Frequently asked questions when turning on Microsoft Defender XDR
Applies to:
Microsoft Defender XDR
Read responses to the most commonly asked questions about turning on Microsoft Defender XDR, including required licenses and permissions, deploying support services, and initial settings.
Do I need to install or deploy anything to start using Microsoft Defender XDR?
No, Microsoft Defender XDR consolidates data from Microsoft 365 security services that you have already deployed. Once you turn it on, incident, automation, and hunting experiences will start working within the scope of the deployed products. If none of these products are properly deployed, Microsoft Defender XDR will not display any data and is unable to take any action.
Where does Microsoft Defender XDR process and store my data?
Microsoft Defender XDR automatically selects an optimal location for the data center where consolidated data is processed and stored. If you have Microsoft Defender for Endpoint, it selects the same location used by Defender for Endpoint.
Note
Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft Defender XDR will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.
The data center location is shown before and after the service is provisioned in the settings page for Microsoft Defender XDR (Settings > Microsoft Defender XDR). If you prefer to use another data center location, select Need help? in the Microsoft Defender portal to contact Microsoft support.
What permissions do I need to access Microsoft Defender XDR?
Accounts assigned the following Microsoft Entra roles can access Microsoft Defender XDR functionality and data:
Global Administrator
Security Administrator
Security Operator
Global Reader
Security Reader
Compliance Administrator
Compliance Data Administrator
Application Administrator
Cloud Application Administrator
Note
Role-based access control settings in Microsoft Defender for Endpoint influence access to data. For more information, read about managing access to Microsoft Defender XDR.
If you are running the Microsoft Defender XDR preview program, you can now also use the new Microsoft Defender 365 role-based access control (RBAC) model. For more information, see Microsoft Defender XDR role-based access control (RBAC) model.
What time zone does Microsoft Defender XDR default to?
By default, Microsoft Defender XDR displays time information in the UTC time zone. You can change this setting to use your local time zone. Learn about setting the time zone.
How can I learn about new Microsoft Defender XDR feature and UI updates?
Microsoft regularly provides information through various channels, including: