Microsoft 365 Defender overview


The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

Microsoft 365 Defender ( combines protection, detection, investigation, and response to email, collaboration, identity, and device threats, in a central portal.

Microsoft 365 Defender brings together functionality from existing Microsoft security portals, like Microsoft Defender Security Center and the Office 365 Security & Compliance center. The security center emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. This center includes:

  • Microsoft Defender for Office 365 Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.
  • Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization.
  • Microsoft 365 Defender is part of Microsoft’s Extended Detection and Response (XDR) solution that leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.

If you need information about what's changed from the Office 365 Security & Compliance center or the Microsoft Defender Security Center, see:


The Microsoft 365 security portal uses and enforces existing roles-based access, and will move each security model into the unified portal. Each converged workload has its own roles-based access. The roles already in the products will be converged into the Microsoft 365 security portal, automatically. However, roles and permissions for MCAS will still handled over in MCAS.

What to expect

All the security content that you use in the Office 365 Security and Compliance Center ( and the Microsoft Defender security center ( can now be found in the Microsoft 365 Defender.

Microsoft 365 Defender helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for:

  • Incidents & alerts
  • Hunting
  • Action center
  • Threat analytics

Microsoft 365 Defender emphasizes unity, clarity, and common goals as it merges Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination of:

  • Common building blocks
  • Common terminology
  • Common entities
  • Feature parity with other workloads


Microsoft 365 Defender will be accessible without any need for customers to take migration steps or purchase a new license. For example, this new portal will be accessible to administrators with an E3 subscription, just as it is to those with Microsoft Defender for Office 365 Plan 1 and Plan 2; however, Exchange Online Protection, or Defender for Office 365 Plan 1 customers will see only the security features their subscription license supports. The goal of the new center is to centralize security.

Unified investigations

Converging security centers creates a single place for investigating security incidents across Microsoft 365. A primary example is Incidents under Incidents & alerts on the quick launch of Microsoft 365 Defender.

The Incidents page in Microsoft 365 Defender.

Selecting an incident name displays a page that demonstrates the value of converging security centers.

Example of the Summary page for an incident in Microsoft 365 Defender

Along the top of an incident page, you'll see the Summary, Alerts, Devices, Users, Mailboxes, Investigations, and Evidence tabs. Select these tabs for more detailed information. For example, the Users tab displays information for users from converged workloads (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security) and a range of sources such as on-premises Active Directory Domain Services (AD DS), Azure Active Directory (Azure AD), and third-party identity providers. For more information, see investigate users.

Take the time to review the incidents in your environment, drill down into these tabs, and practice building an understanding of how to access the information provided for incidents for different kinds of threats.

For more information, see incidents in Microsoft 365 Defender.

Improved processes

Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. For example, unified settings.

Unified settings

clicked 'Roles' and opened the Settings page, which includes General settings, Permissions, APIs and Rules. Open Permissions and then Roles. Shows all roles.

Permissions & roles

Permissions & Roles page showing Endpoints roles & groups, Roles, and Device groups.

Access to Microsoft 365 Defender is configured with Azure Active Directory global roles or by using custom roles. For Defender for Endpoint, see Assign user access to Microsoft Defender Security Center. For Defender for Office 365, see Permissions in the Microsoft 365 compliance center and Microsoft 365 Defender.


Microsoft Defender for Endpoint in Microsoft 365 Defender supports granting access to managed security service providers (MSSPs) in the same that way access is granted in the Microsoft Defender security center.

Integrated reports

Reports are also unified in Microsoft 365 Defender. Admins can start with a general security report, and branch into specific reports about endpoints, email & collaboration. The links here are dynamically generated based upon workload configuration.

Quickly view your Microsoft 365 environment

The Home page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because Microsoft 365 Defender portal uses role-based access control, different roles will see cards that are more meaningful to their day to day jobs.

This at-a-glance information helps you keep up with the latest activities in your organization. Microsoft 365 Defender brings together signals from different sources to present a holistic view of your Microsoft 365 environment.

The cards fall into these categories:

  • Identities- Monitor the identities in your organization and keep track of suspicious or risky behaviors. Learn more about identity protection.
  • Data - Help track user activity that could lead to unauthorized data disclosure.
  • Devices - Get up-to-date information on alerts, breach activity, and other threats on your devices.
  • Apps - Gain insight into how cloud apps are being used in your organization. Learn more about Cloud App Security discovered apps.

Threat analytics with better data coverage

Track and respond to emerging threats with the following Microsoft 365 Defender threat analytics integrated experience:

  • Better data coverage between Microsoft Defender for Endpoint and Microsoft Defender for Office 365, making combined incident management, automatic investigation, remediation, and proactive or reactive threat hunting across-domain possible.
  • Email-related detections and mitigations from Microsoft Defender for Office 365, in addition to the endpoint data already available from Microsoft Defender for Endpoint.
  • A view of threat-related incidents which aggregate alerts into end-to-end attack stories across Microsoft Defender for Endpoint and Microsoft Defender for Office 365 to reduce the work queue, as well as simplify and speed up your investigation.
  • Attack attempts detected and blocked by Microsoft 365 Defender solutions. There's also data that you can use to drive preventive actions that mitigate the risk of further exposure and increase resilience.
  • Enhanced design that puts actionable information in the spotlight to help you quickly identify data to urgently focus on, investigate, and leverage from the reports.

A centralized Learning Hub

Microsoft 365 Defender portal includes a learning hub that bubbles up official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at

Inside the learning hub, Email & Collaboration (Microsoft Defender for Office 365) guidance is side-by-side with Endpoint (Microsoft Defender for Endpoint) and Microsoft 365 Defender learning resources.

The learning hub opens with Learning paths organized around topics such as “How to Investigate Using Microsoft 365 Defender?” and “Microsoft Defender for Office 365 Best Practices”. This section is currently curated by the security Product Group inside Microsoft. Each Learning path reflects a projected time it takes to get through the concepts. For example 'Steps to take when a Microsoft Defender for Office 365 user account is compromised' is projected to take 8 minutes, and is valuable learning on the fly.

After clicking through to the content, it may be useful to bookmark this site and organize bookmarks into a 'Security' or 'Critical' folder. To see all Learning paths, click the Show all link in the main panel.


There are helpful filters along the top of Microsoft 365 Defender learning hub that will let you choose between products (currently Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365). Notice that the number of learning resources for each section is listed, which can help learners keep track of how many resources they have at hand for training and learning.

Along with the Product filter, current topics, types of resources (from videos to webinars), levels of familiarity or experience with security areas, security roles, and product features are listed.


There are lots of other learning opportunities in Microsoft Learn. You'll find certification training such as Course MS-500T02-A: Implementing Microsoft 365 Threat Protection.

Send us your feedback

We need your feedback. We're always looking to improve, so if there's something you'd like to see, send us your Microsoft 365 Defender feedback.

You can also leave feedback from this article. In the 'Feedback' section at the end under 'Submit and view feedback for', the options are This product, or This page.

Use the This product button for product feedback:

  1. Select This product at the bottom of the article.
    1. Right-click the button and 'Open in a new tab' if you want to keep reading these directions.
  2. This will navigate to the UserVoice forum.
  3. You have 2 options:
    1. Scroll down to the text box How can we improve compliance or protect your users better in Office 365? and paste in Microsoft 365 Defender. You can search the results for an idea like yours and up-vote it, or use the button for Post a new idea.
    2. If you feel certain this issue is already reported, and want to raise its profile with a vote (or votes), use the Give Feedback box on the right side of UserVoice. Search for Microsoft 365 Defender, find the issue, and use the vote button to raise its status.

Use This page for feedback on the article itself. Thanks for your feedback. Your voice helps us improve products.

Explore what the security center has to offer

Keep exploring the features and capabilities in Microsoft 365 Defender: