Deploy supported services
Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.
- Microsoft 365 Defender
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft 365 Defender integrates various Microsoft security services to provide centralized detection, prevention, and investigation capabilities against sophisticated attacks. This article describes the supported services, their licensing requirements, the advantages and limitations associated with deploying one or more services, and links to how you can fully deploy them individually.
A Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses provides access to the following supported services and entitles you to use Microsoft 365 Defender. See licensing requirements
|Microsoft Defender for Endpoint||Endpoint protection suite built around powerful behavioral sensors, cloud analytics, and threat intelligence|
|Microsoft Defender for Office 365||Advanced protection for your apps and data in Office 365, including email and other collaboration tools|
|Microsoft Defender for Identity||Defend against advanced threats, compromised identities, and malicious insiders using correlated Active Directory signals|
|Microsoft Defender for Cloud Apps||Identify and combat cyberthreats across your Microsoft and third-party cloud services|
Deployed services and functionality
Microsoft 365 Defender provides better visibility, correlation, and remediation as you deploy more supported services.
Benefits of full deployment
To get the complete benefits of Microsoft 365 Defender, we recommend deploying all supported services. Here are some of the key benefits of full deployment:
- Incidents are identified and correlated based on alerts and event signals from all available sensors and service-specific analysis capabilities
- Automated investigation and remediation (AIR) playbooks apply across various entity types, including devices, mailboxes, and user accounts
- A more comprehensive advanced hunting schema can be queried for event and entity data from devices, mailboxes, and other entities
Limited deployment scenarios
Each supported service that you deploy provides an extremely rich set of raw signals as well as correlated information. While limited deployment doesn't cause Microsoft 365 Defender functionality to turn off, its ability to provide comprehensive visibility across your endpoints, apps, data, and identities is affected. At the same time, any remediation capabilities only apply to entities that can be managed by the services you've deployed.
The table below lists how each supported service provides additional data, opportunities to obtain additional insight by correlating the data, and better remediation and response capabilities.
|Service||Data (signals & correlated info)||Remediation & response scope|
|Microsoft Defender for Endpoint||
|Microsoft Defender for Office 365||
|Microsoft Defender for Identity||
|Microsoft Defender for Cloud Apps||
Deploy the services
Deploying each service typically requires provisioning to your tenant and some initial configuration. See the following table to understand how each of these services is deployed.
|Service||Provisioning instructions||Initial configuration|
|Microsoft Defender for Endpoint||Microsoft Defender for Endpoint deployment guide||See provisioning instructions|
|Microsoft Defender for Office 365||None, provisioned with Office 365||Configure Microsoft Defender for Office 365 policies|
|Microsoft Defender for Identity||Quickstart: Create your Microsoft Defender for Identity instance||See provisioning instructions|
|Microsoft Defender for Cloud Apps||None||Quickstart: Get started with Microsoft Defender for Cloud Apps|
Once you've deployed the supported services, turn on Microsoft 365 Defender.
Submit and view feedback for