Forum Discussion
Scope Profile - Device Group Creation - Help please
Hi Everyone,
Hope all is well.
I'm trying to exclude a particular user group from an unsanctioned app. I saw you can create a scoped profile, which is available under Setting - Apps - Scoped Profile. I'm following the Microsoft documentation here: https://docs.microsoft.com/en-us/defender-cloud-apps/governance-discovery
Steps 5 and 6 talk about selecting a device group. How do I create a device group?
I have a bunch of Azure AD device groups, but nothing comes up when I search for them, which leads me to believe you need to import them. I tried importing through user groups, but that does not seem to work.
Please let me know if you know how to do this or another way to get this task completed.
5 Replies
- JacobS Brass Contributor
It's been years but I HAVE A SOLUTION!
Device Groups are NOT just an Entra Security Group with Devices in it. Device Groups are found in the MS Defender portal, Settings > Endpoints > Permissions > Device Groups.
From there you can make a device with conditionals that add devices, or assign that Entra Security group full of devices that wouldn't show up in the next step, and it will populate this device group. Save and close the group, check the top of the screen for the notification to reload and recalculate the groups, and then you can go to the Scoped Devices, find your group in the setup, and then assign the Scoped device policy at the exemption for whichever Cloud App you've shut your employees out of.
https://learn.microsoft.com/en-us/defender-endpoint/machine-groups?view=o365-worldwide
PS: I'm looking for work outside of computers and away from anything Microsoft has touched if anyone is hiring
- berryblack001 Copper Contributor
Feeling compelled to post here! This is still an issue in 2024, has anyone figured this out?
In my case we are using Intune for device management, and Business Premium licensing. There is not even an option to create a new group under Endpoints > Device Configuration, as it directs you to Intune for management in our case. Scoped Profiles is not picking up any groups at all... just an empty drop down.
https://learn.microsoft.com/en-us/defender-endpoint/machine-groups
https://learn.microsoft.com/en-us/defender-business/mdb-create-edit-device-groups
- ArtSofM365 Copper Contributor
berryblack001, unless something has changed recently, for some strange reason you are not given an option to create device groups with Business Premium.
This device groups concept is so unnatural in modern device management and, from my experience, also not very reliable - multiple reasons.
As to those scope profiles not showing up - another pain with MCAS - everything is soo slooow, they will show up ultimately (if there are no other issues of course, e.g. licensing).
MCAS (MDA or whatever it is called today) feels like a neglected product compared to all other areas of the M365 security suite - which is strange and a pity.
- Jonhed Iron Contributor
Device groups here refer to the Device Groups defined in Defender for Endpoint.
This is unrelated to Azure AD Groups. Please see the link below.
Are you currently using Defender for Endpoint, and blocking unsanctioned apps there?
- Hemang0407 Copper Contributor
Hey, can you give me my answer too? I am creating a scope profile, but when I select device group it's showing none. I already created 2-3 device groups. What should I do?