Microsoft 365 Defender / Microsoft Defender - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Sunday, July 30, 2023

Microsoft 365 Defender / Microsoft Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Here's a list of the different Microsoft 365 Defender products and solutions that Microsoft 365 Defender coordinates with:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender Vulnerability Management
  • Azure Active Directory Identity Protection
  • Microsoft Data Loss Prevention
  • App Governance

Related Posts:

Microsoft 365 Defender is an XDR solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoint, email, applications, and identities.

Role & Permissions

1. Subscription level - reader role
2. User level - assignement 
  • Global reader
  • Security reader

For Defender for cloud, it will have a chance to request tenant-level permissions. 

Microsoft 365 Defender Protection

Zero Trust

In the illustration: Microsoft 365 Defender provides XDR capabilities for protecting:

  • Endpoints, including laptops and mobile devices
  • Data in Office 365, including email
  • Cloud apps, including other SaaS apps that your organization uses
  • On-premises Active Directory Domain Services (AD DS) and Active Directory Federated Services (AD FS) servers

Microsoft 365 Defender helps you apply the principles of Zero Trust in the following ways:

Zero Trust principleMet by
Verify explicitlyMicrosoft 365 Defender provides XDR across users, identities, devices, apps, and emails.
Use least privileged accessIf used with Azure Active Directory (Azure AD) Identity Protection, Microsoft 365 Defender blocks users based on the level of risk posed by an identity. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender and is included with Azure AD Premium P2.
Assume breachMicrosoft 365 Defender continuously scans the environment for threats and vulnerabilities. It can implement automated remediation tasks, including automated investigations and isolating endpoints.

Learn more about Zero Trust for Microsoft 365 Defender services:

Microsoft 365 Defender services protect:

  • Endpoints with Defender for Endpoint - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
  • Assets with Defender Vulnerability Management - Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
  • Email and collaboration with Defender for Office 365 - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.
  • Identities with Defender for Identity and Azure Active Directory (Azure AD) Identity Protection - Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure AD Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users.
  • Applications with Microsoft Defender for Cloud Apps - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

Microsoft 365 Defender Services

Security portals

Security operators and admins can go to the following portals to manage security-specific settings, investigate possible threat activities, respond to active threats, and collaborate with IT admins to remediate issues.

Portal nameDescriptionLink
Microsoft 365 Defender portalMonitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with Microsoft 365
Microsoft Defender Security CenterMonitor and respond to threat activity on your endpoints using capabilities provided with Microsoft Defender for EndpointNOTE: Most tenants should now be redirected to the Microsoft 365 Defender portal at
Office 365 Security & Compliance CenterManage Exchange Online Protection and Microsoft Defender for Office 365 to protect your email and collaboration services, and ensure compliance to various data-handling regulations. NOTE: Most tenants using the security sections of the Office 365 Security & Compliance Center should now be redirected to the Microsoft 365 Defender portal at
Defender for Cloud portalUse Microsoft Defender for Cloud to strengthen the security posture of your data centers and your hybrid workloads in the
Microsoft Defender for Identity portalIdentify, detect, and investigate advanced threats, compromised identities, and malicious insider actions using Active Directory signals with Microsoft Defender for
Defender for Cloud Apps portalUse Microsoft Defender for Cloud Apps to get rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats on cloud
Microsoft Security Intelligence portalGet security intelligence updates for Microsoft Defender for Endpoint, submit samples, and explore the threat

Portals for other workloads

While these portals are not specifically for managing security, they support various workloads and tasks that can impact your security. Visit these portals to manage identities, permissions, device settings, and data handling policies.

Portal nameDescriptionLink
Entra portalAccess and administer the Microsoft Entra family to protect your business with decentralized identity, identity protection, governance, and more, in a multi-cloud
Azure portalView and manage all your Azure
Azure Active Directory portalView and manage Azure Active
Microsoft Purview compliance portalManage data handling policies and ensure compliance with
Microsoft 365 admin centerConfigure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365
Microsoft Intune admin centerUse Microsoft Intune to manage and secure devices. Can also combine Intune and Configuration Manager
Microsoft Intune portalUse Microsoft Intune to deploy device policies and monitor devices for

Plan and Pricing


Microsoft Defender for Endpoint

Microsoft Defender for Endpoint Plan 1 and 2, Defender for Business, and Microsoft 365 Business Premium don't include server licenses. Servers require an additional license, such as:

Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Servers. You can onboard servers automatically, have servers monitored by Microsoft Defender for Cloud appear in Defender for Endpoint, and conduct detailed investigations as a Microsoft Defender for Cloud customer. For more information please go to Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint


  • Patrick Mercier
  • Clean up Domain Controller DNS Records with Powershell - Scripting Blog (
  • PowerShell Active Directory DNS - Using Windows PowerShell to remove Stale / Dead Domain Controller records
  • - GitHub - microsoft/Microsoft-Defender-for-Identity-Sizing-Tool
  • Group Managed Service Accounts Overview | Microsoft Docs
  • Microsoft Defender for Identity security alert guide
  • This article provides a list of the security alerts issued by Microsoft Defender for Identity.
  • Azure-Advanced-Threat-Protection/Auditing at master · microsoft/Azure-Advanced-Threat-Protection
  • Additional Resources to improve Customer Experience with Azure Advanced Threat Protection - Azure-Advanced-Threat-Protection/Auditing at master · microsoft/Azure-Advanced-Threat-Protection

GitHub - microsoft/DefendTheFlag: Get started fast with a built out lab, built from scratch via Azure Resource Manager (ARM) and Desired State Configuration (DSC), to test out Microsoft's security ...

No comments:

Post a Comment