Configure alert notifications in Microsoft Defender XDR
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
You can configure Microsoft Defender XDR to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
If you're using Defender for Business, you can set up email notifications for specific users (not roles or groups).
Note
- Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
- Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts triggered after they're added. For more information about alerts, see View and organize the Alerts queue.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
Note
Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
Create rules for alert notifications
You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
Go to Microsoft Defender XDR and sign in using an account with the Security administrator or Global administrator role assigned.
In the navigation pane, select Settings > Endpoints > General > Email notifications.
Click Add item.
Specify the General information:
Rule name - Specify a name for the notification rule.
Include organization name - Specify the customer name that appears on the email notification.
Include tenant-specific portal link - Adds a link with the tenant ID to allow access to a specific tenant.
Include device information - Includes the device name in the email alert body.
Note
This information might be processed by recipient mail servers that are not in the geographic location you have selected for your Defender data.
Devices - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see Create and manage device groups. (If you're using Defender for Business, device groups do not apply.)
Alert severity - Choose the alert severity level.
Click Next.
Enter the recipient's email address then click Add recipient. You can add multiple email addresses.
Check that email recipients can receive the email notifications by selecting Send test email.
Click Save notification rule.
Edit a notification rule
Select the notification rule you'd like to edit.
Update the General and Recipient tab information.
Click Save notification rule.
Delete notification rule
Select the notification rule you'd like to delete.
Click Delete.
Troubleshoot email notifications for alerts
This section lists various issues that you may encounter when using email notifications for alerts.
Problem: Intended recipients report they're not getting the notifications.
Solution: Make sure that the notifications aren't blocked by email filters:
- Check that the email notifications aren't sent to the Junk Email folder. Mark them as Not junk.
- Check that your email security product isn't blocking the email notifications.
- Check your email application rules that might be catching and moving your email notifications.
Related topics
- Update data retention settings
- Configure advanced features
- Configure vulnerability email notifications
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.