Configure managed security service provider integration
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Managed security service provider partnership opportunities
Security is recognized as a key component in running an enterprise. However, some organizations might not have the capacity or expertise to run a dedicated security operations team that manages the security of their endpoints and network. Others might want a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSPs) offer to deliver managed detection and response (MDR) services on top of Defender for Endpoint.
Defender for Endpoint adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
- Get access to the MSSP customer's Microsoft Defender portal
- Get email notifications
- Fetch alerts through security information and event management (SIEM) tools
Note
The following terms are used in this article to distinguish between the service provider and service consumer:
- MSSPs: Security organizations that monitor and manage security devices for organizations (customers).
- MSSP customers: Organizations who engage the services of MSSPs.
MSSP integration
To enable MSSP integration, the MSSP customer needs to grant access to their Defender for Endpoint tenant so that the MSSP can access their Microsoft Defender portal (https://security.microsoft.com).
After access is granted, the MSSP or the MSSP customer can complete the remaining configuration steps. The following table summarizes the steps and who performs each one:
Step | Who does it |
---|---|
Grant the MSSP access to the Microsoft Defender portal. This action grants the MSSP access to the MSSP customer's Microsoft Defender portal. | MSSP customer |
Configure alert notifications sent to MSSPs. This action lets the MSSPs know what alerts they need to address for the MSSP customer. | MSSP customer or MSSP |
Fetch alerts from the MSSP customer's tenant into a SIEM system. This action allows MSSPs to fetch alerts in SIEM tools. | MSSP |
Fetch alerts from the MSSP customer's tenant using APIs. This action allows MSSPs to fetch alerts using APIs. | MSSP |
Multitenant access for MSSPs
For information on how to implement multitenant delegated access, see multitenant access for Managed Security Service Providers.
Related articles
- Grant MSSP access to the portal
- Access the MSSP customer portal
- Configure alert notifications
- Fetch alerts from customer tenant