What does the EMS add to Office 365?


The Enterprise Management Suite from Microsoft, as the name suggests, is a combination of products and is primarily aimed at organizations who have migrated to or are planning to migrate to Office 365. EMS includes mobile device management, advanced identity tools, document encryption and tools to help detect threats.

In this article, we’ll compare what EMS adds in addition to Office 365. What do you get with Office 365? Is it enough for what you need? What does EMS add and why might it be an essential addition…

Device management

Just a few years ago there was a clear difference between mobile devices and desktop devices. Tablets have blurred the line, with Apple and Android devices scaling up to tablet size from smartphone and Windows 8 and above scaling down to tablet size, and with the release of Windows 10 providing a common platform across phone, tablet and the desktop.

With EMS

InTune is Microsoft’s answer to the problem of managing all these devices. InTune provides core Mobile Device Management (MDM) functionality, such as ensuring the security of the device is maintained, managing profiles for email and VPN, restricting the functionality that can be used, deploying applications to devices and providing sand-boxing of applications to allow personal and corporate applications to co-exist.

Securing and managing devices is critical to most organizations, because the loss of data could result in heavy fines, breach of legislation or loss of revenue.

In addition to base MDM features, InTune works with Exchange Online and Exchange On-Premises to ensure that only managed devices can connect to Exchange, as covered in my previous tip. This is called conditional access and allows policies to be created to ensure that only compliant devices (such as those connected and reporting their status) can receive email.

Without EMS

If you don’t add InTune to your Office 365 subscription all is not lost. Firstly, you can still utilize the fairly capable functionality provided with Exchange Online ActiveSync to enforce device PINs, remotely wipe devices; of course these features are only aimed at ActiveSync emails and do not cover non-email usage and will not provide any visibility into the current device status.

Office 365 Mobile Device Management fills the gap between ActiveSync’s base functionality and InTune. Office 365 MDM is based on InTune and uses the same management applications on each device. Functionality to ensure mobile email policies are managed for Exchange Online users is included, along with advanced features like conditional access.

What you don’t get is the application deployment and management capabilities. If you want to deploy and manage Outlook for iPad, for example, you will need to look to the full InTune provided with EMS.

Information Rights Management

You can use Information Rights Management functionality to encrypt files and documents and enforce restrictions on what a recipient can do with a message. The IRM technology in Office 365 and EMS is known as Azure Rights Management Services (RMS) and is natively supported by modern versions of Microsoft Office, can be used to protect email, and via the RMS Sharing Application can also protect other files, like images. Azure RMS uses AES 128-bit encryption to encrypt files. Rather than require users to maintain keys, Azure RMS grants access based on the Azure AD identity.

Without EMS

You get most functionality you’ll need in Office 365 without adding EMS on. The Office 365 integrated RMS that comes with the E3 plan includes the core functionality required to protect Office 365 data. That means administrators can define templates, for example to prevent reply-all to emails, stop forwarding, remove the ability to print or copy a document, or edit. Users can elect to use the templates as-is or create their own combination of protection settings.

In addition to protecting files and email in the Office clients, the ability to protect email messages in Exchange Server is baked in. As an administrator, Transport Rules can be configured to protect mail using RMS if needed. Within SharePoint Online similar functionality can also be configured. Documents are not encrypted within SharePoint Online but certain document libraries can be configured so that when a document is downloaded, it will automatically be protected by RMS at the time of access.

If you are running Office 365 in Hybrid mode, with on-premises Exchange or SharePoint servers, the included RMS Connector allows the same protection to be applied.

In addition to RMS, another IRM technology is included, Office 365 Message Encryption. This provides the ability to configure a Transport Rule to protect certain messages using HTTPS-based encryption. A protected message sent by email has the content removed and replaced by a link to a specific Office 365 portal. The message contents can then be read securely, protected by a HTTPS channel.

With EMS

If you purchase EMS, you’ll get the Azure RMS Premium version. This adds additional functionality enabling on-premises file servers to use File Classification Infrastructure (FCI) to automatically apply RMS to files. To make use of this functionality the RMS connector is deployed, connecting the Windows Servers to the Azure RMS infrastructure.

Powerful end-user functionality is also included with the EMS version of RMS. Users can choose to revoke access to documents at any time – handy if the wrong version of a document was sent or the person with access no longer has a need to access the content. The ability to track usage is also included. This is particularly handy when the document is being distributed to a wide audience.

Azure Active Directory

The service that stores user information for Office 365 is known as Azure AD. This is often synchronized to the local on-premises Active Directory using a tool known as Azure AD Connect. Password hashes can be synced to Azure AD along with user details, or an on-premises installation of Active Directory Federation Services (AD FS) can be used to ensure that the user IDs mirrors in Azure AD use the local AD to verify passwords.

Without EMS

Office 365 comes with Azure AD Free. This provides all the out of the box capabilities for synchronizing directories with local AD, customization of login pages and for Cloud IDs (logins that are not synchronized with a local AD domain), self-service password reset and multi-factor authentication when logging into Office 365.

In addition to using your Azure AD with Office 365, you can also use applications with support for login with Azure AD identities – including Salesforce, Dropbox and others.

With EMS

EMS adds Azure AD Premium. This adds a range of functionality, including self-service password reset with write-back to the local AD for all users, multi-factor authentication for all Azure services and even on-premises applications with advanced controls, self-service group management, advanced reports and alerts and security controls to restrict where logins can occur from. For example, the reports within Azure AD Premium allow security teams to identify user logins from unusual places and potentially uncover compromised accounts.

Azure AD Premium also includes licensing for additional tools. Microsoft Identity Manager (MIM) – formally FIM – allows for advanced on-premises identity management. For example, if you have a compatible HR system you can connect it to MIM and use it to provision accounts or keep the accounts up to data with current information.

Azure AD Connect Health adds in additional functionality to help ensure your on-premises Active Directory remains healthy. Installed alongside the sync tool, Azure AD Connect, the health module provides alert management, performance and usage patterns.

Cloud App Discovery is useful when attempting to expand the list of applications managed by Azure AD. Installed on user desktops, Cloud App Discovery monitors the cloud-based services users access to provide detailed analysis helping administrators discover which existing applications could be brought under the control of Azure AD.

Advanced Threat Analytics

ATA is a component within EMS that has no equivalent or basic version in Office 365. ATS is firmly aimed at your on-premises environment. ATA runs on on-premises servers and reports into the cloud. It looks at the normal day to day behaviour within your organization and detects malicious threats or security issues.


EMS provides a lot of additional functionality on top of the core Office 365 capabilities. It is important to know what you do get – as many organizations may find that the out of the box capabilities of Office 365 are good enough. Like any technology it’s important to understand if you truly need it before buying it.