Here’s a blog to cover some aspects of licensing for Defender for Endpoint and a few pointers

I’ve seen a few public threads out on the internet that has caused some confusion regarding the types of licenses required and also the capabilities for Microsoft Defender for Endpoint (MDE). There are also a few threads that on the internet that I have seen where Admins have no access to MDE and are looking for guidance so I will address that here as well.

Know your solution requirements

Before purchasing licenses, ensure you understand the requirements for the solution that you are adopting. Once this is understood you can then start looking into the capabilities that Microsoft offer as part of MDE and review which licenses will be most appropriate based on the following:

  1. Do you already have licenses as part of your subscription?
  2. Do your current licenses fulfil all the current requirements?
  3. If your licenses do not meet all the requirements, what options are available?

Picking the right licenses

Microsoft provides comprehensive documentation for it’s licensing plans but sometimes they are misunderstood. I’ve added the most common ones below

Defender for Endpoint Licensing

For Defender for Endpoint, it’s worth first reviewing the Minimum Requirements. Please note, the EMS E5 license is not part of the minimum requirements and will not allow a Global or Security Admin to subscribe to the MDE service. I will discuss a little more regarding M365 Defender for Office because it can cause confusion.

In the event that a Defender for Endpoint License is not assigned the first time you access the service you will see the following message below, Please note, this is not an error

No Subscriptions Found

“If while accessing Microsoft 365 Defender you get a No subscriptions found message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender for Endpoint license.”

There is a direct mention in this document that a Defender for Endpoint License gives access to the portal

Centralized management
“Defender for Endpoint Plan 1 (preview) includes the Microsoft 365 Defender portal, which enables your security team to view current information about detected threats, take appropriate actions to mitigate threats, and centrally manage your organization’s threat protection settings.”

Microsoft also provides a very useful comparison document between Defender for Endpoint Plan 1 and 2 capabilities.

M365 Defender for Office (Plan 1 and 2)

These licenses should not be confused with the Defender for Endpoint licenses as they provide different capabilities. Please note, this does not provision the Defender for Endpoint Portal and requires the appropriate license as highlighted above.

Plan 1 vs Plan 2 Features

It is worth highlighting this document, Microsoft 365 Defender prerequisites and point out the statement:

“Any of these licenses gives you access to Microsoft 365 Defender features in Microsoft 365 Defender portal without additional cost

Please note, The states licenses such as the EMS E5 gives access to Features in the portal not access to the portal.

More Information

Introducing Microsoft Defender for Endpoint Plan 1