I always find Azure Active Directory (Entra ID) dynamic groups much easier to use when assigning policies, for example Defender for Endpoint onboarding policies via Intune. Each rule below adds a user to the group when one of the user's assigned plans carries the given service plan ID and that plan's capabilityStatus is Enabled, so a plan that is suspended or deleted does not count.
Microsoft Defender for Endpoint (Plan 2, included with M365) licensed user rule syntax:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "871d91ec-ec1a-452b-a83f-bd76c7d770ef" -and assignedPlan.capabilityStatus -eq "Enabled")
Microsoft Defender for Endpoint Plan 1 licensed user rule syntax:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "292cc034-7b7c-4950-aaf5-943befd3f1d4" -and assignedPlan.capabilityStatus -eq "Enabled")
Microsoft Endpoint DLP licensed user rule syntax:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "64bfac92-2b17-4482-b5e5-a0304429de3e" -and assignedPlan.capabilityStatus -eq "Enabled")
Microsoft Defender Vulnerability Management add-on licensed user rule syntax:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "36810a13-b903-490a-aa45-afbeb7540832" -and assignedPlan.capabilityStatus -eq "Enabled")
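As an added example (not code from the original post), the following Microsoft Graph PowerShell script creates all four licence-based dynamic groups with the rules above and then evaluates the same predicate locally against every user's assignedPlans, so the members Entra ID computed can be compared with the members you expect. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to Group.ReadWrite.All and User.Read.All; the group display names and mail nicknames are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes the Microsoft.Graph module is installed; group names are placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Service plan IDs as given in the post, keyed by a made-up group name.
$plans = [ordered]@{
    "DYN-MDE-P2-Licensed"      = "871d91ec-ec1a-452b-a83f-bd76c7d770ef"
    "DYN-MDE-P1-Licensed"      = "292cc034-7b7c-4950-aaf5-943befd3f1d4"
    "DYN-EndpointDLP-Licensed" = "64bfac92-2b17-4482-b5e5-a0304429de3e"
    "DYN-MDVM-Addon-Licensed"  = "36810a13-b903-490a-aa45-afbeb7540832"
}

function New-LicenseRule {
    param([string]$ServicePlanId)
    # Straight double quotes only; curly quotes pasted from a web page are rejected by the rule parser.
    'user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled")' -f $ServicePlanId
}

# Create one security group per service plan with dynamic membership switched on.
$groups = @{}
foreach ($name in $plans.Keys) {
    $params = @{
        DisplayName                   = $name
        Description                   = "Users whose service plan $($plans[$name]) is Enabled (dynamic)"
        MailEnabled                   = $false
        MailNickname                  = ($name -replace '[^A-Za-z0-9]', '').ToLower()
        SecurityEnabled               = $true
        GroupTypes                    = @("DynamicMembership")
        MembershipRule                = New-LicenseRule -ServicePlanId $plans[$name]
        MembershipRuleProcessingState = "On"
    }
    $groups[$name] = New-MgGroup @params
}

# Evaluate the rule's predicate locally: a user qualifies when any assigned plan
# has the wanted servicePlanId AND capabilityStatus Enabled (Suspended/Deleted do not count).
function Get-ExpectedMembers {
    param([string]$ServicePlanId)
    Get-MgUser -All -Property Id, UserPrincipalName, AssignedPlans |
        Where-Object {
            $_.AssignedPlans | Where-Object {
                $_.ServicePlanId -eq $ServicePlanId -and $_.CapabilityStatus -eq "Enabled"
            }
        }
}

# Compare expected members with what Entra ID has computed so far. Dynamic
# membership processing is asynchronous, so "not yet added" is normally non-zero
# right after creation and should drop to zero once processing completes.
foreach ($name in $plans.Keys) {
    $expected = @(Get-ExpectedMembers -ServicePlanId $plans[$name])
    $actual   = @(Get-MgGroupMember -GroupId $groups[$name].Id -All)
    $missing  = @($expected | Where-Object { $_.Id -notin $actual.Id })
    "{0}: expected {1}, in group {2}, not yet added {3}" -f $name, $expected.Count, $actual.Count, $missing.Count
    $missing | Select-Object -ExpandProperty UserPrincipalName
}
```

Re-run the last loop after the group's membership processing has finished (the group's Properties page in the portal shows the processing state); a persistent mismatch usually means the rule was saved with the wrong quotes or the user's plan is in a non-Enabled capabilityStatus.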