Microsoft 365 Defender - Device Group, rules by tag and domain

Hi all.

I have some interesting behavior with the "match rules" within the device group settings.

Here is what I am trying to do:

I have Hybrid devices I can select and filter by defining them by "domain" (xxxxx.co.uk). I also have AAD joined devices that I want to select within that Defender group. These devices have a Defender Tag, which is applied to the device registry via an Intune configuration policy.

Below is the domain selection:

AdamSedar_2-1655929788315.png

What I can't do is apply a "Or - Tag" without filling in the "And - Tag" value field.

AdamSedar_1-1655929767589.png

What happens is my "or tag" value of "UK" gets moved to the "and tag" value field. 

Below is what the rule selections change to when I apply the settings:

AdamSedar_3-1655930324408.png

I feel like I am missing something here or experiencing a bug of some sort?

I know of course I could achieve this manually by applying tags within Defender, but my environment is split across 37 countries, with local I.T. teams who need access to their scoped devices, which altogether is some 10K. I need this to be as automated as possible.

Any help, advice or insight would be great!

Thanks.

Adam.