Introduction to reporting in Microsoft 365 security center



Reporting in Microsoft 365 security center is split up into four categories:

  • Identities – user accounts and credentials
  • Data – email and document contents
  • Devices – computers, mobile phones, and other devices
  • Apps – programs and attached online services

In the Identities category of Reports, you can track:

  • Users with the most detected anomalies
  • How many users are reported at risk by conditional access policies
  • The number of global admins in your org

Identities reports

The Data category helps track user activity that could lead to unauthorized data disclosure. You can see:

  • Users who share the most files from cloud apps
  • How many Data Loss Prevention (DLP) policy matches occurred
  • How many DLP policy overrides or false positives are reported
  • How many DLP policy matches happened in third-party cloud services via Microsoft Cloud App Security

Data reports

The Devices category helps you confirm that devices are secure and up to date, and helps you spot potential threats. You can see:

  • Microsoft Defender Advanced Threat Protection (ATP) alerts, which may require an immediate response
  • Intune-enrolled device data, such as device compliance, devices with active malware, and types of malware on devices
  • Attack Surface Reduction rules, which help prevent actions that are used by exploit-seeking malware

Device compliance and malware detection reports

The Apps category provides more insight into how cloud apps are being used in your organization, including what kinds of apps are in use, their level of risk, and related alerts.

This includes:

  • Email accounts at risk
  • Apps discovered by Cloud App Security that have been granted permissions by users
  • Cloud Discovery reporting to show what kind of apps are being used
  • Cloud app activity locations
  • Azure Security Center alerts signaling infrastructure health

Cloud Security and Discovered Cloud Apps reports