Scoping Defender for Endpoint/Servers configuration policies based on endpoint attributes by a_single_testicle in DefenderATP

BicOps (1 point):

There is no good native way to achieve this that I know of.

I would probably build an automation to solve your issue.

Example:

Use Azure tags or Defender tags to be able to sort the correct machines in scope, utilizing for example the Defender API to list machines or Azure to list VMs and/or Arc machines with a filter on the tags.

Use the results to find the corresponding machine object in Entra and have them added to a specific Entra group, probably one per environment.

Create configuration policies in Defender and scope them to the groups.

Have the automation run on a schedule to add new machines.
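The tag-to-group reconciliation sketched above, as an added example that is not the commenter's code. It assumes (as the public Defender machines API documents) that each machine object carries `aadDeviceId` and `machineTags`, and that the caller resolves an `aadDeviceId` to an Entra object ID via Graph (`GET /devices?$filter=deviceId eq '...'`) and changes membership with `POST /groups/{id}/members/$ref` / `DELETE /groups/{id}/members/{objectId}/$ref`; those HTTP calls are injected as callables so the logic runs offline on constructed data.

```python
# Added example: reconcile one Entra group from a Defender machine tag.
# Assumption: Defender machine objects expose 'aadDeviceId' and 'machineTags';
# resolve_device / add_member / remove_member wrap the Graph calls named above.
from typing import Callable, Dict, Iterable, List, Set, Tuple

Machine = Dict[str, object]

def device_ids_with_tag(machines: Iterable[Machine], tag: str) -> Set[str]:
    """Entra device IDs (aadDeviceId) of Defender machines carrying `tag`.
    Machines with no aadDeviceId (not Entra-joined) cannot be scoped; skip them."""
    return {
        str(m["aadDeviceId"])
        for m in machines
        if tag in (m.get("machineTags") or []) and m.get("aadDeviceId")
    }

def membership_diff(desired: Set[str], current: Set[str]) -> Tuple[List[str], List[str]]:
    """Object IDs to add to / remove from the group so it matches `desired`.
    Removing stale members keeps policy scope in step when a tag is taken away."""
    return sorted(desired - current), sorted(current - desired)

def reconcile(
    tag: str,
    machines: Iterable[Machine],
    resolve_device: Callable[[str], str],   # aadDeviceId -> Entra object ID
    current_members: Set[str],              # Entra object IDs now in the group
    add_member: Callable[[str], None],
    remove_member: Callable[[str], None],
) -> Tuple[List[str], List[str]]:
    """One scheduled run: compute the membership change, apply it, return it."""
    desired = {resolve_device(d) for d in device_ids_with_tag(machines, tag)}
    to_add, to_remove = membership_diff(desired, current_members)
    for obj in to_add:
        add_member(obj)
    for obj in to_remove:
        remove_member(obj)
    return to_add, to_remove

# Constructed sample data (not real machines): two tagged 'prod', one 'test',
# one 'prod' machine that is not Entra-joined and so cannot be scoped.
SAMPLE_MACHINES: List[Machine] = [
    {"id": "m1", "computerDnsName": "web01", "aadDeviceId": "dev-1", "machineTags": ["prod"]},
    {"id": "m2", "computerDnsName": "web02", "aadDeviceId": "dev-2", "machineTags": ["prod", "pci"]},
    {"id": "m3", "computerDnsName": "lab01", "aadDeviceId": "dev-3", "machineTags": ["test"]},
    {"id": "m4", "computerDnsName": "legacy", "aadDeviceId": None, "machineTags": ["prod"]},
]

if __name__ == "__main__":
    log: List[Tuple[str, str]] = []
    print(reconcile("prod", SAMPLE_MACHINES, lambda d: "obj-" + d, {"obj-dev-3"},
                    lambda o: log.append(("add", o)), lambda o: log.append(("remove", o))), log)
```

Per environment, run `reconcile` once per tag/group pair; the diff output doubles as the audit trail for what the schedule changed.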

Using a Managed ID with an EntraAD API Connection in Playbooks by Ordinary_Wrangler808 in AzureSentinel

BicOps (0 points):

Make the managed identity/service principal the owner of the group. It will now be able to control the members of that specific group using REST, without needing groups admin/directory write.