Dynamic rules for device tagging in Microsoft Defender

Microsoft announced on 09-01-2024 that Dynamic device tagging rules is now generally available. While using dynamic rules, we can group (tag) devices based on certain values/parameters. This feels somehow the same as creating device groups in Defender for Endpoint.

As Microsoft describes, their are some benefits that come with dynamic tagging. The most important one to me is the “Set and forget” benefit. When deploying new machines for example: Deploying extra Azure Virtual Desktop workloads when needed (upscaling/downscaling).

Dynamic tagging benefits (and Examples)

  • “Set and forget” convenience: Dynamic tags simplify tag management, saving valuable time and effort for security teams. Automating tagging with dynamic rules reduces manual efforts, minimizing management overhead, and ensures accurate and up-to-date device classification for enhanced security insights. 

This is the most important one to me. It now tags devices automatically based on these tags. For example: Deploying extra Azure Virtual Desktop workloads when needed (upscaling/downscaling).

  • Optimized device management: Dynamic tags facilitate efficient device tracking and management, enabling organizations to monitor devices effectively and allocate resources with streamlined processes. 

I really like ordering devices based on tags, groups or similar roles. These dynamic rules could be used to group devices. Here are some examples:

Filter all domain controllers.

Filter all AAD joined devices.

Filter all devices which are not onboarded yet, but can be onboarded.

Filter all devices which are internet facing but are not onboarded to Defender (yet).

  • Proactive compliance management: Dynamic tags can simplify compliance by automatically categorizing non-compliant devices, proactively identifying risks, and ensuring a continuous and compliant security posture. 

Create a dynamic device tag

1: Go to https://security.microsoft.com -> Settings ->
Microsoft Defender XDR -> Asset Rule Management ->

2: Click Create a new rule.

3: Give your Rule a common name

4: Create rule conditions. These depend on your personal needs. I this case i tag all devices starting with JVL as their device name and are AAD Joined. The devices with this conditions are my Modern Workplace devices.

5: Create a common tag name.

6: Click Submit and Done

On the Review and finish page it should give you an indicator or devices which are affected by the conditions. If the selected devices is not what you expected their might be something wrong with your conditions.

Review tags

There might be some delay while filling the tags and assigning these to the devices. In my case it took around 15 minutes before the tags where actually filled and assigned to devices.

After a while the tags where filled and assigned to the devices:

Read the official Microsoft announcement here: Microsoft Defender | Dynamic rules for tagging devices.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

4 × five =