Configure Defender for Identity automated response exclusions

Note

The experience described in this page can be accessed at https://security.microsoft.com as part of Microsoft Defender XDR.

This article explains how to configure Microsoft Defender for Identity automated response exclusions in Microsoft Defender XDR.

Microsoft Defender for Identity lets you exclude Active Directory accounts from the automated response actions used in Automatic Attack Disruption. Automated response exclusions do not apply to responses triggered by Custom Detections.

For example, in an incident involving Attack Disruption, where response actions are taken automatically, an excluded account wouldn't be disabled. You can use this to keep sensitive accounts out of automated actions.

How to add automated response exclusions

  1. In Microsoft Defender XDR, go to Settings and then Identities.

  2. You'll then see Automated response exclusions in the left-hand menu.

  3. To exclude specific users, select Exclude Users.

  4. Search for the users to exclude and select the Exclude Users button.

  5. To remove excluded users, select the relevant users from the list and select the Remove button.
