Microsoft Defender for Office 365 in the Microsoft Defender portal
This article describes the Microsoft Defender for Office 365 experience in the Microsoft Defender portal at https://security.microsoft.com. Formerly, Defender for Office 365 customers used the Office 365 Security & Compliance Center at https://protection.office.com, but access to that portal ended in 2022.
The Defender portal combines security capabilities from existing Microsoft 365 security portals. This improved portal helps security teams protect their organization from threats more effectively and efficiently.
For more information about the benefits of the unified Microsoft Defender XDR, see Overview of Defender XDR.
If you're looking for compliance-related items, see Microsoft Purview compliance portal.
Capabilities
With the unified Defender XDR solution, you can stitch together the threat signals and determine the full scope of the threat, and how it currently affects the organization.
Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Most Defender for Office 365 specific features are available under the Email & collaboration node as described in the Email & collaboration section.
Tip
Defender for Office 365 includes all the functionality in Exchange Online Protection (EOP). For more information about EOP, see Exchange Online Protection overview.
What you see or don't see in the Defender portal depends on your subscription (for example, Microsoft 365 E5 vs. an add-on or standalone Defender for Office 365 Plan 2 subscription).
For more information about the differences between Defender for Office 365 Plan 1 and Plan 2, see Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet.
Home
The Home page of the Defender portal shows important summary information (cards) about the security status of your Microsoft 365 environment.
- Use Guided tour to take a quick tour of:
  - Email & collaboration
  - Attack simulation training (Defender for Office 365 Plan 2 only)
- Use What's New to go to the Microsoft Defender XDR Blog.
- Use Community to go to the Security, Compliance, and Identity community.
- Use Add cards to customize the information on the page.
Investigation & response
The following subsections describe the features that are available in the Investigation & response node in the Defender portal.
Incidents & alerts
Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.
Tip
Email & collaboration alerts at https://security.microsoft.com/viewalertsv2 is available in Defender for Office 365 Plan 1 only.
Hunting
Proactively search for threats, malware, and malicious activity across your endpoints, Microsoft 365 mailboxes, and more by using advanced hunting queries. You can use these powerful queries to locate and review threat indicators and entities for known and potential threats.
You can build custom detection rules from advanced hunting queries to proactively monitor events that might indicate breach activity and misconfigured devices.
Actions & submissions
Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing capability in the Defender portal can help security teams by automatically responding to specific events.
For more information, see Action center.
Admins can use the Submissions page to submit email messages, email attachments, and URLs to Microsoft for analysis. Messages reported as Junk, Not junk, or Phishing by users in Outlook are also available to review or resubmit to Microsoft.
For more information, see Admin submissions.
Threat intelligence in Defender for Office 365 Plan 2
The following subsections describe the features that are available in the Threat intelligence node in the Defender portal in organizations with Defender for Office 365 Plan 2.
Threat Analytics
Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:
- Email-related detections and mitigations from Microsoft Defender for Office 365.
- Incidents view related to the threats.
- Enhanced experience for quickly identifying and using actionable information in the reports.
You can access Threat analytics either from the left navigation pane in the Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.
For more information, see Threat analytics in Microsoft Defender XDR.
Email & collaboration
The Email & collaboration node contains features that are specific to Defender for Office 365:
- Investigations: Defender for Office 365 Plan 2 only. For more information, see Automated investigation and response (AIR).
- Explorer (Threat Explorer): Defender for Office 365 Plan 2 only. Defender for Office 365 Plan 1 has Real-time detections instead. For more information, see About Threat Explorer and Real-time detections.
- Review at https://security.microsoft.com/threatreview contains the following features:
  - Action center: Defender for Office 365 Plan 2 only.
  - Quarantine for users and admins.
  - Restricted entities: Contains restricted users and restricted connectors.
  - Malware trends
- Campaigns: Defender for Office 365 Plan 2 only.
- Threat trackers: Defender for Office 365 Plan 2 only.
- Exchange message trace
- Attack simulation training: Defender for Office 365 Plan 2 only.
- Policies & rules at https://security.microsoft.com/securitypoliciesandrules contains the following features:
  - Threat policies:
    - Templated policies section:
    - Policies section:
      - Anti-phishing
      - Anti-spam: Includes inbound anti-spam, outbound anti-spam, and connection filtering.
      - Anti-malware
      - Safe Attachments
      - Safe Links
    - Rules section:
      - Tenant Allow/Block List
      - Email authentication settings: Settings for trusted ARC sealers and DKIM.
      - Advanced delivery
      - Enhanced filtering
      - Quarantine policies
  - Alert policies
  - Activity alerts
Tip
For more information about the differences between Defender for Office 365 Plan 1 and Plan 2, see Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet.
Although it isn't directly accessible from the left navigation pane in the Defender portal, the Email entity page in Defender for Office 365 unifies and centralizes email information to empower admins and security operations (SecOps) teams to quickly understand and act on email threats. For more information, see The Email entity page.
SOC optimization
For more information, see SOC optimization reference of recommendations.
Reports
Defender for Office 365 reports are available on the Reports page at https://security.microsoft.com/securityreports > Email & collaboration section > Email & collaboration reports.
Learning hub
Redirects to the Microsoft Defender XDR learning paths.
Trials
Start trials of eligible Defender security products and Microsoft Purview compliance products.
Organizations with Defender for Office 365 Plan 1 can start a trial of Defender for Office 365 Plan 2. For more information, see Trial user guide: Microsoft Defender for Office 365.
System
The following subsections describe the features that are available in the System node in the Defender portal.
Audit
Audit log search and audit log retention policies.
Permissions
- Microsoft Defender XDR Unified role-based access control (RBAC)
- Microsoft Entra ID. You can view information about the roles that are shown, but you can't manage role membership here. The details flyout of each role contains a link to the Users page in Microsoft Entra where you can add users to roles.
- Email & collaboration roles
Health
- Service health: View the health status of the Microsoft 365 services that are included in your company's subscription.
- Message center: The Microsoft 365 Message center in the Microsoft 365 admin center.
Settings
Email & collaboration contains the following Defender for Office 365 features:
- User reported settings
- User tags
- Priority account protection (Defender for Office 365 Plan 2 only)
- Microsoft Teams protection (Defender for Office 365 Plan 2 only)
Related information
- The Action center
- Email & collaboration alerts
- Custom detection rules
- Create a phishing attack simulation and create a payload for training your people