Deploy supported services

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft 365 Defender integrates various Microsoft security services to provide centralized detection, prevention, and investigation capabilities against sophisticated attacks. This article describes the supported services, their licensing requirements, the advantages and limitations associated with deploying one or more services, and links to how you can fully deploy them individually.

Supported services

A Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses provides access to the following supported services and entitles you to use Microsoft 365 Defender. See licensing requirements

Supported service Description
Microsoft Defender for Endpoint Endpoint protection suite built around powerful behavioral sensors, cloud analytics, and threat intelligence
Microsoft Defender for Office 365 Advanced protection for your apps and data in Office 365, including email and other collaboration tools
Microsoft Defender for Identity Defend against advanced threats, compromised identities, and malicious insiders using correlated Active Directory signals
Microsoft Cloud App Security Identify and combat cyberthreats across your Microsoft and third-party cloud services

Deployed services and functionality

Microsoft 365 Defender provides better visibility, correlation, and remediation as you deploy more supported services.

Benefits of full deployment

To get the complete benefits of Microsoft 365 Defender, we recommend deploying all supported services. Here are some of the key benefits of full deployment:

  • Incidents are identified and correlated based on alerts and event signals from all available sensors and service-specific analysis capabilities
  • Automated investigation and remediation (AIR) playbooks apply across various entity types, including devices, mailboxes, and user accounts
  • A more comprehensive advanced hunting schema can be queried for event and entity data from devices, mailboxes, and other entities

Limited deployment scenarios

Each supported service that you deploy provides an extremely rich set of raw signals as well as correlated information. While limited deployment doesn’t cause Microsoft 365 Defender functionality to turn off, its ability to provide comprehensive visibility across your endpoints, apps, data, and identities is affected. At the same time, any remediation capabilities only apply to entities that can be managed by the services you’ve deployed.

The table below lists how each supported service provides additional data, opportunities to obtain additional insight by correlating the data, and better remediation and response capabilities.

Service Data (signals & correlated info) Remediation & response scope
Microsoft Defender for Endpoint - Endpoint states and raw events
- Endpoint detections and alerts, including antivirus, EDR, attack surface reduction
- Info on files and other entities observed on endpoints
Endpoints
Microsoft Defender for Office 365 - Mail and mailbox states and raw events
- Email, attachment, and link detections
- Mailboxes
- Microsoft 365 accounts
Microsoft Defender for Identity - Active Directory signals, including authentication events
- Identity-related behavioral detections
Identities
Microsoft Cloud App Security - Detection of unsanctioned cloud apps and services (shadow IT)
- Exposure of data to cloud apps
- Threat activity associated with cloud apps
Cloud apps

Deploy the services

Deploying each service typically requires provisioning to your tenant and some initial configuration. See the following table to understand how each of these services are deployed.

Service Provisioning instructions Initial configuration
Microsoft Defender for Endpoint Microsoft Defender for Endpoint deployment guide See provisioning instructions
Microsoft Defender for Office 365 None, provisioned with Office 365 Configure Microsoft Defender for Office 365 policies
Microsoft Defender for Identity Quickstart: Create your Microsoft Defender for Identity instance See provisioning instructions
Microsoft Cloud App Security None Quickstart: Get started with Microsoft Cloud App Security

Once you’ve deployed the supported services, turn on Microsoft 365 Defender.