Microsoft Defender for Office 365 in the Microsoft Defender portal

Applies to:

This article describes the Defender for Office 365 experience in the Microsoft Defender portal. Formerly, Defender for Office 365 customers used the Office 365 Security & Compliance center (https://protection.office.com).

Quick reference

The table below lists the changes in navigation between the Security & Compliance Center and The Microsoft Defender portal.

Security & Compliance Center The Microsoft Defender portal Microsoft Purview compliance portal Exchange admin center
Alerts Alerts page
Classification See Microsoft Purview compliance portal
Data loss prevention See Microsoft Purview compliance portal
Records management See Microsoft Purview compliance portal
Information governance See Microsoft Purview compliance portal
Threat management Email & Collaboration
Permissions Permissions & roles See Microsoft Purview compliance portal
Mail flow See Exchange admin center
Data privacy See Microsoft Purview compliance portal
Search Audit Search (content search)
Reports Report
Service assurance See Microsoft Purview compliance portal
Supervision See Microsoft Purview compliance portal
eDiscovery See Microsoft Purview compliance portal

The Microsoft Defender portal at https://security.microsoft.com combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.

If you're familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes and improvements in The Microsoft Defender portal.

Learn more about the benefits: Overview of Microsoft Defender XDR

If you're looking for compliance-related items, visit the Microsoft Purview compliance portal.

New and improved capabilities

The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this Defender for Cloud.

With the unified Microsoft Defender XDR solution, you can stitch together the threat signals and determine the full scope and impact of the threat, and how it's currently impacting the organization.

A screenshot of the left navigation pane of the M365 Defender portal.

Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

A screenshot that shows the Defender for Office 365 navigation pane options.

Incidents and alerts

Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.

A screenshot that shows the M365 Defender portal navigation pane emphasizing Incidents & alerts as well as Hunting capabilities.

Hunting

Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.

Custom detection rules can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.

Here's an example on advanced hunting in Microsoft Defender for Office 365.

Action center

Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in The Microsoft Defender portal can help security teams by automatically responding to specific events.

Learn more about Action center.

Threat Analytics

Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:

  • Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.
  • Incidents view related to the threats.
  • Enhanced experience for quickly identifying and using actionable information in the reports.

You can access Threat analytics either from the upper left navigation bar in The Microsoft Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.

Learn more about how to track and respond to emerging threats with threat analytics.

Email & collaboration

Track and investigate threats to your users' email, track campaigns, and more. If you've used the Security & Compliance Center, this will be familiar.

A screenshot that shows the left navigation pane of the M365 Defender portal focused on Email & collaboration.

Email entity page

The Email entity page unifies email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is centralized. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.

Access and Reports

View reports, change your settings, and modify user roles.

A screenshot that shows the left navigation pane of the M365 Defender portal highlighting Access and Reports capabilities.

Note

For Defender for Office 365 users, you can now manage and rotate DKIM keys in The Microsoft Defender portal at https://security.microsoft.com/authentication?viewid=DKIM.

For more information, see Use DKIM to validate outbound email sent from your custom domain.

What's changed

This table is a quick reference of Threat management where change has occurred between the Security & Compliance center and the Microsoft Defender portal. Click the links to read more about these areas.

Area Description of change
Investigation Brings together AIR capabilities in Defender for Office 365 and Defender for Endpoint. With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
Alert queue The View alerts flyout pane in the Security & Compliance Center now includes links to The Microsoft Defender portal. Click on the Open Alert Page link and The Microsoft Defender portal opens. You can access the View alerts page by clicking on any Office 365 alert in the Alerts queue.
Attack Simulation training Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.

No changes to these areas:

Also, check the Related Information section at the bottom of this article.

Important

The Microsoft Defender portal combines security features in https://securitycenter.windows.com, and https://protection.office.com. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.

Tip

All Exchange Online Protection (EOP) functions will be included in The Microsoft Defender portal, as EOP is a core element of Defender for Office 365.

The Microsoft Defender portal Home page

The Home page of the portal surfaces important summary information about the security status of your Microsoft 365 environment.

Using the Guided tour you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.

Also included is a link to the Security & Compliance Center for comparison. The last link is to the What's New page that describes recent updates.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.