Mixed mode Defender subscription & licensing for endpoints
I was recently asked by a customer about the possibility of using mixed licensing for Defender for Endpoint for endpoints. They had both MDE plan 1 and plan 2 licenses as part of M365 E3 and E5 respectively, but wanted all the Windows endpoints to be moved to MDE plan 1 capabilities until all the features under plan 2 were tested out. For a long time this was not possible and in cases of multiple subscriptions, the highest functional subscription would take precedence in the tenant. But not anymore. Microsoft now supports use of a mixture of subscriptions & licenses. Some of the most common scenarios are -
1. Mixed tenant - Different sets of capabilities for groups of users and their devices based off licenses like MDE plan 1 & plan 2, Microsoft 365 E3 & E5.
2. Mixed trial - Mixture of full and trial licenses like MDE plan 1, M365 E3 (purchased for all users) & MDE plan 2, M365 E5 trial (purchased for some users)
3. Phased upgrades - Upgrade user licenses in phases by moving users from MDE plan 1 to plan 2 and M365 E3 to E5.
There are some caveats to mixed licensing -
1. Mixed-mode settings apply to client endpoints only. Servers are not supported at the time of writing this blog.
2. Assigning user licenses in the Microsoft 365 admin center alone doesn't set the tenant to mixed mode.
3. At a minimum an active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2 is needed.
Assigning the licenses in the M365 Admin Center
1. Navigate to Microsoft 365 admin center.
2. Go under the licenses and assign the licenses based on requirements and availability. For all intents and purposes, I am using a mixed licensing between M365 E5 which gives MDE plan 2 capabilities and standalone MDE plan 1 trial.
Configuring mixed mode in the Defender subscription settings & creating dynamic tagging asset rule
1. Navigate to Microsoft Defender portal.
2. Go to Settings > Endpoints > Licenses.
3. Under Subscription state, select Manage subscription settings.
4. Choose the option to use Defender for Endpoint Plan 1 and Plan 2.
5. Create the Dynamic tagging rule. (Note: This step is important for mixed mode licensing to take into effect.)
Note: Again, for all intents and purposes, I am creating a dynamic rule looking at a specific device name. In a production setup, you can specify a set of criteria based on device name, domain, operating system platform, and/or device tags.
There is also the option to manually tag endpoints or use Intune through a custom profile, but I will personally recommend dynamic tagging for its simplicity and the fact it is directly configurable from the Defender portal. Tagged devices will get plan 1 capabilities, all other devices will received plan 2 capabilities. Once again and at the time of writing this blog, servers are not supported for dynamic tagging.
The tagging and license usage report can take some time to update. In my experience, the information got updated in both customer's and my own tenant under 30 minutes, but it can take up to 3 hrs for tagging and 1 hr for usage report to update, so patience is the key. :-)
Validation
The targeted device as per the dynamic rule, got tagged with 'License MDE P1'. It also didn't have the P2 capabilities like vulnerabilities and security recommendations listing in the device page in the inventory.
Here is an example of a device with P2 capabilities.
The subscription switched to mixed mode licensing and the license usage report updated as well.
Final thoughts..
The best part is that there is no requirement for device-to-user mapping and assignment. The only thing is missing is support for servers. Since servers can be managed using Defender portal as well, it will be great if a similar mixed licensing can be achieved for Defender for Servers. Nonetheless, mixed mode licensing for MDE is a welcome feature.
Comments
Post a Comment