Microsoft Defender for Office 365 in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

Quick reference

The table below lists the changes in navigation between the Security & Compliance Center and Microsoft 365 Defender.



Security & Compliance Center Microsoft 365 Defender Microsoft 365 compliance center Exchange admin center
Alerts Alerts page
Classification See Microsoft 365 compliance center
Data loss prevention See Microsoft 365 compliance center
Records management See Microsoft 365 compliance center
Information governance See Microsoft 365 compliance center
Threat management Email & Collaboration
Permissions Permissions & roles See Microsoft 365 compliance center
Mail flow See Exchange admin center
Data privacy See Microsoft 365 compliance center
Search Audit Search (content search)
Reports Report
Service assurance See Microsoft 365 compliance center
Supervision See Microsoft 365 compliance center
eDiscovery See Microsoft 365 compliance center

Microsoft 365 Defender at https://security.microsoft.com combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.

If you are familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes and improvements in Microsoft 365 Defender.

Learn more about the benefits: Overview of Microsoft 365 Defender

If you are looking for compliance-related items, visit the Microsoft 365 compliance center.

New and improved capabilities

The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this security center.

With the unified Microsoft 365 Defender solution, you can stitch together the threat signals and determine the full scope and impact of the threat, and how it's currently impacting the organization.

Image of Microsoft 365 Defender converged experience

Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

Image of Defender for Office 365

Incidents and alerts

Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.

The Alerts and Actions quick launch bar

Hunting

Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.

Custom detection rules can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.

Here is an example on advanced hunting in Microsoft Defender for Office 365.

Action center

Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft 365 Defender can help security teams by automatically responding to specific events.

Learn more about Action center.

Threat Analytics

Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:

  • Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.
  • Incidents view related to the threats.
  • Enhanced experience for quickly identifying and using actionable information in the reports.

You can access Threat analytics either from the upper left navigation bar in Microsoft 365 Defender, or from a dedicated dashboard card that shows the top threats for your organization.

Learn more about how to track and respond to emerging threats with threat analytics.

Email & collaboration

Track and investigate threats to your users' email, track campaigns, and more. If you've used the Security & Compliance Center, this will be familiar.

The quick launch menu for Email & Collab (or MSDO), on the left side of Microsoft 365 Defender.

Email entity page

The Email entity page unifies email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is centralized. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.

Access and Reports

View reports, change your settings, and modify user roles.

The quick launch menu for Microsoft 365 Defender permissions and reporting, on the left side of the security center.

Note

DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain. For Defender for Office 365 users, you can now manage and rotate DKIM keys through Microsoft 365 Defender: https://security.microsoft.com/threatpolicy, or navigate to Policy & rules > Threat policies > > Rules section > DKIM.

For more information, see Use DKIM to validate outbound email sent from your custom domain.

What's changed

This table is a quick reference of Threat management where change has occurred between the Security & Compliance center and the Microsoft 365 Defender portal. Click the links to read more about these areas.



Area Description of change
Investigation Brings together AIR capabilities in Defender for Office 365 and Defender for Endpoint. With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
Alert queue The View alerts flyout pane in the Security & Compliance Center now includes links to Microsoft 365 Defender. Click on the Open Alert Page link and Microsoft 365 Defender opens. You can access the View alerts page by clicking on any Office 365 alert in the Alerts queue.
Attack Simulation training Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.

No changes to these areas:

Also, check the Related Information section at the bottom of this article.

Important

The Microsoft 365 Defender portal (https://security.microsoft.com) combines security features in https://securitycenter.windows.com, and https://protection.office.com. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.

Tip

All Exchange Online Protection (EOP) functions will be included in Microsoft 365 Defender, as EOP is a core element of Defender for Office 365.

Microsoft 365 Defender Home page

The Home page of the portal surfaces important summary information about the security status of your Microsoft 365 environment.

Using the Guided tour you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.

Also included is a link to the Security & Compliance Center for comparison. The last link is to the What's New page that describes recent updates.