PerKarlLind
Apr 12, 2023 Copper Contributor
Assign Microsoft Defender for Endpoint baseline to users or devices?
I am currently working on optimizing our Intune configuration for better efficiency and have encountered challenges related to conflicts between Microsoft Defender for Endpoint baselines and device c...
rahuljindal
Apr 12, 2023 Bronze Contributor
The MDE baseline contains a subset of settings that should be configured at a minimum according to Microsoft. It is ideal if you are only looking for a baseline and don't want the admin overhead of maintaining these settings outside the baseline. However, most organizations go for the complete feature set (if they are licensed), and therefore I normally recommend deploying the MDE settings using Endpoint security profiles instead. They are specifically tailored for endpoints, keeping security in mind. I normally exclude the BitLocker and Defender settings from the MDM baseline and don't even consider using the MDE security baseline. Not to mention that these baselines have not been updated for a long time; however, that is expected to change in the coming months.

As for the assignments, it will depend on the use of the assignments. For example, if it is existing devices, then you can assign to either devices or users. It won't really matter. However, if it is for Autopilot, then you may want to assign profiles like Exploit Guard and Application Control to users, as they can sometimes trigger a reboot during AP provisioning.