Optimizing endpoint security with Microsoft Defender for Endpoint’s flexible licensing options

Microsoft is committed to delivering best-of-breed, multi-platform, and multi-cloud security for all organizations on the planet. Our aim is to offer simplified, comprehensive protection that prevents breaches and enables our customers to innovate and grow, delivering security for all. As part of that commitment, last year our foundational set of industry-leading prevention and protection capabilities became available for customers to purchase through Microsoft Defender for Endpoint Plan 1. This offering is available as a standalone and also through various packages, including Microsoft 365 E3/A3. It delivers on our endpoint security promise to help organizations of all sizes rapidly stop attacks, scale their security resources, and evolve their defenses.

As the largest market share leader for endpoint security, we've seen a growing segment of customers consuming a mix of SKUs, such as Defender for Endpoint Plan 1 and Plan 2. Customers sometimes need different sets of capabilities on devices in a single environment, depending on the level of risk associated with each device. To accommodate these mixed licensing scenarios, Defender for Endpoint customers can now control how licenses are applied with minimal friction and management overhead.

This new preview capability, mixed licensing support, allows customers to use different Defender for Endpoint licenses on different devices, depending on their security needs, without having to set up multiple subscriptions. They can access a report that details the current license state and usage.

In this article, we'll explore the available mixed licensing scenarios and provide a guide on how to try them out in your environment. For full details, please see "Manage your Microsoft Defender for Endpoint subscription settings across client devices" on Microsoft Learn.

Please note:

  • This feature applies only to client endpoints. All server devices should have the relevant Defender for Server Plan 2 licenses and capabilities. Tagging server devices won't change their subscription state.

  • Assigning user licenses in Microsoft 365 is not supported for Defender for Endpoint mixed-licensing scenarios. Follow the guidance in this document to try mixed-license scenarios.

  • Make sure that you have opted in to receive preview features.

Phase 1: Mixed mode enablement
You should have active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2, or Microsoft Defender for Server Plan 1/Plan 2, and one of the following roles assigned in Azure: Global Admin, Security Admin, or License Admin + MDE Admin.

  1. As an admin, go to the Microsoft 365 Defender portal and sign in. Go to Settings > Endpoints > Licenses.
    Your view should now include a usage report. Make sure the report reflects the set of Defender for Endpoint Plan 1/Plan 2 licenses available across your tenant.

  2. If you would like to change from Defender for Endpoint Plan 2 to Plan 1 (across all devices), this option is available to you.

  3. To put your subscription state into a mixed mode (Defender for Endpoint Plan 1 and Plan 2), select Manage subscription settings. No changes should take place until devices are tagged.

  4. To tag a device to use only Defender for Endpoint P1 capabilities, use the License MDE P1 tag. You can tag a device manually or through an API (tagging through the registry should not work in this case). For more details see: Create and manage device tags.

  5. Validate that the device page was updated to reflect only Defender for Endpoint Plan 1 capabilities, and that a new field called Device subscription state was added to the device properties. To view the device page, go to Assets > Devices, select a device, and then view the device details page.

  6. The license usage report estimates utilization across your organization. It might take up to 3 hours for a tag assignment to propagate to this report.

Phase 2: Mixed mode – Validate license assignment at scale using dynamic tagging.

You can define the Defender for Endpoint Plan 1 tagging criteria easily at scale using the new dynamic tagging engine.
Dynamic rules help manage device context by assigning tags and device values automatically based on certain criteria, which saves time and ensures accuracy. For example, a rule can tag devices running a specific OS version, or assign a value to devices that follow a particular naming convention. Dynamic rules also keep devices current by removing tags or updating values when the criteria are no longer met.
The dynamic engine assigns the "License MDE P1" tag to every device that meets the specified condition.

1. As an admin, go to the Microsoft 365 Defender portal and sign in.
Go to Settings > Endpoints > Licenses and then select Manage subscription settings. Select the Dynamic rule option.


2. Specify one or more criteria for client endpoints, so that matching devices are tagged with "License MDE P1" by dynamic tagging.


3. Save your rule. Check after 3 hours for the updated tagging and usage report.
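Step 4 of Phase 1 mentions tagging through an API, and Phase 2 describes a rule that adds the "License MDE P1" tag when a device matches criteria and removes it when it no longer does. The following Python script is an added example, not code from the original post or from Microsoft; it shows both halves of that reconciliation against the documented Defender for Endpoint machine-tag endpoint (POST /api/machines/{id}/tags with a Value/Action body). It also honours the note above that only client endpoints are in scope, by skipping Windows Server platforms. The device records, host names and machine ids are constructed sample data; the `send_request` function assumes you already hold an OAuth bearer token for the API (token acquisition is not shown), and the `sender` parameter exists so the logic can be dry-run without network access.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterable, List

# Documented Microsoft Defender for Endpoint API base and the tag this page uses.
MDE_API = "https://api.securitycenter.microsoft.com/api"
P1_TAG = "License MDE P1"


def is_client_endpoint(machine: dict) -> bool:
    """True for client OS platforms. Server devices are out of scope for mixed
    licensing (tagging them does not change their subscription state), so the
    check below treats any 'WindowsServer*' osPlatform value as a server
    (assumption: other platforms are handled by your own policy)."""
    return not machine.get("osPlatform", "").startswith("WindowsServer")


def select_for_add(machines: Iterable[dict], criteria: Callable[[dict], bool]) -> List[str]:
    """Client endpoints that match the rule and do not yet carry the P1 tag."""
    return [
        m["id"]
        for m in machines
        if is_client_endpoint(m)
        and P1_TAG not in m.get("machineTags", [])
        and criteria(m)
    ]


def select_for_remove(machines: Iterable[dict], criteria: Callable[[dict], bool]) -> List[str]:
    """Client endpoints that still carry the P1 tag but no longer match the rule."""
    return [
        m["id"]
        for m in machines
        if is_client_endpoint(m)
        and P1_TAG in m.get("machineTags", [])
        and not criteria(m)
    ]


def build_tag_request(machine_id: str, tag: str = P1_TAG, action: str = "Add"):
    """URL and JSON body for the machine-tag API; Action must be Add or Remove."""
    if action not in ("Add", "Remove"):
        raise ValueError("action must be 'Add' or 'Remove'")
    return f"{MDE_API}/machines/{machine_id}/tags", {"Value": tag, "Action": action}


def send_request(url: str, body: dict, token: str) -> int:
    """Real sender: POST the body with a bearer token and return the HTTP status."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # network call; not used in the dry run
        return resp.status


def apply_tags(machine_ids: Iterable[str], action: str, sender, token: str) -> Dict[str, int]:
    """Apply one tag action to each machine and map machine id -> HTTP status."""
    results = {}
    for mid in machine_ids:
        url, body = build_tag_request(mid, action=action)
        results[mid] = sender(url, body, token)
    return results


# Constructed sample inventory in the shape returned by GET /api/machines.
SAMPLE_MACHINES = [
    {"id": "m1", "computerDnsName": "kiosk-01.contoso.local", "osPlatform": "Windows11", "machineTags": []},
    {"id": "m2", "computerDnsName": "kiosk-02.contoso.local", "osPlatform": "Windows10", "machineTags": [P1_TAG]},
    {"id": "m3", "computerDnsName": "kiosk-srv.contoso.local", "osPlatform": "WindowsServer2022", "machineTags": []},
    {"id": "m4", "computerDnsName": "fin-laptop-07.contoso.local", "osPlatform": "Windows11", "machineTags": []},
    {"id": "m5", "computerDnsName": "hr-desktop-03.contoso.local", "osPlatform": "Windows10", "machineTags": [P1_TAG]},
]


def kiosk_rule(machine: dict) -> bool:
    """Example naming-convention criterion: shared kiosks only need Plan 1."""
    return machine.get("computerDnsName", "").startswith("kiosk-")


def dry_run_sender(url: str, body: dict, token: str) -> int:
    """Stand-in sender that records nothing and reports success."""
    return 200


def reconcile(machines: Iterable[dict], criteria, sender=dry_run_sender, token="<token>"):
    """One pass of the rule: add the tag where it is missing, remove it where stale."""
    machines = list(machines)
    return {
        "added": apply_tags(select_for_add(machines, criteria), "Add", sender, token),
        "removed": apply_tags(select_for_remove(machines, criteria), "Remove", sender, token),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_MACHINES, kiosk_rule), indent=2))
```

In the dry run, only m1 is added (m2 already carries the tag, m3 is a server, m4 does not match) and only m5 is removed, which is the same add-and-remove behaviour the dynamic rule performs for you in the portal; swap `dry_run_sender` for `send_request` with a real token to apply the changes.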


By following the steps outlined in this article and documentation, you can enable mixed licensing support and validate license assignment at scale using dynamic tagging. This will not only help you optimize your licensing usage and save costs, but also ensure compliance with your licenses in your environment.


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.