May 30 2023 07:23 AM
Hi,
I have seen similar questions regarding licensing before, but not this one in particular.
Right now I am working with a client who would like to use Defender for Identity, but only for a certain part of their organization.
From what I can read in the Microsoft Documentation, this should be possible, as long as you take efforts to limit the use to those who have the proper license.
Copied from the above URL:
"Microsoft Defender for Identity services are currently not capable of limiting capabilities to specific users. Efforts should be taken to limit the service benefits to licensed users."
My question in specific is, what are the correct efforts that Microsoft is mentioning in their documentation, that limit the service benefits? Would that be to use "Global excluded entities"? And exclude all but those users who have the license applied?
All users are in the same domain, so I am unable to use that feature unfortunately.
If someone has any feedback or information regarding this, I would be really happy to hear about it.
Cheers,
Robin
May 30 2023 07:59 AM
May 30 2023 08:20 AM
Hi @eliekarkafy,
Thanks for your response.
The customers have bought X amount of individual Defender for Identity licenses to cover X amount of users in their organization.
I just want to make sure that we do the correct efforts from a Microsoft perspective to "limit the service benefits" for the rest of the unlicensed users. If that makes any sense?
Best regards,
Robin
May 30 2023 08:37 AM - edited May 30 2023 08:38 AM
Solution
Correct, excluding your unlicensed users from MDI will help avoid potential service disruption to your organization, as some tenant services are not currently capable of limiting benefits to specific users. I recommend you exclude the unlicensed users from the detection rules to make sure that this will not affect you in the future, and open a case with the licensing team to make sure that you're covering the scenario as it should be.
May 30 2023 10:57 PM
May 31 2023 12:26 AM
MDI provides security value (posture, detection, investigation, response, etc.) to the entire organization or domain, rather than provide a specific capability to specific users or groups. As a result, it's not possible to scope the deployment or licensing to just part of the organization. This is actually a good thing, since attackers could come from outside the scope of any given user or group, and MDI needs to be able to detect and prevent such attacks regardless of their origin. By providing security value to the entire organization, MDI helps ensure that the entire organization is protected from a wide range of potential threats.
May 31 2023 12:36 AM
Thanks for taking time to respond to my question.
Are you telling me that there is no way of excluding non-licensed users, even though you state the following in the documentation? To me, that sentence sounds like you are opening up to use the feature for a limited amount of users. But what makes it hard for us as users / consultants is the fact that Microsoft isn't clearly stating what efforts are valid from their perspective.
"Microsoft Defender for Identity services are currently not capable of limiting capabilities to specific users. Efforts should be taken to limit the service benefits to licensed users."
So we either need to license all users, or disable the feature? Those are the two real options we have to be compliant with Microsoft Licensing, from your knowledge?
Jun 01 2023 02:47 AM
I understand why the documentation can be confusing. I'll ask to update it.
Thank you.
Jun 13 2023 02:43 AM
Jun 13 2023 11:46 AM
I agree, it is not really a valid solution in real life. I'll discuss this with the support teams.
Thank you for the feedback.