Forum Discussion
Onboarding MDE with Defender for Cloud (Problem)
Hi GuidoImpe,
This is expected behavior when servers are onboarded using Azure Arc and Defender for Cloud. Arc-enabled servers do not create Entra ID device objects, so they won’t appear under Entra devices or be usable in Entra device groups. The object you see in Entra as an Enterprise Application is just the Azure Arc service principal, not a device. Even though the servers show up in Defender for Endpoint (and may say “managed by MDE”), they are not Intune-managed, which is why you can’t target them with Intune policies.
The supported approach is to manage these servers through Defender for Cloud using Azure Policy, scoped at the subscription or resource-group level after Arc onboarding. Use Azure scopes or tags for grouping, not Entra device groups. Intune should be used only for Windows 10/11 endpoints, while servers are managed via Azure Arc + Defender for Cloud - that’s the Microsoft-recommended model.
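As an added illustration of the model described in this answer (not code from the original thread), the following PowerShell inventories Arc-enabled servers by tag, checks whether the Defender for Endpoint extension that Defender for Cloud deploys is present, and assigns a policy at resource-group scope; the resource group name, tag key, policy definition ID and location are placeholders you must replace.

```powershell
# Added example, not from the original post. Requires the Az.ResourceGraph and Az.Resources
# modules and an existing Connect-AzAccount session. All values below are placeholders.
$ResourceGroup      = 'rg-arc-servers'   # placeholder: resource group that holds the Arc machines
$Location           = 'westeurope'       # placeholder: region for the assignment's managed identity
$PolicyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/<BUILT-IN-POLICY-GUID>'  # placeholder

# 1. Arc-enabled servers exist as Microsoft.HybridCompute/machines resources, not as Entra
#    devices. Group them with an Azure tag (here the tag key 'workload', a placeholder) and
#    join the MDE.Windows / MDE.Linux extension that Defender for Cloud installs on each one.
$query = @'
resources
| where type =~ 'microsoft.hybridcompute/machines'
| extend machineId = tolower(id),
         osName    = tostring(properties.osName),
         workload  = tostring(tags['workload'])
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.hybridcompute/machines/extensions'
    | where tostring(properties.type) in ('MDE.Windows', 'MDE.Linux')
    | extend machineId = tolower(tostring(split(id, '/extensions/')[0]))
    | project machineId, mdeState = tostring(properties.provisioningState)
  ) on machineId
| project name, resourceGroup, workload, osName,
          mdeState = iff(isempty(mdeState), 'not deployed', mdeState)
| order by workload asc, name asc
'@

$servers = Search-AzGraph -Query $query -First 1000
$servers | Format-Table name, resourceGroup, workload, osName, mdeState

# Servers that Defender for Cloud has not yet covered are the ones to check policy compliance for.
$uncovered = $servers | Where-Object { $_.mdeState -ne 'Succeeded' }
Write-Host ("{0} of {1} Arc servers do not yet have a healthy MDE extension" -f $uncovered.Count, $servers.Count)

# 2. Target the servers through an Azure scope (a resource group here; a subscription
#    scope works the same way) rather than an Entra device group. A DeployIfNotExists
#    policy needs a managed identity and a location, hence the last two parameters.
$scope      = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
$definition = Get-AzPolicyDefinition -Id $PolicyDefinitionId

New-AzPolicyAssignment -Name 'mde-arc-servers' `
    -DisplayName 'Defender for Endpoint on Arc-enabled servers' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -IdentityType SystemAssigned `
    -Location $Location
```

After the assignment has evaluated, re-run the Resource Graph query to confirm the `mdeState` column moves to `Succeeded` for the machines in that scope.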