Microsoft 365 Defender

Microsoft 365 Defender: Services, Architecture And How it Works

Microsoft 365 Defender is a complete security suite that combines several services to protect your organisation’s data and infrastructure. It is designed to detect, prevent, investigate, and respond to threats, offering a unified approach to cybersecurity.

What is Microsoft 365 Defender?

Microsoft 365 Defender is an integrated platform with multiple Microsoft security solutions. It provides comprehensive protection through different products tailored to secure the digital environment. The suite includes:

  • Defender for Endpoint: An endpoint detection and response platform that prevents threats, detects breaches and automates endpoint investigation and response.
  • Defender for Office 365: This product protects against threats targeting collaboration tools, emails, and malicious links, ensuring safer communication.
  • Defender for Identity: Identifies and investigates compromised identities and malicious insiders. It draws on signals from on-premises Active Directory Domain Services (AD DS) for locally managed identities and integrates with Azure Active Directory (Azure AD) Identity Protection for cloud-managed identities.
  • Defender for Cloud Apps: Secures SaaS and cloud applications by providing visibility, data controls, and advanced threat protection.

Microsoft 365 Defender Services

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an EDR platform that helps enterprise networks detect, prevent, investigate, and respond to advanced threats. The service itself runs in Microsoft’s cloud, while its sensor is built into Windows 10 and later (agents are also available for other operating systems). Here are key features:

  • Endpoint behavioural sensors—These sensors, built into Windows 10 and later, collect behavioural signals from the operating system. The data is processed and sent to a private, isolated cloud instance of Microsoft Defender for Endpoint.
  • Cloud security analytics—The solution gathers data from the entire Windows ecosystem, using machine learning and big data to translate signals into detections and insights. It offers recommended responses to threats.
  • Threat intelligence—Microsoft’s security teams generate threat intelligence using Microsoft insights and third-party information. Defender for Endpoint uses this intelligence to identify attacker techniques, procedures, and tools, generating alerts when it detects attack indicators in the data collected.

Microsoft Defender for Office 365

This cloud-based service provides email filtering and automated investigation features. It protects organisations from threats to email and collaboration tools, such as phishing, malware attacks, and business email compromise. It also offers hunting and remediation capabilities to help teams identify, investigate, prioritise, and respond to threats. Here are ways to use Defender for Office 365 for message protection:

  • Filtering-only scenarios for on-premises deployments: The service provides cloud-based email filtering in front of on-premises SMTP mail servers such as Microsoft Exchange Server.
  • Protect cloud mailboxes: Use the solution to safeguard Exchange Online cloud-hosted mailboxes.
  • Control mail routing for hybrid deployments: Configure the solution to protect environments with cloud and on-premises mailboxes. Use Exchange Online Protection for inbound email filtering and mail routing control.

Microsoft Defender for Identity

This cloud-based security solution uses signals from your on-premises Active Directory to detect and investigate compromised identities, advanced threats, and malicious insiders, making it the identity pillar for hybrid environments. Sensors installed on domain controllers and AD FS servers forward authentication traffic and events to the cloud service, which profiles user behaviour with learning-based analytics and raises alerts on deviations such as reconnaissance, credential theft, and lateral movement. The solution provides insights to identify, investigate, and respond quickly to suspicious activities and threats.

Microsoft Defender for Cloud Apps

This cloud access security broker (CASB) supports multiple deployment modes: API connectors, reverse proxy (session control), and log collection from firewalls and proxies. It offers visibility and control over how data flows to and from cloud apps. The solution provides centralised management and automation, and its analytics help identify and respond to threats across all cloud services. Microsoft Defender for Cloud Apps covers third-party SaaS applications and integrates natively with Microsoft solutions.

Microsoft 365 Defender Architecture

Microsoft 365 Defender automatically gathers, links, and examines threat, alert, and signal data from Microsoft 365. It covers email, endpoints, identities, and applications. The solution uses AI and automation to stop attacks and carry out remediation.

Core Components

The diagram below visualises high-level architecture for notable Microsoft 365 Defender integrations and components.

Combined and Shared Signals

Microsoft 365 Defender collects signals from all its components. It shares these signals across its ecosystem to provide:

  • A unified incident queue: Centralised management and assignment of security incidents.
  • Automated response to stop an attack: Immediate actions to neutralise threats.
  • Self-healing for compromised resources: Automatic restoration of compromised resources like user identities, mailboxes, and devices.
  • Cross-threat hunting: Proactive search for threats across multiple domains.
  • Threat Analytics: Detailed analysis to understand and mitigate threats effectively.

Protection for Email and Collaboration Tools

Microsoft 365 Defender guards against threats from links, collaboration tools, and emails. It gathers signals from these activities and shares them within the Microsoft 365 Defender ecosystem. The solution works with Exchange Online Protection (EOP) to safeguard all incoming emails and attachments.

Identity Protection for Hybrid Environments

Microsoft Defender for Identity protects hybrid identity environments. The service uses signals from servers running AD FS and on-premises AD DS. It guards against attackers using compromised accounts for lateral movement. You can also integrate with Azure AD Identity Protection to assess sign-in risks and apply conditional access policies.

Defending Data Flows

Microsoft Defender for Cloud Apps safeguards data between cloud apps and the corporate environment. It collects signals from approved and unapproved cloud apps to protect data.


How Does Microsoft 365 Defender Work?

The illustration shows the typical steps of a phishing attack. It starts with a phishing email sent to a user, often an employee. Unaware of the danger, the user opens the email attachment and unknowingly installs malware on the device.

Once installed, the malware tries to steal sensitive data. Because the components of Microsoft 365 Defender share their signals, the suite can stop this attack at several different stages. Here are the main features each component contributes against a phishing scheme:

  • Exchange Online Protection: Filters inbound mail with anti-spam, anti-malware and anti-phishing policies (supplemented by mail flow rules) so that phishing emails are quarantined or rejected before they reach the inbox.
  • Safe Attachments: This feature opens attachments in a sandbox to test them for malicious behaviour. Harmful attachments are blocked before the message is delivered, so the user never interacts with them.
  • Defender for Endpoint: Detects and blocks the malware when it is written to disk or executed on a managed device, and surfaces the unpatched vulnerabilities the attacker could otherwise exploit.
  • Defender for Identity: Detects sudden account changes and lateral movement. Reports identity issues like unconstrained Kerberos delegation.
  • Microsoft Defender for Cloud Apps: Detects unusual behaviour and alerts the security team. It identifies activities such as credential access, impossible travel, uncommon downloads and file shares, and abnormal mail forwarding activities.
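The value of the shared signals described above (and of the cross-threat hunting listed under Combined and Shared Signals) is that one query can follow the phishing chain from the mailbox to the device. The following script is an added example, not code from the original article or from Microsoft: it runs an advanced hunting query through the Microsoft Graph PowerShell SDK that joins Defender for Office 365 email tables with Defender for Endpoint file events. It assumes the Microsoft.Graph.Security module is installed and that the signed-in account holds a role permitted to run advanced hunting; the table and column names are the documented advanced hunting schema.

```powershell
# Added example (not part of the original article). Find phishing or malware
# attachments that Defender for Office 365 flagged and that were nevertheless later
# seen on a managed endpoint, by joining email and device signals in one query.
# Assumptions: Microsoft.Graph.Security module installed; caller may run advanced
# hunting (ThreatHunting.Read.All); EmailEvents, EmailAttachmentInfo and
# DeviceFileEvents are the documented advanced hunting tables.

Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

$kql = @"
// Step 1: attachments on inbound mail that Defender for Office 365 judged hostile
let suspiciousAttachments =
    EmailEvents
    | where Timestamp > ago(7d)
    | where EmailDirection == "Inbound"
    | where ThreatTypes has_any ("Phish", "Malware")
    | join kind=inner EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
    | project DeliveredTime = Timestamp, RecipientEmailAddress, SenderFromAddress,
              Subject, FileName, SHA256, DeliveryAction;
// Step 2: the same file hashes appearing on Defender for Endpoint managed devices
suspiciousAttachments
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where isnotempty(SHA256)
    | project FileSeenTime = Timestamp, DeviceName, FolderPath,
              InitiatingProcessFileName, SHA256
  ) on SHA256
| where FileSeenTime >= DeliveredTime      // the file landed after the mail arrived
| project DeliveredTime, FileSeenTime, RecipientEmailAddress, SenderFromAddress,
          Subject, FileName, SHA256, DeliveryAction, DeviceName, FolderPath,
          InitiatingProcessFileName
| order by FileSeenTime desc
"@

$result = Start-MgSecurityHuntingQuery -Query $kql

# Every row is an incident lead: a message the mail layer considered hostile whose
# attachment still reached a device (for example DeliveryAction "Delivered" before
# zero-hour auto purge caught up, or a file released from quarantine).
foreach ($row in $result.Results) {
    $r = $row.AdditionalProperties
    "{0}  {1,-30} -> {2,-18} {3}  (mail action: {4})" -f `
        $r.FileSeenTime, $r.RecipientEmailAddress, $r.DeviceName, $r.FileName, $r.DeliveryAction
}
```

The join key for the email side is NetworkMessageId together with RecipientEmailAddress, because EmailEvents holds one row per recipient and EmailAttachmentInfo one row per attachment per recipient; joining on the message ID alone would multiply rows. The same query can be pasted directly into the Advanced hunting page of the portal; the PowerShell wrapper is only there so it can be scheduled.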

Microsoft 365 Defender Integration With Microsoft Sentinel

Microsoft Sentinel is a security information and event management (SIEM) platform that integrates with Microsoft 365 Defender. This integration lets you stream incidents directly into Microsoft Sentinel while keeping them synchronised in both portals.

Key benefits of incident integration include:

  • Context: Incident information from Microsoft 365 Defender, such as alerts and entities, helps with triaging and preliminary investigations in Microsoft Sentinel.
  • Visibility: This integration lets you manage Microsoft 365 security incidents in the Microsoft Sentinel portal. You can add these incidents to the primary incident queue and correlate them with incidents from other systems across different environments.
  • Centralisation: Incidents in Microsoft Sentinel stay synchronised with Microsoft 365 Defender, so status and assignment changes made in one portal appear in the other. You can work an incident in either portal and use the capabilities of each, which aids investigation and response.


What is the old name for Microsoft Defender XDR?

Microsoft Defender XDR is the current name of the platform this page describes. It launched as Microsoft Threat Protection, was renamed Microsoft 365 Defender in 2020, and was renamed again to Microsoft Defender XDR in late 2023 to streamline Microsoft’s security branding. The features described here are the same across the three names.

Where is Microsoft 365 Defender data stored?

Microsoft 365 Defender data is stored in Microsoft’s data centres, which meet Microsoft’s security and privacy standards. The storage geography is chosen when the tenant is onboarded and depends on your organisation’s data residency requirements; Microsoft offers several regional options so that stored data can comply with local law and company policy.

How do I give access to Microsoft 365 Defender?

Access to Microsoft 365 Defender is controlled through Azure AD roles. To assign them, follow these steps in the Microsoft 365 Defender portal (security.microsoft.com):

  1. Open the portal and select “Permissions” from the navigation menu.
  2. Choose the Azure AD roles option to manage roles for your security team.
  3. Assign roles such as “Security Administrator” (can change settings and take response actions) or “Security Reader” (view-only access to alerts, incidents, and reports) to the right users or groups. Each role grants a different level of access to Microsoft 365 Defender’s features and data.
  4. Give users only the permissions their security tasks require, following the principle of least privilege: analysts who only triage and investigate should receive Security Reader, and the Security Administrator role should be limited to the few people who configure the service.

After the roles are assigned, users will have the access they need to use Microsoft 365 Defender to protect the organisation.
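The same role assignment can be scripted, which makes it easier to review and repeat. The following is an added example, not code from the original article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to activate the built-in Security Reader role if needed, add one analyst to it idempotently, and list who currently holds the more powerful Security Administrator role. It assumes the Microsoft.Graph module is installed, that the caller already holds a role permitted to manage role assignments, and that the analyst account name is a placeholder.

```powershell
# Added example (not part of the original article). Assign the least-privileged
# Azure AD role that grants read-only access to Microsoft 365 Defender, and audit
# who holds the write-capable Security Administrator role.
# Assumptions: Microsoft.Graph module installed; caller can manage role
# assignments (RoleManagement.ReadWrite.Directory); $analystUpn is a placeholder.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$analystUpn = "analyst@contoso.example"   # placeholder account, not a real user
$roleName   = "Security Reader"           # view alerts, incidents and reports only

$user = Get-MgUser -UserId $analystUpn

# Built-in roles exist as templates; the role object is created in the tenant the
# first time it is used, so activate it from its template if it is not there yet.
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Idempotent: re-running the script does not produce duplicate membership errors.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -contains $user.Id) {
    "$analystUpn already holds $roleName"
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    "Added $analystUpn to $roleName"
}

# Least-privilege check: the Security Administrator list should be short and known.
$adminRole = Get-MgDirectoryRole -Filter "displayName eq 'Security Administrator'"
if ($adminRole) {
    "Current Security Administrators:"
    Get-MgDirectoryRoleMember -DirectoryRoleId $adminRole.Id |
        ForEach-Object { "  " + $_.AdditionalProperties.userPrincipalName }
}
```

Security Reader is enough for day-to-day triage in the portal; keep Security Administrator for the people who change policies, and re-run the final audit section periodically so that role membership does not drift.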
