Azure AD Dynamic Device Group Managed by MDE Defender for Endpoint | MicrosoftSense

Let’s learn how you can create an Azure AD Dynamic Device Group Managed by MDE Defender for Endpoint using the MicrosoftSense attribute. The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities.

With the upcoming MDE enrollment improvements, new device enrollments will no longer support the MDEManaged and MDEJoined system labels. However, existing Windows devices managed by Defender for Endpoint can continue to utilize these labels to target policies without any impact.

To ensure that all devices enrolled in security settings management for Microsoft Defender for Endpoint receive policies, It is recommended creating a dynamic Azure AD group based on the managementType attribute MicrosoftSense.

For new enrollments, including those that no longer require hybrid Azure AD join, the MDEManaged or MDEJoined system labels cannot be used to target policies. Instead, utilize one of the other available methods for targeting policies with these new enrollments.

Patch My PC

It is recommended to review your group policy and targeting settings for Windows devices managed by Defender for Endpoint, specifically if you are using the security settings management functionality.

What’s New Changes to System Label Attributes for Grouping and Targeting

As part of the upcoming enrollment improvements for this capability, the MDEManaged and MDEJoined system labels will no longer be applicable for new device enrollments. It’s important to note that this change only affects you if you have opted into the public preview features in Defender for Endpoint.

Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.1
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.1

NOTE from Microsoft: Starting on July 10th, the AAD system labels that were previously applied on MDE-managed devices will not be supported anymore. We recommend reviewing your dynamic Azure AD grouping queries to make sure these are not used anymore.

If you currently rely on the MDEManaged or MDEJoined system labels for Azure AD groups to target policies, recommend transitioning to one of the alternative methods listed below:

Adaptiva
  • Target policy based on the platform by using the deviceType attribute (Windows, WindowsServer, macOS, Linux) – Recommended.
  • Target policy by using the managementType attribute MicrosoftSense. This will target all devices managed by Defender for Endpoint that are using the security settings management functionality.
MDE Managed Devices - MicrosoftSense Entra Dynamic Group
MDE Managed Devices – MicrosoftSense Entra Dynamic Group

Azure AD Dynamic Device Group Managed by Defender for Endpoint

Here are the steps to create an Azure AD Dynamic Device Group managed by Defender for Endpoint, This will automatically add devices managed by Defender for Endpoint to the group, without requiring admins to perform any additional tasks, such as creating a new policy.

Note – Microsoft reveals a major announcement that Microsoft Azure Active Directory (Azure AD) is becoming Microsoft Entra ID. Here I will be using Azure AD, being known to all of you.

  • Sign in to the Entra Portal https://entra.microsoft.com/ with a Global administratorIntune administrator, or User administrator role in the Azure AD organization.
  • Azure AD is now Entra ID – More details – What is Microsoft Entra ID?
  • Select All groups, and select New Group.
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.2
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.2

On the New Group, Add the required information to proceed for Dynamic Group. Click on Add Dynamic Query under Dynamic Device Members.

  • Select Security – Group Type from the drop-down option.
  • Enter Group Name “Defender for Endpoint Windows Devices Group” (Provide a suitable name).
  • Enter Group Description, For Example, Target policy by using the managementType attribute MicrosoftSense.
  • Select Dynamic Device as Membership type.

Note – You need to select Membership type as Dynamic Device or User to have Add dynamic query in this blade to appear.

Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.3
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.3

There are two options to build the Azure AD dynamic group query. You can use the rule builder or rule syntax text box to create or edit an AAD device group dynamic membership rule.

  • Rule Builder  Graphical Interface, easy to create the dynamic query.
  • Rule Syntax – Advanced technical users for complex queries.

You need to follow the steps mentioned below to use Azure AD dynamic group Rule Builder to create dynamic query rules.

  • Under Configure Rules – Choose Property drop-down list.
  • Select managementType as the property from the drop-down list.

It’s time to choose an Operator now for the managementType. I have selected Equals from the operator drop-down menu, and the Value should be MicrosoftSense.

Device attributeValuesRules [For Example]
managementTypeMicrosoftSense(device.managementType -eq “MicrosoftSense”)
Table 1 – Azure AD Dynamic Device Group Managed by Defender for Endpoint
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.4
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.4

On Validate Rules tab, Click on Add devices or Add users based on group selection to validate configured rules for the group.

  • Validation results will appear and show whether a device or user is a member of the group or not. The result will show the Status as follows.
In group (✅Green Tick) - If a user or device satisfies a rule on a group, the result will show as In group. 
Not in group (❌Red Cross).- If a user or device no longer satisfies the rule, the result will show as Not in group.
Unknown - If the rule is not valid or there is a network issue, the result will show as Unknown. 
Azure AD Dynamic Device Group Managed by MDE Defender for Endpoint | MicrosoftSense 1
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.5

Click on SAVE and CREATE buttons to complete the process of building Azure AD dynamic device group creation. A notification will appear with a message, Successfully created group Defender for Endpoint Windows Devices Group.

Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.6
Azure AD Dynamic Device Group Managed by Defender for Endpoint Fig.6

Now, the Azure AD Dynamic Device Group is created and managed by Defender for Endpoint. The devices meeting the defined criteria in the dynamic query will automatically be included in the group, and the associated device tag will indicate their management status within Defender for Endpoint.

MDE Managed Device - Entra Dynamic Device Group
MDE Managed Device – Entra Dynamic Device Group

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.