Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.
Applies to:
- Microsoft 365 Defender
Important
Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft 365 Defender integrates various Microsoft security services to provide centralized detection, prevention, and investigation capabilities against sophisticated attacks. This article describes the supported services, their licensing requirements, the advantages and limitations associated with deploying one or more services, and links to how you can fully deploy them individually.
Supported services
A Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses provides access to the following supported services and entitles you to use Microsoft 365 Defender. See licensing requirements
| Supported service | Description |
|---|---|
| Microsoft Defender for Endpoint | Endpoint protection suite built around powerful behavioral sensors, cloud analytics, and threat intelligence |
| Microsoft Defender for Office 365 | Advanced protection for your apps and data in Office 365, including email and other collaboration tools |
| Microsoft Defender for Identity | Defend against advanced threats, compromised identities, and malicious insiders using correlated Active Directory signals |
| Microsoft Defender for Cloud Apps | Identify and combat cyberthreats across your Microsoft and third-party cloud services |
Deployed services and functionality
Microsoft 365 Defender provides better visibility, correlation, and remediation as you deploy more supported services.
Benefits of full deployment
To get the complete benefits of Microsoft 365 Defender, we recommend deploying all supported services. Here are some of the key benefits of full deployment:
- Incidents are identified and correlated based on alerts and event signals from all available sensors and service-specific analysis capabilities
- Automated investigation and remediation (AIR) playbooks apply across various entity types, including devices, mailboxes, and user accounts
- A more comprehensive advanced hunting schema can be queried for event and entity data from devices, mailboxes, and other entities
Limited deployment scenarios
Each supported service that you deploy provides an extremely rich set of raw signals as well as correlated information. While limited deployment doesn’t cause Microsoft 365 Defender functionality to turn off, its ability to provide comprehensive visibility across your endpoints, apps, data, and identities is affected. At the same time, any remediation capabilities only apply to entities that can be managed by the services you’ve deployed.
The table below lists how each supported service provides additional data, opportunities to obtain additional insight by correlating the data, and better remediation and response capabilities.
| Service | Data (signals & correlated info) | Remediation & response scope |
|---|---|---|
| Microsoft Defender for Endpoint | – Endpoint states and raw events – Endpoint detections and alerts, including antivirus, EDR, attack surface reduction – Info on files and other entities observed on endpoints |
Endpoints |
| Microsoft Defender for Office 365 | – Mail and mailbox states and raw events – Email, attachment, and link detections |
– Mailboxes – Microsoft 365 accounts |
| Microsoft Defender for Identity | – Active Directory signals, including authentication events – Identity-related behavioral detections |
Identities |
| Microsoft Defender for Cloud Apps | – Detection of unsanctioned cloud apps and services (shadow IT) – Exposure of data to cloud apps – Threat activity associated with cloud apps |
Cloud apps |
Deploy the services
Deploying each service typically requires provisioning to your tenant and some initial configuration. See the following table to understand how each of these services are deployed.
| Service | Provisioning instructions | Initial configuration |
|---|---|---|
| Microsoft Defender for Endpoint | Microsoft Defender for Endpoint deployment guide | See provisioning instructions |
| Microsoft Defender for Office 365 | None, provisioned with Office 365 | Configure Microsoft Defender for Office 365 policies |
| Microsoft Defender for Identity | Quickstart: Create your Microsoft Defender for Identity instance | See provisioning instructions |
| Microsoft Defender for Cloud Apps | None | Quickstart: Get started with Microsoft Defender for Cloud Apps |
Once you’ve deployed the supported services, turn on Microsoft 365 Defender.