Turn on Microsoft 365 Defender
- Microsoft 365 Defender
Microsoft 365 Defender unifies your incident response process by integrating key capabilities across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. This unified experience adds powerful features you can access in the Microsoft 365 security center.
Microsoft 365 Defender automatically turns on when eligible customers with the required permissions visit Microsoft 365 security center. Read this article to understand various prerequisites and how Microsoft 365 Defender is provisioned.
Check license eligibility and required permissions
A license to a Microsoft 365 security product generally entitles you to use Microsoft 365 Defender in Microsoft 365 security center without additional licensing cost. We do recommend getting a Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses that provides access to all supported services.
For detailed licensing information, read the licensing requirements.
Check your role
You must be a global administrator or a security administrator in Azure Active Directory to turn on Microsoft 365 Defender. View your roles in Azure AD
Microsoft 365 Defender aggregates data from the various supported services that you've already deployed. It will process and store data centrally to identify new insights and make centralized response workflows possible. It does this without affecting existing deployments, settings, or data associated with the integrated services.
To get the best protection and optimize Microsoft 365 Defender, we recommend deploying all applicable supported services on your network. For more information, read about deploying supported services.
Before starting the service
Before you turn on the service, the Microsoft 365 security center (security.microsoft.com) shows the Microsoft 365 Defender settings page when you select Incidents, Action center, or Hunting from the navigation pane. These navigation items are not shown if you are not eligible to use Microsoft 365 Defender.
Microsoft 365 Defender settings in Microsoft 365 security center
Starting the service
To turn on Microsoft 365 Defender, simply select Turn on Microsoft 365 Defender and apply the change. You can also access this option by selecting Settings (security.microsoft.com/settings) in the navigation pane and then selecting Microsoft 365 Defender.
If you don't see Settings in the navigation pane or couldn't access the page, check your permissions and licenses.
Data center location
Microsoft 365 Defender will store and process data in the same location used by Microsoft Defender for Endpoint. If you don't have Microsoft Defender for Endpoint, a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown in the screen.
Select Need help? in the Microsoft 365 security center to contact Microsoft support about provisioning Microsoft 365 Defender in a different data center location.
Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Azure Defender. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Defender for Endpoint in this manner.
Confirm that the service is on
Once the service is provisioned, it adds:
- Incidents management
- An action center for managing automated investigation and response
- Advanced hunting capabilities
Microsoft 365 security center with incidents management and other Microsoft 365 Defender capabilities
Getting Microsoft Defender for Identity data
To share Microsoft Defender for Identity data with Microsoft 365 Defender, ensure that Microsoft Cloud App Security and Microsoft Defender for Identity integration is turned on. Learn more about this integration.
To get answers to the most commonly asked questions about turning on Microsoft 365 Defender, read the FAQ.
Microsoft support staff can help provision or deprovision the service and related resources on your tenant. For assistance, select Need help? in the Microsoft 365 security center. When contacting support, mention Microsoft 365 Defender.
- Frequently asked questions
- Licensing requirements and other prerequisites
- Deploy supported services
- Microsoft 365 Defender overview
- Microsoft Defender for Endpoint overview
- Defender for Office 365 overview
- Microsoft Cloud App Security overview
- Microsoft Defender for Identity overview
- Microsoft Defender for Endpoint data storage