Deploy threat protection capabilities across Microsoft 365 E5

This solution describes powerful threat protection capabilities in Microsoft 365 E5 and why threat protection is important. Get an overview of threat protection in Microsoft 365 E5 and see how to approach setup and configuration for your organization.

Why threat protection is important

Malware, and sophisticated cyberattacks, such as fileless threats, are a common occurrence. Businesses need to protect themselves and their customers with effective IT security capabilities. Cyberattacks can cause major problems for your organization, ranging from a loss of trust to financial woes, business-threatening downtime, and more. Protecting against threats is important, but it can be challenging to determine where to focus your organization's time, effort, and resources. Microsoft 365 E5 can help.

Threat protection in Microsoft 365 E5

Microsoft security solutions are built into our products and services. Automation and machine learning capabilities reduce the load on your security teams to make sure the right items are addressed. The strength of Microsoft security solutions is built on trillions of signals we process every day in our Intelligent Security Graph. Microsoft 365 security solutions include Microsoft 365 Defender, a solution that brings together signals across your email, data, devices, and identities to paint a picture of advanced threats against your organization.

Microsoft 365 E5 enables you to protect your organization with adaptive, built-in intelligence. With the security capabilities in Microsoft 365 E5, you can detect and investigate advanced threats, compromised identities, and malicious actions across your environment (on-premises and in the cloud).

Better protection with integration

In Microsoft 365 E5, threat protection capabilities are integrated by default. Signals from each capability add strength to the overall ability to detect and respond to threats. The combined set of capabilities offers the best protection for organizations, especially multi-national organizations, compared to running non-Microsoft products. The following image depicts the threat protection services and capabilities that are described in this article.

Overview of Microsoft 365 Defender

Microsoft 365 Defender brings the signals and data together into a unified Microsoft 365 security center.

Conceptual illustration of Microsoft 365 Defender dashboard

Deployment overview

The following illustration depicts a recommended path for deploying these individual capabilities.

M365 threat protection signals

Watch this video for an overview of the deployment process.

The following table describes the various solutions/capabilities to configure and what they do.

Step Solution/capabilities Description
1 Multi-factor authentication and Conditional Access Protect against compromised identities and devices. Begin with this protection because it's foundational. The configuration recommended in this guidance includes Azure AD Identity Protection as a prerequisite. For more information, see Azure AD Identity Protection.
2 Microsoft Defender for Identity A cloud-based security solution that uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Focus on Microsoft Defender for Identity next because it protects your on-premises and cloud infrastructure, has no dependencies or prerequisites, and can provide immediate security benefits. For more information, see What is Identity Protection?.
3 Microsoft 365 Defender Combines signals and orchestrates capabilities into a single solution. Enables security professionals to stitch together threat signals and determine the full scope and impact of a threat. Microsoft 365 Defender takes automatic actions to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities. For more information, see Microsoft 365 Defender.
4 Microsoft Defender for Office 365 Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Protects against malware, phishing, spoofing, and other attack types. Configuring Microsoft Defender for Office 365 is recommended because change control, migrating settings from incumbent system, and other considerations can take longer to deploy. For more information, see Microsoft Defender for Office 365.
5 Microsoft Defender for Endpoint Helps prevent, detect, investigate, and respond to advanced threats across devices (also referred to as endpoints). Defender for Endpoint is a robust threat protection offering. For more information, see Microsoft Defender for Endpoint.
6 Microsoft Cloud App Security A cloud access security broker for discovery, investigation, and governance. You can enable Microsoft Cloud App Security early to begin collecting data and insights. Implementing information and other targeted protection across your SaaS apps involves planning and can take more time. For more information, see What is Cloud App Security?


Organizations who have multiple security teams can implement capabilities in parallel. For example, one team can configure Defender for Office 365 while another team configures Defender for Endpoint. Configuration doesn't have to follow our suggested order exactly.

Plan to deploy your threat protection solution

The following diagram illustrates the high-level process for deploying threat protection capabilities.

Process for deploying threat protection capabilities

To make sure your organization has the best protection possible, set up and deploy your security solution with a process that includes the following steps:

  1. Set up multi-factor authentication and Conditional Access policies.
  2. Configure Microsoft Defender for Identity.
  3. Turn on Microsoft 365 Defender.
  4. Configure Defender for Office 365.
  5. Configure Microsoft Defender for Endpoint.
  6. Configure Microsoft Cloud App Security.
  7. Monitor status and take actions.
  8. Train users.

Your threat protection features can be configured in parallel, so if you have multiple network security teams responsible for different services, they can configure your organization’s protection features at the same time.

Next step

Continue to Configure threat protection capabilities across Microsoft 365.