
Enterprise guide to Defender for Endpoint, Office 365, Identity, Cloud Apps, XDR unified portal, automated investigation, Sentinel integration, and deployment roadmap.
What is Microsoft Defender 365 and what does it protect? Microsoft Defender 365 (now Microsoft Defender XDR) is the unified extended detection and response platform that protects endpoints, email, identities, and cloud applications. It combines Defender for Endpoint (device antivirus, EDR, attack surface reduction), Defender for Office 365 (anti-phishing, safe attachments, safe links), Defender for Identity (Active Directory threat detection), and Defender for Cloud Apps (SaaS shadow IT discovery, session controls). The XDR portal correlates signals across all products into unified incidents with automated investigation and response — reducing mean time to detect from days to minutes.
Microsoft Defender 365 is the security backbone of the Microsoft 365 enterprise stack. If your organization runs Microsoft 365 E3 or E5, you already own some or all of these capabilities — but most organizations have deployed only a fraction of what they are licensed for. The gap between what is licensed and what is configured is where attackers operate.
EPC Group has deployed and optimized Microsoft 365 security for enterprise organizations across healthcare (HIPAA), financial services (SOC 2), and government (FedRAMP). This guide covers the complete Defender suite — from product-by-product capabilities to deployment roadmap, licensing decisions, and the common misconfigurations we find in every security audit.
Whether you are deploying Defender for the first time, migrating from a third-party security stack, or optimizing an existing Defender deployment that is underperforming, this guide provides the enterprise methodology EPC Group applies to every engagement.
Six products working together as a unified security platform. Each protects a different attack surface; XDR correlates them into a single incident view.
| Product | What it protects | Scope |
|---|---|---|
| Defender for Endpoint | Device protection: next-gen antivirus, EDR, attack surface reduction, automated investigation, threat analytics, and device risk scoring. | Windows, macOS, Linux, iOS, Android |
| Defender for Office 365 | Email and collaboration protection: anti-phishing, Safe Attachments, Safe Links, attack simulation training, campaign views, and real-time detections. | Exchange, SharePoint, OneDrive, Teams |
| Defender for Identity | On-premises Active Directory protection: detects lateral movement, credential theft, reconnaissance, and compromised accounts by analyzing AD signals. | Sensors on domain controllers |
| Defender for Cloud Apps | SaaS application protection: shadow IT discovery, session controls, DLP policies, OAuth app governance, and conditional access app control. | Sanctioned and unsanctioned cloud apps |
| Defender XDR | Correlates signals across all four products into unified incidents. Single pane of glass for investigation, hunting (KQL), automated response, and attack disruption. | Unified portal (security.microsoft.com) |
| Defender for Cloud | Cloud infrastructure protection: CSPM, workload protection for VMs, containers, databases, storage, with regulatory compliance dashboards. | Multi-cloud: Azure, AWS, GCP |
The Defender XDR portal (security.microsoft.com) is the single pane of glass for all security operations. Instead of switching between four separate consoles, security analysts manage everything from one unified interface — incidents, alerts, hunting, response actions, and reporting.
Enterprise Impact: EPC Group deployed Defender XDR for a healthcare system with 15,000 endpoints. Before XDR: 2,400 alerts/week across four separate consoles, 72-hour average investigation time, 3 FTE analysts overwhelmed. After XDR: 180 correlated incidents/week (93% alert reduction through correlation), 4-hour average investigation time, same 3 analysts now have capacity for proactive threat hunting.
Automated Investigation and Response is the force multiplier that allows a 3-person security team to operate like a 15-person SOC. When alerts trigger, AIR automatically investigates the evidence, determines the scope of impact, and takes remediation actions — quarantining emails, isolating devices, blocking URLs, and disabling compromised accounts.
| Level | Behavior | Best For |
|---|---|---|
| No Automation | AIR runs investigation but takes no action. Analysts must manually approve every remediation. | Not recommended — creates alert fatigue and delays response |
| Semi-Automation | AIR investigates and queues remediation actions for analyst approval. Analysts review and approve/reject. | Initial deployment (first 30 days) — builds analyst trust in AIR decisions |
| Full Automation | AIR investigates and executes remediation actions automatically. Analysts review completed actions in audit log. | Mature deployments — maximum speed, minimum MTTR |
Common Mistake: Many organizations leave AIR at "No Automation" because they are uncomfortable with automated remediation. This defeats the purpose — alerts pile up, analysts burn out, and threats go uncontained for hours. EPC Group recommends starting at Semi-Automation for 30 days, reviewing AIR decisions weekly, then transitioning to Full Automation once the team trusts the fidelity of automated actions.
Technical controls catch most threats, but humans remain the weakest link. Attack Simulation Training in Defender for Office 365 Plan 2 sends realistic phishing simulations to employees — measuring susceptibility, delivering targeted training, and tracking improvement over time.
| Simulation type | How it works | Average initial fail rate |
|---|---|---|
| Credential harvest | Simulated phishing email directs the user to a fake login page. Tracks who enters credentials. Most common real-world attack vector. | 25-30% |
| Malware attachment | Email contains a simulated malicious attachment. Tracks who downloads and opens the file. Tests document-based attack awareness. | 15-20% |
| Link in attachment | Email contains a document with an embedded malicious link. Requires two user actions — open document, then click link. Tests layered awareness. | 10-15% |
| Drive-by URL | Email contains a link to a compromised website. No credential entry required — just visiting the URL triggers the simulation. Tests link hygiene. | 20-25% |
EPC Group runs monthly simulation campaigns for enterprise clients, rotating attack types and increasing sophistication over time. Typical results: phishing susceptibility drops from 25-30% to under 5% within 6 months. The goal is not to catch employees failing — it is to build muscle memory so employees recognize and report real phishing attacks.
Defender XDR covers Microsoft 365 workloads comprehensively, but most enterprises also run firewalls, VPNs, non-Microsoft SaaS apps, AWS/GCP workloads, and custom applications. Microsoft Sentinel extends detection and response to the entire IT estate.
When to Add Sentinel: Defender XDR alone is sufficient for organizations that are 100% Microsoft (M365, Azure, no third-party security tools). Add Sentinel when you have: multi-cloud (AWS/GCP), third-party firewalls or EDR, compliance requirements for long-term log retention (HIPAA 6-year, SOC 2 1-year), or a mature SOC that needs KQL-based custom analytics. EPC Group deploys Sentinel for approximately 70% of enterprise clients.
Licensing determines which Defender capabilities you have access to. The gap between E3 and E5 security features is substantial — E3 provides basic protection while E5 provides enterprise-grade detection and response.
| Capability | M365 E3 | M365 E5 | Add-On Option |
|---|---|---|---|
| Defender for Endpoint | Plan 1 (AV, ASR only) | Plan 2 (full EDR, AIR, analytics) | $5.20/user/month for P2 |
| Defender for Office 365 | Plan 1 (Safe Attachments, Safe Links) | Plan 2 (attack simulation, threat explorer) | $5.00/user/month for P2 |
| Defender for Identity | Not included | Included | $5.50/user/month standalone |
| Defender for Cloud Apps | Not included | Included | $3.50/user/month standalone |
| XDR Unified Portal | Basic (limited correlation) | Full (all correlations, hunting, AIR) | Requires E5 or E5 Security add-on |
| Attack Simulation Training | Not included | Included (P2) | Requires Office 365 P2 add-on |
EPC Group Recommendation: If full E5 licensing is not in budget, the most cost-effective path is E3 + Microsoft 365 E5 Security add-on ($12/user/month). This adds all Defender products, XDR, and automated investigation without paying for the E5 compliance and voice features your organization may not need. For a 5,000-user organization, this saves approximately $600K/year compared to full E5 licensing while providing identical security capabilities.
EPC Group deploys the full Defender suite in 12 weeks, starting with the highest-risk attack surfaces and building toward full XDR automation.
| Weeks | Activities | Deliverable |
|---|---|---|
| 1-2 | Deploy Defender for Office 365 strict preset policies. Enable Safe Attachments for SharePoint, OneDrive, and Teams. Configure Safe Links for email and Teams. Set up advanced anti-phishing with mailbox intelligence and impersonation protection. | Email protection live, anti-phishing policies active |
| 3-4 | Onboard all devices to Defender for Endpoint via Intune or GPO. Enable Attack Surface Reduction rules in audit mode. Configure EDR in block mode. Set up device risk-based Conditional Access policies. Begin vulnerability management scanning. | All endpoints onboarded, ASR rules in audit, EDR active |
| 5-8 | Deploy Defender for Identity sensors on all domain controllers. Configure identity threat detection policies. Connect Defender for Cloud Apps to all sanctioned SaaS applications. Enable shadow IT discovery. Configure session controls for sensitive apps. | AD protection live, SaaS visibility complete |
| 9-12 | Configure XDR incident correlation across all products. Enable AIR at semi-automation. Set up incident notification rules. Run attack simulations. Transition ASR rules to block mode. Move AIR to full automation. Establish SOC operating procedures. | Full XDR operational, automated response active |
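The Weeks 1-2 configuration, as an added PowerShell example (not EPC Group's own tooling and not code from the page): it uses the ExchangeOnlineManagement module to turn on Safe Attachments for SharePoint, OneDrive and Teams, extend the custom Safe Links policies to Teams, enable mailbox intelligence and impersonation protection on the default anti-phishing policy, scope and enable the Strict preset security policy rules, and then print the settings an audit would check. "Strict Preset Security Policy" and "Office365 AntiPhish Default" are the built-in policy identities; the PhishThresholdLevel of 3 is an assumed tuning choice for recipients the preset does not cover.

```powershell
# Added example: Week 1-2 "Foundation" configuration for Defender for Office 365.
# Requires the ExchangeOnlineManagement module and an account holding the
# Security Administrator (or Exchange Administrator) role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Safe Attachments for SharePoint, OneDrive and Teams. Off by default: only
#    email is scanned until this flag is set.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 2. Safe Links: every custom policy should cover Teams as well as email, scan
#    URLs at click time and not let users click through the warning page.
#    Policies owned by the preset security policies are read-only, so they are
#    skipped here; the preset rules enabled in step 4 manage those.
Get-SafeLinksPolicy |
    Where-Object { $_.Identity -notlike '*Preset Security Policy*' -and $_.Identity -ne 'Built-In Protection Policy' } |
    ForEach-Object {
        Set-SafeLinksPolicy -Identity $_.Identity `
            -EnableSafeLinksForEmail $true `
            -EnableSafeLinksForTeams $true `
            -EnableSafeLinksForOffice $true `
            -ScanUrls $true `
            -DeliverMessageAfterScan $true `
            -TrackClicks $true `
            -AllowClickThrough $false
    }

# 3. Anti-phishing on the default policy (applies to anyone the preset policies
#    do not cover): mailbox intelligence, impersonation protection, spoof
#    intelligence and a raised phishing threshold. Levels run 1 (standard) to
#    4 (most aggressive); 3 is an assumed choice, the strict preset itself uses 4.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableSpoofIntelligence $true `
    -PhishThresholdLevel 3

# 4. Strict preset security policy: scope the EOP and Defender rules to all
#    accepted domains and enable them. The rules only exist once the preset has
#    been created in the Defender portal, hence the existence check.
$domains = (Get-AcceptedDomain).DomainName
$preset  = 'Strict Preset Security Policy'
if (Get-ATPProtectionPolicyRule -Identity $preset -ErrorAction SilentlyContinue) {
    Set-EOPProtectionPolicyRule -Identity $preset -RecipientDomainIs $domains
    Set-ATPProtectionPolicyRule -Identity $preset -RecipientDomainIs $domains
    Enable-EOPProtectionPolicyRule -Identity $preset
    Enable-ATPProtectionPolicyRule -Identity $preset
} else {
    Write-Warning "Preset rule '$preset' not found. Create it once in the Defender portal (Email & collaboration > Policies > Preset security policies) and re-run."
}

# 5. Verification: the values a configuration audit checks for the Safe
#    Attachments, anti-phishing and Safe Links-for-Teams gaps.
Get-AtpPolicyForO365        | Format-List  EnableATPForSPOTeamsODB
Get-SafeLinksPolicy         | Format-Table Identity, EnableSafeLinksForEmail, EnableSafeLinksForTeams, AllowClickThrough
Get-AntiPhishPolicy         | Format-Table Identity, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, PhishThresholdLevel
Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority

Disconnect-ExchangeOnline -Confirm:$false
```

Run the verification section on its own (steps 1-4 commented out) against an existing tenant before the engagement starts: it produces the evidence for the Safe Attachments, anti-phishing and Teams Safe Links findings without changing anything.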
EPC Group finds these misconfigurations in 80%+ of enterprise Defender deployments. Each one creates an exploitable gap in your security posture.
| # | Misconfiguration | What we find | Risk |
|---|---|---|---|
| 1 | Safe Attachments not enabled for SharePoint, OneDrive, and Teams | By default, Safe Attachments only scans email. SharePoint, OneDrive, and Teams file scanning must be explicitly enabled. | Malicious files uploaded to Teams or SharePoint bypass scanning entirely. |
| 2 | Anti-phishing policies left at default settings | Default policies use minimal thresholds. Strict preset policies enable mailbox intelligence, impersonation protection, and aggressive filtering. | Sophisticated phishing emails pass through default filters. |
| 3 | Automated investigation set to "No automated response" | Automated investigation runs but takes no action. Remediation actions queue indefinitely waiting for analyst approval. | Alerts pile up, analysts burn out, threats remain uncontained for hours. |
| 4 | Attack Surface Reduction rules in audit mode instead of block mode | ASR rules generate logs but do not block. Provides visibility without protection. | Known attack techniques (Office macros, script execution) are detected but not prevented. |
| 5 | Device onboarding incomplete | 20-40% of devices not enrolled in Defender for Endpoint. Often personal devices, BYOD, or legacy systems. | Unmanaged devices are invisible to EDR — compromises go undetected. |
| 6 | Safe Links not configured for Teams messages | Safe Links scans email URLs by default, but Teams message URLs require separate configuration. | Malicious links shared in Teams chats bypass URL scanning. |
| 7 | Defender for Identity sensors not on all domain controllers | Sensors not installed on all domain controllers. Partial coverage means lateral movement detection has blind spots. | Attackers move laterally through unmonitored DCs undetected. |
| 8 | Cloud Apps discovery without session controls or blocking policies | Shadow IT discovery is enabled but no blocking or session control policies are configured. | You see risky SaaS app usage but cannot prevent data exfiltration. |
| 9 | Incident notification rules not configured | Critical incidents are created but no email, Teams, or webhook notifications are configured. | High-severity incidents sit in the queue unseen for hours. |
| 10 | No Sentinel integration | Defender alerts exist in isolation. Cross-platform threats (firewall + identity + endpoint) are invisible. | Multi-stage attacks spanning Microsoft and non-Microsoft tools go undetected. |
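The ASR audit-mode gap above (and the audit-to-block transition in the roadmap) is the one finding that can be validated and fixed per device from PowerShell. The script below is an added example, not EPC Group's tooling: it reads the configured ASR rules from Get-MpPreference, counts the audit events (ID 1122 in the Defender operational log) each rule has produced over a look-back window, and with -Enforce moves only the rules that produced no audit hits to block mode, since rules that did fire need their hits reviewed and exclusions added first. The -Enforce and -AuditDays parameters are this script's own; the GUID-matching approach is an assumption that avoids depending on the event's field layout.

```powershell
# Added example (not EPC Group tooling): inventory the ASR rules on this device,
# count audit hits per rule, and with -Enforce move the hit-free audit-mode rules
# to block mode. Run elevated on a Windows device onboarded to Defender for Endpoint.
# On Intune/GPO-managed devices the managed policy wins at the next sync, so the
# same change must also be made in the profile; this script is for validation and
# pilot rings.
param(
    [switch]$Enforce,
    [int]$AuditDays = 30   # look-back window for audit events
)

# Get-MpPreference exposes the rules as two parallel arrays: GUIDs and actions.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$codeToName   = @{ 0 = 'Disabled'; 1 = 'Block';   2 = 'Audit';     6 = 'Warn' }
$codeToSetArg = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

if ($ids.Count -eq 0) {
    Write-Warning 'No ASR rules are configured on this device: neither visibility nor protection.'
    return
}

# Audit hits are event 1122 (blocks are 1121) in the Defender operational log.
# The message carries several GUIDs (rule ID, detection ID); keep only those that
# match a configured rule so nothing depends on the event's field order.
$guidPattern = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
$hitsPerRule = @{}
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-$AuditDays)
} -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($m in [regex]::Matches($_.Message, $guidPattern)) {
        $g = $m.Value.ToUpper()
        if ($ids -contains $g) {
            if ($hitsPerRule.ContainsKey($g)) { $hitsPerRule[$g]++ } else { $hitsPerRule[$g] = 1 }
        }
    }
}

$report = for ($i = 0; $i -lt $ids.Count; $i++) {
    $g    = $ids[$i].ToUpper()
    $hits = if ($hitsPerRule.ContainsKey($g)) { $hitsPerRule[$g] } else { 0 }
    [pscustomobject]@{ RuleId = $g; Mode = $codeToName[[int]$actions[$i]]; AuditHits = $hits }
}
$report | Format-Table -AutoSize

$auditOnly = @($report | Where-Object { $_.Mode -eq 'Audit' })
if ($auditOnly.Count -eq 0) { 'All configured ASR rules are already enforcing.'; return }
if (-not $Enforce) {
    "$($auditOnly.Count) rule(s) still in audit mode; re-run with -Enforce to move the hit-free ones to block."
    return
}

# Build the complete new action list and apply it in one call: Set-MpPreference
# replaces the whole rule list, so unchanged rules are passed through as they are.
$newActions = for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$actions[$i]
    $g    = $ids[$i].ToUpper()
    if ($code -eq 2 -and -not $hitsPerRule.ContainsKey($g)) {
        Write-Host "Rule ${g}: Audit -> Block"
        'Enabled'
    } else {
        if ($code -eq 2) {
            Write-Warning "Rule $g has $($hitsPerRule[$g]) audit hits in $AuditDays days; review them and add exclusions before enforcing."
        }
        $codeToSetArg[$code]
    }
}
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $newActions
```

Running it without -Enforce on a sample of devices from each business unit gives the per-rule hit counts that decide which rules can move to block in week 9 and which still need exclusions; the same event 1122 data is what the Defender portal's ASR reports summarize.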
Microsoft Defender 365 (now called Microsoft Defender XDR) is Microsoft's unified extended detection and response platform that protects endpoints, email, identities, and cloud applications from a single portal. It combines four products: Defender for Endpoint (device protection — antivirus, EDR, attack surface reduction), Defender for Office 365 (email and collaboration protection — anti-phishing, safe attachments, safe links), Defender for Identity (on-premises Active Directory protection — lateral movement detection, credential theft alerts), and Defender for Cloud Apps (SaaS application protection — shadow IT discovery, session controls, DLP). Together, they provide correlated threat detection, automated investigation, and unified incident management across the entire Microsoft 365 environment. EPC Group deploys the full Defender stack for enterprise clients, typically reducing mean time to detect (MTTD) from days to minutes.
Defender XDR (Extended Detection and Response) is the unified platform that correlates signals across all Defender products into a single incident view. Without XDR, each Defender product generates its own alerts — a phishing email alert in Defender for Office 365, a suspicious login in Defender for Identity, and a malware execution in Defender for Endpoint would appear as three separate alerts. With XDR, these are automatically correlated into a single incident with a full attack story: "User received phishing email → clicked malicious link → credential compromised → attacker logged in from anomalous location → malware deployed on endpoint." XDR provides: unified incident queue, cross-product hunting with KQL, automated investigation and remediation, and attack disruption that automatically contains compromised accounts and devices. EPC Group configures XDR correlation rules as part of every Defender deployment.
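The cross-product correlation described above can be reproduced in advanced hunting, which is also how an analyst checks that XDR is actually stitching products together for a given account. The block below is an added example, not code from the page or from EPC Group: it runs a KQL query through the Microsoft Graph advanced hunting endpoint (security/runHuntingQuery) that joins AlertInfo to AlertEvidence and lists every account that has alerts from more than one Defender product in the last seven days, with the products and alert titles involved. The seven-day window and the choice of the account as the pivot are assumptions; the table and column names (AlertInfo, AlertEvidence, ServiceSource, AccountUpn) are the schema's own.

```powershell
# Added example: accounts with alerts from more than one Defender product in the
# last 7 days, via advanced hunting (Graph: POST /security/runHuntingQuery).
# Requires the Microsoft.Graph.Authentication module, the ThreatHunting.Read.All
# permission, and a tenant with Defender XDR (E5 or the E5 Security add-on).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

# Every product writes its alerts to AlertInfo (ServiceSource says which product)
# and the entities involved to AlertEvidence. Joining on AlertId and grouping by
# account shows the same picture XDR folds into one incident: an account with a
# phishing alert, an identity alert and an endpoint alert is one attack, not three.
$kql = @'
AlertInfo
| where Timestamp > ago(7d)
| join kind=inner (
    AlertEvidence
    | where isnotempty(AccountUpn)
    | project AlertId, AccountUpn = tolower(AccountUpn)
  ) on AlertId
| summarize Products  = make_set(ServiceSource),
            Alerts    = dcount(AlertId),
            Titles    = make_set(Title, 10),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp)
  by AccountUpn
| where array_length(Products) > 1
| order by Alerts desc
'@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body @{ Query = $kql } -ContentType 'application/json'

# The response carries the rows under 'results' and the column list under 'schema'.
$response.results | ForEach-Object {
    [pscustomobject]@{
        Account   = $_.AccountUpn
        Products  = ($_.Products -join ', ')
        Alerts    = $_.Alerts
        FirstSeen = $_.FirstSeen
        LastSeen  = $_.LastSeen
        Titles    = ($_.Titles -join ' | ')
    }
} | Format-Table -AutoSize -Wrap
```

Any account the query returns should already appear in the incident queue as a single multi-product incident; an account that shows up here but only as separate alerts in the portal is the signal that the correlation configured in weeks 9-12 is incomplete.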
Automated Investigation and Response (AIR) uses AI and playbooks to automatically investigate alerts and take remediation actions without human intervention. When an alert triggers, AIR: 1) Examines the alert evidence (file hashes, URLs, email metadata, sign-in logs), 2) Correlates with threat intelligence to determine if the entity is known malicious, 3) Expands the investigation to related entities (did the malicious file spread to other devices? did the phishing email reach other mailboxes?), 4) Recommends or automatically executes remediation actions (quarantine email, isolate device, block URL, disable account). AIR operates in two modes: Full automation (actions execute without approval — recommended for mature SOCs) and Semi-automation (actions require analyst approval — recommended for initial deployment). EPC Group starts clients on semi-automation for 30 days, then transitions to full automation once the SOC team is comfortable with the action fidelity.
Attack Simulation Training is a built-in feature in Defender for Office 365 Plan 2 that sends realistic phishing, credential harvesting, and social engineering simulations to employees. It includes 200+ pre-built simulation templates based on real-world attacks, customizable payloads with organization branding, automated training assignment for users who fail simulations (click the phishing link or enter credentials), reporting dashboards showing organization-wide phishing susceptibility rates, and repeat offender tracking with escalating training requirements. Best practices: run simulations monthly, rotate attack types (link-based, attachment-based, QR code, CEO impersonation), set a target of under 5% click rate for mature organizations, and never punish users — use failures as training opportunities. EPC Group implements simulation programs that typically reduce phishing susceptibility from 25-30% to under 5% within 6 months.
Microsoft Sentinel is the cloud-native SIEM/SOAR platform that ingests data from Defender XDR plus hundreds of non-Microsoft sources (firewalls, SaaS apps, cloud providers, custom apps). The integration works through the Defender XDR data connector, which streams all Defender alerts, incidents, and raw telemetry into Sentinel workspace tables. Key benefits: 1) Unified visibility — Defender covers Microsoft 365, but Sentinel adds Palo Alto, CrowdStrike, AWS, Okta, and any other source, 2) Advanced analytics — Sentinel analytics rules detect cross-platform threats that no single product sees, 3) SOAR automation — Sentinel playbooks (Logic Apps) automate response workflows across Microsoft and third-party tools, 4) Long-term retention — Sentinel retains log data for years (vs Defender 30-180 day retention). EPC Group deploys Sentinel alongside Defender for clients with multi-cloud or hybrid environments, creating a unified SOC that covers the entire attack surface.
E3 includes basic protection: Defender for Endpoint Plan 1 (next-gen antivirus, attack surface reduction, but NO EDR), Defender for Office 365 Plan 1 (Safe Attachments, Safe Links, but NO advanced anti-phishing or attack simulation), Exchange Online Protection (basic email filtering). E5 includes full protection: Defender for Endpoint Plan 2 (full EDR, automated investigation, threat analytics, device risk scoring), Defender for Office 365 Plan 2 (advanced anti-phishing, attack simulation training, campaign views, threat explorer), Defender for Identity (Active Directory protection), Defender for Cloud Apps (SaaS security). The cost difference is approximately $20-22/user/month (E3 at $36 vs E5 at $57). For organizations that cannot justify full E5 licensing, EPC Group recommends E3 + add-on licensing for Defender for Endpoint P2 ($5.20/user/month) and Defender for Office 365 P2 ($5/user/month) — providing 80% of E5 security at 40% of the cost premium.
Defender for Cloud (formerly Azure Security Center) protects cloud infrastructure — Azure VMs, containers, databases, storage, Kubernetes, and multi-cloud resources (AWS, GCP). Defender 365/XDR protects Microsoft 365 workloads — endpoints, email, identities, and SaaS apps. They are complementary, not competing products. Defender for Cloud provides: Cloud Security Posture Management (CSPM) with a Secure Score for cloud resources, Cloud Workload Protection Platform (CWPP) for servers, containers, databases, and storage, regulatory compliance dashboards (HIPAA, SOC 2, PCI DSS, NIST 800-53), and multi-cloud coverage via Azure Arc. Both products feed into Defender XDR for unified incident management and into Sentinel for SIEM aggregation. EPC Group deploys Defender for Cloud alongside Defender 365 for clients with Azure infrastructure, creating end-to-end protection from endpoint to cloud.
The top 10 Defender misconfigurations EPC Group finds in enterprise audits: 1) Safe Attachments not enabled for SharePoint, OneDrive, and Teams (only email is protected by default), 2) Anti-phishing policies using default settings instead of strict preset policies, 3) Automated investigation set to "No automated response" — alerts pile up without remediation, 4) Attack Surface Reduction (ASR) rules in audit mode instead of block mode (provides visibility but no protection), 5) Device onboarding incomplete — 20-40% of devices not enrolled in Defender for Endpoint, 6) Safe Links not configured for Teams messages (only email links are scanned by default), 7) Defender for Identity sensors not installed on all domain controllers, 8) Cloud Apps discovery configured but no session controls or policies blocking risky apps, 9) Incident notification rules not configured — critical alerts go unseen for hours, 10) No integration with Sentinel — Defender alerts exist in isolation without cross-platform correlation. EPC Group security audits check all 10 and remediate within the first engagement sprint.
EPC Group recommends a 12-week phased deployment: Weeks 1-2 (Foundation): Enable Defender for Office 365 strict preset policies, configure Safe Attachments for SPO/ODB/Teams, enable Safe Links for email and Teams, set up anti-phishing policies with mailbox intelligence. Weeks 3-4 (Endpoint): Onboard all devices to Defender for Endpoint via Intune, enable ASR rules in audit mode, configure EDR in block mode, set up device risk-based Conditional Access. Weeks 5-6 (Identity): Deploy Defender for Identity sensors on all domain controllers, configure identity threat detection policies, enable Conditional Access identity protection. Weeks 7-8 (Cloud Apps): Connect Defender for Cloud Apps to sanctioned SaaS apps, enable shadow IT discovery, configure session controls for sensitive apps. Weeks 9-10 (XDR & Automation): Configure XDR incident correlation, enable automated investigation at semi-automation level, set up incident notification rules. Weeks 11-12 (Validation): Run attack simulations, validate detection and response, transition AIR to full automation, establish SOC operating procedures. EPC Group has executed this roadmap for organizations with 5,000-50,000 users.
Schedule a free Microsoft Defender security assessment with EPC Group. We will audit your current Defender configuration, identify the top 10 misconfigurations, and deliver a 12-week deployment roadmap that closes security gaps and enables automated detection and response.