Important
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
Azure Sentinel's Microsoft 365 Defender (M365D) incident integration allows you to stream all M365D incidents into Azure Sentinel and keep them synchronized between both portals.
The Microsoft 365 Defender portal (also called the 'Microsoft 365 Security Center' portal) will be replacing them at some point, but Microsoft's announcements didn't indicate a timeline.
Applies to:
- Microsoft 365 Defender
Learn about licensing and other requirements for provisioning and using Microsoft 365 Defender.
Licensing requirements
Any of these licenses gives you access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost:
- Microsoft 365 E5 or A5
- Microsoft 365 E5 Security or A5 Security
- Windows 10 Enterprise E5 or A5
- Enterprise Mobility + Security (EMS) E5 or A5
- Office 365 E5 or A5
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Cloud App Security
- Defender for Office 365 (Plan 2)
For more information, view the Microsoft 365 Enterprise service plans.
Don't have a license yet? Try or buy a Microsoft 365 subscription.
Check your existing licenses
Go to Microsoft 365 admin center (admin.microsoft.com) to view your existing licenses. In the admin center, go to Billing > Licenses.
Note
You need to be assigned either the Billing admin or Global reader role in Azure AD to be able to see license information. If you encounter access problems, contact a global admin.
Required permissions
You must be a global administrator or a security administrator in Azure Active Directory to turn on Microsoft 365 Defender. For the list of roles required to use Microsoft 365 Defender and information on how access to data is regulated, read about managing access to Microsoft 365 Defender.
Browser requirements
Access Microsoft 365 Defender in the Microsoft 365 security center using Microsoft Edge, Internet Explorer 11, or any HTML 5 compliant web browser.
Availability to US GCC, GCC High, and other US government institutions
Currently, Microsoft 365 Defender is not available to:
- US Government Community Cloud (GCC)
- US Government Community Cloud High (GCC High)
- US Department of Defense
- All US government institutions with commercial licenses
This is a question that I receive often from customers and partners I work with. Here is one view on this topic.
Background
From a product perspective, Microsoft 365 Defender is part of the Microsoft Defender XDR (Extended Detection & Response) portfolio, which is divided into two solutions: Microsoft 365 Defender and Azure Defender (picture from MS marketing material).
In a nutshell, M365 Defender protects M365 workloads and Azure Defender protects Azure workloads, on-premises & resources in 3rd party clouds (Threat protection).
Product Names Re-Branding
Before moving forward, let's get familiar with the new names of the M365 security solutions that were announced at Microsoft Ignite 2020. The Microsoft Cloud App Security (MCAS) name remains the same as it was before the re-branding.
Which Solution To Use?
Microsoft is heavily investing in both solutions, M365 Defender, Extended Detection and Response (XDR), and Azure Sentinel, the cloud-native SIEM. In the Microsoft cloud environment, I would put my effort into both Microsoft 365 Defender & Azure Sentinel, not only one of the solutions.
Microsoft 365 Defender
According to Microsoft: “Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.”
It’s the next level of M365 security and the perfect solution when it comes to identities, endpoints, and SaaS applications. It has features such as:
- One unified portal for the incident management
- Security posture management
- Automatic healing
- Cross-domain active protection
- Threat Hunting capabilities
- Unified Threat Intel & Analytics
- Brand new APIs
The Microsoft 365 Defender suite protects (list from docs.microsoft.com):
- Endpoints with Microsoft Defender for Endpoint – Microsoft Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
- Email and collaboration with Microsoft Defender for Office 365 – Defender for Office 365 safeguards the organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
- Identities with Microsoft Defender for Identity and Azure AD Identity Protection – Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
- Applications with Microsoft Cloud App security – Microsoft Cloud App Security is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
- With App Connectors you can ingest data from 3rd party apps such as AWS, Google, Box, etc. into MCAS.
It’s also the only solution you can use for incident/alert management that natively syncs alert status changes back to the source itself (in some scenarios). Also, Microsoft is investing heavily in developing M365 Defender and the associated portal (security.microsoft.com), which means that more integrations are coming to it; stay tuned.
You might ask, how about Azure security? Currently, Azure Security Center (together with Azure Defender) is the place for Azure security management, and M365 Defender doesn’t have integration with it. But if you look at Microsoft blogs back in 2018, infrastructure management was one of the core components of M365 Defender (in those days Microsoft Threat Protection, aka MTP). I wouldn’t be surprised if Azure Security Center integration were announced in the near future, but it might also be that the day never comes.
Azure Sentinel
Take into account that M365 Defender is not a SIEM; Azure Sentinel offers such capabilities.
Picture from Microsoft Security Compass material – ‘Microsoft SOC Reference Architecture‘.
Azure Sentinel is like the ‘icing on the cake’, the solution that connects all the sources together, including Microsoft cloud solutions, network devices, 3rd party data sources, on-prem systems, and so on.
Many of my customers have asked: do I need Sentinel if I already have M365 Defender, and if I do, why do I need it?
As written before, M365 Defender is not a SIEM. Even though some capabilities overlap, Azure Sentinel offers many capabilities that you are not able to achieve with M365 Defender, such as:
- Long-term storage for logs (the Sentinel workspace, i.e. the Log Analytics workspace, is not itself a place for long-term storage, but you can use storage accounts for it)
- Log Analytics data retention is 730 days, longer than any of the security solutions offer
- Data export available from Log Analytics
- Threat Hunting capabilities with Jupyter Notebooks (also beyond MS stack)
- Data correlation with multiple data sources no matter where the actual solutions are located
- SOAR capabilities with custom playbooks
- User and Entity Behavior Analytics (UEBA)
Which one to pick?
If you want to have automated protection for M365 workloads in real-time select M365 Defender. If you want to have full-blown SOC with the benefits listed above, choose Azure Sentinel. As @RavivTamir said on Twitter: “For the best results – use both”.