Turn on Microsoft Defender XDR
Applies to:
- Microsoft Defender XDR
Microsoft Defender XDR unifies your incident response process by integrating key capabilities across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. This unified experience adds powerful features you can access in the Microsoft Defender portal.
Microsoft Defender XDR automatically turns on when eligible customers with the required permissions visit Microsoft Defender portal. Read this article to understand various prerequisites and how Microsoft Defender XDR is provisioned.
A license to a Microsoft 365 security product generally entitles you to use Microsoft Defender XDR without additional licensing cost. We do recommend getting a Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses that provides access to all supported services.
For detailed licensing information, read the licensing requirements.
You must be one of the following roles to turn on Microsoft Defender XDR:
- Global Administrator
- Security Administrator
- Security Operator
- Global Reader
- Security Reader
- Compliance Administrator
- Compliance Data Administrator
- Application Administrator
- Cloud Application Administrator
View your roles in Microsoft Entra ID
Configuring your network firewall ensures a smooth experience while navigating the Microsoft Defender portal https://security.microsoft.com.
Add to your firewall's allow list the outbound IP addresses in the following page:
In addition, ensure that other Defender services are properly configured. You can refer to the following pages for configuration information:
- Enable access to Microsoft Defender for Endpoint service in the proxy server
- Get started with Microsoft Defender for Office 365
- Configure endpoint proxy and internet connectivity settings for Microsoft Defender for Identity
- Ensure portal access for Microsoft Defender for Cloud Apps
Microsoft Defender XDR aggregates data from the various supported services that you've already deployed. It will process and store data centrally to identify new insights and make centralized response workflows possible. It does this without affecting existing deployments, settings, or data associated with the integrated services.
To get the best protection and optimize Microsoft Defender XDR, we recommend deploying all applicable supported services on your network. For more information, read about deploying supported services.
Onboarding to Microsoft Defender XDR is simple. From the navigation menu, select any item, such as Incidents & alerts, Hunting, Action center, or Threat analytics to initiate the onboarding process.
Microsoft Defender XDR will store and process data in the same location used by Microsoft Defender for Endpoint. If you don't have Microsoft Defender for Endpoint, a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown in the screen.
Select Need help? in the Microsoft Defender portal to contact Microsoft support about provisioning Microsoft Defender XDR in a different data center location.
Note
In the past, Microsoft Defender for Endpoint automatically provisioned in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft Defender XDR will automatically provision in the same EU data center for customers who have provisioned Defender for Endpoint in this manner in the past.
Once the service is provisioned, it adds:
- Incidents management
- Alerts queue
- An action center for managing automated investigation and response
- Advanced hunting capabilities
- Threat analytics
Microsoft Defender portal with incidents management and other capabilities
To enable the integration with Microsoft Defender for Cloud Apps, you'll need to log in to the Microsoft Defender for Cloud Apps at least once.
To get answers to the most commonly asked questions about turning on Microsoft Defender XDR, read the FAQ.
Microsoft support staff can help provision or deprovision the service and related resources on your tenant. For assistance, select Need help? in the Microsoft Defender portal. When contacting support, mention Microsoft Defender XDR.
- Frequently asked questions
- Licensing requirements and other prerequisites
- Deploy supported services
- Setup guides for Microsoft Defender XDR
- Microsoft Defender XDR overview
- Microsoft Defender for Endpoint overview
- Defender for Office 365 overview
- Microsoft Defender for Cloud Apps overview
- Microsoft Defender for Identity overview
- Microsoft Defender for Endpoint data storage
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.