Frequently asked questions when turning on Microsoft 365 Defender


Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

Read responses to the most commonly asked questions about turning on Microsoft 365 Defender, including required licenses and permissions, deploying support services, and initial settings.

For instructions on how to turn on the service, read Turn on Microsoft 365 Defender.

I don't have a Microsoft 365 E5 license. Can I still use Microsoft 365 Defender?

Customers with the following non-E5 licenses can use Microsoft 365 Defender:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Defender for Office 365 (Plan 2)

For a full list of supported licenses, read the licensing requirements.

Do I need to install or deploy anything to start using Microsoft 365 Defender?

No, Microsoft 365 Defender consolidates data from Microsoft 365 security services that you have already deployed. Once you turn it on, incident, automation, and hunting experiences will start working within the scope of the deployed products. If none of these products are properly deployed, Microsoft 365 Defender will not display any data and is unable to take any action.

To optimize your Microsoft 365 Defender experiences, we recommend deploying all supported Microsoft 365 security products and services.

Where does Microsoft 365 Defender process and store my data?

Microsoft 365 Defender automatically selects an optimal location for the data center where consolidated data is processed and stored. If you have Microsoft Defender for Endpoint, it selects the same location used by Defender for Endpoint.


Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.

The data center location is shown before and after the service is provisioned in the settings page for Microsoft 365 Defender (Settings > Microsoft 365 Defender). If you prefer to use another data center location, select Need help? in the Microsoft 365 Defender portal to contact Microsoft support.

Where can I access Microsoft 365 Defender?

Microsoft 365 Defender is available at:

What permissions do I need to access Microsoft 365 Defender?

Accounts assigned the following Azure Active Directory (Azure AD) roles can access Microsoft 365 Defender functionality and data:

  • Global administrator
  • Security administrator
  • Security Operator
  • Global Reader
  • Security Reader
  • Compliance Administrator
  • Compliance Data Administrator
  • Application Administrator
  • Cloud Application Administrator


Role-based access control settings in Microsoft Defender for Endpoint influence access to data. For more information, read about managing access to Microsoft 365 Defender.

If you are running the Microsoft 365 Defender preview program you can now also experience the new Microsoft Defender 365 role-based access control (RBAC) model. For more information, see Microsoft 365 Defender role-based access control (RBAC) model.

What time zone does Microsoft 365 Defender default to?

By default, Microsoft 365 Defender displays time information in the UTC time zone. You can change this setting to use your local time zone. Learn about setting the time zone

How can I learn about new Microsoft 365 Defender feature and UI updates?

Microsoft regularly provides information through the various channels, including:

Get the latest publicly available experiences by turning on preview features.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft 365 Defender Tech Community.