Posts

Showing posts from October, 2024

Mixed mode Defender subscription & licensing for endpoints

I was recently asked by a customer about the possibility of using mixed licensing for Defender for Endpoint across their endpoints. They had both MDE Plan 1 and Plan 2 licenses, as part of M365 E3 and E5 respectively, but wanted all Windows endpoints to be moved to MDE Plan 1 capabilities until all the features under Plan 2 had been tested. For a long time this was not possible: where multiple subscriptions existed, the subscription with the highest functionality took precedence across the tenant. But not anymore. Microsoft now supports the use of a mixture of subscriptions and licenses. Some of the most common scenarios are:

1. Mixed tenant - Different sets of capabilities for groups of users and their devices, based on licenses such as MDE Plan 1 and Plan 2, or Microsoft 365 E3 and E5.
2. Mixed trial - A mixture of full and trial licenses, such as MDE Plan 1 / M365 E3 (purchased for all users) and MDE Plan 2 / M365 E5 trial (purchased for some users).
3. Phased upgrades - Upgrade user licenses in phases by m

'Device States' in Conditional Access for both Corporate and Personal Intune managed devices - A retrospect

Source: Microsoft

With the help of Microsoft Intune, organizations can use the device states that enrolled devices return to Entra ID to identify whether those devices meet specific policy compliance requirements, and accordingly enforce controls to grant or block access to corporate resources.

With device states, once the user has successfully authenticated, a Primary Refresh Token (PRT) containing both user and device claims is issued. With conditional access policies requiring either a device-based control or a multifactor authentication control in place, the policy requirement can be met through the device state carried in the PRT without attempting MFA. This is because when a PRT requests access to an application, its device, session, and MFA claims are trusted by Microsoft Entra ID. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, providing users a resilient experience.

With the currently available device states, Microsoft recommen