
How To Use Microsoft 365 Defender? All You Should Know


Microsoft 365 Defender integrates several security technologies at once to assure cybersecurity across your entire enterprise, including all apps, data, email, endpoints, and both inherent and third-party tools.

Continue reading to find out how to use Microsoft 365 Defender for integrated protection against malicious threats posed by hackers.


Microsoft 365 Defender is a sophisticated security solution that allows you to prevent, discover, and remediate malicious threats from one central dashboard.

From this central point, you can run:

  • Microsoft Defender for Identity, which protects from compromised identities and malicious insider sabotage.
  • Exchange Online Protection, which is a filtering service that protects against malware and spam.
  • Microsoft Defender for Office 365, which offers threat protection for emails, collaboration tools, and URLs.
  • Microsoft Defender for Endpoint, which offers automated remediation actions for any security breach.
  • Microsoft Defender for Cloud Apps, which uses SaaS to offer enhanced threat protection to your cloud apps.
  • Azure AD Identity Protection, which evaluates the risk of each sign-in to your environment.
  • Microsoft Defender Vulnerability Management, which is risk-based vulnerability management to identify, assess, remediate, and track all your biggest vulnerabilities.
  • Microsoft Data Loss Prevention, which detects sensitive items by using deep content analysis, not by just a simple text scan.
  • App Governance, which is an add-on feature to Defender for Cloud Apps designed for OAuth-enabled apps registered on Azure Active Directory (Azure AD).

Microsoft 365 Defender Order of Steps

After you visit the Microsoft 365 Defender portal, and your subscription is validated, you are ready to go.


Microsoft advises that you complete the evaluation process required by M365 Defender, and then enable its components in the order recommended below:

Microsoft Defender for Identity

The first component of Microsoft 365 Defender to activate is Microsoft Defender for Identity. Formerly known as Azure Advanced Threat Protection (ATP), it utilizes AI-powered automatic actions to monitor user and entity behavior.

It also protects user identities and credentials stored in the Active Directory and identifies suspicious events.

See Also: How to Deploy Microsoft Defender for Identity.

You could use Microsoft Defender for Identity to monitor your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers, then analyzing the data for attacks and threats.

The diagram below shows the core architecture of Defender for Identity.

Microsoft Defender for Identity [ Image Credit Microsoft ]

The agent is installed directly on your domain controller or AD FS servers, and the Defender for Identity sensor accesses the event logs it requires directly from the servers.

Defender for Identity uses profiling, machine learning, and behavioral algorithms to learn about your network, enable the detection of anomalies, and warn you of suspicious activities.

See Also: Managing Microsoft Defender for Identity.

Exchange Online Protection

The second component of Microsoft 365 Defender is the native cloud-based Exchange Online Protection (EOP). This SMTP relay service works in the background to protect your company against malware and spam.

Exchange Online protects your email from phishing messages, utilizing flow rules to make sure that they never appear in your company mailbox.

EOP does all of the following:

  • Make sure attachments are safe
  • Alert to dubious links
  • Protection at sharing points for team collaboration
  • Time-of-click monitoring
  • Domain and user impersonation detection

It is necessary to activate Exchange Online before you activate many of the other features of Microsoft Defender for Office 365.

Microsoft Defender for Office 365

The core component of EOP must be activated before Microsoft Defender for Office can carry out its goals, which are to protect, detect, investigate, and respond.

Microsoft Defender for Office 365 [ Image Credit Microsoft ]

The EOP email verification must also be carried out before you can proceed to activate Defender for Office 365. Defender for Office then uses threat explorers and threat trackers to activate Automated Investigation and Response (AIR).

Microsoft Defender for Office 365 is a fantastic security tool for training teams as it has a security professional focus. Attack simulation training can be run to show employees how to mitigate an incident. Users can also proactively hunt for security threats across the dashboard.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (MDE) is a unified platform that expands across your entire network to conduct an automated investigation and recommended response.

Aside from Microsoft’s other security software, it also integrates nicely with Microsoft Sentinel, Intune (Microsoft Endpoint Manager), and Skype for Business (Microsoft Teams).

It uses in-built technology from Windows 10/11 and Microsoft Cloud to perform several detailed security functions.

Endpoint detection sensors embedded in Windows 11 and Windows 10 collect and analyze behavioral signals from the operating system. This sensor-collected data is then sent to your isolated cloud instance of Microsoft Defender for Endpoint.

Defender for Endpoint uses state-of-the-art AI and cloud security analytics to learn about malicious actions, gather insights about them, and then recommend a response to your security professionals.

At Microsoft, a threat intelligence team is constantly diagnosing and identifying threats, attacker tools, and techniques. Once an unusual behavioral signal is detected, Defender for Endpoint advises your team of a recommended response.

Add-ons are also available through Microsoft support to strengthen web and network protection. This includes attack scope reduction, as well as a query-based threat-hunting tool that allows you to search for hidden breaches.

Defender for Endpoint also includes a feature called Microsoft Secure Score for Devices that evaluates your network system’s automatic response and the ability to immediately remediate impacted assets.

This can help you identify points of weakness and unprotected systems. You can then take recommended actions to offset threats.

Defender for Office 365 also gives you access to Microsoft Threat Experts, which allows you to collaborate with cybersecurity experts. Microsoft Threat Experts is an add-on that gives you exceptional live and personal technical support from security professionals.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is the new name for Microsoft Cloud App Security. Formerly it was a stand-alone app, but now it is a component of Microsoft 365 Defender.

Microsoft Defender for Cloud Apps [ Image Credit Microsoft ]

It is classified as a CASB, which stands for Cloud Access Security Broker. A security broker works as a reverse proxy to give you a bird’s eye view of all of your data and activities on any of your clouds.

Microsoft Defender for Cloud Apps sanctions any unwanted visitors to any of your organization’s cloud apps and services. Its sophisticated technology is known as Shadow IT and can immediately detect sign-in impersonations, signal sharing, and the exposure of data to sanctioned entities.

Defender for Cloud Apps deploys AI to help it integrate with all leading Microsoft solutions. One of its main value services is that it can show you all of the security gaps in your use of cloud services and help you organize and control all user activities.

It also gives you the means to protect sensitive data and control how it is used on content collaboration platforms such as CRM, HR, and networking sites.

> Check the Top 20 use cases for Microsoft Defender for Cloud Apps (CASB).


Odds are that after your subscription is validated, you may not need to activate all of the components of Microsoft 365 Defender, but Microsoft recommends that you realize the gains and efficiencies of using any of them.

What you need to activate may be quite dependent on the scope and size of your enterprise network.

I hope you found this article helpful.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author:
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
