Configure Defender for Identity automated response exclusions

Note

The experience described in this page can be accessed at https://security.microsoft.com as part of Microsoft Defender XDR.

This article explains how to configure Microsoft Defender for Identity automated response exclusions in Microsoft Defender XDR.

Microsoft Defender for Identity enables the exclusion of Active Directory accounts from automated response actions, used in Automatic Attack Disruption. Automated response exclusions do not apply to responses triggered by Custom Detections.

For example, an incident involving Attack Disruption, where response actions are taken automatically, wouldn't disable a specified excluded account. This could be used, for example, to exclude sensitive accounts from automated actions.

How to add automated response exclusions

1. In Microsoft Defender XDR, go to Settings and then Identities.

   

2. You'll then see Automated response exclusions in the left-hand menu.

   

3. To exclude specific users, select Exclude Users.

   

4. Search for the users to exclude and select the Exclude Users button.

   

5. To remove excluded users, select the relevant users from the list and select the Remove button.

   

See also

• Configure event collection
• Check out the Defender for Identity forum!