Manage Microsoft Defender for Endpoint subscription settings across client devices

In Defender for Endpoint, a mixed-licensing scenario is a situation in which an organization is using a mix of Defender for Endpoint Plan 1 and Plan 2 licenses. The following table describes examples of mixed-licensing scenarios:

Scenario Description
Mixed tenant Use different sets of capabilities for groups of users and their devices. Examples include:
- Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2
- Microsoft 365 E3 and Microsoft 365 E5
Mixed trial Try a premium level subscription for some users. Examples include:
- Defender for Endpoint Plan 1 (purchased for all users), and Defender for Endpoint Plan 2 (a trial subscription has been started for some users)
- Microsoft 365 E3 (purchased for all users), and Microsoft 365 E5 (a trial subscription has been started for some users)
Phased upgrades Upgrade user licenses in phases. Examples include:
- Moving groups of users from Defender for Endpoint Plan 1 to Plan 2
- Moving groups of users from Microsoft 365 E3 to E5

Until recently, mixed-licensing scenarios weren't supported; in cases of multiple subscriptions, the highest functional subscription would take precedence for your tenant. Now, you can manage your subscription settings to accommodate mixed licensing scenarios across client devices. These capabilities enable you to:

  • Set your tenant to mixed mode and tag devices to determine which client devices will receive features and capabilities from each plan (we call this option mixed mode); OR,
  • Use the features and capabilities from one plan across all your client devices.

You can also use a newly added license usage report to track status.

Note

If you're using Microsoft Defender for Business and you want to switch to Defender for Endpoint Plan 2, see Change your endpoint security subscription.

Set your tenant to mixed mode and tag devices

Important

  • Mixed-mode settings apply to client endpoints only. Tagging server devices won't change their subscription state. All server devices running Windows Server or Linux should have appropriate licenses, such as Defender for Servers. See Options for onboarding servers.
  • Make sure to follow the procedures in this article to try mixed-license scenarios in your environment. Assigning user licenses in the Microsoft 365 admin center (https://admin.microsoft.com) doesn't set your tenant to mixed mode.
  • You should have active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2.
  • To access license information, you must have one of the following roles assigned in Microsoft Entra ID:
    • Security Administrator
    • License Administrator and Defender for Endpoint Administrator
  1. As an admin, go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Endpoints > Licenses. Your usage report opens and displays information about your organization's Defender for Endpoint licenses.

  3. Under Subscription state, select Manage subscription settings.

    Note

    If you don't see Manage subscription settings, at least one of the following conditions is true:

    • You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or
    • Mixed-license capabilities haven't rolled out to your tenant yet.
  4. A Subscription settings flyout opens. Choose the option to use Defender for Endpoint Plan 1 and Plan 2. (No changes will occur until devices are tagged as per the next step.)

  5. Tag the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. You can choose to tag your devices manually or by using a dynamic rule. Learn more about device tagging.

    Method Details
    Tag devices manually To tag devices manually, create a tag called License MDE P1 and apply it to devices. To get help with this step, see Create and manage device tags.

    Note that devices that are tagged with the License MDE P1 tag using the registry key method will not receive downgraded functionality. If you want to tag devices by using the registry key method, use a dynamic rule instead of manual tagging.
    Tag devices automatically by using a dynamic rule Dynamic rule functionality is new for mixed-license scenarios! It allows you to apply a dynamic and granular level of control over how you manage devices.

    To use a dynamic rule, you specify a set of criteria based on device name, domain, operating system platform, and/or device tags. Devices that meet the specified criteria will receive the Defender for Endpoint Plan 1 or Plan 2 capabilities according to your rule.

    As you define your criteria, you can use the following condition operators:
    - Equals / Not equals
    - Starts with
    - Contains / Does not contain

    For Device name, you can use freeform text.

    For Domain, select from a list of domains.

    For OS platform, select from a list of operating systems.

    For Tag, use the freeform text option. Type the tag value that corresponds to the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. See the example in More details about device tagging.

    Device tags are visible in the Device inventory view and in the Defender for Endpoint APIs.

    Note

    Dynamically added Defender for Endpoint P1 tags are not currently filterable in the Device inventory view.

  6. Save your rule and wait for up to three (3) hours for tags to be applied. Then, proceed to Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities.

More details about device tagging

As described in Tech Community blog: How to use tagging effectively, device tagging provides you with granular control over devices. With device tags, you can:

  • Display certain devices to individual users in the Microsoft Defender portal so that they see only the devices they're responsible for.
  • Include or exclude devices from specific security policies.
  • Determine which devices should receive Defender for Endpoint Plan 1 or Plan 2 capabilities.

For example, suppose that you want to use a tag called VIP for all the devices that should receive Defender for Endpoint Plan 2 capabilities. Here's what you would do:

  1. Create a device tag called VIP, and apply it to all the devices that should receive Defender for Endpoint Plan 2 capabilities. Use one of the following methods to create your device tag:

  2. Set up a dynamic rule using the condition operator Tag Does not contain VIP. In this case, all devices that do not have the VIP tag will receive the License MDE P1 tag and Defender for Endpoint Plan 1 capabilities.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities

After you have assigned Defender for Endpoint Plan 1 capabilities to some or all devices, you can verify that an individual device is receiving those capabilities.

  1. In the Microsoft Defender portal (https://security.microsoft.com), go to Assets > Devices.

  2. Select a device that is tagged with License MDE P1. You should see that Defender for Endpoint Plan 1 is assigned to the device.

Note

Devices that are assigned Defender for Endpoint Plan 1 capabilities don't have any vulnerabilities or security recommendations listed.

Review license usage

The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices. To learn more about license terms, see Microsoft Licensing.

To reduce management overhead, there's no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimation that is calculated based on device usage seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices.

Important

To access license information, you must have one of the following roles assigned in Microsoft Entra ID:

  • Security Administrator
  • License Administrator and Defender for Endpoint Administrator
  1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Choose Settings > Endpoints > Licenses.

  3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Endpoint.

More resources

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.