Forum Discussion

GuidoImpe
Brass Contributor
Jun 02, 2025

Onboarding MDE with Defender for Cloud (Problem)

Hello Community,

At our customer I have a strange problem.

We onboarded servers with Azure Arc and activated Defender for Cloud services only for Endpoint protection.

Some of these devices onboarded into the Microsoft Defender portal, but they do not appear as devices; in fact I have no way to put them into a group to apply a policy.

I have checked the Azure Arc sensor and all works fine (the devices are in Azure Arc, are in the Defender portal and I see them in Intune (managed by MDE)).

From Intune portal

From Defender portal

But unlike the other devices, in Entra ID only the enterprise application exists and not the device.


I show an example of a device that works correctly (same onboarding method).


Is there anyone who has or has had this problem?


Thanks and Regards,

Guido

2 Replies

  • GuidoImpe
    Brass Contributor

    Hello AladinH, I do not agree with you. Do you have an official link about this?

    Because all servers with this method work fine; only a couple of servers have this problem.

    Regards,

    Guido

  • AladinH
    Iron Contributor

    Hi GuidoImpe,

    This is expected behavior when servers are onboarded using Azure Arc and Defender for Cloud. Arc-enabled servers do not create Entra ID device objects, so they won’t appear under Entra devices or be usable in Entra device groups. The object you see in Entra as an Enterprise Application is just the Azure Arc service principal, not a device. Even though the servers show up in Defender for Endpoint (and may say “managed by MDE”), they are not Intune-managed, which is why you can’t target them with Intune policies.

    The supported approach is to manage these servers through Defender for Cloud using Azure Policy, scoped at the subscription or resource-group level after Arc onboarding. Use Azure scopes or tags for grouping, not Entra device groups. Intune should be used only for Windows 10/11 endpoints, while servers are managed via Azure Arc + Defender for Cloud - that’s the Microsoft-recommended model.
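One check worth running from the Azure side of the model AladinH describes, as an added example that is not part of the thread: it lists the Arc-enabled machines of a resource group, groups them by tag rather than by Entra device group, and reports whether the Defender for Endpoint extension that Defender for Cloud deploys (MDE.Windows on Windows, MDE.Linux on Linux) is actually provisioned on each machine. Machines where the extension is missing or failed are the ones to look at first when a server shows up in the Defender portal but cannot be grouped as expected. It assumes the Azure CLI with its `connectedmachine` extension and a logged-in session for the live path; the resource-group and machine names below are constructed placeholders, and the parsing functions run offline on the sample data.

```python
"""Check Arc-enabled servers for a provisioned Defender for Endpoint (MDE) extension.

Added example, not code from the thread. Assumes the Azure CLI is installed
with its 'connectedmachine' extension and an active login for the live path;
the parsing functions only need the JSON that 'az connectedmachine list' and
'az connectedmachine extension list' emit, so they can be exercised offline
with the constructed sample below.
"""
import json
import shutil
import subprocess

# Extension names Defender for Cloud deploys for MDE on Arc machines.
MDE_EXTENSION_NAMES = {"MDE.Windows", "MDE.Linux"}


def select_machines_by_tag(machines, key, value):
    """Names of Arc machines whose tags contain key=value.

    Tags are the Azure-side grouping mechanism for Arc servers (there is no
    Entra device object to put into a device group).
    """
    return [m["name"] for m in machines if (m.get("tags") or {}).get(key) == value]


def mde_status(extensions):
    """Classify one machine's extension list.

    'ok'              - an MDE extension exists and provisioned successfully
    'not-provisioned' - an MDE extension exists but is not in state Succeeded
    'missing'         - no MDE extension on the machine at all
    """
    mde = [e for e in extensions if e.get("name") in MDE_EXTENSION_NAMES]
    if not mde:
        return "missing"
    if any(e.get("provisioningState") == "Succeeded" for e in mde):
        return "ok"
    return "not-provisioned"


def audit(machines, extensions_by_machine, tag_key=None, tag_value=None):
    """Map machine name -> MDE status, optionally restricted to one tag value."""
    if tag_key is None:
        names = [m["name"] for m in machines]
    else:
        names = select_machines_by_tag(machines, tag_key, tag_value)
    return {name: mde_status(extensions_by_machine.get(name, [])) for name in names}


def _az(*args):
    """Run one Azure CLI command and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_resource_group(resource_group, tag_key=None, tag_value=None):
    """Live path: query Azure for the Arc machines of one resource group and audit them."""
    machines = _az("connectedmachine", "list", "--resource-group", resource_group)
    extensions = {
        m["name"]: _az("connectedmachine", "extension", "list",
                       "--machine-name", m["name"], "--resource-group", resource_group)
        for m in machines
    }
    return audit(machines, extensions, tag_key, tag_value)


# Constructed sample data shaped like the CLI output (names and tags are made up).
SAMPLE_MACHINES = [
    {"name": "srv-file-01", "tags": {"role": "fileserver"}},
    {"name": "srv-file-02", "tags": {"role": "fileserver"}},
    {"name": "srv-db-01", "tags": {"role": "database"}},
    {"name": "srv-web-01", "tags": None},
]
SAMPLE_EXTENSIONS = {
    "srv-file-01": [{"name": "MDE.Windows", "provisioningState": "Succeeded"}],
    "srv-file-02": [{"name": "MDE.Windows", "provisioningState": "Failed"}],
    "srv-db-01": [{"name": "MDE.Linux", "provisioningState": "Succeeded"}],
    "srv-web-01": [{"name": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded"}],
}


def audit_sample(tag_key=None, tag_value=None):
    """Run the audit over the constructed sample (no Azure access needed)."""
    return audit(SAMPLE_MACHINES, SAMPLE_EXTENSIONS, tag_key, tag_value)


if __name__ == "__main__":
    # Offline demo first; then the live audit if the CLI is available.
    for name, status in audit_sample().items():
        print(f"{name}: {status}")
    if shutil.which("az"):
        # "rg-arc-servers" is a placeholder resource-group name.
        print(audit_resource_group("rg-arc-servers", "role", "fileserver"))
```

Run it as-is to see the sample report; point `audit_resource_group` at a real resource group to audit live machines. Anything reported as `not-provisioned` or `missing` means Defender for Cloud has not finished deploying MDE to that Arc machine, which is where to look before investigating the portal or Intune side.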
