I have a client that uses an autoscaling solution to stand up and down EC2 instances with Linux hosts. These are ephemeral and may be trashed at any time due to resource reallocation. The hosts are onboarded to Azure using Azure Arc and are then onboarded to MDE.
Bearing in mind that you can have multiple instances in the Defender portal with the same hostname, is there any difference between offboarding and trashing a server in terms of what happens in the portal and licensing? Currently they are using the Defender for Endpoint Server licence model but may move to Defender for Servers Plan 2 in the future.
I'd appreciate an official response from Microsoft.
Hi Rob, from my experience, Defender for Endpoint is a fixed license contract, so if you buy 50 you have 50 to work with. When you start applying Defender for Server you don't have to buy a separate license; it's just included in your Azure subscription, so whatever you used for that month is just added to your bill. Typically Defender for Server will be applied when you set up Defender for Cloud under the Workload Protections.