Manage Microsoft Defender for Endpoint subscription settings across client devices (preview!)
A mixed-licensing scenario is a situation in which an organization uses a mix of Defender for Endpoint Plan 1 and Plan 2 licenses. Until recently, mixed-licensing scenarios weren't supported; when a tenant had multiple subscriptions, the highest functional subscription took precedence for the whole tenant. The ability to manage your subscription settings to accommodate mixed-licensing scenarios across client devices is now in preview! These capabilities enable you to:
- Set your tenant to mixed mode and tag devices to determine which client devices will receive features and capabilities from each plan (we call this option mixed mode); OR,
- Use the features and capabilities from one plan across all your client devices.
Set your tenant to mixed mode and tag devices
- Mixed-mode settings apply to client endpoints only. Tagging server devices won’t change their subscription state. All server devices running Windows Server or Linux should have appropriate licenses, such as Defender for Servers. See Options for onboarding servers.
- Make sure to follow the procedures in this article to try mixed-license scenarios in your environment. Assigning user licenses in the Microsoft 365 admin center (https://admin.microsoft.com) doesn't set your tenant to mixed mode.
- Make sure that you have opted in to receive preview features.
- You should have active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2.
- To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):
  - Global Admin
  - Security Admin
  - License Admin + MDE Admin
As an admin, go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
Go to Settings > Endpoints > Licenses. Your usage report opens and displays information about your organization’s Defender for Endpoint licenses.
Under Subscription state, select Manage subscription settings.
If you don't see Manage subscription settings, at least one of the following conditions is true:
- You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or
- Mixed-license capabilities haven't rolled out to your tenant yet.
A Subscription settings flyout opens. Choose the option to use Defender for Endpoint Plan 1 and Plan 2. (No changes will occur until devices are tagged as per the next step.)
Tag the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. You can choose to tag your devices manually or by using a dynamic rule. Learn more about device tagging.
Method: Tag devices manually
To tag devices manually, create a tag called License MDE P1 and apply it to devices. To get help with this step, see Create and manage device tags.
Note that devices that are tagged with the License MDE P1 tag using the registry key method will not receive downgraded functionality. If you want to tag devices by using the registry key method, use a dynamic rule instead of manual tagging.
Method: Tag devices automatically by using a dynamic rule
Dynamic rule functionality is new for mixed-license scenarios! It allows you to apply a dynamic and granular level of control over how you manage devices.
To use a dynamic rule, you specify a set of criteria based on device name, domain, operating system platform, and/or device tags. Devices that meet the specified criteria will receive the Defender for Endpoint Plan 1 or Plan 2 capabilities according to your rule.
As you define your criteria, you can use the following condition operators:
- Does not contain
The value you supply depends on the criterion:
- For Device name, you can use freeform text.
- For Domain, select from a list of domains.
- For OS platform, select from a list of operating systems.
- For Tag, use the freeform text option. Type the tag value that corresponds to the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. See the example in More details about device tagging.
Device tags are visible in the Device inventory view and in the Defender for Endpoint APIs.
Dynamically added Defender for Endpoint P1 tags are not currently filterable in the Device inventory view.
Save your rule and wait for up to three (3) hours for tags to be applied. Then, proceed to Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities.
More details about device tagging
As described in Tech Community blog: How to use tagging effectively, device tagging provides you with granular control over devices. With device tags, you can:
- Display certain devices to individual users in the Microsoft 365 Defender portal so that they see only the devices they're responsible for.
- Include or exclude devices from specific security policies.
- Determine which devices should receive Defender for Endpoint Plan 1 or Plan 2 capabilities. (This capability is now in preview!)
For example, suppose that you want to use a tag called VIP for all the devices that should receive Defender for Endpoint Plan 2 capabilities. Here's what you would do:
Create a device tag called VIP, and apply it to all the devices that should receive Defender for Endpoint Plan 2 capabilities. Use one of the following methods to create your device tag:
Set up a dynamic rule using the condition operator Tag Does not contain VIP. In this case, all devices that do not have the VIP tag will receive the License MDE P1 tag and Defender for Endpoint Plan 1 capabilities.
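The following script is an added example, not Microsoft's code, that models the dynamic rule described above and in the VIP walkthrough offline so you can predict which devices will end up on Plan 1 before the tags propagate. It evaluates the page's four criteria with the Does not contain operator over a constructed inventory, and reports servers separately because mixed-mode settings apply to client endpoints only; the set of OS platform values treated as servers is an assumption.

```python
# Added example (not Microsoft's code): offline pre-check of the dynamic rule
# "Tag Does not contain VIP". Client devices whose tags do not contain VIP get
# the License MDE P1 tag (Plan 1); others stay on Plan 2. Servers are reported
# separately because mixed-mode settings apply to client endpoints only.
from dataclasses import dataclass, field

P1_TAG = "License MDE P1"
# Assumption: OS platform values this check treats as servers.
SERVER_PLATFORMS = {"WindowsServer2019", "WindowsServer2022", "Linux"}

@dataclass
class Device:
    name: str
    domain: str
    os_platform: str
    tags: list = field(default_factory=list)

def matches(device, criterion, operator, value):
    """Evaluate one condition; for Tag, any of the device's tags may match."""
    if criterion == "Tag":
        hit = any(value in t for t in device.tags)
    else:
        hit = value in {"Device name": device.name, "Domain": device.domain,
                        "OS platform": device.os_platform}[criterion]
    if operator != "Does not contain":   # the only operator shown on the page
        raise ValueError(f"unsupported operator: {operator}")
    return not hit

def plan_assignments(devices, rule):
    """Map device name -> 'Plan 1', 'Plan 2' or 'server (unaffected)'."""
    result = {}
    for d in devices:
        if d.os_platform in SERVER_PLATFORMS:
            result[d.name] = "server (unaffected)"   # tagging servers changes nothing
        elif matches(d, *rule):
            d.tags.append(P1_TAG)                    # the tag the rule applies
            result[d.name] = "Plan 1"
        else:
            result[d.name] = "Plan 2"
    return result

SAMPLE = [  # constructed inventory rows
    Device("LAPTOP-01", "contoso.com", "Windows11", ["VIP"]),
    Device("LAPTOP-02", "contoso.com", "Windows10"),
    Device("SRV-FILE01", "contoso.com", "WindowsServer2022"),
]

if __name__ == "__main__":
    for n, p in plan_assignments(SAMPLE, ("Tag", "Does not contain", "VIP")).items():
        print(f"{n}: {p}")
```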
Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities
After you have assigned Defender for Endpoint Plan 1 capabilities to some or all devices, you can verify that an individual device is receiving those capabilities.
In the Microsoft 365 Defender portal (https://security.microsoft.com), go to Assets > Devices.
Select a device that is tagged with License MDE P1. You should see that Defender for Endpoint Plan 1 is assigned to the device.
Devices that are assigned Defender for Endpoint Plan 1 capabilities will not have vulnerabilities or security recommendations listed.
Review license usage
The license usage report is estimated based on sign-in activities on the device. To reduce management overhead, there is no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimate calculated from the utilization seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices.
To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):
- Security Admin
- Global Admin
- License Admin + MDE Admin
Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
Choose Settings > Endpoints > Licenses.
Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Endpoint.
- Compare Microsoft endpoint security plans
- Licensing and product terms for Microsoft 365 subscriptions.
- How to contact support for Defender for Endpoint.
- Get started with Microsoft Security (trial offers)
- Microsoft Defender for Endpoint
- Microsoft Defender for Business (endpoint protection for small and medium-sized businesses)