Microsoft Defender for Business security administration guide

Security administrators (also referred to as security admins) perform various tasks, such as:

  • Defining or editing security policies
  • Onboarding or offboarding devices
  • Taking steps to protect high-risk user accounts or devices

The following table lists common tasks that security admins typically perform, with links to more detailed information.

| Task | Description |
|---|---|
| Manage false positives/negatives | A false positive is an entity, such as a file or a process, that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Defender for Business. Fortunately, steps can be taken to address and reduce these kinds of issues. See Address false positives/negatives in Microsoft Defender for Endpoint. |
| Strengthen your security posture | Defender for Business includes a vulnerability management dashboard that provides you with an exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. See the following articles: Use your vulnerability management dashboard in Defender for Business; Dashboard insights. |
| Adjust security policies | Reports are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. See View or edit policies in Defender for Business. |
| Protect high-risk devices | The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. See Manage devices in Defender for Business. |
| Onboard or offboard devices | As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. See the following articles: Onboard devices to Defender for Business; Offboard a device from Defender for Business. |
