Microsoft Defender service description

Microsoft Defender for Business and Microsoft Defender for Business Servers add-on

Microsoft Defender for Business is an endpoint security solution designed for small and medium-sized businesses (up to 300 employees). Defender for Business is available as a standalone solution and is also included as part of Microsoft 365 Business Premium. With this endpoint security solution, small and medium-sized business (SMB) organization devices are better protected from ransomware, malware, phishing, and other threats.

Microsoft Defender for Business servers provides endpoint security for Windows and Linux Servers for small and medium-sized businesses. The Defender for Business servers experience delivers the same level of protection for both clients and servers within a single admin experience inside of Defender for Business, helping you to protect all your endpoints in one location.

Available plans

Microsoft Defender for Business

For detailed plan information on subscriptions that enable users for Microsoft Defender for Business, see the Microsoft 365 business plan comparison and Microsoft 365 Enterprise plan comparison.

Microsoft Defender for Business is included as part of the Microsoft 365 Business Premium subscription plan.

A standalone version of Defender for Business is also available as an option for small and medium businesses (SMBs) with up to 300 employees. To learn more, see How to get Microsoft Defender for Business.

Microsoft Defender for Business Servers add-on

Customers are required to have at least one license of Microsoft 365 Business Premium or Microsoft Defender for Business to purchase and use the Microsoft Defender for Business servers add-on.

Note that the maximum quantity/seat cap is 60 licenses per customer for Defender for Business servers.

How do users benefit from the service?

The addition of Microsoft Defender for Business into Microsoft 365 Business Premium strengthens Business Premium’s existing productivity and security offering by adding cross-platform endpoint protection and sophisticated ransomware defenses with technologies like endpoint detection and response and automated investigation and remediation.

The standalone version of Defender for Business provides the option for small and medium businesses with up to 300 employees to get enterprise-grade endpoint security technology at an affordable price.

How is the service provisioned/deployed?

If you have Microsoft 365 Business Premium, you can access Defender for Business via the Microsoft Defender portal.

By default, Microsoft Defender for Business features are enabled at the tenant level for all users within the tenant. For information on how to set up and configure Defender for Business, see the Microsoft Defender for Business documentation.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a comprehensive SaaS security solution that enables organizations to prevent and protect against advanced threats arising from the use of SaaS apps. It enables organizations to discover applications in their environment, strengthen app security posture, govern app-to-app behaviors, defend against advanced threats that employ SaaS apps as an attack technique, and secure the use of generative AI apps.

Available plans

Microsoft Defender for Cloud Apps is available as a standalone license and is also available as part of the following plans:

  • Enterprise Mobility + Security E5
  • Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 E5/A5/G5/F5 Compliance
  • Microsoft 365 F5 Security & Compliance
  • Microsoft 365 E5/F5/G5 Information Protection and Governance

For detailed plan information on subscriptions that enable users for Microsoft Defender for Cloud Apps, see the Microsoft 365 business plan comparison and Microsoft 365 Enterprise plan comparison.

For detailed plan information on subscriptions that enable users for Microsoft Defender for Cloud Apps and are currently available in European Economic Area (EEA) countries and Switzerland, see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.

To benefit from the Conditional Access App Control capabilities in Defender for Cloud Apps, users must also be licensed for Microsoft Entra ID P1, which is included in Enterprise Mobility + Security F1/F3/E3/A3/G3, Enterprise Mobility + Security E5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, and Microsoft 365 F5 Security & Compliance.

How is the service provisioned/deployed?

By default, Microsoft Defender for Cloud Apps is enabled at the tenant level for all users within the tenant.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Microsoft Defender for Cloud Apps deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped deployment.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an AI-powered endpoint security solution across Windows, macOS, Linux, Android, iOS and IoT devices that includes:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction capabilities
  • Behavioral based and cloud-powered next generation protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Available plans

Microsoft Defender for Endpoint Plan 1 (P1)

Microsoft Defender for Endpoint P1 delivers core endpoint protection capabilities such as next generation anti-malware, attack surface reduction rules, device control, endpoint firewall, network protection, application control, and more. For details, see Microsoft Defender for Endpoint Plan 1 and Plan 2.

Microsoft Defender for Endpoint P1 is available as a standalone user subscription license and as part of Microsoft 365 E3/A3/G3.

Microsoft Defender for Endpoint Plan 2 (P2)

Microsoft Defender for Endpoint P2 delivers comprehensive endpoint protection capabilities including all the capabilities of Microsoft Defender for Endpoint P1 with additional capabilities such as endpoint detection and response, automated investigation and remediation, threat and vulnerability management, threat intelligence (threat analytics), sandbox (deep analysis), and Microsoft Threat Experts. For details, see Microsoft Defender for Endpoint documentation.

Microsoft Defender for Endpoint P2 is available as a standalone license and as part of the following plans:

  • Windows 11 Enterprise E5/A5
  • Windows 10 Enterprise E5/A5
  • Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft 365 F5 Security & Compliance

Microsoft Defender for Endpoint for Servers

Microsoft Defender for Endpoint for Servers provides leading security for traditional on-prem server workloads, Windows, and Linux servers. It provides advanced detection and automatic attack disruption capabilities through the Microsoft Defender XDR console and provides deep insights into server activities and coverage for kernel and memory attack detection to enable scale response actions. A separate license is required for each Operating System Environment (OSE) for servers or virtual machines.

For detailed plan information on subscriptions that enable users for Microsoft Viva, see the Microsoft 365 business plan comparison and Microsoft 365 Enterprise plan comparison.

For detailed plan information on subscriptions that enable users for Microsoft Viva and are currently available in European Economic Area (EEA) countries and Switzerland, see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.

Learn more

For more information, see Microsoft Defender for Endpoint.

Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats.

Available plans

Microsoft Defender for Identity is a per-user subscription license available as a standalone and included in the following plans:

  • Enterprise Mobility + Security E5/A5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/G5/F5 Security
  • Microsoft F5 Security & Compliance
  • Microsoft Defender for Identity for Users

These plans provide the rights to benefit from Microsoft Defender for Identity.

For detailed plan information on subscriptions that enable users for Microsoft Defender for Identity, see the Microsoft 365 business plan comparison and Microsoft 365 Enterprise plan comparison.

For detailed plan information on subscriptions that enable users for Microsoft Defender for Identity and are currently available in European Economic Area (EEA) countries and Switzerland, see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.

How do users benefit from the service?

SecOp analysts and security professionals benefit from the ability of Microsoft Defender for Identity to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit by having their data monitored by Microsoft Defender for Identity.

How is the service provisioned/deployed?

Microsoft Defender for Identity features are enabled at the tenant level for all users within the tenant. Some tenant services, such as Microsoft Defender for Identity, aren't currently capable of limiting benefits to specific users. To review the terms and conditions governing the use of Microsoft products and Professional Services acquired through Microsoft Licensing programs, see the Product Terms.

Learn more

For more information on configuring Microsoft Defender for Identity, see Deploy Microsoft Defender for Identity with Microsoft Defender XDR.

Microsoft Defender Vulnerability Management

Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.

Available plans

Microsoft Defender Vulnerability Management core and premium capabilities are available as a standalone user subscription license.

Defender Vulnerability Management core capabilities are available in Microsoft Defender for Endpoint Plan 2.

Microsoft Defender Vulnerability Management premium capabilities are available as an add-on for Microsoft Defender for Endpoint Plan 2 customers.

Defender Vulnerability Management premium is available as an add-on to organizations with:

  • Microsoft Defender for Endpoint Plan 2 (standalone)
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/A5/F5/G5 Security
  • Microsoft 365 F5 Security and Compliance add-on
  • Windows 11 Enterprise E5/A5/G5
  • Windows 10 Enterprise E5/A5/G5

For detailed plan information, see Compare Microsoft Defender Vulnerability Management plans and capabilities.

For detailed plan information on subscriptions that enable users for Microsoft Defender Vulnerability Management, see the Microsoft 365 business plan comparison and Microsoft 365 Enterprise plan comparison.

For detailed plan information on subscriptions that enable users for Microsoft Defender Vulnerability Management and are currently available in European Economic Area (EEA) countries and Switzerland, see the Microsoft 365 business plan comparison for EEA and Microsoft 365 Enterprise plan comparison for EEA.

Defender Vulnerability Management standalone: Customers who do not have Defender for Endpoint Plan 2 can complement their endpoint detection and response (EDR) solution with the Defender Vulnerability Management standalone to meet their vulnerability management program needs.

Defender Vulnerability Management add-on: Microsoft Defender for Endpoint Plan 2 includes core vulnerability management capabilities that can be enhanced by adding new advanced vulnerability management tools included with the Microsoft Defender Vulnerability Management add-on.

Microsoft Defender Vulnerability Management add-on to Microsoft Defender for Endpoint for servers: Provides premium vulnerability management capabilities for customers with Microsoft Defender for Endpoint for servers.

Microsoft Defender for Servers Plan 1 and Defender for Servers Plan 2 also include access to vulnerability management capabilities.

Microsoft Defender Experts for XDR

Microsoft Defender Experts for XDR is a managed extended detection and response service that helps your security operations centers (SOCs) focus on and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft Defender XDR services: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID. Defender Experts for XDR augments your SOC by combining automation and Microsoft's security analyst expertise. This combination helps you detect and respond to threats with confidence and improve your security posture. With deep product expertise powered by threat intelligence, we're uniquely positioned to help you:

  • Focus on incidents that matter—Our experts prioritize incidents and alerts that matter, alleviate alert fatigue, and drive SOC efficiency for your team.
  • Manage response your way—Our experts provide detailed, step-by-step, actionable guidance to respond to incidents with the option to act on your behalf as needed.
  • Access expertise when you need it—Extend your team's capacity with access to Defender Experts for assistance on an investigation.
  • Stay ahead of emerging threats—Our experts proactively hunt for emerging threats in your environment, informed by unparalleled threat intelligence and visibility.

Apart from the constantly updated research and intelligence tailored for the threats currently seen across the various Microsoft Defender XDR signals, you also receive managed response from our security analysts and support from Microsoft's security-focused service delivery managers (SDMs). This service lets you enjoy the following capabilities:

  • Managed detection and response—Expert analysts manage your Microsoft Defender XDR incident queue and handle triage and investigation on your behalf; they partner with you and your team to take action or guide you to respond to incidents.
  • Proactive threat hunting—Microsoft Defender Experts for Hunting is built in to extend your team's threat hunting capabilities and prioritize significant threats.
  • Live dashboards and reports—Transparent view of our operations on your behalf and noise-free, actionable view into what matters for you coupled with detailed analytics.
  • Proactive check-ins for continuous security improvements—Periodic check-ins with your named service delivery team to guide your Defender Experts for XDR experience and improve your security posture.

Feature availability

For the Microsoft Defender Experts for XDR feature, the details are provided in the following table:

| Microsoft 365 E5 or A5 | Microsoft 365 E3 with the Microsoft 365 E5 Security add-on | Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on | Microsoft 365 A3 with the Microsoft 365 A5 Security add-on |
| --- | --- | --- | --- |
| Yes | Yes | Yes | Yes |

Learn more

For more information, see Microsoft Defender Experts for XDR.

Read the Defender Experts for XDR ebook and maximize the benefits of this product suite.

Microsoft Defender Experts for Hunting

Defender Experts for Hunting is a managed threat-hunting service that proactively looks for threats 24/7/365 across endpoints, email, identity, and cloud apps using Microsoft Defender data. Designed for Microsoft Defender XDR customers who need to augment their security operations to prioritize significant threats, Defender Experts for Hunting combines hunter-trained AI and human expertise to probe deeper to expose threats and correlate across your security stack. With unparalleled visibility across diverse, cross-domain telemetry and leading threat intelligence, Defender Experts for Hunting extends your team’s threat-hunting capabilities to provide an additional layer of proactive threat detection to improve your overall threat response and security efficacy.

Defender Experts for Hunting covers Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra Identity Protection.

Our experts will investigate anything they find, correlate it with other data, then hand off the contextual alert information along with remediation instructions so that you can quickly respond.

If you are a Defender Experts for XDR customer, the alerts generated via hunting are further investigated by our security experts.

Note

Defender Experts for Hunting doesn't cover Microsoft Purview, including Data Loss Protection and Microsoft Defender for IoT, as part of the service.

Feature availability

For the Microsoft Defender Experts for Hunting feature, the details are provided in the following table:

| Microsoft 365 E5 or A5 | Microsoft 365 E3 with the Microsoft 365 E5 Security add-on | Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on | Microsoft 365 A3 with the Microsoft 365 A5 Security add-on |
| --- | --- | --- | --- |
| Yes | Yes | Yes | Yes |

Defender Experts for Hunting builds on the Microsoft Defender XDR suite to provide proactive threat hunting. The service capabilities are outlined here:

  • Threat hunting and analysis—Defender Experts for Hunting looks deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks.
  • Defender Experts Notifications—Notifications show up as incidents and alerts in the Microsoft 365 Defender portal, helping to improve your security operations' incident response with specific information about the scope and method of entry.
  • Experts on Demand—Select Ask Defender Experts in the Defender XDR portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, vulnerability, threat actor, or attack vector.
  • Reports—This interactive, summary report includes details on what we found and investigated, adversary tactics according to the MITRE framework, and threat categorization based on behavior, characteristics, and impact.
  • Hunter-trained AI—Defender Experts share their learning back into the detection and automation tools they use to improve threat discovery and prioritization.

For information on eligibility and licensing, see Before you begin using Defender Experts for Hunting.

Learn more

For more information, see How to Start using Microsoft Defender Experts for Hunting.

Microsoft Defender Threat Intelligence

Microsoft Defender Threat Intelligence (MDTI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a threat analysis intelligence platform that allows for accurate and timely assessments of alerting is important.

| Feature | Microsoft Defender Threat Intelligence Standard | Microsoft Defender Threat Intelligence Premium |
| --- | --- | --- |
| Public indicators of compromise (IOCs) | Yes | Yes |
| Open-source intelligence (OSINT) | Yes | Yes |
| Common vulnerabilities and exposures (CVEs) database | Yes | Yes |
| Articles and analysis from Microsoft Threat Intelligence | Yes¹ | Yes |
| Defender Threat Intelligence datasets | Yes¹ | Yes |
| Intelligence Profiles | Yes¹ | Yes |
| Microsoft IOCs | No | Yes |
| Microsoft-enriched OSINT | No | Yes |
| URL and file intelligence | No | Yes |

¹ Limited.

Messaging

To stay informed of upcoming changes, including new and changed features, planned maintenance, or other important announcements, visit the Message center.

Licensing terms

For licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.

Accessibility

Microsoft remains committed to the security of your data and the accessibility of our services. For more information, see the Microsoft Trust Center and the Office Accessibility Center.