Most tenants accumulate device inventory debt over time. Decommissioned VMs, test machines someone joined to Entra ID and never cleaned up, AVD hosts deleted without offboarding. They sit in Defender doing nothing except skewing your Secure Score.
Microsoft Sentinel, Defender XDR, Security Operations, SOC, Microsoft 365
The data plane stays put, in your Log Analytics workspace. The operator surface moves to security.microsoft.com, and the friction sits in RBAC, KQL scope, and incident schema. Here's what to watch.
Your GPOs have been quietly running the show for fifteen years. They work. But they were designed for a world where every device is on-premises. That world is shrinking fast.
Most inherited tenants sit somewhere between 28 and 45. The controls are there, they've just never been touched. Here's what actually moves the needle.