Unable to Create Defender for Endpoint Device Groups (Machine Groups) for Web Content Filtering Scope – Tenant Shows Defender for Business Subscription State Despite MDE Plan 2 License

Niharika P 60 Reputation points
2026-06-18T15:41:48.7233333+00:00

Hi Team,

We are trying to configure Web Content Filtering in Microsoft Defender and scope the policy to a specific Device Group (Machine Group) instead of applying it to All devices in the organization.

As per Microsoft documentation, Device Groups can be created and managed under:

Settings → Endpoints → Permissions → Device Groups

and are supported in:

  • Microsoft Defender for Endpoint Plan 1
  • Microsoft Defender for Endpoint Plan 2

However, we are unable to locate the Device Groups/Machine Groups option in our tenant.

Tenant Licensing

Our tenant currently has the following licenses:

  • Microsoft Defender for Business – 38 licenses
  • Microsoft Defender for Endpoint Plan 1 – 1 license
  • Microsoft Defender for Endpoint Plan 2 – 1 license

The user account being used for administration:

  • Has the Microsoft Defender for Endpoint Plan 2 license assigned
  • Has Global Administrator permissions
  • Has Security Administrator permissions

Observation

Under Settings → Endpoints → Licenses, the portal displays:

Subscription State: Microsoft Defender for Business

and

All devices in the tenant will get Defender for Business protection.

We are able to create Device Groups while creating policies under:

Configuration Management → Device Configuration

For example, when creating Next-Generation Protection or Firewall policies, we can create and assign device groups.

However, these groups do not appear to be available for Web Content Filtering policy scoping.

Web Content Filtering Issue

When creating a Web Content Filtering policy:

Settings → Endpoints → Rules → Web Content Filtering

the Organizational Scope only shows:

All devices in my organization

We do not see any option to select or create Device Groups/Machine Groups as described in the Defender for Endpoint documentation.

Questions

  1. Does the presence of a larger number of Defender for Business licenses cause the tenant to operate in Defender for Business mode even when Defender for Endpoint Plan 2 licenses exist?
  2. Is the Subscription State = Microsoft Defender for Business the reason why the classic Defender for Endpoint Device Groups (Machine Groups) page is not available?
  3. Are Device Groups created under Configuration Management → Device Configuration equivalent to Defender for Endpoint Device Groups (Machine Groups) used for Web Content Filtering scoping?
  4. Can Web Content Filtering policies be scoped to Defender for Business device groups, or is the feature limited to Defender for Endpoint Device Groups?
  5. What licensing or configuration changes are required to make Device Groups available for Web Content Filtering policy assignment in this tenant?

Expected Outcome

We would like to create a Device Group/Machine Group and use it to scope a Web Content Filtering policy to a subset of devices instead of applying the policy tenant-wide.

We have attached screenshots showing:

  • Tenant licensing and Subscription State
  • Available Device Configuration Group functionality
  • Absence of Device Groups under Endpoints Permissions

Any clarification regarding how mixed Defender for Business and Defender for Endpoint Plan 2 licensing affects Device Group availability would be greatly appreciated.

Thank you.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

Answer accepted by question author

AI answer

2026-06-18T15:42:37.9566667+00:00
  1. In this tenant, Defender for Business is the active subscription state for endpoints. In Defender for Business, web content filtering is designed as a single, tenant‑wide policy. Device‑scoped web content filtering using Defender for Endpoint device groups is not available. The presence of Defender for Business therefore effectively puts the tenant into Defender for Business mode for endpoint capabilities, even if Defender for Endpoint Plan 1/Plan 2 licenses also exist.
  2. Yes. When the subscription state is Microsoft Defender for Business, the classic Defender for Endpoint Device groups (machine groups) experience under Settings → Endpoints → Permissions → Device groups is not used. Instead, Defender for Business manages device groups differently and exposes them only in the context of Defender for Business policies.
  3. No. The device groups that are created while editing policies under Configuration management → Device configuration in Defender for Business are not the same as Defender for Endpoint device groups (machine groups). They are specific to Defender for Business policy scoping and are created/managed only as part of those policies.
  4. Web content filtering in Defender for Business cannot be scoped to device groups. In Defender for Business there is a single web content filtering policy that is applied to all users/devices, and scoping to specific device groups is explicitly not supported:
    • “In Defender for Business, you can have one web content filtering policy applied to all users.”
    • “Apply the policy to all users. (Scoping to specific devices isn't available in Defender for Business.)”
  5. With the current subscription state of Microsoft Defender for Business, there is no supported configuration change that will enable Defender for Endpoint device groups for web content filtering in this tenant. To scope web content filtering by device group, the environment must be using Defender for Endpoint (Plan 1/Plan 2) device groups, but Defender for Business enforces an all‑users web content filtering model and does not expose device‑group scoping.

In this subscription state, the expected and supported behavior is:

  • Use Defender for Business device groups only for Defender for Business device protection policies (for example, next‑generation protection and firewall) created under Configuration management → Device configuration.
  • Use a single web content filtering policy that applies to all users/devices, without device‑level scoping.


1 additional answer

  1. Niharika P 60 Reputation points
    2026-06-19T08:32:20.65+00:00

    So what should I do now? If I want this Plan 2 to be used at the tenant level, what do I do, how do I do it, and how can I change that subscription state?
