Frequently asked questions when turning on Microsoft Defender XDR

Note

Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

Read responses to the most commonly asked questions about turning on Microsoft Defender XDR, including required licenses and permissions, deploying support services, and initial settings.

For instructions on how to turn on the service, read Turn on Microsoft Defender XDR.

I don't have a Microsoft 365 E5 license. Can I still use Microsoft Defender XDR?

Customers with the following non-E5 licenses can use Microsoft Defender XDR:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Defender for Office 365 (Plan 2)

For a full list of supported licenses, read the licensing requirements.

Do I need to install or deploy anything to start using Microsoft Defender XDR?

No, Microsoft Defender XDR consolidates data from Microsoft 365 security services that you have already deployed. Once you turn it on, incident, automation, and hunting experiences will start working within the scope of the deployed products. If none of these products are properly deployed, Microsoft Defender XDR will not display any data and is unable to take any action.

To optimize your Microsoft Defender XDR experiences, we recommend deploying all supported Microsoft 365 security products and services.

Where does Microsoft Defender XDR process and store my data?

Microsoft Defender XDR automatically selects an optimal location for the data center where consolidated data is processed and stored. If you have Microsoft Defender for Endpoint, it selects the same location used by Defender for Endpoint.

Note

Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft Defender XDR will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.

The data center location is shown before and after the service is provisioned in the settings page for Microsoft Defender XDR (Settings > Microsoft Defender XDR). If you prefer to use another data center location, select Need help? in the Microsoft Defender portal to contact Microsoft support.

Where can I access Microsoft Defender XDR?

Microsoft Defender XDR is available at: https://security.microsoft.com.

What permissions do I need to access Microsoft Defender XDR?

Accounts assigned the following Microsoft Entra roles can access Microsoft Defender XDR functionality and data:

  • Global administrator
  • Security administrator
  • Security Operator
  • Global Reader
  • Security Reader
  • Compliance Administrator
  • Compliance Data Administrator
  • Application Administrator
  • Cloud Application Administrator

Note

Role-based access control settings in Microsoft Defender for Endpoint influence access to data. For more information, read about managing access to Microsoft Defender XDR.

If you are running the Microsoft Defender XDR preview program you can now also experience the new Microsoft Defender 365 role-based access control (RBAC) model. For more information, see Microsoft Defender XDR role-based access control (RBAC) model.

What time zone does Microsoft Defender XDR default to?

By default, Microsoft Defender XDR displays time information in the UTC time zone. You can change this setting to use your local time zone. Learn about setting the time zone

How can I learn about new Microsoft Defender XDR feature and UI updates?

Microsoft regularly provides information through the various channels, including:

Get the latest publicly available experiences by turning on preview features.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.