Configure Defender for Identity detection exclusions in Microsoft 365 Defender

Applies to:

  • Microsoft 365 Defender
  • Defender for Identity

This article explains how to configure Microsoft Defender for Identity detection exclusions in Microsoft 365 Defender.

Important

As part of the convergence with Microsoft 365 Defender, some options and details have moved from their location in the Defender for Identity portal. Read the details below to find where both the familiar and the new features are located.

Microsoft Defender for Identity lets you exclude specific IP addresses, computers, domains, or users from a number of detections.

For example, a DNS Reconnaissance alert could be triggered by a security scanner that uses DNS as a scanning mechanism. Creating an exclusion lets Defender for Identity ignore such scanners and reduces false positives. Keep in mind that an exclusion suppresses the detection for that entity entirely: a compromised scanner host, or an attacker who takes over an excluded IP address, will no longer raise the excluded alert. Scope each exclusion as narrowly as possible (a single detection rule rather than all detections) and review the exclusion lists periodically.

Note

Among the domains that most often appear in Suspicious communication over DNS alerts, we observed which ones customers most frequently excluded from the alert. Those domains are added to the exclusions list by default, but you can easily remove them.

How to add detection exclusions

  1. In Microsoft 365 Defender, go to Settings and then Identities.

    The Identities option in the Name column

  2. You'll then see Excluded entities in the left-hand menu.

    The Excluded entities pane

You can then set exclusions by two methods: Exclusions by detection rule and Global excluded entities.

Exclusions by detection rule

  1. In the left-hand menu, select Exclusions by detection rule. You'll see a list of detection rules.

    The Exclusions by detection rule option in the Excluded entities item in the left pane

  2. For each detection you want to configure, do the following steps:

    1. Select the rule. You can search for detections using the search bar. Once selected, a pane will open with the detection rule details.

      The details of a detection rule

    2. To add an exclusion, select the Excluded entities button, and then choose the exclusion type. Different excluded entities are available for each rule. They include users, devices, domains and IP addresses. In this example, the choices are Exclude devices and Exclude IP addresses.

      The option to exclude devices or IP addresses

    3. After choosing the exclusion type, you can add the exclusion. In the pane that opens, select the + button to add the exclusion.

      The option to add an exclusion

    4. Then add the entity to be excluded. Select + Add to add the entity to the list.

      The option to add entity that is to be excluded

    5. Then select Exclude IP addresses (in this example) to complete the exclusion.

      The option to exclude IP addresses

    6. Once you've added exclusions, you can export the list or remove the exclusions by returning to the Excluded entities button. In this example, we've returned to Exclude devices. To export the list, select the down arrow button.

      The Return to Exclude devices option

    7. To delete an exclusion, select the exclusion and select the trash icon.

      The Delete an exclusion option

Global excluded entities

You can also configure exclusions with Global excluded entities. A global exclusion defines entities (IP addresses, subnets, devices, or domains) that are excluded across all Defender for Identity detections. An excluded entity only affects detections that identify that entity type, however: if you exclude a device, for example, the exclusion applies only to detections that include device identification as part of the detection logic.

  1. In the left-hand menu, select Global excluded entities. You'll see the categories of entities that you can exclude.

    The Global excluded entities submenu item

  2. Choose an exclusion type. In this example, we selected Exclude domains.

    The Domains tab

  3. A pane will open where you can add a domain to be excluded. Add the domain you want to exclude.

    The option to add a domain to be excluded

  4. The domain will be added to the list. Select Exclude domains to complete the exclusion.

    The option to Select domains to be excluded

You'll then see the domain in the list of entities excluded from all detection rules. You can export the list, or remove entities by selecting them and then selecting Remove.

    The list of global excluded entries
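The two methods above differ in blast radius: an exclusion by detection rule silences one alert for an entity, while a global exclusion silences every detection that identifies that entity. The following script is an added example (not code from the original page or from Microsoft) showing how to decide which scope is appropriate before you add an exclusion. It works on a constructed list of alert records; the tuple layout (alert title, entity type, entity, severity) and the alert titles in the sample are assumptions for illustration and do not reflect a product API or the portal's export format.

```python
"""Scope helper for Defender for Identity exclusions (added example).

Given alert records for an entity, recommend the narrowest exclusion scope:
exclude from a single detection rule when the entity repeatedly trips only
that rule, and refuse or flag for review when a global exclusion would also
hide unrelated or high-severity alerts.
"""
from collections import Counter

# Constructed sample data (not real telemetry). Each record is
# (alert_title, entity_type, entity, severity).
SAMPLE_ALERTS = [
    # A scanner IP that only ever trips DNS reconnaissance: rule-scoped exclusion.
    ("Network mapping reconnaissance (DNS)", "ip", "10.0.5.20", "Medium"),
    ("Network mapping reconnaissance (DNS)", "ip", "10.0.5.20", "Medium"),
    ("Network mapping reconnaissance (DNS)", "ip", "10.0.5.20", "Medium"),
    # An IP that also appears in a high-severity alert: must not be excluded.
    ("Network mapping reconnaissance (DNS)", "ip", "10.0.9.44", "Medium"),
    ("Account enumeration reconnaissance", "ip", "10.0.9.44", "Medium"),
    ("Suspected identity theft (pass-the-ticket)", "ip", "10.0.9.44", "High"),
    # A scanner host (device entity) with the same repeated pattern.
    ("Network mapping reconnaissance (DNS)", "device", "vuln-scan01", "Medium"),
    ("Network mapping reconnaissance (DNS)", "device", "vuln-scan01", "Medium"),
    ("Network mapping reconnaissance (DNS)", "device", "vuln-scan01", "Medium"),
    # An IP tripping two different medium-severity rules: needs human review.
    ("Network mapping reconnaissance (DNS)", "ip", "10.0.3.3", "Medium"),
    ("Account enumeration reconnaissance", "ip", "10.0.3.3", "Medium"),
]


def alerts_for(alerts, entity):
    """Return (alert title -> count, set of severities) for one entity."""
    by_rule = Counter()
    severities = set()
    for title, _entity_type, ent, severity in alerts:
        if ent == entity:
            by_rule[title] += 1
            severities.add(severity)
    return by_rule, severities


def recommend_exclusion(alerts, entity, min_hits=3):
    """Recommend the narrowest exclusion scope for an entity.

    Returns (scope, rule, reason), where scope is one of:
      "none"   - do not exclude (no pattern yet, or a high-severity alert is involved)
      "rule"   - use Exclusions by detection rule for the single rule returned
      "review" - entity trips several rules; a global exclusion would hide all of them
    """
    by_rule, severities = alerts_for(alerts, entity)
    if not by_rule:
        return ("none", None, "no alerts on this entity; nothing to exclude")
    if "High" in severities:
        return ("none", None, "entity appears in a high-severity alert; investigate instead")
    if len(by_rule) == 1:
        rule, hits = next(iter(by_rule.items()))
        if hits < min_hits:
            return ("none", None, f"only {hits} alert(s) on '{rule}'; not yet a repeated pattern")
        return ("rule", rule, f"{hits} repeated alerts on one rule; exclude from that rule only")
    hidden = ", ".join(sorted(by_rule))
    return ("review", None,
            f"entity trips {len(by_rule)} rules ({hidden}); a global exclusion would silence all of them")


def silenced_by_global_exclusion(alerts, entity):
    """Alert titles that would stop firing for this entity under a global exclusion."""
    by_rule, _severities = alerts_for(alerts, entity)
    return sorted(by_rule)


if __name__ == "__main__":
    for entity in ("10.0.5.20", "10.0.9.44", "vuln-scan01", "10.0.3.3", "10.0.7.1"):
        scope, rule, reason = recommend_exclusion(SAMPLE_ALERTS, entity)
        print(f"{entity:12} -> {scope:6} {rule or '-'}")
        print(f"               {reason}")
        if scope != "rule":
            print("               global exclusion would silence:",
                  silenced_by_global_exclusion(SAMPLE_ALERTS, entity))
```

The `min_hits` threshold and the high-severity rule are policy knobs, not product behaviour; the point is that the decision to exclude is made from the full set of alerts an entity has raised, so that a global exclusion is never added for an entity that also appears in detections you still want to see.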
