Defender for Endpoint

Question

I have Microsoft Defender for Endpoint Plan 1 license, and all user already joined to the AAD.

In the security portal why the license used is 0, is there any configuration needed?

Answer 1

Hello @Handian Sudianto ,
When the Microsoft Defender for Endpoint Plan 1 license shows 0 used in the Microsoft 365 security portal, even though devices are joined to Azure AD, it usually means the service hasn’t been activated or devices aren’t reporting correctly. Here are the key checks and configurations:

✅ 1. Confirm License Assignment

Ensure the Defender for Endpoint Plan 1 license is assigned to the users in Microsoft 365 Admin Center.

Go to Users → Active Users → Select User → Licenses and Apps and verify the license is active.

✅ 2. Enable Defender for Endpoint in Security Settings

In Microsoft 365 Security & Compliance portal, navigate to:

Settings → Endpoints → Advanced Features

Confirm Microsoft Defender for Endpoint is turned ON.

✅ 3. Onboard Devices

Plan 1 requires devices to be onboarded to Defender for Endpoint.

Check if devices have the Microsoft Defender for Endpoint agent installed and are reporting to the service.

You can onboard via:

Microsoft Endpoint Manager (Intune)

Group Policy

Local script

After onboarding, verify in Security Portal → Devices that endpoints appear.

✅ 4. Verify Security Portal Sync

Sometimes the portal shows 0 licenses used because:

Devices are not yet reporting telemetry.

The sync between AAD and Defender service hasn’t completed.

It can take up to 24 hours after onboarding for usage to reflect.

✅ 5. Check Role Permissions

Ensure you have Security Administrator or Global Administrator role to view license usage.

Common Causes:

License assigned but service not enabled.

Devices joined to AAD but not onboarded to Defender for Endpoint.

Reporting delay after onboarding.
*
If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.*