Step 2. Deploy attack detection and response

As a strongly recommended initial step for ransomware attack detection and response in your Microsoft 365 tenant, set up a trial environment to evaluate the features and capabilities of Microsoft 365 Defender.

For additional information, see these resources.

| Feature | Description | Where to start | How to use it for detection and response |
|---|---|---|---|
| Microsoft 365 Defender | Combines signals and orchestrates capabilities into a single solution. Enables security professionals to stitch together threat signals and determine the full scope and impact of a threat. Automates actions to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities. | Get started | Incident response |
| Microsoft Defender for Identity | Identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions directed at your organization through a cloud-based security interface that uses your on-premises Active Directory Domain Services (AD DS) signals. | Overview | Working with the Microsoft Defender for Identity portal |
| Microsoft Defender for Office 365 | Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Protects against malware, phishing, spoofing, and other attack types. | Overview | Threat hunting |
| Microsoft Defender for Endpoint | Enables detection and response to advanced threats across endpoints (devices). | Overview | Endpoint detection and response |
| Azure Active Directory (Azure AD) Identity Protection | Automates detection and remediation of identity-based risks and investigation of those risks. | Overview | Investigate risk |
| Microsoft Defender for Cloud Apps | A cloud access security broker for discovery, investigation, and governance across all your Microsoft and third-party cloud services. | Overview | Investigate |


All of these services require Microsoft 365 E5 or Microsoft 365 E3 with the Microsoft 365 E5 Security add-on.

Use these services to detect and respond to the following common threats from ransomware attackers:

  • Credential theft

    • Azure AD Identity Protection
    • Defender for Identity
    • Defender for Office 365
  • Device compromise

    • Defender for Endpoint
    • Defender for Office 365
  • Escalation of privilege

    • Azure AD Identity Protection
    • Defender for Cloud Apps
  • Malicious app behavior

    • Defender for Cloud Apps
  • Data exfiltration, deletion, or uploading

The following services use Microsoft 365 Defender and its portal as a common threat collection and analysis point:

  • Defender for Identity
  • Defender for Office 365
  • Defender for Endpoint
  • Defender for Cloud Apps

Microsoft 365 Defender combines threat signals into alerts and connected alerts into an incident so that your security analysts can more quickly detect, investigate, and remediate the phases of a ransomware attack.

Resulting configuration

Here's the ransomware protection for your tenant for steps 1 and 2.

[Figure: Ransomware protection for your Microsoft 365 tenant after Step 2]

Next step

Step 3 for ransomware protection with Microsoft 365

Continue with Step 3 to protect the identities in your Microsoft 365 tenant.