Microsoft 365 Defender


Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.

Microsoft 365 Defender services

Microsoft Defender for Endpoint
Microsoft Defender Vulnerability Management
Microsoft Defender for Office 365
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps

Microsoft 365 Defender interactive guide

In this interactive guide, you'll learn how to protect your organization with Microsoft 365 Defender. You'll see how Microsoft 365 Defender can help you detect security risks, investigate attacks to your organization, and prevent harmful activities automatically.

Check out the interactive guide

Microsoft 365 Defender protection

Microsoft 365 Defender services protect:

  • Endpoints with Defender for Endpoint - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
  • Assets with Defender Vulnerability Management - Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
  • Email and collaboration with Defender for Office 365 - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.
  • Identities with Defender for Identity and Azure Active Directory (Azure AD) Identity Protection - Defender for Identity uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure AD Identity Protection automates the detection and remediation of identity-based risks in your cloud-based Azure AD.
  • Applications with Microsoft Defender for Cloud Apps - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

Microsoft 365 Defender's unique cross-product layer augments the individual service components to:

  • Help protect against attacks and coordinate defensive responses across the services through signal sharing and automated actions.
  • Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining data on alerts, suspicious events and impacted assets to 'incidents'.
  • Automate response to compromise by triggering self-healing for impacted assets through automated remediation.
  • Enable security teams to perform detailed and effective threat hunting across endpoint and Office data.

Here's an example of how the Microsoft 365 Defender portal correlates all related alerts across products into a single incident.

The incident overview page

Here's an example of the list of related alerts for an incident.

The list of alerts for an incident

Here's an example of query-based hunting on top of email and endpoint raw data.

 The Advanced Hunting page with query details

Microsoft 365 Defender cross-product features include:

  • Cross-product single pane of glass in the Microsoft 365 Defender portal - A central view for all information on detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane in Microsoft 365 Defender portal.

  • Combined incidents queue - To help security professionals focus on what is critical by ensuring the full attack scope, impacted assets and automated remediation actions are grouped together and surfaced in a timely manner.

  • Automatic response to threats - Critical threat information is shared in real time between the Microsoft 365 Defender products to help stop the progression of an attack.

    For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it will instruct Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.

  • Self-healing for compromised devices, user identities, and mailboxes - Microsoft 365 Defender uses AI-powered automatic actions and playbooks to remediate impacted assets back to a secure state. Microsoft 365 Defender leverages automatic remediation capabilities of the suite products to ensure all impacted assets related to an incident are automatically remediated where possible.

  • Cross-product threat hunting - Security teams can leverage their unique organizational knowledge to hunt for signs of compromise by creating their own custom queries over the raw data collected by the various protection products. Microsoft 365 Defender provides query-based access to 30 days of historic raw signals and alert data across endpoint and Defender for Office 365 data.

Get started

Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 Defender portal at For more information, see:

The Microsoft 365 Defender portal

The Microsoft 365 Defender portal combines protection, detection, investigation, and response to email, collaboration, identity, device, and app threats, in a central place.

This single pane of glass brings together functionality from existing Microsoft security portals, like the Microsoft 365 Defender portal and the Office 365 Security & Compliance center. The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes:

  • Microsoft Defender for Office 365 Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.
  • Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization.
  • Microsoft 365 Defender is part of Microsoft's Extended Detection and Response (XDR) solution that leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.
  • Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS and PaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

If you need information about what's changed from the Office 365 Security & Compliance center or the Microsoft 365 Defender portal, see:


The Microsoft 365 Defender portal uses and enforces existing roles-based access, and will move each security model into the unified portal. Each converged workload has its own roles-based access. The roles already in the products will be converged into the Microsoft 365 Defender portal automatically. However, Microsoft Defender for Cloud Apps will still handle its own roles and permissions.

Watch this short video to learn about the new unified portal in Microsoft 365 Defender.

What to expect

All the security content that you use in the Office 365 Security & Compliance Center and the Microsoft 365 security center can now be found in the Microsoft 365 Defender portal.

The Microsoft 365 Defender portal helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for:

  • Incidents & alerts
  • Hunting
  • Action center
  • Threat analytics

Microsoft 365 Defender emphasizes unity, clarity, and common goals as it merges Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination of:

  • Common building blocks
  • Common terminology
  • Common entities
  • Feature parity with other workloads


The Microsoft 365 Defender portal is accessible without any need for customers to take migration steps or purchase a new license. For example, this new portal is accessible to administrators with an E3 subscription, just as it is to those with Microsoft Defender for Office 365 Plan 1 and Plan 2; however, Exchange Online Protection, or Defender for Office 365 Plan 1 customers see only the security features their subscription license supports. The goal of the portal is to centralize security.

Unified investigations

Centralizing security information creates a single place for investigating security incidents across Microsoft 365. A primary example is Incidents under Incidents & alerts on the quick launch of Microsoft 365 Defender.

The Incidents page in the Microsoft 365 Defender portal

Selecting an incident name displays a page that demonstrates the value of centralizing security information.

The Summary page for an incident in the Microsoft 365 Defender portal

Along the top of an incident page, you'll see the Summary, Alerts, Devices, Users, Mailboxes, Investigations, Evidence and response, and Graph tabs. Select these tabs for more detailed information. For example, the Users tab displays information for users from converged workloads (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps) and a range of sources such as on-premises Active Directory Domain Services (AD DS), Azure AD, and third-party identity providers. For more information, see investigate users.

Take the time to review the incidents in your environment, drill down into these tabs, and practice building an understanding of how to access the information provided for incidents for different kinds of threats.

For more information, see incidents in Microsoft 365 Defender.

Improved processes

Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. For example, unified settings.

Unified settings

The Settings page in the Microsoft 365 Defender portal

Permissions & roles

The Endpoints roles & groups displayed on the Permissions & roles page

Access to Microsoft 365 Defender is configured with Azure AD global roles or by using custom roles. For Defender for Endpoint, see Assign user access to the Microsoft 365 Defender portal. For Defender for Office 365, see Permissions in the Microsoft Purview compliance portal and Microsoft 365 Defender.


Microsoft Defender for Endpoint in Microsoft 365 Defender supports granting access to managed security service providers (MSSPs) in the same that way access is granted in the Microsoft 365 Defender portal.

Integrated reports

Reports are also unified in Microsoft 365 Defender. Admins can start with a general security report, and branch into specific reports about endpoints, email & collaboration. The links here are dynamically generated based upon workload configuration.

Quickly view your Microsoft 365 environment

The Home page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because Microsoft 365 Defender portal uses role-based access control, different roles will see cards that are more meaningful to their day to day jobs.

This at-a-glance information helps you keep up with the latest activities in your organization. Microsoft 365 Defender brings together signals from different sources to present a holistic view of your Microsoft 365 environment.

The cards fall into these categories:

Search across entities (Preview)


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The search bar is located at the top of the page. As you type, suggestions are provided so that it's easier to find entities. The enhanced search results page centralizes the results from all entities.

You can search across the following entities in Defender for Endpoint and Defender for Identity:

  • Devices - supported for both Defender for Endpoint and Defender for Identity. Supports use of search operators.

  • Users - supported for Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps.

  • Files, IPs, and URLs - same capabilities as in Defender for Endpoint.


    IP and URL searches are exact match and don't appear in the search results page – they lead directly to the entity page.

  • TVM - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations).

Threat analytics with better data coverage

Track and respond to emerging threats with the following Microsoft 365 Defender threat analytics integrated experience:

  • Better data coverage between Microsoft Defender for Endpoint and Microsoft Defender for Office 365, making combined incident management, automatic investigation, remediation, and proactive or reactive threat hunting across-domain possible.
  • Email-related detections and mitigations from Microsoft Defender for Office 365, in addition to the endpoint data already available from Microsoft Defender for Endpoint.
  • A view of threat-related incidents which aggregate alerts into end-to-end attack stories across Microsoft Defender for Endpoint and Microsoft Defender for Office 365 to reduce the work queue, as well as simplify and speed up your investigation.
  • Attack attempts detected and blocked by Microsoft 365 Defender solutions. There's also data that you can use to drive preventive actions that mitigate the risk of further exposure and increase resilience.
  • Enhanced design that puts actionable information in the spotlight to help you quickly identify data to urgently focus on, investigate, and leverage from the reports.

A centralized Learning Hub

Microsoft 365 Defender portal includes a learning hub that bubbles up official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at

Inside the learning hub, Email & Collaboration (Microsoft Defender for Office 365) guidance is side-by-side with Endpoint (Microsoft Defender for Endpoint) and Microsoft 365 Defender learning resources.

The learning hub opens with Learning paths organized around topics such as "How to Investigate Using Microsoft 365 Defender?" and "Microsoft Defender for Office 365 Best Practices". This section is currently curated by the security Product Group inside Microsoft. Each Learning path reflects a projected time it takes to get through the concepts. For example 'Steps to take when a Microsoft Defender for Office 365 user account is compromised' is projected to take 8 minutes, and is valuable learning on the fly.

After clicking through to the content, it may be useful to bookmark this site and organize bookmarks into a 'Security' or 'Critical' folder. To see all Learning paths, click the Show all link in the main panel.


There are helpful filters along the top of Microsoft 365 Defender learning hub that will let you choose between products (currently Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365). Notice that the number of learning resources for each section is listed, which can help learners keep track of how many resources they have at hand for training and learning.

Along with the Product filter, current topics, types of resources (from videos to webinars), levels of familiarity or experience with security areas, security roles, and product features are listed.


There are lots of other learning opportunities in Microsoft Learn. You'll find certification training such as Course MS-500T02-A: Implementing Microsoft 365 Threat Protection.

Send us your feedback

We need your feedback. We're always looking to improve, so if there's something you'd like to see, watch this video to find out how you can trust us to read your feedback.

You can also leave feedback from this article. In the 'Feedback' section at the end under 'Submit and view feedback for', the options are This product, or This page.

Use the This product button for product feedback:

  1. Select This product at the bottom of the article.
    1. Right-click the button and 'Open in a new tab' if you want to keep reading these directions.
  2. This will navigate to the UserVoice forum.
  3. You have 2 options:
    1. Scroll down to the text box How can we improve compliance or protect your users better in Office 365? and paste in Microsoft 365 Defender. You can search the results for an idea like yours and up-vote it, or use the button for Post a new idea.
    2. If you feel certain this issue is already reported, and want to raise its profile with a vote (or votes), use the Give Feedback box on the right side of UserVoice. Search for Microsoft 365 Defender, find the issue, and use the vote button to raise its status.

Use This page for feedback on the article itself. Thanks for your feedback. Your voice helps us improve products.

Explore what the Microsoft 365 Defender portal has to offer

Keep exploring the features and capabilities in Microsoft 365 Defender:

Training for security analysts

With this learning path from Microsoft Learn, you can understand Microsoft 365 Defender and how it can help identify, control, and remediate security threats.

Training: Detect and respond to cyber attacks with Microsoft 365 Defender
Microsoft 365 Defender training icon. Microsoft 365 Defender unifies threat signals across endpoints, identities, email, and applications to provide integrated protection against sophisticated cyber attacks. Microsoft 365 Defender is the central experience to investigate and respond to incidents and proactively search for ongoing malicious cyber security activities.

1 hr 38 min - Learning Path - 5 Modules

See also