Run your pilot Microsoft 365 Defender project


The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

This guide helps you run a pilot project by providing pointers to ensure you have a well-structured plan, guiding you through using the attack simulation feature, and finally concluding the pilot with key take-aways for you to reflect on and document results.

Phases in running a Microsoft 365 Defender pilot

Running a pilot helps you effectively determine the benefit of adoptiing Microsoft 365 Defender. Before enabling Microsoft 365 Defender in your production environment and starting your use cases, it's best to plan to determine the tasks to accomplish for your pilot project and set the success criteria.

How to use this pilot playbook

This guide provides an overview of Microsoft 365 Defender and step-by-step instructions on how to set up your pilot project.

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates protection, detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. It does so by combining and orchestrating the following capabilities into a single security solution:

  • Microsoft Defender for Endpoint (endpoints)
  • Microsoft Defender for Office 365 (email)
  • Microsoft Defender for Identity (identity)
  • Microsoft Cloud App Security (apps)

Image of_Microsoft 365 Defender solution for users, Microsoft Defender for Identity, for endpoints Microsoft Defender for Endpoint, for cloud apps, Microsoft Cloud App Security, and for data, Microsoft Defender for Office 365

With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App Security receive, and determine the full scope and impact of the threat, how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities. See the Microsoft 365 Defender overview for details.

The following sample timeline varies depending on having the right resources in your environment. Some detections and workflows might need more learning time than the others.

Sample timeline in running a Microsoft 365 Defender pilot


For optimum results, follow the pilot instructions as closely as possible.

Pilot playbook phases

There are four phases in running a Microsoft 365 Defender pilot:

Phase Description
~ 1 day
Learn what you need to consider before running your Microsoft 365 Defender pilot project:

- Scope
- Use cases
- Requirements
- Test plan
- Success criteria
- Scorecard
~2 days
Access Microsoft 365 Security Center to set up your Microsoft 365 Defender pilot environment. You'll be guided to:

- Identify stakeholders and seek sign-off for your pilot
- Environment considerations
- Access
- Azure Active Directory setup
- Configuration order
- Sign up for Microsoft 365 E5 Trial
- Configure domain
- Assign Microsoft 365 E5 licenses
- Complete the setup wizard in the portal
Attack simulation
~2 days
To simulate an attack, you'll be guided to:

- Verify the test environment requirements
- Run the simulation
- Investigate an incident
- resolve the incident
Closing and summary
~ 1 day
When you've reached the end of the process, you'll be guided to:

- Go through your final output
- Present your output to your stakeholders
- Provide feedback
- Take next steps

Next step

Planning phase Plan your Microsoft 365 Defender pilot project