Microsoft Defender for Office 365 in Microsoft Defender XDR


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

Quick reference

The table below lists the changes in navigation between the Security & Compliance Center and Microsoft Defender XDR.

Security & Compliance Center Microsoft Defender XDR Microsoft Purview compliance portal Exchange admin center
Alerts Alerts page
Classification See Microsoft Purview compliance portal
Data loss prevention See Microsoft Purview compliance portal
Records management See Microsoft Purview compliance portal
Information governance See Microsoft Purview compliance portal
Threat management Email & Collaboration
Permissions Permissions & roles See Microsoft Purview compliance portal
Mail flow See Exchange admin center
Data privacy See Microsoft Purview compliance portal
Search Audit Search (content search)
Reports Report
Service assurance See Microsoft Purview compliance portal
Supervision See Microsoft Purview compliance portal
eDiscovery See Microsoft Purview compliance portal

Microsoft Defender XDR at combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.

If you're familiar with the Security & Compliance Center (, this article describes some of the changes and improvements in Microsoft Defender XDR.

Learn more about the benefits: Overview of Microsoft Defender XDR

If you're looking for compliance-related items, visit the Microsoft Purview compliance portal.

New and improved capabilities

The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this Defender for Cloud.

With the unified Microsoft Defender XDR solution, you can stitch together the threat signals and determine the full scope and impact of the threat, and how it's currently impacting the organization.

The Microsoft Defender XDR converged experience.

Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

The Defender for Office 365 portal.

Incidents and alerts

Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.

Alerts and Actions quick launch bar in the Microsoft Defender portal.


Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.

Custom detection rules can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.

Here's an example on advanced hunting in Microsoft Defender for Office 365.

Action center

Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft Defender XDR can help security teams by automatically responding to specific events.

Learn more about Action center.

Threat Analytics

Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:

  • Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.
  • Incidents view related to the threats.
  • Enhanced experience for quickly identifying and using actionable information in the reports.

You can access Threat analytics either from the upper left navigation bar in Microsoft Defender XDR, or from a dedicated dashboard card that shows the top threats for your organization.

Learn more about how to track and respond to emerging threats with threat analytics.

Email & collaboration

Track and investigate threats to your users' email, track campaigns, and more. If you've used the Security & Compliance Center, this will be familiar.

The quick launch menu for Email & collab, on the left navigation pane in the Microsoft Defender portal.

Email entity page

The Email entity page unifies email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is centralized. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.

Access and Reports

View reports, change your settings, and modify user roles.

The quick launch menu for Microsoft Defender XDR permissions and reporting, on the left navigation pane in the Microsoft Defender portal.


DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain. For Defender for Office 365 users, you can now manage and rotate DKIM keys through Microsoft Defender XDR:, or navigate to Policy & rules > Threat policies > > Rules section > DKIM.

For more information, see Use DKIM to validate outbound email sent from your custom domain.

What's changed

This table is a quick reference of Threat management where change has occurred between the Security & Compliance center and the Microsoft Defender portal. Click the links to read more about these areas.

Area Description of change
Investigation Brings together AIR capabilities in Defender for Office 365 and Defender for Endpoint. With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
Alert queue The View alerts flyout pane in the Security & Compliance Center now includes links to Microsoft Defender XDR. Click on the Open Alert Page link and Microsoft Defender XDR opens. You can access the View alerts page by clicking on any Office 365 alert in the Alerts queue.
Attack Simulation training Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.

No changes to these areas:

Also, check the Related Information section at the bottom of this article.


The Microsoft Defender portal combines security features in, and However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.


All Exchange Online Protection (EOP) functions will be included in Microsoft Defender XDR, as EOP is a core element of Defender for Office 365.

Microsoft Defender XDR Home page

The Home page of the portal surfaces important summary information about the security status of your Microsoft 365 environment.

Using the Guided tour you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.

Also included is a link to the Security & Compliance Center for comparison. The last link is to the What's New page that describes recent updates.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.