Configure managed security service provider integration
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
The following terms are used in this article to distinguish between the service provider and service consumer:
- MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
- MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
- Get access to the MSSP customer's Microsoft Defender portal
- Get email notifications
- Fetch alerts through security information and event management (SIEM) tools
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
- Grant the MSSP access to Microsoft 365 Defender: This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.
- Configure alert notifications sent to MSSPs: This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
- Fetch alerts from MSSP customer's tenant into SIEM system: This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
- Fetch alerts from MSSP customer's tenant using APIs: This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
Multi-tenant access for MSSPs
For information on how to implement multi-tenant delegated access, see Multi-tenant access for Managed Security Service Providers.
- Grant MSSP access to the portal
- Access the MSSP customer portal
- Configure alert notifications
- Fetch alerts from customer tenant