Microsoft Defender 365 Security Guide
Enterprise guide to Defender for Endpoint, Office 365, Identity, Cloud Apps, XDR unified portal, automated investigation, Sentinel integration, and deployment roadmap.
Microsoft Defender 365 is the unified XDR (Extended Detection and Response) platform covering Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This guide covers deployment, the top 10 misconfiguration findings from enterprise audits, Sentinel integration, and licensing.
Key Facts
- Microsoft Defender XDR unifies endpoint, email, identity, and cloud app security into a single portal at security.microsoft.com.
- Defender for Office 365 Plan 2 is included in M365 E5 ($57/user/month) or available as a standalone add-on ($5.00/user/month).
- Defender for Endpoint Plan 2 is included in M365 E5 or available standalone ($5.20/user/device/month).
- EPC Group enterprise audits find 20–40% of devices are not enrolled in Defender for Endpoint — the most common endpoint gap.
- Automated investigation and response (AIR) in Defender for Endpoint resolves the majority of endpoint alerts without analyst intervention when configured correctly.
What Is Microsoft Defender 365?
What is Microsoft Defender 365 and what does it protect? Microsoft Defender 365, now known as Microsoft Defender XDR, is a unified platform for extended detection and response. It provides protection in several important areas:
- Threat detection
- Incident response
- Data protection
- Compliance management
- Threat detection
- Incident response
- Data loss prevention
- Endpoints: Device antivirus, EDR, and attack surface reduction through Defender for Endpoint.
- Email: Anti-phishing, safe attachments, and safe links via Defender for Office 365.
- Identities: Active Directory threat detection with Defender for Identity.
- Cloud Applications: SaaS shadow IT discovery and session controls using Defender for Cloud Apps.
The XDR portal correlates signals from all products into unified incidents. It also automates investigation and response, reducing mean time to detect from days to minutes.
Microsoft Defender 365 is the security foundation of the Microsoft 365 enterprise stack. If your organization uses Microsoft 365 E3 or E5, you likely have access to many of its features. However, many organizations only use a small part of what they are licensed for. This gap between licensed features and actual setup can create opportunities for attackers.
EPC Group has deployed and optimized Microsoft 365 security for enterprise organizations across healthcare (HIPAA), financial services (SOC 2), and government (FedRAMP). This guide covers the complete Defender suite — from product-by-product capabilities to deployment roadmap, licensing decisions, and the common misconfigurations we find in every security audit.
If you are using Defender for the first time, switching from a third-party security solution, or enhancing a current Defender setup, this guide provides a clear approach. EPC Group applies a consistent enterprise strategy for every engagement.
The Microsoft Defender Suite
Six products working together as a unified security platform. Each protects a different attack surface; XDR correlates them into a single incident view.
Defender for Endpoint
Device protection: next-gen antivirus, EDR, attack surface reduction, automated investigation, threat analytics, and device risk scoring. Covers Windows, macOS, Linux, iOS, Android.
Defender for Office 365
Email and collaboration protection: anti-phishing, Safe Attachments, Safe Links, attack simulation training, campaign views, and real-time detections across Exchange, SharePoint, OneDrive, Teams.
Defender for Identity
On-premises Active Directory protection: detects lateral movement, credential theft, reconnaissance, and compromised accounts by analyzing AD signals from domain controller sensors.
Defender for Cloud Apps
SaaS application protection: shadow IT discovery, session controls, DLP policies, OAuth app governance, and conditional access app control for sanctioned and unsanctioned cloud apps.
Defender XDR (Unified Portal)
Correlates signals across all four products into unified incidents. Single pane of glass for investigation, hunting (KQL), automated response, and attack disruption.
Defender for Cloud
Cloud infrastructure protection: CSPM, workload protection for VMs, containers, databases, storage. Multi-cloud (Azure, AWS, GCP) with regulatory compliance dashboards.
Defender XDR: The Unified Security Portal
The Defender XDR portal (security.microsoft.com) serves as the central hub for all security operations. Security analysts can manage everything from one unified interface. This includes:
- Incidents
- Alerts
- Hunting
- Response actions
- Reporting
Key XDR Capabilities
- Unified Incident Queue — all alerts from Endpoint, Office 365, Identity, and Cloud Apps automatically correlated into incidents. A single phishing attack that touches email, identity, and endpoint appears as one incident, not three separate alerts.
- Advanced Hunting — KQL-based threat hunting across all Defender telemetry tables. Query endpoint processes, email events, identity sign-ins, and cloud app activity in a single query. Find threats that no individual product detects.
- Attack Disruption — automatic containment of high-confidence attacks. When XDR detects a confirmed compromised account or device, it automatically disables the account, isolates the device, and blocks lateral movement — before a human analyst is involved.
- Threat Analytics — curated reports on active threat campaigns with specific recommendations for your environment. Shows which threats target your industry, which detections are active, and which mitigations are missing.
- Secure Score — organization-wide security posture score with prioritized improvement actions. Each action shows point impact, implementation difficulty, and user impact.
Enterprise Impact: EPC Group implemented Defender XDR for a healthcare system with 15,000 endpoints. Before XDR, the system faced:
- 2,400 alerts per week across four separate consoles
- 72-hour average investigation time
- 3 FTE analysts overwhelmed
After XDR, the results improved significantly:
- 180 correlated incidents per week (93% alert reduction through correlation)
- 4-hour average investigation time
- The same 3 analysts now have the capacity for proactive threat hunting
Automated Investigation and Response (AIR)
Automated Investigation and Response (AIR) enhances the efficiency of a small security team. A 3-person team can perform like a 15-person Security Operations Center (SOC).
When alerts occur, AIR:
- Automatically investigates the evidence
- Determines the scope of impact
- Takes remediation actions such as:
- Quarantining emails
- Isolating devices
- Blocking URLs
- Disabling compromised accounts
AIR Automation Levels
| Level | Behavior | Best For |
|---|---|---|
| No Automation | AIR runs investigation but takes no action. Analysts must manually approve every remediation. | Not recommended — creates alert fatigue and delays response |
| Semi-Automation | AIR investigates and queues remediation actions for analyst approval. Analysts review and approve/reject. | Initial deployment (first 30 days) — builds analyst trust in AIR decisions |
| Full Automation | AIR investigates and executes remediation actions automatically. Analysts review completed actions in audit log. | Mature deployments — maximum speed, minimum MTTR |
Common Mistake: Many organizations stay at "No Automation" due to discomfort with automated remediation. This approach is counterproductive. Alerts accumulate, analysts experience burnout, and threats remain unaddressed for hours.
EPC Group suggests the following steps:
- Start with Semi-Automation for 30 days.
- Review AIR decisions weekly.
- Transition to Full Automation once the team trusts the reliability of automated actions.
Attack Simulation Training
Technical controls can catch most threats. However, humans remain the weakest link in security. Attack Simulation Training in Defender for Office 365 Plan 2 provides realistic phishing simulations for employees. This training:
- Measures susceptibility to attacks
- Offers targeted instruction
- Tracks improvement over time
Simulation Types
Credential Harvest
Simulated phishing email directs user to a fake login page. Tracks who enters credentials. Most common real-world attack vector.
Average initial fail rate: 25-30%
Malware Attachment
Email contains a simulated malicious attachment. Tracks who downloads and opens the file. Tests document-based attack awareness.
Average initial fail rate: 15-20%
Link in Attachment
Email contains a document with an embedded malicious link. Requires two user actions — open document, then click link. Tests layered awareness.
Average initial fail rate: 10-15%
Drive-by URL
Email contains a link to a compromised website. No credential entry required — just visiting the URL triggers the simulation. Tests link hygiene.
Average initial fail rate: 20-25%
EPC Group conducts monthly simulation campaigns for enterprise clients. These campaigns rotate attack types and increase in complexity over time.
- Phishing susceptibility typically drops from 25-30% to under 5% within 6 months.
- The goal is not to catch employees making mistakes.
- Instead, we aim to build muscle memory so employees can recognize and report real phishing attacks.
Integration with Microsoft Sentinel
Defender XDR provides thorough coverage for Microsoft 365 workloads. However, many enterprises also use:
- Firewalls
- VPNs
- Non-Microsoft SaaS apps
- AWS/GCP workloads
- Custom applications
Microsoft Sentinel enhances detection and response across the entire IT estate.
Defender + Sentinel Architecture
- Defender XDR data connector streams all alerts, incidents, and raw telemetry into Sentinel workspace tables — no manual configuration per product
- Sentinel analytics rules detect cross-platform threats: "User flagged by Defender for Identity + VPN login from Palo Alto in impossible travel location + AWS API call from new region"
- SOAR playbooks (Logic Apps) automate cross-platform response: "When Defender detects compromised account → disable in Entra ID → block in Palo Alto → create ServiceNow ticket → notify SOC Slack channel"
- Unified investigation graph shows the full attack chain from email through endpoint through network through cloud — regardless of which product detected each stage
- Long-term log retention — Sentinel retains data for 1-7 years (configurable) compared to Defender 30-180 day retention. Critical for compliance and forensics.
When to Add Sentinel: Defender XDR works well for organizations that only use Microsoft products, such as M365 and Azure, without third-party security tools. Consider adding Sentinel if you have:
- Multiple cloud environments
- Third-party security solutions
- Complex security needs
- Multi-cloud environments (AWS/GCP)
- Third-party firewalls or EDR
- Compliance needs for long-term log retention (HIPAA 6 years, SOC 2 1 year)
- A mature SOC that requires KQL-based custom analytics
EPC Group deploys Sentinel for about 70% of our enterprise clients.
Defender Licensing: E3 vs E5 vs Standalone
Licensing affects your access to Defender capabilities. The difference between E3 and E5 security features is significant. E3 offers basic protection, while E5 delivers enterprise-grade detection and response.
| Capability | M365 E3 | M365 E5 | Add-On Option |
|---|---|---|---|
| Defender for Endpoint | Plan 1 (AV, ASR only) | Plan 2 (full EDR, AIR, analytics) | $5.20/user/month for P2 |
| Defender for Office 365 | Plan 1 (Safe Attachments, Safe Links) | Plan 2 (attack simulation, threat explorer) | $5.00/user/month for P2 |
| Defender for Identity | Not included | Included | $5.50/user/month standalone |
| Defender for Cloud Apps | Not included | Included | $3.50/user/month standalone |
| XDR Unified Portal | Basic (limited correlation) | Full (all correlations, hunting, AIR) | Requires E5 or E5 Security add-on |
| Attack Simulation Training | Not included | Included (P2) | Requires Office 365 P2 add-on |
EPC Group Recommendation: If full E5 licensing is not within your budget, consider the E3 plan with the Microsoft 365 E5 Security add-on. This option costs $12 per user per month. It includes:
- Advanced threat protection
- Information protection
- Compliance solutions
- All Defender products
- XDR
- Automated investigation features
You can save on E5 compliance and voice features that your organization may not need.
For an organization with 5,000 users, this approach can save around $600,000 per year compared to full E5 licensing. You will still receive the same security capabilities.
12-Week Defender Deployment Roadmap
EPC Group deploys the full Defender suite in 12 weeks, starting with the highest-risk attack surfaces and building toward full XDR automation.
Email & Collaboration
Weeks 1-2
Deploy Defender for Office 365 strict preset policies. Enable Safe Attachments for SharePoint, OneDrive, and Teams. Configure Safe Links for email and Teams. Set up advanced anti-phishing with mailbox intelligence and impersonation protection.
Deliverable: Email protection live, anti-phishing policies active
Endpoint Protection
Weeks 3-4
Onboard all devices to Defender for Endpoint via Intune or GPO. Enable Attack Surface Reduction rules in audit mode. Configure EDR in block mode. Set up device risk-based Conditional Access policies. Begin vulnerability management scanning.
Deliverable: All endpoints onboarded, ASR rules in audit, EDR active
Identity & Cloud Apps
Weeks 5-8
Deploy Defender for Identity sensors on all domain controllers. Configure identity threat detection policies. Connect Defender for Cloud Apps to all sanctioned SaaS applications. Enable shadow IT discovery. Configure session controls for sensitive apps.
Deliverable: AD protection live, SaaS visibility complete
XDR & Automation
Weeks 9-12
Configure XDR incident correlation across all products. Enable AIR at semi-automation. Set up incident notification rules. Run attack simulations. Transition ASR rules to block mode. Move AIR to full automation. Establish SOC operating procedures.
Deliverable: Full XDR operational, automated response active
Top 10 Defender Misconfigurations
EPC Group finds these misconfigurations in 80%+ of enterprise Defender deployments. Each one creates an exploitable gap in your security posture.
Safe Attachments not enabled for SPO/ODB/Teams
By default, Safe Attachments only scans email. SharePoint, OneDrive, and Teams file scanning must be explicitly enabled.
Risk: Malicious files uploaded to Teams or SharePoint bypass scanning entirely.
Default anti-phishing policies instead of strict
Default policies use minimal thresholds. Strict preset policies enable mailbox intelligence, impersonation protection, and aggressive filtering.
Risk: Sophisticated phishing emails pass through default filters.
AIR set to no automation
Automated investigation runs but takes no action. Remediation actions queue indefinitely waiting for analyst approval.
Risk: Alerts pile up, analysts burn out, threats remain uncontained for hours.
ASR rules in audit mode only
Attack Surface Reduction rules generate logs but do not block. Provides visibility without protection.
Risk: Known attack techniques (Office macros, script execution) are detected but not prevented.
Incomplete device onboarding
20-40% of devices not enrolled in Defender for Endpoint. Often personal devices, BYOD, or legacy systems.
Risk: Unmanaged devices are invisible to EDR — compromises go undetected.
Safe Links not configured for Teams
Safe Links scans email URLs by default but Teams message URLs require separate configuration.
Risk: Malicious links shared in Teams chats bypass URL scanning.
Missing Defender for Identity sensors
Sensors not installed on all domain controllers. Partial coverage means lateral movement detection has blind spots.
Risk: Attackers move laterally through unmonitored DCs undetected.
Cloud Apps discovery without policies
Shadow IT discovery is enabled but no blocking or session control policies are configured.
Risk: You see risky SaaS app usage but cannot prevent data exfiltration.
No incident notification rules
Critical incidents are created but no email, Teams, or webhook notifications are configured.
Risk: High-severity incidents sit in the queue unseen for hours.
No Sentinel integration
Defender alerts exist in isolation. Cross-platform threats (firewall + identity + endpoint) are invisible.
Risk: Multi-stage attacks spanning Microsoft and non-Microsoft tools go undetected.
Frequently Asked Questions
What is Microsoft Defender 365 and what does it protect?
Microsoft Defender 365 (now called Microsoft Defender XDR) is Microsoft unified extended detection and response platform that protects endpoints, email, identities, and cloud applications from a single portal. It combines four products: Defender for Endpoint (device protection — antivirus, EDR, attack surface reduction), Defender for Office 365 (email and collaboration protection — anti-phishing, safe attachments, safe links), Defender for Identity (on-premises Active Directory protection — lateral movement detection, credential theft alerts), and Defender for Cloud Apps (SaaS application protection — shadow IT discovery, session controls, DLP). Together, they provide correlated threat detection, automated investigation, and unified incident management across the entire Microsoft 365 environment. EPC Group deploys the full Defender stack for enterprise clients, typically reducing mean time to detect (MTTD) from days to minutes.
What is Defender XDR and how does it differ from individual Defender products?
Defender XDR (Extended Detection and Response) is the unified platform that correlates signals across all Defender products into a single incident view. Without XDR, each Defender product generates its own alerts — a phishing email alert in Defender for Office 365, a suspicious login in Defender for Identity, and a malware execution in Defender for Endpoint would appear as three separate alerts. With XDR, these are automatically correlated into a single incident with a full attack story: "User received phishing email → clicked malicious link → credential compromised → attacker logged in from anomalous location → malware deployed on endpoint." XDR provides: unified incident queue, cross-product hunting with KQL, automated investigation and remediation, and attack disruption that automatically contains compromised accounts and devices. EPC Group configures XDR correlation rules as part of every Defender deployment.
How does automated investigation and response work in Defender 365?
Automated Investigation and Response (AIR) uses AI and playbooks to automatically investigate alerts and take remediation actions without human intervention. When an alert triggers, AIR: 1) Examines the alert evidence (file hashes, URLs, email metadata, sign-in logs), 2) Correlates with threat intelligence to determine if the entity is known malicious, 3) Expands the investigation to related entities (did the malicious file spread to other devices? did the phishing email reach other mailboxes?), 4) Recommends or automatically executes remediation actions (quarantine email, isolate device, block URL, disable account). AIR operates in two modes: Full automation (actions execute without approval — recommended for mature SOCs) and Semi-automation (actions require analyst approval — recommended for initial deployment). EPC Group starts clients on semi-automation for 30 days, then transitions to full automation once the SOC team is comfortable with the action fidelity.
What is attack simulation training in Defender for Office 365?
Attack Simulation Training is a built-in feature in Defender for Office 365 Plan 2 that sends realistic phishing, credential harvesting, and social engineering simulations to employees. It includes 200+ pre-built simulation templates based on real-world attacks, customizable payloads with organization branding, automated training assignment for users who fail simulations (click the phishing link or enter credentials), reporting dashboards showing organization-wide phishing susceptibility rates, and repeat offender tracking with escalating training requirements. Best practices: run simulations monthly, rotate attack types (link-based, attachment-based, QR code, CEO impersonation), set a target of under 5% click rate for mature organizations, and never punish users — use failures as training opportunities. EPC Group implements simulation programs that typically reduce phishing susceptibility from 25-30% to under 5% within 6 months.
How does Microsoft Defender integrate with Microsoft Sentinel?
Microsoft Sentinel is the cloud-native SIEM/SOAR platform that ingests data from Defender XDR plus hundreds of non-Microsoft sources (firewalls, SaaS apps, cloud providers, custom apps). The integration works through the Defender XDR data connector, which streams all Defender alerts, incidents, and raw telemetry into Sentinel workspace tables. Key benefits: 1) Unified visibility — Defender covers Microsoft 365, but Sentinel adds Palo Alto, CrowdStrike, AWS, Okta, and any other source, 2) Advanced analytics — Sentinel analytics rules detect cross-platform threats that no single product sees, 3) SOAR automation — Sentinel playbooks (Logic Apps) automate response workflows across Microsoft and third-party tools, 4) Long-term retention — Sentinel retains log data for years (vs Defender 30-180 day retention). EPC Group deploys Sentinel alongside Defender for clients with multi-cloud or hybrid environments, creating a unified SOC that covers the entire attack surface.
What is the difference between Microsoft 365 E3 and E5 for Defender licensing?
E3 includes basic protection: Defender for Endpoint Plan 1 (next-gen antivirus, attack surface reduction, but NO EDR), Defender for Office 365 Plan 1 (Safe Attachments, Safe Links, but NO advanced anti-phishing or attack simulation), Exchange Online Protection (basic email filtering). E5 includes full protection: Defender for Endpoint Plan 2 (full EDR, automated investigation, threat analytics, device risk scoring), Defender for Office 365 Plan 2 (advanced anti-phishing, attack simulation training, campaign views, threat explorer), Defender for Identity (Active Directory protection), Defender for Cloud Apps (SaaS security). The cost difference is approximately $20-22/user/month (E3 at $36 vs E5 at $57). For organizations that cannot justify full E5 licensing, EPC Group recommends E3 + add-on licensing for Defender for Endpoint P2 ($5.20/user/month) and Defender for Office 365 P2 ($5/user/month) — providing 80% of E5 security at 40% of the cost premium.
What is Defender for Cloud and how does it differ from Defender 365?
Defender for Cloud (formerly Azure Security Center) protects cloud infrastructure — Azure VMs, containers, databases, storage, Kubernetes, and multi-cloud resources (AWS, GCP). Defender 365/XDR protects Microsoft 365 workloads — endpoints, email, identities, and SaaS apps. They are complementary, not competing products. Defender for Cloud provides: Cloud Security Posture Management (CSPM) with a Secure Score for cloud resources, Cloud Workload Protection Platform (CWPP) for servers, containers, databases, and storage, regulatory compliance dashboards (HIPAA, SOC 2, PCI DSS, NIST 800-53), and multi-cloud coverage via Azure Arc. Both products feed into Defender XDR for unified incident management and into Sentinel for SIEM aggregation. EPC Group deploys Defender for Cloud alongside Defender 365 for clients with Azure infrastructure, creating end-to-end protection from endpoint to cloud.
What are the most common Microsoft Defender misconfigurations?
The top 10 Defender misconfigurations EPC Group finds in enterprise audits: 1) Safe Attachments not enabled for SharePoint, OneDrive, and Teams (only email is protected by default), 2) Anti-phishing policies using default settings instead of strict preset policies, 3) Automated investigation set to "No automated response" — alerts pile up without remediation, 4) Attack Surface Reduction (ASR) rules in audit mode instead of block mode (provides visibility but no protection), 5) Device onboarding incomplete — 20-40% of devices not enrolled in Defender for Endpoint, 6) Safe Links not configured for Teams messages (only email links are scanned by default), 7) Defender for Identity sensors not installed on all domain controllers, 8) Cloud Apps discovery configured but no session controls or policies blocking risky apps, 9) Incident notification rules not configured — critical alerts go unseen for hours, 10) No integration with Sentinel — Defender alerts exist in isolation without cross-platform correlation. EPC Group security audits check all 10 and remediate within the first engagement sprint.
What does a Microsoft Defender 365 deployment roadmap look like?
EPC Group recommends a 12-week phased deployment: Weeks 1-2 (Foundation): Enable Defender for Office 365 strict preset policies, configure Safe Attachments for SPO/ODB/Teams, enable Safe Links for email and Teams, set up anti-phishing policies with mailbox intelligence. Weeks 3-4 (Endpoint): Onboard all devices to Defender for Endpoint via Intune, enable ASR rules in audit mode, configure EDR in block mode, set up device risk-based Conditional Access. Weeks 5-6 (Identity): Deploy Defender for Identity sensors on all domain controllers, configure identity threat detection policies, enable Conditional Access identity protection. Weeks 7-8 (Cloud Apps): Connect Defender for Cloud Apps to sanctioned SaaS apps, enable shadow IT discovery, configure session controls for sensitive apps. Weeks 9-10 (XDR & Automation): Configure XDR incident correlation, enable automated investigation at semi-automation level, set up incident notification rules. Weeks 11-12 (Validation): Run attack simulations, validate detection and response, transition AIR to full automation, establish SOC operating procedures. EPC Group has executed this roadmap for organizations with 5,000-50,000 users.
Related Resources
Microsoft 365 Consulting Services
Enterprise Microsoft 365 deployment, security, and managed services from EPC Group.
Read moreZero Trust Security Guide
Complete enterprise guide to implementing Zero Trust architecture with Microsoft security tools.
Read moreMicrosoft 365 Security Hardening Checklist
Step-by-step security hardening checklist for Microsoft 365 E3 and E5 environments.
Read moreGet Your Defender Deployment Optimized
Schedule a free Microsoft Defender security assessment with EPC Group. We will review your current Defender setup and identify the top 10 misconfigurations.
Our assessment includes a 12-week deployment roadmap that will:
- Close security gaps
- Enable automated detection
- Facilitate response