Mobile Threat Defense for Entra Shared Device Mode
Hi, in my experience, Microsoft Defender for Endpoint works well for mobile threat defense in Entra Shared Device Mode, especially if you're already embedded in the Microsoft ecosystem. Some teams do consider third-party solutions, but Defender tends to offer solid integration and protection out-of-the-box. I'd be curious to hear what others are using too!
- StuartK73 | Dec 21, 2025 | Iron Contributor
Hi Buddy
Can you tell me how you got DfE working on Entra Shared Mode devices?
The MS docs state this:
Ref: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-android
SK
- StuartK73 | Mar 24, 2025 | Iron Contributor
Hi Buddy
Many thanks for your quick and informative reply. As the Entra Shared devices are "userless" and logged into by multiple users, I assume that each logged-on user must have a Defender for Endpoint license?
Stuart
- Simone_Termine | Dec 29, 2025 | Brass Contributor
Hi StuartK73,
Good question, but in Entra Shared Device Mode (userless/shared), licensing the users won’t solve it, because Microsoft Defender for Endpoint on mobile isn’t supported on userless or shared devices (Android and iOS). So even if every user had an MDE license, that specific shared/userless scenario still won’t be supported/functional.
For supported scenarios (non-shared/user-based devices), the licensing model is typically:
- Defender for Endpoint Plan 2 is per user, and each licensed user can have up to five concurrently onboarded devices.
For Shared Device Mode, most orgs go with a third-party MTD partner integrated with Intune compliance + Conditional Access, or they redesign the scenario to a user-based enrollment model if MDE is a hard requirement.
- Simone_Termine | Dec 23, 2025 | Brass Contributor
Not quite, and in this specific Entra Shared Device Mode/userless scenario it’s even simpler:
- Microsoft Defender for Endpoint on Android isn’t supported on userless or shared devices, and the same applies on iOS (“user-less or shared devices” not supported). So licensing every user who signs in won’t make MDE work on those shared devices, because the scenario itself isn’t supported.
- In general (for supported scenarios), Defender for Endpoint Plan 2 is licensed per user, and each licensed user can have up to five concurrent onboarded devices. So yes, where MDE is supported and users are benefiting from it, the licensing model is typically “per user”, not “per shared device session.”
So for Shared Device Mode: you normally pick a third-party MTD that supports shared/userless usage and integrate its risk into Intune compliance + Conditional Access (rather than trying to force MDE licensing onto a model MDE mobile doesn’t support).