Forum Discussion

kcr
Copper Contributor
Feb 27, 2025

Assigning Microsoft Defender for Endpoint (DFE) Licenses to Devices Without a Cloud-Visible User

We have a number of Windows 10 and Windows 7 clients that are used to control production systems. These devices do not have a cloud-visible user, as they are not associated with an Entra ID (Azure AD) account. However, each device does have a local Windows user for system operations.

The challenge we are facing is how to assign Defender for Endpoint (DFE) licenses to these devices, since DFE licensing is primarily user-based, and there is no direct device-based licensing for client OS.

Our main questions:

How can we assign a newly purchased DFE device license to a client that has no user?
Is there a way to assign licenses to local Windows users even if they are not synced to Entra ID?

1 Reply

  • Assigning Microsoft Defender for Endpoint (DFE) licenses to devices without a cloud-visible user, such as those not associated with an Entra ID (Azure AD) account, presents challenges due to DFE's primarily user-based licensing model. Here are some approaches to consider:

    1. Assign Licenses to Entra ID Users: DFE licenses are typically assigned to user identities within Entra ID. If your organization doesn't sync on-premises Active Directory (AD) to Entra ID, you may need to establish this synchronization to assign licenses appropriately. 
    2. Onboard Devices Without Entra ID: It's possible to onboard devices to DFE even if they're not connected to AD or Entra ID. This involves deploying the Defender for Endpoint agent directly on the devices. However, without user association in Entra ID, managing licenses and policies becomes more complex.