Zero Trust with Microsoft 365 Defender
Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

Microsoft 365 Defender contributes to a strong Zero Trust strategy and architecture by providing extended detection and response (XDR). Microsoft 365 Defender works together with other Microsoft XDR tools and services and can be integrated with Microsoft Sentinel as a security information and event management (SIEM) source for a complete XDR/SIEM solution.

Microsoft 365 Defender is an XDR solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoint, email, applications, and identities.

Diagram that shows the Microsoft 365 Defender in the Zero Trust architecture.

In the illustration: Microsoft 365 Defender provides XDR capabilities for protecting:

  • Endpoints, including laptops and mobile devices
  • Data in Office 365, including email
  • Cloud apps, including other SaaS apps that your organization uses
  • On-premises Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS) servers

Microsoft 365 Defender helps you apply the principles of Zero Trust in the following ways:

Zero Trust principle | Met by
-------------------- | ------
Verify explicitly | Microsoft 365 Defender provides XDR across users, identities, devices, apps, and emails.
Use least privileged access | If used with Azure Active Directory (Azure AD) Identity Protection, Microsoft 365 Defender blocks users based on the level of risk posed by an identity. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender and is included with Azure AD Premium P2.
Assume breach | Microsoft 365 Defender continuously scans the environment for threats and vulnerabilities. It can implement automated remediation tasks, including automated investigations and isolating endpoints.

To add Microsoft 365 Defender to your Zero Trust strategy and architecture, go to Evaluate and pilot Microsoft 365 Defender for a methodical guide to piloting and deploying Microsoft 365 Defender components. The following table summarizes what these topics include.

Includes:
  • Set up the evaluation and pilot environment for all components:
      • Defender for Identity
      • Defender for Office 365
      • Defender for Endpoint
      • Microsoft Defender for Cloud Apps
  • Protect against threats
  • Investigate and respond to threats

Prerequisites:
  • See the guidance for the architecture requirements for each component of Microsoft 365 Defender.

Doesn't include:
  • Azure AD Identity Protection is not included in this solution guide. It is included in Step 1. Configure Zero Trust identity and device access protection.

Next steps

Learn more about Zero Trust for Microsoft 365 Defender services:

Learn more about other Microsoft 365 capabilities that contribute to a strong Zero Trust strategy and architecture with the Zero Trust deployment plan with Microsoft 365.

Learn more about Zero Trust and how to build an enterprise-scale strategy and architecture with the Zero Trust Guidance Center.