What is Microsoft Enterprise Mobility + Security (EMS)?

Microsoft’s Enterprise Mobility + Security, or EMS, is a new product in Microsoft’s portfolio. At first glance, Microsoft EMS can be confusing, so I’m going to try to explain it as concisely as possible.

Before there was Microsoft Enterprise Mobility + Security, there were four separate products. Microsoft EMS includes all four as components:

  • Azure Active Directory Premium
  • Microsoft Intune
  • Azure Rights Management
  • Microsoft Advanced Threat Analytics

Overall, you can think of Microsoft EMS as a device-management and virtual-identity-management suite.

In a cloud-based world where employees want to work from all of their devices, Microsoft EMS gives IT maximum security and control.

Microsoft EMS Bundled Products

Azure Active Directory Premium

In one phrase, Azure Active Directory Premium is “single sign-on for your company”. Every employee has a profile in Azure Active Directory which is linked to all of their other logins. Your employees can sign in to almost any service regardless of device model, location, or user identity.

  • File Servers
  • Email
  • Application Servers
  • Database Servers

The big deal about Azure Active Directory Premium is this: it enables single sign-on to cloud software and on-premises software. With one password you can access almost everything, including thousands of SaaS cloud apps. Other useful features include:

  • Conditional access: block people from logging in based on various factors
  • The promise of a single login applies to any device, including iOS and Android
  • Multifactor authentication – use things like SMS verification or even biometric scanning to verify identity
  • Reporting on logins and the metadata associated with access requests

Microsoft Intune

In one phrase, Microsoft Intune is for “securely linking employees’ personal devices to company data”. Microsoft Intune is built on Azure Active Directory.

Microsoft Intune allows you to link an unlimited number of mobile devices to an employee’s Active Directory profile. Microsoft Intune is your secure link between an employee’s mobile device (iOS, Android, Windows) and corporate data.

For instance, Microsoft Intune allows your employees to download the “Microsoft Word” app and securely access company documents from that device. Meanwhile, inside of Microsoft EMS, IT can block access to certain users, devices, data, or apps. Furthermore, Intune can give you direct control over “corporate apps”, like installing certain apps upon deployment from a central console.

One great advantage of Microsoft Intune is that employees don’t have to give IT control over their entire device to ensure secure access to company data.

Azure Rights Management

In one phrase, Azure Rights Management is “document-level security”.  With Azure Rights Management, every single time protected data is viewed, a check is done to see if the person viewing the file is allowed to do so. You can block people based on:

  • Company (internal/external)
  • Employment status (for instance, a fired employee can’t view documents even if they’re on a USB stick)
  • Date of viewing
  • Azure Active Directory Profile information
  • …and much more.

Azure Rights Management is baked right into Office 365, so business users only notice it if they’re trying to access something they aren’t allowed to. But there’s a lot more to Azure Rights Management; if you’re interested in learning more, I highly recommend Microsoft’s website.

Microsoft Advanced Threat Analytics

In a phrase, Microsoft Advanced Threat Analytics is “real-time monitoring for security purposes”. Because Microsoft EMS is mostly in the cloud, all kinds of standardized data are collected. Microsoft EMS logs every access request, every document, every location, every device, every user, EVERYTHING. These logs are processed live to identify patterns of suspicious behavior:

  • Big-data analysis for anomalous behavior and suspicious activities
  • Detection of malicious attacks
  • Alerts for known risks

Because it’s based on machine learning, Microsoft Advanced Threat Analytics is always on and always improving itself. If a threat is detected, Microsoft EMS provides actionable recommendations to remedy the issue. Learn more about Microsoft’s commitment to security.

Who Uses Microsoft EMS?

The person who uses Microsoft EMS most frequently will be your “IT Guy”: the person in charge of setting up network security, employee devices, employee permissions, etc. Alternatively, EMS can be configured by a Microsoft Partner.

Every person in your organization is a Microsoft EMS “user”, but they should never know what it’s doing – it just works.


Microsoft EMS is a bundle of four Microsoft products that allows your IT team to retain control and ensure security, even though your employees want to work from their own devices. Its key benefits are:

  • Single sign-on to any app or service from any device
  • Secure access to company data from any device
  • Document-level security
  • Constant security monitoring