Onboard Defender for Endpoint without Azure Arc via Direct onboarding
Previously, onboarding hybrid servers to Defender for Servers with MDE required Azure Arc as a prerequisite for the deployment, since the standalone plan was removed from the licensing options some time ago (for CSP customers without an EA agreement). Azure Arc gives a benefit in the modern management of servers, but some organizations need only EDR without all the additional controls and management of the Azure resource management layer. Azure Arc is not "next, next, finish": it requires monthly maintenance, correct RBAC, update management, knowledge, and auditing.
With the new feature called Direct onboarding, it is possible to onboard on-premises Windows and Linux servers to Defender for Servers without Azure Arc. This means we can deploy Defender for Endpoint from the M365 Defender portal using the onboarding package/ script and have billing through Azure/ Defender for Cloud, without the need for additional agents, extensions, or products.
The new method supports the same degree of data integration between MDC and MDE in comparison with the Azure Arc/ Defender for Servers method.
Current limitations: Direct onboarding Current limitations
Blog Published: June 5, 2023
Blog updated: June 5, 2023
Defender for Servers/ Defender for Cloud/ Defender for Endpoint and Azure Arc?
Let's start with some explanation of the available components. A common question: what is the difference between Defender for Endpoint, Defender for Cloud, Defender for Servers, and Azure Arc, and why do we need them? Let's explain it more in-depth.
Defender for Cloud
Defender for Cloud is a Cloud-native application protection platform based on Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP).
Defender for Cloud offers multiple Defender plans for more in-depth security. Available plans:
– Defender CSPM
– Defender for Servers
– Defender for App Service
– Defender for Databases
– Defender for Storage
– Defender for Containers
– Defender for Key Vault
– Defender for Resource Manager
– Defender for DNS
Defender for Servers
The Defender for Servers plan is part of Defender for Cloud and is available in two pricing models: P1 and P2. P1 focuses on a limited set of defenses with a strong focus on Defender for Endpoint technology. P2 contains the full set of Defender for Cloud enhanced security features, including network layer threat detection, FIM, Qualys vulnerability assessment, and 500MB free data ingestion.
P1=$5 Server/Month (calculated for each hour)
P2=$15 Server/Month (calculated for each hour)
Both P1 and P2 contain all features of Defender for Endpoint P2, except the vulnerability management add-on, which is only part of Defender for Servers P2 and is available in MDE as an add-on.
Defender for Endpoint
Microsoft Defender for Endpoint (MDE) is a comprehensive solution for preventing, detecting, and automating the investigation and response to threats against endpoints.
After enabling the Defender for Endpoint integration in Defender for Cloud, machines will be provisioned. The configuration/ installation is pushed using Azure Policies and contains the onboarding script and additional configuration. The result is the MDE.Windows and MDE.Linux VM extension for 2012R2 and higher.
Azure Arc functions as a bridge that extends the Azure platform to on-premises environments or other clouds (AWS/ GCP). Connecting servers with Azure Arc requires Azure Arc-enabled servers and the Azure Connected Machine agent on supported systems.
1: In Defender for Cloud
2: Is the plan Defender for Servers P1 or P2 enabled
3: Which onboards Defender for Endpoint P2 via Azure Policy
License for Defender for Endpoint is part of the Defender for Server plan – no additional license purchasing is needed.
Onboarding with the new method
Previously, the Defender for Servers method was always needed to get the license for servers, since the standalone license was removed some time ago. Because of that license decision, Azure Arc had to be enrolled for non-Azure resources like on-premises machines or machines hosted in another cloud. With the new onboarding method, Azure Arc is no longer required when onboarding machines to Defender for Endpoint.
Now the question: what is the best onboarding method?
There is still a benefit of Azure Arc, since Azure Arc enables a couple of features that are not part of the new direct onboarding (P2 features + Arc features). When machines are hosted in Azure, it is common to use the Defender for Servers onboarding method, since the provisioning is automatic via the MDE.Windows and MDE.Linux extension.
Direct onboarding method
In situations where Azure Arc is a huge overhead (it requires its own security/ policies and design decisions), it is possible to use the new direct onboarding method. With the newly announced direct onboarding, there is a seamless integration between Defender for Endpoint and Defender for Cloud without the need for additional deployment of agents. Once enabled, the machines that are part of Defender for Endpoint are synced to the Defender for Cloud inventory in a designated Azure subscription that is configured.
With the use of Direct onboarding, the Defender for Cloud part is only used for licensing. The Azure subscription is used for licensing, billing, alerts, and insights. For additional configuration and protection, Azure Arc is needed.
The enablement of direct onboarding is an opt-in setting that needs to be enabled on the tenant level. Once enabled, it affects existing and new servers that are onboarded in the Defender for Endpoint tenant. After enabling the new onboarding, machines will be synced under the designated subscription and pricing will be part of the Defender for Cloud process.
Enabling Direct onboarding
Direct onboarding can be enabled in the Defender for Cloud environment settings. After enabling direct onboarding, it will take up to 24 hours for machines to be synced in the designated subscription.
To manage this setting, you need Subscription Owner permissions (on the chosen subscription), and AAD Global Administrator or AAD Security Administrator.
For enabling the feature go to Defender for Cloud -> Environment Settings -> Direct Onboarding
Switch the direct onboarding toggle to On
Select the subscription. The subscription will be used as the location where the machines are visible/ located. Ideally, create a separate subscription for optimal control of the Defender for Servers P1/ P2 plan and cost of the servers.
When enabled, it will take 24 hours before machines are synced to the inventory in the designated subscription. After enabling the feature, the licensing is part of Defender for Cloud.
IMPORTANT: This setting is currently only possible tenant-wide. It will sync devices that are part of Defender for Endpoint and were active in a specific time interval. It is important to review the information below to make sure there is no duplicate cost.
Each machine includes recommendations, alerting, and insights:
Data integration between MDE and Defender for Cloud:
Defender for Servers plan
In Defender for Servers there is a P1 and a P2 plan. Direct onboarding provides access to all Defender for Servers Plan 1 features; there is no real benefit of the Defender for Servers Plan 2 features when using direct onboarding.
Defender for Servers P2 includes a couple of features that depend on the Azure Monitor Agent, which on non-Azure machines is only applicable via Azure Arc. Without the Azure Monitor Agent you will pay $15/month for a limited set of features.
When enabling Defender for Servers P2 in the designated subscriptions, machines onboarded directly will have access to the Defender for Servers Plan 1 features and the Vulnerability Management add-on features. All other features are not supported or available.
The Defender for Servers plan is visible via the environment settings in Defender for Cloud.
NOTE: The count in the resource quantity is currently not yet showing the machines onboarded via Direct onboarding.
Review machines onboarded via Direct onboarding
When machines are part of Defender for Endpoint and recently active in the inventory they will be synced automatically to the configured subscription when the requirements are in place.
To view the machines that are part of the direct onboarding process, go to Defender for Cloud and open the inventory. In the resource type filter, the following resource types are available:
|Resource type|Description|
|---|---|
|Servers – Defender for Endpoint|Machines onboarded via direct onboarding|
|Virtual machines|Machines hosted in Azure|
|Servers – Azure Arc|Machines onboarded via Azure Arc|
The resource type for machines onboarded via direct onboarding contains all machines onboarded via the new direct onboarding. When machines are visible as duplicates, billing is based on hourly activity; this is the same process as used with servers onboarded via Defender for Servers or Azure Arc.
Machines are visible in the inventory. Recommendations and alerts are directly visible on the resource name.
What happens when the machine is already part of Defender for Servers?
When the machine is already part of Defender for Servers, the resource is visible as resource type Virtual machines, or as Machines onboarded via Azure Arc when onboarded via Azure Arc.
There is a limitation to this part. When an Azure VM or Azure Arc machine is onboarded in Defender for Servers via an Azure subscription or Log Analytics workspace and is running Defender for Endpoint, it will be part of the direct onboarding flow when the MDE.Windows or MDE.Linux extension is not installed.
Make sure machines hosted in Azure or onboarded via Azure Arc are correctly registered using the MDE.Windows or MDE.Linux extension. When the extension is not visible, it will result in overcharges when direct onboarding is enabled.
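A pre-check for the extension requirement above, as an added example that is not part of the original post: an Azure Resource Graph query, run from PowerShell, that lists Azure VMs and Azure Arc machines without the MDE.Windows or MDE.Linux extension. It assumes the Az.Accounts and Az.ResourceGraph modules are installed and that Connect-AzAccount has been run with at least Reader access to the subscriptions in scope.

```powershell
# Added example (not from the original post).
# Assumptions: Az.Accounts + Az.ResourceGraph installed, Connect-AzAccount already run.
# Lists Azure VMs and Azure Arc machines that have no MDE.Windows / MDE.Linux
# extension resource, i.e. candidates for duplicate billing once direct
# onboarding is switched on tenant-wide.

$query = @'
resources
| where type in~ ('microsoft.compute/virtualmachines', 'microsoft.hybridcompute/machines')
| project machineId = tolower(id), machineName = name, machineType = type, subscriptionId, resourceGroup
| join kind=leftouter (
    resources
    | where type in~ ('microsoft.compute/virtualmachines/extensions', 'microsoft.hybridcompute/machines/extensions')
    | where name in~ ('MDE.Windows', 'MDE.Linux')
    | project machineId = tolower(substring(id, 0, indexof(tolower(id), '/extensions/'))), mdeExtension = name
  ) on machineId
| where isempty(mdeExtension)
| project subscriptionId, resourceGroup, machineName, machineType
| order by subscriptionId asc, resourceGroup asc, machineName asc
'@

# -First 1000 is the per-call maximum; larger estates need paging with -SkipToken.
$missing = @(Search-AzGraph -Query $query -First 1000)

if ($missing.Count -eq 0) {
    Write-Output 'All Azure VMs and Azure Arc machines in scope have the MDE extension.'
}
else {
    Write-Output "$($missing.Count) machine(s) without MDE.Windows/MDE.Linux:"
    $missing | Format-Table subscriptionId, resourceGroup, machineName, machineType -AutoSize
}
```

Machines in this list that already run Defender for Endpoint are the ones to fix before the toggle is enabled. The query does not cover machines billed through a Log Analytics workspace.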
Log Analytics workspace
When machines are already onboarded and billed by Defender for Servers P2 via the Log Analytics workspace, the machines will be part of the direct onboarding flow and result in duplicate devices.
For more limitations see: Simultaneous onboarding limited support | Microsoft Learn.
When to use the different methods
In general, there are now three options:
- Onboard via Azure Arc
- Onboard via Defender for Servers
- Onboard via direct onboarding
Azure Arc is not focused on Defender for Endpoint onboarding and contains more features for managing the machines with Azure services. With the use of Azure Arc it is possible to deploy and use Azure Policies, Update management, Extensions, Automanage, and more.
When there is a need for collecting custom events via the Azure Monitor Agent, Azure Arc is required for on-premises/ non-Azure machines.
When Azure Arc? When there is a use case for the management capabilities in Azure Arc or a requirement for collecting logs via the Azure Monitor agent.
Defender for Servers
Use Defender for Servers for machines hosted in Azure. With the use of Defender for Servers it is possible to deploy Defender for Endpoint automatically via the MDE.Windows or MDE.Linux extension. Customers can enable Defender for Servers P1 or Defender for Servers P2 and use all features.
When Defender for Servers? When machines are part of Azure it is easy to enable Defender for Servers. This gives flexibility in using/ securing machines with more advanced features like FIM/ JIT and more.
Direct onboarding is useful when Azure Arc is an overhead and machines are hosted on-premises or in another cloud. With the use of direct onboarding it is possible to deploy only Defender for Endpoint, integrate alerts/ insights with Defender for Cloud, and get the license managed via Defender for Cloud. With the use of direct onboarding, Azure Arc is no longer a requirement.
When direct onboarding? Direct onboarding is useful when only Defender for Endpoint is needed and there is no need for Azure Monitor Agent deployment. When the Azure Monitor Agent is required, direct onboarding is not possible, since AMA requires Azure Arc for on-premises machines.
From direct onboarding to Azure Arc
It is supported to move from Direct onboarding to Azure Arc without any duplicate cost. When Azure Arc is needed for collecting logs via AMA or any other feature not supported it is completely supported to install the Azure Arc agent. No offboarding is required in Defender for Endpoint.
How to onboard using the Direct onboarding method
When using Direct onboarding the onboarding can be deployed via the available deployment options in Defender for Endpoint. For Windows the following options can be used:
- Microsoft Configuration Manager
- Intune (Via Tenant-Attach)
- Scripting/ GPO
- And more
For Linux the following options are available:
More information here: Onboard to the Microsoft Defender for Endpoint service
When using the unified agent for Server 2012R2 and 2016, you need to install the MSI and run the onboarding package. When the machine is onboarded in Defender for Endpoint, it will automatically sync to the designated subscription in Defender for Cloud/ Defender for Servers. In general, the order is the following:
- Onboard machine using available onboarding methods in MDE
- Enable direct onboarding in Defender for Cloud with Defender for Servers P1 enabled
- Machines will be synced automatically for licensing to Defender for Cloud
- Alert and recommendation experience is visible in Defender for Cloud
- The result is active Defender for Endpoint which is onboarded via GPO/ Configuration Manager or any other method – and licensing is billed via Defender for Servers P1.
With the new onboarding capability, there is more flexibility for organizations/ customers. It is good to see the Azure Arc agent is no longer a requirement for enrolling in MDE and getting the license for MDE since the standalone plan was removed some time ago.
Azure Arc is a good solution, but not perfect for some organizations. When there is no knowledge about Azure, it is a security risk when Azure Arc is not correctly configured with the IAM permissions/ landing zone design/ update management and Azure policy monitoring. When only using Defender for Endpoint, the new Direct onboarding capability is really nice and makes the deployment easier. I would still prefer the migration path to Azure Arc and to start learning the new options for managing on-premises servers. Update management is powerful in Azure Arc and Arc enables way more flexibility.
Currently, the setting is tenant-wide, so make sure the machines are checked before enabling the feature to avoid duplicate costs in the billing when extensions are missing or machines are connected as part of Log Analytics and onboarded to Defender for Endpoint.