This article describes the Microsoft Defender for Office 365 experience in the Microsoft Defender portal at https://security.microsoft.com. Formerly, Defender for Office 365 customers used the Office 365 Security & Compliance Center at https://protection.office.com, but access to that portal ended in 2022.
The Defender portal combines security capabilities from existing Microsoft 365 security portals. This improved portal helps security teams protect their organization from threats more effectively and efficiently.
For more information about the benefits of the unified Microsoft Defender XDR, see Overview of Defender XDR.
With the unified Defender XDR solution, you can stitch together the threat signals and determine the full scope of the threat, and how it currently affects the organization.
Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Most Defender for Office 365 specific features are available under the Email & collaboration node as described in the Email & collaboration section.
Tip: Defender for Office 365 includes all the functionality in Exchange Online Protection (EOP). For more information about EOP, see Exchange Online Protection overview.
What you see or don't see in the Defender portal depends on your subscription (for example, Microsoft 365 E5 vs. an add-on or standalone Defender for Office 365 Plan 2 subscription).
Use Add cards to customize the information on the page.
Investigation & response
The following subsections describe the features that are available in the Investigation & response node in the Defender portal.
Incidents & alerts
Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.
Proactively search for threats, malware, and malicious activity across your endpoints, Microsoft 365 mailboxes, and more by using advanced hunting queries. You can use these powerful queries to locate and review threat indicators and entities for known and potential threats.
You can build custom detection rules from advanced hunting queries to proactively monitor events that might indicate breach activity and misconfigured devices.
Actions & submissions
Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing capability in the Defender portal can help security teams by automatically responding to specific events.
Admins can use the Submissions page to submit email messages, email attachments, and URLs to Microsoft for analysis. Messages reported as Junk, Not junk, or Phishing by users in Outlook are also available to review or resubmit to Microsoft.
Threat intelligence in Defender for Office 365 Plan 2
The following subsections describe the features that are available in the Threat intelligence node in the Defender portal in organizations with Defender for Office 365 Plan 2.
Threat Analytics
Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:
Email-related detections and mitigations from Microsoft Defender for Office 365.
Incidents view related to the threats.
Enhanced experience for quickly identifying and using actionable information in the reports.
You can access Threat analytics either from the left navigation pane in the Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.
Explorer (Threat Explorer): Defender for Office 365 Plan 2 only. Defender for Office 365 Plan 1 has Real-time detections instead. For more information, see About Threat Explorer and Real-time detections.
Although it isn't directly accessible from the left navigation pane in the Defender portal, the Email entity page in Defender for Office 365 unifies and centralizes email information to empower admins and security operations (SecOps) teams to quickly understand and act on email threats. For more information, see The Email entity page.
Microsoft Entra ID. You can view information about the roles that are shown, but you can't manage role membership here. The details flyout of each role contains a link to the Users page in Microsoft Entra where you can add users to roles.