Monitor and maintain Microsoft 365 Business Premium and Defender for Business

After you have set up and configured Microsoft 365 Business Premium or the standalone version of Microsoft Defender for Business, your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.

As you prepare your plan, you can organize the various tasks into two main categories, as listed in the following table:

Task type Sections
Security tasks Daily security tasks
Weekly security tasks
Monthly security tasks
Security tasks to perform as needed
General admin tasks Admin center tasks
Users, groups, and passwords
Email and calendars
Devices
Subscriptions and billing

Security tasks

Security tasks are typically performed by security administrators and security operators.

Daily security tasks

Task Description
Check your threat vulnerability management dashboard Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation.

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Vulnerability management > Dashboard.

2. Take a look at your Organization exposure score. If it's in the acceptable or "High" range, you can move on. If it isn't, select Improve score to see more details and security recommendations to improve this score.

Being aware of your exposure score helps you to:
- Quickly understand and identify high-level takeaways about the state of security in your organization
- Detect and respond to areas that require investigation or action to improve the current state
- Communicate with peers and management about the impact of security efforts
Review pending actions in the Action center As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Action center.

2. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.

3. Select the History tab to view a list of completed actions.
Review devices with threat detections When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly.

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Reports > General > Security report.

2. Scroll down to the Vulnerable devices row. If threats were detected on devices, you can see that information in this row.
Learn about new incidents or alerts As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft Defender portal.

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation menu, select Incidents. Incidents are displayed on the page with associated alerts.

2. Select an alert to open its flyout pane, where you can learn more about the alert.

3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.
Run a scan or automated investigation Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, remediation actions can occur automatically or upon approval.

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Assets > Devices.

2. Select a device to open its flyout panel, and review the information that is displayed.
- Select the ellipsis (...) to open the actions menu.
- Select an action, such as Run antivirus scan or Initiate Automated Investigation.

Weekly security tasks

Task Description
Monitor and improve your Microsoft Secure Score Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can:
- Report on the current state of your organization's security posture.
- Improve your security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).

To check your score, follow these steps:

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane choose Secure score.

2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score.
Improve your Secure Score for devices Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.

To check your secure score, follow these steps:

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane select Secure score.

2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.

3.Select an item on the list to display details related to the recommendation.

4. Select Remediation options.

5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.

6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.

7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.

8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving.

Monthly security tasks

Task Description
Run reports Several reports are available in the Microsoft Defender portal (https://security.microsoft.com).

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Reports.

2. Choose a report to review. Each report displays many pertinent categories for that report.

3. Select View details to see deeper information for each category.

4. Select the title of a particular threat to see details specific to it.

Security tasks to perform as needed

Task Description
Manage false positives/negatives A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues.

For false positives/negatives on devices, see Address false positives/negatives in Microsoft Defender for Endpoint.

For false positives/negatives in email, see the following articles:
- How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365
- How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365
Strengthen your security posture Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture.

See the following articles:
- Use your vulnerability management dashboard in Microsoft Defender for Business
- Dashboard insights
Adjust security policies Reports are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others.

See the following articles:
- For device protection: View or edit policies in Microsoft Defender for Business
- For email protection: Recommended settings for EOP and Microsoft Defender for Office 365 security
Analyze admin submissions Sometimes it's necessary to submit entities, such as email messages, URLs, or attachments to Microsoft for further analysis. Reporting items can help reduce the occurrence of false positives/negatives and improve threat detection accuracy.

See the following articles:
- Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft
- Admin review for user reported messages
Protect priority user accounts Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.

See the following articles:
- Protect your administrator accounts
- Security recommendations for priority accounts in Microsoft 365
Protect high-risk devices The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases.

See Manage devices in Microsoft Defender for Business.
Onboard or offboard devices As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business.

See the following articles:
- Onboard devices to Microsoft Defender for Business
- Offboard a device from Microsoft Defender for Business
Remediate an item Microsoft 365 Business Premium includes several remediation actions. Some actions are taken automatically, and others await approval by your security team.

1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices.

2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.

3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.

4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device.

Remediation actions for devices

The following table summarizes remediation actions that are available for devices in Microsoft 365 Business Premium and Defender for Business:

Source Actions
Automated investigations Quarantine a file
Remove a registry key
Kill a process
Stop a service
Disable a driver
Remove a scheduled task
Manual response actions Run antivirus scan
Isolate device
Add an indicator to block or allow a file
Live response Collect forensic data
Analyze a file
Run a script
Send a suspicious entity to Microsoft for analysis
Remediate a file
Proactively hunt for threats

General admin tasks

Maintaining your environment includes managing user accounts, managing devices, and keeping things up to date and working correctly. Admin tasks are typically performed by global administrators and tenant administrators. Learn more about admin roles.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

If you're new to Microsoft 365, take a moment to get an Overview of the Microsoft 365 admin center.

Admin center tasks

Task Resources to learn more
Get started using the Microsoft 365 admin center Overview of the Microsoft 365 admin center
Learn about new features in the Microsoft 365 admin center What's new in the Microsoft 365 admin center
Find out about new product updates and features so you can help prepare users Stay on top of Microsoft 365 product and feature changes
View usage reports to see how people are using Microsoft 365 Microsoft 365 Reports in the admin center
Open a technical support ticket Get support for Microsoft 365 for business

Users, groups, and passwords

Task Resources to learn more
Add a new user Add a new employee to Microsoft 365
Assign or unassign licenses for users Assign or unassign licenses for users in the Microsoft 365 admin center

Assign Microsoft 365 licenses to user accounts by using PowerShell
Assign admin roles to people who need admin permissions Assign admin roles in the Microsoft 365 admin center

Assign admin roles to Microsoft 365 user accounts with PowerShell
Remove licenses from users Assign or unassign licenses for users in the Microsoft 365 admin center

Remove Microsoft 365 licenses from user accounts with PowerShell
Turn pronouns on or off Turn pronouns on or off for your organization in the Microsoft 365 admin center
Determine whether to allow guest access to groups for their whole organization or for individual groups
(applies to Microsoft 365 Business Premium)
Guest users in Microsoft 365 admin center
Remove a user account when someone leaves your organization Overview: Remove a former employee and secure data
Reset passwords for user accounts Reset passwords in Microsoft 365 for business

Email and calendars

Task Resources to learn more
Migrate email and contacts from Gmail or another email provider to Microsoft 365 Migrate email and contacts to Microsoft 365
Add an email signature, legal disclaimer, or disclosure statement to email messages that come in or go out Create organization-wide signatures and disclaimers
Set up, edit, or delete a security group Create, edit, or delete a security group in the Microsoft 365 admin center
Add users to a distribution group Add a user or contact to a Microsoft 365 distribution group
Set up a shared mailbox so people can monitor and send email from a common email addresses, like info@contoso.com Create a shared mailbox

Devices

Task Resources to learn more
Use Windows Autopilot to set up and preconfigure new devices or to reset, repurpose, and recover devices
(applies to Microsoft 365 Business Premium)
Overview of Windows Autopilot
View current status of and manage devices Manage devices in Microsoft Defender for Business
Onboard devices to Defender for Business Onboard devices to Defender for Business
Offboard devices from Defender for Business Offboard a device from Defender for Business
Manage devices with Intune What does device management with Intune mean?

Manage your devices and control device features in Microsoft Intune

Domains

Task Resources to learn more
Add a domain (like contoso.com) to your Microsoft 365 subscription Add a domain to Microsoft 365
Buy a domain Buy a domain name
Remove a domain Remove a domain

Subscriptions and billing

Task Resources to learn more
View your bill or invoice View your Microsoft 365 for business subscription bill or invoice
Manage your payment methods Manage payment methods
Change the frequency of your payments Change your Microsoft 365 subscription billing frequency
Change your billing address Change your Microsoft 365 for business billing addresses

See also