Deploy supported services


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Defender XDR integrates various Microsoft security services to provide centralized detection, prevention, and investigation capabilities against sophisticated attacks. This article describes the supported services, their licensing requirements, the advantages and limitations associated with deploying one or more services, and links to how you can fully deploy them individually.

Supported services

A Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses provides access to the following supported services and entitles you to use Microsoft Defender XDR. See licensing requirements

Supported service Description
Microsoft Defender for Endpoint Endpoint protection suite built around powerful behavioral sensors, cloud analytics, and threat intelligence
Microsoft Defender for Office 365 Advanced protection for your apps and data in Office 365, including email and other collaboration tools
Microsoft Defender for Identity Defend against advanced threats, compromised identities, and malicious insiders using correlated Active Directory signals
Microsoft Defender for Cloud Apps Identify and combat cyberthreats across your Microsoft and third-party cloud services

Deployed services and functionality

Microsoft Defender XDR provides better visibility, correlation, and remediation as you deploy more supported services.

Benefits of full deployment

To get the complete benefits of Microsoft Defender XDR, we recommend deploying all supported services. Here are some of the key benefits of full deployment:

  • Incidents are identified and correlated based on alerts and event signals from all available sensors and service-specific analysis capabilities
  • Automated investigation and remediation (AIR) playbooks apply across various entity types, including devices, mailboxes, and user accounts
  • A more comprehensive advanced hunting schema can be queried for event and entity data from devices, mailboxes, and other entities

Limited deployment scenarios

Each supported service that you deploy provides an extremely rich set of raw signals as well as correlated information. While limited deployment doesn't cause Microsoft Defender XDR functionality to turn off, its ability to provide comprehensive visibility across your endpoints, apps, data, and identities is affected. At the same time, any remediation capabilities only apply to entities that can be managed by the services you've deployed.

The table below lists how each supported service provides additional data, opportunities to obtain additional insight by correlating the data, and better remediation and response capabilities.

Service Data (signals & correlated info) Remediation & response scope
Microsoft Defender for Endpoint
  • Endpoint states and raw events
  • Endpoint detections and alerts, including antivirus, EDR, attack surface reduction
  • Info on files and other entities observed on endpoints
Microsoft Defender for Office 365
  • Mail and mailbox states and raw events
  • Email, attachment, and link detections
  • Mailboxes
  • Microsoft 365 accounts
Microsoft Defender for Identity
  • Active Directory signals, including authentication events
  • Identity-related behavioral detections
Microsoft Defender for Cloud Apps
  • Detection of unsanctioned cloud apps and services (shadow IT)
  • Exposure of data to cloud apps
  • Threat activity associated with cloud apps
Cloud apps

Deploy the services

Deploying each service typically requires provisioning to your tenant and some initial configuration. See the following table to understand how each of these services is deployed.

Service Provisioning instructions Initial configuration
Microsoft Defender for Endpoint Microsoft Defender for Endpoint deployment guide See provisioning instructions
Microsoft Defender for Office 365 None, provisioned with Office 365 Configure Microsoft Defender for Office 365 policies
Microsoft Defender for Identity Quickstart: Create your Microsoft Defender for Identity instance See provisioning instructions
Microsoft Defender for Cloud Apps None Quickstart: Get started with Microsoft Defender for Cloud Apps

Once you've deployed the supported services, turn on Microsoft Defender XDR.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.