💼 Understanding Microsoft Intune Licensing: User vs Device Policy Assignments
Microsoft Intune licensing often confuses IT admins, especially when it comes to how user-based licenses interact with device-level policies. A Reddit thread highlighted this confusion, as administrators debated whether user-based Intune licenses can be used to assign policies, apps, and configurations directly to devices.
This guide explains the nuances between user-based and device-based Intune licensing, when to use each, and how policies apply in practical scenarios.
🧩 Scenario Overview
An administrator managing a small Intune environment (under 20 Windows 11 devices) wanted to know if user-based Intune Plan 1 or Plan 2 licenses would allow:
- Assigning device-level configurations such as Wi-Fi, VPN, and security baselines.
- Deploying apps and profiles that stay on the device even if another (unlicensed) user logs in.
The concern was about ensuring configurations and compliance remain consistent across shared or multi-user devices, especially when devices are used by unlicensed accounts or guests.
🧠 Core Clarifications from the Community
1. User-Based Intune Licenses Cover Both User and Device Policies
Most Intune licenses — including Microsoft Intune Plan 1, Plan 2, and Microsoft 365 bundles — are user-based. When a licensed user enrolls a device, that license extends to the device for the purpose of policy enforcement and management.
This means:
- The device can receive device-targeted configurations (like Defender, BitLocker, or Wi-Fi profiles).
- Apps and compliance settings assigned to device groups will still deploy correctly.
- The Intune service doesn’t require an additional device-based license unless the device is not linked to a specific user.
✅ Example:
If “Alice” has an Intune Plan 1 license and enrolls a Windows 11 device, that device can receive both:
- User-scoped policies (e.g., OneDrive configuration, app protection policies).
- Device-scoped policies (e.g., Endpoint Security, Disk Encryption, or Firewall policies).
2. Device Licenses Are for Non-User-Affiliated Scenarios
The Intune Device License exists for situations where a device:
- Is shared among multiple unlicensed users.
- Has no primary user (e.g., kiosks, conference room PCs, digital signage, or lab computers).
🔹 Key Restriction:
A device license cannot be used if the device is assigned to or primarily used by a licensed user.
In such cases, a user-based license is mandatory.
✅ Example Use Case:
- A shared device in a school lab that multiple students log into using temporary credentials.
- A self-service kiosk where no one signs in with a personal Microsoft 365 account.
For these, an Intune Device License can apply security baselines, kiosk mode restrictions, and app deployments at the device level without associating a specific user.
3. Policy Assignments Work Regardless of License Type
Even though the license type defines how Intune billing and compliance are handled, the policy assignment mechanism itself works independently. You can target:
- User groups — for configurations that follow the user across devices.
- Device groups — for configurations tied to the device, regardless of who signs in.
💡 Best Practice:
Use Assignment Filters in Intune to refine which devices get specific policies within a user-based license model. For example:
- Assign Wi-Fi, VPN, and Defender policies to all enrolled devices.
- Use filters to exclude personal BYOD devices or apply settings only to specific hardware models.
4. Conditional Access Controls Who Can Sign In
If your concern is unlicensed users signing into licensed devices, Conditional Access can enforce login restrictions:
- Block sign-ins from unlicensed accounts.
- Require MFA or compliance before access to resources.
- Ensure only approved users can use company-managed devices.
This ensures that even if a device is enrolled by a licensed user, access is controlled dynamically through Microsoft Entra ID (formerly Azure AD) and Intune compliance policies.
🧾 Real-World Example: Small Business Deployment
Imagine a small business with 15 employees using Windows 11 laptops.
- Each employee has Microsoft 365 Business Premium, which includes Intune Plan 1.
- The IT admin wants to apply:
  - Device encryption (BitLocker)
  - Firewall and Defender antivirus settings
  - Wi-Fi configuration
  - Company portal and required app deployments
In this case:
- The user-based Intune license allows both user and device policy application.
- The same Intune policy can be assigned to device groups for enforcement.
- If an unlicensed temporary user logs in, the device remains compliant, since the configuration applies at the system level.
For shared office PCs used by multiple people without Microsoft 365 accounts, the admin could purchase Intune Device Licenses instead to manage those systems without assigning licenses to each person.
🧩 License Comparison Summary
License Type | Assigned To | Use Case | Supports Device Policies | Supports User Policies | Typical Scenario |
---|---|---|---|---|---|
Intune Plan 1 / Plan 2 | User | General purpose, user devices | ✅ Yes | ✅ Yes | Employee laptops, tablets, phones |
Intune Device License | Device | Shared or kiosk devices | ✅ Yes | ❌ No | Labs, kiosks, shared terminals |
Microsoft 365 Business Premium | User | SMB all-in-one solution | ✅ Yes | ✅ Yes | Standard business deployments |
Microsoft 365 E3 / E5 | User | Enterprise-level configuration | ✅ Yes | ✅ Yes | Enterprise desktops and mobile devices |
⚙️ Licensing Tips and Best Practices
- Always License Primary Users: Ensure each person who owns or regularly uses a device has a valid Intune or Microsoft 365 license.
- Avoid Mixing License Types on the Same Device: Don’t assign both user-based and device-based licenses to the same endpoint. It can cause compliance tracking conflicts.
- Use Device Licenses for Shared Scenarios: Deploy device licenses for non-user devices, like kiosks or meeting room PCs.
- Verify Licensing in Microsoft 365 Admin Center: Check license assignments under Users > Active Users > Licenses and Apps.
- Monitor Policy Conflicts: Use Intune’s Devices > Monitor > Policy Conflicts to ensure user-based and device-based settings aren’t overlapping incorrectly.
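The rules in this guide (license primary users, use device licenses only for devices with no primary user, don't mix both on one endpoint) can be checked against a device inventory. The script below is an added example, not part of the original guide or any Microsoft tooling; the `Device` fields and the sample users and devices are constructed, and the field names are assumptions rather than an Intune export schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    name: str
    primary_user: Optional[str]  # UPN, or None for kiosk/shared devices
    device_license: bool         # True if an Intune device license is assigned

# Constructed sample data, not a real tenant export.
LICENSED_USERS = {"alice@contoso.example", "bob@contoso.example"}
DEVICES = [
    Device("LAPTOP-01", "Alice@contoso.example", False),  # licensed user
    Device("LAPTOP-02", "temp1@contoso.example", False),  # unlicensed user
    Device("KIOSK-01", None, True),                       # kiosk with device license
    Device("LAB-PC-03", None, False),                     # shared PC, nothing assigned
    Device("LAPTOP-04", "bob@contoso.example", True),     # both license types
]

def audit_device(dev, licensed_users):
    """Classify one device as ok, gap or conflict under the guide's rules."""
    licensed = {u.lower() for u in licensed_users}  # UPNs are case-insensitive
    if dev.primary_user is None:
        if dev.device_license:
            return ("ok", "no primary user, covered by device license")
        return ("gap", "no primary user and no device license")
    if dev.primary_user.lower() not in licensed:
        # A device license does not replace licensing the primary user.
        return ("gap", "primary user has no user-based license")
    if dev.device_license:
        return ("conflict", "user-based and device-based license on one device")
    return ("ok", "covered by primary user's license")

def audit(devices, licensed_users):
    """Return {device name: (status, reason)} for the whole inventory."""
    return {d.name: audit_device(d, licensed_users) for d in devices}

if __name__ == "__main__":
    for name, (status, reason) in audit(DEVICES, LICENSED_USERS).items():
        print(f"{name:10} {status:9} {reason}")
```
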