium license (which includes EMS capabilities for up to 300 users) versus Enterprise plans. Business Premium is cost-effective for SMEs but lacks advanced features like Azure AD P2 and eDiscovery. Enterprise plans (E3/E5) scale better for large organizations with complex compliance needs.
Exam questions often test licensing scenarios: for example, a company wants to implement risk-based conditional access that automatically blocks users with high-risk sign-ins. This requires Azure AD Premium P2, which comes with EMS E5 or Microsoft 365 E5. Another common question asks which license is needed for self-service password reset (SSPR)-this is a feature of Azure AD Premium P1, available in EMS E3 or Microsoft 365 E3. Understanding these cost and licensing nuances helps administrators advise their organizations correctly and is critical for passing the MS-102 and MD-102 exams, which include budgeting and planning objectives.
Best Practices for Deploying Enterprise Mobility and Security in Microsoft 365
Deploying Enterprise Mobility and Security (EMS) effectively requires adherence to best practices that align with zero-trust principles and exam objectives for certifications like CISSP, Security+, and MS-102. The first best practice is to enforce multi-factor authentication (MFA) for all users, especially administrators. Azure AD conditional access should be used to require MFA for all cloud app access except for trusted network locations. This reduces the risk of credential theft. Second, implement device enrollment and compliance policies early. Intune should be configured to automatically enroll devices (e.g., via Azure AD join or Device Enrollment Manager) and enforce baseline compliance policies like encryption and OS updates.
Third, adopt a least-privilege approach for identity governance. Use Azure AD Privileged Identity Management (PIM) in EMS E5 to provide just-in-time administrator roles, reducing standing access. Fourth, implement mobile application management (MAM) without device management for BYOD scenarios. This protects corporate data in apps like Teams and Outlook without intruding on personal device management. Fifth, use conditional access policies to block legacy authentication protocols (e.g., POP3, SMTP) which are often exploited in attacks.
Sixth, integrate Azure Information Protection with Microsoft 365 and third-party apps to classify and protect sensitive data. Train users to apply sensitivity labels correctly. Seventh, regularly review sign-in logs and identity protection reports to detect anomalies like impossible travel or leaked credentials. Eighth, use the Microsoft 365 Defender portal to correlate alerts across identities, endpoints, and email-a key capability for SOC teams.
In exams like CySA+ and CISSP, these best practices are often tested through scenario-based questions. For example, an organization wants to allow personal devices to access corporate email but ensure that corporate emails are not shared outside the organization. The best practice is to deploy Intune app protection policies with the “save-as” and “share” restrictions. Another common exam scenario is about preventing lateral movement after a compromised device-the answer is to use conditional access to automatically block access from non-compliant devices. Following these best practices ensures a robust security posture and is directly evaluated in the “Implement and Manage Security Controls” domain of Security+ and the “Identity and Access Management” domain of CISSP.
Troubleshooting Clues
User cannot enroll device in Intune
Symptom: Device appears as ‘Not enrolled’ in MEM admin center; user receives error ‘Enrollment restricted’ on device.
This occurs when the Intune enrollment block policy is active for specific platforms (e.g., Android) or when device enrollment limits per user are exceeded (default is 5). Also, Azure AD device registration must be enabled.
Exam clue: Exam questions often give a scenario where a user fails to enroll an Android device; the solution is to check the enrollment restriction policy in MEM or increase the device quota.
Conditional access policy blocks all users
Symptom: All users, including admins, are unable to access Exchange Online or other cloud apps; sign-in logs show ‘Blocked by conditional access’.
This is typically caused by a misconfigured conditional access policy that includes all users or excludes no users. For example, a policy that blocks non-compliant devices without another policy to allow compliant devices will block everyone who has not enrolled yet. Also, if the policy excludes no users, even admins are blocked.
Exam clue: Tested in MS-102 and MD-102: the candidate must identify that a ‘break-glass’ admin account should be excluded from all conditional access policies to prevent lockout.
MFA prompt not appearing for sensitive actions
Symptom: Users can perform high-risk actions (e.g., app registration or password change) without MFA, even though MFA is required for all cloud apps.
This happens when the conditional access policy for MFA does not include Azure AD portals or specific cloud apps (e.g., Microsoft Azure Management). Also, legacy authentication protocols (e.g., POP3, SMTP) bypass modern MFA challenges.
Exam clue: A common exam scenario: the admin sees MFA for Outlook but not for Azure portal; the fix is to add the Microsoft Azure Management app to the cloud app list in conditional access.
Device marked as non-compliant but meets all policies
Symptom: Device shows ‘Non-compliant’ in MEM with no specific reason; health status shows ‘Not evaluated’ or ‘Unknown’.
This often occurs when the Intune agent or device management service (e.g., Windows Management Framework) fails to report compliance. Also, device sync intervals may be out of range (default 60 minutes). If the device is jailbroken/rooted, Intune automatically marks it as non-compliant but may not show a detailed reason.
Exam clue: In MD-102, candidates must know that if a device shows non-compliant for no clear reason, they should check the device health attestation (e.g., BitLocker status) and sync logs.
App protection policy not applied to Outlook
Symptom: Users can copy-paste corporate data from Outlook to personal apps; Outlook does not require a PIN.
This happens when the MAM policy is not targeted to the correct user group or the policy’s app selection does not include Outlook. Also, if the user is using a personal device, the MAM policy might be overridden if device enrollment is also present. Another cause is that the app hasn’t been updated or the policy hasn’t propagated (up to 24 hours).
Exam clue: SC-900 and MS-102 questions: the correct fix is to verify the policy is assigned to the user group and that the ‘target all apps’ option is enabled.
User cannot access SharePoint from mobile device
Symptom: SharePoint app shows ‘Access denied’ on iOS/Android, but works on desktop; sign-in logs show ‘Not compliant’ or ‘Device is not compliant’.
This occurs when a conditional access policy requires device compliance via Intune but the device has not been enrolled or is non-compliant (e.g., missing encryption). The mobile device may also be blocked if it uses an unsupported operating system version.
Exam clue: Exams like MS-102 test troubleshooting: the admin should check the device compliance status in Intune and apply a conditional access policy that grants access only if the device meets the compliance policy.
Sensitivity labels not appearing in Office apps
Symptom: Users do not see the custom sensitivity labels in Excel or Outlook; labels are active in the Compliance portal.
This is often due to label policies not being published to the correct user groups or the labels are not scoped for content (they might be set to ‘none’ in the label settings). Also, the AIP client or built-in sensitivity labeling may need to be enabled via the Office 365 admin center or through registry keys.
Exam clue: In MS-900 and CISSP, the candidate must know that sensitivity labels require a published label policy to users and that labels must be configured with visibility settings (e.g., ‘visible in Office apps’).
Failed to deploy Intune configuration profiles
Symptom: Configuration profile shows ‘0 Succeeded’ in MEM; error ‘User interface policy conflict’.
This occurs when two different configuration profiles (e.g., one from a custom policy and one from a standard policy) conflict on the same device setting, such as password length or kiosk mode. Intune cannot resolve the conflict and deploys none.
Exam clue: MD-102 exam questions: the admin must merge or prioritize policies using the ‘replace’ setting in configuration profiles or remove conflicting policies.
Memory Tip
Remember the three pillars of EMS: Identity (Azure AD), Devices (Intune), and Data (AIP). IDD, Identity, Devices, Data.
Learn This Topic Fully
This glossary page explains what Enterprise Mobility and Security means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →CISSPCISSP →MS-900MS-900 →SAA-C03SAA-C03 →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Quick Knowledge Check
1.An organization wants to allow employees to access corporate email on their personal iPhones without requiring full device management. However, they need to prevent corporate emails from being copied to personal note apps. Which EMS component should be configured?
2.A company deploys a conditional access policy that requires MFA for all cloud apps. Users report they can sign into Microsoft Teams without MFA from home. What is the most likely cause?
3.During an Intune deployment, an administrator notices that all Android devices are showing as non-compliant even though they meet the password and encryption requirements. The compliance policy is set to report compliance every 60 minutes. What is the most likely reason?
4.An organization wants to automatically block users whose sign-in risk is high due to leaked credentials. Which license and feature are required?
5.A user reports that when they open a confidential document in Word, the sensitivity label appears but they cannot edit the protection. The label requires encryption. What is the most likely issue?
6.A company uses Microsoft Intune for MDM and wants to ensure that only devices with BitLocker encryption can access corporate email. Which two components must be configured? (Select the best single answer for this scenario)
Frequently Asked Questions
What is the difference between EMS and Microsoft 365 Business Premium?
EMS is a set of cloud services (Azure AD Premium, Intune, AIP). Microsoft 365 Business Premium is a license bundle that includes EMS plus Office 365 and Windows 10/11. So EMS is part of the bigger bundle.
Do I need to enroll my employees' personal phones in Intune to protect data?
Not necessarily. You can use Intune app protection policies (MAM) that protect corporate data in apps like Outlook without enrolling the entire phone. This keeps personal data separate and private.
Can EMS help if a device is lost or stolen?
Yes. Intune allows you to remotely wipe corporate data from a lost device or retire the device completely. Azure AD can also revoke the user’s tokens to block access.
Which EMS component enforces multi-factor authentication?
Azure AD Conditional Access policies enforce MFA. You configure the policy in the Azure AD admin center to require MFA based on user, location, or device state.
Is EMS only for Microsoft 365 apps?
No. EMS can manage access to any cloud app that uses Azure AD for authentication. You can configure Conditional Access for thousands of SaaS apps, not just Microsoft 365.
What is the role of Azure Information Protection in EMS?
Azure Information Protection helps classify and protect documents and emails. It applies labels that can encrypt and restrict actions like printing or forwarding, even after the data leaves the organization.
Do I need an on-premises server to use EMS?
No. EMS is cloud-based. You only need internet connectivity and users assigned applicable licenses. However, you can integrate it with on-premises Active Directory using Azure AD Connect.
Summary
Enterprise Mobility and Security is a foundational concept for IT professionals working with Microsoft 365. It represents the shift from traditional network perimeter security to a model where security follows the user, device, and data anywhere. The suite includes Azure AD Premium for identity, Intune for device and app management, and Azure Information Protection for data protection. Together, these components enable organizations to support a mobile workforce without sacrificing control or compliance.
For certification candidates, understanding EMS is critical for exams like MS-900, MS-102, MD-102, and SC-900, and it also supports broader security certifications like Security+, CySA+, and CISSP. The most common exam question types test the ability to select the correct EMS component for a scenario, understand the difference between MDM and MAM, and configure Conditional Access policies. Avoiding confusion between EMS and its individual components is key to success.
The real-world application of EMS is vast. It solves problems like lost devices, BYOD policies, compliance requirements, and data leakage. By implementing EMS, companies can embrace flexible work while maintaining a strong security posture. For learners, mastering EMS means gaining skills that are directly applicable in modern IT environments, making them more effective and valuable in their roles.