Configure managed security service provider integration

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

To enable the managed security service provider (MSSP) integration, follow the guidance in this article.

Note

The following terms are used in this article to distinguish between the service provider and service consumer:

  • MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
  • MSSP customers: Organizations that engage the services of MSSPs.

The integration allows MSSPs to take the following actions:

  • Get access to the MSSP customer's Microsoft Defender portal
  • Get email notifications
  • Fetch alerts through security information and event management (SIEM) tools

Before MSSPs can take these actions, the MSSP customer needs to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal.

Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, the MSSP or customer can do the other configuration steps. In general, these are the configuration steps to complete:

| Step | Who does it |
|---|---|
| Grant the MSSP access to Microsoft Defender XDR. This action grants the MSSP access to the MSSP customer's Defender for Endpoint tenant. | MSSP customer |
| Configure alert notifications sent to MSSPs. This action lets the MSSPs know what alerts they need to address for the MSSP customer. | MSSP customer or MSSP |
| Fetch alerts from MSSP customer's tenant into SIEM system. This action allows MSSPs to fetch alerts in SIEM tools. | MSSP |
| Fetch alerts from MSSP customer's tenant using APIs. This action allows MSSPs to fetch alerts using APIs. | MSSP |

Multi-tenant access for MSSPs

For information on how to implement multitenant delegated access, see Multi-tenant access for Managed Security Service Providers.
