Usage card in Microsoft Defender for Office 365

• Applies to:

  ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2, ✅ Microsoft Defender XDR

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In organizations with Microsoft Defender for Office 365, the usage card is available to help admins and Security Operations (SecOps) teams understand the usage of Defender for Office 365. Specifically, they can compare the active usage of Defender for Office 365 licenses vs the actual number of available licenses.

Tip

The usage card is enabled for tenants with at least one paid Defender for Office 365 Plan 1 or Defender for Office 365 Plan 2 license.

Usage cards can help determine the following scenarios:

• The active usage of Exchange Online licenses and how many of those licenses are active usage of Microsoft Defender for Office 365.
• A Breakdown of active usage across key Plan 1 and Plan 2 capabilities (Plan 1: protection and detection; Plan 2: SecOps capabilities).
• The Number of active Plan 1 and Plan 2 licenses purchased.

View the usage card

1. In the Microsoft Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration section > Email & collaboration reports. Or, to go directly to the Email & collaboration reports and insights page, use https://security.microsoft.com/emailandcollabreport.

2. On the Email & collaboration reports and insights page, go to the Email & collaboration insights section, and find the Defender for Office 365 usage card.

   

For members of Billing Administrator and Global Administrator^* roles in Microsoft Entra permissions, following items are available on the card:

• Add more licenses
• See licensing details

These items aren't available for member of Global Reader, Security Administrator, Security Operator, or Security Reader roles.

Important

^* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Understand usage details

On the Defender for Office 365 usage card, select Show details.

The details flyout that opens contains the following information from the last 28 days:

• The number of active users in the organization and the number of Plan 2 licenses.
• Configured prevention and detection section:
  • Users with Office protection: The number of active users of Safe Links or Safe Attachments for Office 365.
  • Users with email protection: The number of active users of Safe Links or Safe Attachments for emails.
  • Users with Teams protection: The number of active users of Safe Links for Teams.
• Security Operations capabilities section: The number of active users for the following categories:
  • Users for whom manual and automated investigations were triggered.
  • Users for whom remediations were triggered.
  • Users targeted by phishing simulation training.

Threat protection status report takes you to the Threat protection status report.

See licensing details is available for members of the Security Operator and Global Administrators^* roles in Microsoft Entra permissions.

Important

^* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Frequently asked questions

What are the different types of active users?

There are three types of active users:

• Defender for Office 365 active users: The distinct user count with active usage of Microsoft Defender for Office 365 Plan 1 and/or Plan 2 licenses over a period of 28 days for a specific paid Microsoft Defender for Office 365 tenant.
• Active users: The distinct user count with active usage of licenses over the past 28 days for a specific paid Microsoft Defender for Office 365 tenant.
• Other active users: Active users without the Microsoft Defender for Office 365 active users.

What is the usage count?

Usage count can be determined by:

• Users with Office 365 protection: Distinct count of active users of Safe Links for Office 365 or Safe Attachments for Office 365.
• Users with email protection: Distinct count of active users of Safe Links for email or Safe Attachments for email.
• Users for whom manual and automated investigations were triggered: Manual investigations triggered from Threat Explorer or auto investigations actions approved or rejected by SecOps in Incidents or in Action center.
• Users for whom remediations were triggered: Manual remediations in Threat Explorer, Email entity, Advanced Hunting, Automation, or Action center.
• Users targeted by Attack simulation training: Users who were targeted as part of simulations over past 28 days.

I have Defender for Office 365 Plan 1 or Plan 2 paid license. Why can I not see the usage card?

If you have at least one Defender for Office 365 Plan 1 or Plan 2 license, but you're still unable to see the card because of one of the following reasons:

• You don't have the required role to be able to view the card.
• Your organization had no active usage in the past 28 days.

What does Collecting license and usage data status mean?

If you see Collecting license and usage data status in your usage card, it means Microsoft is still collecting your current licensing and usage data. When it's available, you can see the full usage card and other details.

Why does the Usage card show an overage even though you don't have Defender for Office 365 Plan 2 and no usage of SecOps capabilities?

The usage card shows usage of both Defender for Office 365 Plan 1 and Plan 2. If you don't have any Plan 2 licenses, the usage is coming from Plan 1 features (for example, Safe Links or Safe Attachments). You can fix this overage by purchasing more Plan 1 licenses.